def setup_keys(self, dh_object, public_key, private_key): """Set up private and public key into DiffieHellman object.""" public_numbers = DHPublicNumbers(base64ToLong(public_key), dh_object.parameter_numbers) private_numbers = DHPrivateNumbers(base64ToLong(private_key), public_numbers) dh_object.private_key = private_numbers.private_key(default_backend())
def test_public(self): dh = DiffieHellman.fromDefaults() self.setup_keys(dh, self.server_public_key, self.server_private_key) warning_msg = "Attribute 'public' is deprecated. Use 'public_key' instead." with ShouldWarn(DeprecationWarning(warning_msg)): warnings.simplefilter('always') self.assertEqual(dh.public, base64ToLong(self.server_public_key))
def test_exchange_dynamic(self): # Test complete key exchange with random values # Consumer part consumer_dh = DiffieHellman.fromDefaults() consumer_public_key = consumer_dh.public_key # Server part secret = os.urandom(32) server_dh = DiffieHellman.fromDefaults() mac_key = server_dh.xorSecret(base64ToLong(consumer_public_key), secret, sha256) server_public_key = server_dh.public_key # Consumer part shared_secret = consumer_dh.xorSecret(base64ToLong(server_public_key), mac_key, sha256) # Check secret was negotiated correctly self.assertEqual(secret, shared_secret)
def test_getSharedSecret(self): # Test the deprecated method consumer_dh = DiffieHellman.fromDefaults() self.setup_keys(consumer_dh, self.consumer_public_key, self.consumer_private_key) warning_msg = "Method 'getSharedSecret' is deprecated in favor of '_get_shared_secret'." with ShouldWarn(DeprecationWarning(warning_msg)): warnings.simplefilter('always') self.assertEqual(consumer_dh.getSharedSecret(self.server_public_key), base64ToLong(self.shared_secret))
def test_base64ToLong(): f = open(os.path.join(os.path.dirname(__file__), 'n2b64')) try: for line in f: parts = line.strip().split(' ') assert int(parts[1]) == cryptutil.base64ToLong(parts[0]) finally: f.close()
def test_base64ToLong(self): f = open(os.path.join(os.path.dirname(__file__), 'n2b64')) try: for line in f: parts = line.strip().split(' ') assert int(parts[1]) == cryptutil.base64ToLong(parts[0]) finally: f.close()
def __init__(self, modulus, generator): """Create a new instance. @type modulus: six.text_type, Union[six.integer_types] are deprecated @type generator: six.text_type, Union[six.integer_types] are deprecated """ if isinstance(modulus, six.integer_types): warnings.warn("Modulus should be passed as base64 encoded string.") else: modulus = cryptutil.base64ToLong(modulus) if isinstance(generator, six.integer_types): warnings.warn("Generator should be passed as base64 encoded string.") else: generator = cryptutil.base64ToLong(generator) self.parameter_numbers = DHParameterNumbers(modulus, generator) parameters = self.parameter_numbers.parameters(default_backend()) self.private_key = parameters.generate_private_key()
def _get_shared_secret(self, public_key): """Return a shared secret. @param public_key: Base64 encoded public key of the other party. @type public_key: six.text_type @rtype: six.binary_type """ public_numbers = DHPublicNumbers(cryptutil.base64ToLong(public_key), self.parameter_numbers) return self.private_key.exchange(public_numbers.public_key(default_backend()))
def __init__(self, modulus, generator): """Create a new instance. @type modulus: six.text_type, Union[six.integer_types] are deprecated @type generator: six.text_type, Union[six.integer_types] are deprecated """ if isinstance(modulus, six.integer_types): warnings.warn("Modulus should be passed as base64 encoded string.") else: modulus = cryptutil.base64ToLong(modulus) if isinstance(generator, six.integer_types): warnings.warn( "Generator should be passed as base64 encoded string.") else: generator = cryptutil.base64ToLong(generator) self.parameter_numbers = DHParameterNumbers(modulus, generator) parameters = self.parameter_numbers.parameters(default_backend()) self.private_key = parameters.generate_private_key()
