def add_new_channel(self, nA, nB):
a_signkey = SigningKey.generate()
a_chankey = PrivateKey.generate()
a_CIDkey = os.urandom(32)
a_transports = nA.agent.individualize_transports(nA.agent.get_transports())
b_signkey = SigningKey.generate()
b_chankey = PrivateKey.generate()
b_CIDkey = os.urandom(32)
b_transports = nB.agent.individualize_transports(nB.agent.get_transports())
a_rec = { "channel_pubkey": a_chankey.public_key.encode().encode("hex"),
"CID_key": a_CIDkey.encode("hex"),
"transports": a_transports.values(),
}
b_rec = { "channel_pubkey": b_chankey.public_key.encode().encode("hex"),
"CID_key": b_CIDkey.encode("hex"),
"transports": b_transports.values(),
}
q = ("INSERT INTO addressbook"
" (petname, acked, next_outbound_seqnum,"
" my_signkey,"
" their_channel_record_json,"
" my_CID_key, next_CID_token,"
" highest_inbound_seqnum,"
" my_old_channel_privkey, my_new_channel_privkey,"
" they_used_new_channel_key, their_verfkey)"
" VALUES(?,?,?,?,?,?,?,?,?,?,?,?)")
vA=("petname-from-A", 1, 1,
a_signkey.encode().encode("hex"),
json.dumps(b_rec),
a_CIDkey.encode("hex"), None,
0,
a_chankey.encode().encode("hex"),
a_chankey.encode().encode("hex"),
0, b_signkey.verify_key.encode().encode("hex"),
)
vB=("petname-from-A", 1, 1,
b_signkey.encode().encode("hex"),
json.dumps(a_rec),
b_CIDkey.encode("hex"), None,
0,
b_chankey.encode().encode("hex"),
b_chankey.encode().encode("hex"),
0, a_signkey.verify_key.encode().encode("hex"),
)
nA.db.execute(q, vA)
nA.db.commit()
nB.db.execute(q, vB)
nA.db.commit()
entA = nA.db.execute("SELECT * FROM addressbook").fetchone()
entB = nB.db.execute("SELECT * FROM addressbook").fetchone()
return entA, entB
def test_nacl_encrypt_decrypt():
skbob = PrivateKey.generate()
pkbob = skbob.public_key
skalice = PrivateKey.generate()
pkalice = skalice.public_key
message_bytes = nacl.utils.random(SALT_SIZE)
encrypted = nacl_encrypt(message_bytes, skbob, pkalice)
decrypted = nacl_decrypt(encrypted, skalice, pkbob)
assert decrypted == message_bytes
def purchase(self, node_to_ask, contract):
"""
Send an order message to the vendor.
Args:
node_to_ask: a `dht.node.Node` object
contract: a complete `Contract` object containing the buyer's order
"""
def parse_response(response):
try:
address = contract.contract["buyer_order"]["order"]["payment"]["address"]
verify_key = nacl.signing.VerifyKey(node_to_ask.signed_pubkey[64:])
verify_key.verify(str(address), response[1][0])
return response[1][0]
except Exception:
return False
public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"]
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder))
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce)
d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext)
return d.addCallback(parse_response)
def create_node(so, stdout=sys.stdout, stderr=sys.stderr):
basedir = so["basedir"]
if os.path.exists(basedir):
print >>stderr, "basedir '%s' already exists, refusing to touch it" % basedir
return 1
os.mkdir(basedir)
dbfile = os.path.join(basedir, "petmail.db")
db = database.get_db(dbfile, stderr)
db.execute("INSERT INTO node (webhost, webport) VALUES (?,?)",
(so["webhost"], so["webport"]))
db.execute("INSERT INTO services (name) VALUES (?)", ("client",))
db.execute("INSERT INTO `client_profile`"
" (`name`, `icon_data`) VALUES (?,?)",
("",""))
privkey = PrivateKey.generate()
TID_tokenid, TID_privkey, TID_token0 = rrid.create()
server_desc = { "transport_privkey": privkey.encode().encode("hex"),
"TID_private_key": TID_privkey.encode("hex"),
"local_TID0": TID_token0.encode("hex"),
"local_TID_tokenid": TID_tokenid.encode("hex"),
}
db.execute("INSERT INTO mailbox_server_config"
" (private_descriptor_json, enable_retrieval)"
" VALUES (?,?)",
(json.dumps(server_desc), 0))
db.commit()
print >>stdout, "node created in %s" % basedir
return 0
def storeAccount(phrase, uid, auth, alias):
"""
Store new account information
@param phrase: new passphrase as bytes
@param uid: user id
@param auth: authentication token
@param alias: user set alias for profile
@return: Profile ID of newly created profile and safe
"""
con = getCursor()
# random phrase buffer
buffer = nacl.utils.random(nacl.secret.SecretBox.KEY_SIZE)
# create safe (db encryption)
safe = SecretBox(b''.join((phrase, buffer[len(phrase) - 32:])))
# create new signing_key and verify_key (message signing)
skey = nacl.signing.SigningKey.generate()
# create new private and public key (message encryption)
mkey = PrivateKey.generate()
con.execute("INSERT INTO profiles (uid, auth, signing_key, verify_key, private_key, public_key, buffer, alias) "
"VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
list(encrypt(safe, uid, auth, skey._seed, skey.verify_key.encode(encoder=nacl.encoding.HexEncoder),
mkey._private_key, mkey.public_key._public_key)) + [buffer, alias])
profileId = con.lastrowid
return profileId, safe
def authenticate(self, permissions=[]): #TODO check is needs to = None
keys = PrivateKey.generate()
nonce = nacl.utils.random(Box.NONCE_SIZE)
payload = {
'app': {
'name': self.name,
'version': self.version,
'vendor': self.vendor,
'id': self.id
},
'publicKey': base64.b64encode(keys.public_key.__bytes__()),
'nonce': base64.b64encode(nonce),
