def set_passwd(self, sign, xchg, password: bytes):
"""
Set or replace the password by encrypting the private keys and storing
the results.
:param sign: The signature key.
:param xchg: The encryption key.
:param password: The password for encrypting the keys.
"""
# Verify key if key has been set
if self.sign_priv:
try:
Ed25519PublicKey.from_public_bytes(self.sign).verify(
self.sign_sig, sign)
Ed25519PublicKey.from_public_bytes(self.sign).verify(
self.xchg_sig, xchg)
except cryptography.exceptions.InvalidSignature as e:
raise SignatureMismatch(self.xchg_sig) from e
# Do the actual encryption
session = _gen_login_key(password, self.identity)
self.sign_iv = urandom(16)
context = Cipher(algorithms.ChaCha20(session, self.sign_iv), None,
default_backend()).encryptor()
self.sign_priv = context.update(sign) + context.finalize()
self.xchg_iv = urandom(16)
context = Cipher(algorithms.ChaCha20(session, self.xchg_iv), None,
default_backend()).encryptor(
) # Nonce reuse is considered bad practice
self.xchg_priv = context.update(xchg) + context.finalize()
def validate(self, descriptor):
"""
Validate our descriptor content matches its ed25519 signature. Supported
descriptor types include...
* :class:`~stem.descriptor.server_descriptor.RelayDescriptor`
* :class:`~stem.descriptor.hidden_service.HiddenServiceDescriptorV3`
:param stem.descriptor.__init__.Descriptor descriptor: descriptor to validate
:raises:
* **ValueError** if signing key or descriptor are invalid
* **TypeError** if descriptor type is unsupported
* **ImportError** if cryptography module with ed25519 support is unavailable
"""
import stem.descriptor.server_descriptor
try:
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
from cryptography.exceptions import InvalidSignature
except ImportError:
raise ImportError('Certificate validation requires cryptography 2.6 or later')
if isinstance(descriptor, stem.descriptor.server_descriptor.RelayDescriptor):
signed_content = hashlib.sha256(Ed25519CertificateV1._signed_content(descriptor)).digest()
signature = stem.util.str_tools._decode_b64(descriptor.ed25519_signature)
# verify that we're created from this descriptor's signing key
if descriptor.ed25519_master_key:
signing_key = base64.b64decode(stem.util.str_tools._to_bytes(descriptor.ed25519_master_key) + b'=')
else:
signing_key = self.signing_key()
if not signing_key:
raise ValueError('Server descriptor missing an ed25519 signing key')
try:
key = Ed25519PublicKey.from_public_bytes(signing_key)
key.verify(self.signature, base64.b64decode(stem.util.str_tools._to_bytes(self.to_base64()))[:-ED25519_SIGNATURE_LENGTH])
except InvalidSignature:
raise ValueError('Ed25519KeyCertificate signing key is invalid (signature forged or corrupt)')
elif isinstance(descriptor, stem.descriptor.hidden_service.HiddenServiceDescriptorV3):
signed_content = Ed25519CertificateV1._signed_content(descriptor)
signature = stem.util.str_tools._decode_b64(descriptor.signature)
else:
raise TypeError('Certificate validation only supported for server and hidden service descriptors, not %s' % type(descriptor).__name__)
try:
key = Ed25519PublicKey.from_public_bytes(self.key)
key.verify(signature, signed_content)
except InvalidSignature:
raise ValueError('Descriptor Ed25519 certificate signature invalid (signature forged or corrupt)')
def test_ed25519_unsupported(backend):
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM):
Ed25519PublicKey.from_public_bytes(b"0" * 32)
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM):
Ed25519PrivateKey.from_private_bytes(b"0" * 32)
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM):
Ed25519PrivateKey.generate()
def test_ed25519_unsupported(backend):
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
Ed25519PublicKey.from_public_bytes(b"0" * 32)
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
Ed25519PrivateKey.from_private_bytes(b"0" * 32)
with raises_unsupported_algorithm(
_Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM
):
Ed25519PrivateKey.generate()
def _validate_server_desc_signing_key(self, descriptor):
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
from cryptography.exceptions import InvalidSignature
if descriptor.ed25519_master_key:
signing_key = base64.b64decode(
stem.util.str_tools._to_bytes(descriptor.ed25519_master_key) +
b'=')
else:
signing_key = self.signing_key()
if not signing_key:
raise ValueError(
'Server descriptor missing an ed25519 signing key')
try:
key = Ed25519PublicKey.from_public_bytes(signing_key)
key.verify(
self.signature,
base64.b64decode(stem.util.str_tools._to_bytes(
self.encoded))[:-ED25519_SIGNATURE_LENGTH])
except InvalidSignature:
raise ValueError(
'Ed25519KeyCertificate signing key is invalid (signature forged or corrupt)'
)
def cryptography_okp_public_key(
credential_public_key: OKPCredentialPublicKey) -> OKPPublicKey:
"""Convert an `OKPCredentialPublicKey` into a cryptography `OKPPublicKey`.
