def __init__(self, signed_se, verification_cert_raw):
verification_cert = x509.load_pem_x509_certificate(
data=verification_cert_raw,
backend=default_backend()
)
self.signed_se = signed_se
self.ski_ext = verification_cert.extensions.get_extension_for_class(
extclass=x509.SubjectKeyIdentifier
)
self.verification_cert_kid_b64 = base64url_encode(
self.ski_ext.value.digest
).decode('ascii')
self.verification_public_key_pem = verification_cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
).decode('ascii')
self.verification_cert_x5t_s256_b64 = base64url_encode(
verification_cert.fingerprint(hashes.SHA256())
).decode('ascii')
self.certificate_chain = ''
self.run()
def __init__(self, wallet, **kwargs):
self.jwk_data = wallet.jwk_data
self.jwk = jwk.construct(self.jwk_data, algorithm="RS256")
self.id = kwargs.get('id', '')
self.last_tx = wallet.get_last_transaction_id()
self.owner = self.jwk_data.get('n')
self.tags = []
self.quantity = kwargs.get('quantity', '0')
data = kwargs.get('data', '')
if type(data) is bytes:
self.data = base64url_encode(data)
else:
self.data = base64url_encode(data.encode('ascii'))
self.target = kwargs.get('target', '')
self.to = kwargs.get('to', '')
self.api_url = "https://arweave.net"
reward = kwargs.get('reward', None)
if reward != None:
self.reward = reward
else:
self.reward = self.get_reward(self.data)
self.signature = ''
self.status = None
def __init__(self, wallet, **kwargs):
self.jwk_data = wallet.jwk_data
self.jwk = jwk.construct(self.jwk_data, algorithm="RS256")
self.wallet = wallet
self.id = kwargs.get('id', '')
self.last_tx = wallet.get_last_transaction_id()
self.owner = self.jwk_data.get('n')
self.tags = []
self.format = kwargs.get('format', 2)
self.api_url = API_URL
self.chunks = None
data = kwargs.get('data', '')
self.data_size = len(data)
if type(data) is bytes:
self.data = base64url_encode(data)
else:
self.data = base64url_encode(data.encode('utf-8'))
if self.data is None:
self.data = ''
self.file_handler = kwargs.get('file_handler', None)
if self.file_handler:
self.uses_uploader = True
self.data_size = os.stat(kwargs['file_path']).st_size
else:
self.uses_uploader = False
if kwargs.get('transaction'):
self.from_serialized_transaction(kwargs.get('transaction'))
else:
self.data_root = ""
self.data_tree = []
self.target = kwargs.get('target', '')
self.to = kwargs.get('to', '')
if self.target == '' and self.to != '':
self.target = self.to
self.quantity = kwargs.get('quantity', '0')
if float(self.quantity) > 0:
if self.target == '':
raise ArweaveTransactionException(
"Unable to send {} AR without specifying a target address".format(self.quantity))
# convert to winston
self.quantity = ar_to_winston(float(self.quantity))
reward = kwargs.get('reward', None)
if reward is not None:
self.reward = reward
self.signature = ''
self.status = None
def sign(self, wallet):
data_to_sign = self.get_signature_data()
raw_signature = wallet.sign(data_to_sign)
self.signature = base64url_encode(raw_signature)
self.id = base64url_encode(hashlib.sha256(raw_signature).digest())
def create_tag(name, value, v2):
if v2:
b64name = name
b64value = value
else:
b64name = base64url_encode(name.encode('ascii')).decode()
b64value = base64url_encode(value.encode('ascii')).decode()
return {"name": b64name, "value": b64value}
def set_keys(self):
for ec_priv_key in [0, 1, 2, 3, 4]:
public_key = bytearray()
assert atcab_get_pubkey(
ec_priv_key,
public_key) == Status.ATCA_SUCCESS, 'Reading Pub key failed'
x = utils.base64url_encode(public_key[0:32]).decode('ascii')
y = utils.base64url_encode(public_key[32:64]).decode('ascii')
self.set_publicJWK(str(ec_priv_key), 'EC', 'P-256', x, y, x5c=None)
def generatePkce(self, challengeMethod):
if challengeMethod != 'plain' and challengeMethod != 'S256':
