def create_cert(subject_com_name, subject_bumen_name, subject_zuzhi_name,
subject_city_name, subject_shengfen_name, subject_guojia_name,
issuer_com_name, issuer_zuzhi_name, issuer_guojia_name,
root_flag, before_time, after_time, mysf, beiyong_name, myqd,
qmsf, key_pass):
key = None
builder = None
certificate = None
try:
if subject_bumen_name:
builder = x509.CertificateBuilder().subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME,
subject_guojia_name),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
subject_shengfen_name),
x509.NameAttribute(NameOID.LOCALITY_NAME,
subject_city_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
subject_zuzhi_name),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,
subject_bumen_name),
x509.NameAttribute(NameOID.COMMON_NAME, subject_com_name),
]))
else:
builder = x509.CertificateBuilder().subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME,
subject_guojia_name),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
subject_shengfen_name),
x509.NameAttribute(NameOID.LOCALITY_NAME,
subject_city_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME,
subject_zuzhi_name),
x509.NameAttribute(NameOID.COMMON_NAME, subject_com_name),
]))
except Exception as e:
print(e)
return {'error': False, 'msg': u'提交内容错误!'}
# 添加issuer信息
builder = builder.issuer_name(
x509.Name([
x509.NameAttribute(NameOID.COMMON_NAME, issuer_com_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, issuer_zuzhi_name),
x509.NameAttribute(NameOID.COUNTRY_NAME, issuer_guojia_name),
]))
# 其他杂项
##############
try:
builder = builder.not_valid_before(
datetime.datetime.strptime(before_time, '%Y-%m-%d %H:%M:%S'))
builder = builder.not_valid_after(
datetime.datetime.strptime(after_time, '%Y-%m-%d %H:%M:%S'))
except Exception as e:
return {'error': False, 'msg': u'过期时间小于颁发时间!'}
builder = builder.serial_number(x509.random_serial_number())
##################
try:
dns_name = [x509.DNSName(i) for i in beiyong_name.split(',')]
except Exception as e:
print(e)
return {'error': False, 'msg': u'备用名请用逗号隔开!'}
builder = builder.add_extension(x509.SubjectAlternativeName(dns_name),
critical=False)
builder = builder.add_extension(
x509.BasicConstraints(ca=root_flag, path_length=None),
critical=True,
)
#########################
#########################
if mysf == 'RSA':
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=int(myqd),
backend=default_backend())
builder = builder.public_key(private_key.public_key())
if key_pass:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(
key_pass),
)
else:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
if qmsf == 'MD5':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.MD5(),
backend=default_backend())
elif qmsf == 'SHA1':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA1(),
backend=default_backend())
elif qmsf == 'SHA224':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA224(),
backend=default_backend())
elif qmsf == 'SHA256':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
elif qmsf == 'SHA384':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA384(),
backend=default_backend())
elif qmsf == 'SHA512':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA512(),
backend=default_backend())
else:
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA1(),
backend=default_backend())
return {
'error': True,
'cert': certificate.public_bytes(serialization.Encoding.PEM),
'priv_key': key
}
elif mysf == 'DSA':
private_key = dsa.generate_private_key(key_size=int(myqd),
backend=default_backend())
builder = builder.public_key(private_key.public_key())
if key_pass:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(
key_pass),
)
else:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
if qmsf == 'SHA1':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA1(),
backend=default_backend())
elif qmsf == 'SHA224':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA224(),
backend=default_backend())
elif qmsf == 'SHA256':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
else:
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA1(),
backend=default_backend())
return {
'error': True,
'cert': certificate.public_bytes(serialization.Encoding.PEM),
'priv_key': key
}
elif mysf == 'ECDSA':
if myqd == 'P192':
private_key = ec.generate_private_key(curve=ec.SECP192R1(),
backend=default_backend())
builder = builder.public_key(private_key.public_key())
elif myqd == 'P224':
private_key = ec.generate_private_key(curve=ec.SECP224R1(),
backend=default_backend())
builder = builder.public_key(private_key.public_key())
elif myqd == 'P256':
private_key = ec.generate_private_key(curve=ec.SECP256R1(),
backend=default_backend())
builder = builder.public_key(private_key.public_key())
elif myqd == 'P384':
private_key = ec.generate_private_key(curve=ec.SECP384R1(),
backend=default_backend())
builder = builder.public_key(private_key.public_key())
elif myqd == 'P521':
private_key = ec.generate_private_key(curve=ec.SECP521R1(),
backend=default_backend())
builder = builder.public_key(private_key.public_key())
else:
private_key = ec.generate_private_key(curve=ec.SECP256R1(),
backend=default_backend())
builder = builder.public_key(private_key.public_key())
if key_pass:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(
key_pass),
)
else:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
if qmsf == 'SHA1':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA1(),
backend=default_backend())
elif qmsf == 'SHA224':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA224(),
backend=default_backend())
elif qmsf == 'SHA256':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA256(),
backend=default_backend())
elif qmsf == 'SHA384':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA384(),
backend=default_backend())
elif qmsf == 'SHA512':
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA512(),
backend=default_backend())
else:
certificate = builder.sign(private_key=private_key,
algorithm=hashes.SHA1(),
backend=default_backend())
return {
'error': True,
'cert': certificate.public_bytes(serialization.Encoding.PEM),
'priv_key': key
}
class RSACrypto(object):
"""RSACrypto."""
ALGORITHM_DICT = {
'sha1': hashes.SHA1(),
'sha224': hashes.SHA224(),
'sha256': hashes.SHA256(),
'sha384': hashes.SHA384(),
'sha512': hashes.SHA512()
}
@staticmethod
def generate_private_key(key_size):
"""Generate rsa private key."""
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=key_size,
backend=default_backend())
return private_key
@staticmethod
def dump_private_key_pem(private_key):
"""Dump private key pem."""
pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption())
return pem.decode()
@staticmethod
def dump_public_key_pem(public_key):
"""Dump public key pem."""
pem = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
return pem.decode()
@classmethod
def signing(cls, message, private_key, algorithm='sha1'):
"""signing."""
if not isinstance(message, bytes):
message = message.encode()
algorithm = cls.ALGORITHM_DICT.get(algorithm)
signer = private_key.signer(
padding.PSS(mgf=padding.MGF1(algorithm),
salt_length=padding.PSS.MAX_LENGTH), algorithm)
signer.update(message)
return signer.finalize()
@classmethod
def verification(cls, message, signature, public_key, algorithm='sha1'):
"""Verification."""
if not isinstance(message, bytes):
message = message.encode()
algorithm = cls.ALGORITHM_DICT.get(algorithm)
verifier = public_key().verifier(
signature,
padding.PSS(mgf=padding.MGF1(algorithm),
salt_length=padding.PSS.MAX_LENGTH), algorithm)
verifier.update(message)
return verifier.verify()
@classmethod
def encrypt(cls, message, public_key, algorithm='sha1'):
"""Public key encrypt."""
