def add_third_party_caveat(self, macaroon, location, key, key_id, **kwargs): derived_key = truncate_or_pad( generate_derived_key(convert_to_bytes(key)) ) old_key = truncate_or_pad(binascii.unhexlify(macaroon.signature_bytes)) box = SecretBox(key=old_key) verification_key_id = box.encrypt( derived_key, nonce=kwargs.get('nonce') ) caveat = Caveat( caveat_id=key_id, location=location, verification_key_id=verification_key_id ) macaroon.caveats.append(caveat) encode_key = binascii.unhexlify(macaroon.signature_bytes) macaroon.signature = sign_third_party_caveat( encode_key, caveat._verification_key_id, caveat._caveat_id ) return macaroon
def __init__(self, key=None, host='127.0.0.1', port=5199, have_sodium=HAVE_SODIUM): if have_sodium: if key: key = base64.b64decode(key) else: # libnacl won't like it if you send anything less then KEYBYTES key = '\0' * libnacl.crypto_secretbox_KEYBYTES self.__box = SecretBox(key=key) self.__my_nonce = rand_nonce() else: self.__box = None self.__my_nonce = '\0' self.__client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) logging.info('Connecting to %s:%d' % (host, port)) self.__client.connect((host, port)) logging.debug('Sending my nonce: %s' % self.__my_nonce.encode('hex')) self.__client.send(self.__my_nonce) if self.__box: self.__th_nonce = self.__client.recv( libnacl.crypto_secretbox_NONCEBYTES) else: self.__th_nonce = self.__client.recv(1) logging.debug('Got their nonce: %s' % self.__th_nonce.encode('hex'))
def dump_resource(request): docservice_key = getattr(request.registry, 'docservice_key', None) box = SecretBox(docservice_key.vk) data = request.context.serialize() json_data = dumps(data) encrypted_data = box.encrypt(json_data) return b64encode(encrypted_data)
def test_attrib_with_enc_passes(): secretBox = SecretBox() enc_data = secretBox.encrypt(json.dumps({'name': 'Alice'}).encode()).hex() msg = { TXN_TYPE: ATTRIB, TARGET_NYM: VALID_TARGET_NYM, ENC: enc_data } validator.validate(msg)
def testSendAttribSucceedsForNonEmptyEnc( looper, sdk_pool_handle, sdk_wallet_trustee): raw = json.dumps({ 'name': 'Alice' }) secretBox = SecretBox() new_wallet = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee) parameters = None sdk_add_attribute_and_check(looper, sdk_pool_handle, new_wallet, parameters, enc=secretBox.encrypt(raw.encode()).hex())
def test_delete(self, mock_error_handler, mock_context_unpack): response = self.app.delete('/tenders/abc/dump', status=403) self.assertEqual(response.status, '403 Forbidden') self.app.authorization = ('Basic', ('archivarius', '')) response = self.app.delete('/tenders/abc/dump') encrypted_dump = response.json['data']['tender'] box = SecretBox('a' * 32) decrypted_data = box.decrypt(b64decode(encrypted_dump)) decrypted_data = json.loads(decrypted_data) self.assertEqual(response.status, '200 OK') self.assertEqual(decrypted_data, tender.serialize.return_value)
def testSendAttribHasInvalidSyntaxIfRawAndEncPassedAtSameTime( looper, sdk_pool_handle, sdk_wallet_trustee): raw = json.dumps({ 'name': 'Alice' }) secretBox = SecretBox() new_wallet = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee) parameters = None with pytest.raises(RequestNackedException) as e: sdk_add_attribute_and_check(looper, sdk_pool_handle, new_wallet, parameters, xhash=secretBox.encrypt(raw.encode()).hex(), enc=raw) e.match('not a valid hash')
def testSendAttribHasInvalidSyntaxIfRawHashAndEncPassedAtSameTime( looper, sdk_pool_handle, sdk_wallet_trustee): raw = json.dumps({ 'name': 'Alice' }) secretBox = SecretBox() encryptedRaw = secretBox.encrypt(raw.encode()) new_wallet = sdk_add_new_nym(looper, sdk_pool_handle, sdk_wallet_trustee) parameters = raw with pytest.raises(RequestNackedException) as e: sdk_add_attribute_and_check(looper, sdk_pool_handle, new_wallet, parameters, xhash=sha256(encryptedRaw).hexdigest(), enc=encryptedRaw.hex()) e.match('only one field from raw, enc, hash is expected')
