def add_new_channel(self, nA, nB): a_signkey = SigningKey.generate() a_chankey = PrivateKey.generate() a_CIDkey = os.urandom(32) a_transports = nA.agent.individualize_transports(nA.agent.get_transports()) b_signkey = SigningKey.generate() b_chankey = PrivateKey.generate() b_CIDkey = os.urandom(32) b_transports = nB.agent.individualize_transports(nB.agent.get_transports()) a_rec = { "channel_pubkey": a_chankey.public_key.encode().encode("hex"), "CID_key": a_CIDkey.encode("hex"), "transports": a_transports.values(), } b_rec = { "channel_pubkey": b_chankey.public_key.encode().encode("hex"), "CID_key": b_CIDkey.encode("hex"), "transports": b_transports.values(), } q = ("INSERT INTO addressbook" " (petname, acked, next_outbound_seqnum," " my_signkey," " their_channel_record_json," " my_CID_key, next_CID_token," " highest_inbound_seqnum," " my_old_channel_privkey, my_new_channel_privkey," " they_used_new_channel_key, their_verfkey)" " VALUES(?,?,?,?,?,?,?,?,?,?,?,?)") vA=("petname-from-A", 1, 1, a_signkey.encode().encode("hex"), json.dumps(b_rec), a_CIDkey.encode("hex"), None, 0, a_chankey.encode().encode("hex"), a_chankey.encode().encode("hex"), 0, b_signkey.verify_key.encode().encode("hex"), ) vB=("petname-from-A", 1, 1, b_signkey.encode().encode("hex"), json.dumps(a_rec), b_CIDkey.encode("hex"), None, 0, b_chankey.encode().encode("hex"), b_chankey.encode().encode("hex"), 0, a_signkey.verify_key.encode().encode("hex"), ) nA.db.execute(q, vA) nA.db.commit() nB.db.execute(q, vB) nA.db.commit() entA = nA.db.execute("SELECT * FROM addressbook").fetchone() entB = nB.db.execute("SELECT * FROM addressbook").fetchone() return entA, entB
def test_nacl_encrypt_decrypt(): skbob = PrivateKey.generate() pkbob = skbob.public_key skalice = PrivateKey.generate() pkalice = skalice.public_key message_bytes = nacl.utils.random(SALT_SIZE) encrypted = nacl_encrypt(message_bytes, skbob, pkalice) decrypted = nacl_decrypt(encrypted, skalice, pkbob) assert decrypted == message_bytes
def test_box_seal( privalice, pubalice, privbob, pubbob, nonce, plaintext, ciphertext): pubalice = PublicKey(pubalice, encoder=HexEncoder) privalice = PrivateKey(privalice, encoder=HexEncoder) plaintext = binascii.unhexlify(plaintext) sealed = pubalice.seal(plaintext) unsealed = privalice.seal_open(sealed) assert plaintext == unsealed sealed2 = privalice.seal(plaintext) unsealed2 = privalice.seal_open(sealed2) assert plaintext == unsealed2
def get_node(node_to_ask, recipient_guid, public_key): def parse_response(response): if not response[0]: self.send_message( Node(unhexlify(recipient_guid)), nacl.signing.VerifyKey(public_key, encoder=nacl.encoding.HexEncoder) .to_curve25519_public_key() .encode(), objects.PlaintextMessage.Type.Value("DISPUTE_OPEN"), json.dumps(contract), order_id, store_only=True, ) if node_to_ask: enc_key = nacl.signing.VerifyKey( public_key, encoder=nacl.encoding.HexEncoder ).to_curve25519_public_key() skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, enc_key) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract, indent=4), nonce) d = self.protocol.callDisputeOpen(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def authenticate(self, permissions=[]): #TODO check is needs to = None keys = PrivateKey.generate() nonce = nacl.utils.random(Box.NONCE_SIZE) payload = { 'app': { 'name': self.name, 'version': self.version, 'vendor': self.vendor, 'id': self.id }, 'publicKey': base64.b64encode(keys.public_key.__bytes__()), 'nonce': base64.b64encode(nonce), 'permissions': permissions } headers = { 'Content-Type': 'application/json' } r = self._post('auth', headers, payload) if r.status_code == 200: responseJson = r.json() cipherText = base64.b64decode(responseJson['encryptedKey']) self.token = responseJson['token'] self.permissions = responseJson['permissions'] self.publicKey = base64.b64decode(responseJson['publicKey']) box = Box(keys, PublicKey(self.publicKey)) data = box.decrypt(cipherText, nonce=nonce) self.symmetricKey = data[0:PrivateKey.SIZE] self.symmetricNonce = data[PrivateKey.SIZE:] return True else: return False
def send_message(self, receiving_node, public_key, message_type, message, subject=None): """ Sends a message to another node. If the node isn't online it will be placed in the dht for the node to pick up later. """ pro = Profile().get() if len(message) > 1500: return p = objects.Plaintext_Message() p.sender_guid = self.kserver.node.id p.signed_pubkey = self.kserver.node.signed_pubkey p.encryption_pubkey = PrivateKey(self.signing_key.encode()).public_key.encode() p.type = message_type p.message = message if subject is not None: p.subject = subject if pro.handle: p.handle = pro.handle if pro.avatar_hash: p.avatar_hash = pro.avatar_hash p.timestamp = int(time.time()) signature = self.signing_key.sign(p.SerializeToString())[:64] p.signature = signature skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(p.SerializeToString(), nonce) def get_response(response): if not response[0]: self.kserver.set(digest(receiving_node.id), pkephem, ciphertext) self.protocol.callMessage(receiving_node, pkephem, ciphertext).addCallback(get_response)
def send_rekey(self): self.pkey = PrivateKey.generate() msg = six.int2byte(Message.rekey) + encode_varint(self.my_seq) + self.pkey.public_key._public_key mac = self.get_mac(msg) self.my_seq += 1 self._send(msg + mac) self.state = ClientState.rekey
