def verify(sign, keyid, infile=None, outfile=None):
keyid=b85decode(keyid)
sign=b85decode(sign)
if(len(keyid)!=STORAGE_ID_LEN or len(sign)!= nacl.crypto_generichash_BYTES):
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile) if outfile else None
reset()
written=0
eps[USB_CRYPTO_EP_CTRL_IN].write("%s%s%s" % (USB_CRYPTO_CMD_VERIFY,sign,keyid))
tmp=read_ctrl(timeout=50)
if(tmp and tmp.startswith('err: ')):
return
pkt = fd.read(32768)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt)
if outfd: outfd.write(pkt)
pkt = fd.read(32768)
if(written%64==0):
eps[USB_CRYPTO_EP_DATA_IN].write(None)
read_ctrl()
res = eps[USB_CRYPTO_EP_DATA_OUT].read(1)
read_ctrl()
reset()
if fd != sys.stdin: fd.close()
if outfd and outfd != sys.stdout: outfd.close()
return res[0]
def sign_handler(infile=None,
outfile=None,
self=None,
basedir=None,
armor=False):
# provides a high level function to sign files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file,
# if unspecified but armor is, or if '-' or
# infile is unspecified, then it uses stdout
# otherwise it appends '.sig' to infile
# armor instructs the function to output ascii
# self specifies the sender for signing the message
# basedir provides a root for the keystores
# this function also handles buffering.
fd = inputfd(infile)
if (not outfile and armor) or outfile == '-' or (not infile
or infile == '-'):
outfd = sys.stdout
else:
outfd = open(outfile or infile + '.sig', 'w')
publickey.Identity(self, basedir=basedir).buffered_sign(fd, outfd, armor)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
def encrypt(peer, infile=None, outfile=None):
if len(peer)>PEER_NAME_MAX:
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile or infile+'.pbp' if infile else '-')
reset()
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_ENCRYPT+peer)
# needs to return keyid read it here
keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(STORAGE_ID_LEN)])
if(keyid.startswith('err: ')):
raise ValueError(keyid)
if len(keyid)<STORAGE_ID_LEN:
raise ValueError
pkt = fd.read(32768)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt)
if (wrote<32768 and not (wrote&0x3f)):
eps[USB_CRYPTO_EP_DATA_IN].write(None)
outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote+40)]))
pkt = fd.read(32768)
if(len(pkt)==32768):
eps[USB_CRYPTO_EP_DATA_IN].write(None)
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return keyid
def decrypt(keyid, infile=None, outfile=None):
keyid=b85decode(keyid)
if(len(keyid)!=STORAGE_ID_LEN):
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile or infile+'.pbp' if infile else '-')
reset()
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_DECRYPT+keyid)
tmp = read_ctrl(timeout=50)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
pkt = fd.read(32808)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt)
if (wrote<32808 and not (wrote&0x3f)):
eps[USB_CRYPTO_EP_DATA_IN].write(None)
tmp = read_ctrl(timeout=50)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote-40)]))
pkt = fd.read(32808)
if(len(pkt)==32808):
eps[USB_CRYPTO_EP_DATA_IN].write(None)
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
def sign(peer, infile=None, outfile=None):
if len(peer)>PEER_NAME_MAX:
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile)
reset()
written=0
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_SIGN+peer)
# needs to return keyid read it here
keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(STORAGE_ID_LEN)])
if(keyid.startswith('err: ')):
return
if len(keyid)<STORAGE_ID_LEN:
return
pkt = fd.read(32768)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt)
pkt = fd.read(32768)
if outfile: outfd.write(pkt)
if(written%64==0):
eps[USB_CRYPTO_EP_DATA_IN].write(None)
read_ctrl()
res = eps[USB_CRYPTO_EP_DATA_OUT].read(nacl.crypto_generichash_BYTES)
read_ctrl()
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return ''.join([chr(x) for x in res]), keyid
def decrypt_handler(infile=None, outfile=None, self=None, basedir=None):
# provides a high level function to do decryption of files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file, if not specified
# it uses the same filename with '.pbp' appended
# self specifies the recipient of the message for using pk crypto
# basedir provides a root for the keystores needed for pk crypto
# if self is specified pk crypto is used, otherwise symmetric
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile)
