~ubuntu-branches/ubuntu/wily/python-pskc/wily

Committer: Package Import Robot
Author(s): Arthur de Jong
Date: 2014-06-20 14:50:59 UTC
mfrom: (1.1.1)
Revision ID: package-import@ubuntu.com-20140620145059-cf3iwj9rnwagig43

Tags: 0.2-1

* New upstream release:
  - raise exceptions on parsing, decryption and other problems
  - support more encryption algorithms (AES128-CBC, AES192-CBC, AES256-CBC,
    TripleDES-CBC, KW-AES128, KW-AES192, KW-AES256 and KW-TripleDES) and be
    more lenient in accepting algorithm URIs
  - support all HMAC algorithms that Python's hashlib module has hash
    functions for (HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
    HMAC-SHA384 and HMAC-SHA512)
  - support PRF attribute of PBKDF2 algorithm
* Build and install Sphinx documentation.

files added:
debian/python-pskc.doc-base

docs/changes.rst

docs/exceptions.rst

pskc/aeskw.py

pskc/exceptions.py

pskc/tripledeskw.py

tests/aes128-cbc.pskcxml

tests/aes192-cbc.pskcxml

tests/aes256-cbc.pskcxml

tests/draft-keyprov-actividentity-3des.pskcxml

tests/draft-keyprov-ocra.pskcxml

tests/draft-keyprov-securid-aes-counter.pskcxml

tests/draft-keyprov-totp.pskcxml

tests/invalid-encryption.pskcxml

tests/invalid-mac-algorithm.pskcxml

tests/invalid-mac-value.pskcxml

tests/invalid-no-mac-method.pskcxml

tests/invalid-notxml.pskcxml

tests/invalid-wrongelement.pskcxml

tests/invalid-wrongversion.pskcxml

tests/kw-aes128.pskcxml

tests/kw-aes192.pskcxml

tests/kw-aes256.pskcxml

tests/kw-tripledes.pskcxml

tests/odd-namespace.pskcxml

tests/test_aeskw.doctest

tests/test_draft_keyprov.doctest

tests/test_encryption.doctest

tests/test_invalid.doctest

tests/test_misc.doctest

tests/test_tripledeskw.doctest

tests/tripledes-cbc.pskcxml

files removed:
tests/test_minimal.doctest

files modified:
ChangeLog

NEWS

PKG-INFO

README

debian/changelog

debian/control

debian/python-pskc.docs

debian/rules

docs/encryption.rst

docs/index.rst

docs/mac.rst

docs/policy.rst

docs/usage.rst

pskc/__init__.py

pskc/encryption.py

pskc/key.py

pskc/mac.py

pskc/parse.py

pskc/policy.py

python_pskc.egg-info/PKG-INFO

python_pskc.egg-info/SOURCES.txt

python_pskc.egg-info/requires.txt

setup.cfg

setup.py

tests/rfc6030-figure10.pskcxml

tests/rfc6030-figure2.pskcxml

tests/rfc6030-figure3.pskcxml

tests/rfc6030-figure4.pskcxml

tests/rfc6030-figure5.pskcxml

tests/rfc6030-figure6.pskcxml

tests/rfc6030-figure7.pskcxml

tests/test_rfc6030.doctest

Show diffs side-by-side

added added

removed removed

pskc/encryption.py

"""

import base64

from Crypto.Cipher import AES

from Crypto.Protocol.KDF import PBKDF2

AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc'

def unpad(value):

"""Remove padding from the plaintext."""

return value[0:-ord(value[-1])]

class EncryptedValue(object):

def parse(self, encrypted_value):

"""Read encrypted data from the <EncryptedValue> XML tree."""

