def test_rsa_provider_init_invalid_passphrase(self): private_key = RSA.generate(2048) public_key = private_key.publickey() passphrase = random_string(6) invalid_passphrase = random_string(8) with open('./rsa-test.private_key.pem', 'wb') as f: f.write(private_key.exportKey(passphrase=passphrase)) with open('./rsa-test.public_key.pem', 'wb') as f: f.write(public_key.exportKey(passphrase=passphrase)) self.assertRaises(ClientError, LocalRsaProvider, dir='./', key='rsa-test', passphrase=invalid_passphrase) silently_remove('./rsa-test.public_key.pem') silently_remove('./rsa-test.private_key.pem') private_key_str = RsaKey.exportKey(private_key, passphrase=passphrase) public_key_str = RsaKey.exportKey(public_key, passphrase=passphrase) self.assertRaises(ClientError, RsaProvider, key_pair={ 'private_key': private_key_str, 'public_key': public_key_str }, passphrase=invalid_passphrase)
def pack(self, command: Union[str, bytes, bytearray], data: Union[str, bytes, bytearray], encrypt: bool, type_: int = 0, *, key: RSA.RsaKey = None) -> Packet: if not (isinstance(type_, int) and -1 < type_ < 256): raise ValueError('Unsupported type') if isinstance(command, (str, bytes, bytearray)): if isinstance(command, str): command = command.encode('utf8') elif isinstance(command, bytearray): command = bytes(command) else: raise ValueError('Unsupported command type') if isinstance(data, (str, bytes, bytearray)): if isinstance(data, str): data = data.encode('utf8') if isinstance(data, bytes): data = bytearray(data) if len(data) > 4294967295: raise ValueError('data max length is 4294967295 bytes') else: raise TypeError('Unsupported data type') if not key: pass elif key and not isinstance(key, RSA.RsaKey): raise TypeError('key must be RSA key') else: if not key.can_encrypt(): raise KeyError('key can not encrypt data') if encrypt: cipher: PKCS1_OAEP.PKCS1OAEP_Cipher = PKCS1_OAEP.new( key if key else self.key, SHA3_256, randfunc=Random.new().read) chunk: int = 65535 if ((key.size_in_bytes() if key else self.key.size_in_bytes()) - 66) > 65535 else \ (key.size_in_bytes() if key else self.key.size_in_bytes()) - 66 encrypted = bytearray() for i in (data[i:i + chunk] for i in range(0, data.__len__(), chunk)): encrypted.extend(cipher.encrypt(i)) return Packet( Header( Flags( type_, encrypt, key.size_in_bytes() if key else self.key.size_in_bytes() if encrypt else 0, len(encrypted) if encrypt else len(data)), command, b'\x00' * 32), encrypted if encrypt else data)
def store_keys(privkey: RsaKey, pubkey: RsaKey): try: priv_file: BinaryIO = open(".config/rsa_private.key", "wb") pub_file: BinaryIO = open(".config/rsa_public.key", "wb") priv_file.write(privkey.export_key()) pub_file.write(pubkey.export_key()) priv_file.close() pub_file.close() except Exception as e: print(e) print("Cannot store keys in .config dir. Exiting...") raise SystemExit
def generate_dispatcher_input( my_bls_public_key: str, my_bls_public_key_shares: List[str], my_bls_private_key_shares: List[int], my_rsa_key: RsaKey, all_rsa_public_keys: List[str], ) -> Tuple[List[Dict[str, Any]], int]: """ Generate dispatcher input data. """ input_data = [] my_rsa_public_key_ssh = my_rsa_key.publickey().export_key( "OpenSSH").decode("ascii") my_index = -1 for i in range(len(all_rsa_public_keys)): recipient_rsa_public_key = RSA.import_key(all_rsa_public_keys[i]) recipient_bls_private_key_share = my_bls_private_key_shares[i] if recipient_rsa_public_key == my_rsa_key.publickey(): my_index = i continue encrypted_data = { "public_key": my_bls_public_key, "public_key_shares": my_bls_public_key_shares, "private_key_share": str(recipient_bls_private_key_share), } enc_session_key, nonce, tag, ciphertext = rsa_encrypt( recipient_public_key=recipient_rsa_public_key, data=json.dumps(encrypted_data), ) signature = rsa_sign(my_rsa_key, ciphertext) input_data.append({ "sender_rsa_public_key": my_rsa_public_key_ssh, "recipient_rsa_public_key": recipient_rsa_public_key.export_key("OpenSSH").decode("ascii"), "enc_session_key": enc_session_key.hex(), "ciphertext": ciphertext.hex(), "nonce": nonce.hex(), "tag": tag.hex(), "signature": signature.hex(), }) return input_data, my_index
