borg/darc/keychain.py

from getpass import getpass
import hashlib
import os
import msgpack
import zlib

from pbkdf2 import pbkdf2
from Crypto.Cipher import AES
from Crypto.Hash import SHA256, HMAC
from Crypto.PublicKey import RSA
from Crypto.Util import Counter
from Crypto.Util.number import bytes_to_long, long_to_bytes

from . import PACKET_ENCRYPT_READ, PACKET_ENCRYPT_CREATE
from .helpers import IntegrityError, zero_pad
from .oaep import OAEP


class Keychain(object):
    FILE_ID = 'DARC KEYCHAIN'

    CREATE = '\1'
    READ = '\2'

    def __init__(self, path=None):
        self._key_cache = {}
        self.read_key = os.urandom(32)
        self.create_key = os.urandom(32)
        self.counter = Counter.new(64, prefix='\0' * 8)
        self.aes_id = self.rsa_read = self.rsa_create = None
        self.path = path
        if path:
            self.open(path)

    def get_chunkify_seed(self):
        return bytes_to_long(self.aes_id[:4]) & 0x7fffffff

    def open(self, path):
        print 'Opening keychain "%s"' % path
        with open(path, 'rb') as fd:
            if fd.read(len(self.FILE_ID)) != self.FILE_ID:
                raise ValueError('Not a keychain')
            cdata = fd.read()
        self.password = ''
        data = self.decrypt_keychain(cdata, '')
        while not data:
            self.password = getpass('Keychain password: ')
            if not self.password:
                raise Exception('Keychain decryption failed')
            data = self.decrypt_keychain(cdata, self.password)
            if not data:
                print 'Incorrect password'
        chain = msgpack.unpackb(data)
        assert chain['version'] == 1
        self.aes_id = chain['aes_id']
        self.rsa_read = RSA.importKey(chain['rsa_read'])
        self.rsa_create = RSA.importKey(chain['rsa_create'])
        self.read_encrypted = OAEP(256, hash=SHA256).encode(self.read_key, os.urandom(32))
        self.read_encrypted = zero_pad(self.rsa_read.encrypt(self.read_encrypted, '')[0], 256)
        self.create_encrypted = OAEP(256, hash=SHA256).encode(self.create_key, os.urandom(32))
        self.create_encrypted = zero_pad(self.rsa_create.encrypt(self.create_encrypted, '')[0], 256)

    def encrypt_keychain(self, data, password):
        salt = os.urandom(32)
        iterations = 2000
        key = pbkdf2(password, salt, 32, iterations, hashlib.sha256)
        hash = HMAC.new(key, data, SHA256).digest()
        cdata = AES.new(key, AES.MODE_CTR, counter=Counter.new(128)).encrypt(data)
        d = {
            'version': 1,
            'salt': salt,
            'iterations': iterations,
            'algorithm': 'SHA256',
            'hash': hash,
            'data': cdata,
        }
        return msgpack.packb(d)

    def decrypt_keychain(self, data, password):
        d = msgpack.unpackb(data)
        assert d['version'] == 1
        assert d['algorithm'] == 'SHA256'
        key = pbkdf2(password, d['salt'], 32, d['iterations'], hashlib.sha256)
        data = AES.new(key, AES.MODE_CTR, counter=Counter.new(128)).decrypt(d['data'])
        if HMAC.new(key, data, SHA256).digest() != d['hash']:
            return None
        return data

    def save(self, path, password):
        chain = {
            'version': 1,
            'aes_id': self.aes_id,
            'rsa_read': self.rsa_read.exportKey('PEM'),
            'rsa_create': self.rsa_create.exportKey('PEM'),
        }
        data = self.encrypt_keychain(msgpack.packb(chain), password)
        with open(path, 'wb') as fd:
            fd.write(self.FILE_ID)
            fd.write(data)
            print 'Key chain "%s" saved' % path

    def restrict(self, path):
        if os.path.exists(path):
            print '%s already exists' % path
            return 1
        self.rsa_read = self.rsa_read.publickey()
        self.save(path, self.password)
        return 0

    def chpass(self):
        password, password2 = 1, 2
        while password != password2:
            password = getpass('New password: ')
            password2 = getpass('New password again: ')
            if password != password2:
                print 'Passwords do not match'
        self.save(self.path, password)
        return 0

