def gen_mac_login():
optestlib.p_debug('\n** Mac login details for accounts table')
enc_login = {'email': Email, 'personalKey': SecretKey}
muk = {
'k': optestlib.opb64e(sym_keys['mp']),
'key_ops': ['encrypt', 'decrypt'],
'alg': 'A256GCM',
'ext': True,
'key': 'oct',
'kid': 'mp'
}
srp = {
'hexX': optestlib.opb64e(sym_keys['srp-x']),
'params': {
'method': alg_srp,
'iterations': p2c_srp,
'alg': alg_muk,
'salt': optestlib.opb64e(p2s_srp)
}
}
enc_login['masterUnlockKey'] = muk
enc_login['SRPComputedXDictionary'] = srp
optestlib.p_str("mac enc_login contents:", json.dumps(enc_login, indent=4))
return enc_login
def gen_rsa_key(ekid, pub=None, priv=None):
if priv == None:
new_priv = RSA.generate(2048)
jwk_priv = RSAKey(key=new_priv).to_dict()
iv = None
else:
iv = optestlib.opb64d(priv['iv'])
jwk_priv = priv['key']
if pub == None:
new_pub = new_priv.publickey()
jwk_pub = RSAKey(key=new_pub).to_dict()
else:
jwk_pub = pub
jwk_priv['alg'] = 'RSA-OAEP'
jwk_priv['key_ops'] = ['decrypt']
jwk_priv['kid'] = ekid
jwk_pub['key_ops'] = ['encrypt']
jwk_pub['alg'] = 'RSA-OAEP'
jwk_pub['ext'] = True
jwk_pub['kid'] = ekid
optestlib.p_str("New Private key", json.dumps(jwk_priv, indent=4))
pri_keys[ekid] = jwk_priv
pub_keys[ekid] = jwk_pub
key_dat_str = json.dumps(jwk_priv)
optestlib.p_debug('\n*** Encrypting pri key with AES kid %s' % ekid)
iv, ct = optestlib.enc_aes_gcm(key_dat_str, sym_keys[ekid], iv=iv)
optestlib.p_data('IV', iv, dump=False)
optestlib.p_data('KEY', sym_keys[ekid], dump=False)
optestlib.p_data('Ciphertext', ct, dump=False)
priv_out = {
'kid': ekid,
'cty': 'b5+jwk+json',
'enc': 'A256GCM',
'data': optestlib.opb64e(ct),
'iv': optestlib.opb64e(iv)
}
optestlib.p_str("New Public key", json.dumps(jwk_pub, indent=4))
return jwk_pub, priv_out
def enc_mac_login(kid, mac_login_data):
out_pt = json.dumps(mac_login_data)
iv = read_default('mac_enc_login_iv')
iv, ct = optestlib.enc_aes_gcm(out_pt, sym_keys[kid], iv=iv)
out = {
'iv': optestlib.opb64e(iv),
'data': optestlib.opb64e(ct),
'enc': 'A256GCM',
'cty': 'b5+jwk+json',
'kid': kid
}
optestlib.p_str('Encrypted macOS enc_login:', out)
return out
def gen_sym_key(ekid, new_kid=None, iv=None, k=None):
out = {'kid': ekid, 'cty': 'b5+jwk+json'}
if new_kid != None:
kid = new_kid
else:
kid = gen_uuid()
if k != None:
new_key = k
else:
new_key = get_random_bytes(32)
key_dat = {
'alg': 'A256GCM',
'ext': True,
'key_ops': ['decrypt', 'encrypt'],
'kty': 'oct',
'kid': kid
}
key_dat['k'] = optestlib.opb64e(new_key)
key_dat_str = json.dumps(key_dat)
optestlib.p_str("New symmetric key", json.dumps(key_dat, indent=4))
sym_keys[kid] = new_key
if ekid == 'mp':
# sym_keys['mk'] = new_key
optestlib.p_debug('\n*** Encrypting sym key with AES kid %s' % ekid)
iv, ct = optestlib.enc_aes_gcm(key_dat_str, sym_keys[ekid], iv=iv)
optestlib.p_data('IV', iv, dump=False)
optestlib.p_data('KEY', sym_keys[ekid], dump=False)
optestlib.p_data('Ciphertext', ct, dump=False)
out['iv'] = optestlib.opb64e(iv)
out['data'] = optestlib.opb64e(ct)
out['enc'] = 'A256GCM'
else: # only the primary sym_key is itself AES encrypted, rest by RSA
optestlib.p_debug('\n*** Encrypting sym key with RSA kid %s\n' % ekid)
jwkj = '{"keys": [%s]}' % json.dumps(pub_keys[ekid])
jwk = load_jwks(jwkj)[0]
optestlib.p_str('Public key e:', jwk.e)
optestlib.p_str('Public key n:', jwk.n)
RSA_Key = RSA.construct((jwk.n, jwk.e))
C = PKCS1_OAEP.new(RSA_Key)
ct = C.encrypt(key_dat_str)
out['enc'] = 'RSA-OAEP'
out['data'] = optestlib.opb64e(ct)
optestlib.p_debug('')
optestlib.p_data('RSA-OAEP ciphertext', ct, dump=False)
return kid, out
enc_master_key_data = optestlib.get_binary(
