def setup_keys(self, dh_object, public_key, private_key):
"""Set up private and public key into DiffieHellman object."""
public_numbers = DHPublicNumbers(base64ToLong(public_key),
dh_object.parameter_numbers)
private_numbers = DHPrivateNumbers(base64ToLong(private_key),
public_numbers)
dh_object.private_key = private_numbers.private_key(default_backend())
def test_public(self):
dh = DiffieHellman.fromDefaults()
self.setup_keys(dh, self.server_public_key, self.server_private_key)
warning_msg = "Attribute 'public' is deprecated. Use 'public_key' instead."
with ShouldWarn(DeprecationWarning(warning_msg)):
warnings.simplefilter('always')
self.assertEqual(dh.public, base64ToLong(self.server_public_key))
def test_public(self):
dh = DiffieHellman.fromDefaults()
self.setup_keys(dh, self.server_public_key, self.server_private_key)
warning_msg = "Attribute 'public' is deprecated. Use 'public_key' instead."
with ShouldWarn(DeprecationWarning(warning_msg)):
warnings.simplefilter('always')
self.assertEqual(dh.public, base64ToLong(self.server_public_key))
def test_exchange_dynamic(self):
# Test complete key exchange with random values
# Consumer part
consumer_dh = DiffieHellman.fromDefaults()
consumer_public_key = consumer_dh.public_key
# Server part
secret = os.urandom(32)
server_dh = DiffieHellman.fromDefaults()
mac_key = server_dh.xorSecret(base64ToLong(consumer_public_key),
secret, sha256)
server_public_key = server_dh.public_key
# Consumer part
shared_secret = consumer_dh.xorSecret(base64ToLong(server_public_key),
mac_key, sha256)
# Check secret was negotiated correctly
self.assertEqual(secret, shared_secret)
def test_getSharedSecret(self):
# Test the deprecated method
consumer_dh = DiffieHellman.fromDefaults()
self.setup_keys(consumer_dh, self.consumer_public_key, self.consumer_private_key)
warning_msg = "Method 'getSharedSecret' is deprecated in favor of '_get_shared_secret'."
with ShouldWarn(DeprecationWarning(warning_msg)):
warnings.simplefilter('always')
self.assertEqual(consumer_dh.getSharedSecret(self.server_public_key), base64ToLong(self.shared_secret))
def test_base64ToLong():
f = open(os.path.join(os.path.dirname(__file__), 'n2b64'))
try:
for line in f:
parts = line.strip().split(' ')
assert int(parts[1]) == cryptutil.base64ToLong(parts[0])
finally:
f.close()
def test_base64ToLong(self):
f = open(os.path.join(os.path.dirname(__file__), 'n2b64'))
try:
for line in f:
parts = line.strip().split(' ')
assert int(parts[1]) == cryptutil.base64ToLong(parts[0])
finally:
f.close()
def __init__(self, modulus, generator):
"""Create a new instance.
@type modulus: six.text_type, Union[six.integer_types] are deprecated
@type generator: six.text_type, Union[six.integer_types] are deprecated
"""
if isinstance(modulus, six.integer_types):
warnings.warn("Modulus should be passed as base64 encoded string.")
else:
modulus = cryptutil.base64ToLong(modulus)
if isinstance(generator, six.integer_types):
warnings.warn("Generator should be passed as base64 encoded string.")
else:
generator = cryptutil.base64ToLong(generator)
self.parameter_numbers = DHParameterNumbers(modulus, generator)
parameters = self.parameter_numbers.parameters(default_backend())
self.private_key = parameters.generate_private_key()
def _get_shared_secret(self, public_key):
"""Return a shared secret.
@param public_key: Base64 encoded public key of the other party.
@type public_key: six.text_type
@rtype: six.binary_type
"""
public_numbers = DHPublicNumbers(cryptutil.base64ToLong(public_key), self.parameter_numbers)
return self.private_key.exchange(public_numbers.public_key(default_backend()))
def __init__(self, modulus, generator):
"""Create a new instance.
