def add_new_channel(self, nA, nB): a_signkey = SigningKey.generate() a_chankey = PrivateKey.generate() a_CIDkey = os.urandom(32) a_transports = nA.agent.individualize_transports(nA.agent.get_transports()) b_signkey = SigningKey.generate() b_chankey = PrivateKey.generate() b_CIDkey = os.urandom(32) b_transports = nB.agent.individualize_transports(nB.agent.get_transports()) a_rec = { "channel_pubkey": a_chankey.public_key.encode().encode("hex"), "CID_key": a_CIDkey.encode("hex"), "transports": a_transports.values(), } b_rec = { "channel_pubkey": b_chankey.public_key.encode().encode("hex"), "CID_key": b_CIDkey.encode("hex"), "transports": b_transports.values(), } q = ("INSERT INTO addressbook" " (petname, acked, next_outbound_seqnum," " my_signkey," " their_channel_record_json," " my_CID_key, next_CID_token," " highest_inbound_seqnum," " my_old_channel_privkey, my_new_channel_privkey," " they_used_new_channel_key, their_verfkey)" " VALUES(?,?,?,?,?,?,?,?,?,?,?,?)") vA=("petname-from-A", 1, 1, a_signkey.encode().encode("hex"), json.dumps(b_rec), a_CIDkey.encode("hex"), None, 0, a_chankey.encode().encode("hex"), a_chankey.encode().encode("hex"), 0, b_signkey.verify_key.encode().encode("hex"), ) vB=("petname-from-A", 1, 1, b_signkey.encode().encode("hex"), json.dumps(a_rec), b_CIDkey.encode("hex"), None, 0, b_chankey.encode().encode("hex"), b_chankey.encode().encode("hex"), 0, a_signkey.verify_key.encode().encode("hex"), ) nA.db.execute(q, vA) nA.db.commit() nB.db.execute(q, vB) nA.db.commit() entA = nA.db.execute("SELECT * FROM addressbook").fetchone() entB = nB.db.execute("SELECT * FROM addressbook").fetchone() return entA, entB
def test_nacl_encrypt_decrypt(): skbob = PrivateKey.generate() pkbob = skbob.public_key skalice = PrivateKey.generate() pkalice = skalice.public_key message_bytes = nacl.utils.random(SALT_SIZE) encrypted = nacl_encrypt(message_bytes, skbob, pkalice) decrypted = nacl_decrypt(encrypted, skalice, pkbob) assert decrypted == message_bytes
def purchase(self, node_to_ask, contract): """ Send an order message to the vendor. Args: node_to_ask: a `dht.node.Node` object contract: a complete `Contract` object containing the buyer's order """ def parse_response(response): try: address = contract.contract["buyer_order"]["order"]["payment"]["address"] verify_key = nacl.signing.VerifyKey(node_to_ask.signed_pubkey[64:]) verify_key.verify(str(address), response[1][0]) return response[1][0] except Exception: return False public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response)
def create_node(so, stdout=sys.stdout, stderr=sys.stderr): basedir = so["basedir"] if os.path.exists(basedir): print >>stderr, "basedir '%s' already exists, refusing to touch it" % basedir return 1 os.mkdir(basedir) dbfile = os.path.join(basedir, "petmail.db") db = database.get_db(dbfile, stderr) db.execute("INSERT INTO node (webhost, webport) VALUES (?,?)", (so["webhost"], so["webport"])) db.execute("INSERT INTO services (name) VALUES (?)", ("client",)) db.execute("INSERT INTO `client_profile`" " (`name`, `icon_data`) VALUES (?,?)", ("","")) privkey = PrivateKey.generate() TID_tokenid, TID_privkey, TID_token0 = rrid.create() server_desc = { "transport_privkey": privkey.encode().encode("hex"), "TID_private_key": TID_privkey.encode("hex"), "local_TID0": TID_token0.encode("hex"), "local_TID_tokenid": TID_tokenid.encode("hex"), } db.execute("INSERT INTO mailbox_server_config" " (private_descriptor_json, enable_retrieval)" " VALUES (?,?)", (json.dumps(server_desc), 0)) db.commit() print >>stdout, "node created in %s" % basedir return 0
def storeAccount(phrase, uid, auth, alias): """ Store new account information @param phrase: new passphrase as bytes @param uid: user id @param auth: authentication token @param alias: user set alias for profile @return: Profile ID of newly created profile and safe """ con = getCursor() # random phrase buffer buffer = nacl.utils.random(nacl.secret.SecretBox.KEY_SIZE) # create safe (db encryption) safe = SecretBox(b''.join((phrase, buffer[len(phrase) - 32:]))) # create new signing_key and verify_key (message signing) skey = nacl.signing.SigningKey.generate() # create new private and public key (message encryption) mkey = PrivateKey.generate() con.execute("INSERT INTO profiles (uid, auth, signing_key, verify_key, private_key, public_key, buffer, alias) " "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", list(encrypt(safe, uid, auth, skey._seed, skey.verify_key.encode(encoder=nacl.encoding.HexEncoder), mkey._private_key, mkey.public_key._public_key)) + [buffer, alias]) profileId = con.lastrowid return profileId, safe
def authenticate(self, permissions=[]): #TODO check is needs to = None keys = PrivateKey.generate() nonce = nacl.utils.random(Box.NONCE_SIZE) payload = { 'app': { 'name': self.name, 'version': self.version, 'vendor': self.vendor, 'id': self.id }, 'publicKey': base64.b64encode(keys.public_key.__bytes__()), 'nonce': base64.b64encode(nonce), 'permissions': permissions } headers = { 'Content-Type': 'application/json' } r = self._post('auth', headers, payload) if r.status_code == 200: responseJson = r.json() cipherText = base64.b64decode(responseJson['encryptedKey']) self.token = responseJson['token'] self.permissions = responseJson['permissions'] self.publicKey = base64.b64decode(responseJson['publicKey']) box = Box(keys, PublicKey(self.publicKey)) data = box.decrypt(cipherText, nonce=nonce) self.symmetricKey = data[0:PrivateKey.SIZE] self.symmetricNonce = data[PrivateKey.SIZE:] return True else: return False
