def create_cert(subject_com_name, subject_bumen_name, subject_zuzhi_name, subject_city_name, subject_shengfen_name, subject_guojia_name, issuer_com_name, issuer_zuzhi_name, issuer_guojia_name, root_flag, before_time, after_time, mysf, beiyong_name, myqd, qmsf, key_pass): key = None builder = None certificate = None try: if subject_bumen_name: builder = x509.CertificateBuilder().subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, subject_guojia_name), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, subject_shengfen_name), x509.NameAttribute(NameOID.LOCALITY_NAME, subject_city_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, subject_zuzhi_name), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, subject_bumen_name), x509.NameAttribute(NameOID.COMMON_NAME, subject_com_name), ])) else: builder = x509.CertificateBuilder().subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, subject_guojia_name), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, subject_shengfen_name), x509.NameAttribute(NameOID.LOCALITY_NAME, subject_city_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, subject_zuzhi_name), x509.NameAttribute(NameOID.COMMON_NAME, subject_com_name), ])) except Exception as e: print(e) return {'error': False, 'msg': u'提交内容错误!'} # 添加issuer信息 builder = builder.issuer_name( x509.Name([ x509.NameAttribute(NameOID.COMMON_NAME, issuer_com_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, issuer_zuzhi_name), x509.NameAttribute(NameOID.COUNTRY_NAME, issuer_guojia_name), ])) # 其他杂项 ############## try: builder = builder.not_valid_before( datetime.datetime.strptime(before_time, '%Y-%m-%d %H:%M:%S')) builder = builder.not_valid_after( datetime.datetime.strptime(after_time, '%Y-%m-%d %H:%M:%S')) except Exception as e: return {'error': False, 'msg': u'过期时间小于颁发时间!'} builder = builder.serial_number(x509.random_serial_number()) ################## try: dns_name = [x509.DNSName(i) for i in beiyong_name.split(',')] except Exception as e: print(e) return {'error': False, 'msg': u'备用名请用逗号隔开!'} builder = builder.add_extension(x509.SubjectAlternativeName(dns_name), critical=False) builder = builder.add_extension( x509.BasicConstraints(ca=root_flag, path_length=None), critical=True, ) ######################### ######################### if mysf == 'RSA': private_key = rsa.generate_private_key(public_exponent=65537, key_size=int(myqd), backend=default_backend()) builder = builder.public_key(private_key.public_key()) if key_pass: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.BestAvailableEncryption( key_pass), ) else: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) if qmsf == 'MD5': certificate = builder.sign(private_key=private_key, algorithm=hashes.MD5(), backend=default_backend()) elif qmsf == 'SHA1': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA1(), backend=default_backend()) elif qmsf == 'SHA224': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA224(), backend=default_backend()) elif qmsf == 'SHA256': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) elif qmsf == 'SHA384': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA384(), backend=default_backend()) elif qmsf == 'SHA512': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA512(), backend=default_backend()) else: certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA1(), backend=default_backend()) return { 'error': True, 'cert': certificate.public_bytes(serialization.Encoding.PEM), 'priv_key': key } elif mysf == 'DSA': private_key = dsa.generate_private_key(key_size=int(myqd), backend=default_backend()) builder = builder.public_key(private_key.public_key()) if key_pass: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.BestAvailableEncryption( key_pass), ) else: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) if qmsf == 'SHA1': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA1(), backend=default_backend()) elif qmsf == 'SHA224': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA224(), backend=default_backend()) elif qmsf == 'SHA256': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) else: certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA1(), backend=default_backend()) return { 'error': True, 'cert': certificate.public_bytes(serialization.Encoding.PEM), 'priv_key': key } elif mysf == 'ECDSA': if myqd == 'P192': private_key = ec.generate_private_key(curve=ec.SECP192R1(), backend=default_backend()) builder = builder.public_key(private_key.public_key()) elif myqd == 'P224': private_key = ec.generate_private_key(curve=ec.SECP224R1(), backend=default_backend()) builder = builder.public_key(private_key.public_key()) elif myqd == 'P256': private_key = ec.generate_private_key(curve=ec.SECP256R1(), backend=default_backend()) builder = builder.public_key(private_key.public_key()) elif myqd == 'P384': private_key = ec.generate_private_key(curve=ec.SECP384R1(), backend=default_backend()) builder = builder.public_key(private_key.public_key()) elif myqd == 'P521': private_key = ec.generate_private_key(curve=ec.SECP521R1(), backend=default_backend()) builder = builder.public_key(private_key.public_key()) else: private_key = ec.generate_private_key(curve=ec.SECP256R1(), backend=default_backend()) builder = builder.public_key(private_key.public_key()) if key_pass: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.BestAvailableEncryption( key_pass), ) else: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) if qmsf == 'SHA1': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA1(), backend=default_backend()) elif qmsf == 'SHA224': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA224(), backend=default_backend()) elif qmsf == 'SHA256': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()) elif qmsf == 'SHA384': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA384(), backend=default_backend()) elif qmsf == 'SHA512': certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA512(), backend=default_backend()) else: certificate = builder.sign(private_key=private_key, algorithm=hashes.SHA1(), backend=default_backend()) return { 'error': True, 'cert': certificate.public_bytes(serialization.Encoding.PEM), 'priv_key': key }
