示例#1
0
    def _load_keys(self, private_key, private_key_password, public_key):
        private_key_bytes = strings.to_bytes(private_key)
        private_key_password_bytes = strings.to_bytes(private_key_password)
        public_key_bytes = strings.to_bytes(public_key)

        self.private_key = serialization.load_pem_private_key(data=private_key_bytes,
                                                              password=private_key_password_bytes,
                                                              backend=backend)
        self.public_key = serialization.load_pem_public_key(data=public_key_bytes, backend=backend)
示例#2
0
    def __init__(self):
        private_key_bytes = strings.to_bytes(settings.EQ_SUBMISSION_SR_PRIVATE_SIGNING_KEY)
        public_key_bytes = strings.to_bytes(settings.EQ_SUBMISSION_SDX_PUBLIC_KEY)
        self.private_key = serialization.load_pem_private_key(private_key_bytes,
                                                              password=strings.to_bytes(settings.EQ_SUBMISSION_SR_PRIVATE_SIGNING_KEY_PASSWORD),
                                                              backend=backend)

        self.public_key = serialization.load_pem_public_key(public_key_bytes, backend=backend)

        # first generate a random key
        self.cek = os.urandom(32)  # 256 bit random CEK

        # now generate a random IV
        self.iv = os.urandom(12)  # 96 bit random IV
示例#3
0
    def _generate_key(user_id, user_ik, pepper):
        sha256 = hashlib.sha256()
        sha256.update(to_str(user_id).encode('utf-8'))
        sha256.update(to_str(user_ik).encode('utf-8'))
        sha256.update(to_str(pepper).encode('utf-8'))

        # we only need the first 32 characters for the CEK
        return to_bytes(sha256.hexdigest()[:32])
 def generate_ik(token):
     logger.debug("About to generate a user ignition key")
     collection_exercise_sid, eq_id, form_type, ru_ref = UserIDGenerator._get_token_data(token)
     logger.debug("Using values %s, %s, %s and %s with a salt to generate a user ik", ru_ref, collection_exercise_sid, eq_id, form_type)
     salt = to_bytes(settings.EQ_SERVER_SIDE_STORAGE_USER_IK_SALT)
     ik = UserIDGenerator._generate(collection_exercise_sid, eq_id, form_type, ru_ref, salt)
     if settings.EQ_DEV_MODE:
         logger.debug("User IK is %s", to_str(ik))
     return to_str(ik)
示例#5
0
def generate_key(user_id, user_ik, pepper=settings.EQ_SERVER_SIDE_STORAGE_ENCRYPTION_KEY_PEPPER):
    sha256 = hashlib.sha256()
    sha256.update(to_str(user_id).encode('utf-8'))
    sha256.update(to_str(user_ik).encode('utf-8'))
    sha256.update(to_str(pepper).encode('utf-8'))

    # we only need the first 32 characters for the CEK
    cek = sha256.hexdigest()[:32]
    return to_bytes(cek)
def generate_key(user_id, user_ik, pepper=settings.EQ_SERVER_SIDE_STORAGE_ENCRYPTION_KEY_PEPPER):
    sha256 = hashlib.sha256()
    sha256.update(to_str(user_id).encode('utf-8'))
    sha256.update(to_str(user_ik).encode('utf-8'))
    sha256.update(to_str(pepper).encode('utf-8'))

    # we only need the first 32 characters for the CEK
    cek = sha256.hexdigest()[:32]
    return to_bytes(cek)
    def __init__(self):
        if settings.EQ_USER_AUTHENTICATION_RRM_PRIVATE_KEY is None:
            raise Exception("EQ_USER_AUTHENTICATION_RRM_PRIVATE_KEY is None (check EQ_DEV_MODE?)")
        if settings.EQ_USER_AUTHENTICATION_RRM_PRIVATE_KEY_PASSWORD is None:
            raise Exception("EQ_USER_AUTHENTICATION_RRM_PRIVATE_KEY_PASSWORD is None (check EQ_DEV_MODE?)")
        if settings.EQ_USER_AUTHENTICATION_SR_PUBLIC_KEY is None:
            raise Exception("EQ_USER_AUTHENTICATION_SR_PUBLIC_KEY is None (check EQ_DEV_MODE?)")

        private_key = strings.to_bytes(settings.EQ_USER_AUTHENTICATION_RRM_PRIVATE_KEY)
        private_key_password = strings.to_bytes(settings.EQ_USER_AUTHENTICATION_RRM_PRIVATE_KEY_PASSWORD)
        public_key = strings.to_bytes(settings.EQ_USER_AUTHENTICATION_SR_PUBLIC_KEY)
        self.private_key = serialization.load_pem_private_key(private_key, password=private_key_password, backend=backend)
        self.public_key = serialization.load_pem_public_key(public_key, backend=backend)

