/usr/lib/python3/dist-packages/pskc/encryption.py is in python3-pskc 0.3-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 | # encryption.py - module for handling encrypted values
# coding: utf-8
#
# Copyright (C) 2014-2015 Arthur de Jong
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA
"""Module that handles encrypted PSKC values.
This module defines an Encryption class that handles the encryption key
and an EncryptedValue wrapper class that can decrypt values using the
encryption key.
The encryption key can be derived using the KeyDerivation class.
"""
def unpad(value):
"""Remove padding from the plaintext."""
return value[0:-ord(value[-1:])]
class EncryptedValue(object):
"""Wrapper class to handle encrypted values.
Instances of this class provide the following attributes:
algorithm: name of the encryption algorithm used
cipher_value: binary encrypted data
"""
def __init__(self, encryption, encrypted_value=None):
"""Initialise an encrypted value for the provided Key."""
self.encryption = encryption
self.algorithm = None
self.cipher_value = None
self.parse(encrypted_value)
def parse(self, encrypted_value):
"""Read encrypted data from the <EncryptedValue> XML tree."""
from pskc.xml import find, findbin
if encrypted_value is None:
return
encryption_method = find(encrypted_value, 'xenc:EncryptionMethod')
if encryption_method is not None:
self.algorithm = encryption_method.attrib.get('Algorithm')
self.cipher_value = findbin(
encrypted_value, 'xenc:CipherData/xenc:CipherValue')
def decrypt(self):
"""Decrypt the linked value and return the plaintext value."""
from pskc.exceptions import DecryptionError
if self.cipher_value is None:
return
key = self.encryption.key
if key is None:
raise DecryptionError('No key available')
if self.algorithm is None:
raise DecryptionError('No algorithm specified')
if self.algorithm.endswith('#aes128-cbc') or \
self.algorithm.endswith('#aes192-cbc') or \
self.algorithm.endswith('#aes256-cbc'):
from Crypto.Cipher import AES
if len(key) * 8 != int(self.algorithm[-7:-4]) or \
len(key) not in AES.key_size:
raise DecryptionError('Invalid key length')
iv = self.cipher_value[:AES.block_size]
ciphertext = self.cipher_value[AES.block_size:]
cipher = AES.new(key, AES.MODE_CBC, iv)
return unpad(cipher.decrypt(ciphertext))
elif self.algorithm.endswith('#tripledes-cbc'):
from Crypto.Cipher import DES3
if len(key) not in DES3.key_size:
raise DecryptionError('Invalid key length')
iv = self.cipher_value[:DES3.block_size]
ciphertext = self.cipher_value[DES3.block_size:]
cipher = DES3.new(key, DES3.MODE_CBC, iv)
return unpad(cipher.decrypt(ciphertext))
elif self.algorithm.endswith('#kw-aes128') or \
self.algorithm.endswith('#kw-aes192') or \
self.algorithm.endswith('#kw-aes256'):
from pskc.crypto.aeskw import unwrap
from Crypto.Cipher import AES
if len(key) * 8 != int(self.algorithm[-3:]) or \
len(key) not in AES.key_size:
raise DecryptionError('Invalid key length')
return unwrap(self.cipher_value, key)
elif self.algorithm.endswith('#kw-tripledes'):
from pskc.crypto.tripledeskw import unwrap
from Crypto.Cipher import DES3
if len(key) not in DES3.key_size:
raise DecryptionError('Invalid key length')
return unwrap(self.cipher_value, key)
else:
raise DecryptionError('Unsupported algorithm: %r' % self.algorithm)
class KeyDerivation(object):
"""Handle key derivation.
The algorithm property contains the key derivation algorithm to use. For
PBDKF2 the following parameters are set:
pbkdf2_salt: salt value
pbkdf2_iterations: number of iterations to use
pbkdf2_key_length: required key lengt
pbkdf2_prf: name of pseudorandom function used
"""
def __init__(self, key_deriviation=None):
self.algorithm = None
# PBKDF2 properties
self.pbkdf2_salt = None
self.pbkdf2_iterations = None
self.pbkdf2_key_length = None
self.pbkdf2_prf = None
self.parse(key_deriviation)
def parse(self, key_deriviation):
"""Read derivation parameters from a <KeyDerivationMethod> element."""
from pskc.xml import find, findint, findbin
if key_deriviation is None:
return
self.algorithm = key_deriviation.get('Algorithm')
# PBKDF2 properties
pbkdf2 = find(
key_deriviation, 'xenc11:PBKDF2-params', 'pkcs5:PBKDF2-params')
if pbkdf2 is not None:
# get used salt
self.pbkdf2_salt = findbin(
pbkdf2, 'Salt/Specified', 'xenc11:Salt/xenc11:Specified')
# required number of iterations
self.pbkdf2_iterations = findint(
pbkdf2, 'IterationCount', 'xenc11:IterationCount')
# key length
self.pbkdf2_key_length = findint(
pbkdf2, 'KeyLength', 'xenc11:KeyLength')
# pseudorandom function used
prf = find(pbkdf2, 'PRF', 'xenc11:PRF')
if prf is not None:
self.pbkdf2_prf = prf.get('Algorithm')
def derive(self, password):
"""Derive a key from the password."""
from pskc.exceptions import KeyDerivationError
if self.algorithm is None:
raise KeyDerivationError('No algorithm specified')
if self.algorithm.endswith('#pbkdf2'):
from Crypto.Protocol.KDF import PBKDF2
from pskc.mac import get_hmac
prf = None
if self.pbkdf2_prf:
prf = get_hmac(self.pbkdf2_prf)
if prf is None:
raise KeyDerivationError(
'Pseudorandom function unsupported: %r' %
self.pbkdf2_prf)
return PBKDF2(
password, self.pbkdf2_salt, dkLen=self.pbkdf2_key_length,
count=self.pbkdf2_iterations, prf=prf)
else:
raise KeyDerivationError(
'Unsupported algorithm: %r' % self.algorithm)
class Encryption(object):
"""Class for handling encryption keys that are used in the PSKC file.
Encryption generally uses a symmetric key that is used to encrypt some
of the information stored in PSKC files (typically the seed). This
class provides the following values:
id: identifier of the key
key_names: list of names for the key
key_name: (first) name of the key (usually there is only one)
key: the key value itself (binary form)
The key can either be included in the PSKC file (in that case it
automatically picked up) or derived using the derive_key() method.
"""
def __init__(self, key_info=None):
self.id = None
self.key_names = []
self.key = None
self.derivation = KeyDerivation()
self.parse(key_info)
def parse(self, key_info):
"""Read encryption information from the <EncryptionKey> XML tree."""
from pskc.xml import find, findall, findtext
if key_info is None:
return
self.id = key_info.get('Id')
for name in findall(key_info, 'ds:KeyName'):
self.key_names.append(findtext(name, '.'))
for name in findall(
key_info, 'xenc11:DerivedKey/xenc11:MasterKeyName'):
self.key_names.append(findtext(name, '.'))
self.derivation.parse(find(
key_info, 'xenc11:DerivedKey/xenc11:KeyDerivationMethod'))
@property
def key_name(self):
"""Provide the name of the (first) key."""
if self.key_names:
return self.key_names[0]
def derive_key(self, password):
"""Derive a key from the password."""
self.key = self.derivation.derive(password)
|