Esempio n. 1
0
def proof_create(chall_id, chall_sk):
    chall_id = chall_id.encode('utf-8')

    assert isinstance(chall_id, bytes)
    assert isinstance(chall_sk, bytes)

    team_sk = TeamSecrets['sign_sk']

    membership_proof = pysodium.crypto_sign(chall_id, team_sk)
    proof = pysodium.crypto_sign(membership_proof, chall_sk)

    return b64encode(proof).decode('utf-8')
Esempio n. 2
0
    def data_received(self, data):
        res = b''

        if verbose:
            print('Data received: {!r}'.format(data))

        if data[64] == 0:
            res = self.create(data)
        elif data[64] == GET:
            # needs id, challenge, sig(id)
            # returns output from ./response | fail
            res = self.get(data)
        elif data[64] == CHANGE:
            # needs id, challenge, sig(id)
            # changes stored secret
            # returns output from ./response | fail
            res = self.change(data)
        elif data[64] == DELETE:
            # needs id, sig(id)
            # returns ok|fail
            res = self.delete(data)

        if verbose:
            print('Send: {!r}'.format(res))

        res = pysodium.crypto_sign(res, key)
        self.transport.write(res)

        if verbose:
            print('Close the client socket')
        self.transport.close()
Esempio n. 3
0
    def sync(self, pk, payload):
        """Update hg and return new event ids in topological order."""

        info = crypto_sign(dumps({c: self.height[h]
                for c, h in self.can_see[self.head].items()}), self.sk)
        msg = crypto_sign_open(self.network[pk](self.pk, info), pk)

        remote_head, remote_hg = loads(msg)
        new = tuple(toposort(remote_hg.keys() - self.hg.keys(),
                       lambda u: remote_hg[u].p))

        for h in new:
            ev = remote_hg[h]
            if self.is_valid_event(h, ev):
                self.add_event(h, ev)


        if self.is_valid_event(remote_head, remote_hg[remote_head]):
            h, ev = self.new_event(payload, (self.head, remote_head))
            # this really shouldn't fail, let's check it to be sure
            assert self.is_valid_event(h, ev)
            self.add_event(h, ev)
            self.head = h

