def test_pks8_encrypted_corrupt_format(self, backend):
        # enc-rsa-pkcs8.pem with some bits flipped.
        key_data = textwrap.dedent("""\
        -----BEGIN ENCRYPTED PRIVATE KEY-----
        MIICojAcBgoqhkiG9w0BDAEDMA4ECHK0M0+QuEL9AgIBIcSCAoDRq+KRY+0XP0tO
        lwBTzViiXSXoyNnKAZKt5r5K/fGNntv22g/1s/ZNCetrqsJDC5eMUPPacz06jFq/
        Ipsep4/OgjQ9UAOzXNrWEoNyrHnWDo7usgD3CW0mKyqER4+wG0adVMbt3N+CJHGB
        85jzRmQTfkdx1rSWeSx+XyswHn8ER4+hQ+omKWMVm7AFkjjmP/KnhUnLT98J8rhU
        ArQoFPHz/6HVkypFccNaPPNg6IA4aS2A+TU9vJYOaXSVfFB2yf99hfYYzC+ukmuU
        5Lun0cysK5s/5uSwDueUmDQKspnaNyiaMGDxvw8hilJc7vg0fGObfnbIpizhxJwq
        gKBfR7Zt0Hv8OYi1He4MehfMGdbHskztF+yQ40LplBGXQrvAqpU4zShga1BoQ98T
        0ekbBmqj7hg47VFsppXR7DKhx7G7rpMmdKbFhAZVCjae7rRGpUtD52cpFdPhMyAX
        huhMkoczwUW8B/rM4272lkHo6Br0yk/TQfTEGkvryflNVu6lniPTV151WV5U1M3o
        3G3a44eDyt7Ln+WSOpWtbPQMTrpKhur6WXgJvrpa/m02oOGdvOlDsoOCgavgQMWg
        7xKKL7620pHl7p7f/8tlE8q6vLXVvyNtAOgt/JAr2rgvrHaZSzDE0DwgCjBXEm+7
        cVMVNkHod7bLQefVanVtWqPzbmr8f7gKeuGwWSG9oew/lN2hxcLEPJHAQlnLgx3P
        0GdGjK9NvwA0EP2gYIeE4+UtSder7xQ7bVh25VB20R4TTIIs4aXXCVOoQPagnzaT
        6JLgl8FrvdfjHwIvmSOO1YMNmILBq000Q8WDqyErBDs4hsvtO6VQ4LeqJj6gClX3
        qeJNaJFu
        -----END ENCRYPTED PRIVATE KEY-----
        """).encode()

        password = b"this password is wrong"

        with pytest.raises(ValueError):
            load_pem_private_key(
                key_data, None, backend
            )

        with pytest.raises(ValueError):
            load_pem_private_key(
                key_data, password, backend
            )
Example #2
1
    def _authenticate(self, data):
        client_param = data[:32]
        app_param = data[32:64]
        kh_len = ord(data[64])
        key_handle = data[65:65 + kh_len].encode('hex')
        if key_handle not in self.data['keys']:
            raise ValueError("Unknown key handle!")

        # Unwrap:
        unwrapped = self.data['keys'][key_handle]
        if app_param != unwrapped['app_param'].decode('hex'):
            raise ValueError("Incorrect app param!")
        priv_pem = unwrapped['priv_key'].encode('ascii')
        privu = serialization.load_pem_private_key(
            priv_pem, password=None, backend=default_backend(),
        )

        # Increment counter
        self.data['counter'] += 1
        self._persist()

        # Create signature
        touch = chr(1)  # Always indicate user presence
        counter = struct.pack('>I', self.data['counter'])

        signer = privu.signer(ec.ECDSA(hashes.SHA256()))
        signer.update(app_param + touch + counter + client_param)
        signature = signer.finalize()
        raw_response = touch + counter + signature

        return raw_response
Example #3
0
    def ParseFromString(self, pem_string):
        try:
            self._value = serialization.load_pem_private_key(pem_string, password=None, backend=openssl.backend)
            return
        except (TypeError, ValueError, exceptions.UnsupportedAlgorithm) as e:

            if "private key is encrypted" not in str(e):
                raise type_info.TypeValueError("Private key invalid: %s" % e)

            # pylint: disable=g-explicit-bool-comparison, g-equals-none

            # The private key is passphrase protected, we need to see if we are
            # allowed to ask the user.
            #
            # If allow_prompt is False, we are explicitly told that we are not.
            if self.allow_prompt == False:
                raise type_info.TypeValueError("Private key invalid: %s" % e)

            # allow_prompt was not set, we use the context we are in to see if it
            # makes sense to ask.
            elif self.allow_prompt == None:
                if "Commandline Context" not in config_lib.CONFIG.context:
                    raise type_info.TypeValueError("Private key invalid: %s" % e)

            # pylint: enable=g-explicit-bool-comparison, g-equals-none

        try:
            # The private key is encrypted and we can ask the user for the passphrase.
            password = utils.PassphraseCallback()
            self._value = serialization.load_pem_private_key(pem_string, password=password, backend=openssl.backend)
        except (TypeError, ValueError, exceptions.UnsupportedAlgorithm) as e:
            raise type_info.TypeValueError("Unable to load private key: %s" % e)
    def test_traditional_encrypted_corrupt_format(self, backend):
        # privkey.pem with a single bit flipped
        key_data = textwrap.dedent("""\
        -----BEGIN RSA PRIVATE KEY-----
        Proc-Type: <,ENCRYPTED
        DEK-Info: AES-128-CBC,5E22A2BD85A653FB7A3ED20DE84F54CD

        hAqtb5ZkTMGcs4BBDQ1SKZzdQThWRDzEDxM3qBfjvYa35KxZ54aic013mW/lwj2I
        v5bbpOjrHYHNAiZYZ7RNb+ztbF6F/g5PA5g7mFwEq+LFBY0InIplYBSv9QtE+lot
        Dy4AlZa/+NzJwgdKDb+JVfk5SddyD4ywnyeORnMPy4xXKvjXwmW+iLibZVKsjIgw
        H8hSxcD+FhWyJm9h9uLtmpuqhQo0jTUYpnTezZx2xeVPB53Ev7YCxR9Nsgj5GsVf
        9Z/hqLB7IFgM3pa0z3PQeUIZF/cEf72fISWIOBwwkzVrPUkXWfbuWeJXQXSs3amE
        5A295jD9BQp9CY0nNFSsy+qiXWToq2xT3y5zVNEStmN0SCGNaIlUnJzL9IHW+oMI
        kPmXZMnAYBWeeCF1gf3J3aE5lZInegHNfEI0+J0LazC2aNU5Dg/BNqrmRqKWEIo/
        -----END RSA PRIVATE KEY-----
        """).encode()

        password = b"this password is wrong"

        with pytest.raises(ValueError):
            load_pem_private_key(
                key_data, None, backend
            )

        with pytest.raises(ValueError):
            load_pem_private_key(
                key_data, password, backend
            )
    def test_corrupt_pkcs8_format(self, backend):
        # unenc-rsa-pkcs8.pem with a bunch of data missing.
        key_data = textwrap.dedent("""\
        -----BEGIN PRIVATE KEY-----
        MIICdQIBADALBgkqhkiG9w0BAQEEggJhMIICXQIBAAKBgQC7JHoJfg6yNzLMOWet
        8Z49a4KD0dCspMAYvo2YAMB7/wdEycocujbhJ2n/seONi+5XqTqqFkM5VBl8rmkk
        FPZk/7x0xmdsTPECSWnHK+HhoaNDFPR3j8jQhVo1laxiqcEhAHegi5cwtFosuJAv
        FiRC0Cgz+frQPFQEBsAV9RuasyQxqzxrR0Ow0qncBeGBWbYE6WZhqtcLAI895b+i
        +F4lbB4iD7T9QeIDMU/aIMXA81UO4cns1z4qDAHKeyLLrPQrJ/B4X7XC+egUWm5+
        hr1qmyAMusyXIBECQQDJWZ8piluf4yrYfsJAn6hF5T4RjTztbqvO0GVG2McHY7Uj
        NPSffhzHx/ll0fQEQji+OgydCCX8o3HZrgw5YfSJAkEA7e+rqdU5nO5ZG//PSEQb
        tjLnRiTzBH/elQhtdZ5nF7pcpNTi4k13zutmKcWW4GK75azcRGJUhu1kDM7QYAOd
        SQJAVNkYcifkvna7GmooL5VYEsQsqLbM4v0NF2TIGNfG3z1MGp75KrC5LhL97MNR
        we2p/bd2k0HYyCKUGnf2nMPDiQJBAI75pwittSoE240EobUGIDTSz8CJsXIxuDmL
        z+KOpdpPRR5TQmbEMEspjsFpFymMiuYPgmihQbO2cJl1qScY5OkCQQCJ6m5tcN8l
        Xxg/SNpjEIv+qAyUD96XVlOJlOIeLHQ8kYE0C6ZA+MsqYIzgAreJk88Yn0lU/X0/
        mu/UpE/BRZmR
        -----END PRIVATE KEY-----
        """).encode()

        with pytest.raises(ValueError):
            load_pem_private_key(
                key_data, None, backend
            )

        with pytest.raises(ValueError):
            load_pem_private_key(
                key_data, b"this password will not be used", backend
            )
Example #6
0
def load_private_key_list(data, password=None):
    """
    Load a private key list from a sequence of concatenated PEMs.

    :param data: bytes containing the private keys
    :param password: bytes, the password to encrypted keys in the bundle

    :returns: List of python-cryptography ``PrivateKey`` objects
    """
    crypto_backend = default_backend()
    priv_keys = []

    for match in re.finditer(PEM_PRIV_REGEX, data):
        if re.search(b"ENCRYPTED", match.group()) is not None:
            if password is None:
                raise RuntimeError("Password is required for the encrypted "
                                   "keys in the bundle.")
            # Load private key as encrypted
            priv_keys.append(
                load_pem_private_key(match.group(), password,
                                     backend=crypto_backend))
        else:
            priv_keys.append(
                load_pem_private_key(match.group(), None,
                                     backend=crypto_backend))

    return priv_keys
Example #7
0
def private_key(key):
    """
    User to validate that a given string is a RSA private key

    :param key:
    :return: :raise ValueError:
    """
    try:
        serialization.load_pem_private_key(bytes(key), None, backend=default_backend())
    except Exception:
        raise ValidationError('Private key presented is not valid.')
Example #8
0
 def test_private_bytes_encrypted_pem(self, backend, fmt, password):
     _skip_curve_unsupported(backend, ec.SECP256R1())
     key_bytes = load_vectors_from_file(
         os.path.join("asymmetric", "PKCS8", "ec_private_key.pem"), lambda pemfile: pemfile.read().encode()
     )
     key = serialization.load_pem_private_key(key_bytes, None, backend)
     serialized = key.private_bytes(serialization.Encoding.PEM, fmt, serialization.BestAvailableEncryption(password))
     loaded_key = serialization.load_pem_private_key(serialized, password, backend)
     loaded_priv_num = loaded_key.private_numbers()
     priv_num = key.private_numbers()
     assert loaded_priv_num == priv_num
Example #9
0
 def test_private_bytes_encrypted_pem(self, backend, fmt, password):
     key_bytes = load_vectors_from_file(
         os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"), lambda pemfile: pemfile.read().encode()
     )
     key = serialization.load_pem_private_key(key_bytes, None, backend)
     _skip_if_no_serialization(key, backend)
     serialized = key.private_bytes(serialization.Encoding.PEM, fmt, serialization.BestAvailableEncryption(password))
     loaded_key = serialization.load_pem_private_key(serialized, password, backend)
     loaded_priv_num = loaded_key.private_numbers()
     priv_num = key.private_numbers()
     assert loaded_priv_num == priv_num
Example #10
0
 def test_private_bytes_unencrypted_pem(self, backend, fmt):
     key_bytes = load_vectors_from_file(
         os.path.join("asymmetric", "Traditional_OpenSSL_Serialization", "dsa.1024.pem"),
         lambda pemfile: pemfile.read().encode(),
     )
     key = serialization.load_pem_private_key(key_bytes, None, backend)
     _skip_if_no_serialization(key, backend)
     serialized = key.private_bytes(serialization.Encoding.PEM, fmt, serialization.NoEncryption())
     loaded_key = serialization.load_pem_private_key(serialized, None, backend)
     loaded_priv_num = loaded_key.private_numbers()
     priv_num = key.private_numbers()
     assert loaded_priv_num == priv_num
    def test_wrong_private_format(self, backend):
        key_data = b"---- NOT A KEY ----\n"

        with pytest.raises(ValueError):
            load_pem_private_key(
                key_data, None, backend
            )

        with pytest.raises(ValueError):
            load_pem_private_key(
                key_data, b"this password will not be used", backend
            )
Example #12
0
File: views.py Project: m4c3/lemur
def private_key_str(value, name):
    """
    User to validate that a given string is a RSA private key

    :param value:
    :param name:
    :return: :raise ValueError:
    """
    try:
        serialization.load_pem_private_key(bytes(value), None, backend=default_backend())
    except Exception:
        raise ValueError("The parameter '{0}' needs to be a valid RSA private key".format(name))
    return value
    def from_secret_pem(cls, key_bytes=None, path=None):
        """
        Read a pem file and set it as the private key
        :return: Return new Token instance
        """
        if key_bytes:
            secret_bytes = load_pem_private_key(key_bytes, None, default_backend())
            return cls(secret_bytes=secret_bytes)

        if os.path.exists(path):
            with open(path, 'r') as pem_file:
                secret_bytes = load_pem_private_key(pem_file.read(), None, default_backend())
                return cls(secret_bytes=secret_bytes)
Example #14
0
def load_private_key(secret, pass_phrase):
    """Loads a private key that may use a pass_phrase.

