def test_x448_unsupported(backend):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM):
X448PublicKey.from_public_bytes(b"0" * 56)
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM):
X448PrivateKey.from_private_bytes(b"0" * 56)
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM):
X448PrivateKey.generate()
def test_x448_with_the_official_test_vectors(self) -> None:
sk_alice_ = X448PrivateKey.from_private_bytes(TestX448.sk_alice)
sk_bob_ = X448PrivateKey.from_private_bytes(TestX448.sk_bob)
self.assertEqual(X448.derive_public_key(sk_alice_), TestX448.pk_alice)
self.assertEqual(X448.derive_public_key(sk_bob_), TestX448.pk_bob)
shared_secret1 = X448.shared_key(sk_alice_, TestX448.pk_bob)
shared_secret2 = X448.shared_key(sk_bob_, TestX448.pk_alice)
self.assertEqual(shared_secret1, blake2b(TestX448.shared_secret))
self.assertEqual(shared_secret2, blake2b(TestX448.shared_secret))
def shared_secret(private_key: 'CK', public_key: 'CK') -> bytes:
""" Compute the shared secret. """
if public_key.crv == X25519:
d = X25519PrivateKey.from_private_bytes(private_key.d)
x = X25519PublicKey.from_public_bytes(public_key.x)
secret = d.exchange(x)
elif public_key.crv == X448:
d = X448PrivateKey.from_private_bytes(private_key.d)
x = X448PublicKey.from_public_bytes(public_key.x)
secret = d.exchange(x)
elif public_key.crv == P256:
d = ec.derive_private_key(int(hexlify(private_key.d), 16),
SECP256R1(), default_backend())
x = ec.EllipticCurvePublicNumbers(int(hexlify(public_key.x), 16),
int(hexlify(public_key.y), 16),
SECP256R1())
x = x.public_key()
secret = d.exchange(ec.ECDH(), x)
else:
raise CoseIllegalCurve(f"{public_key.crv} is unsupported")
return secret
def deserialize(cls, serialized_dh):
if not isinstance(serialized_dh, dict):
raise TypeError("serialized_dh must be of type: dict")
private_key = X448PrivateKey.from_private_bytes(
bytes.fromhex(serialized_dh["private_key"]))
return cls(private_key)
def test_x448(backend, wycheproof):
assert set(wycheproof.testgroup.items()) == {
("curve", "curve448"),
("type", "XdhComp"),
}
private_key = X448PrivateKey.from_private_bytes(
binascii.unhexlify(wycheproof.testcase["private"]))
public_key_bytes = binascii.unhexlify(wycheproof.testcase["public"])
if len(public_key_bytes) == 57:
assert wycheproof.acceptable
assert wycheproof.has_flag("NonCanonicalPublic")
with pytest.raises(ValueError):
X448PublicKey.from_public_bytes(public_key_bytes)
return
public_key = X448PublicKey.from_public_bytes(public_key_bytes)
assert wycheproof.valid or wycheproof.acceptable
expected = binascii.unhexlify(wycheproof.testcase["shared"])
if expected == b"\x00" * 56:
assert wycheproof.acceptable
# OpenSSL returns an error on all zeros shared key
with pytest.raises(ValueError):
private_key.exchange(public_key)
else:
assert private_key.exchange(public_key) == expected
def get_shared_secret(client_private_key, server_public_key,
cryptographic_group):
# x25519 (x00 x1d)
if cryptographic_group == b"\x00\x1d":
private_key = X25519PrivateKey.from_private_bytes(
client_private_key)
public_key = X25519PublicKey.from_public_bytes(server_public_key)
return private_key.exchange(public_key)
# x448 (x00 x1e)
elif cryptographic_group == b"\x00\x1e":
private_key = X448PrivateKey.from_private_bytes(client_private_key)
public_key = X448PublicKey.from_public_bytes(server_public_key)
return private_key.exchange(public_key)
# secp256r1 (x00 x17)
elif cryptographic_group == b"\x00\x17":
return Crypto_Helper.get_shared_secret_secpr1(
client_private_key, server_public_key, SECP256R1)
# secp384r1 (x00 x18)
elif cryptographic_group == b"\x00\x18":
return Crypto_Helper.get_shared_secret_secpr1(
client_private_key, server_public_key, SECP384R1)
# secp521r1 (x00 x19)
elif cryptographic_group == b"\x00\x19":
return Crypto_Helper.get_shared_secret_secpr1(
client_private_key, server_public_key, SECP521R1)
def test_rfc7748(self, vector, backend):
private = binascii.unhexlify(vector["input_scalar"])
public = binascii.unhexlify(vector["input_u"])
shared_key = binascii.unhexlify(vector["output_u"])
private_key = X448PrivateKey.from_private_bytes(private)
public_key = X448PublicKey.from_public_bytes(public)
computed_shared_key = private_key.exchange(public_key)
assert computed_shared_key == shared_key
def test_rfc7748(self, vector, backend):
private = binascii.unhexlify(vector["input_scalar"])
public = binascii.unhexlify(vector["input_u"])
shared_key = binascii.unhexlify(vector["output_u"])
private_key = X448PrivateKey.from_private_bytes(private)
public_key = X448PublicKey.from_public_bytes(public)
computed_shared_key = private_key.exchange(public_key)
assert computed_shared_key == shared_key
def test_rfc7748_1000_iteration(self, backend):
old_private = private = public = binascii.unhexlify(
