def test_load_ssh_public_key_ecdsa_nist_p256_missing_data(self, backend): ssh_key = ( b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy" b"NTYAAABBBGG2MfkHXp0UkxUyllDzWNBAImsvt5t7pFtTXegZK2WbGxml8zMrgWi5" b"teIg1TO03/FD9hbpBFgBeix3NrCF= root@cloud-server-01" ) with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_ecdsa_nist_p256_bad_curve_name(self, backend): ssh_key = ( # The curve name in here is changed to be "nistp255". b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy" b"NTUAAABBBGG2MfkHXp0UkxUyllDzWNBAImsvt5t7pFtTXegZK2WbGxml8zMrgWi5" b"teIg1TO03/FD9hbpBFgBeix3NrCFPls= root@cloud-server-01" ) with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_ecdsa_nist_p256_compressed(self, backend): # If we ever implement compressed points, note that this is not a valid # one, it just has the compressed marker in the right place. ssh_key = ( b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy" b"NTYAAABBAWG2MfkHXp0UkxUyllDzWNBAImsvt5t7pFtTXegZK2WbGxml8zMrgWi5" b"teIg1TO03/FD9hbpBFgBeix3NrCFPls= root@cloud-server-01" ) with pytest.raises(NotImplementedError): load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_truncated_int(self, backend): ssh_key = b'ssh-rsa AAAAB3NzaC1yc2EAAAA=' with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend) ssh_key = b'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAACKr+IHXo' with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_rsa_extra_data_after_modulo(self, backend): ssh_key = ( b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk" b"FiiuJLW6RU0j3KKVZSs1I7Z3UmU9/9aVh/rZV43WQG8jaR6kkcP4stOR0DEtll" b"PDA7ZRBnrfiHpSQYQ874AZaAoIjgkv7DBfsE6gcDQLub0PFjWyrYQUJhtOLQEK" b"vY/G0vt2iRL3juawWmCFdTK3W3XvwAdgGk71i6lHt+deOPNEPN2H58E4odrZ2f" b"sxn/adpDqfb2sM0kPwQs0aWvrrKGvUaustkivQE4XWiSFnB0oJB/lKK/CKVKuy" b"///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX" b"2MzHvnbvAQ== testkey@localhost" ) with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_rsa_different_string(self, backend): ssh_key = ( # "AAAAB3NzA" the final A is capitalized here to cause the string # ssh-rsa inside the base64 encoded blob to be incorrect. It should # be a lower case 'a'. b"ssh-rsa AAAAB3NzAC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk" b"FiiuJLW6RU0j3KKVZSs1I7Z3UmU9/9aVh/rZV43WQG8jaR6kkcP4stOR0DEtll" b"PDA7ZRBnrfiHpSQYQ874AZaAoIjgkv7DBfsE6gcDQLub0PFjWyrYQUJhtOLQEK" b"vY/G0vt2iRL3juawWmCFdTK3W3XvwAdgGk71i6lHt+deOPNEPN2H58E4odrZ2f" b"sxn/adpDqfb2sM0kPwQs0aWvrrKGvUaustkivQE4XWiSFnB0oJB/lKK/CKVKuy" b"///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX" b"2MzHvnbvAQ== testkey@localhost" ) with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend)
def test_load_ssh_public_key_dss_comment_with_spaces(self, backend): ssh_key = ( b"ssh-dss AAAAB3NzaC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD" b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm" b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ" b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2" b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf" b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J" b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi" b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa" b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr" b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost extra" ) load_ssh_public_key(ssh_key, backend)
def __init__(self, ssh_public_key): """ Extracts the useful RSA Public Key information from an SSH Public Key file. :param ssh_public_key: SSH Public Key file contents. (i.e. 'ssh-rsa AAAAB3NzaC1yc2E..'). """ super(RSAPublicKey, self).__init__() self.type = SSHPublicKeyType.RSA split_ssh_public_key = ssh_public_key.split(' ') split_key_len = len(split_ssh_public_key) # is there a key comment at the end? if split_key_len > 2: self.key_comment = ' '.join(split_ssh_public_key[2:]) else: self.key_comment = '' public_key = serialization.load_ssh_public_key(ssh_public_key.encode('ascii'), default_backend()) ca_pub_numbers = public_key.public_numbers() if not isinstance(ca_pub_numbers, RSAPublicNumbers): raise TypeError("Public Key is not the correct type or format") self.key_size = public_key.key_size self.e = ca_pub_numbers.e self.n = ca_pub_numbers.n key_bytes = base64.b64decode(split_ssh_public_key[1]) fingerprint = hashlib.md5(key_bytes).hexdigest() self.fingerprint = 'RSA ' + ':'.join( fingerprint[i:i + 2] for i in range(0, len(fingerprint), 2))
