def _export_subjectPublicKeyInfo(self, compress): # See 2.2 in RFC5480 and 2.3.3 in SEC1 # The first byte is: # - 0x02: compressed, only X-coordinate, Y-coordinate is even # - 0x03: compressed, only X-coordinate, Y-coordinate is odd # - 0x04: uncompressed, X-coordinate is followed by Y-coordinate # # PAI is in theory encoded as 0x00. order_bytes = _curve.order.size_in_bytes() if compress: first_byte = 2 + self.pointQ.y.is_odd() public_key = (bchr(first_byte) + self.pointQ.x.to_bytes(order_bytes)) else: public_key = (bchr(4) + self.pointQ.x.to_bytes(order_bytes) + self.pointQ.y.to_bytes(order_bytes)) unrestricted_oid = "1.2.840.10045.2.1" return _create_subject_public_key_info(unrestricted_oid, public_key, DerObjectId(_curve.oid))
def test_update(self): pieces = [bchr(10) * 200, bchr(20) * 300] h = self.shake.new() h.update(pieces[0]).update(pieces[1]) digest = h.read(10) h = self.shake.new() h.update(pieces[0] + pieces[1]) self.assertEqual(h.read(10), digest)
def test_update(self): pieces = [bchr(10) * 200, bchr(20) * 300] h = keccak.new(digest_bytes=64) h.update(pieces[0]).update(pieces[1]) digest = h.digest() h = keccak.new(digest_bytes=64) h.update(pieces[0] + pieces[1]) self.assertEqual(h.digest(), digest)
def test_nonce_length(self): # nonce can be of any length (but not empty) self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_GCM, nonce=b("")) for x in range(1, 128): cipher = AES.new(self.key_128, AES.MODE_GCM, nonce=bchr(1) * x) cipher.encrypt(bchr(1))
def _definite_form(length): """Build length octets according to BER/DER definite form. """ if length > 127: encoding = long_to_bytes(length) return bchr(len(encoding) + 128) + encoding return bchr(length)
def test_nonce_length(self): self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_CCM, nonce=b("")) self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_CCM, nonce=bchr(1) * 6) self.assertRaises(ValueError, AES.new, self.key_128, AES.MODE_CCM, nonce=bchr(1) * 14) for x in range(7, 13 + 1): AES.new(self.key_128, AES.MODE_CCM, nonce=bchr(1) * x)
def encode(self): """Return the DER INTEGER, fully encoded as a binary string.""" number = self.value self.payload = b'' while True: self.payload = bchr(int(number & 255)) + self.payload if 128 <= number <= 255: self.payload = bchr(0x00) + self.payload if -128 <= number <= 255: break number >>= 8 return DerObject.encode(self)
def runTest(self): self.assertRaises(ValueError, ARC2.new, bchr(0) * 4, ARC2.MODE_ECB) self.assertRaises(ValueError, ARC2.new, bchr(0) * 129, ARC2.MODE_ECB) self.assertRaises(ValueError, ARC2.new, bchr(0) * 16, ARC2.MODE_ECB, effective_keylen=39) self.assertRaises(ValueError, ARC2.new, bchr(0) * 16, ARC2.MODE_ECB, effective_keylen=1025)
def test_seek_tv(self): # Test Vector #4, A.1 from # http://tools.ietf.org/html/draft-nir-cfrg-chacha20-poly1305-04 key = bchr(0) + bchr(255) + bchr(0) * 30 nonce = bchr(0) * 8 cipher = ChaCha20.new(key=key, nonce=nonce) cipher.seek(64 * 2) expected_key_stream = unhexlify(b( "72d54dfbf12ec44b362692df94137f32" "8fea8da73990265ec1bbbea1ae9af0ca" "13b25aa26cb4a648cb9b9d1be65b2c09" "24a66c54d545ec1b7374f4872e99f096" )) ct = cipher.encrypt(bchr(0) * len(expected_key_stream)) self.assertEqual(expected_key_stream, ct)