class RSACrypto(object): """RSACrypto.""" ALGORITHM_DICT = { 'sha1': hashes.SHA1(), 'sha224': hashes.SHA224(), 'sha256': hashes.SHA256(), 'sha384': hashes.SHA384(), 'sha512': hashes.SHA512() } @staticmethod def generate_private_key(key_size): """Generate rsa private key.""" private_key = rsa.generate_private_key(public_exponent=65537, key_size=key_size, backend=default_backend()) return private_key @staticmethod def dump_private_key_pem(private_key): """Dump private key pem.""" pem = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) return pem.decode() @staticmethod def dump_public_key_pem(public_key): """Dump public key pem.""" pem = public_key.public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) return pem.decode() @classmethod def signing(cls, message, private_key, algorithm='sha1'): """signing.""" if not isinstance(message, bytes): message = message.encode() algorithm = cls.ALGORITHM_DICT.get(algorithm) signer = private_key.signer( padding.PSS(mgf=padding.MGF1(algorithm), salt_length=padding.PSS.MAX_LENGTH), algorithm) signer.update(message) return signer.finalize() @classmethod def verification(cls, message, signature, public_key, algorithm='sha1'): """Verification.""" if not isinstance(message, bytes): message = message.encode() algorithm = cls.ALGORITHM_DICT.get(algorithm) verifier = public_key().verifier( signature, padding.PSS(mgf=padding.MGF1(algorithm), salt_length=padding.PSS.MAX_LENGTH), algorithm) verifier.update(message) return verifier.verify() @classmethod def encrypt(cls, message, public_key, algorithm='sha1'): """Public key encrypt.""" if not isinstance(message, bytes): message = message.encode() algorithm = cls.ALGORITHM_DICT.get(algorithm) ciphertext = public_key.encrypt( message, padding.OAEP(mgf=padding.MGF1(algorithm=algorithm), algorithm=algorithm, label=None)) return ciphertext @classmethod def decrypt(cls, ciphertext, private_key, algorithm='sha1'): """Private key descrption.""" algorithm = cls.ALGORITHM_DICT.get(algorithm) plaintext = private_key.decrypt( ciphertext, padding.OAEP(mgf=padding.MGF1(algorithm=algorithm), algorithm=algorithm, label=None)) return plaintext.decode()
# This file is dual licensed under the terms of the Apache License, Version # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. from __future__ import absolute_import, division, print_function import binascii import pytest from cryptography.exceptions import InvalidSignature from cryptography.hazmat.primitives import hashes, hmac _HMAC_ALGORITHMS = { "HMACSHA1": hashes.SHA1(), "HMACSHA224": hashes.SHA224(), "HMACSHA256": hashes.SHA256(), "HMACSHA384": hashes.SHA384(), "HMACSHA512": hashes.SHA512(), "HMACSHA3-224": hashes.SHA3_224(), "HMACSHA3-256": hashes.SHA3_256(), "HMACSHA3-384": hashes.SHA3_384(), "HMACSHA3-512": hashes.SHA3_512(), } @pytest.mark.wycheproof_tests( "hmac_sha1_test.json", "hmac_sha224_test.json", "hmac_sha256_test.json", "hmac_sha384_test.json",
class SiriusAPICrypto(): """ SiriusAPICrypto class, implement crypto API of Sirius """ VERBOSE = False # SHA sha_dict = { "SHA1": 0, "SHA224": 1, "SHA256": 2, "SHA384": 3, "SHA512": 4, } sha_functions = { "SHA1": hashes.SHA1(), "SHA224": hashes.SHA224(), "SHA256": hashes.SHA256(), "SHA384": hashes.SHA384(), "SHA512": hashes.SHA512(), } # ECDSA ecdsa_curve = { "secp256k1": 0, "secp256r1": 0, } ecdsa_sha_functions = { "SHA1": 0, "SHA256": 1, } # DSA dsa_sha_functions = { "SHA1": 0, "SHA256": 1, } # AES aes_key_length = [16, 24, 32] aes_mode = { "ECB_ENC": 0, "ECB_DEC": 1, "CBC_ENC": 2, "CBC_DEC": 3, "OFB_ENC": 4, "OFB_DEC": 5, "CFB_ENC": 6, "CFB_DEC": 7, } aes_block_size = 16 # TDES tdes_key_length = [8, 16, 24] tdes_mode = { "ECB_ENC": 0, "ECB_DEC": 1, "CBC_ENC": 2, "CBC_DEC": 3, "OFB_ENC": 4, "OFB_DEC": 5, "CFB_ENC": 6, "CFB_DEC": 7, } tdes_block_size = 8 # CMAC cmac_operation = { "TDES": 0, "AES": 1, } cmac_key_length = {"TDES": tdes_key_length, "AES": aes_key_length} # RSA rsa_operations = { "ENC": 0, "DEC": 1, } def __init__(self, bluefin_serial, verbose=False): """ """ self._datalink = bluefin_serial self.VERBOSE = verbose @staticmethod def getShaMethodList(): ret = [] for key in SiriusAPICrypto.sha_dict: ret.append(key) return ret @staticmethod def getShaMethodStr(): return ', '.join([ '%s' % (key) for (key, value) in SiriusAPICrypto.sha_dict.items() ]) def Trng(self, target, numberOfBytes): """ """ sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target) trng_package = struct.pack('<B', numberOfBytes) cmd = pkt.Packet('\x8b', '\x0e', trng_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("Trng serial API fail, code 0x%02x" % ord(rsp[2])) return None return rsp[3:] def Sha(self, target, method, message, selfCheck=False, verbose=False): """ SHA digest API method: <str> method of hashing message: <str> message to be hased isApp: <bool> if true, will send to Application processor """ if method not in SiriusAPICrypto.sha_dict: print_err("Invalid method: %s" % method) return None sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=verbose) sha_package = struct.pack('<B', SiriusAPICrypto.sha_dict[method]) + message cmd = pkt.Packet('\x8b', '\x4e', sha_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("Sha serial API fail, code 0x%02x" % ord(rsp[2])) return None # Check with our result if selfCheck: digest = hashes.Hash(SiriusAPICrypto.sha_functions[method], backend=default_backend()) digest.update(message) ourResult = digest.finalize() theirResult = rsp[3:] if len(theirResult) != len(ourResult): print_err("Wrong length, our: %d, their: %d" % (len(ourResult), len(theirResult))) return None if theirResult != ourResult: print_err("Wrong value") dump_hex(ourResult, "Ours: ") dump_hex(theirResult, "Theirs: ") return None if verbose: dump_hex(rsp[3:], "Sha serial return: ") return rsp[3:] def