def test_encryption():
    """Round-trip smoke test for the key-derivation and AES-GCM helpers.

    Checks that ``derive_key`` returns the same MCF string when it is given
    the ``$pbkdf2$...$`` prefix rebuilt from an earlier result, and that
    ``decrypt_aes_gcm`` inverts ``encrypt_aes_gcm``.  The HKDF and HMAC calls
    at the end only print their output; nothing is asserted about them, so
    that part verifies nothing automatically.
    """
    passphrase = 'Password1*'

    # Default parameters: deriving again from the rebuilt prefix (fields 2
    # and 3 of the MCF string, without the derived value in field 4) must
    # reproduce the full MCF string.
    first = derive_key(passphrase)
    parts = first.split('$')
    prefix = '$'.join(['', 'pbkdf2', parts[2], parts[3], ''])
    assert first == derive_key(passphrase, prefix)

    # Same round trip with an explicit third argument.
    # NOTE(review): the meaning of 128 is defined by derive_key, not shown here.
    first = derive_key(passphrase, '', 128)
    parts = first.split('$')
    prefix = '$'.join(['', 'pbkdf2', parts[2], parts[3], ''])
    assert first == derive_key(passphrase, prefix, 128)

    # Disabled scrypt round trip -- requires OpenSSL 1.1.0 or later.
    # mcf = scrypt_key ('Password1*')
    # fields = mcf.split('$')
    # newmcf = scrypt_key ('Password1*', '$scrypt$' + fields[2] + '$' + fields[3] + '$')
    # assert (mcf == newmcf)

    # AES-GCM round trip with a random 12-byte IV and a random 32-byte key.
    nonce = os.urandom(12)
    aes_key = os.urandom(32)
    message = b'Hi there'
    sealed = encrypt_aes_gcm(aes_key, nonce, message)
    assert decrypt_aes_gcm(aes_key, nonce, sealed) == message

    # Fixed test inputs; the salt decodes to b'1234567890abcdefghijklmnopqrstuv'.
    salt = base64.b64decode('MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0dXY=')
    secret = base64.b64decode('6EVdXfSkSX+I15ZXGCRRH4TnpBnt17ivih5Nd7DxkPQ=')

    # Printed for manual comparison only.  The parenthesised single-argument
    # form prints the same text under the Python 2 print statement.
    print(base64.b64encode(hkdf_key(secret, b'yuki', salt)))
    print(base64.b64encode(hmac_sha256(secret, salt)))
    print(base64.b64encode(hmac_sha256(salt, secret)))
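def generate_all(db_conf, password, defines):
    """Generate all files (on database update).

    Obtains the database plaintext from ``crypto.dec_db``, re-encrypts it with
    ``encrypt_json`` and regenerates the JSON, desktop HTML, mobile HTML,
    bookmarklet and Chrome-extension outputs at the paths named in ``defines``.

    Args:
        db_conf: database configuration mapping; a copy of it becomes the
            generated JSON document and it is passed to the crypto helpers.
        password: password handed to ``crypto.derive_key`` and
            ``crypto.dec_db``.
        defines: mapping holding the ``path.*``, ``ui.*`` and ``page.*``
            settings used below.
    """
    tmp_dir = defines['path.tmp']
    mkdir(tmp_dir)
    try:
        if config.debug:
            # Close the dump file deterministically instead of relying on
            # garbage collection of the anonymous file object.
            with open(tmp_dir + "/0_defines", "w") as dump:
                dump.write(str(defines))

        key = crypto.derive_key(db_conf, password)
        db_plaintext = crypto.dec_db(db_conf, password,
                                     defines['path.db_cipher'],
                                     defines['path.db_hmac'])

        js = db_conf.copy()
        js['lock_timeout_minutes'] = defines['ui.lock_timeout_minutes']
        # Expose every "page.*" setting under js['page'] without the prefix.
        js['page'] = {
            name[5:]: value
            for name, value in defines.items()
            if name.startswith('page.')
        }
        js['cipher'] = encrypt_json(
            db_plaintext, key, db_conf,
            (defines['path.include'], defines['path.db_include']),
            tmp_path=tmp_dir, debug=config.debug)

        generate_cryptobox_json(js, defines['path.db_json'])
        generate_html(defines['path.html'] + "/desktop/index.html",
                      defines['path.db_html'], defines)
        generate_mhtml(defines['path.html'] + "/mobile/index.html",
                       defines['path.db_mobile_html'], defines)
        generate_bookmarklet(defines['path.bookmarklet'] + "/fill.js",
                             defines['path.db_bookmarklet_fill'], defines)
        generate_bookmarklet(defines['path.bookmarklet'] + "/form.js",
                             defines['path.db_bookmarklet_form'], defines)
        generate_chrome_extension()
    finally:
        # The scratch directory is handed to encrypt_json together with the
        # database plaintext, so it may hold sensitive intermediates
        # (NOTE(review): not visible here -- confirm).  Remove it even when a
        # generation step raises.  Any falsy debug value counts as non-debug,
        # matching the check that gates the dump above.
        if not config.debug:
            shutil.rmtree(tmp_dir)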
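def import_vault(csv_filename, password):
    """Import vault content from a CSV file and print it.

    With a password, the items are serialised as one JSON array, encrypted
    with AES-GCM under a key taken from ``derive_key`` and printed as
    base64(iv + ciphertext), followed by the ``$pbkdf2$...$`` parameter
    prefix needed to derive the key again.  Without a password each item is
    printed as plain, unencrypted JSON, one per line.

    Args:
        csv_filename: path of the CSV file, passed to ``read_csv``.
        password: text password; a falsy value selects the plaintext output.
    """
    items = read_csv(csv_filename)
    if not password:
        # No key available: the vault content goes to stdout in the clear.
        for item in items:
            print(json.dumps(item))
        return

    mcf = derive_key(password.encode('utf-8'))
    fields = mcf.split('$')
    key = base64.b64decode(fields[4])
    # Only the parameter prefix is printed; field 4, the derived key, is
    # deliberately left out of it.
    mcf = '$pbkdf2$' + fields[2] + '$' + fields[3] + '$'

    iv = os.urandom(12)
    # Joining keeps the exact item formatting and also yields a valid "[]"
    # for an empty CSV, where trimming a trailing comma produced just "]".
    contents = '[' + ','.join(json.dumps(item) for item in items) + ']'
    # NOTE(review): contents is text here; whether encrypt_aes_gcm accepts
    # text or needs bytes is not visible in this block -- confirm.
    payload = iv + encrypt_aes_gcm(key, iv, contents)
    print(base64.b64encode(payload))
    print(mcf)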
def preset_password(username, password):
    """Build the server-side entry for a new user or a password reset.

    The username and password are combined with ``hmac_sha256`` and the
    lower-case hex form of that digest, not the raw password, is fed to
    ``derive_key``.  Mixing in the username means two users with the same
    password do not send the same value, and the raw password is not what
    the browser/app passes along.

    Note that the hex digest is then the value the server authenticates:
    as far as this function shows, anyone who captures it can present it in
    place of the password, so it needs the same transport protection as a
    password would.

    Args:
        username: first argument to ``hmac_sha256``.
        password: second argument to ``hmac_sha256``.

    Returns:
        MCF-formatted entry for server-side authentication.
    """
    digest = hmac_sha256(username, password)
    hashword = base64.b16encode(digest).lower()
    return derive_key(hashword)
def decrypt_vault(self, userid, password):
    """Decrypt the vault contents using a key derived from a password.

    The key is derived from ``password`` and the ``mcf`` parameter prefix
    stored in the vault.  Every box whose ``contents`` is a string is treated
    as base64(iv + ciphertext) with a 12-byte IV, decrypted with AES-GCM and
    replaced by the parsed JSON value.

    Args:
        userid: identifies the vault, passed to ``self.get_vault``.
        password: text password to decrypt with.

    Returns:
        None.  A vault carrying an ``error`` entry is reported with ``print``
        and left untouched.
    """
    vault = self.get_vault(userid)
    if 'error' in vault:
        print(vault['error'])
        return

    # NOTE(review): this listing lost its indentation.  The loop needs `key`,
    # so it is placed under the 'mcf' check and the cache write is kept with
    # it -- confirm against the original layout.
    if 'mcf' not in vault:
        return

    derived = derive_key(password.encode('utf-8'), vault['mcf'])
    key = base64.b64decode(derived.split('$')[4])

    for safebox in vault:
        box = vault[safebox]
        if not isinstance(box, dict) or 'contents' not in box:
            continue
        if not isinstance(box['contents'], str):
            # Non-string contents are left as they are.
            continue
        raw = base64.b64decode(box['contents'])
        nonce, sealed = raw[:12], raw[12:]
        # NOTE(review): how decrypt_aes_gcm signals a failed decryption
        # (wrong password or modified data) is not visible here; confirm the
        # caller handles it, since nothing is caught in this method.
        box['contents'] = json.loads(decrypt_aes_gcm(key, nonce, sealed))
        vault[safebox] = box

    self.vaults[userid] = vault
def encrypt_vault(self, userid, password):
    """Encrypt the vault contents using a key derived from a password.

    Each box's ``contents`` is JSON-encoded, encrypted with AES-GCM under a
    fresh random 12-byte IV and stored as base64(iv + ciphertext).  The
    ``$pbkdf2$...$`` parameter prefix is saved in the vault under ``mcf`` so
    the key can be derived again from the password.

    Args:
        userid: identifies the vault, passed to ``self.get_vault``.
        password: text password to encrypt with.

    Returns:
        None.  A vault carrying an ``error`` entry is reported with ``print``
        and left untouched.
    """
    vault = self.get_vault(userid)
    if 'error' in vault:
        print(vault['error'])
        return

    # derive_key is called without a stored prefix here; presumably it picks
    # fresh parameters -- confirm against its definition.
    derived = derive_key(password.encode('utf-8'))
    parts = derived.split('$')
    key = base64.b64decode(parts[4])
    # Only fields 2 and 3 go into the stored prefix; field 4, the derived
    # key itself, is deliberately not written to the vault.
    stored_mcf = '$'.join(['', 'pbkdf2', parts[2], parts[3], ''])

    for safebox in vault:
        box = vault[safebox]
        if not (isinstance(box, dict) and 'contents' in box):
            continue
        # NOTE(review): nothing here checks whether the contents are already
        # encrypted; confirm callers only pass a decrypted vault.
        nonce = os.urandom(12)  # new IV per box, stored in front of the data
        sealed = encrypt_aes_gcm(key, nonce, json.dumps(box['contents']))
        box['contents'] = base64.b64encode(nonce + sealed)
        vault[safebox] = box

    vault['mcf'] = stored_mcf
    self.vaults[userid] = vault