def encrypt(pubkey, password): """Encrypt password using given RSA public key and encode it with base64. The encrypted password can only be decrypted by someone with the private key (in this case, only Travis). """ key = load_key(pubkey) encrypted_password = key.encrypt(password, PKCS1v15()) return base64.b64encode(encrypted_password)
def _validate_signature(self, message): pubkey = self._get_pubkey(message["SigningCertURL"]) signature = self._get_signature(message) data = self._get_data_to_sign(message) try: pubkey.verify(signature, data, PKCS1v15(), SHA1()) except _InvalidSignature: raise InvalidMessage("Invalid Signature") from None
def validateSign(signature, data, pub_key): try: pub_key.verify(signature, data, PKCS1v15(), hashes.SHA1()) print("Verification Succeeded") return True except ValueError as ve: print(ve) print("Verification failed") return False
def mac(self, data): rsamac = self.signer( data, # PSS( # mgf=MGF1(hashes.SHA256()), # salt_length=PSS.MAX_LENGTH # ), PKCS1v15(), hashes.SHA256()) return rsamac
def test_init(self, one_key_of_many): key_pem, key_serialized = one_key_of_many if isinstance(key_pem, Path): private_key_pem_file = key_pem private_key_pem = None else: private_key_pem_file = None private_key_pem = key_pem login = "******" expiration_time = 20 read_only = True global_key = True label = f"{__project__} {__version__}" authentication_url = "http etc" connection_timeout = 30 token = AccessToken( login=login, private_key=private_key_pem, private_key_file=private_key_pem_file, expiration_time=expiration_time, read_only=read_only, global_key=global_key, label=label, authentication_url=authentication_url, connection_timeout=connection_timeout, ) assert token.login == login assert token.time_to_live == expiration_time assert token.read_only == read_only assert token.global_key == global_key assert token.label == label assert token.authentication_url == authentication_url assert token.connection_timeout == connection_timeout payload = ( "Apparently private keys can't be compared directly when extracted (salts?)." "But they MUST create the same signature when signing the same data!" ) assert token.private_key.sign( str.encode(payload), PKCS1v15(), SHA512() ) == key_serialized.sign(str.encode(payload), PKCS1v15(), SHA512())
def rsa_verify(timestamp, nonce, body, signature, certificate): sign_str = '%s\n%s\n%s\n' % (timestamp, nonce, body) public_key = certificate.public_key() message = sign_str.encode('UTF-8') signature = b64decode(signature) try: public_key.verify(signature, message, PKCS1v15(), SHA256()) except InvalidSignature: return False return True
def asymmetric_wrap(self, data, wrapping_cert, mechanism=None): """ :param data Data to be wrapped :param wrapping_cert Public key to wrap data :param mechanism algorithm of symmetric key to be wrapped Wrap (encrypt) data using the supplied asymmetric key """ public_key = wrapping_cert.public_key() return public_key.encrypt(data, PKCS1v15())
def sign(self, msg: bytes, algorithm=hashes.SHA256(), padding_=PKCS1v15()): """Signing with private key - pkcs1 encode and decrypt p = PinkSign(pubkey_path="/path/signCert.der", prikey_path="/path/signPri.key", prikey_password="******") s = p.sign(b'my message') # '\x00\x01\x02...' """ if self.prikey is None: raise ValueError("Private key is required for signing.") return self.prikey.sign(data=msg, padding=padding_, algorithm=algorithm)
def verify(self, data, sig): """Verify the signature on a block of data""" verifier = self._pub_key.verifier(sig, PKCS1v15(), SHA1()) verifier.update(data) try: verifier.verify() return True except InvalidSignature: return False
