def test_key_wrap(self):
    """Check AES key wrap and unwrap against the JWE Appendix A.3 values.

    The octet lists and the JWK below are published example vectors, not
    secrets. Wrapping the CEK under the KEK must give the expected
    wrapped key, and unwrapping that must give the CEK back.

    NOTE(review): only the success path is exercised. A case with a
    modified wrapped key would confirm that aes_key_unwrap rejects it;
    its failure behaviour is not visible from this test.
    """
    # Plaintext content-encryption key (32 octets).
    plain_octets = [
        4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170,
        106, 206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240,
        143, 156, 44, 207,
    ]
    # Expected wrapped form (40 octets: the input plus one 8-octet block).
    wrapped_octets = [
        232, 160, 123, 211, 183, 76, 245, 132, 200, 128, 123, 75, 190,
        216, 22, 67, 201, 138, 193, 186, 9, 91, 122, 31, 246, 90, 28, 139,
        57, 3, 76, 124, 193, 11, 98, 37, 173, 61, 104, 57,
    ]

    # chr()-joining gives a byte string on Python 2 only.
    # NOTE(review): on Python 3 this would be a text str, not bytes.
    cek = ''.join(map(chr, plain_octets))
    cek_ci = ''.join(map(chr, wrapped_octets))

    # Symmetric key-encryption key, carried as a base64url "oct" JWK.
    jwk_dict = {"kty": "oct", "k": "GawgguFyGrWKav7AX4VKUg"}
    kek = base64.base64url_decode(jwk_dict['k'])

    from jose.jwa.aes import aes_key_wrap, aes_key_unwrap

    self.assertEqual(aes_key_wrap(kek, cek), cek_ci)
    self.assertEqual(aes_key_unwrap(kek, cek_ci), cek)
def test_pbes2(self):
    """Round-trip a CEK through a PBKDF2-derived KEK and AES key wrap.

    Models PBES2-HS256+A128KW. The sender derives a 16-byte KEK from a
    shared key with PBKDF2 (HMAC-SHA256) and wraps a random CEK. The
    recipient derives the same KEK from the same inputs and unwraps it.

    NOTE(review): the random salt is passed to PBKDF2 as-is. RFC 7518
    section 4.8.1.1 builds the PBKDF2 salt as UTF8(alg) || 0x00 || p2s.
    This test therefore shows that both sides agree with each other,
    not that they interoperate with other PBES2 implementations.
    """
    from pbkdf2 import PBKDF2
    from Crypto import Random
    # SHA384 and SHA512 are imported as in the original but unused here.
    from Crypto.Hash import HMAC, SHA256, SHA384, SHA512
    from jose.jwa.aes import aes_key_wrap
    from jose.jwa.aes import aes_key_unwrap

    key_len = 16  # KEK/CEK size in bytes (A128KW)

    # Sender ----
    content_key = Random.get_random_bytes(key_len)   # CEK
    shared_key = Random.get_random_bytes(key_len)    # stands in for the password
    salt = Random.get_random_bytes(32)               # p2s
    iterations = 4096                                # p2c

    def derive_kek():
        # Both parties run the same derivation over the same inputs.
        kdf = PBKDF2(shared_key, salt, iterations,
                     digestmodule=SHA256, macmodule=HMAC)
        return kdf.read(key_len)

    # Alice derives the KEK and wraps the CEK with it.
    kek_alice = derive_kek()
    self.assertEqual(len(kek_alice), key_len)
    wrapped_cek = aes_key_wrap(kek_alice, content_key)

    # Recipient ----
    # The shared key was agreed before the session; the salt, iteration
    # count and wrapped CEK are delivered during the session.
    kek_bob = derive_kek()
    self.assertEqual(kek_alice, kek_bob)

    # Bob unwraps with his own derived KEK and must recover the CEK.
    cek_agreed = aes_key_unwrap(kek_bob, wrapped_cek)
    self.assertEqual(content_key, cek_agreed)