if not isinstance(message, bytes):
message = message.encode()
algorithm = cls.ALGORITHM_DICT.get(algorithm)
ciphertext = public_key.encrypt(
message,
padding.OAEP(mgf=padding.MGF1(algorithm=algorithm),
algorithm=algorithm,
label=None))
return ciphertext
@classmethod
def decrypt(cls, ciphertext, private_key, algorithm='sha1'):
"""Private key descrption."""
algorithm = cls.ALGORITHM_DICT.get(algorithm)
plaintext = private_key.decrypt(
ciphertext,
padding.OAEP(mgf=padding.MGF1(algorithm=algorithm),
algorithm=algorithm,
label=None))
return plaintext.decode()
# This file is dual licensed under the terms of the Apache License, Version
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.
from __future__ import absolute_import, division, print_function
import binascii
import pytest
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, hmac
_HMAC_ALGORITHMS = {
"HMACSHA1": hashes.SHA1(),
"HMACSHA224": hashes.SHA224(),
"HMACSHA256": hashes.SHA256(),
"HMACSHA384": hashes.SHA384(),
"HMACSHA512": hashes.SHA512(),
"HMACSHA3-224": hashes.SHA3_224(),
"HMACSHA3-256": hashes.SHA3_256(),
"HMACSHA3-384": hashes.SHA3_384(),
"HMACSHA3-512": hashes.SHA3_512(),
}
@pytest.mark.wycheproof_tests(
"hmac_sha1_test.json",
"hmac_sha224_test.json",
"hmac_sha256_test.json",
"hmac_sha384_test.json",
class SiriusAPICrypto():
"""
SiriusAPICrypto class, implement crypto API of Sirius
"""
VERBOSE = False
# SHA
sha_dict = {
"SHA1": 0,
"SHA224": 1,
"SHA256": 2,
"SHA384": 3,
"SHA512": 4,
}
sha_functions = {
"SHA1": hashes.SHA1(),
"SHA224": hashes.SHA224(),
"SHA256": hashes.SHA256(),
"SHA384": hashes.SHA384(),
"SHA512": hashes.SHA512(),
}
# ECDSA
ecdsa_curve = {
"secp256k1": 0,
"secp256r1": 0,
}
ecdsa_sha_functions = {
"SHA1": 0,
"SHA256": 1,
}
# DSA
dsa_sha_functions = {
"SHA1": 0,
"SHA256": 1,
}
# AES
aes_key_length = [16, 24, 32]
aes_mode = {
"ECB_ENC": 0,
"ECB_DEC": 1,
"CBC_ENC": 2,
"CBC_DEC": 3,
"OFB_ENC": 4,
"OFB_DEC": 5,
"CFB_ENC": 6,
"CFB_DEC": 7,
}
aes_block_size = 16
# TDES
tdes_key_length = [8, 16, 24]
tdes_mode = {
"ECB_ENC": 0,
"ECB_DEC": 1,
"CBC_ENC": 2,
"CBC_DEC": 3,
"OFB_ENC": 4,
"OFB_DEC": 5,
"CFB_ENC": 6,
"CFB_DEC": 7,
}
tdes_block_size = 8
# CMAC
cmac_operation = {
"TDES": 0,
"AES": 1,
}
cmac_key_length = {"TDES": tdes_key_length, "AES": aes_key_length}
# RSA
rsa_operations = {
"ENC": 0,
"DEC": 1,
}
def __init__(self, bluefin_serial, verbose=False):
"""
"""
self._datalink = bluefin_serial
self.VERBOSE = verbose
@staticmethod
def getShaMethodList():
ret = []
for key in SiriusAPICrypto.sha_dict:
ret.append(key)
return ret
@staticmethod
def getShaMethodStr():
return ', '.join([
'%s' % (key) for (key, value) in SiriusAPICrypto.sha_dict.items()
])
def Trng(self, target, numberOfBytes):
"""
"""
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target)
trng_package = struct.pack('<B', numberOfBytes)
cmd = pkt.Packet('\x8b', '\x0e', trng_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("Trng serial API fail, code 0x%02x" % ord(rsp[2]))
return None
return rsp[3:]
def Sha(self, target, method, message, selfCheck=False, verbose=False):
"""
SHA digest API
method: <str> method of hashing
message: <str> message to be hased
isApp: <bool> if true, will send to Application processor
"""
if method not in SiriusAPICrypto.sha_dict:
print_err("Invalid method: %s" % method)
return None
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=verbose)
sha_package = struct.pack('<B',
SiriusAPICrypto.sha_dict[method]) + message
cmd = pkt.Packet('\x8b', '\x4e', sha_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("Sha serial API fail, code 0x%02x" % ord(rsp[2]))
return None
# Check with our result
if selfCheck:
digest = hashes.Hash(SiriusAPICrypto.sha_functions[method],
backend=default_backend())
digest.update(message)
ourResult = digest.finalize()
theirResult = rsp[3:]
if len(theirResult) != len(ourResult):
print_err("Wrong length, our: %d, their: %d" %
(len(ourResult), len(theirResult)))
return None
if theirResult != ourResult:
print_err("Wrong value")
dump_hex(ourResult, "Ours: ")
dump_hex(theirResult, "Theirs: ")
return None
if verbose:
dump_hex(rsp[3:], "Sha serial return: ")
return rsp[3:]
def KeyDownload(self,
target,
DSS_p=None,
DSS_q=None,
DSS_g=None,
DSS_y=None,
DSS_x=None,
ECDSA_x=None,
ECDSA_y=None,
ECDSA_pri=None,
RSA_p=None,
RSA_q=None,
RSA_n=None,
RSA_d=None,
RSA_e=None,
verbose=False):
info = MlsKeyTlv(verbose=self.VERBOSE)
if DSS_p is not None:
info.AddValList('DSS_p', DSS_p)
if DSS_q is not None:
info.AddValList('DSS_q', DSS_q)
if DSS_g is not None:
info.AddValList('DSS_g', DSS_g)
if DSS_y is not None:
info.AddValList('DSS_y', DSS_y)
if DSS_x is not None:
info.AddValList('DSS_x', DSS_x)
if ECDSA_x is not None:
info.AddValList('ECDSA_x', ECDSA_x)
if ECDSA_y is not None:
info.AddValList('ECDSA_y', ECDSA_y)
if ECDSA_pri is not None:
info.AddValList('ECDSA_pri', ECDSA_pri)
if RSA_n is not None:
info.AddValList('RSA_n', RSA_n)
if RSA_d is not None:
info.AddValList('RSA_d', RSA_d)
if RSA_p is not None:
info.AddValList('RSA_p', RSA_p)
if RSA_q is not None:
info.AddValList('RSA_q', RSA_q)
if RSA_e is not None:
# RSA_e should be a number
if isinstance(RSA_e, int):
RSA_e_str = struct.pack('>I', RSA_e)
info.AddValList('RSA_e', RSA_e_str)
elif isinstance(RSA_e, str):
info.AddValList('RSA_e', RSA_e)
else:
print_err("Invalid value of RSA_e, abort")
return None
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
for item in info.ValList():
pkt = BluefinserialCommand(sirius_target, verbose=verbose)
cmd = pkt.Packet('\x8b', '\x46', item)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("Key download fail, code 0x%02x" % ord(rsp[2]))
return None
return True
def EcdsaSign(self, target, curve, hashAlgo, message, verbose=False):
"""
return:
+ signature if success
+ None if fail
"""
if curve not in SiriusAPICrypto.ecdsa_curve:
print_err("Invalid curve: %s" % curve)
return None
if hashAlgo not in SiriusAPICrypto.ecdsa_sha_functions:
print_err("Invalid hash: %s" % hashAlgo)
