def encode(self,
key: SymmetricKey,
alg: Optional[CoseAlgorithms] = None,
mac_params: Optional[List[RcptParams]] = None,
tagged: bool = True,
mac: bool = True) -> bytes:
""" Encodes and protects the COSE_Mac message. """
# encode/encrypt the base fields
if mac:
message = [self.encode_phdr(), self.encode_uhdr(), self.payload, self.compute_tag(alg=alg, key=key)]
else:
message = [self.encode_phdr(), self.encode_uhdr(), self.payload]
if mac_params is None:
mac_params = []
if len(self.recipients) == len(mac_params):
if len(mac_params) > 0:
message.append(CoseRecipient.recursive_encode(self.recipients, mac_params))
else:
raise ValueError("List with cryptographic parameters should have the same length as the recipient list.")
if tagged:
message = cbor2.dumps(cbor2.CBORTag(self.cbor_tag, message))
else:
message = cbor2.dumps(message)
return message
def from_cose_obj(cls, cose_obj: list) -> 'EncMessage':
msg = super().from_cose_obj(cose_obj)
try:
msg.recipients = [
CoseRecipient.from_recipient_obj(r) for r in cose_obj.pop(0)
]
except (IndexError, ValueError):
msg.recipients = []
return msg
def test_cose_mac_creation(self):
for name_test, (p, u, x, pld, r_p, r_u, key, solution) in self.test_cose_mac_creation_params.items():
mac_msg = MacMessage()
with self.subTest(name=name_test):
mac_msg.protected_header = p
mac_msg.unprotected_header = u
mac_msg.external_aad = x
mac_msg.payload = pld
rcp = CoseRecipient()
rcp.protected_header = r_p
rcp.unprotected_header = r_u
mac_msg.recipients = rcp
mac_msg.key = key
try:
alg = mac_msg.find_in_headers('alg')
except KeyError:
alg = mac_msg.find_in_recipients('alg')
mac_msg.compute_auth_tag(alg)
self.assertEqual(mac_msg.encode(), solution)
def from_cose_obj(cls, cose_obj) -> 'MacMessage':
msg = super().from_cose_obj(cose_obj)
msg.auth_tag = cose_obj.pop(0)
try:
msg.recipients = [CoseRecipient.from_recipient_obj(r) for r in cose_obj.pop(0)]
except (IndexError, ValueError):
msg.recipients = None
return msg
def test_mac_direct_encoding(setup_mac_tests: tuple) -> None:
_, test_input, test_output, test_intermediate, fail = setup_mac_tests
mac = MacMessage(phdr=test_input['mac'].get('protected', {}),
uhdr=test_input['mac'].get('unprotected', {}),
payload=test_input.get('plaintext', '').encode('utf-8'),
external_aad=unhexlify(test_input['mac'].get(
"external", b'')))
assert mac._mac_structure == unhexlify(test_intermediate["ToMac_hex"])
alg = extract_alg(test_input["mac"])
# set up the CEK and KEK
cek = create_cose_key(SymmetricKey,
test_input['mac']['recipients'][0]['key'],
alg=alg,
usage=KeyOps.MAC_CREATE)
kek = create_cose_key(SymmetricKey,
test_input['mac']['recipients'][0]['key'],
alg=CoseAlgorithms.DIRECT.id,
usage=KeyOps.WRAP)
assert cek.k == unhexlify(test_intermediate["CEK_hex"])
recipient = test_input["mac"]["recipients"][0]
recipient = CoseRecipient(phdr=recipient.get('protected', {}),
uhdr=recipient.get('unprotected', {}),
payload=cek.k)
mac.recipients.append(recipient)
# verify encoding (with automatic tag computation)
if fail:
assert mac.encode(cek, mac_params=[RcptParams(key=kek)
]) != unhexlify(test_output)
else:
assert mac.encode(cek, mac_params=[RcptParams(key=kek)
]) == unhexlify(test_output)
def test_encrypt_x25519_wrap_decode(
setup_encrypt_x25519_direct_tests: tuple) -> None:
_, test_input, test_output, test_intermediate, fail = setup_encrypt_x25519_direct_tests
# DECODING
# parse message and test for headers
md: EncMessage = CoseMessage.decode(unhexlify(test_output))
assert md.phdr == extract_phdr(test_input, 'enveloped')
assert md.uhdr == extract_uhdr(test_input, 'enveloped', 1)
# check for external data and verify internal _enc_structure
md.external_aad = unhexlify(test_input['enveloped'].get('external', b''))
assert md._enc_structure == unhexlify(test_intermediate['AAD_hex'])
recipient = test_input['enveloped']['recipients'][0]
assert md.recipients[0].phdr == recipient.get('protected', {})
# do not verify unprotected header since it contains the ephemeral public key of the sender
# assert m.recipients[0].uhdr == rcpt.get('unprotected', {})
rcvr_skey, sender_key = setup_okp_receiver_keys(
