def test_load_ssh_public_key_ecdsa_nist_p521(self, backend): _skip_curve_unsupported(backend, ec.SECP521R1()) ssh_key = ( b"ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1" b"MjEAAACFBAGTrRhMSEgF6Ni+PXNz+5fjS4lw3ypUILVVQ0Av+0hQxOx+MyozELon" b"I8NKbrbBjijEs1GuImsmkTmWsMXS1j2A7wB4Kseh7W9KA9IZJ1+TMrzWUEwvOOXi" b"wT23pbaWWXG4NaM7vssWfZBnvz3S174TCXnJ+DSccvWBFnKP0KchzLKxbg== " b"root@cloud-server-01" ) key = load_ssh_public_key(ssh_key, backend) expected_x = int( "54124123120178189598842622575230904027376313369742467279346415219" "77809037378785192537810367028427387173980786968395921877911964629" "142163122798974160187785455", 10 ) expected_y = int( "16111775122845033200938694062381820957441843014849125660011303579" "15284560361402515564433711416776946492019498546572162801954089916" "006665939539407104638103918", 10 ) assert key.public_numbers() == ec.EllipticCurvePublicNumbers( expected_x, expected_y, ec.SECP521R1() )
def test_load_invalid_public_ec_key_from_numbers(self, backend): _skip_curve_unsupported(backend, ec.SECP521R1()) # Bad X coordinate numbers = ec.EllipticCurvePublicNumbers( int( "000003647356b91f8ace114c7247ecf4f4a622553fc025e04a178f179ef27" "9090c184af678a4c78f635483bdd8aa544851c6ef291c1f0d6a241ebfd145" "77d1d30d9903ce", 16), int( "000001499bc7e079322ea0fcfbd6b40103fa6a1536c2257b182db0df4b369" "6ec643adf100eb4f2025d1b873f82e5a475d6e4400ba777090eeb4563a115" "09e4c87319dc26", 16), ec.SECP521R1()) with pytest.raises(ValueError): numbers.public_key(backend) # Bad Y coordinate numbers = ec.EllipticCurvePublicNumbers( int( "0000019aadc221cc0525118ab6d5aa1f64720603de0be128cbfea0b381ad8" "02a2facc6370bb58cf88b3f0c692bc654ee19d6cad198f10d4b681b396f20" "d2e40603fa945b", 16), int( "0000025da392803a320717a08d4cb3dea932039badff363b71bdb8064e726" "6c7f4f4b748d4d425347fc33e3885d34b750fa7fcd5691f4d90c89522ce33" "feff5db10088a5", 16), ec.SECP521R1()) with pytest.raises(ValueError): numbers.public_key(backend)
def build_csr(self): if not self.private_key: if self.key_type == KeyTypes.RSA: self.private_key = rsa.generate_private_key( public_exponent=65537, key_size=self.key_length, backend=default_backend()) elif self.key_type == KeyTypes.ECDSA: if self.key_curve == "P521": curve = ec.SECP521R1() elif self.key_curve == "P384": curve = ec.SECP384R1() elif self.key_curve == "P256": curve = ec.SECP256R1() elif self.key_curve == "P224": curve = ec.SECP224R1() else: curve = ec.SECP521R1() self.private_key = ec.generate_private_key( curve, default_backend()) else: raise ClientBadData self.public_key_from_private() csr_builder = x509.CertificateSigningRequestBuilder() subject = [ x509.NameAttribute( NameOID.COMMON_NAME, self.common_name, ) ] csr_builder = csr_builder.subject_name(x509.Name(subject)) alt_names = [] if self.ip_addresses: for ip in self.ip_addresses: alt_names.append(x509.IPAddress(ipaddress.IPv4Address(ip))) if self.san_dns: for ns in self.san_dns: alt_names.append(x509.DNSName(ns)) if self.email_addresses: for mail in self.email_addresses: alt_names.append(x509.RFC822Name(mail)) csr_builder = csr_builder.add_extension( x509.SubjectAlternativeName(alt_names), critical=False, ) csr_builder = csr_builder.sign(self.private_key, hashes.SHA256(), default_backend()) self.csr = csr_builder.public_bytes( serialization.Encoding.PEM).decode() return