'permissions': permissions
}
headers = {
'Content-Type': 'application/json'
}
r = self._post('auth', headers, payload)
if r.status_code == 200:
responseJson = r.json()
cipherText = base64.b64decode(responseJson['encryptedKey'])
self.token = responseJson['token']
self.permissions = responseJson['permissions']
self.publicKey = base64.b64decode(responseJson['publicKey'])
box = Box(keys, PublicKey(self.publicKey))
data = box.decrypt(cipherText, nonce=nonce)
self.symmetricKey = data[0:PrivateKey.SIZE]
self.symmetricNonce = data[PrivateKey.SIZE:]
return True
else:
return False
def get_node(node_to_ask):
def parse_response(response):
if response[0] and response[1][0] == "True":
return True
elif not response[0]:
contract_dict = json.loads(json.dumps(contract.contract, indent=4),
object_pairs_hook=OrderedDict)
del contract_dict["vendor_order_confirmation"]
order_id = digest(json.dumps(contract_dict, indent=4)).encode("hex")
self.send_message(Node(unhexlify(guid)),
nacl.signing.VerifyKey(
contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["guid"],
encoder=nacl.encoding.HexEncoder).to_curve25519_public_key().encode(),
objects.PlaintextMessage.Type.Value("ORDER_CONFIRMATION"),
json.dumps(contract.contract["vendor_order_confirmation"]),
order_id,
store_only=True)
return True
else:
return False
if node_to_ask:
public_key = nacl.signing.VerifyKey(
contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["guid"],
encoder=nacl.encoding.HexEncoder).to_curve25519_public_key()
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem, public_key)
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce)
d = self.protocol.callOrderConfirmation(node_to_ask, pkephem, ciphertext)
return d.addCallback(parse_response)
else:
return parse_response([False])
def send_message(self, receiving_node, public_key, message_type, message, subject=None):
"""
Sends a message to another node. If the node isn't online it
will be placed in the dht for the node to pick up later.
"""
pro = Profile().get()
if len(message) > 1500:
return
p = objects.Plaintext_Message()
p.sender_guid = self.kserver.node.id
p.signed_pubkey = self.kserver.node.signed_pubkey
p.encryption_pubkey = PrivateKey(self.signing_key.encode()).public_key.encode()
p.type = message_type
p.message = message
if subject is not None:
p.subject = subject
if pro.handle:
p.handle = pro.handle
if pro.avatar_hash:
p.avatar_hash = pro.avatar_hash
p.timestamp = int(time.time())
signature = self.signing_key.sign(p.SerializeToString())[:64]
p.signature = signature
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder))
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(p.SerializeToString(), nonce)
def get_response(response):
if not response[0]:
self.kserver.set(digest(receiving_node.id), pkephem, ciphertext)
self.protocol.callMessage(receiving_node, pkephem, ciphertext).addCallback(get_response)
def purchase(self, node_to_ask, contract):
"""
Send an order message to the vendor.
Args:
node_to_ask: a `dht.node.Node` object
contract: a complete `Contract` object containing the buyer's order
"""
def parse_response(response):
try:
address = contract.contract["buyer_order"]["order"]["payment"]["address"]
chaincode = contract.contract["buyer_order"]["order"]["payment"]["chaincode"]
masterkey_b = contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["bitcoin"]
buyer_key = derive_childkey(masterkey_b, chaincode)
amount = contract.contract["buyer_order"]["order"]["payment"]["amount"]
listing_hash = contract.contract["buyer_order"]["order"]["ref_hash"]
verify_key = nacl.signing.VerifyKey(node_to_ask.signed_pubkey[64:])
verify_key.verify(
str(address) + str(amount) + str(listing_hash) + str(buyer_key), response[1][0])
return response[1][0]
except Exception:
return False
public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"]
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder))
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce)
d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext)
self.log.info("purchasing contract %s from %s" % (contract.get_contract_id().encode("hex"), node_to_ask))
return d.addCallback(parse_response)
def get_node(node_to_ask):
def parse_response(response):
if response[0] and response[1][0] == "True":
return True
elif not response[0]:
contract_dict = json.loads(json.dumps(contract.contract, indent=4),
object_pairs_hook=OrderedDict)
del contract_dict["vendor_order_confirmation"]
del contract_dict["buyer_receipt"]
order_id = digest(json.dumps(contract_dict, indent=4)).encode("hex")
self.send_message(Node(unhexlify(guid)),
contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"],
objects.Plaintext_Message.Type.Value("RECEIPT"),
json.dumps(contract.contract["buyer_receipt"]),
order_id,
store_only=True)
return True
else:
return False
if node_to_ask:
public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"]
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder))
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce)
d = self.protocol.callCompleteOrder(node_to_ask, pkephem, ciphertext)
return d.addCallback(parse_response)
else:
return parse_response([False])