raise ParamError('challengeMethod')
try:
codeVerifier = self.__generateVerifier(128)
logger.debug('codeVerifier=' + codeVerifier)
logger.debug('type(codeVerifier)=' + str(type(codeVerifier)))
if challengeMethod == 'plain':
codeChallenge = codeVerifier
elif challengeMethod == 'S256':
try: # Python3
codeVerifier_bytes = codeVerifier.encode()
logger.debug('type(hashlib.sha256(codeVerifier_bytes)=' +
str(type(hashlib.sha256(codeVerifier_bytes))))
logger.debug(
'hashlib.sha256(codeVerifier_bytes).digest()=' +
str(hashlib.sha256(codeVerifier_bytes).digest()))
logger.debug(
'type(hashlib.sha256(codeVerifier_bytes).digest()=' +
str(type(hashlib.sha256(codeVerifier_bytes).digest())))
logger.debug(
'base64url_encode(hashlib.sha256(codeVerifier_bytes).digest())='
+ str(
base64url_encode(
hashlib.sha256(codeVerifier_bytes).digest())))
logger.debug(
'type(base64url_encode(hashlib.sha256(codeVerifier_bytes).digest())='
+ str(
type(
base64url_encode(
hashlib.sha256(
codeVerifier_bytes).digest()))))
codeChallenge = base64url_encode(
hashlib.sha256(codeVerifier_bytes).digest()).decode(
'utf-8')
logger.debug('codeChallenge=' + codeChallenge)
logger.debug('type(codeChallenge)=' +
str(type(codeChallenge)))
except: # Python2
codeChallenge = base64url_encode(
hashlib.sha256(codeVerifier).digest())
else:
raise ParamError('challengeMethod')
self.session['challengeMethod'] = challengeMethod
self.session['codeVerifier'] = codeVerifier
self.session['codeChallenge'] = codeChallenge
except TypeError as exp:
logger.error('[OIDCTokenStore.generatePkce] [TypeError] ' +
str(exp))
raise
except Exception as exp:
logger.error('[OIDCTokenStore.generatePkce] ' + str(exp))
raise
def sign(self):
data_to_sign = self.get_signature_data()
raw_signature = self.wallet.sign(data_to_sign)
self.signature = base64url_encode(raw_signature)
self.id = base64url_encode(hashlib.sha256(raw_signature).digest())
if type(self.id) == bytes:
self.id = self.id.decode()
def _encode_claims(claims):
json_payload = json.dumps(
claims,
separators=(',', ':'),
).encode('utf-8')
return base64url_encode(json_payload)
def to_dict(self):
print("boom!")
return {
"dataHash": base64url_encode(self.data_hash).decode(),
"maxByteRange": self.max_byte_range,
"minByteRange": self.min_byte_range
}
def _encode_claims(claims):
json_payload = json.dumps(
claims,
separators=(',', ':'),
).encode('utf-8')
return base64url_encode(json_payload)
def get_chunk(self, idx):
if self.chunks is None:
raise ArweaveTransactionException("Chunks have not been prepared")
proof = self.chunks.get('proofs')[idx]
chunk = self.chunks.get('chunks')[idx]
self.file_handler.seek(chunk.min_byte_range)
chunk_data = self.file_handler.read(chunk.data_size)
return {
"data_root": self.data_root.decode(),
"data_size": str(self.data_size),
"data_path": base64url_encode(proof.proof),
"offset": str(proof.offset),
"chunk": base64url_encode(chunk_data)
}
def prepare_chunks(self):
if not self.chunks:
self.chunks = generate_transaction_chunks(self.file_handler)
self.data_root = base64url_encode(self.chunks.get('data_root'))
if not self.chunks:
self.chunks = {"chunks": [], "data_root": b'', "proof": []}
self.data_root = ''
def __init__(self, signed_se, verification_cert):
self.signed_se = signed_se
self.ski_ext = verification_cert.extensions.get_extension_for_class(
extclass=x509.SubjectKeyIdentifier)
self.verification_cert_kid_b64 = base64url_encode(
self.ski_ext.value.digest).decode("ascii")
self.verification_public_key_pem = (
verification_cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
).decode("ascii"))
self.verification_cert_x5t_s256_b64 = base64url_encode(
verification_cert.fingerprint(hashes.SHA256())).decode("ascii")
self.certificate_chain = ""
self.run()
def generate_at_hash(access_token):
"""
Get hash for JWT access token.