key = None
_type=struct.unpack('B',fd.read(1))[0]
# asym
if _type == ASYM_CIPHER:
if not self:
print >>sys.stderr, "Error: need to specify your own key using the --self param"
raise ValueError
size = struct.unpack('>L',fd.read(4))[0]
r = []
for _ in xrange(size):
rnonce = fd.read(nacl.crypto_box_NONCEBYTES)
ct = fd.read(struct.unpack('B', fd.read(1))[0])
r.append((rnonce,ct))
me = publickey.Identity(self, basedir=basedir)
me.clear()
sender, key = me.keydecrypt(r)
if not sender:
# print >>sys.stderr, 'good key from', sender
#else:
raise ValueError('decryption failed')
# sym
elif _type == BLOCK_CIPHER:
pwd = getpass.getpass('Passphrase for decrypting: ')
key = scrypt.hash(pwd, scrypt_salt)[:nacl.crypto_secretbox_KEYBYTES]
sender = None
clearmem(pwd)
else:
raise ValueError('decryption failed')
if key:
nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES)
while len(nonce) == nacl.crypto_secretbox_NONCEBYTES:
buf = fd.read(BLOCK_SIZE + (nacl.crypto_secretbox_ZEROBYTES - nacl.crypto_secretbox_BOXZEROBYTES))
if not buf:
raise ValueError('decryption failed')
break
outfd.write(decrypt((nonce, buf), k = key))
nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES)
clearmem(key)
if 0 < len(nonce) < nacl.crypto_secretbox_NONCEBYTES:
raise ValueError('decryption failed')
if fd != sys.stdin: fd.close()
if outfd != sys.stdout and type(outfd) == file: outfd.close()
return sender
def hash_handler(infile=None, k='', outlen=16):
fd = inputfd(infile)
# calculate hash sum of data
state = nacl.crypto_generichash_init(outlen=outlen, k=k or '')
while True:
block = fd.read(BLOCK_SIZE)
if not block.strip(): break
state = nacl.crypto_generichash_update(state, block)
if fd != sys.stdin: fd.close()
return nacl.crypto_generichash_final(state, outlen=outlen)
def hash_handler(infile=None, k='', outlen=16):
fd = inputfd(infile)
# calculate hash sum of data
state = nacl.crypto_generichash_init(outlen=outlen, k=k or '')
while True:
block = fd.read(BLOCK_SIZE)
if not block.strip(): break
state = nacl.crypto_generichash_update(state, block)
if fd != sys.stdin: fd.close()
return nacl.crypto_generichash_final(state, outlen=outlen)
def encrypt_handler(infile=None,
outfile=None,
recipient=None,
self=None,
basedir=None):
# provides a high level function to do encryption of files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file, if not specified
# it uses the same filename with '.pbp' appended
# recipient specifies the name of the recipient for using public key crypto
# self specifies the sender for signing the message using pk crypto
# basedir provides a root for the keystores needed for pk crypto
# if both self and recipient is specified pk crypto is used, otherwise symmetric
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile or
(infile + '.pbp' if infile not in [None, '-'] else '-'))
if recipient and self:
# let's do public key encryption
key = nacl.randombytes(nacl.crypto_secretbox_KEYBYTES)
me = publickey.Identity(self, basedir=basedir)
size = struct.pack('>H', len(recipient))
# write out encrypted message key (nonce, c(key+recplen)) for each recipient
for r in recipient:
r = publickey.Identity(r, basedir=basedir, publicOnly=True)
nonce = nacl.randombytes(nacl.crypto_box_NONCEBYTES)
outfd.write(nonce)
outfd.write(nacl.crypto_box(key + size, nonce, r.cp, me.cs))
me.clear()
else:
# let's do symmetric crypto
key = getkey(nacl.crypto_secretbox_KEYBYTES)
buf = fd.read(BLOCK_SIZE)
if buf:
nonce, cipher = encrypt(buf, k=key)
outfd.write(nonce)
outfd.write(cipher)
buf = fd.read(BLOCK_SIZE)
while buf:
nonce = inc_nonce(nonce)
nonce, cipher = encrypt(buf, k=key, nonce=nonce)
outfd.write(cipher)
buf = fd.read(BLOCK_SIZE)
clearmem(key)
key = None
if fd != sys.stdin: fd.close()
if outfd != sys.stdout and isinstance(outfd, file): outfd.close()
def chaining_decrypt_handler(infile=None, outfile=None, recipient=None, self=None, basedir=None):
# provides highlevel forward secure deccryption receive primitive for files
# for details see doc/chaining-dh.txt
# infile specifies the input file,
# outfile the filename of the output,
# self the sending parties name
# recipient the receiving peers name
# basedir the root directory used for key storage
fd = inputfd(infile)
outfd = outputfd(outfile or infile+'.pbp')
ctx=chaining.ChainingContext(self, recipient, basedir)