        return new + (h,)
Esempio n. 4
0
 def test_crypto_sign_open(self):
     pk, sk = pysodium.crypto_sign_keypair()
     signed = pysodium.crypto_sign(b'howdy', sk)
     changed = signed[:pysodium.crypto_sign_BYTES] + b'0' + signed[
         pysodium.crypto_sign_BYTES + 1:]
     pysodium.crypto_sign_open(signed, pk)
     self.assertRaises(ValueError, pysodium.crypto_sign_open, changed, pk)
Esempio n. 5
0
 def savepublickeys(self):
     with open(get_pk_filename(self.basedir, self.name), 'wb') as fd:
         dates = '{:<32}{:<32}'.format(self.created.isoformat(),
                                       self.valid.isoformat())
         fd.write(
             nacl.crypto_sign(
                 self.mp + self.sp + self.cp + dates.encode() +
                 self.name.encode(), self.ms))
Esempio n. 6
0
def generate_innerbox(pk, sk, payload, version):
    ts = int(time.time()*1000)
    seq_ = seq.assign_seq()
    unused = 0
    to_sign = inner_pack.pack(version, ts, seq_, unused, payload)
    print(to_sign, payload)
    signed = pysodium.crypto_sign(to_sign, sk)
    return mid_pack.pack(pk, signed)
Esempio n. 7
0
 def doSphinx(self, message, host, b, pwd, cb):
   self.hostid=pysodium.crypto_generichash(host, self.getsalt(), 32)
   signed=pysodium.crypto_sign(message,self.getkey())
   loop = asyncio.get_event_loop()
   coro = loop.create_connection(lambda: SphinxClientProtocol(signed, loop, b, pwd, self, cb), address, port)
   try:
     loop.run_until_complete(coro)
     loop.run_forever()
   except:
     raise
Esempio n. 8
0
 def encrypt_keys(self, keyidxs, keys, topic, msgval=None):
   if (isinstance(topic,(bytes,bytearray))):
     self._logger.debug("passed a topic in bytes (should be string)")
     topic = topic.decode('utf-8')
   #
   # msgval should be a msgpacked chain.
   # The public key in the array is the public key to send the key to, using a
   # common DH-derived key between that public key and our private encryption key.
   # Then there is at least one more additional item, random bytes:
   # (3) random bytes
   # Currently items after this are ignored, and reserved for future use.
   #
   try:
     with self.__allowdenylist_lock:
       pk,_ = process_chain(msgval,topic,'key-encrypt-request',allowlist=self.__allowlist,denylist=self.__denylist)
     # Construct shared secret as sha256(topic || random0 || random1 || our_private*their_public)
     epk = self.__cryptokey.get_epk(topic, 'encrypt_keys')
     pks = [pk[2]]
     eks = self.__cryptokey.use_epk(topic, 'encrypt_keys',pks)
     ek = eks[0]
     eks[0] = epk
     random0 = pk[3]
     random1 = pysodium.randombytes(self.__randombytes)
     ss = pysodium.crypto_hash_sha256(topic.encode('utf-8') + random0 + random1 + ek)[0:pysodium.crypto_secretbox_KEYBYTES]
     nonce = pysodium.randombytes(pysodium.crypto_secretbox_NONCEBYTES)
     # encrypt keys and key indexes (MAC appended, nonce prepended)
     msg = []
     for i in range(0,len(keyidxs)):
       msg.append(keyidxs[i])
       msg.append(keys[i])
     msg = msgpack.packb(msg, use_bin_type=True)
     msg = nonce + pysodium.crypto_secretbox(msg,nonce,ss)
     # this is then put in a msgpack array with the appropriate max_age, poison, and public key(s)
     poison = msgpack.packb([['topics',[topic]],['usages',['key-encrypt']]], use_bin_type=True)
     msg = msgpack.packb([time()+self.__maxage,poison,eks,[random0,random1],msg], use_bin_type=True)
     # and signed with our signing key
     msg = self.__cryptokey.sign_spk(msg)
     # and finally put as last member of a msgpacked array chaining to ROT
     with self.__spk_chain_lock:
       tchain = self.__spk_chain.copy()
       if (len(tchain) == 0):
         poison = msgpack.packb([['topics',[topic]],['usages',['key-encrypt']],['pathlen',1]], use_bin_type=True)
         lastcert = msgpack.packb([time()+self.__maxage,poison,self.__cryptokey.get_spk()], use_bin_type=True)
         _,tempsk = pysodium.crypto_sign_seed_keypair(unhexlify(b'4c194f7de97c67626cc43fbdaf93dffbc4735352b37370072697d44254e1bc6c'))
         tchain.append(pysodium.crypto_sign(lastcert,tempsk))
         provision = msgpack.packb([msgpack.packb([0,b'\x90',self.__cryptokey.get_spk()]),self.__cryptokey.sign_spk(lastcert)], use_bin_type=True)
         self._logger.warning("Current signing chain is empty. Use %s to provision access and then remove temporary root of trust from allowedlist.", provision.hex())
     tchain.append(msg)
     msg = msgpack.packb(tchain, use_bin_type=True)
   except Exception as e:
     self._logger.warning("".join(format_exception_shim(e)))
     return None
   return msg
Esempio n. 9
0
 def doSphinx(self, message, b, pwd, cb):
     signed = pysodium.crypto_sign(message, self.getkey())
     sepk = self.getserverkey()
     sxpk = pysodium.crypto_sign_pk_to_box_pk(sepk)
     sealed = pysodium.crypto_box_seal(signed, sxpk)
     loop = asyncio.get_event_loop()
     coro = loop.create_connection(
         lambda: SphinxClientProtocol(sealed, loop, b, pwd, self, cb),
         address, port)
     try:
         loop.run_until_complete(coro)
         loop.run_forever()
     except:
         raise
Esempio n. 10
0
    def ask_sync(self, pk, info):
        """Respond to someone wanting to sync (only public method)."""

        # TODO: only send a diff? maybe with the help of self.height
        # TODO: thread safe? (allow to run while mainloop is running)

        cs = loads(crypto_sign_open(info, pk))

        subset = {h: self.hg[h] for h in bfs(
            (self.head,),
            lambda u: (p for p in self.hg[u].p
                       if self.hg[p].c not in cs or self.height[p] > cs[self.hg[p].c]))}
        msg = dumps((self.head, subset))
        return crypto_sign(msg, self.sk)
Esempio n. 11
0
def sign_message(message: bytes, secret: bytes) -> bytes:
    """
    Sign a message using a private signing key.