def test_load_ssh_public_key_rsa(self, backend): ssh_key = ( b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk" b"FiiuJLW6RU0j3KKVZSs1I7Z3UmU9/9aVh/rZV43WQG8jaR6kkcP4stOR0DEtll" b"PDA7ZRBnrfiHpSQYQ874AZaAoIjgkv7DBfsE6gcDQLub0PFjWyrYQUJhtOLQEK" b"vY/G0vt2iRL3juawWmCFdTK3W3XvwAdgGk71i6lHt+deOPNEPN2H58E4odrZ2f" b"sxn/adpDqfb2sM0kPwQs0aWvrrKGvUaustkivQE4XWiSFnB0oJB/lKK/CKVKuy" b"///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX" b"2MzHvnbv testkey@localhost" ) key = load_ssh_public_key(ssh_key, backend) assert key is not None assert isinstance(key, rsa.RSAPublicKey) numbers = key.public_numbers() expected_e = 0x10001 expected_n = int( '00C3BBF5D13F59322BA0A0B77EA0B6CF570241628AE24B5BA454D' '23DCA295652B3523B67752653DFFD69587FAD9578DD6406F23691' 'EA491C3F8B2D391D0312D9653C303B651067ADF887A5241843CEF' '8019680A088E092FEC305FB04EA070340BB9BD0F1635B2AD84142' '61B4E2D010ABD8FC6D2FB768912F78EE6B05A60857532B75B75EF' 'C007601A4EF58BA947B7E75E38F3443CDD87E7C138A1DAD9D9FB3' '19FF69DA43A9F6F6B0CD243F042CD1A5AFAEB286BD46AEB2D922B' 'D01385D6892167074A0907F94A2BF08A54ABB2FFFFC89920861D0' '46F8706AB88DDADBD9E8204D48B87789081E074024C8996783B31' '7076A98ABF0A2D8550EAF2097D8CCC7BE76EF', 16) expected = rsa.RSAPublicNumbers(expected_e, expected_n) assert numbers == expected
def _get_publickey(path): with open(path, 'rb') as kfile: pk = serialization.load_ssh_public_key( kfile.read(), backend=default_backend() ) return pk
def prepare_key(key_path, key_type=None): if key_type is None: key_type = 'pub' try: assert key_type.strip().lower() in PUB_TYPES + PRIV_TYPES except: raise ValueError("The type of key is not qualified. " + key_type) if key_type in PUB_TYPES: with open(key_path, 'rb') as pk_stream: key = serialization.load_ssh_public_key( data=pk_stream.read(), backend=default_backend() ) elif key_type in PRIV_TYPES: with open(key_path, 'rb') as sk_stream: key = serialization.load_pem_private_key( data=sk_stream.read(), password=None, backend=default_backend() ) else: key = None return key
def test_generate_key_pair_1024_bits(self): bits = 1024 (private_key, public_key, fingerprint) = crypto.generate_key_pair(bits) pub_bytes = public_key.encode('utf-8') pkey = serialization.load_ssh_public_key( pub_bytes, backends.default_backend()) self.assertEqual(bits, pkey.key_size)
def test_encode_decode_with_rsa_sha512(self): # PEM-formatted RSA key with open('tests/testkey_rsa', 'r') as rsa_priv_file: priv_rsakey = load_pem_private_key(ensure_bytes(rsa_priv_file.read()), password=None, backend=default_backend()) jwt_message = jwt.encode(self.payload, priv_rsakey, algorithm='RS512') with open('tests/testkey_rsa.pub', 'r') as rsa_pub_file: pub_rsakey = load_ssh_public_key(ensure_bytes(rsa_pub_file.read()), backend=default_backend()) assert jwt.decode(jwt_message, pub_rsakey) load_output = jwt.load(jwt_message) jwt.verify_signature(key=pub_rsakey, *load_output) # string-formatted key with open('tests/testkey_rsa', 'r') as rsa_priv_file: priv_rsakey = rsa_priv_file.read() jwt_message = jwt.encode(self.payload, priv_rsakey, algorithm='RS512') with open('tests/testkey_rsa.pub', 'r') as rsa_pub_file: pub_rsakey = rsa_pub_file.read() assert jwt.decode(jwt_message, pub_rsakey) load_output = jwt.load(jwt_message) jwt.verify_signature(key=pub_rsakey, *load_output)
def validate(self, request): """Validate uploaded test results.""" super(TestResultValidator, self).validate(request) if request.headers.get('X-Signature') or \ request.headers.get('X-Public-Key'): try: sign = binascii.a2b_hex(request.headers.get('X-Signature', '')) except (binascii.Error, TypeError) as e: raise api_exc.ValidationError('Malformed signature', e) try: key = load_ssh_public_key( request.headers.get('X-Public-Key', ''), backend=backends.default_backend() ) except (binascii.Error, ValueError) as e: raise api_exc.ValidationError('Malformed public key', e) verifier = key.verifier(sign, padding.PKCS1v15(), hashes.SHA256()) verifier.update(request.body) try: verifier.verify() except InvalidSignature: raise api_exc.ValidationError('Signature verification failed') if self._is_empty_result(request): raise api_exc.ValidationError('Uploaded results must contain at ' 'least one passing test.')
