Esempio n. 1
0
    def stretch_passphrase(self, passphrase, salt):
        keys = {}
        sys.stdout.write(strings._('deriving_keys'))
        sys.stdout.flush()

        # start with the passphrase
        key = passphrase

        # derive a key for each cipher
        for cipher in common.ciphers:
            sys.stdout.write(' {0}'.format(cipher))
            sys.stdout.flush()

            # rounds of pbkdf2 and scrypt
            key = str(PBKDF2.crypt(key, salt.encode('hex'), 100000))
            key = scrypt.hash(key, salt, N=2**14, r=8, p=1)

            if cipher == 'aes256':
                # AES256 needs 256-bit (32-byte) key
                keys[cipher] = key[:32]
            elif cipher == 'blowfish':
                # Blowfish keys very from 32-448 bits, but we'll use 256-bit (32-byte) key
                keys[cipher] = key[:32]
            elif cipher == 'cast5':
                # CAST5 needs 128-bit (16-byte) key
                keys[cipher] = key[:16]

        sys.stdout.write('\n')

        return keys
Esempio n. 2
0
 def validate_password(self, attempt):
     ''' Check the password against existing credentials '''
     if self._password is not None:
         return self.password == PBKDF2.crypt(
             attempt, self.password,
         )
     else:
         return False
Esempio n. 3
0
 def post(self, *args, **kwargs):
     ''' Checks submitted username and password '''
     user = User.by_handle(self.get_argument('account', ''))
     password_attempt = self.get_argument('password', '')
     if user is not None:
         if user.validate_password(password_attempt):
             if not user.locked:
                 self.successful_login(user)
                 if self.config.story_mode and user.logins == 1 and not user.is_admin():
                     self.redirect('/user/missions/firstlogin')
                 else:
                     self.redirect('/user')
             else:
                 self.render('public/login.html',
                             info=None, errors=["Your account has been locked"])
         else:
             self.failed_login()
     else:
         if password_attempt is not None:
             PBKDF2.crypt(password_attempt, "BurnTheHashTime")
         self.failed_login()
Esempio n. 4
0
    def register(self):
        """
        Gets authentication info from a DPT-RP1.  You can call this BEFORE
        DigitalPaper.authenticate()

        Returns (ca, priv_key, client_id):
            - ca: a PEM-encoded X.509 server certificate, issued by the CA
                  on the device
            - priv_key: a PEM-encoded 2048-bit RSA private key
            - client_id: the client id
        """

        reg_url = "http://{addr}:8080".format(addr=self.addr)
        register_pin_url = "{base_url}/register/pin".format(base_url=reg_url)
        register_hash_url = "{base_url}/register/hash".format(base_url=reg_url)
        register_ca_url = "{base_url}/register/ca".format(base_url=reg_url)
        register_url = "{base_url}/register".format(base_url=reg_url)
        register_cleanup_url = "{base_url}/register/cleanup".format(
            base_url=reg_url)

        print("Cleaning up...")
        r = self.session.put(register_cleanup_url)
        print(r)

        print("Requesting PIN...")
        r = self.session.post(register_pin_url)
        m1 = r.json()

        n1 = base64.b64decode(m1["a"])
        mac = base64.b64decode(m1["b"])
        yb = base64.b64decode(m1["c"])
        yb = int.from_bytes(yb, "big")
        n2 = os.urandom(16)  # random nonce

        dh = DiffieHellman()
        ya = dh.gen_public_key()
        ya = b"\x00" + ya.to_bytes(256, "big")

        zz = dh.gen_shared_key(yb)
        zz = zz.to_bytes(256, "big")
        yb = yb.to_bytes(256, "big")

        derivedKey = PBKDF2(passphrase=zz,
                            salt=n1 + mac + n2,
                            iterations=10000,
                            digestmodule=SHA256).read(48)

        authKey = derivedKey[:32]
        keyWrapKey = derivedKey[32:]

        hmac = HMAC(authKey, digestmod=SHA256)
        hmac.update(n1 + mac + yb + n1 + n2 + mac + ya)
        m2hmac = hmac.digest()

