yann2192 / pyelliptic Goto Github PK

Your program, licensed under the GPL, links to OpenSSL libraries. Without granting an exemption, the OpenSSL License and the GPL are incompatible. An explanation as to why can be seen here: https://people.gnome.org/~markmc/openssl-and-the-gpl

To fix this, and still keep your software licensed under the GPL, all you need to do is add the following to your license file.

• In addition, as a special exception, the copyright holders give
• permission to link the code of portions of this program with the
• OpenSSL library under certain conditions as described in each
• individual source file, and distribute linked combinations
• including the two.
• You must obey the GNU General Public License in all respects
• for all of the code used other than OpenSSL. If you modify
• file(s) with this exception, you may extend this exception to your
• version of the file(s), but you are not obligated to do so. If you
• do not wish to do so, delete this exception statement from your
• version. If you delete this exception statement from all source
• files in the program, then also delete it here.

I don't know if this used to work or not, but I have noticed that when using ECC to decrypt it requires you to pass in the public key in addition to the private key when creating the object. I believe only the private key should be required.

It fails with

Traceback (most recent call last):
  File "/Users/craig/Dropbox/codestuff/encryptr.py", line 221, in <module>
    result = new_ecc.decrypt(ciphertext)
  File "/usr/local/lib/python3.4/site-packages/pyelliptic/ecc.py", line 535, in decrypt
    raise RuntimeError("Fail to verify data")
RuntimeError: Fail to verify data

Reproduce code:

import pyelliptic

ecc = pyelliptic.ECC(curve='prime256v1')
public_key = ecc.get_pubkey()
private_key = ecc.get_privkey()
plaintext = 'abc'
ciphertext = ecc.encrypt(plaintext, public_key)

# this works fine
new_ecc = pyelliptic.ECC(privkey=private_key, pubkey=public_key, curve='prime256v1')
result = new_ecc.decrypt(ciphertext)

# this raises exception
new_ecc = pyelliptic.ECC(privkey=private_key, curve='prime256v1')
result = new_ecc.decrypt(ciphertext)

Just FYI

[mbarkhau@localhost pyelliptic-master]$ uname -a
Linux localhost.localdomain 3.7.2-204.fc18.x86_64 #1 SMP Wed Jan 16 16:22:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

This is the only sytem dependency I think is required

[mbarkhau@localhost pyelliptic-master]$ sudo yum install openssl-devel
Loaded plugins: langpacks, presto, refresh-packagekit
Package 1:openssl-devel-1.0.1e-4.fc18.x86_64 already installed and latest version
Nothing to do

Installed pyelliptic from source

[mbarkhau@localhost pyelliptic-master]$ sudo python setup.py install
running install
running bdist_egg
running egg_info
...
Installed /usr/lib/python2.7/site-packages/pyelliptic-1.5.1-py2.7.egg
Processing dependencies for pyelliptic==1.5.1
Finished processing dependencies for pyelliptic==1.5.1

Import raises error

[mbarkhau@localhost pyelliptic-master]$ python -c "import pyelliptic"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "pyelliptic/__init__.py", line 14, in <module>
    from .openssl import OpenSSL
  File "pyelliptic/openssl.py", line 398, in <module>
    OpenSSL = _OpenSSL(libname)
  File "pyelliptic/openssl.py", line 69, in __init__
    self.EC_KEY_free = self._lib.EC_KEY_free
  File "/usr/lib64/python2.7/ctypes/__init__.py", line 373, in __getattr__
    func = self.__getitem__(name)
  File "/usr/lib64/python2.7/ctypes/__init__.py", line 378, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /lib64/libcrypto.so.10: undefined symbol: EC_KEY_free

Am I missing some library? If so, I think the readme should be updated with apt-get/yum instructions.

The MAC verification in ECC.decrypt is not a constant-time operation (see here). I don't know whether this may lead to a timing attack, but it's better to be safe than sorry.

Suggest using streql or constant_time_compare.

It would be awesome to have this mode. It looks like it is present in

$ openssl version  
OpenSSL 1.0.1f 6 Jan 2014
$ openssl enc -help 2>&1 | grep gcm
-aes-128-ecb               -aes-128-gcm               -aes-128-ofb              
-aes-192-ecb               -aes-192-gcm               -aes-192-ofb              
-aes-256-ecb               -aes-256-gcm               -aes-256-ofb

My system libraries may be deficient and am building my own. Unable to build the shared libraries.

