From be2b49fd90236ee16e5da3564caf3a6b227e46c8 Mon Sep 17 00:00:00 2001
From: Arthur de Jong <arthur@arthurdejong.org>
Date: Sun, 4 Feb 2018 16:08:47 +0100
Subject: Correctly write a PSKC file with a global IV

This ensures that the encryption IV, which should be per encrypted value
is written out per encrypted value instead of globally. This is mostly
useful for when reading an old format PSKC file and writing out a RFC
6030 compliant one.
---
 pskc/serialiser.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'pskc/serialiser.py')

diff --git a/pskc/serialiser.py b/pskc/serialiser.py
index 8020f60..ca6622c 100644
--- a/pskc/serialiser.py
+++ b/pskc/serialiser.py
@@ -100,11 +100,14 @@ class PSKCSerialiser(object):
             key_value = EncryptedValue.create(mac.pskc, key_value)
         # construct encrypted MACKey
         algorithm = key_value.algorithm or mac.pskc.encryption.algorithm
+        cipher_value = key_value.cipher_value
+        if mac.pskc.encryption.iv:
+            cipher_value = mac.pskc.encryption.iv + cipher_value
         mac_key = mk_elem(mac_method, 'pskc:MACKey', empty=True)
         mk_elem(mac_key, 'xenc:EncryptionMethod', Algorithm=algorithm)
         cipher_data = mk_elem(mac_key, 'xenc:CipherData', empty=True)
         mk_elem(cipher_data, 'xenc:CipherValue',
-                base64.b64encode(key_value.cipher_value).decode())
+                base64.b64encode(cipher_value).decode())
 
     @classmethod
     def serialise_key_package(cls, device, container):
@@ -195,6 +198,9 @@ class PSKCSerialiser(object):
         else:
             # encrypted value
             algorithm = value.algorithm or pskc.encryption.algorithm
+            cipher_value = value.cipher_value
+            if pskc.encryption.iv:
+                cipher_value = pskc.encryption.iv + cipher_value
             encrypted_value = mk_elem(
                 element, 'pskc:EncryptedValue', empty=True)
             mk_elem(encrypted_value, 'xenc:EncryptionMethod',
@@ -202,7 +208,7 @@ class PSKCSerialiser(object):
             cipher_data = mk_elem(
                 encrypted_value, 'xenc:CipherData', empty=True)
             mk_elem(cipher_data, 'xenc:CipherValue',
-                    base64.b64encode(value.cipher_value).decode())
+                    base64.b64encode(cipher_value).decode())
             if value.mac_value:
                 mk_elem(element, 'pskc:ValueMAC',
                         base64.b64encode(value.mac_value).decode())
-- 
cgit v1.2.3