def adjust_key_parity(key_in): """Set the parity bits in a TDES key. :param key_in: the TDES key whose bits need to be adjusted :type key_in: byte string :returns: a copy of ``key_in``, with the parity bits correctly set :rtype: byte string :raises ValueError: if the TDES key is not 16 or 24 bytes long :raises ValueError: if the TDES key degenerates into Single DES """ def parity_byte(key_byte): parity = 1 for i in range(1, 8): parity ^= (key_byte >> i) & 1 return (key_byte & 0xFE) | parity if len(key_in) not in key_size: raise ValueError("Not a valid TDES key") key_out = b"".join([bchr(parity_byte(bord(x))) for x in key_in]) if key_out[:8] == key_out[8:16] or key_out[-16:-8] == key_out[-8:]: raise ValueError("Triple DES key degenerates to single DES") return key_out
def _export_private_der(self, include_ec_params=True): assert self.has_private() # ECPrivateKey ::= SEQUENCE { # version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), # privateKey OCTET STRING, # parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, # publicKey [1] BIT STRING OPTIONAL # } # Public key - uncompressed form order_bytes = _curve.order.size_in_bytes() public_key = (bchr(4) + self.pointQ.x.to_bytes(order_bytes) + self.pointQ.y.to_bytes(order_bytes)) seq = [1, DerOctetString(self.d.to_bytes(order_bytes)), DerObjectId(_curve.oid, explicit=0), DerBitString(public_key, explicit=1)] if not include_ec_params: del seq[2] return DerSequence(seq).encode()
def test_nonce_length(self): # nonce can be of any length (but not empty) self.assertRaises(ValueError, AES.new, self.key_256, AES.MODE_SIV, nonce=b("")) for x in range(1, 128): cipher = AES.new(self.key_256, AES.MODE_SIV, nonce=bchr(1) * x) cipher.encrypt_and_digest(b'\x01')
def encode(self): """Return this DER element, fully encoded as a binary byte string.""" # Concatenate identifier octets, length octets, # and contents octets output_payload = self.payload # In case of an EXTERNAL tag, first encode the inner # element. if hasattr(self, "_inner_tag_octet"): output_payload = (bchr(self._inner_tag_octet) + self._definite_form(len(self.payload)) + self.payload) return (bchr(self._tag_octet) + self._definite_form(len(output_payload)) + output_payload)
def encode(self): """Return the DER OBJECT ID, fully encoded as a binary string.""" comps = [int(x) for x in self.value.split(".")] if len(comps) < 2: raise ValueError("Not a valid Object Identifier string") self.payload = bchr(40 * comps[0] + comps[1]) for v in comps[2:]: if v == 0: enc = [0] else: enc = [] while v: enc.insert(0, (v & 0x7F) | 0x80) v >>= 7 enc[-1] &= 0x7F self.payload += b''.join([bchr(x) for x in enc]) return DerObject.encode(self)
def _export_openssh(self, compress): if self.has_private(): raise ValueError("Cannot export OpenSSH private keys") desc = "ecdsa-sha2-nistp256" order_bytes = _curve.order.size_in_bytes() if compress: first_byte = 2 + self.pointQ.y.is_odd() public_key = (bchr(first_byte) + self.pointQ.x.to_bytes(order_bytes)) else: public_key = (bchr(4) + self.pointQ.x.to_bytes(order_bytes) + self.pointQ.y.to_bytes(order_bytes)) comps = (tobytes(desc), b("nistp256"), public_key) blob = b("").join([ struct.pack(">I", len(x)) + x for x in comps]) return desc + " " + tostr(binascii.b2a_base64(blob))
