Пример #1
0
    def test_corrupt_der_pkcs8(self, backend):
        # unenc-rsa-pkcs8 with a bunch of data missing.
        key_data = textwrap.dedent("""\
        MIICdQIBADALBgkqhkiG9w0BAQEEggJhMIICXQIBAAKBgQC7JHoJfg6yNzLMOWet
        8Z49a4KD0dCspMAYvo2YAMB7/wdEycocujbhJ2n/seONi+5XqTqqFkM5VBl8rmkk
        FPZk/7x0xmdsTPECSWnHK+HhoaNDFPR3j8jQhVo1laxiqcEhAHegi5cwtFosuJAv
        FiRC0Cgz+frQPFQEBsAV9RuasyQxqzxrR0Ow0qncBeGBWbYE6WZhqtcLAI895b+i
        +F4lbB4iD7T9QeIDMU/aIMXA81UO4cns1z4qDAHKeyLLrPQrJ/B4X7XC+egUWm5+
        hr1qmyAMusyXIBECQQDJWZ8piluf4yrYfsJAn6hF5T4RjTztbqvO0GVG2McHY7Uj
        NPSffhzHx/ll0fQEQji+OgydCCX8o3HZrgw5YfSJAkEA7e+rqdU5nO5ZG//PSEQb
        tjLnRiTzBH/elQhtdZ5nF7pcpNTi4k13zutmKcWW4GK75azcRGJUhu1kDM7QYAOd
        SQJAVNkYcifkvna7GmooL5VYEsQsqLbM4v0NF2TIGNfG3z1MGp75KrC5LhL97MNR
        we2p/bd2k0HYyCKUGnf2nMPDiQJBAI75pwittSoE240EobUGIDTSz8CJsXIxuDmL
        z+KOpdpPRR5TQmbEMEspjsFpFymMiuYPgmihQbO2cJl1qScY5OkCQQCJ6m5tcN8l
        Xxg/SNpjEIv+qAyUD96XVlOJlOIeLHQ8kYE0C6ZA+MsqYIzgAreJk88Yn0lU/X0/
        mu/UpE/BRZmR
        """).encode()
        bad_der = base64.b64decode(b"".join(key_data.splitlines()))

        with pytest.raises(ValueError):
            load_der_private_key(bad_der, None, backend)

        with pytest.raises(ValueError):
            load_der_private_key(bad_der, b"this password will not be used",
                                 backend)
Пример #2
0
    def test_corrupt_der_pkcs8(self, backend):
        # unenc-rsa-pkcs8 with a bunch of data missing.
        key_data = textwrap.dedent("""\
        MIICdQIBADALBgkqhkiG9w0BAQEEggJhMIICXQIBAAKBgQC7JHoJfg6yNzLMOWet
        8Z49a4KD0dCspMAYvo2YAMB7/wdEycocujbhJ2n/seONi+5XqTqqFkM5VBl8rmkk
        FPZk/7x0xmdsTPECSWnHK+HhoaNDFPR3j8jQhVo1laxiqcEhAHegi5cwtFosuJAv
        FiRC0Cgz+frQPFQEBsAV9RuasyQxqzxrR0Ow0qncBeGBWbYE6WZhqtcLAI895b+i
        +F4lbB4iD7T9QeIDMU/aIMXA81UO4cns1z4qDAHKeyLLrPQrJ/B4X7XC+egUWm5+
        hr1qmyAMusyXIBECQQDJWZ8piluf4yrYfsJAn6hF5T4RjTztbqvO0GVG2McHY7Uj
        NPSffhzHx/ll0fQEQji+OgydCCX8o3HZrgw5YfSJAkEA7e+rqdU5nO5ZG//PSEQb
        tjLnRiTzBH/elQhtdZ5nF7pcpNTi4k13zutmKcWW4GK75azcRGJUhu1kDM7QYAOd
        SQJAVNkYcifkvna7GmooL5VYEsQsqLbM4v0NF2TIGNfG3z1MGp75KrC5LhL97MNR
        we2p/bd2k0HYyCKUGnf2nMPDiQJBAI75pwittSoE240EobUGIDTSz8CJsXIxuDmL
        z+KOpdpPRR5TQmbEMEspjsFpFymMiuYPgmihQbO2cJl1qScY5OkCQQCJ6m5tcN8l
        Xxg/SNpjEIv+qAyUD96XVlOJlOIeLHQ8kYE0C6ZA+MsqYIzgAreJk88Yn0lU/X0/
        mu/UpE/BRZmR
        """).encode()
        bad_der = base64.b64decode(b"".join(key_data.splitlines()))

        with pytest.raises(ValueError):
            load_der_private_key(
                bad_der, None, backend
            )

        with pytest.raises(ValueError):
            load_der_private_key(
                bad_der, b"this password will not be used", backend
            )
Пример #3
0
def load_priv_key(data):
    key = None
    backend = None
    pw = None
    defbackend = default_backend()
    try:
        key = load_pem_private_key(data, None, defbackend)
    except ValueError:
        pass
    except TypeError:
        backend = load_pem_private_key
    if not backend:
        try:
            key = load_der_private_key(data, None, defbackend)
        except ValueError:
            pass
        except TypeError:
            backend = load_der_private_key
    if backend:
        while not key:
            try:
                key = load_der_private_key(data, getpass("Enter passphrase:"),
                                           defbackend)
            except TypeError:
                pass

    return key, pw
Пример #4
0
    def test_wrong_format(self, backend):
        key_data = b"---- NOT A KEY ----\n"

        with pytest.raises(ValueError):
            load_der_private_key(key_data, None, backend)

        with pytest.raises(ValueError):
            load_der_private_key(key_data, b"this password will not be used",
                                 backend)
Пример #5
0
    def test_wrong_format(self, backend):
        key_data = b"---- NOT A KEY ----\n"

        with pytest.raises(ValueError):
            load_der_private_key(
                key_data, None, backend
            )

        with pytest.raises(ValueError):
            load_der_private_key(
                key_data, b"this password will not be used", backend
            )
Пример #6
0
    def from_secret_exponent(cls, exponent, network=network.default, compressed=True, backend=default_backend()):
        """Create a private key from its secret exponent.

