U gc@sddlmZddlZddlZddlZddlmZmZmZm Z m Z ddl m Z ddl mZmZmZmZddlmZmZmZddlmZmZddlmZd d lmZmZmZd d lmZ Gd d d e!Z"Gddde#Z$ddZ%ddZ&d6ddZ'ddZ(d7ddZ)ddZ*ddZ+ddZ,d d!Z-d"d#Z.d$d%Z/d&d'Z0d(d)Z1d*d+Z2d8d,d-Z3e4d.krddl5Z5d/Z6ed0j78Z9d1Z:e55Z;eqe?d2e55e;e:d3d4e55Z;ee6Z>qe?d5e55e;e:d3d4dS)9)print_functionN)bordtobytestostrbchr is_string)Integer) DerObjectIdDerOctetString DerSequence DerBitString)_expand_subject_public_key_info_create_subject_public_key_info _extract_subject_public_key_info)SHA512SHAKE256)get_random_bytes)EccPoint EccXPoint_curves)CurveIDc@s eZdZdS)UnsupportedEccFeatureN)__name__ __module__ __qualname__rrr?rIrJrTxr<xy)rLextrar[resultyrrr__repr__s  zEccKey.__repr__cCs |jdk S)zJ``True`` if this key can be used for making signatures or decrypting data.N)r5rLrrrrSszEccKey.has_privatec Cs~d|kr|jjksnt|jj}tjd|d}|j|}|||}|jj|j|}||||||}||fS)Nrr) min_inclusive max_exclusive) r;rKAssertionErrorr random_ranger5inverseGr[) rLzkrKZblindZblind_dZ inv_blind_krsrrr_signs z EccKey._signcCsR|jj}|d|}|jj|||}|j||d|}||j|dkS)Nrr)r;rKrfrgrTr[)rLrhrsrKZsinvZpoint1Zpoint2rrr_verifys zEccKey._verifycCs|std|jSNzThis is not a private ECC key)rSr:r5rarrrr szEccKey.dcCs|std|jSro)rSr:r6rarrrr!sz EccKey.seedcCs |jdkr|jj|j|_|jSN)r7r;rgr5rarrrrTs z EccKey.pointQcCst|jj|jdS)z^A matching ECC public key. Returns: a new :class:`EccKey` object )rr")rr;r<rTrarrr public_keyszEccKey.public_keycCsl|jjstd|j}|rH|jjr0d}nd}||jj|}n d|jj||jj|}|S)Nz/SEC1 format is only supported for NIST P curves) r;Zis_weierstrassr:rT size_in_bytesr_is_oddr[to_bytes)rLcompress modulus_bytes first_byterqrrr _export_SEC1s      zEccKey._export_SEC1cCs|jj\}}|jjtjkrFt|jddd}|d@d>|dB|d<n:|jjtjkrxt|jddd}|d@d>|d<nt d t |S) Nr%r*r+rr'r-r2zNot an EdDSA key to export) rTr\r;r>r?r@rErwrGr:bytes)rLr[r_r^rrr_export_eddsa_public s zEccKey._export_eddsa_publiccCs<|jjstd|jj}|j}t|j|dd}t|S)NzNot a Montgomery key to exportr*r+) r; is_montgomeryr:rTr[rurErwr})rLr[Z field_sizer^rrr_export_montgomery_public,s  z EccKey._export_montgomery_publiccCsb|jjr|jj}|}d}n8|jjr<|jj}|}d}nd}||}t|jj}t|||S)N1.2.840.10045.2.1) r;rXoidr~rrr{r r)rLrxrrqparamsrrr_export_subjectPublicKeyInfo4s  z#EccKey._export_subjectPublicKeyInfoTcCsx|s t|j}d|jj||jj|}dt|j|t |j j ddt |ddg}|sl|d=t |S)Nrtrrexplicitr$)rSrdrTrur[rwr_r r r r;rr r encode)rLinclude_ec_paramsryrqseqrrr_export_rfc5915_private_derFs    z"EccKey._export_rfc5915_private_dercKsddlm}|dddk r,d|kr,td|jdk rR|jj}t|j}d}nd}|j dd}t |jj}|j ||fd |i|}|S) NrPKCS8 passphrase protectionz3At least the 'protection' parameter must be presentrF)rZ key_params) Cryptodome.IOrgetr:r6r;rr rrr wrap)rLrMrr private_keyrr^rrr _export_pkcs8as$    zEccKey._export_pkcs8cCs"ddlm}||}||dS)NrPEMz PUBLIC KEY)rrrr)rLrxr encoded_derrrr_export_public_pemvs  zEccKey._export_public_pemcKs&ddlm}|}|j|d|f|S)NrrzEC PRIVATE KEY)rrrrrLrrMrrrrr_export_private_pem|s zEccKey._export_private_pemcCs ddlm}|}||dS)Nrrz PRIVATE KEY)rrrr)rLrrrrr(_export_private_clear_pkcs8_in_clear_pems