def encrypt_in_domain(self, plain_text: bytes, use_domain_name: str) -> bytes:
assert isinstance(plain_text, bytes)
assert isinstance(use_domain_name, str)
self.__verify_bootstrapped_and_registered()
self.__update_config_by_elasped_time(MAX_ELASPED_TIME)
use_domain_for_encryption = self.__get_valid_use_domain_for_encryption(use_domain_name)
encryption_key_id_for_encryption = self.__get_encryption_key_id(use_domain_for_encryption)
symmetric_cipher = self.__get_symmetric_cipher(use_domain_for_encryption.symmetric_key_encryption_alg)
signing_key = self.__get_signing_key(use_domain_for_encryption)
digest = self.__get_digest_alg(use_domain_for_encryption.digest_algorithm)
key = p.Key(symmetric_cipher, self.__get_key(encryption_key_id_for_encryption))
# FIXME persister preferred keyid can cause delay if persister read from disk
aad = CiphertextAAD(encryption_key_id_for_encryption, self.persister.load(PERSISTER_PREFERRED_KEYID))
json_bytes = bytes(json.dumps(aad.__dict__), encoding='utf8')
pm_plain_text = p.Plaintext(plain_text, json_bytes)
random_device = p.RandomDevice()
cipher_text = self.__crypto_context.encrypt(key, pm_plain_text, random_device)
if not self.__crypto_context.sign(signing_key, pm_plain_text, digest, cipher_text):
self.logger.warning('Signing failed. Verification not required when decrypting.')
return self.__crypto_context.serialize(digest, cipher_text).encode(encoding='UTF-8')
def __gen_new_asymmetric_keypair(self, persister: Persister) -> PublicKey:
assert isinstance(persister, Persister)
rand = p.RandomDevice()
symm_cipher = DEFAULT_SYMM_CIPHER
asymm_cipher = self.__get_asymmetric_cipher(self.crypto_config.client_key_type, self.crypto_config.client_key_bitlength)
key = p.Key(asymm_cipher, symm_cipher, rand)
pub_pem = key.get_pub_pem()
priv_pem = key.get_priv_pem()
created_time = int(round(time.time()))
if created_time > sys.maxsize:
self.logger.error("Failed to detect a valid time for local asymmetric key creation time")
raise UnrecoverableClockSkewDetectedError("Failed to detect a valid time for local asymmetric key creation time")
pub_key = PublicKey(id="",
key=pub_pem,
creation_time=created_time,
key_type=self.crypto_config.client_key_type,
encoding="pem")
persister.save(PERSISTER_PRIV_KEY, priv_pem)
persister.save(PERSISTER_PUB_KEY, pub_pem)
persister.save(PERSISTER_ASYM_TYPE, self.crypto_config.client_key_type)
persister.save(PERSISTER_ASYM_CREATED_DATE_EPOCH, created_time)
persister.save(PERSISTER_ASYM_BITLEN, self.crypto_config.client_key_bitlength)
return pub_key
def test_asymmetric(self):
rand = p.RandomDevice()
context = p.CryptoContext()
for cipher in p.AsymmetricCipher.__members__:
if cipher == "UNSPECIFIED":
continue
for symmCipher in p.SymmetricCipher.__members__:
if symmCipher == "UNSPECIFIED":
continue
plaintext = p.Plaintext(get_random_data(), get_random_data())
key = p.Key(p.AsymmetricCipher.__members__[cipher],
p.SymmetricCipher.__members__[symmCipher], rand)
if cipher[:4] == "ECDH":
myKey = p.Key(p.AsymmetricCipher.__members__[cipher],
p.SymmetricCipher.__members__[symmCipher],
rand)
peerKey = p.Key(p.AsymmetricCipher.__members__[cipher],
p.SymmetricCipher.__members__[symmCipher],
rand)
key = p.Key(p.SymmetricCipher.__members__[symmCipher],
myKey, peerKey)
encrypted = context.encrypt(key, plaintext, rand)
self.assertTrue(
context.sign(key, plaintext, p.DigestAlgorithm.SHA_256,
encrypted))
serialized = context.serialize(p.DigestAlgorithm.SHA_256,
encrypted)
self.assertNotEqual(serialized, plaintext.data)
deserialized = context.deserialize(serialized)
# Assert the configs coming out are equal
self.assertEqual(key.get_config().mode, deserialized[1].mode)
self.assertEqual(key.get_config().symm_cipher,
deserialized[1].symm_cipher)
self.assertEqual(key.get_config().asymm_cipher,
deserialized[1].asymm_cipher)
# These won't be equal because the original key didn't have the digest algorithm set
self.assertNotEqual(key.get_config().digest_algorithm,
deserialized[1].digest_algorithm)
# Do the decrypt
result = context.decrypt(key, deserialized[0])
self.assertTrue(result[1])
self.assertEqual(result[0].data, plaintext.data)
# Verify
verified = context.verify(key, result[0], deserialized[0])
self.assertTrue(verified)
def test_sign_only(self):
rand = p.RandomDevice()
context = p.CryptoContext()
key = p.Key(p.RSA_2048, p.SymmetricCipher.CHACHA20_POLY1305, rand)
plaintext = p.Plaintext(get_random_data(), get_random_data())
blob = context.get_plaintext_blob(plaintext)
self.assertTrue(
context.sign(key, plaintext, p.DigestAlgorithm.SHA_256, blob))
serialized = context.serialize(p.DigestAlgorithm.SHA_256, blob)
self.assertNotEqual(serialized, plaintext.data)
deserialized = context.deserialize(serialized)
result = context.extract_plaintext_blob(deserialized[0])
self.assertTrue(context.verify(key, result, deserialized[0]))