+from Cryptodome.Util._raw_api import (load_pycryptodome_raw_lib, VoidPointer,

+ SmartPointer, c_size_t, c_uint8_ptr,

+ c_ulonglong, null_pointer)

+

+from Cryptodome.Hash import SHA512, SHAKE256

+void ec_ws_free_point(EcPoint *ecp);

+_ed25519_lib = load_pycryptodome_raw_lib("Cryptodome.PublicKey._ed25519", """

+typedef void Point;

+int ed25519_new_point(Point **out,

+ const uint8_t x[32],

+ const uint8_t y[32],

+ size_t modsize,

+ const void *context);

+int ed25519_clone(Point **P, const Point *Q);

+void ed25519_free_point(Point *p);

+int ed25519_cmp(const Point *p1, const Point *p2);

+int ed25519_neg(Point *p);

+int ed25519_get_xy(uint8_t *xb, uint8_t *yb, size_t modsize, Point *p);

+int ed25519_double(Point *p);

+int ed25519_add(Point *P1, const Point *P2);

+int ed25519_scalar(Point *P, uint8_t *scalar, size_t scalar_len, uint64_t seed);

+""")

+

+_ed448_lib = load_pycryptodome_raw_lib("Cryptodome.PublicKey._ed448", """

+typedef void EcContext;

+typedef void PointEd448;

+int ed448_new_context(EcContext **pec_ctx);

+void ed448_context(EcContext *ec_ctx);

+void ed448_free_context(EcContext *ec_ctx);

+int ed448_new_point(PointEd448 **out,

+ const uint8_t x[56],

+ const uint8_t y[56],

+ size_t len,

+ const EcContext *context);

+int ed448_clone(PointEd448 **P, const PointEd448 *Q);

+void ed448_free_point(PointEd448 *p);

+int ed448_cmp(const PointEd448 *p1, const PointEd448 *p2);

+int ed448_neg(PointEd448 *p);

+int ed448_get_xy(uint8_t *xb, uint8_t *yb, size_t len, const PointEd448 *p);

+int ed448_double(PointEd448 *p);

+int ed448_add(PointEd448 *P1, const PointEd448 *P2);

+int ed448_scalar(PointEd448 *P, const uint8_t *scalar, size_t scalar_len, uint64_t seed);

+""")

+

+

+def lib_func(ecc_obj, func_name):

+ if ecc_obj._curve.desc == "Ed25519":

+ result = getattr(_ed25519_lib, "ed25519_" + func_name)

+ elif ecc_obj._curve.desc == "Ed448":

+ result = getattr(_ed448_lib, "ed448_" + func_name)

+ else:

+ result = getattr(_ec_lib, "ec_ws_" + func_name)

+ return result

+

+#

+# _curves is a database of curve parameters. Items are indexed by their

+# human-friendly name, suchas "P-256". Each item has the following fields:

+# - p: the prime number that defines the finite field for all modulo operations

+# - b: the constant in the Short Weierstrass curve equation

+# - order: the number of elements in the group with the generator below

+# - Gx the affine coordinate X of the generator point

+# - Gy the affine coordinate Y of the generator point

+# - G the generator, as an EccPoint object

+# - modulus_bits the minimum number of bits for encoding the modulus p

+# - oid an ASCII string with the registered ASN.1 Object ID

+# - context a raw pointer to memory holding a context for all curve operations (can be NULL)

+# - desc an ASCII string describing the curve

+# - openssh the ASCII string used in OpenSSH id files for public keys on this curve

+# - name the ASCII string which is also a valid key in _curves

+

+

+_Curve = namedtuple("_Curve", "p b order Gx Gy G modulus_bits oid context desc openssh name")

+p192_names = ["p192", "NIST P-192", "P-192", "prime192v1", "secp192r1",

+ "nistp192"]

+

+

+def init_p192():

+ p = 0xfffffffffffffffffffffffffffffffeffffffffffffffff

+ b = 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1

+ order = 0xffffffffffffffffffffffff99def836146bc9b1b4d22831

+ Gx = 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012

+ Gy = 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811

+

+ p192_modulus = long_to_bytes(p, 24)

+ p192_b = long_to_bytes(b, 24)

+ p192_order = long_to_bytes(order, 24)

+

+ ec_p192_context = VoidPointer()

