Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
def __init__(self, credential_id, app_id):
assert isinstance(credential_id, six.binary_type)
assert isinstance(app_id, six.binary_type)
# Note: do not use in production, no garantees is provided this is
# cryptographically safe to use.
priv_key_params = ConcatKDFHash(
algorithm=hashes.SHA256(),
length=32,
otherinfo=credential_id + app_id,
backend=default_backend(),
).derive(self._priv_key_bytes)
self.app_id = app_id
self.priv_key = ec.derive_private_key(
bytes2int(priv_key_params), ec.SECP256R1(), default_backend()
)
self.pub_key = self.priv_key.public_key()
self.public_key_bytes = self.pub_key.public_bytes(
serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint
)
self.credential_id = self.key_handle = credential_id
def verify(self, message, signature):
if self[-1] != 1:
raise ValueError("Unsupported elliptic curve")
ec.EllipticCurvePublicNumbers(
bytes2int(self[-2]), bytes2int(self[-3]), ec.SECP256R1()
).public_key(default_backend()).verify(
signature, message, ec.ECDSA(self._HASH_ALG)
)
def public_key(self):
if self.sign_alg == TpmAlgAsym.RSA:
exponent = self.parameters.exponent
modulus = bytes2int(self.unique)
return rsa.RSAPublicNumbers(exponent, modulus).public_key(default_backend())
elif self.sign_alg == TpmAlgAsym.ECC:
return ec.EllipticCurvePublicNumbers(
bytes2int(self.unique.x),
bytes2int(self.unique.y),
self.parameters.to_curve(),
).public_key(default_backend())
raise NotImplementedError(
"public_key not implemented for {0!r}".format(self.sign_alg)
)
sk = ec.generate_private_key(ec.SECP256R1(), be)
pn = sk.public_key().public_numbers()
key_agreement = {
1: 2,
3: -25, # Per the spec, "although this is NOT the algorithm actually used"
-1: 1,
-2: int2bytes(pn.x, 32),
-3: int2bytes(pn.y, 32),
}
resp = self.ctap.client_pin(
PinProtocolV1.VERSION, PinProtocolV1.CMD.GET_KEY_AGREEMENT
)
pk = resp[PinProtocolV1.RESULT.KEY_AGREEMENT]
x = bytes2int(pk[-2])
y = bytes2int(pk[-3])
pk = ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key(be)
shared_secret = sha256(sk.exchange(ec.ECDH(), pk)) # x-coordinate, 32b
return key_agreement, shared_secret
def __init__(self, _):
super(RegistrationData, self).__init__()
if six.indexbytes(self, 0) != 0x05:
raise ValueError("Reserved byte != 0x05")
self.public_key = self[1:66]
kh_len = six.indexbytes(self, 66)
self.key_handle = self[67 : 67 + kh_len]
cert_offs = 67 + kh_len
cert_len = six.indexbytes(self, cert_offs + 1)
if cert_len > 0x80:
n_bytes = cert_len - 0x80
cert_len = (
bytes2int(self[cert_offs + 2 : cert_offs + 2 + n_bytes]) + n_bytes
)
cert_len += 2
self.certificate = self[cert_offs : cert_offs + cert_len]
self.signature = self[cert_offs + cert_len :]
def verify(self, message, signature):
rsa.RSAPublicNumbers(bytes2int(self[-2]), bytes2int(self[-1])).public_key(
default_backend()
).verify(signature, message, padding.PKCS1v15(), self._HASH_ALG)
def public_key(self):
if self.sign_alg == TpmAlgAsym.RSA:
exponent = self.parameters.exponent
modulus = bytes2int(self.unique)
return rsa.RSAPublicNumbers(exponent, modulus).public_key(default_backend())
elif self.sign_alg == TpmAlgAsym.ECC:
return ec.EllipticCurvePublicNumbers(
bytes2int(self.unique.x),
bytes2int(self.unique.y),
self.parameters.to_curve(),
).public_key(default_backend())
raise NotImplementedError(
"public_key not implemented for {0!r}".format(self.sign_alg)
)