        m2 = dict(
            a=base64.b64encode(n1).decode("utf-8"),
            b=base64.b64encode(n2).decode("utf-8"),
            c=base64.b64encode(mac).decode("utf-8"),
            d=base64.b64encode(ya).decode("utf-8"),
            e=base64.b64encode(m2hmac).decode("utf-8"),
        )

        print("Encoding nonce...")
        r = self.session.post(register_hash_url, json=m2)
        m3 = r.json()

        if base64.b64decode(m3["a"]) != n2:
            print("Nonce N2 doesn't match")
            return

        eHash = base64.b64decode(m3["b"])
        m3hmac = base64.b64decode(m3["e"])
        hmac = HMAC(authKey, digestmod=SHA256)
        hmac.update(n1 + n2 + mac + ya + m2hmac + n2 + eHash)
        if m3hmac != hmac.digest():
            print("M3 HMAC doesn't match")
            return

        pin = input("Please enter the PIN shown on the DPT-RP1: ")

        hmac = HMAC(authKey, digestmod=SHA256)
        hmac.update(pin.encode())
        psk = hmac.digest()

        rs = os.urandom(16)  # random nonce
        hmac = HMAC(authKey, digestmod=SHA256)
        hmac.update(rs + psk + yb + ya)
        rHash = hmac.digest()

        wrappedRs = wrap(rs, authKey, keyWrapKey)

        hmac = HMAC(authKey, digestmod=SHA256)
        hmac.update(n2 + eHash + m3hmac + n1 + rHash + wrappedRs)
        m4hmac = hmac.digest()

        m4 = dict(
            a=base64.b64encode(n1).decode("utf-8"),
            b=base64.b64encode(rHash).decode("utf-8"),
            d=base64.b64encode(wrappedRs).decode("utf-8"),
            e=base64.b64encode(m4hmac).decode("utf-8"),
        )

        print("Getting certificate from device CA...")
        r = self.session.post(register_ca_url, json=m4)
        print(r)

        m5 = r.json()

        if base64.b64decode(m5["a"]) != n2:
            print("Nonce N2 doesn't match")
            return

        wrappedEsCert = base64.b64decode(m5["d"])
        m5hmac = base64.b64decode(m5["e"])

        hmac = HMAC(authKey, digestmod=SHA256)
        hmac.update(n1 + rHash + wrappedRs + m4hmac + n2 + wrappedEsCert)
        if hmac.digest() != m5hmac:
            print("HMAC doesn't match!")
            return

        esCert = unwrap(wrappedEsCert, authKey, keyWrapKey)
        es = esCert[:16]
        cert = esCert[16:]

        hmac = HMAC(authKey, digestmod=SHA256)
        hmac.update(es + psk + yb + ya)
        if hmac.digest() != eHash:
            print("eHash does not match!")
            return

        # print("Certificate: ")
        # print(cert)

        print("Generating RSA2048 keys")
        new_key = RSA.generate(2048, e=65537)

        # with open("key.pem", 'wb') as f:
        #    f.write(new_key.exportKey("PEM"))

        keyPubC = new_key.publickey().exportKey("PEM")

        selfDeviceId = str(uuid.uuid4())
        print("Device ID: " + selfDeviceId)
        selfDeviceId = selfDeviceId.encode()

        # with open("client_id.txt", 'wb') as f:
        #    f.write(selfDeviceId)

        wrappedDIDKPUBC = wrap(selfDeviceId + keyPubC, authKey, keyWrapKey)

        hmac = HMAC(authKey, digestmod=SHA256)
        hmac.update(n2 + wrappedEsCert + m5hmac + n1 + wrappedDIDKPUBC)
        m6hmac = hmac.digest()

        m6 = dict(
            a=base64.b64encode(n1).decode("utf-8"),
            d=base64.b64encode(wrappedDIDKPUBC).decode("utf-8"),
            e=base64.b64encode(m6hmac).decode("utf-8"),
        )

        print("Registering device...")
        r = self.session.post(register_url, json=m6)
        print(r)

        print("Cleaning up...")
        r = self.session.put(register_cleanup_url)
        print(r)

