Página inicial Explorar Ajuda
Registrar Entrar
dayuan
/
manyi
6
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Tree: 34216f9fac
Branches Tags
manyi
/
venv
/
Lib
/
site-packages
/
Cryptodome
/
IO
/
PEM.py

PEM.py 6.3 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166 
  1. #
    2. 

  2. #  Util/PEM.py : Privacy Enhanced Mail utilities
    3. 

  3. #
    4. 

  4. # ===================================================================
    5. 

  5. #
    6. 

  6. # Copyright (c) 2014, Legrandin <helderijs@gmail.com>
    7. 

  7. # All rights reserved.
    8. 

  8. #
    9. 

  9. # Redistribution and use in source and binary forms, with or without
    10. 

  10. # modification, are permitted provided that the following conditions
    11. 

  11. # are met:
    12. 

  12. #
    13. 

  13. # 1. Redistributions of source code must retain the above copyright
    14. 

  14. #    notice, this list of conditions and the following disclaimer.
    15. 

  15. # 2. Redistributions in binary form must reproduce the above copyright
    16. 

  16. #    notice, this list of conditions and the following disclaimer in
    17. 

  17. #    the documentation and/or other materials provided with the
    18. 

  18. #    distribution.
    19. 

  19. #
    20. 

  20. # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
    21. 

  21. # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
    22. 

  22. # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
    23. 

  23. # FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    24. 

  24. # COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
    25. 

  25. # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
    26. 

  26. # BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
    27. 

  27. # LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
    28. 

  28. # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    29. 

  29. # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
    30. 

  30. # ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    31. 

  31. # POSSIBILITY OF SUCH DAMAGE.
    32. 

  32. # ===================================================================
    33. 

  33. 

  34. __all__ = ['encode', 'decode']
    35. 

  35. 

  36. import re
    37. 

  37. from binascii import a2b_base64, b2a_base64, hexlify, unhexlify
    38. 

  38. 

  39. from Cryptodome.Hash import MD5
    40. 

  40. from Cryptodome.Util.Padding import pad, unpad
    41. 

  41. from Cryptodome.Cipher import DES, DES3, AES
    42. 

  42. from Cryptodome.Protocol.KDF import PBKDF1
    43. 

  43. from Cryptodome.Random import get_random_bytes
    44. 

  44. from Cryptodome.Util.py3compat import tobytes, tostr
    45. 

  45. 

  46. 

  47. def encode(data, marker, passphrase=None, randfunc=None):
    48. 

  48.     """Encode a piece of binary data into PEM format.
    49. 

  49. 

  50.     Args:
    51. 

  51.       data (byte string):
    52. 

  52.         The piece of binary data to encode.
    53. 

  53.       marker (string):
    54. 

  54.         The marker for the PEM block (e.g. "PUBLIC KEY").
    55. 

  55.         Note that there is no official master list for all allowed markers.
    56. 

  56.         Still, you can refer to the OpenSSL_ source code.
    57. 

  57.       passphrase (byte string):
    58. 

  58.         If given, the PEM block will be encrypted. The key is derived from
    59. 

  59.         the passphrase.
    60. 

  60.       randfunc (callable):
    61. 

  61.         Random number generation function; it accepts an integer N and returns
    62. 

  62.         a byte string of random data, N bytes long. If not given, a new one is
    63. 

  63.         instantiated.
    64. 

  64. 

  65.     Returns:
    66. 

  66.       The PEM block, as a string.
    67. 

  67. 

  68.     .. _OpenSSL: https://github.com/openssl/openssl/blob/master/include/openssl/pem.h
    69. 

  69.     """
    70. 

  70. 

  71.     if randfunc is None:
    72. 

  72.         randfunc = get_random_bytes
    73. 

  73. 

  74.     out = "-----BEGIN %s-----\n" % marker
    75. 

  75.     if passphrase:
    76. 

  76.         # We only support 3DES for encryption
    77. 

  77.         salt = randfunc(8)
    78. 

  78.         key = PBKDF1(passphrase, salt, 16, 1, MD5)
    79. 

  79.         key += PBKDF1(key + passphrase, salt, 8, 1, MD5)
    80. 

  80.         objenc = DES3.new(key, DES3.MODE_CBC, salt)
    81. 

  81.         out += "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,%s\n\n" %\
    82. 

  82.             tostr(hexlify(salt).upper())
    83. 

  83.         # Encrypt with PKCS#7 padding
    84. 

  84.         data = objenc.encrypt(pad(data, objenc.block_size))
    85. 

  85.     elif passphrase is not None:
    86. 

