derivepassphrase.git

src/derivepassphrase/exporter/vault_native.py          1) # SPDX-FileCopyrightText: 2025 Marco Ricci <software@the13thletter.info>

src/derivepassphrase/exporter/vault_v03_and_below.py   2) #

src/derivepassphrase/exporter/vault_native.py          3) # SPDX-License-Identifier: Zlib

src/derivepassphrase/exporter/vault_v03_and_below.py   4) 

src/derivepassphrase/exporter/vault_native.py          5) """Exporter for the vault native configuration format (v0.2 or v0.3).
src/derivepassphrase/exporter/vault_native.py          6) 
src/derivepassphrase/exporter/vault_native.py          7) The vault native formats are the configuration formats used by vault
src/derivepassphrase/exporter/vault_native.py          8) v0.2 and v0.3.  The configuration is stored as a single encrypted file,
src/derivepassphrase/exporter/vault_native.py          9) which is encrypted and authenticated.  v0.2 and v0.3 differ in some
src/derivepassphrase/exporter/vault_native.py         10) details concerning key derivation and expected format of internal
src/derivepassphrase/exporter/vault_native.py         11) structures, so they are *not* compatible.  v0.2 additionally contains
src/derivepassphrase/exporter/vault_native.py         12) cryptographic weaknesses (API misuse of a key derivation function, and
src/derivepassphrase/exporter/vault_native.py         13) a low-entropy method of generating initialization vectors for CBC block
src/derivepassphrase/exporter/vault_native.py         14) encryption mode) and should thus be avoided if possible.
src/derivepassphrase/exporter/vault_native.py         15) 

src/derivepassphrase/exporter/vault_native.py         16) The public interface is the [`export_vault_native_data`][] function.
src/derivepassphrase/exporter/vault_native.py         17) Multiple *non-public* classes are additionally documented here for
src/derivepassphrase/exporter/vault_native.py         18) didactical and educational reasons, but they are not part of the module
src/derivepassphrase/exporter/vault_native.py         19) API, are subject to change without notice (including removal), and
src/derivepassphrase/exporter/vault_native.py         20) should *not* be used or relied on.

src/derivepassphrase/exporter/vault_native.py         21) 
src/derivepassphrase/exporter/vault_native.py         22) """

src/derivepassphrase/exporter/vault_v03_and_below.py  23) 

src/derivepassphrase/exporter/vault_native.py         24) # ruff: noqa: S303
src/derivepassphrase/exporter/vault_native.py         25) 

src/derivepassphrase/exporter/vault_v03_and_below.py  26) from __future__ import annotations
src/derivepassphrase/exporter/vault_v03_and_below.py  27) 
src/derivepassphrase/exporter/vault_v03_and_below.py  28) import abc
src/derivepassphrase/exporter/vault_v03_and_below.py  29) import base64

src/derivepassphrase/exporter/vault_native.py         30) import importlib

src/derivepassphrase/exporter/vault_v03_and_below.py  31) import json
src/derivepassphrase/exporter/vault_v03_and_below.py  32) import logging

src/derivepassphrase/exporter/vault_native.py         33) import os

src/derivepassphrase/exporter/vault_v03_and_below.py  34) import warnings

src/derivepassphrase/exporter/vault_v03_and_below.py  35) from typing import TYPE_CHECKING
src/derivepassphrase/exporter/vault_v03_and_below.py  36) 

src/derivepassphrase/exporter/vault_native.py         37) from derivepassphrase import _cli_msg as _msg

src/derivepassphrase/exporter/vault_v03_and_below.py  38) from derivepassphrase import exporter, vault
src/derivepassphrase/exporter/vault_v03_and_below.py  39) 
src/derivepassphrase/exporter/vault_v03_and_below.py  40) if TYPE_CHECKING:
src/derivepassphrase/exporter/vault_v03_and_below.py  41)     from typing import Any
src/derivepassphrase/exporter/vault_v03_and_below.py  42) 
src/derivepassphrase/exporter/vault_v03_and_below.py  43)     from typing_extensions import Buffer