def test_list_request(self): serverkey = PrivateKey.generate() RT = "01234567" # 8 bytes req, tmppub = retrieval.encrypt_list_request(serverkey.public_key.encode(), RT) got_tmppub, boxed0 = server.decrypt_list_request_1(req) ts, got_RT = server.decrypt_list_request_2(got_tmppub, boxed0, serverkey) self.failUnlessEqual(RT, got_RT)
def get_node(node_to_ask): def parse_response(response): if response[0] and response[1][0] == "True": return True elif not response[0]: contract_dict = json.loads(json.dumps(contract.contract, indent=4), object_pairs_hook=OrderedDict) del contract_dict["vendor_order_confirmation"] order_id = digest(json.dumps(contract_dict, indent=4)).encode("hex") self.send_message(Node(unhexlify(guid)), nacl.signing.VerifyKey( contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["guid"], encoder=nacl.encoding.HexEncoder).to_curve25519_public_key().encode(), objects.PlaintextMessage.Type.Value("ORDER_CONFIRMATION"), json.dumps(contract.contract["vendor_order_confirmation"]), order_id, store_only=True) return True else: return False if node_to_ask: public_key = nacl.signing.VerifyKey( contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["guid"], encoder=nacl.encoding.HexEncoder).to_curve25519_public_key() skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, public_key) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrderConfirmation(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def respond_to_rekey(self, message): # Verify length if not len(message) == 34 + self._mac_length: _logger.info('Invalid length of rekey') # TODO: Multi-byte asequence numbers should also be allowed return # Verify MAC msg, sig = message[:-self._mac_length], message[-self._mac_length:] if not self.verify_mac(message): _logger.info('Invalid MAC on rekey') return # Verify sequence number if not self.validate_and_update_others_seqnum(msg): _logger.info('Invalid sequence number on rekey') return client_pubkey = msg[2:] self.pkey = PrivateKey.generate() self.new_master_key = self.derive_shared_key(client_pubkey) msg = six.int2byte(Message.rekey_response) + encode_varint(self.my_seq) + self.pkey.public_key._public_key self.state = ServerState.rekey full_msg = msg + self.get_mac(msg) self._send(full_msg) self.my_seq += 1
def purchase(self, node_to_ask, contract): """ Send an order message to the vendor. Args: node_to_ask: a `dht.node.Node` object contract: a complete `Contract` object containing the buyer's order """ def parse_response(response): try: address = contract.contract["buyer_order"]["order"]["payment"]["address"] chaincode = contract.contract["buyer_order"]["order"]["payment"]["chaincode"] masterkey_b = contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["bitcoin"] buyer_key = derive_childkey(masterkey_b, chaincode) amount = contract.contract["buyer_order"]["order"]["payment"]["amount"] listing_hash = contract.contract["buyer_order"]["order"]["ref_hash"] verify_key = nacl.signing.VerifyKey(node_to_ask.signed_pubkey[64:]) verify_key.verify( str(address) + str(amount) + str(listing_hash) + str(buyer_key), response[1][0]) return response[1][0] except Exception: return False public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext) self.log.info("purchasing contract %s from %s" % (contract.get_contract_id().encode("hex"), node_to_ask)) return d.addCallback(parse_response)
def create_node(so, stdout=sys.stdout, stderr=sys.stderr): basedir = so["basedir"] if os.path.exists(basedir): print >>stderr, "basedir '%s' already exists, refusing to touch it" % basedir return 1 os.mkdir(basedir) dbfile = os.path.join(basedir, "petmail.db") db = database.get_db(dbfile, stderr) db.execute("INSERT INTO node (webhost, webport) VALUES (?,?)", (so["webhost"], so["webport"])) db.execute("INSERT INTO services (name) VALUES (?)", ("client",)) db.execute("INSERT INTO `client_profile`" " (`name`, `icon_data`) VALUES (?,?)", ("","")) privkey = PrivateKey.generate() TID_tokenid, TID_privkey, TID_token0 = rrid.create() server_desc = { "transport_privkey": privkey.encode().encode("hex"), "TID_private_key": TID_privkey.encode("hex"), "local_TID0": TID_token0.encode("hex"), "local_TID_tokenid": TID_tokenid.encode("hex"), } db.execute("INSERT INTO mailbox_server_config" " (private_descriptor_json, enable_retrieval)" " VALUES (?,?)", (json.dumps(server_desc), 0)) db.commit() print >>stdout, "node created in %s" % basedir return 0
def test_wrong_types(): priv = PrivateKey.generate() check_type_error(("PrivateKey must be created from a 32 bytes long " "raw secret key"), PrivateKey, 12) check_type_error(("PrivateKey must be created from a 32 bytes long " "raw secret key"), PrivateKey, priv) check_type_error(("PrivateKey must be created from a 32 bytes long " "raw secret key"), PrivateKey, priv.public_key) check_type_error("PublicKey must be created from 32 bytes", PublicKey, 13) check_type_error("PublicKey must be created from 32 bytes", PublicKey, priv) check_type_error("PublicKey must be created from 32 bytes", PublicKey, priv.public_key) check_type_error("Box must be created from a PrivateKey and a PublicKey", Box, priv, "not a public key") check_type_error("Box must be created from a PrivateKey and a PublicKey", Box, priv.encode(), priv.public_key.encode()) check_type_error("Box must be created from a PrivateKey and a PublicKey", Box, priv, priv.public_key.encode()) check_type_error("Box must be created from a PrivateKey and a PublicKey", Box, priv.encode(), priv.public_key) check_type_error("seed must be a 32 bytes long", PrivateKey.from_seed, b"1")
