From 287afa7b9d8d8d0a3a6fb6db67939ced0ab4caa0 Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Fri, 30 May 2014 13:26:42 +0200
Subject: Support kw-aes128, kw-aes192 and kw-aes256

This adds support for key unwrapping using the RFC 3394 or RFC 5649 algorithm if the PSKC file uses this.
---
 pskc/encryption.py | 9 +++++++++
 tests/kw-aes128.pskcxml | 29 +++++++++++++++++++++++++++++
 tests/kw-aes192.pskcxml | 30 ++++++++++++++++++++++++++++++
 tests/kw-aes256.pskcxml | 30 ++++++++++++++++++++++++++++++
 tests/test_encryption.doctest | 28 ++++++++++++++++++++++++++++
 5 files changed, 126 insertions(+)
 create mode 100644 tests/kw-aes128.pskcxml
 create mode 100644 tests/kw-aes192.pskcxml
 create mode 100644 tests/kw-aes256.pskcxml
diff --git a/pskc/encryption.py b/pskc/encryption.py
index 9b6f763..d1451df 100644
--- a/pskc/encryption.py
+++ b/pskc/encryption.py
@@ -93,6 +93,15 @@ class EncryptedValue(object):
 ciphertext = self.cipher_value[DES3.block_size:]
 cipher = DES3.new(key, DES3.MODE_CBC, iv)
 return unpad(cipher.decrypt(ciphertext))
+ elif self.algorithm.endswith('#kw-aes128') or \
+ self.algorithm.endswith('#kw-aes192') or \
+ self.algorithm.endswith('#kw-aes256'):
+ from pskc.aeskw import unwrap
+ from Crypto.Cipher import AES
+ if len(key) * 8 != int(self.algorithm[-3:]) or \
+ len(key) not in AES.key_size:
+ raise DecryptionError('Invalid key length')
+ return unwrap(self.cipher_value, key)
 else:
 raise DecryptionError('Unsupported algorithm: %r' % self.algorithm)
diff --git a/tests/kw-aes128.pskcxml b/tests/kw-aes128.pskcxml
new file mode 100644
index 0000000..29ba6de
--- /dev/null
+++ b/tests/kw-aes128.pskcxml
@@ -0,0 +1,29 @@
+ + + + + + + Pre-shared-key + + + + + + + + + H6aLCoEStEeu80vY+1p7gp0+hiNx0s/l + + + + + + +
diff --git a/tests/kw-aes192.pskcxml b/tests/kw-aes192.pskcxml
new file mode 100644
index 0000000..20bb260
--- /dev/null
+++ b/tests/kw-aes192.pskcxml
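Review bot: In the `pskc/encryption.py` hunk, the second clause of the new length check, `len(key) not in AES.key_size`, cannot be true once `len(key) * 8 != int(self.algorithm[-3:])` has been ruled out, because the matched suffix already limits the size to 128, 192 or 256 bits; the test can be `if len(key) * 8 != int(self.algorithm[-3:]):` and the `from Crypto.Cipher import AES` line dropped from this branch. The branch also hands `self.cipher_value` to `unwrap` without a comment on what happens when the key-wrap integrity check fails (a key of the right length but the wrong value, or altered ciphertext); `pskc/aeskw.py` is not part of this patch, so it is worth confirming that it raises `DecryptionError` and saying so, e.g. `# unwrap() raises DecryptionError when the key-wrap integrity check fails`. The enclosing method begins before the hunk, so how `key` is obtained and whether it can be `None` at this point is not visible here.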
@@ -0,0 +1,30 @@
+ + + + + + + Pre-shared-key + + + + + + + + + lneLJa5spDX5K1uXwFCu0kaKuKF62E5d + + + + + + +
diff --git a/tests/kw-aes256.pskcxml b/tests/kw-aes256.pskcxml
new file mode 100644
index 0000000..2bd6e56
--- /dev/null
+++ b/tests/kw-aes256.pskcxml
@@ -0,0 +1,30 @@
+ + + + + + + Pre-shared-key + + + + + + + + + qPm8FhLGiz/25vT74w5x5Haci4CjLLiVjNXRfWslTaE= + + + + + + +
diff --git a/tests/test_encryption.doctest b/tests/test_encryption.doctest
index 3f54998..19ea062 100644
--- a/tests/test_encryption.doctest
+++ b/tests/test_encryption.doctest
@@ -53,3 +53,31 @@ DecryptionError: Invalid key length
 >>> pskc.encryption.key = '12345678901234567890123456789012'.decode('hex')
 >>> pskc.keys[0].secret
 '12345678901234567890'
+
+
+>>> pskc = PSKC('tests/kw-aes128.pskcxml')
+>>> pskc.encryption.key = '1234'.decode('hex')
+>>> pskc.keys[0].secret
+Traceback (most recent call last):
+ ...
+DecryptionError: Invalid key length
+>>> pskc.encryption.key = '000102030405060708090a0b0c0d0e0f'.decode('hex')
+>>> pskc.keys[0].secret.encode('hex')
+'00112233445566778899aabbccddeeff'
+
+
+>>> pskc = PSKC('tests/kw-aes192.pskcxml')
+>>> pskc.encryption.key = '000102030405060708090a0b0c0d0e0f'.decode('hex')
+>>> pskc.keys[0].secret
+Traceback (most recent call last):
+ ...
+DecryptionError: Invalid key length
+>>> pskc.encryption.key = '000102030405060708090a0b0c0d0e0f1011121314151617'.decode('hex')
+>>> pskc.keys[0].secret.encode('hex')
+'00112233445566778899aabbccddeeff'
+
+
+>>> pskc = PSKC('tests/kw-aes256.pskcxml')
+>>> pskc.encryption.key = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f'.decode('hex')
+>>> pskc.keys[0].secret.encode('hex')
+'00112233445566778899aabbccddeeff0001020304050607'
--
cgit v1.2.3
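Review bot: The doctests added to `tests/test_encryption.doctest` reject only keys of the wrong length; none uses a key of the correct length but the wrong value, so the integrity check that key unwrapping depends on is never exercised through `pskc.keys[0].secret`. After the `kw-aes128` success case I would add `>>> pskc.encryption.key = 'ffffffffffffffffffffffffffffffff'.decode('hex')` followed by `>>> pskc.keys[0].secret` and the expected `DecryptionError` traceback. The exact message comes from `pskc.aeskw.unwrap`, which this patch does not show, so the expected text has to be taken from there. The `kw-aes256` block also has no wrong-length case, unlike the other two.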