    Args:
        message: The message to sign
        secret: The private signing key

    Returns:
        The signature

    """
    result = pysodium.crypto_sign(message, secret)
    sig = result[:pysodium.crypto_sign_BYTES]
    return sig
Esempio n. 12
0
    def data_received(self, data):
        res = b''

        if verbose:
            print('Data received: {!r}'.format(data))

        esk, xsk, xpk = getkey(keydir)
        data = pysodium.crypto_box_seal_open(data, xpk, xsk)
        clearmem(xsk)

        if data[64] == 0:
            res = self.create(data)
        elif data[64] == GET:
            # needs id, challenge, sig(id)
            # returns output from ./response | fail
            res = self.get(data)
        elif data[64] == CHANGE:
            # needs id, challenge, sig(id)
            # changes stored secret
            # returns output from ./response | fail
            res = self.change(data)
        elif data[64] == DELETE:
            # needs id, sig(id)
            # returns ok|fail
            res = self.delete(data)
        elif data[64] == COMMIT:
            # needs id, sig(id)
            # returns ok|fail
            res = self.commit(data)

        if verbose:
            print('Send: {!r}'.format(res))

        res = pysodium.crypto_sign(res, esk)
        clearmem(esk)
        self.transport.write(res)

        if verbose:
            print('Close the client socket')
        self.transport.close()
Esempio n. 13
0
 def signed_epk(self, topic, epk=None):
   if (isinstance(topic,(bytes,bytearray))):
     self._logger.debug("passed a topic in bytes (should be string)")
     topic = topic.decode('utf-8')
   #
   # returns the public key of a current or given ephemeral key for the specified topic
   # (generating a new one if not present), signed by our signing key,
   # with a fresh random value, and with the chain to the ROT prepended.
   #
   try:
     if epk is None:
       epk = self.__cryptokey.get_epk(topic,'decrypt_keys')
     random0 = pysodium.randombytes(self.__randombytes)
     # we allow either direct-to-producer or via-controller key establishment
     poison = msgpack.packb([['topics',[topic]],['usages',['key-encrypt-request','key-encrypt-subscribe']]], use_bin_type=True)
     msg = msgpack.packb([time()+self.__maxage,poison,epk,random0], use_bin_type=True)
     # and signed with our signing key
     msg = self.__cryptokey.sign_spk(msg)
     # and finally put as last member of a msgpacked array chaining to ROT
     with self.__spk_chain_lock:
       tchain = self.__spk_chain.copy()
       if (len(tchain) == 0):
         # Use default for direct use when empty.
         self.__spk_direct_request = True
         poison = msgpack.packb([['topics',[topic]],['usages',['key-encrypt-request','key-encrypt-subscribe']],['pathlen',1]], use_bin_type=True)
         lastcert = msgpack.packb([time()+self.__maxage,poison,self.__cryptokey.get_spk()], use_bin_type=True)
      	  _,tempsk = pysodium.crypto_sign_seed_keypair(unhexlify(b'4c194f7de97c67626cc43fbdaf93dffbc4735352b37370072697d44254e1bc6c'))
         tchain.append(pysodium.crypto_sign(lastcert,tempsk))
      	  provision = msgpack.packb([msgpack.packb([0,b'\x90',self.__cryptokey.get_spk()]),self.__cryptokey.sign_spk(lastcert)], use_bin_type=True)
         self._logger.warning("Current signing chain is empty. Use %s to provision access and then remove temporary root of trust from allowedlist.", provision.hex())
     tchain.append(msg)
     msg = msgpack.packb(tchain, use_bin_type=True)
     return msg
   except Exception as e:
     self._logger.warning("".join(format_exception_shim(e)))
     pass
   return None
Esempio n. 14
0
    with open(nodeID + ".crypto", "wb") as f:
        f.write(
            msgpack.packb(
                [sk,
                 pysodium.randombytes(pysodium.crypto_secretbox_KEYBYTES)],
                use_bin_type=True))

poison = [['usages', _usages[key]]]
if len(topics) > 0:
    poison.append(['topics', topics])
if pathlen != -1:
    poison.append(['pathlen', pathlen])
poison = msgpack.packb(poison, use_bin_type=True)
msg = [time() + _lifetime, poison, pk]
if choice < 5:
    msg = pysodium.crypto_sign(msgpack.packb(msg, use_bin_type=True),
                               prov._sk[_keys[key]])
    chain = msgpack.packb(msgpack.unpackb(_msgchains[key], raw=False) + [msg],
                          use_bin_type=True)
else:
    print('New Chain Server', '(', hexlify(pk), '):',
          hexlify(msgpack.packb(msg, use_bin_type=True)))
    msg = unhexlify(input('ROT Signed Value (hex):'))
    chain = msgpack.packb([msg], use_bin_type=True)
    pk2 = process_chain(chain, None, None, allowlist=[_msgrot])
    assert len(pk2) >= 3, "Malformed ROT Signed Value"
print(nodeID, 'public key:', hexlify(pk))