def __enter__(self) -> typing.Tuple[PrivateKey, PrivateKey]: """ Provides a pair of private keys. """ # Derive the key from the passphrase. derived = util.derive_passphrase(self.passphrase) sign_box = SecretBox(derived) enc_box = SecretBox(derived) # Decrypt, using the two nonces. s_d = sign_box.decrypt(self.key._private_signing_seed, self.key._private_signing_nonce) e_d = enc_box.decrypt(self.key._private_key_raw, self.key._private_nonce) # Generate a SigningKey out of the seed. self.sign = SigningKey(s_d) self.encrypt = PrivateKey(e_d) # Update the key's public keys. if self.key._public_key is None: self.key._public_key = self.encrypt.public_key if self.key._public_signing_key is None: self.key._public_signing_key = self.sign.verify_key return self.encrypt, self.sign
def storeAccount(phrase, uid, auth, alias): """ Store new account information @param phrase: new passphrase as bytes @param uid: user id @param auth: authentication token @param alias: user set alias for profile @return: Profile ID of newly created profile and safe """ con = getCursor() # random phrase buffer buffer = nacl.utils.random(nacl.secret.SecretBox.KEY_SIZE) # create safe (db encryption) safe = SecretBox(b''.join((phrase, buffer[len(phrase) - 32:]))) # create new signing_key and verify_key (message signing) skey = nacl.signing.SigningKey.generate() # create new private and public key (message encryption) mkey = PrivateKey.generate() con.execute("INSERT INTO profiles (uid, auth, signing_key, verify_key, private_key, public_key, buffer, alias) " "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", list(encrypt(safe, uid, auth, skey._seed, skey.verify_key.encode(encoder=nacl.encoding.HexEncoder), mkey._private_key, mkey.public_key._public_key)) + [buffer, alias]) profileId = con.lastrowid return profileId, safe
def __new__(cls, microdescriptor): relay_identity = decodeMicrodescriptorIdentifier(microdescriptor) relay_ntor_onion_key = base64.b64decode(microdescriptor.ntor_onion_key) secret_key = PrivateKey.generate() public_key = secret_key.public_key return super(NTorState, cls).__new__( cls, relay_identity, relay_ntor_onion_key, secret_key, public_key)
def get_node(node_to_ask): def parse_response(response): if response[0] and response[1][0] == "True": return True elif not response[0]: contract_dict = json.loads(json.dumps(contract.contract, indent=4), object_pairs_hook=OrderedDict) del contract_dict["vendor_order_confirmation"] del contract_dict["buyer_receipt"] order_id = digest(json.dumps(contract_dict, indent=4)).encode("hex") self.send_message(Node(unhexlify(guid)), contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"], objects.Plaintext_Message.Type.Value("RECEIPT"), json.dumps(contract.contract["buyer_receipt"]), order_id, store_only=True) return True else: return False if node_to_ask: public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callCompleteOrder(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def key_gen(self): """Generate a private key""" import base64, zlib from nacl.public import PrivateKey privObj = PrivateKey.generate() privKey = base64.b64encode(zlib.compress(str(privObj), 9)) return privObj, privKey
def purchase(self, node_to_ask, contract): """ Send an order message to the vendor. Args: node_to_ask: a `dht.node.Node` object contract: a complete `Contract` object containing the buyer's order """ def parse_response(response): try: address = contract.contract["buyer_order"]["order"]["payment"]["address"] verify_key = nacl.signing.VerifyKey(node_to_ask.signed_pubkey[64:]) verify_key.verify(str(address), response[1][0]) return response[1][0] except Exception: return False public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response)
class IDPrivateKey: def __init__(self, password = None, email = None): if email is None: self.salt = defaultsalt else: self.salt = email if password is not None: self.generate_key(password) def generate_key(self, password): self.pri = PrivateKey(scrypt(sha512(password,encoder = RawEncoder), self.salt, N = 1<<17, r = 8, p = 1, buflen = 32), encoder = RawEncoder) pub = PublicID() pub.salt = self.salt pub.key = self.pri.public_key.encode() self.pub = pub def to_private_key(self): return self.pri def to_public_key(self): return self.pub def pri_base58(self): return b58encode(self.pri.encode(encoder = RawEncoder)) def pub_base58(self): return self.pub.base58()
def getauth(secret=''): if secret != '': try: return nacl.public.PrivateKey(secret,encoder=nacl.encoding.HexEncoder) except: raise err.api('invalid secret') else: return PrivateKey.generate()
def generate_key(self): """ Generate a new private key and return a pair with the base64 encodings of (priv_key, pub_key). """ key = PrivateKey.generate() priv_key = key.encode(encoder=Base64Encoder) pub_key = key.public_key.encode(encoder=Base64Encoder) return (u'{}'.format(priv_key), u'{}'.format(pub_key))