KeyDownload(self, target, DSS_p=None, DSS_q=None, DSS_g=None, DSS_y=None, DSS_x=None, ECDSA_x=None, ECDSA_y=None, ECDSA_pri=None, RSA_p=None, RSA_q=None, RSA_n=None, RSA_d=None, RSA_e=None, verbose=False): info = MlsKeyTlv(verbose=self.VERBOSE) if DSS_p is not None: info.AddValList('DSS_p', DSS_p) if DSS_q is not None: info.AddValList('DSS_q', DSS_q) if DSS_g is not None: info.AddValList('DSS_g', DSS_g) if DSS_y is not None: info.AddValList('DSS_y', DSS_y) if DSS_x is not None: info.AddValList('DSS_x', DSS_x) if ECDSA_x is not None: info.AddValList('ECDSA_x', ECDSA_x) if ECDSA_y is not None: info.AddValList('ECDSA_y', ECDSA_y) if ECDSA_pri is not None: info.AddValList('ECDSA_pri', ECDSA_pri) if RSA_n is not None: info.AddValList('RSA_n', RSA_n) if RSA_d is not None: info.AddValList('RSA_d', RSA_d) if RSA_p is not None: info.AddValList('RSA_p', RSA_p) if RSA_q is not None: info.AddValList('RSA_q', RSA_q) if RSA_e is not None: # RSA_e should be a number if isinstance(RSA_e, int): RSA_e_str = struct.pack('>I', RSA_e) info.AddValList('RSA_e', RSA_e_str) elif isinstance(RSA_e, str): info.AddValList('RSA_e', RSA_e) else: print_err("Invalid value of RSA_e, abort") return None sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF for item in info.ValList(): pkt = BluefinserialCommand(sirius_target, verbose=verbose) cmd = pkt.Packet('\x8b', '\x46', item) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("Key download fail, code 0x%02x" % ord(rsp[2])) return None return True def EcdsaSign(self, target, curve, hashAlgo, message, verbose=False): """ return: + signature if success + None if fail """ if curve not in SiriusAPICrypto.ecdsa_curve: print_err("Invalid curve: %s" % curve) return None if hashAlgo not in SiriusAPICrypto.ecdsa_sha_functions: print_err("Invalid hash: %s" % hashAlgo) return None sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=verbose) ecdsa_sign_package = struct.pack( '<BBBHB', 0, # operation: sign SiriusAPICrypto.ecdsa_curve[curve], # curve SiriusAPICrypto.ecdsa_sha_functions[hashAlgo], # sha len(message), # message len 0 # no signature ) + message cmd = pkt.Packet('\x8b', '\x4a', ecdsa_sign_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("ECDSA sign fail, code 0x%02x" % ord(rsp[2])) return None if verbose: dump_hex(rsp[3:], "signature: ") return rsp[3:] def EcdsaVerify(self, target, curve, hashAlgo, message, signature, verbose=False): """ return: + True if verify ok + False if verify fail + None if communication error """ if curve not in SiriusAPICrypto.ecdsa_curve: print_err("Invalid curve: %s" % curve) return None if hashAlgo not in SiriusAPICrypto.ecdsa_sha_functions: print_err("Invalid hash: %s" % hashAlgo) return None sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=verbose) ecdsa_sign_package = struct.pack( '<BBBHB', 1, # operation: verify SiriusAPICrypto.ecdsa_curve[curve], # curve SiriusAPICrypto.ecdsa_sha_functions[hashAlgo], # sha len(message), # message len len(signature) # no signature ) + message + signature cmd = pkt.Packet('\x8b', '\x4a', ecdsa_sign_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("ECDSA verify fail, code 0x%02x" % ord(rsp[2])) return None if verbose: print("Verify status: %s" % ("ok" if ord(rsp[3]) == 0 else "failed")) return True if ord(rsp[3]) == 0 else False def DsaSign(self, target, hashAlgo, message, verbose=False): """ return: + signature if success + None if fail """ if hashAlgo not in SiriusAPICrypto.dsa_sha_functions: print_err("Invalid hash: %s" % curve) return None sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=False) dsa_sign_package = struct.pack( '<BBHB', 0, # operation: sign SiriusAPICrypto.dsa_sha_functions[hashAlgo], # sha len(message), # message len 0 # no signature ) + message cmd = pkt.Packet('\x8b', '\x48', dsa_sign_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("DSA sign fail, code 0x%02x" % ord(rsp[2])) return None if verbose: dump_hex(rsp[3:], "signature: ") return rsp[3:] def DsaVerify(self, target, hashAlgo, message, signature, verbose=False): """ return: + True if verify ok + False if verify fail + None if communication error """ if hashAlgo not in SiriusAPICrypto.dsa_sha_functions: print_err("Invalid hash: %s" % hashAlgo) return None sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=verbose) dsa_verify_package = struct.pack( '<BBHB', 1, # operation: verify SiriusAPICrypto.dsa_sha_functions[hashAlgo], # sha len(message), # message len len(signature) # no signature ) + message + signature cmd = pkt.Packet('\x8b', '\x48', dsa_verify_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("Dsa verify fail, code 0x%02x" % ord(rsp[2])) return None if verbose: print("Verify status: %s" % ("ok" if ord(rsp[3]) == 0 else "failed")) return True if ord(rsp[3]) == 0 else False def Cmac(self, target, cipher, key, message): """ return: CMAC, with corresponding cipher, key, message """ if cipher not in SiriusAPICrypto.cmac_operation: print_err("Invalid cipher: %s" % cipher) return None if len(key) not in SiriusAPICrypto.cmac_key_length[cipher]: print_err("Invalid key length: %d" % len(key)) return None msgLen = len(message) sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=False) cmac_package = struct.pack( '<BBB', SiriusAPICrypto.cmac_operation[cipher], # cipher type msgLen, # message len len(key), # key length ) + message + key cmd = pkt.Packet('\x8b', '\x44', cmac_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("Cmac fail, code 0x%02x" % ord(rsp[2])) return None return rsp[3:] def Aes(self, target, en_dec, mode, iv, key, data): """ """ en_dec = en_dec.upper() mode = mode.upper() aes_mode = mode + "_" + en_dec if aes_mode not in SiriusAPICrypto.aes_mode: print_err("Invalid mode: %s" % aes_mode) return None if len(key) not in SiriusAPICrypto.aes_key_length: print_err("Invalid key length: %d" % len(key)) return None if len(data) % SiriusAPICrypto.aes_block_size != 0: print_err("Invalid data length: %d" % len(data)) return None if len(iv) != SiriusAPICrypto.aes_block_size: print_err("Invalid IV length: %d" % len(iv)) return None numOfBlock = len(data) / SiriusAPICrypto.aes_block_size sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=False) aes_package = struct.pack( '<BB', numOfBlock, # number of 16-bytes AES or 8-bytess TDES block len(key), # data len ) + data + key + iv + chr(SiriusAPICrypto.aes_mode[aes_mode]) cmd = pkt.Packet('\x8b', '\x0c', aes_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("AES fail, code 0x%02x" % ord(rsp[2])) return None return rsp[3:] def Tdes(self, target, en_dec, mode, iv, key, data): """ """ en_dec = en_dec.upper() mode = mode.upper() tdes_mode = mode + "_" + en_dec if tdes_mode not in SiriusAPICrypto.tdes_mode: print_err("Invalid mode: %s" % tdes_mode) return None if len(key) not in SiriusAPICrypto.tdes_key_length: print_err("Invalid key length: %d" % len(key)) return None if len(data) % SiriusAPICrypto.tdes_block_size != 0: print_err("Invalid data length: %d" % len(data)) return None if len(iv) != SiriusAPICrypto.tdes_block_size: print_err("Invalid IV length: %d" % len(iv)) return None numOfBlock = len(data) / SiriusAPICrypto.tdes_block_size sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=False) tdes_package = struct.pack( '<BB', numOfBlock, # number of 16-bytes tdes or 8-bytess TDES block len(key), # data len ) + data + key + iv + chr(SiriusAPICrypto.tdes_mode[tdes_mode]) cmd = pkt.Packet('\x8b', '\x0a', tdes_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("Tdes fail, code 0x%02x" % ord(rsp[2])) return None return rsp[3:] def Rsa(self, target, operation, data, verbose=False): """ """ if operation not in SiriusAPICrypto.rsa_operations: print_err("Invalid operation %s" % (operation)) return None sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF pkt = BluefinserialCommand(sirius_target, verbose=verbose) rsa_package = struct.pack( '<B', SiriusAPICrypto.rsa_operations[operation], # rsa operation ) + data cmd = pkt.Packet('\x8b', '\x4c', rsa_package) rsp = self._datalink.Exchange(cmd) if (rsp is None): print_err("Send fail") return None if rsp[2] != '\x00': print_err("Rsa %s fail, code 0x%02x" % (operation, ord(rsp[2]))) return None return rsp[3:]
import abc import datetime from enum import Enum import six from cryptography import x509 from cryptography.hazmat.primitives import hashes from cryptography.x509.base import (_EARLIEST_UTC_TIME, _convert_to_naive_utc_time, _reject_duplicate_extension) _OIDS_TO_HASH = { "1.3.14.3.2.26": hashes.SHA1(), "2.16.840.1.101.3.4.2.4": hashes.SHA224(), "2.16.840.1.101.3.4.2.1": hashes.SHA256(), "2.16.840.1.101.3.4.2.2": hashes.SHA384(), "2.16.840.1.101.3.4.2.3": hashes.SHA512(), } class OCSPResponderEncoding(Enum): HASH = "By Hash" NAME = "By Name" class OCSPResponseStatus(Enum): SUCCESSFUL = 0 MALFORMED_REQUEST = 1 INTERNAL_ERROR = 2
output.append(binascii.hexlify(ct).decode("utf-8")) return "\n".join(output) def write_file(data, filename): with open(filename, "w") as f: f.write(data) oaep_path = os.path.join( "asymmetric", "RSA", "pkcs-1v2-1d2-vec", "oaep-vect.txt" ) hashalgs = [ hashes.SHA1(), hashes.SHA224(), hashes.SHA256(), hashes.SHA384(), hashes.SHA512(), ] for hashtuple in itertools.product(hashalgs, hashalgs): if isinstance(hashtuple[0], hashes.SHA1) and isinstance( hashtuple[1], hashes.SHA1 ): continue write_file( build_vectors(hashtuple[0], hashtuple[1], oaep_path), "oaep-{0}-{1}.txt".format(hashtuple[0].name, hashtuple[1].name), )
def create_test_list(): hash_msg_bitsizes = tuple(pow(2, _) for _ in range(8, 24)) symm_msg_bitsizes = tuple(pow(2, _) for _ in range(8, 24)) prng_msg_bitsizes = tuple(pow(2, _) for _ in range(8, 18)) return [ TestArgRange(TestPythonRandom, msgbits=prng_msg_bitsizes), TestArgRange(TestPythonSysRandom, msgbits=prng_msg_bitsizes), TestArgRange(TestPyCryptPRNG, msgbits=prng_msg_bitsizes), TestArgRange(TestGenPrime, bits=(32, 64, 128, 256, 512)), # cryptography symmetric ciphers TestArgRange(TestCryptCipher, algorithms.AES, keybits=256, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.TripleDES, keybits=64, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.TripleDES, keybits=128, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.TripleDES, keybits=192, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.Blowfish, keybits=256, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.CAST5, keybits=128, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.ARC4, keybits=256, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.IDEA, keybits=128, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.SEED, keybits=128, msgbits=symm_msg_bitsizes), TestArgRange(TestCryptCipher, algorithms.Camellia, keybits=256, msgbits=symm_msg_bitsizes), # pycrypt symmetric ciphers TestArgRange(TestPyCryptCipher, Crypto.Cipher.AES, keybits=256, msgbits=symm_msg_bitsizes), TestArgRange(TestPyCryptCipher, Crypto.Cipher.DES, keybits=64, msgbits=symm_msg_bitsizes), TestArgRange(TestPyCryptCipher, Crypto.Cipher.DES3, keybits=128, msgbits=symm_msg_bitsizes), TestArgRange(TestPyCryptCipher, Crypto.Cipher.DES3, keybits=192, msgbits=symm_msg_bitsizes), TestArgRange(TestPyCryptCipher, Crypto.Cipher.Blowfish, keybits=256, msgbits=symm_msg_bitsizes), TestArgRange(TestPyCryptCipher, Crypto.Cipher.CAST, keybits=128, msgbits=symm_msg_bitsizes), TestArgRange(TestPyCryptCipher, Crypto.Cipher.ARC4, keybits=256, msgbits=symm_msg_bitsizes), TestArgRange(TestPyCryptCipher, Crypto.Cipher.XOR, keybits=256, msgbits=symm_msg_bitsizes), TestArgRange(TestPyCryptCipher, Crypto.Cipher.ARC2, keybits=256, msgbits=symm_msg_bitsizes), # cryptography hashes TestArgRange(TestCryptHash, hashes.SHA224(), msgbits=hash_msg_bitsizes), TestArgRange(TestCryptHash, hashes.SHA256(), msgbits=hash_msg_bitsizes), TestArgRange(TestCryptHash, hashes.SHA384(), msgbits=hash_msg_bitsizes), TestArgRange(TestCryptHash, hashes.SHA512(), msgbits=hash_msg_bitsizes), TestArgRange(TestCryptHash, hashes.SHA1(), msgbits=hash_msg_bitsizes), TestArgRange(TestCryptHash, hashes.MD5(), msgbits=hash_msg_bitsizes), TestArgRange(TestCryptHash, hashes.RIPEMD160(), msgbits=hash_msg_bitsizes), TestArgRange(TestCryptHash, hashes.Whirlpool(), msgbits=hash_msg_bitsizes), # pycrypt