def encrypt(pubkey, password):
"""Encrypt password using given RSA public key and encode it with base64.
The encrypted password can only be decrypted by someone with the
private key (in this case, only Travis).
"""
key = load_key(pubkey)
encrypted_password = key.encrypt(password, PKCS1v15())
return base64.b64encode(encrypted_password)
def _validate_signature(self, message):
pubkey = self._get_pubkey(message["SigningCertURL"])
signature = self._get_signature(message)
data = self._get_data_to_sign(message)
try:
pubkey.verify(signature, data, PKCS1v15(), SHA1())
except _InvalidSignature:
raise InvalidMessage("Invalid Signature") from None
def validateSign(signature, data, pub_key):
try:
pub_key.verify(signature, data, PKCS1v15(), hashes.SHA1())
print("Verification Succeeded")
return True
except ValueError as ve:
print(ve)
print("Verification failed")
return False
def mac(self, data):
rsamac = self.signer(
data,
# PSS(
# mgf=MGF1(hashes.SHA256()),
# salt_length=PSS.MAX_LENGTH
# ),
PKCS1v15(),
hashes.SHA256())
return rsamac
def test_init(self, one_key_of_many):
key_pem, key_serialized = one_key_of_many
if isinstance(key_pem, Path):
private_key_pem_file = key_pem
private_key_pem = None
else:
private_key_pem_file = None
private_key_pem = key_pem
login = "******"
expiration_time = 20
read_only = True
global_key = True
label = f"{__project__} {__version__}"
authentication_url = "http etc"
connection_timeout = 30
token = AccessToken(
login=login,
private_key=private_key_pem,
private_key_file=private_key_pem_file,
expiration_time=expiration_time,
read_only=read_only,
global_key=global_key,
label=label,
authentication_url=authentication_url,
connection_timeout=connection_timeout,
)
assert token.login == login
assert token.time_to_live == expiration_time
assert token.read_only == read_only
assert token.global_key == global_key
assert token.label == label
assert token.authentication_url == authentication_url
assert token.connection_timeout == connection_timeout
payload = (
"Apparently private keys can't be compared directly when extracted (salts?)."
"But they MUST create the same signature when signing the same data!"
)
assert token.private_key.sign(
str.encode(payload), PKCS1v15(), SHA512()
) == key_serialized.sign(str.encode(payload), PKCS1v15(), SHA512())
def rsa_verify(timestamp, nonce, body, signature, certificate):
sign_str = '%s\n%s\n%s\n' % (timestamp, nonce, body)
public_key = certificate.public_key()
message = sign_str.encode('UTF-8')
signature = b64decode(signature)
try:
public_key.verify(signature, message, PKCS1v15(), SHA256())
except InvalidSignature:
return False
return True
def asymmetric_wrap(self, data, wrapping_cert, mechanism=None):
"""
:param data Data to be wrapped
:param wrapping_cert Public key to wrap data
:param mechanism algorithm of symmetric key to be wrapped
Wrap (encrypt) data using the supplied asymmetric key
"""
public_key = wrapping_cert.public_key()
return public_key.encrypt(data, PKCS1v15())
def sign(self, msg: bytes, algorithm=hashes.SHA256(), padding_=PKCS1v15()):
"""Signing with private key - pkcs1 encode and decrypt
p = PinkSign(pubkey_path="/path/signCert.der", prikey_path="/path/signPri.key", prikey_password="******")
s = p.sign(b'my message') # '\x00\x01\x02...'
"""
if self.prikey is None:
raise ValueError("Private key is required for signing.")
return self.prikey.sign(data=msg,
padding=padding_,
algorithm=algorithm)
def verify(self, data, sig):
"""Verify the signature on a block of data"""
verifier = self._pub_key.verifier(sig, PKCS1v15(), SHA1())
verifier.update(data)
try:
verifier.verify()
return True
except InvalidSignature:
return False
def _run_login_encryption(self):
# Set up protocol encryption with the client, then return.
server_token = b'\x89\x82\x9a\x01' # Guaranteed to be random.
