def test_ed448_unsupported(backend):
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM):
Ed448PublicKey.from_public_bytes(b"0" * 57)
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM):
Ed448PrivateKey.from_private_bytes(b"0" * 57)
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM):
Ed448PrivateKey.generate()
def test_ed448_unsupported(backend):
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
Ed448PublicKey.from_public_bytes(b"0" * 57)
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
Ed448PrivateKey.from_private_bytes(b"0" * 57)
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
Ed448PrivateKey.generate()
def sign(self,
to_be_signed: bytes,
alg: Optional[CoseAlgorithms] = None,
curve: CoseEllipticCurves = None) -> bytes:
"""
Computes a digital signature over 'to_be_signed'. The parameter 'alg' and 'curve' parameters are optional in
case they are already provided by the key object self.
:param to_be_signed: Data over which the signature is calculated.
:param alg: An optional algorithm parameter.
:param curve: An optional curve parameter.
:return: the signature over the COSE object.
"""
self._check_key_conf(algorithm=alg,
key_operation=KeyOps.SIGN,
curve=curve)
if self.crv == CoseEllipticCurves.ED25519:
sk = Ed25519PrivateKey.from_private_bytes(self.d)
elif self._crv == CoseEllipticCurves.ED448:
sk = Ed448PrivateKey.from_private_bytes(self.d)
else:
raise CoseIllegalCurve(
f"Illegal curve for OKP singing: {self.crv}")
return sk.sign(to_be_signed)
def test_round_trip_private_serialization(
self, encoding, fmt, encryption, passwd, load_func, backend
):
key = Ed448PrivateKey.generate()
serialized = key.private_bytes(encoding, fmt, encryption)
loaded_key = load_func(serialized, passwd, backend)
assert isinstance(loaded_key, Ed448PrivateKey)
def from_jwk(jwk):
try:
if isinstance(jwk, str):
obj = json.loads(jwk)
elif isinstance(jwk, dict):
obj = jwk
else:
raise ValueError
except ValueError:
raise InvalidKeyError("Key is not valid JSON")
if obj.get("kty") != "OKP":
raise InvalidKeyError("Not an Octet Key Pair")
curve = obj.get("crv")
if curve != "Ed25519" and curve != "Ed448":
raise InvalidKeyError(f"Invalid curve: {curve}")
if "x" not in obj:
raise InvalidKeyError('OKP should have "x" parameter')
x = base64url_decode(obj.get("x"))
try:
if "d" not in obj:
if curve == "Ed25519":
return Ed25519PublicKey.from_public_bytes(x)
return Ed448PublicKey.from_public_bytes(x)
d = base64url_decode(obj.get("d"))
if curve == "Ed25519":
return Ed25519PrivateKey.from_private_bytes(d)
return Ed448PrivateKey.from_private_bytes(d)
except ValueError as err:
raise InvalidKeyError("Invalid key parameter") from err
def test_pub_priv_bytes_raw(self, vector, backend):
sk = binascii.unhexlify(vector["secret"])
pk = binascii.unhexlify(vector["public"])
private_key = Ed448PrivateKey.from_private_bytes(sk)
assert (
private_key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
serialization.NoEncryption(),
)
== sk
)
assert (
private_key.public_key().public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
)
== pk
)
public_key = Ed448PublicKey.from_public_bytes(pk)
assert (
public_key.public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
)
== pk
)
def test_invalid_signature(self, backend):
key = Ed448PrivateKey.generate()
signature = key.sign(b"test data")
with pytest.raises(InvalidSignature):
key.public_key().verify(signature, b"wrong data")
with pytest.raises(InvalidSignature):
key.public_key().verify(b"0" * 64, b"test data")
def test_buffer_protocol(self, backend):
private_bytes = os.urandom(57)
key = Ed448PrivateKey.from_private_bytes(bytearray(private_bytes))
assert (key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
serialization.NoEncryption(),
) == private_bytes)
def test_buffer_protocol(self, backend):
private_bytes = os.urandom(57)
key = Ed448PrivateKey.from_private_bytes(bytearray(private_bytes))
assert key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
serialization.NoEncryption()
) == private_bytes
def test_invalid_signature(self, backend):
key = Ed448PrivateKey.generate()
signature = key.sign(b"test data")
with pytest.raises(InvalidSignature):
key.public_key().verify(signature, b"wrong data")
with pytest.raises(InvalidSignature):
key.public_key().verify(b"0" * 64, b"test data")
def sign(cls, key: 'OKP', data: bytes) -> bytes:
if key.crv.fullname == 'ED25519':
