diff --git a/requirements.txt b/requirements.txt index a080aa4..9d5dcb9 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,2 @@ -fastecdsa==1.7.4 -git+https://github.com/fabiant7t/pycrypto#egg=pycrypto -pyusb==1.0.2 +cryptography>=2.1.4 +pyusb>=1.0.2 diff --git a/validitysensor/init_flash.py b/validitysensor/init_flash.py index f5e627b..641ab53 100644 --- a/validitysensor/init_flash.py +++ b/validitysensor/init_flash.py @@ -1,18 +1,19 @@ -from .tls import tls, hs_key, crt_hardcoded -from hashlib import sha256 -import hmac +import os from struct import pack, unpack from binascii import hexlify, unhexlify + +from hashlib import sha256 +import hmac +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import ec +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +from cryptography.hazmat.backends import default_backend + +from .tls import tls, hs_key, crt_hardcoded from .usb import usb from .flash import write_flash, erase_flash, flush_changes, PartitionInfo, get_flash_info from .sensor import reboot -from Crypto.Random import get_random_bytes -from Crypto.Cipher import AES -from fastecdsa.encoding.der import DEREncoder -from fastecdsa.curve import P256 -from fastecdsa.ecdsa import sign -from fastecdsa.keys import gen_private_key, get_public_key from .util import assert_status, unhex from .blobs import reset_blob @@ -33,6 +34,8 @@ deb2604834e2bb62e890b0ce405b3b8ef2fec2aab3e22bff23f89a58ff0dc015fece5d3ed3f5496a dbd0df42d534904de00b6389f68867646e9d7c3d0b1dffd74070b2d0f2049b9f1dc7b0c9651c59be3ea891674725e1f2f7a484a941615b80211105978369cf71 ''') +crypto_backend=default_backend() + def get_partition_signature(): if usb.usb_dev().idVendor == 0x138a: if usb.usb_dev().idProduct == 0x0090: @@ -53,9 +56,11 @@ def encrypt_key(client_private, client_public): l = 16 - (len(m) % 16) m = m + bytes([l])*l - iv = get_random_bytes(AES.block_size) - aes = AES.new(tls.psk_encryption_key, AES.MODE_CBC, iv) - c = iv + aes.encrypt(m) + iv = os.urandom(0x10) + cipher = Cipher(algorithms.AES(tls.psk_encryption_key), modes.CBC(iv), backend=crypto_backend) + encryptor = cipher.encryptor() + c = iv + encryptor.update(m) + encryptor.finalize() + sig = hmac.new(tls.psk_validation_key, c, sha256).digest() return b'\x02' + c + sig @@ -65,8 +70,8 @@ def make_cert(client_public): (b'\0'*0x24) + unhexlify('%064x' % client_public.y)[::-1] + (b'\0'*0x4c)) - s=sign(msg, hs_key()) - s=DEREncoder().encode_signature(s[0], s[1]) + pk = ec.derive_private_key(hs_key(), ec.SECP256R1(), backend=crypto_backend) + s=pk.sign(msg, ec.ECDSA(hashes.SHA256())) s=pack('