def test_getSharedSecret(self): # Test the deprecated method consumer_dh = DiffieHellman.fromDefaults() self.setup_keys(consumer_dh, self.consumer_public_key, self.consumer_private_key) warning_msg = "Method 'getSharedSecret' is deprecated in favor of '_get_shared_secret'." with ShouldWarn(DeprecationWarning(warning_msg)): warnings.simplefilter('always') self.assertEqual( consumer_dh.getSharedSecret(self.server_public_key), base64ToLong(self.shared_secret))
def _get_shared_secret(self, public_key): """Return a shared secret. @param public_key: Base64 encoded public key of the other party. @type public_key: six.text_type @rtype: six.binary_type """ public_numbers = DHPublicNumbers(cryptutil.base64ToLong(public_key), self.parameter_numbers) return self.private_key.exchange( public_numbers.public_key(default_backend()))
def fromQuery(cls, query): """ @param query: The associate request's query parameters @type query: {str:str} @returntype: L{DiffieHellmanServerSession} @raises ProtocolError: When parameters required to establish the session are missing. """ dh_modulus = query.get('openid.dh_modulus') dh_gen = query.get('openid.dh_gen') if (dh_modulus is None and dh_gen is not None or dh_gen is None and dh_modulus is not None): if dh_modulus is None: missing = 'modulus' else: missing = 'generator' raise ProtocolError('If non-default modulus or generator is ' 'supplied, both must be supplied. Missing %s' % (missing,)) if dh_modulus or dh_gen: dh_modulus = cryptutil.base64ToLong(dh_modulus) dh_gen = cryptutil.base64ToLong(dh_gen) dh = DiffieHellman(dh_modulus, dh_gen) else: dh = DiffieHellman.fromDefaults() consumer_pubkey = query.get('openid.dh_consumer_public') if consumer_pubkey is None: raise ProtocolError("Public key for DH-SHA1 session " "not found in query %s" % (query,)) consumer_pubkey = cryptutil.base64ToLong(consumer_pubkey) return cls(dh, consumer_pubkey)
def fromQuery(cls, query): """ @param query: The associate request's query parameters @type query: {str:str} @returntype: L{DiffieHellmanServerSession} @raises ProtocolError: When parameters required to establish the session are missing. """ dh_modulus = query.get('openid.dh_modulus') dh_gen = query.get('openid.dh_gen') if (dh_modulus is None and dh_gen is not None or dh_gen is None and dh_modulus is not None): if dh_modulus is None: missing = 'modulus' else: missing = 'generator' raise ProtocolError('If non-default modulus or generator is ' 'supplied, both must be supplied. Missing %s' % (missing, )) if dh_modulus or dh_gen: dh_modulus = cryptutil.base64ToLong(dh_modulus) dh_gen = cryptutil.base64ToLong(dh_gen) dh = DiffieHellman(dh_modulus, dh_gen) else: dh = DiffieHellman.fromDefaults() consumer_pubkey = query.get('openid.dh_consumer_public') if consumer_pubkey is None: raise ProtocolError("Public key for DH-SHA1 session " "not found in query %s" % (query, )) consumer_pubkey = cryptutil.base64ToLong(consumer_pubkey) return cls(dh, consumer_pubkey)
def test_xorSecret(self): # Test key exchange - deprecated method server_dh = DiffieHellman.fromDefaults() self.setup_keys(server_dh, self.server_public_key, self.server_private_key) def sha256(value): digest = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest.update(value) return digest.finalize() warning_msg = "Method 'xorSecret' is deprecated, use 'xor_secret' instead." with ShouldWarn(DeprecationWarning(warning_msg)): warnings.simplefilter('always') secret = server_dh.xorSecret(base64ToLong(self.consumer_public_key), base64.b64decode(self.secret), sha256) self.assertEqual(secret, base64.b64decode(self.mac_key))
