def BuildPkinit_pa(req_body, now, diffieHellmanExchange, privKey, cert):
    """Build and sign the PKINIT AuthPack that accompanies an AS-REQ.

    The AuthPack holds a PKAuthenticator (client time, nonce and a checksum
    of the request body), the client's Diffie-Hellman public value and the
    client DH nonce. It is DER-encoded and handed to
    ``sign_authpack_native`` together with the private key and certificate.

    :param req_body: request body object; the bytes from ``dump()`` are hashed
    :param now: datetime supplying ``ctime`` (seconds) and ``cusec``
    :param diffieHellmanExchange: object exposing ``p``, ``g``, ``dh_nonce``
        and ``get_public_key()``
    :param privKey: signing key, passed through to ``sign_authpack_native``
    :param cert: certificate, passed through to ``sign_authpack_native``
    :return: the result of ``sign_authpack_native(..., wrap_signed=True)``
    """
    # PKINIT (RFC 4556) defines paChecksum as SHA-1 over the encoded
    # KDC-REQ-BODY, so the hash is fixed by the protocol. It ties the signed
    # authenticator to this particular request body.
    body_digest = hashlib.sha1(req_body.dump()).digest()

    pk_authenticator = {
        'cusec': now.microsecond,
        'ctime': now.replace(microsecond=0),
        # NOTE(review): the nonce is a constant 0, so it adds no freshness
        # to the signed authenticator. Confirm this is intended.
        'nonce': 0,
        'paChecksum': body_digest,
    }

    # 'q' is filled with 0; only p and g come from the exchange object.
    domain_params = keys.DomainParameters({
        'p': diffieHellmanExchange.p,
        'g': diffieHellmanExchange.g,
        'q': 0,
    })
    dh_algorithm = keys.PublicKeyAlgorithm({
        'algorithm': '1.2.840.10046.2.1',  # dhpublicnumber
        'parameters': domain_params,
    })
    client_public_value = {
        'algorithm': dh_algorithm,
        'public_key': diffieHellmanExchange.get_public_key(),
    }

    auth_pack = AuthPack({
        'pkAuthenticator': PKAuthenticator(pk_authenticator),
        'clientPublicValue': keys.PublicKeyInfo(client_public_value),
        'clientDHNonce': diffieHellmanExchange.dh_nonce,
    })
    return sign_authpack_native(
        auth_pack.dump(), privKey, cert, wrap_signed=True)
def ec_public_key_info(public_key_point, curve):
    """
    Constructs the PublicKeyInfo for an ECPointBitString

    :param public_key_point:
        An asn1crypto.keys.ECPointBitString object

    :param curve:
        A unicode string of the curve name - one of secp256r1, secp384r1 or
        secp521r1

    :raises:
        ValueError - when curve is not one of the three supported names

    :return:
        An asn1crypto.keys.PublicKeyInfo object
    """

    supported_curves = {'secp256r1', 'secp384r1', 'secp521r1'}
    if curve not in supported_curves:
        raise ValueError(
            pretty_message(
                ''' curve must be one of "secp256r1", "secp384r1", "secp521r1", not %s ''',
                repr(curve)))

    # Only the curve name is checked here; public_key_point is embedded as
    # given, so callers must validate the point themselves.
    named_curve = keys.ECDomainParameters(name='named', value=curve)
    ec_algorithm = keys.PublicKeyAlgorithm({
        'algorithm': 'ec',
        'parameters': named_curve
    })
    return keys.PublicKeyInfo({
        'algorithm': ec_algorithm,
        'public_key': public_key_point,
    })
def subject_public_key(self, _value):
    """Store the subject's EC public key as an asn1crypto PublicKeyInfo.

    :param _value: an ``ecc.EccKey``; its ``algorithm``, ``curve`` and
        ``pkey`` attributes are read
    :raises TypeError: when ``_value`` is not an ``ecc.EccKey``
    """
    if not isinstance(_value, ecc.EccKey):
        raise TypeError(
            _pretty_message(
                ''' subject_public_key must be an instance of optigatrust.pk.EccKey, not %s ''',
                _type_name(_value)))

    # The key's pkey bytes are parsed as a BIT STRING and re-tagged as an
    # EC point. Nothing here checks that the point matches the named curve.
    self._subject_public_key = keys.PublicKeyInfo({
        'algorithm': keys.PublicKeyAlgorithm({
            'algorithm': _value.algorithm,
            'parameters': keys.ECDomainParameters('named', _value.curve)
        }),
        'public_key':
            core.BitString.load(_value.pkey).cast(keys.ECPointBitString)
    })
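def test_ecdsa_p256_signverify():
    """Sign with a NIST P-256 key and check that verification behaves.

    Three checks are made with the same signature:

    * the matching key and message verify without raising;
    * a different message raises ``SignatureError``;
    * a different public key raises ``SignatureError``.

    Key construction is kept outside the ``pytest.raises`` blocks, so only
    a failure of ``ecdsa_verify`` itself can satisfy the negative checks.
    """
    LOGGER.info(
        'Sign data with newly generated NIST P-256 key and verify result')
    setup_keys()
    ha = 'sha256'
    s = ecdsa.sign(pytest.p256, pytest.tbs_str)
    print('[{}]'.format(', '.join(hex(x) for x in list(s.signature))))

    # Algorithm identifier shared by both public keys built below
    pubkey_alg = keys.PublicKeyAlgorithm({
        'algorithm':
            keys.PublicKeyAlgorithmId(pytest.p256.algorithm),
        'parameters':
            keys.ECDomainParameters(name='named', value=pytest.p256.curve)
    })

    def _load_verification_key(encoded_point):
        # Wrap the encoded point in a PublicKeyInfo and load it into the
        # oscrypto engine so it can be passed to the verify function
        pubkey_asn1 = core.BitString.load(encoded_point)
        pubkey_info = keys.PublicKeyInfo({
            'algorithm': pubkey_alg,
            'public_key': pubkey_asn1.cast(keys.ECPointBitString)
        })
        return load_public_key(pubkey_info)

    # Positive case: ecdsa_verify raises on failure, so returning is success
    public = _load_verification_key(pytest.p256.pkey)
    ecdsa_verify(public, s.signature, pytest.tbs_str, ha)

    # Wrong text must be rejected
    with pytest.raises(SignatureError):
        ecdsa_verify(public, s.signature, pytest.tbs_str_fail, ha)

    # Wrong key must be rejected; the key is built outside the raises block
    wrong_public = _load_verification_key(pytest.p256_fail.pkey)
    with pytest.raises(SignatureError):
        ecdsa_verify(wrong_public, s.signature, pytest.tbs_str, ha)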
def build_asreq(
        self,
        target=None,
        cname=None,
        kdcopts=['forwardable', 'renewable', 'proxiable', 'canonicalize']):
    """Build a DER-encoded AS-REQ with PKINIT pre-auth for realm PKU2U.

    :param target: service name as a string or list of strings; defaults to
        ``['127.0.0.1']``
    :param cname: client name as a string or list of strings; defaults to
        ``[self.cname]``
    :param kdcopts: KDC option names; a list is converted to a set. The
        default list is never mutated here.
    :return: bytes from ``AS_REQ(...).dump()``
    """
    if isinstance(kdcopts, list):
        kdcopts = set(kdcopts)

    if cname is None:
        cname = [self.cname]
    elif isinstance(cname, str):
        cname = [cname]

    if target is None:
        target = ['127.0.0.1']
    elif isinstance(target, str):
        target = [target]

    now = datetime.datetime.now(datetime.timezone.utc)
    # 'till' and 'rtime' are both one day from now, truncated to seconds
    one_day_ahead = (now + datetime.timedelta(days=1)).replace(microsecond=0)

    kdc_req_body = KDC_REQ_BODY({
        'kdc-options': KDCOptions(kdcopts),
        'cname': PrincipalName({
            'name-type': NAME_TYPE.MS_PRINCIPAL.value,
            'name-string': cname
        }),
        'realm': 'WELLKNOWN:PKU2U',
        'sname': PrincipalName({
            'name-type': NAME_TYPE.MS_PRINCIPAL.value,
            'name-string': target
        }),
        'till': one_day_ahead,
        'rtime': one_day_ahead,
        'nonce': secrets.randbits(31),
        # AES256 / AES128 only; original note: "23 breaks..."
        'etype': [18, 17],
        # original note: not sure if this is needed
        'addresses': [
            HostAddress({
                'addr-type': 20,
                'address': b'127.0.0.1'
            })
        ],
    })

    # PKINIT (RFC 4556) defines paChecksum as SHA-1 over the encoded
    # KDC-REQ-BODY. It ties the signed authenticator to this request body.
    body_checksum = hashlib.sha1(kdc_req_body.dump()).digest()
    pk_authenticator = {
        'cusec': now.microsecond,
        'ctime': now.replace(microsecond=0),
        # Separate random nonce from the one in the request body
        'nonce': secrets.randbits(31),
        'paChecksum': body_checksum,
    }

    domain_params = {
        'p': self.diffie.p,
        'g': self.diffie.g,
        'q': 0,  # mandatory parameter, but it is not needed
    }
    dh_algorithm = {
        'algorithm': '1.2.840.10046.2.1',  # dhpublicnumber
        'parameters': keys.DomainParameters(domain_params),
    }
    client_public_value = {
        'algorithm': keys.PublicKeyAlgorithm(dh_algorithm),
        'public_key': self.diffie.get_public_key(),
    }

    auth_pack = AuthPack({
        'pkAuthenticator': PKAuthenticator(pk_authenticator),
        'clientPublicValue': keys.PublicKeyInfo(client_public_value),
        'clientDHNonce': self.diffie.dh_nonce,
    })
    signed_authpack = self.sign_authpack(auth_pack.dump(), wrap_signed=False)

    # Hand-rolled framing (the original author called it "absolutely
    # nonsense"): the signed blob gets tag 0x80 and a length, and the
    # result is wrapped again under tag 0x30.
    # NOTE(review): this looks like a manual encoding of the PA-PK-AS-REQ
    # wrapper; confirm against the ASN.1 definition.
    tagged = b'\x80' + length_encode(len(signed_authpack)) + signed_authpack
    signed_authpack = b'\x30' + length_encode(len(tagged)) + tagged

    pk_as_req_padata = {
        'padata-type': PaDataType.PK_AS_REQ.value,
        'padata-value': signed_authpack,
    }

    return AS_REQ({
        'pvno': 5,
        'msg-type': 10,
        'padata': [pk_as_req_padata],
        'req-body': kdc_req_body,
    }).dump()
def build_asreq_pkinit(
        self,
        supported_encryption_method,
        kdcopts=['forwardable', 'renewable', 'renewable-ok']):
    """Build an AS-REQ that authenticates with a certificate (PKINIT).

    The request asks for a krbtgt ticket in the user's upper-cased domain
    and carries two pre-auth entries: a PA-PAC-REQUEST with
    ``include-pac`` set, and a PA-PK-AS-REQ holding the signed AuthPack.

    :param supported_encryption_method: enum-like object; its ``.value``
        becomes the only requested etype
    :param kdcopts: KDC option names, converted to a set. The default list
        is never mutated here.
    :raises Exception: when the etype value is 23 (RC4)
    :return: an ``AS_REQ`` object (not DER-encoded)
    """
    from asn1crypto import keys

    # RC4 (etype 23) is refused up front for certificate authentication
    if supported_encryption_method.value == 23:
        raise Exception(
            'RC4 encryption is not supported for certificate auth!')

    now = datetime.datetime.now(datetime.timezone.utc)
    # 'till' and 'rtime' are both one day from now, truncated to seconds
    one_day_ahead = (now + datetime.timedelta(days=1)).replace(microsecond=0)
    creds = self.usercreds

    kdc_req_body = KDC_REQ_BODY({
        'kdc-options': KDCOptions(set(kdcopts)),
        'cname': PrincipalName({
            'name-type': NAME_TYPE.PRINCIPAL.value,
            'name-string': [creds.username]
        }),
        'realm': creds.domain.upper(),
        'sname': PrincipalName({
            'name-type': NAME_TYPE.SRV_INST.value,
            'name-string': ['krbtgt', creds.domain.upper()]
        }),
        'till': one_day_ahead,
        'rtime': one_day_ahead,
        'nonce': secrets.randbits(31),
        # single caller-chosen etype; original note: [18,17], "23 breaks..."
        'etype': [supported_encryption_method.value],
    })

    # PKINIT (RFC 4556) defines paChecksum as SHA-1 over the encoded
    # KDC-REQ-BODY. It ties the signed authenticator to this request body.
    body_checksum = hashlib.sha1(kdc_req_body.dump()).digest()
    pk_authenticator = {
        'cusec': now.microsecond,
        'ctime': now.replace(microsecond=0),
        # Separate random nonce from the one in the request body
        'nonce': secrets.randbits(31),
        'paChecksum': body_checksum,
    }

    domain_params = {
        'p': creds.dhparams.p,
        'g': creds.dhparams.g,
        'q': 0,  # mandatory parameter, but it is not needed
    }
    dh_algorithm = {
        'algorithm': '1.2.840.10046.2.1',  # dhpublicnumber
        'parameters': keys.DomainParameters(domain_params),
    }
    client_public_value = {
        'algorithm': keys.PublicKeyAlgorithm(dh_algorithm),
        'public_key': creds.dhparams.get_public_key(),
    }

    auth_pack = AuthPack({
        'pkAuthenticator': PKAuthenticator(pk_authenticator),
        'clientPublicValue': keys.PublicKeyInfo(client_public_value),
        'clientDHNonce': creds.dhparams.dh_nonce,
    })
    signed_authpack = creds.sign_authpack(auth_pack.dump(), wrap_signed=True)

    pk_as_req = PA_PK_AS_REQ()
    pk_as_req['signedAuthPack'] = signed_authpack
    pk_padata = {
        'padata-type': PaDataType.PK_AS_REQ.value,
        'padata-value': pk_as_req.dump(),
    }

    pac_padata = {
        'padata-type': int(PADATA_TYPE('PA-PAC-REQUEST')),
        'padata-value': PA_PAC_REQUEST({'include-pac': True}).dump(),
    }

    return AS_REQ({
        'pvno': 5,
        'msg-type': 10,
        # PAC request first, then the PKINIT pre-auth data
        'padata': [pac_padata, pk_padata],
        'req-body': kdc_req_body,
    })