tlslite.keyexchange module
Handling of cryptographic operations for key exchange
- class tlslite.keyexchange.ADHKeyExchange(cipherSuite, clientHello, serverHello, dhParams=None, dhGroups=None)[source]
Bases:
KeyExchange
Handling of anonymous Diffie-Hellman Key exchange
FFDHE without signing serverKeyExchange useful for anonymous DH
- __init__(cipherSuite, clientHello, serverHello, dhParams=None, dhGroups=None)[source]
Initialize KeyExchange. privateKey is the signing private key
- makeServerKeyExchange()[source]
Prepare server side of anonymous key exchange with selected parameters
- class tlslite.keyexchange.AECDHKeyExchange(cipherSuite, clientHello, serverHello, acceptedCurves, defaultCurve=23)[source]
Bases:
KeyExchange
Handling of anonymous Eliptic curve Diffie-Hellman Key exchange
ECDHE without signing serverKeyExchange useful for anonymous ECDH
- __init__(cipherSuite, clientHello, serverHello, acceptedCurves, defaultCurve=23)[source]
Initialize KeyExchange. privateKey is the signing private key
- class tlslite.keyexchange.AuthenticatedKeyExchange(cipherSuite, clientHello, serverHello, privateKey=None)[source]
Bases:
KeyExchange
Common methods for key exchanges that authenticate Server Key Exchange
Methods for signing Server Key Exchange message
- class tlslite.keyexchange.DHE_RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey, dhParams=None, dhGroups=None)[source]
Bases:
AuthenticatedKeyExchange
,ADHKeyExchange
Handling of authenticated ephemeral Diffe-Hellman Key exchange.
- __init__(cipherSuite, clientHello, serverHello, privateKey, dhParams=None, dhGroups=None)[source]
Create helper object for Diffie-Hellamn key exchange.
- Parameters:
dhParams (2-element tuple of int) – Diffie-Hellman parameters that will be used by server. First element of the tuple is the generator, the second is the prime. If not specified it will use a secure set (currently a 2048-bit safe prime).
- class tlslite.keyexchange.ECDHE_RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey, acceptedCurves, defaultCurve=23)[source]
Bases:
AuthenticatedKeyExchange
,AECDHKeyExchange
Helper class for conducting ECDHE key exchange
- class tlslite.keyexchange.ECDHKeyExchange(group, version)[source]
Bases:
RawDHKeyExchange
Implementation of the Elliptic Curve Diffie-Hellman key exchange.
- __init__(group, version)[source]
Set the parameters of the key exchange
Sets group on which the KEX will take part and protocol version used.
- calc_public_value(private, point_format='uncompressed')[source]
Calculate public value for given private key.
- Parameters:
private – Private key for the selected key exchange group.
point_format (str) – The point format to use for the ECDH public key. Applies only to NIST curves.
Calculate the shared key.
- Parameters:
- Return type:
- Returns:
shared key
- :raises TLSIllegalParameterException
when the paramentrs for point are invalid.
- :raises TLSDecodeError
when the the valid_point_formats is empty.
- class tlslite.keyexchange.FFDHKeyExchange(group, version, generator=None, prime=None)[source]
Bases:
RawDHKeyExchange
Implemenation of the Finite Field Diffie-Hellman key exchange.
- __init__(group, version, generator=None, prime=None)[source]
Set the parameters of the key exchange
Sets group on which the KEX will take part and protocol version used.
- calc_public_value(private, point_format=None)[source]
Calculate the public value for given private value.
- Parameters:
point_format – ignored, used for compatibility with ECDH groups
- Return type:
Calculate the shared key.
- Parameters:
valid_point_formats – ignored, used for compatibility with ECDH groups
- Return type:
- class tlslite.keyexchange.KEMKeyExchange(group, version)[source]
Bases:
object
Implementation of the Hybrid KEM key exchange groups.
Caution, KEMs are not symmetric! While they client calls the same get_random_private_key(), calc_public_value(), and calc_shared_key() as in FFDH or ECDH, the server calls just the encapsulate_key() method.
- calc_public_value(private, point_format='uncompressed')[source]
Extract public values for the private key.
To be used only to generate the KeyShare in ClientHello.
- Parameters:
point_format (str) – Point format of the ECDH portion of the key exchange (effective only for NIST curves, valid is ‘uncompressed’ only)
Decapsulate the key share received from server.
- class tlslite.keyexchange.KeyExchange(cipherSuite, clientHello, serverHello, privateKey=None)[source]
Bases:
object
Common API for calculating Premaster secret
NOT stable, will get moved from this file
- __init__(cipherSuite, clientHello, serverHello, privateKey=None)[source]
Initialize KeyExchange. privateKey is the signing private key
- static calcVerifyBytes(version, handshakeHashes, signatureAlg, premasterSecret, clientRandom, serverRandom, prf_name=None, peer_tag=b'client', key_type='rsa')[source]
Calculate signed bytes for Certificate Verify
- static makeCertificateVerify(version, handshakeHashes, validSigAlgs, privateKey, certificateRequest, premasterSecret, clientRandom, serverRandom)[source]
Create a Certificate Verify message
- Parameters:
version – protocol version in use
handshakeHashes – the running hash of all handshake messages
validSigAlgs – acceptable signature algorithms for client side, applicable only to TLSv1.2 (or later)
certificateRequest – the server provided Certificate Request message
premasterSecret – the premaster secret, needed only for SSLv3
clientRandom – client provided random value, needed only for SSLv3
serverRandom – server provided random value, needed only for SSLv3
- makeClientKeyExchange()[source]
Create a ClientKeyExchange object
Returns a ClientKeyExchange for the second flight from client in the handshake.
- makeServerKeyExchange(sigHash=None)[source]
Create a ServerKeyExchange object
Returns a ServerKeyExchange object for the server’s initial leg in the handshake. If the key exchange method does not send ServerKeyExchange (e.g. RSA), it returns None.
- processClientKeyExchange(clientKeyExchange)[source]
Process ClientKeyExchange and return premaster secret
Processes the client’s ClientKeyExchange message and returns the premaster secret. Raises TLSLocalAlert on error.
- processServerKeyExchange(srvPublicKey, serverKeyExchange)[source]
Process the server KEX and return premaster secret
- class tlslite.keyexchange.RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey)[source]
Bases:
KeyExchange
Handling of RSA key exchange
NOT stable API, do NOT use
- __init__(cipherSuite, clientHello, serverHello, privateKey)[source]
Initialize KeyExchange. privateKey is the signing private key
- makeServerKeyExchange(sigHash=None)[source]
Don’t create a server key exchange for RSA key exchange
- class tlslite.keyexchange.RawDHKeyExchange(group, version)[source]
Bases:
object
Abstract class for performing Diffe-Hellman key exchange.
Provides a shared API for X25519, ECDHE and FFDHE key exchange.
- __init__(group, version)[source]
Set the parameters of the key exchange
Sets group on which the KEX will take part and protocol version used.
- calc_public_value(private, point_format=None)[source]
Calculate the public value from the provided private value.
Calcualte the shared key given our private and remote share value
- class tlslite.keyexchange.SRPKeyExchange(cipherSuite, clientHello, serverHello, privateKey, verifierDB, srpUsername=None, password=None, settings=None)[source]
Bases:
KeyExchange
Helper class for conducting SRP key exchange
- __init__(cipherSuite, clientHello, serverHello, privateKey, verifierDB, srpUsername=None, password=None, settings=None)[source]
Link Key Exchange options with verifierDB for SRP