def test_autodetect_keytype(self): """ Test the autodetection of the key type """ private_key = generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend()) ec_private_key = ec.generate_private_key(ec.SECP256R1(), default_backend()) # Test when we give it the wrong algorithm type with self.assertRaises(scitokens.scitokens.UnsupportedKeyException): token = scitokens.SciToken(key=private_key, algorithm="ES256") # Test when we give it the wrong algorithm type with self.assertRaises(scitokens.scitokens.UnsupportedKeyException): token = scitokens.SciToken(key=ec_private_key, algorithm="RS256") # Test when we give an unsupported algorithm unsupported_private_key = ec.generate_private_key( ec.SECP521R1(), default_backend()) with self.assertRaises(scitokens.scitokens.UnsupportedKeyException): token = scitokens.SciToken(key=unsupported_private_key) token = scitokens.SciToken(key=ec_private_key, algorithm="ES256") token.serialize(issuer="local")
def gen_key(alg): if alg == 'rsa': print('Generating new private key') size = int(input('Choose a bit size between [2048-4096]: ')) while not size >= 2048 and size <= 4096: print('Choose 2048, 3072, or 4096.') size = int(input('')) key = rsa.generate_private_key( public_exponent=65537, key_size=size, backend=default_backend() ) elif alg == 'ecc': curve = input('Use a p256, p384, or p521 curve? ') while not curve in ['p256','p384','p521']: colorize('red') curve = input('Use a p256, p384, or p521 curve? ') colorize_edit('reset') if curve == 'p256': key = ec.generate_private_key(ec.SECP256R1(), default_backend()) elif curve == 'p384': key = ec.generate_private_key(ec.SECP384R1(), default_backend()) elif curve == 'p521': key = ec.generate_private_key(ec.SECP521R1(), default_backend()) return key
def get_key_type_from_ec_curve(curve_name): """ Give an EC curve name, return the matching key_type. :param: curve_name :return: key_type """ _CURVE_TYPES = { ec.SECP192R1().name: "ECCPRIME192V1", ec.SECP256R1().name: "ECCPRIME256V1", ec.SECP224R1().name: "ECCSECP224R1", ec.SECP384R1().name: "ECCSECP384R1", ec.SECP521R1().name: "ECCSECP521R1", ec.SECP256K1().name: "ECCSECP256K1", ec.SECT163K1().name: "ECCSECT163K1", ec.SECT233K1().name: "ECCSECT233K1", ec.SECT283K1().name: "ECCSECT283K1", ec.SECT409K1().name: "ECCSECT409K1", ec.SECT571K1().name: "ECCSECT571K1", ec.SECT163R2().name: "ECCSECT163R2", ec.SECT233R1().name: "ECCSECT233R1", ec.SECT283R1().name: "ECCSECT283R1", ec.SECT409R1().name: "ECCSECT409R1", ec.SECT571R1().name: "ECCSECT571R2", } if curve_name in _CURVE_TYPES.keys(): return _CURVE_TYPES[curve_name] else: return None
def generateCertClient(self, client_id): password = "******" #self.privKey = rsa.generate_private_key(65537, 2048, default_backend()) self.privKey = ec.generate_private_key(ec.SECP521R1(), default_backend()) self.pubKey = self.privKey.public_key() #encoding_privKey = self.privKey.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.BestAvailableEncryption(bytes(password, "utf-8"))) encoding_privKey = self.privKey.private_bytes( serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption()) #encoding_pubKey = self.pubKey.public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo) encoding_pubKey = self.pubKey.public_bytes( serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo) # Guardar chaves file = open("security/KEYS/privKeyClient" + str(client_id) + ".PEM", "wb") file.write(encoding_privKey) file.close() # Guardar certificados num ficheiro (publico) file = open("security/KEYS/pubKeyClient" + str(client_id) + ".PEM", "wb") file.write(encoding_pubKey) file.close() key = {'pubKey': encoding_pubKey, 'privKey': encoding_privKey} return key