Args:
credential_public_key (EC2CredentialPublicKey): The key to convert.
Returns:
A cryptography `EC2PublicKey`.
Raises:
UnimplementedError: If the conversion logic for the given type of
CredentialPublicKey has not been implemented.
PublicKeyConversionError: If the provided key could not be converted
into a valid cryptography `EC2PublicKey`.
"""
try:
if credential_public_key.crv.name == 'ED25519':
return Ed25519PublicKey.from_public_bytes(credential_public_key.x)
elif credential_public_key.crv.name == 'ED448':
return Ed448PublicKey.from_public_bytes(credential_public_key.x)
else:
raise UnimplementedError(
'Unsupported cryptography OKP curve {}'.format(
credential_public_key.crv.name))
except ValueError:
raise PublicKeyConversionError('Invalid OKP public key')
def from_jwk(jwk):
try:
if isinstance(jwk, str):
obj = json.loads(jwk)
elif isinstance(jwk, dict):
obj = jwk
else:
raise ValueError
except ValueError:
raise InvalidKeyError("Key is not valid JSON")
if obj.get("kty") != "OKP":
raise InvalidKeyError("Not an Octet Key Pair")
curve = obj.get("crv")
if curve != "Ed25519":
raise InvalidKeyError(f"Invalid curve: {curve}")
if "x" not in obj:
raise InvalidKeyError('OKP should have "x" parameter')
x = base64url_decode(obj.get("x"))
try:
if "d" not in obj:
return Ed25519PublicKey.from_public_bytes(x)
d = base64url_decode(obj.get("d"))
return Ed25519PrivateKey.from_private_bytes(d)
except ValueError as err:
raise InvalidKeyError("Invalid key parameter") from err
def test_load_public_bytes(self, backend):
public_key = Ed25519PrivateKey.generate().public_key()
public_bytes = public_key.public_bytes(serialization.Encoding.Raw,
serialization.PublicFormat.Raw)
public_key2 = Ed25519PublicKey.from_public_bytes(public_bytes)
assert public_bytes == public_key2.public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw)
def verify(self,
to_be_verified: bytes,
signature: bytes,
alg: Optional[CoseAlgorithms] = None,
curve: Optional[CoseEllipticCurves] = None) -> bool:
"""
Verifies the digital signature over 'to_be_verified'. The parameter 'alg' and 'curve' parameters are optional in
case they are already provided by the key object self.
:param to_be_verified: Data that was signed.
:param signature: Signature to verify.
:param alg: An optional algorithm parameter.
:param curve: An optional curve
:return: True when the signature is valid and False if the signature is invalid.
"""
self._check_key_conf(algorithm=alg,
key_operation=KeyOps.VERIFY,
curve=curve)
if self.crv == CoseEllipticCurves.ED25519:
vk = Ed25519PublicKey.from_public_bytes(self.x)
elif self._crv == CoseEllipticCurves.ED448:
vk = Ed448PublicKey.from_public_bytes(self.x)
else:
raise CoseIllegalCurve(
f"Illegal curve for OKP singing: {self.crv}")
try:
vk.verify(signature, to_be_verified)
return True
except InvalidSignature:
return False
def test_new_auth_key_from_public_key():
key_bytes = bytes.fromhex("447fc3be296803c2303951c7816624c7566730a5cc6860a4a1bd3c04731569f5")
public_key = Ed25519PublicKey.from_public_bytes(key_bytes)
auth_key = AuthKey.from_public_key(public_key)
assert auth_key.hex() == "459c77a38803bd53f3adee52703810e3a74fd7c46952c497e75afb0a7932586d"
assert auth_key.prefix().hex() == "459c77a38803bd53f3adee52703810e3"
assert auth_key.account_address().to_hex() == "a74fd7c46952c497e75afb0a7932586d"
def test_decode_example_jws():
example = "eyJhbGciOiJFZERTQSJ9.U2FtcGxlIHNpZ25lZCBwYXlsb2FkLg.dZvbycl2Jkl3H7NmQzL6P0_lDEW42s9FrZ8z-hXkLqYyxNq8yOlDjlP9wh3wyop5MU2sIOYvay-laBmpdW6OBQ"
public_key = "bd47e3e7afb94debbd82e10ab7d410a885b589db49138628562ac2ec85726129"
key = Ed25519PublicKey.from_public_bytes(bytes.fromhex(public_key))
headers, body = jws.decode(example.encode("utf-8"), key.verify)
assert body == "Sample signed payload."