def decrypt_message(message: bytes, receiver_private_key: RsaKey) -> bytes: """ Decrypts message, using the specified key to decrypt symmetric key firs :param message: message with the following structure: IV + encrypted symmetric key + encrypted message :param receiver_private_key: RsaKey to decrypt symmetric key :return: decrypted message """ iv = message[:IV_LEN] enc_aes_key = message[IV_LEN:IV_LEN + receiver_private_key.size_in_bytes()] # Assume encryption has been done with same key size enc_message = message[IV_LEN + receiver_private_key.size_in_bytes():] cipher_rsa = PKCS1_OAEP.new(receiver_private_key) aes_key = cipher_rsa.decrypt(enc_aes_key) cipher_aes = AES.new(aes_key, AES.MODE_CBC, iv) return unpad(cipher_aes.decrypt(enc_message), AES.block_size) # Padding have to be removed
def proto_to_pubkey(key: RsaPubKey) -> RsaKey: """ Reads an RsaPubKey proto message back into an RsaKey """ n = int.from_bytes(key.modulus, 'big') e = int.from_bytes(key.pub_exponent, 'big') return RsaKey(n=n, e=e)
def __init__(self, key: RSA.RsaKey = None): if not key: self.key = RSA.generate(4096, Random.new().read) elif key and isinstance(key, RSA.RsaKey) and key.has_private(): self.key: RSA.RsaKey = key else: raise TypeError('key must be private RSA key')
def save_private_key(key: RSA.RsaKey, password): filename = os.getcwd() + "/keys/private_key/private_key.txt" key, vector = encrypt_key(key.exportKey(), password) os.makedirs(os.path.dirname(filename), exist_ok=True) with open(filename, "wb") as f: f.write(key) f.write(vector) f.close()
def verify_signature(message: bytes, sender_public_key: RsaKey) -> bytes: """ Verifies if the message has a valid signature, raising SignatureNotAuthentic if not :param message: message to be verified :param sender_public_key: public key of the pretended sender :return: original message without signature if it is valid :raise: SignatureNotAuthentic if signature is not valid """ signature = message[:sender_public_key.size_in_bytes()] # Assume encryption has been done with same key size original_message = message[sender_public_key.size_in_bytes():] h = SHA256.new(original_message) verifier = pkcs1_15.new(sender_public_key) try: verifier.verify(h, signature) return original_message except ValueError: raise SignatureNotAuthentic
def save_ssid_pk(self, ssid: str, ap_pk: RsaKey): """ Saves an SSID/public key pair to the station's memory Args: ssid (str): The SSID to save ap_pk (RsaKey): The public key associated with the ssid """ self.saved.add((ssid, ap_pk.exportKey()))
def store_key(key: RsaKey, friendly_name: str = None): if not isinstance(key, RsaKey): raise ValueError('First argument must be an RsaKey!') name = friendly_name if friendly_name else str(uuid.uuid4()) file_name = f'{paths.PATH_WALLETS}/{name}.der' os.makedirs(os.path.dirname(file_name), exist_ok=True) with open(file_name, 'wb+') as file: file.write(key.exportKey(format='DER'))
def rsa_export_key(self, key_file: str, key: RSA.RsaKey) -> None: """Export RSA key to file Args: key_file (str): Path to RSA key file key (RSA.RsaKey): RSA key to export """ key_file_obj = Path(key_file).resolve() key_file_obj.parent.mkdir(parents=True, exist_ok=True) with key_file_obj.open('wb') as f: f.write(key.export_key())
def get_http_authentication(private_key: RsaKey, private_key_id: str) -> HTTPSignatureHeaderAuth: """ Get HTTP signature authentication for a request. """ key = private_key.exportKey() return HTTPSignatureHeaderAuth( headers=["(request-target)", "user-agent", "host", "date"], algorithm="rsa-sha256", key=key, key_id=private_key_id, )