+ result = _ec_lib.ec_ws_new_context(ec_p192_context.address_of(),

+ c_uint8_ptr(p192_modulus),

+ c_uint8_ptr(p192_b),

+ c_uint8_ptr(p192_order),

+ c_size_t(len(p192_modulus)),

+ c_ulonglong(getrandbits(64))

+ )

+ if result:

+ raise ImportError("Error %d initializing P-192 context" % result)

+

+ context = SmartPointer(ec_p192_context.get(), _ec_lib.ec_free_context)

+ p192 = _Curve(Integer(p),

+ Integer(b),

+ Integer(order),

+ Integer(Gx),

+ Integer(Gy),

+ None,

+ 192,

+ "1.2.840.10045.3.1.1", # ANSI X9.62 / SEC2

+ context,

+ "NIST P-192",

+ "ecdsa-sha2-nistp192",

+ "p192")

+ global p192_names

+ _curves.update(dict.fromkeys(p192_names, p192))

+

+

+init_p192()

+del init_p192

+

+

+p224_names = ["p224", "NIST P-224", "P-224", "prime224v1", "secp224r1",

+ "nistp224"]

+

+

+def init_p224():

+ p = 0xffffffffffffffffffffffffffffffff000000000000000000000001

+ b = 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4

+ order = 0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d

+ Gx = 0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21

+ Gy = 0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34

+

+ p224_modulus = long_to_bytes(p, 28)

+ p224_b = long_to_bytes(b, 28)

+ p224_order = long_to_bytes(order, 28)

+

+ ec_p224_context = VoidPointer()

+ result = _ec_lib.ec_ws_new_context(ec_p224_context.address_of(),

+ c_uint8_ptr(p224_modulus),

+ c_uint8_ptr(p224_b),

+ c_uint8_ptr(p224_order),

+ c_size_t(len(p224_modulus)),

+ c_ulonglong(getrandbits(64))

+ )

+ if result:

+ raise ImportError("Error %d initializing P-224 context" % result)

+

+ context = SmartPointer(ec_p224_context.get(), _ec_lib.ec_free_context)

+ p224 = _Curve(Integer(p),

+ Integer(b),

+ Integer(order),

+ Integer(Gx),

+ Integer(Gy),

+ None,

+ 224,

+ "1.3.132.0.33", # SEC 2

+ context,

+ "NIST P-224",

+ "ecdsa-sha2-nistp224",

+ "p224")

+ global p224_names

+ _curves.update(dict.fromkeys(p224_names, p224))

+

+

+init_p224()

+del init_p224

+

+

+ "1.2.840.10045.3.1.7", # ANSI X9.62 / SEC2

+ "ecdsa-sha2-nistp256",

+ "p256")

+ "ecdsa-sha2-nistp384",

+ "p384")

+ "ecdsa-sha2-nistp521",

+ "p521")

+ed25519_names = ["ed25519", "Ed25519"]

+

+

+def init_ed25519():

+ p = 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed # 2**255 - 19

+ order = 0x1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed

+ Gx = 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a

+ Gy = 0x6666666666666666666666666666666666666666666666666666666666666658

+

+ ed25519 = _Curve(Integer(p),

+ None,

+ Integer(order),

+ Integer(Gx),

+ Integer(Gy),

+ None,

+ 255,

+ "1.3.101.112", # RFC8410

+ None,

+ "Ed25519", # Used throughout; do not change

+ "ssh-ed25519",

+ "ed25519")

+ global ed25519_names

+ _curves.update(dict.fromkeys(ed25519_names, ed25519))

+

+

+init_ed25519()

+del init_ed25519

+

+

+ed448_names = ["ed448", "Ed448"]

+

+

+def init_ed448():

+ p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff # 2**448 - 2**224 - 1

+ order = 0x3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3

+ Gx = 0x4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e

+ Gy = 0x693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14

+

+ ed448_context = VoidPointer()

+ result = _ed448_lib.ed448_new_context(ed448_context.address_of())

+ if result:

+ raise ImportError("Error %d initializing Ed448 context" % result)

+

+ context = SmartPointer(ed448_context.get(), _ed448_lib.ed448_free_context)

+

+ ed448 = _Curve(Integer(p),

+ None,

+ Integer(order),

+ Integer(Gx),

+ Integer(Gy),

+ None,

+ 448,

+ "1.3.101.113", # RFC8410

+ context,

+ "Ed448", # Used throughout; do not change

+ None,

+ "ed448")

+ global ed448_names

+ _curves.update(dict.fromkeys(ed448_names, ed448))

+

+

+init_ed448()

+del init_ed448

+

+

+ """A class to model a point on an Elliptic Curve.

