def kem_encapsulate(self, public_key):
"""Generate a shared key and a key encapsulated message."""
shared_key = Buffer(self.kem_shared_key_len(key=public_key))
encapsulated_key = Buffer(self.kem_encapsulated_key_len(public_key=public_key))
status = self._lib_vscf_ecc.vscf_ecc_kem_encapsulate(self.ctx, public_key.c_impl, shared_key.c_buffer, encapsulated_key.c_buffer)
VscfStatus.handle_status(status)
return shared_key.get_bytes(), encapsulated_key.get_bytes()
def generate_server_key_pair(self):
"""Generates new NIST P-256 server key pair for some client"""
server_private_key = Buffer(Common.PHE_PRIVATE_KEY_LENGTH)
server_public_key = Buffer(Common.PHE_PUBLIC_KEY_LENGTH)
status = self._lib_vsce_uokms_server.vsce_uokms_server_generate_server_key_pair(self.ctx, server_private_key.c_buffer, server_public_key.c_buffer)
VsceStatus.handle_status(status)
return server_private_key.get_bytes(), server_public_key.get_bytes()
def blind(self, password):
d_password = Data(password)
deblind_factor = Buffer(self.MPI_LEN)
blinded_point = Buffer(self.POINT_LEN)
status = self._lib_vscf_brainkey_client.vscf_brainkey_client_blind(
self.ctx, d_password.data, deblind_factor.c_buffer,
blinded_point.c_buffer)
VscfStatus.handle_status(status)
return deblind_factor.get_bytes(), blinded_point.get_bytes()
def rotate_keys(self, server_private_key):
"""Updates server's private and public keys and issues an update token for use on client's side"""
d_server_private_key = Data(server_private_key)
new_server_private_key = Buffer(Common.PHE_PRIVATE_KEY_LENGTH)
new_server_public_key = Buffer(Common.PHE_PUBLIC_KEY_LENGTH)
update_token = Buffer(Common.PHE_PRIVATE_KEY_LENGTH)
status = self._lib_vsce_uokms_server.vsce_uokms_server_rotate_keys(self.ctx, d_server_private_key.data, new_server_private_key.c_buffer, new_server_public_key.c_buffer, update_token.c_buffer)
VsceStatus.handle_status(status)
return new_server_private_key.get_bytes(), new_server_public_key.get_bytes(), update_token.get_bytes()
def generate_encrypt_wrap(self, encryption_key_len):
"""Generates new encrypt wrap (which should be stored and then used for decryption) + encryption key
of "encryption key len" that can be used for symmetric encryption"""
wrap = Buffer(Common.PHE_PUBLIC_KEY_LENGTH)
encryption_key = Buffer(encryption_key_len)
status = self._lib_vsce_uokms_client.vsce_uokms_client_generate_encrypt_wrap(
self.ctx, encryption_key_len, wrap.c_buffer,
encryption_key.c_buffer)
VsceStatus.handle_status(status)
return wrap.get_bytes(), encryption_key.get_bytes()
def generate_decrypt_request(self, wrap):
"""Generates request to decrypt data, this request should be sent to the server.
Server response is then passed to "process decrypt response" where encryption key can be decapsulated"""
d_wrap = Data(wrap)
deblind_factor = Buffer(Common.PHE_PRIVATE_KEY_LENGTH)
decrypt_request = Buffer(Common.PHE_PUBLIC_KEY_LENGTH)
status = self._lib_vsce_uokms_client.vsce_uokms_client_generate_decrypt_request(
self.ctx, d_wrap.data, deblind_factor.c_buffer,
decrypt_request.c_buffer)
VsceStatus.handle_status(status)
return deblind_factor.get_bytes(), decrypt_request.get_bytes()
def finish_auth_encryption(self):
"""Accomplish an authenticated encryption and place tag separately.
Note, if authentication tag should be added to an encrypted data,
method "finish" can be used."""
out = Buffer(self.out_len(data_len=0))
tag = Buffer(self.AUTH_TAG_LEN)
status = self._lib_vscf_aes256_gcm.vscf_aes256_gcm_finish_auth_encryption(
self.ctx, out.c_buffer, tag.c_buffer)
VscfStatus.handle_status(status)
return out.get_bytes(), tag.get_bytes()
def blind(self, password):
"""Blinds password. Turns password into a pseudo-random string.
