replaces cryptography.hazmat.primitives.BLAKE2b with hashlib.Blake2b from Python standardlib

2021-01-21 13:57:02 -08:00 · 2021-01-21 13:57:02 -08:00 · d2e3558e3b
parent 38b2aae3fb
commit d2e3558e3b
6 changed files with 794 additions and 470 deletions
--- a/2
+++ b/2
@ -9,6 +9,7 @@ setuptools = "*"
 cryptography = ">=2.3"
 pynacl = "*"
 pysha3 = "*"
+hkdf = "*"
 # NuCypher
 bytestring-splitter = "*"
 constant-sorrow = ">=0.1.0a7"
@ -36,6 +37,7 @@ sphinx-autobuild = "*"
 sphinx_rtd_theme = "*"
 # Overrides vulnerable versions allowed by codecov and sphinx:
 requests = ">=2.20.0"
+umbral = {editable = true, path = "."}

 [pipenv]
 allow_prereleases = true
--- a/Pipfile.lock
+++ b/Pipfile.lock
--- a/setup.py
+++ b/setup.py
@ -63,6 +63,7 @@ INSTALL_REQUIRES = [
    'pysha3',
    'constant-sorrow>=0.1.0a7',
    'bytestring-splitter',
+    'hkdf'
 ]

 DEV_INSTALL_REQUIRES = [
--- a/tests/unit/test_serialization_property_based.py
+++ b/tests/unit/test_serialization_property_based.py
@ -104,12 +104,12 @@ def test_pubkey_roundtrip(p):
    k = UmbralPublicKey(p, params)
    assert(k == UmbralPublicKey.from_bytes(k.to_bytes(), params=params))

-# @given(binary(min_size=1))
-# #@settings(max_examples=20, suppress_health_check=[HealthCheck.hung_test])
-# def test_privkey_roundtrip(p):
-#     insecure_scrypt_cost = 5   # This is deliberately insecure, just to make it faster
-#     k = UmbralPrivateKey.gen_key()
-#     rt = UmbralPrivateKey.from_bytes(k.to_bytes(password=p, _scrypt_cost=insecure_scrypt_cost),
-#                                      password=p,
-#                                      _scrypt_cost=insecure_scrypt_cost)
-#     assert(k.get_pubkey() == rt.get_pubkey())
+@given(binary(min_size=1))
+@settings(max_examples=20)
+def test_privkey_roundtrip(p):
+    insecure_scrypt_cost = 5   # This is deliberately insecure, just to make it faster
+    k = UmbralPrivateKey.gen_key()
+    rt = UmbralPrivateKey.from_bytes(k.to_bytes(password=p, _scrypt_cost=insecure_scrypt_cost),
+                                     password=p,
+                                     _scrypt_cost=insecure_scrypt_cost)
+    assert(k.get_pubkey() == rt.get_pubkey())
--- a/umbral/keys.py
+++ b/umbral/keys.py
@ -21,8 +21,6 @@ from typing import Callable, Optional, Any
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.backends.openssl.ec import _EllipticCurvePrivateKey, _EllipticCurvePublicKey
 from cryptography.exceptions import InternalError
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.hazmat.primitives.kdf.scrypt import Scrypt as CryptographyScrypt
 from nacl.secret import SecretBox

@ -34,6 +32,8 @@ from umbral.point import Point
 from umbral.curve import Curve
 from umbral.random_oracles import hash_to_curvebn

+from hkdf import Hkdf
+from hashlib import blake2b

 __SALT_SIZE = 32

@ -407,13 +407,11 @@ class UmbralKeyingMaterial:
        """
        params = params if params is not None else default_params()

-        key_material = HKDF(
-            algorithm=hashes.BLAKE2b(64),
-            length=64,
-            salt=salt,
-            info=b"NuCypher/KeyDerivation/"+label,
-            backend=default_backend()
-        ).derive(self.__keying_material)
+        key_material = Hkdf(
+            salt,
+            self.__keying_material,
+            hash=blake2b,
+        ).expand(info=b"NuCypher/KeyDerivation/"+label, length=64)

        bn_key = hash_to_curvebn(key_material, params=params)
        return UmbralPrivateKey(bn_key, params)
--- a/umbral/random_oracles.py
+++ b/umbral/random_oracles.py
@ -18,9 +18,6 @@ from abc import abstractmethod, ABC
 from typing import Optional, Type

 from cryptography.hazmat.backends.openssl import backend
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.exceptions import InternalError

 import sha3
@ -31,6 +28,8 @@ from umbral.point import Point
 from umbral.params import UmbralParameters
 from umbral.config import default_params

+from hkdf import Hkdf
+from hashlib import blake2b

 class Hash(ABC):

@ -66,7 +65,7 @@ class Hash(ABC):
 class Blake2b(Hash):
    def __init__(self, customization_string: bytes = b''):
        # TODO: use a Blake2b implementation that supports personalization (see #155)
-        self._blake2b = hashes.Hash(hashes.BLAKE2b(64), backend=backend)
+        self._blake2b = blake2b(digest_size=64)
        super().__init__(customization_string)

    def update(self, data: bytes) -> None:
@ -78,7 +77,7 @@ class Blake2b(Hash):
        return replica

    def finalize(self) -> bytes:
-        return self._blake2b.finalize()
+        return self._blake2b.digest()


 class ExtendedKeccak(Hash):
@ -116,12 +115,14 @@ def kdf(ecpoint: Point,
        ) -> bytes:

    data = ecpoint.to_bytes(is_compressed=True)
-    hkdf = HKDF(algorithm=hashes.BLAKE2b(64),
-                length=key_length,
-                salt=salt,
-                info=info,
-                backend=default_backend())
-    return hkdf.derive(data)
+
+    salt = salt or b''
+    info = info or b''
+    return Hkdf(
+            salt,
+            data,
+            hash=blake2b,
+        ).expand(info=info, length=key_length)


 # TODO: Common API for all hash_to_curvebn functions.