return None
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=verbose)
ecdsa_sign_package = struct.pack(
'<BBBHB',
0, # operation: sign
SiriusAPICrypto.ecdsa_curve[curve], # curve
SiriusAPICrypto.ecdsa_sha_functions[hashAlgo], # sha
len(message), # message len
0 # no signature
) + message
cmd = pkt.Packet('\x8b', '\x4a', ecdsa_sign_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("ECDSA sign fail, code 0x%02x" % ord(rsp[2]))
return None
if verbose:
dump_hex(rsp[3:], "signature: ")
return rsp[3:]
def EcdsaVerify(self,
target,
curve,
hashAlgo,
message,
signature,
verbose=False):
"""
return:
+ True if verify ok
+ False if verify fail
+ None if communication error
"""
if curve not in SiriusAPICrypto.ecdsa_curve:
print_err("Invalid curve: %s" % curve)
return None
if hashAlgo not in SiriusAPICrypto.ecdsa_sha_functions:
print_err("Invalid hash: %s" % hashAlgo)
return None
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=verbose)
ecdsa_sign_package = struct.pack(
'<BBBHB',
1, # operation: verify
SiriusAPICrypto.ecdsa_curve[curve], # curve
SiriusAPICrypto.ecdsa_sha_functions[hashAlgo], # sha
len(message), # message len
len(signature) # no signature
) + message + signature
cmd = pkt.Packet('\x8b', '\x4a', ecdsa_sign_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("ECDSA verify fail, code 0x%02x" % ord(rsp[2]))
return None
if verbose:
print("Verify status: %s" %
("ok" if ord(rsp[3]) == 0 else "failed"))
return True if ord(rsp[3]) == 0 else False
def DsaSign(self, target, hashAlgo, message, verbose=False):
"""
return:
+ signature if success
+ None if fail
"""
if hashAlgo not in SiriusAPICrypto.dsa_sha_functions:
print_err("Invalid hash: %s" % curve)
return None
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=False)
dsa_sign_package = struct.pack(
'<BBHB',
0, # operation: sign
SiriusAPICrypto.dsa_sha_functions[hashAlgo], # sha
len(message), # message len
0 # no signature
) + message
cmd = pkt.Packet('\x8b', '\x48', dsa_sign_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("DSA sign fail, code 0x%02x" % ord(rsp[2]))
return None
if verbose:
dump_hex(rsp[3:], "signature: ")
return rsp[3:]
def DsaVerify(self, target, hashAlgo, message, signature, verbose=False):
"""
return:
+ True if verify ok
+ False if verify fail
+ None if communication error
"""
if hashAlgo not in SiriusAPICrypto.dsa_sha_functions:
print_err("Invalid hash: %s" % hashAlgo)
return None
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=verbose)
dsa_verify_package = struct.pack(
'<BBHB',
1, # operation: verify
SiriusAPICrypto.dsa_sha_functions[hashAlgo], # sha
len(message), # message len
len(signature) # no signature
) + message + signature
cmd = pkt.Packet('\x8b', '\x48', dsa_verify_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("Dsa verify fail, code 0x%02x" % ord(rsp[2]))
return None
if verbose:
print("Verify status: %s" %
("ok" if ord(rsp[3]) == 0 else "failed"))
return True if ord(rsp[3]) == 0 else False
def Cmac(self, target, cipher, key, message):
"""
return:
CMAC, with corresponding cipher, key, message
"""
if cipher not in SiriusAPICrypto.cmac_operation:
print_err("Invalid cipher: %s" % cipher)
return None
if len(key) not in SiriusAPICrypto.cmac_key_length[cipher]:
print_err("Invalid key length: %d" % len(key))
return None
msgLen = len(message)
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=False)
cmac_package = struct.pack(
'<BBB',
SiriusAPICrypto.cmac_operation[cipher], # cipher type
msgLen, # message len
len(key), # key length
) + message + key
cmd = pkt.Packet('\x8b', '\x44', cmac_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("Cmac fail, code 0x%02x" % ord(rsp[2]))
return None
return rsp[3:]
def Aes(self, target, en_dec, mode, iv, key, data):
"""
"""
en_dec = en_dec.upper()
mode = mode.upper()
aes_mode = mode + "_" + en_dec
if aes_mode not in SiriusAPICrypto.aes_mode:
print_err("Invalid mode: %s" % aes_mode)
return None
if len(key) not in SiriusAPICrypto.aes_key_length:
print_err("Invalid key length: %d" % len(key))
return None
if len(data) % SiriusAPICrypto.aes_block_size != 0:
print_err("Invalid data length: %d" % len(data))
return None
if len(iv) != SiriusAPICrypto.aes_block_size:
print_err("Invalid IV length: %d" % len(iv))
return None
numOfBlock = len(data) / SiriusAPICrypto.aes_block_size
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=False)
aes_package = struct.pack(
'<BB',
numOfBlock, # number of 16-bytes AES or 8-bytess TDES block
len(key), # data len
) + data + key + iv + chr(SiriusAPICrypto.aes_mode[aes_mode])
cmd = pkt.Packet('\x8b', '\x0c', aes_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("AES fail, code 0x%02x" % ord(rsp[2]))
return None
return rsp[3:]
def Tdes(self, target, en_dec, mode, iv, key, data):
"""
"""
en_dec = en_dec.upper()
mode = mode.upper()
tdes_mode = mode + "_" + en_dec
if tdes_mode not in SiriusAPICrypto.tdes_mode:
print_err("Invalid mode: %s" % tdes_mode)
return None
if len(key) not in SiriusAPICrypto.tdes_key_length:
print_err("Invalid key length: %d" % len(key))
return None
if len(data) % SiriusAPICrypto.tdes_block_size != 0:
print_err("Invalid data length: %d" % len(data))
return None
if len(iv) != SiriusAPICrypto.tdes_block_size:
print_err("Invalid IV length: %d" % len(iv))
return None
numOfBlock = len(data) / SiriusAPICrypto.tdes_block_size
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=False)
tdes_package = struct.pack(
'<BB',
numOfBlock, # number of 16-bytes tdes or 8-bytess TDES block
len(key), # data len
) + data + key + iv + chr(SiriusAPICrypto.tdes_mode[tdes_mode])
cmd = pkt.Packet('\x8b', '\x0a', tdes_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("Tdes fail, code 0x%02x" % ord(rsp[2]))
return None
return rsp[3:]
def Rsa(self, target, operation, data, verbose=False):
"""
"""
if operation not in SiriusAPICrypto.rsa_operations:
print_err("Invalid operation %s" % (operation))
return None
sirius_target = BluefinserialCommand.TARGET_APPLICATION if target == "APP" else BluefinserialCommand.TARGET_RF