src/derivepassphrase/exporter/vault_v03_and_below.py  44) 
src/derivepassphrase/exporter/vault_v03_and_below.py  45) if TYPE_CHECKING:
src/derivepassphrase/exporter/vault_v03_and_below.py  46)     from cryptography import exceptions as crypt_exceptions
src/derivepassphrase/exporter/vault_v03_and_below.py  47)     from cryptography import utils as crypt_utils
src/derivepassphrase/exporter/vault_v03_and_below.py  48)     from cryptography.hazmat.primitives import ciphers, hashes, hmac, padding
src/derivepassphrase/exporter/vault_v03_and_below.py  49)     from cryptography.hazmat.primitives.ciphers import algorithms, modes
src/derivepassphrase/exporter/vault_v03_and_below.py  50)     from cryptography.hazmat.primitives.kdf import pbkdf2
src/derivepassphrase/exporter/vault_v03_and_below.py  51) else:
src/derivepassphrase/exporter/vault_v03_and_below.py  52)     try:

src/derivepassphrase/exporter/vault_native.py         53)         importlib.import_module('cryptography')

src/derivepassphrase/exporter/vault_v03_and_below.py  54)     except ModuleNotFoundError as exc:
src/derivepassphrase/exporter/vault_v03_and_below.py  55) 

src/derivepassphrase/exporter/vault_v03_and_below.py  56)         class _DummyModule:  # pragma: no cover

src/derivepassphrase/exporter/vault_v03_and_below.py  57)             def __init__(self, exc: type[Exception]) -> None:
src/derivepassphrase/exporter/vault_v03_and_below.py  58)                 self.exc = exc
src/derivepassphrase/exporter/vault_v03_and_below.py  59) 

src/derivepassphrase/exporter/vault_v03_and_below.py  60)             def __getattr__(self, name: str) -> Any:  # noqa: ANN401
src/derivepassphrase/exporter/vault_v03_and_below.py  61)                 def func(*args: Any, **kwargs: Any) -> Any:  # noqa: ANN401,ARG001

src/derivepassphrase/exporter/vault_v03_and_below.py  62)                     raise self.exc
src/derivepassphrase/exporter/vault_v03_and_below.py  63) 
src/derivepassphrase/exporter/vault_v03_and_below.py  64)                 return func
src/derivepassphrase/exporter/vault_v03_and_below.py  65) 

src/derivepassphrase/exporter/vault_v03_and_below.py  66)         crypt_exceptions = crypt_utils = _DummyModule(exc)
src/derivepassphrase/exporter/vault_v03_and_below.py  67)         ciphers = hashes = hmac = padding = _DummyModule(exc)
src/derivepassphrase/exporter/vault_v03_and_below.py  68)         algorithms = modes = pbkdf2 = _DummyModule(exc)

src/derivepassphrase/exporter/vault_v03_and_below.py  69)         STUBBED = True
src/derivepassphrase/exporter/vault_v03_and_below.py  70)     else:

src/derivepassphrase/exporter/vault_native.py         71)         from cryptography import exceptions as crypt_exceptions
src/derivepassphrase/exporter/vault_native.py         72)         from cryptography import utils as crypt_utils
src/derivepassphrase/exporter/vault_native.py         73)         from cryptography.hazmat.primitives import (
src/derivepassphrase/exporter/vault_native.py         74)             ciphers,
src/derivepassphrase/exporter/vault_native.py         75)             hashes,
src/derivepassphrase/exporter/vault_native.py         76)             hmac,
src/derivepassphrase/exporter/vault_native.py         77)             padding,
src/derivepassphrase/exporter/vault_native.py         78)         )
src/derivepassphrase/exporter/vault_native.py         79)         from cryptography.hazmat.primitives.ciphers import algorithms, modes
src/derivepassphrase/exporter/vault_native.py         80)         from cryptography.hazmat.primitives.kdf import pbkdf2
src/derivepassphrase/exporter/vault_native.py         81) 

src/derivepassphrase/exporter/vault_v03_and_below.py  82)         STUBBED = False

src/derivepassphrase/exporter/vault_v03_and_below.py  83) 

src/derivepassphrase/exporter/vault_native.py         84) __all__ = ('export_vault_native_data',)
src/derivepassphrase/exporter/vault_native.py         85) 