assert headers == {"alg": "EdDSA"}
def checkSignature(message, signature, public_key_bytes):
public_key = Ed25519PublicKey.from_public_bytes(public_key_bytes)
try:
public_key.verify(signature, message)
except InvalidSignature:
return False
finally:
return True
def test_deserialize_example_jws():
example = "eyJhbGciOiJFZERTQSJ9.U2FtcGxlIHNpZ25lZCBwYXlsb2FkLg.dZvbycl2Jkl3H7NmQzL6P0_lDEW42s9FrZ8z-hXkLqYyxNq8yOlDjlP9wh3wyop5MU2sIOYvay-laBmpdW6OBQ"
public_key = "bd47e3e7afb94debbd82e10ab7d410a885b589db49138628562ac2ec85726129"
body, sig, msg = offchain.jws.deserialize_string(example.encode("utf-8"))
assert body == "Sample signed payload."
key = Ed25519PublicKey.from_public_bytes(bytes.fromhex(public_key))
key.verify(sig, msg)
def test_load_public_bytes(self, backend):
public_key = Ed25519PrivateKey.generate().public_key()
public_bytes = public_key.public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
)
public_key2 = Ed25519PublicKey.from_public_bytes(public_bytes)
assert public_bytes == public_key2.public_bytes(
serialization.Encoding.Raw, serialization.PublicFormat.Raw
)
def valid_signature_raw(sig, pub, text):
public_key = Ed25519PublicKey.from_public_bytes(
bytearray.fromhex(pub).decode())
try:
public_key.verify(bytearray.fromhex(
sig).decode(), text.encode('utf-8'))
return True
except:
return False
def loadKey(self, data):
self.private_key = Ed25519PrivateKey.from_private_bytes(
bytes.fromhex(data['private_key']))
self.public_key_bytes = bytes.fromhex(data['public_key'])
self.public_key = Ed25519PublicKey.from_public_bytes(
self.public_key_bytes)
self.nid = bytes.fromhex(data['myNID'])
self.rsa_private_key = rsa.generate_private_key(public_exponent=65537,
key_size=2048)
def cryptography_okp_public_key(
credential_public_key: OKPCredentialPublicKey) -> PublicKey:
if credential_public_key.crv.name == 'ED25519':
return Ed25519PublicKey.from_public_bytes(credential_public_key.x)
elif credential_public_key.crv.name == 'ED448':
return Ed448PublicKey.from_public_bytes(credential_public_key.x)
else:
raise UnimplementedError(
'Unsupported cryptography OKP curve {}'.format(
credential_public_key.crv.name))
def load_peer(self, peer_pub_bytes, peer_sig_pub_bytes):
self.peer_pub_bytes = peer_pub_bytes
self.peer_pub = X25519PublicKey.from_public_bytes(self.peer_pub_bytes)
self.peer_sig_pub_bytes = peer_sig_pub_bytes
self.peer_sig_pub = Ed25519PublicKey.from_public_bytes(
self.peer_sig_pub_bytes)
if not hasattr(self.peer_pub, "curve"):
self.peer_pub.curve = Link.CURVE
def verifying_key_from_string(public_key_bytes):
"""
Load a verifying key from a string of bytes (which includes the
PUBLIC_KEY_PREFIX)
:returns: a public_key
"""
if not isinstance(public_key_bytes, six.binary_type):
raise ValueError('public_key_bytes must be bytes')
return Ed25519PublicKey.from_public_bytes(
a2b(remove_prefix(public_key_bytes, PUBLIC_KEY_PREFIX)))
def valid_sig(self):
if (self.sender == 'coinbase'):
return True
else:
# all nicknames end with .coof, if the sender ends with .coof then we need to get the pubkey from the db
if (self.sender.endswith('.coof')):
read = get(key=self.sender, collection_name='nicknames.db')
if (read == None):
return False
else:
