def encrypt(self, key, iv="", cek=""):
"""
:param key: Shared symmetric key
:param iv:
:param cek:
:return:
"""
_msg = self.msg
b64_header = self._encoded_header()
cek, iv = self._generate_key_and_iv(self["enc"], cek, iv)
if isinstance(key, basestring):
kek = key
else:
kek = intarr2str(key)
# The iv for this function must be 64 bit
# Which is certainly different from the one above
jek = aes_wrap_key(kek, cek)
auth_data = b64_header
_enc = self["enc"]
ctxt, tag, cek = self.enc_setup(_enc, _msg, auth_data, cek, iv=iv)
return self.pack(b64_header, jek, iv, ctxt, tag)
def encrypt(self, key, iv="", cek=""):
"""
:param key: Shared symmetric key
:param iv:
:param cek:
:return:
"""
_msg = self.msg
b64_header = self._encoded_header()
cek, iv = self._generate_key_and_iv(self["enc"], cek, iv)
if isinstance(key, basestring):
kek = key
else:
kek = intarr2str(key)
# The iv for this function must be 64 bit
# Which is certainly different from the one above
jek = aes_wrap_key(kek, cek)
auth_data = b64_header
_enc = self["enc"]
ctxt, tag, cek = self.enc_setup(_enc, _msg, auth_data, cek, iv=iv)
return self.pack(b64_header, jek, iv, ctxt, tag)
def encrypt(self, key, iv="", cek="", **kwargs):
"""
:param key: Shared symmetric key
:param iv: initialization vector
:param cek:
:param kwargs: Extra keyword arguments, just ignore for now.
:return:
"""
_msg = self.msg
_args = {}
try:
_args["kid"] = kwargs["kid"]
except KeyError:
pass
b64_header = self._encoded_header(_args)
# If no iv and cek are given generate them
cek, iv = self._generate_key_and_iv(self["enc"], cek, iv)
if isinstance(key, basestring):
kek = key
else:
kek = intarr2str(key)
# The iv for this function must be 64 bit
# Which is certainly different from the one above
jek = aes_wrap_key(kek, cek)
auth_data = b64_header
_enc = self["enc"]
ctxt, tag, cek = self.enc_setup(_enc, _msg, auth_data, cek, iv=iv)
return self.pack(b64_header, jek, iv, ctxt, tag)
def test_jwe_09_a3():
#Example JWE using AES Key Wrap and AES GCM
msg = "Live long and prosper."
header = '{"alg":"A128KW","enc":"A128CBC-HS256"}'
b64_header = b64e(header)
assert b64_header == "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0"
cek = intarr2str([4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250,
63, 170, 106, 206, 107, 124, 212, 45, 111, 107, 9, 219,
200, 177, 0, 240, 143, 156, 44, 207])
shared_key = [25, 172, 32, 130, 225, 114, 26, 181, 138, 106, 254, 192, 95,
133, 74, 82]
jek = aes_wrap_key(intarr2str(shared_key), cek)
assert str2intarr(jek) == [
232, 160, 123, 211, 183, 76, 245, 132, 200, 128, 123, 75, 190, 216,
22, 67, 201, 138, 193, 186, 9, 91, 122, 31, 246, 90, 28, 139, 57, 3,
76, 124, 193, 11, 98, 37, 173, 61, 104, 57]
b64_jek = b64e(jek)
assert b64_jek == "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"
iv = intarr2str([3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111,
116, 104, 101])
b64_iv = b64e(iv)
assert b64_iv == "AxY8DCtDaGlsbGljb3RoZQ"
aadp = b64_header
assert str2intarr(aadp) == [101, 121, 74, 104, 98, 71, 99, 105, 79, 105,
74, 66, 77, 84, 73, 52, 83, 49, 99, 105, 76,
67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84,
77, 106, 85, 50, 73, 110, 48]
_jwe = JWe()
ctxt, tag, key = _jwe.enc_setup("A128CBC-HS256", msg, aadp, cek, iv=iv)
print str2intarr(ctxt)
assert str2intarr(ctxt) == [
40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
112, 56, 102]
assert str2intarr(tag) == [83, 73, 191, 98, 104, 205, 211, 128, 201, 189,
199, 133, 32, 38, 194, 85]
enc_cipher_text = b64e(ctxt)
assert enc_cipher_text == "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY"
enc_authn_tag = b64e(tag)
assert enc_authn_tag == "U0m_YmjN04DJvceFICbCVQ"
def encrypt(self, key, iv="", cek="", **kwargs):
"""
:param key: Shared symmetric key
:param iv: initialization vector
:param cek:
:param kwargs: Extra keyword arguments, just ignore for now.