    @staticmethod
    def generate(path):
        if os.path.exists(path):
            print '%s already exists' % path
            return 1
        password, password2 = 1, 2
        while password != password2:
            password = getpass('Keychain password: ')
            password2 = getpass('Keychain password again: ')
            if password != password2:
                print 'Passwords do not match'
        chain = Keychain()
        print 'Generating keychain'
        chain.aes_id = os.urandom(32)
        chain.rsa_read = RSA.generate(2048)
        chain.rsa_create = RSA.generate(2048)
        chain.save(path, password)
        return 0

    def id_hash(self, data):
        """Return HMAC hash using the "id" AES key
        """
        return HMAC.new(self.aes_id, data, SHA256).digest()

    def encrypt(self, magic, data):
        """Helper function used by `encrypt_read` and `encrypt_create`
        """
        data = zlib.compress(data)
        nonce = long_to_bytes(self.counter.next_value(), 8)
        if magic & PACKET_ENCRYPT_READ:
            data = ''.join((nonce, self.read_encrypted,
                            AES.new(self.read_key, AES.MODE_CTR, '',
                                    counter=self.counter).encrypt(data)))
        elif magic & PACKET_ENCRYPT_CREATE:
            data = ''.join((nonce, self.create_encrypted,
                            AES.new(self.create_key, AES.MODE_CTR, '',
                                    counter=self.counter).encrypt(data)))
        hash = self.id_hash(data)
        return ''.join((chr(magic), hash, data)), hash

    def _decrypt_key(self, data, rsa_key):
        """Helper function used by `decrypt`
        """
        try:
            return self._key_cache[data]
        except KeyError:
            self._key_cache[data] = OAEP(256, hash=SHA256).decode(rsa_key.decrypt(data))
            return self._key_cache[data]

    def decrypt(self, data):
        """Decrypt `data` previously encrypted by `encrypt_create` or `encrypt_read`
        """
        magic = ord(data[0])
        hash = data[1:33]
        if self.id_hash(data[33:]) != hash:
            raise IntegrityError('Encryption integrity error')
        nonce = bytes_to_long(data[33:41])
        counter = Counter.new(64, prefix='\0' * 8, initial_value=nonce)
        if magic & PACKET_ENCRYPT_READ:
            key = self._decrypt_key(data[41:297], self.rsa_read)
        elif magic & PACKET_ENCRYPT_CREATE:
            key = self._decrypt_key(data[41:297], self.rsa_create)
        else:
            raise Exception('Unknown pack magic %d found' % magic)
        data = AES.new(key, AES.MODE_CTR, counter=counter).decrypt(data[297:])
        return magic, zlib.decompress(data), hash
Added keychain encryption 2010-10-24 19:47:00 +00:00			`from getpass import getpass`
			`import hashlib`
Initial AES encryption support 2010-10-21 22:10:51 +00:00			`import os`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`import msgpack`
Initial AES encryption support 2010-10-21 22:10:51 +00:00			`import zlib`

Added keychain encryption 2010-10-24 19:47:00 +00:00			`from pbkdf2 import pbkdf2`
Initial AES encryption support 2010-10-21 22:10:51 +00:00			`from Crypto.Cipher import AES`
More cryptography work. 2010-10-23 19:38:42 +00:00			`from Crypto.Hash import SHA256, HMAC`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`from Crypto.PublicKey import RSA`
			`from Crypto.Util import Counter`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`from Crypto.Util.number import bytes_to_long, long_to_bytes`
More cryptography work. 2010-10-23 19:38:42 +00:00
Reworked packer format again 2010-12-06 20:46:29 +00:00			`from . import PACKET_ENCRYPT_READ, PACKET_ENCRYPT_CREATE`
Handle special case where RSA.encrypt returns cipher text shorter than 256 bytes. 2010-11-03 18:46:21 +00:00			`from .helpers import IntegrityError, zero_pad`
More cryptography work. 2010-10-23 19:38:42 +00:00			`from .oaep import OAEP`
Initial AES encryption support 2010-10-21 22:10:51 +00:00