sk = Ed25519PrivateKey.from_private_bytes(key.d)
elif key.crv.fullname == 'ED448':
sk = Ed448PrivateKey.from_private_bytes(key.d)
else:
raise CoseException(f"Illegal curve for OKP singing: {key.crv}")
return sk.sign(data)
def test_invalid_public_bytes(self, backend):
key = Ed448PrivateKey.generate().public_key()
with pytest.raises(ValueError):
key.public_bytes(
serialization.Encoding.Raw,
serialization.PublicFormat.SubjectPublicKeyInfo,
)
with pytest.raises(ValueError):
key.public_bytes(serialization.Encoding.PEM,
serialization.PublicFormat.PKCS1)
with pytest.raises(ValueError):
key.public_bytes(serialization.Encoding.PEM,
serialization.PublicFormat.Raw)
def test_sign_input(self, vector, backend):
if vector.get("context") is not None:
pytest.skip("ed448 contexts are not currently supported")
sk = binascii.unhexlify(vector["secret"])
pk = binascii.unhexlify(vector["public"])
message = binascii.unhexlify(vector["message"])
signature = binascii.unhexlify(vector["signature"])
private_key = Ed448PrivateKey.from_private_bytes(sk)
computed_sig = private_key.sign(message)
assert computed_sig == signature
public_key = private_key.public_key()
assert (public_key.public_bytes(serialization.Encoding.Raw,
serialization.PublicFormat.Raw) == pk)
public_key.verify(signature, message)
def test_pub_priv_bytes_raw(self, vector, backend):
sk = binascii.unhexlify(vector["secret"])
pk = binascii.unhexlify(vector["public"])
private_key = Ed448PrivateKey.from_private_bytes(sk)
assert private_key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
serialization.NoEncryption()
) == sk
assert private_key.public_key().public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
) == pk
public_key = Ed448PublicKey.from_public_bytes(pk)
assert public_key.public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
) == pk
def test_sign_input(self, vector, backend):
if vector.get("context") is not None:
pytest.skip("ed448 contexts are not currently supported")
sk = binascii.unhexlify(vector["secret"])
pk = binascii.unhexlify(vector["public"])
message = binascii.unhexlify(vector["message"])
signature = binascii.unhexlify(vector["signature"])
private_key = Ed448PrivateKey.from_private_bytes(sk)
computed_sig = private_key.sign(message)
assert computed_sig == signature
public_key = private_key.public_key()
assert public_key.public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
) == pk
public_key.verify(signature, message)
def test_cryptography_okp_public_key_ed448():
ed448_private_key = Ed448PrivateKey.generate()
ed448_public_number = ed448_private_key.public_key().public_bytes(
Encoding.Raw, PublicFormat.Raw)
okp_key = OKPCredentialPublicKey(
kty=COSEKeyType.Value.OKP,
crv=OKPKeyType.Value.ED448,
x=ed448_public_number,
)
converted_public_key = cryptography_okp_public_key(okp_key)
converted_public_number = converted_public_key.public_bytes(
Encoding.Raw, PublicFormat.Raw)
assert ed448_public_number == converted_public_number
def test_invalid_public_bytes(self, backend):
key = Ed448PrivateKey.generate().public_key()
with pytest.raises(ValueError):
key.public_bytes(
serialization.Encoding.Raw,
serialization.PublicFormat.SubjectPublicKeyInfo
)
with pytest.raises(ValueError):
key.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.PKCS1
)
with pytest.raises(ValueError):
key.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.Raw
)
def test_invalid_private_bytes(self, backend):
key = Ed448PrivateKey.generate()
with pytest.raises(ValueError):
key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
None,
)
with pytest.raises(ValueError):
key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.PKCS8,
None,
)
with pytest.raises(ValueError):
key.private_bytes(
serialization.Encoding.PEM,
serialization.PrivateFormat.Raw,
serialization.NoEncryption(),
)
def test_invalid_private_bytes(self, backend):
key = Ed448PrivateKey.generate()
with pytest.raises(ValueError):
key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
None
)
with pytest.raises(ValueError):
key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.PKCS8,
None
)
with pytest.raises(ValueError):
key.private_bytes(
serialization.Encoding.PEM,
serialization.PrivateFormat.Raw,
serialization.NoEncryption()
)
def generate_key(crv: Union[Type['CoseCurve'], str, int],
optional_params: dict = None) -> 'OKPKey':
"""
Generate a random OKPKey COSE key object.
