def __init__(self, conn, client):
threading.Thread.__init__(self)
self.connexion = conn
self.key = keychain(curve=ec.BrainpoolP512R1())
self.client_addr = client[0]
self.client_port = client[1]
self.header = hat(port, self.client_port)
def _generate_data_key_pair(data, create_cipher=True):
region_details = KMSBackend.get()
kms = aws_stack.connect_to_service("kms")
key_id = data.get("KeyId")
key_spec = data.get("KeyPairSpec") or data.get("KeySpec")
key = None
public_format = None
if key_spec.startswith("RSA"):
rsa_key_sizes = {
"RSA_2048": 2048,
"RSA_3072": 3072,
"RSA_4096": 4096,
}
key_size = rsa_key_sizes.get(key_spec)
key = rsa.generate_private_key(public_exponent=65537,
key_size=key_size)
public_format = crypto_serialization.PublicFormat.PKCS1
if key_spec.startswith("ECC"):
curve = None
if key_spec == "ECC_NIST_P256":
curve = ec.BrainpoolP256R1()
elif key_spec == "ECC_NIST_P384":
curve = ec.BrainpoolP384R1()
elif key_spec == "ECC_NIST_P521":
curve = ec.BrainpoolP512R1()
elif key_spec == "ECC_SECG_P256K1":
curve = ec.SECP256K1()
key = ec.generate_private_key(curve)
public_format = crypto_serialization.PublicFormat.SubjectPublicKeyInfo
private_key = key.private_bytes(
crypto_serialization.Encoding.DER,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption(),
)
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.DER, public_format)
cipher_text_blob = None
if create_cipher:
cipher_text = kms.encrypt(KeyId=key_id,
Plaintext=private_key)["CiphertextBlob"]
cipher_text_blob = base64.b64encode(cipher_text)
result = {
"PrivateKeyCiphertextBlob": cipher_text_blob,
"PrivateKeyPlaintext": base64.b64encode(private_key),
"PublicKey": base64.b64encode(public_key),
"KeyId": key_id,
"KeyPairSpec": key_spec,
"KeySpec": key_spec,
"_key_": key,
}
region_details.key_pairs[key_id] = result
return result
except ValueError:
print("File size too huge")
choice = ""
except FileNotFoundError:
print("File not found")
choice = ""
elif choice == "Q":
print("A bientot :D")
sys.exit()
else:
print("Choix non reconnu.")
# On essaye de se connecter
host,port,timeout = config()
target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#On crée l'objet qui gère la cryptographie
key = keychain(curve=ec.BrainpoolP512R1())
try:
#On initie la connexion
target.connect((host, port))
target.settimeout(timeout)
my_ip,my_port = target.getsockname()
head = hat(my_port,port,MODE=mode)
except socket.error:
print("La connexion a échoué.")
sys.exit()
############ Initialisation ############
############ Corps ############
try:
print("Connexion établie avec le serveur %s:%d"%(host,port))
head = head.forKeyExch()
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from ..hazmat.primitives.test_ec import _skip_exchange_algorithm_unsupported
_CURVES = {
"secp224r1": ec.SECP224R1(),
"secp256r1": ec.SECP256R1(),
"secp384r1": ec.SECP384R1(),
"secp521r1": ec.SECP521R1(),
"secp256k1": ec.SECP256K1(),
"brainpoolP224r1": None,
"brainpoolP256r1": ec.BrainpoolP256R1(),
"brainpoolP320r1": None,
"brainpoolP384r1": ec.BrainpoolP384R1(),
"brainpoolP512r1": ec.BrainpoolP512R1(),
"brainpoolP224t1": None,
"brainpoolP256t1": None,
"brainpoolP320t1": None,
"brainpoolP384t1": None,
"brainpoolP512t1": None,
}
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.wycheproof_tests(
"ecdh_test.json",
"ecdh_brainpoolP224r1_test.json",
"ecdh_brainpoolP256r1_test.json",
"ecdh_brainpoolP320r1_test.json",
"ecdh_brainpoolP384r1_test.json",
'secp384r1',
), (
'sha512',
ec.SECP521R1(),
'secp521r1',
), (
'sha256',
ec.BrainpoolP256R1(),
'brainpoolp256r1',
), (
'sha384',
ec.BrainpoolP384R1(),
'brainpoolp384r1',
), (
'sha512',
ec.BrainpoolP512R1(),
'brainpoolp512r1',
)])
def test_tls_prf(hash_alg, hazmat_curve, curve):
key = objects.ECCKey(0xe0f1)
_, _ = optiga_ec.generate_pair(key, curve=curve)
private_key = ec.generate_private_key(hazmat_curve, default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
optiga_ec.ecdh(key, peer_public_key)
ses = objects.AcquiredSession()
derived_key = optiga_ec.tls_prf(ses,
32,
seed=bytes().fromhex(seed),
hash_algorithm=hash_alg,
def _native_to_pkcs(pkey, key=None, algorithm=None):
"""
OPTIGA doesnt use and accept key information as part of the imput, so we need to append it after key_generation
or strip for input
:param pkey:
a bytestring with the public key from OPTIGA
:param key:
A bytestring with key value from OPTIGA
:param algorithm:
A unicode string for an algorithm.