        The secret exponent should be an unsigned integer (d), strictly between
        0 and the elliptic curve order (n). Bitcoin's curve order is:

        n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
        """

        # NOTE: This implementation is only temporary. Whenever cryptography
        # implements the from_private_number_and_curve method, change what
        # follows to:
        #
        #   try:
        #       private_numbers = ec.EllipticCurvePrivateNumbers.from_private_value_and_curve(exponent, network.curve, backend)
        #   except ??:
        #       raise InvalidExponent()
        #
        #   key = private_numbers.private_key(backend)

        import hashlib
        import ecdsa
        from cryptography.hazmat.primitives.serialization import load_der_private_key

        try:
            sig_key = ecdsa.SigningKey.from_secret_exponent(exponent, curve=ecdsa.curves.SECP256k1, hashfunc=hashlib.sha256)
        except AssertionError:
            raise InvalidExponent()

        key = load_der_private_key(sig_key.to_der(), password=None, backend=backend)

        return cls(key, network, compressed)
Пример #7
0
    def authenticate(self, authenticator, account, user, password):
        account = account.upper()
        user = user.upper()

        now = datetime.utcnow()

        try:
            private_key = load_der_private_key(data=self._private_key, password=None, backend=default_backend())
        except Exception as e:
            raise ProgrammingError(
                msg=u'Failed to load private key: {}\nPleas provide a valid unencrypted rsa private '
                    u'key in DER format as bytes object'.format(str(e)),
                errno=ER_INVALID_PRIVATE_KEY
            )

        if not isinstance(private_key, RSAPrivateKey):
            raise ProgrammingError(
                msg=u'Private key type ({}) not supported.\nPleas provide a valid rsa private '
                    u'key in DER format as bytes object'.format(private_key.__class__.__name__),
                errno=ER_INVALID_PRIVATE_KEY
            )

        public_key_fp = self.calculate_public_key_fingerprint(private_key)

        payload = {
            self.ISSUER: "{}.{}.{}".format(account, user, public_key_fp),
            self.SUBJECT: "{}.{}".format(account, user),
            self.ISSUE_TIME: now,
            self.EXPIRE_TIME: now + self.LIFETIME
        }

        self._jwt_token = jwt.encode(payload, private_key,
                                     algorithm=self.ALGORITHM).decode('utf-8')

        return self._jwt_token
Пример #8
0
def leer_llave_privada(key_bytes: bytes, password: str) -> rsa.RSAPrivateKey:
    try:
        return serialization.load_der_private_key(key_bytes, password=password.encode())
    except ValueError as e:
        if 'Incorrect password' in str(e):
            raise exceptions.crypto.IncorrectPasswordError()
        raise e
Пример #9
0
    def load_private_key(self, key_bytes: bytes, password: Optional[str]) \
            -> Tuple[keys.PrivateKeyInfo, keys.PublicKeyInfo]:
        from cryptography.hazmat.primitives import serialization
        from oscrypto import keys as oskeys

        # use oscrypto parser here to parse the key to a PrivateKeyInfo object
        # (It handles unarmoring/decryption/... without worrying about the
        # key type, while load_der/pem_private_key would fail to process
        # PSS-exclusive keys)
        priv_key_info = oskeys.parse_private(key_bytes, password)
        assert isinstance(priv_key_info, keys.PrivateKeyInfo)
        if priv_key_info.algorithm == 'rsassa_pss':
            # these keys can't be loaded directly in pyca/cryptography,
            # so we have to give it a nudge
            priv_key_copy = priv_key_info.copy()
            priv_key_copy['private_key_algorithm'] = {'algorithm': 'rsa'}
            key_bytes = priv_key_copy.dump()
        else:
            key_bytes = priv_key_info.dump()

        priv_key = serialization.load_der_private_key(key_bytes, password=None)
        pub_key_bytes = priv_key.public_key().public_bytes(
            encoding=serialization.Encoding.DER,
            format=serialization.PublicFormat.SubjectPublicKeyInfo)
        pub_key_info = keys.PublicKeyInfo.load(pub_key_bytes)
        if priv_key_info.algorithm == 'rsassa_pss':
            # if the private key was a PSS-exclusive one, copy the parameters
            # back from the original (since we stripped them going in)
            # We use .native to get around asn1crypto's type checking
            pub_key_info['algorithm'] = \
                priv_key_info['private_key_algorithm'].native
        return priv_key_info, pub_key_info
Пример #10
0
def main(argv):
    if len(argv) > 0:
        password = argv[0].encode()
    else:
        password = b'test'

    private_key = ec.generate_private_key(ec.SECP256K1(), default_backend())
    serialized_private = private_key.private_bytes(
        encoding=serialization.Encoding.DER,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(password)
    )

    serialized_public = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.DER,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    )

    private_key = serialization.load_der_private_key(serialized_private, password, default_backend())

    with open('resources/default_pki/private.der', 'wb') as private_file:
        private_file.write(serialized_private)

    with open('resources/default_pki/public.der', 'wb') as public_file:
        public_file.write(serialized_public)

    print('save pki in : resources/default_pki/')
Пример #11
0
    def _get_normalized_payload(self, encoded_bytes, secret_type):
        """Normalizes the bytes of the object.

        Barbican expects certificates, public keys, and private keys in PEM
        format, but Castellan expects these objects to be DER encoded bytes
        instead.
        """
        if secret_type == 'public':
            key = serialization.load_der_public_key(
                encoded_bytes,
                backend=backends.default_backend())
            return key.public_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PublicFormat.SubjectPublicKeyInfo)
        elif secret_type == 'private':
            key = serialization.load_der_private_key(
                encoded_bytes,
                backend=backends.default_backend(),
                password=None)
            return key.private_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PrivateFormat.PKCS8,
                encryption_algorithm=serialization.NoEncryption())
        elif secret_type == 'certificate':
            cert = cryptography_x509.load_der_x509_certificate(
                encoded_bytes,
                backend=backends.default_backend())
            return cert.public_bytes(encoding=serialization.Encoding.PEM)
        else:
            return encoded_bytes
Пример #12
0
def split_pkcs12(app: Flask):
    """Split up .p12 containers if necessary."""
    with app.app_context():
        push_certificate_path = app.config['PUSH_CERTIFICATE']
        if not os.path.exists(push_certificate_path):
            raise RuntimeError('You specified a push certificate at: {}, but it does not exist.'.format(push_certificate_path))