b"05000000000000000000000000000000000000000000000000000000"
b"00000000000000000000000000000000000000000000000000000000")
shared_key = binascii.unhexlify(
b"aa3b4749d55b9daf1e5b00288826c467274ce3ebbdd5c17b975e09d4"
b"af6c67cf10d087202db88286e2b79fceea3ec353ef54faa26e219f38")
private_key = X448PrivateKey.from_private_bytes(private)
public_key = X448PublicKey.from_public_bytes(public)
for _ in range(1000):
computed_shared_key = private_key.exchange(public_key)
private_key = X448PrivateKey.from_private_bytes(
computed_shared_key)
public_key = X448PublicKey.from_public_bytes(old_private)
old_private = computed_shared_key
assert computed_shared_key == shared_key
def test_buffer_protocol(self, backend):
private_bytes = binascii.unhexlify(
b"9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d"
b"d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b")
key = X448PrivateKey.from_private_bytes(bytearray(private_bytes))
assert key.private_bytes(serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
serialization.NoEncryption()) == private_bytes
def test_buffer_protocol(self, backend):
private_bytes = binascii.unhexlify(
b"9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d"
b"d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b"
)
key = X448PrivateKey.from_private_bytes(bytearray(private_bytes))
assert key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
serialization.NoEncryption()
) == private_bytes
def test_rfc7748_1000_iteration(self, backend):
old_private = private = public = binascii.unhexlify(
b"05000000000000000000000000000000000000000000000000000000"
b"00000000000000000000000000000000000000000000000000000000"
)
shared_key = binascii.unhexlify(
b"aa3b4749d55b9daf1e5b00288826c467274ce3ebbdd5c17b975e09d4"
b"af6c67cf10d087202db88286e2b79fceea3ec353ef54faa26e219f38"
)
private_key = X448PrivateKey.from_private_bytes(private)
public_key = X448PublicKey.from_public_bytes(public)
for _ in range(1000):
computed_shared_key = private_key.exchange(public_key)
private_key = X448PrivateKey.from_private_bytes(
computed_shared_key
)
public_key = X448PublicKey.from_public_bytes(old_private)
old_private = computed_shared_key
assert computed_shared_key == shared_key
def test_pub_priv_bytes_raw(self, private_bytes, public_bytes, backend):
private_key = X448PrivateKey.from_private_bytes(private_bytes)
assert private_key.private_bytes(
serialization.Encoding.Raw, serialization.PrivateFormat.Raw,
serialization.NoEncryption()) == private_bytes
assert private_key.public_key().public_bytes(
serialization.Encoding.Raw,
serialization.PublicFormat.Raw) == public_bytes
public_key = X448PublicKey.from_public_bytes(public_bytes)
assert public_key.public_bytes(
serialization.Encoding.Raw,
serialization.PublicFormat.Raw) == public_bytes
def test_pub_priv_bytes_raw(self, private_bytes, public_bytes, backend):
private_key = X448PrivateKey.from_private_bytes(private_bytes)
assert private_key.private_bytes(
serialization.Encoding.Raw,
serialization.PrivateFormat.Raw,
serialization.NoEncryption()
) == private_bytes
assert private_key.public_key().public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
) == public_bytes
public_key = X448PublicKey.from_public_bytes(public_bytes)
assert public_key.public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
) == public_bytes
def shared_secret(private_key: Key, public_key: Key) -> bytes:
""" Compute the shared secret. """
if public_key.crv == CoseEllipticCurves.X25519:
d = X25519PrivateKey.from_private_bytes(private_key.d)
x = X25519PublicKey.from_public_bytes(public_key.x)
elif public_key.crv == CoseEllipticCurves.X448:
d = X448PrivateKey.from_private_bytes(private_key.d)
x = X448PublicKey.from_public_bytes(public_key.x)
elif public_key.crv == CoseEllipticCurves.P_256:
d = ec.derive_private_key(int(hexlify(private_key.d), 16),
config_cose(public_key.crv).curve[1](),
default_backend())
x = ec.EllipticCurvePublicNumbers(
int(hexlify(public_key.x), 16), int(hexlify(public_key.y), 16),
config_cose(public_key.crv).curve[1]())
else:
raise CoseIllegalCurve(f"{public_key.crv} is unsupported")
secret = d.exchange(x)
return secret
def test_invalid_length_from_private_bytes(self, backend):
with pytest.raises(ValueError):
X448PrivateKey.from_private_bytes(b"a" * 55)
with pytest.raises(ValueError):
X448PrivateKey.from_private_bytes(b"a" * 57)
def test_invalid_length_from_private_bytes(self, backend):
with pytest.raises(ValueError):
X448PrivateKey.from_private_bytes(b"a" * 55)
with pytest.raises(ValueError):
X448PrivateKey.from_private_bytes(b"a" * 57)
def __init__(self, params: Dict[int, Any]):
super().__init__(params)
self._public_key: Any = None
self._private_key: Any = None
self._hash_alg: Any = None
self._x = None
self._d = None
# Validate kty.
if params[1] != 1:
raise ValueError("kty(1) should be OKP(1).")