"""
hash = hashlib.sha256()
hash.update(access_token.encode())
digest = hash.digest()
digest_truncated = digest[:(int(len(digest) / 2))]
at_hash = base64url_encode(digest_truncated).decode()
return at_hash
def _encode_payload(payload):
if isinstance(payload, Mapping):
try:
payload = json.dumps(
payload,
separators=(',', ':'),
)
except ValueError:
pass
return base64url_encode(six.ensure_binary(payload))
def _encode_payload(payload):
if isinstance(payload, Mapping):
try:
payload = json.dumps(
payload,
separators=(',', ':'),
).encode('utf-8')
except ValueError:
pass
return base64url_encode(payload)
def _encode_payload(payload):
if isinstance(payload, Mapping):
try:
payload = json.dumps(
payload,
separators=(',', ':'),
).encode('utf-8')
except ValueError:
pass
return base64url_encode(payload)
def hash(data):
if type(data) == list:
byte_str = b''
for line in data:
byte_str += line
data = byte_str
digest = hashlib.sha256(data).digest()
b64_str = base64url_encode(digest)
return digest
def get_signature_data(self):
self.reward = self.get_reward(
self.data_size,
target_address=self.target if len(self.target) > 0 else None)
if int(self.data_size
) > 0 and self.data_root == "" and not self.uses_uploader:
if type(self.data) == str:
root_hash = compute_root_hash(io.StringIO(self.data))
if type(self.data) == bytes:
root_hash = compute_root_hash(io.BytesIO(self.data))
self.data_root = base64url_encode(root_hash)
if self.format == 1:
tag_str = ""
for tag in self.tags:
name, value = decode_tag(tag)
tag_str += "{}{}".format(name.decode(), value.decode())
owner = base64url_decode(self.jwk_data['n'].encode())
target = base64url_decode(self.target)
data = base64url_decode(self.data)
quantity = self.quantity.encode()
reward = self.reward.encode()
last_tx = base64url_decode(self.last_tx.encode())
signature_data = owner + target + data + quantity + reward + last_tx + tag_str.encode(
)
if self.format == 2:
if self.uses_uploader:
self.prepare_chunks()
tag_list = [[tag['name'].encode(), tag['value'].encode()]
for tag in self.tags]
signature_data_list = [
"2".encode(),
base64url_decode(self.jwk_data['n'].encode()),
base64url_decode(self.target.encode()),
str(self.quantity).encode(),
self.reward.encode(),
base64url_decode(self.last_tx.encode()), tag_list,
str(self.data_size).encode(),
base64url_decode(self.data_root)
]
signature_data = deep_hash(signature_data_list)
return signature_data
def _encode_header(algorithm, additional_headers=None):
header = {"typ": "JWT", "alg": algorithm}
if additional_headers:
header.update(additional_headers)
json_header = json.dumps(
header,
separators=(',', ':'),
).encode('utf-8')
return base64url_encode(json_header)
def _sign_header_and_claims(encoded_header, encoded_claims, algorithm, key_data):
signing_input = b'.'.join([encoded_header, encoded_claims])
try:
key = jwk.construct(key_data, algorithm)
signature = key.sign(signing_input)
except Exception as e:
raise JWSError(e)
encoded_signature = base64url_encode(signature)
encoded_string = b'.'.join([encoded_header, encoded_claims, encoded_signature])
return encoded_string.decode('utf-8')
def _sign_header_and_claims(encoded_header, encoded_claims, algorithm, key_data):
signing_input = b'.'.join([encoded_header, encoded_claims])
try:
key = jwk.construct(key_data, algorithm)
signature = key.sign(signing_input)
except Exception as e:
raise JWSError(e)
encoded_signature = base64url_encode(signature)
encoded_string = b'.'.join([encoded_header, encoded_claims, encoded_signature])
return encoded_string.decode('utf-8')
def _encode_header(algorithm, additional_headers=None):
header = {"typ": "JWT", "alg": algorithm}
if additional_headers:
header.update(additional_headers)
json_header = json.dumps(
header,
separators=(",", ":"),
sort_keys=True,
).encode("utf-8")
return base64url_encode(json_header)
def _sign_header_and_claims(encoded_header, encoded_claims, algorithm, key):
signing_input = b".".join([encoded_header, encoded_claims])
try:
if not isinstance(key, Key):
key = jwk.construct(key, algorithm)
signature = key.sign(signing_input)
except Exception as e:
raise JWSError(e)
encoded_signature = base64url_encode(signature)
encoded_string = b".".join([encoded_header, encoded_claims, encoded_signature])
return encoded_string.decode("utf-8")
def _sign_header_and_claims(encoded_header, encoded_claims, algorithm, key):
signing_input = b'.'.join([encoded_header, encoded_claims])
try:
alg_obj = get_algorithm_object(algorithm)
key = alg_obj.prepare_key(key)
signature = alg_obj.sign(signing_input, key)
except Exception as e:
raise JWSError(e)
encoded_signature = base64url_encode(signature)
encoded_string = b'.'.join([encoded_header, encoded_claims, encoded_signature])
return encoded_string.decode('utf-8')
def _encode_header(algorithm, additional_headers=None):
header = {
"typ": "JWT",
"alg": algorithm
}
if additional_headers:
header.update(additional_headers)
json_header = json.dumps(
header,
separators=(',', ':'),
).encode('utf-8')
return base64url_encode(json_header)
def test_1_7_4_generatePkce_s256_normal(self):
"Generating Plain CodeChallenge from OIDCTokenStore Model."