:param crv: Specify an elliptic curve.
:param optional_params: Optional key attributes for the :class:`~cose.keys.okp.OKPKey` object, e.g., \
:class:`~cose.keys.keyparam.KpAlg` or :class:`~cose.keys.keyparam.KpKid`.
:returns: A COSE `OKPKey` key.
"""
if type(crv) == str or type(crv) == int:
crv = CoseCurve.from_id(crv)
if crv == X25519:
private_key = X25519PrivateKey.generate()
elif crv == Ed25519:
private_key = Ed25519PrivateKey.generate()
elif crv == Ed448:
private_key = Ed448PrivateKey.generate()
elif crv == X448:
private_key = X448PrivateKey.generate()
else:
raise CoseIllegalCurve(
f"Curve must be of type {X25519}, {X448}, {Ed25519}, or {Ed448}"
)
encoding = Encoding(serialization.Encoding.Raw)
private_format = PrivateFormat(serialization.PrivateFormat.Raw)
public_format = PublicFormat(serialization.PublicFormat.Raw)
encryption = serialization.NoEncryption()
return OKPKey(crv=crv,
x=private_key.public_key().public_bytes(
encoding, public_format),
d=private_key.private_bytes(encoding, private_format,
encryption),
optional_params=optional_params)
def test_invalid_length_from_private_bytes(self, backend):
with pytest.raises(ValueError):
Ed448PrivateKey.from_private_bytes(b"a" * 56)
with pytest.raises(ValueError):
Ed448PrivateKey.from_private_bytes(b"a" * 58)
def test_invalid_length_from_private_bytes(self, backend):
with pytest.raises(ValueError):
Ed448PrivateKey.from_private_bytes(b"a" * 56)
with pytest.raises(ValueError):
Ed448PrivateKey.from_private_bytes(b"a" * 58)
def test_invalid_type_private_bytes(self, backend):
with pytest.raises(TypeError):
Ed448PrivateKey.from_private_bytes(object())
def test_invalid_type_private_bytes(self, backend):
with pytest.raises(TypeError):
Ed448PrivateKey.from_private_bytes(object())
def test_generate(self, backend):
key = Ed448PrivateKey.generate()
assert key
assert key.public_key()
def test_generate(self, backend):
key = Ed448PrivateKey.generate()
assert key
assert key.public_key()
def __init__(self, params: Dict[int, Any]):
super().__init__(params)
self._public_key: Any = None
self._private_key: Any = None
self._hash_alg: Any = None
self._x = None
self._d = None
# Validate kty.
if params[1] != 1:
raise ValueError("kty(1) should be OKP(1).")