def get_node(node_to_ask): def parse_response(response): if response[0] and response[1][0] == "True": return True elif not response[0]: contract_dict = json.loads(json.dumps(contract.contract, indent=4), object_pairs_hook=OrderedDict) del contract_dict["vendor_order_confirmation"] order_id = digest(json.dumps(contract_dict, indent=4)).encode("hex") self.send_message(Node(unhexlify(guid)), nacl.signing.VerifyKey( contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["guid"], encoder=nacl.encoding.HexEncoder).to_curve25519_public_key().encode(), objects.PlaintextMessage.Type.Value("ORDER_CONFIRMATION"), json.dumps(contract.contract["vendor_order_confirmation"]), order_id, store_only=True) return True else: return False if node_to_ask: public_key = nacl.signing.VerifyKey( contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["guid"], encoder=nacl.encoding.HexEncoder).to_curve25519_public_key() skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, public_key) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrderConfirmation(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def send_message(self, receiving_node, public_key, message_type, message, subject=None): """ Sends a message to another node. If the node isn't online it will be placed in the dht for the node to pick up later. """ pro = Profile().get() if len(message) > 1500: return p = objects.Plaintext_Message() p.sender_guid = self.kserver.node.id p.signed_pubkey = self.kserver.node.signed_pubkey p.encryption_pubkey = PrivateKey(self.signing_key.encode()).public_key.encode() p.type = message_type p.message = message if subject is not None: p.subject = subject if pro.handle: p.handle = pro.handle if pro.avatar_hash: p.avatar_hash = pro.avatar_hash p.timestamp = int(time.time()) signature = self.signing_key.sign(p.SerializeToString())[:64] p.signature = signature skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(p.SerializeToString(), nonce) def get_response(response): if not response[0]: self.kserver.set(digest(receiving_node.id), pkephem, ciphertext) self.protocol.callMessage(receiving_node, pkephem, ciphertext).addCallback(get_response)
def purchase(self, node_to_ask, contract): """ Send an order message to the vendor. Args: node_to_ask: a `dht.node.Node` object contract: a complete `Contract` object containing the buyer's order """ def parse_response(response): try: address = contract.contract["buyer_order"]["order"]["payment"]["address"] chaincode = contract.contract["buyer_order"]["order"]["payment"]["chaincode"] masterkey_b = contract.contract["buyer_order"]["order"]["id"]["pubkeys"]["bitcoin"] buyer_key = derive_childkey(masterkey_b, chaincode) amount = contract.contract["buyer_order"]["order"]["payment"]["amount"] listing_hash = contract.contract["buyer_order"]["order"]["ref_hash"] verify_key = nacl.signing.VerifyKey(node_to_ask.signed_pubkey[64:]) verify_key.verify( str(address) + str(amount) + str(listing_hash) + str(buyer_key), response[1][0]) return response[1][0] except Exception: return False public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext) self.log.info("purchasing contract %s from %s" % (contract.get_contract_id().encode("hex"), node_to_ask)) return d.addCallback(parse_response)
def get_node(node_to_ask): def parse_response(response): if response[0] and response[1][0] == "True": return True elif not response[0]: contract_dict = json.loads(json.dumps(contract.contract, indent=4), object_pairs_hook=OrderedDict) del contract_dict["vendor_order_confirmation"] del contract_dict["buyer_receipt"] order_id = digest(json.dumps(contract_dict, indent=4)).encode("hex") self.send_message(Node(unhexlify(guid)), contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"], objects.Plaintext_Message.Type.Value("RECEIPT"), json.dumps(contract.contract["buyer_receipt"]), order_id, store_only=True) return True else: return False if node_to_ask: public_key = contract.contract["vendor_offer"]["listing"]["id"]["pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callCompleteOrder(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def key_gen(self): """Generate a private key""" import base64, zlib from nacl.public import PrivateKey privObj = PrivateKey.generate() privKey = base64.b64encode(zlib.compress(str(privObj), 9)) return privObj, privKey
def test_wrong_types(): priv = PrivateKey.generate() check_type_error(("PrivateKey must be created from a 32 bytes long " "raw secret key"), PrivateKey, 12) check_type_error(("PrivateKey must be created from a 32 bytes long " "raw secret key"), PrivateKey, priv) check_type_error(("PrivateKey must be created from a 32 bytes long " "raw secret key"), PrivateKey, priv.public_key) check_type_error("PublicKey must be created from 32 bytes", PublicKey, 13) check_type_error("PublicKey must be created from 32 bytes", PublicKey, priv) check_type_error("PublicKey must be created from 32 bytes", PublicKey, priv.public_key) check_type_error("Box must be created from a PrivateKey and a PublicKey", Box, priv, "not a public key") check_type_error("Box must be created from a PrivateKey and a PublicKey", Box, priv.encode(), priv.public_key.encode()) check_type_error("Box must be created from a PrivateKey and a PublicKey", Box, priv, priv.public_key.encode()) check_type_error("Box must be created from a PrivateKey and a PublicKey", Box, priv.encode(), priv.public_key) check_type_error("seed must be a 32 bytes long", PrivateKey.from_seed, b"1")
