Python cryptography.hazmat.backends.default_backend() Examples
The following are 30
code examples of cryptography.hazmat.backends.default_backend().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
cryptography.hazmat.backends
, or try the search function
.
.
Example #1
| Source File: test_ipa.py From custodia with GNU General Public License v3.0 | 8 votes |
|
def setup_method(self, method):
super(TestCustodiaIPACertRequests, self).setup_method(method)
cert = x509.load_pem_x509_certificate(CERT_PEM, default_backend())
cert_der = cert.public_bytes(serialization.Encoding.DER)
cert_stripped = base64.b64encode(cert_der)
ca = x509.load_pem_x509_certificate(CA_PEM, default_backend())
ca_der = ca.public_bytes(serialization.Encoding.DER)
self.m_api.Command.cert_request.return_value = {
u'result': {
u'subject': 'dummy subject',
u'request_id': 1,
u'serial_number': 1,
u'certificate': cert_stripped,
u'certificate_chain': (
cert_der,
ca_der,
)
}
}
Example #2
| Source File: 0262e50e90e0_add_ssh_keypair_into_keypair.py From backend.ai-manager with GNU Lesser General Public License v3.0 | 8 votes |
|
def generate_ssh_keypair():
key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048
)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.TraditionalOpenSSL,
crypto_serialization.NoEncryption()
).decode("utf-8")
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH
).decode("utf-8")
return (public_key, private_key)
Example #3
| Source File: utils.py From wechatpy with MIT License | 7 votes |
|
def rsa_encrypt(data, pem, b64_encode=True):
"""
rsa 加密
:param data: 待加密字符串/binary
:param pem: RSA public key 内容/binary
:param b64_encode: 是否对输出进行 base64 encode
:return: 如果 b64_encode=True 的话,返回加密并 base64 处理后的 string;否则返回加密后的 binary
"""
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
encoded_data = to_binary(data)
pem = to_binary(pem)
public_key = serialization.load_pem_public_key(pem, backend=default_backend())
encrypted_data = public_key.encrypt(
encoded_data, padding=padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None,),
)
if b64_encode:
encrypted_data = base64.b64encode(encrypted_data).decode("utf-8")
return encrypted_data
Example #4
| Source File: keypair.py From backend.ai-manager with GNU Lesser General Public License v3.0 | 7 votes |
|
def generate_ssh_keypair() -> Tuple[str, str]:
'''
Generate RSA keypair for SSH/SFTP connection.
'''
key = rsa.generate_private_key(
backend=crypto_default_backend(),
public_exponent=65537,
key_size=2048
)
private_key = key.private_bytes(
crypto_serialization.Encoding.PEM,
crypto_serialization.PrivateFormat.TraditionalOpenSSL,
crypto_serialization.NoEncryption()
).decode("utf-8")
public_key = key.public_key().public_bytes(
crypto_serialization.Encoding.OpenSSH,
crypto_serialization.PublicFormat.OpenSSH
).decode("utf-8")
return (public_key, private_key)
Example #5
| Source File: algorithms.py From gist-alfred with MIT License | 6 votes |
|
def prepare_key(self, key):
if isinstance(key, RSAPrivateKey) or \
isinstance(key, RSAPublicKey):
return key
if isinstance(key, string_types):
key = force_bytes(key)
try:
if key.startswith(b'ssh-rsa'):
key = load_ssh_public_key(key, backend=default_backend())
else:
key = load_pem_private_key(key, password=None, backend=default_backend())
except ValueError:
key = load_pem_public_key(key, backend=default_backend())
else:
raise TypeError('Expecting a PEM-formatted key.')
