[Python-modules-commits] [python-pskc] 01/07: Import python-pskc_1.0.orig.tar.gz

Arthur de Jong adejong at moszumanska.debian.org
Sun Dec 31 15:10:46 UTC 2017


This is an automated email from the git hooks/post-receive script.

adejong pushed a commit to branch master
in repository python-pskc.

commit 5227f23cea2c68d6cafb61db17f4f9eb5637b197
Author: Arthur de Jong <adejong at debian.org>
Date:   Fri Dec 29 20:53:32 2017 +0100

    Import python-pskc_1.0.orig.tar.gz
---
 ChangeLog                                          |  359 ++++++
 MANIFEST.in                                        |    4 +-
 NEWS                                               |   25 +
 PKG-INFO                                           |   66 +-
 README                                             |   23 +-
 docs/conf.py                                       |   14 +-
 docs/encryption.rst                                |   46 +-
 docs/exceptions.rst                                |    3 +
 docs/index.rst                                     |    1 +
 docs/mac.rst                                       |   42 +-
 docs/policy.rst                                    |    2 +-
 docs/pskc2csv.rst                                  |   65 ++
 docs/signatures.rst                                |  114 ++
 docs/usage.rst                                     |   19 +-
 pskc/__init__.py                                   |    5 +-
 pskc/algorithms.py                                 |   77 +-
 pskc/crypto/__init__.py                            |   19 +-
 pskc/crypto/aeskw.py                               |   44 +-
 pskc/crypto/tripledeskw.py                         |   51 +-
 pskc/encryption.py                                 |  189 ++-
 pskc/exceptions.py                                 |   11 +-
 pskc/key.py                                        |  174 +--
 pskc/mac.py                                        |   62 +-
 pskc/parser.py                                     |  180 ++-
 pskc/policy.py                                     |   27 +-
 pskc/serialiser.py                                 |  109 +-
 pskc/signature.py                                  |  137 +++
 pskc/xml.py                                        |   89 +-
 pskc2csv.py                                        |   63 +-
 python_pskc.egg-info/PKG-INFO                      |   66 +-
 python_pskc.egg-info/SOURCES.txt                   |   39 +-
 python_pskc.egg-info/requires.txt                  |   11 +-
 setup.cfg                                          |    8 +-
 setup.py                                           |   19 +-
 tests/actividentity/test.pskcxml                   |   34 +
 tests/certificate/README                           |   29 +
 tests/certificate/ca-certificate.pem               |   20 +
 tests/certificate/ca-key.pem                       |   28 +
 tests/certificate/certificate.pem                  |   18 +
 tests/certificate/key.pem                          |   28 +
 tests/certificate/request.pem                      |   16 +
 tests/certificate/ss-certificate.pem               |   20 +
 .../non-encrypted.pskcxml                          |   41 +
 .../password-encrypted.pskcxml                     |   45 +
 .../non-encrypted.pskcxml                          |   42 +
 .../password-encrypted.pskcxml                     |   45 +
 tests/encryption/camellia128-cbc.pskcxml           |   38 +
 tests/encryption/camellia192-cbc.pskcxml           |   38 +
 tests/encryption/camellia256-cbc.pskcxml           |   38 +
 tests/encryption/kw-camellia128.pskcxml            |   29 +
 tests/encryption/kw-camellia192.pskcxml            |   29 +
 tests/encryption/kw-camellia256.pskcxml            |   29 +
 tests/misc/partialxml.pskcxml                      |   23 +
 tests/multiotp/pskc-hotp-aes.txt                   |   85 ++
 tests/multiotp/pskc-hotp-pbe.txt                   |   65 ++
 tests/multiotp/pskc-totp-aes.txt                   |  145 +++
 tests/multiotp/pskc-totp-pbe.txt                   |   62 +
 tests/multiotp/tokens_hotp_aes.pskc                |   80 ++
 tests/multiotp/tokens_hotp_pbe.pskc                |   62 +
 tests/multiotp/tokens_ocra_aes.pskc                | 1216 ++++++++++++++++++++
 tests/multiotp/tokens_ocra_pbe.pskc                |   53 +
 tests/multiotp/tokens_totp_aes.pskc                |   98 ++
 tests/multiotp/tokens_totp_pbe.pskc                |   71 ++
 tests/rfc6030/figure9.pskcxml                      |    9 +-
 tests/test_actividentity.doctest                   |    2 +-
 tests/test_aeskw.doctest                           |    8 +-
 tests/test_crypto.doctest                          |   76 --
 ...eyprov_portable_symmetric_key_container.doctest |  180 +++
 tests/test_draft_ietf_keyprov_pskc_02.doctest      |   17 +-
 tests/test_encryption.doctest                      |   70 +-
 tests/test_invalid.doctest                         |   12 +-
 tests/test_mac.doctest                             |  129 +++
 tests/test_misc.doctest                            |   29 +-
 tests/test_multiotp.doctest                        |   75 ++
 tests/test_pskc2csv.doctest                        |  185 +++
 tests/test_rfc6030.doctest                         |   27 +-
 tests/test_signature.doctest                       |  219 ++++
 tests/test_write.doctest                           |   50 +-
 tests/test_yubico.doctest                          |    8 +-
 tox.ini                                            |   39 +
 80 files changed, 5222 insertions(+), 603 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b39deaa..11c622f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,362 @@
+2017-12-29  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [2651e80] tests/test_write.doctest: Not all XML serialisers
+	  write namespaces in same order
+
+	  This ignores the namespace declarations in the generated XML
+	  files because not all implementations on all environments write
+	  these in the same order.
+
+2017-12-29  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [44b1353] docs/conf.py, setup.cfg, tox.ini: Add Sphinx
+	  documentation checks
+
+	  This also slightly tunes the way Sphinx documentation is built.
+
+2017-12-15  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [42be53b] pskc2csv.py, tox.ini: Add support for PyPy
+
+2017-12-15  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [660ed65] setup.py, tox.ini: Add support for Python 3.7
+
+2017-12-15  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [9cd97c9] README, setup.py: Use README as package long description
+
+2017-12-15  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [20bf9c5] docs/encryption.rst, pskc/encryption.py, pskc2csv.py,
+	  tests/test_rfc6030.doctest: Add an is_encrypted property
+
+	  This property can be use to see whether the PSKC file needs an
+	  additional pre-shared key or passphrase to decrypt any stored
+	  information.
+
+2017-12-27  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [c365a70] : Implement XML signature checking
+
+2017-12-17  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [418f3dc] docs/encryption.rst, docs/index.rst, docs/mac.rst,
+	  docs/signatures.rst, docs/usage.rst: Add documentation for signed
+	  PSKC files
+
+2017-12-23  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [a97ac46] pskc/parser.py, pskc/serialiser.py,
+	  pskc/signature.py, pskc/xml.py, setup.py,
+	  tests/certificate/README, tests/certificate/ca-certificate.pem,
+	  tests/certificate/ca-key.pem, tests/certificate/certificate.pem,
+	  tests/certificate/key.pem, tests/certificate/request.pem,
+	  tests/certificate/ss-certificate.pem,
+	  tests/rfc6030/figure9.pskcxml,
+	  tests/test_draft_ietf_keyprov_pskc_02.doctest,
+	  tests/test_rfc6030.doctest, tests/test_signature.doctest, tox.ini:
+	  Implement signature checking
+
+	  This adds support for creating and verifying embedded XML
+	  signatures in PSKC files. This uses the third-party signxml
+	  library for actual signing and verification.
+
+	  The signxml library has a dependency on lxml and defusedxml
+	  (and a few others) but all parts of python-pskc still work
+	  correctly with our without lxml and/or defusedxml and signxml
+	  is only required when working with embedded signatures.
+
+	  This modifies the tox configuration to skip the signature
+	  checks if singxml is not installed and to only require 100%
+	  code coverage if the signature tests are done.
+
+2017-12-15  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [c0bd21f] pskc/xml.py: Move namespace moving to own function
+
+2017-09-22  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [ea503d6] pskc/__init__.py, pskc/parser.py, pskc/signature.py,
+	  tests/test_draft_ietf_keyprov_pskc_02.doctest,
+	  tests/test_rfc6030.doctest: Implement basic parsing of signature
+	  properties
+
+2017-12-23  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [fcc6cdb] pskc2csv.py: Explicitly close output file in pskc2csv
+
+	  This ensures that the file descriptor is closed if we opened
+	  the file.  This is not a big problem for the script (because
+	  the script exists anyway) but causes problems for the tests.
+
+2017-12-18  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [052f5bc] docs/policy.rst, pskc/parser.py,
+	  pskc/policy.py, pskc/serialiser.py, tests/test_misc.doctest,
+	  tests/test_write.doctest: Fix typo in pin_max_failed_attempts
+	  attribute
+
+	  This makes the old name (pin_max_failed_attemtps) available as
+	  a deprecated property.
+
+2017-12-15  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [6f0ca70] pskc/parser.py,
+	  tests/draft-hoyer-keyprov-portable-symmetric-key-container-00/non-encrypted.pskcxml,
+	  tests/draft-hoyer-keyprov-portable-symmetric-key-container-00/password-encrypted.pskcxml,
+	  tests/draft-hoyer-keyprov-portable-symmetric-key-container-01/non-encrypted.pskcxml,
+	  tests/draft-hoyer-keyprov-portable-symmetric-key-container-01/password-encrypted.pskcxml,
+	  tests/test_draft_hoyer_keyprov_portable_symmetric_key_container.doctest:
+	  Add limited support for very old draft PSKC versions
+
+	  This adds basic support for parsing the PSKC files as specified
+	  in draft-hoyer-keyprov-portable-symmetric-key-container-00 and
+	  draft-hoyer-keyprov-portable-symmetric-key-container-01.
+
+	  It should be able to extract secrets, counters, etc. but not
+	  all properties from the PSKC file are supported.
+
+	  It is speculated that this format resembles the "Verisign PSKC
+	  format" that some applications produce.
+
+2016-09-19  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [9b85634] tests/multiotp/pskc-hotp-aes.txt,
+	  tests/multiotp/pskc-hotp-pbe.txt, tests/multiotp/pskc-totp-aes.txt,
+	  tests/multiotp/pskc-totp-pbe.txt,
+	  tests/multiotp/tokens_hotp_aes.pskc,
+	  tests/multiotp/tokens_hotp_pbe.pskc,
+	  tests/multiotp/tokens_ocra_aes.pskc,
+	  tests/multiotp/tokens_ocra_pbe.pskc,
+	  tests/multiotp/tokens_totp_aes.pskc,
+	  tests/multiotp/tokens_totp_pbe.pskc, tests/test_multiotp.doctest:
+	  Add test files from multiOTP
+
+	  This adds tests for parsing the files that are shipped as part
+	  of the multiOTP test suite.
+
+	  https://www.multiotp.net/
+
+2017-12-15  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [01507af] pskc/key.py, pskc/parser.py, pskc/serialiser.py,
+	  tests/misc/partialxml.pskcxml, tests/test_misc.doctest,
+	  tests/test_write.doctest: Refactor internal storate of encrypted
+	  values
+
+	  This changes the way encrypted values are stored internally before
+	  being decrypted. For example, the internal _secret property can now
+	  be a decrypted plain value or an EncryptedValue instance instead
+	  of always being a DataType, simplifying some things (e.g. all
+	  XML encoding/decoding is now done in the corresponding module).
+
+	  This should not change the public API but does have consequences
+	  for those who use custom serialisers or parsers.
+
+2017-12-13  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [dcf1919] pskc/crypto/aeskw.py, pskc/encryption.py,
+	  tests/encryption/kw-camellia128.pskcxml,
+	  tests/encryption/kw-camellia192.pskcxml,
+	  tests/encryption/kw-camellia256.pskcxml,
+	  tests/test_encryption.doctest: Add support for KW-Camellia suite
+	  of algorithms
+
+2017-12-13  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [364e93d] pskc/encryption.py,
+	  tests/encryption/camellia128-cbc.pskcxml,
+	  tests/encryption/camellia192-cbc.pskcxml,
+	  tests/encryption/camellia256-cbc.pskcxml,
+	  tests/test_encryption.doctest: Add support for Camellia-CBC
+	  suite of algorithms
+
+2017-10-11  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [4c5e046] docs/conf.py, docs/pskc2csv.rst, setup.cfg: Add a
+	  manual page for pskc2csv
+
+2017-10-09  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [25cb2fc] setup.cfg: Ignore missing docstring in __init__ in flake
+
+2017-09-30  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [225e569] pskc/crypto/__init__.py, pskc/crypto/aeskw.py,
+	  pskc/crypto/tripledeskw.py, pskc/encryption.py,
+	  pskc/mac.py, setup.cfg, setup.py, tests/test_crypto.doctest,
+	  tests/test_encryption.doctest, tox.ini: Replace pycrypto with
+	  cryptography
+
+	  The cryptography library is better supported.
+
+	  This uses the functions from cryptography for AES and Triple
+	  DES encryption, replaces the (un)padding functions that were
+	  previously implemented in python-pskc with cryptography and uses
+	  PBKDF2 implementation from hashlib.
+
+2017-09-30  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [5dff7d4] pskc/encryption.py: Use PBKDF2 from hashlib
+
+	  This uses pbkdf2_hmac() from hashlib for the PBKDF2 calculation.
+	  The downside of this is that this function is only available
+	  since Python 2.7.8.
+
+2017-09-30  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [2c8a9b7] pskc/crypto/aeskw.py, pskc/crypto/tripledeskw.py,
+	  pskc/encryption.py, pskc/mac.py, tests/test_aeskw.doctest,
+	  tests/test_write.doctest: Replace use of pycrypto utility functions
+
+	  This uses os.urandom() as a source for random data and replaces
+	  other utility functions. This also removes one import for getting
+	  the lengths of Tripple DES keys.
+
+2017-09-24  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [d0eddf8] pskc/serialiser.py, pskc/xml.py,
+	  tests/test_write.doctest: Implement our own XML formatting
+
+	  This avoids a using xml.dom.minidom to indent the XML tree and
+	  keep the attributes ordered alphabetically. This also allows
+	  for customisations to the XML formatting.
+
+2017-09-24  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [4ed4e11] tests/test_mac.doctest: Support hashlib from Python 2.7.3
+
+	  Some Python versions don't have the algorithms_available property
+	  but do have the algorithms property in hashlib.
+
+2017-09-24  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [b90faeb] pskc/xml.py, setup.py, tox.ini: Use defusedxml if
+	  available
+
+	  This uses the defusedxml library if available to defend agains
+	  a number of XML-based attacks.
+
+2017-09-23  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [7272e54] pskc/serialiser.py, tests/test_write.doctest: Fix bug
+	  in saving PBKDF2 salt on Python3
+
+	  The PBKDF2 salt was saved in the wrong way (b'base64encodeddata'
+	  instead of base64encodeddata) when using Python 3. This fixes
+	  that problem and tests that saving and loading of a file that
+	  uses PBKDF2 key derivation works.
+
+2017-09-23  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [cd33833] pskc2csv.py, setup.cfg, tests/test_pskc2csv.doctest:
+	  Add tests for the pskc2csv script
+
+	  This makes minor changes to the pskc2csv script to make it more
+	  easily testable.
+
+2017-09-22  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [6028b8e] pskc2csv.py: Support adding custom CSV file headers
+
+	  This allows adding an optional label to the --columns option that
+	  can be used to output a label different from the key property
+	  name in the CSV file header.
+
+2017-09-20  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [eef681b] pskc2csv.py: Add --secret-encoding option to pskc2csv
+
+	  This option can be used to configure the encoding of the secret
+	  in the CSV file (still hex by default).
+
+2017-09-20  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [6f78dd6] pskc/__init__.py, pskc/crypto/aeskw.py,
+	  pskc/crypto/tripledeskw.py, pskc/exceptions.py, pskc/mac.py,
+	  pskc/parser.py, pskc/policy.py, pskc/serialiser.py, setup.cfg,
+	  tox.ini: Run flake8 from tox
+
+	  This also makes a few small code formatting changes to ensure
+	  that the flake8 tests pass.
+
+2017-09-11  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [cc3acc2] tox.ini: Simplify Tox configuration
+
+2017-06-10  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [0c00c80] pskc/__init__.py, pskc/encryption.py, pskc/parser.py,
+	  pskc/serialiser.py, pskc/xml.py, pskc2csv.py: Various minor code
+	  style improvements
+
+2017-06-10  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [510e6a5] pskc/encryption.py, pskc/parser.py: Normalise key
+	  derivation algorithms
+
+	  This makes KeyDerivation.algorithm and KeyDerivation.pbkdf2_prf
+	  properties automatically normalise assigned values.
+
+2017-06-10  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [d72e6cc] pskc/xml.py: Switch to using non-deprecated method
+
+	  This uses ElementTree.iter() instead of ElementTree.getiterator()
+	  for going over all the child elements in the tree because the
+	  latter is deprecated.
+
+2017-06-10  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [7b106ff] docs/usage.rst, pskc/key.py, tests/test_yubico.doctest:
+	  Provide Key.userid convenience property
+
+	  This provides a read-only userid property on Key objects that uses
+	  the key_userid or device_userid value, whichever one is defined.
+
+2017-06-09  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [f0d2991] docs/conf.py, docs/encryption.rst, docs/exceptions.rst,
+	  docs/mac.rst: Document supported encryption and MAC algorithms
+
+	  This also includes a few other small documentation improvements.
+
+2017-06-09  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [8b8848d] pskc/encryption.py, pskc/mac.py,
+	  tests/test_invalid.doctest, tests/test_mac.doctest: Refactor
+	  MAC lookups
+
+	  This switches to using the hashlib.new() function to be able to use
+	  all hashes that are available in Python (specifically RIPEMD160).
+
+	  This also adds a number of tests for HMACs using test vectors
+	  from RFC 2202, RFC 4231 and RFC 2857.
+
+2017-06-09  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [e10f9c6] pskc/algorithms.py: Handle more algortihm URIs
+
+	  This adds a number of algorithm URIs defined in RFC 6931 and also
+	  simplifies the definition of the list of URIs. It also adds more
+	  aliases for algorithms.
+
+2017-01-25  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [1fc1a03] README, docs/usage.rst, setup.py: Switch URLs to HTTPS
+
+2017-01-21  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [8de25c2] tests/actividentity/test.pskcxml,
+	  tests/test_actividentity.doctest: Correct name of ActivIdentity
+	  test file
+
+2017-01-21  Arthur de Jong <arthur at arthurdejong.org>
+
+	* [5889df7] ChangeLog, NEWS, README, docs/conf.py, pskc/__init__.py,
+	  pskc2csv.py, setup.py: Get files ready for 0.5 release
+
 2017-01-15  Arthur de Jong <arthur at arthurdejong.org>
 
 	* [29a183d] tests/test_feitian.doctest, tests/test_nagraid.doctest:
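Review bot: the [c365a70] entry (2017-12-27, "Implement XML signature checking") has an empty file list after the hash, unlike every other entry in this hunk, which looks like a merge commit passing through the ChangeLog generator; either filter merges out or list the merged paths. The added entries are also not in date order (2017-12-15 is followed by 2017-12-27, 2017-12-17 and 2017-12-23), and several carry spelling slips that end up in the release tarball: "can be use", "with our without", "singxml", "script exists anyway", "storate", "Tripple DES", "avoids a using", "agains", "algortihm".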
diff --git a/MANIFEST.in b/MANIFEST.in
index 6eb0c88..1510480 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,3 +1,3 @@
-include README NEWS ChangeLog COPYING *.py
-recursive-include tests *.doctest *.py *.pskcxml *.xml
+include README NEWS ChangeLog COPYING tox.ini *.py
+recursive-include tests *.doctest *.py *.pskcxml *.xml *.pem *.txt *.pskc README
 recursive-include docs *.rst *.py
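Review bot: the new `*.pem` pattern on the `recursive-include tests` line pulls tests/certificate/ca-key.pem and tests/certificate/key.pem (both listed in the diffstat) into every sdist, so private keys ship in the release tarball. That is acceptable for throwaway test fixtures, but confirm that tests/certificate/README states plainly that these keys exist only for the test suite and must never be trusted, so that secret scanners and downstream packagers have something to point to.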
diff --git a/NEWS b/NEWS
index 69459af..e8f7aa2 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,28 @@
+changes from 0.5 to 1.0
+-----------------------
+
+* fix a bug in writing passphrase encrypted PSKC files on Python3
+* fix a typo in the pin_max_failed_attempts attribute (the old name is
+  available as a deprecated property)
+* switch from pycrypto to cryptography as provider for encryption functions
+  because the latter is better supported
+* switch to using the PBKDF2 implementation from hashlib which requires
+  Python 2.7.8 or newer
+* use defusedxml when available (python-pskc now supports both standard
+  xml.etree and lxml with and without defusedxml)
+* support checking and generating embedded XML signatures (this requires the
+  signxml library which is not required for any other operations)
+* add limited support for very old draft PSKC versions (it is speculated that
+  this resembles the "Verisign PSKC format" that some applications produce)
+* support Camellia-CBC and KW-Camellia encryption algorithms
+* support any hashing algorithm available in Python
+* add a --secret-encoding option to pskc2csv to allow base64 encoded binary
+  output
+* support naming the CSV column headers in pskc2csv
+* add a manual page for pskc2csv
+* a number of documentation, code style and test suite improvements
+
+
 changes from 0.4 to 0.5
 -----------------------
 
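Review bot: the "use defusedxml when available" item does not say what happens when the library is absent. The ChangeLog entry for [b90faeb] describes defusedxml as the defence against a number of XML-based attacks, so the silent fallback to plain xml.etree or lxml is the weaker configuration for anyone parsing PSKC files from untrusted sources; NEWS should say so and recommend installing defusedxml in that case. The PBKDF2 item also raises the minimum to Python 2.7.8, which drops the Python 2.6 support named in the README text this commit removes; list that as a dropped platform rather than leaving it implied.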
diff --git a/PKG-INFO b/PKG-INFO
index 2b22cb0..b2344d7 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,22 +1,36 @@
 Metadata-Version: 1.1
 Name: python-pskc
-Version: 0.5
+Version: 1.0
 Summary: Python module for handling PSKC files
-Home-page: http://arthurdejong.org/python-pskc/
+Home-page: https://arthurdejong.org/python-pskc/
 Author: Arthur de Jong
 Author-email: arthur at arthurdejong.org
 License: LGPL
+Description-Content-Type: UNKNOWN
 Description: Python module for handling PSKC files
+        =====================================
         
-        This Python library handles Portable Symmetric Key Container (PSKC) files as
-        defined in RFC 6030. PSKC files are used to transport and provision symmetric
-        keys (seed files) to different types of crypto modules, commonly one-time
-        password tokens or other authentication devices.
+        A Python module to handle Portable Symmetric Key Container (PSKC) files as
+        defined in `RFC 6030 <https://tools.ietf.org/html/rfc6030>`_. PSKC files are
+        used to transport and provision symmetric keys and key meta data (seed files)
+        to different types of crypto modules, commonly one-time password systems or
+        other authentication devices.
         
         This module can be used to extract keys from PSKC files for use in an OTP
         authentication system. The module can also be used for authoring PSKC files.
         
-        The following prints all keys, decrypting using a password:
+        This module should be able to handle most common PSKC files.
+        
+        https://arthurdejong.org/python-pskc/
+        
+        
+        API
+        ---
+        
+        The module provides a straightforward API that is mostly geared towards
+        parsing existing PSKC files.
+        
+        Extracting key material from encrypted PSKC files is as simple as:
         
         >>> from pskc import PSKC
         >>> pskc = PSKC('tests/rfc6030/figure7.pskcxml')
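Review bot: the added `Description-Content-Type: UNKNOWN` field sits above a description that is clearly reStructuredText (the `=====` title underline and the `RFC 6030 <...>`_ link). Setting `long_description_content_type='text/x-rst'` in setup.py would make the generated field accurate instead of UNKNOWN.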
@@ -25,7 +39,7 @@ Description: Python module for handling PSKC files
         ...     print('%s %s' % (key.serial, str(key.secret.decode())))
         987654321 12345678901234567890
         
-        The following generates an encrypted PSKC file:
+        Writing am encrypted PSKC file is as simple as:
         
         >>> pskc = PSKC()
         >>> key = pskc.add_key(
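Review bot: the added line "Writing am encrypted PSKC file is as simple as:" has a typo, "am" for "an". The same sentence appears as unchanged context in the README hunk, so the fix belongs in README, from which this description is generated.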
@@ -34,11 +48,42 @@ Description: Python module for handling PSKC files
         >>> pskc.encryption.setup_pbkdf2('passphrase')
         >>> pskc.write('output.pskcxml')
         
-        The module should be able to handle most common PSKC files.
+        The key object has a number of properties. See the pskc.key.Key documentation
+        for details.
+        
+        
+        Security considerations
+        -----------------------
+        
+        This code handles private key material and is written in Python. No
+        precautions have been taken to lock pages in memory to prevent swapping. Also
+        no attempt is currently made to securely dispose of memory that may have held
+        private key material.
+        
+        
+        Copyright
+        ---------
+        
+        Copyright (C) 2014-2017 Arthur de Jong
+        
+        This library is free software; you can redistribute it and/or
+        modify it under the terms of the GNU Lesser General Public
+        License as published by the Free Software Foundation; either
+        version 2.1 of the License, or (at your option) any later version.
+        
+        This library is distributed in the hope that it will be useful,
+        but WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+        Lesser General Public License for more details.
+        
+        You should have received a copy of the GNU Lesser General Public
+        License along with this library; if not, write to the Free Software
+        Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+        02110-1301 USA
         
 Keywords: PSKC,RFC 6030,key container
 Platform: UNKNOWN
-Classifier: Development Status :: 4 - Beta
+Classifier: Development Status :: 4 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: Intended Audience :: Information Technology
 Classifier: Intended Audience :: System Administrators
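Review bot: `Development Status :: 4 - Production/Stable` on the changed Classifier line is not a valid trove classifier, because the number and the name are a fixed pair: it is either `4 - Beta` (the old value) or `5 - Production/Stable`. For a 1.0 release the intended value is presumably `Development Status :: 5 - Production/Stable`; fix it in setup.py, since PKG-INFO is generated from there.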
@@ -51,6 +96,7 @@ Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.4
 Classifier: Programming Language :: Python :: 3.5
 Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
 Classifier: Topic :: Security :: Cryptography
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
diff --git a/README b/README
index 3b70159..9384b1d 100644
--- a/README
+++ b/README
@@ -1,16 +1,18 @@
-Python PSKC module
-==================
+Python module for handling PSKC files
+=====================================
 
 A Python module to handle Portable Symmetric Key Container (PSKC) files as
 defined in `RFC 6030 <https://tools.ietf.org/html/rfc6030>`_. PSKC files are
 used to transport and provision symmetric keys and key meta data (seed files)
-to different types of crypto modules, commonly one-time password tokens or
+to different types of crypto modules, commonly one-time password systems or
 other authentication devices.
 
 This module can be used to extract keys from PSKC files for use in an OTP
 authentication system. The module can also be used for authoring PSKC files.
 
-http://arthurdejong.org/python-pskc/
+This module should be able to handle most common PSKC files.
+
+https://arthurdejong.org/python-pskc/
 
 
 API
@@ -25,7 +27,7 @@ Extracting key material from encrypted PSKC files is as simple as:
 >>> pskc = PSKC('tests/rfc6030/figure7.pskcxml')
 >>> pskc.encryption.derive_key('qwerty')
 >>> for key in pskc.keys:
-...     print key.serial, key.secret
+...     print('%s %s' % (key.serial, str(key.secret.decode())))
 987654321 12345678901234567890
 
 Writing am encrypted PSKC file is as simple as:
@@ -46,7 +48,7 @@ Security considerations
 
 This code handles private key material and is written in Python. No
 precautions have been taken to lock pages in memory to prevent swapping. Also
-no attempt is currently made to security dispose of memory that may have held
+no attempt is currently made to securely dispose of memory that may have held
 private key material.
 
 
@@ -69,12 +71,3 @@ You should have received a copy of the GNU Lesser General Public
 License along with this library; if not, write to the Free Software
 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 02110-1301 USA
-
-
-Development notes
------------------
-
-This package should use a mostly standard source code layout and support both
-Python 2 (2.6 but 2.7 is recommended) and Python 3 (most recent versions
-should work). The tests can be run with nosetests and the aim is to have
-maximum code coverage.
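Review bot: removing the "Development notes" section drops the only statement in README of which Python versions are supported and how the tests are run, and nothing replaces it. Since NEWS now requires Python 2.7.8 or newer and this commit adds tox.ini, a short replacement naming the supported versions and the tox invocation would keep that information from disappearing.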
diff --git a/docs/conf.py b/docs/conf.py
index d7ad826..4ddee2b 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -28,8 +28,8 @@ import pskc
 # Add any Sphinx extension module names here, as strings. They can be extensions
 # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
 extensions = [
-     'sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.todo',
-     'sphinx.ext.coverage', 'sphinx.ext.autosummary'
+     'sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.coverage',
+     'sphinx.ext.intersphinx',
 ]
 
 # Add any paths that contain templates here, relative to this directory.
@@ -132,7 +132,7 @@ html_theme = 'default'
 
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
-html_last_updated_fmt = '%b %d, %Y'
+html_last_updated_fmt = '%Y-%m-%d'
 
 # If true, SmartyPants will be used to convert quotes and dashes to
 # typographically correct entities.
@@ -172,7 +172,7 @@ html_show_sourcelink = False
 #html_file_suffix = None
 
 # Suffix for generated links to HTML files.
-#html_link_suffix = ''
+html_link_suffix = ''
 
 # Output file base name for HTML help builder.
 htmlhelp_basename = 'python-pskcdoc'
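Review bot: uncommenting `html_link_suffix = ''` makes Sphinx emit links without the `.html` extension, so the built pages only navigate correctly behind a web server that maps extensionless URLs to the files. If that is meant for the project website, say so in a comment or apply it only for that build; anyone browsing a local or packaged build from disk gets broken links.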
@@ -183,9 +183,11 @@ htmlhelp_basename = 'python-pskcdoc'
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    ('index', 'python-pskc', u'python-pskc Documentation',
+    ('pskc2csv', 'pskc2csv', u'Convert a PSKC file to CSV',
      [u'Arthur de Jong'], 1)
 ]
 
 # If true, show URL addresses after external links.
-#man_show_urls = False
+man_show_urls = True
+
+intersphinx_mapping = {'python': ('https://docs.python.org/3', None)}
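Review bot: the added `intersphinx_mapping` with `('https://docs.python.org/3', None)` makes every documentation build fetch an inventory from docs.python.org, which fails or stalls on build hosts without network access and makes the output depend on a remote resource. Consider making the mapping optional, or pointing the second tuple element at a local inventory file for offline builds.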
diff --git a/docs/encryption.rst b/docs/encryption.rst
index 59242dd..a6e26d1 100644
--- a/docs/encryption.rst
+++ b/docs/encryption.rst
@@ -52,10 +52,20 @@ The Encryption class
 
    .. attribute:: algorithm
 
-      A URI of the encryption algorithm used. Setting a value for this
-      attribute will result in an attempt to use the canonical URI for this
-      algorithm. For instance setting a `3DES-CBC` value will automatically
-      be converted to `http://www.w3.org/2001/04/xmlenc#aes128-cbc`.
+      A URI of the encryption algorithm used. See the section
+      :ref:`encryption-algorithms` below for a list of algorithms URIs.
+
+      Assigned values to this attribute will be converted to the canonical
+      URI for the algorithm if it is known. For instance, the value
+      ``3DES-CBC`` will automatically be converted into
+      ``http://www.w3.org/2001/04/xmlenc#tripledes-cbc``.
+
+
+   .. attribute:: is_encrypted
+
+      An indicator of whether the PSKC file requires an additional pre-shared
+      key or passphrase to decrypt the contents of the file. Will be ``True``
+      if a key or passphrase is needed, ``False`` otherwise.
 
    .. attribute:: key_names
 
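Review bot: the new `is_encrypted` description does not say whether the value changes once a key or passphrase has been supplied (for example after `derive_key()`), so a caller cannot tell whether it means "the file is encrypted" or "a key is still needed"; state which one it is. Two wording slips in the added `algorithm` text as well: "a list of algorithms URIs" should be "algorithm URIs", and "Assigned values to this attribute" reads better as "Values assigned to this attribute".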
@@ -95,7 +105,7 @@ The Encryption class
 
       Configure pre-shared key encryption when writing the file.
 
-      :param binary key: the encryption key to use
+      :param bytes key: the encryption key to use
       :param str id: encryption key identifier
       :param str algorithm: encryption algorithm
       :param int key_length: encryption key length in bytes
@@ -128,7 +138,7 @@ The Encryption class
       :param str key_name: a name for the key
       :param list key_names: a number of names for the key
       :param list fields: a list of fields to encrypt
-      :param binary salt: PBKDF2 salt
+      :param bytes salt: PBKDF2 salt
       :param int salt_length: used when generating random salt
       :param int iterations: number of PBKDF2 iterations
       :param function prf: PBKDF2 pseudorandom function
@@ -138,3 +148,27 @@ The Encryption class
 
       By default 12000 iterations will be used and a random salt with the
       length of the to-be-generated encryption key will be used.
+
+
+.. _encryption-algorithms:
+
+Supported encryption algorithms
+-------------------------------
+
+The following encryption algorithms are currently supported by python-pskc.
+
++----------------------------------------------------+-----------------------------------------------------+
+| URI                                                | Description                                         |
++====================================================+=====================================================+
+| ``http://www.w3.org/2001/04/xmlenc#aes128-cbc``    | AES encryption in CBC mode with various key lengths |
+| ``http://www.w3.org/2001/04/xmlenc#aes192-cbc``    |                                                     |
+| ``http://www.w3.org/2001/04/xmlenc#aes256-cbc``    |                                                     |
++----------------------------------------------------+-----------------------------------------------------+
+| ``http://www.w3.org/2001/04/xmlenc#kw-aes128``     | AES key wrap with various key lengths               |
+| ``http://www.w3.org/2001/04/xmlenc#kw-aes192``     |                                                     |
+| ``http://www.w3.org/2001/04/xmlenc#kw-aes256``     |                                                     |
++----------------------------------------------------+-----------------------------------------------------+
+| ``http://www.w3.org/2001/04/xmlenc#tripledes-cbc`` | Triple DES (3DES) encryption in CBC mode            |
++----------------------------------------------------+-----------------------------------------------------+
+| ``http://www.w3.org/2001/04/xmlenc#kw-tripledes``  | Triple DES (3DES) key wrap                          |
++----------------------------------------------------+-----------------------------------------------------+
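Review bot: the new table does not say which of these algorithms need a separate MAC to detect tampering. docs/mac.rst in this same commit says `setup()` is called automatically "when the configured encryption algorithm requires a message authentication code", so a column or footnote marking those rows, and naming the default algorithm, would let readers choose without reading the code. It would also help to list the short names the `algorithm` attribute accepts, as only ``3DES-CBC`` is shown above.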
diff --git a/docs/exceptions.rst b/docs/exceptions.rst
index fbd8e7f..81a73b2 100644
--- a/docs/exceptions.rst
+++ b/docs/exceptions.rst
@@ -1,6 +1,9 @@
 Exceptions
 ==========
 
+The module and parser will try to interpret any provided PSKC files and will
+only raise exceptions on wildly invalid PSKC files.
+
 .. module:: pskc.exceptions
 
 .. exception:: PSKCError
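Review bot: "wildly invalid" in the added paragraph is too vague for a parser that handles key material. Please name what is tolerated (unknown elements, missing optional fields, and so on) and state explicitly whether failed decryption, MAC or signature checks fall under this leniency or always raise, so callers know which errors they must check for themselves.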
diff --git a/docs/index.rst b/docs/index.rst
index 66bcbee..4496de3 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -11,6 +11,7 @@ Contents
    usage
    encryption
    mac
+   signatures
    policy
    exceptions
    changes
diff --git a/docs/mac.rst b/docs/mac.rst
index 0e8e5d5..c9e7813 100644
--- a/docs/mac.rst
+++ b/docs/mac.rst
@@ -28,9 +28,13 @@ The MAC class
 
    .. attribute:: algorithm
 
-      The name of the MAC algorithm to use (currently ``HMAC-MD5``,
-      ``HMAC-SHA1``, ``HMAC-SHA224``, ``HMAC-SHA256``, ``HMAC-SHA384`` and
-      ``HMAC-SHA512`` are supported).
+      A URI of the MAC algorithm used for message authentication. See the
+      section :ref:`mac-algorithms` below for a list of algorithm URIs.
+
+      Assigned values to this attribute will be converted to the canonical
+      URI for the algorithm if it is known. For instance, the value
+      ``HMAC-SHA-256`` will automatically be converted into
+      ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha256``.
 
    .. attribute:: key
 
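Review bot: the conversion example uses ``HMAC-SHA-256`` while the removed text spelled the names without the second hyphen (``HMAC-SHA256``); the description should state which short forms are accepted, or point to where they are listed, and what happens to a value that is not recognised ("if it is known" implies it is stored unchanged). "Assigned values to this attribute" would also read better as "Values assigned to this attribute".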
@@ -41,11 +45,39 @@ The MAC class
 
    .. function:: setup(...)
 
-      Configure an encrypted MAC key.
+      Configure an encrypted MAC key for creating a new PSKC file.
 
       :param str algorithm: encryption algorithm
-      :param binary key: the encryption key to use
+      :param bytes key: the encryption key to use
 
       None of the arguments are required. By default HMAC-SHA1 will be used
       as a MAC algorithm. If no key is configured a random key will be
       generated with the length of the output of the configured hash.
+
+      This function will automatically be called when the configured
+      encryption algorithm requires a message authentication code.
+
+
+.. _mac-algorithms:
+
+Supported MAC algorithms
+------------------------
+
+The module should support all HMAC algorithms that can be constructed from
+hash algorithms that are available in the standard Python :mod:`hashlib`
+module. At the least the following algorithms should be supported:
+
++-----------------------------------------------------------+--------------------------+
+| URI                                                       | Description              |
++===========================================================+==========================+
+| ``http://www.w3.org/2001/04/xmldsig-more#hmac-md5``       | MD5-based HMAC           |
++-----------------------------------------------------------+--------------------------+
+| ``http://www.w3.org/2000/09/xmldsig#hmac-sha1``           | SHA-1 based HMAC         |
++-----------------------------------------------------------+--------------------------+
+| ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha224``    | SHA-2 family based HMACs |
+| ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha256``    |                          |
+| ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha384``    |                          |
+| ``http://www.w3.org/2001/04/xmldsig-more#hmac-sha512``    |                          |
++-----------------------------------------------------------+--------------------------+
+| ``http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160`` | RIPEMD-160 based HMAC    |
++-----------------------------------------------------------+--------------------------+
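Review bot: the `setup()` parameters still describe `algorithm` as "encryption algorithm" and `key` as "the encryption key to use", but this is the MAC class and the paragraph right below talks about the MAC algorithm and a generated MAC key; both descriptions should say MAC. In the new section, "should support" and "At the least ... should be supported" leave it unclear what is guaranteed. Since the table includes MD5-based HMAC and the default is HMAC-SHA1, a sentence on which algorithm is recommended for new files would be useful.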
diff --git a/docs/policy.rst b/docs/policy.rst
index cad018f..3d1d8f7 100644
--- a/docs/policy.rst
+++ b/docs/policy.rst
@@ -64,7 +64,7 @@ The Policy class
       Describe how the PIN is used during the usage of the key. See
       :ref:`pin-use-constants` below.
 
-   .. attribute:: pin_max_failed_attemtps
+   .. attribute:: pin_max_failed_attempts
 
       The maximum number of times the PIN may be entered wrongly before it
       MUST NOT be possible to use the key any more.
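Review bot: missing compatibility note for the corrected `pin_max_failed_attempts` name. The commit should confirm that the attribute in pskc/policy.py carries the same spelling and say, here or in NEWS, whether the old `pin_max_failed_attemtps` spelling still works for existing callers.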
diff --git a/docs/pskc2csv.rst b/docs/pskc2csv.rst
new file mode 100644
index 0000000..4602121
--- /dev/null
+++ b/docs/pskc2csv.rst
@@ -0,0 +1,65 @@
+:orphan:
+
+pskc2csv
+========
+
+Synopsis
+--------
+
+**pskc2csv** [*options*] <*FILE*>
+
+Description
+-----------
+
+:program:`pskc2csv` reads a PSKC file, optionally decrypts any encrypted key
+material and outputs a CSV file with information from the PSKC file.
+
+Options
+-------
+
+.. program:: pskc2csv
+
+.. option:: -h, --help
+
+   Display usage summary.
+
+.. option:: -V, --version
+
+   Display version information.
+
+.. option:: -o FILE, --output FILE
+
+   By default :program:`pskc2csv` writes a CSV file to stdout. This option
+   can be used to save the CSV to a file instead.
+
+.. option:: -c COL:LABEL,COL,.., --columns COL:LABEL,COL,..
+
+   Specify the columns that should be written to the CSV file. Any
+   property of :class:`~pskc.key.Key` instances can be used as well
+   as :class:`~pskc.policy.Policy` properties via ``policy``.
+
+   For example: ``serial``, ``secret``, ``counter``, ``time_offset``,
+   ``time_interval``, ``interval``, ``time_drift``, ``issuer``,
+   ``manufacturer``, ``response_length``, ``policy.pin_min_length``.
+
+   By default ``serial,secret,algorithm,response_length,time_interval`` is
+   used.
+
+   The column can be followed by an optional label to use in the CSV file in
+   place of the column specification.
+
+.. option:: -p PASS/FILE, --password PASS/FILE, --passwd PASS/FILE
+
+   The password to use for decryption. If the argument refers to a file the
+   password is read from the file instead.
+
+.. option:: -s KEY/FILE, --secret KEY/FILE
+
+   A hex encoded encryption key or a file containing the binary (raw data,
+   not encoded) key.
+
+.. option:: -e ENCODING, --secret-encoding ENCODING
+
+   Specify the encoding to use for writing key material to the CSV file. By
+   default HEX encoding is used. Valid encodings are: ``base32``, ``base64``
+   or ``hex``.
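Review bot: the `-p PASS/FILE` and `-s KEY/FILE` descriptions leave the file-or-value decision implicit: going by "If the argument refers to a file the password is read from the file instead", a password that happens to match an existing file name would be read as a path, and a value typed on the command line is visible in the process list and shell history. Please document the precedence rule and recommend the file form for real secrets. The `--columns` text should also point out that the default column set includes ``secret``, so decrypted key material is written to stdout unless `-o` is given.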
diff --git a/docs/signatures.rst b/docs/signatures.rst
new file mode 100644
index 0000000..f5adc78
--- /dev/null
+++ b/docs/signatures.rst
@@ -0,0 +1,114 @@
+XML Signature checking
+======================
+
+.. module:: pskc.signature
+
+PSKC files can contain embedded XML signatures that allow integrity and
+authenticity checks of the transmitted information. This signature typically
+covers the whole PSKC file while MAC checking only covers the encrypted
+parts.
+
+   >>> pskc = PSKC('somefile.pskcxml')
+   >>> pskc.signature.verify()
+   >>> pskc = pskc.signature.signed_pskc
+
+When using XML signatures it is important to use the
+:attr:`~pskc.signature.Signature.signed_pskc` attribute after verification
+because that :class:`~pskc.PSKC` instance will only contain the signed
+information.
+
+
+To create a signed PSKC file build up a :class:`~pskc.PSKC` instance as
+usual, configure the signature and save it:
+
+   >>> pskc.signature.sign(key, certificate)
+   >>> pskc.write('output.pskcxml')
+
+
+The Signature class
+--------------------
+
+.. class:: Signature
+
+   .. attribute:: is_signed
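Review bot: in the visible part of this file, the first example calls `pskc.signature.verify()` with no arguments and ignores any result, and the text never says what the signature is verified against (an embedded certificate, a caller-supplied certificate or a CA) or how a failure is reported (exception or return value). Both should be stated before the example, since a signature checked only against a certificate carried in the same file shows integrity but not who signed it. The guidance on `signed_pskc` is the important part; consider moving it above the example so it is read first.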
... 6700 lines suppressed ...

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-pskc.git