def test_list_entry(self): symkey = os.urandom(32) tmppriv = PrivateKey.generate() tmppub = tmppriv.public_key.encode() entry, fetch_token, delete_token = server.create_list_entry(symkey, tmppub, 1234) got_fetch_token, got_delete_token, length = retrieval.decrypt_list_entry(entry, symkey, tmppub) self.failUnlessEqual(fetch_token, got_fetch_token) self.failUnlessEqual(delete_token, got_delete_token) self.failUnlessEqual(length, 1234)
def generate_key_hex(self): """ Generate a new private key and return a pair with the hex encodings of (priv_key, pub_key). """ key = PrivateKey.generate() priv_key = key.encode(encoder=HexEncoder) pub_key = key.public_key.encode(encoder=HexEncoder) return priv_key.decode('ascii'), pub_key.decode('ascii')
def test_sealed_box_too_short_msg(): empty_plaintext = b'' k = PrivateKey.generate() enc_box = SealedBox(k.public_key) dec_box = SealedBox(k) msg = enc_box.encrypt(empty_plaintext) with pytest.raises(CryptoError): dec_box.decrypt(msg[:-1])
def startInvitation(self, petname, code, transports): #print "invite", petname, code.encode("hex") stretched = stretch(code) inviteKey = SigningKey(stretched) inviteID = inviteKey.verify_key.encode(Hex) mySigningKey = SigningKey.generate() myCIDkey = os.urandom(32) myTempPrivkey = PrivateKey.generate() # create my channel record tids = ",".join([str(tid) for tid in sorted(transports.keys())]) channel_key = PrivateKey.generate() pub_crec = { "channel_pubkey": channel_key.public_key.encode(Hex), "CID_key": myCIDkey.encode("hex"), "transports": transports.values(), } priv_data = { "my_signkey": mySigningKey.encode(Hex), "my_CID_key": myCIDkey.encode("hex"), "my_old_channel_privkey": channel_key.encode(Hex), "my_new_channel_privkey": channel_key.encode(Hex), "transport_ids": tids, } db = self.db c = db.execute("SELECT inviteID FROM invitations") if inviteID in [str(row[0]) for row in c.fetchall()]: raise CommandError("invitation code already in use") iid = db.insert("INSERT INTO `invitations`" " (code, petname, inviteKey," " inviteID," " myTempPrivkey, mySigningKey," " my_channel_record, my_private_channel_data," " myMessages, theirMessages, nextExpectedMessage)" " VALUES (?,?,?, ?, ?,?, ?,?, ?,?,?)", (code.encode("hex"), petname, stretched.encode("hex"), inviteID, myTempPrivkey.encode(Hex), mySigningKey.encode(Hex), json.dumps(pub_crec), json.dumps(priv_data), "", "", 1), "invitations") self.subscribe(inviteID) i = Invitation(iid, self.db, self) i.sendFirstMessage() self.db.commit()
def test_sealed_box_zero_length_plaintext(): empty_plaintext = b'' k = PrivateKey.generate() enc_box = SealedBox(k.public_key) dec_box = SealedBox(k) msg = enc_box.encrypt(empty_plaintext) decoded = dec_box.decrypt(msg) assert decoded == empty_plaintext
def __init__(self, relay): ''' :param stem.descriptor.server_descriptor.RelayDescriptor relay: the relay that we're doing an ntor handshake with ''' self._signing_key = tools.signingKeyToSHA1(relay.signing_key) self._ntor_onion_key = base64.b64decode(relay.ntor_onion_key) self._secret_key = PrivateKey.generate() self._public_key = self._secret_key.public_key self.is_bad = False
def asymmetricEncryption(toEncrypt): #generiranje privatnog kljuca posiljatelja koji mora ostati tajan skSender = PrivateKey.generate() #generiranje javnog kljuca posiljatelja pkSender = skSender.public_key #generiranje privatnog kljuca primatelja koji mora ostati tajan skReceiver = PrivateKey.generate() #generiranje javnog kljuca primatelja pkReceiver = skReceiver.public_key #"kutija" s posiljateljevim privatnim kljucem i primateljevim javnim kljucem #sluzi za enkriptiranje poruke senderBox = Box(skSender, pkReceiver) #broj koji se koristi samo jednom, ne smatra se tajnim i moze ga se slati uz enkriptiranu poruku #dobar izvor za nonce su nasumicna 24 byta nonce = nacl.utils.random(Box.NONCE_SIZE) #enkriptiranje poruke koja ce potom biti dulja za tocno 40 byta od originalne poruke #razlog tome je informacija o autentifikaciji i nonce koji se pohranjuju uz nju encrypted = senderBox.encrypt(toEncrypt, nonce, encoder = nacl.encoding.Base64Encoder) return pkSender, skReceiver, encrypted
def setUp(self): super(RekeyCompleteTest, self).setUp() self.session.send_rekey() rekey_msg = self.channel.sent_messages.pop(0).msg self.client_pubkey = rekey_msg[2:-self.mac_len] pkey = PrivateKey.generate() msg = b'\x83\x00' + pkey.public_key._public_key mac = self.get_mac(msg) response = self.get_response(msg + mac).msg self.new_shared_key = crypto_scalarmult(pkey._private_key, self.client_pubkey)
def get_cybersource_test_settings(private_key=None): """ Generates a valid set of settings for CyberSource """ if private_key is None: private_key = PrivateKey.generate() return { "CYBERSOURCE_WSDL_URL": (f"http://localhost/service/CyberSourceTransaction_{SERVICE_VERSION}.wsdl" ), "CYBERSOURCE_MERCHANT_ID": "merchant_id", "CYBERSOURCE_TRANSACTION_KEY": "transaction_key", "CYBERSOURCE_INQUIRY_LOG_NACL_ENCRYPTION_KEY": Base64Encoder.encode(bytes(private_key.public_key)), }