    Tries to correct or diagnose common errors:

    - provided pass_phrase but didn't need one
    - provided a public key
    """
    if isinstance(secret, six.text_type):
        secret = secret.encode("ascii")
    if isinstance(pass_phrase, six.text_type):
        pass_phrase = pass_phrase.encode("ascii")

    backend = default_backend()

    try:
        # 0) Try with pass_phrase
        return serialization.load_pem_private_key(secret, pass_phrase, backend=backend)
    except TypeError:
        # 1) Either:
        #    - key has pass_phrase and one wasn't provided
        #    - key doesn't have pass_phrase and one was provided.
        #
        #    Can't fix the first, but we *can* fix the second.
        #    This can happen if the DEFAULT profile has a pass_phrase but
        #    another profile uses a key file without a pass_phrase.
        if pass_phrase is None:
            # 1.1) private key needed a pass_phrase and we don't have one
            raise MissingPrivateKeyPassphrase("The provided key requires a passphrase.")
        else:
            # 1.2) try again without pass_phrase; could be an artifact from DEFAULT
            return serialization.load_pem_private_key(secret, None, backend=backend)
    except ValueError:
        # 2) Try to determine what kind of failure this is.
        #    Most likely, this is either a bad password or a public key.
        #    If loading it as a public key fails, it's almost certainly a bad password.
        for loader in [
            serialization.load_der_public_key,
            serialization.load_pem_public_key,
            serialization.load_ssh_public_key
        ]:
            try:
                loader(secret, backend=backend)
            except (ValueError, UnsupportedAlgorithm):
                # 2.1) Not a public key; try the next format
                pass
            else:
                # 2.2) This is a public key
                raise InvalidPrivateKey("Authentication requires a private key, but a public key was provided.")
        # 2.3) Password is probably wrong.
        raise InvalidPrivateKey("The provided key is not a private key, or the provided passphrase is incorrect.")
Example #15
0
def private_key(key):
    """
    User to validate that a given string is a RSA private key

    :param key:
    :return: :raise ValueError:
    """
    try:
        if isinstance(key, bytes):
            serialization.load_pem_private_key(key, None, backend=default_backend())
        else:
            serialization.load_pem_private_key(key.encode('utf-8'), None, backend=default_backend())
    except Exception:
        raise ValidationError('Private key presented is not valid.')
    def from_secret_pem(cls, key_bytes=None, path=None):
        """
        Create a :class:`~oneid.keychain.Keypair` from a PEM-formatted private ECDSA key

        :return: :class:`~oneid.keychain.Keypair` instance
        """
        if key_bytes:
            secret_bytes = load_pem_private_key(utils.to_bytes(key_bytes), None, default_backend())
            return cls(secret_bytes=secret_bytes)

        if os.path.exists(path):
            with open(path, 'rb') as pem_file:
                secret_bytes = load_pem_private_key(pem_file.read(), None, default_backend())
                return cls(secret_bytes=secret_bytes)
Example #17
0
    def from_secret_pem(cls, key_bytes=None, path=None):
        """
        Create a :class:`~oneid.keychain.Keypair` from a PEM-formatted private ECDSA key

        :return: :class:`~oneid.keychain.Keypair` instance
        """
        if key_bytes:
            secret_bytes = load_pem_private_key(utils.to_bytes(key_bytes), None, default_backend())
            return cls(secret_bytes=secret_bytes)

        if file_adapter.file_exists(path):
            with file_adapter.read_file(path) as pem_data:
                secret_bytes = load_pem_private_key(pem_data, None, default_backend())
                return cls(secret_bytes=secret_bytes)
Example #18
0
File: key.py Project: repleo/bounca
    def check_passphrase(self, pem: bytes, passphrase: bytes=None) -> bool:
        """
        Checks passphrase of a pem key file

        Arguments: pem - bytes with key
                   passphrase - passphrase (must be bytes)
        Returns:   true if passphrase is ok
        """
        try:
            serialization.load_pem_private_key(pem, passphrase, backend=default_backend())
            return True
        except ValueError as e:
            if str(e) == 'Bad decrypt. Incorrect password?':
                return False
            raise e
Example #19
0
    def __init__(self, secret, algorithm=None):
        if algorithm is None:
            algorithm = DEFAULT_SIGN_ALGORITHM

        assert algorithm in ALGORITHMS, "Unknown algorithm"
        if isinstance(secret, six.string_types): secret = secret.encode("ascii")

        self._rsa_public = None
        self._rsa_private = None
        self._hash = None
        self.sign_algorithm, self.hash_algorithm = algorithm.split('-')

        if self.sign_algorithm == 'rsa':

            try:
                self._rsahash = HASHES[self.hash_algorithm]
                self._rsa_private = serialization.load_pem_private_key(secret,
                                                                       None,
                                                                       backend=default_backend())
                self._rsa_public = self._rsa_private.public_key()
            except ValueError as e:
                try:
                    self._rsa_public = serialization.load_pem_public_key(secret,
                                                                         backend=default_backend())
                except ValueError as e:
                    raise HttpSigException("Invalid key.")

        elif self.sign_algorithm == 'hmac':

            self._hash = hmac.HMAC(secret,
                                   HASHES[self.hash_algorithm](),
                                   backend=default_backend())
Example #20
0
    def test_encode_decode_with_ecdsa_sha512(self):
        # PEM-formatted EC key
        with open('tests/testkey_ec', 'r') as ec_priv_file:
            priv_eckey = load_pem_private_key(ensure_bytes(ec_priv_file.read()),
                                              password=None, backend=default_backend())
            jwt_message = jwt.encode(self.payload, priv_eckey,
                                     algorithm='ES512')

        with open('tests/testkey_ec.pub', 'r') as ec_pub_file:
            pub_eckey = load_pem_public_key(ensure_bytes(ec_pub_file.read()), backend=default_backend())
            assert jwt.decode(jwt_message, pub_eckey)

            load_output = jwt.load(jwt_message)
            jwt.verify_signature(key=pub_eckey, *load_output)

        # string-formatted key
        with open('tests/testkey_ec', 'r') as ec_priv_file:
            priv_eckey = ec_priv_file.read()
            jwt_message = jwt.encode(self.payload, priv_eckey,
                                     algorithm='ES512')

        with open('tests/testkey_ec.pub', 'r') as ec_pub_file:
            pub_eckey = ec_pub_file.read()
            assert jwt.decode(jwt_message, pub_eckey)

            load_output = jwt.load(jwt_message)
            jwt.verify_signature(key=pub_eckey, *load_output)
Example #21
0
def _deserialize_private_key(key_str):
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.backends import default_backend

    return serialization.load_pem_private_key(
        key_str, backend=default_backend(), password=None
    )
Example #22
0
File: le.py Project: morpheu/rpaas
def _revoke(rawkey, rawcert):
    ns = ConfigNamespace(None)
    acme = acme_client.Client(ns.server, key=JWKRSA(
        key=serialization.load_pem_private_key(
            rawkey, password=None, backend=default_backend())))
    acme.revoke(jose.ComparableX509(OpenSSL.crypto.load_certificate(
                OpenSSL.crypto.FILETYPE_PEM, rawcert)))
Example #23
0
    def test_generate_cert_key_pair(self):
        cn = 'testCN'
        bit_length = 512

        # Attempt to generate a cert/key pair
        cert_object = self.cert_generator.generate_cert_key_pair(
            cn=cn,
            validity=2 * 365 * 24 * 60 * 60,
            bit_length=bit_length,
            passphrase=self.ca_private_key_passphrase,
            ca_cert=self.ca_certificate,
            ca_key=self.ca_private_key,
            ca_key_pass=self.ca_private_key_passphrase
        )

        # Validate that the cert and key are loadable
        cert = x509.load_pem_x509_certificate(
            data=cert_object.certificate, backend=backends.default_backend())
        self.assertIsNotNone(cert)

        key = serialization.load_pem_private_key(
            data=cert_object.private_key,
            password=cert_object.private_key_passphrase,
            backend=backends.default_backend())
        self.assertIsNotNone(key)
Example #24
0
    def test_encode_decode_with_rsa_sha384(self):
        # PEM-formatted RSA key
        with open('tests/testkey_rsa', 'r') as rsa_priv_file:
            priv_rsakey = load_pem_private_key(ensure_bytes(rsa_priv_file.read()),
                                               password=None, backend=default_backend())
            jwt_message = jwt.encode(self.payload, priv_rsakey,
                                     algorithm='RS384')

        with open('tests/testkey_rsa.pub', 'r') as rsa_pub_file:
            pub_rsakey = load_ssh_public_key(ensure_bytes(rsa_pub_file.read()),
                                             backend=default_backend())
            assert jwt.decode(jwt_message, pub_rsakey)

        # string-formatted key
        with open('tests/testkey_rsa', 'r') as rsa_priv_file:
            priv_rsakey = rsa_priv_file.read()
            jwt_message = jwt.encode(self.payload, priv_rsakey,
                                     algorithm='RS384')

        with open('tests/testkey_rsa.pub', 'r') as rsa_pub_file:
            pub_rsakey = rsa_pub_file.read()
            assert jwt.decode(jwt_message, pub_rsakey)

            load_output = jwt.load(jwt_message)
            jwt.verify_signature(key=pub_rsakey, *load_output)
Example #25
0
def load_private_key(path):
    _, ext = os.path.splitext(path)
    with open(path, "rb") as f:
        if ext == ".pem":
            return serialization.load_pem_private_key(f.read(), password=None, backend=default_backend())
        else:
            return serialization.load_der_private_key(f.read(), password=None, backend=default_backend())
Example #26
0
def sign_update_sparkle(dmg, dsaprivpem):
    """
    Signs the Darwin dmg and returns the base64 encoded hash.

    This replaces the functionality in:
    https://github.com/brave/Sparkle/blob/master/bin/sign_update

