python-pskc branch master updated. 0.1-38-g1417d4a
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
python-pskc branch master updated. 0.1-38-g1417d4a
- From: Commits of the python-pskc project <python-pskc-commits [at] lists.arthurdejong.org>
- To: python-pskc-commits [at] lists.arthurdejong.org
- Reply-to: python-pskc-users [at] lists.arthurdejong.org
- Subject: python-pskc branch master updated. 0.1-38-g1417d4a
- Date: Sat, 14 Jun 2014 19:53:53 +0200 (CEST)
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "python-pskc".
The branch, master has been updated
via 1417d4a0d8aee27e0578cc82c4965b295ba6b050 (commit)
via 9d8aae0baebde47474d20c3c653f32183ee1d40f (commit)
via 699ecf84ff888c9c3fc429af41b797e823efb24b (commit)
via 01e102ba4d25bf6650e6940e69513523b659d080 (commit)
via 59e790e9181310a7991f2b172c56532b15eac654 (commit)
from 566e4477f40f632205d572e57394d712e7d55f63 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://arthurdejong.org/git/python-pskc/commit/?id=1417d4a0d8aee27e0578cc82c4965b295ba6b050
commit 1417d4a0d8aee27e0578cc82c4965b295ba6b050
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sat Jun 14 19:25:54 2014 +0200
Add tests for missing or invalid MAC
This tests for incomplete, unknown or invalid MACs in PSKC files.
diff --git a/tests/invalid-mac-algorithm.pskcxml
b/tests/invalid-mac-algorithm.pskcxml
new file mode 100644
index 0000000..75ccbe4
--- /dev/null
+++ b/tests/invalid-mac-algorithm.pskcxml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ Based on figure 6 but with an unknown HMAC alorithm.
+-->
+
+<KeyContainer Version="1.0"
+ xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
+ <EncryptionKey>
+ <ds:KeyName>Pre-shared-key</ds:KeyName>
+ </EncryptionKey>
+ <MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-zha9";>
+ <MACKey>
+ <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>ESIzRFVmd4iZABEiM0RVZgKn6WjLaTC1sbeBMSvIhRejN9vJa2BOlSaMrR7I5wSX</xenc:CipherValue>
+ </xenc:CipherData>
+ </MACKey>
+ </MACMethod>
+ <KeyPackage>
+ <DeviceInfo>
+ <Manufacturer>Manufacturer</Manufacturer>
+ <SerialNo>987654321</SerialNo>
+ </DeviceInfo>
+ <CryptoModuleInfo>
+ <Id>CM_ID_001</Id>
+ </CryptoModuleInfo>
+ <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
+ <Issuer>Issuer</Issuer>
+ <AlgorithmParameters>
+ <ResponseFormat Length="8" Encoding="DECIMAL"/>
+ </AlgorithmParameters>
+ <Data>
+ <Secret>
+ <EncryptedValue>
+ <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>AAECAwQFBgcICQoLDA0OD+cIHItlB3Wra1DUpxVvOx2lef1VmNPCMl8jwZqIUqGv</xenc:CipherValue>
+ </xenc:CipherData>
+ </EncryptedValue>
+ <ValueMAC>Su+NvtQfmvfJzF6bmQiJqoLRExc=</ValueMAC>
+ </Secret>
+ <Counter>
+ <PlainValue>0</PlainValue>
+ </Counter>
+ </Data>
+ </Key>
+ </KeyPackage>
+</KeyContainer>
diff --git a/tests/invalid-mac-value.pskcxml b/tests/invalid-mac-value.pskcxml
new file mode 100644
index 0000000..26d335c
--- /dev/null
+++ b/tests/invalid-mac-value.pskcxml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ Based on figure 6 but with a modified CipherValue element.
