def test_invalid_digest_size(self, backend):
with pytest.raises(ValueError):
hashes.BLAKE2s(digest_size=33)
with pytest.raises(ValueError):
hashes.BLAKE2s(digest_size=0)
with pytest.raises(ValueError):
hashes.BLAKE2s(digest_size=-1)
def hash(sorceFile_name, hashFunction_name):
#define hash funcition
if hashFunction_name == "MD5":
hashFunction = hashes.MD5()
elif hashFunction_name == "SHA-384":
hashFunction = hashes.SHA384()
elif hashFunction_name == "SHA-512":
hashFunction = hashes.SHA512()
elif hashFunction_name == "BLAKE-2":
hashFunction = hashes.BLAKE2s(32)
else:
hashFunction = hashes.SHA256()
#block length
blockLength = 32
#open sorce file
sorceFile = open(sorceFile_name, 'r')
#messa digest init
digest = hashes.Hash(hashFunction)
block = "."
while block != "":
#read block
block = sorceFile.read(blockLength)
#update digest
digest.update(block.encode())
#get hash
h = digest.finalize()
#close file
sorceFile.close()
return h
def __init__(self, app, pipeline, id=None, config=None):
super().__init__(app, pipeline, id, config)
self.Backend = default_backend()
algorithm = self.Config['algorithm'].upper()
if algorithm == "SHA224":
self.Algorithm = hashes.SHA224()
elif algorithm == "SHA256":
self.Algorithm = hashes.SHA256()
elif algorithm == "SHA384":
self.Algorithm = hashes.SHA384()
elif algorithm == "SHA512":
self.Algorithm = hashes.SHA512()
elif algorithm == "SHA1":
self.Algorithm = hashes.SHA1()
elif algorithm == "MD5":
self.Algorithm = hashes.MD5()
elif algorithm == "BLAKE2B":
digest_size = int(self.Config['digest_size'])
self.Algorithm = hashes.BLAKE2b(digest_size)
elif algorithm == "BLAKE2S":
digest_size = int(self.Config['digest_size'])
self.Algorithm = hashes.BLAKE2s(digest_size)
else:
L.error("Unknown hashing algorithm '{}'".format(
self.Config['algorithm']))
raise RuntimeError("Unknown hashing algorithm '{}'".format(
self.Config['algorithm']))
class TestBLAKE2s256(object):
test_b2s = generate_hash_test(
load_hash_vectors,
os.path.join("hashes", "blake2"),
["blake2s.txt"],
hashes.BLAKE2s(digest_size=32),
)
def test_blake2s(self, backend):
h = hmac.HMAC(b"0" * 32, hashes.BLAKE2s(digest_size=32), backend)
h.update(b"test")
digest = h.finalize()
assert digest == binascii.unhexlify(
b"51477cc5bdf1faf952cf97bb934ee936de1f4d5d7448a84eeb6f98d23b392166"
)
def dechachacry(data, salt, nonce):
keyraw = salt + bytes(getpass(), "UTF-8")
key = hashes.Hash(hashes.BLAKE2s(32), backend=default_backend())
key.update(keyraw)
key = key.finalize()
algorithm = algorithms.ChaCha20(key, nonce)
cipher = Cipher(algorithm, mode=None, backend=default_backend())
decrypt = cipher.decryptor()
return decrypt.update(data)
def issueCreate(self):
self.enable_help = False
tipo = "create"
# client cannot create account without citizen card
assert self.cc.citizen_card_detected()
self.cc.save_certificates(self.id) # saves the citizen card certicates
attribs = self.cc.get_cert_attributes()
attributes = attribs[0]
log(logging.DEBUG, "%s" % json.dumps(tipo))
try:
for file in glob.glob('client_certificates/'+str(self.id)+'/EC de Autenticação do Cartão de Cidadão*.cer'):
spt = file.split('/')
cert_name = spt[-1]
#Linux & Mac
cert = open("client_certificates/"+str(self.id)+"/"+cert_name, "rb").read()
#Windows
#cert = open("client_certificates\\"+cert_name, "rb").read()
certificate = crypto.load_certificate(crypto.FILETYPE_ASN1, cert)
#self.uuid = int(input("UUID: "))
self.uuid = int(self.cc.get_digest_pub_key(certificate))
log(logging.DEBUG, "%s" % json.dumps(self.uuid))
except ValueError:
log(logging.ERROR,"USER UNIVERSAL ID MUST BE A INTEGER")
log(logging.ERROR,"USER UNIVERSAL ID NOT VALID")
return None
