def deserialize(self):
"""
Starting with information gathered from the on-the-wire representation
of an elliptic curve key initiate an Elliptic Curve.
"""
if not (self.x and self.y and self.crv):
DeSerializationNotPossible()
try:
if not isinstance(self.x, six.integer_types):
self.x = deser(self.x)
if not isinstance(self.y, six.integer_types):
self.y = deser(self.y)
except TypeError:
raise DeSerializationNotPossible()
except ValueError as err:
raise DeSerializationNotPossible("%s" % err)
self.curve = NISTEllipticCurve.by_name(self.crv)
if self.d:
try:
if isinstance(self.d, six.string_types):
self.d = deser(self.d)
except ValueError as err:
raise DeSerializationNotPossible(str(err))
def ec_init(spec):
"""
:param spec: Key specifics of the form
{"type": "EC", "crv": "P-256", "use": ["sig"]},
:return: A KeyBundle instance
"""
_key = NISTEllipticCurve.by_name(spec["crv"])
kb = KeyBundle(keytype="EC", keyusage=spec["use"])
for use in spec["use"]:
priv, pub = _key.key_pair()
ec = ECKey(x=pub[0], y=pub[1], d=priv, crv=spec["crv"])
ec.serialize()
ec.use = use
kb.append(ec)
return kb
def ec_init(spec):
"""
:param spec: Key specifics of the form
{"type": "EC", "crv": "P-256", "use": ["sig"]},
:return: A KeyBundle instance
"""
_key = NISTEllipticCurve.by_name(spec["crv"])
kb = KeyBundle(keytype="EC", keyusage=spec["use"])
for use in spec["use"]:
priv, pub = _key.key_pair()
ec = ECKey(x=pub[0], y=pub[1], d=priv, crv=spec["crv"])
ec.serialize()
ec.use = use
kb.append(ec)
return kb
def enc_setup(self, msg, auth_data, key=None, **kwargs):
encrypted_key = ""
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = b64d(Random.get_random_bytes(16))
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = b64d(Random.get_random_bytes(16))
# Generate an ephemeral key pair
curve = NISTEllipticCurve.by_name(key.crv)
if "epk" in kwargs:
eprivk = ECKey(kwargs["epk"])
else:
(eprivk, epk) = curve.key_pair()
params = {
"apu": b64e(apu),
"apv": b64e(apv),
}
cek, iv = self._generate_key_and_iv(self.enc)
if self.alg == "ECDH-ES":
try:
dk_len = KEYLEN[self.enc]
except KeyError:
raise Exception("Unknown key length for algorithm %s" %
self.enc)
cek = ecdh_derive_key(curve, eprivk, key, apu, apv, self.enc,
dk_len)
elif self.alg in [
"ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(curve, eprivk, key, apu, apv, _post, klen)
encrypted_key = aes_wrap_key(kek, cek)
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params
def enc_setup(self, msg, auth_data, key=None, **kwargs):
encrypted_key = ""
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = b64d(Random.get_random_bytes(16))
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = b64d(Random.get_random_bytes(16))
# Generate an ephemeral key pair
curve = NISTEllipticCurve.by_name(key.crv)
if "epk" in kwargs:
eprivk = ECKey(kwargs["epk"])
else:
(eprivk, epk) = curve.key_pair()
params = {
"apu": b64e(apu),
"apv": b64e(apv),
}
cek, iv = self._generate_key_and_iv(self.enc)
if self.alg == "ECDH-ES":
try:
dk_len = KEYLEN[self.enc]
except KeyError:
raise Exception(
"Unknown key length for algorithm %s" % self.enc)
cek = ecdh_derive_key(curve, eprivk, key, apu, apv, self.enc,
dk_len)
elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(curve, eprivk, key, apu, apv, _post, klen)
encrypted_key = aes_wrap_key(kek, cek)
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params
def deserialize(self):
"""
Starting with information gathered from the on-the-wire representation
of an elliptic curve key initiate an Elliptic Curve.