        return (
            cert.decode("utf-8"),
            new_key.exportKey("PEM").decode("utf-8"),
            selfDeviceId.decode("utf-8"),
        )
Esempio n. 5
0
 def _hash_password(cls, password):
     return PBKDF2.crypt(password, iterations=ITERATE)
Esempio n. 6
0
def keyFromText(text, salt):
    optimalSize = max(AES.key_size)
    return PBKDF2(text, salt).read(optimalSize)
Esempio n. 7
0
def main(global_config, **settings):
    config = Configurator(
        autocommit=True,
        settings=settings,
        authentication_policy=AuthenticationPolicy(settings['auth.file'],
                                                   __name__),
        authorization_policy=AuthorizationPolicy(),
        route_prefix=route_prefix(settings),
    )
    config.include('pyramid_exclog')
    config.include("cornice")
    config.add_forbidden_view(forbidden)
    config.add_request_method(request_params, 'params', reify=True)
    config.add_request_method(authenticated_role, reify=True)
    config.add_request_method(extract_tender, 'tender', reify=True)
    config.add_request_method(check_accreditation)
    config.add_renderer('prettyjson', JSON(indent=4))
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    config.add_subscriber(add_logging_context, NewRequest)
    config.add_subscriber(set_logging_context, ContextFound)
    config.add_subscriber(set_renderer, NewRequest)
    config.add_subscriber(beforerender, BeforeRender)
    config.scan("openprocurement.edge.views.spore")
    config.scan("openprocurement.edge.views.health")
    config.scan("openprocurement.edge.views.tenders")

    if auctions_core:
        config.add_request_method(extract_auction, 'auction', reify=True)
        config.scan("openprocurement.edge.views.auctions")
        add_auction_design()

    if contracting:
        config.add_request_method(extract_contract, 'contract', reify=True)
        config.scan("openprocurement.edge.views.contracts")
        add_contract_design()

    if planning:
        config.add_request_method(extract_plan, 'plan', reify=True)
        config.scan("openprocurement.edge.views.plans")
        add_plan_design()

    # CouchDB connection
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    server = Server(settings.get('couchdb.url'),
                    session=Session(retry_delays=range(10)))
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        try:
            server.version()
        except Unauthorized:
            server = Server(
                extract_credentials(settings.get('couchdb.url'))[0])
    config.registry.couchdb_server = server
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'),
                         session=Session(retry_delays=range(10)))
        config.registry.admin_couchdb_server = aserver
        users_db = aserver['_users']
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security",
                        extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        username, password = server.resource.credentials
        user_doc = users_db.get(
            'org.couchdb.user:{}'.format(username),
            {'_id': 'org.couchdb.user:{}'.format(username)})
        if not user_doc.get(
                'derived_key', '') or PBKDF2(password, user_doc.get(
                    'salt', ''), user_doc.get('iterations', 10)).hexread(
                        int(len(user_doc.get('derived_key', '')) /
                            2)) != user_doc.get('derived_key', ''):
            user_doc.update({
                "name": username,
                "roles": [],
                "type": "user",
                "password": password
            })
            LOGGER.info("Updating edge db main user",
                        extra={'MESSAGE_ID': 'update_edge_main_user'})
            users_db.save(user_doc)
        security_users = [
            username,
        ]
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            reader = users_db.get(
                'org.couchdb.user:{}'.format(reader_username),
                {'_id': 'org.couchdb.user:{}'.format(reader_username)})
            if not reader.get('derived_key', '') or PBKDF2(
                    settings.get('couchdb.reader_password'),
                    reader.get('salt', ''), reader.get(
                        'iterations', 10)).hexread(
                            int(len(reader.get('derived_key', '')) /
                                2)) != reader.get('derived_key', ''):
                reader.update({
                    "name":
                    reader_username,
                    "roles": ['reader'],
                    "type":
                    "user",
                    "password":
                    settings.get('couchdb.reader_password')
                })
                LOGGER.info("Updating edge db reader user",
                            extra={'MESSAGE_ID': 'update_edge_reader_user'})
                users_db.save(reader)
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        SECURITY[u'members'][u'names'] = security_users
        if SECURITY != db.security:
            LOGGER.info("Updating edge db security",
                        extra={'MESSAGE_ID': 'update_edge_security'})
            db.security = SECURITY
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get(
                'validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating edge db validate doc",
                        extra={'MESSAGE_ID': 'update_edge_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
    config.registry.db = db