def key_gen(self): """Generate a private key""" import base64, zlib from nacl.public import PrivateKey privObj = PrivateKey.generate() privKey = base64.b64encode(zlib.compress(str(privObj), 9)) return privObj, privKey
def test_wrong_types():
priv = PrivateKey.generate()
check_type_error(("PrivateKey must be created from a 32 bytes long "
"raw secret key"),
PrivateKey, 12)
check_type_error(("PrivateKey must be created from a 32 bytes long "
"raw secret key"),
PrivateKey, priv)
check_type_error(("PrivateKey must be created from a 32 bytes long "
"raw secret key"),
PrivateKey, priv.public_key)
check_type_error("PublicKey must be created from 32 bytes",
PublicKey, 13)
check_type_error("PublicKey must be created from 32 bytes",
PublicKey, priv)
check_type_error("PublicKey must be created from 32 bytes",
PublicKey, priv.public_key)
check_type_error("Box must be created from a PrivateKey and a PublicKey",
Box, priv, "not a public key")
check_type_error("Box must be created from a PrivateKey and a PublicKey",
Box, priv.encode(), priv.public_key.encode())
check_type_error("Box must be created from a PrivateKey and a PublicKey",
Box, priv, priv.public_key.encode())
check_type_error("Box must be created from a PrivateKey and a PublicKey",
Box, priv.encode(), priv.public_key)
check_type_error("seed must be a 32 bytes long",
PrivateKey.from_seed, b"1")
def send_rekey(self):
self.pkey = PrivateKey.generate()
msg = six.int2byte(Message.rekey) + encode_varint(self.my_seq) + self.pkey.public_key._public_key
mac = self.get_mac(msg)
self.my_seq += 1
self._send(msg + mac)
self.state = ClientState.rekey
def test_list_request(self):
serverkey = PrivateKey.generate()
RT = "01234567" # 8 bytes
req, tmppub = retrieval.encrypt_list_request(serverkey.public_key.encode(), RT)
got_tmppub, boxed0 = server.decrypt_list_request_1(req)
ts, got_RT = server.decrypt_list_request_2(got_tmppub, boxed0, serverkey)
self.failUnlessEqual(RT, got_RT)
def respond_to_rekey(self, message):
# Verify length
if not len(message) == 34 + self._mac_length:
_logger.info('Invalid length of rekey')
# TODO: Multi-byte asequence numbers should also be allowed
return
# Verify MAC
msg, sig = message[:-self._mac_length], message[-self._mac_length:]
if not self.verify_mac(message):
_logger.info('Invalid MAC on rekey')
return
# Verify sequence number
if not self.validate_and_update_others_seqnum(msg):
_logger.info('Invalid sequence number on rekey')
return
client_pubkey = msg[2:]
self.pkey = PrivateKey.generate()
self.new_master_key = self.derive_shared_key(client_pubkey)
msg = six.int2byte(Message.rekey_response) + encode_varint(self.my_seq) + self.pkey.public_key._public_key
self.state = ServerState.rekey
full_msg = msg + self.get_mac(msg)
self._send(full_msg)
self.my_seq += 1
def get_node(node_to_ask, recipient_guid, public_key):
def parse_response(response):
if not response[0]:
self.send_message(
Node(unhexlify(recipient_guid)),
nacl.signing.VerifyKey(public_key, encoder=nacl.encoding.HexEncoder)
.to_curve25519_public_key()
.encode(),
objects.PlaintextMessage.Type.Value("DISPUTE_OPEN"),
json.dumps(contract),
order_id,
store_only=True,
)
if node_to_ask:
enc_key = nacl.signing.VerifyKey(
public_key, encoder=nacl.encoding.HexEncoder
).to_curve25519_public_key()
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem, enc_key)
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(json.dumps(contract, indent=4), nonce)
d = self.protocol.callDisputeOpen(node_to_ask, pkephem, ciphertext)
return d.addCallback(parse_response)
else:
return parse_response([False])
def __new__(cls, microdescriptor):
relay_identity = decodeMicrodescriptorIdentifier(microdescriptor)
relay_ntor_onion_key = base64.b64decode(microdescriptor.ntor_onion_key)
secret_key = PrivateKey.generate()
public_key = secret_key.public_key
return super(NTorState, cls).__new__(
cls, relay_identity, relay_ntor_onion_key, secret_key, public_key)
def getauth(secret=''):
if secret != '':
try:
return nacl.public.PrivateKey(secret,encoder=nacl.encoding.HexEncoder)
except:
raise err.api('invalid secret')
else:
return PrivateKey.generate()
def generate_key_hex(self):
"""
Generate a new private key and return a pair with the hex encodings
of (priv_key, pub_key).
"""
key = PrivateKey.generate()
priv_key = key.encode(encoder=HexEncoder)
pub_key = key.public_key.encode(encoder=HexEncoder)
return priv_key.decode('ascii'), pub_key.decode('ascii')
def test_list_entry(self):
symkey = os.urandom(32)
tmppriv = PrivateKey.generate()
tmppub = tmppriv.public_key.encode()
entry, fetch_token, delete_token = server.create_list_entry(symkey, tmppub, 1234)
got_fetch_token, got_delete_token, length = retrieval.decrypt_list_entry(entry, symkey, tmppub)
self.failUnlessEqual(fetch_token, got_fetch_token)
self.failUnlessEqual(delete_token, got_delete_token)
self.failUnlessEqual(length, 1234)
def test_sealed_box_too_short_msg():
empty_plaintext = b''
k = PrivateKey.generate()
enc_box = SealedBox(k.public_key)
dec_box = SealedBox(k)
msg = enc_box.encrypt(empty_plaintext)
with pytest.raises(CryptoError):
dec_box.decrypt(msg[:-1])
def generate_key(self):
"""
Generate a new private key and return a pair with the base64 encodings
of (priv_key, pub_key).