self.write_packet(
clientbound.login.EncryptionRequestPacket(
server_id='',
verify_token=server_token,
public_key=self.server.public_key_bytes))
packet = self.read_packet()
assert isinstance(packet, serverbound.login.EncryptionResponsePacket)
private_key = self.server.private_key
client_token = private_key.decrypt(packet.verify_token, PKCS1v15())
assert client_token == server_token
shared_secret = private_key.decrypt(packet.shared_secret, PKCS1v15())
cipher = create_AES_cipher(shared_secret)
enc, dec = cipher.encryptor(), cipher.decryptor()
self.socket = EncryptedSocketWrapper(self.socket, enc, dec)
self.socket_file = EncryptedFileObjectWrapper(self.socket_file, dec)
def generar_firma(self, texto, algo="sha1"):
sha_algo = SHA1
if algo == 'sha256':
sha_algo = SHA256
if type(texto) is not bytes:
texto = texto.encode()
signature = self.key.sign(texto,
padding=PKCS1v15(),
algorithm=sha_algo())
text = base64.b64encode(signature).decode()
return text
def _verify_signature_with_pubkey(self, signed_info_c14n, raw_signature,
key_value, signature_alg):
if "ecdsa-" in signature_alg:
ec_key_value = self._find(key_value,
"ECKeyValue",
namespace="dsig11")
named_curve = self._find(ec_key_value,
"NamedCurve",
namespace="dsig11")
public_key = self._find(ec_key_value,
"PublicKey",
namespace="dsig11")
key_data = b64decode(public_key.text)[1:]
x = bytes_to_long(key_data[:len(key_data) // 2])
y = bytes_to_long(key_data[len(key_data) // 2:])
curve_class = self.known_ecdsa_curves[named_curve.get("URI")]
key = ec.EllipticCurvePublicNumbers(
x=x, y=y,
curve=curve_class()).public_key(backend=default_backend())
verifier = key.verifier(
raw_signature,
ec.ECDSA(self._get_signature_digest_method(signature_alg)))
elif "dsa-" in signature_alg:
dsa_key_value = self._find(key_value, "DSAKeyValue")
p = self._get_long(dsa_key_value, "P")
q = self._get_long(dsa_key_value, "Q")
g = self._get_long(dsa_key_value, "G", require=False)
y = self._get_long(dsa_key_value, "Y")
pn = dsa.DSAPublicNumbers(
y=y, parameter_numbers=dsa.DSAParameterNumbers(p=p, q=q, g=g))
key = pn.public_key(backend=default_backend())
sig_as_der_seq = der_encoder.encode(
DERSequenceOfIntegers([
bytes_to_long(raw_signature[:len(raw_signature) // 2]),
bytes_to_long(raw_signature[len(raw_signature) // 2:])
]))
verifier = key.verifier(
sig_as_der_seq,
self._get_signature_digest_method(signature_alg))
elif "rsa-" in signature_alg:
rsa_key_value = self._find(key_value, "RSAKeyValue")
modulus = self._get_long(rsa_key_value, "Modulus")
exponent = self._get_long(rsa_key_value, "Exponent")
key = rsa.RSAPublicNumbers(
e=exponent, n=modulus).public_key(backend=default_backend())
verifier = key.verifier(
raw_signature,
padding=PKCS1v15(),
algorithm=self._get_signature_digest_method(signature_alg))
else:
raise NotImplementedError()
verifier.update(signed_info_c14n)
verifier.verify()
def sign_data(self,
data,
private_key=None,
padding=PKCS1v15(),
hash_algorithm=SHA256()):
if private_key is None:
private_key = self.private_key
return private_key.sign(data=data.encode(CHARACTER_ENCODING),
padding=padding,
algorithm=hash_algorithm)
def test_load_response(self):
resp = _load_data(
os.path.join("x509", "ocsp", "resp-sha256.der"),
ocsp.load_der_ocsp_response,
)
from cryptography.hazmat.backends.openssl.backend import backend
issuer = _load_cert(
os.path.join("x509", "letsencryptx3.pem"),
x509.load_pem_x509_certificate,
backend
)
assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL
assert (resp.signature_algorithm_oid ==
x509.SignatureAlgorithmOID.RSA_WITH_SHA256)
