def gen_item(name,
vault,
uuid,
title=None,
url=None,
user=None,
password=None):
global items
ekid = vault_kids[vault]
overview = {'ainfo': 'account-name', 'title': title, 'url': url}
iv = read_default(name + 'ov_iv')
iv, enc_overview = optestlib.enc_aes_gcm(json.dumps(overview),
sym_keys[ekid], iv)
ov_dat = {
'data': optestlib.opb64e(enc_overview),
'iv': optestlib.opb64e(iv),
'kid': ekid,
'cty': 'b5+jwk+json',
'enc': 'A256GCM'
}
details = {
'fields': [{
'name': 'username',
'type': 'T',
'value': user
}, {
'name': 'password',
'type': 'P',
'value': password
}]
}
iv = read_default(name + 'det_iv')
iv, enc_details = optestlib.enc_aes_gcm(json.dumps(details),
sym_keys[ekid], iv)
det_dat = {
'data': optestlib.opb64e(enc_details),
'iv': optestlib.opb64e(iv),
'kid': ekid,
'cty': 'b5+jwk+json',
'enc': 'A256GCM'
}
out = {
'vault': vault,
'item_num': name,
'overview': ov_dat,
'details': det_dat
}
items[name] = out
def gen_sym_key(ekid, new_kid=None, iv=None, k=None):
out = {'kid': ekid, 'cty': 'b5+jwk+json'}
if new_kid != None:
kid = new_kid
else:
kid = gen_uuid()
if k != None:
new_key = k
else:
new_key = get_random_bytes(32)
key_dat = {
'alg': 'A256GCM',
'ext': True,
'key_ops': ['decrypt', 'encrypt'],
'kty': 'oct',
'kid': kid
}
key_dat['k'] = optestlib.opb64e(new_key)
key_dat_str = json.dumps(key_dat)
optestlib.p_str("New symmetric key", json.dumps(key_dat, indent=4))
sym_keys[kid] = new_key
if ekid == 'mp':
# sym_keys['mk'] = new_key
optestlib.p_debug('\n*** Encrypting sym key with AES kid %s' % ekid)
iv, ct = optestlib.enc_aes_gcm(key_dat_str, sym_keys[ekid], iv=iv)
optestlib.p_data('IV', iv, dump=False)
optestlib.p_data('KEY', sym_keys[ekid], dump=False)
optestlib.p_data('Ciphertext', ct, dump=False)
out['iv'] = optestlib.opb64e(iv)
out['data'] = optestlib.opb64e(ct)
out['enc'] = 'A256GCM'
else: # only the primary sym_key is itself AES encrypted, rest by RSA
optestlib.p_debug('\n*** Encrypting sym key with RSA kid %s\n' % ekid)
jwkj = '{"keys": [%s]}' % json.dumps(pub_keys[ekid])
jwk = load_jwks(jwkj)[0]
optestlib.p_str('Public key e:', jwk.e)
optestlib.p_str('Public key n:', jwk.n)
RSA_Key = RSA.construct((jwk.n, jwk.e))
C = PKCS1_OAEP.new(RSA_Key)
ct = C.encrypt(key_dat_str)
out['enc'] = 'RSA-OAEP'
out['data'] = optestlib.opb64e(ct)
optestlib.p_debug('')
optestlib.p_data('RSA-OAEP ciphertext', ct, dump=False)
return kid, out
def gen_rsa_key(ekid, pub=None, priv=None):
if priv == None:
new_priv = RSA.generate(2048)
jwk_priv = RSAKey(key=new_priv).to_dict()
iv = None
else:
iv = optestlib.opb64d(priv['iv'])
jwk_priv = priv['key']
if pub == None:
new_pub = new_priv.publickey()
jwk_pub = RSAKey(key=new_pub).to_dict()
else:
jwk_pub = pub
jwk_priv['alg'] = 'RSA-OAEP'
jwk_priv['key_ops'] = ['decrypt']
jwk_priv['kid'] = ekid
jwk_pub['key_ops'] = ['encrypt']
jwk_pub['alg'] = 'RSA-OAEP'
jwk_pub['ext'] = True
jwk_pub['kid'] = ekid
optestlib.p_str("New Private key", json.dumps(jwk_priv, indent=4))
pri_keys[ekid] = jwk_priv
pub_keys[ekid] = jwk_pub
key_dat_str = json.dumps(jwk_priv)
optestlib.p_debug('\n*** Encrypting pri key with AES kid %s' % ekid)
iv, ct = optestlib.enc_aes_gcm(key_dat_str, sym_keys[ekid], iv=iv)
optestlib.p_data('IV', iv, dump=False)
optestlib.p_data('KEY', sym_keys[ekid], dump=False)
optestlib.p_data('Ciphertext', ct, dump=False)
priv_out = {
'kid': ekid,
'cty': 'b5+jwk+json',
'enc': 'A256GCM',
'data': optestlib.opb64e(ct),
'iv': optestlib.opb64e(iv)
}
optestlib.p_str("New Public key", json.dumps(jwk_pub, indent=4))
return jwk_pub, priv_out
def enc_mac_login(kid, mac_login_data):
out_pt = json.dumps(mac_login_data)
iv = read_default('mac_enc_login_iv')
iv, ct = optestlib.enc_aes_gcm(out_pt, sym_keys[kid], iv=iv)
out = {
'iv': optestlib.opb64e(iv),
'data': optestlib.opb64e(ct),
'enc': 'A256GCM',
'cty': 'b5+jwk+json',
'kid': kid
}
optestlib.p_str('Encrypted macOS enc_login:', out)
return out
def gen_vault_entry(name, ekid):
global vaults
out = {'enc': 'A256GCM', 'kid': ekid, 'cty': 'b5+jwk+json'}
uuid = read_default(name + '.vault_uuid', decode=False) or gen_uuid()
attrs = {
'uuid': uuid,
'name': 'Test vault: %s' % name,
'type': 'P',
'desc': 'unk-b64-blob',
'avatar': ''
}
iv = read_default(name + '.iv')
iv, enc_attrs = optestlib.enc_aes_gcm(json.dumps(attrs),
sym_keys[ekid],
iv=iv)
out['data'] = optestlib.opb64e(enc_attrs)
out['iv'] = optestlib.opb64e(iv)
vaults[name] = out