def _rsa_sig_determine_padding(backend, key, padding, algorithm): if not isinstance(padding, AsymmetricPadding): raise TypeError("Expected provider of AsymmetricPadding.") pkey_size = backend._lib.EVP_PKEY_size(key._evp_pkey) backend.openssl_assert(pkey_size > 0) if isinstance(padding, PKCS1v15): padding_enum = backend._lib.RSA_PKCS1_PADDING elif isinstance(padding, PSS): if not isinstance(padding._mgf, MGF1): raise UnsupportedAlgorithm( "Only MGF1 is supported by this backend.", _Reasons.UNSUPPORTED_MGF, ) # Size of key in bytes - 2 is the maximum # PSS signature length (salt length is checked later) if pkey_size - algorithm.digest_size - 2 < 0: raise ValueError("Digest too large for key size. Use a larger " "key or different digest.") padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING else: raise UnsupportedAlgorithm( "{} is not supported by this backend.".format(padding.name), _Reasons.UNSUPPORTED_PADDING, ) return padding_enum
def _enc_dec_rsa(backend, key, data, padding): if not isinstance(padding, AsymmetricPadding): raise TypeError("Padding must be an instance of AsymmetricPadding.") if isinstance(padding, PKCS1v15): padding_enum = backend._lib.RSA_PKCS1_PADDING elif isinstance(padding, OAEP): padding_enum = backend._lib.RSA_PKCS1_OAEP_PADDING if not isinstance(padding._mgf, MGF1): raise UnsupportedAlgorithm( "Only MGF1 is supported by this backend.", _Reasons.UNSUPPORTED_MGF, ) if not backend.rsa_padding_supported(padding): raise UnsupportedAlgorithm( "This combination of padding and hash algorithm is not " "supported by this backend.", _Reasons.UNSUPPORTED_PADDING, ) else: raise UnsupportedAlgorithm( "{} is not supported by this backend.".format(padding.name), _Reasons.UNSUPPORTED_PADDING, ) return _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding)
def __init__(self, algorithm, length, info, backend=None): backend = _get_backend(backend) if not isinstance(backend, HMACBackend): raise UnsupportedAlgorithm( "Backend object does not implement HMACBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) self._algorithm = algorithm self._backend = backend max_length = 255 * algorithm.digest_size if length > max_length: raise ValueError( "Can not derive keys larger than {} octets.".format( max_length)) self._length = length if info is None: info = b"" else: utils._check_bytes("info", info) self._info = info self._used = False
def signature_hash_algorithm(self): oid = self.signature_algorithm_oid try: return x509._SIG_OIDS_TO_HASH[oid] except KeyError: raise UnsupportedAlgorithm( "Signature algorithm OID:{} not recognized".format(oid))
def exchange(self, algorithm, peer_public_key): if not ( self._backend.elliptic_curve_exchange_algorithm_supported( algorithm, self.curve ) ): raise UnsupportedAlgorithm( "This backend does not support the ECDH algorithm.", _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) if peer_public_key.curve.name != self.curve.name: raise ValueError( "peer_public_key and self are not on the same curve" ) group = self._backend._lib.EC_KEY_get0_group(self._ec_key) z_len = (self._backend._lib.EC_GROUP_get_degree(group) + 7) // 8 self._backend.openssl_assert(z_len > 0) z_buf = self._backend._ffi.new("uint8_t[]", z_len) peer_key = self._backend._lib.EC_KEY_get0_public_key( peer_public_key._ec_key ) r = self._backend._lib.ECDH_compute_key( z_buf, z_len, peer_key, self._ec_key, self._backend._ffi.NULL ) self._backend.openssl_assert(r > 0) return self._backend._ffi.buffer(z_buf)[:z_len]
def __init__(self, key, length, algorithm, backend=None, enforce_key_length=True): backend = _get_backend(backend) if not isinstance(backend, HMACBackend): raise UnsupportedAlgorithm( "Backend object does not implement HMACBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) if len(key) < 16 and enforce_key_length is True: raise ValueError("Key length has to be at least 128 bits.") if not isinstance(length, six.integer_types): raise TypeError("Length parameter must be an integer type.") if length < 6 or length > 8: raise ValueError("Length of HOTP has to be between 6 to 8.") if not isinstance(algorithm, (SHA1, SHA256, SHA512)): raise TypeError("Algorithm must be SHA1, SHA256 or SHA512.") self._key = key self._length = length self._algorithm = algorithm self._backend = backend