        # We can handle loading PKCS#12 but APNS2Client specifically requests PEM encoded certificates
        push_certificate_basename, ext = os.path.splitext(push_certificate_path)
        if ext.lower() == '.p12':
            pem_key_path = push_certificate_basename + '.key'
            pem_certificate_path = push_certificate_basename + '.crt'

            if not os.path.exists(pem_key_path) or not os.path.exists(pem_certificate_path):
                app.logger.info('You provided a PKCS#12 push certificate, we will have to encode it as PEM to continue...')
                app.logger.info('.key and .crt files will be saved in the same location')

                with open(push_certificate_path, 'rb') as fd:
                    if 'PUSH_CERTIFICATE_PASSWORD' in app.config:
                        key, certificate, intermediates = parse_pkcs12(fd.read(), bytes(app.config['PUSH_CERTIFICATE_PASSWORD'], 'utf8'))
                    else:
                        key, certificate, intermediates = parse_pkcs12(fd.read())

                crypto_key = serialization.load_der_private_key(key.dump(), None, default_backend())
                with open(pem_key_path, 'wb') as fd:
                    fd.write(crypto_key.private_bytes(
                        encoding=serialization.Encoding.PEM,
                        format=serialization.PrivateFormat.PKCS8,
                        encryption_algorithm=serialization.NoEncryption()))

                crypto_cert = x509.load_der_x509_certificate(certificate.dump(), default_backend())
                with open(pem_certificate_path, 'wb') as fd:
                    fd.write(crypto_cert.public_bytes(serialization.Encoding.PEM))
Пример #13
0
def bootstrap():
    global trust_anchor, signer
    import_safebag("sec/server.safebag", "1234")
    import_cert("sec/server.ndncert")

    with open("sec/server.safebag", "r") as safebag:
        wire = safebag.read()
        wire = base64.b64decode(wire)
        wire = parse_and_check_tl(wire, SecurityV2TypeNumber.SAFE_BAG)
        bag = SafeBag.parse(wire)
        testbed_signed = CertificateV2Value.parse(bag.certificate_v2)
        server_key_name = Name.to_str(testbed_signed.name[:-2])
        privateKey = serialization.load_der_private_key(
            bytes(bag.encrypted_key_bag),
            password=b'1234',
            backend=default_backend())
        server_prv_key = privateKey.private_bytes(Encoding.DER,
                                                  PrivateFormat.PKCS8,
                                                  NoEncryption())
        signer = Sha256WithEcdsaSigner(server_key_name, server_prv_key)

    with open("sec/testbed.anchor", "r") as ndncert:
        wire = ndncert.read()
        wire = base64.b64decode(wire)
        trust_anchor = parse_certificate(wire)
Пример #14
0
 def bytes_to_key(
     key_data: bytes,
     password: typ.Optional[bytes] = None,
 ) -> crtyp.PrivateKeyWithSerialization:
     return serialization.load_der_private_key(data=key_data,
                                               password=password,
                                               backend=default_backend())
Пример #15
0
def load_private_key_file(path):
    """
    Loads the private key from the specified file (can be DER or PEM encoded).

    Args:
        path (str) : Path of the private key file to load.

    Returns:
        The loaded private key (cryptography private key, not OpenSSL private key!)

    """
    with open(path, 'rb') as f:
        data = f.read()

    try:
        key = load_pem_private_key(data, None, default_backend())
        log_debug(
            "Successfully loaded PEM encoded private key from {0}.".format(
                path))
        return key
    except ValueError:
        pass

    try:
        key = load_der_private_key(data, None, default_backend())
        log_debug(
            "Successfully loaded DER encoded private key from {0}.".format(
                path))
        return key
    except ValueError:
        pass

    raise ValueError(
        "The private key file was loaded successfully, but it does not seem to be a PEM/DER encoded private key."
    )
Пример #16
0
    def decrypt(keyBits, encryptedData, params):
        """
        Decrypt the encryptedData using the keyBits according the encrypt params.

        :param Blob keyBits: The key value (PKCS8-encoded private key).
        :param Blob encryptedData: The data to decrypt.
        :param EncryptParams params: This decrypts according to
          params.getAlgorithmType().
        :return: The decrypted data.
        :rtype: Blob
        """
        privateKey = serialization.load_der_private_key(
          keyBits.toBytes(), password = None, backend = default_backend())

        if params.getAlgorithmType() == EncryptAlgorithmType.RsaOaep:
            paddingObject = padding.OAEP(
              mgf = padding.MGF1(algorithm = hashes.SHA1()),
              algorithm = hashes.SHA1(), label = None)
            result = privateKey.decrypt(encryptedData.toBytes(), paddingObject)
        elif params.getAlgorithmType() == EncryptAlgorithmType.RsaPkcs:
            paddingObject = padding.PKCS1v15()
            result = privateKey.decrypt(encryptedData.toBytes(), paddingObject)
        else:
            raise RuntimeError("unsupported encryption mode")

        return Blob(result, False)
Пример #17
0
    def _check_or_add_account(self):
        if 'account' in self._config:
            account = self._config['account']
            with open(account['key'], 'rb') as f:
                data = f.read()

            if account['key_type'] == 'raw':
                key = data
            elif account['key_type'] == 'pem':
                key = serialization.load_pem_private_key(data, None, backend)
            elif account['key_type'] == 'der':
                key = serialization.load_der_private_key(data, None, backend)
            else:
                raise RuntimeError('Unknown key type: ' + account['key_type'])

            registration = account['registration']
        else:
            registration, key = self._add_account()

        links, account = self._client.registration(key, registration)
        agreement = links.get('terms-of-service', {}).get('url')
        if account.get('agreement') != agreement:
            log('account', 'accepting {} in 5 seconds...'.format(agreement))
            time.sleep(5)
            self._client.registration(key, registration, agreement)
            log('account', 'done')

        return key
Пример #18
0
    def _decode_key(self, data):
        pkformat, data = data
        if pkformat == self.FORMAT_ORIGINAL:
            try:
                key = serialization.load_der_private_key(
                    data, password=None, backend=default_backend())
            except ValueError as e:
                raise SSHException(str(e))

        elif pkformat == self.FORMAT_OPENSSH:
            msg = Message(data)
            n = msg.get_mpint()
            e = msg.get_mpint()
            d = msg.get_mpint()
            iqmp = msg.get_mpint()
            p = msg.get_mpint()
            q = msg.get_mpint()

            public_numbers = rsa.RSAPublicNumbers(e=e, n=n)
            key = rsa.RSAPrivateNumbers(
                p=p,
                q=q,
                d=d,
                dmp1=d % (p - 1),
                dmq1=d % (q - 1),
                iqmp=iqmp,
                public_numbers=public_numbers,
            ).private_key(default_backend())
        else:
            raise SSHException('unknown private key format.')

