def decrypt_data(encrypted_data, passphrase): """ Decrypta un payload in ingresso utilizzando la passphrase inserita :param encrypted_data: payload cryptato da decryptare :param passphrase: password da utilizzare per il decrypt :return: payload decryptato """ try: if type(passphrase) == bytes: hash_passphrase = hashlib.sha512(passphrase).digest() else: hash_passphrase = hashlib.sha512(passphrase.encode()).digest() key_base64 = base64.urlsafe_b64encode(hash_passphrase) kjs = json.dumps({ 'k': key_base64.decode('utf-8', 'strict'), 'kty': 'oct' }) key = jwk.JWK.from_json(kjs) jwetoken = jwe.JWE() jwetoken.deserialize(encrypted_data, key=key) return jwetoken.payload.decode() except Exception as e: LOG.error("Exception: {}".format(str(e)), extra=set_client_ip()) return None
async def generate_validation_token(data, ttl=3660): data = data or {} claims = { "iat": int(time.time()), "exp": int(time.time() + ttl), } claims.update(data) payload = orjson.dumps(claims) jwetoken = jwe.JWE(payload, json_encode({ "alg": "A256KW", "enc": "A256CBC-HS512" })) jwetoken.add_recipient(get_jwk_key()) token = jwetoken.serialize(compact=True) last_time = time.time() + ttl datetime_format = app_settings.get("datetime_format") default_timezone = app_settings.get("default_timezone", "UTC") tz = pytz.timezone(default_timezone) if datetime_format is None: last_date = datetime.fromtimestamp(last_time, tz=tz).isoformat() else: last_date = datetime.fromtimestamp(last_time, tz=tz).strftime(datetime_format) return token, last_date
def decrypt_verify_and_get_payload(private_encryption_key, public_signature_key, content): # decrypt jwetoken = jwe.JWE() jwetoken.deserialize(content, key=private_encryption_key) logging.debug(f'Payload correctly decrypted using our private key') if json.loads(jwetoken.objects['protected'] )['alg'] != 'RSA-OAEP-256' or json.loads( jwetoken.objects['protected'])['enc'] != 'A256CBC-HS512': raise Exception( 'Unsupported encryption' ) # we have to check those, otherwise other encryptions can be used as an attack vector logging.debug(f'JWE payload: {jwetoken.payload}') # verify jwstoken = jws.JWS() jwstoken.deserialize(jwetoken.payload) if json.loads(jwstoken.objects['protected'])['alg'] != 'RS512': raise Exception( 'Unsupported signature algorithm' ) # we have to check, otherwise other algorithms can be used as an attack vector jwstoken.verify(public_signature_key ) # if there's no exception, the signature is valid return jwstoken.payload
def encrypt_data(payload, passphrase): """ Crypta un payload in ingresso utilizzando la passphrase inserita :param payload: oggetto da cryptare :param passphrase: password da utilizzare per l'encrypt :return: payload cryptato """ try: if type(passphrase) == bytes: hash_passphrase = hashlib.sha512(passphrase).digest() else: hash_passphrase = hashlib.sha512(passphrase.encode()).digest() key_base64 = base64.urlsafe_b64encode(hash_passphrase) kjs = json.dumps({ 'k': key_base64.decode('utf-8', 'strict'), 'kty': 'oct' }) key = jwk.JWK.from_json(kjs) token = jwe.JWE(payload, json_encode({ "alg": "dir", "enc": "A256CBC-HS512" })) token.add_recipient(key) return token.serialize(compact=True) except Exception as e: LOG.warning("Exception: {}".format(str(e)), extra=set_client_ip()) return None
def test_generate_oct_key(self): key = jwk.JWK(generate='oct', size=128) E = jwe.JWE('test', '{"alg":"A128KW","enc":"A128GCM"}') E.add_recipient(key) e = E.serialize() E.deserialize(e, key) self.assertEqual(E.payload.decode('utf-8'), 'test')