+-->
+
+<KeyContainer Version="1.0"
+ xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
+ <EncryptionKey>
+ <ds:KeyName>Pre-shared-key</ds:KeyName>
+ </EncryptionKey>
+ <MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1";>
+ <MACKey>
+ <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>ESIzRFVmd4iZABEiM0RVZgKn6WjLaTC1sbeBMSvIhRejN9vJa2BOlSaMrR7I5wSX</xenc:CipherValue>
+ </xenc:CipherData>
+ </MACKey>
+ </MACMethod>
+ <KeyPackage>
+ <DeviceInfo>
+ <Manufacturer>Manufacturer</Manufacturer>
+ <SerialNo>987654321</SerialNo>
+ </DeviceInfo>
+ <CryptoModuleInfo>
+ <Id>CM_ID_001</Id>
+ </CryptoModuleInfo>
+ <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
+ <Issuer>Issuer</Issuer>
+ <AlgorithmParameters>
+ <ResponseFormat Length="8" Encoding="DECIMAL"/>
+ </AlgorithmParameters>
+ <Data>
+ <Secret>
+ <EncryptedValue>
+ <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>AAECAwQFBgcICQoLDA0OD+cIHItlB3Wra1DUpxVvOx2lef1VmNPCMl8jwZqIUqGz</xenc:CipherValue>
+ </xenc:CipherData>
+ </EncryptedValue>
+ <ValueMAC>Su+NvtQfmvfJzF6bmQiJqoLRExc=</ValueMAC>
+ </Secret>
+ <Counter>
+ <PlainValue>0</PlainValue>
+ </Counter>
+ </Data>
+ </Key>
+ </KeyPackage>
+</KeyContainer>
diff --git a/tests/invalid-no-mac-method.pskcxml
b/tests/invalid-no-mac-method.pskcxml
new file mode 100644
index 0000000..0c7765e
--- /dev/null
+++ b/tests/invalid-no-mac-method.pskcxml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ An encrypted secret with a MAC but missing a global MACMethod and
+ MAC key definition.
+-->
+
+<KeyContainer Version="1.0"
+ xmlns="urn:ietf:params:xml:ns:keyprov:pskc"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
+ xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";>
+ <EncryptionKey>
+ <ds:KeyName>Pre-shared-key</ds:KeyName>
+ </EncryptionKey>
+ <KeyPackage>
+ <Key Id="12345678" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
+ <Data>
+ <Secret>
+ <EncryptedValue>
+ xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>AAECAwQFBgcICQoLDA0OD+cIHItlB3Wra1DUpxVvOx2lef1VmNPCMl8jwZqIUqGv</xenc:CipherValue>
+ </xenc:CipherData>
+ </EncryptedValue>
+ <ValueMAC>LP6xMvjtypbfT9PdkJhBZ+D6O4w=</ValueMAC>
+ </Secret>
+ </Data>
+ </Key>
+ </KeyPackage>
+</KeyContainer>
diff --git a/tests/test_invalid.doctest b/tests/test_invalid.doctest
index c8e8a78..adb1acf 100644
--- a/tests/test_invalid.doctest
+++ b/tests/test_invalid.doctest
@@ -101,3 +101,43 @@ Specify an unknown PBKDF2 PRF (pseudorandom function).
Traceback (most recent call last):
...
KeyDerivationError: Pseudorandom function unsupported: ...
+
+
+There is a ValueMAC element but no MACMethod element.
+
+>>> pskc = PSKC('tests/invalid-no-mac-method.pskcxml')
+>>> pskc.encryption.key = '12345678901234567890123456789012'.decode('hex')
+>>> key = pskc.keys[0]
+>>> key.id
+'12345678'
+>>> key.secret
+Traceback (most recent call last):
+ ...
+DecryptionError: No MAC key available
+
+
+There is an unknown algorithm specified in MACMethod.
+
+>>> pskc = PSKC('tests/invalid-mac-algorithm.pskcxml')
+>>> pskc.encryption.key = '12345678901234567890123456789012'.decode('hex')
+>>> key = pskc.keys[0]
+>>> key.id
+'12345678'
+>>> key.secret
+Traceback (most recent call last):
+ ...
+DecryptionError: Unsupported MAC algorithm: ...
+
+
+The MAC value does not match the calculated MAC, something was modified in
+transit.
+
+>>> pskc = PSKC('tests/invalid-mac-value.pskcxml')
+>>> pskc.encryption.key = '12345678901234567890123456789012'.decode('hex')
+>>> key = pskc.keys[0]
+>>> key.id
+'12345678'
+>>> key.secret
+Traceback (most recent call last):
+ ...