@type modulus: six.text_type, Union[six.integer_types] are deprecated
@type generator: six.text_type, Union[six.integer_types] are deprecated
"""
if isinstance(modulus, six.integer_types):
warnings.warn("Modulus should be passed as base64 encoded string.")
else:
modulus = cryptutil.base64ToLong(modulus)
if isinstance(generator, six.integer_types):
warnings.warn(
"Generator should be passed as base64 encoded string.")
else:
generator = cryptutil.base64ToLong(generator)
self.parameter_numbers = DHParameterNumbers(modulus, generator)
parameters = self.parameter_numbers.parameters(default_backend())
self.private_key = parameters.generate_private_key()
def test_getSharedSecret(self):
# Test the deprecated method
consumer_dh = DiffieHellman.fromDefaults()
self.setup_keys(consumer_dh, self.consumer_public_key,
self.consumer_private_key)
warning_msg = "Method 'getSharedSecret' is deprecated in favor of '_get_shared_secret'."
with ShouldWarn(DeprecationWarning(warning_msg)):
warnings.simplefilter('always')
self.assertEqual(
consumer_dh.getSharedSecret(self.server_public_key),
base64ToLong(self.shared_secret))
def _get_shared_secret(self, public_key):
"""Return a shared secret.
@param public_key: Base64 encoded public key of the other party.
@type public_key: six.text_type
@rtype: six.binary_type
"""
public_numbers = DHPublicNumbers(cryptutil.base64ToLong(public_key),
self.parameter_numbers)
return self.private_key.exchange(
public_numbers.public_key(default_backend()))
def fromQuery(cls, query):
"""
@param query: The associate request's query parameters
@type query: {str:str}
@returntype: L{DiffieHellmanServerSession}
@raises ProtocolError: When parameters required to establish the
session are missing.
"""
dh_modulus = query.get('openid.dh_modulus')
dh_gen = query.get('openid.dh_gen')
if (dh_modulus is None and dh_gen is not None or
dh_gen is None and dh_modulus is not None):
if dh_modulus is None:
missing = 'modulus'
else:
missing = 'generator'
raise ProtocolError('If non-default modulus or generator is '
'supplied, both must be supplied. Missing %s'
% (missing,))
if dh_modulus or dh_gen:
dh_modulus = cryptutil.base64ToLong(dh_modulus)
dh_gen = cryptutil.base64ToLong(dh_gen)
dh = DiffieHellman(dh_modulus, dh_gen)
else:
dh = DiffieHellman.fromDefaults()
consumer_pubkey = query.get('openid.dh_consumer_public')
if consumer_pubkey is None:
raise ProtocolError("Public key for DH-SHA1 session "
"not found in query %s" % (query,))
consumer_pubkey = cryptutil.base64ToLong(consumer_pubkey)
return cls(dh, consumer_pubkey)
def fromQuery(cls, query):
"""
@param query: The associate request's query parameters
@type query: {str:str}
@returntype: L{DiffieHellmanServerSession}
@raises ProtocolError: When parameters required to establish the
session are missing.
"""
dh_modulus = query.get('openid.dh_modulus')
dh_gen = query.get('openid.dh_gen')
if (dh_modulus is None and dh_gen is not None
or dh_gen is None and dh_modulus is not None):
if dh_modulus is None:
missing = 'modulus'
else:
missing = 'generator'
raise ProtocolError('If non-default modulus or generator is '
'supplied, both must be supplied. Missing %s' %
(missing, ))
if dh_modulus or dh_gen:
dh_modulus = cryptutil.base64ToLong(dh_modulus)
dh_gen = cryptutil.base64ToLong(dh_gen)
dh = DiffieHellman(dh_modulus, dh_gen)
else:
dh = DiffieHellman.fromDefaults()
consumer_pubkey = query.get('openid.dh_consumer_public')
if consumer_pubkey is None:
raise ProtocolError("Public key for DH-SHA1 session "
"not found in query %s" % (query, ))
consumer_pubkey = cryptutil.base64ToLong(consumer_pubkey)
return cls(dh, consumer_pubkey)
def test_xorSecret(self):
# Test key exchange - deprecated method
server_dh = DiffieHellman.fromDefaults()
self.setup_keys(server_dh, self.server_public_key, self.server_private_key)
def sha256(value):
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(value)
return digest.finalize()
warning_msg = "Method 'xorSecret' is deprecated, use 'xor_secret' instead."
with ShouldWarn(DeprecationWarning(warning_msg)):
warnings.simplefilter('always')
secret = server_dh.xorSecret(base64ToLong(self.consumer_public_key), base64.b64decode(self.secret), sha256)
self.assertEqual(secret, base64.b64decode(self.mac_key))
def test_xorSecret(self):
# Test key exchange - deprecated method
server_dh = DiffieHellman.fromDefaults()
self.setup_keys(server_dh, self.server_public_key,
self.server_private_key)
def sha256(value):
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(value)
return digest.finalize()
warning_msg = "Method 'xorSecret' is deprecated, use 'xor_secret' instead."