def keyMake(node, path): ## create a public, private, and signature key set # generate the encryption keypair key = PrivateKey.generate() # generate the signature key sig = nacl.signing.SigningKey.generate() verify = sig.verify_key sig_hex = verify.encode(encoder=nacl.encoding.HexEncoder) # write all of the keys to file with open(path + '/' + node + '.sig', 'w+') as signing_key: pickle.dump(sig, signing_key) with open(path + '/' + node + '.sighex', 'w+') as verify_hex: pickle.dump(sig_hex, verify_hex) with open(path + '/' + node + '.private', 'w+') as private: pickle.dump(key, private) with open(path + '/' + node + '.public', 'w+') as public: pickle.dump(key.public_key, public)
def generate_keys(): logging.info("generating public-private key pair") # create public/private pair private_key = PrivateKey.generate() public_key = private_key.public_key key_length = private_key.SIZE * 8 # get key strings public_key = public_key.encode(encoder=nacl.encoding.HexEncoder).decode() private_key = private_key.encode(encoder=nacl.encoding.HexEncoder).decode() # return key pair as dictionary return({ "key_length_bits": key_length, "public_key": public_key, "private_key": private_key })
def test_box_encryption(skalice, pkalice, skbob, pkbob, nonce, plaintext, ciphertext): pkalice = PublicKey(pkalice, encoder=HexEncoder) skbob = PrivateKey(skbob, encoder=HexEncoder) box = Box(skbob, pkalice) encrypted = box.encrypt( binascii.unhexlify(plaintext), binascii.unhexlify(nonce), encoder=HexEncoder, ) expected = binascii.hexlify( binascii.unhexlify(nonce) + binascii.unhexlify(ciphertext), ) assert encrypted == expected assert encrypted.nonce == nonce assert encrypted.ciphertext == ciphertext
def create_keychain(self): print "Generating GUID, stand by..." g = GUID() self.guid = g.guid self.guid_privkey = g.privkey self.signing_key = nacl.signing.SigningKey(self.guid_privkey) self.guid_signed_pubkey = g.signed_pubkey self.db.set_key("guid", self.guid_privkey, self.guid_signed_pubkey) self.bitcoin_master_privkey = bitcoin.bip32_master_key( bitcoin.sha256(self.guid_privkey)) self.bitcoin_master_pubkey = bitcoin.bip32_privtopub( self.bitcoin_master_privkey) self.db.set_key("bitcoin", self.bitcoin_master_privkey, self.bitcoin_master_pubkey) self.encryption_key = PrivateKey(self.guid_privkey) self.encryption_pubkey = self.encryption_key.public_key.encode()
def test_rekey(self): pkey = PrivateKey.generate() msg = b'\x03\x00' + pkey.public_key._public_key response = self.send_with_mac(msg).msg self.assertEqual(len(response), 34 + self.mac_len) self.assert_correct_mac(response) self.assertEqual(six.byte2int(response[1:]), 0x00) self.assert_message_type(response, 0x83) server_pubkey = response[2:-self.mac_len] new_shared_secret = crypto_scalarmult(pkey._private_key, server_pubkey) # Send confirm self.session_key = new_shared_secret msg = b'\x04' response = self.send_with_mac(msg).msg self.assert_correct_mac(response) self.assert_message_type(response, 0x84) self.assertEqual(self.session_key, self.channel.shared_key)
def read_config_file(commandlineoptions=None): global config_file if os.path.exists(config_file): with open(config_file, 'r') as f: return yaml.load(f) else: # generate the config file for the client including the secret key # which must be kept secret config = dict() config['own_sk'] = PrivateKey.generate() config['registration_successful'] = False config['server_pk'] = PublicKey( commandlineoptions.server_pk_str.decode('hex')) config['contact_list'] = list() config['username'] = "******" config['status_msg'] = "Testing OnionPIR..." save_config_file(config) return config
def operator_key_pair_create(): try: privKey = PrivateKey.generate() pubKey = privKey.public_key key_pair_res = { "DID": ''.join(random.choices(string.ascii_uppercase + string.ascii_lowercase + string.digits, k=22)), "public_key": binascii.b2a_base64(bytes(pubKey)).decode("utf-8").strip(), "private_key": binascii.b2a_base64(bytes(privKey)).decode("utf-8").strip(), "timestamp": str(int(time.time())) } client_key_res = copy.deepcopy(key_pair_res) mongo_setup_provider.key_pair_col.insert_one(key_pair_res) return jwt.encode(client_key_res, os.environ["VPNAAS_KEY"], algorithm="HS256") except Exception as error: logger.error(error) sys.exit() #tl.start(block=False)
def NACL_sealedBox_encrypt(text): # Generate Bob's private key, as we've done in the Box example skbob = PrivateKey.generate() pkbob = skbob.public_key # Alice wishes to send a encrypted message to Bob, # but prefers the message to be untraceable sealed_box = SealedBox(pkbob) # This is Alice's message message = bytes(text,'utf-8') # Encrypt the message, it will carry the ephemeral key public part # to let Bob decrypt it encrypted = sealed_box.encrypt(message) #Now, Bob wants to read the secret message he just received; therefore he must create a SealedBox using his own #private key: unseal_box = SealedBox(skbob) # decrypt the received message plaintext = unseal_box.decrypt(encrypted) print(plaintext.decode('utf-8')) return True
