def GetHMAC(): """Return a HMAC object suitable for validating file upload URLs.""" # Just get some random string. private_key = config_lib.CONFIG["PrivateKeys.server_key"].SerializeToString() hmac_secret = hashlib.sha256(private_key).hexdigest() return rdf_crypto.HMAC(hmac_secret)
def testM2CryptoCompatibility(self):
message = "HMAC by M2Crypto!"
signature = "99cae3ec7b41ceb6e6619f2f85368cb3ae118b70".decode("hex")
key = rdf_crypto.EncryptionKey.FromHex("94bd4e0ecc8397a8b2cdbc4b127ee7b0")
h = rdf_crypto.HMAC(key)
self.assertEqual(h.HMAC(message), signature)
h.Verify(message, signature)
def testSHA256(self):
"""Tests that both types of signatures are ok."""
key = rdf_crypto.EncryptionKey.GenerateKey()
message = "Hello World!"
h = rdf_crypto.HMAC(key)
signature_sha1 = h.HMAC(message)
signature_sha256 = h.HMAC(message, use_sha256=True)
self.assertNotEqual(signature_sha1, signature_sha256)
h.Verify(message, signature_sha1)
h.Verify(message, signature_sha256)
def testHMAC(self):
"""A basic test for the HMAC class."""
key = rdf_crypto.EncryptionKey.GenerateKey()
message = "Hello World!"
h = rdf_crypto.HMAC(key)
signature = h.HMAC(message)
h.Verify(message, signature)
broken_message = message + "!"
self.assertRaises(rdf_crypto.VerificationError, h.Verify,
broken_message, signature)
broken_signature = self._Tamper(signature)
self.assertRaises(rdf_crypto.VerificationError, h.Verify,
"Hello World!", broken_signature)
def __init__(self,
readers_public_key,
writers_private_key,
fd,
chunk_size=1024 * 1024):
"""Constructor.
Args:
readers_public_key: The public key of the destined reader of this
stream. The stream will be encrypted with the readers public key.
writers_private_key: The private_key of the writer of this stream. Data
will be signed using this private key.
fd: A file like object we read from.
chunk_size: This will be the size of the parts.
"""
self.fd = fd
self.readers_public_key = readers_public_key
self.writers_private_key = writers_private_key
self.chunk_size = chunk_size
# Prepare the initial header.
self.cipher_properties = flows.CipherProperties.GetInializedKeys()
self.cipher = crypto.AES128CBCCipher(
self.cipher_properties.key, self.cipher_properties.metadata_iv)
self.hmac = crypto.HMAC(self.cipher_properties.hmac_key.RawBytes())
serialized_cipher = self.cipher_properties.SerializeToString()
signature = SignaturePart(
encrypted_cipher=readers_public_key.Encrypt(serialized_cipher),
signature=writers_private_key.Sign(serialized_cipher),
)
# First part is the encrypted cipher.
self.encrypted_buffer = BufferedReader()
self.encrypted_buffer.write(
self._get_part(signature.SerializeToString(),
PART_TYPE_ENCRYPTED_CIPHER))
self.eof = False
def _VerifyHMAC(self, comms=None):
"""Verifies the HMAC.
This method raises a DecryptionError if the received HMAC does not
verify. If the HMAC verifies correctly, True is returned.
Args:
comms: The comms RdfValue to verify.
Raises:
DecryptionError: The HMAC did not verify.
Returns:
True
"""
# Check the encrypted message integrity using HMAC.
if self.hmac_type == "SIMPLE_HMAC":
msg = comms.encrypted
digest = comms.hmac
elif self.hmac_type == "FULL_HMAC":
msg = "".join([
comms.encrypted, comms.encrypted_cipher,
comms.encrypted_cipher_metadata,
comms.packet_iv.SerializeToString(),
struct.pack("<I", comms.api_version)
])
digest = comms.full_hmac
else:
raise DecryptionError("HMAC type no supported.")
try:
rdf_crypto.HMAC(self.cipher.hmac_key).Verify(msg, digest)
except rdf_crypto.VerificationError as e:
raise DecryptionError("HMAC verification failed: %s" % e)
return True
def GetHMAC(self):
return rdf_crypto.HMAC(self.hmac_key.RawBytes())
def GetHMAC(cls):
# Just get some random string.
private_key = config.CONFIG["PrivateKeys.server_key"]
hmac_secret = hashlib.sha256(
private_key.SerializeToString()).hexdigest()
return rdf_crypto.HMAC(hmac_secret)
def HMAC(self, *data):
return rdf_crypto.HMAC(self.cipher.hmac_key).HMAC("".join(data))
def HMAC(self, *data):
hmac = rdf_crypto.HMAC(self.cipher.hmac_key)
return hmac.HMAC("".join(data))