hashes TestArgRange(TestPyCryptHash, Crypto.Hash.SHA224, msgbits=hash_msg_bitsizes), TestArgRange(TestPyCryptHash, Crypto.Hash.SHA256, msgbits=hash_msg_bitsizes), TestArgRange(TestPyCryptHash, Crypto.Hash.SHA384, msgbits=hash_msg_bitsizes), TestArgRange(TestPyCryptHash, Crypto.Hash.SHA512, msgbits=hash_msg_bitsizes), TestArgRange(TestPyCryptHash, Crypto.Hash.SHA, msgbits=hash_msg_bitsizes), TestArgRange(TestPyCryptHash, Crypto.Hash.MD5, msgbits=hash_msg_bitsizes), TestArgRange(TestPyCryptHash, Crypto.Hash.RIPEMD, msgbits=hash_msg_bitsizes), TestArgRange(TestPyCryptHash, Crypto.Hash.MD2, msgbits=hash_msg_bitsizes), TestArgRange(TestPyCryptHash, Crypto.Hash.MD4, msgbits=hash_msg_bitsizes), # cryptography rsa TestArgRange(TestCryptRsa, modbits=(1024,2048,4096), msgbits=(2,256,512,1024)), # PyCrypto rsa TestArgRange(TestPyCryptRsa, modbits=(1024,2048,4096), msgbits=(2,256,512,1024)), # now some tests to see how very simple operations perform TestEval("pass"), TestEval("1+2"), TestEval("8*9"), TestLambda(nop), TestLambda(lambda: 1), TestLambda(lambda: 1+2), TestLambda(lambda: 1+2+3+4), TestLambda(lambda: 8*9), TestLambda(lambda: pow(1, 1, 2)), # some elliptic curve crypto TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT571R1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT409R1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT283R1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT233R1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT163R2), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT571K1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT409K1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT283K1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT233K1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT163K1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP521R1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP384R1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP256R1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP256K1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP224R1), TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP192R1), ]
datetime:2019/6/13 9:46 software: PyCharm description: Python 利用cryptography包进行rsa加密/解密, 签名/验证 ''' from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import rsa, padding from cryptography.hazmat.primitives import serialization, hashes from cryptography.hazmat.primitives.serialization import NoEncryption,\ Encoding, PrivateFormat, PublicFormat import base64 from cryptography.exceptions import InvalidSignature ALGORITHM_DICT = { 'sha1': hashes.SHA1(), 'sha224': hashes.SHA224(), 'sha256': hashes.SHA256(), 'sha384': hashes.SHA384(), 'sha512': hashes.SHA512() } def generate_keys(): ''' 生成公钥和私钥 :return: ''' privkey = rsa.generate_private_key( public_exponent=65537, key_size=1024, backend=default_backend(),
OID_RSA_WITH_SHA224 = ObjectIdentifier("1.2.840.113549.1.1.14") OID_RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11") OID_RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12") OID_RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13") OID_ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1") OID_ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2") OID_ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3") OID_ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4") OID_DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3") OID_DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1") OID_DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2") _SIG_OIDS_TO_HASH = { OID_RSA_WITH_MD5.dotted_string: hashes.MD5(), OID_RSA_WITH_SHA1.dotted_string: hashes.SHA1(), OID_RSA_WITH_SHA224.dotted_string: hashes.SHA224(), OID_RSA_WITH_SHA256.dotted_string: hashes.SHA256(), OID_RSA_WITH_SHA384.dotted_string: hashes.SHA384(), OID_RSA_WITH_SHA512.dotted_string: hashes.SHA512(), OID_ECDSA_WITH_SHA224.dotted_string: hashes.SHA224(), OID_ECDSA_WITH_SHA256.dotted_string: hashes.SHA256(), OID_ECDSA_WITH_SHA384.dotted_string: hashes.SHA384(), OID_ECDSA_WITH_SHA512.dotted_string: hashes.SHA512(), OID_DSA_WITH_SHA1.dotted_string: hashes.SHA1(), OID_DSA_WITH_SHA224.dotted_string: hashes.SHA224(), OID_DSA_WITH_SHA256.dotted_string: hashes.SHA256() } OID_SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1") OID_CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2") OID_CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
from typing import Callable, Mapping, cast from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes as cr_hashes from . import backend from ... import hashes _hash_factories: Mapping[hashes.HashAlgorithmId, Callable[ [hashes.HashParameters], cr_hashes.HashAlgorithm]] = { hashes.HashAlgorithmId.MD5: lambda params: cr_hashes.MD5(), hashes.HashAlgorithmId.SHA1: lambda params: cr_hashes.SHA1(), hashes.HashAlgorithmId.SHA2_224: lambda params: cr_hashes.SHA224(), hashes.HashAlgorithmId.SHA2_256: lambda params: cr_hashes.SHA256(), hashes.HashAlgorithmId.SHA2_384: lambda params: cr_hashes.SHA384(), hashes.HashAlgorithmId.SHA2_512: lambda params: cr_hashes.SHA512(), hashes.HashAlgorithmId.BLAKE2B: lambda params: cr_hashes.BLAKE2b( cast(hashes.Blake2Params, params).length), hashes.HashAlgorithmId.BLAKE2S: lambda params: cr_hashes.BLAKE2s( cast(hashes.Blake2Params, params).length), }
from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.asymmetric import padding, rsa, ec from cryptography.exceptions import InvalidSignature, InvalidTag from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.primitives.ciphers.aead import AESGCM from datetime import timedelta app = Flask(__name__) app.config['SECRET_KEY'] = '1234' folders = {'Archive': 'Archive\\'} ALLOWED_EXTENSIONS = set(['pem']) SHA_DIC = { 'SHA2': { '224': hashes.SHA224(), '256': hashes.SHA256(), '384': hashes.SHA384(), '512': hashes.SHA512(), }, 'SHA3': { '224': hashes.SHA3_224(), '256': hashes.SHA3_256(), '384': hashes.SHA3_384(), '512': hashes.SHA3_512(), } } AES_DIC = { 'CBC': modes.CBC, 'CTR': modes.CTR,
