mirror of
https://github.com/thegeeklab/ansible-later.git
synced 2024-11-09 23:00:40 +00:00
150 lines
5.4 KiB
Python
150 lines
5.4 KiB
Python
|
# This file is dual licensed under the terms of the Apache License, Version
|
||
|
|
# 2.0, and the BSD License. See the LICENSE file in the root of this repository
|
||
|
|
# for complete details.
|
||
|
|
|
||
|
|
from __future__ import absolute_import, division, print_function
|
||
|
|
|
||
|
|
import warnings
|
||
|
|
|
||
|
|
from cryptography import utils
|
||
|
|
from cryptography.hazmat.backends.openssl.utils import _evp_pkey_derive
|
||
|
|
from cryptography.hazmat.primitives import serialization
|
||
|
|
from cryptography.hazmat.primitives.asymmetric.x25519 import (
|
||
|
|
X25519PrivateKey, X25519PublicKey
|
||
|
|
)
|
||
|
|
|
||
|
|
|
||
|
|
_X25519_KEY_SIZE = 32
|
||
|
|
|
||
|
|
|
||
|
|
@utils.register_interface(X25519PublicKey)
|
||
|
|
class _X25519PublicKey(object):
|
||
|
|
def __init__(self, backend, evp_pkey):
|
||
|
|
self._backend = backend
|
||
|
|
self._evp_pkey = evp_pkey
|
||
|
|
|
||
|
|
def public_bytes(self, encoding=None, format=None):
|
||
|
|
if encoding is None or format is None:
|
||
|
|
if encoding is not None or format is not None:
|
||
|
|
raise ValueError("Both encoding and format are required")
|
||
|
|
else:
|
||
|
|
warnings.warn(
|
||
|
|
"public_bytes now requires encoding and format arguments. "
|
||
|
|
"Support for calling without arguments will be removed in "
|
||
|
|
"cryptography 2.7",
|
||
|
|
utils.DeprecatedIn25,
|
||
|
|
)
|
||
|
|
encoding = serialization.Encoding.Raw
|
||
|
|
format = serialization.PublicFormat.Raw
|
||
|
|
if (
|
||
|
|
encoding is serialization.Encoding.Raw or
|
||
|
|
format is serialization.PublicFormat.Raw
|
||
|
|
):
|
||
|
|
if (
|
||
|
|
encoding is not serialization.Encoding.Raw or
|
||
|
|
format is not serialization.PublicFormat.Raw
|
||
|
|
):
|
||
|
|
raise ValueError(
|
||
|
|
"When using Raw both encoding and format must be Raw"
|
||
|
|
)
|
||
|
|
|
||
|
|
return self._raw_public_bytes()
|
||
|
|
|
||
|
|
if (
|
||
|
|
encoding in serialization._PEM_DER and
|
||
|
|
format is not serialization.PublicFormat.SubjectPublicKeyInfo
|
||
|
|
):
|
||
|
|
raise ValueError(
|
||
|
|
"format must be SubjectPublicKeyInfo when encoding is PEM or "
|
||
|
|
"DER"
|
||
|
|
)
|
||
|
|
|
||
|
|
return self._backend._public_key_bytes(
|
||
|
|
encoding, format, self, self._evp_pkey, None
|
||
|
|
)
|
||
|
|
|
||
|
|
def _raw_public_bytes(self):
|
||
|
|
ucharpp = self._backend._ffi.new("unsigned char **")
|
||
|
|
res = self._backend._lib.EVP_PKEY_get1_tls_encodedpoint(
|
||
|
|
self._evp_pkey, ucharpp
|
||
|
|
)
|
||
|
|
self._backend.openssl_assert(res == 32)
|
||
|
|
self._backend.openssl_assert(ucharpp[0] != self._backend._ffi.NULL)
|
||
|
|
data = self._backend._ffi.gc(
|
||
|
|
ucharpp[0], self._backend._lib.OPENSSL_free
|
||
|
|
)
|
||
|
|
