def verify(sign, keyid, infile=None, outfile=None): keyid=b85decode(keyid) sign=b85decode(sign) if(len(keyid)!=STORAGE_ID_LEN or len(sign)!= nacl.crypto_generichash_BYTES): raise ValueError fd = inputfd(infile) outfd = outputfd(outfile) if outfile else None reset() written=0 eps[USB_CRYPTO_EP_CTRL_IN].write("%s%s%s" % (USB_CRYPTO_CMD_VERIFY,sign,keyid)) tmp=read_ctrl(timeout=50) if(tmp and tmp.startswith('err: ')): return pkt = fd.read(32768) #if len(pkt)>0: # outfd.write(keyid) while pkt: written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt) if outfd: outfd.write(pkt) pkt = fd.read(32768) if(written%64==0): eps[USB_CRYPTO_EP_DATA_IN].write(None) read_ctrl() res = eps[USB_CRYPTO_EP_DATA_OUT].read(1) read_ctrl() reset() if fd != sys.stdin: fd.close() if outfd and outfd != sys.stdout: outfd.close() return res[0]
def sign_handler(infile=None, outfile=None, self=None, basedir=None, armor=False): # provides a high level function to sign files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, # if unspecified but armor is, or if '-' or # infile is unspecified, then it uses stdout # otherwise it appends '.sig' to infile # armor instructs the function to output ascii # self specifies the sender for signing the message # basedir provides a root for the keystores # this function also handles buffering. fd = inputfd(infile) if (not outfile and armor) or outfile == '-' or (not infile or infile == '-'): outfd = sys.stdout else: outfd = open(outfile or infile + '.sig', 'w') publickey.Identity(self, basedir=basedir).buffered_sign(fd, outfd, armor) if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close()
def encrypt(peer, infile=None, outfile=None): if len(peer)>PEER_NAME_MAX: raise ValueError fd = inputfd(infile) outfd = outputfd(outfile or infile+'.pbp' if infile else '-') reset() eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_ENCRYPT+peer) # needs to return keyid read it here keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(STORAGE_ID_LEN)]) if(keyid.startswith('err: ')): raise ValueError(keyid) if len(keyid)<STORAGE_ID_LEN: raise ValueError pkt = fd.read(32768) #if len(pkt)>0: # outfd.write(keyid) while pkt: wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt) if (wrote<32768 and not (wrote&0x3f)): eps[USB_CRYPTO_EP_DATA_IN].write(None) outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote+40)])) pkt = fd.read(32768) if(len(pkt)==32768): eps[USB_CRYPTO_EP_DATA_IN].write(None) reset() if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close() return keyid
def decrypt(keyid, infile=None, outfile=None): keyid=b85decode(keyid) if(len(keyid)!=STORAGE_ID_LEN): raise ValueError fd = inputfd(infile) outfd = outputfd(outfile or infile+'.pbp' if infile else '-') reset() eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_DECRYPT+keyid) tmp = read_ctrl(timeout=50) if(tmp and tmp.startswith('err: ')): raise ValueError(tmp) pkt = fd.read(32808) #if len(pkt)>0: # outfd.write(keyid) while pkt: wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt) if (wrote<32808 and not (wrote&0x3f)): eps[USB_CRYPTO_EP_DATA_IN].write(None) tmp = read_ctrl(timeout=50) if(tmp and tmp.startswith('err: ')): raise ValueError(tmp) outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote-40)])) pkt = fd.read(32808) if(len(pkt)==32808): eps[USB_CRYPTO_EP_DATA_IN].write(None) reset() if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close()
def sign(peer, infile=None, outfile=None): if len(peer)>PEER_NAME_MAX: raise ValueError fd = inputfd(infile) outfd = outputfd(outfile) reset() written=0 eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_SIGN+peer) # needs to return keyid read it here keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(STORAGE_ID_LEN)]) if(keyid.startswith('err: ')): return if len(keyid)<STORAGE_ID_LEN: return pkt = fd.read(32768) #if len(pkt)>0: # outfd.write(keyid) while pkt: written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt) pkt = fd.read(32768) if outfile: outfd.write(pkt) if(written%64==0): eps[USB_CRYPTO_EP_DATA_IN].write(None) read_ctrl() res = eps[USB_CRYPTO_EP_DATA_OUT].read(nacl.crypto_generichash_BYTES) read_ctrl() reset() if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close() return ''.join([chr(x) for x in res]), keyid