    Need to run the equivalent of the command:
    `$openssl dgst -sha1 -binary < "$1" | $openssl dgst -sha1 -sign "$2" | $openssl enc -base64`
    """

    import base64
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    digest = hashes.Hash(hashes.SHA1(), backend=default_backend())
    sha1digest = None

    with open(dmg, 'rb') as dmg:
        with open(dsaprivpem, 'rb') as key:
            dmgcontent = dmg.read()
            digest.update(dmgcontent)
            sha1digest = digest.finalize()

            private_key = serialization.load_pem_private_key(key.read(), password=None,
                                                             backend=default_backend())
            signature = private_key.sign(sha1digest, hashes.SHA1())
            encoded_sign = base64.encodestring(signature)

    if sha1digest is not None:
        return encoded_sign
def deserialize_sk(sk_s):
    if isinstance(sk_s, (bytes, basestring, unicode)):
        return serialization.load_pem_private_key(
            bytes(sk_s), password=None, backend=default_backend()
        )
    else:
        return sk_s
def gen_key_pair(length=None, pub_exp=None, typ=None, raw=False, password=None,
                 priv_key_pem=None):

    if isinstance(password, str):
        password = password.encode()
    if isinstance(priv_key_pem, str):
        priv_key_pem = priv_key_pem.encode()

    if priv_key_pem:
        priv_key = serialization.load_pem_private_key(priv_key_pem, password,
                                                      default_backend())
    else:
        priv_key = gen_key(length=length, pub_exp=pub_exp, typ=typ, raw=True)

    pub_key = priv_key.public_key()

    if raw:
        return pub_key, priv_key
    else:
        if not password:
            encryption = serialization.NoEncryption()
        else:
            encryption = serialization.BestAvailableEncryption(password)
        priv_pem = priv_key.private_bytes(encoding=serialization.Encoding.PEM,
                                          format=serialization.PrivateFormat.PKCS8,
                                          encryption_algorithm=encryption)
        pub_pem = pub_key.public_bytes(encoding=serialization.Encoding.PEM,
                                       format=serialization.PublicFormat.SubjectPublicKeyInfo)
        return pub_pem.decode(), priv_pem.decode()
Example #29
0
def get_connection_params(args):
    """
    Construct and return the connection parameters

    parameter: (dict) args
        The command arguments of the command function calling this helper function

    returns:
        Snowflake connection params
    """
    params: dict = {}
    set_provided(params, 'user', USER)
    set_provided(params, 'password', PASSWORD)
    set_provided(params, 'account', ACCOUNT)
    set_provided(params, 'authenticator', AUTHENTICATOR)
    set_provided(params, 'region', REGION)
    set_provided(params, 'insecure_mode', INSECURE)
    set_provided(params, 'warehouse', args.get('warehouse'), WAREHOUSE)
    set_provided(params, 'database', args.get('database'), DATABASE)
    set_provided(params, 'schema', args.get('schema'), SCHEMA)
    set_provided(params, 'role', args.get('role'), ROLE)
    if CERTIFICATE:
        p_key = serialization.load_pem_private_key(CERTIFICATE, password=CERT_PASSWORD, backend=default_backend())
        pkb = p_key.private_bytes(
            encoding=serialization.Encoding.DER,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.NoEncryption()
        )
        params['private_key'] = pkb
    return params
Example #30
0
def decrypt(data, symmetric_key=None, private_key=None):
    """
    Decrypts data with symmetric key or public key.
    """
    if symmetric_key:
        try:
            fernet = Fernet(symmetric_key)
            return fernet.decrypt(data)
        except InvalidToken:
            raise errors.AuthenticationError(
                message=_('Invalid credentials'))

    elif private_key:
        try:
            private_key_obj = load_pem_private_key(
                data=private_key,
                password=None,
                backend=default_backend()
            )
            return private_key_obj.decrypt(
                data,
                padding.OAEP(
                    mgf=padding.MGF1(algorithm=hashes.SHA1()),
                    algorithm=hashes.SHA1(),
                    label=None
                )
            )
        except ValueError:
            raise errors.AuthenticationError(
                message=_('Invalid credentials'))
Example #31
0
def main():
    logger.debug('App started')

    parser = argparse.ArgumentParser(description='Key processing tool')
    parser.add_argument('-t',
                        '--threads',
                        dest='threads',
                        type=int,
                        default=None,
                        help='Number of threads to use for cert download')
    parser.add_argument('--debug',
                        dest='debug',
                        action='store_const',
                        const=True,
                        help='enables debug mode')
    parser.add_argument('--verbose',
                        dest='verbose',
                        action='store_const',
                        const=True,
                        help='enables verbose mode')

    parser.add_argument('--dump-json',
                        dest='dump_json',
                        action='store_const',
                        const=True,
                        help='dumps JSON of the filtered certificates')
    parser.add_argument('--dump-cert',
                        dest='dump_cert',
                        action='store_const',
                        const=True,
                        help='dumps PEM of the filtered certificates')

    parser.add_argument(
        '-f',
        '--filter-org',
        dest='filter_org',
        help='Filter out certificates issued with given organization - regex')
    parser.add_argument(
        '--filter-domain',
        dest='filter_domain',
        help='Filter out certificates issued for the given domain - regex')

    parser.add_argument('--pubs',
                        dest='pubs',
                        nargs=argparse.ZERO_OR_MORE,
                        help='File with public keys (PEM)')

    parser.add_argument('--certs',
                        dest='certs',
                        nargs=argparse.ZERO_OR_MORE,
                        help='File with certificates (PEM)')

    parser.add_argument('--ossl',
                        dest='ossl',
                        type=int,
                        default=None,
                        help='OpenSSL generator')

    parser.add_argument('--per-key-stat',
                        dest='per_key_stat',
                        action='store_const',
                        const=True,
                        help='Print prob matching for each key')

    parser.add_argument('--subs',
                        dest='subs',
                        action='store_const',
                        const=True,
                        help='Plot random subgroups charts')
    parser.add_argument('--subs-k',
                        dest='subs_k',
                        type=int,
                        default=5,
                        help='Size of the subset')
    parser.add_argument('--subs-n',
                        dest='subs_n',
                        type=int,
                        default=1000,
                        help='Number of subsets to sample')

    parser.add_argument('--pca-src',
                        dest='pca_src',
                        action='store_const',
                        const=True,
                        help='Plot PCA sampled distribution vs collected one')
    parser.add_argument(
        '--pca-src-n',
        dest='pca_src_n',
        type=int,
        default=10000,
        help='Number of subsets to sample from source distributions')
    parser.add_argument('--pca-src-k',
                        dest='pca_src_k',
                        type=int,
                        default=3,
                        help='Size of the subset from the source distribution')

    parser.add_argument('--pca-grp',
                        dest='pca_grp',
                        action='store_const',
                        const=True,
                        help='Plot PCA on the input keys (groups)')

    parser.add_argument('--mixture',
                        dest='mixture',
                        action='store_const',
                        const=True,
                        help='Mixture distribution on masks - sources')

    parser.add_argument('--distrib',
                        dest='distrib',
                        action='store_const',
                        const=True,
                        help='Plot distributions - to the PDF')

    parser.add_argument('--distrib-mix',
                        dest='distribmix',
                        action='store_const',
                        const=True,
                        help='Plot distributions groups mixed with sources')

    parser.add_argument('--key-dist',
                        dest='plot_key_dist',
                        action='store_const',
                        const=True,
                        help='Plots key mask distribution')

    parser.add_argument('files',
                        nargs=argparse.ZERO_OR_MORE,
                        default=[],
                        help='file with ssl-dump json output')

    args = parser.parse_args()

    last_src_id = 0
    src_names = []
    masks_db = []
    masks_src = []
    cert_db = []
    keys_db = []

    # Input = ssl-dump output
    if len(args.files) > 0:
        # Cert Organization Filtering
        re_org = None if args.filter_org is None else re.compile(
            args.filter_org, re.IGNORECASE)
        # Domain filtering
        re_dom = None if args.filter_domain is None else re.compile(
            args.filter_domain, re.IGNORECASE)

        # Process files
        for fl in args.files:
            with open(fl, mode='r') as fh:
                data = fh.read()

                # Parse json out
                if '-----BEGIN JSON-----' in data:
                    if '-----END JSON-----' not in data:
                        raise ValueError('BEGIN JSON present but END JSON not')
                    match = re.search(
                        r'-----BEGIN JSON-----(.+?)-----END JSON-----', data,
                        re.MULTILINE | re.DOTALL)
                    if match is None:
                        raise ValueError('Could not extract JSON')
                    data = match.group(1)

                json_data = json.loads(data)
                for cert in json_data:
                    org = cert['org']
                    if org is None:
                        org = ''
                    if re_org is not None and re_org.match(org) is None:
                        if args.verbose:
                            print('Organization filtered out %s' % org)
                        continue
                    if re_dom is not None:
                        dom_match = re_dom.match(cert['cn']) is not None
                        for alt in cert['alts']:
                            dom_match |= re_dom.match(alt) is not None
                        if not dom_match:
                            if args.verbose:
                                print('Domain filtered out %s' % cert['cn'])
                            continue

                    cert_db.append(cert)
                    masks_db.append(cert['pubkey']['mask'])
                    masks_src.append(last_src_id)
            src_names.append(fl)
            last_src_id += 1

        if args.verbose:
            print('Certificate database size %d' % len(cert_db))

        if args.dump_json:
            print(json.dumps(cert_db))

        if args.dump_cert:
            for cert in cert_db:
                print cert['cert']

    # public key list processing
    if args.pubs is not None:
        for pubf in args.pubs:
            with open(pubf, mode='r') as fh:
                data = fh.read()
                keys = []
                for match in re.finditer(
                        r'-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----',
                        data, re.MULTILINE | re.DOTALL):
                    key = match.group(0)
                    keys.append(key)
                print('File %s keys num: %d' % (pubf, len(keys)))

                # pubkey -> mask
                for key in keys:
                    pub = serialization.load_pem_public_key(
                        key, utils.get_backend())
                    mask = keys_basic.compute_key_mask(pub.public_numbers().n)
                    keys_db.append(pub)
                    masks_db.append(mask)
                    masks_src.append(last_src_id)
            src_names.append(pubf)
            last_src_id += 1

    # extract public key from certificate
    if args.certs is not None:
        for certf in args.certs:
            with open(certf, mode='r') as fh:
                data = fh.read()
                certs = []
                for match in re.finditer(
                        r'-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----',
                        data, re.MULTILINE | re.DOTALL):
                    cert = match.group(0)
                    certs.append(cert)

                # cert -> mask
                for cert in certs:
                    x509 = utils.load_x509(str(cert))
                    pub = x509.public_key()
                    mask = keys_basic.compute_key_mask(pub.public_numbers().n)
                    keys_db.append(pub)
                    masks_db.append(mask)
                    masks_src.append(last_src_id)
            src_names.append(certf)
            last_src_id += 1

    # generate openssl keys on the fly
    if args.ossl is not None:
        for i in range(0, args.ossl):
            print('Generating RSA1024 key %03d' % i)
            key = OpenSSL.crypto.PKey()
            key.generate_key(OpenSSL.crypto.TYPE_RSA, 1024)
            key_pem = OpenSSL.crypto.dump_privatekey(
                OpenSSL.crypto.FILETYPE_PEM, key)

            priv = serialization.load_pem_private_key(key_pem, None,
                                                      utils.get_backend())
            mask = keys_basic.compute_key_mask(
                priv.public_key().public_numbers().n)
            keys_db.append(priv.public_key())
            masks_db.append(mask)
            masks_src.append(last_src_id)
        src_names.append('ossl-%d' % args.ossl)
        last_src_id += 1

    # Load statistics
    st = key_stats.KeyStats()
    st.load_tables()
    if args.verbose:
        print('Source stats: ')
        for src in st.sources_cn:
            print(' %30s: %08d' % (src, st.sources_cn[src]))
        print('Group stats:')
        for grp in st.groups:
            print(' %30s: %02d' % (grp, st.get_group_size(grp)))

    # mask indices
    mask_map, mask_max, mask_map_x, mask_map_y, mask_map_last_x, mask_map_last_y = keys_basic.generate_pubkey_mask_indices(
    )
    print('Max mask 1D config: [%d]' % mask_max)
    print('Max mask 2D config: [%d, %d]' % (mask_map_last_x, mask_map_last_y))

    # masks processing part
    if len(masks_db) == 0:
        return

    # Simple match
    if args.per_key_stat:
        print('Per-key matching: ')
        for idx, mask in enumerate(masks_db):
            print('Key %02d, mask: %s' % (idx, mask))

            res = []
            for src in st.table_prob:
                val = st.table_prob[src][mask]
                res.append((src, val if val is not None else 0))
            print_res(res, st)

    # Total key matching
    use_loglikelihood = True
    print('Fit for all keys in one distribution:')
    total_weights = src_total_match = comp_total_match_dict(
        masks_db, st, loglikelihood=use_loglikelihood)
    res = key_val_to_list(src_total_match)
    print_res(res, st, loglikelihood=use_loglikelihood)
    res = st.res_src_to_group(res)
    # bar_chart(res=res, title='Fit for all keys')

    # Avg + mean
    print('Avg + mean:')
    src_total_match = {}  # source -> [p1, p2, p3, p4, ..., p_keynum]
    for src in st.table_prob:
        src_total_match[src] = []
        for idx, mask in enumerate(masks_db):
            val = keys_basic.aggregate_mask(st.sources_masks_prob[src], mask)
            if use_loglikelihood:
                if total_weights[src] is not None:
                    src_total_match[src].append(val + total_weights[src])
                else:
                    src_total_match[src].append(-9999.9)
            else:
                src_total_match[src].append(val * total_weights[src])
            pass
        pass
    res = []
    devs = []
    for src in st.sources:
        m = np.mean(src_total_match[src])
        s = np.std(src_total_match[src])
        res.append((src, m))
        devs.append(s)

    # Total output
    print_res(res, st, error=devs, loglikelihood=use_loglikelihood)
    # bar_chart(res=res, error=devs, title='Avg for all keys + error')