"""
key = PrivateKey.generate()
priv_key = key.encode(encoder=Base64Encoder)
pub_key = key.public_key.encode(encoder=Base64Encoder)
return (u'{}'.format(priv_key), u'{}'.format(pub_key))
def startInvitation(self, petname, code, transports):
#print "invite", petname, code.encode("hex")
stretched = stretch(code)
inviteKey = SigningKey(stretched)
inviteID = inviteKey.verify_key.encode(Hex)
mySigningKey = SigningKey.generate()
myCIDkey = os.urandom(32)
myTempPrivkey = PrivateKey.generate()
# create my channel record
tids = ",".join([str(tid) for tid in sorted(transports.keys())])
channel_key = PrivateKey.generate()
pub_crec = { "channel_pubkey": channel_key.public_key.encode(Hex),
"CID_key": myCIDkey.encode("hex"),
"transports": transports.values(),
}
priv_data = { "my_signkey": mySigningKey.encode(Hex),
"my_CID_key": myCIDkey.encode("hex"),
"my_old_channel_privkey": channel_key.encode(Hex),
"my_new_channel_privkey": channel_key.encode(Hex),
"transport_ids": tids,
}
db = self.db
c = db.execute("SELECT inviteID FROM invitations")
if inviteID in [str(row[0]) for row in c.fetchall()]:
raise CommandError("invitation code already in use")
iid = db.insert("INSERT INTO `invitations`"
" (code, petname, inviteKey,"
" inviteID,"
" myTempPrivkey, mySigningKey,"
" my_channel_record, my_private_channel_data,"
" myMessages, theirMessages, nextExpectedMessage)"
" VALUES (?,?,?, ?, ?,?, ?,?, ?,?,?)",
(code.encode("hex"), petname, stretched.encode("hex"),
inviteID,
myTempPrivkey.encode(Hex), mySigningKey.encode(Hex),
json.dumps(pub_crec), json.dumps(priv_data),
"", "", 1),
"invitations")
self.subscribe(inviteID)
i = Invitation(iid, self.db, self)
i.sendFirstMessage()
self.db.commit()
def __init__(self, relay):
'''
:param stem.descriptor.server_descriptor.RelayDescriptor relay:
the relay that we're doing an ntor handshake with
'''
self._signing_key = tools.signingKeyToSHA1(relay.signing_key)
self._ntor_onion_key = base64.b64decode(relay.ntor_onion_key)
self._secret_key = PrivateKey.generate()
self._public_key = self._secret_key.public_key
self.is_bad = False
def asymmetricEncryption(toEncrypt): #generiranje privatnog kljuca posiljatelja koji mora ostati tajan skSender = PrivateKey.generate() #generiranje javnog kljuca posiljatelja pkSender = skSender.public_key #generiranje privatnog kljuca primatelja koji mora ostati tajan skReceiver = PrivateKey.generate() #generiranje javnog kljuca primatelja pkReceiver = skReceiver.public_key #"kutija" s posiljateljevim privatnim kljucem i primateljevim javnim kljucem #sluzi za enkriptiranje poruke senderBox = Box(skSender, pkReceiver) #broj koji se koristi samo jednom, ne smatra se tajnim i moze ga se slati uz enkriptiranu poruku #dobar izvor za nonce su nasumicna 24 byta nonce = nacl.utils.random(Box.NONCE_SIZE) #enkriptiranje poruke koja ce potom biti dulja za tocno 40 byta od originalne poruke #razlog tome je informacija o autentifikaciji i nonce koji se pohranjuju uz nju encrypted = senderBox.encrypt(toEncrypt, nonce, encoder = nacl.encoding.Base64Encoder) return pkSender, skReceiver, encrypted
def test_sealed_box_zero_length_plaintext():
empty_plaintext = b''
k = PrivateKey.generate()
enc_box = SealedBox(k.public_key)
dec_box = SealedBox(k)
msg = enc_box.encrypt(empty_plaintext)
decoded = dec_box.decrypt(msg)
assert decoded == empty_plaintext
def setUp(self):
super(RekeyCompleteTest, self).setUp()
self.session.send_rekey()
rekey_msg = self.channel.sent_messages.pop(0).msg
self.client_pubkey = rekey_msg[2:-self.mac_len]
pkey = PrivateKey.generate()
msg = b'\x83\x00' + pkey.public_key._public_key
mac = self.get_mac(msg)
response = self.get_response(msg + mac).msg
self.new_shared_key = crypto_scalarmult(pkey._private_key, self.client_pubkey)
def test_wrong_types():
priv = PrivateKey.generate()
check_type_error(("SealedBox must be created from a PublicKey"
" or a PrivateKey"),
SealedBox, priv.encode())
check_type_error(("SealedBox must be created from a PublicKey"
" or a PrivateKey"),
SealedBox, priv.public_key.encode())
with pytest.raises(TypeError):
SealedBox(priv, priv.public_key)
def generate_keypair(kB, client_id):
"""Given a kbR and a client_id returned from the FxA auth server
returns a key pair (public+encrypted private key)
"""
kBr = get_kBr(kB, client_id)
priv = PrivateKey.generate()
pub = priv.public_key
pub = binascii.hexlify(pub.encode())
priv = binascii.hexlify(priv.encode())
encrypted_priv = encrypt_data(priv, kBr)
return pub, priv, encrypted_priv
def test_responds_to_valid_rekey_response(self):
pkey = PrivateKey.generate()
msg = b'\x83\x02' + pkey.public_key._public_key
mac = self.get_mac(msg)
response = self.get_response(msg + mac).msg
self.assert_message_type(response, 0x04)
self.assertEqual(len(response), 1 + self.mac_len)
shared_key = crypto_scalarmult(pkey._private_key, self.client_pubkey)
mac_func = getattr(hashlib, self.mac)
expected_mac = mac_func(shared_key + response[:-self.mac_len]).digest()[:self.mac_len]
self.assertEqual(response[-self.mac_len:], expected_mac)
self.assertEqual(self.session.state, ClientState.wait_for_rekey_complete)
def __init__(
self,
nursery: trio.Nursery,
key: PrivateKey = None,
whitelist: Optional[PublicKey] = None
):
self.nursery = nursery
self.contexts: Dict[IPv4Address, UDPContext] = {}
self.conn_cb: Optional[Callable[[UDPContext], None]] = None
