From 3e357f704008f38261aee011a9fe674dc43cc0ae Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Fri, 9 Jun 2017 02:31:30 -1000
Subject: X25519 Support (#3686)

* early days

* sort of working

* more things

* remove private_bytes

* public bytes, interface fix

* load public keys

* x25519 support basically done now

* private_bytes is gone

* some reminders

* doctest this too

* remove a thing that doesn't matter

* x25519 supported checks

* libressl has the NID, but a different API, so check for OpenSSL

* pep8

* add missing coverage

* update to use reasons

* expand test a little

* add changelog entry

* review feedback
---
 .../hazmat/backends/openssl/backend.py             | 54 ++++++++++++++++
 src/cryptography/hazmat/backends/openssl/x25519.py | 71 ++++++++++++++++++++++
 .../hazmat/primitives/asymmetric/x25519.py         | 54 ++++++++++++++++
 3 files changed, 179 insertions(+)
 create mode 100644 src/cryptography/hazmat/backends/openssl/x25519.py
 create mode 100644 src/cryptography/hazmat/primitives/asymmetric/x25519.py

(limited to 'src')

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index c003b6d3..d17b38ca 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -43,6 +43,9 @@ from cryptography.hazmat.backends.openssl.hmac import _HMACContext
 from cryptography.hazmat.backends.openssl.rsa import (
     _RSAPrivateKey, _RSAPublicKey
 )
+from cryptography.hazmat.backends.openssl.x25519 import (
+    _X25519PrivateKey, _X25519PublicKey
+)
 from cryptography.hazmat.backends.openssl.x509 import (
     _Certificate, _CertificateRevocationList,
     _CertificateSigningRequest, _RevokedCertificate
@@ -1772,6 +1775,57 @@ class Backend(object):
         self.openssl_assert(res > 0)
         return self._ffi.buffer(pp[0], res)[:]
 