z/EccKey._export_private_clear_pkcs8_in_clear_pemcKsDddlm}|std|kr$td|jfd|i|}||dS)Nrrrz5At least the 'protection' parameter should be presentrzENCRYPTED PRIVATE KEY)rrrdr:rrrrrr,_export_private_encrypted_pkcs8_in_clear_pems  z3EccKey._export_private_encrypted_pkcs8_in_clear_pemc Cs|rtd|jj}|dkr0td|jn|dkrR|}t|t|f}nv|j}|rd|jj }t ||jj |}n d|jj ||jj |}|dd}t|t||f}ddd |D}|d tt|S) Nz"Cannot export OpenSSH private keysz Cannot export %s keys as OpenSSH ssh-ed25519r$rt-cSs g|]}tdt||qS)>I)structpackrA).0r[rrr sz*EccKey._export_openssh.. )rSr:r;opensshrr~rrTrur_rvrr[rwsplitjoinrrY b2a_base64) rLrxdescrqcompsryrzmiddleZblobrrr_export_opensshs.    zEccKey._export_opensshcKs|}|d}|dkr&td||dd}|r,|dd}t|rdt|}|sdtd|d d }|dkr|jjrtd |jjrtd d |krtd|dkr|r|r|j |f|S| Sn|j |f|SnJ|dkr|r|std|r|j fd|i|S| Sn td|n|r>td||dkrR||S|dkrf||S|dkrz||S|dkr|jjr|S|jjr|S||Sn ||SdS)aExport this ECC key. Args: format (string): The output format: - ``'DER'``. The key will be encoded in ASN.1 DER format (binary). For a public key, the ASN.1 ``subjectPublicKeyInfo`` structure defined in `RFC5480`_ will be used. For a private key, the ASN.1 ``ECPrivateKey`` structure defined in `RFC5915`_ is used instead (possibly within a PKCS#8 envelope, see the ``use_pkcs8`` flag below). - ``'PEM'``. The key will be encoded in a PEM_ envelope (ASCII). - ``'OpenSSH'``. The key will be encoded in the OpenSSH_ format (ASCII, public keys only). - ``'SEC1'``. The public key (i.e., the EC point) will be encoded into ``bytes`` according to Section 2.3.3 of `SEC1`_ (which is a subset of the older X9.62 ITU standard). Only for NIST P-curves. - ``'raw'``. The public key will be encoded as ``bytes``, without any metadata. * For NIST P-curves: equivalent to ``'SEC1'``. * For Ed25519 and Ed448: ``bytes`` in the format defined in `RFC8032`_. * For Curve25519 and Curve448: ``bytes`` in the format defined in `RFC7748`_. passphrase (bytes or string): (*Private keys only*) The passphrase to protect the private key. use_pkcs8 (boolean): (*Private keys only*) If ``True`` (default and recommended), the `PKCS#8`_ representation will be used. It must be ``True`` for Ed25519, Ed448, Curve25519, and Curve448. If ``False`` and a passphrase is present, the obsolete PEM encryption will be used. protection (string): When a private key is exported with password-protection and PKCS#8 (both ``DER`` and ``PEM`` formats), this parameter MUST be present, For all possible protection schemes, refer to :ref:`the encryption parameters of PKCS#8`. It is recommended to use ``'PBKDF2WithHMAC-SHA512AndAES128-CBC'``. compress (boolean): If ``True``, the method returns a more compact representation of the public key, with the X-coordinate only. If ``False`` (default), the method returns the full public key. This parameter is ignored for Ed25519/Ed448/Curve25519/Curve448, as compression is mandatory. prot_params (dict): When a private key is exported with password-protection and PKCS#8 (both ``DER`` and ``PEM`` formats), this