self.sock = trio.socket.socket(
socket.AF_INET,
socket.SOCK_DGRAM
)
self.key = PrivateKey.generate() if key is None else key
self.whitelist = whitelist
def generate_keys():
logging.info("generating public-private key pair")
# create public/private pair
private_key = PrivateKey.generate()
public_key = private_key.public_key
key_length = private_key.SIZE * 8
# get key strings
public_key = public_key.encode(encoder=nacl.encoding.HexEncoder).decode()
private_key = private_key.encode(encoder=nacl.encoding.HexEncoder).decode()
# return key pair as dictionary
return({
"key_length_bits": key_length,
"public_key": public_key,
"private_key": private_key
})
def keyMake(node, path):
## create a public, private, and signature key set
# generate the encryption keypair
key = PrivateKey.generate()
# generate the signature key
sig = nacl.signing.SigningKey.generate()
verify = sig.verify_key
sig_hex = verify.encode(encoder=nacl.encoding.HexEncoder)
# write all of the keys to file
with open(path + '/' + node + '.sig', 'w+') as signing_key:
pickle.dump(sig, signing_key)
with open(path + '/' + node + '.sighex', 'w+') as verify_hex:
pickle.dump(sig_hex, verify_hex)
with open(path + '/' + node + '.private', 'w+') as private:
pickle.dump(key, private)
with open(path + '/' + node + '.public', 'w+') as public:
pickle.dump(key.public_key, public)
def __init__(self, application_namespace):
# Save the application namespace
self.application_namespace = application_namespace
# Generate a private key
self.private_key = PrivateKey.generate()
# Generate a signing key
self.signing_key = SigningKey.generate()
# Create subject for incoming payloads
self.incoming_payload = rx.subject.Subject()
# Create a set of reachable instances
self.reachable_peers: Set[InstanceReference] = set()
# Create subject for newly reachable instances
self.incoming_greeting = rx.subject.Subject()
def __init__(self,
nursery: trio.Nursery,
addr: IPv4Address = ("0.0.0.0", 12000),
key: PrivateKey = None,
max_rounds: int = 2):
self.nursery = nursery
self.addr = addr
self.max_rounds = max_rounds
if key is None:
self.key = PrivateKey.generate()
else:
self.key = PrivateKey(bytes.fromhex(key))
self.nodes: Dict[PublicKey, BoxerRemoteNode] = {}
self.fights: Dict[str, BoxerFight] = {}
self.fightidmngr = SessionIDManager()
def test_rekey(self):
pkey = PrivateKey.generate()
msg = b'\x03\x00' + pkey.public_key._public_key
response = self.send_with_mac(msg).msg
self.assertEqual(len(response), 34 + self.mac_len)
self.assert_correct_mac(response)
self.assertEqual(six.byte2int(response[1:]), 0x00)
self.assert_message_type(response, 0x83)
server_pubkey = response[2:-self.mac_len]
new_shared_secret = crypto_scalarmult(pkey._private_key, server_pubkey)
# Send confirm
self.session_key = new_shared_secret
msg = b'\x04'
response = self.send_with_mac(msg).msg
self.assert_correct_mac(response)
self.assert_message_type(response, 0x84)
self.assertEqual(self.session_key, self.channel.shared_key)
def __init__(self, server, reader, writer):
self.proxy_writer = None
self.proxy_reader = None
self.__reader = reader
self.client_writer = writer
self.key = PrivateKey.generate()
self.client_key = None
self.proxy_pub_key = self.key.public_key
self.proxy_pub_key_b64 = self.key.public_key.encode(
encoder=nacl.encoding.Base64Encoder)
self.aes_key = None
self.encrypt = False
self.AES = None
self.server = server
self.logger = server.logger
def get_cybersource_test_settings(private_key=None):
"""
Generates a valid set of settings for CyberSource
"""
if private_key is None:
private_key = PrivateKey.generate()
return {
"CYBERSOURCE_WSDL_URL":
(f"http://localhost/service/CyberSourceTransaction_{SERVICE_VERSION}.wsdl"
),
"CYBERSOURCE_MERCHANT_ID":
"merchant_id",
"CYBERSOURCE_TRANSACTION_KEY":
"transaction_key",
"CYBERSOURCE_INQUIRY_LOG_NACL_ENCRYPTION_KEY":
Base64Encoder.encode(bytes(private_key.public_key)),
}
def read_config_file(commandlineoptions=None):
global config_file
if os.path.exists(config_file):
with open(config_file, 'r') as f:
return yaml.load(f)
else:
# generate the config file for the client including the secret key
# which must be kept secret
config = dict()
config['own_sk'] = PrivateKey.generate()
config['registration_successful'] = False
config['server_pk'] = PublicKey(
commandlineoptions.server_pk_str.decode('hex'))
config['contact_list'] = list()
config['username'] = "******"
config['status_msg'] = "Testing OnionPIR..."
save_config_file(config)
return config
def apply(document, config):
"""
Generates a deploy key, injects config/master keys and performs the extra deployment time encryption of secrets.
"""
url = util.rget(document, 'secretary', 'url')
if not url:
return config
# Check for encrypted secrets
found = False
for key, value in config.get('env', {}).iteritems():
envelopes = extractEnvelopes(value)
found = found or envelopes
# e.g. dots aren't valid in a shell identifier, so `secretary decrypt -e` wouldn't work with them
if envelopes and not _SHELL_IDENTIFIER_RE.match(key):
raise RuntimeError((
"The env var '%s' has an encrypted value but its name is not a valid shell script identifier and not supported by Secretary. "
+
"Only alphanumeric characters and underscores are supported, starting with an alphabetic or underscore character."
+
"Please check https://github.com/meltwater/lighter#secrets-management ."