# Validate crv.
if -1 not in params:
raise ValueError("crv(-1) not found.")
self._crv = params[-1]
if not isinstance(self._crv, int):
raise ValueError("crv(-1) should be int.")
if self._crv not in [4, 5, 6, 7]:
raise ValueError(
f"Unsupported or unknown crv(-1) for OKP: {self._crv}.")
if self._crv in [4, 5]:
if not self._alg:
raise ValueError("X25519/X448 needs alg explicitly.")
if self._alg in [-25, -27]:
self._hash_alg = hashes.SHA256
elif self._alg in [-26, -28]:
self._hash_alg = hashes.SHA512
else:
raise ValueError(
f"Unsupported or unknown alg used with X25519/X448: {self._alg}."
)
# Validate alg and key_ops.
if self._key_ops:
if set(self._key_ops) & set([3, 4, 5, 6, 9, 10]):
raise ValueError(
"Unknown or not permissible key_ops(4) for OKP.")
else:
if self._crv in [4, 5]:
self._key_ops = [7, 8] if -4 in params else []
else: # self._crv in [6, 7]
self._key_ops = [1, 2] if -4 in params else [2]
if self._alg:
if self._alg in COSE_ALGORITHMS_SIG_OKP.values():
if -4 in params:
# private key for signing.
if not (set(self._key_ops) & set([1, 2])):
raise ValueError("Invalid key_ops for signing key.")
if set(self._key_ops) & set([7, 8]):
raise ValueError(
"Signing key should not be used for key derivation."
)
else:
# public key for signing.
if 2 not in self._key_ops or len(self._key_ops) != 1:
raise ValueError("Invalid key_ops for public key.")
elif self._alg in COSE_ALGORITHMS_CKDM_KEY_AGREEMENT.values():
if -4 in params:
# private key for key derivation.
if not (set(self._key_ops) & set([7, 8])):
raise ValueError("Invalid key_ops for key derivation.")
if set(self._key_ops) & set([1, 2]):
raise ValueError(
"Private key for ECDHE should not be used for signing."
)
else:
# public key for key derivation.
if self._key_ops:
raise ValueError(
"Public key for ECDHE should not have key_ops.")
else:
raise ValueError(
f"Unsupported or unknown alg(3) for OKP: {self._alg}.")
else:
if -4 in params:
# private key.
if set(self._key_ops) & set([1, 2]):
# private key for signing.
if set(self._key_ops) & set([7, 8]):
raise ValueError(
"OKP private key should not be used for both signing and key derivation."
)
self._alg = -8 # EdDSA
else:
# public key.
if 2 in self._key_ops:
if len(self._key_ops) > 1:
raise ValueError("Invalid key_ops for public key.")
else:
raise ValueError("Invalid key_ops for public key.")
if self._alg in COSE_ALGORITHMS_CKDM_KEY_AGREEMENT_ES.values():
if -2 not in params:
return
# Validate x.
if -2 not in params:
raise ValueError("x(-2) not found.")
if not isinstance(params[-2], bytes):
raise ValueError("x(-2) should be bytes(bstr).")
self._x = params[-2]
try:
if -4 not in params:
if self._crv == 4: # X25519
self._public_key = X25519PublicKey.from_public_bytes(
self._x)
elif self._crv == 5: # X448
self._public_key = X448PublicKey.from_public_bytes(self._x)
elif self._crv == 6: # Ed25519
self._public_key = Ed25519PublicKey.from_public_bytes(
self._x)
else: # self._crv == 7 (Ed448)
self._public_key = Ed448PublicKey.from_public_bytes(
self._x)
self._key = self._public_key
return
except ValueError as err:
raise ValueError("Invalid key parameter.") from err
if not isinstance(params[-4], bytes):
raise ValueError("d(-4) should be bytes(bstr).")