+DecryptionError: MAC value does not match
http://arthurdejong.org/git/python-pskc/commit/?id=9d8aae0baebde47474d20c3c653f32183ee1d40f
commit 9d8aae0baebde47474d20c3c653f32183ee1d40f
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sat Jun 14 18:27:50 2014 +0200
Raise exception when MAC validation fails
This changes the way the check() function works to raise an exception
when the MAC is not correct. The MAC is also now always checked before
attempting decryption.
This also renames the internal DataType.value property to a get_value()
method for clarity.
diff --git a/pskc/key.py b/pskc/key.py
index 444ef42..f1414a6 100644
--- a/pskc/key.py
+++ b/pskc/key.py
@@ -37,7 +37,6 @@ class DataType(object):
plain_value: raw unencrypted value if present (possibly base64 encoded)
encrypted_value: reference to an EncryptedValue instance
value_mac: reference to a ValueMAC instance
- value: the plaintext value (decrypted if necessary)
"""
def __init__(self, key, element=None):
@@ -68,12 +67,13 @@ class DataType(object):
class BinaryDataType(DataType):
"""Subclass of DataType for binary data (e.g. keys)."""
- @property
- def value(self):
+ def get_value(self):
"""Provide the raw binary value."""
# plain value is base64 encoded
if self.plain_value is not None:
return base64.b64decode(self.plain_value)
+ # check MAC if present
+ self.check()
# encrypted value is in correct format
return self.encrypted_value.decrypt()
@@ -81,12 +81,13 @@ class BinaryDataType(DataType):
class IntegerDataType(DataType):
"""Subclass of DataType for integer types (e.g. counters)."""
- @property
- def value(self):
+ def get_value(self):
"""Provide the raw integer value."""
# plain value is a string representation of the number
if self.plain_value:
return int(self.plain_value)
+ # check MAC if present
+ self.check()
# decrypted value is big endian encoded
value = self.encrypted_value.decrypt()
if value is not None:
@@ -259,33 +260,31 @@ class Key(object):
@property
def secret(self):
"""The secret key itself."""
- return self._secret.value
+ return self._secret.get_value()
@property
def counter(self):
"""An event counter for event-based OTP."""
- return self._counter.value
+ return self._counter.get_value()
@property
def time_offset(self):
"""A time offset for time-based OTP (number of intervals)."""
- return self._time_offset.value
+ return self._time_offset.get_value()
@property
def time_interval(self):
"""A time interval in seconds."""
- return self._time_interval.value
+ return self._time_interval.get_value()
@property
def time_drift(self):
"""Device clock drift value (number of time intervals)."""
- return self._time_drift.value
+ return self._time_drift.get_value()
def check(self):
"""Check if all MACs in the message are valid."""
- checks = (self._secret.check(), self._counter.check(),
- self._time_offset.check(), self._time_interval.check(),
- self._time_drift.check())
- if all(x is None for x in checks):
- return None
- return all(x is not False for x in checks)
+ if any((self._secret.check(), self._counter.check(),
+ self._time_offset.check(), self._time_interval.check(),
+ self._time_drift.check())):
+ return True
diff --git a/pskc/mac.py b/pskc/mac.py
index e789b6d..084d641 100644
--- a/pskc/mac.py
+++ b/pskc/mac.py
@@ -57,22 +57,26 @@ class ValueMAC(object):
def check(self, value):
"""Check if the provided value matches the MAC.
- This will return None if the value cannot be checked (no value,
- no key, etc.) or a boolean otherwise.
+ This will return None if there is no MAC to be checked. It will
+ return True if the MAC matches and raise an exception if it fails.