        if not isinstance(key, rsa.RSAPrivateKey):
            raise SSHException("Invalid key type")

        self.key = key
Пример #19
0
 def _decode_key(self, data):
     pkformat, data = data
     if pkformat == self._PRIVATE_KEY_FORMAT_ORIGINAL:
         try:
             key = serialization.load_der_private_key(
                 data, password=None, backend=default_backend()
             )
         except ValueError as e:
             raise SSHException(str(e))
     elif pkformat == self._PRIVATE_KEY_FORMAT_OPENSSH:
         n, e, d, iqmp, p, q = self._uint32_cstruct_unpack(data, "iiiiii")
         public_numbers = rsa.RSAPublicNumbers(e=e, n=n)
         key = rsa.RSAPrivateNumbers(
             p=p,
             q=q,
             d=d,
             dmp1=d % (p - 1),
             dmq1=d % (q - 1),
             iqmp=iqmp,
             public_numbers=public_numbers,
         ).private_key(default_backend())
     else:
         self._got_bad_key_format_id(pkformat)
     assert isinstance(key, rsa.RSAPrivateKey)
     self.key = key
Пример #20
0
    def decrypt(keyBits, encryptedData, params):
        """
        Decrypt the encryptedData using the keyBits according the encrypt params.

        :param Blob keyBits: The key value (PKCS8-encoded private key).
        :param Blob encryptedData: The data to decrypt.
        :param EncryptParams params: This decrypts according to
          params.getAlgorithmType().
        :return: The decrypted data.
        :rtype: Blob
        """
        privateKey = serialization.load_der_private_key(
            keyBits.toBytes(), password=None, backend=default_backend())

        if params.getAlgorithmType() == EncryptAlgorithmType.RsaOaep:
            paddingObject = padding.OAEP(
                mgf=padding.MGF1(algorithm=hashes.SHA1()),
                algorithm=hashes.SHA1(),
                label=None)
            result = privateKey.decrypt(encryptedData.toBytes(), paddingObject)
        elif params.getAlgorithmType() == EncryptAlgorithmType.RsaPkcs:
            paddingObject = padding.PKCS1v15()
            result = privateKey.decrypt(encryptedData.toBytes(), paddingObject)
        else:
            raise RuntimeError("unsupported encryption mode")

        return Blob(result, False)
Пример #21
0
async def load_private_key(path):
    _, ext = os.path.splitext(path)
    async with aiofiles.open(path, mode='rb') as f:
        if ext == ".pem":
            return serialization.load_pem_private_key(await f.read(), password=None, backend=default_backend())
        else:
            return serialization.load_der_private_key(await f.read(), password=None, backend=default_backend())
Пример #22
0
    def sign_der(pri_key_string, raw_data, password=None):
        """

        signature data with private key string

        Args:
            pri_key_string:base64 private key string
            raw_data: string data
            password:

        Returns:base64 encoded signature string

        """
        try:
            password = examine_password(password)
            pri_key_string_bytes = Encoder.str_to_base64_byte(pri_key_string)
            loaded_private_key = serialization.load_der_private_key(
                pri_key_string_bytes,
                password=password,
                backend=default_backend())
            signature_string = loaded_private_key.sign(
                raw_data.encode(encoding="utf-8"), ec.ECDSA(hashes.SHA256()))
            return Encoder.bytes_to_base64_str(signature_string)
        except Exception:
            logger.exception("signature error")
            return None
Пример #23
0
    def _decode_key(self, _raw):
        pkformat, data = _raw
        if pkformat == self.FORMAT_ORIGINAL:
            try:
                key = serialization.load_der_private_key(
                    data, password=None, backend=default_backend()
                )
            except (ValueError, TypeError, AssertionError, UnsupportedAlgorithm) as e:
                raise SSHException(str(e))

        elif pkformat == self.FORMAT_OPENSSH:
            msg = Message(data)
            curve_name = msg.get_text()
            verkey = msg.get_binary()  # noqa: F841
            sigkey = msg.get_mpint()
            curve = self._ECDSA_CURVES.get_by_key_format_identifier("ecdsa-sha2-" + curve_name)
            if not curve:
                raise SSHException("Invalid key curve identifier")
            try:
                key = ec.derive_private_key(sigkey, curve.curve_class(), default_backend())
            except (AttributeError, TypeError) as e:
                raise SSHException(str(e))
        else:
            raise SSHException('unknown private key format.')

        if not isinstance(key, ec.EllipticCurvePrivateKey):
            raise SSHException("Invalid key type")

        self.signing_key = key
        self.verifying_key = key.public_key()
        curve_class = key.curve.__class__
        self.ecdsa_curve = self._ECDSA_CURVES.get_by_curve_class(curve_class)
Пример #24
0
    def __init__(self, loc_privkey=None, raw_keypair=None):
        """
        Init - Initializes the class object