digest = hashes.Hash(hashes.BLAKE2s(32), backend = default_backend())
digest.update(getpass.getpass("Password: "******"_"+str(password)
signature = self.cc.sign(to_sign).decode() # bytes
# Generate a random number for the CTR mode
ctr = counterMode()
# Cipher the message with the session key
msg = AES_encrypt(self.client_session_key, ctr, json.dumps({"type": tipo, "uuid":self.uuid,
"pass": base64.b64encode(password).decode('utf-8'),
"signature": signature,
"to_sign": to_sign,
"cert_attributes": attributes})+TERMINATOR)
self.socket.send(base64.b64encode(msg)+"\n".encode('utf-8')+base64.b64encode(ctr))
def enchachacry(data):
nonce = bytes(token_hex(8), "UTF-8")
salt = bytes(token_hex(8), "UTF-8")
keyraw = salt + bytes(getpass(), "UTF-8")
key = hashes.Hash(hashes.BLAKE2s(32), backend=default_backend())
key.update(keyraw)
key = key.finalize()
algorithm = algorithms.ChaCha20(key, nonce)
cipher = Cipher(algorithm, mode=None, backend=default_backend())
marker = bytes(
b"\x8c\x14\xf6t\xea\xd5\xe3\x88Z\xa8~\xceE\x02w\\\xf4/w\xfa\xc6\xc5g}")
encrypt = cipher.encryptor()
return (marker + salt + nonce + encrypt.update(data))
def __init__(self):
a = str(time())
b = str(time())
c = str(time())
nonce = bytes((a[len(a) - 5:] + b[len(b) - 5:] + c[len(c) - 6:]),
"UTF-8")
key = urandom(32)
hasher = hashes.Hash(hashes.BLAKE2s(32), backend=default_backend())
hasher.update(key)
key = hasher.finalize()
algorithm = algorithms.ChaCha20(key, nonce)
cipher = Cipher(algorithm, mode=None, backend=default_backend())
self.encryptor = cipher.encryptor()
def main():
# Derive a secret key from 3 secrets generated from at least 2 keys.
backend = default_backend()
hkdf = HKDF(
algorithm=hashes.BLAKE2s(32),
length=32,
salt=public_bytes(ephemeral_key),
info=b'MofN-Encryption-demo',
backend=backend
)
key = hkdf.derive(ephemeral_alice_joe + b'\x01' +
ephemeral_alice_bob + b'\x02' + ephemeral_bob_joe)
print(base64.b64encode(key))
class TestBLAKE2s(object):
test_blake2s = generate_base_hash_test(
hashes.BLAKE2s(digest_size=32), digest_size=32,
)
def test_invalid_digest_size(self, backend):
with pytest.raises(ValueError):
hashes.BLAKE2s(digest_size=33)
with pytest.raises(ValueError):
hashes.BLAKE2s(digest_size=0)
with pytest.raises(ValueError):
hashes.BLAKE2s(digest_size=-1)
def rsa_decryption(ciphertext, private_key, hashFunction_name=None):
#define hash funcition
if hashFunction_name == "SHA-384":
hashFunction = hashes.SHA384()
elif hashFunction_name == "SHA-512":
hashFunction = hashes.SHA512()
elif hashFunction_name == "BLAKE-2":
hashFunction = hashes.BLAKE2s(32)
else:
hashFunction = hashes.SHA256()
#decryption
plaintext = private_key.decrypt(
ciphertext,
padding.OAEP(mgf=padding.MGF1(algorithm=hashFunction),
algorithm=hashFunction,
label=None))
#decode message
plaintext = plaintext.decode()
return plaintext
def hash(sorceFile_name: str, hashFunction_name: str) -> bytes:
"""Function that read a file and generate the Hash according chosen hash function
Args:
sorceFile_name (str): source file name to generate hash
hashFunction_name (str): hash function to be used ("SHA-256",
"SHA-384", "SHA-512", "MD5", "BLAKE-2")
Returns:
bytes: generated hash
"""
# define hash funcition
if hashFunction_name == "MD5":
hashFunction = hashes.MD5()
elif hashFunction_name == "SHA-384":
hashFunction = hashes.SHA384()
elif hashFunction_name == "SHA-512":
hashFunction = hashes.SHA512()
elif hashFunction_name == "BLAKE-2":
hashFunction = hashes.BLAKE2s(32)
else:
hashFunction = hashes.SHA256()
# block length
blockLength = 32
# open sorce file
sorceFile = open(sorceFile_name, 'r')
# messa digest init
digest = hashes.Hash(hashFunction)
block = "."
