Remove derive_key from COSEKey interface.

Author: dajiaji

cwt/algs/ec2.py

@@ -1,4 +1,4 @@
-from typing import Any, Dict, List, Optional, Union
+from typing import Any, Dict, Optional, Union
 
 import cryptography
 from cryptography.hazmat.primitives import hashes
@@ -18,15 +18,12 @@
     COSE_ALGORITHMS_CKDM_KEY_AGREEMENT_ES,
     COSE_ALGORITHMS_HPKE,
     COSE_ALGORITHMS_SIG_EC2,
-    COSE_KEY_LEN,
     COSE_KEY_OPERATION_VALUES,
     COSE_KEY_TYPES,
 )
-from ..cose_key_interface import COSEKeyInterface
 from ..exceptions import EncodeError, VerifyError
-from ..utils import i2osp, os2ip, to_cis
+from ..utils import i2osp, os2ip
 from .asymmetric import AsymmetricKey
-from .symmetric import AESCCMKey, AESGCMKey, ChaCha20Key, HMACKey
 
 
 class EC2Key(AsymmetricKey):
@@ -273,13 +270,7 @@ def verify(self, msg: bytes, sig: bytes):
         except ValueError as err:
             raise VerifyError("Invalid signature.") from err
 
-    def derive_bytes(
-        self,
-        length: int,
-        material: bytes = b"",
-        info: bytes = b"",
-        public_key: Optional[Any] = None,
-    ) -> bytes:
+    def derive_bytes(self, length: int, material: bytes = b"", info: bytes = b"", public_key: Optional[Any] = None) -> bytes:
 
         if self._public_key:
             raise ValueError("Public key cannot be used for key derivation.")
@@ -304,52 +295,6 @@ def derive_bytes(
         except Exception as err:
             raise EncodeError("Failed to derive bytes.") from err
 
-    def derive_key(
-        self,
-        context: Union[List[Any], Dict[str, Any]],
-        material: bytes = b"",
-        public_key: Optional[COSEKeyInterface] = None,
-    ) -> COSEKeyInterface:
-
-        if self._public_key:
-            raise ValueError("Public key cannot be used for key derivation.")
-        if not public_key:
-            raise ValueError("public_key should be set.")
-        if not isinstance(public_key.key, EllipticCurvePublicKey):
-            raise ValueError("public_key should be elliptic curve public key.")
-        if self._alg not in COSE_ALGORITHMS_CKDM_KEY_AGREEMENT.values():
-            raise ValueError(f"Invalid alg for key derivation: {self._alg}.")
-
-        # Validate context information.
-        if isinstance(context, dict):
-            context = to_cis(context, self._alg)
-        else:
-            self._validate_context(context)
-
-        # Derive key.
-        self._key = self._private_key if self._private_key else ec.generate_private_key(self._crv_obj)
-        shared_key = self._key.exchange(ec.ECDH(), public_key.key)
-        hkdf = HKDF(
-            algorithm=self._hash_alg(),
-            length=COSE_KEY_LEN[context[0]] // 8,
-            salt=None,
-            info=self._dumps(context),
-        )
-        # return COSEKey.from_symmetric_key(hkdf.derive(shared_key), alg=context[0])
-        cose_key = {
-            1: 4,
-            3: context[0],
-            -1: hkdf.derive(shared_key),
-        }
-        if cose_key[3] in [1, 2, 3]:
-            return AESGCMKey(cose_key)
-        if cose_key[3] in [4, 5, 6, 7]:
-            return HMACKey(cose_key)
-        if cose_key[3] in [10, 11, 12, 13, 30, 31, 32, 33]:
-            return AESCCMKey(cose_key)
-        # cose_key[3] == 24:
-        return ChaCha20Key(cose_key)
-
     def _der_to_os(self, key_size: int, sig: bytes) -> bytes:
         num_bytes = (key_size + 7) // 8
         r, s = decode_dss_signature(sig)

cwt/algs/okp.py

@@ -1,4 +1,4 @@
-from typing import Any, Dict, List, Optional, Union
+from typing import Any, Dict, Optional, Union
 
 import cryptography
 from cryptography.hazmat.primitives import hashes
@@ -23,20 +23,16 @@
     PublicFormat,
 )
 