+ The class supports operators for:

+ * Comparing two points: ``if S == T: ...`` or ``if S != T: ...``

+ :ivar xy: The tuple with affine X- and Y- coordinates

+ new_point = lib_func(self, "new_point")

+ free_func = lib_func(self, "free_point")

+

+ try:

+ context = self._curve.context.get()

+ except AttributeError:

+ context = null_pointer

+ result = new_point(self._point.address_of(),

+ c_uint8_ptr(xb),

+ c_uint8_ptr(yb),

+ c_size_t(modulus_bytes),

+ context)

+

+ self._point = SmartPointer(self._point.get(), free_func)

+ clone = lib_func(self, "clone")

+ free_func = lib_func(self, "free_point")

+

+ result = clone(self._point.address_of(),

+ point._point.get())

+

+ self._point = SmartPointer(self._point.get(), free_func)

+ cmp_func = lib_func(self, "cmp")

+ return 0 == cmp_func(self._point.get(), point._point.get())

+

+ # Only needed for Python 2

+ def __ne__(self, point):

+ return not self == point

+ neg_func = lib_func(self, "neg")

+ result = neg_func(np._point.get())

+ def _is_eddsa(self):

+ return self._curve.name in ("ed25519", "ed448")

+

+ """``True`` if this is the *point-at-infinity*."""

+

+ if self._is_eddsa():

+ return self.x == 0

+ else:

+ return self.xy == (0, 0)

+ """Return the *point-at-infinity* for the curve."""

+

+ if self._is_eddsa():

+ return EccPoint(0, 1, self._curve_name)

+ else:

+ return EccPoint(0, 0, self._curve_name)

+ get_xy = lib_func(self, "get_xy")

+ result = get_xy(c_uint8_ptr(xb),

+ c_uint8_ptr(yb),

+ c_size_t(modulus_bytes),

+ self._point.get())

+ Returns:

+ This same object (to enable chaining).

+ double_func = lib_func(self, "double")

+ result = double_func(self._point.get())

+ add_func = lib_func(self, "add")

+ result = add_func(self._point.get(), point._point.get())

+ scalar_func = lib_func(self, "scalar")

+ result = scalar_func(self._point.get(),

+ c_uint8_ptr(sb),

+ c_size_t(len(sb)),

+ c_ulonglong(getrandbits(64)))

+p192_G = EccPoint(_curves['p192'].Gx, _curves['p192'].Gy, "p192")

+p192 = _curves['p192']._replace(G=p192_G)

+_curves.update(dict.fromkeys(p192_names, p192))

+del p192_G, p192, p192_names

+

+p224_G = EccPoint(_curves['p224'].Gx, _curves['p224'].Gy, "p224")

+p224 = _curves['p224']._replace(G=p224_G)

+_curves.update(dict.fromkeys(p224_names, p224))

+del p224_G, p224, p224_names

+

+ed25519_G = EccPoint(_curves['Ed25519'].Gx, _curves['Ed25519'].Gy, "Ed25519")

+ed25519 = _curves['Ed25519']._replace(G=ed25519_G)

+_curves.update(dict.fromkeys(ed25519_names, ed25519))

+del ed25519_G, ed25519, ed25519_names

+

+ed448_G = EccPoint(_curves['Ed448'].Gx, _curves['Ed448'].Gy, "Ed448")

+ed448 = _curves['Ed448']._replace(G=ed448_G)

+_curves.update(dict.fromkeys(ed448_names, ed448))

+del ed448_G, ed448, ed448_names

+

+ :ivar curve: The name of the curve as defined in the `ECC table`_.

+ :ivar pointQ: an ECC point representating the public component.

+ :ivar d: A scalar that represents the private component

+ in NIST P curves. It is smaller than the

+ order of the generator point.

+

+ :ivar seed: A seed that representats the private component

+ in EdDSA curves

+ (Ed25519, 32 bytes; Ed448, 57 bytes).

+ :vartype seed: bytes

+ The name of the curve.

+ Mandatory for a private key one NIST P curves.

+ It must be in the range ``[1..order-1]``.

