def _generate_data_key_pair(data, create_cipher=True): region_details = KMSBackend.get() kms = aws_stack.connect_to_service("kms") key_id = data.get("KeyId") key_spec = data.get("KeyPairSpec") or data.get("KeySpec") key = None public_format = None if key_spec.startswith("RSA"): rsa_key_sizes = { "RSA_2048": 2048, "RSA_3072": 3072, "RSA_4096": 4096, } key_size = rsa_key_sizes.get(key_spec) key = rsa.generate_private_key(public_exponent=65537, key_size=key_size) public_format = crypto_serialization.PublicFormat.PKCS1 if key_spec.startswith("ECC"): curve = None if key_spec == "ECC_NIST_P256": curve = ec.BrainpoolP256R1() elif key_spec == "ECC_NIST_P384": curve = ec.BrainpoolP384R1() elif key_spec == "ECC_NIST_P521": curve = ec.BrainpoolP512R1() elif key_spec == "ECC_SECG_P256K1": curve = ec.SECP256K1() key = ec.generate_private_key(curve) public_format = crypto_serialization.PublicFormat.SubjectPublicKeyInfo private_key = key.private_bytes( crypto_serialization.Encoding.DER, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption(), ) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.DER, public_format) cipher_text_blob = None if create_cipher: cipher_text = kms.encrypt(KeyId=key_id, Plaintext=private_key)["CiphertextBlob"] cipher_text_blob = base64.b64encode(cipher_text) result = { "PrivateKeyCiphertextBlob": cipher_text_blob, "PrivateKeyPlaintext": base64.b64encode(private_key), "PublicKey": base64.b64encode(public_key), "KeyId": key_id, "KeyPairSpec": key_spec, "KeySpec": key_spec, "_key_": key, } region_details.key_pairs[key_id] = result return result
from cryptography.hazmat.backends.interfaces import EllipticCurveBackend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import ec from ..hazmat.primitives.test_ec import _skip_exchange_algorithm_unsupported _CURVES = { "secp224r1": ec.SECP224R1(), "secp256r1": ec.SECP256R1(), "secp384r1": ec.SECP384R1(), "secp521r1": ec.SECP521R1(), "secp256k1": ec.SECP256K1(), "brainpoolP224r1": None, "brainpoolP256r1": ec.BrainpoolP256R1(), "brainpoolP320r1": None, "brainpoolP384r1": ec.BrainpoolP384R1(), "brainpoolP512r1": ec.BrainpoolP512R1(), "brainpoolP224t1": None, "brainpoolP256t1": None, "brainpoolP320t1": None, "brainpoolP384t1": None, "brainpoolP512t1": None, } @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.wycheproof_tests( "ecdh_test.json", "ecdh_brainpoolP224r1_test.json", "ecdh_brainpoolP256r1_test.json", "ecdh_brainpoolP320r1_test.json",
'secp256r1', ), ( 'sha384', ec.SECP384R1(), 'secp384r1', ), ( 'sha512', ec.SECP521R1(), 'secp521r1', ), ( 'sha256', ec.BrainpoolP256R1(), 'brainpoolp256r1', ), ( 'sha384', ec.BrainpoolP384R1(), 'brainpoolp384r1', ), ( 'sha512', ec.BrainpoolP512R1(), 'brainpoolp512r1', )]) def test_tls_prf(hash_alg, hazmat_curve, curve): key = objects.ECCKey(0xe0f1) _, _ = optiga_ec.generate_pair(key, curve=curve) private_key = ec.generate_private_key(hazmat_curve, default_backend()) peer_public_key = private_key.public_key().public_bytes( encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo) optiga_ec.ecdh(key, peer_public_key) ses = objects.AcquiredSession()
def _native_to_pkcs(pkey, key=None, algorithm=None): """ OPTIGA doesnt use and accept key information as part of the imput, so we need to append it after key_generation or strip for input :param pkey: a bytestring with the public key from OPTIGA :param key: A bytestring with key value from OPTIGA :param algorithm: A unicode string for an algorithm. :raises: - ValueError - when any of the parameters are not expected - TypeError - when any of the parameters are of the wrong type - OSError - when an error is returned by the core initialisation library :returns: A tuple of keys (public_key, private_key) """ _algorithms_map = { 'secp256r1': ('ec', b'0Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\x08*\x86H\xce=\x03\x01\x07', ec.SECP256R1()), 'secp384r1': ('ec', b'0v0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00"', ec.SECP384R1()), 'secp521r1': ('ec', b'0\x81\x9b0\x10\x06\x07*\x86H\xce=\x02\x01\x06\x05+\x81\x04\x00#', ec.SECP521R1()), 'brainpoolp256r1': ('ec', b'0Z0\x14\x06\x07*\x86H\xce=\x02\x01\x06\t+$\x03\x03\x02\x08\x01\x01\x07', ec.BrainpoolP256R1()), 'brainpoolp384r1': ('ec', b'0z0\x14\x06\x07*\x86H\xce=\x02\x01\x06\t+$\x03\x03\x02\x08\x01\x01\x0b', ec.BrainpoolP384R1()), 