コード例 #1
0
    def encrypt_in_domain(self, plain_text: bytes, use_domain_name: str) -> bytes:
        assert isinstance(plain_text, bytes)
        assert isinstance(use_domain_name, str)

        self.__verify_bootstrapped_and_registered()
        self.__update_config_by_elasped_time(MAX_ELASPED_TIME)
        use_domain_for_encryption = self.__get_valid_use_domain_for_encryption(use_domain_name)
        encryption_key_id_for_encryption = self.__get_encryption_key_id(use_domain_for_encryption)

        symmetric_cipher = self.__get_symmetric_cipher(use_domain_for_encryption.symmetric_key_encryption_alg)
        signing_key = self.__get_signing_key(use_domain_for_encryption)
        digest = self.__get_digest_alg(use_domain_for_encryption.digest_algorithm)

        key = p.Key(symmetric_cipher, self.__get_key(encryption_key_id_for_encryption))

        # FIXME persister preferred keyid can cause delay if persister read from disk
        aad = CiphertextAAD(encryption_key_id_for_encryption, self.persister.load(PERSISTER_PREFERRED_KEYID))
        json_bytes = bytes(json.dumps(aad.__dict__), encoding='utf8')

        pm_plain_text = p.Plaintext(plain_text, json_bytes)
        random_device = p.RandomDevice()

        cipher_text = self.__crypto_context.encrypt(key, pm_plain_text, random_device)

        if not self.__crypto_context.sign(signing_key, pm_plain_text, digest, cipher_text):
            self.logger.warning('Signing failed. Verification not required when decrypting.')

        return self.__crypto_context.serialize(digest, cipher_text).encode(encoding='UTF-8')
コード例 #2
0
    def __gen_new_asymmetric_keypair(self, persister: Persister) -> PublicKey:
        assert isinstance(persister, Persister)
        rand = p.RandomDevice()

        symm_cipher = DEFAULT_SYMM_CIPHER
        asymm_cipher = self.__get_asymmetric_cipher(self.crypto_config.client_key_type, self.crypto_config.client_key_bitlength)

        key = p.Key(asymm_cipher, symm_cipher, rand)

        pub_pem = key.get_pub_pem()
        priv_pem = key.get_priv_pem()

        created_time = int(round(time.time()))
        if created_time > sys.maxsize:
            self.logger.error("Failed to detect a valid time for local asymmetric key creation time")
            raise UnrecoverableClockSkewDetectedError("Failed to detect a valid time for local asymmetric key creation time")

        pub_key = PublicKey(id="",
                            key=pub_pem,
                            creation_time=created_time,
                            key_type=self.crypto_config.client_key_type,
                            encoding="pem")

        persister.save(PERSISTER_PRIV_KEY, priv_pem)
        persister.save(PERSISTER_PUB_KEY, pub_pem)
        persister.save(PERSISTER_ASYM_TYPE, self.crypto_config.client_key_type)
        persister.save(PERSISTER_ASYM_CREATED_DATE_EPOCH, created_time)
        persister.save(PERSISTER_ASYM_BITLEN, self.crypto_config.client_key_bitlength)

        return pub_key
コード例 #3
0
    def test_asymmetric(self):
        rand = p.RandomDevice()
        context = p.CryptoContext()

        for cipher in p.AsymmetricCipher.__members__:
            if cipher == "UNSPECIFIED":
                continue

            for symmCipher in p.SymmetricCipher.__members__:
                if symmCipher == "UNSPECIFIED":
                    continue

                plaintext = p.Plaintext(get_random_data(), get_random_data())
                key = p.Key(p.AsymmetricCipher.__members__[cipher],
                            p.SymmetricCipher.__members__[symmCipher], rand)

                if cipher[:4] == "ECDH":
                    myKey = p.Key(p.AsymmetricCipher.__members__[cipher],
                                  p.SymmetricCipher.__members__[symmCipher],
                                  rand)
                    peerKey = p.Key(p.AsymmetricCipher.__members__[cipher],
                                    p.SymmetricCipher.__members__[symmCipher],
                                    rand)
                    key = p.Key(p.SymmetricCipher.__members__[symmCipher],
                                myKey, peerKey)

                encrypted = context.encrypt(key, plaintext, rand)
                self.assertTrue(
                    context.sign(key, plaintext, p.DigestAlgorithm.SHA_256,
                                 encrypted))
                serialized = context.serialize(p.DigestAlgorithm.SHA_256,
                                               encrypted)
                self.assertNotEqual(serialized, plaintext.data)

                deserialized = context.deserialize(serialized)

                # Assert the configs coming out are equal
                self.assertEqual(key.get_config().mode, deserialized[1].mode)
                self.assertEqual(key.get_config().symm_cipher,
                                 deserialized[1].symm_cipher)
                self.assertEqual(key.get_config().asymm_cipher,
                                 deserialized[1].asymm_cipher)
                # These won't be equal because the original key didn't have the digest algorithm set
                self.assertNotEqual(key.get_config().digest_algorithm,
                                    deserialized[1].digest_algorithm)

                # Do the decrypt
                result = context.decrypt(key, deserialized[0])
                self.assertTrue(result[1])
                self.assertEqual(result[0].data, plaintext.data)
                # Verify
                verified = context.verify(key, result[0], deserialized[0])
                self.assertTrue(verified)
コード例 #4
0
    def test_sign_only(self):
        rand = p.RandomDevice()
        context = p.CryptoContext()
        key = p.Key(p.RSA_2048, p.SymmetricCipher.CHACHA20_POLY1305, rand)

        plaintext = p.Plaintext(get_random_data(), get_random_data())
        blob = context.get_plaintext_blob(plaintext)
        self.assertTrue(
            context.sign(key, plaintext, p.DigestAlgorithm.SHA_256, blob))

        serialized = context.serialize(p.DigestAlgorithm.SHA_256, blob)
        self.assertNotEqual(serialized, plaintext.data)

        deserialized = context.deserialize(serialized)

        result = context.extract_plaintext_blob(deserialized[0])

        self.assertTrue(context.verify(key, result, deserialized[0]))