while block != "":
# read block
block = sorceFile.read(blockLength)
# update digest
digest.update(block.encode())
# get hash
h = digest.finalize()
# close file
sorceFile.close()
return h
lambda params: cr_hashes.MD5(),
hashes.HashAlgorithmId.SHA1:
lambda params: cr_hashes.SHA1(),
hashes.HashAlgorithmId.SHA2_224:
lambda params: cr_hashes.SHA224(),
hashes.HashAlgorithmId.SHA2_256:
lambda params: cr_hashes.SHA256(),
hashes.HashAlgorithmId.SHA2_384:
lambda params: cr_hashes.SHA384(),
hashes.HashAlgorithmId.SHA2_512:
lambda params: cr_hashes.SHA512(),
hashes.HashAlgorithmId.BLAKE2B:
lambda params: cr_hashes.BLAKE2b(
cast(hashes.Blake2Params, params).length),
hashes.HashAlgorithmId.BLAKE2S:
lambda params: cr_hashes.BLAKE2s(
cast(hashes.Blake2Params, params).length),
}
def create_hash(hash_alg: hashes.HashAlgorithm) -> cr_hashes.HashAlgorithm:
try:
func = _hash_factories[hash_alg.algorithm_id]
except KeyError as ex:
raise NotImplementedError(
f"Hash {hash_alg.algorithm_id} not supported") from ex
return func(hash_alg.parameters)
@dataclass(eq=False)
class CryptographyHash(hashes.HashFunction):
)
def test_invalid_digest_size(self, backend):
with pytest.raises(ValueError):
hashes.BLAKE2b(digest_size=65)
with pytest.raises(ValueError):
hashes.BLAKE2b(digest_size=0)
with pytest.raises(ValueError):
hashes.BLAKE2b(digest_size=-1)
@pytest.mark.supported(
only_if=lambda backend: backend.hash_supported(
hashes.BLAKE2s(digest_size=32)),
skip_message="Does not support BLAKE2s",
)
class TestBLAKE2s(object):
test_blake2s = generate_base_hash_test(
hashes.BLAKE2s(digest_size=32),
digest_size=32,
)
def test_invalid_digest_size(self, backend):
with pytest.raises(ValueError):
hashes.BLAKE2s(digest_size=33)
with pytest.raises(ValueError):
hashes.BLAKE2s(digest_size=0)
def hmac_hash(self, key, data):
hmac = HMAC(key=key,
algorithm=hashes.BLAKE2s(32),
backend=default_backend())
hmac.update(data=data)
return hmac.finalize()
class CryptoUtils:
pwd_context = CryptContext(schemes=["pbkdf2_sha256"],
default="pbkdf2_sha256",
pbkdf2_sha256__default_rounds=30000)
algorithms = {
"sha256": hashes.SHA256(),
"sha224": hashes.SHA224(),
"sha384": hashes.SHA256(),
"sha512": hashes.SHA256(),
"blake2b": hashes.BLAKE2b(64),
"blake2s": hashes.BLAKE2s(32),
"sha3_256": hashes.SHA3_256(),
"sha3_224": hashes.SHA3_224(),
"sha3_384": hashes.SHA3_384(),
"sha3_512": hashes.SHA3_512()
}
@staticmethod
def hash(password):
return CryptoUtils.pwd_context.hash(password)
@staticmethod
def check_hash(password, hashed):
return CryptoUtils.pwd_context.verify(password, hashed)
@staticmethod
def make_key(password, algorithm, salt):
if algorithm not in CryptoUtils.algorithms:
raise casket.invalid_algorithm("Algorithm %s is not supported." %
(algorithm))
kdf = PBKDF2HMAC(algorithm=CryptoUtils.algorithms[algorithm],
length=32,
salt=salt,
iterations=100000,
backend=default_backend())
return base64.urlsafe_b64encode(kdf.derive(password))
@staticmethod
def encrypt_password(master_pswd,
plain_pswd,
salt=os.urandom(16),
algorithm="sha256"):
key = CryptoUtils.make_key(master_pswd.encode("utf-8"), algorithm,
salt)
cipher_suite = Fernet(key)
cipher_text = cipher_suite.encrypt(plain_pswd.encode("utf-8"))
enc_pswd = base64.b64encode(salt).decode('utf-8') + cipher_text.decode(
'utf-8')
return enc_pswd
