def _check_encryption(self, rsaObj):
plaintext = a2b_hex(self.plaintext)
ciphertext = a2b_hex(self.ciphertext)
# Test encryption
new_ciphertext2 = rsaObj._encrypt(bytes_to_long(plaintext))
self.assertEqual(bytes_to_long(ciphertext), new_ciphertext2)
def _test_signing(self, dsaObj):
k = bytes_to_long(a2b_hex(self.k))
m_hash = bytes_to_long(a2b_hex(self.m_hash))
r = bytes_to_long(a2b_hex(self.r))
s = bytes_to_long(a2b_hex(self.s))
(r_out, s_out) = dsaObj._sign(m_hash, k)
self.assertEqual((r, s), (r_out, s_out))
def _check_decryption(self, rsaObj):
plaintext = bytes_to_long(a2b_hex(self.plaintext))
ciphertext = bytes_to_long(a2b_hex(self.ciphertext))
# Test plain decryption
new_plaintext = rsaObj._decrypt(ciphertext)
self.assertEqual(plaintext, new_plaintext)
def _check_public_key(self, dsaObj):
k = bytes_to_long(a2b_hex(self.k))
m_hash = bytes_to_long(a2b_hex(self.m_hash))
# Check capabilities
self.assertEqual(0, dsaObj.has_private())
self.assertEqual(1, dsaObj.can_sign())
self.assertEqual(0, dsaObj.can_encrypt())
# Check that private parameters are all missing
self.assertEqual(0, hasattr(dsaObj, 'x'))
# Sanity check key data
self.assertEqual(1, dsaObj.p > dsaObj.q) # p > q
self.assertEqual(160, size(dsaObj.q)) # size(q) == 160 bits
self.assertEqual(0, (dsaObj.p - 1) % dsaObj.q) # q is a divisor of p-1
# Public-only key objects should raise an error when .sign() is called
self.assertRaises(TypeError, dsaObj._sign, m_hash, k)
# Check __eq__ and __ne__
self.assertEqual(dsaObj.publickey() == dsaObj.publickey(),
True) # assert_
self.assertEqual(dsaObj.publickey() != dsaObj.publickey(),
False) # failIf
def _check_encryption(self, rsaObj):
plaintext = a2b_hex(self.plaintext)
ciphertext = a2b_hex(self.ciphertext)
# Test encryption
new_ciphertext2 = rsaObj._encrypt(bytes_to_long(plaintext))
self.assertEqual(bytes_to_long(ciphertext), new_ciphertext2)
def readProductKey(verifyingPublicKeyInstance, licenseIdSize, productIdSize,
expirationTimeSize, hashSize, productKey):
try:
productKey = productKey.strip().replace('-', '').replace(' ', '')
productKeyBytes = b32decode(
(productKey + '=' * (-len(productKey) % 8)).encode('utf-8'))
productKeyLong = bytes_to_long(productKeyBytes)
longValue = verifyingPublicKeyInstance._encrypt(productKeyLong)
bitString = ('{:0' + str(licenseIdSize + productIdSize +
expirationTimeSize + hashSize * 8) +
'b}').format(longValue)
licenseId = int(bitString[:licenseIdSize], 2)
productId = int(bitString[licenseIdSize:licenseIdSize + productIdSize],
2)
expirationTime = int(
bitString[licenseIdSize + productIdSize:licenseIdSize +
productIdSize + expirationTimeSize], 2)
computedHash = int(
bitString[licenseIdSize + productIdSize + expirationTimeSize:], 2)
shake = SHAKE256.new()
shake.update(bitString[:licenseIdSize + productIdSize +
expirationTimeSize].encode('utf-8'))
if computedHash != bytes_to_long(shake.read(hashSize)):
raise InvalidProductKey()
return licenseId, productId, expirationTime
except:
raise InvalidProductKey()
def _test_signing(self, dsaObj):
k = bytes_to_long(a2b_hex(self.k))
m_hash = bytes_to_long(a2b_hex(self.m_hash))
r = bytes_to_long(a2b_hex(self.r))
s = bytes_to_long(a2b_hex(self.s))
(r_out, s_out) = dsaObj._sign(m_hash, k)
self.assertEqual((r, s), (r_out, s_out))
def _check_decryption(self, rsaObj):
plaintext = bytes_to_long(a2b_hex(self.plaintext))
ciphertext = bytes_to_long(a2b_hex(self.ciphertext))
# Test plain decryption
new_plaintext = rsaObj._decrypt(ciphertext)
self.assertEqual(plaintext, new_plaintext)
def create_ref_keys():
key_lines = load_file("ecc_p256.txt").splitlines()
private_key_d = bytes_to_long(compact(key_lines[2:5]))
public_key_xy = compact(key_lines[6:11])
assert bord(public_key_xy[0]) == 4 # Uncompressed
public_key_x = bytes_to_long(public_key_xy[1:33])
public_key_y = bytes_to_long(public_key_xy[33:])
return (ECC.construct(curve="P-256", d=private_key_d),
ECC.construct(curve="P-256", point_x=public_key_x, point_y=public_key_y))
def create_ref_keys():
key_lines = load_file("ecc_p256.txt").splitlines()
private_key_d = bytes_to_long(compact(key_lines[2:5]))
public_key_xy = compact(key_lines[6:11])
assert bord(public_key_xy[0]) == 4 # Uncompressed
public_key_x = bytes_to_long(public_key_xy[1:33])
public_key_y = bytes_to_long(public_key_xy[33:])
return (ECC.construct(curve="P-256", d=private_key_d),
ECC.construct(curve="P-256", point_x=public_key_x, point_y=public_key_y))
def xy(self):
modulus_bytes = self.size_in_bytes()