from pskc.parse import g_e_v, namespaces

from pskc.parse import find, findbin

if encrypted_value is None:

return

encryption_method = encrypted_value.find(

'xenc:EncryptionMethod', namespaces=namespaces)

self.algorithm = encryption_method.attrib.get('Algorithm')

value = g_e_v(encrypted_value, 'xenc:CipherData/xenc:CipherValue')

if value is not None:

self.cipher_value = base64.b64decode(value)

encryption_method = find(encrypted_value, 'xenc:EncryptionMethod')

if encryption_method is not None:

self.algorithm = encryption_method.attrib.get('Algorithm')

self.cipher_value = findbin(

encrypted_value, 'xenc:CipherData/xenc:CipherValue')

def decrypt(self):

"""Decrypt the linked value and return the plaintext value."""

from pskc.exceptions import DecryptionError

if self.cipher_value is None:

return

key = self.encryption.key

ciphertext = self.cipher_value

if key is None or ciphertext is None:

return

if self.algorithm == AES128_CBC:

iv = ciphertext[:AES.block_size]

if key is None:

raise DecryptionError('No key available')

if self.algorithm is None:

raise DecryptionError('No algorithm specified')

if self.algorithm.endswith('#aes128-cbc') or \

self.algorithm.endswith('#aes192-cbc') or \

self.algorithm.endswith('#aes256-cbc'):

from Crypto.Cipher import AES

if len(key) * 8 != int(self.algorithm[-7:-4]) or \

len(key) not in AES.key_size:

raise DecryptionError('Invalid key length')

iv = self.cipher_value[:AES.block_size]

ciphertext = self.cipher_value[AES.block_size:]

cipher = AES.new(key, AES.MODE_CBC, iv)

plaintext = cipher.decrypt(ciphertext[AES.block_size:])

return plaintext[0:-ord(plaintext[-1])]

PBKDF2_URIS = [

'http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2',

'http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2',

'http://www.w3.org/2009/xmlenc11#pbkdf2',

]

return unpad(cipher.decrypt(ciphertext))

elif self.algorithm.endswith('#tripledes-cbc'):

from Crypto.Cipher import DES3

if len(key) not in DES3.key_size:

raise DecryptionError('Invalid key length')

iv = self.cipher_value[:DES3.block_size]

ciphertext = self.cipher_value[DES3.block_size:]

cipher = DES3.new(key, DES3.MODE_CBC, iv)

return unpad(cipher.decrypt(ciphertext))

elif self.algorithm.endswith('#kw-aes128') or \

self.algorithm.endswith('#kw-aes192') or \

self.algorithm.endswith('#kw-aes256'):

from pskc.aeskw import unwrap

from Crypto.Cipher import AES

if len(key) * 8 != int(self.algorithm[-3:]) or \

len(key) not in AES.key_size:

raise DecryptionError('Invalid key length')

100

return unwrap(self.cipher_value, key)

101

elif self.algorithm.endswith('#kw-tripledes'):

102

from pskc.tripledeskw import unwrap

103

from Crypto.Cipher import DES3

104

if len(key) not in DES3.key_size:

105

raise DecryptionError('Invalid key length')

106

return unwrap(self.cipher_value, key)

107

else:

108

raise DecryptionError('Unsupported algorithm: %r' % self.algorithm)

109

110

111

class KeyDerivation(object):

117

pbkdf2_salt: salt value

118

pbkdf2_iterations: number of iterations to use

119

pbkdf2_key_length: required key lengt

pbkdf2_prf: name of pseudorandom function used (HMAC-SHA1 is assumed)

120

pbkdf2_prf: name of pseudorandom function used

121

"""

122

100

123

def __init__(self, key_deriviation=None):

108

131

109

132

def parse(self, key_deriviation):

110

133

"""Read derivation parameters from a <KeyDerivationMethod> element."""