def send_rekey(self): self.pkey = PrivateKey.generate() msg = six.int2byte(Message.rekey) + encode_varint(self.my_seq) + self.pkey.public_key._public_key mac = self.get_mac(msg) self.my_seq += 1 self._send(msg + mac) self.state = ClientState.rekey
def test_list_request(self): serverkey = PrivateKey.generate() RT = "01234567" # 8 bytes req, tmppub = retrieval.encrypt_list_request(serverkey.public_key.encode(), RT) got_tmppub, boxed0 = server.decrypt_list_request_1(req) ts, got_RT = server.decrypt_list_request_2(got_tmppub, boxed0, serverkey) self.failUnlessEqual(RT, got_RT)
def respond_to_rekey(self, message): # Verify length if not len(message) == 34 + self._mac_length: _logger.info('Invalid length of rekey') # TODO: Multi-byte asequence numbers should also be allowed return # Verify MAC msg, sig = message[:-self._mac_length], message[-self._mac_length:] if not self.verify_mac(message): _logger.info('Invalid MAC on rekey') return # Verify sequence number if not self.validate_and_update_others_seqnum(msg): _logger.info('Invalid sequence number on rekey') return client_pubkey = msg[2:] self.pkey = PrivateKey.generate() self.new_master_key = self.derive_shared_key(client_pubkey) msg = six.int2byte(Message.rekey_response) + encode_varint(self.my_seq) + self.pkey.public_key._public_key self.state = ServerState.rekey full_msg = msg + self.get_mac(msg) self._send(full_msg) self.my_seq += 1
def get_node(node_to_ask, recipient_guid, public_key): def parse_response(response): if not response[0]: self.send_message( Node(unhexlify(recipient_guid)), nacl.signing.VerifyKey(public_key, encoder=nacl.encoding.HexEncoder) .to_curve25519_public_key() .encode(), objects.PlaintextMessage.Type.Value("DISPUTE_OPEN"), json.dumps(contract), order_id, store_only=True, ) if node_to_ask: enc_key = nacl.signing.VerifyKey( public_key, encoder=nacl.encoding.HexEncoder ).to_curve25519_public_key() skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, enc_key) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract, indent=4), nonce) d = self.protocol.callDisputeOpen(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def __new__(cls, microdescriptor): relay_identity = decodeMicrodescriptorIdentifier(microdescriptor) relay_ntor_onion_key = base64.b64decode(microdescriptor.ntor_onion_key) secret_key = PrivateKey.generate() public_key = secret_key.public_key return super(NTorState, cls).__new__( cls, relay_identity, relay_ntor_onion_key, secret_key, public_key)
def getauth(secret=''): if secret != '': try: return nacl.public.PrivateKey(secret,encoder=nacl.encoding.HexEncoder) except: raise err.api('invalid secret') else: return PrivateKey.generate()
def generate_key_hex(self): """ Generate a new private key and return a pair with the hex encodings of (priv_key, pub_key). """ key = PrivateKey.generate() priv_key = key.encode(encoder=HexEncoder) pub_key = key.public_key.encode(encoder=HexEncoder) return priv_key.decode('ascii'), pub_key.decode('ascii')
def test_list_entry(self): symkey = os.urandom(32) tmppriv = PrivateKey.generate() tmppub = tmppriv.public_key.encode() entry, fetch_token, delete_token = server.create_list_entry(symkey, tmppub, 1234) got_fetch_token, got_delete_token, length = retrieval.decrypt_list_entry(entry, symkey, tmppub) self.failUnlessEqual(fetch_token, got_fetch_token) self.failUnlessEqual(delete_token, got_delete_token) self.failUnlessEqual(length, 1234)
def test_sealed_box_too_short_msg(): empty_plaintext = b'' k = PrivateKey.generate() enc_box = SealedBox(k.public_key) dec_box = SealedBox(k) msg = enc_box.encrypt(empty_plaintext) with pytest.raises(CryptoError): dec_box.decrypt(msg[:-1])
def generate_key(self): """ Generate a new private key and return a pair with the base64 encodings of (priv_key, pub_key). """ key = PrivateKey.generate() priv_key = key.encode(encoder=Base64Encoder) pub_key = key.public_key.encode(encoder=Base64Encoder) return (u'{}'.format(priv_key), u'{}'.format(pub_key))
def startInvitation(self, petname, code, transports): #print "invite", petname, code.encode("hex") stretched = stretch(code) inviteKey = SigningKey(stretched) inviteID = inviteKey.verify_key.encode(Hex) mySigningKey = SigningKey.generate() myCIDkey = os.urandom(32) myTempPrivkey = PrivateKey.generate() # create my channel record tids = ",".join([str(tid) for tid in sorted(transports.keys())]) channel_key = PrivateKey.generate() pub_crec = { "channel_pubkey": channel_key.public_key.encode(Hex), "CID_key": myCIDkey.encode("hex"), "transports": transports.values(), } priv_data = { "my_signkey": mySigningKey.encode(Hex), "my_CID_key": myCIDkey.encode("hex"), "my_old_channel_privkey": channel_key.encode(Hex), "my_new_channel_privkey": channel_key.encode(Hex), "transport_ids": tids, } db = self.db c = db.execute("SELECT inviteID FROM invitations") if inviteID in [str(row[0]) for row in c.fetchall()]: raise CommandError("invitation code already in use") iid = db.insert("INSERT INTO `invitations`" " (code, petname, inviteKey," " inviteID," " myTempPrivkey, mySigningKey," " my_channel_record, my_private_channel_data," " myMessages, theirMessages, nextExpectedMessage)" " VALUES (?,?,?, ?, ?,?, ?,?, ?,?,?)", (code.encode("hex"), petname, stretched.encode("hex"), inviteID, myTempPrivkey.encode(Hex), mySigningKey.encode(Hex), json.dumps(pub_crec), json.dumps(priv_data), "", "", 1), "invitations") self.subscribe(inviteID) i = Invitation(iid, self.db, self) i.sendFirstMessage() self.db.commit()