        Args:
            loc_privkey: loc_privkey
            raw_keypair: raw_keypair

        Returns: None

        Raises:
            CMException: invalid secp256r1 private key
        """
        if loc_privkey:
            self.PrivKey = serialization.load_der_private_key(
                loc_privkey,
                password=None,
                backend=_backend,
            )
            if not hasattr(self.PrivKey, 'curve') or not isinstance(
                    self.PrivKey.curve, ec.SECP256R1):
                raise CMException('invalid secp256r1 private key')
        elif isinstance(raw_keypair, (tuple, list)) and len(raw_keypair) == 2:
            self._load_raw_keypair(*raw_keypair)
        else:
            self.generate_keypair()
Пример #25
0
    def _decode_key(self, data):
        pkformat, data = data
        if pkformat == self._PRIVATE_KEY_FORMAT_ORIGINAL:
            try:
                key = serialization.load_der_private_key(
                    data, password=None, backend=default_backend())
            except (ValueError, AssertionError) as e:
                raise SSHException(str(e))
        elif pkformat == self._PRIVATE_KEY_FORMAT_OPENSSH:
            try:
                msg = Message(data)
                curve_name = msg.get_text()
                verkey = msg.get_binary()  # noqa: F841
                sigkey = msg.get_mpint()
                name = "ecdsa-sha2-" + curve_name
                curve = self._ECDSA_CURVES.get_by_key_format_identifier(name)
                if not curve:
                    raise SSHException("Invalid key curve identifier")
                key = ec.derive_private_key(sigkey, curve.curve_class(),
                                            default_backend())
            except Exception as e:
                # PKey._read_private_key_openssh() should check or return
                # keytype - parsing could fail for any reason due to wrong type
                raise SSHException(str(e))
        else:
            self._got_bad_key_format_id(pkformat)

        self.signing_key = key
        self.verifying_key = key.public_key()
        curve_class = key.curve.__class__
        self.ecdsa_curve = self._ECDSA_CURVES.get_by_curve_class(curve_class)
Пример #26
0
    def __load_private_byte(self, private_bytes, private_pass=None):
        """private load from bytes string

        :param private_bytes: private byte
        :param private_pass: private password
        :return:
        """

        try:
            try:
                self.__peer_pri = serialization.load_der_private_key(
                    private_bytes, private_pass, default_backend())
            except Exception as e:
                # try pem type private load
                self.__peer_pri = serialization.load_pem_private_key(
                    private_bytes, private_pass, default_backend())

        except ValueError as e:
            logging.exception(f"error {e}")
            util.exit_and_msg("Invalid Password")

        # 키 쌍 검증
        sign = self.sign_data(b'TEST')
        if self.verify_data(b'TEST', sign) is False:
            util.exit_and_msg("Invalid Signature(Peer Certificate load test)")
Пример #27
0
def loadRSAPrivateKey(privateKeyFile, keyType):

    # Function for opening the private key files, reading the content and serializing it
    try:
        with open(privateKeyFile, "rb") as keyFile:

            if keyType == 'der':
                try:
                    privateKey = serialization.load_der_private_key(
                        keyFile.read(),
                        password=None,
                        backend=default_backend())
                except ValueError:
                    sys.exit(
                        "ValueError: Could not deserialize key data, please check key file for modifications"
                    )

            elif keyType == "pem":
                try:
                    privateKey = serialization.load_pem_private_key(
                        keyFile.read(),
                        password=None,
                        backend=default_backend())
                except ValueError:
                    sys.exit(
                        "ValueError: Could not deserialize key data, please check key file for modifications"
                    )
            else:
                sys.exit("ERROR: Unknown key type.")
    except IOError:
        sys.exit("ERROR: No such private key file, verify arguments again!")

    return privateKey
Пример #28
0
def load_private_key(path):
    _, ext = os.path.splitext(path)
    with open(path, "rb") as f:
        if ext == ".pem":
            return serialization.load_pem_private_key(f.read(), password=None, backend=default_backend())
        else:
            return serialization.load_der_private_key(f.read(), password=None, backend=default_backend())
Пример #29
0
def load_signing_key(signing_key):
    if isinstance(signing_key, EllipticCurvePrivateKey):
        return signing_key
    elif isinstance(signing_key, (str, unicode)):
        invalid_strings = [b'-----BEGIN PUBLIC KEY-----']
        invalid_string_matches = [
            string_value in signing_key
            for string_value in invalid_strings
        ]
        if any(invalid_string_matches):
            raise ValueError(
                'Signing key must be a private key, not a public key.')

        try:
            return load_der_private_key(
                signing_key, password=None, backend=backend)
        except:
            try:
                return load_pem_private_key(
                    signing_key, password=None, backend=backend)
            except Exception as e:
                raise ValueError(
                    'Signing key must be a valid private key PEM or DER.')
    else:
        raise ValueError('Signing key must be in string or unicode format.')
Пример #30
0
def load_signing_key(signing_key, crypto_backend=default_backend()):
    """ Optional: crypto backend object from the "cryptography" python library
    """
    if not isinstance(crypto_backend, (Backend, MultiBackend)):
        raise ValueError('backend must be a valid Backend object')

    if isinstance(signing_key, EllipticCurvePrivateKey):
        return signing_key
    elif isinstance(signing_key, (str, unicode)):
        invalid_strings = [b'-----BEGIN PUBLIC KEY-----']
        invalid_string_matches = [
            string_value in signing_key
            for string_value in invalid_strings
        ]
        if any(invalid_string_matches):
            raise ValueError(
                'Signing key must be a private key, not a public key.')

        try:
            return load_der_private_key(
                signing_key, password=None, backend=crypto_backend)
        except:
            try:
                return load_pem_private_key(
                    signing_key, password=None, backend=crypto_backend)
            except Exception as e:
                raise ValueError(
                    'Signing key must be a valid private key PEM or DER.')
    else:
        raise ValueError('Signing key must be in string or unicode format.')
Пример #31
0
    def deriveEncryptKey(keyBits):
        """
        Derive a new encrypt key from the given decrypt key value.

