def with_signing_key(self, signing_key): # type: (bytes) -> EncryptionMaterials """Get new encryption materials that also include this signing key. .. versionadded:: 1.5.0 :param bytes signing_key: Signing key :rtype: EncryptionMaterials :raises AttributeError: if signing key is already set :raises SignatureKeyError: if algorithm suite does not support signing keys """ if self.signing_key is not None: raise AttributeError("Signing key is already set.") if self.algorithm.signing_algorithm_info is None: raise SignatureKeyError("Algorithm suite does not support signing keys.") new_materials = copy.copy(self) # Verify that the signing key matches the algorithm Signer.from_key_bytes(algorithm=new_materials.algorithm, key_bytes=signing_key) new_materials._setattr("signing_key", signing_key) # simplify access to copies pylint: disable=protected-access return new_materials
def test_f_signer_from_key_bytes(): check = Signer(algorithm=ALGORITHM, key=VALUES['ecc_private_key_prime']) test = Signer.from_key_bytes( algorithm=ALGORITHM, key_bytes=VALUES['ecc_private_key_prime_private_bytes']) assert check.key.private_numbers( ).private_value == test.key.private_numbers().private_value
def test_signer_key_bytes_cycle(): key = ec.generate_private_key(curve=ec.SECP384R1, backend=default_backend()) signer = Signer(algorithm=aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, key=key) key_bytes = signer.key_bytes() new_signer = Signer.from_key_bytes( algorithm=aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, key_bytes=key_bytes ) assert new_signer.key.private_numbers().private_value == signer.key.private_numbers().private_value
def test_signer_key_bytes(patch_default_backend, patch_serialization, patch_build_hasher): private_key = MagicMock() signer = Signer(MagicMock(), key=private_key) test = signer.key_bytes() assert test is private_key.private_bytes.return_value private_key.private_bytes.assert_called_once_with( encoding=patch_serialization.Encoding.DER, format=patch_serialization.PrivateFormat.PKCS8, encryption_algorithm=patch_serialization.NoEncryption.return_value)
def test_signer_encoded_public_key(patch_default_backend, patch_serialization, patch_build_hasher, patch_ecc_encode_compressed_point, patch_base64): patch_ecc_encode_compressed_point.return_value = sentinel.compressed_point patch_base64.b64encode.return_value = sentinel.encoded_point private_key = MagicMock() signer = Signer(MagicMock(), key=private_key) test_key = signer.encoded_public_key() patch_ecc_encode_compressed_point.assert_called_once_with(private_key) patch_base64.b64encode.assert_called_once_with(sentinel.compressed_point) assert test_key == sentinel.encoded_point
def test_signer_finalize(patch_default_backend, patch_serialization, patch_build_hasher, patch_ecc_static_length_signature): algorithm = MagicMock() private_key = MagicMock() signer = Signer(algorithm, key=private_key) test_signature = signer.finalize() patch_build_hasher.return_value.finalize.assert_called_once_with() patch_ecc_static_length_signature.assert_called_once_with( key=private_key, algorithm=algorithm, digest=patch_build_hasher.return_value.finalize.return_value) assert test_signature is patch_ecc_static_length_signature.return_value
def _prep_message(self): """Performs initial message setup. :raises MasterKeyProviderError: if primary master key is not a member of supplied MasterKeyProvider :raises MasterKeyProviderError: if no Master Keys are returned from key_provider """ validate_commitment_policy_on_encrypt(self.config.commitment_policy, self.config.algorithm) try: plaintext_length = self.stream_length except NotSupportedError: plaintext_length = None encryption_materials_request = EncryptionMaterialsRequest( algorithm=self.config.algorithm, encryption_context=self.config.encryption_context.copy(), frame_length=self.config.frame_length, plaintext_rostream=aws_encryption_sdk.internal.utils.streams. ROStream(self.source_stream), plaintext_length=plaintext_length, commitment_policy=self.config.commitment_policy, ) self._encryption_materials = self.config.materials_manager.get_encryption_materials( request=encryption_materials_request) if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm: raise ActionNotAllowedError( ("Cryptographic materials manager provided algorithm suite" " differs from algorithm suite in request.\n" "Required: {requested}\n" "Provided: {provided}").format( requested=self.config.algorithm, provided=self._encryption_materials.algorithm)) if self._encryption_materials.signing_key is None: self.signer = None else: self.signer = Signer.from_key_bytes( algorithm=self._encryption_materials.algorithm, key_bytes=self._encryption_materials.signing_key) aws_encryption_sdk.internal.utils.validate_frame_length( frame_length=self.config.frame_length, algorithm=self._encryption_materials.algorithm) message_id = aws_encryption_sdk.internal.utils.message_id( self._encryption_materials.algorithm.message_id_length()) self._derived_data_key = derive_data_encryption_key( source_key=self._encryption_materials.data_encryption_key.data_key, algorithm=self._encryption_materials.algorithm, message_id=message_id, ) self._header = self.generate_header(message_id) self._write_header() if self.content_type == ContentType.NO_FRAMING: self._prep_non_framed() self._message_prepped = True
def _generate_signing_key_and_update_encryption_context( self, algorithm, encryption_context): """Generates a signing key based on the provided algorithm. :param algorithm: Algorithm for which to generate signing key :type algorithm: aws_encryption_sdk.identifiers.Algorithm :param dict encryption_context: Encryption context from request :returns: Signing key bytes :rtype: bytes or None """ _LOGGER.debug("Generating signing key") if algorithm.signing_algorithm_info is None: return None signer = Signer(algorithm=algorithm, key=generate_ecc_signing_key(algorithm=algorithm)) encryption_context[ENCODED_SIGNER_KEY] = to_str( signer.encoded_public_key()) return signer.key_bytes()
def test_signer_from_key_bytes(patch_default_backend, patch_serialization, patch_build_hasher): _algorithm = MagicMock() signer = Signer.from_key_bytes(algorithm=_algorithm, key_bytes=sentinel.key_bytes) patch_serialization.load_der_private_key.assert_called_once_with( data=sentinel.key_bytes, password=None, backend=patch_default_backend.return_value) assert isinstance(signer, Signer) assert signer.algorithm is _algorithm assert signer.key is patch_serialization.load_der_private_key.return_value
def test_f_signer_key_bytes(): test = Signer(algorithm=ALGORITHM, key=VALUES['ecc_private_key_prime']) assert test.key_bytes() == VALUES['ecc_private_key_prime_private_bytes']
def test_signer_update(patch_default_backend, patch_serialization, patch_build_hasher): signer = Signer(MagicMock(), key=MagicMock()) signer.update(sentinel.data) patch_build_hasher.return_value.update.assert_called_once_with( sentinel.data)