def __init__(self, relay): ''' :param stem.descriptor.server_descriptor.RelayDescriptor relay: the relay that we're doing an ntor handshake with ''' self._signing_key = tools.signingKeyToSHA1(relay.signing_key) self._ntor_onion_key = base64.b64decode(relay.ntor_onion_key) self._secret_key = PrivateKey.generate() self._public_key = self._secret_key.public_key self.is_bad = False
def asymmetricEncryption(toEncrypt): #generiranje privatnog kljuca posiljatelja koji mora ostati tajan skSender = PrivateKey.generate() #generiranje javnog kljuca posiljatelja pkSender = skSender.public_key #generiranje privatnog kljuca primatelja koji mora ostati tajan skReceiver = PrivateKey.generate() #generiranje javnog kljuca primatelja pkReceiver = skReceiver.public_key #"kutija" s posiljateljevim privatnim kljucem i primateljevim javnim kljucem #sluzi za enkriptiranje poruke senderBox = Box(skSender, pkReceiver) #broj koji se koristi samo jednom, ne smatra se tajnim i moze ga se slati uz enkriptiranu poruku #dobar izvor za nonce su nasumicna 24 byta nonce = nacl.utils.random(Box.NONCE_SIZE) #enkriptiranje poruke koja ce potom biti dulja za tocno 40 byta od originalne poruke #razlog tome je informacija o autentifikaciji i nonce koji se pohranjuju uz nju encrypted = senderBox.encrypt(toEncrypt, nonce, encoder = nacl.encoding.Base64Encoder) return pkSender, skReceiver, encrypted
def test_sealed_box_zero_length_plaintext(): empty_plaintext = b'' k = PrivateKey.generate() enc_box = SealedBox(k.public_key) dec_box = SealedBox(k) msg = enc_box.encrypt(empty_plaintext) decoded = dec_box.decrypt(msg) assert decoded == empty_plaintext
def setUp(self): super(RekeyCompleteTest, self).setUp() self.session.send_rekey() rekey_msg = self.channel.sent_messages.pop(0).msg self.client_pubkey = rekey_msg[2:-self.mac_len] pkey = PrivateKey.generate() msg = b'\x83\x00' + pkey.public_key._public_key mac = self.get_mac(msg) response = self.get_response(msg + mac).msg self.new_shared_key = crypto_scalarmult(pkey._private_key, self.client_pubkey)
def test_wrong_types(): priv = PrivateKey.generate() check_type_error(("SealedBox must be created from a PublicKey" " or a PrivateKey"), SealedBox, priv.encode()) check_type_error(("SealedBox must be created from a PublicKey" " or a PrivateKey"), SealedBox, priv.public_key.encode()) with pytest.raises(TypeError): SealedBox(priv, priv.public_key)
def generate_keypair(kB, client_id): """Given a kbR and a client_id returned from the FxA auth server returns a key pair (public+encrypted private key) """ kBr = get_kBr(kB, client_id) priv = PrivateKey.generate() pub = priv.public_key pub = binascii.hexlify(pub.encode()) priv = binascii.hexlify(priv.encode()) encrypted_priv = encrypt_data(priv, kBr) return pub, priv, encrypted_priv
def test_responds_to_valid_rekey_response(self): pkey = PrivateKey.generate() msg = b'\x83\x02' + pkey.public_key._public_key mac = self.get_mac(msg) response = self.get_response(msg + mac).msg self.assert_message_type(response, 0x04) self.assertEqual(len(response), 1 + self.mac_len) shared_key = crypto_scalarmult(pkey._private_key, self.client_pubkey) mac_func = getattr(hashlib, self.mac) expected_mac = mac_func(shared_key + response[:-self.mac_len]).digest()[:self.mac_len] self.assertEqual(response[-self.mac_len:], expected_mac) self.assertEqual(self.session.state, ClientState.wait_for_rekey_complete)
def __init__( self, nursery: trio.Nursery, key: PrivateKey = None, whitelist: Optional[PublicKey] = None ): self.nursery = nursery self.contexts: Dict[IPv4Address, UDPContext] = {} self.conn_cb: Optional[Callable[[UDPContext], None]] = None self.sock = trio.socket.socket( socket.AF_INET, socket.SOCK_DGRAM ) self.key = PrivateKey.generate() if key is None else key self.whitelist = whitelist
def generate_keys(): logging.info("generating public-private key pair") # create public/private pair private_key = PrivateKey.generate() public_key = private_key.public_key key_length = private_key.SIZE * 8 # get key strings public_key = public_key.encode(encoder=nacl.encoding.HexEncoder).decode() private_key = private_key.encode(encoder=nacl.encoding.HexEncoder).decode() # return key pair as dictionary return({ "key_length_bits": key_length, "public_key": public_key, "private_key": private_key })
def keyMake(node, path): ## create a public, private, and signature key set # generate the encryption keypair key = PrivateKey.generate() # generate the signature key sig = nacl.signing.SigningKey.generate() verify = sig.verify_key sig_hex = verify.encode(encoder=nacl.encoding.HexEncoder) # write all of the keys to file with open(path + '/' + node + '.sig', 'w+') as signing_key: pickle.dump(sig, signing_key) with open(path + '/' + node + '.sighex', 'w+') as verify_hex: pickle.dump(sig_hex, verify_hex) with open(path + '/' + node + '.private', 'w+') as private: pickle.dump(key, private) with open(path + '/' + node + '.public', 'w+') as public: pickle.dump(key.public_key, public)