def _run_login_encryption(self): # Set up protocol encryption with the client, then return. server_token = b'\x89\x82\x9a\x01' # Guaranteed to be random. self.write_packet( clientbound.login.EncryptionRequestPacket( server_id='', verify_token=server_token, public_key=self.server.public_key_bytes)) packet = self.read_packet() assert isinstance(packet, serverbound.login.EncryptionResponsePacket) private_key = self.server.private_key client_token = private_key.decrypt(packet.verify_token, PKCS1v15()) assert client_token == server_token shared_secret = private_key.decrypt(packet.shared_secret, PKCS1v15()) cipher = create_AES_cipher(shared_secret) enc, dec = cipher.encryptor(), cipher.decryptor() self.socket = EncryptedSocketWrapper(self.socket, enc, dec) self.socket_file = EncryptedFileObjectWrapper(self.socket_file, dec)
def generar_firma(self, texto, algo="sha1"): sha_algo = SHA1 if algo == 'sha256': sha_algo = SHA256 if type(texto) is not bytes: texto = texto.encode() signature = self.key.sign(texto, padding=PKCS1v15(), algorithm=sha_algo()) text = base64.b64encode(signature).decode() return text
def _verify_signature_with_pubkey(self, signed_info_c14n, raw_signature, key_value, signature_alg): if "ecdsa-" in signature_alg: ec_key_value = self._find(key_value, "ECKeyValue", namespace="dsig11") named_curve = self._find(ec_key_value, "NamedCurve", namespace="dsig11") public_key = self._find(ec_key_value, "PublicKey", namespace="dsig11") key_data = b64decode(public_key.text)[1:] x = bytes_to_long(key_data[:len(key_data) // 2]) y = bytes_to_long(key_data[len(key_data) // 2:]) curve_class = self.known_ecdsa_curves[named_curve.get("URI")] key = ec.EllipticCurvePublicNumbers( x=x, y=y, curve=curve_class()).public_key(backend=default_backend()) verifier = key.verifier( raw_signature, ec.ECDSA(self._get_signature_digest_method(signature_alg))) elif "dsa-" in signature_alg: dsa_key_value = self._find(key_value, "DSAKeyValue") p = self._get_long(dsa_key_value, "P") q = self._get_long(dsa_key_value, "Q") g = self._get_long(dsa_key_value, "G", require=False) y = self._get_long(dsa_key_value, "Y") pn = dsa.DSAPublicNumbers( y=y, parameter_numbers=dsa.DSAParameterNumbers(p=p, q=q, g=g)) key = pn.public_key(backend=default_backend()) sig_as_der_seq = der_encoder.encode( DERSequenceOfIntegers([ bytes_to_long(raw_signature[:len(raw_signature) // 2]), bytes_to_long(raw_signature[len(raw_signature) // 2:]) ])) verifier = key.verifier( sig_as_der_seq, self._get_signature_digest_method(signature_alg)) elif "rsa-" in signature_alg: rsa_key_value = self._find(key_value, "RSAKeyValue") modulus = self._get_long(rsa_key_value, "Modulus") exponent = self._get_long(rsa_key_value, "Exponent") key = rsa.RSAPublicNumbers( e=exponent, n=modulus).public_key(backend=default_backend()) verifier = key.verifier( raw_signature, padding=PKCS1v15(), algorithm=self._get_signature_digest_method(signature_alg)) else: raise NotImplementedError() verifier.update(signed_info_c14n) verifier.verify()
def sign_data(self, data, private_key=None, padding=PKCS1v15(), hash_algorithm=SHA256()): if private_key is None: private_key = self.private_key return private_key.sign(data=data.encode(CHARACTER_ENCODING), padding=padding, algorithm=hash_algorithm)
def test_load_response(self): resp = _load_data( os.path.join("x509", "ocsp", "resp-sha256.der"), ocsp.load_der_ocsp_response, ) from cryptography.hazmat.backends.openssl.backend import backend issuer = _load_cert( os.path.join("x509", "letsencryptx3.pem"), x509.load_pem_x509_certificate, backend ) assert resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL assert (resp.signature_algorithm_oid == x509.SignatureAlgorithmOID.RSA_WITH_SHA256) assert isinstance(resp.signature_hash_algorithm, hashes.SHA256) assert resp.signature == base64.b64decode( b"I9KUlyLV/2LbNCVu1BQphxdNlU/jBzXsPYVscPjW5E93pCrSO84GkIWoOJtqsnt" b"78DLcQPnF3W24NXGzSGKlSWfXIsyoXCxnBm0mIbD5ZMnKyXEnqSR33Z9He/A+ML" b"A8gbrDUipGNPosesenkKUnOtFIzEGv29hV5E6AMP2ORPVsVlTAZegPJFbbVIWc0" b"rZGFCXKxijDxtUtgWzBhpBAI50JbPHi+IVuaOe4aDJLYgZ0BIBNa6bDI+rScyoy" b"5U0DToV7SZn6CoJ3U19X7BHdYn6TLX0xi43eXuzBGzdHnSzmsc7r/DvkAKJm3vb" b"dVECXqe/gFlXJUBcZ25jhs70MUA==" ) assert