public_key = Ed25519PublicKey.from_public_bytes(
bytearray.fromhex(read).decode())
else:
public_key = Ed25519PublicKey.from_public_bytes(
bytearray.fromhex(self.sender).decode())
try:
public_key.verify(bytearray.fromhex(
self.signature).decode(), self.hash.encode('utf-8'))
return True
except:
return False
def loadKey(data):
private_bytes = data['private']
private_key = Ed25519PrivateKey.from_private_bytes(
bytes.fromhex(data['private']))
public_bytes = data['public']
public_key = Ed25519PublicKey.from_public_bytes(
bytes.fromhex(data['public']))
nid = data['nid']
print('私钥', private_bytes)
print('公钥', public_bytes)
print('nid ', nid)
return private_key, public_key, nid
def verify(cls, key: 'OKP', data: bytes, signature: bytes) -> bool:
if key.crv.fullname == 'ED25519':
vk = Ed25519PublicKey.from_public_bytes(key.x)
elif key.crv.fullname == 'ED448':
vk = Ed448PublicKey.from_public_bytes(key.x)
else:
raise CoseException(f"Illegal curve for OKP singing: {key.crv}")
try:
vk.verify(signature, data)
return True
except InvalidSignature:
return False
def ed25519_public_key_from_string(string):
"""Create an ed25519 public key from ``string``, which is a seed.
Args:
string (str): the string to use as a seed.
Returns:
Ed25519PublicKey: the public key
"""
try:
return Ed25519PublicKey.from_public_bytes(base64.b64decode(string))
except (UnsupportedAlgorithm, Base64Error) as exc:
raise ScriptWorkerEd25519Error("Can't create Ed25519PublicKey: {}!".format(str(exc)))
def decoded_public_key_to_cryptography(
public_key: Union[DecodedOKPPublicKey, DecodedEC2PublicKey,
DecodedRSAPublicKey]
) -> Union[Ed25519PublicKey, EllipticCurvePublicKey, RSAPublicKey]:
"""Convert raw decoded public key parameters (crv, x, y, n, e, etc...) into
public keys using primitives from the cryptography.io library
"""
if isinstance(public_key, DecodedEC2PublicKey):
"""
alg is -7 (ES256), where kty is 2 (with uncompressed points) and
crv is 1 (P-256).
https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy
"""
x = int(codecs.encode(public_key.x, "hex"), 16)
y = int(codecs.encode(public_key.y, "hex"), 16)
curve = get_ec2_curve(public_key.crv)
ecc_pub_key = EllipticCurvePublicNumbers(x, y, curve).public_key(
default_backend())
return ecc_pub_key
elif isinstance(public_key, DecodedRSAPublicKey):
"""
alg is -257 (RS256)
https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy
"""
e = int(codecs.encode(public_key.e, "hex"), 16)
n = int(codecs.encode(public_key.n, "hex"), 16)
rsa_pub_key = RSAPublicNumbers(e, n).public_key(default_backend())
return rsa_pub_key
elif isinstance(public_key, DecodedOKPPublicKey):
"""
-8 (EdDSA), where crv is 6 (Ed25519).
https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy
"""
if (public_key.alg != COSEAlgorithmIdentifier.EDDSA
or public_key.crv != COSECRV.ED25519):
raise UnsupportedPublicKey(
f"OKP public key with alg {public_key.alg} and crv {public_key.crv} is not supported"
)
okp_pub_key = Ed25519PublicKey.from_public_bytes(public_key.x)
return okp_pub_key
else:
raise UnsupportedPublicKey(
f"Unrecognized decoded public key: {public_key}")
def validate(self, descriptor):
"""
Validate our descriptor content matches its ed25519 signature. Supported
descriptor types include...