pkt = BluefinserialCommand(sirius_target, verbose=verbose)
rsa_package = struct.pack(
'<B',
SiriusAPICrypto.rsa_operations[operation], # rsa operation
) + data
cmd = pkt.Packet('\x8b', '\x4c', rsa_package)
rsp = self._datalink.Exchange(cmd)
if (rsp is None):
print_err("Send fail")
return None
if rsp[2] != '\x00':
print_err("Rsa %s fail, code 0x%02x" % (operation, ord(rsp[2])))
return None
return rsp[3:]
import abc
import datetime
from enum import Enum
import six
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.x509.base import (_EARLIEST_UTC_TIME,
_convert_to_naive_utc_time,
_reject_duplicate_extension)
_OIDS_TO_HASH = {
"1.3.14.3.2.26": hashes.SHA1(),
"2.16.840.1.101.3.4.2.4": hashes.SHA224(),
"2.16.840.1.101.3.4.2.1": hashes.SHA256(),
"2.16.840.1.101.3.4.2.2": hashes.SHA384(),
"2.16.840.1.101.3.4.2.3": hashes.SHA512(),
}
class OCSPResponderEncoding(Enum):
HASH = "By Hash"
NAME = "By Name"
class OCSPResponseStatus(Enum):
SUCCESSFUL = 0
MALFORMED_REQUEST = 1
INTERNAL_ERROR = 2
output.append(binascii.hexlify(ct).decode("utf-8"))
return "\n".join(output)
def write_file(data, filename):
with open(filename, "w") as f:
f.write(data)
oaep_path = os.path.join(
"asymmetric", "RSA", "pkcs-1v2-1d2-vec", "oaep-vect.txt"
)
hashalgs = [
hashes.SHA1(),
hashes.SHA224(),
hashes.SHA256(),
hashes.SHA384(),
hashes.SHA512(),
]
for hashtuple in itertools.product(hashalgs, hashalgs):
if isinstance(hashtuple[0], hashes.SHA1) and isinstance(
hashtuple[1], hashes.SHA1
):
continue
write_file(
build_vectors(hashtuple[0], hashtuple[1], oaep_path),
"oaep-{0}-{1}.txt".format(hashtuple[0].name, hashtuple[1].name),
)
def create_test_list():
hash_msg_bitsizes = tuple(pow(2, _) for _ in range(8, 24))
symm_msg_bitsizes = tuple(pow(2, _) for _ in range(8, 24))
prng_msg_bitsizes = tuple(pow(2, _) for _ in range(8, 18))
return [
TestArgRange(TestPythonRandom, msgbits=prng_msg_bitsizes),
TestArgRange(TestPythonSysRandom, msgbits=prng_msg_bitsizes),
TestArgRange(TestPyCryptPRNG, msgbits=prng_msg_bitsizes),
TestArgRange(TestGenPrime, bits=(32, 64, 128, 256, 512)),
# cryptography symmetric ciphers
TestArgRange(TestCryptCipher, algorithms.AES, keybits=256, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.TripleDES, keybits=64, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.TripleDES, keybits=128, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.TripleDES, keybits=192, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.Blowfish, keybits=256, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.CAST5, keybits=128, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.ARC4, keybits=256, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.IDEA, keybits=128, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.SEED, keybits=128, msgbits=symm_msg_bitsizes),
TestArgRange(TestCryptCipher, algorithms.Camellia, keybits=256, msgbits=symm_msg_bitsizes),
# pycrypt symmetric ciphers
TestArgRange(TestPyCryptCipher, Crypto.Cipher.AES, keybits=256, msgbits=symm_msg_bitsizes),
TestArgRange(TestPyCryptCipher, Crypto.Cipher.DES, keybits=64, msgbits=symm_msg_bitsizes),
TestArgRange(TestPyCryptCipher, Crypto.Cipher.DES3, keybits=128, msgbits=symm_msg_bitsizes),
TestArgRange(TestPyCryptCipher, Crypto.Cipher.DES3, keybits=192, msgbits=symm_msg_bitsizes),
TestArgRange(TestPyCryptCipher, Crypto.Cipher.Blowfish, keybits=256, msgbits=symm_msg_bitsizes),
TestArgRange(TestPyCryptCipher, Crypto.Cipher.CAST, keybits=128, msgbits=symm_msg_bitsizes),
TestArgRange(TestPyCryptCipher, Crypto.Cipher.ARC4, keybits=256, msgbits=symm_msg_bitsizes),
TestArgRange(TestPyCryptCipher, Crypto.Cipher.XOR, keybits=256, msgbits=symm_msg_bitsizes),
TestArgRange(TestPyCryptCipher, Crypto.Cipher.ARC2, keybits=256, msgbits=symm_msg_bitsizes),
# cryptography hashes
TestArgRange(TestCryptHash, hashes.SHA224(), msgbits=hash_msg_bitsizes),
TestArgRange(TestCryptHash, hashes.SHA256(), msgbits=hash_msg_bitsizes),
TestArgRange(TestCryptHash, hashes.SHA384(), msgbits=hash_msg_bitsizes),
TestArgRange(TestCryptHash, hashes.SHA512(), msgbits=hash_msg_bitsizes),
TestArgRange(TestCryptHash, hashes.SHA1(), msgbits=hash_msg_bitsizes),
TestArgRange(TestCryptHash, hashes.MD5(), msgbits=hash_msg_bitsizes),
TestArgRange(TestCryptHash, hashes.RIPEMD160(), msgbits=hash_msg_bitsizes),
TestArgRange(TestCryptHash, hashes.Whirlpool(), msgbits=hash_msg_bitsizes),
# pycrypt hashes
TestArgRange(TestPyCryptHash, Crypto.Hash.SHA224, msgbits=hash_msg_bitsizes),
TestArgRange(TestPyCryptHash, Crypto.Hash.SHA256, msgbits=hash_msg_bitsizes),
TestArgRange(TestPyCryptHash, Crypto.Hash.SHA384, msgbits=hash_msg_bitsizes),
TestArgRange(TestPyCryptHash, Crypto.Hash.SHA512, msgbits=hash_msg_bitsizes),
TestArgRange(TestPyCryptHash, Crypto.Hash.SHA, msgbits=hash_msg_bitsizes),
TestArgRange(TestPyCryptHash, Crypto.Hash.MD5, msgbits=hash_msg_bitsizes),
TestArgRange(TestPyCryptHash, Crypto.Hash.RIPEMD, msgbits=hash_msg_bitsizes),
TestArgRange(TestPyCryptHash, Crypto.Hash.MD2, msgbits=hash_msg_bitsizes),
TestArgRange(TestPyCryptHash, Crypto.Hash.MD4, msgbits=hash_msg_bitsizes),
# cryptography rsa
TestArgRange(TestCryptRsa, modbits=(1024,2048,4096), msgbits=(2,256,512,1024)),
# PyCrypto rsa
TestArgRange(TestPyCryptRsa, modbits=(1024,2048,4096), msgbits=(2,256,512,1024)),
# now some tests to see how very simple operations perform
TestEval("pass"),
TestEval("1+2"),
TestEval("8*9"),
TestLambda(nop),
TestLambda(lambda: 1),
TestLambda(lambda: 1+2),
TestLambda(lambda: 1+2+3+4),
TestLambda(lambda: 8*9),
TestLambda(lambda: pow(1, 1, 2)),
