diff options
author | Rob Austein <sra@hactrn.net> | 2022-01-04 09:12:47 -0500 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2022-01-04 09:12:47 -0500 |
commit | 6f0d8236b8622a68f42284ed1314d8acd86c89ed (patch) | |
tree | 1e0605d51d81fb87518eae0339576382e00fce0f /cryptech_backup | |
parent | f8c3655b7af461555b89f7394c396b7ed7a267ee (diff) |
PyCrypto is no longer present in Debian Bullseye and is abandonware in
anycase. PyCryptodome is about 98% of a drop-in replacement (but that
last 2% can be tricky), so convert the most critical stuff to use
PyCryptodome.
A bunch of the test scripts and so forth still need to be converted,
for today the goals are just to have the package install properly and
to be able to run the unit tests.
Diffstat (limited to 'cryptech_backup')
-rwxr-xr-x | cryptech_backup | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/cryptech_backup b/cryptech_backup index a15c9c0..99d2c38 100755 --- a/cryptech_backup +++ b/cryptech_backup @@ -21,7 +21,7 @@ We also implement a software-based variant on this backup mechanism, for cases where there is no second HSM. The protocol is much the same, but the KEKEK is generated in software and encrypted using a symmetric key derived from a passphrase using PBKDF2. This requires -the PyCrypto library, and is only as secure as memory on the machine +the PyCryptodome library, and is only as secure as memory on the machine where you're running it (so it's theoretically vulnerable to root or anybody with access to /dev/mem). Don't use this mode unless you understand the risks, and see the "NOTE WELL" above. @@ -305,7 +305,7 @@ class AESKeyWrapWithPadding(object): "Something went wrong during unwrap." def __init__(self, key): - from Crypto.Cipher import AES + from Cryptodome.Cipher import AES self.ctx = AES.new(key, AES.MODE_ECB) def _encrypt(self, b1, b2): @@ -391,7 +391,7 @@ class SoftKEKEK(object): time.clock = time.process_time def parse_EncryptedPrivateKeyInfo(self, der): - from Crypto.Util.asn1 import DerObject, DerSequence, DerOctetString, DerObjectId + from Cryptodome.Util.asn1 import DerObject, DerSequence, DerOctetString, DerObjectId encryptedPrivateKeyInfo = DerSequence() encryptedPrivateKeyInfo.decode(der) encryptionAlgorithm = DerSequence() @@ -405,7 +405,7 @@ class SoftKEKEK(object): return encryptedData.payload def encode_EncryptedPrivateKeyInfo(self, der): - from Crypto.Util.asn1 import DerSequence, DerOctetString + from Cryptodome.Util.asn1 import DerSequence, DerOctetString return DerSequence([ DerSequence([ struct.pack("BB", 0x06, len(self.oid_aesKeyWrap)) + self.oid_aesKeyWrap @@ -414,12 +414,12 @@ class SoftKEKEK(object): ]).encode() def gen_salt(self, bytes = 16): - from Crypto import Random + from Cryptodome import Random return Random.new().read(bytes) def wrapper(self, salt, keylen = 256, iterations = 8000): - from Crypto.Protocol.KDF import PBKDF2 - from Crypto.Hash import SHA256, HMAC + from Cryptodome.Protocol.KDF import PBKDF2 + from Cryptodome.Hash import SHA256, HMAC return AESKeyWrapWithPadding(PBKDF2( password = getpass.getpass("KEKEK Passphrase: "), salt = salt, @@ -433,7 +433,7 @@ class SoftKEKEK(object): @classmethod def generate(cls, args, result): - from Crypto.PublicKey import RSA + from Cryptodome.PublicKey import RSA self = cls() k = RSA.generate(args.keylen) salt = self.gen_salt() |