# Validate crv.
if -1 not in params:
raise ValueError("crv(-1) not found.")
self._crv = params[-1]
if not isinstance(self._crv, int):
raise ValueError("crv(-1) should be int.")
if self._crv not in [4, 5, 6, 7]:
raise ValueError(
f"Unsupported or unknown crv(-1) for OKP: {self._crv}.")
if self._crv in [4, 5]:
if not self._alg:
raise ValueError("X25519/X448 needs alg explicitly.")
if self._alg in [-25, -27]:
self._hash_alg = hashes.SHA256
elif self._alg in [-26, -28]:
self._hash_alg = hashes.SHA512
else:
raise ValueError(
f"Unsupported or unknown alg used with X25519/X448: {self._alg}."
)
# Validate alg and key_ops.
if self._key_ops:
if set(self._key_ops) & set([3, 4, 5, 6, 9, 10]):
raise ValueError(
"Unknown or not permissible key_ops(4) for OKP.")
else:
if self._crv in [4, 5]:
self._key_ops = [7, 8] if -4 in params else []
else: # self._crv in [6, 7]
self._key_ops = [1, 2] if -4 in params else [2]
if self._alg:
if self._alg in COSE_ALGORITHMS_SIG_OKP.values():
if -4 in params:
# private key for signing.
if not (set(self._key_ops) & set([1, 2])):
raise ValueError("Invalid key_ops for signing key.")
if set(self._key_ops) & set([7, 8]):
raise ValueError(
"Signing key should not be used for key derivation."
)
else:
# public key for signing.
if 2 not in self._key_ops or len(self._key_ops) != 1:
raise ValueError("Invalid key_ops for public key.")
elif self._alg in COSE_ALGORITHMS_CKDM_KEY_AGREEMENT.values():
if -4 in params:
# private key for key derivation.
if not (set(self._key_ops) & set([7, 8])):
raise ValueError("Invalid key_ops for key derivation.")
if set(self._key_ops) & set([1, 2]):
raise ValueError(
"Private key for ECDHE should not be used for signing."
)
else:
# public key for key derivation.
if self._key_ops:
raise ValueError(
"Public key for ECDHE should not have key_ops.")
else:
raise ValueError(
f"Unsupported or unknown alg(3) for OKP: {self._alg}.")
else:
if -4 in params:
# private key.
if set(self._key_ops) & set([1, 2]):
# private key for signing.
if set(self._key_ops) & set([7, 8]):
raise ValueError(
"OKP private key should not be used for both signing and key derivation."
)
self._alg = -8 # EdDSA
else:
# public key.
if 2 in self._key_ops:
if len(self._key_ops) > 1:
raise ValueError("Invalid key_ops for public key.")
else:
raise ValueError("Invalid key_ops for public key.")
if self._alg in COSE_ALGORITHMS_CKDM_KEY_AGREEMENT_ES.values():
if -2 not in params:
return
# Validate x.
if -2 not in params:
raise ValueError("x(-2) not found.")
if not isinstance(params[-2], bytes):
raise ValueError("x(-2) should be bytes(bstr).")
self._x = params[-2]
try:
if -4 not in params:
if self._crv == 4: # X25519
self._public_key = X25519PublicKey.from_public_bytes(
self._x)
elif self._crv == 5: # X448
self._public_key = X448PublicKey.from_public_bytes(self._x)
elif self._crv == 6: # Ed25519
self._public_key = Ed25519PublicKey.from_public_bytes(
self._x)
else: # self._crv == 7 (Ed448)
self._public_key = Ed448PublicKey.from_public_bytes(
self._x)
self._key = self._public_key
return
except ValueError as err:
raise ValueError("Invalid key parameter.") from err
if not isinstance(params[-4], bytes):
raise ValueError("d(-4) should be bytes(bstr).")
try:
self._d = params[-4]
if self._crv == 4: # X25519
self._private_key = X25519PrivateKey.from_private_bytes(
self._d)
elif self._crv == 5: # X448
self._private_key = X448PrivateKey.from_private_bytes(self._d)
elif self._crv == 6: # Ed25519
self._private_key = Ed25519PrivateKey.from_private_bytes(
self._d)
else: # self._crv == 7 (Ed448)
self._private_key = Ed448PrivateKey.from_private_bytes(self._d)
self._key = self._private_key
except ValueError as err:
raise ValueError("Invalid key parameter.") from err
return