    config.registry.server_id = settings.get('id', '')
    config.registry.health_threshold = float(
        settings.get('health_threshold', 99))
    config.registry.update_after = asbool(settings.get('update_after', True))
    return config.make_wsgi_app()
Esempio n. 8
0
 def _hash_password(self, raw_pwd):
     return PBKDF2.crypt(raw_pwd, iterations=0x2537)
Esempio n. 9
0
    def __init__(self, cookie_file=None, domain_name="", key_file=None):
        self.salt = b"saltysalt"
        self.iv = b" " * 16
        self.length = 16
        # below is domain name to filter cookies by
        self.domain_name = domain_name
        if sys.platform == "darwin":
            # Chrome on OSX
            my_pass = keyring.get_password("Chrome Safe Storage",
                                           "Chrome").encode("utf8")
            iterations = 1003  # count of pbkdf2 iterations for mac os
            self.key = PBKDF2(my_pass, self.salt,
                              iterations=iterations).read(self.length)
            cookie_file = cookie_file or os.path.expanduser(
                "~/Library/Application Support/Google/Chrome/Default/Cookies")

        elif sys.platform.startswith("linux"):
            # Chrome on Linux
            # encrypted with key peanuts
            my_pass = get_linux_pass().encode("utf8")
            iterations = 1
            self.key = PBKDF2(my_pass, self.salt,
                              iterations=iterations).read(self.length)
            paths = map(
                os.path.expanduser,
                [
                    "~/.config/google-chrome/Default/Cookies",
                    "~/.config/chromium/Default/Cookies",
                    "~/.config/google-chrome-beta/Default/Cookies",
                ],
            )
            cookie_file = cookie_file or next(filter(os.path.exists, paths),
                                              None)
        elif sys.platform == "win32":

            # Read key from file
            key_file = (key_file or glob.glob(
                os.path.join(
                    os.getenv("APPDATA", ""),
                    "..\Local\\Google\\Chrome\\User Data\\Local State",
                )) or glob.glob(
                    os.path.join(
                        os.getenv("LOCALAPPDATA", ""),
                        "Google\\Chrome\\User Data\\Local State",
                    )) or glob.glob(
                        os.path.join(
                            os.getenv("APPDATA", ""),
                            "Google\\Chrome\\User Data\\Local State",
                        )))

            if isinstance(key_file, list):
                if key_file:
                    key_file = key_file[0]

            if key_file:
                f = open(key_file, "rb")
                key_file_json = json.load(f)
                key64 = key_file_json["os_crypt"]["encrypted_key"].encode(
                    "utf-8")

                # unprotect data
                keydpapi = base64.standard_b64decode(key64)[5:]
                _, self.key = crypt_unprotect_data(keydpapi, is_key=True)

            # cookie extraction from APPDATA
            #  \\ is required to prevent unicode error in windows
            cookie_file = (cookie_file or windows_group_policy_path(
            ) or glob.glob(
                os.path.join(
                    os.getenv("APPDATA", ""),
                    "..\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
                )) or glob.glob(
                    os.path.join(
                        os.getenv("LOCALAPPDATA", ""),
                        "Google\\Chrome\\User Data\\Default\\Cookies",
                    )) or glob.glob(
                        os.path.join(
                            os.getenv("APPDATA", ""),
                            "Google\\Chrome\\User Data\\Default\\Cookies",
                        )))
        else:
            raise BrowserCookieError("OS not supported")

        if isinstance(cookie_file, list):
            if not cookie_file:
                raise BrowserCookieError("Failed to fetch Chrome cookie")
            cookie_file = cookie_file[0]

        self.tmp_cookie_file = create_local_copy(cookie_file)
Esempio n. 10
0
def main(global_config, **settings):
    config = Configurator(
        autocommit=True,
        settings=settings,
        authentication_policy=AuthenticationPolicy(settings['auth.file'],
                                                   __name__),
        authorization_policy=AuthorizationPolicy(),
        route_prefix=route_prefix(settings),
    )
    config.include('pyramid_exclog')
    config.include("cornice")
    config.add_forbidden_view(forbidden)
    config.add_request_method(request_params, 'params', reify=True)
    config.add_request_method(authenticated_role, reify=True)
    config.add_request_method(extract_tender, 'tender', reify=True)
    config.add_request_method(check_accreditation)
    config.add_renderer('prettyjson', JSON(indent=4))
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    config.add_subscriber(add_logging_context, NewRequest)
    config.add_subscriber(set_logging_context, ContextFound)
    config.add_subscriber(set_renderer, NewRequest)
    config.add_subscriber(beforerender, BeforeRender)
    config.scan("openprocurement.api.views.spore")
    config.scan("openprocurement.api.views.health")