def test_degradation(self): sub_key1 = bchr(1) * 8 sub_key2 = bchr(255) * 8 # K1 == K2 self.assertRaises(ValueError, DES3.adjust_key_parity, sub_key1 * 2 + sub_key2) # K2 == K3 self.assertRaises(ValueError, DES3.adjust_key_parity, sub_key1 + sub_key2 * 2) # K1 == K2 == K3 self.assertRaises(ValueError, DES3.adjust_key_parity, sub_key1 * 3) # K1 == K2 (with different parity) self.assertRaises(ValueError, DES3.adjust_key_parity, sub_key1 + strxor_c(sub_key1, 1) + sub_key2)
def runTest(self): key = RSA.generate(1024) hashed = SHA1.new(b("Test")) good_signature = PKCS1_PSS.new(key).sign(hashed) verifier = PKCS1_PSS.new(key.publickey()) self.assertEqual(verifier.verify(hashed, good_signature), True) # Flip a few bits in the signature bad_signature = strxor(good_signature, bchr(1) * len(good_signature)) self.assertEqual(verifier.verify(hashed, bad_signature), False)
def runTest(self): key = RSA.importKey(PKCS1_15_NoParams.rsakey) hashed = SHA1.new(b("Test")) good_signature = PKCS1_v1_5.new(key).sign(hashed) verifier = PKCS1_v1_5.new(key.publickey()) self.assertEqual(verifier.verify(hashed, good_signature), True) # Flip a few bits in the signature bad_signature = strxor(good_signature, bchr(1) * len(good_signature)) self.assertEqual(verifier.verify(hashed, bad_signature), False)
def _generate_domain(L, randfunc): """Generate a new set of DSA domain parameters""" N = {1024: 160, 2048: 224, 3072: 256}.get(L) if N is None: raise ValueError("Invalid modulus length (%d)" % L) outlen = SHA256.digest_size * 8 n = (L + outlen - 1) // outlen - 1 # ceil(L/outlen) -1 b_ = L - 1 - (n * outlen) # Generate q (A.1.1.2) q = Integer(4) upper_bit = 1 << (N - 1) while test_probable_prime(q, randfunc) != PROBABLY_PRIME: seed = randfunc(64) U = Integer.from_bytes(SHA256.new(seed).digest()) & (upper_bit - 1) q = U | upper_bit | 1 assert (q.size_in_bits() == N) # Generate p (A.1.1.2) offset = 1 upper_bit = 1 << (L - 1) while True: V = [ SHA256.new(seed + Integer(offset + j).to_bytes()).digest() for j in iter_range(n + 1) ] V = [Integer.from_bytes(v) for v in V] W = sum([V[i] * (1 << (i * outlen)) for i in iter_range(n)], (V[n] & ((1 << b_) - 1)) * (1 << (n * outlen))) X = Integer(W + upper_bit) # 2^{L-1} < X < 2^{L} assert (X.size_in_bits() == L) c = X % (q * 2) p = X - (c - 1) # 2q divides (p-1) if p.size_in_bits() == L and \ test_probable_prime(p, randfunc) == PROBABLY_PRIME: break offset += n + 1 # Generate g (A.2.3, index=1) e = (p - 1) // q for count in itertools.count(1): U = seed + b"ggen" + bchr(1) + Integer(count).to_bytes() W = Integer.from_bytes(SHA256.new(U).digest()) g = pow(W, e, p) if g != 1: break return (p, q, g, seed)
def runTest(self): key = b'0' * 16 h = SHA256.new() for length in range(160): nonce = '{0:04d}'.format(length).encode('utf-8') data = bchr(length) * length cipher = AES.new(key, AES.MODE_GCM, nonce=nonce, **self._extra_params) ct, tag = cipher.encrypt_and_digest(data) h.update(ct) h.update(tag) self.assertEqual(h.hexdigest(), "7b7eb1ffbe67a2e53a912067c0ec8e62ebc7ce4d83490ea7426941349811bdf4")
