def client_handshake_begin(ecdsa_priv, ecdh_priv, server_pub, curve=identity.DEFAULT_KEYTYPE, kdf=DEFAULT_KDF): """ Start the handshake :param ecdsa_priv: long term signing privkey :param ecdh_priv: temporary session ecc privkey :param server_pub: server long term pub key :param curve: EC Curve name :param kdf: Key derivation mechanism :return: secret aes key, handshake message to send """ session_pub_str = ecdh_priv.get_verifying_key().to_pem() # sign our session key signature = identity.sign_string(ecdsa_priv, session_pub_str + kdf + curve.openssl_name) message = { "pub": ecdsa_priv.get_verifying_key().to_pem(), "session": session_pub_str, "signature": signature, "keytype": curve.openssl_name, "kdf": kdf, } shared = identity.ecdh(ecdh_priv, server_pub) secret = derive_key(kdf, shared) return secret, message
def client_handshake_finish(client_priv, secret, challenge): """ Sign the challenge from the server's handshake response :param client_priv: :param secret: :param challenge: :return: """ pubkeyhash = identity.pubkeyhash(client_priv.get_verifying_key()) plaintext = aes_decrypt_str(secret, challenge["iv"], challenge["challenge"]) signature = identity.sign_string(client_priv, plaintext) return {"signature": signature, "fingerprint": pubkeyhash }
def test_generate_sign(tmpdir): """ Test key generation :param tmpdir: :return: """ datafolder = tmpdir.strpath identity.first_run(datafolder) keyfile = identity.get_priv_keyfilename(datafolder) assert os.path.isfile(keyfile) key = identity.load(keyfile) signature = identity.sign_string(key, "hello") pub = identity.loadpub(identity.get_pub_keyfilename(datafolder)) assert identity.verify_string(pub, signature, "hello")
def send_data(signer, sessionkey, data): """ Encrypt some data and sign it :param signer: signing key :param sessionkey: encryption key :param data: message (expected string) :return: dict containing fingerprint, signature, iv and ciphertext """ ctext, iv = aes_encrypt_str(sessionkey, str(data)) signature = identity.sign_string(signer, ctext) pubkeyhash = hashlib.sha512(signer.get_verifying_key().to_der()).hexdigest() return { "fingerprint": pubkeyhash, "signature": signature, "iv": iv, "ciphertext": ctext }