def validate(self, request): """Validate uploaded test results.""" super(PubkeyValidator, self).validate(request) body = json.loads(request.body.decode('utf-8')) key_format = body['raw_key'].strip().split()[0] if key_format not in ('ssh-dss', 'ssh-rsa', 'pgp-sign-rsa', 'pgp-sign-dss'): raise api_exc.ValidationError('Public key has unsupported format') try: sign = binascii.a2b_hex(body['self_signature']) except (binascii.Error, TypeError) as e: raise api_exc.ValidationError('Malformed signature', e) try: key = load_ssh_public_key(body['raw_key'].encode('utf-8'), backend=backends.default_backend()) except (binascii.Error, ValueError) as e: raise api_exc.ValidationError('Malformed public key', e) verifier = key.verifier(sign, padding.PKCS1v15(), hashes.SHA256()) verifier.update('signature'.encode('utf-8')) try: verifier.verify() except InvalidSignature: raise api_exc.ValidationError('Signature verification failed')
def test_load_ssh_public_key_ecdsa_nist_p521(self, backend): _skip_curve_unsupported(backend, ec.SECP521R1()) ssh_key = ( b"ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1" b"MjEAAACFBAGTrRhMSEgF6Ni+PXNz+5fjS4lw3ypUILVVQ0Av+0hQxOx+MyozELon" b"I8NKbrbBjijEs1GuImsmkTmWsMXS1j2A7wB4Kseh7W9KA9IZJ1+TMrzWUEwvOOXi" b"wT23pbaWWXG4NaM7vssWfZBnvz3S174TCXnJ+DSccvWBFnKP0KchzLKxbg== " b"root@cloud-server-01" ) key = load_ssh_public_key(ssh_key, backend) expected_x = int( "54124123120178189598842622575230904027376313369742467279346415219" "77809037378785192537810367028427387173980786968395921877911964629" "142163122798974160187785455", 10 ) expected_y = int( "16111775122845033200938694062381820957441843014849125660011303579" "15284560361402515564433711416776946492019498546572162801954089916" "006665939539407104638103918", 10 ) assert key.public_numbers() == ec.EllipticCurvePublicNumbers( expected_x, expected_y, ec.SECP521R1() )
def test_load_ssh_public_key_dss_different_string(self, backend): ssh_key = ( # "AAAAB3NzA" the final A is capitalized here to cause the string # ssh-dss inside the base64 encoded blob to be incorrect. It should # be a lower case 'a'. b"ssh-dss AAAAB3NzAC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD" b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm" b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ" b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2" b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf" b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J" b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi" b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa" b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr" b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost" ) with pytest.raises(ValueError): load_ssh_public_key(ssh_key, backend)
def build_signature_verifier(cls, public_key_binary, signature): public_key = crypto_serial.load_ssh_public_key( public_key_binary, crypto_backend() ) return public_key.verifier( signature, crypto_padding.PKCS1v15(), crypto_hashes.SHA512() )
def generate_fingerprint(public_key): try: pub_bytes = public_key.encode('utf-8') # Test that the given public_key string is a proper ssh key. The # returned object is unused since pyca/cryptography does not have a # fingerprint method. serialization.load_ssh_public_key( pub_bytes, backends.default_backend()) pub_data = base64.b64decode(public_key.split(' ')[1]) digest = hashes.Hash(hashes.MD5(), backends.default_backend()) digest.update(pub_data) md5hash = digest.finalize() raw_fp = binascii.hexlify(md5hash) if six.PY3: raw_fp = raw_fp.decode('ascii') return ':'.join(a + b for a, b in zip(raw_fp[::2], raw_fp[1::2])) except Exception: raise exception.InvalidKeypair( reason=_('failed to generate fingerprint'))
def decode_token(request): """Validate request signature. ValidationError rises if request is not valid. """ if not request.headers.get(const.JWT_TOKEN_HEADER): return try: auth_schema, token = request.headers.get( const.JWT_TOKEN_HEADER).split(' ', 1) except ValueError: raise api_exc.ValidationError("Token is not valid") if auth_schema != 'Bearer': raise api_exc.ValidationError( "Authorization schema 'Bearer' should be used") try: token_data = jwt.decode(token, algorithms='RS256', verify=False) except jwt.InvalidTokenError: raise api_exc.ValidationError("Token is not valid") openid = token_data.get(const.USER_OPENID) if not openid: raise api_exc.ValidationError("Token does not contain user's openid") pubkeys = db.get_user_pubkeys(openid) for pubkey in pubkeys: try: pubkey_string = '%s %s' % (pubkey['format'], pubkey['pubkey']) pubkey_obj = serialization.load_ssh_public_key( pubkey_string.encode('utf-8'), backend=backends.default_backend() ) pem_pubkey = pubkey_obj.public_bytes( serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo) except (ValueError, IndexError, TypeError, binascii.Error): pass else: try: token_data = jwt.decode( token, key=pem_pubkey, options={'verify_signature': True, 'verify_exp': True, 'require_exp': True}, leeway=const.JWT_VALIDATION_LEEWAY) # NOTE(sslipushenko) If at least one key is valid, let # the validation pass return token_data except jwt.InvalidTokenError: pass # NOTE(sslipushenko) If all user's keys are not valid, the validation fails raise api_exc.ValidationError("Token is not valid")