# Third, write config
kcs = KafkaCryptoStore(nodeID + ".config", nodeID)
kcs.store_value('chain', chain, section='crypto')
if kcs.load_value('cryptokey') is None:
Esempio n. 15
0
print(query)


transportOut = TTransport.TMemoryBuffer()
protocolOut = TBinaryProtocol.TBinaryProtocol(transportOut)
query.write(protocolOut)
bytes = transportOut.getvalue()

sign_pk=None
sign_sk=None
with open("keys/sign_public.key", "rb") as in_file:
    sign_pk = in_file.read()
with open("keys/sign_private.key", "rb") as in_file:
    sign_sk = in_file.read()

signed = pysodium.crypto_sign(bytes, sign_sk)
base64bytes=base64.b64encode(signed)

#assert can verify and de-serialize
recoveredbytes=base64.b64decode(base64bytes)
plaintextbytes=pysodium.crypto_sign_open(recoveredbytes, sign_pk)
transportIn = TTransport.TMemoryBuffer(plaintextbytes)
protocolIn = TBinaryProtocol.TBinaryProtocol(transportIn)
recoveredqueries = Query()
recoveredqueries.read(protocolIn)
print(recoveredqueries)

queryFile = open ("queries/ucla.query", "wb")
querybytearray=bytearray(base64bytes)
queryFile.write(querybytearray)
Esempio n. 16
0
 def test_crypto_sign_open(self):
     pk, sk = pysodium.crypto_sign_keypair()
     signed = pysodium.crypto_sign(b'howdy', sk)
     changed = signed[:pysodium.crypto_sign_BYTES] + b'0' + signed[pysodium.crypto_sign_BYTES + 1:]
     pysodium.crypto_sign_open(signed, pk)
     self.assertRaises(ValueError, pysodium.crypto_sign_open, changed, pk)
Esempio n. 17
0
def encrypt_payload(payload, seckey):
    return crypto_sign(payload, seckey)
Esempio n. 18
0
            print("error: size has to be integer.")
            usage()
        saverules(datadir, id, sys.argv[4], size)
        b, c = challenge()
        message = [CREATE, id, c, pysodium.crypto_sign_sk_to_pk(sk)]
    elif sys.argv[1] == 'get':
        # needs id, challenge, sig(id)
        b, c = challenge()
        message = [GET, id, c]
        # returns output from ./response | fail
    elif sys.argv[1] == 'change':
        # needs id, challenge, sig(id)
        b, c = challenge()
        message = [CHANGE, id, c]
        # changes stored secret
        # returns output from ./response | fail
    elif sys.argv[1] == 'delete':
        # needs id, sig(id)
        message = [DELETE, id]
    else:
        usage()

    message = pysodium.crypto_sign(b''.join(message), sk)

    loop = asyncio.get_event_loop()
    coro = loop.create_connection(
        lambda: SphinxClientProtocol(message, loop, b), addr, port)
    loop.run_until_complete(coro)
    loop.run_forever()
    loop.close()
Esempio n. 19
0
 def sign(self, msg, master=False):
     signing_key = self.ms if master else self.ss
     return nacl.crypto_sign(msg, signing_key)
Esempio n. 20
0
 def savepublickeys(self):
     with open(get_pk_filename(self.basedir, self.name), 'wb') as fd:
         dates='{:<32}{:<32}'.format(self.created.isoformat(), self.valid.isoformat())
         name = self.name.encode('utf-8')
         datesb = dates.encode('utf-8')
         fd.write(nacl.crypto_sign(self.mp+self.sp+self.cp+datesb+name, self.ms))
Esempio n. 21
0
password = ''
while len(password) < 6:
    password = getpass('Provisioning Password (6+ chars): ')
prov = PasswordProvisioner(password, _rot)

# Generate signed chains
_signedprov = {
    'producer': None,
    'consumer': None,
    'prodcon': None,
}
for kn in _signedprov.keys():
    key = prov._pk[kn]
    poison = msgpack.packb([['usages', _usages[kn]]], use_bin_type=True)
    tosign = msgpack.packb([0, poison, key], use_bin_type=True)
    _signedprov[kn] = pysodium.crypto_sign(tosign, rot._sk)