In OpenBazaar we use the MIT license, and we also use pyelliptic. However, I believe this use may be incompatible with our licenses.

Would you please give us your opinion on how you think we should solve this licensing incompatibility?

As pyelliptic is a library, would it be reasonable to ask to switch to the LGPL so that it can be used as an external library in projects such as OpenBazaar?

Thank you very much!

Please, can you consider create functions for loading already created keys? Thanks!

Do you plan to support Python 3 in the short term?.

Thanks!.

File "/home/s/webapps/appt/lib/python3.4/site-packages/pyelliptic/ecc.py", line 89, in init
self.privkey, self.pubkey_x, self.pubkey_y = self._generate()
File "/home/s/webapps/appt/lib/python3.4/site-packages/pyelliptic/ecc.py", line 223, in _generate
raise Exception("[OpenSSL] EC_KEY_generate_key FAIL ... " + OpenSSL.get_error())
TypeError: Can't convert 'bytes' object to str implicitly

library should accept SHA type as an optional parameter and hash to the preferred method. This bug prevents the library from being used for things like JWT, VAPID and the like.

Hi @yann2192 , @fredigato, @ankitpopli1891, @arjan-s

I have few issues related to PyOpenSSL & Cryptography packages in Python. Can you please help in resolving these, if possible ? (Tried a lot but couldn't figure out the exact reason still)

Python Code which initiates the Error:

print("Salt: %s" % salt)
server_key = pyelliptic.ECC(curve="prime256v1")
print("Server_key: %s" % server_key)
server_key_id = base64.urlsafe_b64encode(server_key.get_pubkey()[1:])

http_ece.keys[server_key_id] = server_key
http_ece.labels[server_key_id] = "P-256"
encrypted = http_ece.encrypt(data, salt=salt, keyid=server_key_id,
            dh=self.receiver_key, authSecret=self.auth_key)

Value of "Salt" is getting displayed in 100% of the cases. But
If value of "Server Key:" gets displayed, I see the the following EntryPoint Error because of http_ece.encrypt() call:
AttributeError("'EntryPoint' object has no attribute 'resolve'",)
(Ref. File Link: https://github.com/martinthomson/encrypted-content-encoding/blob/master/python/http_ece/__init__.py#L128 )

Otherwise I get the following Error because of pyelliptic.ECC() call:
Exception('[OpenSSL] EC_KEY_generate_key FAIL ... error:00000000:lib(0):func(0):reason(0)',)
(Ref. File Link: https://github.com/yann2192/pyelliptic/blob/master/pyelliptic/ecc.py#L214)

Other Details:
Partial Requirements.txt:

cryptography==1.5
pyelliptic==1.5.7
pyOpenSSL==16.1.0

The Django App is running on Debian8 Google Compute Engine VM Instance using Apache and mod_wsgi.

Can you please help in resolving this issue ?
Please let me know if any more information is required.

Thanks,

Traceback (most recent call last):
File "C:/Users/Maryam/PycharmProjects/bachproject/test.py", line 9, in
import pyelliptic
File "build\bdist.win32\egg\pyelliptic__init__.py", line 14, in
File "build\bdist.win32\egg\pyelliptic\openssl.py", line 342, in
Exception: Couldn't load OpenSSL lib ...

I'm still new to this module and this error arises when I use the commented example shown in the ecc.py file.
Are there any dependencies that I should download other than the openssl module? (I also have the pycrypto module I don't know if it's related or not)

i use tencent mars(https://github.com/Tencent/mars) which use this library.it's going wrong when i use command python gen_key.py.the stack trace is:
File "build\bdist.win-amd64\egg\pyelliptic_init_.py", line 43, in
File "build\bdist.win-amd64\egg\pyelliptic\openssl.py", line 528, in
File "build\bdist.win-amd64\egg\pyelliptic\openssl.py", line 67, in init
File "C:\Python27\lib\ctypes_init_.py", line 362, in init
self._handle = _dlopen(self._name, mode)
WindowsError: [Error 193] %1 不是有效的 Win32

How the ECC algorithm encrypt explain text with the priv_key and decrypt by pub_key?

