author | Arthur de Jong <arthur@arthurdejong.org> | 2018-02-07 20:04:31 +0100 |
committer | Arthur de Jong <arthur@arthurdejong.org> | 2018-02-09 15:04:57 +0100 |
commit | e60d7f3356c4808e17e363055fca23fae005f76f (patch) | |
tree | cb8493beb766c5a13f07f364a8ae16a0dc0b9c1d | |
parent | 8054c6e6244de9d5d830a7a24b5ef84d60f8c4b2 (diff) |
Also use EncryptedValue for MAC key
This ensures that an encrypted MAC key is handled in the same way as
normal encrypted data values.
This also ensures consistent fallback to the globally configured
encryption algorithm if no value has been set in the EncryptedValue.
-rw-r--r-- | pskc/mac.py | 23 | ||||
-rw-r--r-- | pskc/parser.py | 4 | ||||
-rw-r--r-- | pskc/serialiser.py | 24 |
3 files changed, 24 insertions, 27 deletions
diff --git a/pskc/mac.py b/pskc/mac.py
index 65ec9b3..38552dd 100644
--- a/pskc/mac.py
+++ b/pskc/mac.py
@@ -1,7 +1,7 @@
 # mac.py - module for checking value signatures
 # coding: utf-8
 #
-# Copyright (C) 2014-2017 Arthur de Jong
+# Copyright (C) 2014-2018 Arthur de Jong
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -81,25 +81,22 @@ class MAC(object):
 def __init__(self, pskc):
 self.pskc = pskc
 self._algorithm = None
- self.key_plain_value = None
- self.key_cipher_value = None
- self.key_algorithm = None
 @property
 def key(self):
 """Provide access to the MAC key binary value if available."""
- if self.key_plain_value:
- return self.key_plain_value
- elif self.key_cipher_value:
- return self.pskc.encryption.decrypt_value(
- self.key_cipher_value, self.key_algorithm)
- # fall back to encryption key
- return self.pskc.encryption.key
+ value = getattr(self, '_key', None)
+ if hasattr(value, 'get_value'):
+ return value.get_value(self.pskc)
+ elif value:
+ return value
+ else:
+ # fall back to encryption key
+ return self.pskc.encryption.key
 @key.setter
 def key(self, value):
- self.key_plain_value = value
- self.key_cipher_value = None
+ self._key = value
 @property
 def algorithm(self):
diff --git a/pskc/parser.py b/pskc/parser.py
index 11486f8..b3e7952 100644
--- a/pskc/parser.py
+++ b/pskc/parser.py
@@ -157,8 +157,8 @@ class PSKCParser(object):
 mac_method.get('algorithm'))
 mac_key = find(mac_method, 'MACKey')
 if mac_key is not None:
- mac.key_algorithm, mac.key_cipher_value = (
- cls.parse_encrypted_value(mac_key))
+ algorithm, cipher_value = cls.parse_encrypted_value(mac_key)
+ mac.key = EncryptedValue(cipher_value, None, algorithm)
 @classmethod
 def parse_key_package(cls, device, key_package):
diff --git a/pskc/serialiser.py b/pskc/serialiser.py
index c71f6ea..8020f60 100644
--- a/pskc/serialiser.py
+++ b/pskc/serialiser.py
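Review bot: `__init__` no longer initialises the MAC key attribute (the three removed assignments get no replacement), so the `key` getter has to probe it with `getattr(self, '_key', None)` and serialise_mac in pskc/serialiser.py repeats the same probe against a private attribute. Adding `self._key = None` to `__init__` lets the getter read `self._key` directly and gives other code a defined attribute instead of a `getattr` default. The `elif value:` branch keeps the old truthiness test, so an explicitly set empty key still falls back to the encryption key; that is pre-existing behaviour, but a comment such as `# an unset or empty key falls back to the encryption key` would make the fallback explicit where it happens. The rest of class MAC lies outside the hunk.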
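Review bot: `mac.key = EncryptedValue(cipher_value, None, algorithm)` passes a bare positional `None` whose meaning cannot be read from the call site; if the constructor accepts keyword arguments, naming the second and third arguments would make the call self-describing. The new line also relies on `EncryptedValue` already being imported in pskc/parser.py, which this hunk does not show and which the removed code did not need, so that import is worth confirming. The enclosing parser method starts outside the hunk.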
@@ -90,22 +90,21 @@ class PSKCSerialiser(object):
 @classmethod
 def serialise_mac(cls, mac, container):
- if not mac.algorithm and not mac.key:
+ key_value = getattr(mac, '_key', None) or mac.pskc.encryption.key
+ if not mac.algorithm and not key_value:
 return
 mac_method = mk_elem(
 container, 'pskc:MACMethod', Algorithm=mac.algorithm, empty=True)
+ # encrypt the mac key if needed
+ if not hasattr(key_value, 'get_value'):
+ key_value = EncryptedValue.create(mac.pskc, key_value)
+ # construct encrypted MACKey
+ algorithm = key_value.algorithm or mac.pskc.encryption.algorithm
 mac_key = mk_elem(mac_method, 'pskc:MACKey', empty=True)
- mk_elem(
- mac_key, 'xenc:EncryptionMethod',
- Algorithm=mac.pskc.encryption.algorithm)
+ mk_elem(mac_key, 'xenc:EncryptionMethod', Algorithm=algorithm)
 cipher_data = mk_elem(mac_key, 'xenc:CipherData', empty=True)
- if mac.key_cipher_value:
- mk_elem(cipher_data, 'xenc:CipherValue',
- base64.b64encode(mac.key_cipher_value).decode())
- elif mac.key_plain_value:
- mk_elem(cipher_data, 'xenc:CipherValue',
- base64.b64encode(mac.pskc.encryption.encrypt_value(
- mac.key_plain_value)).decode())
+ mk_elem(cipher_data, 'xenc:CipherValue',
+ base64.b64encode(key_value.cipher_value).decode())
 @classmethod
 def serialise_key_package(cls, device, container):
@@ -195,10 +194,11 @@ class PSKCSerialiser(object):
 mk_elem(element, 'pskc:PlainValue', value2text(value))
 else:
 # encrypted value
+ algorithm = value.algorithm or pskc.encryption.algorithm
 encrypted_value = mk_elem(
 element, 'pskc:EncryptedValue', empty=True)
 mk_elem(encrypted_value, 'xenc:EncryptionMethod',
- Algorithm=value.algorithm)
+ Algorithm=algorithm)
 cipher_data = mk_elem(
 encrypted_value, 'xenc:CipherData', empty=True)
 mk_elem(cipher_data, 'xenc:CipherValue',
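Review bot: When no MAC key was set, `key_value` falls back to `mac.pskc.encryption.key` and is then handed to `EncryptedValue.create(mac.pskc, key_value)`, so — if `create` encrypts under that same encryption key, which this hunk does not show — the encryption key is wrapped under itself and written out as the `MACKey` CipherValue, whereas the removed code emitted no CipherValue at all in that case. Confirm that this output change is intended and record it at the fallback, e.g. `# no explicit MAC key: the encryption key doubles as MAC key and is serialised wrapped under itself`. The serialiser also reaches into the private `mac._key` and re-implements the fallback that `MAC.key` already contains; a small accessor on MAC returning the stored value without decrypting it would keep that logic in one place. The `algorithm = value.algorithm or pskc.encryption.algorithm` fallback is written a second time in the @@ -195 hunk below; resolving the effective algorithm on EncryptedValue itself would remove the duplication. As in pskc/parser.py, `EncryptedValue` must already be in scope in pskc/serialiser.py, which the hunk does not show.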