        :param Blob keyBits: The key value of the decrypt key (PKCS8-encoded
          private key).
        :return: The new encrypt key (DER-encoded public key).
        :rtype: EncryptKey
        """
        # Decode the PKCS #8 private key.
        parsedNode = DerNode.parse(keyBits.buf(), 0)
        pkcs8Children = parsedNode.getChildren()
        algorithmIdChildren = DerNode.getSequence(pkcs8Children,
                                                  1).getChildren()
        oidString = algorithmIdChildren[0].toVal()

        if oidString != RsaAlgorithm.RSA_ENCRYPTION_OID:
            raise RuntimeError("The PKCS #8 private key is not RSA_ENCRYPTION")

        privateKey = serialization.load_der_private_key(
            keyBits.toBytes(), password=None, backend=default_backend())
        publicKeyDer = privateKey.public_key().public_bytes(
            encoding=serialization.Encoding.DER,
            format=serialization.PublicFormat.SubjectPublicKeyInfo)
        return EncryptKey(Blob(publicKeyDer, False))
Пример #32
0
def _get_pubkey_from_der_private_key(filedata, backend):
    """Load the filedata as a DER private key"""
    try:
        privkey = serialization.load_der_private_key(filedata, None, backend=backend)
        return privkey.public_key(), None
    except Exception:
        return None, None
Пример #33
0
def parse_private_key(data, password):
    """
    Identifies, decrypts and returns a cryptography private key object.
    """
    # PEM
    if is_pem(data):
        if b"ENCRYPTED" in data:
            if password is None:
                raise TypeError("No password provided for encrypted key.")
        try:
            return serialization.load_pem_private_key(
                data, password, backend=default_backend()
            )
        except ValueError:
            # Cryptography raises ValueError if decryption fails.
            raise
        except Exception as e:
            logger.debug("Failed to parse PEM private key ", exc_info=e)

    # PKCS12
    if is_pkcs12(data):
        return _parse_pkcs12(data, password)[0]

    # DER
    try:
        return serialization.load_der_private_key(
            data, password, backend=default_backend()
        )
    except Exception as e:
        logger.debug("Failed to parse private key as DER", exc_info=e)

    # All parsing failed
    raise ValueError("Could not parse private key.")
Пример #34
0
def load_signing_key(signing_key, crypto_backend=default_backend()):
    """ Optional: crypto backend object from the "cryptography" python library
    """
    if not isinstance(crypto_backend, (Backend, MultiBackend)):
        raise ValueError('backend must be a valid Backend object')

    if isinstance(signing_key, EllipticCurvePrivateKey):
        return signing_key
    elif isinstance(signing_key, (str, unicode)):
        invalid_strings = [b'-----BEGIN PUBLIC KEY-----']
        invalid_string_matches = [
            string_value in signing_key for string_value in invalid_strings
        ]
        if any(invalid_string_matches):
            raise ValueError(
                'Signing key must be a private key, not a public key.')

        try:
            return load_der_private_key(signing_key,
                                        password=None,
                                        backend=crypto_backend)
        except:
            try:
                return load_pem_private_key(signing_key,
                                            password=None,
                                            backend=crypto_backend)
            except Exception as e:
                raise ValueError(
                    'Signing key must be a valid private key PEM or DER.')
    else:
        raise ValueError('Signing key must be in string or unicode format.')
Пример #35
0
    def _create_x509_certificate(
        key_der, subject_name
    ):  #type(Union[EllipticCurvePrivateKey,RSAPrivateKey], str) -> Certificate
        signing_key = serialization.load_der_private_key(
            key_der, password=None, backend=default_backend())
        builder = CertificateBuilder()
        builder = builder.subject_name(
            x509.Name([
                x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
            ]))
        builder = builder.issuer_name(
            x509.Name([
                x509.NameAttribute(NameOID.COMMON_NAME, subject_name),
            ]))

        one_day = datetime.timedelta(1, 0, 0)
        builder = builder.not_valid_before(datetime.datetime.today() - one_day)
        builder = builder.not_valid_after(datetime.datetime.today() +
                                          (one_day * 30))
        builder = builder.serial_number(x509.random_serial_number())
        builder = builder.public_key(signing_key.public_key())
        builder = builder.add_extension(SubjectAlternativeName(
            [x509.DNSName(subject_name)]),
                                        critical=False)
        builder = builder.add_extension(BasicConstraints(ca=False,
                                                         path_length=None),
                                        critical=True)
        return builder.sign(private_key=signing_key,
                            algorithm=hashes.SHA256(),
                            backend=default_backend()).public_bytes(
                                serialization.Encoding.DER)
Пример #36
0
def get_raw_private_key_der(der_file: str, password: str):
    """ Split given der file to get separated key pair consisting of public and private keys.

    Args:
        der_file (str): Path to .der file containing public and private keys
        password (str): Password to decrypt Keys. It can be None, and then KEY is not encrypted.

    Returns:
        hex string: return a hex string containing extracted and decrypted private KEY from given .der file.
    """
    try:
        with open(der_file, 'rb') as file:
            key_data = file.read()
            if password is None:
                log.warning(
                    "KEY password has not been provided. It means that DAC key is not encrypted."
                )
            keys = load_der_private_key(key_data,
                                        password,
                                        backend=default_backend())
            private_key = keys.private_numbers().private_value.to_bytes(
                32, byteorder='big')

            return private_key

    except IOError or ValueError:
        return None
Пример #37
0
def get_prv_key_from_safe_bag(id_name):
    """
    Export the safebag with password 1234 using ndnsec-export command line tool.
    The function then parse the exported safe bag and return the private key bytes.

    :param id_name: the NDN identity name
    """
    p = subprocess.run(['ndnsec-export', id_name, '-P', '1234'],
                       stdout=subprocess.PIPE)
    wire = base64.b64decode(p.stdout)
    logging.debug('result from ndnsec-export')
    logging.debug(wire)
    wire = parse_and_check_tl(wire, SecurityV2TypeNumber.SAFE_BAG)
    bag = SafeBag.parse(wire)
    # Don't use unwrap because the key returned is still in DER format
    #key = unwrap(bytes(bag.encrypted_key_bag), '1234')[1]
    privateKey = serialization.load_der_private_key(bytes(
        bag.encrypted_key_bag),
                                                    password=b'1234',
                                                    backend=default_backend())
    ecc_key = ECC.import_key(
        privateKey.private_bytes(Encoding.DER, PrivateFormat.PKCS8,
                                 NoEncryption()))
    logging.debug("pub key: ")
    logging.debug(ecc_key.pointQ.xy)
    logging.debug("prv key: ")
    logging.debug(ecc_key.d)
    cert_prv_key = ecc_key.d.to_bytes()
    logging.info("Private KEY: ")
    logging.info(cert_prv_key)
    return cert_prv_key
Пример #38
0
def load_privkey(bs: bytes) -> rsa.RSAPrivateKey:
    """
    Parse a DER-encoded RSA private key from a byte string.
    """
    key = serialization.load_der_private_key(bs, None, default_backend())
    if not isinstance(key, rsa.RSAPrivateKey):
        raise Exception('Not an RSA private key')
    return key
Пример #39
0
 def from_secret_der(cls, der_key):
     """
     Read a der_key, convert it a private key
     :param path: der formatted key
     :return:
     """
     secret_bytes = load_der_private_key(der_key, None, default_backend())
     return cls(secret_bytes=secret_bytes)
Пример #40
0
    def setUp(self):
        with open(os.path.join(KEY_LOCATION, "priv_key.bin"), "rb") as f:
            self.private_key = f.read()
        self.private_key = load_der_private_key(self.private_key, None,
                                                default_backend())