This step is necessary to prevent 3rd-parties from knowledge of end user's password."""
d_password = Data(password)
blinded_password = Buffer(self.blinded_password_buf_len())
blinding_secret = Buffer(self.blinding_secret_buf_len())
status = self._lib_vscp_pythia.vscp_pythia_blind(
d_password.data, blinded_password.c_buffer,
blinding_secret.c_buffer)
VscpStatus.handle_status(status)
return blinded_password.get_bytes(), blinding_secret.get_bytes()
def rotate_keys(self, update_token):
"""Rotates client and server keys using given update token obtained from server"""
d_update_token = Data(update_token)
new_client_private_key = Buffer(Common.PHE_PRIVATE_KEY_LENGTH)
new_server_public_key = Buffer(Common.PHE_PUBLIC_KEY_LENGTH)
status = self._lib_vsce_uokms_client.vsce_uokms_client_rotate_keys(
self.ctx, d_update_token.data, new_client_private_key.c_buffer,
new_server_public_key.c_buffer)
VsceStatus.handle_status(status)
return new_client_private_key.get_bytes(
), new_server_public_key.get_bytes()
def auth_encrypt(self, data, auth_data):
"""Encrypt given data.
If 'tag' is not given, then it will written to the 'enc'."""
d_data = Data(data)
d_auth_data = Data(auth_data)
out = Buffer(self.auth_encrypted_len(data_len=len(data)))
tag = Buffer(self.AUTH_TAG_LEN)
status = self._lib_vscf_aes256_gcm.vscf_aes256_gcm_auth_encrypt(
self.ctx, d_data.data, d_auth_data.data, out.c_buffer,
tag.c_buffer)
VscfStatus.handle_status(status)
return out.get_bytes(), tag.get_bytes()
def transform(self, blinded_password, tweak, transformation_private_key):
"""Transforms blinded password using transformation private key."""
d_blinded_password = Data(blinded_password)
d_tweak = Data(tweak)
d_transformation_private_key = Data(transformation_private_key)
transformed_password = Buffer(self.transformed_password_buf_len())
transformed_tweak = Buffer(self.transformed_tweak_buf_len())
status = self._lib_vscp_pythia.vscp_pythia_transform(
d_blinded_password.data, d_tweak.data,
d_transformation_private_key.data, transformed_password.c_buffer,
transformed_tweak.c_buffer)
VscpStatus.handle_status(status)
return transformed_password.get_bytes(), transformed_tweak.get_bytes()
def unwrap(self, pem):
"""Takes PEM data and extract binary data from it."""
d_pem = Data(pem)
data = Buffer(self.unwrapped_len(pem_len=len(pem)))
status = self._lib_vscf_pem.vscf_pem_unwrap(d_pem.data, data.c_buffer)
VscfStatus.handle_status(status)
return data.get_bytes()
def gather(self, len):
"""Gather entropy of the requested length."""
out = Buffer(len)
status = self._lib_vscf_seed_entropy_source.vscf_seed_entropy_source_gather(
self.ctx, len, out.c_buffer)
VscfStatus.handle_status(status)
return out.get_bytes()
def decrypt(self, private_key, data):
"""Decrypt given data."""
d_data = Data(data)
out = Buffer(self.decrypted_len(private_key=private_key, data_len=len(data)))
status = self._lib_vscf_hybrid_key_alg.vscf_hybrid_key_alg_decrypt(self.ctx, private_key.c_impl, d_data.data, out.c_buffer)
VscfStatus.handle_status(status)
return out.get_bytes()
def sign_hash(self, private_key, hash_id, digest):
"""Sign data digest with a given private key."""
d_digest = Data(digest)
signature = Buffer(self.signature_len(private_key=private_key))
status = self._lib_vscf_hybrid_key_alg.vscf_hybrid_key_alg_sign_hash(self.ctx, private_key.c_impl, hash_id, d_digest.data, signature.c_buffer)
VscfStatus.handle_status(status)
return signature.get_bytes()
def encode(self, data):
"""Encode given data to the base64 format.
Note, written buffer is NOT null-terminated."""
d_data = Data(data)
str = Buffer(self.encoded_len(data_len=len(data)))
self._lib_vscf_base64.vscf_base64_encode(d_data.data, str.c_buffer)
return str.get_bytes()
def encrypt(self, public_key, data):
"""Encrypt data with a given public key."""
d_data = Data(data)
out = Buffer(self.encrypted_len(public_key=public_key, data_len=len(data)))
status = self._lib_vscf_hybrid_key_alg.vscf_hybrid_key_alg_encrypt(self.ctx, public_key.c_impl, d_data.data, out.c_buffer)
VscfStatus.handle_status(status)
return out.get_bytes()
def update(self, data):
"""Process encryption or decryption of the given data chunk."""
