tlslite.keyexchange module

Handling of cryptographic operations for key exchange

class tlslite.keyexchange.ADHKeyExchange(cipherSuite, clientHello, serverHello, dhParams=None, dhGroups=None)

Bases: tlslite.keyexchange.KeyExchange

Handling of anonymous Diffie-Hellman Key exchange

FFDHE without signing serverKeyExchange useful for anonymous DH

__init__(cipherSuite, clientHello, serverHello, dhParams=None, dhGroups=None)

Initialize KeyExchange. privateKey is the signing private key

makeClientKeyExchange()

Create client key share for the key exchange

makeServerKeyExchange()

Prepare server side of anonymous key exchange with selected parameters

processClientKeyExchange(clientKeyExchange)

Use client provided parameters to establish premaster secret

processServerKeyExchange(srvPublicKey, serverKeyExchange)

Process the server key exchange, return premaster secret.

class tlslite.keyexchange.AECDHKeyExchange(cipherSuite, clientHello, serverHello, acceptedCurves, defaultCurve=23)

Bases: tlslite.keyexchange.KeyExchange

Handling of anonymous Eliptic curve Diffie-Hellman Key exchange

ECDHE without signing serverKeyExchange useful for anonymous ECDH

__init__(cipherSuite, clientHello, serverHello, acceptedCurves, defaultCurve=23)

Initialize KeyExchange. privateKey is the signing private key

makeClientKeyExchange()

Make client key exchange for ECDHE

makeServerKeyExchange(sigHash=None)

Create AECDHE version of Server Key Exchange

processClientKeyExchange(clientKeyExchange)

Calculate premaster secret from previously generated SKE and CKE

processServerKeyExchange(srvPublicKey, serverKeyExchange)

Process the server key exchange, return premaster secret

class tlslite.keyexchange.AuthenticatedKeyExchange(cipherSuite, clientHello, serverHello, privateKey=None)

Bases: tlslite.keyexchange.KeyExchange

Common methods for key exchanges that authenticate Server Key Exchange

Methods for signing Server Key Exchange message

makeServerKeyExchange(sigHash=None)

Prepare server side of key exchange with selected parameters

class tlslite.keyexchange.DHE_RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey, dhParams=None, dhGroups=None)

Bases: tlslite.keyexchange.AuthenticatedKeyExchange, tlslite.keyexchange.ADHKeyExchange

Handling of authenticated ephemeral Diffe-Hellman Key exchange.

__init__(cipherSuite, clientHello, serverHello, privateKey, dhParams=None, dhGroups=None)

Create helper object for Diffie-Hellamn key exchange.

Parameters:dhParams (2-element tuple of int) – Diffie-Hellman parameters that will be used by server. First element of the tuple is the generator, the second is the prime. If not specified it will use a secure set (currently a 2048-bit safe prime).
class tlslite.keyexchange.ECDHE_RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey, acceptedCurves, defaultCurve=23)

Bases: tlslite.keyexchange.AuthenticatedKeyExchange, tlslite.keyexchange.AECDHKeyExchange

Helper class for conducting ECDHE key exchange

__init__(cipherSuite, clientHello, serverHello, privateKey, acceptedCurves, defaultCurve=23)

Initialize KeyExchange. privateKey is the signing private key

class tlslite.keyexchange.KeyExchange(cipherSuite, clientHello, serverHello, privateKey=None)

Bases: object

Common API for calculating Premaster secret

NOT stable, will get moved from this file

__init__(cipherSuite, clientHello, serverHello, privateKey=None)

Initialize KeyExchange. privateKey is the signing private key

static calcVerifyBytes(version, handshakeHashes, signatureAlg, premasterSecret, clientRandom, serverRandom)

Calculate signed bytes for Certificate Verify

static makeCertificateVerify(version, handshakeHashes, validSigAlgs, privateKey, certificateRequest, premasterSecret, clientRandom, serverRandom)

Create a Certificate Verify message

Parameters:
  • version – protocol version in use
  • handshakeHashes – the running hash of all handshake messages
  • validSigAlgs – acceptable signature algorithms for client side, applicable only to TLSv1.2 (or later)
  • certificateRequest – the server provided Certificate Request message
  • premasterSecret – the premaster secret, needed only for SSLv3
  • clientRandom – client provided random value, needed only for SSLv3
  • serverRandom – server provided random value, needed only for SSLv3
makeClientKeyExchange()

Create a ClientKeyExchange object

Returns a ClientKeyExchange for the second flight from client in the handshake.

makeServerKeyExchange(sigHash=None)

Create a ServerKeyExchange object

Returns a ServerKeyExchange object for the server’s initial leg in the handshake. If the key exchange method does not send ServerKeyExchange (e.g. RSA), it returns None.

processClientKeyExchange(clientKeyExchange)

Process ClientKeyExchange and return premaster secret

Processes the client’s ClientKeyExchange message and returns the premaster secret. Raises TLSLocalAlert on error.

processServerKeyExchange(srvPublicKey, serverKeyExchange)

Process the server KEX and return premaster secret

signServerKeyExchange(serverKeyExchange, sigHash=None)

Sign a server key exchange using default or specified algorithm

Parameters:sigHash (str) – name of the signature hash to be used for signing
static verifyServerKeyExchange(serverKeyExchange, publicKey, clientRandom, serverRandom, validSigAlgs)

Verify signature on the Server Key Exchange message

the only acceptable signature algorithms are specified by validSigAlgs

class tlslite.keyexchange.RSAKeyExchange(cipherSuite, clientHello, serverHello, privateKey)

Bases: tlslite.keyexchange.KeyExchange

Handling of RSA key exchange

NOT stable API, do NOT use

__init__(cipherSuite, clientHello, serverHello, privateKey)

Initialize KeyExchange. privateKey is the signing private key

makeClientKeyExchange()

Return a client key exchange with clients key share

makeServerKeyExchange(sigHash=None)

Don’t create a server key exchange for RSA key exchange

processClientKeyExchange(clientKeyExchange)

Decrypt client key exchange, return premaster secret

processServerKeyExchange(srvPublicKey, serverKeyExchange)

Generate premaster secret for server

class tlslite.keyexchange.SRPKeyExchange(cipherSuite, clientHello, serverHello, privateKey, verifierDB, srpUsername=None, password=None, settings=None)

Bases: tlslite.keyexchange.KeyExchange

Helper class for conducting SRP key exchange

__init__(cipherSuite, clientHello, serverHello, privateKey, verifierDB, srpUsername=None, password=None, settings=None)

Link Key Exchange options with verifierDB for SRP

makeClientKeyExchange()

Create ClientKeyExchange

makeServerKeyExchange(sigHash=None)

Create SRP version of Server Key Exchange

processClientKeyExchange(clientKeyExchange)

Calculate premaster secret from Client Key Exchange and sent SKE

processServerKeyExchange(srvPublicKey, serverKeyExchange)

Calculate premaster secret from ServerKeyExchange