:raises:
- ValueError - when any of the parameters are not expected
- TypeError - when any of the parameters are of the wrong type
- OSError - when an error is returned by the core initialisation library
:returns:
A tuple of keys (public_key, private_key)
"""
_algorithms_map = {
'secp256r1':
('ec', b'0Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07', ec.SECP256R1()),
'secp384r1':
('ec', b'0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"', ec.SECP384R1()),
'secp521r1':
('ec', b'0\x81\x9b0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00#', ec.SECP521R1()),
'brainpoolp256r1':
('ec', b'0Z0\x14\x06\x07*\x86H\xce=\x02\x01\x06\t+$\x03\x03\x02\x08\x01\x01\x07', ec.BrainpoolP256R1()),
'brainpoolp384r1':
('ec', b'0z0\x14\x06\x07*\x86H\xce=\x02\x01\x06\t+$\x03\x03\x02\x08\x01\x01\x0b', ec.BrainpoolP384R1()),
'brainpoolp512r1':
('ec', b'0\x81\x9b0\x14\x06\x07*\x86H\xce=\x02\x01\x06\t+$\x03\x03\x02\x08\x01\x01\r', ec.BrainpoolP512R1())
}
if algorithm not in _algorithms_map:
raise ValueError(
'{0} isn\'t supported. Use one of {1}'.format(algorithm, _algorithms_map.keys())
)
if not isinstance(pkey, (bytes, bytearray)):
raise TypeError(
'pkey is of unsupported types (pkey type = {0}), '
'should be either bytes or bytearray'.format(type(pkey))
)
if key is not None and not isinstance(key, (bytes, bytearray)):
raise TypeError(
'key is of unsupported types (key type = {0}), '
'should be either bytes or bytearray'.format(type(key))
)
_type = _algorithms_map[algorithm][0]
if _type == 'ec':
prefix = _algorithms_map[algorithm][1]
pyca_curve = _algorithms_map[algorithm][2]
public_key = prefix + pkey
if key is not None:
print(int.from_bytes(key[2:], 'big'))
private_key = ec.derive_private_key(int.from_bytes(key[2:], 'big'), pyca_curve, default_backend())
private_key = private_key.private_bytes(encoding=serialization.Encoding.DER,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption())
else:
private_key = None
return public_key, private_key
key_object = objects.ECCKey(0xe0f1)
pkey, _ = optiga_ec.generate_pair(
key_object,
curve='secp384r1',
key_usage=['authentication', 'signature'])
# key agreement hasnt been selected, thus an error
optiga_ec.ecdh(key_object, pkey)
@pytest.mark.parametrize("curve, hazmat_curve",
[('secp256r1', ec.SECP256R1()),
('secp384r1', ec.SECP384R1()),
('secp521r1', ec.SECP521R1()),
('brainpoolp256r1', ec.BrainpoolP256R1()),
('brainpoolp384r1', ec.BrainpoolP384R1()),
('brainpoolp512r1', ec.BrainpoolP512R1())])
def test_ecdh_internal(curve, hazmat_curve):
key_object = objects.ECCKey(0xe0f1)
_, _ = optiga_ec.generate_pair(key_object, curve)
private_key = ec.generate_private_key(hazmat_curve, default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
optiga_ec.ecdh(key_object, peer_public_key)
@pytest.mark.parametrize("curve, hazmat_curve",
[('secp256r1', ec.SECP256R1()),
('secp384r1', ec.SECP384R1()),
('secp521r1', ec.SECP521R1()),
('brainpoolp256r1', ec.BrainpoolP256R1()),
def _generate_data_key_pair(data, create_cipher=True):
region_details = KMSBackend.get()
kms = aws_stack.connect_to_service("kms")
key_id = data.get("KeyId")
key_spec = data.get("KeyPairSpec") or data.get("KeySpec") or data.get(
"CustomerMasterKeySpec")
key = None
public_format = None
if key_spec.startswith("RSA"):
rsa_key_sizes = {
"RSA_2048": 2048,
"RSA_3072": 3072,
"RSA_4096": 4096,
}
key_size = rsa_key_sizes.get(key_spec)
key = rsa.generate_private_key(public_exponent=65537,
key_size=key_size)
public_format = crypto_serialization.PublicFormat.PKCS1
if key_spec.startswith("ECC"):
curve = None
if key_spec == "ECC_NIST_P256":
curve = ec.BrainpoolP256R1()
elif key_spec == "ECC_NIST_P384":
curve = ec.BrainpoolP384R1()
elif key_spec == "ECC_NIST_P521":
curve = ec.BrainpoolP512R1()
elif key_spec == "ECC_SECG_P256K1":
curve = ec.SECP256K1()
key = ec.generate_private_key(curve)
public_format = crypto_serialization.PublicFormat.SubjectPublicKeyInfo
private_key = key.private_bytes(
crypto_serialization.Encoding.DER,
crypto_serialization.PrivateFormat.PKCS8,
crypto_serialization.NoEncryption(),
)
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.DER, public_format)
cipher_text_blob = None
if create_cipher:
cipher_text = kms.encrypt(KeyId=key_id,
Plaintext=private_key)["CiphertextBlob"]
cipher_text_blob = base64.b64encode(cipher_text)
region = region_details.get_current_request_region()
result = {
"PrivateKeyCiphertextBlob": cipher_text_blob,
"PrivateKeyPlaintext": base64.b64encode(private_key),
"PublicKey": base64.b64encode(public_key),
"KeyId": key_id,
"KeyPairSpec": key_spec,
"KeySpec": key_spec,
"KeyUsage": "SIGN_VERIFY",
"Policy": data.get("Policy"),
"Region": region,
"Description": data.get("Description"),
"Arn": aws_stack.kms_key_arn(key_id),
"_key_": key,
}
region_details.key_pairs[key_id] = result
key = Key("", result["KeyUsage"], key_spec, result["Description"], region)
key.id = key_id
return {**key.to_dict()["KeyMetadata"], **result}