def __init__(self, application_namespace): # Save the application namespace self.application_namespace = application_namespace # Generate a private key self.private_key = PrivateKey.generate() # Generate a signing key self.signing_key = SigningKey.generate() # Create subject for incoming payloads self.incoming_payload = rx.subject.Subject() # Create a set of reachable instances self.reachable_peers: Set[InstanceReference] = set() # Create subject for newly reachable instances self.incoming_greeting = rx.subject.Subject()
def __init__(self, nursery: trio.Nursery, addr: IPv4Address = ("0.0.0.0", 12000), key: PrivateKey = None, max_rounds: int = 2): self.nursery = nursery self.addr = addr self.max_rounds = max_rounds if key is None: self.key = PrivateKey.generate() else: self.key = PrivateKey(bytes.fromhex(key)) self.nodes: Dict[PublicKey, BoxerRemoteNode] = {} self.fights: Dict[str, BoxerFight] = {} self.fightidmngr = SessionIDManager()
def test_rekey(self): pkey = PrivateKey.generate() msg = b'\x03\x00' + pkey.public_key._public_key response = self.send_with_mac(msg).msg self.assertEqual(len(response), 34 + self.mac_len) self.assert_correct_mac(response) self.assertEqual(six.byte2int(response[1:]), 0x00) self.assert_message_type(response, 0x83) server_pubkey = response[2:-self.mac_len] new_shared_secret = crypto_scalarmult(pkey._private_key, server_pubkey) # Send confirm self.session_key = new_shared_secret msg = b'\x04' response = self.send_with_mac(msg).msg self.assert_correct_mac(response) self.assert_message_type(response, 0x84) self.assertEqual(self.session_key, self.channel.shared_key)
def __init__(self, server, reader, writer): self.proxy_writer = None self.proxy_reader = None self.__reader = reader self.client_writer = writer self.key = PrivateKey.generate() self.client_key = None self.proxy_pub_key = self.key.public_key self.proxy_pub_key_b64 = self.key.public_key.encode( encoder=nacl.encoding.Base64Encoder) self.aes_key = None self.encrypt = False self.AES = None self.server = server self.logger = server.logger
def get_cybersource_test_settings(private_key=None): """ Generates a valid set of settings for CyberSource """ if private_key is None: private_key = PrivateKey.generate() return { "CYBERSOURCE_WSDL_URL": (f"http://localhost/service/CyberSourceTransaction_{SERVICE_VERSION}.wsdl" ), "CYBERSOURCE_MERCHANT_ID": "merchant_id", "CYBERSOURCE_TRANSACTION_KEY": "transaction_key", "CYBERSOURCE_INQUIRY_LOG_NACL_ENCRYPTION_KEY": Base64Encoder.encode(bytes(private_key.public_key)), }
def read_config_file(commandlineoptions=None): global config_file if os.path.exists(config_file): with open(config_file, 'r') as f: return yaml.load(f) else: # generate the config file for the client including the secret key # which must be kept secret config = dict() config['own_sk'] = PrivateKey.generate() config['registration_successful'] = False config['server_pk'] = PublicKey( commandlineoptions.server_pk_str.decode('hex')) config['contact_list'] = list() config['username'] = "******" config['status_msg'] = "Testing OnionPIR..." save_config_file(config) return config
def apply(document, config): """ Generates a deploy key, injects config/master keys and performs the extra deployment time encryption of secrets. """ url = util.rget(document, 'secretary', 'url') if not url: return config # Check for encrypted secrets found = False for key, value in config.get('env', {}).iteritems(): envelopes = extractEnvelopes(value) found = found or envelopes # e.g. dots aren't valid in a shell identifier, so `secretary decrypt -e` wouldn't work with them if envelopes and not _SHELL_IDENTIFIER_RE.match(key): raise RuntimeError(( "The env var '%s' has an encrypted value but its name is not a valid shell script identifier and not supported by Secretary. " + "Only alphanumeric characters and underscores are supported, starting with an alphabetic or underscore character." + "Please check https://github.com/meltwater/lighter#secrets-management ." ) % key) # Avoid adding public keys if no secrets present if not found: return config result = deepcopy(config) masterKey = decodePublicKey( util.rget(document, 'secretary', 'master', 'publickey')) result['env'] = result.get('env', {}) result['env']['SECRETARY_URL'] = url result['env']['MASTER_PUBLIC_KEY'] = encodeKey(masterKey) # Autogenerate a deploy key deployKey = PrivateKey.generate() result['env']['DEPLOY_PRIVATE_KEY'] = KeyValue(encodeKey(deployKey)) result['env']['DEPLOY_PUBLIC_KEY'] = KeyValue( encodeKey(deployKey.public_key)) return result
def generate_keys(): # Generate applications public and private key # In practice, these would be set externally and stored outside the repository sk = PrivateKey.generate() pk = sk.public_key # write to filesfor access if they don't exist sk_path = os.path.join(os.path.dirname(__file__), "..", "private_key") if not os.path.exists(sk_path): # write as binary with open(sk_path, 'wb') as f: sk_bytes = bytes(sk) f.write(sk_bytes) pk_path = os.path.join(os.path.dirname(__file__), "..", "public_key") if not os.path.exists(pk_path): with open(pk_path, 'wb') as f: pk_bytes = bytes(pk) f.write(pk_bytes)