# some elliptic curve crypto
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT571R1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT409R1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT283R1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT233R1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT163R2),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT571K1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT409K1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT283K1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT233K1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECT163K1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP521R1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP384R1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP256R1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP256K1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP224R1),
TestCryptEc(cryptography.hazmat.primitives.asymmetric.ec.SECP192R1),
]
datetime:2019/6/13 9:46
software: PyCharm
description: Python 利用cryptography包进行rsa加密/解密, 签名/验证
'''
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.primitives.serialization import NoEncryption,\
Encoding, PrivateFormat, PublicFormat
import base64
from cryptography.exceptions import InvalidSignature
ALGORITHM_DICT = {
'sha1': hashes.SHA1(),
'sha224': hashes.SHA224(),
'sha256': hashes.SHA256(),
'sha384': hashes.SHA384(),
'sha512': hashes.SHA512()
}
def generate_keys():
'''
生成公钥和私钥
:return:
'''
privkey = rsa.generate_private_key(
public_exponent=65537,
key_size=1024,
backend=default_backend(),
OID_RSA_WITH_SHA224 = ObjectIdentifier("1.2.840.113549.1.1.14")
OID_RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
OID_RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
OID_RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13")
OID_ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")
OID_ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")
OID_ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3")
OID_ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4")
OID_DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3")
OID_DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")
OID_DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")
_SIG_OIDS_TO_HASH = {
OID_RSA_WITH_MD5.dotted_string: hashes.MD5(),
OID_RSA_WITH_SHA1.dotted_string: hashes.SHA1(),
OID_RSA_WITH_SHA224.dotted_string: hashes.SHA224(),
OID_RSA_WITH_SHA256.dotted_string: hashes.SHA256(),
OID_RSA_WITH_SHA384.dotted_string: hashes.SHA384(),
OID_RSA_WITH_SHA512.dotted_string: hashes.SHA512(),
OID_ECDSA_WITH_SHA224.dotted_string: hashes.SHA224(),
OID_ECDSA_WITH_SHA256.dotted_string: hashes.SHA256(),
OID_ECDSA_WITH_SHA384.dotted_string: hashes.SHA384(),
OID_ECDSA_WITH_SHA512.dotted_string: hashes.SHA512(),
OID_DSA_WITH_SHA1.dotted_string: hashes.SHA1(),
OID_DSA_WITH_SHA224.dotted_string: hashes.SHA224(),
OID_DSA_WITH_SHA256.dotted_string: hashes.SHA256()
}
OID_SERVER_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.1")
OID_CLIENT_AUTH = ObjectIdentifier("1.3.6.1.5.5.7.3.2")
OID_CODE_SIGNING = ObjectIdentifier("1.3.6.1.5.5.7.3.3")
from typing import Callable, Mapping, cast
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes as cr_hashes
from . import backend
from ... import hashes
_hash_factories: Mapping[hashes.HashAlgorithmId, Callable[
[hashes.HashParameters], cr_hashes.HashAlgorithm]] = {
hashes.HashAlgorithmId.MD5:
lambda params: cr_hashes.MD5(),
hashes.HashAlgorithmId.SHA1:
lambda params: cr_hashes.SHA1(),
hashes.HashAlgorithmId.SHA2_224:
lambda params: cr_hashes.SHA224(),
hashes.HashAlgorithmId.SHA2_256:
lambda params: cr_hashes.SHA256(),
hashes.HashAlgorithmId.SHA2_384:
lambda params: cr_hashes.SHA384(),
hashes.HashAlgorithmId.SHA2_512:
lambda params: cr_hashes.SHA512(),
hashes.HashAlgorithmId.BLAKE2B:
lambda params: cr_hashes.BLAKE2b(
cast(hashes.Blake2Params, params).length),
hashes.HashAlgorithmId.BLAKE2S:
lambda params: cr_hashes.BLAKE2s(
cast(hashes.Blake2Params, params).length),
}
from cryptography.hazmat.primitives import hashes, hmac
from cryptography.hazmat.primitives.asymmetric import padding, rsa, ec
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from datetime import timedelta
app = Flask(__name__)
app.config['SECRET_KEY'] = '1234'
folders = {'Archive': 'Archive\\'}
ALLOWED_EXTENSIONS = set(['pem'])
SHA_DIC = {
'SHA2': {
'224': hashes.SHA224(),
'256': hashes.SHA256(),
'384': hashes.SHA384(),
'512': hashes.SHA512(),
},
'SHA3': {
'224': hashes.SHA3_224(),
'256': hashes.SHA3_256(),
'384': hashes.SHA3_384(),
'512': hashes.SHA3_512(),
}
}
AES_DIC = {
'CBC': modes.CBC,
'CTR': modes.CTR,
def _publish_certificate(req: object, issuer: dict):
logger.info('Create a certificate builder...')
crt_builder = x509.CertificateBuilder()
crt_builder = crt_builder.subject_name(name=req._subject())
crt_builder = crt_builder.public_key(key=req._public_key())
for extension in req._extensions():
crt_builder = crt_builder.add_extension(extension=extension.value,
critical=extension.critical)
logger.info('Ready to sign the certificate request...')
if not isinstance(issuer['valid_year'], int):
issuer['valid_year'] = int(issuer['valid_year'])
if issuer['is_ca'] == 'true': issuer['is_ca'] = True
if issuer['is_ca'] == 'false': issuer['is_ca'] = False
crt_builder = crt_builder.not_valid_before(time=datetime.datetime.today())
crt_builder = crt_builder.not_valid_after(
time=datetime.datetime.today() +
datetime.timedelta(days=issuer['valid_year'] * 365))
crt_builder = crt_builder.serial_number(number=x509.random_serial_number())
crt_builder = crt_builder.add_extension(extension=x509.BasicConstraints(
ca=issuer['is_ca'], path_length=None),
critical=True)
logger.info(
'Select CA to sign the certificate signing request and output certificate'
)
if issuer['ca'] == 'SelfSign':
logger.debug('CA is self-signed')
crt_builder = crt_builder.issuer_name(name=req._subject())
ca_key = req.private_key()
else:
ca_dir = os.path.join(
os.path.dirname(os.path.dirname(os.path.abspath(__file__))),
'common_static/ca')
ca_file = "{}/{}.pfx".format(ca_dir, issuer['ca'])
logger.debug("CA file is located in {}".format(ca_file))
with open(file=ca_file, mode='rb') as f:
ca_bytes = f.read()
logger.debug('CA file content is \n{}'.format(ca_bytes))
crt_chain = ReadCertificateChain({
'bytes': ca_bytes,
'password': b'Cisco123!'