    # tender procurementMethodType plugins support
    config.add_route_predicate('procurementMethodType', isTender)
    config.registry.tender_procurementMethodTypes = {}
    config.add_request_method(tender_from_data)
    config.add_directive('add_tender_procurementMethodType',
                         register_tender_procurementMethodType)

    # search for plugins
    plugins = settings.get('plugins') and settings['plugins'].split(',')
    for entry_point in iter_entry_points('openprocurement.api.plugins'):
        if not plugins or entry_point.name in plugins:
            plugin = entry_point.load()
            plugin(config)

    # CouchDB connection
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    server = Server(settings.get('couchdb.url'),
                    session=Session(retry_delays=range(10)))
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        try:
            server.version()
        except Unauthorized:
            server = Server(
                extract_credentials(settings.get('couchdb.url'))[0])
    config.registry.couchdb_server = server
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'),
                         session=Session(retry_delays=range(10)))
        config.registry.admin_couchdb_server = aserver
        users_db = aserver['_users']
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security",
                        extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        username, password = server.resource.credentials
        user_doc = users_db.get(
            'org.couchdb.user:{}'.format(username),
            {'_id': 'org.couchdb.user:{}'.format(username)})
        if not user_doc.get(
                'derived_key', '') or PBKDF2(password, user_doc.get(
                    'salt', ''), user_doc.get('iterations', 10)).hexread(
                        int(len(user_doc.get('derived_key', '')) /
                            2)) != user_doc.get('derived_key', ''):
            user_doc.update({
                "name": username,
                "roles": [],
                "type": "user",
                "password": password
            })
            LOGGER.info("Updating api db main user",
                        extra={'MESSAGE_ID': 'update_api_main_user'})
            users_db.save(user_doc)
        security_users = [
            username,
        ]
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            reader = users_db.get(
                'org.couchdb.user:{}'.format(reader_username),
                {'_id': 'org.couchdb.user:{}'.format(reader_username)})
            if not reader.get('derived_key', '') or PBKDF2(
                    settings.get('couchdb.reader_password'),
                    reader.get('salt', ''), reader.get(
                        'iterations', 10)).hexread(
                            int(len(reader.get('derived_key', '')) /
                                2)) != reader.get('derived_key', ''):
                reader.update({
                    "name":
                    reader_username,
                    "roles": ['reader'],
                    "type":
                    "user",
                    "password":
                    settings.get('couchdb.reader_password')
                })
                LOGGER.info("Updating api db reader user",
                            extra={'MESSAGE_ID': 'update_api_reader_user'})
                users_db.save(reader)
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        SECURITY[u'members'][u'names'] = security_users
        if SECURITY != db.security:
            LOGGER.info("Updating api db security",
                        extra={'MESSAGE_ID': 'update_api_security'})
            db.security = SECURITY
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get(
                'validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc",
                        extra={'MESSAGE_ID': 'update_api_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
    config.registry.db = db