tokenstore = OIDCTokenStore(self.opId, self.session)
cc = tokenstore.generatePkce('S256')
self.assertEquals(
self.session[settings.OIDC_TOKENSTORE_COOKIENAME +
self.opId]['challengeMethod'], 'S256')
try:
codeChallenge = base64url_encode(
hashlib.sha256(
self.session[settings.OIDC_TOKENSTORE_COOKIENAME +
self.opId]
['codeVerifier'].encode()).digest()).decode('utf-8')
self.assertEquals(
self.session[settings.OIDC_TOKENSTORE_COOKIENAME +
self.opId]['codeChallenge'], codeChallenge)
except:
self.assertEquals(
self.session[settings.OIDC_TOKENSTORE_COOKIENAME +
self.opId]['codeChallenge'],
base64url_encode(
hashlib.sha256(
self.session[settings.OIDC_TOKENSTORE_COOKIENAME +
self.opId]['codeVerifier']).digest()))
def _sign_header_and_claims(encoded_header, encoded_claims, algorithm, key):
signing_input = b'.'.join([encoded_header, encoded_claims])
try:
alg_obj = get_algorithm_object(algorithm)
key = alg_obj.prepare_key(key)
signature = alg_obj.sign(signing_input, key)
except Exception as e:
raise JWSError(e)
encoded_signature = base64url_encode(signature)
encoded_string = b'.'.join(
[encoded_header, encoded_claims, encoded_signature])
return encoded_string.decode('utf-8')
def _encode_header(algorithm, additional_headers=None):
header = {
"typ": "JWT",
"alg": algorithm
}
if additional_headers:
header.update(additional_headers)
json_header = six.ensure_binary(json.dumps(
header,
separators=(',', ':'),
sort_keys=True,
))
return base64url_encode(json_header)
async def _verify_signature(app, jws, payload):
jws_header_b64, _, signature_b64 = jws.split('.')
signature = base64url_decode(signature_b64.encode())
header_str = base64url_decode(jws_header_b64.encode())
header = json.loads(header_str)
if header.get('jku') != app.config.expected_jwks_uri:
return False
response = await app.aiohttp_session.get(app.config.expected_jwks_uri)
jwks = await response.json()
# Get the first key with ID matching the header's
raw_key = next(k for k in jwks['keys'] if k.get('kid') == header['kid'])
key = jwk.construct(raw_key)
payload_b64 = base64url_encode(payload).decode()
secured_input = f'{jws_header_b64}.{payload_b64}'
return key.verify(secured_input.encode(), signature)
def generate_manifest(signer_certificate,
device_certificate,
log_key_path=LOGGING_KEY,
log_cert_path=LOGGING_CERT):
device_entry = {
'version': 1,
'model': 'ATECC608A',
'partNumber': 'ATECC608A-TFLXTLS',
'manufacturer': {
'organizationName': 'Microchip Technology Inc',
'organizationalUnitName': 'Secure Products Group'
},
'provisioner': {
'organizationName': 'Microchip Technology Inc',
'organizationalUnitName': 'Secure Products Group'
},
'distributor': {
'organizationName': 'Microchip Technology Inc',
'organizationalUnitName': 'Microchip Direct'
}
}
device_entry[
'provisioningTimestamp'] = device_certificate.not_valid_before.strftime(
'%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
serial_number = bytearray(9)
assert atcab_read_serial_number(serial_number) == Status.ATCA_SUCCESS
device_entry['uniqueId'] = serial_number.hex()
device_entry['publicKeySet'] = {
'keys': [{
'kid':
'0',
'kty':
'EC',
'crv':
'P-256',
'x':
None,
'y':
None,
'x5c': [
base64.b64encode(
device_certificate.public_bytes(
encoding=serialization.Encoding.DER)).decode('ascii'),
base64.b64encode(
signer_certificate.public_bytes(
encoding=serialization.Encoding.DER)).decode('ascii')
]
}, {
'kid': '1',
'kty': 'EC',
'crv': 'P-256',
'x': None,
'y': None,
}, {
'kid': '2',
'kty': 'EC',
'crv': 'P-256',
'x': None,
'y': None,
}, {
'kid': '3',
'kty': 'EC',
'crv': 'P-256',
'x': None,
'y': None,
}, {
'kid': '4',
'kty': 'EC',
'crv': 'P-256',
'x': None,
'y': None,
}]
}
print('Generating manifest file...', end='')
for key in device_entry['publicKeySet']['keys']:
public_key = bytearray(64)
