def test_f_verifier_from_key_bytes(): check = Verifier(algorithm=ALGORITHM, key=VALUES["ecc_private_key_prime"].public_key()) test = Verifier.from_key_bytes( algorithm=ALGORITHM, key_bytes=VALUES["ecc_private_key_prime_public_bytes"]) assert check.key.public_numbers() == test.key.public_numbers()
def with_verification_key(self, verification_key): # type: (bytes) -> DecryptionMaterials """Get new decryption materials that also include this verification key. .. versionadded:: 1.5.0 :param bytes verification_key: Verification key :rtype: DecryptionMaterials """ if self.verification_key is not None: raise AttributeError("Verification key is already set.") if self.algorithm.signing_algorithm_info is None: raise SignatureKeyError("Algorithm suite does not support signing keys.") new_materials = copy.copy(self) # Verify that the verification key matches the algorithm Verifier.from_key_bytes(algorithm=new_materials.algorithm, key_bytes=verification_key) new_materials._setattr( # simplify access to copies pylint: disable=protected-access "verification_key", verification_key ) return new_materials
def _load_verification_key_from_encryption_context(self, algorithm, encryption_context): """Loads the verification key from the encryption context if used by algorithm suite. :param algorithm: Algorithm for which to generate signing key :type algorithm: aws_encryption_sdk.identifiers.Algorithm :param dict encryption_context: Encryption context from request :returns: Raw verification key :rtype: bytes :raises SerializationError: if algorithm suite requires message signing and no verification key is found """ encoded_verification_key = encryption_context.get( ENCODED_SIGNER_KEY, None) if algorithm.signing_algorithm_info is not None and encoded_verification_key is None: raise SerializationError( "No signature verification key found in header for signed algorithm." ) if algorithm.signing_algorithm_info is None: if encoded_verification_key is not None: raise SerializationError( "Signature verification key found in header for non-signed algorithm." ) return None verifier = Verifier.from_encoded_point( algorithm=algorithm, encoded_point=encoded_verification_key) return verifier.key_bytes()
def test_verifier_verify(patch_default_backend, patch_serialization, patch_ec, patch_prehashed, patch_build_hasher, patch_set_signature_type): algorithm = MagicMock() public_key = MagicMock() verifier = Verifier(algorithm=algorithm, key=public_key) verifier.verify(sentinel.signature) verifier._hasher.finalize.assert_called_once_with() algorithm.signing_hash_type.assert_called_once_with() patch_prehashed.assert_called_once_with( algorithm.signing_hash_type.return_value) patch_ec.ECDSA.assert_called_once_with(patch_prehashed.return_value) public_key.verify.assert_called_once_with( signature=sentinel.signature, data=verifier._hasher.finalize.return_value, signature_algorithm=patch_ec.ECDSA.return_value)
def _read_header(self): """Reads the message header from the input stream. :returns: tuple containing deserialized header and header_auth objects :rtype: tuple of aws_encryption_sdk.structures.MessageHeader and aws_encryption_sdk.internal.structures.MessageHeaderAuthentication :raises CustomMaximumValueExceeded: if frame length is greater than the custom max value """ header, raw_header = aws_encryption_sdk.internal.formatting.deserialize.deserialize_header(self.source_stream) if ( self.config.max_body_length is not None and header.content_type == ContentType.FRAMED_DATA and header.frame_length > self.config.max_body_length ): raise CustomMaximumValueExceeded( 'Frame Size in header found larger than custom value: {found} > {custom}'.format( found=header.frame_length, custom=self.config.max_body_length ) ) decrypt_materials_request = DecryptionMaterialsRequest( encrypted_data_keys=header.encrypted_data_keys, algorithm=header.algorithm, encryption_context=header.encryption_context ) decryption_materials = self.config.materials_manager.decrypt_materials(request=decrypt_materials_request) if decryption_materials.verification_key is None: self.verifier = None else: self.verifier = Verifier.from_key_bytes( algorithm=header.algorithm, key_bytes=decryption_materials.verification_key ) if self.verifier is not None: self.verifier.update(raw_header) header_auth = aws_encryption_sdk.internal.formatting.deserialize.deserialize_header_auth( stream=self.source_stream, algorithm=header.algorithm, verifier=self.verifier ) self._derived_data_key = derive_data_encryption_key( source_key=decryption_materials.data_key.data_key, algorithm=header.algorithm, message_id=header.message_id ) aws_encryption_sdk.internal.formatting.deserialize.validate_header( header=header, header_auth=header_auth, raw_header=raw_header, data_key=self._derived_data_key ) return header, header_auth
