From 4d92b937bddea136a709bb29b66a2ce6fe0ac943 Mon Sep 17 00:00:00 2001
From: Arthur de Jong
Date: Sat, 31 May 2014 23:39:17 +0200
Subject: Support kw-tripledes decryption
This adds support for key unwrapping using the RFC 3217 Triple DES key wrap algorithm if the PSKC file uses this.
---
 pskc/encryption.py | 6 ++++++
 tests/kw-tripledes.pskcxml | 30 ++++++++++++++++++++++++++++++
 tests/test_encryption.doctest | 11 +++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 tests/kw-tripledes.pskcxml
diff --git a/pskc/encryption.py b/pskc/encryption.py
index d1451df..48b9ef5 100644
--- a/pskc/encryption.py
+++ b/pskc/encryption.py
@@ -102,6 +102,12 @@ class EncryptedValue(object):
 len(key) not in AES.key_size:
 raise DecryptionError('Invalid key length')
 return unwrap(self.cipher_value, key)
+ elif self.algorithm.endswith('#kw-tripledes'):
+ from pskc.tripledeskw import unwrap
+ from Crypto.Cipher import DES3
+ if len(key) not in DES3.key_size:
+ raise DecryptionError('Invalid key length')
+ return unwrap(self.cipher_value, key)
 else:
 raise DecryptionError('Unsupported algorithm: %r' % self.algorithm)
diff --git a/tests/kw-tripledes.pskcxml b/tests/kw-tripledes.pskcxml
new file mode 100644
index 0000000..ffa0264
--- /dev/null
+++ b/tests/kw-tripledes.pskcxml
@@ -0,0 +1,30 @@ + + + + + + + Pre-shared-key + + + + + + + + + aQEHYY7wkrO0jKF5ayNK6foz67QVlgQDfbXWqE6zqsJ2jGMndaRn1A== + + + + + + +
diff --git a/tests/test_encryption.doctest b/tests/test_encryption.doctest
index 19ea062..6d39e35 100644
--- a/tests/test_encryption.doctest
+++ b/tests/test_encryption.doctest
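Review bot: In pskc/encryption.py the new `#kw-tripledes` branch accepts every length listed in `DES3.key_size`, which in PyCrypto is, to my knowledge, both 16 and 24 bytes, so a two-key Triple DES key-encryption key passes the check. As I read RFC 3217 the wrap is defined for a three-key Triple DES KEK, and two-key 3DES has a markedly lower security margin, so if only 24-byte keys are intended the guard could read `if len(key) != 24:`. If 16-byte keys are accepted on purpose, a comment such as `# two-key (16-byte) KEKs are accepted for compatibility` would make that choice explicit. The doctest added in this commit exercises only 17 and 24 bytes, so the 16-byte path is untested either way. The enclosing method starts and ends outside the hunk.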
@@ -81,3 +81,14 @@ DecryptionError: Invalid key length
 >>> pskc.encryption.key = '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f'.decode('hex')
 >>> pskc.keys[0].secret.encode('hex')
 '00112233445566778899aabbccddeeff0001020304050607'
+
+
+>>> pskc = PSKC('tests/kw-tripledes.pskcxml')
+>>> pskc.encryption.key = '255e0d1c07b646dfb3134cc843ba8aa71f'.decode('hex')
+>>> pskc.keys[0].secret
+Traceback (most recent call last):
+ ...
+DecryptionError: Invalid key length
+>>> pskc.encryption.key = '255e0d1c07b646dfb3134cc843ba8aa71f025b7c0838251f'.decode('hex')
+>>> pskc.keys[0].secret.encode('hex')
+'2923bf85e06dd6ae529149f1f1bae9eab3a7da3d860d3e98'
-- cgit v1.2.3
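Review bot: The new doctest block for tests/kw-tripledes.pskcxml has no case for a key of valid length that is simply the wrong key; it covers only a rejected key length and the correct key. That missing case is the one that shows whether the unwrap's integrity check turns a bad key into a `DecryptionError`, rather than returning garbage plaintext or letting another exception type escape to the caller. I would add a case that sets `pskc.encryption.key` to a different 24-byte value and expects `DecryptionError` when reading `pskc.keys[0].secret`. The exact message depends on `pskc.tripledeskw.unwrap`, which is not part of this patch view, so the expected text should be taken from that module.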