def test_generate_sign_verify(self):
msg = b'1234567890ABCDEFGH'
k1 = rsa_key.RSAKey()
k1.generate(1024)
sig = k1.sign(msg)
assert k1.verify(sig, msg, signature_as_digits=True)
k2 = rsa_key.RSAKey()
k2.fromString(k1.toPublicString())
assert k2.verify(sig, msg) is True
sig_raw = k1.sign(msg, as_digits=False)
assert k2.verify(sig_raw, msg, signature_as_digits=False) is True
def test_many_times(self):
for _ in range(10):
k1 = rsa_key.RSAKey()
k1.generate(1024)
k2 = rsa_key.RSAKey()
k2.fromString(k1.toPublicString())
for _ in range(100):
msg = cipher.make_key()
sig = k1.sign(msg)
if not k2.verify(sig, msg):
assert False, (k1.toPrivateString(), msg, sig)
def generate_key(key_id, label='', key_size=4096, keys_folder=None):
"""
"""
if key_id in known_keys():
lg.warn('key "%s" already exists' % key_id)
return None
if not label:
label = 'key%s' % utime.make_timestamp()
if _Debug:
lg.out(
_DebugLevel, 'my_keys.generate_key "%s" of %d bits, label=%r' %
(key_id, key_size, label))
key_object = rsa_key.RSAKey()
key_object.generate(key_size)
key_object.label = label
known_keys()[key_id] = key_object
if _Debug:
lg.out(_DebugLevel, ' key %s generated' % key_id)
if not keys_folder:
keys_folder = settings.KeyStoreDir()
save_key(key_id, keys_folder=keys_folder)
events.send('key-generated',
data=dict(
key_id=key_id,
label=label,
key_size=key_size,
))
return key_object
def load_local_keys(keys_folder=None):
"""
"""
if not keys_folder:
keys_folder = settings.KeyStoreDir()
if _Debug:
lg.out(_DebugLevel,
'my_keys.load_local_keys will read files from %s' % keys_folder)
known_keys().clear()
count = 0
for key_filename in os.listdir(keys_folder):
key_filepath = os.path.join(keys_folder, key_filename)
try:
key_object = rsa_key.RSAKey()
key_object.fromFile(key_filepath)
except:
lg.exc()
continue
if not key_object.isPublic():
if not validate_key(key_object):
lg.warn('validation failed for %s' % key_filepath)
continue
key_id = key_filename.replace('.private', '').replace('.public', '')
if not is_valid_key_id(key_id):
lg.warn('key_id is not valid: %s' % key_id)
continue
known_keys()[key_id] = key_object
count += 1
if _Debug:
lg.out(_DebugLevel, ' %d keys loaded' % count)
def load_key(key_id, keys_folder=None):
global _LatestLocalKeyID
if not is_valid_key_id(key_id):
lg.warn('key is not valid: %r' % key_id)
return False
key_dict = read_key_file(key_id, keys_folder=keys_folder)
try:
key_object = rsa_key.RSAKey()
key_object.fromDict(key_dict)
except:
lg.exc()
return False
if not key_object.isPublic():
if not validate_key(key_object):
lg.warn('validation failed for: %r' % key_id)
return False
known_keys()[key_id] = key_object
if key_dict.get('need_to_convert'):
save_key(key_id, keys_folder=keys_folder)
lg.info('key %r format converted to JSON' % key_id)
else:
if key_object.local_key_id is not None:
if _LatestLocalKeyID < key_object.local_key_id:
_LatestLocalKeyID = key_object.local_key_id
save_latest_local_key_id(keys_folder=keys_folder)
local_keys()[key_object.local_key_id] = key_id
local_keys_index()[
key_object.toPublicString()] = key_object.local_key_id
if _Debug:
lg.out(
_DebugLevel,
'my_keys.load_key %r label=%r is_private=%r local_key_id=%r from %s'
% (
key_id,
key_object.label,
not key_object.isPublic(),
key_object.local_key_id,
keys_folder,
))
else:
lg.warn('for key %r local_key_id was not set' % key_id)
events.send('key-loaded',
data=dict(
key_id=key_id,
label=key_object.label,
key_size=key_object.size(),
))
listeners.push_snapshot('key',
snap_id=key_id,
data=make_key_info(
key_object=key_object,
key_id=key_id,
event='key-loaded',
include_private=False,
include_local_id=True,
include_signature=True,
include_label=True,
))
return True
def DecryptOpenSSHPrivateKey(privkeystring, inp):
"""
Decrypt ``inp`` string with a Private Key provided as string in PEM format.
"""
priv_key = rsa_key.RSAKey()
priv_key.fromString(privkeystring)
result = priv_key.decrypt(inp)
return result
def EncryptOpenSSHPublicKey(pubkeystring, inp):
"""
Encrypt ``inp`` string with given Public Key.