def test_dump_resource(self): request = MagicMock() context = { 'id': uuid.uuid4().hex, 'rev': '1-{}'.format(uuid.uuid4().hex), 'dateModified': datetime.now().isoformat(), 'doc_type': 'Tenders' } request.registry.docservice_key.vk = 'a' * 32 request.context.serialize.return_value = context res = dump_resource(request) box = SecretBox('a' * 32) decrypted_data = box.decrypt(b64decode(res)) decrypted_data = json.loads(decrypted_data) self.assertNotEqual(res, json.dumps(context)) self.assertEqual(decrypted_data, context)
def add_third_party_caveat(self, macaroon, location, key, key_id, **kwargs): derived_key = truncate_or_pad( generate_derived_key(convert_to_bytes(key))) old_key = truncate_or_pad(binascii.unhexlify(macaroon.signature_bytes)) box = SecretBox(key=old_key) verification_key_id = box.encrypt(derived_key, nonce=kwargs.get('nonce')) caveat = Caveat(caveat_id=key_id, location=location, verification_key_id=verification_key_id) macaroon.caveats.append(caveat) encode_key = binascii.unhexlify(macaroon.signature_bytes) macaroon.signature = sign_third_party_caveat( encode_key, caveat._verification_key_id, caveat._caveat_id) return macaroon
def testSendAttribSucceedsForNonEmptyEnc(be, do, poolNodesStarted, trusteeCli): uuidIdentifier = createUuidIdentifier() addNym(be, do, trusteeCli, idr=uuidIdentifier) raw = json.dumps({'name': 'Alice'}) secretBox = SecretBox() parameters = { 'dest': uuidIdentifier, 'enc': secretBox.encrypt(raw.encode()).hex() } be(trusteeCli) do('send ATTRIB dest={dest} enc={enc}', mapper=parameters, expect=ATTRIBUTE_ADDED, within=2)
def testSendAttribSucceedsForNonEmptyEnc( be, do, poolNodesStarted, trusteeCli): uuidIdentifier = createUuidIdentifier() addNym(be, do, trusteeCli, idr=uuidIdentifier) raw = json.dumps({ 'name': 'Alice' }) secretBox = SecretBox() parameters = { 'dest': uuidIdentifier, 'enc': secretBox.encrypt(raw.encode()).hex() } be(trusteeCli) do('send ATTRIB dest={dest} enc={enc}', mapper=parameters, expect=ATTRIBUTE_ADDED, within=2)
def testSendAttribHasInvalidSyntaxIfRawAndEncPassedAtSameTime( be, do, poolNodesStarted, trusteeCli): uuidIdentifier = createUuidIdentifier() addNym(be, do, trusteeCli, idr=uuidIdentifier) raw = json.dumps({ 'name': 'Alice' }) secretBox = SecretBox() parameters = { 'dest': uuidIdentifier, 'raw': raw, 'enc': secretBox.encrypt(raw.encode()).hex() } be(trusteeCli) do('send ATTRIB dest={dest} raw={raw} enc={enc}', mapper=parameters, expect=INVALID_SYNTAX, within=2)
def testSendAttribHasInvalidSyntaxIfRawAndEncPassedAtSameTime( be, do, poolNodesStarted, trusteeCli): uuidIdentifier = createUuidIdentifier() addNym(be, do, trusteeCli, idr=uuidIdentifier) raw = json.dumps({'name': 'Alice'}) secretBox = SecretBox() parameters = { 'dest': uuidIdentifier, 'raw': raw, 'enc': secretBox.encrypt(raw.encode()).hex() } be(trusteeCli) do('send ATTRIB dest={dest} raw={raw} enc={enc}', mapper=parameters, expect=INVALID_SYNTAX, within=2)
def __init__(self): libnacl = nacl = None try: import libnacl except ImportError: try: import nacl except ImportError: raise ImportError( 'Either libnacl or pynacl module' ' is required for this tool, neither one can be imported.') if libnacl: from libnacl.secret import SecretBox self.nonce_size = libnacl.crypto_secretbox_NONCEBYTES self.key_size = libnacl.crypto_secretbox_KEYBYTES self.key_encode = lambda key: b64_encode(key.sk) self.key_decode = lambda key_str, raw=False:\ SecretBox(key_str if raw else b64_decode(key_str)) self.random = libnacl.randombytes self.error = ValueError if nacl: import warnings with warnings.catch_warnings(record=True): # cffi warnings from nacl.exceptions import CryptoError from nacl.encoding import RawEncoder, URLSafeBase64Encoder from nacl.secret import SecretBox from nacl.utils import random self.nonce_size = SecretBox.NONCE_SIZE self.key_size = SecretBox.KEY_SIZE self.key_encode = lambda key: key.encode(URLSafeBase64Encoder ).decode().strip() self.key_decode = lambda key_str, raw=False:\ SecretBox(key_str, URLSafeBase64Encoder if not raw else RawEncoder) self.random = random self.error = CryptoError