dictionary contains the parameters to use to derive the encryption key from the passphrase. For all possible values, refer to :ref:`the encryption parameters of PKCS#8`. The recommendation is to use ``{'iteration_count':21000}`` for PBKDF2, and ``{'iteration_count':131072}`` for scrypt. .. warning:: If you don't provide a passphrase, the private key will be exported in the clear! .. note:: When exporting a private key with password-protection and `PKCS#8`_ (both ``DER`` and ``PEM`` formats), any extra parameters to ``export_key()`` will be passed to :mod:`Cryptodome.IO.PKCS8`. .. _PEM: http://www.ietf.org/rfc/rfc1421.txt .. _`PEM encryption`: http://www.ietf.org/rfc/rfc1423.txt .. _OpenSSH: http://www.openssh.com/txt/rfc5656.txt .. _RFC5480: https://tools.ietf.org/html/rfc5480 .. _SEC1: https://www.secg.org/sec1-v2.pdf .. _RFC7748: https://tools.ietf.org/html/rfc7748 Returns: A multi-line string (for ``'PEM'`` and ``'OpenSSH'``) or ``bytes`` (for ``'DER'``, ``'SEC1'``, and ``'raw'``) with the encoded key. format)rDERZOpenSSHSEC1rawzUnknown format '%s'rxFrNzEmpty passphrase use_pkcs8Tz%'pkcs8' must be True for EdDSA curvesz#'pkcs8' must be True for Curve25519rz)'protection' is only supported for PKCS#8rrz8Private keys can only be encrpyted with DER using PKCS#8z2Private keys cannot be exported in the '%s' formatzUnexpected parameters: '%s'rr)copyr4r:rSrrr;rXrrrrrrrrr{r~rr)rLrMargsZ ext_formatrxrrrrr export_keysbZ                    zEccKey.export_keyN)T)rrr__doc__rQrVr`rSrlrnpropertyr r!rTrqr{r~rrrrrrrrrrrrrrr;s4b        rcKs |d}t|}|dt}|r2tdt|t|jtjkrX|d}t||d}nt|jtj kr~|d}t||d}nt|jtj kr|d}t||d}t| |j nTt|jtj kr|d}t||d}t| |j ntjd|j|d }t||d }|S) a5Generate a new private key on the given curve. Args: curve (string): Mandatory. It must be a curve name defined in the `ECC table`_. randfunc (callable): Optional. The RNG to read randomness from. If ``None``, :func:`Cryptodome.Random.get_random_bytes` is used. rrandfuncr#r%rr!r-r2r)rbrcr)rr )r4rrr8r9r>r?r@rrGrIvalidaterTrJrrerK)rMrNrrr!new_keyr rrrgenerateFs2     rcKs|d}t|}|dd}|dd}d|kr8td|jtjkrr|dk rZt|||d<tf|}||j n|jtj kr|dk rt|||d<tf|}||j n^d||fkrt ||||d<tf|}| r d|kr |j |j}|j||fkr td|S)aBuild a new ECC key (private or public) starting from some base components. In most cases, you will already have an existing key which you can read in with :func:`import_key` instead of this function. Args: curve (string): Mandatory. The name of the elliptic curve, as defined in the `ECC table`_. d (integer): Mandatory for a private key and a NIST P-curve (e.g., P-256). It must be an integer in the range ``[1..order-1]``. seed (bytes): Mandatory for a private key and curves Ed25519 (32 bytes), Curve25519 (32 bytes), Curve448 (56 bytes) and Ed448 (57 bytes). point_x (integer): The X coordinate (affine) of the ECC point. Mandatory for a public key. point_y (integer): The Y coordinate (affine) of the ECC point. Mandatory for a public key, except for Curve25519 and Curve448. Returns: :class:`EccKey` : a new ECC key object rpoint_xNpoint_yr"zUnknown keyword: pointz(Private and public ECC keys do not match)rr4r8r>r?rIrrrrTrJrrSrgr r\r:)rMrNrrrrZpub_keyrrr constructps0!         