return key
Example #6
| Source File: enc_basic.py From XFLTReaT with MIT License | 6 votes |
|
def decrypt(self, shared_key, ciphertext): # the nonce should be 16 bytes long random data, but because of the # small message size, we just get 4bytes and use it 4 times (extend). # This is ugly, makes the encryption more vulnerable, but if you need # something strong, please use the enhanced encryption module. nonce = ciphertext[0:4] extended_nonce = nonce*4 algorithm = algorithms.ChaCha20(shared_key, extended_nonce) cipher = Cipher(algorithm, mode=None, backend=default_backend()) decryptor = cipher.decryptor() return decryptor.update(ciphertext[4:]) # server side. # Sending the pre-generated public key from the file to the client for # verification purposes + key exchange
Example #7
| Source File: enc_basic.py From XFLTReaT with MIT License | 6 votes |
|
def encryption_step_5(self, module, message, additional_data, cm):
client_ephemeral_public = message[len(self.cmh_struct_encryption[4][0]):]
c = module.lookup_client_pub(additional_data)
try:
public_numbers = ec.EllipticCurvePublicNumbers.from_encoded_point(self.curve, "\x04"+client_ephemeral_public)
except:
common.internal_print("Erroneous key received from the client. Are you sure you are using the same settings on both sides?", -1)
return module.cmh_struct[cm][4+module.is_caller_stateless()]
client_ephemeral_public_key = public_numbers.public_key(default_backend())
server_ephemeral_private_key = c.get_encryption().get_private_key()
c.get_encryption().set_shared_key(server_ephemeral_private_key.exchange(ec.ECDH(), client_ephemeral_public_key))
module.post_encryption_server(message[len(self.cmh_struct_encryption[4][0]):], additional_data)
common.internal_print("Encryption key agreed with the client.", 1)
return module.cmh_struct[cm][3]
# checking for the key file values in the config
Example #8
| Source File: utils.py From wechatpy with MIT License | 6 votes |
|
def rsa_decrypt(encrypted_data, pem, password=None):
"""
rsa 解密
:param encrypted_data: 待解密 bytes
:param pem: RSA private key 内容/binary
:param password: RSA private key pass phrase
:return: 解密后的 binary
"""
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
encrypted_data = to_binary(encrypted_data)
pem = to_binary(pem)
private_key = serialization.load_pem_private_key(pem, password, backend=default_backend())
data = private_key.decrypt(
encrypted_data, padding=padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None,),
)
return data
Example #9
| Source File: crypt.py From pgrepup with GNU General Public License v3.0 | 6 votes |
|
def _get_key():
if this.key:
return this.key
secret = getpass.getpass()
try:
salt = config().get('Security', 'salt')
except NoOptionError:
salt = base64.urlsafe_b64encode(os.urandom(16))
config().set('Security', 'salt', salt)
kdf = PBKDF2HMAC(
algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=100000,
backend=default_backend()
)
this.key = base64.urlsafe_b64encode(kdf.derive(secret))
return this.key
Example #10
| Source File: CloudConnector.py From im with GNU General Public License v3.0 | 6 votes |
|
def keygen():
"""
Generates a keypair using the cryptography lib and returns a tuple (public, private)
"""
key = rsa.generate_private_key(public_exponent=65537, key_size=2048,
backend=default_backend())
private = key.private_bytes(encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.TraditionalOpenSSL,
encryption_algorithm=serialization.NoEncryption()
).decode()
public = key.public_key().public_bytes(encoding=serialization.Encoding.OpenSSH,
format=serialization.PublicFormat.OpenSSH
).decode()
return (public, private)
Example #11
| Source File: algorithms.py From gist-alfred with MIT License | 6 votes |
|
def prepare_key(self, key):
if isinstance(key, EllipticCurvePrivateKey) or \
isinstance(key, EllipticCurvePublicKey):
return key
if isinstance(key, string_types):
key = force_bytes(key)
# Attempt to load key. We don't know if it's
# a Signing Key or a Verifying Key, so we try
# the Verifying Key first.
try:
if key.startswith(b'ecdsa-sha2-'):
key = load_ssh_public_key(key, backend=default_backend())
else:
key = load_pem_public_key(key, backend=default_backend())
except ValueError:
key = load_pem_private_key(key, password=None, backend=default_backend())
else:
raise TypeError('Expecting a PEM-formatted key.')