    # migrate data
    if not os.environ.get('MIGRATION_SKIP'):
        migrate_data(config.registry.db)

    # S3 connection
    if 'aws.access_key' in settings and 'aws.secret_key' in settings and 'aws.s3_bucket' in settings:
        connection = S3Connection(settings['aws.access_key'],
                                  settings['aws.secret_key'])
        config.registry.s3_connection = connection
        bucket_name = settings['aws.s3_bucket']
        if bucket_name not in [b.name for b in connection.get_all_buckets()]:
            connection.create_bucket(bucket_name, location=Location.EU)
        config.registry.bucket_name = bucket_name
    config.registry.server_id = settings.get('id', '')
    config.registry.health_threshold = float(
        settings.get('health_threshold', 99))
    config.registry.update_after = asbool(settings.get('update_after', True))
    return config.make_wsgi_app()
Esempio n. 11
0
 def _hash_password(cls, password):
     return PBKDF2.crypt(password + STATIC_SALT, iterations=ITERATE)
Esempio n. 12
0
 def auth_password(self, other_password):
     if self._password is not None:
         return self.password == PBKDF2.crypt(other_password, self.password)
     else:
         return False
Esempio n. 13
0
def main(global_config, **settings):
    config = Configurator(
        settings=settings,
        root_factory=factory,
        authentication_policy=AuthenticationPolicy(settings['auth.file'],
                                                   __name__),
        authorization_policy=AuthorizationPolicy(),
        route_prefix=ROUTE_PREFIX,
    )
    config.add_forbidden_view(forbidden)
    config.add_request_method(authenticated_role, reify=True)
    config.add_renderer('prettyjson', JSON(indent=4))
    config.add_renderer('jsonp', JSONP(param_name='opt_jsonp'))
    config.add_renderer('prettyjsonp', JSONP(indent=4, param_name='opt_jsonp'))
    if JournalHandler:
        config.add_subscriber(set_journal_handler, NewRequest)
        config.add_subscriber(update_journal_handler_role, ContextFound)
        config.add_subscriber(cleanup_journal_handler, BeforeRender)
    config.add_subscriber(set_renderer, NewRequest)
    config.add_subscriber(beforerender, BeforeRender)
    config.include('pyramid_exclog')
    config.include("cornice")
    config.scan("openprocurement.api.views")

    # CouchDB connection
    db_name = os.environ.get('DB_NAME', settings['couchdb.db_name'])
    server = Server(settings.get('couchdb.url'),
                    session=Session(retry_delays=range(10)))
    if 'couchdb.admin_url' not in settings and server.resource.credentials:
        try:
            server.version()
        except Unauthorized:
            server = Server(
                extract_credentials(settings.get('couchdb.url'))[0])
    config.registry.couchdb_server = server
    if 'couchdb.admin_url' in settings and server.resource.credentials:
        aserver = Server(settings.get('couchdb.admin_url'),
                         session=Session(retry_delays=range(10)))
        users_db = aserver['_users']
        if SECURITY != users_db.security:
            LOGGER.info("Updating users db security",
                        extra={'MESSAGE_ID': 'update_users_security'})
            users_db.security = SECURITY
        username, password = server.resource.credentials
        user_doc = users_db.get(
            'org.couchdb.user:{}'.format(username),
            {'_id': 'org.couchdb.user:{}'.format(username)})
        if not user_doc.get(
                'derived_key', '') or PBKDF2(password, user_doc.get(
                    'salt', ''), user_doc.get('iterations', 10)).hexread(
                        int(len(user_doc.get('derived_key', '')) /
                            2)) != user_doc.get('derived_key', ''):
            user_doc.update({
                "name": username,
                "roles": [],
                "type": "user",
                "password": password
            })
            LOGGER.info("Updating api db main user",
                        extra={'MESSAGE_ID': 'update_api_main_user'})
            users_db.save(user_doc)
        security_users = [
            username,
        ]
        if 'couchdb.reader_username' in settings and 'couchdb.reader_password' in settings:
            reader_username = settings.get('couchdb.reader_username')
            reader = users_db.get(
                'org.couchdb.user:{}'.format(reader_username),
                {'_id': 'org.couchdb.user:{}'.format(reader_username)})
            if not reader.get('derived_key', '') or PBKDF2(
                    settings.get('couchdb.reader_password'),
                    reader.get('salt', ''), reader.get(
                        'iterations', 10)).hexread(
                            int(len(reader.get('derived_key', '')) /
                                2)) != reader.get('derived_key', ''):
                reader.update({
                    "name":
                    reader_username,
                    "roles": ['reader'],
                    "type":
                    "user",
                    "password":
                    settings.get('couchdb.reader_password')
                })
                LOGGER.info("Updating api db reader user",
                            extra={'MESSAGE_ID': 'update_api_reader_user'})
                users_db.save(reader)
            security_users.append(reader_username)
        if db_name not in aserver:
            aserver.create(db_name)
        db = aserver[db_name]
        SECURITY[u'members'][u'names'] = security_users
        if SECURITY != db.security:
            LOGGER.info("Updating api db security",
                        extra={'MESSAGE_ID': 'update_api_security'})
            db.security = SECURITY
        auth_doc = db.get(VALIDATE_DOC_ID, {'_id': VALIDATE_DOC_ID})
        if auth_doc.get(
                'validate_doc_update') != VALIDATE_DOC_UPDATE % username:
            auth_doc['validate_doc_update'] = VALIDATE_DOC_UPDATE % username
            LOGGER.info("Updating api db validate doc",
                        extra={'MESSAGE_ID': 'update_api_validate_doc'})
            db.save(auth_doc)
        # sync couchdb views
        sync_design(db)
        db = server[db_name]
    else:
        if db_name not in server:
            server.create(db_name)
        db = server[db_name]
        # sync couchdb views
        sync_design(db)
    config.registry.db = db