    # PCA on the keys - groups
    keys_grp_vec = []
    for idx, mask in enumerate(masks_db):
        keys_grp_vec.append([])
        for src in st.groups:
            keys_grp_vec[idx].append(0)
        for idxs, src in enumerate(st.sources):
            grp = st.src_to_group(src)
            prob = st.table_prob[src][mask]
            keys_grp_vec[idx][st.get_group_idx(grp)] += prob

    if args.pca_grp:
        X = np.array(keys_grp_vec)
        pca = PCA(n_components=2)
        pca.fit(X)
        X_transformed = pca.transform(X)
        print('PCA mean: %s, components: ' % pca.mean_)
        print(pca.components_)

        masks_src_np = np.array(masks_src)
        plt.rcdefaults()
        colors = matplotlib.cm.rainbow(np.linspace(0, 1, last_src_id))
        for src_id in range(0, last_src_id):
            plt.scatter(X_transformed[masks_src_np == src_id, 0],
                        X_transformed[masks_src_np == src_id, 1],
                        label=src_names[src_id],
                        color=colors[src_id],
                        alpha=0.25,
                        marker=',')
        plt.legend(loc="best", shadow=False, scatterpoints=1)
        plt.show()

    # Random subset
    if args.subs:
        masks_db_tup = []
        for idx, mask in enumerate(masks_db):
            masks_db_tup.append((idx, mask, masks_src[idx]))

        # Many random subsets, top groups
        subs_size = args.subs_k
        subs_count = args.subs_n
        groups_cnt = {}
        subs_data = []
        subs_data_mark = []
        dsrc_num = last_src_id + 1

        # Take subs_count samples fro the input masks_db, evaluate it, prepare for PCA
        for i in range(0, subs_count):
            masks = random_subset(masks_db_tup, subs_size)
            src_total_match = comp_total_match_dict([x[1] for x in masks], st)
            res = key_val_to_list(src_total_match)

            total = 0.0
            for tup in res:
                total += tup[1]

            # data vectors for PCA
            tmp_data = []
            for idx, tmp_src in enumerate(st.sources):
                val = src_total_match[tmp_src]
                val = long(math.floor(val * (1000.0 / total)))
                tmp_data.append(val)

            # PCA on groups.
            # if want PCA on sources, use subs_data.append(tmp_data)
            subs_data.append(tmp_data)
            # res_grp_val = st.res_src_to_group(zip(st.sources, tmp_data))
            # subs_data.append([x[1] for x in res_grp_val])

            subs_dsources = {}
            max_dsrc = (0, 0)
            for dsrc in [x[2] for x in masks]:
                if dsrc not in subs_dsources:
                    subs_dsources[dsrc] = 0
                subs_dsources[dsrc] += 1

            for dsrc in subs_dsources:
                if subs_dsources[dsrc] > max_dsrc[1]:
                    max_dsrc = (dsrc, subs_dsources[dsrc])
            tmp_mark = max_dsrc[0]

            if max_dsrc[1] == subs_size:
                tmp_mark = max_dsrc[0]
            else:
                tmp_mark = last_src_id

            subs_data_mark.append(tmp_mark)

            for tup in res:
                src = tup[0]
                score = long(math.floor(tup[1] * (1000.0 / total)))
                if score == 0:
                    continue

                grp = st.src_to_group(src)
                if grp not in groups_cnt:
                    groups_cnt[grp] = score
                else:
                    groups_cnt[grp] += score

                if src not in groups_cnt:
                    groups_cnt[src] = score
                else:
                    groups_cnt[src] += score

            # Equalize group sizes
            for grp in st.groups:
                grp = grp.lower()
                if grp in groups_cnt:
                    groups_cnt[grp] /= float(st.get_group_size(grp))

            # best group only
            # best_src = res[0][0]
            # best_grp = st.src_to_group(best_src)
            # if best_grp not in groups_cnt:
            #     groups_cnt[best_grp] = 1
            # else:
            #     groups_cnt[best_grp] += 1

        print('Combinations: (N, k)=(%d, %d) = %d' %
              (subs_count, subs_size, scipy.misc.comb(subs_count, subs_size)))

        sources = st.groups
        values = []
        for source in sources:
            val = groups_cnt[source] if source in groups_cnt else 0
            values.append(val)
        bar_chart(sources,
                  values,
                  xlabel='# of occurrences as top group (best fit)',
                  title='Groups vs. %d random %d-subsets' %
                  (subs_count, subs_size))

        # PCA stuff
        X = np.array(subs_data)
        pca = PCA(n_components=2)
        pU, pS, pV = pca._fit(X)
        X_transformed = pca.transform(X)
        subs_data_mark_pca = np.array(subs_data_mark)

        print('Sources: ')
        print(st.sources)

        print('PCA input data shape %d x %d' %
              (len(subs_data), len(subs_data[0])))
        print('PCA mean: \n%s \nPCA components: \n' % pca.mean_)
        print(pca.components_)

        print('PCA components x: ')
        for x in pca.components_[0]:
            print x
        print('\nPCA components y: ')
        for y in pca.components_[1]:
            print y

        # print('\nPCA U,S,V')
        # print(pU)
        # print(pS)
        # print(pV)

        colors = ['blue', 'red', 'green', 'gray', 'yellow']

        plt.rcdefaults()
        for src_id in range(0, dsrc_num):
            plt.scatter(X_transformed[subs_data_mark_pca == src_id, 0],
                        X_transformed[subs_data_mark_pca == src_id, 1],
                        color=colors[src_id],
                        alpha=0.5 if src_id < dsrc_num - 1 else 0.2)
        plt.legend(loc="best", shadow=False, scatterpoints=1)

        # plt.scatter([x[0] for x in X_transformed],
        #             [x[1] for x in X_transformed],
        #             alpha=0.5)

        plt.show()

        # PCA against defined sources with known distributions?
        # Creates "background distribution" we want to match to
        if args.pca_src:
            # Four axes, returned as a 2-d array
            plt.rcdefaults()
            #f, axarr = plt.subplots(len(st.sources), 1)
            src_k = args.pca_src_k
            src_n = args.pca_src_n

            # prepare PDF
            ppdf = PdfPages('test.pdf')  # todo-filenae-from-set
            sources_to_test = st.sources[20:25] + [
                x for x in st.sources if 'micro' in x.lower()
            ]

            # compute for each source
            src_mark_idx = len(subs_data_mark)
            subs_data_src = subs_data
            subs_data_mark_src = subs_data_mark
            for src_idx, source in enumerate(sources_to_test):
                # cur_plot = axarr[src_idx]
                cur_plot = plt

                print('Plotting PCA source %s %d/%d' %
                      (source, src_idx + 1, len(sources_to_test)))

                # Extend subs_data_src with draws from the source distribution
                for i in range(0, src_n):
                    masks = []
                    for tmpk in range(0, src_k):
                        masks.append(st.sample_source_distrib(source))
                    src_total_match = comp_total_match_dict(masks, st)
                    res = key_val_to_list(src_total_match)

                    total = 0.0
                    for tup in res:
                        total += tup[1]

                    # data vectors for PCA
                    tmp_data = []
                    for idx, tmp_src in enumerate(st.sources):
                        val = src_total_match[tmp_src]
                        val = long(math.floor(val * (1000.0 / total)))
                        tmp_data.append(val)

                    # PCA on groups.
                    # if want PCA on sources, use subs_data.append(tmp_data)
                    subs_data_src.append(tmp_data)
                    subs_data_mark_src.append(src_mark_idx)

                # PCA stuff
                X = np.array(subs_data_src)
                pca = PCA(n_components=2)
                pU, pS, pV = pca._fit(X)
                X_transformed = pca.transform(X)
                subs_data_mark_pca = np.array(subs_data_mark_src)

                colors = ['blue', 'red', 'green', 'gray', 'yellow']

                # plot input sources
                for src_id in range(0, dsrc_num):
                    cur_plot.scatter(
                        X_transformed[subs_data_mark_pca == src_id, 0],
                        X_transformed[subs_data_mark_pca == src_id, 1],
                        color=colors[src_id],
                        alpha=0.5 if src_id < dsrc_num - 1 else 0.2)

                # plot the source stuff
                cur_plot.scatter(
                    X_transformed[subs_data_mark_pca == src_mark_idx, 0],
                    X_transformed[subs_data_mark_pca == src_mark_idx, 1],
                    color='gray',
                    marker='+',
                    alpha=0.05)

                cur_plot.legend(loc="best", shadow=False, scatterpoints=1)
                cur_plot.title('Src [%s] input: %s' % (source,
                                                       (', '.join(src_names))))

                cur_plot.savefig(ppdf, format='pdf')
                cur_plot.clf()

            print('Finalizing PDF...')
            # plt.savefig(ppdf, format='pdf')
            ppdf.close()
            pass

    if args.distrib:
        # Plotting distributions for groups, to the PDF
        plt.rcdefaults()
        ppdf = PdfPages('groups_distrib.pdf')

        # Compute for each source
        range_ = st.masks
        range_idx = np.arange(len(st.masks))
        for grp_idx, grp in enumerate(st.groups):
            cur_data = st.groups_masks_prob[grp]
            raw_data = [cur_data[x] for x in st.masks]
            cur_plot = plt

            logger.debug('Plotting distribution %02d/%02d : %s ' %
                         (grp_idx + 1, len(st.groups), grp))
            axes = cur_plot.gca()
            axes.set_xlim([0, len(st.masks)])
            cur_plot.bar(range_idx, raw_data, linewidth=0, width=0.4)
            cur_plot.title('%s (%s)' % (grp, get_group_desc(grp, st)))
            cur_plot.savefig(ppdf, format='pdf')
            cur_plot.clf()

        # Print input data - per source
        max_src = max(masks_src)
        bars = []
        for src_id in range(max_src + 1):
            axes = plt.gca()
            axes.set_xlim([0, len(st.masks)])

            map_data = {}
            for mask in st.masks:
                map_data[mask] = 0.0
            for mask_idx, mask in enumerate(masks_db):
                if masks_src[mask_idx] == src_id:
                    map_data[mask] += 1

            raw_data = []
            for mask in st.masks:
                raw_data.append(map_data[mask])

            b1 = plt.bar(range_idx, raw_data, linewidth=0, width=0.4)
            bars.append(b1)

            plt.title('Source %d' % src_id)
            plt.savefig(ppdf, format='pdf')
            plt.clf()

        # Group distribution + source:
        if args.distribmix:
            width = 0.25
            range_idx = np.arange(len(st.masks))

            # One source to the graph
            max_src = max(masks_src)
            cur_plot = plt
            for src_id in range(max_src + 1):

                bars = []
                logger.debug('Plotting mix distribution src %d ' % src_id)

                map_data = {}
                for mask in st.masks:
                    map_data[mask] = 0.0
                for mask_idx, mask in enumerate(masks_db):
                    if masks_src[mask_idx] == src_id:
                        map_data[mask] += 1

                raw_data = []
                for mask in st.masks:
                    raw_data.append(map_data[mask])
                raw_data = np.array(raw_data)
                raw_data /= float(sum(raw_data))

                for grp_idx, grp in enumerate(st.groups):
                    logger.debug(
                        ' - Plotting mix distribution %02d/%02d : %s ' %
                        (grp_idx + 1, len(st.groups), grp))

                    # Source
                    fig, ax = plt.subplots()
                    b1 = ax.bar(range_idx + width,
                                raw_data,
                                linewidth=0,
                                width=width,
                                color='r')
                    bars.append(b1)

                    # Group
                    cur_data2 = st.groups_masks_prob[grp]
                    raw_data2 = [cur_data2[x] for x in st.masks]

                    bar1 = ax.bar(range_idx,
                                  raw_data2,
                                  linewidth=0,
                                  width=width,
                                  color='b')
                    bars.append(bar1)

                    ax.legend(tuple([x[0] for x in bars]),
                              tuple(['Src %d' % src_id, grp]))
                    ax.set_xlim([0, len(st.masks)])

                    cur_plot.title('%s + source %d' % (grp, src_id))
                    cur_plot.savefig(ppdf, format='pdf')
                    cur_plot.clf()

        logger.info('Finishing PDF')
        ppdf.close()
        pass

    if args.mixture:
        # http://www.pymix.org/pymix/index.php?n=PyMix.Tutorial#bayesmix
        # 1. Create mixture model = add discrete distributions to the package
        dists = []
        alphabet = mixture.Alphabet(st.masks)
        taken_src = []

        for src in st.sources:
            if 'openssl 1.0.2g' == src or 'microsoft .net' == src:
                pass
            else:
                continue
            print(' - Source: %s' % src)

            taken_src.append(src)
            probs = []
            for m in st.masks:
                probs.append(st.sources_masks_prob[src][m])

            d = mixture.DiscreteDistribution(len(alphabet),
                                             probs,
                                             alphabet=alphabet)
            dists.append(d)

        # 2. Create the model, for now, with even distribution among components.
        comp_weights = [1.0 / len(dists)] * len(dists)
        mmodel = mixture.MixtureModel(len(dists), comp_weights, dists)
        print '-' * 80
        print mmodel
        print '-' * 80