})
ca_crt = crt_chain.certificate(data_type='object')
ca_key = crt_chain.private_key(data_type='object')
crt_builder = crt_builder.issuer_name(name=ca_crt.subject)
hash_obj_list = {
hashes.MD5(),
hashes.SHA1(),
hashes.SHA224(),
hashes.SHA256(),
hashes.SHA384(),
hashes.SHA512(),
hashes.SHA512_224(),
hashes.SHA512_256(),
hashes.SHA3_224(),
hashes.SHA3_256(),
hashes.SHA3_384(),
hashes.SHA3_512()
}
for hash_obj in hash_obj_list:
if issuer['hash_alg'] == hash_obj.name:
hash_algor = hash_obj
break
else:
hash_algor = hashes.MD5()
return crt_builder.sign(private_key=ca_key,
algorithm=hash_algor,
backend=default_backend())
RSA_WITH_SHA256 = ObjectIdentifier("1.2.840.113549.1.1.11")
RSA_WITH_SHA384 = ObjectIdentifier("1.2.840.113549.1.1.12")
RSA_WITH_SHA512 = ObjectIdentifier("1.2.840.113549.1.1.13")
ECDSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10045.4.1")
ECDSA_WITH_SHA224 = ObjectIdentifier("1.2.840.10045.4.3.1")
ECDSA_WITH_SHA256 = ObjectIdentifier("1.2.840.10045.4.3.2")
ECDSA_WITH_SHA384 = ObjectIdentifier("1.2.840.10045.4.3.3")
ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4")
DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3")
DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")
DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")
_SIG_OIDS_TO_HASH = {
SignatureAlgorithmOID.RSA_WITH_MD5.dotted_string: hashes.MD5(),
SignatureAlgorithmOID.RSA_WITH_SHA1.dotted_string: hashes.SHA1(),
SignatureAlgorithmOID.RSA_WITH_SHA224.dotted_string: hashes.SHA224(),
SignatureAlgorithmOID.RSA_WITH_SHA256.dotted_string: hashes.SHA256(),
SignatureAlgorithmOID.RSA_WITH_SHA384.dotted_string: hashes.SHA384(),
SignatureAlgorithmOID.RSA_WITH_SHA512.dotted_string: hashes.SHA512(),
SignatureAlgorithmOID.ECDSA_WITH_SHA1.dotted_string: hashes.SHA1(),
SignatureAlgorithmOID.ECDSA_WITH_SHA224.dotted_string: hashes.SHA224(),
SignatureAlgorithmOID.ECDSA_WITH_SHA256.dotted_string: hashes.SHA256(),
SignatureAlgorithmOID.ECDSA_WITH_SHA384.dotted_string: hashes.SHA384(),
SignatureAlgorithmOID.ECDSA_WITH_SHA512.dotted_string: hashes.SHA512(),
SignatureAlgorithmOID.DSA_WITH_SHA1.dotted_string: hashes.SHA1(),
SignatureAlgorithmOID.DSA_WITH_SHA224.dotted_string: hashes.SHA224(),
SignatureAlgorithmOID.DSA_WITH_SHA256.dotted_string: hashes.SHA256()
}
class ExtendedKeyUsageOID(object):
('RSA', 'SHA384'): sha384WithRSAEncryption,
('RSA', 'SHA512'): sha512WithRSAEncryption,
('DSA', 'SHA1'): rfc2459.id_dsa_with_sha1,
('DSA', 'SHA224'): id_dsa_with_sha224,
('DSA', 'SHA256'): id_dsa_with_sha256,
}
SIGNING_ALGORITHMS_INV = dict((v, k) for k, v in SIGNING_ALGORITHMS.items())
SIGNER_CONSTRUCTION = {
rfc2459.md5WithRSAEncryption:
(lambda key: key.signer(padding.PKCS1v15(), hashes.MD5())),
rfc2459.sha1WithRSAEncryption:
(lambda key: key.signer(padding.PKCS1v15(), hashes.SHA1())),
sha224WithRSAEncryption:
(lambda key: key.signer(padding.PKCS1v15(), hashes.SHA224())),
sha256WithRSAEncryption:
(lambda key: key.signer(padding.PKCS1v15(), hashes.SHA256())),
sha384WithRSAEncryption:
(lambda key: key.signer(padding.PKCS1v15(), hashes.SHA384())),
sha512WithRSAEncryption:
(lambda key: key.signer(padding.PKCS1v15(), hashes.SHA512())),
rfc2459.id_dsa_with_sha1: (lambda key: key.signer(hashes.SHA1())),
id_dsa_with_sha224: (lambda key: key.signer(hashes.SHA224())),
id_dsa_with_sha256: (lambda key: key.signer(hashes.SHA256())),
}
VERIFIER_CONSTRUCTION = {
rfc2459.md5WithRSAEncryption: (lambda key, signature: key.verifier(
signature, padding.PKCS1v15(), hashes.MD5())),
rfc2459.sha1WithRSAEncryption: (lambda key, signature: key.verifier(
#hash bloom filter 1
bit_vect1 = [0] * 2988288
#hash bloom filter 2
bit_vect2 = [0] * 2988288
print("starting bloom filter process...")