    # migrate data
    migrate_data(config.registry.db)

    # S3 connection
    if 'aws.access_key' in settings and 'aws.secret_key' in settings and 'aws.s3_bucket' in settings:
        connection = S3Connection(settings['aws.access_key'],
                                  settings['aws.secret_key'])
        config.registry.s3_connection = connection
        bucket_name = settings['aws.s3_bucket']
        if bucket_name not in [b.name for b in connection.get_all_buckets()]:
            connection.create_bucket(bucket_name, location=Location.EU)
        config.registry.bucket_name = bucket_name
    return config.make_wsgi_app()
Esempio n. 14
0
 def _hash_password(self, password):
     return PBKDF2.crypt(password, iterations=0x2537)
Esempio n. 15
0
 def validate_password(self, attempt):
     """ Check the password against existing credentials """
     if self._password is not None:
         return self.password == PBKDF2.crypt(attempt, self.password)
     else:
         return False
Esempio n. 16
0
 def check_password(self, raw_pwd):
     if not raw_pwd:
         return None
     return self.password == PBKDF2.crypt(raw_pwd, self.password)
Esempio n. 17
0
 def get_salt(self, key):
     # Salt is generated as the hash of the key with it's own salt acting like a seed value
     return PBKDF2(key, Storage.salt_seed).read(self.sal_size)
Esempio n. 18
0
 def _hash_password(cls, password):
     return PBKDF2.crypt(password, iterations=ITERATE)
Esempio n. 19
0
import pytest
from pbkdf2 import PBKDF2
import random
import string
import tempfile

from two1.bitcoin.crypto import HDKey, HDPrivateKey
from two1.bitcoin.utils import bytes_to_str
from two1.bitcoin.utils import rand_bytes
from two1.blockchain.mock_provider import MockProvider
from two1.wallet import exceptions
from two1.wallet.two1_wallet import Two1Wallet

enc_key_salt = b'\xaa\xbb\xcc\xdd'
passphrase = "test_wallet"
passphrase_hash = PBKDF2.crypt(passphrase)

master_key = "xprv9s21ZrQH143K2dUcTctuNw8oV8e7gi4ZbHFGAnyGJtWwmKbKTbLGtx48DQGzioGDdhVn8zFhJe8hbDdfDnK19ykxjwXLzd6EpxnTqi4zQGN"  # nopep8
master_seed = "tuna object element cancel hard nose faculty noble swear net subway offer"

mkey_enc, mseed_enc = Two1Wallet.encrypt(master_key=master_key,
                                         master_seed=master_seed,
                                         passphrase=passphrase,
                                         key_salt=enc_key_salt)

config = {'master_key': mkey_enc,
          'master_seed': mseed_enc,
          'locked': True,
          'passphrase_hash': passphrase_hash,
          'key_salt': bytes_to_str(enc_key_salt),
          'account_type': "BIP44BitcoinMainnet",
Esempio n. 20
0
def decrypt(key, salt, text):
    key = PBKDF2(key, salt).read(32)
    text = base64.b64decode(text)
    aes = pyaes.AESModeOfOperationCTR(key)
    decrypted = aes.decrypt(text)
    return decrypted.decode('utf-8')
Esempio n. 21
0
    def __init__(self, cookie_file=None, domain_name=""):
        self.salt = b'saltysalt'
        self.iv = b' ' * 16
        self.length = 16
        # domain name to filter cookies by
        self.domain_name = domain_name
        if sys.platform == 'darwin':
            # running Chrome on OSX
            my_pass = keyring.get_password('Chrome Safe Storage',
                                           'Chrome').encode(
                                               'utf8')  # get key from keyring
            iterations = 1003  # number of pbkdf2 iterations on mac
            self.key = PBKDF2(my_pass, self.salt,
                              iterations=iterations).read(self.length)
            cookie_file = cookie_file \
                          or os.path.expanduser('~/Library/Application Support/Google/Chrome/Default/Cookies')