xb = bytearray(modulus_bytes)
yb = bytearray(modulus_bytes)
result = _ec_lib.ec_ws_get_xy(c_uint8_ptr(xb), c_uint8_ptr(yb),
c_size_t(modulus_bytes),
self._point.get())
if result:
raise ValueError("Error %d while encoding an EC point" % result)
return (Integer(bytes_to_long(xb)), Integer(bytes_to_long(yb)))
def create_ref_keys_p521():
key_len = 66
key_lines = load_file("ecc_p521.txt").splitlines()
private_key_d = bytes_to_long(compact(key_lines[2:7]))
public_key_xy = compact(key_lines[8:17])
assert bord(public_key_xy[0]) == 4 # Uncompressed
public_key_x = bytes_to_long(public_key_xy[1:key_len+1])
public_key_y = bytes_to_long(public_key_xy[key_len+1:])
return (ECC.construct(curve="P-521", d=private_key_d),
ECC.construct(curve="P-521", point_x=public_key_x, point_y=public_key_y))
def setUp(self):
global RSA, Random, bytes_to_long
from Cryptodome.PublicKey import RSA
from Cryptodome import Random
from Cryptodome.Util.number import bytes_to_long, inverse
self.n = bytes_to_long(a2b_hex(self.modulus))
self.p = bytes_to_long(a2b_hex(self.prime_factor))
# Compute q, d, and u from n, e, and p
self.q = self.n // self.p
self.d = inverse(self.e, (self.p-1)*(self.q-1))
self.u = inverse(self.p, self.q) # u = e**-1 (mod q)
self.rsa = RSA
def setUp(self):
global RSA, Random, bytes_to_long
from Cryptodome.PublicKey import RSA
from Cryptodome import Random
from Cryptodome.Util.number import bytes_to_long, inverse
self.n = bytes_to_long(a2b_hex(self.modulus))
self.p = bytes_to_long(a2b_hex(self.prime_factor))
# Compute q, d, and u from n, e, and p
self.q = self.n // self.p
self.d = inverse(self.e, (self.p-1)*(self.q-1))
self.u = inverse(self.p, self.q) # u = e**-1 (mod q)
self.rsa = RSA
def flag2(s, cipher, mac, flag):
bts = bytes_to_long(binascii.unhexlify(mac))
m = bytes_to_long(pad(flag.encode(), 16))
stream = m ^ bts
newstr = flag[:-4] + 'getflag'
nm = pad(newstr.encode(), 16)
mac = binascii.hexlify(long_to_bytes(bytes_to_long(nm) ^ stream))
s.sendlineafter('>', '1'.encode())
s.sendlineafter(':', binascii.hexlify(newstr.encode()))
message = s.recvline().decode().strip()
s.sendlineafter('>', '3'.encode())
s.sendlineafter(':', (message + '||' + mac.decode()).encode())
flag2 = s.recvline().decode().strip()
return flag2
def _check_public_key(self, rsaObj):
ciphertext = a2b_hex(self.ciphertext)
# Check capabilities
self.assertEqual(0, rsaObj.has_private())
# Check rsaObj.[ne] -> rsaObj.[ne] mapping
self.assertEqual(rsaObj.n, rsaObj.n)
self.assertEqual(rsaObj.e, rsaObj.e)
# Check that private parameters are all missing
self.assertEqual(0, hasattr(rsaObj, 'd'))
self.assertEqual(0, hasattr(rsaObj, 'p'))
self.assertEqual(0, hasattr(rsaObj, 'q'))
self.assertEqual(0, hasattr(rsaObj, 'u'))
# Sanity check key data
self.assertEqual(1, rsaObj.e > 1) # e > 1
# Public keys should not be able to sign or decrypt
self.assertRaises(TypeError, rsaObj._decrypt,
bytes_to_long(ciphertext))
# Check __eq__ and __ne__
self.assertEqual(rsaObj.publickey() == rsaObj.publickey(),True) # assert_
self.assertEqual(rsaObj.publickey() != rsaObj.publickey(),False) # failIf
def decrypt(self, init_value, ciphertext, auth_tag, auth_data=b''):
if init_value >= (1 << 96):
raise InvalidInputException('IV should be 96-bit')
if auth_tag >= (1 << 128):
raise InvalidInputException('Tag should be 128-bit')
if auth_tag != self.__ghash(auth_data, ciphertext) ^ bytes_to_long(
self._aes_ecb.encrypt(long_to_bytes(
(init_value << 32) | 1, 16))):
raise InvalidTagException
len_ciphertext = len(ciphertext)
if len_ciphertext > 0:
counter = Counter.new(nbits=32,
prefix=long_to_bytes(init_value, 12),
initial_value=2,
allow_wraparound=True)
aes_ctr = AES.new(self._master_key, AES.MODE_CTR, counter=counter)
if 0 != len_ciphertext % 16:
padded_ciphertext = ciphertext + \
b'\x00' * (16 - len_ciphertext % 16)
else:
padded_ciphertext = ciphertext
plaintext = aes_ctr.decrypt(padded_ciphertext)[:len_ciphertext]
else:
plaintext = b''
return plaintext
def sign(self, msg_hash):
"""Produce the PKCS#1 v1.5 signature of a message.
This function is named ``RSASSA-PKCS1-V1_5-SIGN``;
it is specified in section 8.2.1 of RFC3447.
:Parameters:
msg_hash : hash object
This is an object created with to the `Cryptodome.Hash` module.
It was used used to hash the message to sign.
:Return: The signature encoded as a byte string.
:Raise ValueError:
If the RSA key is not long enough when combined with the given
hash algorithm.
:Raise TypeError:
If the RSA key has no private half.