try:
self._d = params[-4]
if self._crv == 4: # X25519
self._private_key = X25519PrivateKey.from_private_bytes(
self._d)
elif self._crv == 5: # X448
self._private_key = X448PrivateKey.from_private_bytes(self._d)
elif self._crv == 6: # Ed25519
self._private_key = Ed25519PrivateKey.from_private_bytes(
self._d)
else: # self._crv == 7 (Ed448)
self._private_key = Ed448PrivateKey.from_private_bytes(self._d)
self._key = self._private_key
except ValueError as err:
raise ValueError("Invalid key parameter.") from err
return
def test_attest_android_key():
client_data_hash = b'client-data-hash'
auth_data = b'auth-data'
certificate, private_key, public_key = generate_elliptic_curve_x509_certificate_android(
SECP256R1(), client_data_hash)
public_numbers = private_key.private_numbers().public_numbers
x = public_numbers.x.to_bytes(P_256_COORDINATE_BYTE_LENGTH, 'big')
y = public_numbers.y.to_bytes(P_256_COORDINATE_BYTE_LENGTH, 'big')
public_key_android = b'\x04' + x + y
verification_data = auth_data + client_data_hash
credential_public_key = EC2CredentialPublicKey(
x=x,
y=y,
kty=COSEKeyType.Name.EC2,
crv=EC2Curve.Name.P_256,
)
attested_credential_data = AttestedCredentialData(
aaguid=TEST_AAGUID,
credential_id_length=TEST_CREDENTIAL_ID_LENGTH,
credential_id=TEST_CREDENTIAL_ID,
credential_public_key=credential_public_key,
)
signature = generate_signature(private_key, verification_data)
invalid_att_stmt = AndroidKeyAttestationStatement(
alg=COSEAlgorithmIdentifier.Name.ES256, sig=b'', x5c=[])
att_obj = AttestationObject(
auth_data=AuthenticatorData(
rp_id_hash=TEST_RP_ID_HASH,
flags=0,
sign_count=0,
attested_credential_data=attested_credential_data,
extensions=None),
fmt=AttestationStatementFormatIdentifier.FIDO_U2F,
att_stmt=invalid_att_stmt)
with pytest.raises(AttestationError):
attest(invalid_att_stmt, att_obj, auth_data, client_data_hash)
der_certificate = certificate.public_bytes(Encoding.DER)
valid_att_stmt = AndroidKeyAttestationStatement(
alg=COSEAlgorithmIdentifier.Name.ES256,
sig=signature,
x5c=[der_certificate])
att_obj.att_stmt = valid_att_stmt
assert attest(valid_att_stmt, att_obj, auth_data,
client_data_hash) == (AttestationType.BASIC, [certificate])
unverified_att_stmt = AndroidKeyAttestationStatement(
alg=COSEAlgorithmIdentifier.Name.ES256,
sig=b'bad-signature',
x5c=[der_certificate])
att_obj.att_stmt = unverified_att_stmt
with pytest.raises(AttestationError):
attest(unverified_att_stmt, att_obj, auth_data, client_data_hash)
invalid_pk = rsa.generate_private_key(65537, 4096, default_backend())
invalid_pubk = invalid_pk.public_key()
invalid_certificate = generate_x509_certificate(invalid_pubk, invalid_pk,
hashes.SHA256())
invalid_signature = invalid_pk.sign(verification_data, PKCS1v15(),
hashes.SHA256())
invalid_der_certificate = invalid_certificate.public_bytes(Encoding.DER)
invalid_att_stmt = AndroidKeyAttestationStatement(
alg=COSEAlgorithmIdentifier.Name.ES256,
sig=invalid_signature,
x5c=[invalid_der_certificate])
att_obj.att_stmt = invalid_att_stmt
with pytest.raises(AttestationError):
attest(invalid_att_stmt, att_obj, auth_data, client_data_hash)
att_obj.att_stmt = valid_att_stmt
while True:
random_pk = generate_private_key(SECP256R1(), default_backend())