def ssh_encrypt_text(ssh_public_key, text): """Encrypt text with an ssh public key. If text is a Unicode string, encode it to UTF-8. """ if isinstance(text, six.text_type): text = text.encode('utf-8') try: pub_bytes = ssh_public_key.encode('utf-8') pub_key = serialization.load_ssh_public_key( pub_bytes, backends.default_backend()) return pub_key.encrypt(text, padding.PKCS1v15()) except Exception as exc: raise exception.EncryptionFailure(reason=six.text_type(exc))
def __init__(self, public=None, private=None, sep=':', salt=None, max_delta=60): assert public or private, "Must provide either a public key or a private key, or both." self.private_key = None if not private else serialization.load_der_private_key( private, None, default_backend()) self.public_key = None if not public else serialization.load_ssh_public_key( public, default_backend()) self.sep = sep self.salt = salt or 'ca.clsi.cmcf' self.max_delta = max_delta
def test_load_ssh_public_key_dss(self, backend): ssh_key = ( b"ssh-dss AAAAB3NzaC1kc3MAAACBALmwUtfwdjAUjU2Dixd5DvT0NDcjjr69UD" b"LqSD/Xt5Al7D3GXr1WOrWGpjO0NE9qzRCvMTU7zykRH6XjuNXB6Hvv48Zfm4vm" b"nHQHFmmMg2bI75JbnOwdzWnnPZJrVU4rS23dFFPqs5ug+EbhVVrcwzxahjcSjJ" b"7WEQSkVQWnSPbbAAAAFQDXmpD3DIkGvLSBf1GdUF4PHKtUrQAAAIB/bJFwss+2" b"fngmfG/Li5OyL7A9iVoGdkUaFaxEUROTp7wkm2z49fXFAir+/U31v50Tu98YLf" b"WvKlxdHcdgQYV9Ww5LIrhWwwD4UKOwC6w5S3KHVbi3pWUi7vxJFXOWfeu1mC/J" b"TWqMKR91j+rmOtdppWIZRyIVIqLcMdGO3m+2VgAAAIANFDz5KQH5NvoljpoRQi" b"RgyPjxWXiE7vjLElKj4v8KrpanAywBzdhIW1y/tzpGuwRwj5ihi8iNTHgSsoTa" b"j5AG5HPomJf5vJElxpu/2O9pHA52wcNObIQ7j+JA5uWusxNIbl+pF6sSiP8abr" b"z53N7tPF/IhHTjBHb1Ol7IFu9p9A== testkey@localhost" ) key = load_ssh_public_key(ssh_key, backend) assert key is not None assert isinstance(key, dsa.DSAPublicKey) numbers = key.public_numbers() expected_y = int( "d143cf92901f936fa258e9a11422460c8f8f1597884eef8cb1252a3e2ff0aae" "96a7032c01cdd8485b5cbfb73a46bb04708f98a18bc88d4c7812b284da8f900" "6e473e89897f9bc9125c69bbfd8ef691c0e76c1c34e6c843b8fe240e6e5aeb3" "13486e5fa917ab1288ff1a6ebcf9dcdeed3c5fc88474e30476f53a5ec816ef6" "9f4", 16 ) expected_p = int( "b9b052d7f07630148d4d838b17790ef4f43437238ebebd5032ea483fd7b7902" "5ec3dc65ebd563ab586a633b4344f6acd10af31353bcf29111fa5e3b8d5c1e8" "7befe3c65f9b8be69c740716698c8366c8ef925b9cec1dcd69e73d926b554e2" "b4b6ddd1453eab39ba0f846e1555adcc33c5a8637128c9ed61104a45505a748" "f6db", 16 ) expected_q = 1230879958723280233885494314531920096931919647917 expected_g = int( "7f6c9170b2cfb67e78267c6fcb8b93b22fb03d895a0676451a15ac44511393a" "7bc249b6cf8f5f5c5022afefd4df5bf9d13bbdf182df5af2a5c5d1dc7604185" "7d5b0e4b22b856c300f850a3b00bac394b728755b8b7a56522eefc491573967" "debb5982fc94d6a8c291f758feae63ad769a5621947221522a2dc31d18ede6f" "b656", 16 ) expected = dsa.DSAPublicNumbers( expected_y, dsa.DSAParameterNumbers(expected_p, expected_q, expected_g) ) assert numbers == expected
def load_public_key_from_disc(openssh_file: str) -> rsa.RSAPublicKey: """ Loads a pem file into a RSAPublicKey Object. :param openssh_file: The file containing the public RSA key :return: RSAPublicKey Object. """ try: with open(openssh_file, "rb") as key_file: public_key = serialization.load_ssh_public_key( key_file.read(), backend=default_backend()) return public_key except: print("Error reading the pem file.") return None
def rsa_encrypt(data, rsa_pub_key_bytes): """ `rsa_pub_key_bytes` is a byte sequence with the public key """ if isinstance(data, text_type): data = data.encode('utf-8') if isinstance(rsa_pub_key_bytes, text_type): rsa_pub_key_bytes = rsa_pub_key_bytes.encode('utf-8') if rsa_pub_key_bytes.startswith(b'-----'): key = serialization.load_pem_public_key(rsa_pub_key_bytes, backend=default_backend()) elif rsa_pub_key_bytes.startswith(b'ssh-rsa '): key = serialization.load_ssh_public_key(rsa_pub_key_bytes, backend=default_backend()) else: key = serialization.load_der_public_key(rsa_pub_key_bytes, backend=default_backend()) return key.encrypt(data, OAEP(MGF1(SHA1()), SHA1(), label=None))
def _load_key(key, ssh_type): key = to_bytes(key) if key.startswith(ssh_type): return load_ssh_public_key(key, backend=default_backend()) if b'PUBLIC' in key: return load_pem_public_key(key, backend=default_backend()) if b'PRIVATE' in key: return load_pem_private_key(key, password=None, backend=default_backend()) try: return load_pem_private_key(key, password=None, backend=default_backend()) except ValueError: return load_pem_public_key(key, backend=default_backend())