def write_pubkey(self, pubkey: RSA.RsaKey) -> None: """Write a pubkey to the endpoint.""" print(f"Sending a pubkey to {self.endpoint_addr}") self._sock.sendall( Message.of(pubkey.export_key(), ContentType.BINARY).to_bytes()) self._sent_pubkey = True if self._endpoint_pubkey is not None: self._connected = True print(f"Established connection to {self.endpoint_addr}")
def _decrypt_via_rsa_oaep(cipherdict: dict, key: RSA.RsaKey) -> bytes: """Decrypt a bytestring with PKCS#1 RSA OAEP (asymmetric algo). :param cipherdict: list of ciphertext chunks :param key: private RSA key :return: the decrypted bytestring""" _check_asymmetric_key_length_bits(key.size_in_bits()) decipher = PKCS1_OAEP.new(key, hashAlgo=RSA_OAEP_HASHER) encrypted_chunks = cipherdict["digest_list"] decrypted_chunks = [] for encrypted_chunk in encrypted_chunks: decrypted_chunk = decipher.decrypt(encrypted_chunk) decrypted_chunks.append(decrypted_chunk) return b"".join(decrypted_chunks)
def _encrypt_via_rsa_oaep(plaintext: bytes, key: RSA.RsaKey) -> dict: """Encrypt a bytestring with PKCS#1 RSA OAEP (asymmetric algo). :param plaintext: the bytes to cipher :param key: public RSA key :return: a dict with field `digest_list`, containing bytestring chunks of variable width.""" _check_asymmetric_key_length_bits(key.size_in_bits()) cipher = PKCS1_OAEP.new(key=key, hashAlgo=RSA_OAEP_HASHER) chunks = split_as_chunks(plaintext, chunk_size=RSA_OAEP_CHUNKS_SIZE, must_pad=False, accept_incomplete_chunk=True) encrypted_chunks = [] for chunk in chunks: encrypted_chunk = cipher.encrypt(chunk) encrypted_chunks.append(encrypted_chunk) return dict(digest_list=encrypted_chunks)
def user_register(self, username: str, email: str, public_key: RsaKey): """ Registers a new user :param username: :param email: :param public_key: :return: a dictionary with keys userID and ts """ url = API.base_url + "/users/register" body = { "nombre": username, "email": email, "publicKey": public_key.export_key("PEM").decode() } response = requests.post(url, headers=self.header, json=body) parsed_response = json.loads(response.text) if response.status_code != 200: raise api_exceptions[parsed_response["error_code"]] return parsed_response
def decrypt(data: bytes, mode: EncryptionMode, rec_privkey: RSA.RsaKey) -> bytes: """Decrypt given bytes using a specified encryption mode and.""" key_len = rec_privkey.size_in_bytes() enc_session_key = data[:key_len] cipher_rsa = PKCS1_OAEP.new(rec_privkey) if mode == EncryptionMode.ECB: iv = None ciphertext = data[key_len:] else: iv_end = key_len + AES.block_size iv = data[key_len:iv_end] ciphertext = data[iv_end:] try: session_key = cipher_rsa.decrypt(enc_session_key) except ValueError: session_key = os.urandom(16) cipher_aes = { EncryptionMode.ECB: AES.new(session_key, AES.MODE_ECB), EncryptionMode.CBC: AES.new(session_key, AES.MODE_CBC, cast(bytes, iv)), EncryptionMode.CFB: AES.new(session_key, AES.MODE_CFB, cast(bytes, iv)), EncryptionMode.OFB: AES.new(session_key, AES.MODE_OFB, cast(bytes, iv)), }[mode] try: data = unpad(cipher_aes.decrypt(ciphertext), AES.block_size) except ValueError: data = ("".join( random.SystemRandom().choice(string.printable) for _ in range(random.randint(5, 100)))).encode("utf-8") return data
