Raise exception when MAC validation fails

This changes the way the check() function works to raise an exception when the MAC is not correct. The MAC is also now always checked before attempting decryption. This also renames the internal DataType.value property to a get_value() method for clarity.
author: Arthur de Jong <arthur@arthurdejong.org> 2014-06-14 18:27:50 +0200
committer: Arthur de Jong <arthur@arthurdejong.org> 2014-06-14 19:52:04 +0200
commit: 9d8aae0baebde47474d20c3c653f32183ee1d40f (patch)
tree: 74e8dc0d22d00231bb1a589726fe77d08095a05d
parent: 699ecf84ff888c9c3fc429af41b797e823efb24b (diff)
2 files changed, 24 insertions, 21 deletions
diff --git a/pskc/key.py b/pskc/key.py
index 444ef42..f1414a6 100644
--- a/pskc/key.py
+++ b/pskc/key.py
@@ -37,7 +37,6 @@ class DataType(object):
       plain_value: raw unencrypted value if present (possibly base64 encoded)
       encrypted_value: reference to an EncryptedValue instance
       value_mac: reference to a ValueMAC instance
-      value: the plaintext value (decrypted if necessary)
     """
 
     def __init__(self, key, element=None):
@@ -68,12 +67,13 @@ class DataType(object):
 class BinaryDataType(DataType):
     """Subclass of DataType for binary data (e.g. keys)."""
 
-    @property
-    def value(self):
+    def get_value(self):
         """Provide the raw binary value."""
         # plain value is base64 encoded
         if self.plain_value is not None:
             return base64.b64decode(self.plain_value)
+        # check MAC if present
+        self.check()
         # encrypted value is in correct format
         return self.encrypted_value.decrypt()
 
@@ -81,12 +81,13 @@ class BinaryDataType(DataType):
 class IntegerDataType(DataType):
     """Subclass of DataType for integer types (e.g. counters)."""
 
-    @property
-    def value(self):
+    def get_value(self):
         """Provide the raw integer value."""
         # plain value is a string representation of the number
         if self.plain_value:
             return int(self.plain_value)
+        # check MAC if present
+        self.check()
         # decrypted value is big endian encoded
         value = self.encrypted_value.decrypt()
         if value is not None:
@@ -259,33 +260,31 @@ class Key(object):
     @property
     def secret(self):
         """The secret key itself."""
-        return self._secret.value
+        return self._secret.get_value()
 
     @property
     def counter(self):
         """An event counter for event-based OTP."""
-        return self._counter.value
+        return self._counter.get_value()
 
     @property
     def time_offset(self):
         """A time offset for time-based OTP (number of intervals)."""
-        return self._time_offset.value
+        return self._time_offset.get_value()
 
     @property
     def time_interval(self):
         """A time interval in seconds."""
-        return self._time_interval.value
+        return self._time_interval.get_value()
 
     @property
     def time_drift(self):
         """Device clock drift value (number of time intervals)."""
-        return self._time_drift.value
+        return self._time_drift.get_value()
 
     def check(self):
         """Check if all MACs in the message are valid."""
-        checks = (self._secret.check(), self._counter.check(),
-                  self._time_offset.check(), self._time_interval.check(),
-                  self._time_drift.check())
-        if all(x is None for x in checks):
-            return None
-        return all(x is not False for x in checks)
+        if any((self._secret.check(), self._counter.check(),
+                self._time_offset.check(), self._time_interval.check(),
+                self._time_drift.check())):
+            return True
diff --git a/pskc/mac.py b/pskc/mac.py
index e789b6d..084d641 100644
--- a/pskc/mac.py
+++ b/pskc/mac.py
@@ -57,22 +57,26 @@ class ValueMAC(object):
     def check(self, value):
         """Check if the provided value matches the MAC.
 
-        This will return None if the value cannot be checked (no value,
-        no key, etc.) or a boolean otherwise.
+        This will return None if there is no MAC to be checked. It will
+        return True if the MAC matches and raise an exception if it fails.
         """
+        from pskc.exceptions import DecryptionError
         if value is None or self._value_mac is None:
             return  # no MAC present or nothing to check
         key = self.mac.key
         if key is None:
-            return False  # no MAC key present
+            raise DecryptionError('No MAC key available')
         digestmod = None
         match = _hmac_url_re.search(self.mac.algorithm)
         if match:
             digestmod = getattr(hashlib, match.group('hash'), None)
         if digestmod is None:
-            return False  # unknown algorithm
+            raise DecryptionError(
+                'Unsupported MAC algorithm: %r' % self.mac.algorithm)
         h = hmac.new(key, value, digestmod).digest()
-        return h == self._value_mac
+        if h != self._value_mac:
+            raise DecryptionError('MAC value does not match')
+        return True
 
 
 class MAC(object):
author	Arthur de Jong <arthur@arthurdejong.org>	2014-06-14 18:27:50 +0200
committer	Arthur de Jong <arthur@arthurdejong.org>	2014-06-14 19:52:04 +0200
commit	9d8aae0baebde47474d20c3c653f32183ee1d40f (patch)
tree	74e8dc0d22d00231bb1a589726fe77d08095a05d
parent	699ecf84ff888c9c3fc429af41b797e823efb24b (diff)