| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Have one doctest file per vendor to make tests a little more manageable.
|
|
|
|
| |
This adds tests from draft-josefsson-keyprov-pskc-yubikey-00.
|
|
|
|
|
|
| |
This adds support for parsing ActivIdentity files that conform to a very
old version of an Internet Draft. The implementation and test were based
on a file provided by Jaap Ruijgrok.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This updates the tests to use the original examples from
draft-hoyer-keyprov-pskc-algorithm-profiles-01 instead of modifying them
to fit the RFC 6030 schema (but does include some minor changes to make
them valid XML).
This adds a few additions to the parser to handle legacy challenge and
resposne encoding and a few key policy properties.
This also includes a fix for 0b757ec in the handling of the
<ChallengeFormat> element under a <Usage> element.
|
|
|
|
| |
Note that asymmetric encryption and digital signature checking has not
yet been implemented so the tests are pretty minimal.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds support for parsing most examples from
draft-ietf-keyprov-pskc-02. That file uses a few other names for
elements and attributes of the PSKC file and a few other minor
differences.
The XML parsing has been changed to allow specifying multiple matches
and the find*() functions now return the first found match.
While all examples from draft-ietf-keyprov-pskc-02 are tested support
for verifying digital signatures and asymmetric keys have not yet been
implemented.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 6030 implies that the MAC should be performed over the ciphertext
but some earlier drafts implied that the MAC should be performed on the
plaintext. This change accpets the MAC if either the plaintext or
ciphertext match.
Note that this change allows for a padding oracle attack when CBC
encryption modes are used because decryption (and unpadding) needs to be
done before MAC checking. However, this module is not expected to be
available to users to process arbitrary PSKC files repeatedly.
This removes the tests for a missing MAC key (and replaces it for tests
of missing EncryptionMethod) because falling back to using the
encryption key (implemented in a444f78) in combination with this change
means that decryption is performed before MAC checking and is no longer
possible to trigger a missing MAC key error.
|
| |
|
|
|
|
|
| |
This ensures that the files that are read in the test suite are properly
closed to avoid leaking open file descriptors.
|
|
|
|
|
|
|
|
| |
This allows having multiple keys per device while also maintaining the
previous API.
Note that having multiple keys per device is not allowed by the RFC 6030
schema but is allowed by some older internet drafts.
|
| |
|
|
|
|
| |
This enables branch coverage testing and adds tests to improve coverage.
|
|
|
|
| |
This also ensures that the PRF URL is normalised.
|
|
|
|
|
|
| |
This uses the encryption key also as MAC key if no MAC key has been
specified in the PSKC file. Earlier versions of the PSKC draft specified
this behaviour.
|
|
|
|
|
|
| |
In older versions of the PSKC standard it was allowed to have a global
initialization vector for CBC based encryption algorithms. It is
probably not a good idea to re-use an IV in general.
|
| |
|
| |
|
|
|
|
|
| |
This factors out the PBKDF2 key derivation to a separate function and
introduces a function to configure KeyDerivation instances with PBKDF2.
|
|
|
|
|
| |
This method will set up a MAC key and algorithm as specified or use
reasonable defauts.
|
|
|
|
|
|
| |
This writes information about a pre-shared key or PBKDF2 key derivation
in the PSKC file. This also means that writing a decrypted version of a
previously encrypted file requires actively removing the encryption.
|
|
|
|
|
| |
This property on the Encryption object provides a list of key sizes (in
bytes) that the configured encryption algorithm supports.
|
| |
|
|
|
|
|
| |
This supports writing the XML output to binary streams as well as text
streams in Python 3.
|
|
|
|
|
|
|
|
|
|
| |
This adds tests to ensure that incorrect attribute and value types in
the PSKC file raise a ValueError exception and extends the tests for
invalid encryption options.