def decrypt_handler(infile=None, outfile=None, self=None, basedir=None): # provides a high level function to do decryption of files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, if not specified # it uses the same filename with '.pbp' appended # self specifies the recipient of the message for using pk crypto # basedir provides a root for the keystores needed for pk crypto # if self is specified pk crypto is used, otherwise symmetric # this function also handles buffering. fd = inputfd(infile) outfd = outputfd(outfile) key = None _type=struct.unpack('B',fd.read(1))[0] # asym if _type == ASYM_CIPHER: if not self: print >>sys.stderr, "Error: need to specify your own key using the --self param" raise ValueError size = struct.unpack('>L',fd.read(4))[0] r = [] for _ in xrange(size): rnonce = fd.read(nacl.crypto_box_NONCEBYTES) ct = fd.read(struct.unpack('B', fd.read(1))[0]) r.append((rnonce,ct)) me = publickey.Identity(self, basedir=basedir) me.clear() sender, key = me.keydecrypt(r) if not sender: # print >>sys.stderr, 'good key from', sender #else: raise ValueError('decryption failed') # sym elif _type == BLOCK_CIPHER: pwd = getpass.getpass('Passphrase for decrypting: ') key = scrypt.hash(pwd, scrypt_salt)[:nacl.crypto_secretbox_KEYBYTES] sender = None clearmem(pwd) else: raise ValueError('decryption failed') if key: nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES) while len(nonce) == nacl.crypto_secretbox_NONCEBYTES: buf = fd.read(BLOCK_SIZE + (nacl.crypto_secretbox_ZEROBYTES - nacl.crypto_secretbox_BOXZEROBYTES)) if not buf: raise ValueError('decryption failed') break outfd.write(decrypt((nonce, buf), k = key)) nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES) clearmem(key) if 0 < len(nonce) < nacl.crypto_secretbox_NONCEBYTES: raise ValueError('decryption failed') if fd != sys.stdin: fd.close() if outfd != sys.stdout and type(outfd) == file: outfd.close() return sender
def hash_handler(infile=None, k='', outlen=16): fd = inputfd(infile) # calculate hash sum of data state = nacl.crypto_generichash_init(outlen=outlen, k=k or '') while True: block = fd.read(BLOCK_SIZE) if not block.strip(): break state = nacl.crypto_generichash_update(state, block) if fd != sys.stdin: fd.close() return nacl.crypto_generichash_final(state, outlen=outlen)
def encrypt_handler(infile=None, outfile=None, recipient=None, self=None, basedir=None): # provides a high level function to do encryption of files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, if not specified # it uses the same filename with '.pbp' appended # recipient specifies the name of the recipient for using public key crypto # self specifies the sender for signing the message using pk crypto # basedir provides a root for the keystores needed for pk crypto # if both self and recipient is specified pk crypto is used, otherwise symmetric # this function also handles buffering. fd = inputfd(infile) outfd = outputfd(outfile or (infile + '.pbp' if infile not in [None, '-'] else '-')) if recipient and self: # let's do public key encryption key = nacl.randombytes(nacl.crypto_secretbox_KEYBYTES) me = publickey.Identity(self, basedir=basedir) size = struct.pack('>H', len(recipient)) # write out encrypted message key (nonce, c(key+recplen)) for each recipient for r in recipient: r = publickey.Identity(r, basedir=basedir, publicOnly=True) nonce = nacl.randombytes(nacl.crypto_box_NONCEBYTES) outfd.write(nonce) outfd.write(nacl.crypto_box(key + size, nonce, r.cp, me.cs)) me.clear() else: # let's do symmetric crypto key = getkey(nacl.crypto_secretbox_KEYBYTES) buf = fd.read(BLOCK_SIZE) if buf: nonce, cipher = encrypt(buf, k=key) outfd.write(nonce) outfd.write(cipher) buf = fd.read(BLOCK_SIZE) while buf: nonce = inc_nonce(nonce) nonce, cipher = encrypt(buf, k=key, nonce=nonce) outfd.write(cipher) buf = fd.read(BLOCK_SIZE) clearmem(key) key = None if fd != sys.stdin: fd.close() if outfd != sys.stdout and isinstance(outfd, file): outfd.close()
def chaining_decrypt_handler(infile=None, outfile=None, recipient=None, self=None, basedir=None): # provides highlevel forward secure deccryption receive primitive for files # for details see doc/chaining-dh.txt # infile specifies the input file, # outfile the filename of the output, # self the sending parties name # recipient the receiving peers name # basedir the root directory used for key storage fd = inputfd(infile) outfd = outputfd(outfile or infile+'.pbp') ctx=chaining.ChainingContext(self, recipient, basedir) ctx.buffered_decrypt(fd, outfd) if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close()
