def enc_setup(self, msg, auth_data, key=None, **kwargs):
encrypted_key = ""
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = b64d(Random.get_random_bytes(16))
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = b64d(Random.get_random_bytes(16))
# Generate an ephemeral key pair
curve = NISTEllipticCurve.by_name(key.crv)
if "epk" in kwargs:
epk = ECKey(key=kwargs["epk"], private=False)
eprivk = ECKey(kwargs["epk"], private=True)
else:
(eprivk, epk) = curve.key_pair()
# Derive the KEK and encrypt
params = {
"apu": b64e(apu),
"apv": b64e(apv),
#"epk": exportKey(epk, "EC", curve)
}
cek, iv = self._generate_key_and_iv(self.enc)
if self.alg == "ECDH-ES":
try:
dk_len = KEYLEN[self.enc]
except KeyError:
raise Exception("Unknown key length for algorithm %s" %
self.enc)
cek = ecdh_derive_key(curve, eprivk, key, apu, apv, self.enc,
dk_len)
elif self.alg in [
"ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(curve, eprivk, key, apu, apv, _post, klen)
encrypted_key = aes_wrap_key(kek, cek)
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params
def enc_setup(self, msg, auth_data, key=None, **kwargs):
encrypted_key = ""
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = b64d(Random.get_random_bytes(16))
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = b64d(Random.get_random_bytes(16))
# Generate an ephemeral key pair
curve = NISTEllipticCurve.by_name(key.crv)
if "epk" in kwargs:
epk = ECKey(key=kwargs["epk"], private=False)
eprivk = ECKey(kwargs["epk"], private=True)
else:
(eprivk, epk) = curve.key_pair()
# Derive the KEK and encrypt
params = {
"apu": b64e(apu),
"apv": b64e(apv),
#"epk": exportKey(epk, "EC", curve)
}
cek, iv = self._generate_key_and_iv(self.enc)
if self.alg == "ECDH-ES":
try:
dk_len = KEYLEN[self.enc]
except KeyError:
raise Exception(
"Unknown key length for algorithm %s" % self.enc)
cek = ecdh_derive_key(curve, eprivk, key, apu, apv, self.enc,
dk_len)
elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(curve, eprivk, key, apu, apv, _post, klen)
encrypted_key = aes_wrap_key(kek, cek)
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params
def dec_setup(self, token, key=None, **kwargs):
self.headers = token.headers
self.iv = token.initialization_vector()
self.ctxt = token.ciphertext()
self.tag = token.authentication_tag()
# Handle EPK / Curve
if "epk" not in self.headers or "crv" not in self.headers["epk"]:
raise Exception(
"Ephemeral Public Key Missing in ECDH-ES Computation")
epubkey = ECKey(**self.headers["epk"])
apu = apv = ""
if "apu" in self.headers:
apu = b64d(self.headers["apu"].encode())
if "apv" in self.headers:
apv = b64d(self.headers["apv"].encode())
if self.headers["alg"] == "ECDH-ES":
try:
dk_len = KEYLEN[self.headers["enc"]]
except KeyError:
raise Exception("Unknown key length for algorithm")
self.cek = ecdh_derive_key(epubkey.curve, key.d,
(epubkey.x, epubkey.y), apu, apv,
str(self.headers["enc"]).encode(),
dk_len)
elif self.headers["alg"] in [
"ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
]:
_pre, _post = self.headers['alg'].split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(epubkey.curve, key.d, (epubkey.x, epubkey.y),
apu, apv,
str(_post).encode(), klen)
self.cek = aes_unwrap_key(kek, token.encrypted_key())
else:
raise Exception("Unsupported algorithm %s" % self.headers["alg"])
return self.cek
def dec_setup(self, token, key=None, **kwargs):
self.headers = token.headers
self.iv = token.initialization_vector()
self.ctxt = token.ciphertext()
self.tag = token.authentication_tag()
# Handle EPK / Curve
if "epk" not in self.headers or "crv" not in self.headers["epk"]:
raise Exception(
"Ephemeral Public Key Missing in ECDH-ES Computation")
epubkey = ECKey(**self.headers["epk"])
apu = apv = ""
if "apu" in self.headers:
apu = b64d(self.headers["apu"].encode())
if "apv" in self.headers:
apv = b64d(self.headers["apv"].encode())
if self.headers["alg"] == "ECDH-ES":
try:
dk_len = KEYLEN[self.headers["enc"]]
except KeyError:
raise Exception("Unknown key length for algorithm")
self.cek = ecdh_derive_key(epubkey.curve, key.d,
(epubkey.x, epubkey.y), apu, apv,
str(self.headers["enc"]).encode(),
dk_len)
elif self.headers["alg"] in ["ECDH-ES+A128KW", "ECDH-ES+A192KW",
"ECDH-ES+A256KW"]:
_pre, _post = self.headers['alg'].split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(epubkey.curve, key.d, (epubkey.x, epubkey.y),
apu, apv, str(_post).encode(), klen)
self.cek = aes_unwrap_key(kek, token.encrypted_key())
else:
raise Exception("Unsupported algorithm %s" % self.headers["alg"])
return self.cek
def enc_setup(self, msg, auth_data, key=None, **kwargs):
encrypted_key = ""
self.msg = msg
self.auth_data = auth_data
# Generate the input parameters
try:
apu = b64d(kwargs["apu"])
except KeyError:
apu = Random.get_random_bytes(16)
try:
apv = b64d(kwargs["apv"])
except KeyError:
apv = Random.get_random_bytes(16)
# Handle Local Key and Ephemeral Public Key
if not key:
raise Exception("EC Key Required for ECDH-ES JWE Encrpytion Setup")
# Generate an ephemeral key pair if none is given
curve = NISTEllipticCurve.by_name(key.crv)
if "epk" in kwargs:
epk = kwargs["epk"] if isinstance(kwargs["epk"], ECKey) else ECKey(kwargs["epk"])
else:
raise Exception(
"Ephemeral Public Key (EPK) Required for ECDH-ES JWE "
"Encryption Setup")
params = {
"apu": b64e(apu),
"apv": b64e(apv),
"epk": epk.serialize(False)
}
cek = iv = None
if 'cek' in kwargs and kwargs['cek']:
cek = kwargs['cek']
if 'iv' in kwargs and kwargs['iv']:
iv = kwargs['iv']
cek, iv = self._generate_key_and_iv(self.enc, cek=cek, iv=iv)
if self.alg == "ECDH-ES":
try:
dk_len = KEYLEN[self.enc]
except KeyError:
raise Exception(
"Unknown key length for algorithm %s" % self.enc)
cek = ecdh_derive_key(curve, epk.d, (key.x, key.y), apu, apv,
str(self.enc).encode(), dk_len)
elif self.alg in ["ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"]:
_pre, _post = self.alg.split("+")
klen = int(_post[1:4])
kek = ecdh_derive_key(curve, epk.d, (key.x, key.y), apu, apv,
str(_post).encode(), klen)
encrypted_key = aes_wrap_key(kek, cek)
else:
raise Exception("Unsupported algorithm %s" % self.alg)
return cek, encrypted_key, iv, params, epk