def operator_key_pair_create(): try: privKey = PrivateKey.generate() pubKey = privKey.public_key key_pair_res = { "DID": ''.join(random.choices(string.ascii_uppercase + string.ascii_lowercase + string.digits, k=22)), "public_key": binascii.b2a_base64(bytes(pubKey)).decode("utf-8").strip(), "private_key": binascii.b2a_base64(bytes(privKey)).decode("utf-8").strip(), "timestamp": str(int(time.time())) } client_key_res = copy.deepcopy(key_pair_res) mongo_setup_provider.key_pair_col.insert_one(key_pair_res) return jwt.encode(client_key_res, os.environ["VPNAAS_KEY"], algorithm="HS256") except Exception as error: logger.error(error) sys.exit() #tl.start(block=False)
def NACL_sealedBox_encrypt(text): # Generate Bob's private key, as we've done in the Box example skbob = PrivateKey.generate() pkbob = skbob.public_key # Alice wishes to send a encrypted message to Bob, # but prefers the message to be untraceable sealed_box = SealedBox(pkbob) # This is Alice's message message = bytes(text,'utf-8') # Encrypt the message, it will carry the ephemeral key public part # to let Bob decrypt it encrypted = sealed_box.encrypt(message) #Now, Bob wants to read the secret message he just received; therefore he must create a SealedBox using his own #private key: unseal_box = SealedBox(skbob) # decrypt the received message plaintext = unseal_box.decrypt(encrypted) print(plaintext.decode('utf-8')) return True
def __init__(self, user, keyring, filename=None): """ we want to keep all the cryptographic functions as side-effect free as possible, so when we instantiate a keyring we'll do as much of the setup and I/O as possible. """ self.keyring = keyring if not filename: filename = keyring.lstrip('/key').replace('/', '.') filename = os.path.join(DIR, '{}.{}'.format(user, filename)) try: self._load_from_private_keyfile(filename) except FileNotFoundError: self.enc_key = PrivateKey.generate() self.signing_key = nacl.signing.SigningKey.generate() self.enc_key_id = uuid.uuid4().hex self.signing_key_id = uuid.uuid4().hex self._to_private_keyfile(filename)
def purchase(self, node_to_ask, contract): """ Send an order message to the vendor. Args: node_to_ask: a `dht.node.Node` object contract: a complete `Contract` object containing the buyer's order """ def parse_response(response): try: address = contract.contract["buyer_order"]["order"]["payment"][ "address"] chaincode = contract.contract["buyer_order"]["order"][ "payment"]["chaincode"] masterkey_b = contract.contract["buyer_order"]["order"]["id"][ "pubkeys"]["bitcoin"] buyer_key = derive_childkey(masterkey_b, chaincode) amount = contract.contract["buyer_order"]["order"]["payment"][ "amount"] listing_hash = contract.contract["buyer_order"]["order"][ "ref_hash"] verify_key = nacl.signing.VerifyKey( node_to_ask.signed_pubkey[64:]) verify_key.verify( str(address) + str(amount) + str(listing_hash) + str(buyer_key), response[1][0]) return response[1][0] except Exception: return False public_key = contract.contract["vendor_offer"]["listing"]["id"][ "pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrder(node_to_ask, pkephem, ciphertext) self.log.info("purchasing contract %s from %s" % (contract.get_contract_id().encode("hex"), node_to_ask)) return d.addCallback(parse_response)
def test_login_failure_no_public_key(self): """ Test to login without public_key """ # our public / private key box box = PrivateKey.generate() # our hex encoded public / private keys user_session_private_key_hex = box.encode( encoder=nacl.encoding.HexEncoder).decode() user_session_public_key_hex = box.public_key.encode( encoder=nacl.encoding.HexEncoder).decode() server_crypto_box = Box( PrivateKey(user_session_private_key_hex, encoder=nacl.encoding.HexEncoder), PublicKey(settings.PUBLIC_KEY, encoder=nacl.encoding.HexEncoder)) login_info_nonce = nacl.utils.random(nacl.secret.SecretBox.NONCE_SIZE) encrypted = server_crypto_box.encrypt( json.dumps({ 'username': self.test_username, 'authkey': self.test_authkey, }).encode("utf-8"), login_info_nonce) login_info_encrypted = encrypted[len(login_info_nonce):] data = { 'login_info': nacl.encoding.HexEncoder.encode(login_info_encrypted).decode(), 'login_info_nonce': nacl.encoding.HexEncoder.encode(login_info_nonce).decode(), # 'public_key': user_session_public_key_hex, } url = reverse('authentication_login') models.Token.objects.all().delete() response = self.client.post(url, data) self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