def __init__(self, salt, length, n, r, p, backend=None): backend = _get_backend(backend) if not isinstance(backend, ScryptBackend): raise UnsupportedAlgorithm( "Backend object does not implement ScryptBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) self._length = length utils._check_bytes("salt", salt) if n < 2 or (n & (n - 1)) != 0: raise ValueError("n must be greater than 1 and be a power of 2.") if r < 1: raise ValueError("r must be greater than or equal to 1.") if p < 1: raise ValueError("p must be greater than or equal to 1.") self._used = False self._salt = salt self._n = n self._r = r self._p = p self._backend = backend
def __init__(self, backend, algorithm, ctx=None): if not backend.cmac_algorithm_supported(algorithm): raise UnsupportedAlgorithm( "This backend does not support CMAC.", _Reasons.UNSUPPORTED_CIPHER, ) self._backend = backend self._key = algorithm.key self._algorithm = algorithm self._output_length = algorithm.block_size // 8 if ctx is None: registry = self._backend._cipher_registry adapter = registry[type(algorithm), CBC] evp_cipher = adapter(self._backend, algorithm, CBC) ctx = self._backend._lib.CMAC_CTX_new() self._backend.openssl_assert(ctx != self._backend._ffi.NULL) ctx = self._backend._ffi.gc(ctx, self._backend._lib.CMAC_CTX_free) key_ptr = self._backend._ffi.from_buffer(self._key) res = self._backend._lib.CMAC_Init( ctx, key_ptr, len(self._key), evp_cipher, self._backend._ffi.NULL, ) self._backend.openssl_assert(res == 1) self._ctx = ctx
def private_bytes(self, encoding, format, encryption_algorithm): if format is not serialization.PrivateFormat.PKCS8: raise ValueError( "DH private keys support only PKCS8 serialization") if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX: q = self._backend._ffi.new("BIGNUM **") self._backend._lib.DH_get0_pqg( self._dh_cdata, self._backend._ffi.NULL, q, self._backend._ffi.NULL, ) if q[0] != self._backend._ffi.NULL: raise UnsupportedAlgorithm( "DH X9.42 serialization is not supported", _Reasons.UNSUPPORTED_SERIALIZATION, ) return self._backend._private_key_bytes( encoding, format, encryption_algorithm, self, self._evp_pkey, self._dh_cdata, )
def _rsa_sig_setup(backend, padding, algorithm, key, data, init_func): padding_enum = _rsa_sig_determine_padding(backend, key, padding, algorithm) evp_md = backend._evp_md_non_null_from_algorithm(algorithm) pkey_ctx = backend._lib.EVP_PKEY_CTX_new(key._evp_pkey, backend._ffi.NULL) backend.openssl_assert(pkey_ctx != backend._ffi.NULL) pkey_ctx = backend._ffi.gc(pkey_ctx, backend._lib.EVP_PKEY_CTX_free) res = init_func(pkey_ctx) backend.openssl_assert(res == 1) res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md) if res == 0: backend._consume_errors() raise UnsupportedAlgorithm( "{} is not supported by this backend for RSA signing.".format( algorithm.name), _Reasons.UNSUPPORTED_HASH, ) res = backend._lib.EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, padding_enum) backend.openssl_assert(res > 0) if isinstance(padding, PSS): res = backend._lib.EVP_PKEY_CTX_set_rsa_pss_saltlen( pkey_ctx, _get_rsa_pss_salt_length(padding, key, algorithm)) backend.openssl_assert(res > 0) mgf1_md = backend._evp_md_non_null_from_algorithm( padding._mgf._algorithm) res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, mgf1_md) backend.openssl_assert(res > 0) return pkey_ctx
def _sn_to_elliptic_curve(backend, sn): try: return ec._CURVE_TYPES[sn]() except KeyError: raise UnsupportedAlgorithm( "{} is not a supported elliptic curve".format(sn), _Reasons.UNSUPPORTED_ELLIPTIC_CURVE, )
def generate(cls): from thirdparty.cryptography.hazmat.backends.openssl.backend import backend if not backend.x25519_supported(): raise UnsupportedAlgorithm( "X25519 is not supported by this version of OpenSSL.", _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) return backend.x25519_generate_key()
def __init__(self, key): from thirdparty.cryptography.hazmat.backends.openssl.backend import backend if not backend.poly1305_supported(): raise UnsupportedAlgorithm( "poly1305 is not supported by this version of OpenSSL.", _Reasons.UNSUPPORTED_MAC, ) self._ctx = backend.create_poly1305_ctx(key)