random_public_numbers = random_pk.private_numbers().public_numbers
rx = random_public_numbers.x.to_bytes(P_256_COORDINATE_BYTE_LENGTH,
'big')
ry = random_public_numbers.y.to_bytes(P_256_COORDINATE_BYTE_LENGTH,
'big')
if rx != x or ry != y:
break
att_obj.auth_data.attested_credential_data.credential_public_key = (
EC2CredentialPublicKey(
x=rx,
y=ry,
kty=COSEKeyType.Name.EC2,
crv=EC2Curve.Name.P_256,
))
with pytest.raises(AttestationError):
attest(valid_att_stmt, att_obj, auth_data, client_data_hash)
invalid_certificate, invalid_pk, invalid_pubk = generate_elliptic_curve_x509_certificate(
SECP256R1())
invalid_public_numbers = invalid_pk.private_numbers().public_numbers
x = invalid_public_numbers.x.to_bytes(P_256_COORDINATE_BYTE_LENGTH, 'big')
y = invalid_public_numbers.y.to_bytes(P_256_COORDINATE_BYTE_LENGTH, 'big')
att_obj.auth_data.attested_credential_data.credential_public_key = (
EC2CredentialPublicKey(
x=x,
y=y,
kty=COSEKeyType.Name.EC2,
crv=EC2Curve.Name.P_256,
))
invalid_signature = generate_signature(invalid_pk, verification_data)
invalid_der_certificate = invalid_certificate.public_bytes(Encoding.DER)
invalid_att_stmt = AndroidKeyAttestationStatement(
alg=COSEAlgorithmIdentifier.Name.ES256,
sig=invalid_signature,
x5c=[invalid_der_certificate])
with pytest.raises(AttestationError):
attest(invalid_att_stmt, att_obj, auth_data, client_data_hash)
invalid_certificate, invalid_pk, invalid_pubk = generate_elliptic_curve_x509_certificate_android_raw(
SECP256R1(), b'invalid')
invalid_public_numbers = invalid_pk.private_numbers().public_numbers
x = invalid_public_numbers.x.to_bytes(P_256_COORDINATE_BYTE_LENGTH, 'big')
y = invalid_public_numbers.y.to_bytes(P_256_COORDINATE_BYTE_LENGTH, 'big')
att_obj.auth_data.attested_credential_data.credential_public_key = (
EC2CredentialPublicKey(
x=x,
y=y,
kty=COSEKeyType.Name.EC2,
crv=EC2Curve.Name.P_256,
))
invalid_signature = generate_signature(invalid_pk, verification_data)
invalid_der_certificate = invalid_certificate.public_bytes(Encoding.DER)
invalid_att_stmt = AndroidKeyAttestationStatement(
alg=COSEAlgorithmIdentifier.Name.ES256,
sig=invalid_signature,
x5c=[invalid_der_certificate])
with pytest.raises(AttestationError):
attest(invalid_att_stmt, att_obj, auth_data, client_data_hash)
okp_pk = Ed25519PrivateKey.generate()
okp_pubk = okp_pk.public_key()
okp_certificate = generate_x509_certificate(
okp_pubk, okp_pk, None, generate_android_extensions(client_data_hash))
x = okp_pubk.public_bytes(Encoding.Raw, PublicFormat.Raw)
att_obj.auth_data.attested_credential_data.credential_public_key = (
OKPCredentialPublicKey(
x=x,
kty=COSEKeyType.Name.OKP,
crv=OKPCurve.Name.ED25519,
))
okp_signature = okp_pk.sign(verification_data)
okp_der_certificate = okp_certificate.public_bytes(Encoding.DER)
okp_att_stmt = AndroidKeyAttestationStatement(
alg=COSEAlgorithmIdentifier.Name.ES256,
sig=okp_signature,
x5c=[okp_der_certificate])
assert attest(okp_att_stmt, att_obj, auth_data,
client_data_hash) == (AttestationType.BASIC,
[okp_certificate])
okp_pk = Ed448PrivateKey.generate()
okp_pubk = okp_pk.public_key()
okp_certificate = generate_x509_certificate(
okp_pubk, okp_pk, None, generate_android_extensions(client_data_hash))
x = okp_pubk.public_bytes(Encoding.Raw, PublicFormat.Raw)
