def deserialize(self): """ Starting with information gathered from the on-the-wire representation of an elliptic curve key initiate an Elliptic Curve. """ if not (self.x and self.y and self.crv): DeSerializationNotPossible() try: if not isinstance(self.x, six.integer_types): self.x = deser(self.x) if not isinstance(self.y, six.integer_types): self.y = deser(self.y) except TypeError: raise DeSerializationNotPossible() except ValueError as err: raise DeSerializationNotPossible("%s" % err) self.curve = NISTEllipticCurve.by_name(self.crv) if self.d: try: if isinstance(self.d, six.string_types): self.d = deser(self.d) except ValueError as err: raise DeSerializationNotPossible(str(err))
def ec_init(spec): """ :param spec: Key specifics of the form {"type": "EC", "crv": "P-256", "use": ["sig"]}, :return: A KeyBundle instance """ _key = NISTEllipticCurve.by_name(spec["crv"]) kb = KeyBundle(keytype="EC", keyusage=spec["use"]) for use in spec["use"]: priv, pub = _key.key_pair() ec = ECKey(x=pub[0], y=pub[1], d=priv, crv=spec["crv"]) ec.serialize() ec.use = use kb.append(ec) return kb
def enc_setup(self, msg, auth_data, key=None, **kwargs): encrypted_key = "" # Generate the input parameters try: apu = b64d(kwargs["apu"]) except KeyError: apu = b64d(Random.get_random_bytes(16)) try: apv = b64d(kwargs["apv"]) except KeyError: apv = b64d(Random.get_random_bytes(16)) # Generate an ephemeral key pair curve = NISTEllipticCurve.by_name(key.crv) if "epk" in kwargs: eprivk = ECKey(kwargs["epk"]) else: (eprivk, epk) = curve.key_pair() params = { "apu": b64e(apu), "apv": b64e(apv), } cek, iv = self._generate_key_and_iv(self.enc) if self.alg == "ECDH-ES": try: dk_len = KEYLEN[self.enc] except KeyError: raise Exception("Unknown key length for algorithm %s" % self.enc) cek = ecdh_derive_key(curve, eprivk, key, apu, apv, self.enc, dk_len) elif self.alg in [ "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW" ]: _pre, _post = self.alg.split("+") klen = int(_post[1:4]) kek = ecdh_derive_key(curve, eprivk, key, apu, apv, _post, klen) encrypted_key = aes_wrap_key(kek, cek) else: raise Exception("Unsupported algorithm %s" % self.alg) return cek, encrypted_key, iv, params
def enc_setup(self, msg, auth_data, key=None, **kwargs): encrypted_key = "" # Generate the input parameters try: apu = b64d(kwargs["apu"]) except KeyError: apu = b64d(Random.get_random_bytes(16)) try: apv = b64d(kwargs["apv"]) except KeyError: apv = b64d(Random.get_random_bytes(16)) # Generate an ephemeral key pair curve = NISTEllipticCurve.by_name(key.crv) if "epk" in kwargs: eprivk = ECKey(kwargs["epk"]) else: (eprivk, epk) = curve.key_pair() params = { "apu": b64e(apu), "apv": b64e(apv), } cek, iv = self._generate_key_and_iv(self.enc) if self.alg == "ECDH-ES": try: dk_len = KEYLEN[self.enc] except KeyError: raise Exception( "Unknown key length for algorithm %s" % self.enc) cek = ecdh_derive_key(curve, eprivk, key, apu, apv, self.enc, dk_len) elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]: _pre, _post = self.alg.split("+") klen = int(_post[1:4]) kek = ecdh_derive_key(curve, eprivk, key, apu, apv, _post, klen) encrypted_key = aes_wrap_key(kek, cek) else: raise Exception("Unsupported algorithm %s" % self.alg) return cek, encrypted_key, iv, params