with ShouldWarn(DeprecationWarning(warning_msg)):
warnings.simplefilter('always')
secret = server_dh.xorSecret(
base64ToLong(self.consumer_public_key),
base64.b64decode(self.secret), sha256)
self.assertEqual(secret, base64.b64decode(self.mac_key))
def test_dh(self):
from openid.dh import DiffieHellman
from openid.server.server import DiffieHellmanServerSession
consumer_dh = DiffieHellman.fromDefaults()
cpub = consumer_dh.public
session = DiffieHellmanServerSession(DiffieHellman.fromDefaults(), cpub)
self.request = server.AssociateRequest(session)
response = self.request.answer(self.assoc)
rfg = response.fields.get
self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA1")
self.failUnlessEqual(rfg("assoc_handle"), self.assoc.handle)
self.failIf(rfg("mac_key"))
self.failUnlessEqual(rfg("session_type"), "DH-SHA1")
self.failUnless(rfg("enc_mac_key"))
self.failUnless(rfg("dh_server_public"))
enc_key = rfg("enc_mac_key").decode('base64')
spub = cryptutil.base64ToLong(rfg("dh_server_public"))
secret = consumer_dh.xorSecret(spub, enc_key)
self.failUnlessEqual(secret, self.assoc.secret)
}
params.update(assoc_session.getRequest())
params = dict([('openid.%s' % key, value) for key, value in params.items()])
response = {}
try:
data = urllib2.urlopen(urllib2.Request(endpoint, data=urllib.urlencode(params)))
response_data = data.read(1024 * 1024)
response = dict([tuple(arg.split(':', 1)) for arg in response_data.split()])
except urllib2.HTTPError, err:
logger.error('OpenID Association process failed. %s' % err)
raise err
required = ['dh_server_public', 'enc_mac_key', 'assoc_handle', 'assoc_type', 'session_type', 'expires_in', 'ns']
if not response or Set(required).difference(Set(response.keys())):
logger.error('There is a difference in expected OpenID keys')
raise Exception('OpenID response is not valid.')
dh_server_public = cryptutil.base64ToLong(response.get('dh_server_public'))
enc_mac_key = base64.b64decode(response.get('enc_mac_key'))
secret = assoc_session.dh.xorSecret(dh_server_public, enc_mac_key, assoc_session.hash_func)
return {
'server_url': endpoint,
'handle': response['assoc_handle'],
'secret': base64.b64encode(secret),
'lifetime': int(response['expires_in']),
'assoc_type': response['assoc_type'],
}
def test_init_int(self):
dh = DiffieHellman(base64ToLong(DEFAULT_DH_MODULUS), base64ToLong(DEFAULT_DH_GENERATOR))
self.assertTrue(dh.usingDefaultValues())
def test_init_int(self):
dh = DiffieHellman(base64ToLong(DEFAULT_DH_MODULUS),
base64ToLong(DEFAULT_DH_GENERATOR))
self.assertTrue(dh.usingDefaultValues())
def extractSecret(self, response):
spub = cryptutil.base64ToLong(response['dh_server_public'])
enc_mac_key = oidutil.fromBase64(response['enc_mac_key'])
return self.dh.xorSecret(spub, enc_mac_key)
try:
data = urllib2.urlopen(
urllib2.Request(endpoint, data=urllib.urlencode(params)))
response_data = data.read(1024 * 1024)
response = dict(
[tuple(arg.split(':', 1)) for arg in response_data.split()])
except urllib2.HTTPError, err:
logger.error('OpenID Association process failed. %s' % err)
raise err
required = [
'dh_server_public', 'enc_mac_key', 'assoc_handle', 'assoc_type',
'session_type', 'expires_in', 'ns'
]
if not response or Set(required).difference(Set(response.keys())):
logger.error('There is a difference in expected OpenID keys')
raise Exception('OpenID response is not valid.')
dh_server_public = cryptutil.base64ToLong(response.get('dh_server_public'))
enc_mac_key = base64.b64decode(response.get('enc_mac_key'))
secret = assoc_session.dh.xorSecret(dh_server_public, enc_mac_key,
assoc_session.hash_func)
return {
'server_url': endpoint,
'handle': response['assoc_handle'],
'secret': base64.b64encode(secret),
'lifetime': int(response['expires_in']),
'assoc_type': response['assoc_type'],
}
def setup_keys(self, dh_object, public_key, private_key):
"""Set up private and public key into DiffieHellman object."""
public_numbers = DHPublicNumbers(base64ToLong(public_key), dh_object.parameter_numbers)
private_numbers = DHPrivateNumbers(base64ToLong(private_key), public_numbers)
dh_object.private_key = private_numbers.private_key(default_backend())