-from ..const import (  # COSE_KEY_LEN,
+from ..const import (
     COSE_ALGORITHMS_CKDM_KEY_AGREEMENT,
     COSE_ALGORITHMS_CKDM_KEY_AGREEMENT_ES,
     COSE_ALGORITHMS_HPKE,
     COSE_ALGORITHMS_SIG_OKP,
-    COSE_KEY_LEN,
     COSE_KEY_OPERATION_VALUES,
     COSE_KEY_TYPES,
 )
-from ..cose_key_interface import COSEKeyInterface
 from ..exceptions import EncodeError, VerifyError
-from ..utils import to_cis
 from .asymmetric import AsymmetricKey
-from .symmetric import AESCCMKey, AESGCMKey, ChaCha20Key, HMACKey
 
 
 class OKPKey(AsymmetricKey):
@@ -273,13 +269,7 @@ def verify(self, msg: bytes, sig: bytes):
         except cryptography.exceptions.InvalidSignature as err:
             raise VerifyError("Failed to verify.") from err
 
-    def derive_bytes(
-        self,
-        length: int,
-        material: bytes = b"",
-        info: bytes = b"",
-        public_key: Optional[Any] = None,
-    ) -> bytes:
+    def derive_bytes(self, length: int, material: bytes = b"", info: bytes = b"", public_key: Optional[Any] = None) -> bytes:
 
         if self._public_key:
             raise ValueError("Public key cannot be used for key derivation.")
@@ -297,60 +287,7 @@ def derive_bytes(
             else:
                 self._key = X25519PrivateKey.generate() if self._crv == 4 else X448PrivateKey.generate()
             shared_key = self._key.exchange(public_key.key)
-            hkdf = HKDF(
-                algorithm=self._hash_alg(),
-                length=length,
-                salt=None,
-                info=info,
-            )
+            hkdf = HKDF(algorithm=self._hash_alg(), length=length, salt=None, info=info)
             return hkdf.derive(shared_key)
         except Exception as err:
             raise EncodeError("Failed to derive bytes.") from err
-
-    def derive_key(
-        self,
-        context: Union[List[Any], Dict[str, Any]],
-        material: bytes = b"",
-        public_key: Optional[COSEKeyInterface] = None,
-    ) -> COSEKeyInterface:
-
-        if self._public_key:
-            raise ValueError("Public key cannot be used for key derivation.")
-        if not public_key:
-            raise ValueError("public_key should be set.")
-        if not isinstance(public_key.key, X25519PublicKey) and not isinstance(public_key.key, X448PublicKey):
-            raise ValueError("public_key should be x25519/x448 public key.")
-        # if self._alg not in COSE_ALGORITHMS_CKDM_KEY_AGREEMENT.values():
-        #     raise ValueError(f"Invalid alg for key derivation: {self._alg}.")
-
-        # Validate context information.
-        if isinstance(context, dict):
-            context = to_cis(context, self._alg)
-        else:
-            self._validate_context(context)
-
-        # Derive key.
-        if self._private_key:
-            self._key = self._private_key
-        else:
-            self._key = X25519PrivateKey.generate() if self._crv == 4 else X448PrivateKey.generate()
-        shared_key = self._key.exchange(public_key.key)
-        hkdf = HKDF(
-            algorithm=self._hash_alg(),
-            length=COSE_KEY_LEN[context[0]] // 8,
-            salt=None,
-            info=self._dumps(context),
-        )
-        cose_key = {
-            1: 4,
-            3: context[0],
-            -1: hkdf.derive(shared_key),
-        }
-        if cose_key[3] in [1, 2, 3]:
-            return AESGCMKey(cose_key)
-        if cose_key[3] in [4, 5, 6, 7]:
-            return HMACKey(cose_key)
-        if cose_key[3] in [10, 11, 12, 13, 30, 31, 32, 33]:
-            return AESCCMKey(cose_key)
-        # cose_key[3] == 24:
-        return ChaCha20Key(cose_key)

cwt/cose_key_interface.py

@@ -277,7 +277,7 @@ def derive_bytes(
         public_key: Optional[Any] = None,
     ) -> bytes:
         """
-        Derives a key with a key material or key exchange.
+        Derives a byte string with a key material or key exchange.
 
         Args:
             length (int): The length of derived byte string.
@@ -292,26 +292,3 @@ def derive_bytes(
             EncodeError: Failed to derive key.
         """
         raise NotImplementedError
-
-    def derive_key(
-        self,
-        context: Union[List[Any], Dict[str, Any]],
-        material: bytes = b"",
-        public_key: Optional[Any] = None,
-    ) -> Any:
-        """
-        Derives a key with a key material or key exchange.
-
-        Args:
-            context (Union[List[Any], Dict[str, Any]]): Context information structure for
-                key derivation functions.
-            material (bytes): A key material as bytes.
-            public_key: A public key for key derivation with key exchange.
-        Returns:
-            COSEKeyInterface: A COSE key derived.
-        Raises:
-            NotImplementedError: Not implemented.
-            ValueError: Invalid arguments.
-            EncodeError: Failed to derive key.
-        """
-        raise NotImplementedError