def generate(cls): from thirdparty.cryptography.hazmat.backends.openssl.backend import backend if not backend.ed448_supported(): raise UnsupportedAlgorithm( "ed448 is not supported by this version of OpenSSL.", _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, ) return backend.ed448_generate_key()
def from_private_bytes(cls, data): from thirdparty.cryptography.hazmat.backends.openssl.backend import backend if not backend.ed448_supported(): raise UnsupportedAlgorithm( "ed448 is not supported by this version of OpenSSL.", _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, ) return backend.ed448_load_private_bytes(data)
def generate_private_key(public_exponent, key_size, backend=None): backend = _get_backend(backend) if not isinstance(backend, RSABackend): raise UnsupportedAlgorithm( "Backend object does not implement RSABackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) _verify_rsa_parameters(public_exponent, key_size) return backend.generate_rsa_private_key(public_exponent, key_size)
def from_public_bytes(cls, data): from thirdparty.cryptography.hazmat.backends.openssl.backend import backend if not backend.x448_supported(): raise UnsupportedAlgorithm( "X448 is not supported by this version of OpenSSL.", _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM, ) return backend.x448_load_public_bytes(data)
def __init__(self, algorithm, length, salt, iterations, backend=None): backend = _get_backend(backend) if not isinstance(backend, PBKDF2HMACBackend): raise UnsupportedAlgorithm( "Backend object does not implement PBKDF2HMACBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) if not backend.pbkdf2_hmac_supported(algorithm): raise UnsupportedAlgorithm( "{} is not supported for PBKDF2 by this backend.".format( algorithm.name), _Reasons.UNSUPPORTED_HASH, ) self._used = False self._algorithm = algorithm self._length = length utils._check_bytes("salt", salt) self._salt = salt self._iterations = iterations self._backend = backend
def __init__(self, algorithm, mode, backend=None): backend = _get_backend(backend) if not isinstance(backend, CipherBackend): raise UnsupportedAlgorithm( "Backend object does not implement CipherBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) if not isinstance(algorithm, CipherAlgorithm): raise TypeError("Expected interface of CipherAlgorithm.") if mode is not None: mode.validate_for_algorithm(algorithm) self.algorithm = algorithm self.mode = mode self._backend = backend
def __init__(self, algorithm, length, otherinfo, backend=None): backend = _get_backend(backend) _common_args_checks(algorithm, length, otherinfo) self._algorithm = algorithm self._length = length self._otherinfo = otherinfo if self._otherinfo is None: self._otherinfo = b"" if not isinstance(backend, HashBackend): raise UnsupportedAlgorithm( "Backend object does not implement HashBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) self._backend = backend self._used = False
def __init__(self, algorithm, backend=None, ctx=None): backend = _get_backend(backend) if not isinstance(backend, CMACBackend): raise UnsupportedAlgorithm( "Backend object does not implement CMACBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) if not isinstance(algorithm, ciphers.BlockCipherAlgorithm): raise TypeError("Expected instance of BlockCipherAlgorithm.") self._algorithm = algorithm self._backend = backend if ctx is None: self._ctx = self._backend.create_cmac_ctx(self._algorithm) else: self._ctx = ctx
def __init__(self, key, algorithm, backend=None, ctx=None): backend = _get_backend(backend) if not isinstance(backend, HMACBackend): raise UnsupportedAlgorithm( "Backend object does not implement HMACBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError("Expected instance of hashes.HashAlgorithm.") self._algorithm = algorithm self._backend = backend self._key = key if ctx is None: self._ctx = self._backend.create_hmac_ctx(key, self.algorithm) else: self._ctx = ctx