111

from pskc.parse import g_e_v, g_e_i, namespaces

134

from pskc.parse import find, findint, findbin

112

135

if key_deriviation is None:

113

136

return

114

self.algorithm = key_deriviation.attrib.get('Algorithm')

137

self.algorithm = key_deriviation.get('Algorithm')

115

138

# PBKDF2 properties

116

pbkdf2 = key_deriviation.find(

117

'xenc11:PBKDF2-params', namespaces=namespaces)

139

pbkdf2 = find(key_deriviation, 'xenc11:PBKDF2-params')

118

140

if pbkdf2 is None:

119

pbkdf2 = key_deriviation.find(

120

'pkcs5:PBKDF2-params', namespaces=namespaces)

141

pbkdf2 = find(key_deriviation, 'pkcs5:PBKDF2-params')

121

142

if pbkdf2 is not None:

122

143

# get used salt

123

value = g_e_v(pbkdf2, 'Salt/Specified')

124

if value is not None:

125

self.pbkdf2_salt = base64.b64decode(value)

144

self.pbkdf2_salt = findbin(pbkdf2, 'Salt/Specified')

126

145

# required number of iterations

127

self.pbkdf2_iterations = g_e_i(pbkdf2, 'IterationCount')

146

self.pbkdf2_iterations = findint(pbkdf2, 'IterationCount')

128

147

# key length

129

self.pbkdf2_key_length = g_e_i(pbkdf2, 'KeyLength')

148

self.pbkdf2_key_length = findint(pbkdf2, 'KeyLength')

130

149

# pseudorandom function used

131

prf = pbkdf2.find('PRF', namespaces=namespaces)

150

prf = find(pbkdf2, 'PRF')

132

151

if prf is not None:

133

self.pbkdf2_prf = prf.attrib.get('Algorithm')

152

self.pbkdf2_prf = prf.get('Algorithm')

134

153

135

def generate(self, password):

154

def derive(self, password):

136

155

"""Derive a key from the password."""

137

if self.algorithm in PBKDF2_URIS:

138

# TODO: support pseudorandom function (prf)

156

from pskc.exceptions import KeyDerivationError

157

if self.algorithm is None:

158

raise KeyDerivationError('No algorithm specified')

159

if self.algorithm.endswith('#pbkdf2'):

160

from Crypto.Protocol.KDF import PBKDF2

161

from pskc.mac import get_hmac

162

prf = None

163

if self.pbkdf2_prf:

164

prf = get_hmac(self.pbkdf2_prf)

165

if prf is None:

166

raise KeyDerivationError(

167

'Pseudorandom function unsupported: %r' %

168

self.pbkdf2_prf)

139

169

return PBKDF2(

140

170

password, self.pbkdf2_salt, dkLen=self.pbkdf2_key_length,

141

count=self.pbkdf2_iterations, prf=None)

171

count=self.pbkdf2_iterations, prf=prf)

172

else:

173

raise KeyDerivationError(

174

'Unsupported algorithm: %r' % self.algorithm)

142

175

143

176

144

177

class Encryption(object):

166

199

167

200

def parse(self, key_info):

168

201

"""Read encryption information from the <EncryptionKey> XML tree."""

169

from pskc.parse import g_e_v, namespaces

202

from pskc.parse import find, findall, findtext

170

203

if key_info is None:

171

204

return

172

self.id = key_info.attrib.get('Id')

173

for name in key_info.findall('ds:KeyName', namespaces=namespaces):

174

self.key_names.append(g_e_v(name, '.'))

175

for name in key_info.findall(

176

'xenc11:DerivedKey/xenc11:MasterKeyName',

177

namespaces=namespaces):

178

self.key_names.append(g_e_v(name, '.'))

179

self.derivation.parse(key_info.find(

180

'xenc11:DerivedKey/xenc11:KeyDerivationMethod',

181

namespaces=namespaces))

205

self.id = key_info.get('Id')

206

for name in findall(key_info, 'ds:KeyName'):

207

self.key_names.append(findtext(name, '.'))

208

for name in findall(

209

key_info, 'xenc11:DerivedKey/xenc11:MasterKeyName'):

210

self.key_names.append(findtext(name, '.'))

211

self.derivation.parse(find(

212

key_info, 'xenc11:DerivedKey/xenc11:KeyDerivationMethod'))

182

213

183

214

@property

184

215

def key_name(self):

188

219

189

220

def derive_key(self, password):

190

221

"""Derive a key from the password."""

191

self.key = self.derivation.generate(password)

222

self.key = self.derivation.derive(password)

Older »