rc Cs\tD]&\}}|r"|j|kr"qN||krqNq|rBtd|n td||j}t|d}|dkrt|dd|krtdt |d|d}t ||dd}n|d krFt|d|krtdt |dd}|d |d |j  |j}|dkr&| r&|j|}|d krN|rN|j|}ntd t|||d S) aConvert an encoded EC point into an EccKey object ec_point: byte string with the EC point (SEC1-encoded) curve_oid: string with the name the curve curve_name: string with the OID of the curve Either curve_id or curve_name must be specified Unsupported ECC curve (OID: %s)zUnsupported ECC curve (%s)rrr$zIncorrect EC point lengthNr$rzIncorrect EC point encodingrrr)ritemsrrprurrAr:rrFbsqrtrvZis_evenr) ec_point curve_oidrNZ _curve_namerryZ point_typer[r_rrr_import_public_ders4      rcGst|\}}}d}dtfdtfd}dtfdtfd}||kr|sNtd|zt|j}Wntk r|td YnXt ||d S||kr||\} } |rtd || |\} } t | | | d S||kr||\} } |rtd || |} t | | d St d|dS)z4Convert a subjectPublicKeyInfo into an EccKey objectrz 1.3.132.1.12z 1.3.132.1.13Ed25519Ed448z 1.3.101.112z 1.3.101.113 Curve25519Curve448z 1.3.101.110z 1.3.101.111z%Missing ECC parameters for ECC OID %szError decoding namedCurverz(Unexpected ECC parameters for ECC OID %s)rrr)rrzUnsupported ECC OID: %sN) r _import_ed25519_public_key_import_ed448_public_key_import_curve25519_public_key_import_curve448_public_keyr:r decodevaluerrr)encodedrMrrr nist_p_oids eddsa_oidsxdh_oidsrrNimport_eddsa_public_keyr[r_Zimport_xdh_public_keyrrr_import_subjectPublicKeyInfos:          rcCsztj|dd}|ddkr$tdt|dj}d}|t|krz>tdd||j}|dk rv||krvtd|}|d7}Wntk rYnX|dkrtd t D]\}}|j |krqqt d ||j } t|| krtd d} } |t|kr`z>tdd||j} t| |d } | jj} | jj} |d7}Wntk r^YnXt|}t||| | d S)Nr$rr)Z nr_elementsrrz!Incorrect ECC private key versionr$rzCurve mismatchzNo curve foundrzPrivate key is too smallr)rr rr)r rr:r payloadrAr rrrrrrrur rrTr[r_rrFr)rrrZec_private_keyZ scalar_bytesZ next_element parametersrNrryrrZpublic_key_encrqr rrr_import_rfc5915_der2sF           rc Csddlm}|||\}}}d}ddd}ddd }||krXt|j} t||| S||kr|dk rptd d} t|j } t ||| d S||kr||} |dk rtd | d} t|j } t ||| d St d |dS)Nrrrrrrrrrz.EdDSA ECC private key must not have parametersrz+%s ECC private key must not have parametersz!Unsupported ECC purpose (OID: %s)) rrunwrapr rrrr:r rrr) rrrZalgo_oidrrrrrrr!rNrrr _import_pkcs8ms8  rcGst|}t|Srp)rr)rrMZsp_inforrr_import_x509_certsrc Cs@z t||WStk r2}z|W5d}~XYntttfk rJYnXz t||WStk r~}z|W5d}~XYntttfk rYnXz t||WStk r}z|W5d}~XYntttfk rYnXz t||WStk r}z|W5d}~XYntttfk r2YnXtddS)NzNot an ECC DER key)rrr:r8 IndexErrorrrr)rrerrrrr _import_ders2    rc Cs|d}t|dkrtdz:t|d}g}t|dkrtd|ddd}||dd||d|d}q4|d|dkrtd|dd rt D]H\}}|j dkrq|j d sqt |j d d }|d|krqqtd |t |d |jd}n>|ddkrHt|d\} } td| | d}ntd|dWn.tttjfk rtd|dYnX|S)N rzNot an openssh public keyrrrrzMismatch in openssh public key ecdsa-sha2- ecdsa-sha2rr$zUnsupported ECC curve: r ssh-ed25519rrzUnsupported SSH key type: zError parsing SSH key type: )rrAr:rY a2b_base64runpackappend