def _compute_nonce(self, mhash): """Generate k in a deterministic way""" # See section 3.2 in RFC6979.txt # Step a h1 = mhash.digest() # Step b mask_v = bchr(1) * mhash.digest_size # Step c nonce_k = bchr(0) * mhash.digest_size for int_oct in 0, 1: # Step d/f nonce_k = HMAC.new( nonce_k, mask_v + bchr(int_oct) + self._int2octets(self._private_key) + self._bits2octets(h1), mhash).digest() # Step e/g mask_v = HMAC.new(nonce_k, mask_v, mhash).digest() nonce = -1 while not (0 < nonce < self._order): # Step h.C (second part) if nonce != -1: nonce_k = HMAC.new(nonce_k, mask_v + bchr(0), mhash).digest() mask_v = HMAC.new(nonce_k, mask_v, mhash).digest() # Step h.A mask_t = b("") # Step h.B while len(mask_t) < self._order_bytes: mask_v = HMAC.new(nonce_k, mask_v, mhash).digest() mask_t += mask_v # Step h.C (first part) nonce = self._bits2int(mask_t) return nonce
def test3(self): for keylen, taglen, result in self.tv3: key = bchr(0) * (keylen // 8 - 1) + bchr(taglen) C = b("") for i in range(128): S = bchr(0) * i N = long_to_bytes(3 * i + 1, 12) cipher = AES.new(key, AES.MODE_OCB, nonce=N, mac_len=taglen // 8) cipher.update(S) C += cipher.encrypt(S) + cipher.encrypt() + cipher.digest() N = long_to_bytes(3 * i + 2, 12) cipher = AES.new(key, AES.MODE_OCB, nonce=N, mac_len=taglen // 8) C += cipher.encrypt(S) + cipher.encrypt() + cipher.digest() N = long_to_bytes(3 * i + 3, 12) cipher = AES.new(key, AES.MODE_OCB, nonce=N, mac_len=taglen // 8) cipher.update(S) C += cipher.encrypt() + cipher.digest() N = long_to_bytes(385, 12) cipher = AES.new(key, AES.MODE_OCB, nonce=N, mac_len=taglen // 8) cipher.update(C) result2 = cipher.encrypt() + cipher.digest() self.assertEqual(unhexlify(b(result)), result2)
def runTest(self): sub_key1 = bchr(1) * 8 sub_key2 = bchr(255) * 8 # K1 == K2 self.assertRaises(ValueError, DES3.new, sub_key1 * 2 + sub_key2, DES3.MODE_ECB) # K2 == K3 self.assertRaises(ValueError, DES3.new, sub_key1 + sub_key2 * 2, DES3.MODE_ECB) # K1 == K2 == K3 self.assertRaises(ValueError, DES3.new, sub_key1 *3, DES3.MODE_ECB) # K2 == K3 (parity is ignored) self.assertRaises(ValueError, DES3.new, sub_key1 + sub_key2 + strxor_c(sub_key2, 0x1), DES3.MODE_ECB)
def test_asn1_encoding(self): """Verify ASN.1 encoding""" self.description = "ASN.1 encoding test" hash_obj = SHA256.new() signer = DSS.new(self.key_priv, 'fips-186-3', 'der') signature = signer.sign(hash_obj) # Verify that output looks like a DER SEQUENCE self.assertEqual(bord(signature[0]), 48) signer.verify(hash_obj, signature) # Verify that ASN.1 parsing fails as expected signature = bchr(7) + signature[1:] self.assertRaises(ValueError, signer.verify, hash_obj, signature)
def random(cls, **kwargs): """Generate a random natural integer of a certain size. :Keywords: exact_bits : positive integer The length in bits of the resulting random Integer number. The number is guaranteed to fulfil the relation: 2^bits > result >= 2^(bits - 1) max_bits : positive integer The maximum length in bits of the resulting random Integer number. The number is guaranteed to fulfil the relation: 2^bits > result >=0 randfunc : callable A function that returns a random byte string. The length of the byte string is passed as parameter. Optional. If not provided (or ``None``), randomness is read from the system RNG. :Return: a Integer object """ exact_bits = kwargs.pop("exact_bits", None) max_bits = kwargs.pop("max_bits", None) randfunc = kwargs.pop("randfunc", None) if randfunc is None: randfunc = Random.new().read if exact_bits is None and max_bits is None: raise ValueError( "Either 'exact_bits' or 'max_bits' must be specified") if exact_bits is not None and max_bits is not None: raise ValueError( "'exact_bits' and 'max_bits' are mutually exclusive") bits = exact_bits or max_bits bytes_needed = ((bits - 1) // 8) + 1 significant_bits_msb = 8 - (bytes_needed * 8 - bits) msb = bord(randfunc(1)[0]) if exact_bits is not None: msb |= 1 << (significant_bits_msb - 1) msb &= (1 << significant_bits_msb) - 1 return cls.from_bytes(bchr(msb) + randfunc(bytes_needed - 1))