def parse_messages(messages): if messages is not None: for message in messages: try: value = objects.Value() value.ParseFromString(message) try: box = Box(PrivateKey(self.signing_key.encode()), PublicKey(value.valueKey)) ciphertext = value.serializedData plaintext = box.decrypt(ciphertext) p = objects.Plaintext_Message() p.ParseFromString(plaintext) signature = p.signature p.ClearField("signature") verify_key = nacl.signing.VerifyKey( p.signed_pubkey[64:]) verify_key.verify(p.SerializeToString(), signature) h = nacl.hash.sha512(p.signed_pubkey) pow_hash = h[64:128] if int(pow_hash[:6], 16) >= 50 or hexlify( p.sender_guid) != h[:40]: raise Exception('Invalid guid') if p.type == objects.Plaintext_Message.Type.Value( "ORDER_CONFIRMATION"): c = Contract(self.db, hash_value=unhexlify(p.subject)) c.accept_order_confirmation( self.protocol.multiplexer.ws, confirmation_json=p.message) else: listener.notify( p.sender_guid, p.encryption_pubkey, p.subject, objects.Plaintext_Message.Type.Name( p.type), p.message) except Exception: pass signature = self.signing_key.sign(value.valueKey)[:64] self.kserver.delete(self.kserver.node.id, value.valueKey, signature) except Exception: pass
def generate_keys(): # Generate applications public and private key # In practice, these would be set externally and stored outside the repository sk = PrivateKey.generate() pk = sk.public_key # write to filesfor access if they don't exist sk_path = os.path.join(os.path.dirname(__file__), "..", "private_key") if not os.path.exists(sk_path): # write as binary with open(sk_path, 'wb') as f: sk_bytes = bytes(sk) f.write(sk_bytes) pk_path = os.path.join(os.path.dirname(__file__), "..", "public_key") if not os.path.exists(pk_path): with open(pk_path, 'wb') as f: pk_bytes = bytes(pk) f.write(pk_bytes)
def rpc_complete_order(self, sender, pubkey, encrypted): try: box = Box( PrivateKey(self.signing_key.encode(nacl.encoding.RawEncoder)), PublicKey(pubkey)) order = box.decrypt(encrypted) c = Contract(self.db, contract=json.loads(order, object_pairs_hook=OrderedDict), testnet=self.multiplexer.testnet) contract_id = c.accept_receipt(self.multiplexer.ws, self.multiplexer.blockchain) self.router.addContact(sender) self.log.info("received receipt for order %s" % contract_id) return ["True"] except Exception: self.log.error("unable to parse receipt from %s" % sender) return ["False"]
def __init__(self, user, keyring, filename=None): """ we want to keep all the cryptographic functions as side-effect free as possible, so when we instantiate a keyring we'll do as much of the setup and I/O as possible. """ self.keyring = keyring if not filename: filename = keyring.lstrip('/key').replace('/', '.') filename = os.path.join(DIR, '{}.{}'.format(user, filename)) try: self._load_from_private_keyfile(filename) except FileNotFoundError: self.enc_key = PrivateKey.generate() self.signing_key = nacl.signing.SigningKey.generate() self.enc_key_id = uuid.uuid4().hex self.signing_key_id = uuid.uuid4().hex self._to_private_keyfile(filename)
def apply(document, config): """ Generates a deploy key, injects config/master keys and performs the extra deployment time encryption of secrets. """ url = util.rget(document, 'secretary', 'url') if not url: return config # Check for encrypted secrets found = False for key, value in config.get('env', {}).iteritems(): envelopes = extractEnvelopes(value) found = found or envelopes # e.g. dots aren't valid in a shell identifier, so `secretary decrypt -e` wouldn't work with them if envelopes and not _SHELL_IDENTIFIER_RE.match(key): raise RuntimeError(( "The env var '%s' has an encrypted value but its name is not a valid shell script identifier and not supported by Secretary. " + "Only alphanumeric characters and underscores are supported, starting with an alphabetic or underscore character." + "Please check https://github.com/meltwater/lighter#secrets-management ." ) % key) # Avoid adding public keys if no secrets present if not found: return config result = deepcopy(config) masterKey = decodePublicKey( util.rget(document, 'secretary', 'master', 'publickey')) result['env'] = result.get('env', {}) result['env']['SECRETARY_URL'] = url result['env']['MASTER_PUBLIC_KEY'] = encodeKey(masterKey) # Autogenerate a deploy key deployKey = PrivateKey.generate() result['env']['DEPLOY_PRIVATE_KEY'] = KeyValue(encodeKey(deployKey)) result['env']['DEPLOY_PUBLIC_KEY'] = KeyValue( encodeKey(deployKey.public_key)) return result
def parse_messages(messages): if messages is not None: self.log.info("retrieved %s message(s) from the dht" % len(messages)) for message in messages: try: value = objects.Value() value.ParseFromString(message) try: box = Box(PrivateKey(self.signing_key.encode()), PublicKey(value.valueKey)) ciphertext = value.serializedData plaintext = box.decrypt(ciphertext).decode("zlib") p = objects.PlaintextMessage() p.ParseFromString(plaintext) signature = p.signature p.ClearField("signature") verify_key = nacl.signing.VerifyKey(p.signed_pubkey[64:]) verify_key.verify(p.SerializeToString(), signature) h = nacl.hash.sha512(p.signed_pubkey) pow_hash = h[64:128] if int(pow_hash[:6], 16) >= 50 or p.sender_guid.encode("hex") != h[:40]: raise Exception('Invalid guid') if p.type == objects.PlaintextMessage.Type.Value("ORDER_CONFIRMATION"): c = Contract(self.db, hash_value=p.subject) c.accept_order_confirmation(self.protocol.get_notification_listener(), confirmation_json=p.message) elif p.type == objects.PlaintextMessage.Type.Value("RECEIPT"): c = Contract(self.db, hash_value=p.subject) c.accept_receipt(self.protocol.get_notification_listener(), self.protocol.multiplexer.blockchain, receipt_json=p.message) elif p.type == objects.PlaintextMessage.Type.Value("DISPUTE_OPEN"): process_dispute(json.loads(p.message, object_pairs_hook=OrderedDict), self.db, self.protocol.get_message_listener(), self.protocol.get_notification_listener(), self.protocol.multiplexer.testnet) else: listener.notify(p, signature) except Exception: pass signature = self.signing_key.sign(value.valueKey)[:64] self.kserver.delete(self.kserver.node.id, value.valueKey, signature) except Exception: pass