def load_public_key(pubkey_file): ''' Loads the public key stored in the file indicated by the pubkey_file parameter and returns it The `pubkey_file` parameter indicates the absolute path to the file storing the public key. The key returned is a RSAPublicKey instance. ''' with open(pubkey_file, "rb") as key_file: pubkey = serialization.load_ssh_public_key( key_file.read(), backend=default_backend() ) return pubkey
def encryptMessage(self, publicKeyPem, outputPath, message): # Load public ssh key with open(publicKeyPem, "rb") as key_file: public_key = serialization.load_ssh_public_key( key_file.read(), backend=default_backend()) # Create cipher text (byte type) with public key and from variable message which is byte encoded ciphertext = public_key.encrypt( message.encode(), padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None)) # Write byte encoded text to file path from variable ciphertext f = open(outputPath, "wb") f.write(ciphertext) f.close()
def key_from_encoding(data, password=None): try: cert = load_pem_x509_certificate(data, backend=default_backend()) key = cert.public_key() return key except ValueError: pass try: key = load_pem_public_key(data, backend=default_backend()) return key except ValueError: pass try: pkey = load_pem_private_key(data, password=password, backend=default_backend()) key = pkey.public_key() return key except ValueError: pass try: key = load_ssh_public_key(data, backend=default_backend()) return key except (ValueError, UnsupportedAlgorithm): pass try: cert = load_der_x509_certificate(data, backend=default_backend()) key = cert.public_key() return key except ValueError: pass try: key = load_der_public_key(data, backend=default_backend()) return key except ValueError: pass try: pkey = load_der_private_key(data, password=password, backend=default_backend()) key = pkey.public_key() return key except ValueError: pass raise ValueError("Unsupported key format")
def prepare_key(self, key): if isinstance(key, (RSAPrivateKey, RSAPublicKey)): return key if not isinstance(key, (bytes, str)): raise TypeError("Expecting a PEM-formatted key.") key = force_bytes(key) try: if key.startswith(b"ssh-rsa"): key = load_ssh_public_key(key) else: key = load_pem_private_key(key, password=None) except ValueError: key = load_pem_public_key(key) return key
def encrypt_ssh(prefix, blob, user_key): # See: https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/ user_key_value = user_key.value if not user_key_value.startswith(prefix): user_key_value = prefix + " " + user_key_value if not isinstance(user_key_value, six.binary_type): user_key_value = user_key_value.encode("utf8") pub_key = serialization.load_ssh_public_key(user_key_value, openssl_backend) if not isinstance(blob, six.binary_type): blob = blob.encode("utf8") raw = pub_key.encrypt( blob, padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None)) return base64.b64encode(raw)
def test_create_keypair(self): resp = self.app.post('/compute/v2.0/os-keypairs', params=json.dumps(create_keypair_req(keypair1)), status=200) jresp = json.loads(resp.body) fingerprint = jresp['keypair']['fingerprint'] public_key = str(jresp['keypair']['public_key']) private_key = str(jresp['keypair']['private_key']) self.assertEqual(jresp, create_keypair_resp(keypair1, fingerprint=fingerprint, public_key=public_key, private_key=private_key)) # Encrypt a test message using the returned public key message = b'!!! test message' encrypted = crypto_serialization.load_ssh_public_key( public_key, backend=crypto_default_backend() ).encrypt( message, crypto_padding.OAEP( mgf=crypto_padding.MGF1(algorithm=crypto_hashes.SHA1()), algorithm=crypto_hashes.SHA1(), label=None ) ) # Decrypt the (encrypted) test message using the returned private key decrypted = crypto_serialization.load_pem_private_key( private_key, password=None, backend=crypto_default_backend() ).decrypt( encrypted, crypto_padding.OAEP( mgf=crypto_padding.MGF1(algorithm=crypto_hashes.SHA1()), algorithm=crypto_hashes.SHA1(), label=None ) ) # Verify the decrypted message self.assertEqual(decrypted, message)
def __init__(self, data: _STR_TYPE): """ Creates a new ``PublicKey`` representing the given public bytes. Changing the produced object will NOT change the underlying bytes. The new object must first be exported. :param data: The public key byte-data. :raises ValueError: If the given key data bytes cannot be loaded, and thus may not represent a valid private key. """ if isinstance(data, str): data = data.encode() if not isinstance(data, bytes): raise TypeError("Value of 'data' must be bytes") args = (data, default_backend()) # (1) Try loading public key as DER try: super().__init__(key=serialization.load_der_public_key(*args)) self.encoding = EncodingType.DER return except ValueError: pass # (2) Try loading public key as PEM try: super().__init__(key=serialization.load_pem_public_key(*args)) self.encoding = EncodingType.PEM return except ValueError: pass # (3) Try loading public key as OpenSSH try: super().__init__(key=serialization.load_ssh_public_key(*args)) self.encoding = EncodingType.OpenSSH return except (ValueError, serialization.UnsupportedAlgorithm): pass raise ValueError("Could not find a suitable encoding for 'data' " "bytes, the data may not be a valid public key")