def verify_handler(infile=None, outfile=None, basedir=None): # provides a high level function to verify signed files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, # basedir provides a root for the keystores # this function also handles buffering. fd = inputfd(infile) outfd = outputfd(outfile) sender = publickey.buffered_verify(fd,outfd,basedir) if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close() return sender
def verify_handler(infile=None, outfile=None, basedir=None): # provides a high level function to verify signed files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, # basedir provides a root for the keystores # this function also handles buffering. fd = inputfd(infile) outfd = outputfd(outfile) sender = publickey.buffered_verify(fd, outfd, basedir) if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close() return sender
def encrypt_handler(infile=None, outfile=None, recipient=None, self=None, basedir=None): # provides a high level function to do encryption of files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, if not specified # it uses the same filename with '.pbp' appended # recipient specifies the name of the recipient for using public key crypto # self specifies the sender for signing the message using pk crypto # basedir provides a root for the keystores needed for pk crypto # if both self and recipient is specified pk crypto is used, otherwise symmetric # this function also handles buffering. fd = inputfd(infile) outfd = outputfd(outfile or (infile+'.pbp' if infile not in [None,'-'] else '-')) if recipient and self: # let's do public key encryption key = nacl.randombytes(nacl.crypto_secretbox_KEYBYTES) me = publickey.Identity(self, basedir=basedir) size = struct.pack('>H',len(recipient)) # write out encrypted message key (nonce, c(key+recplen)) for each recipient for r in recipient: r = publickey.Identity(r, basedir=basedir, publicOnly=True) nonce = nacl.randombytes(nacl.crypto_box_NONCEBYTES) outfd.write(nonce) outfd.write(nacl.crypto_box(key+size, nonce, r.cp, me.cs)) me.clear() else: # let's do symmetric crypto key = getkey(nacl.crypto_secretbox_KEYBYTES) buf = fd.read(BLOCK_SIZE) if buf: nonce, cipher = encrypt(buf, k=key) outfd.write(nonce) outfd.write(cipher) buf = fd.read(BLOCK_SIZE) while buf: nonce = inc_nonce(nonce) nonce, cipher = encrypt(buf, k=key, nonce=nonce) outfd.write(cipher) buf = fd.read(BLOCK_SIZE) clearmem(key) key=None if fd != sys.stdin: fd.close() if outfd != sys.stdout and isinstance(outfd,file): outfd.close()
def encrypt_handler(infile=None, outfile=None, recipient=None, self=None, basedir=None): # provides a high level function to do encryption of files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, if not specified # it uses the same filename with '.pbp' appended # recipient specifies the name of the recipient for using public key crypto # self specifies the sender for signing the message using pk crypto # basedir provides a root for the keystores needed for pk crypto # if both self and recipient is specified pk crypto is used, otherwise symmetric # this function also handles buffering. fd = inputfd(infile) outfd = outputfd(outfile or (infile+'.pbp' if infile else '-')) if recipient and self: # let's do public key encryption key = nacl.randombytes(nacl.crypto_secretbox_KEYBYTES) me = publickey.Identity(self, basedir=basedir) peerkeys = me.keyencrypt(key, recipients=[publickey.Identity(x, basedir=basedir) for x in recipient]) me.clear() outfd.write(struct.pack("B", ASYM_CIPHER)) outfd.write(struct.pack(">L", len(peerkeys))) for rnonce, ct in peerkeys: outfd.write(rnonce) outfd.write(struct.pack("B", len(ct))) outfd.write(ct) else: # let's do symmetric crypto key = getkey(nacl.crypto_secretbox_KEYBYTES) outfd.write(struct.pack("B", BLOCK_CIPHER)) buf = fd.read(BLOCK_SIZE) while buf: nonce, cipher = encrypt(buf, k=key) outfd.write(nonce) outfd.write(cipher) buf = fd.read(BLOCK_SIZE) clearmem(key) if fd != sys.stdin: fd.close() if outfd != sys.stdout and type(outfd) == file: outfd.close()
def chaining_decrypt_handler(infile=None, outfile=None, recipient=None, self=None, basedir=None): # provides highlevel forward secure deccryption receive primitive for files # for details see doc/chaining-dh.txt # infile specifies the input file, # outfile the filename of the output, # self the sending parties name # recipient the receiving peers name # basedir the root directory used for key storage fd = inputfd(infile) outfd = outputfd(outfile or infile + '.pbp') ctx = chaining.ChainingContext(self, recipient, basedir) ctx.buffered_decrypt(fd, outfd) if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close()