) % key)
# Avoid adding public keys if no secrets present
if not found:
return config
result = deepcopy(config)
masterKey = decodePublicKey(
util.rget(document, 'secretary', 'master', 'publickey'))
result['env'] = result.get('env', {})
result['env']['SECRETARY_URL'] = url
result['env']['MASTER_PUBLIC_KEY'] = encodeKey(masterKey)
# Autogenerate a deploy key
deployKey = PrivateKey.generate()
result['env']['DEPLOY_PRIVATE_KEY'] = KeyValue(encodeKey(deployKey))
result['env']['DEPLOY_PUBLIC_KEY'] = KeyValue(
encodeKey(deployKey.public_key))
return result
def generate_keys():
# Generate applications public and private key
# In practice, these would be set externally and stored outside the repository
sk = PrivateKey.generate()
pk = sk.public_key
# write to filesfor access if they don't exist
sk_path = os.path.join(os.path.dirname(__file__), "..", "private_key")
if not os.path.exists(sk_path):
# write as binary
with open(sk_path, 'wb') as f:
sk_bytes = bytes(sk)
f.write(sk_bytes)
pk_path = os.path.join(os.path.dirname(__file__), "..", "public_key")
if not os.path.exists(pk_path):
with open(pk_path, 'wb') as f:
pk_bytes = bytes(pk)
f.write(pk_bytes)
def operator_key_pair_create():
try:
privKey = PrivateKey.generate()
pubKey = privKey.public_key
key_pair_res = {
"DID": ''.join(random.choices(string.ascii_uppercase + string.ascii_lowercase + string.digits, k=22)),
"public_key": binascii.b2a_base64(bytes(pubKey)).decode("utf-8").strip(),
"private_key": binascii.b2a_base64(bytes(privKey)).decode("utf-8").strip(),
"timestamp": str(int(time.time()))
}
client_key_res = copy.deepcopy(key_pair_res)
mongo_setup_provider.key_pair_col.insert_one(key_pair_res)
return jwt.encode(client_key_res, os.environ["VPNAAS_KEY"], algorithm="HS256")
except Exception as error:
logger.error(error)
sys.exit()
#tl.start(block=False)
def NACL_sealedBox_encrypt(text):
# Generate Bob's private key, as we've done in the Box example
skbob = PrivateKey.generate()
pkbob = skbob.public_key
# Alice wishes to send a encrypted message to Bob,
# but prefers the message to be untraceable
sealed_box = SealedBox(pkbob)
# This is Alice's message
message = bytes(text,'utf-8')
# Encrypt the message, it will carry the ephemeral key public part
# to let Bob decrypt it
encrypted = sealed_box.encrypt(message)
#Now, Bob wants to read the secret message he just received; therefore he must create a SealedBox using his own
#private key:
unseal_box = SealedBox(skbob)
# decrypt the received message
plaintext = unseal_box.decrypt(encrypted)
print(plaintext.decode('utf-8'))
return True
def __init__(self, user, keyring, filename=None):
"""
we want to keep all the cryptographic functions as side-effect
free as possible, so when we instantiate a keyring we'll do as
much of the setup and I/O as possible.
"""
self.keyring = keyring
if not filename:
filename = keyring.lstrip('/key').replace('/', '.')
filename = os.path.join(DIR, '{}.{}'.format(user, filename))
try:
self._load_from_private_keyfile(filename)
except FileNotFoundError:
self.enc_key = PrivateKey.generate()
self.signing_key = nacl.signing.SigningKey.generate()
self.enc_key_id = uuid.uuid4().hex
self.signing_key_id = uuid.uuid4().hex
self._to_private_keyfile(filename)
def purchase(self, node_to_ask, contract):
"""
Send an order message to the vendor.
Args:
node_to_ask: a `dht.node.Node` object
contract: a complete `Contract` object containing the buyer's order
"""
def parse_response(response):
try:
address = contract.contract["buyer_order"]["order"]["payment"][
"address"]
chaincode = contract.contract["buyer_order"]["order"][
"payment"]["chaincode"]
masterkey_b = contract.contract["buyer_order"]["order"]["id"][
"pubkeys"]["bitcoin"]
buyer_key = derive_childkey(masterkey_b, chaincode)
amount = contract.contract["buyer_order"]["order"]["payment"][
"amount"]
listing_hash = contract.contract["buyer_order"]["order"][
"ref_hash"]
verify_key = nacl.signing.VerifyKey(
node_to_ask.signed_pubkey[64:])
verify_key.verify(
str(address) + str(amount) + str(listing_hash) +
str(buyer_key), response[1][0])
return response[1][0]
except Exception:
return False
public_key = contract.contract["vendor_offer"]["listing"]["id"][
"pubkeys"]["encryption"]
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder))
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(json.dumps(contract.contract, indent=4),
nonce)
d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext)
self.log.info("purchasing contract %s from %s" %
(contract.get_contract_id().encode("hex"), node_to_ask))
return d.addCallback(parse_response)
def test_login_failure_no_public_key(self):
"""
Test to login without public_key
"""
# our public / private key box
box = PrivateKey.generate()
# our hex encoded public / private keys
user_session_private_key_hex = box.encode(
encoder=nacl.encoding.HexEncoder).decode()
user_session_public_key_hex = box.public_key.encode(
encoder=nacl.encoding.HexEncoder).decode()
server_crypto_box = Box(
PrivateKey(user_session_private_key_hex,
encoder=nacl.encoding.HexEncoder),
PublicKey(settings.PUBLIC_KEY, encoder=nacl.encoding.HexEncoder))
login_info_nonce = nacl.utils.random(nacl.secret.SecretBox.NONCE_SIZE)
encrypted = server_crypto_box.encrypt(
json.dumps({
'username': self.test_username,
'authkey': self.test_authkey,
}).encode("utf-8"), login_info_nonce)
login_info_encrypted = encrypted[len(login_info_nonce):]
data = {
'login_info':
nacl.encoding.HexEncoder.encode(login_info_encrypted).decode(),
'login_info_nonce':
nacl.encoding.HexEncoder.encode(login_info_nonce).decode(),
# 'public_key': user_session_public_key_hex,
}
url = reverse('authentication_login')
models.Token.objects.all().delete()
response = self.client.post(url, data)
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def show_cluster_config(cluster_id: str) -> dict:
box = PrivateKey.generate()
private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder)
public_key_hex = box.public_key.encode(encoder=nacl.encoding.HexEncoder)
if not cluster_id or cluster_id == 'None':
return {
'error': 'CLUSTER_ID required'
}
try:
cluster = Fileserver_Cluster.objects.filter(pk=cluster_id).get()
except Fileserver_Cluster.DoesNotExist:
return {
'error': 'A cluster with this id was not found. You can use "fsclusterlist" to display all'
}
if cluster.links.count() == 0:
return {