cwt/recipient_algs/direct_hkdf.py

@@ -80,7 +80,7 @@ def encode(self, plaintext: bytes = b"", aad: bytes = b"") -> Tuple[List[Any], O
                 info=self._dumps(self._context),
             )
             derived = hkdf.derive(plaintext)
-            return self.to_list(), COSEKey.from_symmetric_key(derived, self._context[0], self._kid)
+            return self.to_list(), COSEKey.from_symmetric_key(derived, self._context[0], kid=self._kid)
         except Exception as err:
             raise EncodeError("Failed to derive key.") from err
 

cwt/recipient_algs/ecdh_aes_key_wrap.py

@@ -3,7 +3,7 @@
 from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap
 
 from ..algs.ec2 import EC2Key
-from ..const import COSE_KEY_OPERATION_VALUES
+from ..const import COSE_KEY_LEN, COSE_KEY_OPERATION_VALUES
 from ..cose_key import COSEKey
 from ..cose_key_interface import COSEKeyInterface
 from ..exceptions import DecodeError, EncodeError
@@ -56,7 +56,13 @@ def encode(self, plaintext: bytes = b"", aad: bytes = b"") -> Tuple[List[Any], O
             # ECDH-SS (alg=-32, -33, -34)
             if not self._sender_key:
                 raise ValueError("sender_key should be set in advance.")
-        wrapping_key = self._sender_key.derive_key(self._context, public_key=self._recipient_key)
+        wrapping_bytes = self._sender_key.derive_bytes(
+            COSE_KEY_LEN[self._context[0]] // 8,
+            info=self._dumps(self._context),
+            public_key=self._recipient_key,
+        )
+        wrapping_key = COSEKey.from_symmetric_key(wrapping_bytes, alg=self._context[0])
+        # wrapping_key = self._sender_key.derive_key(self._context, public_key=self._recipient_key)
         if self._alg in [-29, -30, -31]:
             # ECDH-ES
             self._unprotected[-1] = self._to_cose_key(self._sender_key.key.public_key())
@@ -78,8 +84,14 @@ def decode(
             raise ValueError("sender_public_key should be set.")
 
         try:
-            derived = key.derive_key(self._context, public_key=self._sender_public_key)
-            derived_bytes = aes_key_unwrap(derived.key, self._ciphertext)
+            wrapping_key_bytes = key.derive_bytes(
+                COSE_KEY_LEN[self._context[0]] // 8,
+                info=self._dumps(self._context),
+                public_key=self._sender_public_key,
+            )
+            wrapping_key = COSEKey.from_symmetric_key(wrapping_key_bytes, alg=self._context[0])
+            # derived = key.derive_key(self._context, public_key=self._sender_public_key)
+            derived_bytes = aes_key_unwrap(wrapping_key.key, self._ciphertext)
         except Exception as err:
             raise DecodeError("Failed to decode key.") from err
         if not as_cose_key:

cwt/recipient_algs/ecdh_direct_hkdf.py

@@ -78,7 +78,12 @@ def encode(self, plaintext: bytes = b"", aad: bytes = b"") -> Tuple[List[Any], O
             if not self._sender_key:
                 raise ValueError("sender_key should be set in advance.")
 
-        derived_key = self._sender_key.derive_key(self._context, public_key=self._recipient_key)
+        derived_bytes = self._sender_key.derive_bytes(
+            COSE_KEY_LEN[self._context[0]] // 8,
+            info=self._dumps(self._context),
+            public_key=self._recipient_key,
+        )
+        derived_key = COSEKey.from_symmetric_key(derived_bytes, alg=self._context[0])
         if self._alg in [-25, -26]:
             # ECDH-ES
             self._unprotected[-1] = self._to_cose_key(self._sender_key.key.public_key())
@@ -97,12 +102,13 @@ def decode(
         if not self._sender_public_key:
             raise ValueError("sender_public_key should be set.")
         try:
-            if not as_cose_key:
-                return key.derive_bytes(
-                    COSE_KEY_LEN[self._context[0]] // 8,
-                    info=self._dumps(self._context),
-                    public_key=self._sender_public_key,
-                )
-            return key.derive_key(self._context, public_key=self._sender_public_key)
+            derived_bytes = key.derive_bytes(
+                COSE_KEY_LEN[self._context[0]] // 8,
+                info=self._dumps(self._context),
+                public_key=self._sender_public_key,
+            )
         except Exception as err:
             raise DecodeError("Failed to decode.") from err
+        if not as_cose_key:
+            return derived_bytes
+        return COSEKey.from_symmetric_key(derived_bytes, alg=self._context[0], kid=self._kid)