Hi.
pyelliptic currently uses SHA-1 to hash messages before signing. I've heard SHA-1 is not considered very secure anymore so what do you think about optional ecdsa-with-sha256 mode (and maybe -sha512)?

>>> from pyelliptic.arithmetic import bin_to_b58check
>>> bin_to_b58check(b'a')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.4/dist-packages/pyelliptic/arithmetic.py", line 156, in bin_to_b58check
    inp_fmtd = '\x00' + inp
TypeError: Can't convert 'bytes' object to str implicitly
>>> 

The problem seems to arise because python 3 differentiates between strings and bytes. Calling the function with a string doesn't work either.

Encryption is not possible with curves on fields smaller or equal than 224bits.
Can be circumvented by:

--- pyelliptic-1.5/pyelliptic/ecc.py 2012-12-10 22:47:00.000000000 +0100
+++ pyelliptic-1.5_mychanges/pyelliptic/ecc.py 2013-06-23 14:31:01.353120820 +0200
@@ -227,8 +227,8 @@
ecdh_keylen = OpenSSL.ECDH_compute_key(
ecdh_keybuffer, 32, other_pub_key, own_key, 0)

•        if ecdh_keylen != 32:
  

•            raise Exception("[OpenSSL] ECDH keylen FAIL ...")
  

•        # if ecdh_keylen != 32:
  

•        #     raise Exception("[OpenSSL] ECDH keylen FAIL ...")
  

But I am not sure if this is a good idea to drop the exception..

I have some problems with Mac OS that is bundled with openssl OpenSSL 0.9.8y. Here's the traceback:

>>> import pyelliptic
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/nopper/.pyenv/versions/mpotr/lib/python2.7/site-packages/pyelliptic/__init__.py", line 14, in <module>
    from .openssl import OpenSSL
  File "/Users/nopper/.pyenv/versions/mpotr/lib/python2.7/site-packages/pyelliptic/openssl.py", line 398, in <module>
    OpenSSL = _OpenSSL(libname)
  File "/Users/nopper/.pyenv/versions/mpotr/lib/python2.7/site-packages/pyelliptic/openssl.py", line 171, in __init__
    self.EVP_aes_128_ctr = self._lib.EVP_aes_128_ctr
  File "/Users/nopper/.pyenv/versions/2.7.5/lib/python2.7/ctypes/__init__.py", line 378, in __getattr__
    func = self.__getitem__(name)
  File "/Users/nopper/.pyenv/versions/2.7.5/lib/python2.7/ctypes/__init__.py", line 383, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: dlsym(0x1006166f0, EVP_aes_128_ctr): symbol not found

I would suggest to implement a try catch mechanism that simlpy disables functions that can not be imported from the .dylib.

Currently the get_pubkey and get_privkey method returns public key and private key that is not compatible with other libraries like SpongyCastle and Cryptopp.

As per the standards, we should use Point Compression or Compact Point Representation.

The following reproduces: bin_to_b58check(hash_160('a')). I'm not sure where exactly it's going wrong but I can't understand the intention of the decode function with respect to the while loop. I had go at fixing it and decided to "fail fast"! Cheers

Public keys of elliptic curves are made by addition/multiplication of private points. For generating public key, each curve needs a lot of parameters: prime P, base points Gx and Gy, coefficient a, coefficient b, order and seed.

By default, pyelliptic provides no means to convert private keys to public keys. In arithmetic.py, which is used in PyBitMessage, there is a method called "privtopub(privkey)", but parameters for multiplication are hardcoded only for secp256k1 curve, which makes most cool functions of arithmetic.py useless for other curves.