"""
# See 8.2.1 in RFC3447
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits, 8) # Convert from bits to bytes
# Step 1
em = _EMSA_PKCS1_V1_5_ENCODE(msg_hash, k)
# Step 2a (OS2IP)
em_int = bytes_to_long(em)
# Step 2b (RSASP1)
m_int = self._key._decrypt(em_int)
# Step 2c (I2OSP)
signature = long_to_bytes(m_int, k)
return signature
def getrandbits(self, k):
"""Return an integer with k random bits."""
if self._randfunc is None:
self._randfunc = Random.new().read
mask = (1 << k) - 1
return mask & bytes_to_long(self._randfunc(ceil_div(k, 8)))
def decrypt(self, cipher):
"""
:type cipher long
:param cipher: 密文
:return:
"""
cipher = self.encoding_2_long(cipher, self.cipher_encoding)
if self.d is not None:
d = self.d
else:
d = inverse(self.e, (self.p - 1) * (self.q - 1))
if self.n is not None:
n = self.n
else:
n = self.p * self.q
rsa = RSA.construct((n, self.e, d))
if self.padding == 'PKCS1_OAEP':
rsa = PKCS1_OAEP.new(rsa)
plain = rsa.decrypt(long_to_bytes(cipher))
elif self.padding == 'PKCS1_v1_5':
rsa = PKCS1_v1_5.new(rsa)
plain = rsa.decrypt(long_to_bytes(cipher), True)
else:
plain = pow(cipher, d, n)
return self.long_2_encoding(plain, self.plain_encoding)
plain = self.long_2_encoding(bytes_to_long(plain), self.plain_encoding)
return plain
def _encrypt(key, message):
mod_bits = size(key.n)
k = ceil_div(mod_bits, 8)
m_len = len(message)
# Step 1
if m_len > k - 11:
raise ValueError("Plaintext is too long.")
# Step 2a
ps = []
while len(ps) != k - m_len - 3:
new_byte = bchr(0xFF)
if bord(new_byte[0]) == 0x00:
continue
ps.append(new_byte)
ps = b("").join(ps)
assert (len(ps) == k - m_len - 3)
# Step 2b
em = b('\x00\x01') + ps + bchr(0x00) + message
# Step 3a (OS2IP)
em_int = bytes_to_long(em)
# Step 3b (RSAEP)
if not 0 < em_int < key._n:
raise ValueError("Plaintext too large")
m_int = int(pow(Integer(em_int), key._d, key._n))
# Step 3c (I2OSP)
c = long_to_bytes(m_int, k)
return c
def sign(self, msg_hash):
"""Produce the PKCS#1 v1.5 signature of a message.
This function is named ``RSASSA-PKCS1-V1_5-SIGN``;
it is specified in section 8.2.1 of RFC3447.
:Parameters:
msg_hash : hash object
This is an object created with to the `Cryptodome.Hash` module.
It was used used to hash the message to sign.
:Return: The signature encoded as a byte string.
:Raise ValueError:
If the RSA key is not long enough when combined with the given
hash algorithm.
:Raise TypeError:
If the RSA key has no private half.
"""
# See 8.2.1 in RFC3447
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits,8) # Convert from bits to bytes
# Step 1
em = _EMSA_PKCS1_V1_5_ENCODE(msg_hash, k)
# Step 2a (OS2IP)
em_int = bytes_to_long(em)
# Step 2b (RSASP1)
m_int = self._key._decrypt(em_int)
# Step 2c (I2OSP)
signature = long_to_bytes(m_int, k)
return signature
def sign(self, msg_hash):
"""Create the PKCS#1 v1.5 signature of a message.
This function is also called ``RSASSA-PKCS1-V1_5-SIGN`` and
it is specified in
`section 8.2.1 of RFC8017 <https://tools.ietf.org/html/rfc8017#page-36>`_.
:parameter msg_hash:
This is an object from the :mod:`Cryptodome.Hash` package.
It has been used to digest the message to sign.
:type msg_hash: hash object
:return: the signature encoded as a *byte string*.
:raise ValueError: if the RSA key is not long enough for the given hash algorithm.
:raise TypeError: if the RSA key has no private half.
"""
# See 8.2.1 in RFC3447
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits, 8) # Convert from bits to bytes
# Step 1
em = _EMSA_PKCS1_V1_5_ENCODE(msg_hash, k)
# Step 2a (OS2IP)
em_int = bytes_to_long(em)
# Step 2b (RSASP1)
m_int = self._key._decrypt(em_int)
# Step 2c (I2OSP)
signature = long_to_bytes(m_int, k)
return signature
def encrypt(self, plain):
"""
:type plain long
:param plain: 明文
:return:
"""
plain = self.encoding_2_long(plain, self.plain_encoding)
rsa = RSA.construct((
self.n,
self.e,
))
# 最佳非对称加密填充(OAEP)
if self.padding == 'PKCS1_OAEP':
rsa = PKCS1_OAEP.new(rsa)
cipher = rsa.encrypt(long_to_bytes(plain))
elif self.padding == 'PKCS1_v1_5':
rsa = PKCS1_v1_5.new(rsa)
cipher = rsa.encrypt(long_to_bytes(plain))
else:
cipher = pow(plain, self.e, self.n)
return self.long_2_encoding(cipher, self.cipher_encoding)
cipher = self.long_2_encoding(bytes_to_long(cipher),
self.cipher_encoding)
return cipher
def get_each_aes(bytes_data, bytes_key, bytes_iv):
results = []
# ECB
res = AES.new(bytes_key, AES.MODE_ECB).encrypt(bytes_data)
results.append(("ECB", res))
# no iv CTR
res = AES.new(bytes_key, AES.MODE_CTR).encrypt(bytes_data)
results.append(("CTR", res))
c = Counter.new(128, initial_value=bytes_to_long(bytes_iv))
res = AES.new(bytes_key, AES.MODE_CTR, counter=c).encrypt(bytes_data)
results.append(("CTR-iv", res))
res = AES.new(bytes_key, AES.MODE_CBC, bytes_iv).encrypt(bytes_data)
results.append(("CBC", res))
res = AES.new(bytes_key, AES.MODE_CFB, bytes_iv).encrypt(bytes_data)
results.append(("CFB", res))
res = AES.new(bytes_key, AES.MODE_OFB, bytes_iv).encrypt(bytes_data)
results.append(("OFB", res))
res = AES.new(bytes_key, AES.MODE_GCM, bytes_iv).encrypt(bytes_data)
results.append(("GCM", res))