def _load_ssh_ecdsa_public_key(expected_key_type, decoded_data, backend): curve_name, rest = _read_next_string(decoded_data) data, rest = _read_next_string(rest) if expected_key_type != b"ecdsa-sha2-" + curve_name: raise ValueError( 'Key header and key body contain different key type values.' ) if rest: raise ValueError('Key body contains extra bytes.') if curve_name == b"nistp256": curve = ec.SECP256R1() elif curve_name == b"nistp384": curve = ec.SECP384R1() elif curve_name == b"nistp521": curve = ec.SECP521R1() if six.indexbytes(data, 0) != 4: raise NotImplementedError( "Compressed elliptic curve points are not supported" ) # key_size is in bits, and sometimes it's not evenly divisible by 8, so we # add 7 to round up the number of bytes. if len(data) != 1 + 2 * ((curve.key_size + 7) // 8): raise ValueError("Malformed key bytes") x = _int_from_bytes(data[1:1 + (curve.key_size + 7) // 8], byteorder='big') y = _int_from_bytes(data[1 + (curve.key_size + 7) // 8:], byteorder='big') return ec.EllipticCurvePublicNumbers(x, y, curve).public_key(backend)
class ECDH: _ec_groups = { Transform.DhId.DH_19: ec.SECP256R1(), Transform.DhId.DH_20: ec.SECP384R1(), Transform.DhId.DH_21: ec.SECP521R1(), } backend = cryptography.hazmat.backends.openssl.backend def __init__(self, group): self.group = group self._private_key = ec.generate_private_key(self._ec_groups[group], backend=self.backend) # Trick to get the ceil of the division self.key_len = (self._private_key.key_size + 7) // 8 self.shared_secret = None public_numbers = self._private_key.public_key().public_numbers() self.public_key = (public_numbers.x.to_bytes(self.key_len, 'big') + public_numbers.y.to_bytes(self.key_len, 'big')) def compute_secret(self, peer_public_key): x = int.from_bytes(peer_public_key[:self.key_len], 'big') y = int.from_bytes(peer_public_key[self.key_len:], 'big') peer_public_numbers = ec.EllipticCurvePublicNumbers(x, y, self._ec_groups[self.group]) peer_public_key = peer_public_numbers.public_key(self.backend) self.shared_secret = self._private_key.exchange(ec.ECDH(), peer_public_key)
def pack_secp521r1(self) -> bytes: private_key: ec.EllipticCurvePrivateKey = ec.generate_private_key(ec.SECP521R1(), default_backend()) public_key: ec.EllipticCurvePublicKey = private_key.public_key() self.private = private_key self.public = public_key.public_bytes(encoding=serialization.Encoding.X962, format=serialization.PublicFormat.UncompressedPoint) return self.public
class Curve(Enum): P224 = ec.SECP224R1() P256 = ec.SECP256R1() P384 = ec.SECP384R1() P521 = ec.SECP521R1() @staticmethod def from_label(label: int): label = bytes([label]) if Curve.P224.value == label: return Curve.P224.name elif Curve.P256.value == label: return Curve.P256.name elif Curve.P384.value == label: return Curve.P384.name elif Curve.P521.value == label: return Curve.P521.name else: raise SDKException(ErrorCode.unknown_asymmetric_key_type) @staticmethod def from_str_curve(str_curve: str): if not isinstance(str_curve, str): raise SDKException(ErrorCode.require_str_params) if str_curve == 'P224': return Curve.P224 elif str_curve == 'P256': return Curve.P256 elif str_curve == 'P384': return Curve.P384 elif str_curve == 'P521': return Curve.P521 else: raise SDKException(ErrorCode.unknown_asymmetric_key_type)