"""
+ from pskc.exceptions import DecryptionError
if value is None or self._value_mac is None:
return # no MAC present or nothing to check
key = self.mac.key
if key is None:
- return False # no MAC key present
+ raise DecryptionError('No MAC key available')
digestmod = None
match = _hmac_url_re.search(self.mac.algorithm)
if match:
digestmod = getattr(hashlib, match.group('hash'), None)
if digestmod is None:
- return False # unknown algorithm
+ raise DecryptionError(
+ 'Unsupported MAC algorithm: %r' % self.mac.algorithm)
h = hmac.new(key, value, digestmod).digest()
- return h == self._value_mac
+ if h != self._value_mac:
+ raise DecryptionError('MAC value does not match')
+ return True
class MAC(object):
http://arthurdejong.org/git/python-pskc/commit/?id=699ecf84ff888c9c3fc429af41b797e823efb24b
commit 699ecf84ff888c9c3fc429af41b797e823efb24b
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sat Jun 14 18:10:35 2014 +0200
Handle missing MAC algorithm properly
diff --git a/pskc/encryption.py b/pskc/encryption.py
index 518e8f5..6b45a7b 100644
--- a/pskc/encryption.py
+++ b/pskc/encryption.py
@@ -55,7 +55,8 @@ class EncryptedValue(object):
if encrypted_value is None:
return
encryption_method = find(encrypted_value, 'xenc:EncryptionMethod')
- self.algorithm = encryption_method.get('Algorithm')
+ if encryption_method is not None:
+ self.algorithm = encryption_method.attrib.get('Algorithm')
self.cipher_value = findbin(
encrypted_value, 'xenc:CipherData/xenc:CipherValue')
http://arthurdejong.org/git/python-pskc/commit/?id=01e102ba4d25bf6650e6940e69513523b659d080
commit 01e102ba4d25bf6650e6940e69513523b659d080
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sat Jun 14 18:06:46 2014 +0200
Add MAC tests to all CBC encrypted keys
This adds hmac-sha224, hmac-sha256, hmac-sha384 and hmac-sha512 tests
for values that are encrypted using CBC block cypher modes.
diff --git a/tests/aes128-cbc.pskcxml b/tests/aes128-cbc.pskcxml
index 3761991..2177c41 100644
--- a/tests/aes128-cbc.pskcxml
+++ b/tests/aes128-cbc.pskcxml
@@ -12,6 +12,14 @@
<EncryptionKey>
<ds:KeyName>Pre-shared-key</ds:KeyName>
</EncryptionKey>
+ <MACMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha224";>
+ <MACKey>
+ <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>SVZJVklWSVZJVklWSVZJViZS3d+rzbWqD74OQPuyiwrD+XlDXK7ef602mwOebfTR</xenc:CipherValue>
+ </xenc:CipherData>
+ </MACKey>
+ </MACMethod>
<KeyPackage>
<Key>
<Data>
@@ -22,6 +30,7 @@
<xenc:CipherValue>AAECAwQFBgcICQoLDA0OD+cIHItlB3Wra1DUpxVvOx2lef1VmNPCMl8jwZqIUqGv</xenc:CipherValue>
</xenc:CipherData>
</EncryptedValue>
+ <ValueMAC>CjGsEXpmZYGMyejd8WJdLFRBWE9XGJLiigPObg==</ValueMAC>
</Secret>
</Data>
</Key>
diff --git a/tests/aes192-cbc.pskcxml b/tests/aes192-cbc.pskcxml
index 4148688..b4e09ca 100644
--- a/tests/aes192-cbc.pskcxml
+++ b/tests/aes192-cbc.pskcxml
@@ -12,6 +12,14 @@
<EncryptionKey>
<ds:KeyName>Pre-shared-key</ds:KeyName>
</EncryptionKey>
+ <MACMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";>
+ <MACKey>
+ <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>SVZJVklWSVZJVklWSVZJVmDaimFqjBwo8MSWUGmwDkqJvsb1xlkf0MHfyqeooZzM</xenc:CipherValue>