" Enter master_key_data (hex or base64): ")
enc_overview_key_data = optestlib.get_binary(
" Enter overview_key_data (hex or base64): ")
mk, mk_hmac, ok, ok_hmac = optestlib.get_local_vault_keys(
password, salt, enc_master_key_data, enc_overview_key_data)
print "\n* Derived/Decrypted/Derived Vault Keys"
optestlib.p_data('Master Key', mk, dump=False)
optestlib.p_data('Master HMAC Key', mk_hmac, dump=False)
optestlib.p_data('Overview Key', ok, dump=False)
optestlib.p_data('Overview HMAC Key', ok_hmac, dump=False)
print "\n(Base-64 versions for convenience:"
optestlib.p_str('Master key', optestlib.opb64e(mk))
optestlib.p_str('Master HMAC key', optestlib.opb64e(mk_hmac))
optestlib.p_str('Overview key', optestlib.opb64e(ok))
optestlib.p_str('Overview HMAC key', optestlib.opb64e(ok_hmac))
enc_login_data = optestlib.get_binary(
"\nEnter encrypted login data (from accounts table) (hex / base64): ")
PT = optestlib.decrypt_opdata(enc_login_data, mk, mk_hmac)
optestlib.p_str('Decrypted enc_login', PT)
m_hmac = optestlib.get_binary(
"Enter master HMAC key (base-64 or hex encoded): ")
o_key = optestlib.get_binary(
"Enter overview encryption key (base-64 or hex encoded): ")
o_hmac = optestlib.get_binary(
"Enter master HMAC key (base-64 or hex encoded): ")
o_data = optestlib.get_binary('Enter overview data (base-64 or hex): ')
i_key_data_enc = optestlib.get_binary('Enter item key data (base-64 or hex): ')
i_data = optestlib.get_binary('Enter item detail data (base-64 or hex): ')
print "\n* Decrypting item overview\n"
o_pt = optestlib.decrypt_opdata(o_data, o_key, o_hmac)
optestlib.p_str('Item Overview', o_pt)
print "\n* Decrypting item keys\n"
i_key_data = optestlib.decrypt_verify_cbc(i_key_data_enc, m_key, m_hmac)
i_key = i_key_data[0:32]
i_hmac = i_key_data[32:]
optestlib.p_data('Item Key', i_key)
optestlib.p_data('Item HMAC', i_hmac)
print "\n* Decrypting item details\n"
i_pt = optestlib.decrypt_opdata(i_data, i_key, i_hmac)
optestlib.p_str('Item Details', o_pt)
#
# David Schuetz
# November 2018
#
# https://github.com/dschuetz/1password
#
# Given EMK blob from Windows "1Password10.sqlite" database,
# and user's primary account Master Password,
# decrypts EMK blob to produce master encryption and HMAC keys
#
import optestlib
bin_emk = optestlib.get_binary(
'Enter EMK data (from config table) in base-64 or hex: ')
password = raw_input("\nEnter the master password: ")
PT = optestlib.decrypt_emk(bin_emk, password)
enc_key = PT[0:32]
hmac_key = PT[32:]
optestlib.p_data('Master Enc Key', enc_key)
optestlib.p_str('(base-64)', optestlib.opb64e(enc_key))
optestlib.p_data('Master HMAC Key', hmac_key)
optestlib.p_str('(base-64)', optestlib.opb64e(hmac_key))
optestlib.p_str('Enc+HMAC together', optestlib.opb64e(enc_key + hmac_key))
#
# Given email, Secret Key, Master Password, and elements from "enc_sym_key"
# from the primary account's first keyset ("encrypted_by = mp"),
# computes 1Password 2SKD result for MUK and SRP-X
#
import optestlib
secret_key = raw_input(
"\nEnter the account's Secret Key (A3-xxx....): ").upper()
password = raw_input("\nEnter the master password:"******"\nEnter the email address: ")
p2s = optestlib.get_binary(
"\nEnter the 'p2s' parameter (salt, base-64 or hex encoded): ")
p2c = raw_input("\nEnter the 'p2c' parameter (iterations count): ")
p2c = int(p2c)
algo = raw_input(
"\nEnter the 'alg' parameter\n (PBES2g-HS256 for MUK, SRPg-4096 for SRP-x) (note: case sensitive): "
)
print "\n"
muk = optestlib.compute_2skd(secret_key, password, email, p2s, p2c, algo)
optestlib.p_str('\nBase-64 Encoded result:', optestlib.opb64e(muk))