  86.         raise ValueError("Empty password")
    87. 

  87. 

  88.     # Each BASE64 line can take up to 64 characters (=48 bytes of data)
    89. 

  89.     # b2a_base64 adds a new line character!
    90. 

  90.     chunks = [tostr(b2a_base64(data[i:i + 48]))
    91. 

  91.               for i in range(0, len(data), 48)]
    92. 

  92.     out += "".join(chunks)
    93. 

  93.     out += "-----END %s-----" % marker
    94. 

  94.     return out
    95. 

  95. 

  96. 

  97. def decode(pem_data, passphrase=None):
    98. 

  98.     """Decode a PEM block into binary.
    99. 

  99. 

  100.     Args:
    101. 

  101.       pem_data (string):
    102. 

  102.         The PEM block.
    103. 

  103.       passphrase (byte string):
    104. 

  104.         If given and the PEM block is encrypted,
    105. 

  105.         the key will be derived from the passphrase.
    106. 

  106. 

  107.     Returns:
    108. 

  108.       A tuple with the binary data, the marker string, and a boolean to
    109. 

  109.       indicate if decryption was performed.
    110. 

  110. 

  111.     Raises:
    112. 

  112.       ValueError: if decoding fails, if the PEM file is encrypted and no passphrase has
    113. 

  113.                   been provided or if the passphrase is incorrect.
    114. 

  114.     """
    115. 

  115. 

  116.     # Verify Pre-Encapsulation Boundary
    117. 

  117.     r = re.compile(r"\s*-----BEGIN (.*)-----\s+")
    118. 

  118.     m = r.match(pem_data)
    119. 

  119.     if not m:
    120. 

  120.         raise ValueError("Not a valid PEM pre boundary")
    121. 

  121.     marker = m.group(1)
    122. 

  122. 

  123.     # Verify Post-Encapsulation Boundary
    124. 

  124.     r = re.compile(r"-----END (.*)-----\s*$")
    125. 

  125.     m = r.search(pem_data)
    126. 

  126.     if not m or m.group(1) != marker:
    127. 

  127.         raise ValueError("Not a valid PEM post boundary")
    128. 

  128. 

  129.     # Removes spaces and slit on lines
    130. 

  130.     lines = pem_data.replace(" ", '').split()
    131. 

  131. 

  132.     # Decrypts, if necessary
    133. 

  133.     if lines[1].startswith('Proc-Type:4,ENCRYPTED'):
    134. 

  134.         if not passphrase:
    135. 

  135.             raise ValueError("PEM is encrypted, but no passphrase available")
    136. 

  136.         DEK = lines[2].split(':')
    137. 

  137.         if len(DEK) != 2 or DEK[0] != 'DEK-Info':
    138. 

  138.             raise ValueError("PEM encryption format not supported.")
    139. 

  139.         algo, salt = DEK[1].split(',')
    140. 

  140.         salt = unhexlify(tobytes(salt))
    141. 

  141.         if algo == "DES-CBC":
    142. 

  142.             # This is EVP_BytesToKey in OpenSSL
    143. 

  143.             key = PBKDF1(passphrase, salt, 8, 1, MD5)
    144. 

  144.             objdec = DES.new(key, DES.MODE_CBC, salt)
    145. 

  145.         elif algo == "DES-EDE3-CBC":
    146. 

  146.             # Note that EVP_BytesToKey is note exactly the same as PBKDF1
    147. 

  147.             key = PBKDF1(passphrase, salt, 16, 1, MD5)
    148. 

  148.             key += PBKDF1(key + passphrase, salt, 8, 1, MD5)
    149. 

  149.             objdec = DES3.new(key, DES3.MODE_CBC, salt)
    150. 

  150.         elif algo == "AES-128-CBC":
    151. 

  151.             key = PBKDF1(passphrase, salt[:8], 16, 1, MD5)
    152. 

  152.             objdec = AES.new(key, AES.MODE_CBC, salt)
    153. 

  153.         else:
    154. 

  154.             raise ValueError("Unsupport PEM encryption algorithm (%s)." % algo)
    155. 

  155.         lines = lines[2:]
    156. 

  156.     else:
    157. 

  157.         objdec = None
    158. 

  158. 

  159.     # Decode body
    160. 

  160.     data = a2b_base64(''.join(lines[1:-1]))
    161. 

  161.     enc_flag = False
    162. 

  162.     if objdec:
    163. 

  163.         data = unpad(objdec.decrypt(data), objdec.block_size)
    164. 

  164.         enc_flag = True
    165. 

  165. 

  166.     return (data, marker, enc_flag)
    167.