def test_load_ssh_public_key_ecdsa_nist_p384(self, backend): _skip_curve_unsupported(backend, ec.SECP384R1()) ssh_key = ( b"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAz" b"ODQAAABhBMzucOm9wbwg4iMr5QL0ya0XNQGXpw4wM5f12E3tWhdcrzyGHyel71t1" b"4bvF9JZ2/WIuSxUr33XDl8jYo+lMQ5N7Vanc7f7i3AR1YydatL3wQfZStQ1I3rBa" b"qQtRSEU8Tg== root@cloud-server-01") key = load_ssh_public_key(ssh_key, backend) expected_x = int( "31541830871345183397582554827482786756220448716666815789487537666" "592636882822352575507883817901562613492450642523901", 10) expected_y = int( "15111413269431823234030344298767984698884955023183354737123929430" "995703524272335782455051101616329050844273733614670", 10) assert key.public_numbers() == ec.EllipticCurvePublicNumbers( expected_x, expected_y, ec.SECP384R1())
def get_signing_pubkey(client, secret_url): """ Gets a PEM file from the vault, and returns one of RSAPublicKey, DSAPublicKey, or EllipticCurvePublicKey depending on the contents of the secret. """ try: raw_pubkey = client.get_secret(secret_url).value return load_ssh_public_key(str(raw_pubkey), default_backend()) except KeyVaultErrorException as err: raise RuntimeError( "could not get signing key public numbers from vault: {}".format( err)) except ValueError as err: raise RuntimeError( "could not load public key from vault: {}".format(err)) except cryptography_exceptions.UnsupportedAlgorithm as err: raise RuntimeError( "key in vault is not a supported type: {}".format(err))
def prepare_key(self, key): if isinstance(key, (Ed25519PrivateKey, Ed25519PublicKey)): return key if isinstance(key, (bytes, str)): if isinstance(key, str): key = key.encode("utf-8") str_key = key.decode("utf-8") if "-----BEGIN PUBLIC" in str_key: return load_pem_public_key(key) if "-----BEGIN PRIVATE" in str_key: return load_pem_private_key(key, password=None) if str_key[0:4] == "ssh-": return load_ssh_public_key(key) raise TypeError("Expecting a PEM-formatted or OpenSSH key.")
def test_encode_decode_rsa_related_algorithms(self, jws, payload, algo): # PEM-formatted RSA key with open(key_path("testkey_rsa.priv"), "rb") as rsa_priv_file: priv_rsakey = load_pem_private_key(rsa_priv_file.read(), password=None) jws_message = jws.encode(payload, priv_rsakey, algorithm=algo) with open(key_path("testkey_rsa.pub"), "rb") as rsa_pub_file: pub_rsakey = load_ssh_public_key(rsa_pub_file.read()) jws.decode(jws_message, pub_rsakey, algorithms=[algo]) # string-formatted key with open(key_path("testkey_rsa.priv")) as rsa_priv_file: priv_rsakey = rsa_priv_file.read() jws_message = jws.encode(payload, priv_rsakey, algorithm=algo) with open(key_path("testkey_rsa.pub")) as rsa_pub_file: pub_rsakey = rsa_pub_file.read() jws.decode(jws_message, pub_rsakey, algorithms=[algo])
def test_load_ssh_public_key_ecdsa_nist_p256(self, backend): _skip_curve_unsupported(backend, ec.SECP256R1()) ssh_key = ( b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy" b"NTYAAABBBGG2MfkHXp0UkxUyllDzWNBAImsvt5t7pFtTXegZK2WbGxml8zMrgWi5" b"teIg1TO03/FD9hbpBFgBeix3NrCFPls= root@cloud-server-01") key = load_ssh_public_key(ssh_key, backend) assert isinstance(key, ec.EllipticCurvePublicKey) expected_x = int( "44196257377740326295529888716212621920056478823906609851236662550" "785814128027", 10) expected_y = int( "12257763433170736656417248739355923610241609728032203358057767672" "925775019611", 10) assert key.public_numbers() == ec.EllipticCurvePublicNumbers( expected_x, expected_y, ec.SECP256R1())
def prepare_key(self, key): if isinstance(key, RSAPrivateKey) or \ isinstance(key, RSAPublicKey): return key if isinstance(key, string_types): key = force_bytes(key) try: if key.startswith(b'ssh-rsa'): key = load_ssh_public_key(key, backend=default_backend()) else: key = load_pem_private_key(key, password=None, backend=default_backend()) except ValueError: key = load_pem_public_key(key, backend=default_backend()) else: raise TypeError('Expecting a PEM-formatted key.') return key
def _fromString_PUBLIC_OPENSSH(cls, data): """ Return a public key object corresponding to this OpenSSH public key string. The format of an OpenSSH public key string is:: <key type> <base64-encoded public key blob> @type data: L{bytes} @param data: The key data. @return: A new key. @rtype: L{twisted.conch.ssh.keys.Key} @raises BadKeyError: if the blob type is unknown. """ # ECDSA keys don't need base64 decoding which is required # for RSA or DSA key. if data.startswith(b'ecdsa-sha2'): return cls(load_ssh_public_key(data, default_backend())) blob = decodebytes(data.split()[1]) return cls._fromString_BLOB(blob)