assert isinstance(resp.signature_hash_algorithm, hashes.SHA256)
assert resp.signature == base64.b64decode(
b"I9KUlyLV/2LbNCVu1BQphxdNlU/jBzXsPYVscPjW5E93pCrSO84GkIWoOJtqsnt"
b"78DLcQPnF3W24NXGzSGKlSWfXIsyoXCxnBm0mIbD5ZMnKyXEnqSR33Z9He/A+ML"
b"A8gbrDUipGNPosesenkKUnOtFIzEGv29hV5E6AMP2ORPVsVlTAZegPJFbbVIWc0"
b"rZGFCXKxijDxtUtgWzBhpBAI50JbPHi+IVuaOe4aDJLYgZ0BIBNa6bDI+rScyoy"
b"5U0DToV7SZn6CoJ3U19X7BHdYn6TLX0xi43eXuzBGzdHnSzmsc7r/DvkAKJm3vb"
b"dVECXqe/gFlXJUBcZ25jhs70MUA=="
)
assert resp.tbs_response_bytes == base64.b64decode(
b"MIHWoUwwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzA"
b"hBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzGA8yMDE4MDgzMDExMT"
b"UwMFowdTBzMEswCQYFKw4DAhoFAAQUfuZq53Kas/z4oiBkbBahLWBxCF0EFKhKa"
b"mMEfd265tE5t6ZFZe/zqOyhAhIDHHh6fckClQB7xfIiCztSevCAABgPMjAxODA4"
b"MzAxMTAwMDBaoBEYDzIwMTgwOTA2MTEwMDAwWg=="
)
issuer.public_key().verify(
resp.signature,
resp.tbs_response_bytes,
PKCS1v15(),
resp.signature_hash_algorithm
)
assert resp.certificates == []
assert resp.responder_key_hash is None
assert resp.responder_name == issuer.subject
assert resp.produced_at == datetime.datetime(2018, 8, 30, 11, 15)
assert resp.certificate_status == ocsp.OCSPCertStatus.GOOD
assert resp.revocation_time is None
assert resp.revocation_reason is None
assert resp.this_update == datetime.datetime(2018, 8, 30, 11, 0)
assert resp.next_update == datetime.datetime(2018, 9, 6, 11, 0)
assert resp.issuer_key_hash == (
b'\xa8Jjc\x04}\xdd\xba\xe6\xd19\xb7\xa6Ee\xef\xf3\xa8\xec\xa1'
)
assert resp.issuer_name_hash == (
b'~\xe6j\xe7r\x9a\xb3\xfc\xf8\xa2 dl\x16\xa1-`q\x08]'
)
assert isinstance(resp.hash_algorithm, hashes.SHA1)
assert resp.serial_number == 271024907440004808294641238224534273948400
assert len(resp.extensions) == 0
def sign_raw(self, data: bytes, digest_algorithm: str,
dry_run=False) -> bytes:
from cryptography.hazmat.primitives import serialization
priv_key = serialization.load_der_private_key(
self.signing_key.dump(), password=None
)
from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
padding = PKCS1v15()
hash_algo = get_pyca_cryptography_hash(digest_algorithm)
return priv_key.sign(data, padding, hash_algo)
def check_certificate_against_public_key(
cert: Certificate,
public_key: RSAPublicKey,
) -> None:
# Check if the signature of the certificate matches the public key
public_key.verify(
cert.signature,
cert.tbs_certificate_bytes,
PKCS1v15(),
SHA256(),
)
def generate_presigned_cookies(self, path, expires_at=None):
# https://gist.github.com/mjohnsullivan/31064b04707923f82484c54981e4749e
expires_at = expires_at or pendulum.now('utc') + self.lifetime
url = self.generate_unsigned_url(path)
policy = self.generate_cookie_policy(url, expires_at)
signature = self.get_private_key().sign(policy, PKCS1v15(), SHA1())
return {
'ExpiresAt': expires_at.to_iso8601_string(),
'CloudFront-Policy': self._encode(policy),
'CloudFront-Signature': self._encode(signature),
'CloudFront-Key-Pair-Id': self.get_key_pair()['keyId'],
}
def encryptInitiatorPassword():
PASS = "******"
cert_file_path = os.path.join(os.path.dirname(__file__), CERTIFICATE_FILE)
cert_file = open(cert_file_path, 'rb')
cert_data = cert_file.read()
cert_file.close()
cert = x509.load_pem_x509_certificate(cert_data, default_backend())
PASS = str.encode(PASS) # If you are using python 3
pub_key = cert.public_key()
cipher = pub_key.encrypt(PASS, padding=PKCS1v15())
return b64encode(cipher)
def sign(self, payload):
if sign_rsa_pss:
signature = self.key.sign(data=bytes(payload),