def show_cluster_config(cluster_id: str) -> dict: box = PrivateKey.generate() private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder) public_key_hex = box.public_key.encode(encoder=nacl.encoding.HexEncoder) if not cluster_id or cluster_id == 'None': return { 'error': 'CLUSTER_ID required' } try: cluster = Fileserver_Cluster.objects.filter(pk=cluster_id).get() except Fileserver_Cluster.DoesNotExist: return { 'error': 'A cluster with this id was not found. You can use "fsclusterlist" to display all' } if cluster.links.count() == 0: return { 'error': ' Shard: Not found for this cluster. You can create one with "fsshardcreate TITLE \'Some description\'" and then link it to this cluster with "fsshardlink ' + str( cluster.id) + ' SHARD_ID"' } uni = string.ascii_letters + string.digits + string.punctuation print('SECRET_KEY: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"'))) print('PRIVATE_KEY: ' + repr(str(private_key_hex.decode()))) print('PUBLIC_KEY: ' + repr(str(public_key_hex.decode()))) print('SERVER_URL: ' + repr(settings.HOST_URL)) print('SERVER_PUBLIC_KEY: ' + repr(settings.PUBLIC_KEY)) print("CLUSTER_ID: '"+ str(cluster.id) +"'") print("CLUSTER_PRIVATE_KEY: '"+ str(decrypt_with_db_secret(cluster.auth_private_key)) +"'") shards = [] for links in cluster.links.all(): shards.append('{shard_id: ' + str(links.shard_id) + ', read: ' + str(links.read) + ', write: ' + str(links.write) + ', delete: ' + str(links.delete_capability) + ', allow_link_shares: ' + str(links.allow_link_shares) + ', engine: {class: \'local\', kwargs: {location: \'/opt/psono-shard/'+ str(links.shard_id) +'\'}}}') print("SHARDS: ["+','.join(shards)+"]") return {}
def get_node(node_to_ask, recipient_guid, public_key): def parse_response(response): if not response[0]: self.send_message(Node(unhexlify(recipient_guid)), public_key, objects.PlaintextMessage.Type.Value("DISPUTE_CLOSE"), dispute_json, order_id, store_only=True) if node_to_ask: skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt(json.dumps(dispute_json, indent=4), nonce) d = self.protocol.callDisputeClose(node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def fake_transport(): privkey = PrivateKey.generate() pubkey_hex = privkey.public_key.encode().encode("hex") TID_tokenid, TID_privkey, TID_token0 = rrid.create() private = { "privkey": privkey, "TID": (TID_tokenid, TID_privkey, TID_token0) } # this is what lives in our database. All channels that share the same # transport will use the same thing. db_record = { "for_sender": { "type": "test-return", "transport_pubkey": pubkey_hex, }, "for_recipient": { "TID": TID_token0.encode("hex") }, } return private, db_record
def rotate_user_key(args): """Rotates the user main key. Required when a device was removed to keep future content safe. Maximum rotation rate once per second, but please don't: it will just make the user identity block bloated, eventually blocking the user by upload limit. """ username = get_username(args) user_storage = LocalStorage(username) old_signing = _get_user_signingkey(username) old_private = _get_user_privatekey(username) timestamp = get_timestamp_seconds() with user_storage as us: us["signingkey"] = SigningKey.generate().encode() us["privatekey"] = PrivateKey.generate().encode() us["previous_keys"][timestamp] = { "signingkey": us["signingkey"], "privatekey": us["privatekey"], }
def setUp(self): box = PrivateKey.generate() private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder) public_key_hex = box.public_key.encode( encoder=nacl.encoding.HexEncoder) private_key_hex = encrypt_with_db_secret(private_key_hex.decode()) public_key_hex = encrypt_with_db_secret(public_key_hex.decode()) self.cluster = models.Fileserver_Cluster.objects.create( title='Some Title', auth_public_key=public_key_hex, auth_private_key=private_key_hex, file_size_limit=0, ) self.shard = models.Fileserver_Shard.objects.create( title='Some Title', description='Some description', )
def new_shop(req: ShopCreateRequest): try: b64decode(req.shop_pub_key) except binascii.Error: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail='公鑰錯誤') shop = Shop(name=req.name, shop_pub_key=req.shop_pub_key) private_key = PrivateKey.generate() box = SecretBox(SERVER_MASTER_SECRET) try: Secret(shop=shop, server_secret_key=b64encode( box.encrypt(private_key._private_key)).decode('ascii')) commit() except TransactionIntegrityError: rollback() raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail='公鑰已被使用') return b64encode(private_key.public_key._public_key).decode('ascii')
def __init__(self, reactor, host, port, serverKey, serverExtension, clientKey=None, clientExtension='\x00' * 16): self.reactor = reactor self.host = host self.port = port self.serverKey = serverKey self.serverExtension = serverExtension if clientKey is None: clientKey = PrivateKey.generate() self.clientKey = clientKey self.clientExtension = clientExtension self._funcs = [] self.setupClient() self.delayedCall = None
def get_wg_keys(self, ifname): private_key_path = f"/etc/syntropy-agent/privatekey-{ifname}" public_key_path = f"/etc/syntropy-agent/publickey-{ifname}" private_key = Path(private_key_path) public_key = Path(public_key_path) if not private_key.is_file() or not public_key.is_file(): privKey = PrivateKey.generate() pubKey = base64.b64encode(bytes(privKey.public_key)) privKey = base64.b64encode(bytes(privKey)) base64_privKey = privKey.decode('ascii') base64_pubKey = pubKey.decode('ascii') private_key.write_text(base64_privKey) public_key.write_text(base64_pubKey) private_key.chmod(0o600) public_key.chmod(0o600) if self.wg_kernel: return public_key.read_text().strip(), private_key.read_text( ).strip() else: return public_key.read_text().strip(), private_key_path
def start(): if not os.path.exists("keys.txt"): secretkey = PrivateKey.generate() publickey = secretkey.public_key publickey64 = publickey.encode(Base64Encoder).decode("utf8") secretkey64 = secretkey.encode(Base64Encoder).decode("utf8") with open("keys.txt", "w") as myfile: myfile.write(publickey64) myfile.write("\n") myfile.write(secretkey64) else: with open("keys.txt", "r") as myfile: publickey64 = myfile.readline() secretkey64 = myfile.readline() #publickey = nacl.public.PublicKey(publickey64, nacl.encoding.Base64Encoder) secretkey = nacl.public.PrivateKey(secretkey64, nacl.encoding.Base64Encoder) print(secretkey) return secretkey