'brainpoolp512r1': ('ec', b'0\x81\x9b0\x14\x06\x07*\x86H\xce=\x02\x01\x06\t+$\x03\x03\x02\x08\x01\x01\r', ec.BrainpoolP512R1()) } if algorithm not in _algorithms_map: raise ValueError( '{0} isn\'t supported. Use one of {1}'.format(algorithm, _algorithms_map.keys()) ) if not isinstance(pkey, (bytes, bytearray)): raise TypeError( 'pkey is of unsupported types (pkey type = {0}), ' 'should be either bytes or bytearray'.format(type(pkey)) ) if key is not None and not isinstance(key, (bytes, bytearray)): raise TypeError( 'key is of unsupported types (key type = {0}), ' 'should be either bytes or bytearray'.format(type(key)) ) _type = _algorithms_map[algorithm][0] if _type == 'ec': prefix = _algorithms_map[algorithm][1] pyca_curve = _algorithms_map[algorithm][2] public_key = prefix + pkey if key is not None: print(int.from_bytes(key[2:], 'big')) private_key = ec.derive_private_key(int.from_bytes(key[2:], 'big'), pyca_curve, default_backend()) private_key = private_key.private_bytes(encoding=serialization.Encoding.DER, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption()) else: private_key = None return public_key, private_key
with pytest.raises(IOError): key_object = objects.ECCKey(0xe0f1) pkey, _ = optiga_ec.generate_pair( key_object, curve='secp384r1', key_usage=['authentication', 'signature']) # key agreement hasnt been selected, thus an error optiga_ec.ecdh(key_object, pkey) @pytest.mark.parametrize("curve, hazmat_curve", [('secp256r1', ec.SECP256R1()), ('secp384r1', ec.SECP384R1()), ('secp521r1', ec.SECP521R1()), ('brainpoolp256r1', ec.BrainpoolP256R1()), ('brainpoolp384r1', ec.BrainpoolP384R1()), ('brainpoolp512r1', ec.BrainpoolP512R1())]) def test_ecdh_internal(curve, hazmat_curve): key_object = objects.ECCKey(0xe0f1) _, _ = optiga_ec.generate_pair(key_object, curve) private_key = ec.generate_private_key(hazmat_curve, default_backend()) peer_public_key = private_key.public_key().public_bytes( encoding=serialization.Encoding.DER, format=serialization.PublicFormat.SubjectPublicKeyInfo) optiga_ec.ecdh(key_object, peer_public_key) @pytest.mark.parametrize("curve, hazmat_curve", [('secp256r1', ec.SECP256R1()), ('secp384r1', ec.SECP384R1()), ('secp521r1', ec.SECP521R1()),
def _generate_data_key_pair(data, create_cipher=True): region_details = KMSBackend.get() kms = aws_stack.connect_to_service("kms") key_id = data.get("KeyId") key_spec = data.get("KeyPairSpec") or data.get("KeySpec") or data.get( "CustomerMasterKeySpec") key = None public_format = None if key_spec.startswith("RSA"): rsa_key_sizes = { "RSA_2048": 2048, "RSA_3072": 3072, "RSA_4096": 4096, } key_size = rsa_key_sizes.get(key_spec) key = rsa.generate_private_key(public_exponent=65537, key_size=key_size) public_format = crypto_serialization.PublicFormat.PKCS1 if key_spec.startswith("ECC"): curve = None if key_spec == "ECC_NIST_P256": curve = ec.BrainpoolP256R1() elif key_spec == "ECC_NIST_P384": curve = ec.BrainpoolP384R1() elif key_spec == "ECC_NIST_P521": curve = ec.BrainpoolP512R1() elif key_spec == "ECC_SECG_P256K1": curve = ec.SECP256K1() key = ec.generate_private_key(curve) public_format = crypto_serialization.PublicFormat.SubjectPublicKeyInfo private_key = key.private_bytes( crypto_serialization.Encoding.DER, crypto_serialization.PrivateFormat.PKCS8, crypto_serialization.NoEncryption(), ) public_key = key.public_key().public_bytes( crypto_serialization.Encoding.DER, public_format) cipher_text_blob = None if create_cipher: cipher_text = kms.encrypt(KeyId=key_id, Plaintext=private_key)["CiphertextBlob"] cipher_text_blob = base64.b64encode(cipher_text) region = region_details.get_current_request_region() result = { "PrivateKeyCiphertextBlob": cipher_text_blob, "PrivateKeyPlaintext": base64.b64encode(private_key), "PublicKey": base64.b64encode(public_key), "KeyId": key_id, "KeyPairSpec": key_spec, "KeySpec": key_spec, "KeyUsage": "SIGN_VERIFY", "Policy": data.get("Policy"), "Region": region, "Description": data.get("Description"), "Arn": aws_stack.kms_key_arn(key_id), "_key_": key, } region_details.key_pairs[key_id] = result key = Key("", result["KeyUsage"], key_spec, result["Description"], region) key.id = key_id return {**key.to_dict()["KeyMetadata"], **result}