src/derivepassphrase/exporter/vault_v03_and_below.py  86) logger = logging.getLogger(__name__)
src/derivepassphrase/exporter/vault_v03_and_below.py  87) 
src/derivepassphrase/exporter/vault_v03_and_below.py  88) 

src/derivepassphrase/exporter/vault_native.py         89) @exporter.register_export_vault_config_data_handler('v0.2', 'v0.3')
src/derivepassphrase/exporter/vault_native.py         90) def export_vault_native_data(  # noqa: D417
src/derivepassphrase/exporter/vault_native.py         91)     path: str | bytes | os.PathLike | None = None,
src/derivepassphrase/exporter/vault_native.py         92)     key: str | Buffer | None = None,
src/derivepassphrase/exporter/vault_native.py         93)     *,
src/derivepassphrase/exporter/vault_native.py         94)     format: str,  # noqa: A002
src/derivepassphrase/exporter/vault_native.py         95) ) -> Any:  # noqa: ANN401
src/derivepassphrase/exporter/vault_native.py         96)     """Export the full configuration stored in vault native format.
src/derivepassphrase/exporter/vault_native.py         97) 
src/derivepassphrase/exporter/vault_native.py         98)     See [`exporter.ExportVaultConfigDataFunction`][] for an explanation
src/derivepassphrase/exporter/vault_native.py         99)     of the call signature, and the exceptions to expect.
src/derivepassphrase/exporter/vault_native.py        100) 
src/derivepassphrase/exporter/vault_native.py        101)     Other Args:
src/derivepassphrase/exporter/vault_native.py        102)         format:
src/derivepassphrase/exporter/vault_native.py        103)             The only supported formats are `v0.2` and `v0.3`.
src/derivepassphrase/exporter/vault_native.py        104) 
src/derivepassphrase/exporter/vault_native.py        105)     """  # noqa: DOC201,DOC501
src/derivepassphrase/exporter/vault_native.py        106)     # Trigger import errors if necessary.
src/derivepassphrase/exporter/vault_native.py        107)     importlib.import_module('cryptography')
src/derivepassphrase/exporter/vault_native.py        108)     if path is None:
src/derivepassphrase/exporter/vault_native.py        109)         path = exporter.get_vault_path()
src/derivepassphrase/exporter/vault_native.py        110)     with open(path, 'rb') as infile:
src/derivepassphrase/exporter/vault_native.py        111)         contents = base64.standard_b64decode(infile.read())
src/derivepassphrase/exporter/vault_native.py        112)     if key is None:
src/derivepassphrase/exporter/vault_native.py        113)         key = exporter.get_vault_key()
src/derivepassphrase/exporter/vault_native.py        114)     parser_class: type[VaultNativeConfigParser] | None = {
src/derivepassphrase/exporter/vault_native.py        115)         'v0.2': VaultNativeV02ConfigParser,
src/derivepassphrase/exporter/vault_native.py        116)         'v0.3': VaultNativeV03ConfigParser,
src/derivepassphrase/exporter/vault_native.py        117)     }.get(format)
src/derivepassphrase/exporter/vault_native.py        118)     if parser_class is None:  # pragma: no cover
src/derivepassphrase/exporter/vault_native.py        119)         msg = exporter.INVALID_VAULT_NATIVE_CONFIGURATION_FORMAT.format(
src/derivepassphrase/exporter/vault_native.py        120)             fmt=format
src/derivepassphrase/exporter/vault_native.py        121)         )
src/derivepassphrase/exporter/vault_native.py        122)         raise ValueError(msg)
src/derivepassphrase/exporter/vault_native.py        123)     try:
src/derivepassphrase/exporter/vault_native.py        124)         return parser_class(contents, key)()
src/derivepassphrase/exporter/vault_native.py        125)     except ValueError as exc:
src/derivepassphrase/exporter/vault_native.py        126)         raise exporter.NotAVaultConfigError(
src/derivepassphrase/exporter/vault_native.py        127)             os.fsdecode(path),
src/derivepassphrase/exporter/vault_native.py        128)             format=format,
src/derivepassphrase/exporter/vault_native.py        129)         ) from exc
src/derivepassphrase/exporter/vault_native.py        130) 
src/derivepassphrase/exporter/vault_native.py        131) 