+ seed : bytes

+ Mandatory for a private key on the Ed25519 (32 bytes)

+ or Ed448 (57 bytes) curve.

+

+ Only one parameter among ``d``, ``seed`` or ``point`` may be used.

+ self._seed = kwargs_.pop("seed", None)

+ if curve_name is None and self._point:

+ curve_name = self._point._curve_name

+ raise ValueError("Unsupported curve (%s)" % curve_name)

+ self.curve = curve_name

+

+ count = int(self._d is not None) + int(self._seed is not None)

+ if count == 0:

+ raise ValueError("At lest one between parameters 'point', 'd' or 'seed' must be specified")

+ return

+

+ if count == 2:

+ raise ValueError("Parameters d and seed are mutually exclusive")

+

+ # NIST P curves work with d, EdDSA works with seed

+

+ if not self._is_eddsa():

+ if self._seed is not None:

+ raise ValueError("Parameter 'seed' can only be used with Ed25519 or Ed448")

+ raise ValueError("Parameter d must be an integer smaller than the curve order")

+ else:

+ if self._d is not None:

+ raise ValueError("Parameter d can only be used with NIST P curves")

+ # RFC 8032, 5.1.5

+ if self._curve.name == "ed25519":

+ if len(self._seed) != 32:

+ raise ValueError("Parameter seed must be 32 bytes long for Ed25519")

+ seed_hash = SHA512.new(self._seed).digest() # h

+ self._prefix = seed_hash[32:]

+ tmp = bytearray(seed_hash[:32])

+ tmp[0] &= 0xF8

+ tmp[31] = (tmp[31] & 0x7F) | 0x40

+ # RFC 8032, 5.2.5

+ elif self._curve.name == "ed448":

+ if len(self._seed) != 57:

+ raise ValueError("Parameter seed must be 57 bytes long for Ed448")

+ seed_hash = SHAKE256.new(self._seed).read(114) # h

+ self._prefix = seed_hash[57:]

+ tmp = bytearray(seed_hash[:57])

+ tmp[0] &= 0xFC

+ tmp[55] |= 0x80

+ tmp[56] = 0

+ self._d = Integer.from_bytes(tmp, byteorder='little')

+

+ def _is_eddsa(self):

+ return self._curve.desc in ("Ed25519", "Ed448")

+ if self._is_eddsa():

+ extra = ", seed=%s" % self._seed.hex()

+ else:

+ extra = ", d=%d" % int(self._d)

+ # ECDSA

+ # ECDSA

+ def seed(self):

+ if not self.has_private():

+ raise ValueError("This is not a private ECC key")

+ return self._seed

+

+ @property

+ def _export_SEC1(self, compress):

+ if self._is_eddsa():

+ raise ValueError("SEC1 format is unsupported for EdDSA curves")

+ #

+ if self.pointQ.y.is_odd():

+ first_byte = b'\x03'

+ else:

+ first_byte = b'\x02'

+ public_key = (first_byte +

+ return public_key

+ def _export_eddsa(self):

+ x, y = self.pointQ.xy

+ if self._curve.name == "ed25519":

+ result = bytearray(y.to_bytes(32, byteorder='little'))

+ result[31] = ((x & 1) << 7) | result[31]

+ elif self._curve.name == "ed448":

+ result = bytearray(y.to_bytes(57, byteorder='little'))

+ result[56] = (x & 1) << 7

+ else:

+ raise ValueError("Not an EdDSA key to export")

+ return bytes(result)

+

+ def _export_subjectPublicKeyInfo(self, compress):

+ if self._is_eddsa():

+ oid = self._curve.oid

+ public_key = self._export_eddsa()

+ params = None

+ else:

+ oid = "1.2.840.10045.2.1" # unrestricted

+ public_key = self._export_SEC1(compress)

+ params = DerObjectId(self._curve.oid)

+

+ return _create_subject_public_key_info(oid,

+ params)

+ def _export_rfc5915_private_der(self, include_ec_params=True):

+ if self._is_eddsa():

+ oid = self._curve.oid

+ private_key = DerOctetString(self._seed).encode()

+ params = None

+ else:

+ oid = "1.2.840.10045.2.1" # unrestricted

+ private_key = self._export_rfc5915_private_der(include_ec_params=False)

+ params = DerObjectId(self._curve.oid)