def _publish_certificate(req: object, issuer: dict): logger.info('Create a certificate builder...') crt_builder = x509.CertificateBuilder() crt_builder = crt_builder.subject_name(name=req._subject()) crt_builder = crt_builder.public_key(key=req._public_key()) for extension in req._extensions(): crt_builder = crt_builder.add_extension(extension=extension.value, critical=extension.critical) logger.info('Ready to sign the certificate request...') if not isinstance(issuer['valid_year'], int): issuer['valid_year'] = int(issuer['valid_year']) if issuer['is_ca'] == 'true': issuer['is_ca'] = True if issuer['is_ca'] == 'false': issuer['is_ca'] = False crt_builder = crt_builder.not_valid_before(time=datetime.datetime.today()) crt_builder = crt_builder.not_valid_after( time=datetime.datetime.today() + datetime.timedelta(days=issuer['valid_year'] * 365)) crt_builder = crt_builder.serial_number(number=x509.random_serial_number()) crt_builder = crt_builder.add_extension(extension=x509.BasicConstraints( ca=issuer['is_ca'], path_length=None), critical=True) logger.info( 'Select CA to sign the certificate signing request and output certificate' ) if issuer['ca'] == 'SelfSign': logger.debug('CA is self-signed') crt_builder = crt_builder.issuer_name(name=req._subject()) ca_key = req.private_key() else: ca_dir = os.path.join( os.path.dirname(os.path.dirname(os.path.abspath(__file__))), 'common_static/ca') ca_file = "{}/{}.pfx".format(ca_dir, issuer['ca']) logger.debug("CA file is located in {}".format(ca_file)) with open(file=ca_file, mode='rb') as f: ca_bytes = f.read() logger.debug('CA file content is \n{}'.format(ca_bytes)) crt_chain = ReadCertificateChain({ 'bytes': ca_bytes, 'password': b'Cisco123!' }) ca_crt = crt_chain.certificate(data_type='object') ca_key = crt_chain.private_key(data_type='object') crt_builder = crt_builder.issuer_name(name=ca_crt.subject) hash_obj_list = { hashes.MD5(), hashes.SHA1(), hashes.SHA224(), hashes.SHA256(), hashes.SHA384(), hashes.SHA512(), hashes.SHA512_224(), hashes.SHA512_256(), hashes.SHA3_224(), hashes.SHA3_256(), hashes.SHA3_384(), hashes.SHA3_512() } for hash_obj in hash_obj_list: if issuer['hash_alg'] == hash_obj.name: hash_algor = hash_obj break else: hash_algor = hashes.MD5() return crt_builder.sign(private_key=ca_key, algorithm=hash_algor, backend=default_backend())
RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11") RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12") RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13") ECDSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10045.4.1") ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1") ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2") ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3") ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4") DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3") DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1") DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2") _SIG_OIDS_TO_HASH = { SignatureAlgorithmOID.RSA_WITH_MD5.dotted_string: hashes.MD5(), SignatureAlgorithmOID.RSA_WITH_SHA1.dotted_string: hashes.SHA1(), SignatureAlgorithmOID.RSA_WITH_SHA224.dotted_string: hashes.SHA224(), SignatureAlgorithmOID.RSA_WITH_SHA256.dotted_string: hashes.SHA256(), SignatureAlgorithmOID.RSA_WITH_SHA384.dotted_string: hashes.SHA384(), SignatureAlgorithmOID.RSA_WITH_SHA512.dotted_string: hashes.SHA512(), SignatureAlgorithmOID.ECDSA_WITH_SHA1.dotted_string: hashes.SHA1(), SignatureAlgorithmOID.ECDSA_WITH_SHA224.dotted_string: hashes.SHA224(), SignatureAlgorithmOID.ECDSA_WITH_SHA256.dotted_string: hashes.SHA256(), SignatureAlgorithmOID.ECDSA_WITH_SHA384.dotted_string: hashes.SHA384(), SignatureAlgorithmOID.ECDSA_WITH_SHA512.dotted_string: hashes.SHA512(), SignatureAlgorithmOID.DSA_WITH_SHA1.dotted_string: hashes.SHA1(), SignatureAlgorithmOID.DSA_WITH_SHA224.dotted_string: hashes.SHA224(), SignatureAlgorithmOID.DSA_WITH_SHA256.dotted_string: hashes.SHA256() } class ExtendedKeyUsageOID(object):
('RSA', 'SHA384'): sha384WithRSAEncryption, ('RSA', 'SHA512'): sha512WithRSAEncryption, ('DSA', 'SHA1'): rfc2459.id_dsa_with_sha1, ('DSA', 'SHA224'): id_dsa_with_sha224, ('DSA', 'SHA256'): id_dsa_with_sha256, } SIGNING_ALGORITHMS_INV = dict((v, k) for k, v in SIGNING_ALGORITHMS.items()) SIGNER_CONSTRUCTION = { rfc2459.md5WithRSAEncryption: (lambda key: key.signer(padding.PKCS1v15(), hashes.MD5())), rfc2459.sha1WithRSAEncryption: (lambda key: key.signer(padding.PKCS1v15(), hashes.SHA1())), sha224WithRSAEncryption: (lambda key: key.signer(padding.PKCS1v15(), hashes.SHA224())), sha256WithRSAEncryption: (lambda key: key.signer(padding.PKCS1v15(), hashes.SHA256())), sha384WithRSAEncryption: (lambda key: key.signer(padding.PKCS1v15(), hashes.SHA384())), sha512WithRSAEncryption: (lambda key: key.signer(padding.PKCS1v15(), hashes.SHA512())), rfc2459.id_dsa_with_sha1: (lambda key: key.signer(hashes.SHA1())), id_dsa_with_sha224: (lambda key: key.signer(hashes.SHA224())), id_dsa_with_sha256: (lambda key: key.signer(hashes.SHA256())), } VERIFIER_CONSTRUCTION = { rfc2459.md5WithRSAEncryption: (lambda key, signature: key.verifier( signature, padding.PKCS1v15(), hashes.MD5())), rfc2459.sha1WithRSAEncryption: (lambda key, signature: key.verifier(
#hash bloom filter 1 bit_vect1 = [0] * 2988288 #hash bloom filter 2 bit_vect2 = [0] * 2988288 print("starting bloom filter process...") #for each line for kkey in Tempkey: TempHash = str(kkey) TempHash = ' '.join(format(ord(x), 'b') for x in TempHash) #bloom filter 1 setting bad passwords b1_h1 = hashes.Hash(hashes.SHA224(), backend=backend) b1_h1.update(TempHash.encode()) b1_h1_hval = b1_h1.finalize() b1_h1_hval = hexlify(b1_h1_hval) b1_h1_hval = int(b1_h1_hval, 16) #calculated index for each bloomfilter b1_h1_hval = int(b1_h1_hval) % (len(bit_vect1)) #set corresponding bloom filter index to 1 bit_vect1[b1_h1_hval] = 1 b1_h2 = hashes.Hash(hashes.SHA256(), backend=backend) b1_h2.update(TempHash.encode()) b1_h2_hval = b1_h2.finalize() b1_h2_hval = hexlify(b1_h2_hval)
ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4") DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3") DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1") DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2") ED25519 = ObjectIdentifier("1.3.101.112") ED448 = ObjectIdentifier("1.3.101.113") GOSTR3411_94_WITH_3410_2001 = ObjectIdentifier("1.2.643.2.2.3") GOSTR3410_2012_WITH_3411_2012_256 = ObjectIdentifier("1.2.643.7.1.1.3.2") GOSTR3410_2012_WITH_3411_2012_512 = ObjectIdentifier("1.2.643.7.1.1.3.3") _SIG_OIDS_TO_HASH = { SignatureAlgorithmOID.RSA_WITH_MD5: hashes.MD5(), SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(), SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(), SignatureAlgorithmOID.RSA_WITH_SHA224: hashes.SHA224(), SignatureAlgorithmOID.RSA_WITH_SHA256: hashes.SHA256(), SignatureAlgorithmOID.RSA_WITH_SHA384: hashes.SHA384(), SignatureAlgorithmOID.RSA_WITH_SHA512: hashes.SHA512(), SignatureAlgorithmOID.ECDSA_WITH_SHA1: hashes.SHA1(), SignatureAlgorithmOID.ECDSA_WITH_SHA224: hashes.SHA224(), SignatureAlgorithmOID.ECDSA_WITH_SHA256: hashes.SHA256(), SignatureAlgorithmOID.ECDSA_WITH_SHA384: hashes.SHA384(), SignatureAlgorithmOID.ECDSA_WITH_SHA512: hashes.SHA512(), SignatureAlgorithmOID.DSA_WITH_SHA1: hashes.SHA1(), SignatureAlgorithmOID.DSA_WITH_SHA224: hashes.SHA224(), SignatureAlgorithmOID.DSA_WITH_SHA256: hashes.SHA256(), SignatureAlgorithmOID.ED25519: None, SignatureAlgorithmOID.ED448: None, SignatureAlgorithmOID.GOSTR3411_94_WITH_3410_2001: None, SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_256: None,
(options, args) = parser.parse_args() # Init the com port try: comm = BluefinserialSend(options.serial, options.baud) except Exception, e: print e parser.print_help() sys.exit(-1) print_ok("Use " + options.serial + " with baudrate = " + str(options.baud)) sirius_crypto = SiriusAPICrypto(comm) digestEngine = [ hashes.Hash(hashes.SHA1(), backend=default_backend()), hashes.Hash(hashes.SHA224(), backend=default_backend()), hashes.Hash(hashes.SHA256(), backend=default_backend()), hashes.Hash(hashes.SHA384(), backend=default_backend()), hashes.Hash(hashes.SHA512(), backend=default_backend()), ] DIGEST_ALGOS = ["SHA1", "SHA224", "SHA256", "SHA384", "SHA512"] for idx, digest in enumerate(DIGEST_ALGOS): # print the head of resulr print("") print_ok(">"*40) print_ok("Testing %s" % (digest)) # get digest from sirius digest_sirius = sirius_crypto.Sha(options.target, digest, options.message) # self calculate
# 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. import binascii import pytest from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from .utils import wycheproof_tests _DIGESTS = { "SHA-1": hashes.SHA1(), "SHA-224": hashes.SHA224(), "SHA-256": hashes.SHA256(), "SHA-384": hashes.SHA384(), "SHA-512": hashes.SHA512(), "SHA3-224": hashes.SHA3_224(), "SHA3-256": hashes.SHA3_256(), "SHA3-384": hashes.SHA3_384(), "SHA3-512": hashes.SHA3_512(), } @wycheproof_tests( "ecdsa_test.json", "ecdsa_brainpoolP224r1_sha224_test.json", "ecdsa_brainpoolP256r1_sha256_test.json", "ecdsa_brainpoolP320r1_sha384_test.json",
class CryptoUtils: pwd_context = CryptContext(schemes=["pbkdf2_sha256"], default="pbkdf2_sha256", pbkdf2_sha256__default_rounds=30000) algorithms = { "sha256": hashes.SHA256(), "sha224": hashes.SHA224(), "sha384": hashes.SHA256(), "sha512": hashes.SHA256(), "blake2b": hashes.BLAKE2b(64), "blake2s": hashes.BLAKE2s(32), "sha3_256": hashes.SHA3_256(), "sha3_224": hashes.SHA3_224(), "sha3_384": hashes.SHA3_384(), "sha3_512": hashes.SHA3_512() } @staticmethod def hash(password): return CryptoUtils.pwd_context.hash(password) @staticmethod def check_hash(password, hashed): return CryptoUtils.pwd_context.verify(password, hashed) @staticmethod def make_key(password, algorithm, salt): if algorithm not in CryptoUtils.algorithms: raise casket.invalid_algorithm("Algorithm %s is not supported." % (algorithm)) kdf = PBKDF2HMAC(algorithm=CryptoUtils.algorithms[algorithm], length=32, salt=salt, iterations=100000, backend=default_backend()) return base64.urlsafe_b64encode(kdf.derive(password)) @staticmethod def encrypt_password(master_pswd, plain_pswd, salt=os.urandom(16), algorithm="sha256"): key = CryptoUtils.make_key(master_pswd.encode("utf-8"), algorithm, salt) cipher_suite = Fernet(key) cipher_text = cipher_suite.encrypt(plain_pswd.encode("utf-8")) enc_pswd = base64.b64encode(salt).decode('utf-8') + cipher_text.decode( 'utf-8') return enc_pswd @staticmethod def decrypt_password(master_pswd, enc_pswd, algorithm="sha256"): salt = base64.b64decode(enc_pswd[:24].encode("utf-8")) key = CryptoUtils.make_key(master_pswd.encode("utf-8"), algorithm, salt) cipher_suite = Fernet(key) plain_text = cipher_suite.decrypt(enc_pswd[24:].encode("utf-8")) plain_text_utf8 = plain_text.decode("utf-8") return plain_text_utf8 @staticmethod def get_salt(encrypted_string): return base64.b64decode(encrypted_string[:24].encode("utf-8"))
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.asymmetric import utils from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import serialization from openstack.image.iterable_chunked_file import IterableChunkedFile HASH_METHODS = { 'SHA-224': hashes.SHA224(), 'SHA-256': hashes.SHA256(), 'SHA-384': hashes.SHA384(), 'SHA-512': hashes.SHA512(), } class ImageSigner: """Image file signature generator. Generates signatures for files using a specified private key file. """ def __init__(self, hash_method='SHA-256', padding_method='RSA-PSS'): padding_types = { 'RSA-PSS': padding.PSS(mgf=padding.MGF1(HASH_METHODS[hash_method]),
class TestSHA224(object): test_sha224 = generate_base_hash_test( hashes.SHA224(), digest_size=28, )
