From me at johnpacific.com Fri Dec 1 14:47:24 2017
From: me at johnpacific.com (John Pacific)
Date: Fri, 1 Dec 2017 12:47:24 -0700
Subject: [Cryptography-dev] Using EC Point arithemtic in cryptography

Hey, folks!

I'm working on prototyping this cryptosystem using cryptography. I'm porting it from Charm-crypto in Python to this.

Charm crypto overrides some operators to perform scalar multiplication and modular inverses -- i.e. `*` and `~`. When these operators are used with an EC element, it performs the overridden operation.

I am now in the need to perform some similar operations within the context of cryptography.io and I can't seem to find a great way to do this.

I can access some OpenSSL functions like `EC_POINT_mul` and `BN_mod_inverse` via `default_backend()._lib.EC_POINT_mul`, etc. but I can't find any documentation of how this is used within the context of cryptography.io.

Do any of you wonderful folks have any pointers on this or maybe how to perform some point arithmetic with the cryptography objects?

Thanks,

tux

From alex.gaynor at gmail.com Fri Dec 1 17:24:25 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Fri, 1 Dec 2017 17:24:25 -0500
Subject: [Cryptography-dev] Using EC Point arithemtic in cryptography

Hi John,

We don't have an API for doing raw EC point arithmetic. https://github.com/pyca/cryptography/pull/2919 is an issue proposing (and implementing) it, but I've been very hesitant to expand the API like this.

Point multiplication can be accomplished with the ECDH API.

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

From me at johnpacific.com Fri Dec 1 17:38:23 2017
From: me at johnpacific.com (John Pacific)
Date: Fri, 1 Dec 2017 15:38:23 -0700
Subject: [Cryptography-dev] Using EC Point arithemtic in cryptography

Hey, Alex!

Thanks for the response! I've been using the ECDH API for the scalar multiplication, but my last remaining need is for `BN_mod_inverse` and I can't seem to find anything on that quite yet. No pointers here, I guess?

Thanks!

-John

From alex.gaynor at gmail.com Fri Dec 1 17:41:05 2017
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Fri, 1 Dec 2017 17:41:05 -0500
Subject: [Cryptography-dev] Using EC Point arithemtic in cryptography

Nope, we don't have a public API for modular inverse.

Alex

From terje at elde.net Thu Dec 14 04:30:20 2017
From: terje at elde.net (Terje Elde)
Date: Thu, 14 Dec 2017 10:30:20 +0100
Subject: [Cryptography-dev] Looking to sign certificates with pkcs11 key

Hi!

I'm looking to set up a solution where an intermediate CA signs certificates using a pkcs11-accessible private key.

Doing this without pkcs11 seems pretty straightforward thanks to pyca/cryptography, which is surprisingly comfortable to use. There's no native support for pkcs11 (yet) though, which sends me looking at hybrid solutions, doing most of the work with the cryptography package, but looking elsewhere for the actual pkcs11-operations.

I can easily enough grab the public key for the intermediate CA, build up the cert etc, but when it's time to sign it, things get more difficult. The cryptography package often wraps openssl at a fairly high level, so the actual signing call in `create_x509_certificate` expects an openssl structure and a private key as input. That's a bit of a challenge, since I don't actually have the private key, that being about half the point of pkcs11.

One possible way to go could perhaps be to:

- Subclass Backend, replacing the `create_x509_certificate`-method
- In "my" version, replace the `self._lib.X509_sign`-operation with simply DER-encoding the cert, allowing use of the pkcs11-module for the actual signing
- Bring the signature back into the cert structure

In order to do that though, I'd probably need `ASN1_item_i2d` or similar, which doesn't seem to be exposed in cryptography.

Would be interesting to hear if any of you have any good suggestions for solving this either using cryptography or another package.

Terje Elde

From paul.l.kehrer at gmail.com Thu Dec 14 06:38:11 2017
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Thu, 14 Dec 2017 03:38:11 -0800
Subject: [Cryptography-dev] Looking to sign certificates with pkcs11 key

We discussed this in the past (https://github.com/pyca/cryptography/issues/1506) but now that we're dropping explicit backends the proposed solutions in that issue don't really apply.

Probably the easiest path is just to sign your certificate with a dummy key and then call `tbs_certificate_bytes` on the resulting certificate. Those bytes can then be signed by your real key to construct the certificate and then you can construct/load the resulting bytes as a cryptography object. This avoids any private API calls, but is not particularly elegant.

If you want to create your own backend then you should be able to get the bytes you need via i2d_re_X509_tbs rather than needing ASN1_item_i2d directly bound. Be aware that since we're deprecating this backend concept (at least as a thing that users pass as an argument) this might be a bit tricky to maintain in the long term.

We've been discussing whether it makes sense to build a hazmat x509 layer (to allow construction of a variety of various ASN.1 structures that violate RFCs but are nonetheless seen in the wild) -- maybe giving access to the tbs_certificate_bytes prior to signing makes sense there. In that case the hazmat cert builder would provide tbs bytes that can be signed via and then maybe we'd also include a hazmat method for constructing the final cert from tbs + signature?

-Paul

From terje at elde.net Thu Dec 14 07:38:04 2017
From: terje at elde.net (Terje Elde)
Date: Thu, 14 Dec 2017 13:38:04 +0100
Subject: [Cryptography-dev] Looking to sign certificates with pkcs11 key

> On 14 Dec 2017, at 12:38, Paul Kehrer wrote:
>
> We discussed this in the past (https://github.com/pyca/cryptography/issues/1506) but now that we're dropping explicit backends the proposed solutions in that issue don't really apply.
>
> Probably the easiest path is just to sign your certificate with a dummy key and then call `tbs_certificate_bytes` on the resulting certificate. Those bytes can then be signed by your real key to construct the certificate and then you can construct/load the resulting bytes as a cryptography object. This avoids any private API calls, but is not particularly elegant.
>
> If you want to create your own backend then you should be able to get the bytes you need via i2d_re_X509_tbs rather than needing ASN1_item_i2d directly bound. Be aware that since we're deprecating this backend concept (at least as a thing that users pass as an argument) this might be a bit tricky to maintain in the long term.

Many thanks! I'll play around some with both of those, and see if I can make something fly.

> We've been discussing whether it makes sense to build a hazmat x509 layer (to allow construction of a variety of various ASN.1 structures that violate RFCs but are nonetheless seen in the wild) -- maybe giving access to the tbs_certificate_bytes prior to signing makes sense there. In that case the hazmat cert builder would provide tbs bytes that can be signed via and then maybe we'd also include a hazmat method for constructing the final cert from tbs + signature?

Sounds like a fairly clean solution to me.

It'd probably require more work, but an (arguably more pythonic) way could perhaps be to support various protocols, so you could pass in "something" that implemented an RSA signing protocol, and then have create_x509_certificate and similar just call that for the signature step. It's tempting in one way, but at the same time, it might require quite a bit more work, not being able to do that with the OpenSSL helpers that are currently available.

As for constructing things that violate RFCs, at least to me, that's one of the major reasons why tools like these are interesting. Being able to directly make whatever it is you need, makes it so much more easy to go about testing or verifying things, running quick trials for proof of concepts, and so on.

As a use case example, it's been said that Apple doesn't support NameConstraints. If you were to test that, making a constrained CA sign two certs (one "legal", and the other violating the name constraint) would be pretty easy to throw together using pyca/cryptography, while a more proper CA platform should preferably prohibit you from doing that at all. Same applies to cloning mistakes that are happening in the wild to test your own systems against that particular weirdness, and so on.

Many thanks again!

Terje
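The dummy-key route suggested in the PKCS#11 thread above, as an added example (not code from the list or from pyca/cryptography). It assumes a recent `cryptography` release where the backend argument is optional; `hsm_key` is a software stand-in for the token's signing call, and the names and dates are constructed. The dummy key has to use the same signature algorithm and hash as the real key, because the algorithm identifier is recorded inside the TBS bytes as well as beside the signature.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def der_len(n):  # DER definite-length octets for a value of n bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(buf, pos):  # (value_start, element_end) of the DER element at pos
    n = buf[pos + 1]
    if n < 0x80:
        return pos + 2, pos + 2 + n
    k = n & 0x7F
    return pos + 2 + k, pos + 2 + k + int.from_bytes(buf[pos + 2:pos + 2 + k], "big")

def resign(dummy_cert, sign_tbs):
    """Swap the dummy signature for sign_tbs(tbs), e.g. a PKCS#11 signing call."""
    der = dummy_cert.public_bytes(serialization.Encoding.DER)
    tbs = dummy_cert.tbs_certificate_bytes
    alg_start = tlv(der, 0)[0] + len(tbs)          # outer signatureAlgorithm
    alg = der[alg_start:tlv(der, alg_start)[1]]
    sig = sign_tbs(tbs)
    body = tbs + alg + b"\x03" + der_len(len(sig) + 1) + b"\x00" + sig  # BIT STRING
    return x509.load_der_x509_certificate(b"\x30" + der_len(len(body)) + body)

def signed_by(cert, public_key):
    try:
        public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def issue_demo():  # constructed demo; hsm_key stands in for the token key
    hsm_key, dummy_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder().subject_name(name("leaf.example"))
               .issuer_name(name("Example Intermediate CA"))
               .public_key(leaf_key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(datetime.datetime(2017, 12, 14))
               .not_valid_after(datetime.datetime(2018, 12, 14)))
    dummy_cert = builder.sign(dummy_key, hashes.SHA256())  # same algorithm/hash as hsm_key
    sign_tbs = lambda tbs: hsm_key.sign(tbs, padding.PKCS1v15(), hashes.SHA256())
    return resign(dummy_cert, sign_tbs), hsm_key.public_key(), dummy_key.public_key()
```

Any extension derived from the issuer key, such as an authority key identifier, should be built from the real CA public key rather than the dummy one, since it is part of the signed bytes.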
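For the first thread above (EC point arithmetic), an added example, not code from the list or the project, of scalar multiplication through the public ECDH API with the modular inverse done in plain Python. It assumes Python 3.8+ for `pow(k, -1, n)` and a recent `cryptography` release; the helper names and the scalars `a` and `b` are constructed for illustration.

```python
from cryptography.hazmat.primitives.asymmetric import ec

CURVE = ec.SECP256R1()
# Order n of the NIST P-256 base point (a published curve constant).
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def point(k):
    """k*G as a public key object, obtained by deriving a key from scalar k.

    Raises ValueError when k is a multiple of n (the point at infinity).
    """
    return ec.derive_private_key(k % N, CURVE).public_key()

def scalar_mult_x(k, pub):
    """x-coordinate of k*pub, computed through the ECDH exchange.

    ECDH returns only x, so the sign of y is lost and the result cannot
    be fed into a further multiplication or a point addition.
    """
    shared = ec.derive_private_key(k % N, CURVE).exchange(ec.ECDH(), pub)
    return int.from_bytes(shared, "big")

def mod_inverse(k):
    """Inverse of scalar k modulo the group order (Charm's ~k).

    Python's pow() is not constant-time, so this suits prototyping,
    not code that handles long-lived secret scalars.
    """
    return pow(k, -1, N)

def demo(a=0x1234567890ABCDEF, b=0xFEDCBA0987654321):
    B = point(b)                                   # b*G
    ab_x = scalar_mult_x(a, B)                     # x(a*(b*G))
    direct_x = point(a * b).public_numbers().x     # x((a*b mod n)*G)
    # Multiplying a*b*G by a^-1 must give back b*G.
    undone_x = scalar_mult_x(mod_inverse(a), point(a * b))
    return ab_x == direct_x, undone_x == B.public_numbers().x
```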