authorRob Austein <sra@hactrn.net>2022-01-04 09:12:47 -0500
committerRob Austein <sra@hactrn.net>2022-01-04 09:12:47 -0500
commit6f0d8236b8622a68f42284ed1314d8acd86c89ed (patch)
tree1e0605d51d81fb87518eae0339576382e00fce0f /cryptech_backup
parentf8c3655b7af461555b89f7394c396b7ed7a267ee (diff)
Replace old PyCrypto with PyCryptodomeHEADmaster
PyCrypto is no longer present in Debian Bullseye and is abandonware in any case. PyCryptodome is about 98% of a drop-in replacement (but that last 2% can be tricky), so convert the most critical stuff to use PyCryptodome. A bunch of the test scripts and so forth still need to be converted; for today the goals are just to have the package install properly and to be able to run the unit tests.
Diffstat (limited to 'cryptech_backup')
-rwxr-xr-xcryptech_backup16
1 files changed, 8 insertions, 8 deletions
diff --git a/cryptech_backup b/cryptech_backup
index a15c9c0..99d2c38 100755
--- a/cryptech_backup
+++ b/cryptech_backup
@@ -21,7 +21,7 @@ We also implement a software-based variant on this backup mechanism,
for cases where there is no second HSM. The protocol is much the
same, but the KEKEK is generated in software and encrypted using a
symmetric key derived from a passphrase using PBKDF2. This requires
-the PyCrypto library, and is only as secure as memory on the machine
+the PyCryptodome library, and is only as secure as memory on the machine
where you're running it (so it's theoretically vulnerable to root or
anybody with access to /dev/mem). Don't use this mode unless you
understand the risks, and see the "NOTE WELL" above.
@@ -305,7 +305,7 @@ class AESKeyWrapWithPadding(object):
"Something went wrong during unwrap."
def __init__(self, key):
- from Crypto.Cipher import AES
+ from Cryptodome.Cipher import AES
self.ctx = AES.new(key, AES.MODE_ECB)
def _encrypt(self, b1, b2):
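Review bot: The new import in `AESKeyWrapWithPadding.__init__` uses the `Cryptodome` namespace, which on PyPI is shipped by the `pycryptodomex` distribution, whereas `pycryptodome` installs under `Crypto`. The docstring and commit message say only "PyCryptodome", so someone installing with pip can pick the wrong distribution and hit an ImportError, or keep importing a stale PyCrypto under `Crypto` elsewhere. I would add a comment such as `# Requires the Cryptodome namespace (PyPI: pycryptodomex; Debian: python3-pycryptodome)` and name the exact distribution in the packaging metadata, which is not visible here. The same applies to the imports in the later hunks (`Cryptodome.Util.asn1`, `Cryptodome.Random`, `Cryptodome.Protocol.KDF`, `Cryptodome.Hash`, `Cryptodome.PublicKey`). The class body starts and continues outside this hunk.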
@@ -391,7 +391,7 @@ class SoftKEKEK(object):
time.clock = time.process_time
def parse_EncryptedPrivateKeyInfo(self, der):
- from Crypto.Util.asn1 import DerObject, DerSequence, DerOctetString, DerObjectId
+ from Cryptodome.Util.asn1 import DerObject, DerSequence, DerOctetString, DerObjectId
encryptedPrivateKeyInfo = DerSequence()
encryptedPrivateKeyInfo.decode(der)
encryptionAlgorithm = DerSequence()
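Review bot: The context line `time.clock = time.process_time` just above `parse_EncryptedPrivateKeyInfo` looks like a compatibility shim for PyCrypto, which still called `time.clock()` after Python 3.8 removed it. If that is its only purpose it should be dropped along with the PyCrypto imports, because it patches the global `time` module for everything else in the process. The block it belongs to starts outside the hunk, so confirm nothing else depends on it before removing it.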
@@ -405,7 +405,7 @@ class SoftKEKEK(object):
return encryptedData.payload
def encode_EncryptedPrivateKeyInfo(self, der):
- from Crypto.Util.asn1 import DerSequence, DerOctetString
+ from Cryptodome.Util.asn1 import DerSequence, DerOctetString
return DerSequence([
DerSequence([
struct.pack("BB", 0x06, len(self.oid_aesKeyWrap)) + self.oid_aesKeyWrap
@@ -414,12 +414,12 @@ class SoftKEKEK(object):
]).encode()
def gen_salt(self, bytes = 16):
- from Crypto import Random
+ from Cryptodome import Random
return Random.new().read(bytes)
def wrapper(self, salt, keylen = 256, iterations = 8000):
- from Crypto.Protocol.KDF import PBKDF2
- from Crypto.Hash import SHA256, HMAC
+ from Cryptodome.Protocol.KDF import PBKDF2
+ from Cryptodome.Hash import SHA256, HMAC
return AESKeyWrapWithPadding(PBKDF2(
password = getpass.getpass("KEKEK Passphrase: "),
salt = salt,
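Review bot: `wrapper` still defaults to `iterations = 8000` for the PBKDF2 derivation that protects the software KEKEK, which is far below current guidance for PBKDF2-HMAC-SHA256 (hundreds of thousands of iterations). Since this commit already touches the KDF imports, it is a good moment to raise the default for newly generated backups, e.g. `def wrapper(self, salt, keylen = 256, iterations = 600000):`. Existing backups must still be unwrapped with the count they were created with. The hunk does not show whether that count is stored in the backup file, so check that before changing the default. The rest of the `PBKDF2(...)` call lies outside the hunk.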
@@ -433,7 +433,7 @@ class SoftKEKEK(object):
@classmethod
def generate(cls, args, result):
- from Crypto.PublicKey import RSA
+ from Cryptodome.PublicKey import RSA
self = cls()
k = RSA.generate(args.keylen)
salt = self.gen_salt()