_msgchains = {
    'producer':
    msgpack.packb([_signedprov[_keys['producer']]], use_bin_type=True),
    'consumer':
    msgpack.packb([_signedprov[_keys['consumer']]], use_bin_type=True),
    'prodcon':
    msgpack.packb([_signedprov[_keys['prodcon']]], use_bin_type=True),
    'prodcon-limited':
    msgpack.packb([_signedprov[_keys['prodcon-limited']]], use_bin_type=True),
    'consumer-limited':
    msgpack.packb([_signedprov[_keys['consumer-limited']]], use_bin_type=True),
    'controller':
    msgpack.packb([_signedprov[_keys['controller']]], use_bin_type=True),
}
Esempio n. 22
0
 def savepublickeys(self):
     with open(get_pk_filename(self.basedir, self.name), 'w') as fd:
         dates='{:<32}{:<32}'.format(self.created.isoformat(), self.valid.isoformat())
         fd.write(nacl.crypto_sign(self.mp+self.sp+self.cp+dates+self.name, self.ms))
Esempio n. 23
0
 def sign(self, msg, master=False):
     signing_key = self.ms if master else self.ss
     return nacl.crypto_sign(msg, signing_key)
Esempio n. 24
0
 def sign_spk(self, msg):
   return pysodium.crypto_sign(msg, self.__ssk)
Esempio n. 25
0
        mnemonic = ' '.join(sys.argv[1:16]).lower()
        email = sys.argv[16]
        password = sys.argv[17]
        eth_address = sys.argv[18].replace('0x', '')
        salt = unicodedata.normalize(
            "NFKD", (email + password).decode("utf8")).encode("utf8")
        try:
            seed = bitcoin.mnemonic_to_seed(mnemonic, salt)
        except:
            print("Invalid mnemonic")
            exit(1)
        pk, sk = pysodium.crypto_sign_seed_keypair(seed[0:32])
        pkh = blake2b(pk, 20).digest()

        msgHash = blake2b(eth_address.decode('hex'), 64).digest()
        sig = pysodium.crypto_sign(msgHash, sk)[:-len(msgHash)]
        declarationHash = blake2b(
            'I hereby cryptographically prove to be a contributor of Tezos Stiftung (CHE-290.597.458), a Swiss Foundation based in Gubelstrasse 11, 6300 Zug, Switzerland. I recognize and welcome the existence multiple implementations of Tezos. I ask and expect Tezos Stiftung to foster competition among them by funding and supporting their development, marketing and growth. Funds allotted to various Tezos implementations shall always be directly proportional to their market capitalization at the time of each distribution of funds. Distribution of funds to multiple existing Tezos implementations shall begin no later than January 1st 2019 and consistently continue throughout time. Following priorities autonomously set by each community, Tezos Stiftung shall distribute funds in the most appropriate, effective and transparent way.',
            64).digest()
        declarationSig = pysodium.crypto_sign(declarationHash,
                                              sk)[:-len(declarationHash)]
        print "TZL_addr:", tezos_pkh(pkh)
        print "TZL_pk:", pk.encode('hex')
        print "ETH_addrSignature:", sig.encode('hex')
        print "declarationSignature:", declarationSig.encode('hex')

    elif len(sys.argv) == 2:
        tz_input = sys.argv[1]
        assert (tz_input == bitcoin.bin_to_b58check(
            bitcoin.b58check_to_bin(tz_input)[2:], magicbyte=434591))
Esempio n. 26
0
# vim: set sw=4 sts=4 et tw=80 :
# -*- coding: utf-8 -*-

import binascii
import sys

import pysodium as s

if __name__ == '__main__':
    if len(sys.argv) < 2:
        sys.exit(1)

    if sys.argv[1] == 'gen':
        (public, secret) = s.crypto_sign_keypair()
        print "Secret: %s" % binascii.hexlify(secret)
        print "Public: %s" % binascii.hexlify(public)

        sys.exit(0)

    if sys.argv[1] == 'sign':
        if len(sys.argv) < 4:
            sys.exit(1)

        secret = sys.argv[2]
        token  = sys.argv[3]

        print "Signing using '%s': '%s'" % (secret, token)
        print "Token: %s" % binascii.hexlify(s.crypto_sign(token, binascii.unhexlify(secret)))

        sys.exit(0)
Esempio n. 27
0
import pysodium

pk=None
sk=None

with open("keys/sign_public.key", "rb") as in_file:
    pk = in_file.read()
with open("keys/sign_private.key", "rb") as in_file:
    sk = in_file.read()

signed = pysodium.crypto_sign(b'test', sk)
ret=pysodium.crypto_sign_open(signed, pk)
print(ret)