startswithrrrrrrrrrr8Error) rpartsZ keystringZkeypartsZlkrNrrZecc_keyr[r_rrr_import_openssh_publics<       rcCsddlm}m}m}m}|||\}}ddtdfi}|dr||\} }| tkr`td| t| } | j dd } ||\} }t | d d krt d t | d | dkrt dt | dd| } t | d| d}||\}}t |}|| d}n`||krX||\}}}||\} }|| \} }||\}}|d|}||d}n t d|||\}}||tf| |d|S)Nr)import_openssh_private_generic read_bytes read_string check_paddingrrr%rzUnsupported ECC curve %sr|rrz/Only uncompressed OpenSSH EC keys are supportedr$zIncorrect public key length)r r)r!rzUnsupport SSH agent key type:)rr)Z_opensshrrrrrrrrZ modulus_bitsrr:rArrFr)datapasswordrrrrZkey_typeZ decryptedZ eddsa_keysZecdsa_curve_namerryrqrrrr rrNrZseed_lenZprivate_public_keyr!_Zpaddedrrr_import_openssh_private_eccs@               rc Cst|dkrtdtd}d}t|}|dd?}|ddM<tj|dd }||krbtd |d krnd S|d d |}|d ||d |}z:||}|||} t| |} | d @|kr|| } Wntk rtdYnX| |fS)aiImport an Ed25519 ECC public key, encoded as raw bytes as described in RFC8032_. Args: encoded (bytes): The Ed25519 public key to import. It must be 32 bytes long. Returns: x and y (integer) Raises: ValueError: when the given key cannot be parsed. .. _RFC8032: https://datatracker.ietf.org/doc/html/rfc8032 r%z9Incorrect length. Only Ed25519 public keys are supported.llx&(7Z/ ;(P8se:8 w6Rr'r|r(r*r+zInvalid Ed25519 key (y)rrrr$zInvalid Ed25519 public key)rAr:rrErFrf_tonelli_shanks rrr r_Zx_lsbruvZv_invZx2rrrrr!s.       rcCs>t|dkrtdt|}|ddM<tj|dd}|S)ahImport a Curve25519 ECC public key, encoded as raw bytes as described in RFC7748_. Args: encoded (bytes): The Curve25519 public key to import. It must be 32 bytes long. Returns: x (integer) Raises: ValueError: when the given key cannot be parsed. .. _RFC7748: https://datatracker.ietf.org/doc/html/rfc7748 r%zIncorrect Curve25519 key lengthr'r(r*r+)rAr:rErrF)rr[rrrrrNs  rcCs&t|dkrtdtj|dd}|S)adImport a Curve448 ECC public key, encoded as raw bytes as described in RFC7748_. Args: encoded (bytes): The Curve448 public key to import. It must be 56 bytes long. Returns: x (integer) Raises: ValueError: when the given key cannot be parsed. .. _RFC7748: https://datatracker.ietf.org/doc/html/rfc7748 r2zIncorrect Curve448 key lengthr*r+)rAr:rrF)rrrrrrjs rc Cst|dkrtdtdj}|d}|dd}t|dd?}tj|dd }||kr`td |d krld S|d d |}|d ||d |}z:||}|||} t| |} | d @|kr|| } Wntk rtdYnX| |fS)agImport an Ed448 ECC public key, encoded as raw bytes as described in RFC8032_. Args: encoded (bytes): The Ed448 public key to import. It must be 57 bytes long. Returns: x and y (integer) Raises: ValueError: when the given key cannot be parsed. .. _RFC8032: https://datatracker.ietf.org/doc/html/rfc8032 r-z7Incorrect length. Only Ed448 public keys are supported.Zcurve448iNr2r|r*r+zInvalid Ed448 key (y)rrr$zInvalid Ed448 public key) rAr:rrrrrFrfrrrrrrs,        rc Csddlm}t|}|dk r$t|}|drVt|}|||\}}}t||}|S|drt|}d} d} tj| d| d |tj d }|||\} }}|rd}zt | |}Wn@t k r} z| W5d} ~ XYnt k rt d YnX|S|d rt |St|dkr8t|dd kr8t ||St|dkrvt|ddkrv|dkrjt dt||dSt ddS)a Import an ECC key (public or