def test_key_length(self, backend): kdf = KBKDFHMAC(hashes.SHA1(), Mode.CounterMode, 85899345920, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=backend) with pytest.raises(ValueError): kdf.derive(b'material')
def test_buffer_protocol(self, backend): kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 10, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=backend) key = kdf.derive(bytearray(b"material")) assert key == b'\xb7\x01\x05\x98\xf5\x1a\x12L\xc7.'
def test_invalid_key(self, backend): kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=backend) key = kdf.derive(b"material") kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=backend) with pytest.raises(InvalidKey): kdf.verify(b"material2", key)
def kbkdf_counter_mode_test(backend, params): supported_algorithms = { 'hmac_sha1': hashes.SHA1, 'hmac_sha224': hashes.SHA224, 'hmac_sha256': hashes.SHA256, 'hmac_sha384': hashes.SHA384, 'hmac_sha512': hashes.SHA512, } supported_counter_locations = { "before_fixed": CounterLocation.BeforeFixed, "after_fixed": CounterLocation.AfterFixed, } algorithm = supported_algorithms.get(params.get('prf')) if algorithm is None or not backend.hmac_supported(algorithm()): pytest.skip("KBKDF does not support algorithm: {}".format( params.get('prf') )) ctr_loc = supported_counter_locations.get(params.get("ctrlocation")) if ctr_loc is None or not isinstance(ctr_loc, CounterLocation): pytest.skip("Does not support counter location: {}".format( params.get('ctrlocation') )) ctrkdf = KBKDFHMAC( algorithm(), Mode.CounterMode, params['l'] // 8, params['rlen'] // 8, None, ctr_loc, None, None, binascii.unhexlify(params['fixedinputdata']), backend=backend) ko = ctrkdf.derive(binascii.unhexlify(params['ki'])) assert binascii.hexlify(ko) == params["ko"]
def test_unicode_error_context(self, backend): with pytest.raises(TypeError): KBKDFHMAC( hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b"label", "context", # type: ignore[arg-type] None, backend=backend, )
def test_invalid_backend(self, backend): with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE): KBKDFHMAC( hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b"label", b"context", None, backend=object(), )
def test_l(self, backend): with pytest.raises(ValueError): KBKDFHMAC( hashes.SHA1(), Mode.CounterMode, 32, 4, None, CounterLocation.BeforeFixed, b"label", b"context", None, backend=backend, )
def test_unsupported_mode(self, backend): with pytest.raises(TypeError): KBKDFHMAC( hashes.SHA256(), None, # type: ignore[arg-type] 32, 4, 4, CounterLocation.BeforeFixed, b"label", b"context", None, backend=backend, )
def test_unsupported_location(self, backend): with pytest.raises(TypeError): KBKDFHMAC( hashes.SHA256(), Mode.CounterMode, 32, 4, 4, None, # type: ignore[arg-type] b"label", b"context", None, backend=backend, )
def test_unsupported_parameters(self, backend): with pytest.raises(ValueError): KBKDFHMAC( hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b"label", b"context", b"fixed", backend=backend, )
def test_unsupported_hash(self, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): KBKDFHMAC( object(), # type: ignore[arg-type] Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b"label", b"context", None, backend=backend, )
def test_l_type(self, backend): with pytest.raises(TypeError): KBKDFHMAC( hashes.SHA1(), Mode.CounterMode, 32, 4, b"l", # type: ignore[arg-type] CounterLocation.BeforeFixed, b"label", b"context", None, backend=backend, )
def test_unsupported_algorithm(self, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): KBKDFHMAC( DummyHashAlgorithm(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b"label", b"context", None, backend=backend, )
def kbkdf_counter_mode_test(backend, params): supported_algorithms = { 'hmac_sha1': hashes.SHA1, 'hmac_sha224': hashes.SHA224, 'hmac_sha256': hashes.SHA256, 'hmac_sha384': hashes.SHA384, 'hmac_sha512': hashes.SHA512, } supported_counter_locations = { "before_fixed": CounterLocation.BeforeFixed, "after_fixed": CounterLocation.AfterFixed, } algorithm = supported_algorithms.get(params.get('prf')) if algorithm is None or not backend.hmac_supported(algorithm()): pytest.skip("KBKDF does not support algorithm: {0}".format( params.get('prf'))) ctr_loc = supported_counter_locations.get(params.get("ctrlocation")) if ctr_loc is None or not isinstance(ctr_loc, CounterLocation): pytest.skip("Does not support counter location: {0}".format( params.get('ctrlocation'))) ctrkdf = KBKDFHMAC(algorithm(), Mode.CounterMode, params['l'] // 8, params['rlen'] // 8, None, ctr_loc, None, None, binascii.unhexlify(params['fixedinputdata']), backend=backend) ko = ctrkdf.derive(binascii.unhexlify(params['ki'])) assert binascii.hexlify(ko) == params["ko"]