#print('reading slot {} public key'.format(key['kid']))
assert atcab_get_pubkey(int(key['kid']),
public_key) == Status.ATCA_SUCCESS
key['x'] = utils.base64url_encode(public_key[0:32]).decode('ascii')
key['y'] = utils.base64url_encode(public_key[32:64]).decode('ascii')
# If a logging key and certificate was provided create a manifest file
log_key, log_cert = certs_handler.load_key_and_cert(
log_key_path, log_cert_path)
# Generate the key and certificate ids for JWS
log_key_id = certs_handler.jws_b64encode(
log_cert.extensions.get_extension_for_class(
x509.SubjectKeyIdentifier).value.digest)
log_cert_id = certs_handler.jws_b64encode(
log_cert.fingerprint(hashes.SHA256()))
# Precompute the JWT header
jws_header = {
'typ': 'JWT',
'alg': 'ES256',
'kid': log_key_id,
'x5t#S256': log_cert_id
}
jws_header = certs_handler.jws_b64encode(
json.dumps(jws_header).encode('ascii'))
manifest = json.dumps(
[certs_handler.create_signed_entry(device_entry, log_key, jws_header)],
indent=2).encode('ascii')
filename = common_helper.make_valid_filename(
device_entry['uniqueId'].upper()) + '_manifest' + '.json'
with open(filename, 'wb') as f:
f.write(manifest)
print('OK (saved to {})'.format(filename))
def to_dict(self):
return {
'alg': self._algorithm,
'kty': 'oct',
'k': base64url_encode(self.prepared_key),
}
def generate_manifest_file(esp, args, init_mfg):
retval = init_mfg.exec_cmd(esp._port, "print-chip-info")
serial.esp_cmd_check_ok(retval, "print-chip-info")
# find index fo SN in string
index = retval[1]['Return'].find("Serial Number:")
index += len("Serial Number:")
serial_number_hex = retval[1]['Return'][index:]
serial_number_hex = serial_number_hex.strip()
serial_number_hex = serial_number_hex.replace(' ','')
print('Serial Number:')
print(serial_number_hex.upper())
if args.print_atecc608a_type is True:
# only print chip info and exit.
exit(0)
print("Generating Manifest")
certs = []
retval = init_mfg.exec_cmd(esp._port, "get-tngtls-root-cert")
serial.esp_cmd_check_ok(retval, "get-tngtls-root-cert")
index = retval[1]['Return'].find("Root Cert Len:")
index += len("Root Cert Len:")
root_cert_size = retval[1]['Return'][index:index + 3]
root_cert_size = int(root_cert_size)
root_cert_der = bytearray(root_cert_size)
index = retval[1]['Return'].find("Certificate:")
index += len("Certificate:")
root_cert_hex = retval[1]['Return'][index + 1:]
root_cert_hex = root_cert_hex.strip()
root_cert_der = bytearray.fromhex(root_cert_hex)
root_cert = x509.load_der_x509_certificate(root_cert_der, default_backend())
certs.insert(0, root_cert)
print(get_common_name(root_cert.subject))
print(root_cert.public_bytes(encoding=Encoding.PEM).decode('utf-8'))
print('TNG Root Public Key:')
print(root_cert.public_key().public_bytes(
format=PublicFormat.SubjectPublicKeyInfo,
encoding=Encoding.PEM
).decode('utf-8'))
retval = init_mfg.exec_cmd(esp._port, "get-tngtls-signer-cert")
serial.esp_cmd_check_ok(retval, "get-tngtls-signer-cert")
index = retval[1]['Return'].find("Signer Cert Len:")
index += len("Signer Cert Len:")
signer_cert_size = retval[1]['Return'][index:index + 3]
signer_cert_size = int(signer_cert_size)
signer_cert_der = bytearray(signer_cert_size)
index = retval[1]['Return'].find("Certificate:")
index += len("Certificate:")
signer_cert_hex = retval[1]['Return'][index:]
signer_cert_hex = signer_cert_hex.strip()
signer_cert_der = bytearray.fromhex(signer_cert_hex)
print('TNG Signer Certificate:')
signer_cert = x509.load_der_x509_certificate(signer_cert_der, default_backend())
certs.insert(0, signer_cert)
print(get_common_name(signer_cert.subject))
print(signer_cert.public_bytes(encoding=Encoding.PEM).decode('utf-8'))
print('TNG Signer Public Key:')
print(signer_cert.public_key().public_bytes(
format=PublicFormat.SubjectPublicKeyInfo,
encoding=Encoding.PEM
).decode('utf-8'))
