authorArthur de Jong <arthur@arthurdejong.org>2018-02-07 20:04:31 +0100
committerArthur de Jong <arthur@arthurdejong.org>2018-02-09 15:04:57 +0100
commite60d7f3356c4808e17e363055fca23fae005f76f (patch)
treecb8493beb766c5a13f07f364a8ae16a0dc0b9c1d
parent8054c6e6244de9d5d830a7a24b5ef84d60f8c4b2 (diff)
Also use EncryptedValue for MAC key
This ensures that an encrypted MAC key is handled in the same way as normal encrypted data values. This also ensures consistent fallback to the globally configured encryption algorithm if no value has been set in the EncryptedValue.
-rw-r--r--pskc/mac.py23
-rw-r--r--pskc/parser.py4
-rw-r--r--pskc/serialiser.py24
3 files changed, 24 insertions, 27 deletions
diff --git a/pskc/mac.py b/pskc/mac.py
index 65ec9b3..38552dd 100644
--- a/pskc/mac.py
+++ b/pskc/mac.py
@@ -1,7 +1,7 @@
# mac.py - module for checking value signatures
# coding: utf-8
#
-# Copyright (C) 2014-2017 Arthur de Jong
+# Copyright (C) 2014-2018 Arthur de Jong
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
@@ -81,25 +81,22 @@ class MAC(object):
def __init__(self, pskc):
self.pskc = pskc
self._algorithm = None
- self.key_plain_value = None
- self.key_cipher_value = None
- self.key_algorithm = None
@property
def key(self):
"""Provide access to the MAC key binary value if available."""
- if self.key_plain_value:
- return self.key_plain_value
- elif self.key_cipher_value:
- return self.pskc.encryption.decrypt_value(
- self.key_cipher_value, self.key_algorithm)
- # fall back to encryption key
- return self.pskc.encryption.key
+ value = getattr(self, '_key', None)
+ if hasattr(value, 'get_value'):
+ return value.get_value(self.pskc)
+ elif value:
+ return value
+ else:
+ # fall back to encryption key
+ return self.pskc.encryption.key
@key.setter
def key(self, value):
- self.key_plain_value = value
- self.key_cipher_value = None
+ self._key = value
@property
def algorithm(self):
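Review bot: `_key` is never initialised: the three assignments removed from `__init__` are not replaced, so the getter has to probe with `getattr(self, '_key', None)`, and pskc/serialiser.py in the same commit does the same from outside the class. Adding `self._key = None` to `__init__` lets the getter read `value = self._key` directly and gives the serialiser a defined attribute to look at. A short docstring on the setter stating that `value` may be either raw key bytes or an `EncryptedValue` would also help, since the getter dispatches on `hasattr(value, 'get_value')`. Note that `elif value:` treats an empty key the same as an unset one and silently falls back to the encryption key, as the previous code did; if that fallback is only meant for the unset case, `value is not None` is the stricter test. The `algorithm` property that begins on the hunk's last line continues outside it.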
diff --git a/pskc/parser.py b/pskc/parser.py
index 11486f8..b3e7952 100644
--- a/pskc/parser.py
+++ b/pskc/parser.py
@@ -157,8 +157,8 @@ class PSKCParser(object):
mac_method.get('algorithm'))
mac_key = find(mac_method, 'MACKey')
if mac_key is not None:
- mac.key_algorithm, mac.key_cipher_value = (
- cls.parse_encrypted_value(mac_key))
+ algorithm, cipher_value = cls.parse_encrypted_value(mac_key)
+ mac.key = EncryptedValue(cipher_value, None, algorithm)
@classmethod
def parse_key_package(cls, device, key_package):
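Review bot: The new `mac.key = EncryptedValue(cipher_value, None, algorithm)` line relies on `EncryptedValue` already being imported in pskc/parser.py; the diff adds no import here (the diffstat lists four changed lines, all visible in this hunk), so that should be confirmed before merging. The bare positional `None` in the middle also hides which attribute is being left unset; if the constructor accepts keyword arguments, passing that argument by name (its signature is not on this page) would document the intent in place. The enclosing parse method starts above the hunk.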
diff --git a/pskc/serialiser.py b/pskc/serialiser.py
index c71f6ea..8020f60 100644
--- a/pskc/serialiser.py
+++ b/pskc/serialiser.py
@@ -90,22 +90,21 @@ class PSKCSerialiser(object):
@classmethod
def serialise_mac(cls, mac, container):
- if not mac.algorithm and not mac.key:
+ key_value = getattr(mac, '_key', None) or mac.pskc.encryption.key
+ if not mac.algorithm and not key_value:
return
mac_method = mk_elem(
container, 'pskc:MACMethod', Algorithm=mac.algorithm, empty=True)
+ # encrypt the mac key if needed
+ if not hasattr(key_value, 'get_value'):
+ key_value = EncryptedValue.create(mac.pskc, key_value)
+ # construct encrypted MACKey
+ algorithm = key_value.algorithm or mac.pskc.encryption.algorithm
mac_key = mk_elem(mac_method, 'pskc:MACKey', empty=True)
- mk_elem(
- mac_key, 'xenc:EncryptionMethod',
- Algorithm=mac.pskc.encryption.algorithm)
+ mk_elem(mac_key, 'xenc:EncryptionMethod', Algorithm=algorithm)
cipher_data = mk_elem(mac_key, 'xenc:CipherData', empty=True)
- if mac.key_cipher_value:
- mk_elem(cipher_data, 'xenc:CipherValue',
- base64.b64encode(mac.key_cipher_value).decode())
- elif mac.key_plain_value:
- mk_elem(cipher_data, 'xenc:CipherValue',
- base64.b64encode(mac.pskc.encryption.encrypt_value(
- mac.key_plain_value)).decode())
+ mk_elem(cipher_data, 'xenc:CipherValue',
+ base64.b64encode(key_value.cipher_value).decode())
@classmethod
def serialise_key_package(cls, device, container):
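Review bot: When `mac.algorithm` is set but neither a MAC key nor an encryption key is configured, `key_value` is `None`, the early return is not taken, and `None` reaches `EncryptedValue.create(mac.pskc, key_value)` under the `# encrypt the mac key if needed` comment; the previous code simply omitted the CipherValue in that case, and this page does not show how `create` handles `None`. A guard right after the MACMethod element is created, `if key_value is None:` / `return`, would keep the MACMethod but skip the MACKey rather than risk an exception or an empty ciphertext. Reading `getattr(mac, '_key', None)` from the serialiser also reaches into MAC's private state; a public accessor on MAC that returns the stored value without decrypting it would remove the cross-module coupling. Note too that with no MAC key set, the fallback now serialises the encryption key itself, encrypted under itself, into MACKey, which the removed branches did not do; if that is the intended reading of "the MAC key defaults to the encryption key", a comment on the `key_value = ...` line saying so would make it deliberate rather than accidental.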
@@ -195,10 +194,11 @@ class PSKCSerialiser(object):
mk_elem(element, 'pskc:PlainValue', value2text(value))
else:
# encrypted value
+ algorithm = value.algorithm or pskc.encryption.algorithm
encrypted_value = mk_elem(
element, 'pskc:EncryptedValue', empty=True)
mk_elem(encrypted_value, 'xenc:EncryptionMethod',
- Algorithm=value.algorithm)
+ Algorithm=algorithm)
cipher_data = mk_elem(
encrypted_value, 'xenc:CipherData', empty=True)
mk_elem(cipher_data, 'xenc:CipherValue',