Merge CryptoManager and KeyChain into Keychain 2010-10-31 21:21:59 +00:00			`class Keychain(object):`
Renamed dedupestore to darc 2010-10-27 18:12:40 +00:00			`FILE_ID = 'DARC KEYCHAIN'`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00
Merge CryptoManager and KeyChain into Keychain 2010-10-31 21:21:59 +00:00			`CREATE = '\1'`
			`READ = '\2'`

Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`def __init__(self, path=None):`
Merge CryptoManager and KeyChain into Keychain 2010-10-31 21:21:59 +00:00			`self._key_cache = {}`
			`self.read_key = os.urandom(32)`
			`self.create_key = os.urandom(32)`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`self.counter = Counter.new(64, prefix='\0' * 8)`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`self.aes_id = self.rsa_read = self.rsa_create = None`
Added keychain chpass 2010-10-24 20:13:34 +00:00			`self.path = path`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`if path:`
			`self.open(path)`

Chunkifier improvements. Including tin foil hat compliant seeding. 2010-11-04 20:19:01 +00:00			`def get_chunkify_seed(self):`
Only use 31 bits for chunification seed 2010-11-23 11:38:10 +00:00			`return bytes_to_long(self.aes_id[:4]) & 0x7fffffff`
Chunkifier improvements. Including tin foil hat compliant seeding. 2010-11-04 20:19:01 +00:00
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`def open(self, path):`
Remove logging usage 2010-10-30 11:44:25 +00:00			`print 'Opening keychain "%s"' % path`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`with open(path, 'rb') as fd:`
Keychain improvements. 2010-10-25 18:22:20 +00:00			`if fd.read(len(self.FILE_ID)) != self.FILE_ID:`
			`raise ValueError('Not a keychain')`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`cdata = fd.read()`
Various changes 2010-10-31 20:55:09 +00:00			`self.password = ''`
Various bug fixes 2010-11-02 17:33:53 +00:00			`data = self.decrypt_keychain(cdata, '')`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`while not data:`
Added "keychain restrict" command 2010-10-24 20:00:46 +00:00			`self.password = getpass('Keychain password: ')`
			`if not self.password:`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`raise Exception('Keychain decryption failed')`
Various bug fixes 2010-11-02 17:33:53 +00:00			`data = self.decrypt_keychain(cdata, self.password)`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`if not data:`
Remove logging usage 2010-10-30 11:44:25 +00:00			`print 'Incorrect password'`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`chain = msgpack.unpackb(data)`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`assert chain['version'] == 1`
			`self.aes_id = chain['aes_id']`
			`self.rsa_read = RSA.importKey(chain['rsa_read'])`
			`self.rsa_create = RSA.importKey(chain['rsa_create'])`
Merge CryptoManager and KeyChain into Keychain 2010-10-31 21:21:59 +00:00			`self.read_encrypted = OAEP(256, hash=SHA256).encode(self.read_key, os.urandom(32))`
Handle special case where RSA.encrypt returns cipher text shorter than 256 bytes. 2010-11-03 18:46:21 +00:00			`self.read_encrypted = zero_pad(self.rsa_read.encrypt(self.read_encrypted, '')[0], 256)`
Merge CryptoManager and KeyChain into Keychain 2010-10-31 21:21:59 +00:00			`self.create_encrypted = OAEP(256, hash=SHA256).encode(self.create_key, os.urandom(32))`
Handle special case where RSA.encrypt returns cipher text shorter than 256 bytes. 2010-11-03 18:46:21 +00:00			`self.create_encrypted = zero_pad(self.rsa_create.encrypt(self.create_encrypted, '')[0], 256)`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`def encrypt_keychain(self, data, password):`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`salt = os.urandom(32)`
			`iterations = 2000`
			`key = pbkdf2(password, salt, 32, iterations, hashlib.sha256)`
			`hash = HMAC.new(key, data, SHA256).digest()`
			`cdata = AES.new(key, AES.MODE_CTR, counter=Counter.new(128)).encrypt(data)`
			`d = {`
			`'version': 1,`
			`'salt': salt,`
			`'iterations': iterations,`
			`'algorithm': 'SHA256',`
			`'hash': hash,`
			`'data': cdata,`
			`}`
			`return msgpack.packb(d)`

