Re: PSKC XML ActivIdentity format

[Arthur de Jong <arthur [at] arthurdejong.org>]

On Sat, 2016-12-17 at 21:41 +0000, Jaap Ruijgrok wrote:
> a2b_hex('************')#Transportkey obfuscated
> 
> '************'

You have inadvertently published the binary value of the key above. The
line should have been

  pskc.encryption.key = a2b_hex('************')

I have had a look into the PSKC file you provided with some more detail
and there are a few other places where the file does not follow the RFC
6030 spec (from the looks of it an expired draft version):

- the <EncryptionMethod> element is specified at the top level (under
  <KeyContainer>) while <EncryptionKey> is expected
- the file uses <DigestMethod> instead of <MACMethod>
- the file uses <Device> instead of <KeyPackage>
- the file uses <DeviceId> instead of <DeviceInfo>
- the file uses <Usage> instead of <AlgorithmParameters>

The above should not be too difficult to support with minimal changes,
however the elements that contain the actual useful information (key
secret and counter) are contained in <Data Name="SECRET"> and <Data
Name="COUNTER"> elements instead of <Secret> and <Counter> elements.
The structure is also different from RFC 6030 and to make things more
complicated the way to determine whether a value needs to be decrypted
is different.

I have some ongoing work to support multiple older PSKC formats but
that is not really ready for release yet. Having a concrete sample file
helps though. I'm happy to support any widely used PSKC flavour. If you
bring me in contact with someone at ActivIdentity I'm happy to add
support.

Your best bet for now is probably to request a new PSKC file that
conforms to RFC 6030 (I did that in the past with another provider).
You should probably also consider the token secrets no longer secret.

Kind regards,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --

-- 
To unsubscribe send an email to
python-pskc-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/python-pskc-users/