padding=PSS(mgf=MGF1(SHA256()),
salt_length=32),
algorithm=SHA256())
else:
signature = self.key.sign(data=bytes(payload),
padding=PKCS1v15(),
algorithm=SHA256())
assert len(signature) == self.sig_len()
return signature
def validate_certificate(self, debug=False):
certificate = self.client_certificate
ca_public_key = None
ca_cert = None
with open(path("TC_CA.cert.pem"), "rb") as cert_file:
ca_cert = load_pem_x509_certificate(cert_file.read())
ca_public_key = ca_cert.public_key()
if ca_cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)[0].value != \
certificate.issuer.get_attributes_for_oid(NameOID.COUNTRY_NAME)[0].value:
debug and print("Mismatched field: %s" % NameOID.COUNTRY_NAME)
return False
if ca_cert.subject.get_attributes_for_oid(NameOID.STATE_OR_PROVINCE_NAME)[0].value != \
certificate.issuer.get_attributes_for_oid(NameOID.STATE_OR_PROVINCE_NAME)[0].value:
debug and print(
"Mismatched field: %s" % NameOID.STATE_OR_PROVINCE_NAME)
return False
if ca_cert.subject.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value != \
certificate.issuer.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value:
debug and print("Mismatched field: %s" % NameOID.LOCALITY_NAME)
return False
if ca_cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value != \
certificate.issuer.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value:
debug and print("Mismatched field: %s" % NameOID.ORGANIZATION_NAME)
return False
if ca_cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)[0].value != \
certificate.issuer.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)[0].value:
debug and print(
"Mismatched field: %s" % NameOID.ORGANIZATIONAL_UNIT_NAME)
return False
if ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value != \
certificate.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value:
debug and print("Mismatched field: %s" % NameOID.COMMON_NAME)
return False
if certificate.subject.get_attributes_for_oid(
NameOID.COMMON_NAME)[0].value != "TC Client":
debug and print(
"Wrong field (server cert): %s" % NameOID.COMMON_NAME)
return False
ca_public_key.verify(certificate.signature,
certificate.tbs_certificate_bytes, PKCS1v15(),
certificate.signature_hash_algorithm)
return True
def __init__(
self,
signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_HEADER,
signature_key=SIGNATURE_HEADER,
padding=PKCS1v15(), hash_algorithm=SHA256()):
# type: (str, str, AsymmetricPadding, HashAlgorithm) -> None
"""Verifier that performs request signature verification.
This is a concrete implementation of
:py:class:`AbstractVerifier` class, handling the request
signature verification of the input request. This verifier uses
the Cryptography module x509 functions to validate the
signature chain in the input request. The verification follows
the mechanism explained here :
https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#checking-the-signature-of-the-request
The constructor takes the header key names for retrieving
Signature Certificate Chain and Signature. They are defaulted
to the header names present in the
:py:mod:`ask_sdk_webservice_support.conf`. Additionally, one
can also provide the Padding and the Hash Algorithm functions
that is used to verify the input body. These are defaulted as
:py:class:`cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15`
and :py:class:`cryptography.hazmat.primitives.hashes.SHA256`
instances respectively.
A certificate cache is initialized, to store certificate chains
for faster retrieval and validation in subsequent input
dispatch.