+

+ oid,

+ key_params=params,

+ encoded_der = self._export_rfc5915_private_der()

+ if desc is None:

+ raise ValueError("Cannot export %s keys as OpenSSH" % self._curve.name)

+ elif desc == "ssh-ed25519":

+ public_key = self._export_eddsa()

+ comps = (tobytes(desc), tobytes(public_key))

+ modulus_bytes = self.pointQ.size_in_bytes()

+

+ if compress:

+ first_byte = 2 + self.pointQ.y.is_odd()

+ public_key = (bchr(first_byte) +

+ self.pointQ.x.to_bytes(modulus_bytes))

+ else:

+ public_key = (b'\x04' +

+ self.pointQ.x.to_bytes(modulus_bytes) +

+ self.pointQ.y.to_bytes(modulus_bytes))

+

+ middle = desc.split("-")[2]

+ comps = (tobytes(desc), tobytes(middle), public_key)

+ - ``'SEC1'``. The public key (i.e., the EC point) will be encoded

+ into ``bytes`` according to Section 2.3.3 of `SEC1`_

+ (which is a subset of the older X9.62 ITU standard).

+ Only for NIST P-curves.

+ - ``'raw'``. The public key will be encoded as ``bytes``,

+ without any metadata.

+

+ * For NIST P-curves: equivalent to ``'SEC1'``.

+ * For EdDSA curves: ``bytes`` in the format defined in `RFC8032`_.

+ will be used. It must be ``True`` for EdDSA curves.

+ If ``True``, the method returns a more compact representation

+ of the public key, with the X-coordinate only.

+

+ If ``False`` (default), the method returns the full public key.

+ This parameter is ignored for EdDSA curves, as compression is

+ mandatory.

+ .. _SEC1: https://www.secg.org/sec1-v2.pdf

+ A multi-line string (for ``'PEM'`` and ``'OpenSSH'``) or

+ ``bytes`` (for ``'DER'``, ``'SEC1'``, and ``'raw'``) with the encoded key.

+ if ext_format not in ("PEM", "DER", "OpenSSH", "SEC1", "raw"):

+

+ if not use_pkcs8 and self._is_eddsa():

+ raise ValueError("'pkcs8' must be True for EdDSA curves")

+

+ return self._export_rfc5915_private_der()

+ raise ValueError("Private keys cannot be exported "

+ "in the '%s' format" % ext_format)

+ elif ext_format == "SEC1":

+ return self._export_SEC1(compress)

+ elif ext_format == "raw":

+ if self._curve.name in ('ed25519', 'ed448'):

+ return self._export_eddsa()

+ else:

+ return self._export_SEC1(compress)

+ Mandatory. It must be a curve name defined in the `ECC table`_.

+ if _curves[curve_name].name == "ed25519":

+ seed = randfunc(32)

+ new_key = EccKey(curve=curve_name, seed=seed)

+ elif _curves[curve_name].name == "ed448":

+ seed = randfunc(57)

+ new_key = EccKey(curve=curve_name, seed=seed)

+ else:

+ d = Integer.random_range(min_inclusive=1,

+ max_exclusive=curve.order,

+ randfunc=randfunc)

+ new_key = EccKey(curve=curve_name, d=d)

+ return new_key

+ In most cases, you will already have an existing key

+ which you can read in with :func:`import_key` instead

+ of this function.

+ Args:

+ Mandatory. The name of the elliptic curve, as defined in the `ECC table`_.

+ Mandatory for a private key and a NIST P-curve (e.g., P-256):

+ the integer in the range ``[1..order-1]`` that represents the key.

+

+ seed (bytes):

+ Mandatory for a private key and an EdDSA curve.

+ It must be 32 bytes for Ed25519, and 57 bytes for Ed448.

+ Mandatory for a public key: the X coordinate (affine) of the ECC point.

+ Mandatory for a public key: the Y coordinate (affine) of the ECC point.