        with open(os.path.join(KEY_LOCATION, "pub_key.bin"), "rb") as f:
            self.public_key = f.read()
        self.token = generate_shared_secret()
Пример #41
0
def read_private_key(key_fn):
    try:
        key_file = open(key_fn, "rb")
        pri_key = serialization.load_der_private_key(key_file.read(), password=None, backend=default_backend())
        # print("Pri key size: {}".format(pri_key.key_size))
        return pri_key
    except IOError as err_msg:
        print("Open key file failed. Please check the key file name. " + str(err_msg))
        raise IOError(err_msg)
Пример #42
0
    def _decode_key(self, data):
        try:
            key = serialization.load_der_private_key(
                data, password=None, backend=default_backend()
            )
        except ValueError as e:
            raise SSHException(str(e))

        assert isinstance(key, rsa.RSAPrivateKey)
        self.key = key
Пример #43
0
 def test_private_bytes_encrypted_der(self, backend, fmt, password):
     _skip_curve_unsupported(backend, ec.SECP256R1())
     key_bytes = load_vectors_from_file(
         os.path.join("asymmetric", "PKCS8", "ec_private_key.pem"), lambda pemfile: pemfile.read().encode()
     )
     key = serialization.load_pem_private_key(key_bytes, None, backend)
     serialized = key.private_bytes(serialization.Encoding.DER, fmt, serialization.BestAvailableEncryption(password))
     loaded_key = serialization.load_der_private_key(serialized, password, backend)
     loaded_priv_num = loaded_key.private_numbers()
     priv_num = key.private_numbers()
     assert loaded_priv_num == priv_num
Пример #44
0
    def from_der(cls, private_key):
        """Initialize VAPID using a private key in DER format.

        :param private_key: A private key in DER format and Base64-encoded.
        :type private_key: bytes

        """
        key = serialization.load_der_private_key(b64urldecode(private_key),
                                                 password=None,
                                                 backend=default_backend())
        return cls(key)
Пример #45
0
 def __init__(self, key_len=128, from_file=None):
     if from_file:
         with open(from_file, 'rb') as f:
             data = f.read()
         if data.startswith(b'-----'):
             self.ec_private = load_pem_private_key(data, None, backend=default_backend())
         else:
             self.ec_private = load_der_private_key(data, backend=default_backend())
     else:
         self.ec_private = ec.generate_private_key(self.curve[key_len](), default_backend())
     self.ec_public = self.ec_private.public_key()
Пример #46
0
    def sign(self, data, keyName, digestAlgorithm = DigestAlgorithm.SHA256):
        """
        Fetch the private key for keyName and sign the data, returning a
        signature Blob.

        :param data: Pointer the input byte buffer to sign.
        :type data: An array type with int elements
        :param Name keyName: The name of the signing key.
        :param digestAlgorithm: (optional) the digest algorithm. If omitted,
          use DigestAlgorithm.SHA256.
        :type digestAlgorithm: int from DigestAlgorithm
        :return: The signature Blob.
        :rtype: Blob
        """
        keyURI = keyName.toUri()

        if not self.doesKeyExist(keyName, KeyClass.PRIVATE):
            raise SecurityException(
              "FilePrivateKeyStorage.sign: private key doesn't exist")

        if digestAlgorithm != DigestAlgorithm.SHA256:
            raise SecurityException(
              "FilePrivateKeyStorage.sign: Unsupported digest algorithm")

        # Read the private key.
        base64Content = None
        with open(self.nameTransform(keyURI, ".pri")) as keyFile:
            base64Content = keyFile.read()
        der = Blob(base64.b64decode(base64Content), False)

        # Decode the PKCS #8 key to get the algorithm OID.
        parsedNode = DerNode.parse(der.buf(), 0)
        pkcs8Children = parsedNode.getChildren()
        algorithmIdChildren = DerNode.getSequence(pkcs8Children, 1).getChildren()
        oidString = algorithmIdChildren[0].toVal()

        privateKey = serialization.load_der_private_key(
          der.toBytes(), password = None, backend = default_backend())

        # Sign the data.
        data = Blob(data, False).toBytes()
        if (oidString == PublicKey.RSA_ENCRYPTION_OID or
            oidString == PublicKey.EC_ENCRYPTION_OID):
            if oidString == PublicKey.RSA_ENCRYPTION_OID:
                signer = privateKey.signer(padding.PKCS1v15(), hashes.SHA256())
            else:
                signer = privateKey.signer(ec.ECDSA(hashes.SHA256()))

            signer.update(data)
            signature = signer.finalize()
            return Blob(bytearray(signature), False)
        else:
            raise SecurityException(
              "FilePrivateKeyStorage.sign: Unrecognized private key type")
Пример #47
0
    def test_missing_password(self, key_path, password, backend):
        key_file = os.path.join("asymmetric", *key_path)

        with pytest.raises(TypeError):
            load_vectors_from_file(
                key_file,
                lambda derfile: load_der_private_key(
                    derfile.read(), password, backend
                ),
                mode="rb"
            )
Пример #48
0
    def _getRsaKey(self, iden):
        tokn = self.core.getTufoByProp('syn:token',iden)
        if tokn == None:
            return None

        keyb64 = tokn[1].get('syn:token:rsakey')
        if keyb64 == None:
            return None

        rsader = base64.b64decode(keyb64)
        return c_serialization.load_der_private_key(rsader, password=None, backend=backend)
Пример #49
0
 def test_load_der_dsa_private_key(self, key_path, password, backend):
     key = load_vectors_from_file(
         os.path.join("asymmetric", *key_path),
         lambda derfile: load_der_private_key(
             derfile.read(), password, backend
         ),
         mode="rb"
     )
     assert key
     assert isinstance(key, dsa.DSAPrivateKey)
     _check_dsa_private_numbers(key.private_numbers())
Пример #50
0
        def __init__(self, keyType, keyData):
            self._keyType = keyType

