def test_f_verifier_from_key_bytes():
check = Verifier(algorithm=ALGORITHM,
key=VALUES["ecc_private_key_prime"].public_key())
test = Verifier.from_key_bytes(
algorithm=ALGORITHM,
key_bytes=VALUES["ecc_private_key_prime_public_bytes"])
assert check.key.public_numbers() == test.key.public_numbers()
def with_verification_key(self, verification_key):
# type: (bytes) -> DecryptionMaterials
"""Get new decryption materials that also include this verification key.
.. versionadded:: 1.5.0
:param bytes verification_key: Verification key
:rtype: DecryptionMaterials
"""
if self.verification_key is not None:
raise AttributeError("Verification key is already set.")
if self.algorithm.signing_algorithm_info is None:
raise SignatureKeyError("Algorithm suite does not support signing keys.")
new_materials = copy.copy(self)
# Verify that the verification key matches the algorithm
Verifier.from_key_bytes(algorithm=new_materials.algorithm, key_bytes=verification_key)
new_materials._setattr( # simplify access to copies pylint: disable=protected-access
"verification_key", verification_key
)
return new_materials
def _load_verification_key_from_encryption_context(self, algorithm,
encryption_context):
"""Loads the verification key from the encryption context if used by algorithm suite.
:param algorithm: Algorithm for which to generate signing key
:type algorithm: aws_encryption_sdk.identifiers.Algorithm
:param dict encryption_context: Encryption context from request
:returns: Raw verification key
:rtype: bytes
:raises SerializationError: if algorithm suite requires message signing and no verification key is found
"""
encoded_verification_key = encryption_context.get(
ENCODED_SIGNER_KEY, None)
if algorithm.signing_algorithm_info is not None and encoded_verification_key is None:
raise SerializationError(
"No signature verification key found in header for signed algorithm."
)
if algorithm.signing_algorithm_info is None:
if encoded_verification_key is not None:
raise SerializationError(
"Signature verification key found in header for non-signed algorithm."
)
return None
verifier = Verifier.from_encoded_point(
algorithm=algorithm, encoded_point=encoded_verification_key)
return verifier.key_bytes()
def test_verifier_verify(patch_default_backend, patch_serialization, patch_ec,
patch_prehashed, patch_build_hasher,
patch_set_signature_type):
algorithm = MagicMock()
public_key = MagicMock()
verifier = Verifier(algorithm=algorithm, key=public_key)
verifier.verify(sentinel.signature)
verifier._hasher.finalize.assert_called_once_with()
algorithm.signing_hash_type.assert_called_once_with()
patch_prehashed.assert_called_once_with(
algorithm.signing_hash_type.return_value)
patch_ec.ECDSA.assert_called_once_with(patch_prehashed.return_value)
public_key.verify.assert_called_once_with(
signature=sentinel.signature,
data=verifier._hasher.finalize.return_value,
signature_algorithm=patch_ec.ECDSA.return_value)
def _read_header(self):
"""Reads the message header from the input stream.
:returns: tuple containing deserialized header and header_auth objects
:rtype: tuple of aws_encryption_sdk.structures.MessageHeader
and aws_encryption_sdk.internal.structures.MessageHeaderAuthentication
:raises CustomMaximumValueExceeded: if frame length is greater than the custom max value
"""
header, raw_header = aws_encryption_sdk.internal.formatting.deserialize.deserialize_header(self.source_stream)
if (
self.config.max_body_length is not None
and header.content_type == ContentType.FRAMED_DATA
and header.frame_length > self.config.max_body_length
):
raise CustomMaximumValueExceeded(
'Frame Size in header found larger than custom value: {found} > {custom}'.format(
found=header.frame_length,
custom=self.config.max_body_length
)
)
decrypt_materials_request = DecryptionMaterialsRequest(
encrypted_data_keys=header.encrypted_data_keys,
algorithm=header.algorithm,
encryption_context=header.encryption_context
)
decryption_materials = self.config.materials_manager.decrypt_materials(request=decrypt_materials_request)
if decryption_materials.verification_key is None:
self.verifier = None
else:
self.verifier = Verifier.from_key_bytes(
algorithm=header.algorithm,
key_bytes=decryption_materials.verification_key
)
if self.verifier is not None:
self.verifier.update(raw_header)