resp.tbs_response_bytes == base64.b64decode( b"MIHWoUwwSjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzA" b"hBgNVBAMTGkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzGA8yMDE4MDgzMDExMT" b"UwMFowdTBzMEswCQYFKw4DAhoFAAQUfuZq53Kas/z4oiBkbBahLWBxCF0EFKhKa" b"mMEfd265tE5t6ZFZe/zqOyhAhIDHHh6fckClQB7xfIiCztSevCAABgPMjAxODA4" b"MzAxMTAwMDBaoBEYDzIwMTgwOTA2MTEwMDAwWg==" ) issuer.public_key().verify( resp.signature, resp.tbs_response_bytes, PKCS1v15(), resp.signature_hash_algorithm ) assert resp.certificates == [] assert resp.responder_key_hash is None assert resp.responder_name == issuer.subject assert resp.produced_at == datetime.datetime(2018, 8, 30, 11, 15) assert resp.certificate_status == ocsp.OCSPCertStatus.GOOD assert resp.revocation_time is None assert resp.revocation_reason is None assert resp.this_update == datetime.datetime(2018, 8, 30, 11, 0) assert resp.next_update == datetime.datetime(2018, 9, 6, 11, 0) assert resp.issuer_key_hash == ( b'\xa8Jjc\x04}\xdd\xba\xe6\xd19\xb7\xa6Ee\xef\xf3\xa8\xec\xa1' ) assert resp.issuer_name_hash == ( b'~\xe6j\xe7r\x9a\xb3\xfc\xf8\xa2 dl\x16\xa1-`q\x08]' ) assert isinstance(resp.hash_algorithm, hashes.SHA1) assert resp.serial_number == 271024907440004808294641238224534273948400 assert len(resp.extensions) == 0
def sign_raw(self, data: bytes, digest_algorithm: str, dry_run=False) -> bytes: from cryptography.hazmat.primitives import serialization priv_key = serialization.load_der_private_key( self.signing_key.dump(), password=None ) from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 padding = PKCS1v15() hash_algo = get_pyca_cryptography_hash(digest_algorithm) return priv_key.sign(data, padding, hash_algo)
def check_certificate_against_public_key( cert: Certificate, public_key: RSAPublicKey, ) -> None: # Check if the signature of the certificate matches the public key public_key.verify( cert.signature, cert.tbs_certificate_bytes, PKCS1v15(), SHA256(), )
def generate_presigned_cookies(self, path, expires_at=None): # https://gist.github.com/mjohnsullivan/31064b04707923f82484c54981e4749e expires_at = expires_at or pendulum.now('utc') + self.lifetime url = self.generate_unsigned_url(path) policy = self.generate_cookie_policy(url, expires_at) signature = self.get_private_key().sign(policy, PKCS1v15(), SHA1()) return { 'ExpiresAt': expires_at.to_iso8601_string(), 'CloudFront-Policy': self._encode(policy), 'CloudFront-Signature': self._encode(signature), 'CloudFront-Key-Pair-Id': self.get_key_pair()['keyId'], }
def encryptInitiatorPassword(): PASS = "******" cert_file_path = os.path.join(os.path.dirname(__file__), CERTIFICATE_FILE) cert_file = open(cert_file_path, 'rb') cert_data = cert_file.read() cert_file.close() cert = x509.load_pem_x509_certificate(cert_data, default_backend()) PASS = str.encode(PASS) # If you are using python 3 pub_key = cert.public_key() cipher = pub_key.encrypt(PASS, padding=PKCS1v15()) return b64encode(cipher)
def sign(self, payload): if sign_rsa_pss: signature = self.key.sign(data=bytes(payload), padding=PSS(mgf=MGF1(SHA256()), salt_length=32), algorithm=SHA256()) else: signature = self.key.sign(data=bytes(payload), padding=PKCS1v15(), algorithm=SHA256()) assert len(signature) == self.sig_len() return signature
def validate_certificate(self, debug=False): certificate = self.client_certificate ca_public_key = None ca_cert = None with open(path("TC_CA.cert.pem"), "rb") as cert_file: ca_cert = load_pem_x509_certificate(cert_file.read()) ca_public_key = ca_cert.public_key() if ca_cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)[0].value != \ certificate.issuer.get_attributes_for_oid(NameOID.COUNTRY_NAME)[0].value: debug and print("Mismatched field: %s" % NameOID.COUNTRY_NAME) return False if ca_cert.subject.get_attributes_for_oid(NameOID.STATE_OR_PROVINCE_NAME)[0].value != \ certificate.issuer.get_attributes_for_oid(NameOID.STATE_OR_PROVINCE_NAME)[0].value: debug and print( "Mismatched field: %s" % NameOID.STATE_OR_PROVINCE_NAME) return False if ca_cert.subject.