private). Args: encoded (bytes or multi-line string): The ECC key to import. The function will try to automatically detect the right format. Supported formats for an ECC **public** key: * X.509 certificate: binary (DER) or ASCII (PEM). * X.509 ``subjectPublicKeyInfo``: binary (DER) or ASCII (PEM). * SEC1_ (or X9.62), as ``bytes``. NIST P curves only. You must also provide the ``curve_name`` (with a value from the `ECC table`_) * OpenSSH line, defined in RFC5656_ and RFC8709_ (ASCII). This is normally the content of files like ``~/.ssh/id_ecdsa.pub``. Supported formats for an ECC **private** key: * A binary ``ECPrivateKey`` structure, as defined in `RFC5915`_ (DER). NIST P curves only. * A `PKCS#8`_ structure (or the more recent Asymmetric Key Package, RFC5958_): binary (DER) or ASCII (PEM). * `OpenSSH 6.5`_ and newer versions (ASCII). Private keys can be in the clear or password-protected. For details about the PEM encoding, see `RFC1421`_/`RFC1423`_. passphrase (byte string): The passphrase to use for decrypting a private key. Encryption may be applied protected at the PEM level (not recommended) or at the PKCS#8 level (recommended). This parameter is ignored if the key in input is not encrypted. curve_name (string): For a SEC1 encoding only. This is the name of the curve, as defined in the `ECC table`_. .. note:: To import EdDSA private and public keys, when encoded as raw ``bytes``, use: * :func:`Cryptodome.Signature.eddsa.import_public_key`, or * :func:`Cryptodome.Signature.eddsa.import_private_key`. .. note:: To import X25519/X448 private and public keys, when encoded as raw ``bytes``, use: * :func:`Cryptodome.Protocol.DH.import_x25519_public_key` * :func:`Cryptodome.Protocol.DH.import_x25519_private_key` * :func:`Cryptodome.Protocol.DH.import_x448_public_key` * :func:`Cryptodome.Protocol.DH.import_x448_private_key` Returns: :class:`EccKey` : a new ECC key object Raises: ValueError: when the given key cannot be parsed (possibly because the pass phrase is wrong). .. _RFC1421: https://datatracker.ietf.org/doc/html/rfc1421 .. _RFC1423: https://datatracker.ietf.org/doc/html/rfc1423 .. _RFC5915: https://datatracker.ietf.org/doc/html/rfc5915 .. _RFC5656: https://datatracker.ietf.org/doc/html/rfc5656 .. _RFC8709: https://datatracker.ietf.org/doc/html/rfc8709 .. _RFC5958: https://datatracker.ietf.org/doc/html/rfc5958 .. _`PKCS#8`: https://datatracker.ietf.org/doc/html/rfc5208 .. _`OpenSSH 6.5`: https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf .. _SEC1: https://www.secg.org/sec1-v2.pdf rrNs-----BEGIN OPENSSH PRIVATE KEYs-----z-----BEGIN EC PARAMETERS-----z-----END EC PARAMETERS-----z.*?rW)flagsz(Invalid DER encoding inside the PEM file)rr0rzNo curve name was provided)rNzECC key format is not supported)rrrrrrrresubDOTALLrrr:rrArr) rrrNrZ text_encodedZopenssh_encodedmarkerZenc_flagr^Zecparams_startZ ecparams_endZ der_encodedZuefrrr import_keysHI          r__main__l_,)N$c hKf-5lksZ    *G 8C ;(!.7-, ~