* :class:`~stem.descriptor.server_descriptor.RelayDescriptor`
* :class:`~stem.descriptor.hidden_service.HiddenServiceDescriptorV3`
:param stem.descriptor.__init__.Descriptor descriptor: descriptor to validate
:raises:
* **ValueError** if signing key or descriptor are invalid
* **TypeError** if descriptor type is unsupported
* **ImportError** if cryptography module or ed25519 support unavailable
"""
if not stem.prereq.is_crypto_available(ed25519=True):
raise ImportError(
'Certificate validation requires the cryptography module and ed25519 support'
)
if isinstance(descriptor,
stem.descriptor.server_descriptor.RelayDescriptor):
signed_content = hashlib.sha256(
Ed25519CertificateV1._signed_content(descriptor)).digest()
signature = stem.util.str_tools._decode_b64(
descriptor.ed25519_signature)
self._validate_server_desc_signing_key(descriptor)
elif isinstance(
descriptor,
stem.descriptor.hidden_service.HiddenServiceDescriptorV3):
signed_content = Ed25519CertificateV1._signed_content(descriptor)
signature = stem.util.str_tools._decode_b64(descriptor.signature)
else:
raise TypeError(
'Certificate validation only supported for server and hidden service descriptors, not %s'
% type(descriptor).__name__)
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
from cryptography.exceptions import InvalidSignature
try:
key = Ed25519PublicKey.from_public_bytes(self.key)
key.verify(signature, signed_content)
except InvalidSignature:
raise ValueError(
'Descriptor Ed25519 certificate signature invalid (signature forged or corrupt)'
)
def ed25519_public_key_from_string(string):
"""Create an ed25519 public key from ``string``, which is a seed.
Args:
string (str): the string to use as a seed.
Returns:
Ed25519PublicKey: the public key
"""
try:
return Ed25519PublicKey.from_public_bytes(
base64.b64decode(string)
)
except (UnsupportedAlgorithm, Base64Error) as exc:
raise ScriptWorkerEd25519Error("Can't create Ed25519PublicKey: {}!".format(str(exc)))
def verify_tx(self, tx, timestamp=None):
global Ed25519PublicKey
logging.debug(tx)
if tx in self.mempool:
logging.debug("tx True already have")
return "already"
elif tx in self.valid_tx:
logging.debug("tx already in valid_tx")
if timestamp: #ak vola turo funkciu verify_block
return False #aby v blockchaine nemohli byt dve tie iste tx
return "already"
tx_type = tx[:2]
if not tx_type in ["00", "01", "02"]:
logging.debug(f"invalid tx type: {tx_type}")
return False
if tx_type == "00":
msg_size = 64 - 4
elif tx_type == "01":
msg_size = int(tx[34:38], 16) * 2
msg_size += 32
else:
msg_size = int(tx[2:6], 16) * 2
print(f"msg_size: {msg_size}")
if msg_size > 2000:
logging.debug("msg size je moc velka")
return False
sig = bytes.fromhex(tx[-128:])
sender_pub_key = Ed25519PublicKey.from_public_bytes(
bytes.fromhex(tx[-192:-128]))
try:
sender_pub_key.verify(sig, bytes.fromhex(tx[:-128]))
except:
logging.debug("tx sig False")
return False
tx_timestamp = int(tx[-264:-256], 16)
if timestamp:
timestamp = int(timestamp, 16)
if not -1800 <= timestamp - tx_timestamp <= 1800:
logging.debug("tx timestamp is old in block")
return False
#ked bude temp fork a dojdu dva bloky s tymi istymi tx tak ich budem ma t dva krat v db
elif not -1800 <= int(time()) - tx_timestamp <= 1800:
logging.debug("tx timestamp is old")
return False
logging.debug("tx True")
return True
def get_base_url_and_compliance_key(
self, account_address: typing.Union[diem_types.AccountAddress, str]
) -> typing.Tuple[str, Ed25519PublicKey]:
"""get base_url and compliance key
ParentVASP or Designated Dealer account role has base_url and compliance key setup, which
are used for offchain API communication.
"""
account = self.must_get_account(account_address)
if account.role.compliance_key and account.role.base_url:
key = Ed25519PublicKey.from_public_bytes(bytes.fromhex(account.role.compliance_key))
return (account.role.base_url, key)
if account.role.parent_vasp_address:
return self.get_base_url_and_compliance_key(account.role.parent_vasp_address)
raise ValueError(f"could not find base_url and compliance_key from account: {account}")
def verify1(self, credentials, session_pub_key, encrypted):
"""First verification step."""