"""
pub_key = rsa_key.RSAKey()
pub_key.fromString(pubkeystring)
result = pub_key.encrypt(inp)
return result
def unserialize_key_to_object(raw_string):
try:
key_object = rsa_key.RSAKey()
key_object.fromString(raw_string)
except:
lg.exc()
return None
return key_object
def load_key(key_id, keys_folder=None):
"""
"""
if not is_valid_key_id(key_id):
lg.warn('key_id is not valid: %s' % key_id)
return False
if not keys_folder:
keys_folder = settings.KeyStoreDir()
key_filepath = os.path.join(keys_folder, '%s.private' % key_id)
is_private = True
if not os.path.exists(key_filepath):
key_filepath = os.path.join(keys_folder, '%s.public' % key_id)
is_private = False
key_raw = local_fs.ReadTextFile(key_filepath)
if not key_raw:
lg.warn('failed reading key from %r' % key_filepath)
return False
key_raw_strip = key_raw.strip()
need_to_convert = False
try:
if key_raw_strip.startswith('{') and key_raw_strip.endswith('}'):
key_dict = jsn.loads_text(key_raw_strip)
else:
key_dict = {
'label': key_id,
'body': key_raw_strip,
}
need_to_convert = True
except:
lg.exc()
return False
try:
key_object = rsa_key.RSAKey()
key_object.fromDict(key_dict)
except:
lg.exc()
return False
if not key_object.isPublic():
if not validate_key(key_object):
lg.warn('validation failed for %s' % key_filepath)
return False
known_keys()[key_id] = key_object
if _Debug:
lg.out(
_DebugLevel,
'my_keys.load_key %r label=%r is_private=%r from %s' % (
key_id,
key_object.label,
is_private,
keys_folder,
))
if need_to_convert:
save_key(key_id, keys_folder=keys_folder)
lg.info('key %r format converted to JSON' % key_id)
return True
def VerifySignature(pubkeystring, hashcode, signature):
"""
Verify signature, this calls function ``Crypto.PublicKey.RSA.verify`` to
verify.
:param keystring: PublicKey in openssh format.
:param hashcode: input data to verify, we use method ``Hash`` to prepare that.
:param signature: string with signature to verify.
Return True if signature is correct, otherwise False.
"""
pub_key = rsa_key.RSAKey()
pub_key.fromString(pubkeystring)
result = pub_key.verify(signature, hashcode)
return result
def LoadMyKey(keyfilename=None):
global _MyKeyObject
if keyfilename is None:
keyfilename = settings.KeyFileName()
if os.path.exists(keyfilename + '_location'):
newkeyfilename = bpio.ReadTextFile(keyfilename + '_location').strip()
if os.path.exists(newkeyfilename):
keyfilename = newkeyfilename
if os.path.exists(keyfilename):
_MyKeyObject = rsa_key.RSAKey()
_MyKeyObject.fromFile(keyfilename)
if _Debug:
lg.out(_DebugLevel,
'key.InitMyKey loaded private key from %s' % (keyfilename))
return ValidateKey()
return False
def load_local_keys(keys_folder=None):
"""
"""
if not keys_folder:
keys_folder = settings.KeyStoreDir()
if _Debug:
lg.out(_DebugLevel,
'my_keys.load_local_keys will read files from %s' % keys_folder)
known_keys().clear()
count = 0
for key_filename in os.listdir(keys_folder):
key_filepath = os.path.join(keys_folder, key_filename)
key_id = key_filename.replace('.private', '').replace('.public', '')
if not is_valid_key_id(key_id):
lg.warn('key_id is not valid: %s' % key_id)
continue
key_raw = local_fs.ReadTextFile(key_filepath)
if not key_raw:
lg.warn('failed reading key from %r' % key_filepath)
continue
key_raw_strip = key_raw.strip()
try:
if key_raw_strip.startswith('{') and key_raw_strip.endswith('}'):
key_dict = jsn.loads_text(key_raw_strip)
else:
key_dict = {
'label': key_id,
'body': key_raw_strip,
}
except:
lg.exc()
continue
try:
key_object = rsa_key.RSAKey()
key_object.fromDict(key_dict)
except:
lg.exc()
continue
if not key_object.isPublic():
if not validate_key(key_object):
lg.warn('validation failed for %s' % key_filepath)
continue
known_keys()[key_id] = key_object