@staticmethod
def decrypt_password(master_pswd, enc_pswd, algorithm="sha256"):
salt = base64.b64decode(enc_pswd[:24].encode("utf-8"))
key = CryptoUtils.make_key(master_pswd.encode("utf-8"), algorithm,
salt)
cipher_suite = Fernet(key)
plain_text = cipher_suite.decrypt(enc_pswd[24:].encode("utf-8"))
plain_text_utf8 = plain_text.decode("utf-8")
return plain_text_utf8
@staticmethod
def get_salt(encrypted_string):
return base64.b64decode(encrypted_string[:24].encode("utf-8"))
def issueLogin(self):
tipo = "login"
try:
self.uuid = int(input("User Universal Identification: "))
except:
log(logging.ERROR, "User Universal Identification must be an integer")
return None
digest = hashes.Hash(hashes.BLAKE2s(32), backend = default_backend())
digest.update(getpass.getpass("Password: "******"_"+str(password)
signature = self.cc.sign(to_sign).decode() # bytes
# Generate a random number for the CTR mode
ctr = counterMode()
# Cipher the message with the session key
msg = AES_encrypt(self.client_session_key, ctr, json.dumps({"type": tipo, "uuid": self.uuid,
"pass": base64.b64encode(password).decode('utf-8'),
"signature":signature,
"to_sign": to_sign})+TERMINATOR)
# Send the login parameters
socket.send(base64.b64encode(msg)+"\n".encode('utf-8')+base64.b64encode(ctr))
# Receive response
data = self.socket.recv(BUFSIZE)
data = data.split(b"\n")
msg = base64.b64decode(data[0])
ctr = base64.b64decode(data[1])
data = AES_decrypt(self.client_session_key, ctr, msg)
parsed = json.loads(data.decode('utf-8'))
try:
pwd = base64.b64decode(parsed["pass"])
#Checks if the password is correct
if password == pwd:
self.logged_in = True
self.id = parsed["id"]
int(self.id)
log(logging.DEBUG, "Login Successful")
log(logging.DEBUG, "USER ID: {}".format(self.id))
#Updates the public key in the server datatabase
pK = self.public_key.public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
# Generate a random number for the CTR mode
ctr = counterMode()
# Cipher the message with the session key
msg = AES_encrypt(self.client_session_key, ctr, json.dumps({"type": "update", "id": self.id, "public_key": pK.decode('utf-8'),
"signature": base64.b64encode(sign_msg(self.private_key, pK)).decode('utf-8')})+TERMINATOR)
# Send the update parameters
socket.send(base64.b64encode(msg)+"\n".encode('utf-8')+base64.b64encode(ctr))
# Update dirname to save messages
self.dirname = os.path.join(self.dirname,str(self.uuid))
else:
self.logged_in = False
log(logging.ERROR, "ERROR: password doesn't match")
except:
self.logged_in = False
log(logging.ERROR, "ERROR: {}".format(parsed['error']))
"sha3_384":
h.SHA3_384,
"sha3_512":
h.SHA3_512,
"sha512_224":
h.SHA512_224,
"sha512_256":
h.SHA512_256,
"shake128":
h.SHAKE128,
"shake256":
h.SHAKE256,
"blake2b":
lambda digest_size=None: h.BLAKE2b(digest_size or 64),
"blake2s":
lambda digest_size=None: h.BLAKE2s(digest_size or 32),
})
VAR_DIGEST_SIZE = frozenset((
"shake128",
"shake256",
"blake2b",
"blake2s",
))
XOFS = frozenset((
"shake128",
"shake256",
))
# the ASN.1 Object IDs
def hash(self, data):
digest = hashes.Hash(hashes.BLAKE2s(32), backend=default_backend())
digest.update(data)
return digest.finalize()
def _hash_blake2s(self, data):
digest = hashes.Hash(hashes.BLAKE2s(digest_size=self.hashlen), backend)
digest.update(data)
return digest.finalize()