# SIV keylen is restricted. prob not SIV.
# res = AES.new(bytes_key, AES.MODE_SIV, bytes_iv).encrypt(bytes_data)
# results.append(("SIV", res))
# OCB takes a 15 byte nonce. don't think so.
# res = AES.new(bytes_key, AES.MODE_OCB, bytes_iv).encrypt(bytes_data)
# results.append(("OCB", res))
return results
def encrypt(msg,fl=Public_file):
"""
we not have docstring here
"""
encrypted = None
try:
f = open(fl,'r')
except FileNotFoundError:
print('Man! You not have file that have public key!')
choice = None
while choice == None:
choice = input("Create(y/n)? ")
if choice == 'y' or choice == 'yes':
key_menu()
else:
print("Warning! An error coming! Force Quit!!!!")
raise SystemExit
else:
n = int(f.readline())
e = int(f.readline())
f.close()
m = bytes_to_long(str(msg).encode('utf-8'))
encrypted = pow(m,e,n)
return encrypted
def Enc_first(cheque):
key = get_random_bytes(32)
salt = get_random_bytes(16)
ctr = Counter.new(128, initial_value=bytes_to_long(salt))
cipher = AES.new(key, AES.MODE_CTR, counter=ctr)
cipher_text = cipher.encrypt(bytes(json.dumps(cheque), 'utf-8'))
HMAC_FIRST = b"BBuXaXBdHg+wLPjRJpf3N/NmLq5kuvzGQx3II15/j8o="
mk = hmac.new(b64decode(HMAC_FIRST), salt + cipher_text, hashlib.sha512)
dataDE = b64encode(mk.digest() + salt + cipher_text).decode('utf-8')
recipient_key = RSA.import_key(open('1RSAcert.pem').read())
cipher_rsa = PKCS1_OAEP.new(recipient_key)
dataAB = b64encode(cipher_rsa.encrypt(key)).decode('utf-8')
# шифрованный запрос
return {
"ab": dataAB,
"de": dataDE,
"kassaid": "122772",
"kassatoken": "5373167af64a6e02cae10c2bf5c6a7e4",
"check_type": "standart",
"test": "0"
}
def getrandbits(self, k):
"""Return an integer with k random bits."""
if self._randfunc is None:
self._randfunc = Random.new().read
mask = (1 << k) - 1
return mask & bytes_to_long(self._randfunc(ceil_div(k, 8)))
def sign(self, msg_hash):
"""Create the PKCS#1 v1.5 signature of a message.
This function is also called ``RSASSA-PKCS1-V1_5-SIGN`` and
it is specified in
`section 8.2.1 of RFC8017 <https://tools.ietf.org/html/rfc8017#page-36>`_.
:parameter msg_hash:
This is an object from the :mod:`Cryptodome.Hash` package.
It has been used to digest the message to sign.
:type msg_hash: hash object
:return: the signature encoded as a *byte string*.
:raise ValueError: if the RSA key is not long enough for the given hash algorithm.
:raise TypeError: if the RSA key has no private half.
"""
# See 8.2.1 in RFC3447
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits,8) # Convert from bits to bytes
# Step 1
em = _EMSA_PKCS1_V1_5_ENCODE(msg_hash, k)
# Step 2a (OS2IP)
em_int = bytes_to_long(em)
# Step 2b (RSASP1)
m_int = self._key._decrypt(em_int)
# Step 2c (I2OSP)
signature = long_to_bytes(m_int, k)
return signature
def test_repr(self):
(y, g, p, q) = [
bytes_to_long(a2b_hex(param))
for param in (self.y, self.g, self.p, self.q)
]
dsaObj = self.dsa.construct((y, g, p, q))
repr(dsaObj)
def extract_files(wak, out_dir, extract=True):
if extract:
out_dir = out_dir + "/"
print("[+] Extracting to {}".format(out_dir))
if not os.path.exists(out_dir):
os.makedirs(out_dir)
# multiprocessing this
for f in wak.file_list:
print("{:.50s}:[offs {:08X}][size {:08X}][pthl {:08X}]".format(
f.path, f.offset, f.size, f.pathlen))
if extract:
fdata = wak.datawak_contents[f.offset:f.offset + f.size]
f_iv = wak.prng.badprng_get16(0x165EC8F + f.tblidx)
c = Counter.new(128, initial_value=bytes_to_long(f_iv))
fdata_dec = AES.new(wak.prng.default_key, AES.MODE_CTR,
counter=c).decrypt(fdata)
out_filepath = os.path.abspath(out_dir + f.path)
out_filedir = os.path.split(out_filepath)[0]
if not os.path.exists(out_filedir):
os.makedirs(out_filedir)
with open(out_filepath, 'wb') as outfile:
outfile.write(fdata_dec)
print("[+] Complete, iterated {} files.".format(len(wak.file_list)))
def decrypt(self, init_value, ciphertext, auth_tag, auth_data=b''):
if init_value >= (1 << 96):
raise InvalidInputException('IV should be 96-bit')
if auth_tag >= (1 << 128):
raise InvalidInputException('Tag should be 128-bit')
if auth_tag != self.__ghash(
auth_data, ciphertext) ^ bytes_to_long(
self._aes_ecb.encrypt(
long_to_bytes((init_value << 32) | 1, 16))):
raise InvalidTagException
len_ciphertext = len(ciphertext)
if len_ciphertext > 0:
counter = Counter.new(
nbits=32,
prefix=long_to_bytes(init_value, 12),
initial_value=2,
allow_wraparound=True)
aes_ctr = AES.new(self._master_key, AES.MODE_CTR, counter=counter)