d_data = Data(data)
out = Buffer(self.out_len(data_len=len(data)))
self._lib_vscf_aes256_cbc.vscf_aes256_cbc_update(
self.ctx, d_data.data, out.c_buffer)
return out.get_bytes()
def generate_update_token_oneparty(self):
"""Generates update token for one-party mode"""
update_token = Buffer(Common.PHE_PRIVATE_KEY_LENGTH)
status = self._lib_vsce_uokms_client.vsce_uokms_client_generate_update_token_oneparty(
self.ctx, update_token.c_buffer)
VsceStatus.handle_status(status)
return update_token.get_bytes()
def decrypt(self, message, public_key):
"""Decrypts message"""
plain_text = Buffer(self.decrypt_len(message=message))
status = self._lib_vscf_group_session.vscf_group_session_decrypt(
self.ctx, message.ctx, public_key.c_impl, plain_text.c_buffer)
VscfStatus.handle_status(status)
return plain_text.get_bytes()
def decrypt(self, message):
"""Decrypts message"""
plain_text = Buffer(self.decrypt_len(message=message))
status = self._lib_vscr_ratchet_session.vscr_ratchet_session_decrypt(
self.ctx, message.ctx, plain_text.c_buffer)
VscrStatus.handle_status(status)
return plain_text.get_bytes()
def random(self, data_len):
"""Generate random bytes.
All RNG implementations must be thread-safe."""
data = Buffer(data_len)
status = self._lib_vscf_key_material_rng.vscf_key_material_rng_random(self.ctx, data_len, data.c_buffer)
VscfStatus.handle_status(status)
return data.get_bytes()
def compute_shared_key(self, public_key, private_key):
"""Compute shared key for 2 asymmetric keys.
Note, computed shared key can be used only within symmetric cryptography."""
shared_key = Buffer(self.shared_key_len(key=private_key))
status = self._lib_vscf_ecc.vscf_ecc_compute_shared_key(self.ctx, public_key.c_impl, private_key.c_impl, shared_key.c_buffer)
VscfStatus.handle_status(status)
return shared_key.get_bytes()
def derive(self, data, key_len):
"""Derive key of the requested length from the given data."""
d_data = Data(data)
key = Buffer(key_len)
self._lib_vscf_kdf2.vscf_kdf2_derive(self.ctx, d_data.data, key_len,
key.c_buffer)
return key.get_bytes()
def harden(self, identity_secret, blinded_point):
d_identity_secret = Data(identity_secret)
d_blinded_point = Data(blinded_point)
hardened_point = Buffer(self.POINT_LEN)
status = self._lib_vscf_brainkey_server.vscf_brainkey_server_harden(self.ctx, d_identity_secret.data, d_blinded_point.data, hardened_point.c_buffer)
VscfStatus.handle_status(status)
return hardened_point.get_bytes()
def finish(self):
"""Accomplish encryption or decryption process."""
out = Buffer(self.out_len(data_len=0))
status = self._lib_vscf_aes256_cbc.vscf_aes256_cbc_finish(
self.ctx, out.c_buffer)
VscfStatus.handle_status(status)
return out.get_bytes()
def finish_padded_data_processing(self):
"""Accomplish padded data processing and return left data without a padding."""
out = Buffer(self.finish_padded_data_processing_out_len())
status = self._lib_vscf_random_padding.vscf_random_padding_finish_padded_data_processing(
self.ctx, out.c_buffer)
VscfStatus.handle_status(status)
return out.get_bytes()
def generate_client_private_key(self):
"""Generates client private key"""
client_private_key = Buffer(Common.PHE_PRIVATE_KEY_LENGTH)
status = self._lib_vsce_uokms_client.vsce_uokms_client_generate_client_private_key(
self.ctx, client_private_key.c_buffer)
VsceStatus.handle_status(status)
return client_private_key.get_bytes()
def kem_decapsulate(self, encapsulated_key, private_key):
"""Decapsulate the shared key."""
d_encapsulated_key = Data(encapsulated_key)
shared_key = Buffer(self.kem_shared_key_len(key=private_key))
status = self._lib_vscf_ecc.vscf_ecc_kem_decapsulate(self.ctx, d_encapsulated_key.data, private_key.c_impl, shared_key.c_buffer)
VscfStatus.handle_status(status)
return shared_key.get_bytes()
def compute_public_key_id(self, public_key):
"""Computes 8 bytes key pair id from Curve25519 (in PKCS8 or raw format) public key"""
d_public_key = Data(public_key)
key_id = Buffer(Common.KEY_ID_LEN)
status = self._lib_vscr_ratchet_key_id.vscr_ratchet_key_id_compute_public_key_id(self.ctx, d_public_key.data, key_id.c_buffer)
VscrStatus.handle_status(status)
return key_id.get_bytes()