def test_xorSecret(self): # Test key exchange - deprecated method server_dh = DiffieHellman.fromDefaults() self.setup_keys(server_dh, self.server_public_key, self.server_private_key) def sha256(value): digest = hashes.Hash(hashes.SHA256(), backend=default_backend()) digest.update(value) return digest.finalize() warning_msg = "Method 'xorSecret' is deprecated, use 'xor_secret' instead." with ShouldWarn(DeprecationWarning(warning_msg)): warnings.simplefilter('always') secret = server_dh.xorSecret( base64ToLong(self.consumer_public_key), base64.b64decode(self.secret), sha256) self.assertEqual(secret, base64.b64decode(self.mac_key))
def test_dh(self): from openid.dh import DiffieHellman from openid.server.server import DiffieHellmanServerSession consumer_dh = DiffieHellman.fromDefaults() cpub = consumer_dh.public session = DiffieHellmanServerSession(DiffieHellman.fromDefaults(), cpub) self.request = server.AssociateRequest(session) response = self.request.answer(self.assoc) rfg = response.fields.get self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA1") self.failUnlessEqual(rfg("assoc_handle"), self.assoc.handle) self.failIf(rfg("mac_key")) self.failUnlessEqual(rfg("session_type"), "DH-SHA1") self.failUnless(rfg("enc_mac_key")) self.failUnless(rfg("dh_server_public")) enc_key = rfg("enc_mac_key").decode('base64') spub = cryptutil.base64ToLong(rfg("dh_server_public")) secret = consumer_dh.xorSecret(spub, enc_key) self.failUnlessEqual(secret, self.assoc.secret)
} params.update(assoc_session.getRequest()) params = dict([('openid.%s' % key, value) for key, value in params.items()]) response = {} try: data = urllib2.urlopen(urllib2.Request(endpoint, data=urllib.urlencode(params))) response_data = data.read(1024 * 1024) response = dict([tuple(arg.split(':', 1)) for arg in response_data.split()]) except urllib2.HTTPError, err: logger.error('OpenID Association process failed. %s' % err) raise err required = ['dh_server_public', 'enc_mac_key', 'assoc_handle', 'assoc_type', 'session_type', 'expires_in', 'ns'] if not response or Set(required).difference(Set(response.keys())): logger.error('There is a difference in expected OpenID keys') raise Exception('OpenID response is not valid.') dh_server_public = cryptutil.base64ToLong(response.get('dh_server_public')) enc_mac_key = base64.b64decode(response.get('enc_mac_key')) secret = assoc_session.dh.xorSecret(dh_server_public, enc_mac_key, assoc_session.hash_func) return { 'server_url': endpoint, 'handle': response['assoc_handle'], 'secret': base64.b64encode(secret), 'lifetime': int(response['expires_in']), 'assoc_type': response['assoc_type'], }
def test_init_int(self): dh = DiffieHellman(base64ToLong(DEFAULT_DH_MODULUS), base64ToLong(DEFAULT_DH_GENERATOR)) self.assertTrue(dh.usingDefaultValues())
def extractSecret(self, response): spub = cryptutil.base64ToLong(response['dh_server_public']) enc_mac_key = oidutil.fromBase64(response['enc_mac_key']) return self.dh.xorSecret(spub, enc_mac_key)
try: data = urllib2.urlopen( urllib2.Request(endpoint, data=urllib.urlencode(params))) response_data = data.read(1024 * 1024) response = dict( [tuple(arg.split(':', 1)) for arg in response_data.split()]) except urllib2.HTTPError, err: logger.error('OpenID Association process failed. %s' % err) raise err required = [ 'dh_server_public', 'enc_mac_key', 'assoc_handle', 'assoc_type', 'session_type', 'expires_in', 'ns' ] if not response or Set(required).difference(Set(response.keys())): logger.error('There is a difference in expected OpenID keys') raise Exception('OpenID response is not valid.') dh_server_public = cryptutil.base64ToLong(response.get('dh_server_public')) enc_mac_key = base64.b64decode(response.get('enc_mac_key')) secret = assoc_session.dh.xorSecret(dh_server_public, enc_mac_key, assoc_session.hash_func) return { 'server_url': endpoint, 'handle': response['assoc_handle'], 'secret': base64.b64encode(secret), 'lifetime': int(response['expires_in']), 'assoc_type': response['assoc_type'], }