+ </xenc:CipherData>
+ </MACKey>
+ </MACMethod>
<KeyPackage>
<Key>
<Data>
@@ -22,6 +30,7 @@
<xenc:CipherValue>AAECAwQFBgcICQoLDA0OD/616ab2do/xcWNKuW1qE3rSzwqoZcpg5ucwpjiZ07tV</xenc:CipherValue>
</xenc:CipherData>
</EncryptedValue>
+ <ValueMAC>ADfYOligu/3jDK9QhUGO7gGMxNxmrBUy4qtv4HyKF8o=</ValueMAC>
</Secret>
</Data>
</Key>
diff --git a/tests/aes256-cbc.pskcxml b/tests/aes256-cbc.pskcxml
index 204c014..ea8eaad 100644
--- a/tests/aes256-cbc.pskcxml
+++ b/tests/aes256-cbc.pskcxml
@@ -12,6 +12,14 @@
<EncryptionKey>
<ds:KeyName>Pre-shared-key</ds:KeyName>
</EncryptionKey>
+ <MACMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha384";>
+ <MACKey>
+ <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>SVZJVklWSVZJVklWSVZJVlAHw4GN7cbXseMBjNjUCrR8Lb4syW0I7bbNZbCBRt7T</xenc:CipherValue>
+ </xenc:CipherData>
+ </MACKey>
+ </MACMethod>
<KeyPackage>
<Key>
<Data>
@@ -22,6 +30,7 @@
<xenc:CipherValue>AAECAwQFBgcICQoLDA0OD7mg24krBXvsLMVBhZbLXDVFEWhqNqRTCO8AfowoBFcd</xenc:CipherValue>
</xenc:CipherData>
</EncryptedValue>
+
<ValueMAC>JdB5+Ub/VSapUmJq+ZzEbseBPijlOp6BGy3+AAHoM7x17MbqR77xREby+9/65UOG</ValueMAC>
</Secret>
</Data>
</Key>
diff --git a/tests/test_encryption.doctest b/tests/test_encryption.doctest
index 6d39e35..c2a12a2 100644
--- a/tests/test_encryption.doctest
+++ b/tests/test_encryption.doctest
@@ -25,6 +25,10 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>>> pskc.encryption.key = '12345678901234567890123456789012'.decode('hex')
>>> pskc.keys[0].secret
'12345678901234567890'
+>>> pskc.mac.algorithm
+'http://www.w3.org/2001/04/xmldsig-more#hmac-sha224'
+>>> pskc.mac.key
+'MacMacMacMacMacMacMa'
>>> pskc = PSKC('tests/aes192-cbc.pskcxml')
@@ -36,12 +40,20 @@ DecryptionError: Invalid key length
>>> pskc.encryption.key =
>>> '123456789012345678901234567890123456789012345678'.decode('hex')
>>> pskc.keys[0].secret
'12345678901234567890'
+>>> pskc.mac.algorithm
+'http://www.w3.org/2001/04/xmldsig-more#hmac-sha256'
+>>> pskc.mac.key
+'MacMacMacMacMacMacMa'
>>> pskc = PSKC('tests/aes256-cbc.pskcxml')
>>> pskc.encryption.key =
>>> '1234567890123456789012345678901234567890123456789012345678901234'.decode('hex')
>>> pskc.keys[0].secret
'12345678901234567890'
+>>> pskc.mac.algorithm
+'http://www.w3.org/2001/04/xmldsig-more#hmac-sha384'
+>>> pskc.mac.key
+'MacMacMacMacMacMacMa'
>>> pskc = PSKC('tests/tripledes-cbc.pskcxml')
@@ -53,6 +65,10 @@ DecryptionError: Invalid key length
>>> pskc.encryption.key = '12345678901234567890123456789012'.decode('hex')
>>> pskc.keys[0].secret
'12345678901234567890'
+>>> pskc.mac.algorithm
+'http://www.w3.org/2001/04/xmldsig-more#hmac-sha512'
+>>> pskc.mac.key
+'MacMacMacMacMacMacMa'
>>> pskc = PSKC('tests/kw-aes128.pskcxml')
diff --git a/tests/tripledes-cbc.pskcxml b/tests/tripledes-cbc.pskcxml
index 04d822b..96358f5 100644
--- a/tests/tripledes-cbc.pskcxml
+++ b/tests/tripledes-cbc.pskcxml
@@ -12,6 +12,14 @@
<EncryptionKey>
<ds:KeyName>Pre-shared-key</ds:KeyName>
</EncryptionKey>
+ <MACMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha512";>
+ <MACKey>