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value != \ certificate.issuer.get_attributes_for_oid(NameOID.LOCALITY_NAME)[0].value: debug and print("Mismatched field: %s" % NameOID.LOCALITY_NAME) return False if ca_cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value != \ certificate.issuer.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value: debug and print("Mismatched field: %s" % NameOID.ORGANIZATION_NAME) return False if ca_cert.subject.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)[0].value != \ certificate.issuer.get_attributes_for_oid(NameOID.ORGANIZATIONAL_UNIT_NAME)[0].value: debug and print( "Mismatched field: %s" % NameOID.ORGANIZATIONAL_UNIT_NAME) return False if ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value != \ certificate.issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value: debug and print("Mismatched field: %s" % NameOID.COMMON_NAME) return False if certificate.subject.get_attributes_for_oid( NameOID.COMMON_NAME)[0].value != "TC Client": debug and print( "Wrong field (server cert): %s" % NameOID.COMMON_NAME) return False ca_public_key.verify(certificate.signature, certificate.tbs_certificate_bytes, PKCS1v15(), certificate.signature_hash_algorithm) return True
def __init__( self, signature_cert_chain_url_key=SIGNATURE_CERT_CHAIN_URL_HEADER, signature_key=SIGNATURE_HEADER, padding=PKCS1v15(), hash_algorithm=SHA256()): # type: (str, str, AsymmetricPadding, HashAlgorithm) -> None """Verifier that performs request signature verification. This is a concrete implementation of :py:class:`AbstractVerifier` class, handling the request signature verification of the input request. This verifier uses the Cryptography module x509 functions to validate the signature chain in the input request. The verification follows the mechanism explained here : https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#checking-the-signature-of-the-request The constructor takes the header key names for retrieving Signature Certificate Chain and Signature. They are defaulted to the header names present in the :py:mod:`ask_sdk_webservice_support.conf`. Additionally, one can also provide the Padding and the Hash Algorithm functions that is used to verify the input body. These are defaulted as :py:class:`cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15` and :py:class:`cryptography.hazmat.primitives.hashes.SHA256` instances respectively. A certificate cache is initialized, to store certificate chains for faster retrieval and validation in subsequent input dispatch. :param signature_cert_chain_url_key: Header key to be used, to retrieve Signature Certificate Chain URL from headers :type signature_cert_chain_url_key: str :param signature_key: Header key to be used, to retrieve Signature from headers :type signature_key: str :param padding: Asymmetric padding algorithm instance to be used to verify the hash value of the request body with the decrypted signature. Defaulted to `PKCS1v15` :type padding: cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding :param hash_algorithm: Hash algorithm instance to be used to verify the hash value of the request body with the decrypted signature. Defaulted to `SHA256` :type hash_algorithm: cryptography.hazmat.primitives.hashes.HashAlgorithm """ self._signature_cert_chain_url_key = signature_cert_chain_url_key self._signature_key = signature_key self._padding = padding self._hash_algorithm = hash_algorithm self._cert_cache = {} # type: Dict[str, bytes]
def calculate_response(challenge, user_id, password): obj = decode(challenge) out = { 1: [49], 2: obj[2], 3: obj[3], 8: [ord(c) for c in user_id], 9: [ord(c) for c in password], } encoded = encode(out) pub_key = RSAPublicNumbers(ba2num(obj[5]), ba2num(obj[4])).public_key(default_backend()) encrypted = pub_key.encrypt(ba2bytes(encoded), PKCS1v15()) return bytes2hex(encrypted)
