| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
This ensures that an encrypted MAC key is hanled in the same way as
normal encrypted data values.
This also ensures consistent fallback to the globally configured
encryption algorithm if no value has been set in the EncryptedValue.
|
|
|
|
|
|
|
|
|
| |
The cryptography library is better supported.
This uses the functions from cryptography for AES and Triple DES
encryption, replaces the (un)padding functions that were previously
implemented in python-pskc with cryptography and uses PBKDF2
implementation from hashlib.
|
|
|
|
|
|
| |
This uses os.urandom() as a source for random data and replaces other
utility functions. This also removes one import for getting the lengths
of Tripple DES keys.
|
|
|
|
|
| |
This also makes a few small code formatting changes to ensure that the
flake8 tests pass.
|
|
|
|
|
|
|
|
| |
This switches to using the hashlib.new() function to be able to use all
hashes that are available in Python (specifically RIPEMD160).
This also adds a number of tests for HMACs using test vectors from
RFC 2202, RFC 4231 and RFC 2857.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 6030 implies that the MAC should be performed over the ciphertext
but some earlier drafts implied that the MAC should be performed on the
plaintext. This change accpets the MAC if either the plaintext or
ciphertext match.
Note that this change allows for a padding oracle attack when CBC
encryption modes are used because decryption (and unpadding) needs to be
done before MAC checking. However, this module is not expected to be
available to users to process arbitrary PSKC files repeatedly.
This removes the tests for a missing MAC key (and replaces it for tests
of missing EncryptionMethod) because falling back to using the
encryption key (implemented in a444f78) in combination with this change
means that decryption is performed before MAC checking and is no longer
possible to trigger a missing MAC key error.
|
|
|
|
|
| |
Similar to the change for parsing, move the XML serialisation of PSKC
data to a single class in a separate module.
|
|
|
|
|
|
| |
This moves all the parse() functions to a single class in a dedicated
module that can be used for parsing PSKC files. This should make it
easier to subclass the parser.
|
|
|
|
|
|
| |
This uses the encryption key also as MAC key if no MAC key has been
specified in the PSKC file. Earlier versions of the PSKC draft specified
this behaviour.
|
|
|
|
|
| |
This makes it much easier to test the encryption, decryption and HMAC
processing separate from the PSKC parsing.
|
| |
|
|
|
|
|
| |
This method will set up a MAC key and algorithm as specified or use
reasonable defauts.
|
| |
|
|
|
|
|
|
| |
This also makes the MAC.algorithm a property similarly as what is done
for Encryption (normalise algorithm names) and adds a setter for the
MAC.key property.
|
|
|
|
|
|
| |
This removes calling parse() from the Encryption and MAC constructors
and stores a reference to the PSKC object in both objects so it can be
used later on.
|
|
|
|
|
|
|
|
|
|
| |
This adds tests to ensure that incorrect attribute and value types in
the PSKC file raise a ValueError exception and extends the tests for
invalid encryption options.
This removes some code or adds no cover directives to a few places that
have unreachable code or are Python version specific and places doctest
directives inside the doctests where needed.
|
|
|
|
|
|
|
|
|
| |
This removes the EncryptedValue and ValueMAC classes and instead moves
the XML parsing of these values to the DataType class. This will make it
easier to support different parsing schemes.
This also includes a small consistency improvement in the subclasses of
DataType.
|
|
|
|
|
|
|
|
|
| |
This simplifies calls to the find() family of functions and allows
parsing PSKC files that have slightly different namespace URLs. This is
especially common when parsing old draft versions of the specification.
This also removes passing multiple patterns to the find() functions that
was introduced in 68b20e2.
|
|
|
|
|
|
|
| |
This renames the parse module to xml to better reflect the purpose of
the module and it's functions.
This also introduces a parse() function that wraps etree.parse().
|
|
|
|
|
| |
Refactor the functionality to find an HMAC function into a separate
function.
|
|
|
|
|
|
|
|
|
| |
This changes the way the check() function works to raise an exception
when the MAC is not correct. The MAC is also now always checked before
attempting decryption.
This also renames the internal DataType.value property to a get_value()
method for clarity.
|
|
|
|
|
| |
This uses the name of the hash to automatically get the correct hash
object from Python's hashlib.
|
|
|
|
|
|
|
|
| |
This changes the parse module functions to better match the ElementTree
API and extends it with findint(), findtime() and findbin().
It also passes the namespaces to all calls that require it without
duplicating this throughout the normal code.
|
| |
|
| |
|
|
|
|
| |
This also hides two properties that are not part of the public API.
|
|
|
|
| |
This also allows re-organising the imports a bit.
|
|
This implements message message authentication code checking for the
encrypted values if MACMethod and ValueMAC are present.
|