def process_ssh_line(self, data, name, idx): """ Processes single SSH key :param data: :param name: :param idx: :return: """ data = data.strip() if 'ssh-rsa' not in data: return # strip ssh params / adjustments try: data = data[data.find('ssh-rsa'):] except: pass from cryptography.hazmat.primitives.serialization import load_ssh_public_key from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey try: key_obj = load_ssh_public_key(data, self.get_backend()) self.num_ssh += 1 if not isinstance(key_obj, RSAPublicKey): return self.num_rsa += 1 numbers = key_obj.public_numbers() if self.has_fingerprint(numbers.n): logger.warning('Fingerprint found in the SSH key %s idx %s ' % (name, idx)) js = collections.OrderedDict() js['type'] = 'ssh-rsa' js['fname'] = name js['idx'] = idx js['mod'] = numbers.n js['ssh'] = data print(json.dumps(js)) except Exception as e: logger.debug('Exception in processing SSH public key %s idx %s : %s' % (name, idx, e)) self.trace_logger.log(e)
def encrypt_file(self, file_name, client_pub_key): if not os.path.isfile(file_name): return #calculate the MAX_SIZE in GB file_size = os.path.getsize(file_name) * 0.000000001 if file_size > Config.MAX_SIZE_LIMIT: return public_key = serialization.load_ssh_public_key( bytes(client_pub_key, 'utf-8'), backend=default_backend() ) #write the AES encryption key into a seperate file keyb64 = base64.b64encode(self.key) ivb64 = base64.b64encode(self.iv) t = bytes(keyb64.decode(self.encoding) + ";" + ivb64.decode(self.encoding), self.encoding) cipher = public_key.encrypt( t, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA1(), label=None ) ) cipher = base64.b64encode(cipher) with open(file_name, 'rb') as fo: plaintext = fo.read() enc = self.encrypt(plaintext, self.key) with open(file_name + ".supergirl", 'wb') as fo: fo.write(enc) with open(file_name + ".kryptonian", 'wb') as info: info.write(cipher) os.remove(file_name)
def encrypt_handshake(session_key): # TODO: Implement this function # Open public key file with open("id_rsa.pem", "rb") as file: # Loading public key public_key = serialization.load_ssh_public_key( file.read(), backend=default_backend() ) # Encrypting session key and initialization vector to send to server encrypted = public_key.encrypt( s_key + b"\x20" + iv, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA256()), algorithm=hashes.SHA256(), label=None ) ) return encrypted pass
def __init__(self, setup): self.backend = cryptography.hazmat.backends.default_backend() self.oaep = padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None ) if setup.keydata.startswith(b'ssh-rsa'): self.private_key = None self.public_key = load_ssh_public_key(setup.keydata, self.backend) else: try: self.private_key = load_pem_private_key(setup.keydata, password=setup.default_passphrase, backend=self.backend) except TypeError: if setup.default_passphrase: # No need to interactively prompt - we failed raise passphrase = user_password('Enter passphrase for [%s]: ' % setup.keyfile) self.private_key = load_pem_private_key(setup.keydata, password=passphrase, backend=self.backend) self.public_key = self.private_key.public_key()
def MyRSAEncrypt(filepath, rsa_pub_path): ciphertext, tag, iv, key, file_extension = MyfileEncrypt(filepath) # Written in collaboration with @ChrisMeyer7088 with open(rsa_pub_path, 'rb') as pub_file: pub = serialization.load_ssh_public_key( pub_file.read(), backend=default_backend() ) pub_file.close() key_encby_rsa = pub.encrypt( key, padding.OAEP( mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None ) ) return (ciphertext, tag, iv, key_encby_rsa, file_extension)
def test_encode_decode_with_rsa_sha512(self, jws, payload): # PEM-formatted RSA key with open('tests/keys/testkey_rsa', 'r') as rsa_priv_file: priv_rsakey = load_pem_private_key(ensure_bytes(rsa_priv_file.read()), password=None, backend=default_backend()) jws_message = jws.encode(payload, priv_rsakey, algorithm='RS512') with open('tests/keys/testkey_rsa.pub', 'r') as rsa_pub_file: pub_rsakey = load_ssh_public_key(ensure_bytes(rsa_pub_file.read()), backend=default_backend()) jws.decode(jws_message, pub_rsakey) # string-formatted key with open('tests/keys/testkey_rsa', 'r') as rsa_priv_file: priv_rsakey = rsa_priv_file.read() jws_message = jws.encode(payload, priv_rsakey, algorithm='RS512') with open('tests/keys/testkey_rsa.pub', 'r') as rsa_pub_file: pub_rsakey = rsa_pub_file.read() jws.decode(jws_message, pub_rsakey)
def prepare_key(self, key): if isinstance(key, (Ed25519PrivateKey, Ed25519PublicKey)): return key if isinstance(key, string_types): if isinstance(key, text_type): key = key.encode("utf-8") str_key = key.decode('utf-8') if '-----BEGIN PUBLIC' in str_key: return load_pem_public_key(key, backend=default_backend()) if '-----BEGIN PRIVATE' in str_key: return load_pem_private_key(key, password=None, backend=default_backend()) if str_key[0:4] == 'ssh-': return load_ssh_public_key(key, backend=default_backend()) raise TypeError("Expecting a PEM-formatted or OpenSSH key.")