+ new_key = EccKey(**kwargs)

+

+ # because EccKey will not do that automatically

+ if new_key.has_private() and 'point' in kwargs:

+ pub_key = curve.G * new_key.d

+ return new_key

+def _import_public_der(ec_point, curve_oid=None, curve_name=None):

+ ec_point: byte string with the EC point (SEC1-encoded)

+ curve_oid: string with the name the curve

+

+ Either curve_id or curve_name must be specified

+ for _curve_name, curve in _curves.items():

+ if curve_oid and curve.oid == curve_oid:

+ break

+ if curve_name == _curve_name:

+ if curve_oid:

+ raise UnsupportedEccFeature("Unsupported ECC curve (OID: %s)" % curve_oid)

+ else:

+ raise UnsupportedEccFeature("Unsupported ECC curve (%s)" % curve_name)

+ elif point_type in (0x02, 0x03):

+ # Right now, we only support Short Weierstrass curves

+ y = (x**3 - x*3 + curve.b).sqrt(curve.p)

+ return construct(curve=_curve_name, point_x=x, point_y=y)

+ nist_p_oids = (

+ "1.2.840.10045.2.1", # id-ecPublicKey (unrestricted)

+ "1.3.132.1.12", # id-ecDH

+ "1.3.132.1.13" # id-ecMQV

+ )

+ eddsa_oids = {

+ "1.3.101.112": ("Ed25519", _import_ed25519_public_key), # id-Ed25519

+ "1.3.101.113": ("Ed448", _import_ed448_public_key) # id-Ed448

+ }

+

+ if oid in nist_p_oids:

+ # See RFC5480

+

+ # Parameters are mandatory and encoded as ECParameters

+ # ECParameters ::= CHOICE {

+ # namedCurve OBJECT IDENTIFIER

+ # -- implicitCurve NULL

+ # -- specifiedCurve SpecifiedECDomain

+ # }

+ # implicitCurve and specifiedCurve are not supported (as per RFC)

+ if not params:

+ raise ValueError("Missing ECC parameters for ECC OID %s" % oid)

+ try:

+ curve_oid = DerObjectId().decode(params).value

+ except ValueError:

+ raise ValueError("Error decoding namedCurve")

+ # ECPoint ::= OCTET STRING

+ return _import_public_der(ec_point, curve_oid=curve_oid)

+ elif oid in eddsa_oids:

+ # See RFC8410

+ curve_name, import_eddsa_public_key = eddsa_oids[oid]

+ # Parameters must be absent

+ if params:

+ raise ValueError("Unexpected ECC parameters for ECC OID %s" % oid)

+ x, y = import_eddsa_public_key(ec_point)

+ return construct(point_x=x, point_y=y, curve=curve_name)

+ else:

+ raise UnsupportedEccFeature("Unsupported ECC OID: %s" % oid)

+def _import_rfc5915_der(encoded, passphrase, curve_oid=None):

+ public_key = _import_public_der(public_key_enc, curve_oid=curve_oid)

+ nist_p_oids = (

+ "1.2.840.10045.2.1", # id-ecPublicKey (unrestricted)

+ "1.3.132.1.12", # id-ecDH

+ "1.3.132.1.13" # id-ecMQV

+ )

+ eddsa_oids = {

+ "1.3.101.112": "Ed25519", # id-Ed25519

+ "1.3.101.113": "Ed448", # id-Ed448

+ }

+

+ if algo_oid in nist_p_oids:

+ curve_oid = DerObjectId().decode(params).value

+ return _import_rfc5915_der(private_key, passphrase, curve_oid)

+ elif algo_oid in eddsa_oids:

+ if params is not None:

+ raise ValueError("EdDSA ECC private key must not have parameters")

+ curve_oid = None

+ seed = DerOctetString().decode(private_key).payload

+ return construct(curve=eddsa_oids[algo_oid], seed=seed)

+ else:

+ return _import_rfc5915_der(encoded, passphrase)

+ parts = encoded.split(b' ')

+ if len(parts) not in (2, 3):

+ raise ValueError("Not an openssh public key")

+ try:

+ keystring = binascii.a2b_base64(parts[1])

+

+ keyparts = []

+ while len(keystring) > 4:

+ lk = struct.unpack(">I", keystring[:4])[0]

+ keyparts.append(keystring[4:4 + lk])

+ keystring = keystring[4 + lk:]

+

+ if parts[0] != keyparts[0]:

+ raise ValueError("Mismatch in openssh public key")

+

+ # NIST P curves

+ if parts[0].startswith(b"ecdsa-sha2-"):

+

+ for curve_name, curve in _curves.items():

+ if curve.openssh is None:

+ continue

+ if not curve.openssh.startswith("ecdsa-sha2"):

+ continue

+ middle = tobytes(curve.openssh.split("-")[2])

