tlslite.keyexchange module

Handling of cryptographic operations for key exchange

class tlslite.keyexchange.ADHKeyExchange(cipherSuite, clientHello, serverHello, dhParams=None, dhGroups=None)[source]

Bases: KeyExchange

Handling of anonymous Diffie-Hellman Key exchange

FFDHE without signing serverKeyExchange useful for anonymous DH

__init__(cipherSuite, clientHello, serverHello, dhParams=None, dhGroups=None)[source]: Initialize KeyExchange. privateKey is the signing private key

makeClientKeyExchange()[source]: Create client key share for the key exchange

makeServerKeyExchange()[source]: Prepare server side of anonymous key exchange with selected parameters

processClientKeyExchange(clientKeyExchange)[source]: Use client provided parameters to establish premaster secret

processServerKeyExchange(srvPublicKey, serverKeyExchange)[source]: Process the server key exchange, return premaster secret.

class tlslite.keyexchange.AECDHKeyExchange(cipherSuite, clientHello, serverHello, acceptedCurves, defaultCurve=23)[source]

Bases: KeyExchange

Handling of anonymous Eliptic curve Diffie-Hellman Key exchange

ECDHE without signing serverKeyExchange useful for anonymous ECDH

__init__(cipherSuite, clientHello, serverHello, acceptedCurves, defaultCurve=23)[source]: Initialize KeyExchange. privateKey is the signing private key

makeClientKeyExchange()[source]: Make client key exchange for ECDHE

makeServerKeyExchange(sigHash=None)[source]: Create AECDHE version of Server Key Exchange

processClientKeyExchange(clientKeyExchange)[source]: Calculate premaster secret from previously generated SKE and CKE

processServerKeyExchange(srvPublicKey, serverKeyExchange)[source]: Process the server key exchange, return premaster secret

class tlslite.keyexchange.AuthenticatedKeyExchange(cipherSuite, clientHello, serverHello, privateKey=None)[source]

Bases: KeyExchange

Common methods for key exchanges that authenticate Server Key Exchange

Methods for signing Server Key Exchange message

makeServerKeyExchange(sigHash=None)[source]: Prepare server side of key exchange with selected parameters

class tlslite.keyexchange.DHE_RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey, dhParams=None, dhGroups=None)[source]

Bases: AuthenticatedKeyExchange, ADHKeyExchange

Handling of authenticated ephemeral Diffe-Hellman Key exchange.

__init__(cipherSuite, clientHello, serverHello, privateKey, dhParams=None, dhGroups=None)[source]

Create helper object for Diffie-Hellamn key exchange.

Parameters:: dhParams (2-element tuple of int) – Diffie-Hellman parameters that will be used by server. First element of the tuple is the generator, the second is the prime. If not specified it will use a secure set (currently a 2048-bit safe prime).

class tlslite.keyexchange.ECDHE_RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey, acceptedCurves, defaultCurve=23)[source]

Bases: AuthenticatedKeyExchange, AECDHKeyExchange

Helper class for conducting ECDHE key exchange

__init__(cipherSuite, clientHello, serverHello, privateKey, acceptedCurves, defaultCurve=23)[source]: Initialize KeyExchange. privateKey is the signing private key

class tlslite.keyexchange.ECDHKeyExchange(group, version)[source]

Bases: RawDHKeyExchange

Implementation of the Elliptic Curve Diffie-Hellman key exchange.

__init__(group, version)[source]

Set the parameters of the key exchange

Sets group on which the KEX will take part and protocol version used.

calc_public_value(private)[source]: Calculate public value for given private key.

calc_shared_key(private, peer_share)[source]: Calculate the shared key,

get_random_private_key()[source]: Return random private key value for the selected curve.

class tlslite.keyexchange.FFDHKeyExchange(group, version, generator=None, prime=None)[source]

Bases: RawDHKeyExchange

Implemenation of the Finite Field Diffie-Hellman key exchange.

__init__(group, version, generator=None, prime=None)[source]

Set the parameters of the key exchange

Sets group on which the KEX will take part and protocol version used.

calc_public_value(private)[source]

Calculate the public value for given private value.

Return type:: int

calc_shared_key(private, peer_share)[source]: Calculate the shared key.

get_random_private_key()[source]

Return a random private value for the prime used.