def __init__(self, key=None, host='127.0.0.1', port=5199, have_sodium=HAVE_SODIUM, merge_nonces=False): if have_sodium: if key: key = base64.b64decode(key) else: # libnacl won't like it if you send anything less then KEYBYTES key = '\0' * libnacl.crypto_secretbox_KEYBYTES self.__merge_nonces = merge_nonces self.__box = SecretBox(key=key) self.__my_nonce = rand_nonce() else: self.__box = None self.__my_nonce = '\0' self.__client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) logging.info('Connecting to %s:%d' % (host, port)) self.__client.connect((host, port)) logging.debug('Sending my nonce: %s' % self.__my_nonce.encode('hex')) self.__client.send(self.__my_nonce) if self.__box: self.__th_nonce = self.__client.recv(libnacl.crypto_secretbox_NONCEBYTES) else: self.__th_nonce = self.__client.recv(1) logging.debug('Got their nonce: %s' % self.__th_nonce.encode('hex'))
def _send_request(looper, helpers, fees, wallets_count, address, owner, sdk_wallet_trustee, sdk_wallet_trustees, sdk_wallet_stewards, sdk_wallet_clients, sdk_wallet_trust_anchors): print(wallets_count) wallets = sdk_wallet_trustees[:wallets_count.get(TRUSTEE, 0)] + \ sdk_wallet_stewards[:wallets_count.get(STEWARD, 0)] + \ sdk_wallet_clients[:wallets_count.get(IDENTITY_OWNER, 0)] + \ sdk_wallet_trust_anchors[:wallets_count.get(TRUST_ANCHOR, 0)] # prepare owner parameter if owner == TRUSTEE: sender_wallet = sdk_wallet_trustees[0] elif owner == STEWARD: sender_wallet = sdk_wallet_stewards[0] elif owner == IDENTITY_OWNER: sender_wallet = sdk_wallet_clients[0] elif owner == TRUST_ANCHOR: sender_wallet = sdk_wallet_trust_anchors[0] else: sender_wallet = wallets[0] target_dest = sdk_wallet_trustee[1] if owner == "-1" else sender_wallet[1] # prepare data data = SecretBox().encrypt(json.dumps({'name': 'Jaime'}).encode()).hex() # create request request = add_attribute(looper, sender_wallet, None, target_dest, enc=data) request = sdk_json_to_request_object(json.loads(request)) request.signature = None request.signatures = None # add fees request = add_fees_request_with_address(helpers, fees, request, address) # sign request request = sdk_multi_sign_request_objects(looper, wallets, [request]) return helpers.sdk.sdk_send_and_check(request)
def decrypt(ciphertext, key): """Decrypt ciphertext using key.""" return SecretBox(key).decrypt(ciphertext)
def encrypt(self, signature, field_data): encrypt_key = truncate_or_pad(signature) box = SecretBox(key=encrypt_key) encrypted = box.encrypt(convert_to_bytes(field_data), nonce=self.nonce) return self._signifier + standard_b64encode(encrypted)
class Console(object): def __init__(self, key=None, host='127.0.0.1', port=5199, have_sodium=HAVE_SODIUM, merge_nonces=False): if have_sodium: if key: key = base64.b64decode(key) else: # libnacl won't like it if you send anything less then KEYBYTES key = '\0' * libnacl.crypto_secretbox_KEYBYTES self.__merge_nonces = merge_nonces self.__box = SecretBox(key=key) self.__my_nonce = rand_nonce() else: self.__box = None self.__my_nonce = '\0' self.__client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) logging.info('Connecting to %s:%d' % (host, port)) self.__client.connect((host, port)) logging.debug('Sending my nonce: %s' % self.