#for each line
for kkey in Tempkey:
TempHash = str(kkey)
TempHash = ' '.join(format(ord(x), 'b') for x in TempHash)
#bloom filter 1 setting bad passwords
b1_h1 = hashes.Hash(hashes.SHA224(), backend=backend)
b1_h1.update(TempHash.encode())
b1_h1_hval = b1_h1.finalize()
b1_h1_hval = hexlify(b1_h1_hval)
b1_h1_hval = int(b1_h1_hval, 16)
#calculated index for each bloomfilter
b1_h1_hval = int(b1_h1_hval) % (len(bit_vect1))
#set corresponding bloom filter index to 1
bit_vect1[b1_h1_hval] = 1
b1_h2 = hashes.Hash(hashes.SHA256(), backend=backend)
b1_h2.update(TempHash.encode())
b1_h2_hval = b1_h2.finalize()
b1_h2_hval = hexlify(b1_h2_hval)
ECDSA_WITH_SHA512 = ObjectIdentifier("1.2.840.10045.4.3.4")
DSA_WITH_SHA1 = ObjectIdentifier("1.2.840.10040.4.3")
DSA_WITH_SHA224 = ObjectIdentifier("2.16.840.1.101.3.4.3.1")
DSA_WITH_SHA256 = ObjectIdentifier("2.16.840.1.101.3.4.3.2")
ED25519 = ObjectIdentifier("1.3.101.112")
ED448 = ObjectIdentifier("1.3.101.113")
GOSTR3411_94_WITH_3410_2001 = ObjectIdentifier("1.2.643.2.2.3")
GOSTR3410_2012_WITH_3411_2012_256 = ObjectIdentifier("1.2.643.7.1.1.3.2")
GOSTR3410_2012_WITH_3411_2012_512 = ObjectIdentifier("1.2.643.7.1.1.3.3")
_SIG_OIDS_TO_HASH = {
SignatureAlgorithmOID.RSA_WITH_MD5: hashes.MD5(),
SignatureAlgorithmOID.RSA_WITH_SHA1: hashes.SHA1(),
SignatureAlgorithmOID._RSA_WITH_SHA1: hashes.SHA1(),
SignatureAlgorithmOID.RSA_WITH_SHA224: hashes.SHA224(),
SignatureAlgorithmOID.RSA_WITH_SHA256: hashes.SHA256(),
SignatureAlgorithmOID.RSA_WITH_SHA384: hashes.SHA384(),
SignatureAlgorithmOID.RSA_WITH_SHA512: hashes.SHA512(),
SignatureAlgorithmOID.ECDSA_WITH_SHA1: hashes.SHA1(),
SignatureAlgorithmOID.ECDSA_WITH_SHA224: hashes.SHA224(),
SignatureAlgorithmOID.ECDSA_WITH_SHA256: hashes.SHA256(),
SignatureAlgorithmOID.ECDSA_WITH_SHA384: hashes.SHA384(),
SignatureAlgorithmOID.ECDSA_WITH_SHA512: hashes.SHA512(),
SignatureAlgorithmOID.DSA_WITH_SHA1: hashes.SHA1(),
SignatureAlgorithmOID.DSA_WITH_SHA224: hashes.SHA224(),
SignatureAlgorithmOID.DSA_WITH_SHA256: hashes.SHA256(),
SignatureAlgorithmOID.ED25519: None,
SignatureAlgorithmOID.ED448: None,
SignatureAlgorithmOID.GOSTR3411_94_WITH_3410_2001: None,
SignatureAlgorithmOID.GOSTR3410_2012_WITH_3411_2012_256: None,
(options, args) = parser.parse_args()
# Init the com port
try:
comm = BluefinserialSend(options.serial, options.baud)
except Exception, e:
print e
parser.print_help()
sys.exit(-1)
print_ok("Use " + options.serial + " with baudrate = " + str(options.baud))
sirius_crypto = SiriusAPICrypto(comm)
digestEngine = [
hashes.Hash(hashes.SHA1(), backend=default_backend()),
hashes.Hash(hashes.SHA224(), backend=default_backend()),
hashes.Hash(hashes.SHA256(), backend=default_backend()),
hashes.Hash(hashes.SHA384(), backend=default_backend()),
hashes.Hash(hashes.SHA512(), backend=default_backend()),
]
DIGEST_ALGOS = ["SHA1", "SHA224", "SHA256", "SHA384", "SHA512"]
for idx, digest in enumerate(DIGEST_ALGOS):
# print the head of resulr
print("")
print_ok(">"*40)
print_ok("Testing %s" % (digest))
# get digest from sirius
digest_sirius = sirius_crypto.Sha(options.target, digest, options.message)
# self calculate
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
# for complete details.
import binascii
import pytest
from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from .utils import wycheproof_tests
_DIGESTS = {
"SHA-1": hashes.SHA1(),
"SHA-224": hashes.SHA224(),
"SHA-256": hashes.SHA256(),
"SHA-384": hashes.SHA384(),
"SHA-512": hashes.SHA512(),
"SHA3-224": hashes.SHA3_224(),
"SHA3-256": hashes.SHA3_256(),
"SHA3-384": hashes.SHA3_384(),
"SHA3-512": hashes.SHA3_512(),
}
@wycheproof_tests(
"ecdsa_test.json",
"ecdsa_brainpoolP224r1_sha224_test.json",
"ecdsa_brainpoolP256r1_sha256_test.json",
"ecdsa_brainpoolP320r1_sha384_test.json",
class CryptoUtils:
pwd_context = CryptContext(schemes=["pbkdf2_sha256"],
default="pbkdf2_sha256",
pbkdf2_sha256__default_rounds=30000)
algorithms = {
"sha256": hashes.SHA256(),
"sha224": hashes.SHA224(),
"sha384": hashes.SHA256(),
"sha512": hashes.SHA256(),
"blake2b": hashes.BLAKE2b(64),
"blake2s": hashes.BLAKE2s(32),
"sha3_256": hashes.SHA3_256(),
"sha3_224": hashes.SHA3_224(),
"sha3_384": hashes.SHA3_384(),
"sha3_512": hashes.SHA3_512()
}
@staticmethod
def hash(password):
return CryptoUtils.pwd_context.hash(password)
@staticmethod
def check_hash(password, hashed):
return CryptoUtils.pwd_context.verify(password, hashed)
@staticmethod
def make_key(password, algorithm, salt):
if algorithm not in CryptoUtils.algorithms:
raise casket.invalid_algorithm("Algorithm %s is not supported." %
(algorithm))
kdf = PBKDF2HMAC(algorithm=CryptoUtils.algorithms[algorithm],
length=32,
salt=salt,
iterations=100000,
backend=default_backend())
return base64.urlsafe_b64encode(kdf.derive(password))
@staticmethod
def encrypt_password(master_pswd,
plain_pswd,
salt=os.urandom(16),
algorithm="sha256"):
key = CryptoUtils.make_key(master_pswd.encode("utf-8"), algorithm,
salt)
cipher_suite = Fernet(key)
cipher_text = cipher_suite.encrypt(plain_pswd.encode("utf-8"))
enc_pswd = base64.b64encode(salt).decode('utf-8') + cipher_text.decode(
'utf-8')
return enc_pswd
@staticmethod
def decrypt_password(master_pswd, enc_pswd, algorithm="sha256"):
salt = base64.b64decode(enc_pswd[:24].encode("utf-8"))
key = CryptoUtils.make_key(master_pswd.encode("utf-8"), algorithm,
salt)
cipher_suite = Fernet(key)
plain_text = cipher_suite.decrypt(enc_pswd[24:].encode("utf-8"))
plain_text_utf8 = plain_text.decode("utf-8")
return plain_text_utf8
@staticmethod
def get_salt(encrypted_string):
return base64.b64decode(encrypted_string[:24].encode("utf-8"))
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric import utils
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from openstack.image.iterable_chunked_file import IterableChunkedFile
HASH_METHODS = {
'SHA-224': hashes.SHA224(),
'SHA-256': hashes.SHA256(),
'SHA-384': hashes.SHA384(),
'SHA-512': hashes.SHA512(),
}
class ImageSigner:
"""Image file signature generator.
Generates signatures for files using a specified private key file.