def encrypt(self, body=None): ''' :param body: Body message to be 1) signed and 2) encrypted. **REQUIRED** :returns: String as a result of signature and encryption of input message body ''' jwsKeySet = self.__getJwkKeySet(location = self.clientPrivateKeySetLocation) jwkSignKey = self.__findJwkKeyByAlgorithm(jwkKeySet = jwsKeySet, algorithm = self.signAlgorithm) privateKeyToSign = jwk.JWK(**jwkSignKey) jwsToken = cryptoJWS.JWS(body.encode('utf-8')) jwsToken.add_signature(privateKeyToSign, None, json_encode({ "alg": self.signAlgorithm, "kid": jwkSignKey['kid'], "exp": self.__getJwsExpirationTime() })) signedBody = jwsToken.serialize(True) jweKeySet = self.__getJwkKeySet(location = self.hyperwalletKeySetLocation) jwkEncryptKey = self.__findJwkKeyByAlgorithm(jwkKeySet = jweKeySet, algorithm = self.encryptionAlgorithm) publicKeyToEncrypt = jwk.JWK(**jwkEncryptKey) protected_header = { "alg": self.encryptionAlgorithm, "enc": self.encryptionMethod, "typ": "JWE", "kid": jwkEncryptKey['kid'], } jweToken = jwe.JWE(signedBody.encode('utf-8'), recipient=publicKeyToEncrypt, protected=protected_header) return jweToken.serialize(True)
def craft_payload(x, y, scalar): payload = "My Encrypted message" protected_header = { "alg": "ECDH-ES", "enc": "A256CBC-HS512", "typ": "JWE", "kid": public_key.thumbprint(), } aes_key = derive_key(scalar, point_x=x, point_y=y, alg='A256CBC-HS512', bitsize=512, headers={ 'alg': 'ECDH-ES', 'enc': 'A256CBC-HS512', 'kid': 'efH3qk1QxpmNvqhY3zXoSEfgml8_7unKoKrvoDIcB1c', 'typ': 'JWE' }) # print(aes_key.hex()) jwetoken = jwe.JWE(payload.encode(), recipient=public_key, protected=protected_header, point_x=x, point_y=y, aes_key=aes_key) return jwetoken.serialize(compact=True)
def _save_session(self, session_id, user_id, data, legacy=False): raw_data = json.dumps(vars(data)) protected_header = { 'alg': 'dir', 'enc': 'A256GCM', 'kid': '1,1', } if legacy: plaintext = base64url_encode(raw_data) else: plaintext = raw_data jwe_token = jwe.JWE( plaintext=plaintext, protected=protected_header, recipient=self.key ) session_model = EQSession( session_id, user_id, jwe_token.serialize(compact=True) ) data_access.put(session_model)
def decrypt_and_verify(self, content): # decrypt jwetoken = jwe.JWE() jwetoken.deserialize(content, key=encryption_private_key) if json.loads(jwetoken.objects['protected'])['alg'] != 'RSA-OAEP-256' or json.loads(jwetoken.objects['protected'])['enc'] != 'A256CBC-HS512': raise Exception('Unsupported encryption') # we have to check those, otherwise other encryptions can be used as an attack vector # verify jwstoken = jws.JWS() jwstoken.deserialize(jwetoken.payload) if signature_public_key is None: jku = json.loads(jwstoken.objects['protected'])['jku'] kid = json.loads(jwstoken.objects['protected'])['kid'] #NOTE: to be certain to use a valid public key, one would have to check the # domain name and SSL certificate's Common Name against a whitelisted list keys = requests.get(jku).content keyset = jwk.JWKSet() keyset.import_keyset(keys) verification_key = keyset.get_key(kid) else: verification_key = signature_public_key if json.loads(jwstoken.objects['protected'])['alg'] != 'RS512': raise Exception('Unsupported signature algorithm') # we have to check, otherwise other algorithms can be used as an attack vector jwstoken.verify(verification_key) # if there's no exception, the signature is valid return jwstoken.payload
