| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
| |
This uses the defusedxml library if available to defend agains a number
of XML-based attacks.
|
|
|
|
|
|
|
| |
The PBKDF2 salt was saved in the wrong way (b'base64encodeddata' instead
of base64encodeddata) when using Python 3. This fixes that problem and
tests that saving and loading of a file that uses PBKDF2 key derivation
works.
|
|
|
|
|
| |
This makes minor changes to the pskc2csv script to make it more easily
testable.
|
|
|
|
|
|
| |
This allows adding an optional label to the --columns option that can be
used to output a label different from the key property name in the CSV
file header.
|
|
|
|
|
| |
This option can be used to configure the encoding of the secret in the
CSV file (still hex by default).
|
|
|
|
|
| |
This also makes a few small code formatting changes to ensure that the
flake8 tests pass.
|
| |
|
| |
|
|
|
|
|
| |
This makes KeyDerivation.algorithm and KeyDerivation.pbkdf2_prf
properties automatically normalise assigned values.
|
|
|
|
|
|
| |
This uses ElementTree.iter() instead of ElementTree.getiterator() for
going over all the child elements in the tree because the latter is
deprecated.
|
|
|
|
|
| |
This provides a read-only userid property on Key objects that uses the
key_userid or device_userid value, whichever one is defined.
|
|
|
|
| |
This also includes a few other small documentation improvements.
|
|
|
|
|
|
|
|
| |
This switches to using the hashlib.new() function to be able to use all
hashes that are available in Python (specifically RIPEMD160).
This also adds a number of tests for HMACs using test vectors from
RFC 2202, RFC 4231 and RFC 2857.
|
|
|
|
|
|
| |
This adds a number of algorithm URIs defined in RFC 6931 and also
simplifies the definition of the list of URIs. It also adds more aliases
for algorithms.
|
| |
|
| |
|
| |
|
|
|
|
| |
Have one doctest file per vendor to make tests a little more manageable.
|
|
|
|
| |
This adds tests from draft-josefsson-keyprov-pskc-yubikey-00.
|
|
|
|
|
|
| |
This adds support for parsing ActivIdentity files that conform to a very
old version of an Internet Draft. The implementation and test were based
on a file provided by Jaap Ruijgrok.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This updates the tests to use the original examples from
draft-hoyer-keyprov-pskc-algorithm-profiles-01 instead of modifying them
to fit the RFC 6030 schema (but does include some minor changes to make
them valid XML).
This adds a few additions to the parser to handle legacy challenge and
resposne encoding and a few key policy properties.
This also includes a fix for 0b757ec in the handling of the
<ChallengeFormat> element under a <Usage> element.
|
|
|
|
| |
Note that asymmetric encryption and digital signature checking has not
yet been implemented so the tests are pretty minimal.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds support for parsing most examples from
draft-ietf-keyprov-pskc-02. That file uses a few other names for
elements and attributes of the PSKC file and a few other minor
differences.
The XML parsing has been changed to allow specifying multiple matches
and the find*() functions now return the first found match.
While all examples from draft-ietf-keyprov-pskc-02 are tested support
for verifying digital signatures and asymmetric keys have not yet been
implemented.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 6030 implies that the MAC should be performed over the ciphertext
but some earlier drafts implied that the MAC should be performed on the
plaintext. This change accpets the MAC if either the plaintext or
ciphertext match.
Note that this change allows for a padding oracle attack when CBC
encryption modes are used because decryption (and unpadding) needs to be
done before MAC checking. However, this module is not expected to be
available to users to process arbitrary PSKC files repeatedly.
This removes the tests for a missing MAC key (and replaces it for tests
of missing EncryptionMethod) because falling back to using the
encryption key (implemented in a444f78) in combination with this change
means that decryption is performed before MAC checking and is no longer
possible to trigger a missing MAC key error.
|
| |
|
| |
|
|
|
|
|
| |
This fixes the pragma directives to be be correct independently of
whether lxml is installed or not.
|
|
|
|
|
| |
This sets up Tox with various versions of Python and for each version a
run with and without lxml.
|
|
|
|
|
| |
This ensures that the files that are read in the test suite are properly
closed to avoid leaking open file descriptors.
|
| |
|
|
|
| |
This accidentally slipped in as part of beafc6b.
|
| |
|
| |
|
|
|
|
|
| |
This uses a custom data descriptor (property) for secret, counter,
time_offset, time_interval and time_drift.
|
|
|
|
|
|
|
|
| |
This allows having multiple keys per device while also maintaining the
previous API.
Note that having multiple keys per device is not allowed by the RFC 6030
schema but is allowed by some older internet drafts.
|
|
|
|
|
| |
Similar to the change for parsing, move the XML serialisation of PSKC
data to a single class in a separate module.
|
|
|
|
|
|
| |
This moves all the parse() functions to a single class in a dedicated
module that can be used for parsing PSKC files. This should make it
easier to subclass the parser.
|
| |
|
|
|
|
| |
This enables branch coverage testing and adds tests to improve coverage.
|
|
|
|
| |
This also ensures that the PRF URL is normalised.
|
| |
|
|
|
|
|
|
| |
This tries to make it clearer that the setup_preshared_key() and
setup_pbkdf2() functions are meant to be used when writing out PSKC
files.
|
|
|
|
|
|
| |
This uses the encryption key also as MAC key if no MAC key has been
specified in the PSKC file. Earlier versions of the PSKC draft specified
this behaviour.
|
|
|
|
|
|
| |
In older versions of the PSKC standard it was allowed to have a global
initialization vector for CBC based encryption algorithms. It is
probably not a good idea to re-use an IV in general.
|
|
|
|
|
| |
This makes it much easier to test the encryption, decryption and HMAC
processing separate from the PSKC parsing.
|
|
|
|
| |
This makes the creation if internal instances a litte more consistent.
|
| |
|
| |
|