def from_jwk(jwk): try: if isinstance(jwk, str): obj = json.loads(jwk) elif isinstance(jwk, dict): obj = jwk else: raise ValueError except ValueError: raise InvalidKeyError("Key is not valid JSON") if obj.get("kty") != "EC": raise InvalidKeyError("Not an Elliptic curve key") if "x" not in obj or "y" not in obj: raise InvalidKeyError("Not an Elliptic curve key") x = base64url_decode(obj.get("x")) y = base64url_decode(obj.get("y")) curve = obj.get("crv") if curve == "P-256": if len(x) == len(y) == 32: curve_obj = ec.SECP256R1() else: raise InvalidKeyError( "Coords should be 32 bytes for curve P-256") elif curve == "P-384": if len(x) == len(y) == 48: curve_obj = ec.SECP384R1() else: raise InvalidKeyError( "Coords should be 48 bytes for curve P-384") elif curve == "P-521": if len(x) == len(y) == 66: curve_obj = ec.SECP521R1() else: raise InvalidKeyError( "Coords should be 66 bytes for curve P-521") else: raise InvalidKeyError(f"Invalid curve: {curve}") public_numbers = ec.EllipticCurvePublicNumbers( x=int.from_bytes(x, byteorder="big"), y=int.from_bytes(y, byteorder="big"), curve=curve_obj, ) if "d" not in obj: return public_numbers.public_key() d = base64url_decode(obj.get("d")) if len(d) != len(x): raise InvalidKeyError("D should be {} bytes for curve {}", len(x), curve) return ec.EllipticCurvePrivateNumbers( int.from_bytes(d, byteorder="big"), public_numbers).private_key()
def verify(self, message, signature): if self[-1] != 1: raise ValueError("Unsupported elliptic curve") ec.EllipticCurvePublicNumbers(bytes2int(self[-2]), bytes2int(self[-3]), ec.SECP521R1()).public_key( default_backend()).verify( signature, message, ec.ECDSA(self._HASH_ALG))
def load_ec_pub_key(): with open(os.path.join(BASE_PATH, 'jwk_ec_pub.json'), 'r') as infile: keyobj = json.load(infile) return ec.EllipticCurvePublicNumbers(x=decode_value(keyobj['x']), y=decode_value(keyobj['y']), curve=ec.SECP521R1()).public_key( default_backend())
def _crv_to_curve(cls, crv: str) -> ec.EllipticCurve: # crv is case-sensitive if crv == 'P-256': return ec.SECP256R1() if crv == 'P-384': return ec.SECP384R1() if crv == 'P-521': return ec.SECP521R1() raise errors.DeserializationError()
def _get_curve_by_name(self, name): if name == 'P-256': return ec.SECP256R1() elif name == 'P-384': return ec.SECP384R1() elif name == 'P-521': return ec.SECP521R1() else: raise InvalidJWKValue('Unknown Elliptic Curve Type')
def load_ec_pub_key_p_521(): with open(os.path.join(BASE_PATH, "jwk_ec_pub_P-521.json")) as infile: keyobj = json.load(infile) return ec.EllipticCurvePublicNumbers( x=decode_value(keyobj["x"]), y=decode_value(keyobj["y"]), curve=ec.SECP521R1(), ).public_key()
def _create_single_token(cls, user, fingerprint, issuer_ip_address, token_type='access', meta=None): token_id = str(uuid.uuid4()) private_key = ec.generate_private_key(ec.SECP521R1(), default_backend()) public_key = private_key.public_key() rsa_pem = public_key.public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo).decode() if meta is not None: device = meta.get('device') platform = meta.get('platform') browser = meta.get('browser') else: device, platform, browser = None, None, None payload = { "userid": user.id, "username": user.username, 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=settings.TOKEN_MINUTES), "iss": "ceteus:security", "type": token_type, 'iat': datetime.datetime.utcnow() } token = jwt.encode(payload, private_key, algorithm='ES512', headers={'tokenid': token_id}) cls.objects.create(user=user, token_id=token_id, token_type=token_type, token_secret=rsa_pem, fingerprint=fingerprint, device=device, platform=platform, browser=browser, issuer_ip_address=issuer_ip_address) return token