header_auth = aws_encryption_sdk.internal.formatting.deserialize.deserialize_header_auth(
stream=self.source_stream,
algorithm=header.algorithm,
verifier=self.verifier
)
self._derived_data_key = derive_data_encryption_key(
source_key=decryption_materials.data_key.data_key,
algorithm=header.algorithm,
message_id=header.message_id
)
aws_encryption_sdk.internal.formatting.deserialize.validate_header(
header=header,
header_auth=header_auth,
raw_header=raw_header,
data_key=self._derived_data_key
)
return header, header_auth
def test_verifier_from_encoded_point(
patch_default_backend, patch_serialization,
patch_ecc_public_numbers_from_compressed_point, patch_base64,
patch_build_hasher):
mock_point_instance = MagicMock()
mock_point_instance.public_key.return_value = sentinel.public_key
patch_ecc_public_numbers_from_compressed_point.return_value = mock_point_instance
patch_base64.b64decode.return_value = sentinel.compressed_point
algorithm = MagicMock()
verifier = Verifier.from_encoded_point(
algorithm=algorithm, encoded_point=sentinel.encoded_point)
patch_base64.b64decode.assert_called_once_with(sentinel.encoded_point)
algorithm.signing_algorithm_info.assert_called_once_with()
patch_ecc_public_numbers_from_compressed_point.assert_called_once_with(
curve=algorithm.signing_algorithm_info.return_value,
compressed_point=sentinel.compressed_point)
mock_point_instance.public_key.assert_called_once_with(
patch_default_backend.return_value)
assert isinstance(verifier, Verifier)
def test_f_verifier_key_bytes():
test = Verifier(algorithm=ALGORITHM,
key=VALUES["ecc_private_key_prime"].public_key())
assert test.key_bytes() == VALUES["ecc_private_key_prime_public_bytes"]
def test_verifier_update(patch_default_backend, patch_serialization,
patch_build_hasher):
verifier = Verifier(algorithm=MagicMock(), key=MagicMock())
verifier.update(sentinel.data)
verifier._hasher.update.assert_called_once_with(sentinel.data)
def _read_header(self):
"""Reads the message header from the input stream.
:returns: tuple containing deserialized header and header_auth objects
:rtype: tuple of aws_encryption_sdk.structures.MessageHeader
and aws_encryption_sdk.internal.structures.MessageHeaderAuthentication
:raises CustomMaximumValueExceeded: if frame length is greater than the custom max value
"""
header, raw_header = deserialize_header(self.source_stream)
self.__unframed_bytes_read += len(raw_header)
validate_commitment_policy_on_decrypt(self.config.commitment_policy,
header.algorithm)
if (self.config.max_body_length is not None
and header.content_type == ContentType.FRAMED_DATA
and header.frame_length > self.config.max_body_length):
raise CustomMaximumValueExceeded(
"Frame Size in header found larger than custom value: {found:d} > {custom:d}"
.format(found=header.frame_length,
custom=self.config.max_body_length))
decrypt_materials_request = DecryptionMaterialsRequest(
encrypted_data_keys=header.encrypted_data_keys,
algorithm=header.algorithm,
encryption_context=header.encryption_context,
commitment_policy=self.config.commitment_policy,
)
decryption_materials = self.config.materials_manager.decrypt_materials(
request=decrypt_materials_request)
if decryption_materials.verification_key is None:
self.verifier = None
else:
self.verifier = Verifier.from_key_bytes(
algorithm=header.algorithm,
key_bytes=decryption_materials.verification_key)
if self.verifier is not None:
self.verifier.update(raw_header)
header_auth = deserialize_header_auth(version=header.version,
stream=self.source_stream,
algorithm=header.algorithm,
verifier=self.verifier)
self._derived_data_key = derive_data_encryption_key(
source_key=decryption_materials.data_key.data_key,
algorithm=header.algorithm,
message_id=header.message_id)
if header.algorithm.is_committing():
expected_commitment_key = calculate_commitment_key(
source_key=decryption_materials.data_key.data_key,
algorithm=header.algorithm,
message_id=header.message_id,
)
if not hmac.compare_digest(expected_commitment_key,
header.commitment_key):
raise MasterKeyProviderError(
"Key commitment validation failed. Key identity does not match the identity asserted in the "
"message. Halting processing of this message.")
validate_header(header=header,
header_auth=header_auth,
raw_header=raw_header,
data_key=self._derived_data_key)
return header, header_auth