def encrypt_internal_payload(payload): global PUB_INTERNAL_KEY if PUB_INTERNAL_KEY is None and app_settings['internal_key']['pub']: PUB_INTERNAL_KEY = jwk.JWK.from_pem( app_settings['internal_key']['pub']) try: protected_header = { "alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "typ": "JWE", "kid": PUB_INTERNAL_KEY.thumbprint(), } if isinstance(payload, dict): payload['_timestamp'] = datetime.datetime.utcnow().isoformat() payload = json.dumps(payload) elif isinstance(payload, str) or isinstance(payload, bytes): data = json.loads(payload) data['_timestamp'] = datetime.datetime.utcnow().isoformat() payload = json.dumps(data) jwetoken = jwe.JWE(payload.encode('utf-8'), recipient=PUB_INTERNAL_KEY, protected=protected_header) return jwetoken.serialize(compact=True) except jwe.InvalidJWEOperation: # expired token logger.warn(f'Invalid operation on jwe encrypt', exc_info=True) return except jwe.InvalidJWEData: logger.warn(f'Error decrypting JWT token', exc_info=True) return
def decryptJWE(raw_jwe, privateKey): with open(privateKey, "rb") as pemfile: key_content = pemfile.read() prik = jw_jwt.JWK.from_pem(key_content) e = jw_jwe.JWE() e.deserialize(raw_jwe, prik) return json.loads(e.payload.decode('utf-8'))
def decrypt(self, body): ''' :param body: Body message to be 1) decrypted and 2) check for correct signature. **REQUIRED** :returns: Decrypted body message ''' jweKeySet = self.__getJwkKeySet( location=self.clientPrivateKeySetLocation) jwkDecryptKey = self.__findJwkKeyByAlgorithm( jwkKeySet=jweKeySet, algorithm=self.encryptionAlgorithm) privateKeyToDecrypt = jwk.JWK(**jwkDecryptKey) jweToken = jwe.JWE() jweToken.deserialize(body, key=privateKeyToDecrypt) payload = jweToken.payload self.__checkJwsExpiration(payload) jwsKeySet = self.__getJwkKeySet( location=self.hyperwalletKeySetLocation) jwkCheckSignKey = self.__findJwkKeyByAlgorithm( jwkKeySet=jwsKeySet, algorithm=self.signAlgorithm) return jws.verify(payload, json.dumps(jwkCheckSignKey), algorithms=self.signAlgorithm)
def encrypt(self, payload, header, key): jwetoken = jwe.JWE(payload.encode('utf-8'), header) params = dict() params['kty'] = 'oct' params['k'] = base64url_encode(key) jwetoken.add_recipient(jwk.JWK(**params)) print("JWE encryption successful") return jwetoken.serialize(compact=True)
def get_decrypted_person_data(self, person_data: str) -> dict: jwetoken = jwe.JWE() private_key = jwk.JWK.from_pem(force_bytes(self.private_key)) jwetoken.deserialize(person_data, key=private_key) decoded = force_text(jwetoken.payload) decoded = decoded.strip('"') log.debug('decoded = %s', decoded) return jwt.decode(decoded, self.public_key, algorithms=['RS256'])
def create_jwe(header, payload, sign_key, enc_key): jws_token = jws.JWS(json_encode(payload)) jws_token.add_signature(sign_key, None, json_encode({'alg': 'ES256'})) jwe_token = jwe.JWE(jws_token.serialize(compact=True), json_encode(header)) jwe_token.add_recipient(enc_key) return jwe_token.serialize(compact=True)
def get_decrypted_person_data(person_data: str) -> dict: jwetoken = jwe.JWE() private_key = jwk.JWK.from_pem(force_bytes(settings.MYINFO_PRIVATE_KEY)) jwetoken.deserialize(person_data, key=private_key) decoded = force_text(jwetoken.payload) decoded = decoded.strip('"') log.debug("decoded = %s", decoded) return jwt.decode(decoded, myinfo_public_key, algorithms=["RS256"])
def decrypt(self, encPayload): if type(encPayload) is str: payload = json.loads(encPayload) if payload.get('encData', False): config = Configuration() jwetoken = jwe.JWE() jwetoken.deserialize(payload["encData"], key=self.loadPem(config.decryption_private_key_path)) return jwetoken.payload return encPayload
def extract_token_claims(self, encrypted_token: bytearray) -> Optional[Claims]: try: jwe_token = jwe.JWE() jwe_token.deserialize(encrypted_token.decode('utf-8'), key=self.__private_key) return Claims.parse(content=jwe_token.payload) except jwe.JWException as err: return None
