native: Improve asymmetric key check in CryptographyHMACKey
Implement the same is_pem_format in the native backend.
Showing 4 changed files with 79 additions and 81 deletions.
@@ -1,4 +1,3 @@ | ||
import re | ||
import math | ||
import warnings | ||
|
||
|
@@ -18,83 +17,12 @@ | |
from ..constants import ALGORITHMS | ||
from ..exceptions import JWEError, JWKError | ||
from ..utils import base64_to_long, base64url_decode, base64url_encode, ensure_binary, long_to_base64 | ||
from ..utils import is_pem_format, is_ssh_key | ||
from .base import Key | ||
|
||
_binding = None | ||
|
||
|
||
# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc | ||
# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252 | ||
_PEMS = { | ||
b"CERTIFICATE", | ||
b"TRUSTED CERTIFICATE", | ||
b"PRIVATE KEY", | ||
b"PUBLIC KEY", | ||
b"ENCRYPTED PRIVATE KEY", | ||
b"OPENSSH PRIVATE KEY", | ||
b"DSA PRIVATE KEY", | ||
b"RSA PRIVATE KEY", | ||
b"RSA PUBLIC KEY", | ||
b"EC PRIVATE KEY", | ||
b"DH PARAMETERS", | ||
b"NEW CERTIFICATE REQUEST", | ||
b"CERTIFICATE REQUEST", | ||
b"SSH2 PUBLIC KEY", | ||
b"SSH2 ENCRYPTED PRIVATE KEY", | ||
b"X509 CRL", | ||
} | ||
|
||
|
||
_PEM_RE = re.compile( | ||
b"----[- ]BEGIN (" | ||
+ b"|".join(_PEMS) | ||
+ b""")[- ]----\r? | ||
.+?\r? | ||
----[- ]END \\1[- ]----\r?\n?""", | ||
re.DOTALL, | ||
) | ||
|
||
|
||
def is_pem_format(key): | ||
""" | ||
Return True if the key is PEM format | ||
This function uses the list of valid PEM headers defined in | ||
_PEMS dict. | ||
""" | ||
return bool(_PEM_RE.search(key)) | ||
|
||
|
||
# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46 | ||
_CERT_SUFFIX = b"[email protected]" | ||
_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)") | ||
_SSH_KEY_FORMATS = [ | ||
b"ssh-ed25519", | ||
b"ssh-rsa", | ||
b"ssh-dss", | ||
b"ecdsa-sha2-nistp256", | ||
b"ecdsa-sha2-nistp384", | ||
b"ecdsa-sha2-nistp521", | ||
] | ||
|
||
|
||
def is_ssh_key(key): | ||
""" | ||
Return True if the key is a SSH key | ||
This function uses the list of valid SSH key format defined in | ||
_SSH_KEY_FORMATS dict. | ||
""" | ||
if any(string_value in key for string_value in _SSH_KEY_FORMATS): | ||
return True | ||
|
||
ssh_pubkey_match = _SSH_PUBKEY_RC.match(key) | ||
if ssh_pubkey_match: | ||
key_type = ssh_pubkey_match.group(1) | ||
if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]: | ||
return True | ||
|
||
return False | ||
|
||
|
||
def get_random_bytes(num_bytes): | ||
""" | ||
Get random bytes | ||
|
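Review bot: Dropping `import re` from the top of this file is only safe if no remaining code in the file still uses `re`; the hunks shown cover only the removed helpers, so that cannot be verified here and is worth a grep of the file before merging. As a point of style, the two adjacent `from ..utils import` statements on the new side could be merged into a single import line.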
@@ -1,3 +1,4 @@ | ||
import re | ||
import base64 | ||
import struct | ||
|
||
|
@@ -105,3 +106,75 @@ def ensure_binary(s): | |
if isinstance(s, str): | ||
return s.encode("utf-8", "strict") | ||
raise TypeError(f"not expecting type '{type(s)}'") | ||
|
||
|
||
# Based on https://github.com/jpadilla/pyjwt/commit/9c528670c455b8d948aff95ed50e22940d1ad3fc | ||
# Based on https://github.com/hynek/pem/blob/7ad94db26b0bc21d10953f5dbad3acfdfacf57aa/src/pem/_core.py#L224-L252 | ||
_PEMS = { | ||
b"CERTIFICATE", | ||
b"TRUSTED CERTIFICATE", | ||
b"PRIVATE KEY", | ||
b"PUBLIC KEY", | ||
b"ENCRYPTED PRIVATE KEY", | ||
b"OPENSSH PRIVATE KEY", | ||
b"DSA PRIVATE KEY", | ||
b"RSA PRIVATE KEY", | ||
b"RSA PUBLIC KEY", | ||
b"EC PRIVATE KEY", | ||
b"DH PARAMETERS", | ||
b"NEW CERTIFICATE REQUEST", | ||
b"CERTIFICATE REQUEST", | ||
b"SSH2 PUBLIC KEY", | ||
b"SSH2 ENCRYPTED PRIVATE KEY", | ||
b"X509 CRL", | ||
} | ||
|
||
|
||
_PEM_RE = re.compile( | ||
b"----[- ]BEGIN (" | ||
+ b"|".join(_PEMS) | ||
+ b""")[- ]----\r? | ||
.+?\r? | ||
----[- ]END \\1[- ]----\r?\n?""", | ||
re.DOTALL, | ||
) | ||
|
||
|
||
def is_pem_format(key): | ||
""" | ||
Return True if the key is PEM format | ||
This function uses the list of valid PEM headers defined in | ||
_PEMS dict. | ||
""" | ||
return bool(_PEM_RE.search(key)) | ||
|
||
|
||
# Based on https://github.com/pyca/cryptography/blob/bcb70852d577b3f490f015378c75cba74986297b/src/cryptography/hazmat/primitives/serialization/ssh.py#L40-L46 | ||
_CERT_SUFFIX = b"[email protected]" | ||
_SSH_PUBKEY_RC = re.compile(br"\A(\S+)[ \t]+(\S+)") | ||
_SSH_KEY_FORMATS = [ | ||
b"ssh-ed25519", | ||
b"ssh-rsa", | ||
b"ssh-dss", | ||
b"ecdsa-sha2-nistp256", | ||
b"ecdsa-sha2-nistp384", | ||
b"ecdsa-sha2-nistp521", | ||
] | ||
|
||
|
||
def is_ssh_key(key): | ||
""" | ||
Return True if the key is a SSH key | ||
This function uses the list of valid SSH key format defined in | ||
_SSH_KEY_FORMATS dict. | ||
""" | ||
if any(string_value in key for string_value in _SSH_KEY_FORMATS): | ||
return True | ||
|
||
ssh_pubkey_match = _SSH_PUBKEY_RC.match(key) | ||
if ssh_pubkey_match: | ||
key_type = ssh_pubkey_match.group(1) | ||
if _CERT_SUFFIX == key_type[-len(_CERT_SUFFIX) :]: | ||
return True | ||
|
||
return False |
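Review bot: Both new helpers raise TypeError on a str secret: `_PEM_RE` is a bytes pattern, so `_PEM_RE.search(key)` fails on str input, and `string_value in key` in `is_ssh_key` tests bytes against str. Since `ensure_binary` is defined directly above in this file, adding `key = ensure_binary(key)` as the first statement of `is_pem_format` and of `is_ssh_key` makes the check work for either type while keeping the same TypeError for unsupported types; whether every caller already passes bytes is not visible in this hunk. Both docstrings describe `_PEMS` and `_SSH_KEY_FORMATS` as a dict, but they are a set and a list, and because these functions decide whether an asymmetric key is rejected as an HMAC secret, each docstring should state that detection is a denylist of only the listed PEM labels and SSH key types, so a key in another encoding (for example raw DER) is not detected. Using `b"|".join(sorted(_PEMS))` would also make the compiled pattern deterministic across runs, which set iteration order is not.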