        # dump mixtures to the file
        mixture.writeMixture(mmodel, 'src.mix')

        # 3. Input data - array of input masks
        masks_data = [[x] for x in masks_db]
        data = mixture.DataSet()
        data.fromList(masks_data)
        data.internalInit(mmodel)

        print masks_data
        print data
        print '---------'

        # 4. Compute EM
        # if there is a distribution in the input data which has zero matching inputs,
        # an exception will be thrown. Later - discard such source from the input...
        print mmodel.modelInitialization(data, 1)
        print('EM start: ')

        ress = []
        for r in range(10):
            mmodel.modelInitialization(data, 1)
            emres = mmodel.EM(data, 1000, 0.00000000000000001)
            ress.append(emres)
        emres = max(ress, key=lambda x: x[1])

        # print mmodel.randMaxEM(data, 10, 40, 0.1)
        print emres

        # Plot
        plt.rcdefaults()
        # plt.plot(range(0, len(emres[0][3])), [2.71828**x for x in emres[0][3]], 'o')
        # plt.plot(range(0, len(emres[0][3])), emres[0][3], 'k')
        # plt.show()

        for i in range(0, 5):
            print('-------')
            for idx, src in enumerate(emres[0]):
                print('- i:%02d src: %02d, val: %s' % (i, idx, src[i]))

        colors = matplotlib.cm.rainbow(np.linspace(0, 1, len(taken_src)))
        range_ = range(0, len(emres[0][0]))
        bars = []
        for idx, src in enumerate(emres[0]):
            b1 = plt.bar(range_, [2.71828**x for x in src], color=colors[idx])
            bars.append(b1)

        plt.legend(tuple(bars), tuple(taken_src))
        plt.grid(True)
        plt.show()

        # for src in emres[0]:
        #     plt.plot(range(0, len(src)), [2.71828**x for x in src], 'o')
        #     # plt.grid(True)
        #     # plt.show()
        #
        # # plt.scatter(mask_map_last_x, mask_map_last_y, c='red', s=scale, alpha=0.3)
        # # plt.legend()
        # plt.grid(True)
        # plt.show()

    # Chisquare
    for source in st.sources_masks:
        cn = st.sources_cn[source]
        # chi = chisquare()
        # gen = keys_basic.generate_pubkey_mask()

    # 2D Key plot
    if args.plot_key_dist:
        plot_key_mask_dist(masks_db, st)
Example #32
0
def private_key_loading(key):
    # loads the private key in .pem format into a variable and returns it
    with open(key, "rb") as key_file:
        private_key = serialization.load_pem_private_key(
            key_file.read(), password=None, backend=default_backend())
        return private_key
Example #33
0
def mk_signed_cert(cacert, ca_pk, name, serialnum):
    del serialnum
    csr = {
        "request": {
            "CN":
            name,
            "hosts": [
                name,
            ],
            "key": {
                "algo": "rsa",
                "size": config.getint('ca', 'cert_bits')
            },
            "names": [{
                "C": config.get('ca', 'cert_country'),
                "L": config.get('ca', 'cert_locality'),
                "O": config.get('ca', 'cert_organization'),
                "OU": config.get('ca', 'cert_org_unit'),
                "ST": config.get('ca', 'cert_state')
            }]
        }
    }

    # check CRL distribution point
    disturl = config.get('ca', 'cert_crl_dist')
    if disturl == 'default':
        disturl = f"http://{socket.getfqdn()}:{config.CRL_PORT}/crl.der"

    # set up config for cfssl server
    cfsslconfig = {
        "signing": {
            "default": {
                "usages": [
                    "client auth", "server auth", "key agreement",
                    "key encipherment", "signing", "digital signature",
                    "data encipherment"
                ],
                "expiry":
                "8760h",
                "crl_url":
                disturl,
            }
        }
    }
    secdir = secure_mount.mount()
    try:
        # need to temporarily write out the private key with no password
        # to tmpfs.
        with os.fdopen(
                os.open(f"{secdir}/ca-key.pem", os.O_WRONLY | os.O_CREAT,
                        0o600), 'wb') as f:
            f.write(
                ca_pk.private_bytes(
                    encoding=serialization.Encoding.PEM,
                    format=serialization.PrivateFormat.PKCS8,
                    encryption_algorithm=serialization.NoEncryption(),
                ))

        with open(os.path.join(secdir, 'cfsslconfig.yml'),
                  'w',
                  encoding="utf-8") as f:
            json.dump(cfsslconfig, f)

        with open(f"{secdir}/cacert.crt", 'wb') as f:
            f.write(cacert.public_bytes(serialization.Encoding.PEM))

        cmdline = f"-config={secdir}/cfsslconfig.yml"

        privkey_path = os.path.abspath(f"{secdir}/ca-key.pem")
        cacert_path = os.path.abspath(f"{secdir}/cacert.crt")

        cmdline += f" -ca-key {privkey_path} -ca {cacert_path}"

        start_cfssl(cmdline)
        body = post_cfssl('api/v1/cfssl/newcert', csr)
    finally:
        stop_cfssl()
        os.remove(os.path.join(secdir, "ca-key.pem"))
        os.remove(os.path.join(secdir, "cfsslconfig.yml"))
        os.remove(os.path.join(secdir, "cacert.crt"))

    if body['success']:
        pk = serialization.load_pem_private_key(
            body['result']['private_key'].encode('utf-8'),
            password=None,
            backend=default_backend(),
        )
        cert = x509.load_pem_x509_certificate(
            data=body['result']['certificate'].encode('utf-8'),
            backend=default_backend(),
        )
        return cert, pk

    raise Exception(f"Unable to create cert for {name}")
Example #34
0
def load_pem_key(data, password=None):
    return serialization.load_pem_private_key(data,
                                              password=password,
                                              backend=CRYPTO_BACKEND)
Example #35
0
 def get_key(self):
     password = settings.ACCOUNT_KEY_PASSWORD.encode()
     if not self.key:
         self.set_key()
         self.save()
     return serialization.load_pem_private_key(self.key.encode(), password=password, backend=default_backend())
Example #36
0
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

with open("private_key.pem", "rb") as key_file:
    private_key = serialization.load_pem_private_key(key_file.read(),
                                                     password=None,
                                                     backend=default_backend())

with open("public_key.pem", "rb") as key_file:
    public_key = serialization.load_pem_public_key(key_file.read(),
                                                   backend=default_backend())

print(private_key)
print(public_key)
Example #37
0
def sign_device(device_key_file, signer_file, signer_key_file, o, cn):
    # Make sure files exist
    if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file)):
        raise FileNotFoundError('Failed to find {} or {}'.format(
            signer_file, signer_key_file))

    # Setup cryptography
    be = cryptography.hazmat.backends.default_backend()

    #print('\nLoad Device Public Key')
    # Load the public key
    public_key_pem = device_key_file.replace('\\n', '\n').encode()

    # Convert the key into the cryptography format
    public_key = serialization.load_pem_public_key(public_key_pem, be)

    #print('\nLoad Signer')
    # Load the Signing key from the file
    #print('    Loading key from %s' % signer_key_file)
    with open(signer_key_file, 'rb') as f:
        signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(),
                                                                password=None,
                                                                backend=be)

    # Load the Signing Certificate from the file
    #print('    Loading certificate from %s' % signer_file)
    with open(signer_file, 'rb') as f:
        signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be)

    # Build certificate
    #print('\nCreate Device Certificate template')
    builder = x509.CertificateBuilder()

    builder = builder.issuer_name(signer_ca_cert.subject)

    # Device cert must have minutes and seconds set to 0
    builder = builder.not_valid_before(
        datetime.datetime.now(tz=pytz.utc).replace(minute=0, second=0))

    # Should be year 9999, but this doesn't work on windows
    builder = builder.not_valid_after(
        datetime.datetime(3000, 12, 31, 23, 59, 59))

    builder = builder.subject_name(
        x509.Name([
            x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o),
            x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)
        ]))

    builder = builder.public_key(public_key)

    # Device certificate is generated from certificate dates and public key
    builder = builder.serial_number(device_cert_sn(16, builder))

    # Subject Key ID is used as the thing name and MQTT client ID and is required for this demo
    builder = builder.add_extension(
        x509.SubjectKeyIdentifier.from_public_key(public_key), critical=False)

    issuer_ski = signer_ca_cert.extensions.get_extension_for_class(
        x509.SubjectKeyIdentifier)
    builder = builder.add_extension(
        x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
            issuer_ski.value),
        critical=False)

    # Sign certificate
    device_cert = builder.sign(private_key=signer_ca_priv_key,
                               algorithm=hashes.SHA256(),
                               backend=be)

    # Save certificate for reference
    devcert_pem = device_cert.public_bytes(encoding=serialization.Encoding.PEM)
    print(devcert_pem.decode())
    print('rtclientcert create success')
Example #38
0
info = [{
    'title': u'CA Server App',
    'description': 'Sign Your Certificate Signing Request',
}, {
    'endpoint': '/csr',
    'action': 'POST',
    'description': 'Post Your CSR here to receive signed key'
}]

ca_public_key_file = open("keys/ca_pub_key.pem", "rb")
ca_public_key = x509.load_pem_x509_certificate(ca_public_key_file.read(),
                                               default_backend())

ca_private_key_file = open('keys/ca_priv_key.pem', 'rb')
ca_private_key = serialization.load_pem_private_key(
    ca_private_key_file.read(), "passphrase".encode("utf-8"),
    default_backend())


@app.route('/info', methods=['GET'])
def ca_get_tasks():
    return jsonify({'App info': info})


@app.route('/csr', methods=['POST'])
def ca_sign_csr():
    csr_from_request = request.data
    csr = x509.load_pem_x509_csr(csr_from_request, default_backend())
    file_name = request.headers.get('Filename')
    signed_csr = sign_csr(csr, ca_public_key, ca_private_key, file_name)
    return signed_csr
Example #39
0
    def encrypt(self,
                msg,
                receiver_name,
                receiver_enc_pub_key_alias,
                sender_sign_header,
                adata='',
                sign_also=True):
        """Encrypt the message msg, using the receiver's encryption_pub_key, and generate signature using sender's 
        sender_sign_priv_key. You have to obtain the keys from the private and public key_rings that you passed 
        during creating this PKFernet object. @sender_sign_header looks like "ecdsa_with_sha256.secp224r1.1.sig[
        .priv]". The signer has to parse out from this header to obtain signing private key alias and the hashing 
        algorithm to use for signing. """

        # Check receiver's encryption public key algorithm
        if 'rsa.2048.1' not in receiver_enc_pub_key_alias:
            raise UnsupportedAlgorithm
        enc_algorithm = b'rsa.2048.1'

        # Check sender's signing private key algorithm
        if 'rsa_with_sha256.2048.1' not in sender_sign_header:
            raise UnsupportedAlgorithm
        sig_algorithm = b'rsa_with_sha256.2048.1'
        sig_algorithm_b64 = base64.urlsafe_b64encode(sig_algorithm)

        # Loading sender's private signing key for signing the message
        sender_sig_priv_key_string = self.deserialize(
            self.local_private_key_ring['rsa.2048.1.sig.priv'])
        sender_sig_priv_key = serialization.load_pem_private_key(
            bytes(sender_sig_priv_key_string, 'utf-8'),
            password=None,
            backend=default_backend())

        #  Signing the message using the sender's signing private key
        signer = sender_sig_priv_key.signer(
            padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                        salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256())

        if isinstance(msg, str):
            msg = bytes(msg, 'utf-8')
        signer.update(msg)
        signature = signer.finalize()
        signature_b64 = base64.urlsafe_b64encode(signature)

        # Symmetrically encrypting message
        R_sym = os.urandom(32)
        iv = b'\x00' * 16  # IV is 256-bit for AES256;
        sym_encryptor = ciphers.Cipher(ciphers.algorithms.AES(R_sym),
                                       ciphers.modes.CTR(iv),
                                       backend=default_backend()).encryptor()
        msg_encrypted = sym_encryptor.update(msg) + sym_encryptor.finalize()
        msg_encrypted_b64 = base64.urlsafe_b64encode(msg_encrypted)

        # Creating associated data
        if isinstance(adata, str):
            adata = bytes(adata, 'utf-8')
        adata_b64 = base64.urlsafe_b64encode(adata)

        # Generating HMAC
        R_hmac = os.urandom(32)
        h = hmac.HMAC(R_hmac, hashes.SHA256(), backend=default_backend())
        h.update(adata_b64 + b'|' + msg_encrypted_b64 + b'|' +
                 sig_algorithm_b64 + b'|' + signature_b64)
        hmac_b64 = base64.urlsafe_b64encode(h.finalize())