"""
def __init__(self, hash_method='SHA-256', padding_method='RSA-PSS'):
padding_types = {
'RSA-PSS':
padding.PSS(mgf=padding.MGF1(HASH_METHODS[hash_method]),
class TestSHA224(object):
test_sha224 = generate_base_hash_test(
hashes.SHA224(),
digest_size=28,
)
skip_message="Does not support SHA1",
)
@pytest.mark.hmac
class TestHMAC_SHA1(object):
test_hmac_sha1 = generate_hmac_test(
load_hash_vectors,
"HMAC",
[
"rfc-2202-sha1.txt",
],
hashes.SHA1(),
)
@pytest.mark.supported(
only_if=lambda backend: backend.hmac_supported(hashes.SHA224()),
skip_message="Does not support SHA224",
)
@pytest.mark.hmac
class TestHMAC_SHA224(object):
test_hmac_sha224 = generate_hmac_test(
load_hash_vectors,
"HMAC",
[
"rfc-4231-sha224.txt",
],
hashes.SHA224(),
)
@pytest.mark.supported(
def create_csr(com_name, bumen_name, zuzhi_name, city_name, shengfen_name,
guojia_name, mysf, beiyong_name, myqd, qmsf, key_pass):
private_key = None
csr = None
key = None
try:
if bumen_name:
csr_subject_name = x509.CertificateSigningRequestBuilder(
).subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, guojia_name),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
shengfen_name),
x509.NameAttribute(NameOID.LOCALITY_NAME, city_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, zuzhi_name),
x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME,
bumen_name),
x509.NameAttribute(NameOID.COMMON_NAME, com_name),
]))
else:
csr_subject_name = x509.CertificateSigningRequestBuilder(
).subject_name(
x509.Name([
# Provide various details about who we are.
x509.NameAttribute(NameOID.COUNTRY_NAME, guojia_name),
x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME,
shengfen_name),
x509.NameAttribute(NameOID.LOCALITY_NAME, city_name),
x509.NameAttribute(NameOID.ORGANIZATION_NAME, zuzhi_name),
x509.NameAttribute(NameOID.COMMON_NAME, com_name),
]))
except Exception as e:
print(e)
return {'error': False, 'msg': u'提交内容错误!'}
try:
dns_name = [x509.DNSName(i) for i in beiyong_name.split(',')]
except Exception as e:
print(e)
return {'error': False, 'msg': u'备用名请用逗号隔开!'}
csr_add_extension = csr_subject_name.add_extension(
x509.SubjectAlternativeName(dns_name),
critical=False,
)
if mysf == 'RSA':
private_key = rsa.generate_private_key(public_exponent=65537,
key_size=int(myqd),
backend=default_backend())
if key_pass:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(
key_pass),
)
else:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
if qmsf == 'MD5':
csr = csr_add_extension.sign(private_key, hashes.MD5(),
default_backend())
elif qmsf == 'SHA1':
csr = csr_add_extension.sign(private_key, hashes.SHA1(),
default_backend())
elif qmsf == 'SHA224':
csr = csr_add_extension.sign(private_key, hashes.SHA224(),
default_backend())
elif qmsf == 'SHA256':
csr = csr_add_extension.sign(private_key, hashes.SHA256(),
default_backend())
elif qmsf == 'SHA384':
csr = csr_add_extension.sign(private_key, hashes.SHA384(),
default_backend())
elif qmsf == 'SHA512':
csr = csr_add_extension.sign(private_key, hashes.SHA512(),
default_backend())
else:
csr = csr_add_extension.sign(private_key, hashes.SHA1(),
default_backend())
return {
'error': True,
'csr': csr.public_bytes(serialization.Encoding.PEM),
'priv_key': key
}
elif mysf == 'DSA':
private_key = dsa.generate_private_key(key_size=int(myqd),
backend=default_backend())
if key_pass:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(
key_pass),
)
else:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
if qmsf == 'SHA1':
csr = csr_add_extension.sign(private_key, hashes.SHA1(),
default_backend())
elif qmsf == 'SHA224':
csr = csr_add_extension.sign(private_key, hashes.SHA224(),
default_backend())
elif qmsf == 'SHA256':
csr = csr_add_extension.sign(private_key, hashes.SHA256(),
default_backend())
else:
csr = csr_add_extension.sign(private_key, hashes.SHA1(),
default_backend())
return {
'error': True,
'csr': csr.public_bytes(serialization.Encoding.PEM),
'priv_key': key
}
elif mysf == 'ECDSA':
if myqd == 'P192':
private_key = ec.generate_private_key(curve=ec.SECP192R1(),
backend=default_backend())
elif myqd == 'P224':
private_key = ec.generate_private_key(curve=ec.SECP224R1(),
backend=default_backend())
elif myqd == 'P256':
private_key = ec.generate_private_key(curve=ec.SECP256R1(),
backend=default_backend())
elif myqd == 'P384':
private_key = ec.generate_private_key(curve=ec.SECP384R1(),
backend=default_backend())
elif myqd == 'P521':
private_key = ec.generate_private_key(curve=ec.SECP521R1(),
backend=default_backend())
else:
private_key = ec.generate_private_key(curve=ec.SECP256R1(),
backend=default_backend())
if key_pass:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.BestAvailableEncryption(
key_pass),
)
else:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
if qmsf == 'SHA1':
csr = csr_add_extension.sign(private_key, hashes.SHA1(),
default_backend())
elif qmsf == 'SHA224':
csr = csr_add_extension.sign(private_key, hashes.SHA224(),
default_backend())
elif qmsf == 'SHA256':
csr = csr_add_extension.sign(private_key, hashes.SHA256(),
default_backend())
elif qmsf == 'SHA384':
csr = csr_add_extension.sign(private_key, hashes.SHA384(),
default_backend())
elif qmsf == 'SHA512':
csr = csr_add_extension.sign(private_key, hashes.SHA512(),
default_backend())
else:
csr = csr_add_extension.sign(private_key, hashes.SHA1(),
default_backend())
return {
'error': True,
'csr': csr.public_bytes(serialization.Encoding.PEM),
'priv_key': key
}
key_pass),
)
else:
key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
if qmsf == 'MD5':
csr = csr_add_extension.sign(private_key, hashes.MD5(),
default_backend())
elif qmsf == 'SHA1':
csr = csr_add_extension.sign(private_key, hashes.SHA1(),
default_backend())
elif qmsf == 'SHA224':
csr = csr_add_extension.sign(private_key, hashes.SHA224(),
default_backend())
elif qmsf == 'SHA256':
csr = csr_add_extension.sign(private_key, hashes.SHA256(),
default_backend())
elif qmsf == 'SHA384':
csr = csr_add_extension.sign(private_key, hashes.SHA384(),
default_backend())
elif qmsf == 'SHA512':
csr = csr_add_extension.sign(private_key, hashes.SHA512(),
default_backend())
else:
csr = csr_add_extension.sign(private_key, hashes.SHA1(),
default_backend())
return {
'error': True,
class TestSHA224(object):
test_SHA224 = generate_base_hash_test(
hashes.SHA224(),
digest_size=28,
block_size=64,
)