__my_nonce.encode('hex')) self.__client.send(self.__my_nonce) if self.__box: self.__th_nonce = self.__client.recv(libnacl.crypto_secretbox_NONCEBYTES) else: self.__th_nonce = self.__client.recv(1) logging.debug('Got their nonce: %s' % self.__th_nonce.encode('hex')) @staticmethod def increment_nonce(nonce): count = unpack("!I", nonce[0:4])[0] count += 1 return pack("!I", count) + nonce[4:] def _send(self, msg): self.__client.send(pack("!I", len(msg))) self.__client.send(msg) def _recvbits(self, bits): data = self.__client.recv(bits) while len(data) < bits: data += self.__client.recv(bits - len(data)) return data def _recv(self): bits = self._recvbits(4) length = unpack("!I", bits)[0] logging.debug('Got length of %d' % length) return self._recvbits(length) def _reading_nonce(self): if self.__merge_nonces: half_nonce_size = len(self.__my_nonce) / 2 return self.__my_nonce[0:half_nonce_size] + self.__th_nonce[half_nonce_size:] else: return self.__th_nonce def _writing_nonce(self): if self.__merge_nonces: half_nonce_size = len(self.__my_nonce) / 2 return self.__th_nonce[0:half_nonce_size] + self.__my_nonce[half_nonce_size:] else: return self.__my_nonce def disconnect(self): self.__client.close() def execute(self, msg): logging.info("Sending: %s" % msg) if self.__box: msg = self.__box.encrypt(msg, nonce=self._writing_nonce(), pack_nonce=False)[1] logging.info("Cipher text: %s" % msg.encode('hex')) self._send(msg) logging.info("Waiting for response...") msg = self._recv() if self.__box: logging.info("Cipher text: %s" % msg.encode('hex')) msg = self.__box.decrypt(msg, nonce=self._reading_nonce()) self.__my_nonce = Console.increment_nonce(self.__my_nonce) logging.debug('Our new nonce: %s' % self.__my_nonce.encode('hex')) self.__th_nonce = Console.increment_nonce(self.__th_nonce) logging.debug('Their new nonce: %s' % self.__th_nonce.encode('hex')) logging.info("Received: %s" % msg) return msg
from indy.ledger import build_get_attrib_request from libnacl.secret import SecretBox from hashlib import sha256 from plenum.common.exceptions import RequestNackedException from plenum.test.helper import sdk_get_and_check_replies from indy_node.test.helper import createUuidIdentifier, sdk_add_attribute_and_check, \ sdk_get_attribute_and_check, modify_field from plenum.test.pool_transactions.helper import sdk_sign_and_send_prepared_request attrib_name = 'dateOfBirth' secretBox = SecretBox() enc_data = secretBox.encrypt(json.dumps({'name': 'Alice'}).encode()).hex() hash_data = sha256(json.dumps({'name': 'Alice'}).encode()).hexdigest() @pytest.fixture(scope="module") def send_raw_attrib(looper, sdk_pool_handle, sdk_wallet_trustee): rep = sdk_add_attribute_and_check( looper, sdk_pool_handle, sdk_wallet_trustee, json.dumps({attrib_name: { 'dayOfMonth': 23, 'year': 1984, 'month': 5 }})) return rep
def _extract_caveat_key(self, signature, caveat): key = truncate_or_pad(signature) box = SecretBox(key=key) decrypted = box.decrypt(caveat._verification_key_id) return decrypted
def decrypt(self, signature, field_data): key = truncate_or_pad(signature) box = SecretBox(key=key) encoded = convert_to_bytes(field_data[len(self.signifier):]) decrypted = box.decrypt(standard_b64decode(encoded)) return convert_to_string(decrypted)