if 0 != len_ciphertext % 16:
padded_ciphertext = ciphertext + \
b'\x00' * (16 - len_ciphertext % 16)
else:
padded_ciphertext = ciphertext
plaintext = aes_ctr.decrypt(padded_ciphertext)[:len_ciphertext]
else:
plaintext = b''
return plaintext
def _check_public_key(self, rsaObj):
ciphertext = a2b_hex(self.ciphertext)
# Check capabilities
self.assertEqual(0, rsaObj.has_private())
# Check rsaObj.[ne] -> rsaObj.[ne] mapping
self.assertEqual(rsaObj.n, rsaObj.n)
self.assertEqual(rsaObj.e, rsaObj.e)
# Check that private parameters are all missing
self.assertEqual(0, hasattr(rsaObj, 'd'))
self.assertEqual(0, hasattr(rsaObj, 'p'))
self.assertEqual(0, hasattr(rsaObj, 'q'))
self.assertEqual(0, hasattr(rsaObj, 'u'))
# Sanity check key data
self.assertEqual(1, rsaObj.e > 1) # e > 1
# Public keys should not be able to sign or decrypt
self.assertRaises(TypeError, rsaObj._decrypt,
bytes_to_long(ciphertext))
# Check __eq__ and __ne__
self.assertEqual(rsaObj.publickey() == rsaObj.publickey(),True) # assert_
self.assertEqual(rsaObj.publickey() != rsaObj.publickey(),False) # failIf
def test_construct_bad_key5(self):
(y, g, p, q, x) = [bytes_to_long(a2b_hex(param)) for param in (self.y, self.g, self.p, self.q, self.x)]
tup = (y, g, p, q, x+1)
self.assertRaises(ValueError, self.dsa.construct, tup)
tup = (y, g, p, q, q+10)
self.assertRaises(ValueError, self.dsa.construct, tup)
def encrypt(self, message):
# See 7.2.1 in RFC8017
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits, 8) # Convert from bits to bytes
mLen = len(message)
# Step 1
if mLen > k - 11:
raise ValueError("Plaintext is too long.")
# Step 2a
ps = []
while len(ps) != k - mLen - 3:
# Java 实现的时候是填充为 \xff,所以每次加密相同明文,得到的密文是一样的
ps.append(b'\xff')
ps = b"".join(ps)
assert (len(ps) == k - mLen - 3)
# Step 2b
# pkcs#1_v115 是 x00x02,Java里面是\x00\x01
em = b'\x00\x01' + ps + b'\x00' + _copy_bytes(None, None, message)
# Step 3a (OS2IP)
em_int = bytes_to_long(em)
# Step 3b (RSAEP)
m_int = self._key._encrypt(em_int)
# Step 3c (I2OSP)
c = long_to_bytes(m_int, k)
return c
def check_ecdsa(q,r,s,sha): q = Point(q) r = bytes_to_long(r) s = bytes_to_long(s) e = bytes_to_long(sha) s_inv = bn_inv(s,ec_N) w1 = (e*s_inv)%ec_N w2 = (r*s_inv)%ec_N r1 = w1 * ec_G + w2 * q rx = r1.x.tobignum()%ec_N return rx == r
def test_construct_4tuple(self):
"""DSA (default implementation) constructed key (4-tuple)"""
(y, g, p, q) = [
bytes_to_long(a2b_hex(param))
for param in (self.y, self.g, self.p, self.q)
]
dsaObj = self.dsa.construct((y, g, p, q))
self._test_verification(dsaObj)
def grow(self, seed, layer):
exp = pow(self.d, layer, self.phi)
seed = bytes_to_long(seed)
if seed >= self.n or seed < 0:
raise Exception
onion = pow(seed, exp, self.n)
return long_to_bytes(onion)
def sign(self, message):
if not self.keyObject:
raise ValueError('key object is not exist')
h = SHA1.new(message)
signature_bytes = pkcs1_15.new(self.keyObject).sign(h)
signature_int = number.bytes_to_long(signature_bytes)
signature = str(signature_int)
return signature
def gen_priv_key():
k = open("/dev/random","rb").read(30)
if len(k) != 30:
raise Exception("Failed to get random data")
k = bytes_to_long(k)
k = k % ec_N
return long_to_bytes(k,30)
def test_construct_bad_key4(self):
(y, g, p, q) = [bytes_to_long(a2b_hex(param)) for param in (self.y, self.g, self.p, self.q)]
tup = (y, g, p+1, q)
self.assertRaises(ValueError, self.dsa.construct, tup)
tup = (y, g, p, q+1)
self.assertRaises(ValueError, self.dsa.construct, tup)
tup = (y, 1L, p, q)
self.assertRaises(ValueError, self.dsa.construct, tup)
def _create_ctr_cipher(self, mac_tag):
"""Create a new CTR cipher from the MAC in SIV mode"""
tag_int = bytes_to_long(mac_tag)
return self._factory.new(
self._subkey_cipher,
self._factory.MODE_CTR,
initial_value=tag_int ^ (tag_int & 0x8000000080000000L),
nonce=b(""),
**self._cipher_params)
def encrypt(self, message):
"""Produce the PKCS#1 OAEP encryption of a message.
This function is named ``RSAES-OAEP-ENCRYPT``, and is specified in
section 7.1.1 of RFC3447.
:Parameters:
message : byte string
The message to encrypt, also known as plaintext. It can be of
variable length, but not longer than the RSA modulus (in bytes)
minus 2, minus twice the hash output size.
:Return: A byte string, the ciphertext in which the message is encrypted.
It is as long as the RSA modulus (in bytes).
:Raise ValueError:
If the RSA key length is not sufficiently long to deal with the given
message.