return key
Example #12
| Source File: _cert_chain_analyzer.py From sslyze with GNU Affero General Public License v3.0 | 6 votes |
|
def _verify_certificate_chain(server_certificate_chain: List[str], trust_store: TrustStore) -> PathValidationResult:
server_chain_as_x509s = [X509(pem_cert) for pem_cert in server_certificate_chain]
chain_verifier = CertificateChainVerifier.from_file(trust_store.path)
verified_chain: Optional[List[Certificate]]
try:
openssl_verify_str = None
verified_chain_as_509s = chain_verifier.verify(server_chain_as_x509s)
verified_chain = [
load_pem_x509_certificate(x509_cert.as_pem().encode("ascii"), backend=default_backend())
for x509_cert in verified_chain_as_509s
]
except CertificateChainVerificationFailed as e:
verified_chain = None
openssl_verify_str = e.openssl_error_string
return PathValidationResult(
trust_store=trust_store, verified_certificate_chain=verified_chain, openssl_error_string=openssl_verify_str
)
Example #13
| Source File: test_key_pair_authentication.py From snowflake-connector-python with Apache License 2.0 | 6 votes |
|
def generate_key_pair(key_length):
private_key = rsa.generate_private_key(backend=default_backend(),
public_exponent=65537,
key_size=key_length)
private_key_der = private_key.private_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption())
public_key_pem = private_key.public_key().public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo) \
.decode("utf-8")
# strip off header
public_key_der_encoded = ''.join(public_key_pem.split('\n')[1:-2])
return private_key_der, public_key_der_encoded
Example #14
| Source File: test_key_pair_authentication.py From snowflake-connector-python with Apache License 2.0 | 6 votes |
|
def generate_key_pair(key_length):
private_key = rsa.generate_private_key(backend=default_backend(),
public_exponent=65537,
key_size=key_length)
private_key_der = private_key.private_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption())
public_key_pem = private_key.public_key().public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo) \
.decode("utf-8")
# strip off header
public_key_der_encoded = ''.join(public_key_pem.split('\n')[1:-2])
return private_key_der, public_key_der_encoded
Example #15
| Source File: keybag.py From pyaff4 with Apache License 2.0 | 6 votes |
|
def create(vek, keySizeBytes, certificatePath):
#print("VEK: " + str(binascii.hexlify(vek)))
publicKeyPem = open(certificatePath).read()
publicKey = RSA.importKey(publicKeyPem)
# Convert from PEM to DER
lines = publicKeyPem.replace(" ", '').split()
publicKeyDer = binascii.a2b_base64(''.join(lines[1:-1]))
cert = x509.load_pem_x509_certificate(SmartStr(publicKeyPem), default_backend())
subjectName = cert.subject.rfc4514_string()
serial = cert.serial_number
cipher = PKCS1_OAEP.new(key=publicKey, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
wrapped_key = cipher.encrypt(vek)
#print("WrappedKey: " + str(binascii.hexlify(wrapped_key)))
return CertEncryptedKeyBag(subjectName, serial, keySizeBytes, wrapped_key)
Example #16
| Source File: hidden_service.py From stem with GNU Lesser General Public License v3.0 | 6 votes |
|
def _layer_cipher(constant: bytes, revision_counter: int, subcredential: bytes, blinded_key: bytes, salt: bytes) -> Tuple['cryptography.hazmat.primitives.ciphers.Cipher', Callable[[bytes], bytes]]: # type: ignore
try:
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
except ImportError:
raise ImportError('Layer encryption/decryption requires the cryptography module')
kdf = hashlib.shake_256(blinded_key + subcredential + struct.pack('>Q', revision_counter) + salt + constant)
keys = kdf.digest(S_KEY_LEN + S_IV_LEN + MAC_LEN)
secret_key = keys[:S_KEY_LEN]
secret_iv = keys[S_KEY_LEN:S_KEY_LEN + S_IV_LEN]
mac_key = keys[S_KEY_LEN + S_IV_LEN:]
cipher = Cipher(algorithms.AES(secret_key), modes.CTR(secret_iv), default_backend())
mac_prefix = struct.pack('>Q', len(mac_key)) + mac_key + struct.pack('>Q', len(salt)) + salt
return cipher, lambda ciphertext: hashlib.sha3_256(mac_prefix + ciphertext).digest()
Example #17
| Source File: EncryptedPfx.py From ADFSpoof with Apache License 2.0 | 6 votes |
|
def _derive_keys(self, password=None):
label = encode(self.encryption_oid) + encode(self.mac_oid)
context = self.nonce.asOctets()
backend = default_backend()
kdf = KBKDFHMAC(
algorithm=hashes.SHA256(),
mode=Mode.CounterMode,
length=48,
rlen=4,
llen=4,
location=CounterLocation.BeforeFixed,
label=label,
context=context,
fixed=None,
backend=backend
)
key = kdf.derive(password)
if self.DEBUG:
sys.stderr.write("Derived key: {0}\n".format(key))
self.encryption_key = key[0:16]
self.mac_key = key[16:]
Example #18
| Source File: jwk.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def _get_public_key(self, arg=None):
if self._params['kty'] == 'oct':