def generate_private_key(key_type): """ Generates a new private key based on key_type. Valid key types: RSA2048, RSA4096', 'ECCPRIME192V1', 'ECCPRIME256V1', 'ECCSECP192R1', 'ECCSECP224R1', 'ECCSECP256R1', 'ECCSECP384R1', 'ECCSECP521R1', 'ECCSECP256K1', 'ECCSECT163K1', 'ECCSECT233K1', 'ECCSECT283K1', 'ECCSECT409K1', 'ECCSECT571K1', 'ECCSECT163R2', 'ECCSECT233R1', 'ECCSECT283R1', 'ECCSECT409R1', 'ECCSECT571R2' :param key_type: :return: """ _CURVE_TYPES = { "ECCPRIME192V1": ec.SECP192R1(), "ECCPRIME256V1": ec.SECP256R1(), "ECCSECP192R1": ec.SECP192R1(), "ECCSECP224R1": ec.SECP224R1(), "ECCSECP256R1": ec.SECP256R1(), "ECCSECP384R1": ec.SECP384R1(), "ECCSECP521R1": ec.SECP521R1(), "ECCSECP256K1": ec.SECP256K1(), "ECCSECT163K1": ec.SECT163K1(), "ECCSECT233K1": ec.SECT233K1(), "ECCSECT283K1": ec.SECT283K1(), "ECCSECT409K1": ec.SECT409K1(), "ECCSECT571K1": ec.SECT571K1(), "ECCSECT163R2": ec.SECT163R2(), "ECCSECT233R1": ec.SECT233R1(), "ECCSECT283R1": ec.SECT283R1(), "ECCSECT409R1": ec.SECT409R1(), "ECCSECT571R2": ec.SECT571R1(), } if key_type not in CERTIFICATE_KEY_TYPES: raise Exception("Invalid key type: {key_type}. Supported key types: {choices}".format( key_type=key_type, choices=",".join(CERTIFICATE_KEY_TYPES) )) if 'RSA' in key_type: key_size = int(key_type[3:]) return rsa.generate_private_key( public_exponent=65537, key_size=key_size, backend=default_backend() ) elif 'ECC' in key_type: return ec.generate_private_key( curve=_CURVE_TYPES[key_type], backend=default_backend() )
def generate_ec_private_key(cls, crv, **properties): if crv == PbWKTypeECCurve.P_256: curve = ec.SECP256R1() elif crv == PbWKTypeECCurve.P_384: curve = ec.SECP384R1() elif crv == PbWKTypeECCurve.P_521: curve = ec.SECP521R1() else: raise TypeError() key = ec.generate_private_key(curve, default_backend()) return cls.from_key(key, **properties)
def from_jwk(jwk): try: obj = json.loads(jwk) except ValueError: raise InvalidKeyError('Key is not valid JSON') if obj.get('kty') != 'EC': raise InvalidKeyError('Not an Elliptic curve key') if 'x' not in obj or 'y' not in obj: raise InvalidKeyError('Not an Elliptic curve key') x = base64url_decode(force_bytes(obj.get('x'))) y = base64url_decode(force_bytes(obj.get('y'))) curve = obj.get('crv') if curve == 'P-256': if len(x) == len(y) == 32: curve_obj = ec.SECP256R1() else: raise InvalidKeyError( "Coords should be 32 bytes for curve P-256") elif curve == 'P-384': if len(x) == len(y) == 48: curve_obj = ec.SECP384R1() else: raise InvalidKeyError( "Coords should be 48 bytes for curve P-384") elif curve == 'P-521': if len(x) == len(y) == 66: curve_obj = ec.SECP521R1() else: raise InvalidKeyError( "Coords should be 66 bytes for curve P-521") else: raise InvalidKeyError("Invalid curve: {}".format(curve)) public_numbers = ec.EllipticCurvePublicNumbers( x=int_from_bytes(x, 'big'), y=int_from_bytes(y, 'big'), curve=curve_obj) if 'd' not in obj: return public_numbers.public_key(default_backend()) d = base64url_decode(force_bytes(obj.get('d'))) if len(d) != len(x): raise InvalidKeyError("D should be {} bytes for curve {}", len(x), curve) return ec.EllipticCurvePrivateNumbers(int_from_bytes( d, 'big'), public_numbers).private_key(default_backend())