"""
# TODO: Verify the key is RSA
# See 7.1.1 in RFC3447
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits,8) # Convert from bits to bytes
hLen = self._hashObj.digest_size
mLen = len(message)
# Step 1b
ps_len = k-mLen-2*hLen-2
if ps_len<0:
raise ValueError("Plaintext is too long.")
# Step 2a
lHash = self._hashObj.new(self._label).digest()
# Step 2b
ps = bchr(0x00)*ps_len
# Step 2c
db = lHash + ps + bchr(0x01) + message
# Step 2d
ros = self._randfunc(hLen)
# Step 2e
dbMask = self._mgf(ros, k-hLen-1)
# Step 2f
maskedDB = strxor(db, dbMask)
# Step 2g
seedMask = self._mgf(maskedDB, hLen)
# Step 2h
maskedSeed = strxor(ros, seedMask)
# Step 2i
em = bchr(0x00) + maskedSeed + maskedDB
# Step 3a (OS2IP)
em_int = bytes_to_long(em)
# Step 3b (RSAEP)
m_int = self._key._encrypt(em_int)
# Step 3c (I2OSP)
c = long_to_bytes(m_int, k)
return c
def verify(self, msg_hash, signature):
"""Verify that a certain PKCS#1 v1.5 signature is valid.
This method checks if the message really originates from someone
that holds the RSA private key.
really signed the message.
This function is named ``RSASSA-PKCS1-V1_5-VERIFY``;
it is specified in section 8.2.2 of RFC3447.
:Parameters:
msg_hash : hash object
The hash that was carried out over the message. This is an object
belonging to the `Cryptodome.Hash` module.
signature : byte string
The signature that needs to be validated.
:Raise ValueError:
if the signature is not valid.
"""
# See 8.2.2 in RFC3447
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits, 8) # Convert from bits to bytes
# Step 1
if len(signature) != k:
raise ValueError("Invalid signature")
# Step 2a (O2SIP)
signature_int = bytes_to_long(signature)
# Step 2b (RSAVP1)
em_int = self._key._encrypt(signature_int)
# Step 2c (I2OSP)
em1 = long_to_bytes(em_int, k)
# Step 3
try:
possible_em1 = [ _EMSA_PKCS1_V1_5_ENCODE(msg_hash, k, True) ]
# MD2/4/5 hashes always require NULL params in AlgorithmIdentifier.
# For all others, it is optional.
try:
algorithm_is_md = msg_hash.oid.startswith('1.2.840.113549.2.')
except AttributeError:
algorithm_is_md = False
if not algorithm_is_md: # MD2/MD4/MD5
possible_em1.append(_EMSA_PKCS1_V1_5_ENCODE(msg_hash, k, False))
except ValueError:
raise ValueError("Invalid signature")
# Step 4
# By comparing the full encodings (as opposed to checking each
# of its components one at a time) we avoid attacks to the padding
# scheme like Bleichenbacher's (see http://www.mail-archive.com/[email protected]/msg06537).
#
if em1 not in possible_em1:
raise ValueError("Invalid signature")
pass
def _create_ctr_cipher(self, v):
"""Create a new CTR cipher from V in SIV mode"""
v_int = bytes_to_long(v)
q = v_int & 0xFFFFFFFFFFFFFFFF7FFFFFFF7FFFFFFF
return self._factory.new(
self._subkey_cipher,
self._factory.MODE_CTR,
initial_value=q,
nonce=b"",
**self._cipher_params)
def _exercise_primitive(self, rsaObj):
# Since we're using a randomly-generated key, we can't check the test
# vector, but we can make sure encryption and decryption are inverse
# operations.
ciphertext = bytes_to_long(a2b_hex(self.ciphertext))
# Test decryption
plaintext = rsaObj._decrypt(ciphertext)
# Test encryption (2 arguments)
new_ciphertext2 = rsaObj._encrypt(plaintext)
self.assertEqual(ciphertext, new_ciphertext2)
def _decodeLen(self, s):
"""Decode DER length octets from a file."""
length = s.read_byte()
if length <= 127:
return length
payloadLength = bytes_to_long(s.read(length & 0x7F))
# According to DER (but not BER) the long form is used
# only when the length doesn't fit into 7 bits.
if payloadLength <= 127:
raise ValueError("Not a DER length tag (but still valid BER).")
return payloadLength
def _check_public_key(self, dsaObj):
k = bytes_to_long(a2b_hex(self.k))
m_hash = bytes_to_long(a2b_hex(self.m_hash))
# Check capabilities
self.assertEqual(0, dsaObj.has_private())
self.assertEqual(1, dsaObj.can_sign())
self.assertEqual(0, dsaObj.can_encrypt())
# Check that private parameters are all missing
self.assertEqual(0, hasattr(dsaObj, 'x'))
# Sanity check key data
self.assertEqual(1, dsaObj.p > dsaObj.q) # p > q
self.assertEqual(160, size(dsaObj.q)) # size(q) == 160 bits
self.assertEqual(0, (dsaObj.p - 1) % dsaObj.q) # q is a divisor of p-1
# Public-only key objects should raise an error when .sign() is called
self.assertRaises(TypeError, dsaObj._sign, m_hash, k)
# Check __eq__ and __ne__
self.assertEqual(dsaObj.publickey() == dsaObj.publickey(),True) # assert_
self.assertEqual(dsaObj.publickey() != dsaObj.publickey(),False) # failIf
def convert_tv(self, tv, as_longs=0):
"""Convert a test vector from textual form (hexadecimal ascii
to either integers or byte strings."""
key_comps = 'p','g','y','x'
tv2 = {}
for c in tv.keys():
tv2[c] = a2b_hex(tv[c])
if as_longs or c in key_comps or c in ('sig1','sig2'):
tv2[c] = bytes_to_long(tv2[c])
tv2['key']=[]
for c in key_comps:
tv2['key'] += [tv2[c]]
del tv2[c]
return tv2
def enc_setup(self, enc_alg, msg, auth_data, key=None, iv=""):
""" Encrypt JWE content.