def _smb3kdf(self, ki, label, context): """ See SMB 3.x key derivation function https://blogs.msdn.microsoft.com/openspecification/2017/05/26/smb-2-and-smb-3-security-in-windows-10-the-anatomy-of-signing-and-cryptographic-keys/ :param ki: The session key is the KDK used as an input to the KDF :param label: The purpose of this derived key as bytes string :param context: The context information of this derived key as bytes string :return: Key derived by the KDF as specified by [SP800-108] 5.1 """ kdf = KBKDFHMAC( algorithm=hashes.SHA256(), mode=Mode.CounterMode, length=16, rlen=4, llen=4, location=CounterLocation.BeforeFixed, label=label, context=context, fixed=None, backend=default_backend() ) return kdf.derive(ki)
def test_already_finalized(self): kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=default_backend()) kdf.derive(b'material') with pytest.raises(AlreadyFinalized): kdf.derive(b'material2') kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=default_backend()) key = kdf.derive(b'material') with pytest.raises(AlreadyFinalized): kdf.verify(b'material', key) kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=default_backend()) kdf.verify(b'material', key) with pytest.raises(AlreadyFinalized): kdf.verify(b"material", key)
def test_already_finalized(self, backend): kdf = KBKDFHMAC( hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b"label", b"context", None, backend=backend, ) kdf.derive(b"material") with pytest.raises(AlreadyFinalized): kdf.derive(b"material2") kdf = KBKDFHMAC( hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b"label", b"context", None, backend=backend, ) key = kdf.derive(b"material") with pytest.raises(AlreadyFinalized): kdf.verify(b"material", key) kdf = KBKDFHMAC( hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b"label", b"context", None, backend=backend, ) kdf.verify(b"material", key) with pytest.raises(AlreadyFinalized): kdf.verify(b"material", key)
def test_unicode_error_key_material(self, backend): with pytest.raises(TypeError): kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=backend) kdf.derive(u'material')
def test_already_finalized(self, backend): kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=backend) kdf.derive(b'material') with pytest.raises(AlreadyFinalized): kdf.derive(b'material2') kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=backend) key = kdf.derive(b'material') with pytest.raises(AlreadyFinalized): kdf.verify(b'material', key) kdf = KBKDFHMAC(hashes.SHA256(), Mode.CounterMode, 32, 4, 4, CounterLocation.BeforeFixed, b'label', b'context', None, backend=backend) kdf.verify(b'material', key) with pytest.raises(AlreadyFinalized): kdf.verify(b"material", key)
backend=backend) # An instance of PBKDF2HMACBackend else: # The KBKDF (Key Based Key Derivation Function) used here is defined by the NIST SP 800-108 document, to be used # to derive additional keys from a key that has been established through an automated key-establishment scheme label = b'KBKDF HMAC Label' context = b'KBKDF HMAC Context' kdf = KBKDFHMAC( algorithm=hash_algo, # An instance of HashAlgorithm mode=Mode. CounterMode, # The desired mode of the PRF.A value from the Mode enum length=32, # The desired length of the derived key in bytes rlen= 4, # An integer that indicates the length of the counter in bytes llen= 4, # An integer that indicates the length of the length in bytes location=CounterLocation. BeforeFixed, # The desired location of the counter label= label, # Application specific label information. Byte string or None context= context, # Application specific context information. Byte string or None fixed= None, # Instead of specifying label and context, supply your own fixed data backend=backend) # A cryptography backend HashBackend instance # Derive a new key from the shared secret derived_key = kdf.derive(password) # Make sure shared keys agree print(Fore.GREEN + '\nDerived AES key ({} bits): {}'.format( len(derived_key) * 8,
def _derive_urlsafe_key(*, label, context): backend = default_backend() kdf = KBKDFHMAC(algorithm=hashes.SHA256(), mode=Mode.CounterMode, length=32, rlen=4, llen=4, location=CounterLocation.BeforeFixed, label=label, context=context, fixed=None, backend=backend) key = kdf.derive(settings.SECRET_KEY.encode()) return urlsafe_b64encode(key)