def unpack(self, raw: Union[bytes, bytearray], key: RSA.RsaKey = None) -> Packet: if isinstance(raw, (bytes, bytearray)): if isinstance(raw, bytes): raw = bytearray(raw) header: Header = self.unpack_header(raw[:HEADER_SIZE]) if header.checksum != hashlib.blake2s(raw[HEADER_SIZE:]).digest(): raise PacketError('Data is corrupted (Bad checksum)') if header.flags.encrypted: cipher: PKCS1_OAEP.PKCS1OAEP_Cipher = PKCS1_OAEP.new( key if key and key.has_private() else self.key, SHA3_256) chunk: int = header.flags.cluster decrypted = bytearray() try: for i in (raw[HEADER_SIZE:][i:i + chunk] for i in range(0, raw.__len__() - HEADER_SIZE, chunk)): decrypted.extend(cipher.decrypt(i)) except ValueError: raise DamageError(f'Encrypted data is damaged') header.flags.size = len( decrypted) if header.flags.encrypted else len( raw[HEADER_SIZE:]) return Packet( header, decrypted if header.flags.encrypted else raw[HEADER_SIZE:], bytes(raw[44:76]) if header.flags.encrypted else None) else: raise TypeError('Raw must be bytes or bytearray')
def __add_host_key(self, new_key: RSA.RsaKey, hostname: str) -> None: self.acceptable_hosts.append(new_key) with open(f'{self.path}/{hostname}', 'w') as key_file: key_file.writelines(new_key.export_key(format='OpenSSH').decode('utf-8'))
def __init__(self, private_key: RSA.RsaKey): super().__init__(private_key.public_key()) # Override public key with private one self._rsa = private_key
def _save_keypair(self, key: RSA.RsaKey) -> None: self._priv = key.exportKey("PEM") self._pub = key.publickey().exportKey("DER")
def get_private_key(self, keys: RsaKey, passphrase: str) -> str: private_key = keys.exportKey(passphrase=passphrase, pkcs=self._pub_key_crypto_standard, protection=self._protection) return private_key.decode()
def from_rsa_obj(cls, rsa: RSA.RsaKey): if not rsa.has_private(): return XeCrypt_RSA(n=rsa._n, e=rsa._e) else: return XeCrypt_RSA(n=rsa._n, e=rsa._e, d=rsa._d, p=rsa._p, q=rsa._q, u=rsa._u)
def get_public_key(keys: RsaKey) -> str: public_key = keys.publickey().exportKey() return public_key.decode()
def save_public_key(key: RSA.RsaKey): filename = os.getcwd() + "/keys/public_key/public_key.txt" os.makedirs(os.path.dirname(filename), exist_ok=True) with open(filename, "wb") as f: f.write(key.exportKey()) f.close()
def decrypt(self, key: RSA.RsaKey, cipher: bytes): c = bytes_to_long(cipher) m = str(key._decrypt(c) & 1) self.wfile.write(m.encode())
OSS_STS_KEY = os.getenv("OSS_TEST_STS_KEY") OSS_STS_ARN = os.getenv("OSS_TEST_STS_ARN") OSS_PAYER_UID = os.getenv("OSS_TEST_PAYER_UID") OSS_PAYER_ID = os.getenv("OSS_TEST_PAYER_ACCESS_KEY_ID") OSS_PAYER_SECRET = os.getenv("OSS_TEST_PAYER_ACCESS_KEY_SECRET") OSS_INVENTORY_BUCKET_DESTINATION_ARN = os.getenv("OSS_TEST_RAM_ROLE_ARN") OSS_INVENTORY_BUCKET_DESTINATION_ACCOUNT = os.getenv("OSS_TEST_RAM_UID") OSS_AUTH_VERSION = None OSS_TEST_AUTH_SERVER_HOST = os.getenv("OSS_TEST_AUTH_SERVER_HOST") private_key = RSA.generate(1024) public_key = private_key.publickey() private_key_str = RsaKey.exportKey(private_key) public_key_str = RsaKey.exportKey(public_key) key_pair = {'private_key': private_key_str, 'public_key': public_key_str} private_key_compact = '''-----BEGIN RSA PRIVATE KEY----- MIICWwIBAAKBgQCokfiAVXXf5ImFzKDw+XO/UByW6mse2QsIgz3ZwBtMNu59fR5z ttSx+8fB7vR4CN3bTztrP9A6bjoN0FFnhlQ3vNJC5MFO1PByrE/MNd5AAfSVba93 I6sx8NSk5MzUCA4NJzAUqYOEWGtGBcom6kEF6MmR1EKib1Id8hpooY5xaQIDAQAB AoGAOPUZgkNeEMinrw31U3b2JS5sepG6oDG2CKpPu8OtdZMaAkzEfVTJiVoJpP2Y nPZiADhFW3e0ZAnak9BPsSsySRaSNmR465cG9tbqpXFKh9Rp/sCPo4Jq2n65yood JBrnGr6/xhYvNa14sQ6xjjfSgRNBSXD1XXNF4kALwgZyCAECQQDV7t4bTx9FbEs5 36nAxPsPM6aACXaOkv6d9LXI7A0J8Zf42FeBV6RK0q7QG5iNNd1WJHSXIITUizVF 6aX5NnvFAkEAybeXNOwUvYtkgxF4s28s6gn11c5HZw4/a8vZm2tXXK/QfTQrJVXp VwxmSr0FAajWAlcYN/fGkX1pWA041CKFVQJAG08ozzekeEpAuByTIOaEXgZr5MBQ gBbHpgZNBl8Lsw9CJSQI15wGfv6yDiLXsH8FyC9TKs+d5Tv4Cvquk0efOQJAd9OC lCKFs48hdyaiz9yEDsc57PdrvRFepVdj/gpGzD14mVerJbOiOF6aSV19ot27u4on
def parse_key(key: RSA.RsaKey) -> str: """Returns the string version of a RSA key""" return binascii.hexlify(key.exportKey( format='DER')).decode('ascii')
def set_key(self, key: RsaKey): self.config["SecureBox"]["key"] = key.export_key("PEM").decode()