:param enc_alg: The JWE "enc" value specifying the encryption algorithm
:param msg: The plain text message
:param auth_data: Additional authenticated data
:param key: Key (CEK)
:return: Tuple (ciphertext, tag), both as bytes
"""
key, iv = self._generate_key_and_iv(enc_alg, key, iv)
if enc_alg in ["A192GCM", "A128GCM", "A256GCM"]:
gcm = AES_GCM(bytes_to_long(key))
ctxt, tag = gcm.encrypt(bytes_to_long(iv), msg, auth_data)
tag = long_to_bytes(tag)
elif enc_alg in ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"]:
assert enc_alg in SUPPORTED["enc"]
ctxt, tag = aes_cbc_hmac_encrypt(key, iv, auth_data, msg)
else:
raise NotSupportedAlgorithm(enc_alg)
return ctxt, tag, key
def testVerify2(self):
# Verify that decryption fails if ciphertext is not as long as
# RSA modulus
cipher = PKCS.new(self.key1024)
self.assertRaises(ValueError, cipher.decrypt, '\x00'*127, "---")
self.assertRaises(ValueError, cipher.decrypt, '\x00'*129, "---")
# Verify that decryption fails if there are less then 8 non-zero padding
# bytes
pt = b('\x00\x02' + '\xFF'*7 + '\x00' + '\x45'*118)
pt_int = bytes_to_long(pt)
ct_int = self.key1024._encrypt(pt_int)
ct = long_to_bytes(ct_int, 128)
self.assertEqual("---", cipher.decrypt(ct, "---"))
def __init__(self, encoded_value):
"""Initialize the element to a certain value.
The value passed as parameter is internally encoded as
a 128-bit integer, where each bit represents a polynomial
coefficient. The LSB is the constant coefficient.
"""
if isinstance(encoded_value, (int, long)):
self._value = encoded_value
elif len(encoded_value) == 16:
self._value = bytes_to_long(encoded_value)
else:
raise ValueError("The encoded value must be an integer or a 16 byte string")
def _decrypt(enc, key, ctxt, auth_data, iv, tag):
""" Decrypt JWE content.
:param enc: The JWE "enc" value specifying the encryption algorithm
:param key: Key (CEK)
:param iv : Initialization vector
:param auth_data: Additional authenticated data (AAD)
:param ctxt : Ciphertext
:param tag: Authentication tag
:return: plain text message or None if decryption failed
"""
if enc in ["A128GCM", "A192GCM", "A256GCM"]:
gcm = AES_GCM(bytes_to_long(key))
try:
text = gcm.decrypt(bytes_to_long(iv), ctxt, bytes_to_long(tag),
auth_data)
return text, True
except DecryptionFailed:
return None, False
elif enc in ["A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"]:
return aes_cbc_hmac_decrypt(key, iv, auth_data, ctxt, tag)
else:
raise Exception("Unsupported encryption algorithm %s" % enc)
def sign(self, msg_hash):
"""Produce the PKCS#1 PSS signature of a message.
This function is named ``RSASSA-PSS-SIGN``, and is specified in
section 8.1.1 of RFC3447.
:Parameters:
msg_hash : hash object
The hash that was carried out over the message. This is an object
belonging to the `Cryptodome.Hash` module.
:Return: The PSS signature encoded as a byte string.
:Raise ValueError:
If the RSA key length is not sufficiently long to deal
with the given hash algorithm.
:Raise TypeError:
If the RSA key has no private half.
:attention: Modify the salt length and the mask generation
function only if you know what you are doing.
The receiver must use the same parameters too.
"""
# Set defaults for salt length and mask generation function
if self._saltLen is None:
sLen = msg_hash.digest_size
else:
sLen = self._saltLen
if self._mgfunc is None:
mgf = lambda x, y: MGF1(x, y, msg_hash)
else:
mgf = self._mgfunc
modBits = Cryptodome.Util.number.size(self._key.n)
# See 8.1.1 in RFC3447
k = ceil_div(modBits, 8) # k is length in bytes of the modulus
# Step 1
em = _EMSA_PSS_ENCODE(msg_hash, modBits-1, self._randfunc, mgf, sLen)
# Step 2a (OS2IP)
em_int = bytes_to_long(em)
# Step 2b (RSASP1)
m_int = self._key._decrypt(em_int)
# Step 2c (I2OSP)
signature = long_to_bytes(m_int, k)
return signature
def __init__(self, factory, key, nonce, mac_len, cipher_params):
"""EAX cipher mode"""
self.block_size = factory.block_size
"""The block size of the underlying cipher, in bytes."""
self.nonce = _copy_bytes(None, None, nonce)
"""The nonce originally used to create the object."""
self._mac_len = mac_len
self._mac_tag = None # Cache for MAC tag
# Allowed transitions after initialization
self._next = [self.update, self.encrypt, self.decrypt,
self.digest, self.verify]
# MAC tag length
if not (4 <= self._mac_len <= self.block_size):
raise ValueError("Parameter 'mac_len' must not be larger than %d"
% self.block_size)
# Nonce cannot be empty and must be a byte string
if len(self.nonce) == 0:
raise ValueError("Nonce cannot be empty in EAX mode")
if isinstance(nonce, unicode):
raise TypeError("nonce must be a byte string")
self._omac = [
CMAC.new(key,
b'\x00' * (self.block_size - 1) + struct.pack('B', i),
ciphermod=factory,
cipher_params=cipher_params)
for i in xrange(0, 3)
]
# Compute MAC of nonce
self._omac[0].update(self.nonce)
self._signer = self._omac[1]
# MAC of the nonce is also the initial counter for CTR encryption
counter_int = bytes_to_long(self._omac[0].digest())
self._cipher = factory.new(key,
factory.MODE_CTR,
initial_value=counter_int,
nonce=b"",
**cipher_params)
def encrypt(self, message):
"""Produce the PKCS#1 v1.5 encryption of a message.