Various bug fixes 2010-11-02 17:33:53 +00:00			`def decrypt_keychain(self, data, password):`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`d = msgpack.unpackb(data)`
			`assert d['version'] == 1`
			`assert d['algorithm'] == 'SHA256'`
			`key = pbkdf2(password, d['salt'], 32, d['iterations'], hashlib.sha256)`
			`data = AES.new(key, AES.MODE_CTR, counter=Counter.new(128)).decrypt(d['data'])`
			`if HMAC.new(key, data, SHA256).digest() != d['hash']:`
			`return None`
			`return data`

			`def save(self, path, password):`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`chain = {`
			`'version': 1,`
			`'aes_id': self.aes_id,`
			`'rsa_read': self.rsa_read.exportKey('PEM'),`
			`'rsa_create': self.rsa_create.exportKey('PEM'),`
			`}`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`data = self.encrypt_keychain(msgpack.packb(chain), password)`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`with open(path, 'wb') as fd:`
Keychain improvements. 2010-10-25 18:22:20 +00:00			`fd.write(self.FILE_ID)`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`fd.write(data)`
Remove logging usage 2010-10-30 11:44:25 +00:00			`print 'Key chain "%s" saved' % path`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00
Added "keychain restrict" command 2010-10-24 20:00:46 +00:00			`def restrict(self, path):`
			`if os.path.exists(path):`
Remove logging usage 2010-10-30 11:44:25 +00:00			`print '%s already exists' % path`
Added "keychain restrict" command 2010-10-24 20:00:46 +00:00			`return 1`
			`self.rsa_read = self.rsa_read.publickey()`
			`self.save(path, self.password)`
			`return 0`

Added keychain chpass 2010-10-24 20:13:34 +00:00			`def chpass(self):`
			`password, password2 = 1, 2`
			`while password != password2:`
			`password = getpass('New password: ')`
			`password2 = getpass('New password again: ')`
			`if password != password2:`
Remove logging usage 2010-10-30 11:44:25 +00:00			`print 'Passwords do not match'`
Added keychain chpass 2010-10-24 20:13:34 +00:00			`self.save(self.path, password)`
			`return 0`

Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`@staticmethod`
Added "keychain restrict" command 2010-10-24 20:00:46 +00:00			`def generate(path):`
			`if os.path.exists(path):`
Remove logging usage 2010-10-30 11:44:25 +00:00			`print '%s already exists' % path`
Added "keychain restrict" command 2010-10-24 20:00:46 +00:00			`return 1`
Added keychain chpass 2010-10-24 20:13:34 +00:00			`password, password2 = 1, 2`
Added "keychain restrict" command 2010-10-24 20:00:46 +00:00			`while password != password2:`
			`password = getpass('Keychain password: ')`
			`password2 = getpass('Keychain password again: ')`
			`if password != password2:`
Remove logging usage 2010-10-30 11:44:25 +00:00			`print 'Passwords do not match'`
Merge CryptoManager and KeyChain into Keychain 2010-10-31 21:21:59 +00:00			`chain = Keychain()`
Remove logging usage 2010-10-30 11:44:25 +00:00			`print 'Generating keychain'`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`chain.aes_id = os.urandom(32)`
			`chain.rsa_read = RSA.generate(2048)`
			`chain.rsa_create = RSA.generate(2048)`
Added keychain encryption 2010-10-24 19:47:00 +00:00			`chain.save(path, password)`
Added "keychain restrict" command 2010-10-24 20:00:46 +00:00			`return 0`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00
Initial AES encryption support 2010-10-21 22:10:51 +00:00			`def id_hash(self, data):`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`"""Return HMAC hash using the "id" AES key`
			`"""`
Merge CryptoManager and KeyChain into Keychain 2010-10-31 21:21:59 +00:00			`return HMAC.new(self.aes_id, data, SHA256).digest()`
More cryptography work. 2010-10-23 19:38:42 +00:00
Reworked packer format again 2010-12-06 20:46:29 +00:00			`def encrypt(self, magic, data):`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			"""Helper function used by `encrypt_read` and `encrypt_create`
			`"""`
More cryptography work. 2010-10-23 19:38:42 +00:00			`data = zlib.compress(data)`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`nonce = long_to_bytes(self.counter.next_value(), 8)`
Reworked packer format again 2010-12-06 20:46:29 +00:00			`if magic & PACKET_ENCRYPT_READ:`
			`data = ''.join((nonce, self.read_encrypted,`
			`AES.new(self.read_key, AES.MODE_CTR, '',`
			`counter=self.counter).encrypt(data)))`
			`elif magic & PACKET_ENCRYPT_CREATE:`
			`data = ''.join((nonce, self.create_encrypted,`
			`AES.new(self.create_key, AES.MODE_CTR, '',`
			`counter=self.counter).encrypt(data)))`
Verify cindex integrity on archive open 2010-10-24 18:18:18 +00:00			`hash = self.id_hash(data)`
Reworked packer format again 2010-12-06 20:46:29 +00:00			`return ''.join((chr(magic), hash, data)), hash`
More cryptography work. 2010-10-23 19:38:42 +00:00
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`def _decrypt_key(self, data, rsa_key):`
			"""Helper function used by `decrypt`
			`"""`
Added keychain and switched to MODE_CTR 2010-10-23 21:01:12 +00:00			`try:`
			`return self._key_cache[data]`
			`except KeyError:`
			`self._key_cache[data] = OAEP(256, hash=SHA256).decode(rsa_key.decrypt(data))`
			`return self._key_cache[data]`

More cryptography work. 2010-10-23 19:38:42 +00:00			`def decrypt(self, data):`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			"""Decrypt `data` previously encrypted by `encrypt_create` or `encrypt_read`
			`"""`
Reworked packer format again 2010-12-06 20:46:29 +00:00			`magic = ord(data[0])`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`hash = data[1:33]`
			`if self.id_hash(data[33:]) != hash:`
			`raise IntegrityError('Encryption integrity error')`
			`nonce = bytes_to_long(data[33:41])`
			`counter = Counter.new(64, prefix='\0' * 8, initial_value=nonce)`
Reworked packer format again 2010-12-06 20:46:29 +00:00			`if magic & PACKET_ENCRYPT_READ:`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`key = self._decrypt_key(data[41:297], self.rsa_read)`
Reworked packer format again 2010-12-06 20:46:29 +00:00			`elif magic & PACKET_ENCRYPT_CREATE:`
Fixed typo 2010-11-09 19:48:20 +00:00			`key = self._decrypt_key(data[41:297], self.rsa_create)`
More cryptography work. 2010-10-23 19:38:42 +00:00			`else:`
Reworked packer format again 2010-12-06 20:46:29 +00:00			`raise Exception('Unknown pack magic %d found' % magic)`
Rework the way the encryption works to make it more tamper proof 2010-11-08 21:07:24 +00:00			`data = AES.new(key, AES.MODE_CTR, counter=counter).decrypt(data[297:])`
Reworked packer format again 2010-12-06 20:46:29 +00:00			`return magic, zlib.decompress(data), hash`
Verify cindex integrity on archive open 2010-10-24 18:18:18 +00:00
Merge CryptoManager and KeyChain into Keychain 2010-10-31 21:21:59 +00:00