count += 1
if _Debug:
lg.out(_DebugLevel, ' %d keys loaded' % count)
return count
def GenerateNewKey(keyfilename=None):
global _MyKeyObject
if keyfilename is None:
keyfilename = settings.KeyFileName()
if os.path.exists(keyfilename + '_location'):
newkeyfilename = bpio.ReadTextFile(keyfilename + '_location').strip()
if os.path.exists(newkeyfilename):
keyfilename = newkeyfilename
if _Debug:
lg.out(_DebugLevel, 'key.InitMyKey generate new private key')
_MyKeyObject = rsa_key.RSAKey()
_MyKeyObject.generate(settings.getPrivateKeySize())
keystring = _MyKeyObject.toPrivateString()
bpio.WriteTextFile(keyfilename, keystring)
if _Debug:
lg.out(_DebugLevel, ' wrote %d bytes to %s' % (len(keystring), keyfilename))
del keystring
gc.collect()
def generate_key(key_id, key_size=4096, keys_folder=None):
"""
"""
if key_id in known_keys():
lg.warn('key "%s" already exists' % key_id)
return None
lg.out(4, 'my_keys.generate_key "%s" of %d bits' % (key_id, key_size))
key_object = rsa_key.RSAKey()
key_object.generate(key_size)
known_keys()[key_id] = key_object
if not keys_folder:
keys_folder = settings.KeyStoreDir()
key_string = key_object.toPrivateString()
key_filepath = os.path.join(keys_folder, key_id + '.private')
bpio.WriteTextFile(key_filepath, key_string)
if _Debug:
lg.out(_DebugLevel,
' key %s generated, saved to %s' % (key_id, key_filepath))
return key_object
def generate_key(key_id, label='', key_size=4096, keys_folder=None):
global _LatestLocalKeyID
key_id = latest_key_id(key_id)
if is_key_registered(key_id):
lg.warn('key %r already registered' % key_id)
return None
if not label:
label = 'key%s' % utime.make_timestamp()
if _Debug:
lg.out(
_DebugLevel, 'my_keys.generate_key %r of %d bits, label=%r' %
(key_id, key_size, label))
_LatestLocalKeyID += 1
save_latest_local_key_id(keys_folder=keys_folder)
key_object = rsa_key.RSAKey()
key_object.generate(key_size)
key_object.label = label
key_object.local_key_id = _LatestLocalKeyID
known_keys()[key_id] = key_object
if _Debug:
lg.out(_DebugLevel, ' key %r generated' % key_id)
if not keys_folder:
keys_folder = settings.KeyStoreDir()
save_key(key_id, keys_folder=keys_folder)
events.send('key-generated',
data=dict(
key_id=key_id,
label=label,
key_size=key_size,
))
listeners.push_snapshot('key',
snap_id=key_id,
data=make_key_info(
key_object=key_object,
key_id=key_id,
event='key-generated',
include_private=False,
include_local_id=True,
include_signature=True,
include_label=True,
))
return key_object
def test_signature_begins_with_zero_byte(self):
pk = '''-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDrwjGUyNKFsrZzyxlfdFkStPWokQsKqjlR77xre6shrRJxfbHm
aweImvH9+x0on30ORLjk2PeVa2tp+z7hn35wS8VBx+lKOrCHDPPq5uZuNLD1KJHN
slzWzCxnquHVbrbop533S90ZA4IEi5SP/NkPjv8O/dm2JQfZTBLnum7GeQIDAQAB
AoGABESrRiDOouoF4JnMN0yxciPBkNAzbXmAeSnIdP+zrPPnshNO/bdxVvlLKUh7
Eim1B2WaHVaKQPPFaZFJZadQECqBM4DlxbyPN/7Xj59A5WeTMRw0eBnBq2IXmVzy
WVlW/Uy0cB+vxWj2YDo5+QI5UZ2GkZMZ57SrmiNOuAtUoUkCQQDwS6ZuFTft+de5
vdrXjhft0ahsecGTKg08sEFjHTwI9UPMIr1T9ZYjmYIzTLcEls3uVXRQulN8VeaD
r5WpYBZdAkEA+yqi/TUihJryoRatY7Qb63oRbD7RfoGeItpyU3stQrrs4SXSe/j3
jP6VauaYvRHaT9IJpgHCjF0yIMXY6AZ2zQJACbZ1FrQC27qijp5u7xGORA2aajAN
s/4aJN7W9cOjvpTzVZf94RvnIq88xQgPyb6yujR4DB9L6pWqSJ5bRUpd/QJBAPp0
JrlFbdk7RWx614WPiTPDsnH1JiP3DoCEwfIa5yQej61ncL9soTV4e/hwX6hRkBd+
Q17FbIFZQW5Ku6OLJpUCQQDuJl6KW8e5fXaaGlOP8R8N1oidSf5Sz2LM04GIi2Pa
iDt483pngPnWcya4OTjsvJ74yPtkDlwXuA43PUah56LG
-----END RSA PRIVATE KEY-----'''
k = rsa_key.RSAKey()
k.fromString(pk)
msg = b'\xcf=8!7f\x85\x81\x05lc\xb1\xaas\x99\xda'
sig = k.sign(msg)
assert k.verify(sig, msg)
sig_raw = k.sign(msg, as_digits=False)
assert sig_raw[0:1] == b'\x00', sig_raw
assert k.verify(sig_raw, msg, signature_as_digits=False)