# Note that this is a simple cryptographic validation and does not check
# any of the actual certificate data (validity dates, extensions, names,
# etc...)
print('Validate Signer Certificate:')
root_cert.public_key().verify(
signature=signer_cert.signature,
data=signer_cert.tbs_certificate_bytes,
signature_algorithm=ec.ECDSA(signer_cert.signature_hash_algorithm)
)
print('OK\n')
print('TNG Device Certificate:')
retval = init_mfg.exec_cmd(esp._port, "get-tngtls-device-cert")
serial.esp_cmd_check_ok(retval, "get-tngtls-device-cert")
index = retval[1]['Return'].find("Device Cert Len:")
index += len("Device Cert Len:")
device_cert_size = retval[1]['Return'][index:index + 3]
device_cert_size = int(device_cert_size)
device_cert_der = bytearray(device_cert_size)
index = retval[1]['Return'].find("Certificate:")
index += len("Certificate:")
device_cert_hex = retval[1]['Return'][index:]
device_cert_hex = device_cert_hex.strip()
device_cert_der = bytearray.fromhex(device_cert_hex)
device_cert = x509.load_der_x509_certificate(device_cert_der, default_backend())
certs.insert(0, device_cert)
print(get_common_name(device_cert.subject))
device_cert_pem = device_cert.public_bytes(encoding=Encoding.PEM).decode('utf-8')
print(device_cert_pem)
print("Saving device cert to output_files")
with open(os.path.join(args.basepath, "device_cert.pem"), "w+") as dev_cert_file:
dev_cert_file.write(device_cert_pem)
print('TNG Device Public Key:')
# Note that we could, of course, pull this from the device certificate above.
# However, this demonstrates the tng_atcacert_device_public_key() function.
print(device_cert.public_key().public_bytes(
format=PublicFormat.SubjectPublicKeyInfo,
encoding=Encoding.PEM
).decode('utf-8'))
print('Validate Device Certificate:')
signer_cert.public_key().verify(
signature=device_cert.signature,
data=device_cert.tbs_certificate_bytes,
signature_algorithm=ec.ECDSA(device_cert.signature_hash_algorithm)
)
print('OK\n')
device_entry = {
'version': 1,
'model': 'ATECC608A',
'partNumber': 'ATECC608A-TNGTLS',
'manufacturer': {
'organizationName': 'Microchip Technology Inc',
'organizationalUnitName': 'Secure Products Group'
},
'provisioner': {
'organizationName': 'Microchip Technology Inc',
'organizationalUnitName': 'Secure Products Group'
},
'distributor': {
'organizationName': 'Microchip Technology Inc',
'organizationalUnitName': 'Microchip Direct'
}
}
device_entry['provisioningTimestamp'] = device_cert.not_valid_before.strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] + 'Z'
print(serial_number_hex)
device_entry['uniqueId'] = serial_number_hex
device_entry['publicKeySet'] = {
'keys': [
{
'kid': '0',
'kty': 'EC',
'crv': 'P-256',
'x': None,
'y': None,
'x5c': [
base64.b64encode(device_cert_der).decode('ascii'),
base64.b64encode(signer_cert_der).decode('ascii')
]
},
{'kid': '1', 'kty': 'EC', 'crv': 'P-256', 'x': None, 'y': None},
{'kid': '2', 'kty': 'EC', 'crv': 'P-256', 'x': None, 'y': None},
{'kid': '3', 'kty': 'EC', 'crv': 'P-256', 'x': None, 'y': None},
{'kid': '4', 'kty': 'EC', 'crv': 'P-256', 'x': None, 'y': None}
]
}
for key in device_entry['publicKeySet']['keys']:
public_key = bytearray(64)
print('reading slot {} public key'.format(key['kid']))
retval = init_mfg.exec_cmd(esp._port, "generate-pubkey {}".format(key['kid']))
serial.esp_cmd_check_ok(retval, "pub-key-gen")
index = retval[1]['Return'].find("Public Key:")
index += len("Public Key:")
public_key_hex = retval[1]['Return'][index:]
public_key_hex = public_key_hex.strip()
public_key = bytearray.fromhex(public_key_hex)
key['x'] = utils.base64url_encode(public_key[0:32]).decode('ascii')