def sign(peer, infile=None, outfile=None): if len(peer)>PEER_NAME_MAX: raise ValueError fd = inputfd(infile) outfd = outputfd(outfile) reset() written=0 eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_SIGN+peer, timeout=0) tmp = read_ctrl(timeout=0) if(tmp and tmp.startswith('err: ')): raise ValueError(tmp) # needs to return keyid read it here keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(EKID_SIZE, timeout=0)]) if(keyid.startswith('err: ')): return if len(keyid)<EKID_SIZE: return pkt = fd.read(32768) tmp = read_ctrl(timeout=0) if(tmp and tmp!="go"): raise ValueError(tmp) #if len(pkt)>0: # outfd.write(keyid) while pkt: written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0) pkt = fd.read(32768) if outfile: outfd.write(pkt) if(written%64==0): eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0) read_ctrl() res = eps[USB_CRYPTO_EP_DATA_OUT].read(nacl.crypto_generichash_BYTES, timeout=0) read_ctrl() reset() if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close() return ''.join([chr(x) for x in res]), keyid
def sign_handler(infile=None, outfile=None, self=None, basedir=None, armor=False): # provides a high level function to sign files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, # if unspecified but armor is, or if '-' or # infile is unspecified, then it uses stdout # otherwise it appends '.sig' to infile # armor instructs the function to output ascii # self specifies the sender for signing the message # basedir provides a root for the keystores # this function also handles buffering. fd = inputfd(infile) if (not outfile and armor) or outfile == '-' or (not infile or infile == '-'): outfd = sys.stdout else: outfd = open(outfile or infile+'.sig','w') publickey.Identity(self, basedir=basedir).buffered_sign(fd, outfd, armor) if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close()
def encrypt(peer, infile=None, outfile=None): if len(peer)>PEER_NAME_MAX: raise ValueError fd = inputfd(infile) outfd = outputfd(outfile or infile+'.pbp' if infile else '-') reset() eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_ENCRYPT+peer, timeout=0) tmp = read_ctrl(timeout=0) if(tmp and tmp.startswith('err: ')): raise ValueError(tmp) # needs to return keyid read it here keyid = ''.join([chr(x) for x in eps[USB_CRYPTO_EP_CTRL_OUT].read(EKID_SIZE, timeout=0)]) if(keyid.startswith('err: ')): raise ValueError(keyid) if len(keyid)<EKID_SIZE: print len(keyid),EKID_SIZE print repr(keyid) raise ValueError pkt = fd.read(32768) #if len(pkt)>0: # outfd.write(keyid) while pkt: wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0) if (wrote<32768 and not (wrote&0x3f)): eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0) outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote+40, timeout=0)])) pkt = fd.read(32768) if(len(pkt)==32768): eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0) reset() if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close() return keyid
def verify(sign, keyid, infile=None, outfile=None): keyid=b85decode(keyid) sign=b85decode(sign) if(len(keyid)!=EKID_SIZE or len(sign)!= nacl.crypto_generichash_BYTES): print len(keyid), EKID_SIZE, repr(keyid) print len(sign), 32, repr(sign) raise ValueError fd = inputfd(infile) outfd = outputfd(outfile) if outfile else None reset() written=0 eps[USB_CRYPTO_EP_CTRL_IN].write("%s%s%s" % (USB_CRYPTO_CMD_VERIFY,sign,keyid), timeout=0) tmp=read_ctrl(timeout=0) if(tmp and tmp.startswith('err: ')): return tmp = read_ctrl(timeout=0) if(tmp and tmp!="go"): raise ValueError(tmp) pkt = fd.read(32768) #if len(pkt)>0: # outfd.write(keyid) while pkt: written+=eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0) if outfd: outfd.write(pkt) pkt = fd.read(32768) if(written%64==0): eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0) read_ctrl() res = eps[USB_CRYPTO_EP_DATA_OUT].read(1, timeout=0) read_ctrl() reset() if fd != sys.stdin: fd.close() if outfd and outfd != sys.stdout: outfd.close() return res[0]