def test_for_curve(self): self.assertEqual(ALGORITHM.for_curve(ec.SECP224R1()), ALGORITHM.EC_P224) self.assertEqual(ALGORITHM.for_curve(ec.SECP256R1()), ALGORITHM.EC_P256) self.assertEqual(ALGORITHM.for_curve(ec.SECP384R1()), ALGORITHM.EC_P384) self.assertEqual(ALGORITHM.for_curve(ec.SECP521R1()), ALGORITHM.EC_P521) self.assertEqual(ALGORITHM.for_curve(ec.SECP256K1()), ALGORITHM.EC_K256) self.assertEqual(ALGORITHM.for_curve(BRAINPOOLP256R1()), ALGORITHM.EC_BP256) self.assertEqual(ALGORITHM.for_curve(BRAINPOOLP384R1()), ALGORITHM.EC_BP384) self.assertEqual(ALGORITHM.for_curve(BRAINPOOLP512R1()), ALGORITHM.EC_BP512)
def test_private_numbers_ne(self): pub = ec.EllipticCurvePublicNumbers(1, 2, ec.SECP192R1()) priv = ec.EllipticCurvePrivateNumbers(1, pub) assert priv != ec.EllipticCurvePrivateNumbers( 2, ec.EllipticCurvePublicNumbers(1, 2, ec.SECP192R1())) assert priv != ec.EllipticCurvePrivateNumbers( 1, ec.EllipticCurvePublicNumbers(2, 2, ec.SECP192R1())) assert priv != ec.EllipticCurvePrivateNumbers( 1, ec.EllipticCurvePublicNumbers(1, 3, ec.SECP192R1())) assert priv != ec.EllipticCurvePrivateNumbers( 1, ec.EllipticCurvePublicNumbers(1, 2, ec.SECP521R1())) assert priv != object()
def extract_key(self): if self.kty == PbWKType.EC: if self.kty_prop_ec.crv == PbWKTypeECCurve.P_256: key_size = 256 x = BitArray(bytes=self.kty_prop_ec.x, length=key_size).uint y = BitArray(bytes=self.kty_prop_ec.y, length=key_size).uint public_numbers = ec.EllipticCurvePublicNumbers( x, y, ec.SECP256R1()) elif self.kty_prop_ec.crv == PbWKTypeECCurve.P_384: key_size = 384 x = BitArray(bytes=self.kty_prop_ec.x, length=key_size).uint y = BitArray(bytes=self.kty_prop_ec.y, length=key_size).uint public_numbers = ec.EllipticCurvePublicNumbers( x, y, ec.SECP384R1()) elif self.kty_prop_ec.crv == PbWKTypeECCurve.P_521: key_size = 521 x = BitArray(bytes=self.kty_prop_ec.x, length=key_size).uint y = BitArray(bytes=self.kty_prop_ec.y, length=key_size).uint public_numbers = ec.EllipticCurvePublicNumbers( x, y, ec.SECP521R1()) # return private_key or public_key if self.kty_prop_ec.d: d = BitArray(bytes=self.kty_prop_ec.d, length=key_size).uint private_numbers = ec.EllipticCurvePrivateNumbers( d, public_numbers) key = private_numbers.private_key(default_backend()) else: key = public_numbers.public_key(default_backend()) elif self.kty == PbWKType.RSA: n = BitArray(bytes=self.kty_prop_rsa.n).uint e = BitArray(bytes=self.kty_prop_rsa.e).uint public_numbers = rsa.RSAPublicNumbers(e, n) # return private_key or public_key if self.kty_prop_rsa.d: d = BitArray(bytes=self.kty_prop_rsa.d).uint p = BitArray(bytes=self.kty_prop_rsa.p).uint q = BitArray(bytes=self.kty_prop_rsa.q).uint dmp1 = BitArray(bytes=self.kty_prop_rsa.dp).uint dmq1 = BitArray(bytes=self.kty_prop_rsa.dq).uint iqmp = BitArray(bytes=self.kty_prop_rsa.qi).uint private_numbers = rsa.RSAPrivateNumbers( p, q, d, dmp1, dmq1, iqmp, public_numbers) key = private_numbers.private_key(default_backend()) else: key = public_numbers.public_key(default_backend()) elif self.kty == PbWKType.OCT: key_size = len(self.kty_prop_oct.k) * 8 assert (key_size % 8 == 0) key = BitArray(bytes=self.kty_prop_oct.k, length=key_size).bytes else: raise TypeError() return key