recipient, md.recipients[0].uhdr.get(CoseHeaderKeys.EPHEMERAL_KEY))
# create context KDF
u = PartyInfo(nonce=unhexlify(test_input['rng_stream'][0])
) if "sender_key" in recipient else PartyInfo()
s = SuppPubInfo(
len(test_intermediate['CEK_hex']) * 4, md.recipients[0].encode_phdr())
kdf_ctx = CoseKDFContext(md.phdr[CoseHeaderKeys.ALG], u, PartyInfo(), s)
assert kdf_ctx.encode() == unhexlify(
test_intermediate['recipients'][0]['Context_hex'])
secret, kek_bytes = CoseRecipient.derive_kek(rcvr_skey,
sender_key,
context=kdf_ctx,
expose_secret=True)
assert secret == unhexlify(
test_intermediate['recipients'][0]['Secret_hex'])
assert kek_bytes == unhexlify(test_intermediate['CEK_hex'])
alg = extract_alg(test_input['enveloped'])
cek = SymmetricKey(k=kek_bytes)
nonce = extract_nonce(test_input, 1)
assert md.decrypt(nonce=nonce, alg=alg,
key=cek) == test_input['plaintext'].encode('utf-8')
def test_encrypt_encoding(setup_encrypt_tests: tuple) -> None:
title, test_input, test_output, test_intermediate, fail = setup_encrypt_tests
alg = extract_alg(test_input["enveloped"])
nonce = extract_nonce(
test_input,
0) if extract_nonce(test_input, 0) != b'' else extract_unsent_nonce(
test_input, "enveloped")
m = EncMessage(phdr=extract_phdr(test_input, 'enveloped'),
uhdr=extract_uhdr(test_input, 'enveloped'),
payload=test_input['plaintext'].encode('utf-8'),
external_aad=unhexlify(test_input['enveloped'].get(
'external', b'')))
# check for external data and verify internal _enc_structure
assert m._enc_structure == unhexlify(test_intermediate['AAD_hex'])
# set up the CEK and KEK
cek = create_cose_key(SymmetricKey,
test_input['enveloped']['recipients'][0]['key'],
alg=alg,
usage=KeyOps.ENCRYPT)
kek = create_cose_key(SymmetricKey,
test_input['enveloped']['recipients'][0]['key'],
alg=CoseAlgorithms.DIRECT.id,
usage=KeyOps.WRAP)
# create the recipients
r_info = test_input['enveloped']['recipients'][0]
recipient = CoseRecipient(phdr=r_info.get('protected', {}),
uhdr=r_info.get('unprotected', {}),
payload=cek.k)
m.recipients.append(recipient)
# verify encoding (with automatic encryption)
if fail:
assert m.encode(key=cek, nonce=nonce, enc_params=[RcptParams(
key=kek)]) != unhexlify(test_output)
else:
# test encoding/protection
assert m.encode(key=cek, nonce=nonce,
enc_params=[RcptParams(key=kek)
]) == unhexlify(test_output)
def test_encrypt_ecdh_wrap_decode(setup_encrypt_ecdh_wrap_tests: tuple):
_, test_input, test_output, test_intermediate, fail = setup_encrypt_ecdh_wrap_tests
# DECODING
# parse message and test for headers
md: EncMessage = CoseMessage.decode(unhexlify(test_output))
assert md.phdr == extract_phdr(test_input, 'enveloped')
assert md.uhdr == extract_uhdr(test_input, 'enveloped', 1)
# check for external data and verify internal _enc_structure
md.external_aad = unhexlify(test_input['enveloped'].get('external', b''))
assert md._enc_structure == unhexlify(test_intermediate['AAD_hex'])
recipient = test_input['enveloped']['recipients'][0]
assert md.recipients[0].phdr == recipient.get('protected', {})
# do not verify unprotected header since it contains the ephemeral public key of the sender
# assert m.recipients[0].uhdr == rcpt.get('unprotected', {})
rcvr_skey, sender_key = setup_ec_receiver_keys(
recipient, md.recipients[0].uhdr.get(CoseHeaderKeys.EPHEMERAL_KEY))
# create context KDF
s = SuppPubInfo(
len(test_intermediate['recipients'][0]['KEK_hex']) * 4,
md.recipients[0].encode_phdr())
if md.recipients[0].phdr[CoseHeaderKeys.ALG] in {
CoseAlgorithms.ECDH_ES_A192KW.id, CoseAlgorithms.ECDH_SS_A192KW.id
}:
kdf_ctx = CoseKDFContext(CoseAlgorithms.A192KW.id, PartyInfo(),
PartyInfo(), s)
elif md.recipients[0].phdr[CoseHeaderKeys.ALG] in {
CoseAlgorithms.ECDH_ES_A128KW.id, CoseAlgorithms.ECDH_SS_A128KW.id
}:
kdf_ctx = CoseKDFContext(CoseAlgorithms.A128KW.id, PartyInfo(),
PartyInfo(), s)
elif md.recipients[0].phdr[CoseHeaderKeys.ALG] in {
CoseAlgorithms.ECDH_ES_A256KW.id, CoseAlgorithms.ECDH_SS_A256KW.id
}:
kdf_ctx = CoseKDFContext(CoseAlgorithms.A256KW.id, PartyInfo(),
PartyInfo(), s)
else:
raise ValueError("Missed an algorithm?")