        # first generate a random key
        self.cek = os.urandom(32)  # 256 bit random CEK

        # now generate a random IV
        self.iv = os.urandom(12)  # 96 bit random IV
 def _generate(self, key_material, salt):
     kdf = PBKDF2HMAC(
         algorithm=hashes.SHA256(),
         length=32,
         salt=salt,
         iterations=self._iterations,
         backend=backend,
     )
     generated_key = kdf.derive(to_bytes(key_material))
     return binascii.hexlify(generated_key)
示例#9
0
 def _generate(collection_exercise_sid, eq_id, form_type, ru_ref, salt):
     key_material = ru_ref + collection_exercise_sid + eq_id + form_type
     kdf = PBKDF2HMAC(
         algorithm=hashes.SHA256(),
         length=32,
         salt=salt,
         iterations=settings.EQ_SERVER_SIDE_STORAGE_USER_ID_ITERATIONS,
         backend=backend)
     generated_key = kdf.derive(to_bytes(key_material))
     return binascii.hexlify(generated_key)
示例#10
0
 def _generate(self, collection_exercise_sid, eq_id, form_type, ru_ref,
               salt):
     key_material = ru_ref + collection_exercise_sid + eq_id + form_type
     kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
                      length=32,
                      salt=salt,
                      iterations=self._iterations,
                      backend=backend)
     generated_key = kdf.derive(to_bytes(key_material))
     return binascii.hexlify(generated_key)
 def generate_ik(token):
     collection_exercise_sid, eq_id, form_type, ru_ref = UserIDGenerator._get_token_data(
         token)
     logger.debug("generating user ik",
                  ru_ref=ru_ref,
                  ce_id=collection_exercise_sid,
                  eq_id=eq_id,
                  form_type=form_type)
     salt = to_bytes(settings.EQ_SERVER_SIDE_STORAGE_USER_IK_SALT)
     ik = UserIDGenerator._generate(collection_exercise_sid, eq_id,
                                    form_type, ru_ref, salt)
     return to_str(ik)
    def _generate_key(user_id: str, user_ik: str, pepper: str) -> jwk.JWK:
        sha256 = hashlib.sha256()
        sha256.update(to_str(user_id).encode("utf-8"))
        sha256.update(to_str(user_ik).encode("utf-8"))
        sha256.update(to_str(pepper).encode("utf-8"))

        # we only need the first 32 characters for the CEK
        cek = to_bytes(sha256.hexdigest()[:32])

        password = {"kty": "oct", "k": base64url_encode(cek)}

        return jwk.JWK(**password)
示例#13
0
 def generate_ik(token):
     logger.debug("About to generate a user ignition key")
     collection_exercise_sid, eq_id, form_type, ru_ref = UserIDGenerator._get_token_data(
         token)
     logger.debug(
         "Using values %s, %s, %s and %s with a salt to generate a user ik",
         ru_ref, collection_exercise_sid, eq_id, form_type)
     salt = to_bytes(settings.EQ_SERVER_SIDE_STORAGE_USER_IK_SALT)
     ik = UserIDGenerator._generate(collection_exercise_sid, eq_id,
                                    form_type, ru_ref, salt)
     if settings.EQ_DEV_MODE:
         logger.debug("User IK is %s", to_str(ik))
     return to_str(ik)
示例#14
0
 def __init__(self):
     self.logger = logging.getLogger(__name__)
     if settings.EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY is None or settings.EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY is None \
             or settings.EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD is None:
             self.logger.fatal('KEYMAT not configured correctly.')
             raise OSError('KEYMAT not configured correctly.')
     else:
         super().__init__(settings.EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY, settings.EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD)
         # oddly the python cryptography library needs these as bytes string
         rrm_public_key_as_bytes = strings.to_bytes(settings.EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY)
         self.rrm_public_key = serialization.load_pem_public_key(
             rrm_public_key_as_bytes,
             backend=backend,
         )
示例#15
0
    def __init__(self, private_key, private_key_password, public_key):
        # pylint: disable=maybe-no-member
        # password and key variables are dynamically assigned
        if private_key and private_key_password and public_key:

            super().__init__(private_key, private_key_password)
            # oddly the python cryptography library needs these as bytes string
            rrm_public_key_as_bytes = strings.to_bytes(public_key)
            self.rrm_public_key = serialization.load_pem_public_key(
                rrm_public_key_as_bytes,
                backend=backend,
            )
        else:
            raise OSError('keymat not configured correctly')
示例#16
0
    def generate_id(self, metadata):
        if metadata is None:
            raise ValueError('metadata is required')

        collection_exercise_sid, eq_id, form_type, ru_ref = UserIDGenerator._get_token_data(
            metadata)
        logger.debug('generating user id',
                     ru_ref=ru_ref,
                     ce_id=collection_exercise_sid,
                     eq_id=eq_id,
                     form_type=form_type)
        salt = to_bytes(self._user_id_salt)
        user_id = self._generate(collection_exercise_sid, eq_id, form_type,
                                 ru_ref, salt)
        return to_str(user_id)
示例#17
0
    def generate_ik(self, token):
        if token is None:
            raise ValueError('token is required')

        collection_exercise_sid, eq_id, form_type, ru_ref = UserIDGenerator._get_token_data(
            token)
        logger.debug('generating user ik',
                     ru_ref=ru_ref,
                     ce_id=collection_exercise_sid,
                     eq_id=eq_id,
                     form_type=form_type)
        salt = to_bytes(self._user_ik_salt)
        ik = self._generate(collection_exercise_sid, eq_id, form_type, ru_ref,
                            salt)
        return to_str(ik)
示例#18
0
    def _generate_key(user_id, user_ik, pepper):
        sha256 = hashlib.sha256()
        sha256.update(to_str(user_id).encode('utf-8'))
        sha256.update(to_str(user_ik).encode('utf-8'))
        sha256.update(to_str(pepper).encode('utf-8'))