This function is named ``RSAES-PKCS1-V1_5-ENCRYPT``, and is specified in
section 7.2.1 of RFC3447.
For a complete example see `Cryptodome.Cipher.PKCS1_v1_5`.
:Parameters:
message : byte string
The message to encrypt, also known as plaintext. It can be of
variable length, but not longer than the RSA modulus (in bytes) minus 11.
:Return: A byte string, the ciphertext in which the message is encrypted.
It is as long as the RSA modulus (in bytes).
:Raise ValueError:
If the RSA key length is not sufficiently long to deal with the given
message.
"""
# See 7.2.1 in RFC3447
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits,8) # Convert from bits to bytes
mLen = len(message)
# Step 1
if mLen > k-11:
raise ValueError("Plaintext is too long.")
# Step 2a
ps = []
while len(ps) != k - mLen - 3:
new_byte = self._randfunc(1)
if bord(new_byte[0]) == 0x00:
continue
ps.append(new_byte)
ps = b("").join(ps)
assert(len(ps) == k - mLen - 3)
# Step 2b
em = b('\x00\x02') + ps + bchr(0x00) + message
# Step 3a (OS2IP)
em_int = bytes_to_long(em)
# Step 3b (RSAEP)
m_int = self._key._encrypt(em_int)
# Step 3c (I2OSP)
c = long_to_bytes(m_int, k)
return c
def verify(self, msg_hash, signature):
"""Verify that a certain PKCS#1 PSS signature is authentic.
This function checks if the party holding the private half
of the given RSA key has really signed the message.
This function is called ``RSASSA-PSS-VERIFY``, and is specified
in section 8.1.2 of RFC3447.
:Parameters:
msg_hash : hash object
The cryptographic hash computed over the message.
This is an object belonging to the `Cryptodome.Hash` module.
signature : byte string
The signature that needs to be validated.
:Raise ValueError:
if the signature is incorrect.
"""
# Set defaults for salt length and mask generation function
if self._saltLen is None:
sLen = msg_hash.digest_size
else:
sLen = self._saltLen
if self._mgfunc:
mgf = self._mgfunc
else:
mgf = lambda x, y: MGF1(x, y, msg_hash)
modBits = Cryptodome.Util.number.size(self._key.n)
# See 8.1.2 in RFC3447
k = ceil_div(modBits, 8) # Convert from bits to bytes
# Step 1
if len(signature) != k:
raise ValueError("Incorrect signature")
# Step 2a (O2SIP)
signature_int = bytes_to_long(signature)
# Step 2b (RSAVP1)
em_int = self._key._encrypt(signature_int)
# Step 2c (I2OSP)
emLen = ceil_div(modBits - 1, 8)
em = long_to_bytes(em_int, emLen)
# Step 3/4
_EMSA_PSS_VERIFY(msg_hash, em, modBits-1, mgf, sLen)
def encrypt(self, message):
"""Produce the PKCS#1 v1.5 encryption of a message.
This function is named ``RSAES-PKCS1-V1_5-ENCRYPT``, and it is specified in
`section 7.2.1 of RFC8017
<https://tools.ietf.org/html/rfc8017#page-28>`_.
:param message:
The message to encrypt, also known as plaintext. It can be of
variable length, but not longer than the RSA modulus (in bytes) minus 11.
:type message: bytes/bytearray/memoryview
:Returns: A byte string, the ciphertext in which the message is encrypted.
It is as long as the RSA modulus (in bytes).
:Raises ValueError:
If the RSA key length is not sufficiently long to deal with the given
message.
"""
# See 7.2.1 in RFC8017
modBits = Cryptodome.Util.number.size(self._key.n)
k = ceil_div(modBits,8) # Convert from bits to bytes
mLen = len(message)
# Step 1
if mLen > k - 11:
raise ValueError("Plaintext is too long.")
# Step 2a
ps = []
while len(ps) != k - mLen - 3:
new_byte = self._randfunc(1)
if bord(new_byte[0]) == 0x00:
continue
ps.append(new_byte)
ps = b"".join(ps)
assert(len(ps) == k - mLen - 3)
# Step 2b
em = b'\x00\x02' + ps + b'\x00' + _copy_bytes(None, None, message)
# Step 3a (OS2IP)
em_int = bytes_to_long(em)
# Step 3b (RSAEP)
m_int = self._key._encrypt(em_int)
# Step 3c (I2OSP)
c = long_to_bytes(m_int, k)
return c
def inplace_pow(self, exponent, modulus=None):
exp_value = int(exponent)
if exp_value < 0:
raise ValueError("Exponent must not be negative")
# No modular reduction
if modulus is None:
self._value = pow(self._value, exp_value)
return self
# With modular reduction
mod_value = int(modulus)
if mod_value < 0:
raise ValueError("Modulus must be positive")
if mod_value == 0:
raise ZeroDivisionError("Modulus cannot be zero")
# C extension only works with odd moduli
if (mod_value & 1) == 0:
self._value = pow(self._value, exp_value, mod_value)
return self
max_len = len(long_to_bytes(max(self._value, exp_value, mod_value)))
base_b = long_to_bytes(self._value, max_len)
exp_b = long_to_bytes(exp_value, max_len)
modulus_b = long_to_bytes(mod_value, max_len)
out = create_string_buffer(max_len)
error = _raw_montgomery.monty_pow(
base_b,
exp_b,
modulus_b,
out,
c_size_t(max_len),
c_ulonglong(getrandbits(64))
)
if error:
raise ValueError("monty_pow failed with error: %d" % error)
result = bytes_to_long(get_raw_buffer(out))
self._value = result
return self