assert kdf_ctx.encode() == unhexlify(
test_intermediate['recipients'][0]['Context_hex'])
secret, kek = CoseRecipient.derive_kek(rcvr_skey,
sender_key,
context=kdf_ctx,
expose_secret=True)
assert secret == unhexlify(
test_intermediate['recipients'][0]['Secret_hex'])
assert kek == unhexlify(test_intermediate['recipients'][0]['KEK_hex'])
r1 = md.recipients[0]
cek = r1.decrypt(key=SymmetricKey(k=kek, alg=r1.phdr[CoseHeaderKeys.ALG]))
assert cek == unhexlify(test_intermediate['CEK_hex'])
cek = SymmetricKey(k=cek, alg=extract_alg(test_input["enveloped"]))
pld = md.decrypt(key=cek, nonce=extract_nonce(test_input, 1))
assert pld == test_input['plaintext'].encode('utf-8')
def test_encrypt_ecdh_direct_decode_encode(
setup_encrypt_ecdh_direct_tests: tuple) -> None:
_, test_input, test_output, test_intermediate, fail = setup_encrypt_ecdh_direct_tests
# DECODING
# parse message and test for headers
md: EncMessage = CoseMessage.decode(unhexlify(test_output))
assert md.phdr == extract_phdr(test_input, 'enveloped')
assert md.uhdr == extract_uhdr(test_input, 'enveloped', 1)
# check for external data and verify internal _enc_structure
md.external_aad = unhexlify(test_input['enveloped'].get('external', b''))
assert md._enc_structure == unhexlify(test_intermediate['AAD_hex'])
# verify the receiver and set up the keying material
recipient = test_input['enveloped']['recipients'][0]
assert md.recipients[0].phdr == recipient.get('protected', {})
# do not verify unprotected header since it contains the ephemeral public key of the sender
# assert m.recipients[0].uhdr == rcpt.get('unprotected', {})
rcvr_skey, sender_key = setup_ec_receiver_keys(
recipient, md.recipients[0].uhdr.get(CoseHeaderKeys.EPHEMERAL_KEY))
# create context KDF
v = PartyInfo()
u = PartyInfo(nonce=unhexlify(test_input['rng_stream'][0])
) if "sender_key" in recipient else PartyInfo()
s = SuppPubInfo(
len(test_intermediate['CEK_hex']) * 4, md.recipients[0].encode_phdr())
kdf_ctx = CoseKDFContext(md.phdr[CoseHeaderKeys.ALG], u, v, s)
assert kdf_ctx.encode() == unhexlify(
test_intermediate['recipients'][0]['Context_hex'])
secret, kek_bytes = CoseRecipient.derive_kek(rcvr_skey,
sender_key,
context=kdf_ctx,
expose_secret=True)
assert secret == unhexlify(
test_intermediate['recipients'][0]['Secret_hex'])
assert kek_bytes == unhexlify(test_intermediate['CEK_hex'])
alg = extract_alg(test_input['enveloped'])
cek = SymmetricKey(k=kek_bytes)
nonce = extract_nonce(test_input, 1)
assert md.decrypt(nonce=nonce, alg=alg,
key=cek) == test_input['plaintext'].encode('utf-8')
# ENCODING
me = EncMessage(phdr=test_input['enveloped'].get("protected", {}),
uhdr=test_input['enveloped'].get("unprotected", {}),
payload=test_input['plaintext'].encode('utf-8'))
if 'rng_stream' in test_input:
me.uhdr_update(
{CoseHeaderKeys.IV: unhexlify(test_input['rng_stream'][1])})
# Set up recipients and keys
recipient = test_input['enveloped']['recipients'][0]
if 'sender_key' in recipient:
r1 = CoseRecipient(phdr=recipient.get('protected', {}))
r1.uhdr_update(
{CoseHeaderKeys.STATIC_KEY: sender_key.encode('crv', 'x', 'y')})
r1.uhdr_update(recipient.get('unprotected', {}))
r1.uhdr_update({
CoseHeaderKeys.PARTY_U_NONCE:
unhexlify(test_input['rng_stream'][0])
})
else:
r1 = CoseRecipient(phdr=recipient.get('protected', {}))
r1.uhdr_update(
{CoseHeaderKeys.EPHEMERAL_KEY: sender_key.encode('crv', 'x', 'y')})
r1.uhdr_update(recipient.get('unprotected', {}))
# append the first and only recipient
me.recipients.append(r1)
# set up cek
cek = SymmetricKey(k=kek_bytes, alg=alg)
kek = SymmetricKey(k=kek_bytes, alg=CoseAlgorithms.DIRECT.id)
# without sorting probably does not match because the order of the recipient elements is not the same
assert sorted(
me.encode(key=cek, nonce=nonce,
enc_params=[RcptParams(key=kek)
])) == sorted(unhexlify(test_output))