:return:
"""
_msg = self.msg
_args = {}
try:
_args["kid"] = kwargs["kid"]
except KeyError:
pass
b64_header = self._encoded_header(_args)
# If no iv and cek are given generate them
cek, iv = self._generate_key_and_iv(self["enc"], cek, iv)
if isinstance(key, basestring):
kek = key
else:
kek = intarr2str(key)
# The iv for this function must be 64 bit
# Which is certainly different from the one above
jek = aes_wrap_key(kek, cek)
auth_data = b64_header
_enc = self["enc"]
ctxt, tag, cek = self.enc_setup(_enc, _msg, auth_data, cek, iv=iv)
return self.pack(b64_header, jek, iv, ctxt, tag)
def enc_setup(self, msg, auth_data, key=None, **kwargs):
encrypted_key = ""
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = b64d(Random.get_random_bytes(16))
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = b64d(Random.get_random_bytes(16))
# Generate an ephemeral key pair
curve = NISTEllipticCurve.by_name(key.crv)
if "epk" in kwargs:
epk = ECKey(key=kwargs["epk"], private=False)
eprivk = ECKey(kwargs["epk"], private=True)
else:
(eprivk, epk) = curve.key_pair()
# Derive the KEK and encrypt
params = {
"apu": b64e(apu),
"apv": b64e(apv),
#"epk": exportKey(epk, "EC", curve)
}
cek, iv = self._generate_key_and_iv(self.enc)
if self.alg == "ECDH-ES":
try:
dk_len = KEYLEN[self.enc]
except KeyError:
raise Exception("Unknown key length for algorithm %s" %
self.enc)
cek = ecdh_derive_key(curve, eprivk, key, apu, apv, self.enc,
dk_len)
elif self.alg in [
"ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(curve, eprivk, key, apu, apv, _post, klen)
encrypted_key = aes_wrap_key(kek, cek)
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params
def enc_setup(self, msg, auth_data, key=None, **kwargs):
encrypted_key = ""
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = b64d(Random.get_random_bytes(16))
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = b64d(Random.get_random_bytes(16))
# Generate an ephemeral key pair
curve = NISTEllipticCurve.by_name(key.crv)
if "epk" in kwargs:
epk = ECKey(key=kwargs["epk"], private=False)
eprivk = ECKey(kwargs["epk"], private=True)
else:
(eprivk, epk) = curve.key_pair()
# Derive the KEK and encrypt
params = {
"apu": b64e(apu),
"apv": b64e(apv),
#"epk": exportKey(epk, "EC", curve)
}
cek, iv = self._generate_key_and_iv(self.enc)
if self.alg == "ECDH-ES":
try:
dk_len = KEYLEN[self.enc]
except KeyError:
raise Exception(
"Unknown key length for algorithm %s" % self.enc)
cek = ecdh_derive_key(curve, eprivk, key, apu, apv, self.enc,
dk_len)
elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(curve, eprivk, key, apu, apv, _post, klen)
encrypted_key = aes_wrap_key(kek, cek)
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params
def test_jwe_09_a3():
#Example JWE using AES Key Wrap and AES GCM
msg = "Live long and prosper."
header = '{"alg":"A128KW","enc":"A128CBC-HS256"}'
b64_header = b64e(header)
assert b64_header == "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0"
cek = intarr2str([
4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
44, 207
])
shared_key = [
25, 172, 32, 130, 225, 114, 26, 181, 138, 106, 254, 192, 95, 133, 74,
82
]
jek = aes_wrap_key(intarr2str(shared_key), cek)
assert str2intarr(jek) == [
232, 160, 123, 211, 183, 76, 245, 132, 200, 128, 123, 75, 190, 216, 22,
67, 201, 138, 193, 186, 9, 91, 122, 31, 246, 90, 28, 139, 57, 3, 76,
124, 193, 11, 98, 37, 173, 61, 104, 57
]
b64_jek = b64e(jek)
assert b64_jek == "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"
iv = intarr2str([
3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101
])
b64_iv = b64e(iv)
assert b64_iv == "AxY8DCtDaGlsbGljb3RoZQ"
aadp = b64_header
assert str2intarr(aadp) == [
101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 66, 77, 84, 73, 52,
83, 49, 99, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105, 74, 66,
77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85, 50, 73,
110, 48
]
_jwe = JWe()
ctxt, tag, key = _jwe.enc_setup("A128CBC-HS256", msg, aadp, cek, iv=iv)
print str2intarr(ctxt)
assert str2intarr(ctxt) == [
40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6, 75,
129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143, 112, 56,
102
]
assert str2intarr(tag) == [
83, 73, 191, 98, 104, 205, 211, 128, 201, 189, 199, 133, 32, 38, 194,
85
]
enc_cipher_text = b64e(ctxt)
assert enc_cipher_text == "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY"
enc_authn_tag = b64e(tag)
assert enc_authn_tag == "U0m_YmjN04DJvceFICbCVQ"