def _decrypt_and_set_private_key(self, private_key_store): if not self.password: raise AttributeError( 'No password found! Password must be set ahead!') secure_key = pwhash.argon2i.kdf( secret.SecretBox.KEY_SIZE, Base64Encoder.decode(self.password), Base64Encoder.decode(private_key_store['salt']), opslimit=private_key_store['ops'], memlimit=private_key_store['mem'], ) encrypted = Base64Encoder.decode(private_key_store['private_key']) box = secret.SecretBox(secure_key) try: self.private_key = PrivateKey(box.decrypt(encrypted)) self.public_key = self.private_key.public_key return True except Exception as e: print(e)
def purchase(self, node_to_ask, contract): """ Send an order message to the vendor. Args: node_to_ask: a `dht.node.Node` object contract: a complete `Contract` object containing the buyer's order """ def parse_response(response): try: address = contract.contract["buyer_order"]["order"]["payment"][ "address"] chaincode = contract.contract["buyer_order"]["order"][ "payment"]["chaincode"] masterkey_b = contract.contract["buyer_order"]["order"]["id"][ "pubkeys"]["bitcoin"] buyer_key = derive_childkey(masterkey_b, chaincode) amount = contract.contract["buyer_order"]["order"]["payment"][ "amount"] listing_hash = contract.contract["buyer_order"]["order"][ "ref_hash"] verify_key = nacl.signing.VerifyKey( node_to_ask.signed_pubkey[64:]) verify_key.verify( str(address) + str(amount) + str(listing_hash) + str(buyer_key), response[1][0]) return response[1][0] except Exception: return False public_key = contract.contract["vendor_offer"]["listing"]["id"][ "pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext) self.log.info("purchasing contract %s from %s" % (contract.get_contract_id().encode("hex"), node_to_ask)) return d.addCallback(parse_response)
def show_cluster_config(cluster_id: str) -> dict: box = PrivateKey.generate() private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder) public_key_hex = box.public_key.encode(encoder=nacl.encoding.HexEncoder) if not cluster_id or cluster_id == 'None': return { 'error': 'CLUSTER_ID required' } try: cluster = Fileserver_Cluster.objects.filter(pk=cluster_id).get() except Fileserver_Cluster.DoesNotExist: return { 'error': 'A cluster with this id was not found. You can use "fsclusterlist" to display all' } if cluster.links.count() == 0: return { 'error': ' Shard: Not found for this cluster. You can create one with "fsshardcreate TITLE \'Some description\'" and then link it to this cluster with "fsshardlink ' + str( cluster.id) + ' SHARD_ID"' } uni = string.ascii_letters + string.digits + string.punctuation print('SECRET_KEY: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"'))) print('PRIVATE_KEY: ' + repr(str(private_key_hex.decode()))) print('PUBLIC_KEY: ' + repr(str(public_key_hex.decode()))) print('SERVER_URL: ' + repr(settings.HOST_URL)) print('SERVER_PUBLIC_KEY: ' + repr(settings.PUBLIC_KEY)) print("CLUSTER_ID: '"+ str(cluster.id) +"'") print("CLUSTER_PRIVATE_KEY: '"+ str(decrypt_with_db_secret(cluster.auth_private_key)) +"'") shards = [] for links in cluster.links.all(): shards.append('{shard_id: ' + str(links.shard_id) + ', read: ' + str(links.read) + ', write: ' + str(links.write) + ', delete: ' + str(links.delete_capability) + ', allow_link_shares: ' + str(links.allow_link_shares) + ', engine: {class: \'local\', kwargs: {location: \'/opt/psono-shard/'+ str(links.shard_id) +'\'}}}') print("SHARDS: ["+','.join(shards)+"]") return {}
def new_shop(req: ShopCreateRequest): try: b64decode(req.shop_pub_key) except binascii.Error: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail='公鑰錯誤') shop = Shop(name=req.name, shop_pub_key=req.shop_pub_key) private_key = PrivateKey.generate() box = SecretBox(SERVER_MASTER_SECRET) try: Secret(shop=shop, server_secret_key=b64encode( box.encrypt(private_key._private_key)).decode('ascii')) commit() except TransactionIntegrityError: rollback() raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail='公鑰已被使用') return b64encode(private_key.public_key._public_key).decode('ascii')
def rotate_user_key(args): """Rotates the user main key. Required when a device was removed to keep future content safe. Maximum rotation rate once per second, but please don't: it will just make the user identity block bloated, eventually blocking the user by upload limit. """ username = get_username(args) user_storage = LocalStorage(username) old_signing = _get_user_signingkey(username) old_private = _get_user_privatekey(username) timestamp = get_timestamp_seconds() with user_storage as us: us["signingkey"] = SigningKey.generate().encode() us["privatekey"] = PrivateKey.generate().encode() us["previous_keys"][timestamp] = { "signingkey": us["signingkey"], "privatekey": us["privatekey"], }