        # Loading receiver's encryption public key for encrypting the symmetric keys
        receiver_public_keys = self.import_pub_keys(
            receiver_name, self.remote_public_keyrings)
        receiver_enc_pub_key_string = self.deserialize(
            receiver_public_keys['rsa.2048.1.enc.pub'])
        receiver_enc_pub_key = serialization.load_pem_public_key(
            bytes(receiver_enc_pub_key_string, 'utf-8'),
            backend=default_backend())

        # Asymmetrically encrypting R = (R_sym || R_hmac)
        R_encrypted = receiver_enc_pub_key.encrypt(
            R_sym + R_hmac,
            padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                         algorithm=hashes.SHA256(),
                         label=None))
        R_encrypted_b64 = base64.urlsafe_b64encode(R_encrypted)

        # Ciphertext format: [adata_b64, enc_algorithm, R_encrypted_b64, msg_encrypted_b64, signature_b64, hmac_b64]
        ctx = b'|'.join([
            adata_b64, enc_algorithm, R_encrypted_b64, msg_encrypted_b64,
            sig_algorithm_b64, signature_b64, hmac_b64
        ])

        logging.debug('Generated ciphertext:')
        return ctx
Example #40
0
def initPrivateKey():
    # Initialize RSA object + load private key into RSA object
    with open("private.pem", "rb") as key_file:
        private_key = serialization.load_pem_private_key(
            key_file.read(), password=None, backend=default_backend())
    return private_key
    def test_001_block_write(self):
        """
        use the same case as the test_000_trans_write, but transactions are seperated into different blocks
        :return:
        """
        # replace the following connection address with the address in the chainbase

        tinput = [(
            b'O\x1e,-\xe1\xa0!\x16D\x87\xcc\x923\xf7\xf6\xca\xad\xd1\t\x8eV\xdc\xe8t}N\xfa\x8af\xbe\xe7\xef',
            0)]

        private_key1 = load_pem_private_key(
            b'-----BEGIN PRIVATE KEY-----\nMIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0w'
            b'awIBAQQg64DiDBUkuGC5rrTfH6uy\nHt6vhvHrMHj3Gm64SZtdqtKhRANCAATMIea'
            b'IK4vT0ni00F6GGW40qioinPFgXjsj\n6sZGivW9Ipj+zcDfPc7RxZuFeKFmbtVaUX'
            b'Z877DM4C8ELZs2DPVQ\n-----END PRIVATE KEY-----\n', None,
            default_backend())
        public_key = b'-----BEGIN PUBLIC KEY-----\nMFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEzCHmiCuL09J4tNBehhluNKoqIpzx' \
                     b'YF47\nI+rGRor1vSKY/s3A3z3O0cWbhXihZm7VWlF2fO+wzOAvBC2bNgz1UA==\n-----END PUBLIC KEY-----\n'
        sha = hashlib.sha256()
        sha.update(public_key)
        public_key_hash = sha.digest()

        T1 = TransInput(tinput, public_key_hash)

        public_key_hash = []
        private_keys = []
        public_keys = []

        for i in range(6):
            private_key = ec.generate_private_key(ec.SECP256K1,
                                                  default_backend())
            private_keys.append(private_key)

            public_key = private_key.public_key()
            public_key = public_key.public_bytes(
                Encoding.PEM, PublicFormat.SubjectPublicKeyInfo)
            public_keys.append(public_key)

            sha = hashlib.sha256()
            sha.update(public_key)
            public_key_hash.append(sha.digest())

        toutput = [(7, public_key_hash[i]) for i in range(6)]
        T2 = TransOutput(toutput)

        T = Transaction(T1, T2)
        T.ready(private_key1)

        pri_key = private_keys[0]
        public_key_hash1 = public_key_hash[0]

        T8 = TransInput([(T.txid, 0)], public_key_hash1)

        toutput = [(7, public_key_hash[1])]
        T9 = TransOutput(toutput)

        T4 = Transaction(T8, T9)
        T4.ready(pri_key)

        at = Attachment()
        at.add_data(b'')
        at.ready()

        bd = BlockData([T, T4], at)
        t = time.time()
        block = Block(
            1, t, bd,
            b'G\xfdk\x88\xda5\xff\x8c\x97t\x9f\xcb\xe0\xa8\x07S\x8b9t:.9\x1d\xee\xf4\xb1\xda\xd1r\xaf\xfcu',
            33)
        """
        construct a second valid transaction, which pay 7 from random address 1 to random address 2 
        """

        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM
                           ) as s:  # submit the second valid transaction

            s.connect(self.address)
            payload = send_handler(MsgType.TYPE_BLOCK_WRITE, block.b)
            s.sendall(payload)
            header, length, msgtype, content = recv_parser(s)

            self.assertEqual(content, b'')
            self.assertEqual(length, 0)
            self.assertEqual(
                msgtype, MsgType.TYPE_RESPONSE_OK)  # the chainbase returns OK
Example #42
0
def getPrivKey(username):
    with open(os.path.join(__location__, 'priv_' + username + '.pem'),
              'rb') as f:
        private_key = serialization.load_pem_private_key(
            f.read(), password=None, backend=default_backend())
        return private_key
Example #43
0
def main():
    config = ndr.Config('/etc/ndr/config.yml')

    # Unlike the majority of NDR tools, this one is meant to run interactivity
    print("Network Data Recorder Enlistment Tool")
    print("Copyright (C) 2017 - Secured By THEM")

    if os.getuid() != 0:
        print("ERROR: This utility must be run as root!")
        sys.exit(-1)

    hostname = config.hostname
    print("Hostname: ", hostname)

    # Print out some helpful messages, then ask questions
    print('''
This script will automatically generate a certificate signing request
and other security keys for this recorder. The information used in the CSR
will be used to create an organization and site if necessary, and the pseudonym
will become the default human readable name used to refer to this recorder.

Manual processing of the CSR is required server side. After uploading the CSR,
we'll poll to wait for the CSR to be signed and downloaded. If you don't wish to
enlist this recorder now, press Ctrl-C

NOTE: Names are case sensitive!
''')

    got_info = False
    while got_info is False:
        organization = ""
        while organization == "":
            organization = input("Organization: ")
            if organization == "":
                print("Organization can not be blank!")

        org_unit = ""
        while org_unit == "":
            org_unit = input("Organization Unit/Site: ")
            if organization == "":
                org_unit("OU can not be blank!")

        pseudonym = ""
        while pseudonym == "":
            pseudonym = input("Pseudonym/Human Name: ")
            if organization == "":
                pseudonym("Pseudonym can not be blank!")

        print()
        print("=== CSR to be generated ===")
        print("Organization:", organization)
        print("Organization Unit (Site):", org_unit)
        print("Pseudonym (Human Name):", pseudonym)
        print("Common Name:", hostname)
        print()

        confirmation = input("Is this information correct? [N/y] ")
        if confirmation and confirmation.lower()[0] == 'y':
            got_info = True

    # Check if we have a private key
    print("STEP 1: Checking cryptography keys ...")
    key = None
    if os.path.isfile(config.ssl_private_key) is False:
        print("No private key found, generating. This may take some time ...")
        key = rsa.generate_private_key(public_exponent=65537,
                                       key_size=2048,
                                       backend=default_backend())

        with open(config.ssl_private_key, "wb") as f:
            f.write(
                key.private_bytes(
                    encoding=serialization.Encoding.PEM,
                    format=serialization.PrivateFormat.TraditionalOpenSSL,
                    encryption_algorithm=serialization.NoEncryption()))
        print("Generated ", config.ssl_private_key)

    else:
        print("Have recorder private key")
        with open(config.ssl_private_key, "rb") as f:
            key = load_pem_private_key(f.read(),
                                       password=None,
                                       backend=default_backend())

    # Now generate a certificate signing request (we can always generate a new
    # one safely)
    print("STEP 2: Generating CSR ...")
    csr = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([
            x509.NameAttribute(NameOID.COMMON_NAME, hostname),
            x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization),
            x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, org_unit),
            x509.NameAttribute(NameOID.PSEUDONYM, pseudonym)
        ])).sign(key, hashes.SHA256(), default_backend())

    with open(config.ssl_csr, "wb") as f:
        f.write(csr.public_bytes(serialization.Encoding.PEM))
    print("CSR written to ", config.ssl_csr)

    # Uploading the report is a bit different since we don't have a local certificate to sign it
    # with. First, let's create a CertificateRequest message

    csr_msg = ndr.CertificateRequest(config)
    csr_msg.csr = str(csr.public_bytes(serialization.Encoding.PEM), 'utf-8')

    csr_msg.destination_queue = ndr.IngestMessageDestinations.ENROLLMENT_QUEUE

    # Now we create the report, and load it into signed message and send it on
    # its way
    csr_msg.create_report()
    csr_msg.signed_message = csr_msg.message
    csr_msg.load_into_queue()
    def login_proto(self):
        print("something")
        Message = COMM_MESSAGE()

        data, temp = self.connection_from_client.recvfrom(4096)
        print(temp)
        Message.ParseFromString(data)

        if Message.type == Message.TYPE.LOGIN:
            N1 = os.urandom(16)
            N1 = N1.hex()
            print(N1)

            digest = sha256()
            digest.update(N1.encode())
            Message.N1_hash = digest.hexdigest()
            Message.message = N1[5:]
            self.connection_from_client.sendall(Message.SerializeToString())

            data, temp = self.connection_from_client.recvfrom(4096)
            print(temp)
            Message.ParseFromString(data)

            if Message.N1 == N1:
                print("Puzzle figured out!")
            else:
                print("Wrong!")

            bob = DiffieHellman(group=5, key_length=200)
            bob.generate_public_key()
            Message.gb_mod_p = str(bob.public_key)
            bob.generate_shared_secret(int(Message.message))
            Kas = str(bob.shared_secret)[:16].encode()
            # Kas = (bob.shared_secret).to_bytes(16,sys.byteorder)
            print("Shared secret is:", int.from_bytes(Kas, sys.byteorder))
            Message.gb_mod_p = str(bob.public_key)

            #### loading private key
            with open("private_key.pem", "rb") as key_file:
                private_key = serialization.load_pem_private_key(
                    key_file.read(), password=None, backend=default_backend())

            #### encryption
            plain_text_sign = Message.message + "|" + Message.gb_mod_p
            plain_text_sign = plain_text_sign.encode()
            ### sign the text
            signature = private_key.sign(
                plain_text_sign,
                paddings.PSS(mgf=paddings.MGF1(hashes.SHA256()),
                             salt_length=paddings.PSS.MAX_LENGTH),
                hashes.SHA256())
            #### Timestamp
            timestamp = str(int(time.time()))
            timestamp = timestamp.encode()
            plain_text = signature + timestamp

            iv = os.urandom(16)
            Message.iv = iv
            padder = padding.PKCS7(128).padder()
            padded_data = padder.update(plain_text)
            padded_data += padder.finalize()
            plain_text_padded = padded_data

            authenticate_data = b'Final Project'
            # self.Message.authenticate_data = authenticate_data

            # GCM Mode, we also need an IV
            # encrypt
            cipher = Cipher(algorithms.AES(Kas),
                            modes.GCM(iv),
                            backend=default_backend())
            encryptor = cipher.encryptor()
            encryptor.authenticate_additional_data(authenticate_data)
            cipher_text = encryptor.update(
                plain_text_padded) + encryptor.finalize()
            Message.cipher_text = cipher_text
            Message.tag = encryptor.tag

            self.connection_from_client.sendall(Message.SerializeToString())

            ### Decrypt and verify the client:
            data = self.connection_from_client.recv(4096)
            Message.ParseFromString(data)
            #  AES  decryption
            decryptor = Cipher(algorithms.AES(Kas),
                               modes.GCM(iv, Message.tag),
                               backend=default_backend()).decryptor()
            decryptor.authenticate_additional_data(authenticate_data)
            decrypted_plain_text = decryptor.update(
                Message.cipher_text) + decryptor.finalize()

            # unpad
            unpadder = padding.PKCS7(128).unpadder()
            plain_text = unpadder.update(
                decrypted_plain_text) + unpadder.finalize()

            # Verify timestamp
            plain_text_timestamp = plain_text[-10:]
            message_timestamp = int(plain_text_timestamp)
            if ((int(time.time()) - message_timestamp) < 60):
                print("Timestamp verified")
            else:
                print("Timestamp failed!")

