def initialize_task_api_sessions(self): # Loop through background credentials and start the API sessions profiles = hxtool_global.hxtool_db.profileList() for profile in profiles: task_api_credential = hxtool_global.hxtool_db.backgroundProcessorCredentialGet(profile['profile_id']) if task_api_credential: decrypted_background_password = keyring.get_password("hxtool_{}".format(profile['profile_id']), task_api_credential['hx_api_username']) # TODO: eventually remove this code once most people are using keyring if not decrypted_background_password: logger.info("Background credential for {} is not using keyring, moving it.".format(profile['profile_id'])) try: salt = HXAPI.b64(task_api_credential['salt'], True) iv = HXAPI.b64(task_api_credential['iv'], True) key = crypt_pbkdf2_hmacsha256(salt, TASK_API_KEY) decrypted_background_password = crypt_aes(key, iv, task_api_credential['hx_api_encrypted_password'], decrypt = True) keyring.set_password("hxtool_{}".format(profile['profile_id']), task_api_credential['hx_api_username'], decrypted_background_password) hxtool_db.backgroundProcessorCredentialRemove(profile['profile_id']) hxtool_db.backgroundProcessorCredentialCreate(profile['profile_id'], task_api_credential['hx_api_username']) except (UnicodeDecodeError, ValueError): logger.error("Please reset the background credential for {} ({}).".format(profile['hx_host'], profile['profile_id'])) if decrypted_background_password: self._add_task_api_task(profile['profile_id'], profile['hx_host'], profile['hx_port'], task_api_credential['hx_api_username'], decrypted_background_password) decrypted_background_password = None else: logger.info("No background credential for {} ({}).".format(profile['hx_host'], profile['profile_id']))
def rotate_task_key(self, hxtool_db, use_legacy_key=False): if use_legacy_key: k = TASK_API_KEY else: k = self._read_task_api_key() new_key = crypt_generate_random(32) # Loop through background credentials and start the API sessions profiles = hxtool_db.profileList() for profile in profiles: task_api_credential = hxtool_db.backgroundProcessorCredentialGet( profile['profile_id']) if task_api_credential: salt = HXAPI.b64(task_api_credential['salt'], True) iv = HXAPI.b64(task_api_credential['iv'], True) key = crypt_pbkdf2_hmacsha256(salt, k) decrypted_background_password = crypt_aes( key, iv, task_api_credential['hx_api_encrypted_password'], decrypt=True) hxtool_db.backgroundProcessorCredentialRemove( profile['profile_id']) iv, salt, encrypted_password = self._encrypt_task_credential( new_key, decrypted_background_password) hxtool_db.backgroundProcessorCredentialCreate( profile['profile_id'], task_api_credential['hx_api_username'], HXAPI.b64(iv), HXAPI.b64(salt), encrypted_password) decrypted_background_password = None self._write_task_api_key(new_key)
def initialize_task_api_sessions(self): # Loop through background credentials and start the API sessions profiles = hxtool_global.hxtool_db.profileList() for profile in profiles: task_api_credential = hxtool_global.hxtool_db.backgroundProcessorCredentialGet( profile['profile_id']) if task_api_credential: try: salt = HXAPI.b64(task_api_credential['salt'], True) iv = HXAPI.b64(task_api_credential['iv'], True) key = crypt_pbkdf2_hmacsha256(salt, TASK_API_KEY) decrypted_background_password = crypt_aes( key, iv, task_api_credential['hx_api_encrypted_password'], decrypt=True) self._add_task_api_task( profile['profile_id'], profile['hx_host'], profile['hx_port'], task_api_credential['hx_api_username'], decrypted_background_password) decrypted_background_password = None except UnicodeDecodeError: logger.error( "Please reset the background credential for {} ({}).". format(profile['hx_host'], profile['profile_id'])) else: logger.info("No background credential for {} ({}).".format( profile['hx_host'], profile['profile_id']))
def add_task_api_session(self, profile_id, hx_host, hx_port, username, password): iv = crypt_generate_random(16) salt = crypt_generate_random(32) key = crypt_pbkdf2_hmacsha256(salt, TASK_API_KEY) encrypted_password = crypt_aes(key, iv, password) hxtool_global.hxtool_db.backgroundProcessorCredentialCreate( profile_id, username, HXAPI.b64(iv), HXAPI.b64(salt), encrypted_password) encrypted_password = None self._add_task_api_task(profile_id, hx_host, hx_port, username, password) password = None
def add_task_api_session(self, profile_id, hx_host, hx_port, username, password): iv = crypt_generate_random(16) salt = crypt_generate_random(32) k = self._read_task_api_key() iv, salt, encrypted_password = self._encrypt_task_credential( k, password) hxtool_global.hxtool_db.backgroundProcessorCredentialCreate( profile_id, username, HXAPI.b64(iv), HXAPI.b64(salt), encrypted_password) encrypted_password = None self._add_task_api_task(profile_id, hx_host, hx_port, username, password) password = None
def crypt_aes(key, iv, data, decrypt = False, base64_coding = True): cipher = AES.new(key, AES.MODE_OFB, iv) if decrypt: if base64_coding: data = HXAPI.b64(data, True) data = cipher.decrypt(data) data = unpad(data, 16).decode('utf-8') return data else: data = data.encode('utf-8') data = pad(data, 16) data = cipher.encrypt(data) if base64_coding: data = HXAPI.b64(data) return data
def ruleGet(self, rule_id): with self._lock: r = self._db.table('rules').get((tinydb.Query()['id'] == rule_id)) if r: return HXAPI.b64(r['rule'], decode = True, decode_string = True) else: return False
def crypt_aes(key, iv, data, decrypt=False, base64_coding=True): cipher = AES.new(key, AES.MODE_OFB, iv) if decrypt: if base64_coding: data = HXAPI.b64(data, True) data = cipher.decrypt(data).decode('utf-8') # Implement PKCS7 de-padding pad_length = ord(data[-1:]) if 1 <= pad_length <= 15: if all(c == chr(pad_length) for c in data[-pad_length:]): data = data[:len(data) - pad_length:] return data else: # Implement PKCS7 padding pad_length = 16 - (len(data) % 16) if pad_length < 16: data += (chr(pad_length) * pad_length) data = data.encode('utf-8') data = cipher.encrypt(data) if base64_coding: data = HXAPI.b64(data) return data