'error': ' Shard: Not found for this cluster. You can create one with "fsshardcreate TITLE \'Some description\'" and then link it to this cluster with "fsshardlink ' + str(
cluster.id) + ' SHARD_ID"'
}
uni = string.ascii_letters + string.digits + string.punctuation
print('SECRET_KEY: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"')))
print('PRIVATE_KEY: ' + repr(str(private_key_hex.decode())))
print('PUBLIC_KEY: ' + repr(str(public_key_hex.decode())))
print('SERVER_URL: ' + repr(settings.HOST_URL))
print('SERVER_PUBLIC_KEY: ' + repr(settings.PUBLIC_KEY))
print("CLUSTER_ID: '"+ str(cluster.id) +"'")
print("CLUSTER_PRIVATE_KEY: '"+ str(decrypt_with_db_secret(cluster.auth_private_key)) +"'")
shards = []
for links in cluster.links.all():
shards.append('{shard_id: ' + str(links.shard_id) + ', read: ' + str(links.read) + ', write: ' + str(links.write) + ', delete: ' + str(links.delete_capability) + ', allow_link_shares: ' + str(links.allow_link_shares) + ', engine: {class: \'local\', kwargs: {location: \'/opt/psono-shard/'+ str(links.shard_id) +'\'}}}')
print("SHARDS: ["+','.join(shards)+"]")
return {}
def get_node(node_to_ask, recipient_guid, public_key):
def parse_response(response):
if not response[0]:
self.send_message(Node(unhexlify(recipient_guid)),
public_key,
objects.PlaintextMessage.Type.Value("DISPUTE_CLOSE"),
dispute_json,
order_id,
store_only=True)
if node_to_ask:
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder))
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(json.dumps(dispute_json, indent=4), nonce)
d = self.protocol.callDisputeClose(node_to_ask, pkephem, ciphertext)
return d.addCallback(parse_response)
else:
return parse_response([False])
def fake_transport():
privkey = PrivateKey.generate()
pubkey_hex = privkey.public_key.encode().encode("hex")
TID_tokenid, TID_privkey, TID_token0 = rrid.create()
private = {
"privkey": privkey,
"TID": (TID_tokenid, TID_privkey, TID_token0)
}
# this is what lives in our database. All channels that share the same
# transport will use the same thing.
db_record = {
"for_sender": {
"type": "test-return",
"transport_pubkey": pubkey_hex,
},
"for_recipient": {
"TID": TID_token0.encode("hex")
},
}
return private, db_record
def rotate_user_key(args):
"""Rotates the user main key.
Required when a device was removed to keep future content safe.
Maximum rotation rate once per second, but please don't: it will just make
the user identity block bloated, eventually blocking the user by upload limit.
"""
username = get_username(args)
user_storage = LocalStorage(username)
old_signing = _get_user_signingkey(username)
old_private = _get_user_privatekey(username)
timestamp = get_timestamp_seconds()
with user_storage as us:
us["signingkey"] = SigningKey.generate().encode()
us["privatekey"] = PrivateKey.generate().encode()
us["previous_keys"][timestamp] = {
"signingkey": us["signingkey"],
"privatekey": us["privatekey"],
}
def setUp(self):
box = PrivateKey.generate()
private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder)
public_key_hex = box.public_key.encode(
encoder=nacl.encoding.HexEncoder)
private_key_hex = encrypt_with_db_secret(private_key_hex.decode())
public_key_hex = encrypt_with_db_secret(public_key_hex.decode())
self.cluster = models.Fileserver_Cluster.objects.create(
title='Some Title',
auth_public_key=public_key_hex,
auth_private_key=private_key_hex,
file_size_limit=0,
)
self.shard = models.Fileserver_Shard.objects.create(
title='Some Title',
description='Some description',
)
def new_shop(req: ShopCreateRequest):
try:
b64decode(req.shop_pub_key)
except binascii.Error:
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST,
detail='公鑰錯誤')
shop = Shop(name=req.name, shop_pub_key=req.shop_pub_key)
private_key = PrivateKey.generate()
box = SecretBox(SERVER_MASTER_SECRET)
try:
Secret(shop=shop,
server_secret_key=b64encode(
box.encrypt(private_key._private_key)).decode('ascii'))
commit()
except TransactionIntegrityError:
rollback()
raise HTTPException(status_code=status.HTTP_409_CONFLICT,
detail='公鑰已被使用')
return b64encode(private_key.public_key._public_key).decode('ascii')
def __init__(self,
reactor,
host,
port,
serverKey,
serverExtension,
clientKey=None,
clientExtension='\x00' * 16):
self.reactor = reactor
self.host = host
self.port = port
self.serverKey = serverKey
self.serverExtension = serverExtension
if clientKey is None:
clientKey = PrivateKey.generate()
self.clientKey = clientKey
self.clientExtension = clientExtension
self._funcs = []
self.setupClient()
self.delayedCall = None
def get_wg_keys(self, ifname):
private_key_path = f"/etc/syntropy-agent/privatekey-{ifname}"
public_key_path = f"/etc/syntropy-agent/publickey-{ifname}"
private_key = Path(private_key_path)
public_key = Path(public_key_path)
if not private_key.is_file() or not public_key.is_file():
privKey = PrivateKey.generate()
pubKey = base64.b64encode(bytes(privKey.public_key))
privKey = base64.b64encode(bytes(privKey))
base64_privKey = privKey.decode('ascii')
base64_pubKey = pubKey.decode('ascii')
private_key.write_text(base64_privKey)
public_key.write_text(base64_pubKey)
private_key.chmod(0o600)
public_key.chmod(0o600)
if self.wg_kernel:
return public_key.read_text().strip(), private_key.read_text(
).strip()
else:
return public_key.read_text().strip(), private_key_path
def start():
if not os.path.exists("keys.txt"):
secretkey = PrivateKey.generate()
publickey = secretkey.public_key
publickey64 = publickey.encode(Base64Encoder).decode("utf8")
secretkey64 = secretkey.encode(Base64Encoder).decode("utf8")
with open("keys.txt", "w") as myfile:
myfile.write(publickey64)
myfile.write("\n")
myfile.write(secretkey64)
else:
with open("keys.txt", "r") as myfile:
publickey64 = myfile.readline()
secretkey64 = myfile.readline()
#publickey = nacl.public.PublicKey(publickey64, nacl.encoding.Base64Encoder)
secretkey = nacl.public.PrivateKey(secretkey64, nacl.encoding.Base64Encoder)
print(secretkey)
return secretkey
def handle(self, *args, **options):
uni = string.ascii_letters + string.digits + string.punctuation
box = PrivateKey.generate()
private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder)
public_key_hex = box.public_key.encode(encoder=nacl.encoding.HexEncoder)
print('')
print('# Copy paste this content into your settings.yml and replace existing occurrences')
print('# ')
print('# WARNING: Do this only for a fresh installation!')