"""
try:
if not isinstance(self.x, six.integer_types):
self.x = deser(self.x)
if not isinstance(self.y, six.integer_types):
self.y = deser(self.y)
except TypeError:
raise DeSerializationNotPossible()
except ValueError as err:
raise DeSerializationNotPossible("%s" % err)
self.curve = NISTEllipticCurve.by_name(self.crv)
if self.d:
try:
if isinstance(self.d, str):
self.d = deser(self.d)
except ValueError as err:
raise DeSerializationNotPossible(str(err))
def enc_setup(self, msg, auth_data, key=None, **kwargs):
encrypted_key = ""
self.msg = msg
self.auth_data = auth_data
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = Random.get_random_bytes(16)
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = Random.get_random_bytes(16)
# Handle Local Key and Ephemeral Public Key
if not key:
raise Exception("EC Key Required for ECDH-ES JWE Encrpytion Setup")
# Generate an ephemeral key pair if none is given
curve = NISTEllipticCurve.by_name(key.crv)
if "epk" in kwargs:
epk = kwargs["epk"] if isinstance(kwargs["epk"], ECKey) else ECKey(kwargs["epk"])
else:
raise Exception(
"Ephemeral Public Key (EPK) Required for ECDH-ES JWE "
"Encryption Setup")
params = {
"apu": b64e(apu),
"apv": b64e(apv),
"epk": epk.serialize(False)
}
cek = iv = None
if 'cek' in kwargs and kwargs['cek']:
cek = kwargs['cek']
if 'iv' in kwargs and kwargs['iv']:
iv = kwargs['iv']
cek, iv = self._generate_key_and_iv(self.enc, cek=cek, iv=iv)
if self.alg == "ECDH-ES":
try:
dk_len = KEYLEN[self.enc]
except KeyError:
raise Exception(
"Unknown key length for algorithm %s" % self.enc)
cek = ecdh_derive_key(curve, epk.d, (key.x, key.y), apu, apv,
str(self.enc).encode(), dk_len)
elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(curve, epk.d, (key.x, key.y), apu, apv,
str(_post).encode(), klen)
encrypted_key = aes_wrap_key(kek, cek)
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params, epk
msg = _jwe1.decrypt(jwt, [_key])
assert msg == plain
def test_rsa_with_kid():
encryption_keys = [RSAKey(use="enc", key=rsa, kid="some-key-id")]
jwe = JWE("some content", alg="RSA-OAEP", enc="A256CBC-HS512")
jwe.encrypt(keys=encryption_keys, kid="some-key-id")
if __name__ == "__main__":
test_rsa_with_kid()
# Test ECDH-ES
curve = NISTEllipticCurve.by_name('P-256')
remotepriv, remotepub = curve.key_pair()
localpriv, localpub = curve.key_pair()
localkey = ECKey(crv=curve.name(), d=localpriv, x=localpub[0], y=localpub[1])
remotekey = ECKey(crv=curve.name(),
d=remotepriv,
x=remotepub[0],
y=remotepub[1])
def test_ecdh_encrypt_decrypt_direct_key():
jwenc = JWE_EC(plain, alg="ECDH-ES", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain,
'',
key=remotekey,
assert msg == plain
def test_rsa_with_kid():
encryption_keys = [RSAKey(use="enc", key=rsa,
kid="some-key-id")]
jwe = JWE("some content", alg="RSA-OAEP", enc="A256CBC-HS512")
jwe.encrypt(keys=encryption_keys, kid="some-key-id")
if __name__ == "__main__":
test_rsa_with_kid()
# Test ECDH-ES
curve = NISTEllipticCurve.by_name('P-256')
remotepriv, remotepub = curve.key_pair()
localpriv, localpub = curve.key_pair()
localkey = ECKey(crv=curve.name(), d=localpriv, x=localpub[0], y=localpub[1])
remotekey = ECKey(crv=curve.name(), d=remotepriv, x=remotepub[0], y=remotepub[1])
def test_ecdh_encrypt_decrypt_direct_key():
jwenc = JWE_EC(plain, alg="ECDH-ES", enc="A128GCM")
cek, encrypted_key, iv, params, ret_epk = jwenc.enc_setup(plain, '',
key=remotekey,
epk=localkey)
kwargs = {}
kwargs['params'] = params