def _from_string(self, key, passphrase=None): key_bytes = key.encode('utf-8') if key.startswith('ssh-rsa'): self._public = serialization.load_ssh_public_key( key_bytes, backend=default_backend(), ) elif 'PUBLIC' in key: # Is there a better test? pro detection for sure self._public = serialization.load_pem_public_key( key_bytes, backend=default_backend(), ) else: if passphrase: passphrase = passphrase.encode('utf-8') self._private = serialization.load_pem_private_key( key_bytes, password=passphrase, backend=default_backend(), )
def prepare_RS_key(key): if isinstance(key, interfaces.RSAPrivateKey) or \ isinstance(key, interfaces.RSAPublicKey): return key if isinstance(key, basestring): if isinstance(key, unicode): key = key.encode('utf-8') try: if key.startswith(b'ssh-rsa'): key = load_ssh_public_key(key, backend=default_backend()) else: key = load_pem_private_key(key, password=None, backend=default_backend()) except ValueError: key = load_pem_public_key(key, backend=default_backend()) else: raise TypeError('Expecting a PEM-formatted key.') return key
def _check_privatekey(): if self.privatekey_content is None and not os.path.exists( self.privatekey_path): return False try: with open(self.path, 'rb') as public_key_fh: publickey_content = public_key_fh.read() self.diff_before = self.diff_after = self._get_info( publickey_content) if self.return_content: self.publickey_bytes = publickey_content if self.backend == 'cryptography': if self.format == 'OpenSSH': # Read and dump public key. Makes sure that the comment is stripped off. current_publickey = crypto_serialization.load_ssh_public_key( publickey_content, backend=default_backend()) publickey_content = current_publickey.public_bytes( crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH) else: current_publickey = crypto_serialization.load_pem_public_key( publickey_content, backend=default_backend()) publickey_content = current_publickey.public_bytes( crypto_serialization.Encoding.PEM, crypto_serialization.PublicFormat. SubjectPublicKeyInfo) else: publickey_content = crypto.dump_publickey( crypto.FILETYPE_PEM, crypto.load_publickey(crypto.FILETYPE_PEM, publickey_content)) except Exception as dummy: return False try: desired_publickey = self._create_publickey(module) except OpenSSLBadPassphraseError as exc: raise PublicKeyError(exc) return publickey_content == desired_publickey
def prepare_key(self, key): if isinstance(key, RSAPrivateKey) or isinstance(key, RSAPublicKey): return key if is_string_type(key): if not isinstance(key, binary_type): key = key.encode("utf-8") try: if key.startswith(b"ssh-rsa"): key = load_ssh_public_key(key, backend=default_backend()) else: key = load_pem_private_key( key, password=None, backend=default_backend() ) except ValueError: key = load_pem_public_key(key, backend=default_backend()) else: raise TypeError("Expecting a PEM-formatted key.") return key
def test_encode_decode_with_rsa_sha512(self, jws, payload): # PEM-formatted RSA key with open("tests/keys/testkey_rsa.priv", "r") as rsa_priv_file: priv_rsakey = load_pem_private_key( force_bytes(rsa_priv_file.read()), password=None, ) jws_message = jws.encode(payload, priv_rsakey, algorithm="RS512") with open("tests/keys/testkey_rsa.pub", "r") as rsa_pub_file: pub_rsakey = load_ssh_public_key(force_bytes(rsa_pub_file.read())) jws.decode(jws_message, pub_rsakey, algorithms=["RS512"]) # string-formatted key with open("tests/keys/testkey_rsa.priv", "r") as rsa_priv_file: priv_rsakey = rsa_priv_file.read() jws_message = jws.encode(payload, priv_rsakey, algorithm="RS512") with open("tests/keys/testkey_rsa.pub", "r") as rsa_pub_file: pub_rsakey = rsa_pub_file.read() jws.decode(jws_message, pub_rsakey, algorithms=["RS512"])
def test_load_ssh_public_key_ecdsa_nist_p384(self, backend): _skip_curve_unsupported(backend, ec.SECP384R1()) ssh_key = ( b"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAz" b"ODQAAABhBMzucOm9wbwg4iMr5QL0ya0XNQGXpw4wM5f12E3tWhdcrzyGHyel71t1" b"4bvF9JZ2/WIuSxUr33XDl8jYo+lMQ5N7Vanc7f7i3AR1YydatL3wQfZStQ1I3rBa" b"qQtRSEU8Tg== root@cloud-server-01" ) key = load_ssh_public_key(ssh_key, backend) expected_x = int( "31541830871345183397582554827482786756220448716666815789487537666" "592636882822352575507883817901562613492450642523901", 10 ) expected_y = int( "15111413269431823234030344298767984698884955023183354737123929430" "995703524272335782455051101616329050844273733614670", 10 ) assert key.public_numbers() == ec.EllipticCurvePublicNumbers( expected_x, expected_y, ec.SECP384R1() )