:param signature_cert_chain_url_key: Header key to be used, to
retrieve Signature Certificate Chain URL from headers
:type signature_cert_chain_url_key: str
:param signature_key: Header key to be used, to
retrieve Signature from headers
:type signature_key: str
:param padding: Asymmetric padding algorithm instance to be
used to verify the hash value of the request body with the
decrypted signature. Defaulted to `PKCS1v15`
:type padding:
cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding
:param hash_algorithm: Hash algorithm instance to be used
to verify the hash value of the request body with the
decrypted signature. Defaulted to `SHA256`
:type hash_algorithm:
cryptography.hazmat.primitives.hashes.HashAlgorithm
"""
self._signature_cert_chain_url_key = signature_cert_chain_url_key
self._signature_key = signature_key
self._padding = padding
self._hash_algorithm = hash_algorithm
self._cert_cache = {} # type: Dict[str, bytes]
def calculate_response(challenge, user_id, password):
obj = decode(challenge)
out = {
1: [49],
2: obj[2],
3: obj[3],
8: [ord(c) for c in user_id],
9: [ord(c) for c in password],
}
encoded = encode(out)
pub_key = RSAPublicNumbers(ba2num(obj[5]), ba2num(obj[4])).public_key(default_backend())
encrypted = pub_key.encrypt(ba2bytes(encoded), PKCS1v15())
return bytes2hex(encrypted)
def _get_signature_details_internal(self):
setlocale(LC_ALL, 'en_US')
date_str = datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT')
if isinstance(self._provider,
oci.auth.signers.InstancePrincipalsSecurityTokenSigner):
self._provider.refresh_security_token()
private_key = self._provider.private_key
key_id = self._provider.api_key
try:
signature = private_key.sign(self._signing_content(date_str),
PKCS1v15(), SHA256())
signature = b64encode(signature)
except TypeError:
signature = private_key.sign(
self._signing_content(date_str).encode(), PKCS1v15(), SHA256())
signature = b64encode(signature).decode()
sig_header = str.format(SignatureProvider.SIGNATURE_HEADER_FORMAT,
SignatureProvider.SIGNING_HEADERS, key_id,
'rsa-sha256', signature,
SignatureProvider.SIGNATURE_VERSION)
return SignatureProvider.SignatureDetails(sig_header, date_str)
def verify(timestamp, nonce, body, signature, certificate):
sign_str = '%s\n%s\n%s\n' % (timestamp, nonce, body)
public_key_str = dump_public_key(certificate)
public_key = load_pem_public_key(data=public_key_str.encode('UTF-8'),
backend=default_backend())
message = sign_str.encode('UTF-8')
signature = b64decode(signature)
try:
public_key.verify(signature, sign_str.encode('UTF-8'), PKCS1v15(),
SHA256())
except InvalidSignature:
return False
return True
def _get_windows_instance_pass(self, instance_id, key_file):
if not HAS_BOTO3:
LOG.error("boto3 required when using Windows instances")
sys.exit(1)
if not HAS_CRYPTOGRAPHY:
LOG.error("cryptography package required when using Windows instances")
sys.exit(1)
ec2_client = boto3.client("ec2")
data_response = ec2_client.get_password_data(InstanceId=instance_id)
decoded = b64decode(data_response["PasswordData"])
with open(key_file, "rb") as f:
key = load_pem_private_key(f.read(), None, default_backend())
return key.decrypt(decoded, PKCS1v15())
def test_valid(self, sns_certificate, sns_privatekey, topics, data):
response = pretend.stub(raise_for_status=lambda: None,
content=sns_certificate)
session = pretend.stub(get=lambda url: response)
verifier = MessageVerifier(topics=topics, session=session)
private_key = load_pem_private_key(sns_privatekey,
password=None,
backend=default_backend())
signature_bytes = private_key.sign(verifier._get_data_to_sign(data),
PKCS1v15(), hashes.SHA1())
data["Signature"] = base64.b64encode(signature_bytes)
verifier.verify(data)
def create_signature(self, private_key, digest_b64, algorithm=(
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")):
data = b64decode(digest_b64)
padding = PKCS1v15()
algorithm = self._encode_string(algorithm)
algorithm = algorithm.decode("utf-8")
hash_algorithm = self.algorithms[algorithm][1]()
signature = private_key.sign(data, padding, Prehashed(hash_algorithm))
return signature
def verifyMac(self, data, checkMac):
try:
self.verifier(
checkMac,
data,
# PSS(
# mgf=MGF1(hashes.SHA256()),
# salt_length=PSS.MAX_LENGTH
# ),
PKCS1v15(),
hashes.SHA256())
return True
except InvalidSignature:
return False
def verify(binary, signature, pubkey_data, raise_error=True):
try:
pubkey = serialization.load_pem_public_key(pubkey_data,
backend=default_backend())
pubkey.verify(signature, binary, PKCS1v15(),
SHA256()) # Raises InvalidSignature
return True
except InvalidSignature:
if raise_error:
raise
else:
return False
def _check_signature(self, message: Dict[str, str]):
"""
Checks Signature by comparing the message with the Signature
:param message: Message
:return: None if Signature matches, throws if Mismatch
"""
public_key = self._get_public_key(message)
plaintext = self._get_text_to_sign(message).encode()
signature = base64.b64decode(message.get('Signature'))
try:
public_key.verify(signature, plaintext, PKCS1v15(),
SHA1()) # nosec
except InvalidSignature:
raise SnsSignatureFailureException("Signature mismatch")