Return type:: int

class tlslite.keyexchange.KeyExchange(cipherSuite, clientHello, serverHello, privateKey=None)[source]

Bases: object

Common API for calculating Premaster secret

NOT stable, will get moved from this file

__init__(cipherSuite, clientHello, serverHello, privateKey=None)[source]: Initialize KeyExchange. privateKey is the signing private key

static calcVerifyBytes(version, handshakeHashes, signatureAlg, premasterSecret, clientRandom, serverRandom, prf_name=None, peer_tag=b'client', key_type='rsa')[source]: Calculate signed bytes for Certificate Verify

static makeCertificateVerify(version, handshakeHashes, validSigAlgs, privateKey, certificateRequest, premasterSecret, clientRandom, serverRandom)[source]

Create a Certificate Verify message

Parameters:

version – protocol version in use
handshakeHashes – the running hash of all handshake messages
validSigAlgs – acceptable signature algorithms for client side, applicable only to TLSv1.2 (or later)
certificateRequest – the server provided Certificate Request message
premasterSecret – the premaster secret, needed only for SSLv3
clientRandom – client provided random value, needed only for SSLv3
serverRandom – server provided random value, needed only for SSLv3

makeClientKeyExchange()[source]

Create a ClientKeyExchange object

Returns a ClientKeyExchange for the second flight from client in the handshake.

makeServerKeyExchange(sigHash=None)[source]

Create a ServerKeyExchange object

Returns a ServerKeyExchange object for the server’s initial leg in the handshake. If the key exchange method does not send ServerKeyExchange (e.g. RSA), it returns None.

processClientKeyExchange(clientKeyExchange)[source]

Process ClientKeyExchange and return premaster secret

Processes the client’s ClientKeyExchange message and returns the premaster secret. Raises TLSLocalAlert on error.

processServerKeyExchange(srvPublicKey, serverKeyExchange)[source]: Process the server KEX and return premaster secret

signServerKeyExchange(serverKeyExchange, sigHash=None)[source]

Sign a server key exchange using default or specified algorithm

Parameters:: sigHash (str) – name of the signature hash to be used for signing

static verifyServerKeyExchange(serverKeyExchange, publicKey, clientRandom, serverRandom, validSigAlgs)[source]

Verify signature on the Server Key Exchange message

the only acceptable signature algorithms are specified by validSigAlgs

class tlslite.keyexchange.RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey)[source]

Bases: KeyExchange

Handling of RSA key exchange

NOT stable API, do NOT use

__init__(cipherSuite, clientHello, serverHello, privateKey)[source]: Initialize KeyExchange. privateKey is the signing private key

makeClientKeyExchange()[source]: Return a client key exchange with clients key share

makeServerKeyExchange(sigHash=None)[source]: Don’t create a server key exchange for RSA key exchange

processClientKeyExchange(clientKeyExchange)[source]: Decrypt client key exchange, return premaster secret

processServerKeyExchange(srvPublicKey, serverKeyExchange)[source]: Generate premaster secret for server

class tlslite.keyexchange.RawDHKeyExchange(group, version)[source]

Bases: object

Abstract class for performing Diffe-Hellman key exchange.

Provides a shared API for X25519, ECDHE and FFDHE key exchange.

__init__(group, version)[source]

Set the parameters of the key exchange

Sets group on which the KEX will take part and protocol version used.

calc_public_value(private)[source]: Calculate the public value from the provided private value.

calc_shared_key(private, peer_share)[source]: Calcualte the shared key given our private and remote share value

get_random_private_key()[source]: Generate a random value suitable for use as the private value of KEX.

class tlslite.keyexchange.SRPKeyExchange(cipherSuite, clientHello, serverHello, privateKey, verifierDB, srpUsername=None, password=None, settings=None)[source]

Bases: KeyExchange

Helper class for conducting SRP key exchange

__init__(cipherSuite, clientHello, serverHello, privateKey, verifierDB, srpUsername=None, password=None, settings=None)[source]: Link Key Exchange options with verifierDB for SRP

makeClientKeyExchange()[source]: Create ClientKeyExchange

makeServerKeyExchange(sigHash=None)[source]: Create SRP version of Server Key Exchange

processClientKeyExchange(clientKeyExchange)[source]: Calculate premaster secret from Client Key Exchange and sent SKE

processServerKeyExchange(srvPublicKey, serverKeyExchange)[source]: Calculate premaster secret from ServerKeyExchange