diff options
| author | Arthur de Jong <arthur@arthurdejong.org> | 2018-02-08 23:21:33 +0100 |
|---|---|---|
| committer | Arthur de Jong <arthur@arthurdejong.org> | 2018-02-09 15:05:01 +0100 |
| commit | 924e1f38e257ac868a1d8a8adc2b6fa7ed45a339 (patch) | |
| tree | 0a12effa8bd732132174dc551119e0aacd9c92cc | |
| parent | be2b49fd90236ee16e5da3564caf3a6b227e46c8 (diff) | |
Correctly write a PSKC file without a MAC key
In some cases a PSKC file can be written with a MAC algorithm but
without a MAC key. This is possible when the MAC key is not supplied
(allowed in older PSKC versions) and a fallback to the encryption key is
done. If we have not yet decrypted the file the MAC key is not yet
available and so can't be included in the written file.
| -rw-r--r-- | pskc/serialiser.py | 2 | ||||
| -rw-r--r-- | tests/test_write.doctest | 92 |
2 files changed, 94 insertions, 0 deletions
diff --git a/pskc/serialiser.py b/pskc/serialiser.py index ca6622c..26bf1c2 100644 --- a/pskc/serialiser.py +++ b/pskc/serialiser.py @@ -95,6 +95,8 @@ class PSKCSerialiser(object): return mac_method = mk_elem( container, 'pskc:MACMethod', Algorithm=mac.algorithm, empty=True) + if not key_value: + return # encrypt the mac key if needed if not hasattr(key_value, 'get_value'): key_value = EncryptedValue.create(mac.pskc, key_value) diff --git a/tests/test_write.doctest b/tests/test_write.doctest index 34ddb36..4d980d6 100644 --- a/tests/test_write.doctest +++ b/tests/test_write.doctest @@ -257,6 +257,98 @@ providing the encryption key. </pskc:KeyContainer> +Read a legacy encrypted PSKC file and write it out as-is. This should convert +the format to RFC 6030 format as best it can. Note that this does not include +a MAC key (but does include a MAC algorithm because the MAC key is not +specified and we assume to use the encryption key as MAC key). + +>>> pskc = PSKC('tests/draft-hoyer-keyprov-portable-symmetric-key-container-01/password-encrypted.pskcxml') +>>> pskc.write(sys.stdout) #doctest: +ELLIPSIS +REPORT_UDIFF +<?xml version="1.0" encoding="UTF-8"?> +<pskc:KeyContainer ... Version="1.0"> + <pskc:EncryptionKey> + <xenc11:DerivedKey> + <xenc11:KeyDerivationMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2"> + <xenc11:PBKDF2-params> + <Salt> + <Specified>y6TzckeLRQw=</Specified> + </Salt> + <IterationCount>999</IterationCount> + <KeyLength>16</KeyLength> + </xenc11:PBKDF2-params> + </xenc11:KeyDerivationMethod> + </xenc11:DerivedKey> + </pskc:EncryptionKey> + <pskc:MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> + <pskc:KeyPackage> + <pskc:DeviceInfo> + <pskc:Manufacturer>Token Manufacturer</pskc:Manufacturer> + <pskc:SerialNo>98765432187</pskc:SerialNo> + <pskc:ExpiryDate>2008-01-01T00:00:00</pskc:ExpiryDate> + </pskc:DeviceInfo> + <pskc:Key Algorithm="HOTP" Id="77654321870"> + <pskc:Issuer>Credential Issuer</pskc:Issuer> + <pskc:AlgorithmParameters> + <pskc:ResponseFormat Encoding="DECIMAL" Length="6"/> + </pskc:AlgorithmParameters> + <pskc:FriendlyName>MySecondToken</pskc:FriendlyName> + <pskc:Data> + <pskc:Secret> + <pskc:EncryptedValue> + <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> + <xenc:CipherData> + <xenc:CipherValue>F/CY93NYc/SvmxT3oB6PzG7p6zpG92/t</xenc:CipherValue> + </xenc:CipherData> + </pskc:EncryptedValue> + <pskc:ValueMAC>hN793ZE7GM6yCM6gz9OKNRzibhg=</pskc:ValueMAC> + </pskc:Secret> + <pskc:Counter> + <pskc:EncryptedValue> + <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> + <xenc:CipherData> + <xenc:CipherValue>VVBYqRF1QSpetvIB2vBAzw==</xenc:CipherValue> + </xenc:CipherData> + </pskc:EncryptedValue> + <pskc:ValueMAC>6clqJvT9l0xIZtWSch2t6zr0IwU=</pskc:ValueMAC> + </pskc:Counter> + </pskc:Data> + </pskc:Key> + </pskc:KeyPackage> +</pskc:KeyContainer> + +If we decrypt the file the MAC key will be included in encrypted form. + +>>> pskc.encryption.derive_key('qwerty') +>>> pskc.write(sys.stdout) #doctest: +ELLIPSIS +REPORT_UDIFF +<?xml version="1.0" encoding="UTF-8"?> +<pskc:KeyContainer ... Version="1.0"> + <pskc:EncryptionKey> + <xenc11:DerivedKey> + <xenc11:KeyDerivationMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2"> + <xenc11:PBKDF2-params> + <Salt> + <Specified>y6TzckeLRQw=</Specified> + </Salt> + <IterationCount>999</IterationCount> + <KeyLength>16</KeyLength> + </xenc11:PBKDF2-params> + </xenc11:KeyDerivationMethod> + </xenc11:DerivedKey> + </pskc:EncryptionKey> + <pskc:MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"> + <pskc:MACKey> + <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> + <xenc:CipherData> + <xenc:CipherValue>...</xenc:CipherValue> + </xenc:CipherData> + </pskc:MACKey> + </pskc:MACMethod> + <pskc:KeyPackage> +... + </pskc:KeyPackage> +</pskc:KeyContainer> + + Set up an encrypted PSKC file and generate a pre-shared key for it. >>> pskc = PSKC() |