def is_correct(g, d): k = jwk.JWK(kty='EC', crv='P-256', d=base64url_encode(d.to_bytes(2, 'big')), x=base64url_encode(g.x.to_bytes(32, 'big')), y=base64url_encode(g.y.to_bytes(32, 'big'))) probe = jwe.JWE(payload, recipient=k, protected=header).serialize(True) response = requests.post('http://chal.cybersecurityrumble.de:1234/submit', probe.encode()) return response.content == b'{"status":"success"}\n'
def decrypt(self, jwe_payload, key): jwetoken = jwe.JWE() jwetoken.deserialize(raw_jwe=jwe_payload) params = dict() params['kty'] = 'oct' params['k'] = base64url_encode(key) print("JWE decryption successful.") jwetoken.decrypt(jwk.JWK(**params)) return jwetoken.payload
def decrypt(key: jwk.JWK, path: Path): """Decrypt and throw away envelope""" with path.open("rb") as fp: envelope = json.load(fp) jwetoken = jwe.JWE() jwetoken.deserialize(envelope["payload"]["encryptedData"]) jwetoken.decrypt(key) payload = gzip.decompress(jwetoken.payload).decode() return json.loads(payload)
def check_enc(self, plaintext, protected, key, vector): E = jwe.JWE(plaintext, protected) E.add_recipient(key) # Encrypt and serialize using compact e = E.serialize() # And test that we can decrypt our own E.deserialize(e, key) # Now test the Spec Test Vector E.deserialize(vector, key)
def _create_jwe(payload: Dict[Any, Any]) -> str: payload = dict(payload) payload["iat"] = math.floor(time.time()) jwetoken = jwe.JWE( json_encode(payload), json_encode({"alg": "dir", "enc": "A128GCM"}), recipient=_get_key(), ) return jwetoken.serialize(compact=True)
def jwe_decode_handler(token): key = jwk.JWK(**{ 'k': settings.jwe_secret, 'kty': JWE_DEFAULTS['JWE_KEY_TYPE'], }) jwe_token = jwe.JWE() jwe_token.deserialize(token) jwe_token.decrypt(key) return jwe_token.payload
def encrypt(msg): jwetoken = jwe.JWE(msg.encode(), recipient=public_key, protected={ "alg": "ECDH-ES", "enc": "A256CBC-HS512", "typ": "JWE", "kid": public_key.thumbprint(), }) return jwetoken.serialize(compact=True)
def test_A4(self): E = jwe.JWE(E_A4_ex['plaintext'], E_A4_ex['protected']) E.add_recipient(E_A4_ex['key1'], E_A4_ex['header1']) E.add_recipient(E_A4_ex['key2'], E_A4_ex['header2']) e = E.serialize() E.deserialize(e, E_A4_ex['key1']) E.deserialize(e, E_A4_ex['key2']) # Now test the Spec Test Vector E.deserialize(E_A4_ex['vector'], E_A4_ex['key1']) E.deserialize(E_A4_ex['vector'], E_A4_ex['key2'])
def decrypt(token: str) -> str: """Decrypt JWE token.""" try: jwetoken = jwe.JWE() jwetoken.deserialize(token) jwetoken.decrypt(settings.JWK_KEY) return jwetoken.payload except Exception as err: logger.debug(err) raise exceptions.InvalidTokenError(token)
def encrypt(message, encryption_certificate): """Encrypt a message for DCS""" protected_header = { "alg": "RSA-OAEP-256", "enc": "A128CBC-HS256", "typ": "JWE" } jwetoken = jwe.JWE(plaintext=message, recipient=encryption_certificate, protected=protected_header) return jwetoken.serialize(compact=True)
def encrypt_data(self, data): if isinstance(data, dict): data = json.dumps(data, for_json=True) protected_header = {"alg": "dir", "enc": "A256GCM", "kid": "1,1"} jwe_token = jwe.JWE( plaintext=data, protected=protected_header, recipient=self.key ) return jwe_token.serialize(compact=True)
def encrypt_payload(payload, public_key, compact=False): protected_header = { "alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "kid": public_key.thumbprint(), } jwetoken = jwe.JWE(payload, recipient=public_key, protected=protected_header) encypted_payload = jwetoken.serialize(compact) return encypted_payload