def fake_transport(): privkey = PrivateKey.generate() pubkey_hex = privkey.public_key.encode().encode("hex") TID_tokenid, TID_privkey, TID_token0 = rrid.create() private = { "privkey": privkey, "TID": (TID_tokenid, TID_privkey, TID_token0) } # this is what lives in our database. All channels that share the same # transport will use the same thing. db_record = { "for_sender": { "type": "test-return", "transport_pubkey": pubkey_hex, }, "for_recipient": { "TID": TID_token0.encode("hex") }, } return private, db_record
def decrypt(self, file): # read encrypted data from file with open(file) as f: content = f.read() f.close() content2 = self.str_to_bytestring(content) # decrypt encrypted data and write back to file private_key2 = PrivateKey( b'#"\xbf.\xe1[\xdd\x95\xe0s\xb7\xd8\xb5\xe3\xe3\x1e\xa1\x1c\xf7r\xec\xa3\\\xda\x7f4\x9cy\r7\xffJ' ) public_key1 = PublicKey( b"\xe6\xd2\xd1\x94\xde\x00s\xcew\xf1\xfc\x1a;\xacB]rqzu\xe8\rr\x19\x19p'\xbe\xe6z\xba " ) user_box2 = Box(private_key2, public_key1) decrypted = user_box2.decrypt(content2).decode("utf-8") with open(file, "w") as text_file: text_file.write(decrypted) text_file.close()
def get_node(node_to_ask, recipient_guid, public_key): def parse_response(response): if not response[0]: self.send_message(Node(unhexlify(recipient_guid)), public_key, objects.PlaintextMessage.Type.Value("DISPUTE_CLOSE"), dispute_json, order_id, store_only=True) if node_to_ask: skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(dispute_json, indent=4), nonce) d = self.protocol.callDisputeClose(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def stream_encrypt(stream, target_pub, origin_priv): # XXX if known, we should use the data size in the zfill # so the len of the data can be checked when decrypted priv = PrivateKey(binascii.unhexlify(origin_priv)) pub = PublicKey(binascii.unhexlify(target_pub)) box = Box(priv, pub) pos = 0 def _encrypt(data, pos): data += str(pos).zfill(10) nonce = nacl.utils.random(Box.NONCE_SIZE) return binascii.hexlify(box.encrypt(data, nonce)) while True: data = stream.read(_CHUNK) if not data: break yield _encrypt(data, pos) pos += 1
def stream_decrypt(stream, origin_pub, target_priv): priv = PrivateKey(binascii.unhexlify(target_priv)) pub = PublicKey(binascii.unhexlify(origin_pub)) box = Box(priv, pub) pos = 0 while True: data = stream.read(_HEX_ENC_CHUNK) if not data: break data = box.decrypt(binascii.unhexlify(data)) found_pos = int(data[-_ENC_POS_SIZE:]) data = data[:-_ENC_POS_SIZE] if pos != found_pos: raise DecryptError('Mismatch') yield data pos += 1
def test_sealed_box_encryption(privalice, pubalice, plaintext, _encrypted): pubalice = PublicKey(pubalice, encoder=HexEncoder) privalice = PrivateKey(privalice, encoder=HexEncoder) box = SealedBox(pubalice) encrypted = box.encrypt( binascii.unhexlify(plaintext), encoder=HexEncoder, ) assert encrypted != _encrypted # since SealedBox.encrypt uses an ephemeral sender's keypair box2 = SealedBox(privalice) decrypted = box2.decrypt( encrypted, encoder=HexEncoder, ) assert binascii.hexlify(decrypted) == plaintext assert bytes(box) == bytes(box2)
def __init__(self, privk_path, pubk_path): with open(privk_path, "rb") as privk: self.privk = PrivateKey( load_pem_private_key( privk.read(), password=None, backend=default_backend(), ).private_bytes(Encoding.Raw, PrivateFormat.Raw, NoEncryption()), RawEncoder, ) with open(pubk_path, "rb") as pubk: self.pubk = PublicKey( load_pem_public_key( pubk.read(), backend=default_backend(), ).public_bytes(Encoding.Raw, PublicFormat.Raw), RawEncoder, ) self.box = Box(self.privk, self.pubk)
def setUp(self): box = PrivateKey.generate() private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder) public_key_hex = box.public_key.encode( encoder=nacl.encoding.HexEncoder) private_key_hex = encrypt_with_db_secret(private_key_hex.decode()) public_key_hex = encrypt_with_db_secret(public_key_hex.decode()) self.cluster = models.Fileserver_Cluster.objects.create( title='Some Title', auth_public_key=public_key_hex, auth_private_key=private_key_hex, file_size_limit=0, ) self.shard = models.Fileserver_Shard.objects.create( title='Some Title', description='Some description', )
def create_from_private_key(self, private_key): priv = PrivateKey(bytes.fromhex(private_key)) publ = priv.public_key self.public_key = public_key = encode(publ._public_key) secret_key = encode(priv._private_key) base_filename = os.path.join(self.keys_dir, self.keyname) secret_key_file = "{0}.key_secret".format(base_filename) public_key_file = "{0}.key".format(base_filename) now = datetime.datetime.now() zmq.auth.certs._write_key_file( public_key_file, zmq.auth.certs._cert_public_banner.format(now), public_key) zmq.auth.certs._write_key_file( secret_key_file, zmq.auth.certs._cert_secret_banner.format(now), public_key, secret_key=secret_key)
def setup_secure_channel(self): if not self.connected or self.default_ssl: return False private_key = PrivateKey(read_encryption_key('server', 'private'), encoder=HexEncoder) client_public_key = PublicKey(read_encryption_key('client', 'public'), encoder=HexEncoder) print('Server: Keys loaded.') # Create a secret key and send it to the client box = Box(private_key, client_public_key) secret_key = random(SecretBox.KEY_SIZE) encrypted = box.encrypt(secret_key) send_message(self.socket, sign(self._signing_key, encrypted)) print('Server: Secret key sent.') # Setup symmetric encryption using the secret key self._set_secret_key(secret_key) return True