key['y'] = utils.base64url_encode(public_key[32:64]).decode('ascii')
# If a logging key and certificate was provided create a manifest file
log_key = cert_sign.load_privatekey(args.signer_privkey)
log_cert = cert_sign.load_certificate(args.signer_cert)
# Generate the key and certificate ids for JWS
log_key_id = jws_b64encode(log_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest)
log_cert_id = jws_b64encode(log_cert.fingerprint(hashes.SHA256()))
# Precompute the JWT header
jws_header = {'typ': 'JWT', 'alg': 'ES256', 'kid': log_key_id, 'x5t#S256': log_cert_id}
jws_header = jws_b64encode(json.dumps(jws_header).encode('ascii'))
manifest = json.dumps([create_signed_entry(device_entry, log_key, jws_header)], indent=2).encode('ascii')
filename = make_valid_filename(device_entry['uniqueId']) + '_manifest' + '.json'
os.getcwd()
with open(os.path.join(args.basepath, filename), 'wb') as f:
f.write(manifest)
print('Created: ' + filename)
def verifySig(self,
issuer=None,
clientId=None,
clientSecret=None,
accessToken=None,
sigAlgSupported=[],
JWKSet=[]):
if not issuer or issuer is None:
raise ParamError('issuer')
if not clientId or clientId is None:
raise ParamError('clientId')
if not clientSecret or clientSecret is None:
raise ParamError('clientSecret')
#if not sigAlgSupported or sigAlgSupported is None:
# raise ParamError('sigAlgSupported')
c = {}
try:
if 'id_token' not in self.session.keys(
) or 'id_token_decoded' not in self.session.keys():
return c
if 'id_token_decoded' in self.session.keys():
id_token_decoded = json.loads(self.session['id_token_decoded'])
if 'id_token' in self.session.keys():
id_token = self.session['id_token']
except Exception as exp:
logger.error('[OIDCTokenStore.verifySig] id_token Load Error : ' +
str(exp))
raise
try:
c['issMatching'] = None
if 'iss' in id_token_decoded.keys():
if id_token_decoded['iss'] == issuer:
c['issMatching'] = True
else:
c['issMatching'] = False
except Exception as exp:
logger.error('[OIDCTokenStore.verifySig] iss Matching Error : ' +
str(exp))
raise
try:
c['audMatching'] = None
if 'aud' in id_token_decoded.keys():
if clientId in id_token_decoded['aud']:
c['audMatching'] = True
else:
c['audMatching'] = False
except Exception as exp:
logger.error('[OIDCTokenStore.verifySig] aud Matching Error : ' +
str(exp))
raise
try:
c['azpMatching'] = None
if 'azp' in id_token_decoded.keys():
if clientId in id_token_decoded['azp']:
c['azpMatching'] = True
else:
c['azpMatching'] = False
except Exception as exp:
logger.error('[OIDCTokenStore.verifySig] azp Matching Error : ' +
str(exp))
raise
try:
c['expIntegrity'] = None
if 'exp' in id_token_decoded.keys():
if int(time.mktime(datetime.now().timetuple())) < int(
id_token_decoded['exp']):
c['expIntegrity'] = True
else:
c['expIntegrity'] = False
except Exception as exp:
logger.error('[OIDCTokenStore.verifySig] exp Integrity Error : ' +
str(exp))
raise
try:
c['nbfIntegrity'] = None
if 'nbf' in id_token_decoded.keys():
if int(time.mktime(datetime.now().timetuple())) >= int(
id_token_decoded['nbf']):
c['nbfIntegrity'] = True
else:
c['nbfIntegrity'] = False
except Exception as exp:
logger.error('[OIDCTokenStore.verifySig] nbf Integrity Error : ' +
str(exp))
raise
try:
c['iatIntegrity'] = None
if 'iat' in id_token_decoded.keys():
if (int(time.mktime(datetime.now().timetuple())) -
self.leeway) < int(id_token_decoded['iat']):
c['iatIntegrity'] = True
else:
c['iatIntegrity'] = False
except Exception as exp:
logger.error('[OIDCTokenStore.verifySig] iat Integrity Error : ' +
str(exp))
raise
try:
c['sigAlg'] = None
c['sigType'] = None
c['sigVerify'] = None
idTokenHeaders, idTokenBody, idTokenSig = id_token.split('.')