class Console(object): def __init__(self, key=None, host='127.0.0.1', port=5199, have_sodium=HAVE_SODIUM): if have_sodium: if key: key = base64.b64decode(key) else: # libnacl won't like it if you send anything less then KEYBYTES key = '\0' * libnacl.crypto_secretbox_KEYBYTES self.__box = SecretBox(key=key) self.__my_nonce = rand_nonce() else: self.__box = None self.__my_nonce = '\0' self.__client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) logging.info('Connecting to %s:%d' % (host, port)) self.__client.connect((host, port)) logging.debug('Sending my nonce: %s' % self.__my_nonce.encode('hex')) self.__client.send(self.__my_nonce) if self.__box: self.__th_nonce = self.__client.recv( libnacl.crypto_secretbox_NONCEBYTES) else: self.__th_nonce = self.__client.recv(1) logging.debug('Got their nonce: %s' % self.__th_nonce.encode('hex')) @staticmethod def increment_nonce(nonce): count = unpack("!I", nonce[0:4])[0] count += 1 return pack("!I", count) + nonce[4:] def _send(self, msg): self.__client.send(pack("!I", len(msg))) self.__client.send(msg) def _recvbits(self, bits): data = self.__client.recv(bits) while len(data) < bits: data += self.__client.recv(bits - len(data)) return data def _recv(self): bits = self._recvbits(4) length = unpack("!I", bits)[0] logging.debug('Got length of %d' % length) return self._recvbits(length) def disconnect(self): self.__client.close() def execute(self, msg): logging.info("Sending: %s" % msg) if self.__box: msg = self.__box.encrypt(msg, nonce=self.__my_nonce, pack_nonce=False)[1] logging.info("Cipher text: %s" % msg.encode('hex')) self.__my_nonce = Console.increment_nonce(self.__my_nonce) logging.debug('New nonce: %s' % self.__my_nonce.encode('hex')) self._send(msg) logging.info("Waiting for response...") msg = self._recv() if self.__box: logging.info("Cipher text: %s" % msg.encode('hex')) msg = self.__box.decrypt(msg, nonce=self.__th_nonce) self.__th_nonce = Console.increment_nonce(self.__th_nonce) logging.debug('New nonce: %s' % self.__th_nonce.encode('hex')) logging.info("Received: %s" % msg) return msg
if net["name"] == netname: netid = net["id"] print("Got network id: %s" % netid, file=sys.stderr) break #Get the client's hostid and decrypt it. to_read = int.from_bytes(sys.stdin.buffer.read(1), byteorder='big') hkdf_salt=b'' while len(hkdf_salt) < to_read: hkdf_salt += sys.stdin.buffer.read(to_read - len(hkdf_salt)) to_read = int.from_bytes(sys.stdin.buffer.read(1), byteorder='big') ciphertext=b'' while len(ciphertext) < to_read: ciphertext += sys.stdin.buffer.read(to_read - len(ciphertext)) to_server_key = get_subkey("to_server", hkdf_salt) hostid = SecretBox(to_server_key).decrypt(ciphertext).decode() print("Get hostid %s from client" % hostid, file=sys.stderr) #Now authorize the client print("Authorizing", file=sys.stderr) zt_post("controller/network/%s/member/%s" % (netid, hostid), { 'authorized': True, 'activeBridge': True }) #Encrypt and send back the network id. from_server_key = get_subkey("from_server", hkdf_salt) ciphertext = SecretBox(from_server_key).encrypt(netid.encode()) assert(len(ciphertext) < 256) sys.stdout.buffer.write(len(ciphertext).to_bytes(1, byteorder='big') + ciphertext) print("Finished", file=sys.stderr)
import pytest import json from libnacl.secret import SecretBox from hashlib import sha256 from indy_client.test.cli.constants import INVALID_SYNTAX from indy_client.test.cli.helper import createUuidIdentifier, addNym attrib_name = 'dateOfBirth' secretBox = SecretBox() enc_data = secretBox.encrypt(json.dumps({'name': 'Alice'}).encode()).hex() hash_data = sha256(json.dumps({'name': 'Alice'}).encode()).hexdigest() FOUND_ATTRIBUTE = 'Found attribute' ATTRIBUTE_ADDED = 'Attribute added for nym {valid_dest}' RETURNED_RAW_DATA = [FOUND_ATTRIBUTE, attrib_name, 'dayOfMonth', 'year', 'month'] RETURNED_ENC_DATA = [FOUND_ATTRIBUTE, enc_data] RETURNED_HASH_DATA = [FOUND_ATTRIBUTE, hash_data] ATTR_NOT_FOUND = 'Attr not found' @pytest.fixture(scope="module") def send_raw_attrib(be, do, poolNodesStarted, trusteeCli): valid_identifier = createUuidIdentifier() invalid_identifier = createUuidIdentifier() addNym(be, do, trusteeCli, idr=valid_identifier)