        elif sys.platform.startswith('linux'):
            # running Chrome on Linux
            # chrome linux is encrypted with the key peanuts
            my_pass = get_linux_pass().encode('utf8')
            iterations = 1
            self.key = PBKDF2(my_pass, self.salt,
                              iterations=iterations).read(self.length)
            paths = map(os.path.expanduser, [
                '~/.config/google-chrome/Default/Cookies',
                '~/.config/chromium/Default/Cookies',
                '~/.config/google-chrome-beta/Default/Cookies'
            ])
            cookie_file = cookie_file or next(filter(os.path.exists, paths),
                                              None)
        elif sys.platform == "win32":

            # Read key from file
            key_file = glob.glob(
                os.path.join(os.getenv('APPDATA', ''), '..\Local\\Google\\Chrome\\User Data\\Local State')) \
                       or glob.glob(
                os.path.join(os.getenv('LOCALAPPDATA', ''), 'Google\\Chrome\\User Data\\Local State')) \
                       or glob.glob(os.path.join(os.getenv('APPDATA', ''), 'Google\\Chrome\\User Data\\Local State'))

            if isinstance(key_file, list):
                if key_file:
                    key_file = key_file[0]

            if key_file:
                f = open(key_file, 'rb')
                key_file_json = json.load(f)
                key64 = key_file_json['os_crypt']['encrypted_key'].encode(
                    'utf-8')

                # Decode Key, get rid of DPAPI prefix, unprotect data
                keydpapi = base64.standard_b64decode(key64)[5:]
                _, self.key = crypt_unprotect_data(keydpapi, is_key=True)

            # get cookie file from APPDATA
            # Note: in windows the \\ is required before a u to stop unicode errors
            cookie_file = cookie_file or windows_group_policy_path() \
                          or glob.glob(
                os.path.join(os.getenv('APPDATA', ''), '..\Local\\Google\\Chrome\\User Data\\Default\\Cookies')) \
                          or glob.glob(
                os.path.join(os.getenv('LOCALAPPDATA', ''), 'Google\\Chrome\\User Data\\Default\\Cookies')) \
                          or glob.glob(
                os.path.join(os.getenv('APPDATA', ''), 'Google\\Chrome\\User Data\\Default\\Cookies'))
        else:
            raise BrowserCookieError(
                "OS not recognized. Works on Chrome for OSX, Windows, and Linux."
            )

        # if the type of cookie_file is list, use the first element in the list
        if isinstance(cookie_file, list):
            if not cookie_file:
                raise BrowserCookieError('Failed to find Chrome cookie')
            cookie_file = cookie_file[0]

        self.tmp_cookie_file = create_local_copy(cookie_file)
Esempio n. 22
0
def getKey(passwd, length, salt=None):
#-------------------------------------------------------------------------------
    if salt is None:
        salt = mkSalt(8)
    return PBKDF2(passwd, salt).read(length)
Esempio n. 23
0
 def to_seed(cls, mnemonic, passphrase=''):
     mnemonic = cls.normalize_string(mnemonic)
     passphrase = cls.normalize_string(passphrase)
     return PBKDF2(mnemonic, u'mnemonic' + passphrase, iterations=PBKDF2_ROUNDS, macmodule=hmac, digestmodule=hashlib.sha512).read(64)
Esempio n. 24
0
def encrypt(key, text):
    salt = ''.join(random.choices(string.ascii_letters + string.digits, k=12))
    key = PBKDF2(key, salt).read(32)
    aes = pyaes.AESModeOfOperationCTR(key)
    ciphertext = aes.encrypt(text.encode('utf-8'))
    return (salt, base64.b64encode(ciphertext).decode())