+ if keyparts[1] == middle:

+ break

+ else:

+ raise ValueError("Unsupported ECC curve: " + middle)

+ ecc_key = _import_public_der(keyparts[2], curve_oid=curve.oid)

+ # EdDSA

+ elif parts[0] == b"ssh-ed25519":

+ x, y = _import_ed25519_public_key(keyparts[1])

+ ecc_key = construct(curve="Ed25519", point_x=x, point_y=y)

+ else:

+ raise ValueError("Unsupported SSH key type: " + parts[0])

+

+ except (IndexError, TypeError, binascii.Error):

+ raise ValueError("Error parsing SSH key type: " + parts[0])

+

+ return ecc_key

+ key_type, decrypted = import_openssh_private_generic(data, password)

+

+ eddsa_keys = {

+ "ssh-ed25519": ("Ed25519", _import_ed25519_public_key, 32),

+ }

+

+ # https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent-04

+ if key_type.startswith("ecdsa-sha2"):

+

+ ecdsa_curve_name, decrypted = read_string(decrypted)

+ if ecdsa_curve_name not in _curves:

+ raise UnsupportedEccFeature("Unsupported ECC curve %s" % ecdsa_curve_name)

+ curve = _curves[ecdsa_curve_name]

+ modulus_bytes = (curve.modulus_bits + 7) // 8

+

+ public_key, decrypted = read_bytes(decrypted)

+

+ if bord(public_key[0]) != 4:

+ raise ValueError("Only uncompressed OpenSSH EC keys are supported")

+ if len(public_key) != 2 * modulus_bytes + 1:

+ raise ValueError("Incorrect public key length")

+ point_x = Integer.from_bytes(public_key[1:1+modulus_bytes])

+ point_y = Integer.from_bytes(public_key[1+modulus_bytes:])

+ private_key, decrypted = read_bytes(decrypted)

+ d = Integer.from_bytes(private_key)

+ params = {'d': d, 'curve': ecdsa_curve_name}

+ elif key_type in eddsa_keys:

+ curve_name, import_eddsa_public_key, seed_len = eddsa_keys[key_type]

+

+ public_key, decrypted = read_bytes(decrypted)

+ point_x, point_y = import_eddsa_public_key(public_key)

+

+ private_public_key, decrypted = read_bytes(decrypted)

+ seed = private_public_key[:seed_len]

+

+ params = {'seed': seed, 'curve': curve_name}

+ else:

+ raise ValueError("Unsupport SSH agent key type:" + key_type)

+ return construct(point_x=point_x, point_y=point_y, **params)

+

+

+def _import_ed25519_public_key(encoded):

+ """Import an Ed25519 ECC public key, encoded as raw bytes as described

+ in RFC8032_.

+

+ Args:

+ encoded (bytes):

+ The Ed25519 public key to import. It must be 32 bytes long.

+

+ Returns:

+ :class:`EccKey` : a new ECC key object

+

+ Raises:

+ ValueError: when the given key cannot be parsed.

+

+ .. _RFC8032: https://datatracker.ietf.org/doc/html/rfc8032

+ """

+

+ if len(encoded) != 32:

+ raise ValueError("Incorrect length. Only Ed25519 public keys are supported.")

+

+ p = Integer(0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed) # 2**255 - 19

+ d = 37095705934669439343138083508754565189542113879843219016388785533085940283555

+

+ y = bytearray(encoded)

+ x_lsb = y[31] >> 7

+ y[31] &= 0x7F

+ point_y = Integer.from_bytes(y, byteorder='little')

+ if point_y >= p:

+ raise ValueError("Invalid Ed25519 key (y)")

+ if point_y == 1:

+ return 0, 1

+ u = (point_y**2 - 1) % p

+ v = ((point_y**2 % p) * d + 1) % p

+ try:

+ v_inv = v.inverse(p)

+ x2 = (u * v_inv) % p

+ point_x = Integer._tonelli_shanks(x2, p)

+ if (point_x & 1) != x_lsb:

+ point_x = p - point_x

+ except ValueError:

+ raise ValueError("Invalid Ed25519 public key")

+ return point_x, point_y

+

+

+def _import_ed448_public_key(encoded):

+ """Import an Ed448 ECC public key, encoded as raw bytes as described

+ in RFC8032_.