return self._backend._ffi.buffer(data, res)[:]
|
||
|
|
|
||
|
|
|
||
|
|
@utils.register_interface(X25519PrivateKey)
|
||
|
|
class _X25519PrivateKey(object):
|
||
|
|
def __init__(self, backend, evp_pkey):
|
||
|
|
self._backend = backend
|
||
|
|
self._evp_pkey = evp_pkey
|
||
|
|
|
||
|
|
def public_key(self):
|
||
|
|
bio = self._backend._create_mem_bio_gc()
|
||
|
|
res = self._backend._lib.i2d_PUBKEY_bio(bio, self._evp_pkey)
|
||
|
|
self._backend.openssl_assert(res == 1)
|
||
|
|
evp_pkey = self._backend._lib.d2i_PUBKEY_bio(
|
||
|
|
bio, self._backend._ffi.NULL
|
||
|
|
)
|
||
|
|
self._backend.openssl_assert(evp_pkey != self._backend._ffi.NULL)
|
||
|
|
evp_pkey = self._backend._ffi.gc(
|
||
|
|
evp_pkey, self._backend._lib.EVP_PKEY_free
|
||
|
|
)
|
||
|
|
return _X25519PublicKey(self._backend, evp_pkey)
|
||
|
|
|
||
|
|
def exchange(self, peer_public_key):
|
||
|
|
if not isinstance(peer_public_key, X25519PublicKey):
|
||
|
|
raise TypeError("peer_public_key must be X25519PublicKey.")
|
||
|
|
|
||
|
|
return _evp_pkey_derive(
|
||
|
|
self._backend, self._evp_pkey, peer_public_key
|
||
|
|
)
|
||
|
|
|
||
|
|
def private_bytes(self, encoding, format, encryption_algorithm):
|
||
|
|
if (
|
||
|
|
encoding is serialization.Encoding.Raw or
|
||
|
|
format is serialization.PublicFormat.Raw
|
||
|
|
):
|
||
|
|
if (
|
||
|
|
format is not serialization.PrivateFormat.Raw or
|
||
|
|
encoding is not serialization.Encoding.Raw or not
|
||
|
|
isinstance(encryption_algorithm, serialization.NoEncryption)
|
||
|
|
):
|
||
|
|
raise ValueError(
|
||
|
|
"When using Raw both encoding and format must be Raw "
|
||
|
|
"and encryption_algorithm must be NoEncryption"
|
||
|
|
)
|
||
|
|
|
||
|
|
return self._raw_private_bytes()
|
||
|
|
|
||
|
|
if (
|
||
|
|
encoding in serialization._PEM_DER and
|
||
|
|
format is not serialization.PrivateFormat.PKCS8
|
||
|
|
):
|
||
|
|
raise ValueError(
|
||
|
|
"format must be PKCS8 when encoding is PEM or DER"
|
||
|
|
)
|
||
|
|
|
||
|
|
return self._backend._private_key_bytes(
|
||
|
|
encoding, format, encryption_algorithm, self._evp_pkey, None
|
||
|
|
)
|
||
|
|
|
||
|
|
def _raw_private_bytes(self):
|
||
|
|
# When we drop support for CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 we can
|
||
|
|
# switch this to EVP_PKEY_new_raw_private_key
|
||
|
|
# The trick we use here is serializing to a PKCS8 key and just
|
||
|
|
# using the last 32 bytes, which is the key itself.
|
||
|
|
bio = self._backend._create_mem_bio_gc()
|
||
|
|
res = self._backend._lib.i2d_PKCS8PrivateKey_bio(
|
||
|
|
bio, self._evp_pkey,
|
||
|
|
self._backend._ffi.NULL, self._backend._ffi.NULL,
|
||
|
|
0, self._backend._ffi.NULL, self._backend._ffi.NULL
|
||
|
|
)
|
||
|
|
self._backend.openssl_assert(res == 1)
|
||
|
|
pkcs8 = self._backend._read_mem_bio(bio)
|
||
|
|
self._backend.openssl_assert(len(pkcs8) == 48)
|
||
|
|
return pkcs8[-_X25519_KEY_SIZE:]
|