def __init__( self, key, length, algorithm, time_step, backend=None, enforce_key_length=True, ): backend = _get_backend(backend) if not isinstance(backend, HMACBackend): raise UnsupportedAlgorithm( "Backend object does not implement HMACBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) self._time_step = time_step self._hotp = HOTP(key, length, algorithm, backend, enforce_key_length)
def parameter_bytes(self, encoding, format): if format is not serialization.ParameterFormat.PKCS3: raise ValueError("Only PKCS3 serialization is supported") if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX: q = self._backend._ffi.new("BIGNUM **") self._backend._lib.DH_get0_pqg( self._dh_cdata, self._backend._ffi.NULL, q, self._backend._ffi.NULL, ) if q[0] != self._backend._ffi.NULL: raise UnsupportedAlgorithm( "DH X9.42 serialization is not supported", _Reasons.UNSUPPORTED_SERIALIZATION, ) return self._backend._parameter_bytes(encoding, format, self._dh_cdata)
def _hash_algorithm(backend, cert_id): asn1obj = backend._ffi.new("ASN1_OBJECT **") res = backend._lib.OCSP_id_get0_info( backend._ffi.NULL, asn1obj, backend._ffi.NULL, backend._ffi.NULL, cert_id, ) backend.openssl_assert(res == 1) backend.openssl_assert(asn1obj[0] != backend._ffi.NULL) oid = _obj2txt(backend, asn1obj[0]) try: return _OIDS_TO_HASH[oid] except KeyError: raise UnsupportedAlgorithm( "Signature algorithm OID: {} not recognized".format(oid) )
def __init__(self, algorithm, length, salt, info, backend=None): backend = _get_backend(backend) if not isinstance(backend, HMACBackend): raise UnsupportedAlgorithm( "Backend object does not implement HMACBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) self._algorithm = algorithm if salt is None: salt = b"\x00" * self._algorithm.digest_size else: utils._check_bytes("salt", salt) self._salt = salt self._backend = backend self._hkdf_expand = HKDFExpand(self._algorithm, length, info, backend)
def __init__(self, backend, algorithm, ctx=None): self._algorithm = algorithm self._backend = backend if ctx is None: ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() ctx = self._backend._ffi.gc( ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free) evp_md = self._backend._evp_md_from_algorithm(algorithm) if evp_md == self._backend._ffi.NULL: raise UnsupportedAlgorithm( "{} is not a supported hash on this backend.".format( algorithm.name), _Reasons.UNSUPPORTED_HASH, ) res = self._backend._lib.EVP_DigestInit_ex(ctx, evp_md, self._backend._ffi.NULL) self._backend.openssl_assert(res != 0) self._ctx = ctx
def public_bytes(self, encoding, format): if format is not serialization.PublicFormat.SubjectPublicKeyInfo: raise ValueError("DH public keys support only " "SubjectPublicKeyInfo serialization") if not self._backend._lib.Cryptography_HAS_EVP_PKEY_DHX: q = self._backend._ffi.new("BIGNUM **") self._backend._lib.DH_get0_pqg( self._dh_cdata, self._backend._ffi.NULL, q, self._backend._ffi.NULL, ) if q[0] != self._backend._ffi.NULL: raise UnsupportedAlgorithm( "DH X9.42 serialization is not supported", _Reasons.UNSUPPORTED_SERIALIZATION, ) return self._backend._public_key_bytes(encoding, format, self, self._evp_pkey, None)
def __init__(self, algorithm, length, sharedinfo, backend=None): backend = _get_backend(backend) max_len = algorithm.digest_size * (2**32 - 1) if length > max_len: raise ValueError( "Can not derive keys larger than {} bits.".format(max_len)) if sharedinfo is not None: utils._check_bytes("sharedinfo", sharedinfo) self._algorithm = algorithm self._length = length self._sharedinfo = sharedinfo if not isinstance(backend, HashBackend): raise UnsupportedAlgorithm( "Backend object does not implement HashBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) self._backend = backend self._used = False
def __init__(self, algorithm, length, salt, otherinfo, backend=None): backend = _get_backend(backend) _common_args_checks(algorithm, length, otherinfo) self._algorithm = algorithm self._length = length self._otherinfo = otherinfo if self._otherinfo is None: self._otherinfo = b"" if salt is None: salt = b"\x00" * algorithm.block_size else: utils._check_bytes("salt", salt) self._salt = salt if not isinstance(backend, HMACBackend): raise UnsupportedAlgorithm( "Backend object does not implement HMACBackend.", _Reasons.BACKEND_MISSING_INTERFACE, ) self._backend = backend self._used = False