def test_signer_es512(): payload = "Please take a moment to register today" eck = ec.generate_private_key(ec.SECP521R1(), default_backend()) _key = ECKey().load_key(eck) keys = [_key] # keys[0]._keytype = "private" _jws = JWS(payload, alg="ES512") _jwt = _jws.sign_compact(keys) _pubkey = ECKey().load_key(eck.public_key()) _rj = JWS() info = _rj.verify_compact(_jwt, [_pubkey]) assert info == payload
def _get_curve_by_name(self, name): if name == 'P-256': return ec.SECP256R1() elif name == 'P-384': return ec.SECP384R1() elif name == 'P-521': return ec.SECP521R1() elif name == 'secp256k1': return ec.SECP256K1() elif name in _OKP_CURVES_TABLE: return name else: raise InvalidJWKValue('Unknown Elliptic Curve Type')
def ecc_key(self,key_size_length_change,key_name): if key_size_length_change == 1: curve = ec.SECP256R1() elif key_size_length_change == 2: curve = ec.SECP384R1() elif key_size_length_change == 3: curve = ec.SECP521R1() key = ec.generate_private_key(curve=curve,backend=default_backend()) with open(key_name+".key","wb") as f: f.write(key.private_bytes(encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(),))
def _curve_from_curve_id(cid: int) -> EllipticCurve: if cid == TPM_ECC_NIST_P192: return crypto_ec.SECP192R1() if cid == TPM_ECC_NIST_P224: return crypto_ec.SECP224R1() if cid == TPM_ECC_NIST_P256: return crypto_ec.SECP256R1() if cid == TPM_ECC_NIST_P384: return crypto_ec.SECP384R1() if cid == TPM_ECC_NIST_P521: return crypto_ec.SECP521R1() raise ValueError(f"Invalid curve id {cid} requested")
def _load_ecdsa(key, is_verifier): if key.get('kty') != 'EC': raise JWKError('Not an Elliptic curve key') if 'x' not in key or 'y' not in key: raise JWKError('Not an Elliptic curve key') x = base64.urlsafe_b64decode(key.get('x')) y = base64.urlsafe_b64decode(key.get('y')) curve = key.get('crv') if curve == 'P-256': if len(x) == len(y) == 32: alg = 'ES256' curve_obj = ec.SECP256R1() else: raise JWKError("Coords should be 32 bytes for curve P-256") elif curve == 'P-384': if len(x) == len(y) == 48: alg = "ES384" curve_obj = ec.SECP384R1() else: raise JWKError("Coords should be 48 bytes for curve P-384") elif curve == 'P-521': if len(x) == len(y) == 66: alg = "ES512" curve_obj = ec.SECP521R1() else: raise JWKError("Coords should be 66 bytes for curve P-521") else: raise JWKError("Invalid curve: {}".format(curve)) public_numbers = ec.EllipticCurvePublicNumbers(x=int_from_bytes(x, 'big'), y=int_from_bytes(y, 'big'), curve=curve_obj) if not is_verifier: if 'd' not in key: raise JWKError("Signing ECDSA keys must contain private key") d = base64.urlsafe_b64decode(key.get('d')) if len(d) != len(x): raise JWKError("D should be {} bytes for curve {}", len(x), curve) key = ec.EllipticCurvePrivateNumbers(int_from_bytes( d, 'big'), public_numbers).private_key(default_backend()) else: key = public_numbers.public_key(default_backend()) return alg, key
def to_curve(self): if self == TpmEccCurve.NONE: raise ValueError("No such curve") elif self == TpmEccCurve.NIST_P192: return ec.SECP192R1() elif self == TpmEccCurve.NIST_P224: return ec.SECP224R1() elif self == TpmEccCurve.NIST_P256: return ec.SECP256R1() elif self == TpmEccCurve.NIST_P384: return ec.SECP384R1() elif self == TpmEccCurve.NIST_P521: return ec.SECP521R1() raise ValueError("curve is not supported", self)