+    def x25519_load_public_bytes(self, data):
+        evp_pkey = self._create_evp_pkey_gc()
+        res = self._lib.EVP_PKEY_set_type(evp_pkey, self._lib.NID_X25519)
+        backend.openssl_assert(res == 1)
+        res = self._lib.EVP_PKEY_set1_tls_encodedpoint(
+            evp_pkey, data, len(data)
+        )
+        backend.openssl_assert(res == 1)
+        return _X25519PublicKey(self, evp_pkey)
+
+    def x25519_load_private_bytes(self, data):
+        # OpenSSL only has facilities for loading PKCS8 formatted private
+        # keys using the algorithm identifiers specified in
+        # https://tools.ietf.org/html/draft-ietf-curdle-pkix-03.
+        # This is the standard PKCS8 prefix for a 32 byte X25519 key.
+        # The form is:
+        #    0:d=0  hl=2 l=  46 cons: SEQUENCE
+        #    2:d=1  hl=2 l=   1 prim: INTEGER           :00
+        #    5:d=1  hl=2 l=   5 cons: SEQUENCE
+        #    7:d=2  hl=2 l=   3 prim: OBJECT            :1.3.101.110
+        #    12:d=1  hl=2 l=  34 prim: OCTET STRING      (the key)
+        # Of course there's a bit more complexity. In reality OCTET STRING
+        # contains an OCTET STRING of length 32! So the last two bytes here
+        # are \x04\x20, which is an OCTET STRING of length 32.
+        pkcs8_prefix = b'0.\x02\x01\x000\x05\x06\x03+en\x04"\x04 '
+        bio = self._bytes_to_bio(pkcs8_prefix + data)
+        evp_pkey = backend._lib.d2i_PrivateKey_bio(bio.bio, self._ffi.NULL)
+        self.openssl_assert(evp_pkey != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
+        return _X25519PrivateKey(self, evp_pkey)
+
+    def x25519_generate_key(self):
+        evp_pkey_ctx = self._lib.EVP_PKEY_CTX_new_id(
+            self._lib.NID_X25519, self._ffi.NULL
+        )
+        self.openssl_assert(evp_pkey_ctx != self._ffi.NULL)
+        evp_pkey_ctx = self._ffi.gc(
+            evp_pkey_ctx, self._lib.EVP_PKEY_CTX_free
+        )
+        res = self._lib.EVP_PKEY_keygen_init(evp_pkey_ctx)
+        self.openssl_assert(res == 1)
+        evp_ppkey = self._ffi.new("EVP_PKEY **")
+        res = self._lib.EVP_PKEY_keygen(evp_pkey_ctx, evp_ppkey)
+        self.openssl_assert(res == 1)
+        self.openssl_assert(evp_ppkey[0] != self._ffi.NULL)
+        evp_pkey = self._ffi.gc(evp_ppkey[0], self._lib.EVP_PKEY_free)
+        return _X25519PrivateKey(self, evp_pkey)
+
+    def x25519_supported(self):
+        return self._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
+
     def derive_scrypt(self, key_material, salt, length, n, r, p):
         buf = self._ffi.new("unsigned char[]", length)
         res = self._lib.EVP_PBE_scrypt(
diff --git a/src/cryptography/hazmat/backends/openssl/x25519.py b/src/cryptography/hazmat/backends/openssl/x25519.py
new file mode 100644
index 00000000..f92b184b
--- /dev/null
+++ b/src/cryptography/hazmat/backends/openssl/x25519.py
@@ -0,0 +1,71 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+from cryptography.hazmat.primitives.asymmetric.x25519 import (
+    X25519PrivateKey, X25519PublicKey
+)
+
+
+@utils.register_interface(X25519PublicKey)
+class _X25519PublicKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_bytes(self):
+        ucharpp = self._backend._ffi.new("unsigned char **")
+        res = self._backend._lib.EVP_PKEY_get1_tls_encodedpoint(
+            self._evp_pkey, ucharpp
+        )
+        self._backend.openssl_assert(res == 32)
+        self._backend.openssl_assert(ucharpp[0] != self._backend._ffi.NULL)
+        data = self._backend._ffi.gc(
+            ucharpp[0], self._backend._lib.OPENSSL_free
+        )
+        return self._backend._ffi.buffer(data, res)[:]
+
+
+@utils.register_interface(X25519PrivateKey)
+class _X25519PrivateKey(object):
+    def __init__(self, backend, evp_pkey):
+        self._backend = backend
+        self._evp_pkey = evp_pkey
+
+    def public_key(self):
+        bio = self._backend._create_mem_bio_gc()
+        res = self._backend._lib.i2d_PUBKEY_bio(bio, self._evp_pkey)
+        self._backend.openssl_assert(res == 1)
+        evp_pkey = self._backend._lib.d2i_PUBKEY_bio(
+            bio, self._backend._ffi.NULL
+        )
+        return _X25519PublicKey(self._backend, evp_pkey)
+
+    def exchange(self, peer_public_key):
+        if not isinstance(peer_public_key, X25519PublicKey):
+            raise TypeError("peer_public_key must be X25519PublicKey.")
+
+        ctx = self._backend._lib.EVP_PKEY_CTX_new(
+            self._evp_pkey, self._backend._ffi.NULL
+        )
+        self._backend.openssl_assert(ctx != self._backend._ffi.NULL)
+        ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free)
+        res = self._backend._lib.EVP_PKEY_derive_init(ctx)
+        self._backend.openssl_assert(res == 1)
+        res = self._backend._lib.EVP_PKEY_derive_set_peer(
+            ctx, peer_public_key._evp_pkey
+        )
+        self._backend.openssl_assert(res == 1)
+        keylen = self._backend._ffi.new("size_t *")
+        res = self._backend._lib.EVP_PKEY_derive(
+            ctx, self._backend._ffi.NULL, keylen
+        )
+        self._backend.openssl_assert(res == 1)
+        self._backend.openssl_assert(keylen[0] > 0)
+        buf = self._backend._ffi.new("unsigned char[]", keylen[0])
+        res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen)
+        self._backend.openssl_assert(res == 1)
+        return self._backend._ffi.buffer(buf, keylen[0])[:]
diff --git a/src/cryptography/hazmat/primitives/asymmetric/x25519.py b/src/cryptography/hazmat/primitives/asymmetric/x25519.py
new file mode 100644
index 00000000..5c4652ae
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/asymmetric/x25519.py
@@ -0,0 +1,54 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X25519PublicKey(object):
+    @classmethod
+    def from_public_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x25519_supported():
+            raise UnsupportedAlgorithm(
+                "X25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+        return backend.x25519_load_public_bytes(data)
+
+    @abc.abstractmethod
+    def public_bytes(self):
+        pass
+
+
+@six.add_metaclass(abc.ABCMeta)
+class X25519PrivateKey(object):
+    @classmethod
+    def generate(cls):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        if not backend.x25519_supported():
+            raise UnsupportedAlgorithm(
+                "X25519 is not supported by this version of OpenSSL.",
+                _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+            )
+        return backend.x25519_generate_key()
+
+    @classmethod
+    def _from_private_bytes(cls, data):
+        from cryptography.hazmat.backends.openssl.backend import backend
+        return backend.x25519_load_private_bytes(data)
+
+    @abc.abstractmethod
+    def public_key(self):
+        pass
+
+    @abc.abstractmethod
+    def exchange(self, peer_public_key):
+        pass
-- 
cgit v1.2.3