def handle(self, *args, **options): uni = string.ascii_letters + string.digits + string.punctuation box = PrivateKey.generate() private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder) public_key_hex = box.public_key.encode(encoder=nacl.encoding.HexEncoder) print('') print('# Copy paste this content into your settings.yml and replace existing occurrences') print('# ') print('# WARNING: Do this only for a fresh installation!') print('# Changing those variables afterwards will break the program e.g.:') print('# Activation links will not work, Server will not be able to read user emails, ...') print('') print('SECRET_KEY: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"'))) print('ACTIVATION_LINK_SECRET: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"'))) print('DB_SECRET: ' + repr((''.join([random.SystemRandom().choice(uni) for i in range(50)])).replace('\'', '"'))) print('EMAIL_SECRET_SALT: ' + repr(str(bcrypt.gensalt().decode()))) print('PRIVATE_KEY: ' + repr(str(private_key_hex.decode()))) print('PUBLIC_KEY: ' + repr(str(public_key_hex.decode()))) print('')
def decrypt(self, packetID, payload): if packetID == 20100: self.sessionKey = payload[4:] self.sk = PrivateKey.generate() self.pk = self.sk.public_key return payload elif packetID == 20103 and not self.sessionKey: return payload elif packetID == 22280 or (packetID == 20103 and self.sessionKey): nonce = Nonce(self.encryptNonce, self.pk, self.serverKey) decrypted = self.decryptPacket(payload, nonce) self.sharedKey = Box.decode(decrypted[24:56]) # Overwrite the previous sharedKey self.decryptNonce = Nonce(decrypted[:24]) return decrypted[56:] else: return self.decryptPacket(payload)
def get_node(node_to_ask): def parse_response(response): if response[0] and response[1][0] == "True": return True elif not response[0]: contract_dict = json.loads(json.dumps(contract.contract, indent=4), object_pairs_hook=OrderedDict) del contract_dict["vendor_order_confirmation"] order_id = digest(json.dumps(contract_dict, indent=4)).encode("hex") self.send_message( Node(unhexlify(guid)), contract.contract["buyer_order"]["order"]["id"] ["pubkeys"]["encryption"], objects.Plaintext_Message.Type.Value( "ORDER_CONFIRMATION"), json.dumps( contract.contract["vendor_order_confirmation"]), order_id, store_only=True) return True else: return False if node_to_ask: public_key = contract.contract["buyer_order"]["order"]["id"][ "pubkeys"]["encryption"] skephem = PrivateKey.generate() pkephem = skephem.public_key.encode(nacl.encoding.RawEncoder) box = Box(skephem, PublicKey(public_key, nacl.encoding.HexEncoder)) nonce = nacl.utils.random(Box.NONCE_SIZE) ciphertext = box.encrypt( json.dumps(contract.contract, indent=4), nonce) d = self.protocol.callOrderConfirmation( node_to_ask, pkephem, ciphertext) return d.addCallback(parse_response) else: return parse_response([False])
def setUp(self): box = PrivateKey.generate() self.cluster_private_key_hex = box.encode(encoder=nacl.encoding.HexEncoder).decode() self.cluster_public_key_hex = box.public_key.encode(encoder=nacl.encoding.HexEncoder).decode() private_key = encrypt_with_db_secret(self.cluster_private_key_hex) public_key = encrypt_with_db_secret(self.cluster_public_key_hex) self.cluster1 = Fileserver_Cluster.objects.create( title='Some Fileserver Cluster Title', auth_public_key=public_key, auth_private_key=private_key, file_size_limit=0, ) self.shard1 = Fileserver_Shard.objects.create( title='Some Shard Title', description='Some Shard Description', ) self.link1 = Fileserver_Cluster_Shard_Link.objects.create( cluster=self.cluster1, shard=self.shard1, read=True, write=True, ) token_hash = TokenAuthentication.user_token_to_token_hash('abc') self.fileserver1 = Fileserver_Cluster_Members.objects.create( create_ip='127.0.0.1', fileserver_cluster=self.cluster1, key=token_hash, public_key=binascii.hexlify(os.urandom(settings.USER_PUBLIC_KEY_LENGTH_BYTES)).decode(), secret_key=binascii.hexlify(os.urandom(settings.USER_PUBLIC_KEY_LENGTH_BYTES)).decode(), url='https://fs01.example.com/fileserver', read=True, write=True, delete_capability=True, valid_till=timezone.now() + datetime.timedelta(seconds=30), )
def _replyWithCookie(self, data, host_port): if len(data) != _helloStruct.size: return serverExtension, clientExtension, clientShortPubkey, nonce, encrypted = _helloStruct.unpack( data) serverLongClientShort = Box(self.serverKey.key, PublicKey(clientShortPubkey)) try: serverLongClientShort.decrypt(encrypted, 'CurveCP-client-H' + nonce) except CryptoError: return serverShortKey = PrivateKey.generate() unencryptedCookie = clientShortPubkey + str(serverShortKey) cookieNonce = self.serverKey.nonce(longterm=True) cookie = cookieNonce + self._secretBox.encrypt( unencryptedCookie, 'c' * 8 + cookieNonce).ciphertext boxData = str(serverShortKey.public_key) + cookie cookiePacket = ('RL3aNMXK' + clientExtension + serverExtension + cookieNonce + serverLongClientShort.encrypt( boxData, 'CurveCPK' + cookieNonce).ciphertext) self.transport.write(cookiePacket, host_port)