print('# Changing those variables afterwards will break the program e.g.:')
print('# Activation links will not work, Server will not be able to read user emails, ...')
print('')
print('SECRET_KEY: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"')))
print('ACTIVATION_LINK_SECRET: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"')))
print('DB_SECRET: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"')))
print('EMAIL_SECRET_SALT: ' + repr(str(bcrypt.gensalt().decode())))
print('PRIVATE_KEY: ' + repr(str(private_key_hex.decode())))
print('PUBLIC_KEY: ' + repr(str(public_key_hex.decode())))
print('')
def decrypt(self, packetID, payload):
if packetID == 20100:
self.sessionKey = payload[4:]
self.sk = PrivateKey.generate()
self.pk = self.sk.public_key
return payload
elif packetID == 20103 and not self.sessionKey:
return payload
elif packetID == 22280 or (packetID == 20103 and self.sessionKey):
nonce = Nonce(self.encryptNonce, self.pk, self.serverKey)
decrypted = self.decryptPacket(payload, nonce)
self.sharedKey = Box.decode(decrypted[24:56]) # Overwrite the previous sharedKey
self.decryptNonce = Nonce(decrypted[:24])
return decrypted[56:]
else:
return self.decryptPacket(payload)
def get_node(node_to_ask):
def parse_response(response):
if response[0] and response[1][0] == "True":
return True
elif not response[0]:
contract_dict = json.loads(json.dumps(contract.contract,
indent=4),
object_pairs_hook=OrderedDict)
del contract_dict["vendor_order_confirmation"]
order_id = digest(json.dumps(contract_dict,
indent=4)).encode("hex")
self.send_message(
Node(unhexlify(guid)),
contract.contract["buyer_order"]["order"]["id"]
["pubkeys"]["encryption"],
objects.Plaintext_Message.Type.Value(
"ORDER_CONFIRMATION"),
json.dumps(
contract.contract["vendor_order_confirmation"]),
order_id,
store_only=True)
return True
else:
return False
if node_to_ask:
public_key = contract.contract["buyer_order"]["order"]["id"][
"pubkeys"]["encryption"]
skephem = PrivateKey.generate()
pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder)
box = Box(skephem,
PublicKey(public_key, nacl.encoding.HexEncoder))
nonce = nacl.utils.random(Box.NONCE_SIZE)
ciphertext = box.encrypt(
json.dumps(contract.contract, indent=4), nonce)
d = self.protocol.callOrderConfirmation(
node_to_ask, pkephem, ciphertext)
return d.addCallback(parse_response)
else:
return parse_response([False])
def setUp(self):
box = PrivateKey.generate()
self.cluster_private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder).decode()
self.cluster_public_key_hex = box.public_key.encode(encoder=nacl.encoding.HexEncoder).decode()
private_key = encrypt_with_db_secret(self.cluster_private_key_hex)
public_key = encrypt_with_db_secret(self.cluster_public_key_hex)
self.cluster1 = Fileserver_Cluster.objects.create(
title='Some Fileserver Cluster Title',
auth_public_key=public_key,
auth_private_key=private_key,
file_size_limit=0,
)
self.shard1 = Fileserver_Shard.objects.create(
title='Some Shard Title',
description='Some Shard Description',
)
self.link1 = Fileserver_Cluster_Shard_Link.objects.create(
cluster=self.cluster1,
shard=self.shard1,
read=True,
write=True,
)
token_hash = TokenAuthentication.user_token_to_token_hash('abc')
self.fileserver1 = Fileserver_Cluster_Members.objects.create(
create_ip='127.0.0.1',
fileserver_cluster=self.cluster1,
key=token_hash,
public_key=binascii.hexlify(os.urandom(settings.USER_PUBLIC_KEY_LENGTH_BYTES)).decode(),
secret_key=binascii.hexlify(os.urandom(settings.USER_PUBLIC_KEY_LENGTH_BYTES)).decode(),
url='https://fs01.example.com/fileserver',
read=True,
write=True,
delete_capability=True,
valid_till=timezone.now() + datetime.timedelta(seconds=30),
)
def _replyWithCookie(self, data, host_port):
if len(data) != _helloStruct.size:
return
serverExtension, clientExtension, clientShortPubkey, nonce, encrypted = _helloStruct.unpack(
data)
serverLongClientShort = Box(self.serverKey.key,
PublicKey(clientShortPubkey))
try:
serverLongClientShort.decrypt(encrypted,
'CurveCP-client-H' + nonce)
except CryptoError:
return
serverShortKey = PrivateKey.generate()
unencryptedCookie = clientShortPubkey + str(serverShortKey)
cookieNonce = self.serverKey.nonce(longterm=True)
cookie = cookieNonce + self._secretBox.encrypt(
unencryptedCookie, 'c' * 8 + cookieNonce).ciphertext
boxData = str(serverShortKey.public_key) + cookie
cookiePacket = ('RL3aNMXK' + clientExtension + serverExtension +
cookieNonce + serverLongClientShort.encrypt(
boxData, 'CurveCPK' + cookieNonce).ciphertext)
self.transport.write(cookiePacket, host_port)