ctx.buffered_decrypt(fd, outfd)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
def verify_handler(infile=None, outfile=None, basedir=None):
# provides a high level function to verify signed files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file,
# basedir provides a root for the keystores
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile)
sender = publickey.buffered_verify(fd,outfd,basedir)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return sender
def verify_handler(infile=None, outfile=None, basedir=None):
# provides a high level function to verify signed files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file,
# basedir provides a root for the keystores
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile)
sender = publickey.buffered_verify(fd, outfd, basedir)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return sender
def encrypt_handler(infile=None, outfile=None, recipient=None, self=None, basedir=None):
# provides a high level function to do encryption of files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file, if not specified
# it uses the same filename with '.pbp' appended
# recipient specifies the name of the recipient for using public key crypto
# self specifies the sender for signing the message using pk crypto
# basedir provides a root for the keystores needed for pk crypto
# if both self and recipient is specified pk crypto is used, otherwise symmetric
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile or (infile+'.pbp' if infile not in [None,'-'] else '-'))
if recipient and self:
# let's do public key encryption
key = nacl.randombytes(nacl.crypto_secretbox_KEYBYTES)
me = publickey.Identity(self, basedir=basedir)
size = struct.pack('>H',len(recipient))
# write out encrypted message key (nonce, c(key+recplen)) for each recipient
for r in recipient:
r = publickey.Identity(r, basedir=basedir, publicOnly=True)
nonce = nacl.randombytes(nacl.crypto_box_NONCEBYTES)
outfd.write(nonce)
outfd.write(nacl.crypto_box(key+size, nonce, r.cp, me.cs))
me.clear()
else:
# let's do symmetric crypto
key = getkey(nacl.crypto_secretbox_KEYBYTES)
buf = fd.read(BLOCK_SIZE)
if buf:
nonce, cipher = encrypt(buf, k=key)
outfd.write(nonce)
outfd.write(cipher)
buf = fd.read(BLOCK_SIZE)
while buf:
nonce = inc_nonce(nonce)
nonce, cipher = encrypt(buf, k=key, nonce=nonce)
outfd.write(cipher)
buf = fd.read(BLOCK_SIZE)
clearmem(key)
key=None
if fd != sys.stdin: fd.close()
if outfd != sys.stdout and isinstance(outfd,file): outfd.close()
def encrypt_handler(infile=None, outfile=None, recipient=None, self=None, basedir=None):
# provides a high level function to do encryption of files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file, if not specified
# it uses the same filename with '.pbp' appended
# recipient specifies the name of the recipient for using public key crypto
# self specifies the sender for signing the message using pk crypto
# basedir provides a root for the keystores needed for pk crypto
# if both self and recipient is specified pk crypto is used, otherwise symmetric
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile or (infile+'.pbp' if infile else '-'))
if recipient and self:
# let's do public key encryption
key = nacl.randombytes(nacl.crypto_secretbox_KEYBYTES)
me = publickey.Identity(self, basedir=basedir)
peerkeys = me.keyencrypt(key, recipients=[publickey.Identity(x, basedir=basedir)
for x
in recipient])
me.clear()
outfd.write(struct.pack("B", ASYM_CIPHER))
outfd.write(struct.pack(">L", len(peerkeys)))
for rnonce, ct in peerkeys:
outfd.write(rnonce)
outfd.write(struct.pack("B", len(ct)))
outfd.write(ct)
else:
# let's do symmetric crypto
key = getkey(nacl.crypto_secretbox_KEYBYTES)
outfd.write(struct.pack("B", BLOCK_CIPHER))
buf = fd.read(BLOCK_SIZE)
while buf:
nonce, cipher = encrypt(buf, k=key)
outfd.write(nonce)
outfd.write(cipher)
buf = fd.read(BLOCK_SIZE)
clearmem(key)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout and type(outfd) == file: outfd.close()
def chaining_decrypt_handler(infile=None,
outfile=None,
recipient=None,
self=None,
basedir=None):
# provides highlevel forward secure deccryption receive primitive for files
# for details see doc/chaining-dh.txt
# infile specifies the input file,
# outfile the filename of the output,
# self the sending parties name
# recipient the receiving peers name
# basedir the root directory used for key storage
fd = inputfd(infile)