return self._key['k']
elif self._params['kty'] == 'RSA':
return self._rsa_pub(self._key).public_key(default_backend())
elif self._params['kty'] == 'EC':
return self._ec_pub(self._key, arg).public_key(default_backend())
elif self._params['kty'] == 'OKP':
return self._okp_pub(self._key)
else:
raise NotImplementedError
Example #19
| Source File: file_svc.py From caldera with Apache License 2.0 | 5 votes |
|
def _get_encryptor(self):
generated_key = PBKDF2HMAC(algorithm=hashes.SHA256(),
length=32,
salt=bytes(self.get_config('crypt_salt'), 'utf-8'),
iterations=2 ** 20,
backend=default_backend())
return Fernet(base64.urlsafe_b64encode(generated_key.derive(bytes(self.get_config('encryption_key'), 'utf-8'))))
Example #20
| Source File: file_decryptor.py From caldera with Apache License 2.0 | 5 votes |
|
def get_encryptor(salt, key):
generated_key = PBKDF2HMAC(algorithm=hashes.SHA256(),
length=32,
salt=bytes(salt, 'utf-8'),
iterations=2 ** 20,
backend=default_backend())
return Fernet(base64.urlsafe_b64encode(generated_key.derive(bytes(key, 'utf-8'))))
Example #21
| Source File: sshkeys.py From ToonRooter with MIT License | 5 votes |
|
def generate_key_pair(password=None):
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
key_encryption_algorithm = serialization.NoEncryption()
if password:
key_encryption_algorithm = serialization.BestAvailableEncryption(password)
private_pem = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=key_encryption_algorithm
)
public_key = private_key.public_key()
public_openssh = public_key.public_bytes(
encoding=serialization.Encoding.OpenSSH,
format=serialization.PublicFormat.OpenSSH
)
return (public_openssh, private_pem)
Example #22
| Source File: tests.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def test_import_pyca_keys(self):
rsa1 = rsa.generate_private_key(65537, 1024, default_backend())
krsa1 = jwk.JWK.from_pyca(rsa1)
self.assertEqual(krsa1.key_type, 'RSA')
krsa2 = jwk.JWK.from_pyca(rsa1.public_key())
self.assertEqual(krsa1.get_op_key('verify').public_numbers().n,
krsa2.get_op_key('verify').public_numbers().n)
ec1 = ec.generate_private_key(ec.SECP256R1(), default_backend())
kec1 = jwk.JWK.from_pyca(ec1)
self.assertEqual(kec1.key_type, 'EC')
kec2 = jwk.JWK.from_pyca(ec1.public_key())
self.assertEqual(kec1.get_op_key('verify').public_numbers().x,
kec2.get_op_key('verify').public_numbers().x)
self.assertRaises(jwk.InvalidJWKValue,
jwk.JWK.from_pyca, dict())
Example #23
| Source File: jwk.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def _get_private_key(self, arg=None):
if self._params['kty'] == 'oct':
return self._key['k']
elif self._params['kty'] == 'RSA':
return self._rsa_pri(self._key).private_key(default_backend())
elif self._params['kty'] == 'EC':
return self._ec_pri(self._key, arg).private_key(default_backend())
elif self._params['kty'] == 'OKP':
return self._okp_pri(self._key)
else:
raise NotImplementedError
Example #24
| Source File: jwk.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def thumbprint(self, hashalg=hashes.SHA256()):
"""Returns the key thumbprint as specified by RFC 7638.
:param hashalg: A hash function (defaults to SHA256)
"""
t = {'kty': self._params['kty']}
for name, val in iteritems(JWKValuesRegistry[t['kty']]):
if val.required:
t[name] = self._key[name]
digest = hashes.Hash(hashalg, backend=default_backend())
digest.update(bytes(json_encode(t).encode('utf8')))
return base64url_encode(digest.finalize())
Example #25
| Source File: jwa.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def __init__(self, hashfn):
self.backend = default_backend()
self.hashfn = hashfn
Example #26
| Source File: jwa.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def __init__(self):
self.backend = default_backend()
Example #27
| Source File: jwa.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def wrap(self, key, bitsize, cek, headers):
rk = self._get_key(key, 'encrypt')
if not cek:
cek = _randombits(bitsize)
ek = aes_key_wrap(rk, cek, default_backend())
return {'cek': cek, 'ek': ek}
Example #28
| Source File: jwa.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def unwrap(self, key, bitsize, ek, headers):
rk = self._get_key(key, 'decrypt')
cek = aes_key_unwrap(rk, ek, default_backend())
if _bitsize(cek) != bitsize:
raise InvalidJWEKeyLength(bitsize, _bitsize(cek))
return cek
Example #29
| Source File: jwa.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def __init__(self, hashfn):
self.backend = default_backend()
self.hashfn = hashfn
self.blocksize = algorithms.AES.block_size
self.wrap_key_size = self.keysize * 2
Example #30
| Source File: jwa.py From jwcrypto with GNU Lesser General Public License v3.0 | 5 votes |
|
def __init__(self):
self.backend = default_backend()
self.aeskwmap = {128: _A128KW, 192: _A192KW, 256: _A256KW}