+

+ Args:

+ encoded (bytes):

+ The Ed448 public key to import. It must be 57 bytes long.

+

+ Returns:

+ :class:`EccKey` : a new ECC key object

+

+ Raises:

+ ValueError: when the given key cannot be parsed.

+

+ .. _RFC8032: https://datatracker.ietf.org/doc/html/rfc8032

+ """

+ if len(encoded) != 57:

+ raise ValueError("Incorrect length. Only Ed448 public keys are supported.")

+

+ p = Integer(0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff) # 2**448 - 2**224 - 1

+ d = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffff6756

+

+ y = encoded[:56]

+ x_lsb = bord(encoded[56]) >> 7

+ point_y = Integer.from_bytes(y, byteorder='little')

+ if point_y >= p:

+ raise ValueError("Invalid Ed448 key (y)")

+ if point_y == 1:

+ return 0, 1

+

+ u = (point_y**2 - 1) % p

+ v = ((point_y**2 % p) * d - 1) % p

+ try:

+ v_inv = v.inverse(p)

+ x2 = (u * v_inv) % p

+ point_x = Integer._tonelli_shanks(x2, p)

+ if (point_x & 1) != x_lsb:

+ point_x = p - point_x

+ except ValueError:

+ raise ValueError("Invalid Ed448 public key")

+ return point_x, point_y

+

+

+def import_key(encoded, passphrase=None, curve_name=None):

+ The function will try to automatically detect the right format.

+ Supported formats for an ECC **public** key:

+ * X.509 certificate: binary (DER) or ASCII (PEM).

+ * X.509 ``subjectPublicKeyInfo``: binary (DER) or ASCII (PEM).

+ * SEC1_ (or X9.62), as ``bytes``. NIST P curves only.

+ You must also provide the ``curve_name`` (with a value from the `ECC table`_)

+ * OpenSSH line, defined in RFC5656_ and RFC8709_ (ASCII).

+ This is normally the content of files like ``~/.ssh/id_ecdsa.pub``.

+ Supported formats for an ECC **private** key:

+ * A binary ``ECPrivateKey`` structure, as defined in `RFC5915`_ (DER).

+ NIST P curves only.

+ * A `PKCS#8`_ structure (or the more recent Asymmetric Key Package, RFC5958_): binary (DER) or ASCII (PEM).

+ * `OpenSSH 6.5`_ and newer versions (ASCII).

+ Encryption may be applied protected at the PEM level (not recommended)

+ or at the PKCS#8 level (recommended).

+ curve_name (string):

+ For a SEC1 encoding only. This is the name of the curve,

+ as defined in the `ECC table`_.

+

+ .. note::

+

+ To import EdDSA private and public keys, when encoded as raw ``bytes``, use:

+

+ * :func:`Cryptodome.Signature.eddsa.import_public_key`, or

+ * :func:`Cryptodome.Signature.eddsa.import_private_key`.

+

+ .. _RFC1421: https://datatracker.ietf.org/doc/html/rfc1421

+ .. _RFC1423: https://datatracker.ietf.org/doc/html/rfc1423

+ .. _RFC5915: https://datatracker.ietf.org/doc/html/rfc5915

+ .. _RFC5656: https://datatracker.ietf.org/doc/html/rfc5656

+ .. _RFC8709: https://datatracker.ietf.org/doc/html/rfc8709

+ .. _RFC5958: https://datatracker.ietf.org/doc/html/rfc5958

+ .. _`PKCS#8`: https://datatracker.ietf.org/doc/html/rfc5208

+ .. _`OpenSSH 6.5`: https://flak.tedunangst.com/post/new-openssh-key-format-and-bcrypt-pbkdf

+ .. _SEC1: https://www.secg.org/sec1-v2.pdf

+ ecparams_start = "-----BEGIN EC PARAMETERS-----"

+ ecparams_end = "-----END EC PARAMETERS-----"

+ text_encoded = re.sub(ecparams_start + ".*?" + ecparams_end, "",

+ text_encoded,

+ flags=re.DOTALL)

+ if encoded.startswith((b'ecdsa-sha2-', b'ssh-ed25519')):

+ # SEC1

+ if len(encoded) > 0 and bord(encoded[0]) in b'\x02\x03\x04':

+ if curve_name is None:

+ raise ValueError("No curve name was provided")

+ return _import_public_der(encoded, curve_name=curve_name)

+