def deserialize(self): """ Starting with information gathered from the on-the-wire representation of an elliptic curve key initiate an Elliptic Curve. """ try: if not isinstance(self.x, six.integer_types): self.x = deser(self.x) if not isinstance(self.y, six.integer_types): self.y = deser(self.y) except TypeError: raise DeSerializationNotPossible() except ValueError as err: raise DeSerializationNotPossible("%s" % err) self.curve = NISTEllipticCurve.by_name(self.crv) if self.d: try: if isinstance(self.d, str): self.d = deser(self.d) except ValueError as err: raise DeSerializationNotPossible(str(err))
def enc_setup(self, msg, auth_data, key=None, **kwargs): encrypted_key = "" self.msg = msg self.auth_data = auth_data # Generate the input parameters try: apu = b64d(kwargs["apu"]) except KeyError: apu = Random.get_random_bytes(16) try: apv = b64d(kwargs["apv"]) except KeyError: apv = Random.get_random_bytes(16) # Handle Local Key and Ephemeral Public Key if not key: raise Exception("EC Key Required for ECDH-ES JWE Encrpytion Setup") # Generate an ephemeral key pair if none is given curve = NISTEllipticCurve.by_name(key.crv) if "epk" in kwargs: epk = kwargs["epk"] if isinstance(kwargs["epk"], ECKey) else ECKey(kwargs["epk"]) else: raise Exception( "Ephemeral Public Key (EPK) Required for ECDH-ES JWE " "Encryption Setup") params = { "apu": b64e(apu), "apv": b64e(apv), "epk": epk.serialize(False) } cek = iv = None if 'cek' in kwargs and kwargs['cek']: cek = kwargs['cek'] if 'iv' in kwargs and kwargs['iv']: iv = kwargs['iv'] cek, iv = self._generate_key_and_iv(self.enc, cek=cek, iv=iv) if self.alg == "ECDH-ES": try: dk_len = KEYLEN[self.enc] except KeyError: raise Exception( "Unknown key length for algorithm %s" % self.enc) cek = ecdh_derive_key(curve, epk.d, (key.x, key.y), apu, apv, str(self.enc).encode(), dk_len) elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]: _pre, _post = self.alg.split("+") klen = int(_post[1:4]) kek = ecdh_derive_key(curve, epk.d, (key.x, key.y), apu, apv, str(_post).encode(), klen) encrypted_key = aes_wrap_key(kek, cek) else: raise Exception("Unsupported algorithm %s" % self.alg) return cek, encrypted_key, iv, params, epk
msg = _jwe1.decrypt(jwt, [_key]) assert msg == plain def test_rsa_with_kid(): encryption_keys = [RSAKey(use="enc", key=rsa, kid="some-key-id")] jwe = JWE("some content", alg="RSA-OAEP", enc="A256CBC-HS512") jwe.encrypt(keys=encryption_keys, kid="some-key-id") if __name__ == "__main__": test_rsa_with_kid() # Test ECDH-ES curve = NISTEllipticCurve.by_name('P-256') remotepriv, remotepub = curve.key_pair() localpriv, localpub = curve.key_pair() localkey = ECKey(crv=curve.name(), d=localpriv, x=localpub[0], y=localpub[1]) remotekey = ECKey(crv=curve.name(), d=remotepriv, x=remotepub[0], y=remotepub[1]) def test_ecdh_encrypt_decrypt_direct_key(): jwenc = JWE_EC(plain, alg="ECDH-ES", enc="A128GCM") cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain, '', key=remotekey,
assert msg == plain def test_rsa_with_kid(): encryption_keys = [RSAKey(use="enc", key=rsa, kid="some-key-id")] jwe = JWE("some content", alg="RSA-OAEP", enc="A256CBC-HS512") jwe.encrypt(keys=encryption_keys, kid="some-key-id") if __name__ == "__main__": test_rsa_with_kid() # Test ECDH-ES curve = NISTEllipticCurve.by_name('P-256') remotepriv, remotepub = curve.key_pair() localpriv, localpub = curve.key_pair() localkey = ECKey(crv=curve.name(), d=localpriv, x=localpub[0], y=localpub[1]) remotekey = ECKey(crv=curve.name(), d=remotepriv, x=remotepub[0], y=remotepub[1]) def test_ecdh_encrypt_decrypt_direct_key(): jwenc = JWE_EC(plain, alg="ECDH-ES", enc="A128GCM") cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain, '', key=remotekey, epk=localkey) kwargs = {} kwargs['params'] = params