att_obj.auth_data.attested_credential_data.credential_public_key = (
OKPCredentialPublicKey(
x=x,
kty=COSEKeyType.Name.OKP,
crv=OKPCurve.Name.ED448,
))
okp_signature = okp_pk.sign(verification_data)
okp_der_certificate = okp_certificate.public_bytes(Encoding.DER)
okp_att_stmt = AndroidKeyAttestationStatement(
alg=COSEAlgorithmIdentifier.Name.ES256,
sig=okp_signature,
x5c=[okp_der_certificate])
assert attest(okp_att_stmt, att_obj, auth_data,
client_data_hash) == (AttestationType.BASIC,
[okp_certificate])
def data():
mensaje= b"89392679556575597635196565386081702718512260749406173579320076828061414488077821523722981888265393212848183094"
#X25519 bench
start_time= time()
private_key = X25519PrivateKey.generate()
peer_public_key = X25519PrivateKey.generate().public_key()
k255=time()-start_time
#print("Generación llave X25519 en: " + str(k255) + " sec con tamaño: "+ str(sys.getsizeof(private_key))+" bytes")
private_key=0
#25519 sign
start_time= time()
private_key = Ed25519PrivateKey.generate()
signature = private_key.sign(mensaje)
s255=time()-start_time
#print("Generación firma X25519 en: " + str(s255) + " sec")
start_time= time()
public_key = private_key.public_key()
public_key.verify(signature, mensaje)
ver255=time()-start_time
#print("Verificación firma X25519 en: " + str(ver255) + " sec")
private_key=0
#448 Key Exchange
start_time=time()
private_key = X448PrivateKey.generate()
peer_public_key = X448PrivateKey.generate().public_key()
k448=time()-start_time
#print("Generación 448 llave en: " + str(k448) + " sec con tamaño: "+ str(sys.getsizeof(private_key))+" bytes")
private_key=0
#448 sign
private_key = Ed448PrivateKey.generate()
start_time= time()
signature = private_key.sign(mensaje)
s448=time()-start_time
#print("Generación 448 firma en: " + str(s448) + " sec")
start_time=time()
public_key = private_key.public_key()
public_key.verify(signature, mensaje)
ver448=time()-start_time
#print("Verificación 448 firma en: " + str(ver448) + " sec")
private_key=0
#RSA GENERATION
start_time=time()
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
)
krsa=time()-start_time
#print("Generación RSA llave en: " + str(krsa) + " sec con tamaño: "+ str(sys.getsizeof(private_key))+" bytes")
#RSA SINGING
start_time=time()
signature = private_key.sign(
mensaje,
padding.PSS(
mgf=padding.MGF1(hashes.SHA256()),
salt_length=padding.PSS.MAX_LENGTH
),
hashes.SHA256()
)
srsa=time()-start_time
#print("Generación RSA firma en: " + str(srsa) + " sec")
private_key=0
#DSA SINGING
start_time=time()
private_key = dsa.generate_private_key(
key_size=1024,
)
kdsa=time()-start_time
#print("Generación DSA llave en: " + str(kdsa) + " sec con tamaño: "+ str(sys.getsizeof(private_key))+" bytes")
start_time =time()
signature = private_key.sign(
mensaje,
hashes.SHA256()
)
sdsa=time()-start_time
#print("Generación DSA firma en: " + str(sdsa) + " sec")
return [k255,s255,ver255,k448,s448,ver448,krsa,srsa,kdsa,sdsa]
def test_round_trip_private_serialization(self, encoding, fmt, encryption,
passwd, load_func, backend):
key = Ed448PrivateKey.generate()
serialized = key.private_bytes(encoding, fmt, encryption)
loaded_key = load_func(serialized, passwd, backend)
assert isinstance(loaded_key, Ed448PrivateKey)