            keyData = Blob(keyData, False).toBytes()

            if keyType == KeyType.ECDSA or keyType == KeyType.RSA:
                self._privateKey = serialization.load_der_private_key(
                  keyData, password = None, backend = default_backend())
            else:
                raise SecurityException(
                  "PrivateKey constructor: Unrecognized keyType")
Пример #51
0
def setUpModule():
    global private_key, public_key, token

    with open(os.path.join(KEY_LOCATION, "priv_key.bin"), "rb") as f:
        private_key = f.read()
    private_key = load_der_private_key(private_key, None, default_backend())

    with open(os.path.join(KEY_LOCATION, "pub_key.bin"), "rb") as f:
        public_key = f.read()

    token = generate_shared_secret()
Пример #52
0
    def _decode_key(self, data):
        try:
            key = serialization.load_der_private_key(
                data, password=None, backend=default_backend()
            )
        except ValueError as e:
            raise SSHException(str(e))

        self.signing_key = key
        self.verifying_key = key.public_key()
        self.size = key.curve.key_size
Пример #53
0
    def test_unused_password(self, key_path, backend):
        key_file = os.path.join("asymmetric", *key_path)
        password = b"this password will not be used"

        with pytest.raises(TypeError):
            load_vectors_from_file(
                key_file,
                lambda derfile: load_der_private_key(
                    derfile.read(), password, backend
                ),
                mode="rb"
            )
Пример #54
0
    def test_wrong_password(self, key_path, backend):
        key_file = os.path.join("asymmetric", *key_path)
        password = b"this password is wrong"

        with pytest.raises(ValueError):
            load_vectors_from_file(
                key_file,
                lambda derfile: load_der_private_key(
                    derfile.read(), password, backend
                ),
                mode="rb"
            )
Пример #55
0
    def _decode_key(self, data):
        try:
            key = serialization.load_der_private_key(
                data, password=None, backend=default_backend()
            )
        except (ValueError, AssertionError) as e:
            raise SSHException(str(e))

        self.signing_key = key
        self.verifying_key = key.public_key()
        curve_class = key.curve.__class__
        self.ecdsa_curve = self._ECDSA_CURVES.get_by_curve_class(curve_class)
Пример #56
0
    def test_encryption_using_generated_key(self):
        """Tests functionality of a generated asymmetric key pair."""
        test_model = order_models.OrderModel(**self.asymmetric_data)
        create_resp, order_ref = self.behaviors.create_order(test_model)
        self.assertEqual(create_resp.status_code, 202)

        order_resp = self.behaviors.get_order(order_ref)
        self.assertEqual(order_resp.status_code, 200)

        container_resp = self.container_behaviors.get_container(
            order_resp.model.container_ref)
        self.assertEqual(container_resp.status_code, 200)

        secret_dict = {}
        for secret in container_resp.model.secret_refs:
            self.assertIsNotNone(secret.secret_ref)
            secret_resp = self.secret_behaviors.get_secret(
                secret.secret_ref, "application/octet-stream")
            self.assertIsNotNone(secret_resp)
            secret_dict[secret.name] = secret_resp.content

        private_key = serialization.load_der_private_key(
            secret_dict['private_key'],
            password=None,
            backend=backends.default_backend()
        )
        public_key = serialization.load_der_public_key(
            secret_dict['public_key'],
            backend=backends.default_backend()
        )

        self.assertIsNotNone(private_key)
        self.assertIsNotNone(public_key)

        message = b'plaintext message'
        ciphertext = public_key.encrypt(
            message,
            padding.OAEP(
                mgf=padding.MGF1(algorithm=hashes.SHA1()),
                algorithm=hashes.SHA1(),
                label=None
            )
        )
        plaintext = private_key.decrypt(
            ciphertext,
            padding.OAEP(
                mgf=padding.MGF1(algorithm=hashes.SHA1()),
                algorithm=hashes.SHA1(),
                label=None
            )
        )
        self.assertEqual(message, plaintext)
Пример #57
0
def rsa_decrypt(data, rsa_priv_key_bytes):
    """
    When given some `data` and an RSA private key, decrypt the data
    """
    if isinstance(data, text_type):
        data = data.encode('utf-8')
    if isinstance(rsa_priv_key_bytes, text_type):
        rsa_priv_key_bytes = rsa_priv_key_bytes.encode('utf-8')
    if rsa_priv_key_bytes.startswith(b'-----'):
        key = serialization.load_pem_private_key(rsa_priv_key_bytes, password=None, backend=default_backend())
    else:
        key = serialization.load_der_private_key(rsa_priv_key_bytes, password=None, backend=default_backend())
    return key.decrypt(data, OAEP(MGF1(SHA1()), SHA1(), label=None))
Пример #58
0
 def _from_serialized(cls, condensed):
     try:
         ghid = Ghid.from_bytes(condensed['ghid'])
         keys = {
             'signature': serialization.load_der_private_key(
                 data = condensed['signature'],
                 password = None,
                 backend = CRYPTO_BACKEND
             ),
             'encryption': serialization.load_der_private_key(
                 data = condensed['encryption'],
                 password = None,
                 backend = CRYPTO_BACKEND
             ),
             'exchange': ECDHPrivate.load(condensed['exchange'])
         }
     except (TypeError, KeyError) as e:
         raise TypeError(
             'serialization must be compatible with _serialize.'
         ) from e
         
     return cls(keys=keys, ghid=ghid)
Пример #59
0
    def test_load_der_ec_private_key(self, key_path, password, backend):
        _skip_curve_unsupported(backend, ec.SECP256R1())
        key = load_vectors_from_file(
            os.path.join("asymmetric", *key_path),
            lambda derfile: load_der_private_key(
                derfile.read(), password, backend
            ),
            mode="rb"
        )

        assert key
        assert isinstance(key, ec.EllipticCurvePrivateKey)
        assert key.curve.name == "secp256r1"
        assert key.curve.key_size == 256