This removes some code or adds no cover directives to a few places that
have unreachable code or are Python version specific and places doctest
directives inside the doctests where needed.
|
|
|
|
|
|
| |
RFC 6030 is not clear about whether the attribute of ChallengeFormat and
ResponseFormat should be the singular CheckDigit or the plural
CheckDigits. This ensures that both forms are accepted.
|
|
|
|
|
| |
This checks for unknown policy elements in the PSKC file and will cause
the key usage policy check to fail.
|
|
|
|
|
| |
Some vendor-specific files were lifted from the LinOTP test suite and
another Feitian file was found in the oath-toolkit repository.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This extends support for handling various encoding methods for integer
values in PSKC files. For encrypted files the decrypted value is first
tried to be evaluated as an ASCII representation of the number and after
that big-endian decoded.
For plaintext values first ASCII decoding is tried after which base64
decoding is tried which tries the same encodings as for decrypted
values.
There should be no possibility for any base64 encoded value (either of
an ASCII value or a big-endian value) to be interpreted as an ASCII
value for any 32-bit integer.
There is a possibility that a big-endian encoded integer could be
incorrectly interpreted as an ASCII value but this is only the case for
110 numbers when only considering 6-digit numbers.
|
|
|
|
|
| |
This puts the test PSKC files in subdirectories so they can be organised
more cleanly.
|
|
|
|
|
| |
If no key derivation algorithm has been specified in the PSKC file an
exception should be raised when attempting to perform key derivation.
|
|
|
|
|
| |
This transforms the algorithm URIs that are set to known values when
parsing or setting the algorithm.
|
|
|
|
|
|
| |
Either determine the encryption algorithm from the PSKC file or from the
explicitly set value. This also adds support for setting the encryption
key name.
|
|
|
|
|
| |
This fixes a problem with writing a PSKC file that is based on a read
file that was encrypted.
|
| |
|
|
|
|
|
|
|
|
| |
This enables support for Python 3 together with Python 2 support with a
single codebase.
On Python 3 key data is passed around as bytestrings which makes the
doctests a little harder to maintain across Python versions.
|
|
|
|
|
|
|
|
|
|
|
|
| |
The find() utility functions now allow specifying multiple paths to be
searched where the first match is returned.
This allows handling PSKC files where the PBKDF2 salt, iteration count,
key length and PRF elements are prefixed with the xenc11 namespace.
A test including such a PSKC file has been included.
Thanks to Eric Plet for reporting this.
|
|
|
|
|
|
| |
This moves the encryption functions under the pskc.crypto package to
more clearly separate it from the other code. Ideally this should be
replaced by third-party library code.
|
|
|
|
|
| |
This makes a simple doctest that checks the writing of the XML
representation of the PSKC data.
|
|
|
|
|
|
| |
This supports setters for the secret, counter, time_offset,
time_interval and time_drift properties. Setting these values stores the
values unencrypted internally.
|
|
|
|
| |
This tests for incomplete, unknown or invalid MACs in PSKC files.
|
|
|
|
|
| |
This adds hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512 tests
for values that are encrypted using CBC block cypher modes.
|
|
|
|
|
| |
This adds support for key unwrapping using the RFC 3217 Triple DES key
wrap algorithm if the PSKC file uses this.
|
| |
|
| |
|
|
|
|
|
| |
The test is taken from draft-hoyer-keyprov-pskc-algorithm-profiles-01
modified to fit the schema as described in RFC 6030.
|
|
|
|
|
| |
The test is taken from draft-hoyer-keyprov-pskc-algorithm-profiles-01
modified to be valid XML and to fit the schema as described in RFC 6030.
|
|
|
|
|
| |
The test is taken from draft-hoyer-keyprov-pskc-algorithm-profiles-01
modified to fit the schema as described in RFC 6030.
|
|
|
|
|
| |
The test is taken from draft-hoyer-keyprov-pskc-algorithm-profiles-01
modified to fit the schema as described in RFC 6030.
|
| |
|