def decrypt(keyid, infile=None, outfile=None): keyid=b85decode(keyid) if(len(keyid)!=EKID_SIZE): raise ValueError fd = inputfd(infile) outfd = outputfd(outfile or infile+'.pbp' if infile else '-') reset() eps[USB_CRYPTO_EP_CTRL_IN].write(USB_CRYPTO_CMD_DECRYPT+keyid, timeout=0) tmp = read_ctrl(timeout=0) if(tmp and tmp.startswith('err: ')): raise ValueError(tmp) tmp = read_ctrl(timeout=0) pkt = fd.read(32808) if(tmp and tmp!="go"): raise ValueError(tmp) #if len(pkt)>0: # outfd.write(keyid) while pkt: wrote = eps[USB_CRYPTO_EP_DATA_IN].write(pkt, timeout=0) if (wrote<32808 and not (wrote&0x3f)): eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0) tmp = read_ctrl(timeout=50) if(tmp and tmp.startswith('err: ')): raise ValueError(tmp) outfd.write(''.join([chr(x) for x in eps[USB_CRYPTO_EP_DATA_OUT].read(wrote-40, timeout=0)])) pkt = fd.read(32808) if(len(pkt)==32808): eps[USB_CRYPTO_EP_DATA_IN].write(None, timeout=0) reset() if fd != sys.stdin: fd.close() if outfd != sys.stdout: outfd.close()
def decrypt_handler(infile=None, outfile=None, self=None, peer=None, max_recipients=20, basedir=None): # provides a high level function to do decryption of files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, if not specified # it uses the same filename with '.pbp' appended # self specifies the recipient of the message for using pk crypto # basedir provides a root for the keystores needed for pk crypto # if self is specified pk crypto is used, otherwise symmetric # this function also handles buffering. fd = inputfd(infile) outfd = outputfd(outfile) key = None # asym if self: me = publickey.Identity(self, basedir=basedir) if peer: peer = publickey.Identity(peer, basedir=basedir, publicOnly=True) sender = None size = None i = 0 while i < (max_recipients if not size else size): i += 1 rnonce = fd.read(nacl.crypto_box_NONCEBYTES) ct = fd.read(nacl.crypto_secretbox_KEYBYTES + 2 + nacl.crypto_secretbox_MACBYTES) if sender: continue for keys in ([peer] if peer else publickey.get_public_keys( basedir=basedir)): try: tmp = nacl.crypto_box_open(ct, rnonce, keys.cp, me.cs) except ValueError: continue key = tmp[:nacl.crypto_secretbox_KEYBYTES] size = struct.unpack('>H', tmp[nacl.crypto_secretbox_KEYBYTES:])[0] sender = keys.name break me.clear() if not sender: raise ValueError('decryption failed') # sym else: pwd = getpass.getpass('Passphrase for decrypting: ') key = scrypt.hash(pwd, scrypt_salt)[:nacl.crypto_secretbox_KEYBYTES] sender = None clearmem(pwd) pwd = None if key: nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES) buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES) while buf: outfd.write(decrypt((nonce, buf), k=key)) nonce = inc_nonce(nonce) buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES) clearmem(key) key = None if fd != sys.stdin: fd.close() if outfd != sys.stdout and type(outfd) == file: outfd.close() return sender
def decrypt_handler(infile=None, outfile=None, self=None, peer=None, max_recipients = 20, basedir=None): # provides a high level function to do decryption of files # infile specifies the filename of the input file, # if '-' or not specified it uses stdin # outfile specifies the filename of the output file, if not specified # it uses the same filename with '.pbp' appended # self specifies the recipient of the message for using pk crypto # basedir provides a root for the keystores needed for pk crypto # if self is specified pk crypto is used, otherwise symmetric # this function also handles buffering. fd = inputfd(infile) outfd = outputfd(outfile) key = None # asym if self: me = publickey.Identity(self, basedir=basedir) if peer: peer = publickey.Identity(peer, basedir=basedir, publicOnly=True) sender = None size = None i=0 while i < (max_recipients if not size else size): i+=1 rnonce = fd.read(nacl.crypto_box_NONCEBYTES) ct = fd.read(nacl.crypto_secretbox_KEYBYTES+2+nacl.crypto_secretbox_MACBYTES) if sender: continue for keys in ([peer] if peer else publickey.get_public_keys(basedir=basedir)): try: tmp = nacl.crypto_box_open(ct, rnonce, keys.cp, me.cs) except ValueError: continue key = tmp[:nacl.crypto_secretbox_KEYBYTES] size = struct.unpack('>H',tmp[nacl.crypto_secretbox_KEYBYTES:])[0] sender = keys.name break me.clear() if not sender: raise ValueError('decryption failed') # sym else: pwd = getpass.getpass('Passphrase for decrypting: ') key = scrypt.hash(pwd, scrypt_salt)[:nacl.crypto_secretbox_KEYBYTES] sender = None clearmem(pwd) pwd=None if key: nonce = fd.read(nacl.crypto_secretbox_NONCEBYTES) buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES) while buf: outfd.write(decrypt((nonce, buf), k = key)) nonce = inc_nonce(nonce) buf = fd.read(BLOCK_SIZE + nacl.crypto_secretbox_MACBYTES) clearmem(key) key = None if fd != sys.stdin: fd.close() if outfd != sys.stdout and type(outfd) == file: outfd.close() return sender