Augment references of pkcs1 with oaep
Strictly speaking, the scheme in use is RSAES-OAEP, part of the PKCS#1 standard. "PKCS#1" alone is not enough information to tell someone which encryption scheme is in use. Refer to the scheme Zuul uses as "PKCS#1-OAEP" or "pkcs1-oaep" to clarify. Change-Id: I74dcde6fa3756354ce65233c64c6189d1b241e90
parent
bf1a4f2192
commit
717e8e928d
|
@ -27,7 +27,7 @@ def main():
|
||||||
private_key, public_key = \
|
private_key, public_key = \
|
||||||
encryption.deserialize_rsa_keypair(f.read())
|
encryption.deserialize_rsa_keypair(f.read())
|
||||||
|
|
||||||
ciphertext = encryption.encrypt_pkcs1(sys.argv[1], public_key)
|
ciphertext = encryption.encrypt_pkcs1_oaep(sys.argv[1], public_key)
|
||||||
print(ciphertext.encode('base64'))
|
print(ciphertext.encode('base64'))
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
|
|
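Review bot: The renamed call still takes the value to encrypt from `sys.argv[1]`, so the plaintext secret is visible in the process list and in the shell history of the machine running the tool. Reading it from stdin, e.g. `plaintext = sys.stdin.read()`, or from a file path given on the command line would keep it out of both. `main()` starts above the hunk, so any argument handling before this line is not visible here.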
@ -38,7 +38,7 @@
|
||||||
name: test_secret
|
name: test_secret
|
||||||
data:
|
data:
|
||||||
username: test-username
|
username: test-username
|
||||||
password: !encrypted/pkcs1 |
|
password: !encrypted/pkcs1-oaep |
|
||||||
BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi1wGZZ
|
BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi1wGZZ
|
||||||
L0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4joeusC9drN3AA8a4o
|
L0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4joeusC9drN3AA8a4o
|
||||||
ykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CRgd0QBMPl6VDoFgBPB8vxtJw+
|
ykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CRgd0QBMPl6VDoFgBPB8vxtJw+
|
||||||
|
|
|
@ -39,14 +39,14 @@ class TestEncryption(BaseTestCase):
|
||||||
self.assertEqual(self.public.public_numbers(),
|
self.assertEqual(self.public.public_numbers(),
|
||||||
public2.public_numbers())
|
public2.public_numbers())
|
||||||
|
|
||||||
def test_pkcs1(self):
|
def test_pkcs1_oaep(self):
|
||||||
"Verify encryption and decryption"
|
"Verify encryption and decryption"
|
||||||
orig_plaintext = "some text to encrypt"
|
orig_plaintext = "some text to encrypt"
|
||||||
ciphertext = encryption.encrypt_pkcs1(orig_plaintext, self.public)
|
ciphertext = encryption.encrypt_pkcs1_oaep(orig_plaintext, self.public)
|
||||||
plaintext = encryption.decrypt_pkcs1(ciphertext, self.private)
|
plaintext = encryption.decrypt_pkcs1_oaep(ciphertext, self.private)
|
||||||
self.assertEqual(orig_plaintext, plaintext)
|
self.assertEqual(orig_plaintext, plaintext)
|
||||||
|
|
||||||
def test_openssl_pkcs1(self):
|
def test_openssl_pkcs1_oaep(self):
|
||||||
"Verify that we can decrypt something encrypted with OpenSSL"
|
"Verify that we can decrypt something encrypted with OpenSSL"
|
||||||
orig_plaintext = "some text to encrypt"
|
orig_plaintext = "some text to encrypt"
|
||||||
pem_public = encryption.serialize_rsa_public_key(self.public)
|
pem_public = encryption.serialize_rsa_public_key(self.public)
|
||||||
|
@ -65,5 +65,5 @@ class TestEncryption(BaseTestCase):
|
||||||
finally:
|
finally:
|
||||||
os.unlink(public_file.name)
|
os.unlink(public_file.name)
|
||||||
|
|
||||||
plaintext = encryption.decrypt_pkcs1(ciphertext, self.private)
|
plaintext = encryption.decrypt_pkcs1_oaep(ciphertext, self.private)
|
||||||
self.assertEqual(orig_plaintext, plaintext)
|
self.assertEqual(orig_plaintext, plaintext)
|
||||||
|
|
|
@ -313,7 +313,7 @@ class TestJob(BaseTestCase):
|
||||||
name: pypi-credentials
|
name: pypi-credentials
|
||||||
data:
|
data:
|
||||||
username: test-username
|
username: test-username
|
||||||
password: !encrypted/pkcs1 |
|
password: !encrypted/pkcs1-oaep |
|
||||||
BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi1wGZZ
|
BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi1wGZZ
|
||||||
L0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4joeusC9drN3AA8a4o
|
L0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4joeusC9drN3AA8a4o
|
||||||
ykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CRgd0QBMPl6VDoFgBPB8vxtJw+
|
ykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CRgd0QBMPl6VDoFgBPB8vxtJw+
|
||||||
|
|
|
@ -123,8 +123,8 @@ repo {repo} on branch {branch}. The error was:
|
||||||
loader.dispose()
|
loader.dispose()
|
||||||
|
|
||||||
|
|
||||||
class EncryptedPKCS1(yaml.YAMLObject):
|
class EncryptedPKCS1_OAEP(yaml.YAMLObject):
|
||||||
yaml_tag = u'!encrypted/pkcs1'
|
yaml_tag = u'!encrypted/pkcs1-oaep'
|
||||||
yaml_loader = yaml.SafeLoader
|
yaml_loader = yaml.SafeLoader
|
||||||
|
|
||||||
def __init__(self, ciphertext):
|
def __init__(self, ciphertext):
|
||||||
|
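Review bot: `yaml_tag = u'!encrypted/pkcs1-oaep'` replaces the old `!encrypted/pkcs1` tag with no alias, so existing configuration that still carries the old tag will presumably fail to load under `yaml.SafeLoader` instead of being decrypted. If that break is intended it deserves a sentence in the commit message or a release note; otherwise a second `YAMLObject` subclass keeping the old tag for a deprecation period would preserve compatibility. As a point of style, `EncryptedPKCS1_OAEP` mixes CapWords with an underscore; `EncryptedPKCS1OAEP` would follow PEP 8, and the `isinstance` check and `decrypt` rename in the following hunks would change with it.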
@ -134,7 +134,7 @@ class EncryptedPKCS1(yaml.YAMLObject):
|
||||||
return not self.__eq__(other)
|
return not self.__eq__(other)
|
||||||
|
|
||||||
def __eq__(self, other):
|
def __eq__(self, other):
|
||||||
if not isinstance(other, EncryptedPKCS1):
|
if not isinstance(other, EncryptedPKCS1_OAEP):
|
||||||
return False
|
return False
|
||||||
return (self.ciphertext == other.ciphertext)
|
return (self.ciphertext == other.ciphertext)
|
||||||
|
|
||||||
|
@ -143,7 +143,7 @@ class EncryptedPKCS1(yaml.YAMLObject):
|
||||||
return cls(node.value)
|
return cls(node.value)
|
||||||
|
|
||||||
def decrypt(self, private_key):
|
def decrypt(self, private_key):
|
||||||
return encryption.decrypt_pkcs1(self.ciphertext, private_key)
|
return encryption.decrypt_pkcs1_oaep(self.ciphertext, private_key)
|
||||||
|
|
||||||
|
|
||||||
class NodeSetParser(object):
|
class NodeSetParser(object):
|
||||||
|
@ -175,7 +175,7 @@ class NodeSetParser(object):
|
||||||
class SecretParser(object):
|
class SecretParser(object):
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def getSchema():
|
def getSchema():
|
||||||
data = {str: vs.Any(str, EncryptedPKCS1)}
|
data = {str: vs.Any(str, EncryptedPKCS1_OAEP)}
|
||||||
|
|
||||||
secret = {vs.Required('name'): str,
|
secret = {vs.Required('name'): str,
|
||||||
vs.Required('data'): data,
|
vs.Required('data'): data,
|
||||||
|
|
|
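Review bot: The changed schema line `data = {str: vs.Any(str, EncryptedPKCS1_OAEP)}` still admits a bare `str` beside the encrypted type, so plaintext secret values pass validation; if that is deliberate, a comment such as `# values may be plain strings or !encrypted/pkcs1-oaep objects` on that line would make the intent clear to the next reader. `getSchema` continues past the hunk.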
@ -95,10 +95,10 @@ def deserialize_rsa_keypair(data):
|
||||||
|
|
||||||
|
|
||||||
# https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#decryption
|
# https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#decryption
|
||||||
def decrypt_pkcs1(ciphertext, private_key):
|
def decrypt_pkcs1_oaep(ciphertext, private_key):
|
||||||
"""Decrypt PKCS1 (RSAES-OAEP) encoded ciphertext
|
"""Decrypt PKCS#1 (RSAES-OAEP) encoded ciphertext
|
||||||
|
|
||||||
:arg ciphertext: A string previously encrypted with PKCS1
|
:arg ciphertext: A string previously encrypted with PKCS#1
|
||||||
(RSAES-OAEP).
|
(RSAES-OAEP).
|
||||||
:arg private_key: A private key object as returned by
|
:arg private_key: A private key object as returned by
|
||||||
:func:generate_rsa_keypair()
|
:func:generate_rsa_keypair()
|
||||||
|
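Review bot: The reworded docstring of `decrypt_pkcs1_oaep` still does not say which OAEP parameters (hash, MGF1 hash, label) the function expects, and since `test_openssl_pkcs1_oaep` requires ciphertext produced by OpenSSL to decrypt, anyone producing ciphertext outside Zuul needs those to match; a line in the docstring naming them would close that gap, and the same applies to `encrypt_pkcs1_oaep` in the next hunk. The function body, which fixes the parameters, is outside the hunk. Renaming `decrypt_pkcs1` without keeping the old name as an alias will also break any out-of-tree caller, which is worth a mention in the commit message if accepted.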
@ -117,10 +117,10 @@ def decrypt_pkcs1(ciphertext, private_key):
|
||||||
|
|
||||||
|
|
||||||
# https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#encryption
|
# https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#encryption
|
||||||
def encrypt_pkcs1(plaintext, public_key):
|
def encrypt_pkcs1_oaep(plaintext, public_key):
|
||||||
"""Encrypt data with PKCS1 (RSAES-OAEP)
|
"""Encrypt data with PKCS#1 (RSAES-OAEP)
|
||||||
|
|
||||||
:arg plaintext: A string to encrypt with PKCS1 (RSAES-OAEP).
|
:arg plaintext: A string to encrypt with PKCS#1 (RSAES-OAEP).
|
||||||
|
|
||||||
:arg public_key: A public key object as returned by
|
:arg public_key: A public key object as returned by
|
||||||
:func:generate_rsa_keypair()
|
:func:generate_rsa_keypair()
|
||||||
|
|
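Review bot: `:arg plaintext: A string to encrypt with PKCS#1 (RSAES-OAEP).` gives no hint that RSAES-OAEP only encrypts a message shorter than the key modulus minus the padding overhead, so a caller passing a long value will presumably get an error from the underlying library rather than a ciphertext. A sentence such as `Only short values fit in a single RSA/OAEP block; the maximum length depends on the key size and the OAEP hash.` would set expectations. The function body, which determines the exact limit, is outside the hunk.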