X448 support (#4580)

* x448 support This work was originally authored by derwolfe * update docs to have a more useful derived key length * error if key is not a valid length in from_public_bytes * one more * switch to using evp_pkey_keygen_gc for x448 keygen * review feedback * switch to using evp_pkey_derive * nit fix
author: Paul Kehrer <paul.l.kehrer@gmail.com> 2018-11-23 10:44:37 +0800
committer: Alex Gaynor <alex.gaynor@gmail.com> 2018-11-22 20:44:37 -0600
commit: 6f88e01af8f5d6db7082d155f3faf88dfb48e864 (patch)
tree: 42fb14caa9d24a6eca1ae9d07b69a4a502e5c200 /src/cryptography
parent: 579dfcf48f013dddfd3447e6dc38cfdc0b17145c (diff)
download: cryptography-6f88e01af8f5d6db7082d155f3faf88dfb48e864.tar.gz
3 files changed, 145 insertions, 0 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index d00f61337..f0b09daca 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -55,6 +55,9 @@ from cryptography.hazmat.backends.openssl.rsa import (
 from cryptography.hazmat.backends.openssl.x25519 import (
     _X25519PrivateKey, _X25519PublicKey
 )
+from cryptography.hazmat.backends.openssl.x448 import (
+    _X448PrivateKey, _X448PublicKey
+)
 from cryptography.hazmat.backends.openssl.x509 import (
     _Certificate, _CertificateRevocationList,
     _CertificateSigningRequest, _RevokedCertificate
@@ -2080,6 +2083,32 @@ class Backend(object):
     def x25519_supported(self):
         return self._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
 
+    def x448_load_public_bytes(self, data):
+        if len(data) != 56:
+            raise ValueError("An X448 public key is 56 bytes long")
+
+        evp_pkey = self._lib.EVP_PKEY_new_raw_public_key(
+            self._lib.NID_X448, self._ffi.NULL, data, len(data)
+        )
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+        return _X448PublicKey(self, evp_pkey)
+
+    def x448_load_private_bytes(self, data):
+        evp_pkey = self._lib.EVP_PKEY_new_raw_private_key(
+            self._lib.NID_X448, self._ffi.NULL, data, len(data)
+        )
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+        return _X448PrivateKey(self, evp_pkey)
+
+    def x448_generate_key(self):
+        evp_pkey = self._evp_pkey_keygen_gc(self._lib.NID_X448)
+        return _X448PrivateKey(self, evp_pkey)
+
+    def x448_supported(self):
+        return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+
     def derive_scrypt(self, key_material, salt, length, n, r, p):
         buf = self._ffi.new("unsigned char[]", length)
         res = self._lib.EVP_PBE_scrypt(
diff --git a/src/cryptography/hazmat/backends/openssl/x448.py b/src/cryptography/hazmat/backends/openssl/x448.py
new file mode 100644
index 000000000..a10aa8217
--- /dev/null
+++ b/src/cryptography/hazmat/backends/openssl/x448.py
@@ -0,0 +1,55 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+from cryptography.hazmat.backends.openssl.utils import _evp_pkey_derive
+from cryptography.hazmat.primitives.asymmetric.x448 import (
+    X448PrivateKey, X448PublicKey
+)
+
+_X448_KEY_SIZE = 56
+
+
+@utils.register_interface(X448PublicKey)
+class _X448PublicKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_bytes(self):
+        buf = self._backend._ffi.new("unsigned char []", _X448_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _X448_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_public_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _X448_KEY_SIZE)
+        return self._backend._ffi.buffer(buf, _X448_KEY_SIZE)[:]
+
+
+@utils.register_interface(X448PrivateKey)
+class _X448PrivateKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_key(self):
+        buf = self._backend._ffi.new("unsigned char []", _X448_KEY_SIZE)
+        buflen = self._backend._ffi.new("size_t *", _X448_KEY_SIZE)
+        res = self._backend._lib.EVP_PKEY_get_raw_public_key(
+            self._evp_pkey, buf, buflen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(buflen[0] == _X448_KEY_SIZE)
+        return self._backend.x448_load_public_bytes(buf)
+
+    def exchange(self, peer_public_key):
+        if not isinstance(peer_public_key, X448PublicKey):
+            raise TypeError("peer_public_key must be X448PublicKey.")
+
+        return _evp_pkey_derive(
+            self._backend, self._evp_pkey, peer_public_key
+        )
diff --git a/src/cryptography/hazmat/primitives/asymmetric/x448.py b/src/cryptography/hazmat/primitives/asymmetric/x448.py
new file mode 100644
index 000000000..69bfa408f
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/asymmetric/x448.py
@@ -0,0 +1,61 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X448PublicKey(object):
+    @classmethod
+    def from_public_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x448_supported():
+            raise UnsupportedAlgorithm(
+                "X448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+
+        return backend.x448_load_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(self):
+        """
+        The serialized bytes of the public key.
+        """
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X448PrivateKey(object):
+    @classmethod
+    def generate(cls):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x448_supported():
+            raise UnsupportedAlgorithm(
+                "X448 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+        return backend.x448_generate_key()
+
+    @classmethod
+    def _from_private_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        return backend.x448_load_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self):
+        """
+        The serialized bytes of the public key.
+        """
+
+    @abc.abstractmethod
+    def exchange(self, peer_public_key):
+        """
+        Performs a key exchange operation using the provided peer's public key.
+        """
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2018-11-23 10:44:37 +0800
committer	Alex Gaynor <alex.gaynor@gmail.com>	2018-11-22 20:44:37 -0600
commit	6f88e01af8f5d6db7082d155f3faf88dfb48e864 (patch)
tree	42fb14caa9d24a6eca1ae9d07b69a4a502e5c200 /src/cryptography
parent	579dfcf48f013dddfd3447e6dc38cfdc0b17145c (diff)
download	cryptography-6f88e01af8f5d6db7082d155f3faf88dfb48e864.tar.gz