def verify_and_generate_shared_secret(self, dh_secret, dh_received, auth,
B):
shared_secret = libnacl.crypto_box_beforenm(
dh_received, dh_secret.key.sk) + libnacl.crypto_box_beforenm(
B, dh_secret.key.sk)
libnacl.crypto_auth_verify(auth, dh_received, shared_secret)
return shared_secret
def decode_auth(cls, token, key, extra):
payload = base64.urlsafe_b64decode(extra[0])
message = payload[:-32]
mac = payload[-32:]
footer = b''
if len(extra) > 1:
footer = base64.b64decode(extra[1], validate=True)
libnacl.crypto_auth_verify(
mac, pre_auth_encode([b'v2.auth.', message, footer]), key)
return message, footer
def test_auth_verify_rejects_wrong_key_lengths(self):
msg = b"I'd take the awe of understanding over the awe of ignorance any day."
good_key = b'This valid key is 32 bytes long.'
good_token = b'This token is likewise also 32B.'
for bad_key in (b'too short', b'too long' * 100):
with self.assertRaises(ValueError) as context:
libnacl.crypto_auth_verify(good_token, msg, bad_key)
self.assertEqual(context.exception.args, ('Invalid secret key',))
for bad_token in (b'too short', b'too long' * 100):
with self.assertRaises(ValueError) as context:
libnacl.crypto_auth_verify(bad_token, msg, good_key)
self.assertEqual(context.exception.args, ('Invalid authenticator',))
def test_auth_verify(self):
msg = b'Anybody can invent a cryptosystem he cannot break himself. Except Bruce Schneier.'
key1 = libnacl.utils.salsa_key()
key2 = libnacl.utils.salsa_key()
sig1 = libnacl.crypto_auth(msg, key1)
sig2 = libnacl.crypto_auth(msg, key2)
self.assertTrue(libnacl.crypto_auth_verify(sig1, msg, key1))
self.assertTrue(libnacl.crypto_auth_verify(sig2, msg, key2))
with self.assertRaises(ValueError) as context:
libnacl.crypto_auth_verify(sig1, msg, key2)
self.assertTrue('Failed to auth msg' in context.exception.args)
with self.assertRaises(ValueError) as context:
libnacl.crypto_auth_verify(sig2, msg, key1)
self.assertTrue('Failed to auth msg' in context.exception.args)
#!/usr/bin/env python3
#
# Use symetric encryption to validate a digest for a value
#
import sys
import libnacl
if __name__ == '__main__':
if len(sys.argv) != 4:
print("Usage: {} key digest message".format(sys.argv[0]))
print(" key: the key in hex format")
print(" digest: the digest in hex format")
print(" message: unencrypted data")
sys.exit(1)
# load the key
key = bytes.fromhex(sys.argv[1])
# load the digest
digest = bytes.fromhex(sys.argv[2])
# message must be of type bytes, not str, so we convert
message = sys.argv[3].encode()
# no convenience methods for this, so we use the raw wrapper methods
try:
libnacl.crypto_auth_verify(digest, message, key)
print("Verified")
except ValueError:
print("NOT verified")