+ <xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
+ <xenc:CipherData>
+
<xenc:CipherValue>SVZJVklWSVbkU3i5koQy9wRwmtLzydqFV18QfbCMBR8=</xenc:CipherValue>
+ </xenc:CipherData>
+ </MACKey>
+ </MACMethod>
<KeyPackage>
<Key>
<Data>
@@ -22,6 +30,7 @@
<xenc:CipherValue>SVYxMjM0NTbvR25//t5tAuWfL+6ma90GGESqe3AlrJM=</xenc:CipherValue>
</xenc:CipherData>
</EncryptedValue>
+
<ValueMAC>4eM8sZbswb+q4q4qZ18q2Af5LEIzZy4M1Mz7XF6Gnc8KozCp87ykK10uOHZpdKLrc9j8Yz0dw9CtQUVcijQKgA==</ValueMAC>
</Secret>
</Data>
</Key>
http://arthurdejong.org/git/python-pskc/commit/?id=59e790e9181310a7991f2b172c56532b15eac654
commit 59e790e9181310a7991f2b172c56532b15eac654
Author: Arthur de Jong <arthur@arthurdejong.org>
Date: Sat Jun 14 18:03:29 2014 +0200
Automatically support all MACs in hashlib
This uses the name of the hash to automatically get the correct hash
object from Python's hashlib.
diff --git a/pskc/mac.py b/pskc/mac.py
index d65ccdb..e789b6d 100644
--- a/pskc/mac.py
+++ b/pskc/mac.py
@@ -31,10 +31,14 @@ with the PSKC encryption key.
import hashlib
import hmac
+import re
from pskc.encryption import EncryptedValue
+_hmac_url_re = re.compile(r'^.*#hmac-(?P<hash>[a-z0-9]+)$')
+
+
class ValueMAC(object):
"""Provide MAC checking ability to PSKC data values."""
@@ -57,12 +61,18 @@ class ValueMAC(object):
no key, etc.) or a boolean otherwise.
"""
if value is None or self._value_mac is None:
- return
- algorithm = self.mac.algorithm
+ return # no MAC present or nothing to check
key = self.mac.key
- if algorithm.endswith('#hmac-sha1') and key is not None:
- h = hmac.new(key, value, hashlib.sha1).digest()
- return h == self._value_mac
+ if key is None:
+ return False # no MAC key present
+ digestmod = None
+ match = _hmac_url_re.search(self.mac.algorithm)
+ if match:
+ digestmod = getattr(hashlib, match.group('hash'), None)
+ if digestmod is None:
+ return False # unknown algorithm
+ h = hmac.new(key, value, digestmod).digest()
+ return h == self._value_mac
class MAC(object):
-----------------------------------------------------------------------
Summary of changes:
pskc/encryption.py | 3 ++-
pskc/key.py | 31 +++++++++++----------
pskc/mac.py | 28 ++++++++++++++-----
tests/aes128-cbc.pskcxml | 9 +++++++
tests/aes192-cbc.pskcxml | 9 +++++++
tests/aes256-cbc.pskcxml | 9 +++++++
tests/invalid-mac-algorithm.pskcxml | 51 +++++++++++++++++++++++++++++++++++
tests/invalid-mac-value.pskcxml | 51 +++++++++++++++++++++++++++++++++++
tests/invalid-no-mac-method.pskcxml | 30 +++++++++++++++++++++
tests/test_encryption.doctest | 16 +++++++++++
tests/test_invalid.doctest | 40 +++++++++++++++++++++++++++
tests/tripledes-cbc.pskcxml | 9 +++++++
12 files changed, 262 insertions(+), 24 deletions(-)
create mode 100644 tests/invalid-mac-algorithm.pskcxml
create mode 100644 tests/invalid-mac-value.pskcxml
create mode 100644 tests/invalid-no-mac-method.pskcxml
hooks/post-receive
--
python-pskc
--
To unsubscribe send an email to
python-pskc-commits-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/python-pskc-commits/
- python-pskc branch master updated. 0.1-38-g1417d4a,
Commits of the python-pskc project