def encode(self): """Return the DER OBJECT ID, fully encoded as a binary string.""" comps = list(map(int, self.value.split("."))) if len(comps) < 2: raise ValueError("Not a valid Object Identifier string") self.payload = bchr(40 * comps[0] + comps[1]) for v in comps[2:]: enc = [] while v: enc.insert(0, (v & 0x7F) | 0x80) v >>= 7 enc[-1] &= 0x7F self.payload += b('').join(map(bchr, enc)) return DerObject.encode(self)
def _export_openssh(self, compress): if self.has_private(): raise ValueError("Cannot export OpenSSH private keys") desc = self._curve.openssh modulus_bytes = self.pointQ.size_in_bytes() if compress: first_byte = 2 + self.pointQ.y.is_odd() public_key = (bchr(first_byte) + self.pointQ.x.to_bytes(modulus_bytes)) else: public_key = (b'\x04' + self.pointQ.x.to_bytes(modulus_bytes) + self.pointQ.y.to_bytes(modulus_bytes)) middle = desc.split("-")[2] comps = (tobytes(desc), tobytes(middle), public_key) blob = b"".join([struct.pack(">I", len(x)) + x for x in comps]) return desc + " " + tostr(binascii.b2a_base64(blob))
def test_wrap_around(self): # Counter is only 8 bits, so we can only encrypt/decrypt 256 blocks (=4096 bytes) counter = Counter.new(8, prefix=bchr(9) * 15) max_bytes = 4096 cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter) cipher.encrypt(b'9' * max_bytes) self.assertRaises(OverflowError, cipher.encrypt, b'9') cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter) self.assertRaises(OverflowError, cipher.encrypt, b'9' * (max_bytes + 1)) cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter) cipher.decrypt(b'9' * max_bytes) self.assertRaises(OverflowError, cipher.decrypt, b'9') cipher = AES.new(self.key_128, AES.MODE_CTR, counter=counter) self.assertRaises(OverflowError, cipher.decrypt, b'9' * (max_bytes + 1))
def to_bytes(self, block_size=0): """Convert the number into a byte string. This method encodes the number in network order and prepends as many zero bytes as required. It only works for non-negative values. :Parameters: block_size : integer The exact size the output byte string must have. If zero, the string has the minimal length. :Returns: A byte string. :Raise ValueError: If the value is negative or if ``block_size`` is provided and the length of the byte string would exceed it. """ if self < 0: raise ValueError("Conversion only valid for non-negative numbers") buf_len = (_gmp.mpz_sizeinbase(self._mpz_p, 2) + 7) // 8 if buf_len > block_size > 0: raise ValueError("Number is too big to convert to byte string" "of prescribed length") buf = create_string_buffer(buf_len) _gmp.mpz_export( buf, null_pointer, # Ignore countp 1, # Big endian c_size_t(1), # Each word is 1 byte long 0, # Endianess within a word - not relevant c_size_t(0), # No nails self._mpz_p) return bchr(0) * max(0, block_size - buf_len) + get_raw_buffer(buf)
def func(x): if (bord(x[0]) & 0x80): return bchr(0) + x else: return x