skip_message="Does not support SHA1", ) @pytest.mark.hmac class TestHMAC_SHA1(object): test_hmac_sha1 = generate_hmac_test( load_hash_vectors, "HMAC", [ "rfc-2202-sha1.txt", ], hashes.SHA1(), ) @pytest.mark.supported( only_if=lambda backend: backend.hmac_supported(hashes.SHA224()), skip_message="Does not support SHA224", ) @pytest.mark.hmac class TestHMAC_SHA224(object): test_hmac_sha224 = generate_hmac_test( load_hash_vectors, "HMAC", [ "rfc-4231-sha224.txt", ], hashes.SHA224(), ) @pytest.mark.supported(
def create_csr(com_name, bumen_name, zuzhi_name, city_name, shengfen_name, guojia_name, mysf, beiyong_name, myqd, qmsf, key_pass): private_key = None csr = None key = None try: if bumen_name: csr_subject_name = x509.CertificateSigningRequestBuilder( ).subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, guojia_name), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, shengfen_name), x509.NameAttribute(NameOID.LOCALITY_NAME, city_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, zuzhi_name), x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, bumen_name), x509.NameAttribute(NameOID.COMMON_NAME, com_name), ])) else: csr_subject_name = x509.CertificateSigningRequestBuilder( ).subject_name( x509.Name([ # Provide various details about who we are. x509.NameAttribute(NameOID.COUNTRY_NAME, guojia_name), x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, shengfen_name), x509.NameAttribute(NameOID.LOCALITY_NAME, city_name), x509.NameAttribute(NameOID.ORGANIZATION_NAME, zuzhi_name), x509.NameAttribute(NameOID.COMMON_NAME, com_name), ])) except Exception as e: print(e) return {'error': False, 'msg': u'提交内容错误!'} try: dns_name = [x509.DNSName(i) for i in beiyong_name.split(',')] except Exception as e: print(e) return {'error': False, 'msg': u'备用名请用逗号隔开!'} csr_add_extension = csr_subject_name.add_extension( x509.SubjectAlternativeName(dns_name), critical=False, ) if mysf == 'RSA': private_key = rsa.generate_private_key(public_exponent=65537, key_size=int(myqd), backend=default_backend()) if key_pass: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.BestAvailableEncryption( key_pass), ) else: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) if qmsf == 'MD5': csr = csr_add_extension.sign(private_key, hashes.MD5(), default_backend()) elif qmsf == 'SHA1': csr = csr_add_extension.sign(private_key, hashes.SHA1(), default_backend()) elif qmsf == 'SHA224': csr = csr_add_extension.sign(private_key, hashes.SHA224(), default_backend()) elif qmsf == 'SHA256': csr = csr_add_extension.sign(private_key, hashes.SHA256(), default_backend()) elif qmsf == 'SHA384': csr = csr_add_extension.sign(private_key, hashes.SHA384(), default_backend()) elif qmsf == 'SHA512': csr = csr_add_extension.sign(private_key, hashes.SHA512(), default_backend()) else: csr = csr_add_extension.sign(private_key, hashes.SHA1(), default_backend()) return { 'error': True, 'csr': csr.public_bytes(serialization.Encoding.PEM), 'priv_key': key } elif mysf == 'DSA': private_key = dsa.generate_private_key(key_size=int(myqd), backend=default_backend()) if key_pass: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.BestAvailableEncryption( key_pass), ) else: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) if qmsf == 'SHA1': csr = csr_add_extension.sign(private_key, hashes.SHA1(), default_backend()) elif qmsf == 'SHA224': csr = csr_add_extension.sign(private_key, hashes.SHA224(), default_backend()) elif qmsf == 'SHA256': csr = csr_add_extension.sign(private_key, hashes.SHA256(), default_backend()) else: csr = csr_add_extension.sign(private_key, hashes.SHA1(), default_backend()) return { 'error': True, 'csr': csr.public_bytes(serialization.Encoding.PEM), 'priv_key': key } elif mysf == 'ECDSA': if myqd == 'P192': private_key = ec.generate_private_key(curve=ec.SECP192R1(), backend=default_backend()) elif myqd == 'P224': private_key = ec.generate_private_key(curve=ec.SECP224R1(), backend=default_backend()) elif myqd == 'P256': private_key = ec.generate_private_key(curve=ec.SECP256R1(), backend=default_backend()) elif myqd == 'P384': private_key = ec.generate_private_key(curve=ec.SECP384R1(), backend=default_backend()) elif myqd == 'P521': private_key = ec.generate_private_key(curve=ec.SECP521R1(), backend=default_backend()) else: private_key = ec.generate_private_key(curve=ec.SECP256R1(), backend=default_backend()) if key_pass: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.BestAvailableEncryption( key_pass), ) else: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) if qmsf == 'SHA1': csr = csr_add_extension.sign(private_key, hashes.SHA1(), default_backend()) elif qmsf == 'SHA224': csr = csr_add_extension.sign(private_key, hashes.SHA224(), default_backend()) elif qmsf == 'SHA256': csr = csr_add_extension.sign(private_key, hashes.SHA256(), default_backend()) elif qmsf == 'SHA384': csr = csr_add_extension.sign(private_key, hashes.SHA384(), default_backend()) elif qmsf == 'SHA512': csr = csr_add_extension.sign(private_key, hashes.SHA512(), default_backend()) else: csr = csr_add_extension.sign(private_key, hashes.SHA1(), default_backend()) return { 'error': True, 'csr': csr.public_bytes(serialization.Encoding.PEM), 'priv_key': key }
key_pass), ) else: key = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) if qmsf == 'MD5': csr = csr_add_extension.sign(private_key, hashes.MD5(), default_backend()) elif qmsf == 'SHA1': csr = csr_add_extension.sign(private_key, hashes.SHA1(), default_backend()) elif qmsf == 'SHA224': csr = csr_add_extension.sign(private_key, hashes.SHA224(), default_backend()) elif qmsf == 'SHA256': csr = csr_add_extension.sign(private_key, hashes.SHA256(), default_backend()) elif qmsf == 'SHA384': csr = csr_add_extension.sign(private_key, hashes.SHA384(), default_backend()) elif qmsf == 'SHA512': csr = csr_add_extension.sign(private_key, hashes.SHA512(), default_backend()) else: csr = csr_add_extension.sign(private_key, hashes.SHA1(), default_backend()) return { 'error': True,
class TestSHA224(object): test_SHA224 = generate_base_hash_test( hashes.SHA224(), digest_size=28, block_size=64, )