            ###
            plain_text = plain_text[0:len(plain_text) - 10]
            plain_text = plain_text.decode()
            username = plain_text.split("|")[0]
            password = plain_text.split("|")[1]
            #if username == "Yushen" and password == "123":
            #    verify = "Success"
            #else:
            #   verify = "Fail"
            verify = "Fail"
            if username in self.identities.keys():
                pass_digest = sha256()
                pass_digest.update(password.encode())
                pass_digest.update(self.identities[username]["salt"].encode())
                pass_hash = pass_digest.hexdigest()
                print(pass_hash, "is the passhash")
                if pass_hash == self.identities[username]["passhash"]:
                    verify = "Success"
            ####
            plain_text = verify.encode()
            timestamp = str(int(time.time()))
            timestamp = timestamp.encode()
            plain_text = plain_text + timestamp

            padder = padding.PKCS7(128).padder()
            padded_data = padder.update(plain_text)
            padded_data += padder.finalize()
            plain_text_padded = padded_data

            cipher = Cipher(algorithms.AES(Kas),
                            modes.GCM(iv),
                            backend=default_backend())
            encryptor = cipher.encryptor()
            encryptor.authenticate_additional_data(authenticate_data)
            cipher_text = encryptor.update(
                plain_text_padded) + encryptor.finalize()
            Message.cipher_text = cipher_text
            Message.tag = encryptor.tag

            self.connection_from_client.sendall(Message.SerializeToString())
            # connection_from_client.shutdown(0)
            # self.socket_from_client.shutdown(0)
            self.connection_from_client.close()
            self.socket_from_client.close()
Example #45
0
    def decrypt(self, ctx, sender_name, verfiy_also=True):
        """ Decrypt the ciphertext ctx, using receiver's encryption_priv_key and verify signature using sender's 
        signing_pub_key. Which encryption key to use, and which verification key to use is specified in the 
        ciphertext. """

        if isinstance(ctx, str):
            ctx = bytes(ctx, 'utf-8')

        ctx_list = ctx.split(b'|')
        [
            adata_b64, enc_algorithm, R_encrypted_b64, msg_encrypted_b64,
            sig_algorithm_b64, signature_b64, hmac_b64
        ] = ctx_list
        logging.debug('Parsed ciphertext')

        if b'rsa.2048.1' not in enc_algorithm:
            raise UnsupportedAlgorithm

        if b'rsa_with_sha256.2048.1' not in base64.urlsafe_b64decode(
                sig_algorithm_b64):
            raise UnsupportedAlgorithm

        #  Loading sender's private encryption key
        sender_enc_priv_key_string = self.deserialize(
            self.local_private_key_ring['rsa.2048.1.enc.priv'])
        sender_enc_priv_key = serialization.load_pem_private_key(
            bytes(sender_enc_priv_key_string, 'utf-8'),
            password=None,
            backend=default_backend())
        logging.debug('Loaded sender\'s private encryption key')

        # Loading sender's public signing key for signature verification
        sender_public_keys = self.import_pub_keys(sender_name,
                                                  self.remote_public_keyrings)
        sender_sig_pub_key_string = self.deserialize(
            sender_public_keys['rsa.2048.1.sig.pub'])
        sender_sig_pub_key = serialization.load_pem_public_key(
            bytes(sender_sig_pub_key_string, 'utf-8'),
            backend=default_backend())

        # Asymmetrically decrypt {R} back to (R_sym || R_hmac)
        R_encrypted = base64.urlsafe_b64decode(R_encrypted_b64)

        R = sender_enc_priv_key.decrypt(
            R_encrypted,
            padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                         algorithm=hashes.SHA256(),
                         label=None))
        R_sym, R_hmac = R[:32], R[32:]
        logging.debug('Decrypted R = (R_sym || R_hmac)')

        # Verify HMAC
        h = hmac.HMAC(R_hmac, hashes.SHA256(), backend=default_backend())
        h.update(adata_b64 + b'|' + msg_encrypted_b64 + b'|' +
                 sig_algorithm_b64 + b'|' + signature_b64)
        h.verify(base64.urlsafe_b64decode(hmac_b64))
        logging.debug('Verified HMAC')

        # Symetrically decrypt {msg}
        iv = b'\x00' * 16
        msg_encrypted = base64.urlsafe_b64decode(msg_encrypted_b64)
        decryptor = ciphers.Cipher(ciphers.algorithms.AES(R_sym),
                                   ciphers.modes.CTR(iv),
                                   backend=default_backend()).decryptor()
        msg = decryptor.update(msg_encrypted) + decryptor.finalize()
        logging.debug('Decrypted {msg}')

        # Verifying signature
        signature = base64.urlsafe_b64decode(signature_b64)
        verifier = sender_sig_pub_key.verifier(
            signature,
            padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                        salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256())
        verifier.update(msg)
        verifier.verify()
        logging.debug('Decrypted signature')
        return msg
Example #46
0
def load_privkey(pem):
    return serialization.load_pem_private_key(pem, None, default_backend())
def create_ecdsa_public_and_private_from_pem(pem, password=None):
    """
  <Purpose>
    Create public and private ECDSA keys from a private 'pem'.  The public and
    private keys are strings in PEM format:

    public: '-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----',
    private: '-----BEGIN EC PRIVATE KEY----- ... -----END EC PRIVATE KEY-----'}}

    >>> junk, private = generate_public_and_private()
    >>> public, private = create_ecdsa_public_and_private_from_pem(private)
    >>> securesystemslib.formats.PEMECDSA_SCHEMA.matches(public)
    True
    >>> securesystemslib.formats.PEMECDSA_SCHEMA.matches(private)
    True
    >>> passphrase = 'secret'
    >>> encrypted_pem = create_ecdsa_encrypted_pem(private, passphrase)
    >>> public, private = create_ecdsa_public_and_private_from_pem(encrypted_pem, passphrase)
    >>> securesystemslib.formats.PEMECDSA_SCHEMA.matches(public)
    True
    >>> securesystemslib.formats.PEMECDSA_SCHEMA.matches(private)
    True

  <Arguments>
    pem:
      A string in PEM format.  The private key is extracted and returned in
      an ecdsakey object.

    password: (optional)
      The password, or passphrase, to decrypt the private part of the ECDSA key
      if it is encrypted.  'password' is not used directly as the encryption
      key, a stronger encryption key is derived from it.

  <Exceptions>
    securesystemslib.exceptions.FormatError, if the arguments are improperly
    formatted.

    securesystemslib.exceptions.UnsupportedAlgorithmError, if the ECDSA key
    pair could not be extracted, possibly due to an unsupported algorithm.

    securesystemslib.exceptions.UnsupportedLibraryError, if the cryptography
    module is not available.

  <Side Effects>
    None.

  <Returns>
    A dictionary containing the ECDSA keys and other identifying information.
    Conforms to 'securesystemslib.formats.ECDSAKEY_SCHEMA'.
  """

    if not CRYPTO:  # pragma: no cover
        raise securesystemslib.exceptions.UnsupportedLibraryError(
            NO_CRYPTO_MSG)

    # Does 'pem' have the correct format?
    # This check will ensure 'pem' conforms to
    # 'securesystemslib.formats.ECDSARSA_SCHEMA'.
    securesystemslib.formats.PEMECDSA_SCHEMA.check_match(pem)

    if password is not None:
        securesystemslib.formats.PASSWORD_SCHEMA.check_match(password)
        password = password.encode('utf-8')

    else:
        logger.debug('The password/passphrase is unset.  The PEM is expected'
                     ' to be unencrypted.')

    public = None
    private = None

    # Generate the public and private ECDSA keys.  The pyca/cryptography library
    # performs the actual import operation.
    try:
        private = load_pem_private_key(pem.encode('utf-8'),
                                       password=password,
                                       backend=default_backend())

    except (ValueError, cryptography.exceptions.UnsupportedAlgorithm) as e:
        raise securesystemslib.exceptions.CryptoError(
            'Could not import private'
            ' PEM.\n' + str(e))

    public = private.public_key()

    # Serialize public and private keys to PEM format.
    private = private.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption())

    public = public.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)

    return public.decode('utf-8'), private.decode('utf-8')
def create_ecdsa_encrypted_pem(private_pem, passphrase):
    """
  <Purpose>
    Return a string in PEM format, where the private part of the ECDSA key is
    encrypted. The private part of the ECDSA key is encrypted as done by
    pyca/cryptography: "Encrypt using the best available encryption for a given
    key's backend. This is a curated encryption choice and the algorithm may
    change over time."

    >>> junk, private = generate_public_and_private()
    >>> passphrase = 'secret'
    >>> encrypted_pem = create_ecdsa_encrypted_pem(private, passphrase)
    >>> securesystemslib.formats.PEMECDSA_SCHEMA.matches(encrypted_pem)
    True

  <Arguments>
    private_pem:
    The private ECDSA key string in PEM format.

    passphrase:
    The passphrase, or password, to encrypt the private part of the ECDSA
    key. 'passphrase' is not used directly as the encryption key, a stronger
    encryption key is derived from it.

    <Exceptions>
      securesystemslib.exceptions.FormatError, if the arguments are improperly
      formatted.

      securesystemslib.exceptions.CryptoError, if an ECDSA key in encrypted PEM
      format cannot be created.

    securesystemslib.exceptions.UnsupportedLibraryError, if the cryptography
    module is not available.

  <Side Effects>
    None.

  <Returns>
    A string in PEM format, where the private RSA portion is encrypted.
    Conforms to 'securesystemslib.formats.PEMECDSA_SCHEMA'.
  """

    if not CRYPTO:  # pragma: no cover
        raise securesystemslib.exceptions.UnsupportedLibraryError(
            NO_CRYPTO_MSG)

    # Does 'private_key' have the correct format?
    # Raise 'securesystemslib.exceptions.FormatError' if the check fails.
    securesystemslib.formats.PEMRSA_SCHEMA.check_match(private_pem)

    # Does 'passphrase' have the correct format?
    securesystemslib.formats.PASSWORD_SCHEMA.check_match(passphrase)

    encrypted_pem = None

    private = load_pem_private_key(private_pem.encode('utf-8'),
                                   password=None,
                                   backend=default_backend())

    encrypted_private_pem = \
      private.private_bytes(encoding=serialization.Encoding.PEM,
      format=serialization.PrivateFormat.TraditionalOpenSSL,
      encryption_algorithm=serialization.BestAvailableEncryption(passphrase.encode('utf-8')))

    return encrypted_private_pem
Example #49
0
 def makekey_from_privkey(privkey, encryptedKeyValue):
     privkey = serialization.load_pem_private_key(privkey.read(),
                                                  password=None,
                                                  backend=default_backend())
     skey = privkey.decrypt(encryptedKeyValue, padding.PKCS1v15())
     return skey
def create_signature(public_key,
                     private_key,
                     data,
                     scheme='ecdsa-sha2-nistp256'):
    """
  <Purpose>
    Return a (signature, scheme) tuple.

    >>> requested_scheme = 'ecdsa-sha2-nistp256'
    >>> public, private = generate_public_and_private(requested_scheme)
    >>> data = b'The quick brown fox jumps over the lazy dog'
    >>> signature, scheme = create_signature(public, private, data, requested_scheme)
    >>> securesystemslib.formats.ECDSASIGNATURE_SCHEMA.matches(signature)
    True
    >>> requested_scheme == scheme
    True

  <Arguments>
    public:
      The ECDSA public key in PEM format.

    private:
      The ECDSA private key in PEM format.

    data:
      Byte data used by create_signature() to generate the signature returned.

    scheme:
      The signature scheme used to generate the signature.  For example:
      'ecdsa-sha2-nistp256'.

  <Exceptions>
    securesystemslib.exceptions.FormatError, if the arguments are improperly
    formatted.

    securesystemslib.exceptions.CryptoError, if a signature cannot be created.

    securesystemslib.exceptions.UnsupportedAlgorithmError, if 'scheme' is not
    one of the supported signature schemes.

    securesystemslib.exceptions.UnsupportedLibraryError, if the cryptography
    module is not available.

  <Side Effects>
    None.