def _get_signature_details_internal(self): setlocale(LC_ALL, 'en_US') date_str = datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT') if isinstance(self._provider, oci.auth.signers.InstancePrincipalsSecurityTokenSigner): self._provider.refresh_security_token() private_key = self._provider.private_key key_id = self._provider.api_key try: signature = private_key.sign(self._signing_content(date_str), PKCS1v15(), SHA256()) signature = b64encode(signature) except TypeError: signature = private_key.sign( self._signing_content(date_str).encode(), PKCS1v15(), SHA256()) signature = b64encode(signature).decode() sig_header = str.format(SignatureProvider.SIGNATURE_HEADER_FORMAT, SignatureProvider.SIGNING_HEADERS, key_id, 'rsa-sha256', signature, SignatureProvider.SIGNATURE_VERSION) return SignatureProvider.SignatureDetails(sig_header, date_str)
def verify(timestamp, nonce, body, signature, certificate): sign_str = '%s\n%s\n%s\n' % (timestamp, nonce, body) public_key_str = dump_public_key(certificate) public_key = load_pem_public_key(data=public_key_str.encode('UTF-8'), backend=default_backend()) message = sign_str.encode('UTF-8') signature = b64decode(signature) try: public_key.verify(signature, sign_str.encode('UTF-8'), PKCS1v15(), SHA256()) except InvalidSignature: return False return True
def _get_windows_instance_pass(self, instance_id, key_file): if not HAS_BOTO3: LOG.error("boto3 required when using Windows instances") sys.exit(1) if not HAS_CRYPTOGRAPHY: LOG.error("cryptography package required when using Windows instances") sys.exit(1) ec2_client = boto3.client("ec2") data_response = ec2_client.get_password_data(InstanceId=instance_id) decoded = b64decode(data_response["PasswordData"]) with open(key_file, "rb") as f: key = load_pem_private_key(f.read(), None, default_backend()) return key.decrypt(decoded, PKCS1v15())
def test_valid(self, sns_certificate, sns_privatekey, topics, data): response = pretend.stub(raise_for_status=lambda: None, content=sns_certificate) session = pretend.stub(get=lambda url: response) verifier = MessageVerifier(topics=topics, session=session) private_key = load_pem_private_key(sns_privatekey, password=None, backend=default_backend()) signature_bytes = private_key.sign(verifier._get_data_to_sign(data), PKCS1v15(), hashes.SHA1()) data["Signature"] = base64.b64encode(signature_bytes) verifier.verify(data)
def create_signature(self, private_key, digest_b64, algorithm=( "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")): data = b64decode(digest_b64) padding = PKCS1v15() algorithm = self._encode_string(algorithm) algorithm = algorithm.decode("utf-8") hash_algorithm = self.algorithms[algorithm][1]() signature = private_key.sign(data, padding, Prehashed(hash_algorithm)) return signature
def verifyMac(self, data, checkMac): try: self.verifier( checkMac, data, # PSS( # mgf=MGF1(hashes.SHA256()), # salt_length=PSS.MAX_LENGTH # ), PKCS1v15(), hashes.SHA256()) return True except InvalidSignature: return False
def verify(binary, signature, pubkey_data, raise_error=True): try: pubkey = serialization.load_pem_public_key(pubkey_data, backend=default_backend()) pubkey.verify(signature, binary, PKCS1v15(), SHA256()) # Raises InvalidSignature return True except InvalidSignature: if raise_error: raise else: return False
def _check_signature(self, message: Dict[str, str]): """ Checks Signature by comparing the message with the Signature :param message: Message :return: None if Signature matches, throws if Mismatch """ public_key = self._get_public_key(message) plaintext = self._get_text_to_sign(message).encode() signature = base64.b64decode(message.get('Signature')) try: public_key.verify(signature, plaintext, PKCS1v15(), SHA1()) # nosec except InvalidSignature: raise SnsSignatureFailureException("Signature mismatch")