def test_verifier_from_encoded_point( patch_default_backend, patch_serialization, patch_ecc_public_numbers_from_compressed_point, patch_base64, patch_build_hasher): mock_point_instance = MagicMock() mock_point_instance.public_key.return_value = sentinel.public_key patch_ecc_public_numbers_from_compressed_point.return_value = mock_point_instance patch_base64.b64decode.return_value = sentinel.compressed_point algorithm = MagicMock() verifier = Verifier.from_encoded_point( algorithm=algorithm, encoded_point=sentinel.encoded_point) patch_base64.b64decode.assert_called_once_with(sentinel.encoded_point) algorithm.signing_algorithm_info.assert_called_once_with() patch_ecc_public_numbers_from_compressed_point.assert_called_once_with( curve=algorithm.signing_algorithm_info.return_value, compressed_point=sentinel.compressed_point) mock_point_instance.public_key.assert_called_once_with( patch_default_backend.return_value) assert isinstance(verifier, Verifier)
def test_f_verifier_key_bytes(): test = Verifier(algorithm=ALGORITHM, key=VALUES["ecc_private_key_prime"].public_key()) assert test.key_bytes() == VALUES["ecc_private_key_prime_public_bytes"]
def test_verifier_update(patch_default_backend, patch_serialization, patch_build_hasher): verifier = Verifier(algorithm=MagicMock(), key=MagicMock()) verifier.update(sentinel.data) verifier._hasher.update.assert_called_once_with(sentinel.data)
def _read_header(self): """Reads the message header from the input stream. :returns: tuple containing deserialized header and header_auth objects :rtype: tuple of aws_encryption_sdk.structures.MessageHeader and aws_encryption_sdk.internal.structures.MessageHeaderAuthentication :raises CustomMaximumValueExceeded: if frame length is greater than the custom max value """ header, raw_header = deserialize_header(self.source_stream) self.__unframed_bytes_read += len(raw_header) validate_commitment_policy_on_decrypt(self.config.commitment_policy, header.algorithm) if (self.config.max_body_length is not None and header.content_type == ContentType.FRAMED_DATA and header.frame_length > self.config.max_body_length): raise CustomMaximumValueExceeded( "Frame Size in header found larger than custom value: {found:d} > {custom:d}" .format(found=header.frame_length, custom=self.config.max_body_length)) decrypt_materials_request = DecryptionMaterialsRequest( encrypted_data_keys=header.encrypted_data_keys, algorithm=header.algorithm, encryption_context=header.encryption_context, commitment_policy=self.config.commitment_policy, ) decryption_materials = self.config.materials_manager.decrypt_materials( request=decrypt_materials_request) if decryption_materials.verification_key is None: self.verifier = None else: self.verifier = Verifier.from_key_bytes( algorithm=header.algorithm, key_bytes=decryption_materials.verification_key) if self.verifier is not None: self.verifier.update(raw_header) header_auth = deserialize_header_auth(version=header.version, stream=self.source_stream, algorithm=header.algorithm, verifier=self.verifier) self._derived_data_key = derive_data_encryption_key( source_key=decryption_materials.data_key.data_key, algorithm=header.algorithm, message_id=header.message_id) if header.algorithm.is_committing(): expected_commitment_key = calculate_commitment_key( source_key=decryption_materials.data_key.data_key, algorithm=header.algorithm, message_id=header.message_id, ) if not hmac.compare_digest(expected_commitment_key, header.commitment_key): raise MasterKeyProviderError( "Key commitment validation failed. Key identity does not match the identity asserted in the " "message. Halting processing of this message.") validate_header(header=header, header_auth=header_auth, raw_header=raw_header, data_key=self._derived_data_key) return header, header_auth