  <Returns>
    A signature dictionary conformat to
    'securesystemslib.format.SIGNATURE_SCHEMA'.  ECDSA signatures are XX bytes,
    however, the hexlified signature is stored in the dictionary returned.
  """

    if not CRYPTO:  # pragma: no cover
        raise securesystemslib.exceptions.UnsupportedLibraryError(
            NO_CRYPTO_MSG)

    # Do 'public_key' and 'private_key' have the correct format?
    # This check will ensure that the arguments conform to
    # 'securesystemslib.formats.PEMECDSA_SCHEMA'.  Raise
    # 'securesystemslib.exceptions.FormatError' if the check fails.
    securesystemslib.formats.PEMECDSA_SCHEMA.check_match(public_key)

    # Is 'private_key' properly formatted?
    securesystemslib.formats.PEMECDSA_SCHEMA.check_match(private_key)

    # Is 'scheme' properly formatted?
    securesystemslib.formats.ECDSA_SCHEME_SCHEMA.check_match(scheme)

    # 'ecdsa-sha2-nistp256' is the only currently supported ECDSA scheme, so this
    # if-clause isn't strictly needed.  Nevertheless, the conditional statement
    # is included to accommodate multiple schemes that can potentially be added
    # in the future.
    if scheme == 'ecdsa-sha2-nistp256':
        try:
            private_key = load_pem_private_key(private_key.encode('utf-8'),
                                               password=None,
                                               backend=default_backend())

            signature = private_key.sign(data, ec.ECDSA(hashes.SHA256()))

        except TypeError as e:
            raise securesystemslib.exceptions.CryptoError('Could not create'
                                                          ' signature: ' +
                                                          str(e))

    # A defensive check for an invalid 'scheme'.  The
    # ECDSA_SCHEME_SCHEMA.check_match() above should have already validated it.
    else:  #pragma: no cover
        raise securesystemslib.exceptions.UnsupportedAlgorithmError(
            'Unsupported'
            ' signature scheme is specified: ' + repr(scheme))

    return signature, scheme
def create_device(device_file, device_key_file, signer_file, signer_key_file, root_file, root_key_file):
    # Make sure files exist
    if not (os.path.isfile(signer_file) and os.path.isfile(signer_key_file) and os.path.isfile(root_file)):
        raise FileNotFoundError('Failed to find {}, {}, or {}'.format(signer_file, signer_key_file, root_file))

    # Setup cryptography
    be = cryptography.hazmat.backends.default_backend()

    print('\nLoad Device Public Key')
    # Load the public key from the device or a file
    print('    Loading from %s' % device_key_file)
    with open(device_key_file, 'r') as f:
        public_key_pem = f.read()

    # Convert the key into the cryptography format
    public_key = serialization.load_pem_public_key(public_key_pem.encode('ascii'), be)
    
    print('\nLoad Signer')
    # Load the Signing key from the file
    print('    Loading key from %s' % signer_key_file)
    with open(signer_key_file, 'rb') as f:
        signer_ca_priv_key = serialization.load_pem_private_key(data=f.read(), password=None, backend=be)

    # Load the Signing Certificate from the file
    print('    Loading certificate from %s' % signer_file)
    with open(signer_file, 'rb') as f:
        signer_ca_cert = x509.load_pem_x509_certificate(f.read(), be)

    with open(root_file, 'rb') as f:
        root_ca_cert = x509.load_pem_x509_certificate(f.read(), be)
        root_public = root_ca_cert.public_key()

    # Build certificate
    print('\nCreate Device Certificate template')
    builder = x509.CertificateBuilder()

    builder = builder.issuer_name(signer_ca_cert.subject)

    # Device cert must have minutes and seconds set to 0
    builder = builder.not_valid_before(datetime.datetime.now(tz=pytz.utc).replace(minute=0,second=0))

    # Should be year 9999, but this doesn't work on windows
    builder = builder.not_valid_after(datetime.datetime(3000, 12, 31, 23, 59, 59))

    o = input("organization name:")
    cn = str('0123xxxxxxxxxxxxee')

    with open('ou.txt', 'w') as f:
        print(o, file=f)

    builder = builder.subject_name(x509.Name([
        x509.NameAttribute(x509.oid.NameOID.ORGANIZATION_NAME, o),
        x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)]))

    builder = builder.public_key(public_key)

    # Device certificate is generated from certificate dates and public key
    builder = builder.serial_number(device_cert_sn(16, builder))

    # Subject Key ID is used as the thing name and MQTT client ID and is required for this demo
    builder = builder.add_extension(
        x509.SubjectKeyIdentifier.from_public_key(public_key),
        critical=False)

    issuer_ski = signer_ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    builder = builder.add_extension(
        x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(issuer_ski.value),
        critical=False)

    # Sign certificate with longest R & S pattern 
    while True: 
        device_cert = builder.sign(private_key=signer_ca_priv_key, algorithm=hashes.SHA256(), backend=be)
        cert = decoder.decode(device_cert.public_bytes(encoding=serialization.Encoding.DER), asn1Spec=rfc2459.Certificate())[0]
        info = cert_sig_offset_length(cert)
        if info['length'] == 75:
            break

    # Save certificate for reference
    print('    Save Device Certificate to %s' % device_file)
    with open(device_file, 'wb') as f:
        f.write(device_cert.public_bytes(encoding=serialization.Encoding.PEM))

    # Save root public key
    print('    Save Root Public Key to %s' % root_key_file)
    with open(root_key_file, 'wb') as f:
        f.write(root_public.public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo))
Example #52
0
from cryptography.exceptions import InvalidSignature
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.rsa import _modinv
from cryptography.hazmat.primitives.serialization import load_pem_private_key

from flask import Flask, abort, request

app = Flask(__name__)

with open("ctf.key", "rb") as f:
    pem_data = f.read()

ctf_key = load_pem_private_key(pem_data,
                               password=None,
                               backend=default_backend())

CSAW_FLAG = open("flag").read().strip()
FERNET = Fernet(Fernet.generate_key())


@app.route("/capture", methods=["POST"])
def capture():
    sig = binascii.unhexlify(request.form["signature"])
    challenge = request.form["challenge"].encode("ascii")
    try:
        FERNET.decrypt(challenge)
    except InvalidToken:
        print("Here")
        abort(400)
Example #53
0
 def load(cls, path):
     with openfile(path, 'rb') as key_file:
         key = serialization.load_pem_private_key(key_file.read(),
                                                  password=None,
                                                  backend=cls.__backend__)
     return PrivateKey.new(key) if cls.__type__ is None else cls(key)
Example #54
0
    def sign_cert(cls,
                  csr,
                  validity,
                  ca_cert=None,
                  ca_key=None,
                  ca_key_pass=None,
                  ca_digest=None):
        """Signs a certificate using our private CA based on the specified CSR

        The signed certificate will be valid from now until <validity> seconds
        from now.

        :param csr: A Certificate Signing Request
        :param validity: Valid for <validity> seconds from the current time
        :param ca_cert: Signing Certificate (default: config)
        :param ca_key: Signing Certificate Key (default: config)
        :param ca_key_pass: Signing Certificate Key Pass (default: config)
        :param ca_digest: Digest method to use for signing (default: config)

        :return: Signed certificate
        :raises Exception: if certificate signing fails
        """
        LOG.info("Signing a certificate request using OpenSSL locally.")
        cls._validate_cert(ca_cert, ca_key, ca_key_pass)
        if not ca_digest:
            ca_digest = CONF.certificates.signing_digest
        try:
            algorithm = getattr(hashes, ca_digest.upper())()
        except AttributeError:
            raise crypto_exceptions.UnsupportedAlgorithm(
                "Supplied digest method not found: %s" % ca_digest)

        if not ca_cert:
            with open(CONF.certificates.ca_certificate, 'rb') as f:
                ca_cert = f.read()
        if not ca_key:
            with open(CONF.certificates.ca_private_key, 'rb') as f:
                ca_key = f.read()
        if not ca_key_pass:
            ca_key_pass = CONF.certificates.ca_private_key_passphrase
            ca_key_pass = ca_key_pass.encode('utf-8')

        try:
            lo_cert = x509.load_pem_x509_certificate(
                data=ca_cert, backend=backends.default_backend())
            lo_key = serialization.load_pem_private_key(
                data=ca_key,
                password=ca_key_pass,
                backend=backends.default_backend())
            lo_req = x509.load_pem_x509_csr(data=csr,
                                            backend=backends.default_backend())
            new_cert = x509.CertificateBuilder()
            new_cert = new_cert.serial_number(cls._new_serial())
            valid_from_datetime = datetime.datetime.utcnow()
            valid_to_datetime = (datetime.datetime.utcnow() +
                                 datetime.timedelta(seconds=validity))
            new_cert = new_cert.not_valid_before(valid_from_datetime)
            new_cert = new_cert.not_valid_after(valid_to_datetime)
            new_cert = new_cert.issuer_name(lo_cert.subject)
            new_cert = new_cert.subject_name(lo_req.subject)
            new_cert = new_cert.public_key(lo_req.public_key())
            new_cert = new_cert.add_extension(x509.BasicConstraints(
                ca=False, path_length=None),
                                              critical=True)
            cn_str = lo_req.subject.get_attributes_for_oid(
                x509.oid.NameOID.COMMON_NAME)[0].value
            new_cert = new_cert.add_extension(x509.SubjectAlternativeName(
                [x509.DNSName(cn_str)]),
                                              critical=False)
            new_cert = new_cert.add_extension(x509.KeyUsage(
                digital_signature=True,
                key_encipherment=True,
                data_encipherment=True,
                key_agreement=True,
                content_commitment=False,
                key_cert_sign=False,
                crl_sign=False,
                encipher_only=False,
                decipher_only=False),
                                              critical=True)
            new_cert = new_cert.add_extension(x509.ExtendedKeyUsage([
                x509.oid.ExtendedKeyUsageOID.SERVER_AUTH,
                x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH
            ]),
                                              critical=True)
            signed_cert = new_cert.sign(private_key=lo_key,
                                        algorithm=algorithm,
                                        backend=backends.default_backend())
            return signed_cert.public_bytes(
                encoding=serialization.Encoding.PEM)
        except Exception as e:
            LOG.error("Unable to sign certificate.")
            raise exceptions.CertificateGenerationException(msg=e)
Example #55
0
 def get_responder_key(self):
     key = self.get_responder_key_data()
     return serialization.load_pem_private_key(key, None, default_backend())
Example #56
0
def load_private_key(private_key_path):
    """Load pem encoded private key"""
    with open(private_key_path, 'r') as f:
        return serialization.load_pem_private_key(f.read(),
                                                  password=None,
                                                  backend=default_backend())
Example #57
0
SNOWFLAKE_SCHEMA = 'BASWARE'
SNOWFLAKE_WAREHOUSE = 'DEV_WH'


##################################
# Establish Snowflake connection #
##################################
# Establish the Snowflake connection first so it can be referenced anywhere easily.
# Key pair authentication is used rather than directly storing the SCRIPT_USER user's password in this script for extra security.
# Currently the private key passphrase is stored directly below, but it only works if the user also has the private key itself which is in an external file.
# The private key passphrase can be easily externalized from this script as well for an additional layer of security if needed.
# Code is taken from the "Key Pair Authentication" section at https://docs.snowflake.net/manuals/user-guide/python-connector-example.html
with open(SNOWFLAKE_PRIVATE_KEY_PATH, 'rb') as key:
    p_key = serialization.load_pem_private_key(
        key.read(),
        password='******'.encode(),
        backend=default_backend()
    )

pkb = p_key.private_bytes(
    encoding=serialization.Encoding.DER,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption())

snowflake_connection = snowflake.connector.connect(
    user='******',
    account='xxxxxxx',
    private_key=pkb)

snowflake_cursor = snowflake_connection.cursor()
Example #58
0
def load_private_key(path):
    with open(path, 'rb') as f:
        pem_data = f.read()
    return serialization.load_pem_private_key(pem_data,
                                              password=None,
                                              backend=default_backend())
Example #59
0
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization

# AES keys
aes_key_merchant = b'$P\xb5I8\xcb\xd2y\xa7\xad\x8c\xb3\xb7Se\xed\xe1|\xeeu\x9e\x8f\x0f8{\xa9{sO\xc1\xfdL'
aes_iv_merchant = b'\xcd!9\xae\xc1\xd0/Yv\xc8\x02x\xdc\x89\xa9\xa6'

aes_key_PG = b'\xf5\tq5}z9\x95\xf2\x0ce\x10\xa6nm\xb6mn\x9b\xa2\xf9\xb7\xd5}\x99\xd1\xd4\x97\xed\xa6\x98\x9c'
aes_iv_PG = b'V\xd1\xeev\xe6\xb0o0\xdbF"\x1a\xf9\x1a\xd7\x00'

# RSA keys
with open("Keys/client_rsa_priv_key.txt", "rb") as key_file:
    private_key_rsa = serialization.load_pem_private_key(
        key_file.read(),
        password=None,
    )

with open("Keys/client_rsa_pub_key.txt", "rb") as key_file:
    public_key_rsa = serialization.load_pem_public_key(key_file.read())

with open("Keys/merchant_rsa_pub_key.txt", "rb") as key_file:
    public_key_rsa_merchant = serialization.load_pem_public_key(
        key_file.read())

with open("Keys/pg_rsa_pub_key.txt", "rb") as key_file:
    public_key_rsa_pg = serialization.load_pem_public_key(key_file.read())


def generate_cert_client():
    subject = issuer = x509.Name([
Example #60
0
def ReadPrivateKey(filename):
  return serialization.load_pem_private_key(
      open(filename, 'rb').read(), password=None, backend=default_backend())