        # we only need the first 32 characters for the CEK
        cek = to_bytes(sha256.hexdigest()[:32])

        password = {
            'kty': 'oct',
            'k': base64url_encode(cek),
        }

        return jwk.JWK(**password)
示例#19
0
 def __init__(self):
     # pylint: disable=maybe-no-member
     # password and key variables are dynamically assigned
     if settings.EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY is None or settings.EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY is None \
             or settings.EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD is None:
         logger.error('keymat not configured correctly')
         raise OSError('keymat not configured correctly')
     else:
         super().__init__(
             settings.EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY,
             settings.EQ_USER_AUTHENTICATION_SR_PRIVATE_KEY_PASSWORD)
         # oddly the python cryptography library needs these as bytes string
         rrm_public_key_as_bytes = strings.to_bytes(
             settings.EQ_USER_AUTHENTICATION_RRM_PUBLIC_KEY)
         self.rrm_public_key = serialization.load_pem_public_key(
             rrm_public_key_as_bytes,
             backend=backend,
         )
    def encrypt(self, json_data, cek):
        # 96 bit random IV
        iv = os.urandom(12)
        payload = self._base_64_encode(strings.to_bytes(json_data))
        jwe_protected_header = self._jwe_protected_header()

        cipher = Cipher(algorithms.AES(cek), modes.GCM(iv), backend=backend)
        encryptor = cipher.encryptor()

        encryptor.authenticate_additional_data(jwe_protected_header)

        ciphertext = encryptor.update(payload) + encryptor.finalize()

        tag = encryptor.tag

        encoded_ciphertext = self._base_64_encode(ciphertext)
        encoded_tag = self._base_64_encode(tag)

        # assemble result
        jwe = jwe_protected_header + b".." + self._base_64_encode(iv) + b"." + encoded_ciphertext + b"." + encoded_tag

        return strings.to_str(jwe)
示例#21
0
    def encrypt(self, json_data, cek):
        # 96 bit random IV
        iv = os.urandom(12)
        payload = self._base_64_encode(strings.to_bytes(json_data))
        jwe_protected_header = self._jwe_protected_header()

        cipher = Cipher(algorithms.AES(cek), modes.GCM(iv), backend=backend)
        encryptor = cipher.encryptor()

        encryptor.authenticate_additional_data(jwe_protected_header)

        ciphertext = encryptor.update(payload) + encryptor.finalize()

        tag = encryptor.tag

        encoded_ciphertext = self._base_64_encode(ciphertext)
        encoded_tag = self._base_64_encode(tag)

        # assemble result
        jwe = jwe_protected_header + b".." + self._base_64_encode(
            iv) + b"." + encoded_ciphertext + b"." + encoded_tag

        return strings.to_str(jwe)
示例#22
0
 def test_to_bytes_with_none(self):
     b = strings.to_bytes(None)
     self.assertEqual(b, None)
示例#23
0
 def test_to_bytes_with_bytes(self):
     b = strings.to_bytes(b'def')
     self.assertEqual(b, b'def')
示例#24
0
 def test_to_bytes_with_string(self):
     b = strings.to_bytes('abc')
     self.assertEqual(b, b'abc')
 def generate_ik(self, response_id):
     salt = to_bytes(self._user_ik_salt)
     user_ik = self._generate(response_id, salt)
     return to_str(user_ik)
示例#26
0
 def test_to_bytes_with_bytes(self):
     b = strings.to_bytes(b'def')
     self.assertEqual(b, b'def')
示例#27
0
 def test_to_bytes_with_string(self):
     b = strings.to_bytes("abc")
     self.assertEqual(b, b"abc")
 def _generate(collection_exercise_sid, eq_id, form_type, ru_ref, salt):
     key_material = ru_ref + collection_exercise_sid + eq_id + form_type
     kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt,
                      iterations=settings.EQ_SERVER_SIDE_STORAGE_USER_ID_ITERATIONS, backend=backend)
     generated_key = kdf.derive(to_bytes(key_material))
     return binascii.hexlify(generated_key)
示例#29
0
 def test_to_bytes_with_string(self):
     b = strings.to_bytes('abc')
     self.assertEqual(b, b'abc')
示例#30
0
 def test_to_bytes_with_none(self):
     b = strings.to_bytes(None)
     self.assertEqual(b, None)