outfd = outputfd(outfile or infile + '.pbp')
ctx = chaining.ChainingContext(self, recipient, basedir)
ctx.buffered_decrypt(fd, outfd)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
def sign(peer, infile=None, outfile=None):
if len(peer)>PEER_NAME_MAX:
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile)
reset()
written=0
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_SIGN+peer, timeout=0)
tmp = read_ctrl(timeout=0)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
# needs to return keyid read it here
keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(EKID_SIZE, timeout=0)])
if(keyid.startswith('err: ')):
return
if len(keyid)<EKID_SIZE:
return
pkt = fd.read(32768)
tmp = read_ctrl(timeout=0)
if(tmp and tmp!="go"):
raise ValueError(tmp)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0)
pkt = fd.read(32768)
if outfile: outfd.write(pkt)
if(written%64==0):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
read_ctrl()
res = eps[USB_CRYPTO_EP_DATA_OUT].read(nacl.crypto_generichash_BYTES, timeout=0)
read_ctrl()
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return ''.join([chr(x) for x in res]), keyid
def sign_handler(infile=None, outfile=None, self=None, basedir=None, armor=False):
# provides a high level function to sign files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file,
# if unspecified but armor is, or if '-' or
# infile is unspecified, then it uses stdout
# otherwise it appends '.sig' to infile
# armor instructs the function to output ascii
# self specifies the sender for signing the message
# basedir provides a root for the keystores
# this function also handles buffering.
fd = inputfd(infile)
if (not outfile and armor) or outfile == '-' or (not infile or infile == '-'):
outfd = sys.stdout
else:
outfd = open(outfile or infile+'.sig','w')
publickey.Identity(self, basedir=basedir).buffered_sign(fd, outfd, armor)
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
def encrypt(peer, infile=None, outfile=None):
if len(peer)>PEER_NAME_MAX:
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile or infile+'.pbp' if infile else '-')
reset()
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_ENCRYPT+peer, timeout=0)
tmp = read_ctrl(timeout=0)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
# needs to return keyid read it here
keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(EKID_SIZE, timeout=0)])
if(keyid.startswith('err: ')):
raise ValueError(keyid)
if len(keyid)<EKID_SIZE:
print len(keyid),EKID_SIZE
print repr(keyid)
raise ValueError
pkt = fd.read(32768)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0)
if (wrote<32768 and not (wrote&0x3f)):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote+40, timeout=0)]))
pkt = fd.read(32768)
if(len(pkt)==32768):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
return keyid
def verify(sign, keyid, infile=None, outfile=None):
keyid=b85decode(keyid)
sign=b85decode(sign)
if(len(keyid)!=EKID_SIZE or len(sign)!= nacl.crypto_generichash_BYTES):
print len(keyid), EKID_SIZE, repr(keyid)
print len(sign), 32, repr(sign)
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile) if outfile else None
reset()
written=0
eps[USB_CRYPTO_EP_CTRL_IN].write("%s%s%s" % (USB_CRYPTO_CMD_VERIFY,sign,keyid), timeout=0)
tmp=read_ctrl(timeout=0)
if(tmp and tmp.startswith('err: ')):
return
tmp = read_ctrl(timeout=0)
if(tmp and tmp!="go"):
raise ValueError(tmp)
pkt = fd.read(32768)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0)
if outfd: outfd.write(pkt)
pkt = fd.read(32768)
if(written%64==0):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
read_ctrl()
res = eps[USB_CRYPTO_EP_DATA_OUT].read(1, timeout=0)
read_ctrl()
reset()
if fd != sys.stdin: fd.close()
if outfd and outfd != sys.stdout: outfd.close()
return res[0]
def decrypt(keyid, infile=None, outfile=None):
keyid=b85decode(keyid)
if(len(keyid)!=EKID_SIZE):
raise ValueError
fd = inputfd(infile)
outfd = outputfd(outfile or infile+'.pbp' if infile else '-')
reset()
eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_DECRYPT+keyid, timeout=0)
tmp = read_ctrl(timeout=0)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
tmp = read_ctrl(timeout=0)
pkt = fd.read(32808)
if(tmp and tmp!="go"):
raise ValueError(tmp)
#if len(pkt)>0:
# outfd.write(keyid)
while pkt:
wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0)
if (wrote<32808 and not (wrote&0x3f)):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
tmp = read_ctrl(timeout=50)
if(tmp and tmp.startswith('err: ')):
raise ValueError(tmp)
outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote-40, timeout=0)]))
pkt = fd.read(32808)
if(len(pkt)==32808):
eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0)
reset()
if fd != sys.stdin: fd.close()
if outfd != sys.stdout: outfd.close()
def decrypt_handler(infile=None,
outfile=None,
self=None,
peer=None,
max_recipients=20,
basedir=None):
# provides a high level function to do decryption of files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file, if not specified
# it uses the same filename with '.pbp' appended
# self specifies the recipient of the message for using pk crypto
# basedir provides a root for the keystores needed for pk crypto
# if self is specified pk crypto is used, otherwise symmetric
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile)
key = None
# asym
if self:
me = publickey.Identity(self, basedir=basedir)
if peer:
peer = publickey.Identity(peer, basedir=basedir, publicOnly=True)
sender = None
size = None
i = 0
while i < (max_recipients if not size else size):
i += 1
rnonce = fd.read(nacl.crypto_box_NONCEBYTES)
ct = fd.read(nacl.crypto_secretbox_KEYBYTES + 2 +
nacl.crypto_secretbox_MACBYTES)
if sender: continue
for keys in ([peer] if peer else publickey.get_public_keys(
basedir=basedir)):
try:
tmp = nacl.crypto_box_open(ct, rnonce, keys.cp, me.cs)
except ValueError:
continue
key = tmp[:nacl.crypto_secretbox_KEYBYTES]
size = struct.unpack('>H',
tmp[nacl.crypto_secretbox_KEYBYTES:])[0]
sender = keys.name
break
me.clear()
if not sender:
raise ValueError('decryption failed')
# sym
else:
pwd = getpass.getpass('Passphrase for decrypting: ')
key = scrypt.hash(pwd, scrypt_salt)[:nacl.crypto_secretbox_KEYBYTES]
sender = None
clearmem(pwd)
pwd = None
if key:
nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES)
buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES)
while buf:
outfd.write(decrypt((nonce, buf), k=key))
nonce = inc_nonce(nonce)
buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES)
clearmem(key)
key = None
if fd != sys.stdin: fd.close()
if outfd != sys.stdout and type(outfd) == file: outfd.close()
return sender
def decrypt_handler(infile=None, outfile=None, self=None, peer=None, max_recipients = 20, basedir=None):
# provides a high level function to do decryption of files
# infile specifies the filename of the input file,
# if '-' or not specified it uses stdin
# outfile specifies the filename of the output file, if not specified
# it uses the same filename with '.pbp' appended
# self specifies the recipient of the message for using pk crypto
# basedir provides a root for the keystores needed for pk crypto
# if self is specified pk crypto is used, otherwise symmetric
# this function also handles buffering.
fd = inputfd(infile)
outfd = outputfd(outfile)
key = None
# asym
if self:
me = publickey.Identity(self, basedir=basedir)
if peer:
peer = publickey.Identity(peer, basedir=basedir, publicOnly=True)
sender = None
size = None
i=0
while i < (max_recipients if not size else size):
i+=1
rnonce = fd.read(nacl.crypto_box_NONCEBYTES)
ct = fd.read(nacl.crypto_secretbox_KEYBYTES+2+nacl.crypto_secretbox_MACBYTES)
if sender: continue
for keys in ([peer] if peer else publickey.get_public_keys(basedir=basedir)):
try:
tmp = nacl.crypto_box_open(ct, rnonce, keys.cp, me.cs)
except ValueError:
continue
key = tmp[:nacl.crypto_secretbox_KEYBYTES]
size = struct.unpack('>H',tmp[nacl.crypto_secretbox_KEYBYTES:])[0]
sender = keys.name
break
me.clear()
if not sender:
raise ValueError('decryption failed')
# sym
else:
pwd = getpass.getpass('Passphrase for decrypting: ')
key = scrypt.hash(pwd, scrypt_salt)[:nacl.crypto_secretbox_KEYBYTES]
sender = None
clearmem(pwd)
pwd=None
if key:
nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES)
buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES)
while buf:
outfd.write(decrypt((nonce, buf), k = key))
nonce = inc_nonce(nonce)
buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES)
clearmem(key)
key = None
if fd != sys.stdin: fd.close()
if outfd != sys.stdout and type(outfd) == file: outfd.close()
return sender
