def with_signing_key(self, signing_key):
# type: (bytes) -> EncryptionMaterials
"""Get new encryption materials that also include this signing key.
.. versionadded:: 1.5.0
:param bytes signing_key: Signing key
:rtype: EncryptionMaterials
:raises AttributeError: if signing key is already set
:raises SignatureKeyError: if algorithm suite does not support signing keys
"""
if self.signing_key is not None:
raise AttributeError("Signing key is already set.")
if self.algorithm.signing_algorithm_info is None:
raise SignatureKeyError("Algorithm suite does not support signing keys.")
new_materials = copy.copy(self)
# Verify that the signing key matches the algorithm
Signer.from_key_bytes(algorithm=new_materials.algorithm, key_bytes=signing_key)
new_materials._setattr("signing_key", signing_key) # simplify access to copies pylint: disable=protected-access
return new_materials
def test_f_signer_from_key_bytes():
check = Signer(algorithm=ALGORITHM, key=VALUES['ecc_private_key_prime'])
test = Signer.from_key_bytes(
algorithm=ALGORITHM,
key_bytes=VALUES['ecc_private_key_prime_private_bytes'])
assert check.key.private_numbers(
).private_value == test.key.private_numbers().private_value
def test_signer_key_bytes_cycle():
key = ec.generate_private_key(curve=ec.SECP384R1, backend=default_backend())
signer = Signer(algorithm=aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, key=key)
key_bytes = signer.key_bytes()
new_signer = Signer.from_key_bytes(
algorithm=aws_encryption_sdk.Algorithm.AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384, key_bytes=key_bytes
)
assert new_signer.key.private_numbers().private_value == signer.key.private_numbers().private_value
def test_signer_key_bytes(patch_default_backend, patch_serialization,
patch_build_hasher):
private_key = MagicMock()
signer = Signer(MagicMock(), key=private_key)
test = signer.key_bytes()
assert test is private_key.private_bytes.return_value
private_key.private_bytes.assert_called_once_with(
encoding=patch_serialization.Encoding.DER,
format=patch_serialization.PrivateFormat.PKCS8,
encryption_algorithm=patch_serialization.NoEncryption.return_value)
def test_signer_encoded_public_key(patch_default_backend, patch_serialization,
patch_build_hasher,
patch_ecc_encode_compressed_point,
patch_base64):
patch_ecc_encode_compressed_point.return_value = sentinel.compressed_point
patch_base64.b64encode.return_value = sentinel.encoded_point
private_key = MagicMock()
signer = Signer(MagicMock(), key=private_key)
test_key = signer.encoded_public_key()
patch_ecc_encode_compressed_point.assert_called_once_with(private_key)
patch_base64.b64encode.assert_called_once_with(sentinel.compressed_point)
assert test_key == sentinel.encoded_point
def test_signer_finalize(patch_default_backend, patch_serialization,
patch_build_hasher,
patch_ecc_static_length_signature):
algorithm = MagicMock()
private_key = MagicMock()
signer = Signer(algorithm, key=private_key)
test_signature = signer.finalize()
patch_build_hasher.return_value.finalize.assert_called_once_with()
patch_ecc_static_length_signature.assert_called_once_with(
key=private_key,
algorithm=algorithm,
digest=patch_build_hasher.return_value.finalize.return_value)
assert test_signature is patch_ecc_static_length_signature.return_value
def _prep_message(self):
"""Performs initial message setup.
:raises MasterKeyProviderError: if primary master key is not a member of supplied MasterKeyProvider
:raises MasterKeyProviderError: if no Master Keys are returned from key_provider
"""
validate_commitment_policy_on_encrypt(self.config.commitment_policy,
self.config.algorithm)
try:
plaintext_length = self.stream_length
except NotSupportedError:
plaintext_length = None
encryption_materials_request = EncryptionMaterialsRequest(
algorithm=self.config.algorithm,
encryption_context=self.config.encryption_context.copy(),
frame_length=self.config.frame_length,
plaintext_rostream=aws_encryption_sdk.internal.utils.streams.
ROStream(self.source_stream),
plaintext_length=plaintext_length,
commitment_policy=self.config.commitment_policy,
)
self._encryption_materials = self.config.materials_manager.get_encryption_materials(
request=encryption_materials_request)
if self.config.algorithm is not None and self._encryption_materials.algorithm != self.config.algorithm:
raise ActionNotAllowedError(
("Cryptographic materials manager provided algorithm suite"
" differs from algorithm suite in request.\n"
"Required: {requested}\n"
"Provided: {provided}").format(
requested=self.config.algorithm,
provided=self._encryption_materials.algorithm))
if self._encryption_materials.signing_key is None:
self.signer = None
else:
self.signer = Signer.from_key_bytes(
algorithm=self._encryption_materials.algorithm,
key_bytes=self._encryption_materials.signing_key)
aws_encryption_sdk.internal.utils.validate_frame_length(
frame_length=self.config.frame_length,
algorithm=self._encryption_materials.algorithm)
message_id = aws_encryption_sdk.internal.utils.message_id(
self._encryption_materials.algorithm.message_id_length())
self._derived_data_key = derive_data_encryption_key(
source_key=self._encryption_materials.data_encryption_key.data_key,
algorithm=self._encryption_materials.algorithm,
message_id=message_id,
)
self._header = self.generate_header(message_id)
self._write_header()
if self.content_type == ContentType.NO_FRAMING:
self._prep_non_framed()
self._message_prepped = True
def _generate_signing_key_and_update_encryption_context(
self, algorithm, encryption_context):
"""Generates a signing key based on the provided algorithm.
:param algorithm: Algorithm for which to generate signing key
:type algorithm: aws_encryption_sdk.identifiers.Algorithm
:param dict encryption_context: Encryption context from request
:returns: Signing key bytes
:rtype: bytes or None
"""
_LOGGER.debug("Generating signing key")
if algorithm.signing_algorithm_info is None:
return None
signer = Signer(algorithm=algorithm,
key=generate_ecc_signing_key(algorithm=algorithm))
encryption_context[ENCODED_SIGNER_KEY] = to_str(
signer.encoded_public_key())
return signer.key_bytes()
def test_signer_from_key_bytes(patch_default_backend, patch_serialization,
patch_build_hasher):
_algorithm = MagicMock()
signer = Signer.from_key_bytes(algorithm=_algorithm,
key_bytes=sentinel.key_bytes)
patch_serialization.load_der_private_key.assert_called_once_with(
data=sentinel.key_bytes,
password=None,
backend=patch_default_backend.return_value)
assert isinstance(signer, Signer)
assert signer.algorithm is _algorithm
assert signer.key is patch_serialization.load_der_private_key.return_value
def test_f_signer_key_bytes():
test = Signer(algorithm=ALGORITHM, key=VALUES['ecc_private_key_prime'])
assert test.key_bytes() == VALUES['ecc_private_key_prime_private_bytes']
def test_signer_update(patch_default_backend, patch_serialization,
patch_build_hasher):
signer = Signer(MagicMock(), key=MagicMock())
signer.update(sentinel.data)
patch_build_hasher.return_value.update.assert_called_once_with(
sentinel.data)