UPD: When you generate a key pair, you get a key pair of privkey, pubkeyX and pubkeyY. If you discard public key parameters, there are no means to get them back in pyelliptic. In any case, here is a code from PyBitmessage that can generate pubkeys back:

def point_multiplication(secret, curve_name):
    k = OpenSSL.EC_KEY_new_by_curve_name(OpenSSL.get_curve(curve_name))
    priv_key = OpenSSL.BN_bin2bn(secret, 32, None)
    group = OpenSSL.EC_KEY_get0_group(k)
    pub_key = OpenSSL.EC_POINT_new(group)

    OpenSSL.EC_POINT_mul(group, pub_key, priv_key, None, None, None)
    OpenSSL.EC_KEY_set_private_key(k, priv_key)
    OpenSSL.EC_KEY_set_public_key(k, pub_key)

    size = OpenSSL.i2o_ECPublicKey(k, None)
    mb = OpenSSL.create_string_buffer(size)
    OpenSSL.i2o_ECPublicKey(k, OpenSSL.byref(OpenSSL.pointer(mb)))

    OpenSSL.EC_POINT_free(pub_key)
    OpenSSL.BN_free(priv_key)
    OpenSSL.EC_KEY_free(k)
    return mb.raw

... so I'm closing the issue.

I am using pyelliptic 1.5.7

Any idea how I can fix this?

Subj. Currently you can't import pyelliptic with openssl 1.1 and greater. Also pyelliptic not understand LD_LIBRARY_* env for change lookup folder.

You could consider also adding the following smaller curves:
prime192v1 (very important curve which was defined together with secp224r1, prime256v1, secp384r1 and secp521r1 in FIPS186-3)
prime192v2
prime192v3
prime239v1
prime239v2
prime239v3

Greets,
erazortt

test.py currently uses assert for unit tests, which means they cannot be automated properly for a continuous-integration build. Let's switch to using proper unit tests, i.e. Python's unittest framework.

I suggest to truncate the signature to the size returned by OpenSSL.ECDSA_sign since the rest is useless anyhow and makes the signature smaller on curves defined on smaller fields.

--- pyelliptic-1.5/pyelliptic/ecc.py 2012-12-10 22:47:00.000000000 +0100
+++ pyelliptic-1.5_mychanges/pyelliptic/ecc.py 2013-06-23 14:31:01.353120820 +0200
@@ -348,7 +348,7 @@
siglen.contents, key)) != 1:
raise Exception("[OpenSSL] ECDSA_verify FAIL ...")

•        return sig.raw
  

•        return sig.raw[0:siglen.contents.value]
  
   finally:
       OpenSSL.EC_KEY_free(key)
  

Greets,
erazortt

This seems problematic http://crypto.stackexchange.com/questions/6480/what-information-to-include-when-calculating-the-hmac-of-ciphertext

Under pyelliptic's current scheme an attacker could alter the IV or ephemeral public key and the hmac check would still pass.

Hi @yann2192 , @fredigato, @ankitpopli1891, @arjan-s

I have few issues related to PyElliptic package in Python. Can you please help in resolving these, if possible ? (Tried a lot but couldn't figure out the exact reason still)

Python Code which initiates the Error:

print("Salt: %s" % salt)
server_key = pyelliptic.ECC(curve="prime256v1")
print("Server_key: %s" % server_key)
server_key_id = base64.urlsafe_b64encode(server_key.get_pubkey()[1:])

http_ece.keys[server_key_id] = server_key
http_ece.labels[server_key_id] = "P-256"
encrypted = http_ece.encrypt(data, salt=salt, keyid=server_key_id,
            dh=self.receiver_key, authSecret=self.auth_key)

Value of "Salt" is getting displayed in 100% of the cases. But
If value of "Server Key:" gets displayed, I see the the following EntryPoint Error because of http_ece.encrypt() call:
AttributeError("'EntryPoint' object has no attribute 'resolve'",)
(Ref. File Link: https://github.com/martinthomson/encrypted-content-encoding/blob/master/python/http_ece/__init__.py#L128 )

Otherwise I get the following Error because of pyelliptic.ECC() call:
Exception('[OpenSSL] EC_KEY_generate_key FAIL ... error:00000000:lib(0):func(0):reason(0)',)
(Ref. File Link: https://github.com/yann2192/pyelliptic/blob/master/pyelliptic/ecc.py#L214)

Other Details:
Partial Requirements.txt:

cryptography==1.5
pyelliptic==1.5.7
pyOpenSSL==16.1.0

The Django App is running on Debian8 Google Compute Engine VM Instance using Apache and mod_wsgi.

Can you please help in resolving this issue ?
Please let me know if any more information is required.

Thanks,