idTokenHeaders_padding = idTokenHeaders.replace('-', '+').replace(
'_', '/') + ('=' * (len(idTokenHeaders) % 4))
idTokenHeaders_decoded = json.loads(
base64.b64decode(idTokenHeaders_padding))
idTokenBody_padding = idTokenBody.replace('-', '+').replace(
'_', '/') + ('=' * (len(idTokenBody) % 4))
idTokenBody_b64decoded = base64.b64decode(idTokenBody_padding)
if 'alg' in idTokenHeaders_decoded.keys():
if (idTokenHeaders_decoded['alg'] in keyMap['hmacType'].keys()
and idTokenHeaders_decoded['alg']
in sigAlgSupported) or JWKSet == "":
c['sigType'] = 'Symmetric'
c['sigAlg'] = idTokenHeaders_decoded['alg']
dmod = keyMap['hmacType'][idTokenHeaders_decoded['alg']]
sig_digest = hmac.new(
clientSecret.encode(),
'.'.join([idTokenHeaders, idTokenBody]).encode(),
digestmod=dmod).digest()
sig = base64.b64encode(sig_digest).decode('utf-8').replace(
'+', '-').replace('/', '_').replace('=', '')
logger.debug('sig =' + sig)
logger.debug('idTokenSig=' + idTokenSig)
c['sigVerify'] = (sig == idTokenSig)
elif idTokenHeaders_decoded['alg'] in [
'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'
] and idTokenHeaders_decoded['alg'] in sigAlgSupported:
c['sigType'] = 'Asymmetric'
c['sigAlg'] = idTokenHeaders_decoded['alg']
try: # Python3
jwkstr = json.dumps(JWKSet).encode()
except: # Python2
jwkstr = json.dumps(JWKSet).decode('utf-8')
logger.debug('type(jwkstr)=' + str(type(jwkstr)))
result = jws.verify(
id_token,
jwkstr,
algorithms=idTokenHeaders_decoded['alg'])
logger.debug('verify result=' + str(result))
if json.dumps(json.loads(result)) == json.dumps(
json.loads(idTokenBody_b64decoded)):
c['sigVerify'] = True
logger.debug('verify is True')
else:
c['sigVerify'] = False
logger.debug('verify is False')
elif idTokenHeaders_decoded['alg'] == 'none':
c['sigType'] = 'Unsecured'
c['sigAlg'] = idTokenHeaders_decoded['alg']
else:
c['sigType'] = 'Unknown'
c['sigAlg'] = idTokenHeaders_decoded['alg']
except Exception as exp:
logger.error('[OIDCTokenStore.verifySig] sig Validation Error : ' +
str(exp))
raise
try:
c['sigATHash'] = None
logger.debug('accessToken=' + str(accessToken))
logger.debug('type(accessToken)=' + str(type(accessToken)))
if accessToken is not None:
logger.debug('1')
if 'at_hash' in id_token_decoded.keys():
try: # Python3
accessToken_bytes = accessToken.encode()
logger.debug('accessToken_bytes=' +
str(accessToken_bytes))
logger.debug('type(accessToken_bytes)=' +
str(type(accessToken_bytes)))
digest = hashlib.sha256(accessToken_bytes).digest()
computed_hash = base64url_encode(
digest[:len(digest) // 2]).decode('utf-8').replace(
'=', '')
logger.debug('digest=' + str(digest))
logger.debug('type(digest)=' + str(type(digest)))
logger.debug(
'base64url_encode(digest[:len(digest)//2]).decode("utf-8").replace("=","")='
+
base64url_encode(digest[:len(digest) // 2]).decode(
'utf-8').replace('=', ''))
logger.debug(
'type(base64url_encode(digest[:len(digest)//2]).decode("utf-8").replace("=",""))='
+ str(
type(
base64url_encode(digest[:len(digest) // 2])
.decode('utf-8').replace('=', ''))))
logger.debug('id_token_decoded["at_hash"]=' +
id_token_decoded['at_hash'])
except: # Python2
digest = hashlib.sha256(accessToken).digest()
computed_hash = base64url_encode(
digest[:len(digest) // 2]).replace('=', '')
if id_token_decoded['at_hash'] == computed_hash:
c['sigATHash'] = True
else:
c['sigATHash'] = False
except Exception as exp:
logger.error(
'[OIDCTokenStore.verifySig] at_hash Validation Error : ' +
str(exp))
raise
return c
