Search code examples
pythoncryptographyelliptic-curvepython-cryptography

convert base-64 spki string into public key

I'm trying to find a python equivalent of this js function:

/**
* Generating the shared secret with the merchant private key and the ephemeral public key(part of the payment token data)
* using Elliptic Curve Diffie-Hellman (id-ecDH 1.3.132.1.12).
* As the Apple Pay certificate is issued using prime256v1 encryption, create elliptic curve key instances using the package - https://www.npmjs.com/package/ec-key
*/
sharedSecret (privatePem) {
    const prv = new ECKey(privatePem, 'pem') // Create a new ECkey instance from PEM formatted string
    const publicEc = new ECKey(this.ephemeralPublicKey, 'spki') // Create a new ECKey instance from a base-64 spki string
    return prv.computeSecret(publicEc).toString('hex') // Compute secret using private key for provided ephemeral public key
  }

public key i try to convert: (should be a base-64 spki string?)

MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYtpZKqPDqavs4KzNnMoxWdIThKe/ErKMI/l34Y9/xVkt4DU4BrCaQnGLlRGx+Pn/WHPkQg3BYoRH4xUWswNhEA==

What i manage to do:

from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1, EllipticCurvePublicKey, ECDH
from cryptography.hazmat.primitives.serialization import load_pem_private_key

def __compute_shared_secret(ephemeral_public_key: str) -> bytes:
    curve = SECP256R1()
    key = base64.b64decode(ephemeral_public_key)
    public_key = EllipticCurvePublicKey.from_encoded_point(curve, key)  # problem here
    server_private_key = load_pem_private_key(<private_key>, password=None)
    shared_secret = server_private_key.exchange(ECDH(), public_key)
    return shared_secret

ValueError: Unsupported elliptic curve point type

From what i understand i need to convert the public key to something before using it in EllipticCurvePublicKey, but i can't figure what type of conversion i should do.

Solution

  • According to the documentation of the JavaScript library the line

    const publicEc = new ECKey(this.ephemeralPublicKey, 'spki')

    imports a Base64 encoded X.509/SPKI DER key.

    In Python, this can be done with load_der_public_key() of the Cryptography library as follows:

    from cryptography.hazmat.primitives.serialization import load_der_public_key
import base64
...
public_key = load_der_public_key(base64.b64decode(ephemeral_public_key))

    Here, ephemeral_public_key is the Base64 encoded X.509/SPKI DER key.

    With this change of the Python code the shared secret can be determined.