self._shared = self._verify_private.exchange(
X25519PublicKey.from_public_bytes(session_pub_key)
)
session_key = hkdf_expand(
"Pair-Verify-Encrypt-Salt", "Pair-Verify-Encrypt-Info", self._shared
)
chacha = chacha20.Chacha20Cipher(session_key, session_key)
decrypted_tlv = hap_tlv8.read_tlv(
chacha.decrypt(encrypted, nounce="PV-Msg02".encode())
)
identifier = decrypted_tlv[TlvValue.Identifier]
signature = decrypted_tlv[TlvValue.Signature]
if identifier != credentials.atv_id:
raise exceptions.AuthenticationError("incorrect device response")
info = session_pub_key + bytes(identifier) + self._public_bytes
ltpk = Ed25519PublicKey.from_public_bytes(bytes(credentials.ltpk))
try:
ltpk.verify(bytes(signature), bytes(info))
except InvalidSignature as ex:
raise exceptions.AuthenticationError("signature error") from ex
device_info = self._public_bytes + credentials.client_id + session_pub_key
device_signature = Ed25519PrivateKey.from_private_bytes(credentials.ltsk).sign(
device_info
)
tlv = hap_tlv8.write_tlv(
{
TlvValue.Identifier: credentials.client_id,
TlvValue.Signature: device_signature,
}
)
return chacha.encrypt(tlv, nounce="PV-Msg03".encode())
def test_ed25519_signature(backend, wycheproof):
# We want to fail if/when wycheproof adds more edwards curve tests
# so we can add them as well.
assert wycheproof.testgroup["key"]["curve"] == "edwards25519"
key = Ed25519PublicKey.from_public_bytes(
binascii.unhexlify(wycheproof.testgroup["key"]["pk"]))
if wycheproof.valid or wycheproof.acceptable:
key.verify(
binascii.unhexlify(wycheproof.testcase["sig"]),
binascii.unhexlify(wycheproof.testcase["msg"]),
)
else:
with pytest.raises(InvalidSignature):
key.verify(
binascii.unhexlify(wycheproof.testcase["sig"]),
binascii.unhexlify(wycheproof.testcase["msg"]),
)
def load_public_key(self, pub_bytes):
"""
Load a public key into the instance.
:param pub_bytes: The public key as *bytes*.
:returns: True if the key was loaded, otherwise False.
"""
try:
self.pub_bytes = pub_bytes[:Identity.KEYSIZE // 8 // 2]
self.sig_pub_bytes = pub_bytes[Identity.KEYSIZE // 8 // 2:]
self.pub = X25519PublicKey.from_public_bytes(self.pub_bytes)
self.sig_pub = Ed25519PublicKey.from_public_bytes(
self.sig_pub_bytes)
self.update_hashes()
except Exception as e:
RNS.log(
"Error while loading public key, the contained exception was: "
+ str(e), RNS.LOG_ERROR)
def test_ed25519_signature(backend, wycheproof):
# We want to fail if/when wycheproof adds more edwards curve tests
# so we can add them as well.
assert wycheproof.testgroup["key"]["curve"] == "edwards25519"
key = Ed25519PublicKey.from_public_bytes(
binascii.unhexlify(wycheproof.testgroup["key"]["pk"])
)
if wycheproof.valid or wycheproof.acceptable:
key.verify(
binascii.unhexlify(wycheproof.testcase["sig"]),
binascii.unhexlify(wycheproof.testcase["msg"]),
)
else:
with pytest.raises(InvalidSignature):
key.verify(
binascii.unhexlify(wycheproof.testcase["sig"]),
binascii.unhexlify(wycheproof.testcase["msg"]),
)
def auth_key(self) -> AuthKey:
return AuthKey.from_public_key(
Ed25519PublicKey.from_public_bytes(self.public_key_bytes()))
def __init__(self, store_id: str, store_key: str):
self.store_id = store_id
self.store_key = store_key
self.public_key: Ed25519PublicKey = Ed25519PublicKey.from_public_bytes(
bytes(bytearray.fromhex(config.PUBLIC_KEY)))
def public_key_from_string(key_str):
"""Create an Ed25519PublicKey from a base64-encoded string."""
return Ed25519PublicKey.from_public_bytes(
base64.b64decode(key_str)
)
def test_invalid_length_from_public_bytes(self, backend):
with pytest.raises(ValueError):
Ed25519PublicKey.from_public_bytes(b"a" * 31)
with pytest.raises(ValueError):
Ed25519PublicKey.from_public_bytes(b"a" * 33)
def test_invalid_type_public_bytes(self, backend):
with pytest.raises(TypeError):
Ed25519PublicKey.from_public_bytes(object())