src/derivepassphrase/exporter/vault_native.py        132) def _h(bs: Buffer) -> str:
src/derivepassphrase/exporter/vault_native.py        133)     return '<{}>'.format(memoryview(bs).hex(' '))

src/derivepassphrase/exporter/vault_v03_and_below.py 134) 
src/derivepassphrase/exporter/vault_v03_and_below.py 135) 

src/derivepassphrase/exporter/vault_v03_and_below.py 136) class VaultNativeConfigParser(abc.ABC):

src/derivepassphrase/exporter/vault_v03_and_below.py 137)     """A base parser for vault's native configuration format.
src/derivepassphrase/exporter/vault_v03_and_below.py 138) 
src/derivepassphrase/exporter/vault_v03_and_below.py 139)     Certain details are specific to the respective vault versions, and
src/derivepassphrase/exporter/vault_v03_and_below.py 140)     are abstracted out.  This class by itself is not instantiable
src/derivepassphrase/exporter/vault_v03_and_below.py 141)     because of this.
src/derivepassphrase/exporter/vault_v03_and_below.py 142) 
src/derivepassphrase/exporter/vault_v03_and_below.py 143)     """
src/derivepassphrase/exporter/vault_v03_and_below.py 144) 

src/derivepassphrase/exporter/vault_v03_and_below.py 145)     def __init__(self, contents: Buffer, password: str | Buffer) -> None:

src/derivepassphrase/exporter/vault_v03_and_below.py 146)         """Initialize the parser.
src/derivepassphrase/exporter/vault_v03_and_below.py 147) 
src/derivepassphrase/exporter/vault_v03_and_below.py 148)         Args:
src/derivepassphrase/exporter/vault_v03_and_below.py 149)             contents:
src/derivepassphrase/exporter/vault_v03_and_below.py 150)                 The binary contents of the encrypted configuration file.
src/derivepassphrase/exporter/vault_v03_and_below.py 151) 
src/derivepassphrase/exporter/vault_v03_and_below.py 152)                 Note: On disk, these are usually stored in
src/derivepassphrase/exporter/vault_v03_and_below.py 153)                 base64-encoded form, not in the "raw" form as needed
src/derivepassphrase/exporter/vault_v03_and_below.py 154)                 here.
src/derivepassphrase/exporter/vault_v03_and_below.py 155) 
src/derivepassphrase/exporter/vault_v03_and_below.py 156)             password:
src/derivepassphrase/exporter/vault_v03_and_below.py 157)                 The vault master key/master passphrase the file is
src/derivepassphrase/exporter/vault_v03_and_below.py 158)                 encrypted with.  Must be non-empty.  See

src/derivepassphrase/exporter/vault_native.py        159)                 [`exporter.get_vault_key`][] for details.

src/derivepassphrase/exporter/vault_v03_and_below.py 160) 
src/derivepassphrase/exporter/vault_v03_and_below.py 161)                 If this is a text string, then the UTF-8 encoding of the
src/derivepassphrase/exporter/vault_v03_and_below.py 162)                 string is used as the binary password.
src/derivepassphrase/exporter/vault_v03_and_below.py 163) 

src/derivepassphrase/exporter/vault_native.py        164)         Raises:
src/derivepassphrase/exporter/vault_native.py        165)             ValueError:
src/derivepassphrase/exporter/vault_native.py        166)                 The password must not be empty.
src/derivepassphrase/exporter/vault_native.py        167) 

src/derivepassphrase/exporter/vault_native.py        168)         Warning:
src/derivepassphrase/exporter/vault_native.py        169)             Non-public class, provided for didactical and educational
src/derivepassphrase/exporter/vault_native.py        170)             purposes only. Subject to change without notice, including
src/derivepassphrase/exporter/vault_native.py        171)             removal.
src/derivepassphrase/exporter/vault_native.py        172) 

src/derivepassphrase/exporter/vault_v03_and_below.py 173)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 174)         if not password:

src/derivepassphrase/exporter/vault_v03_and_below.py 175)             msg = 'Password must not be empty'

src/derivepassphrase/exporter/vault_native.py        176)             raise ValueError(msg)

src/derivepassphrase/exporter/vault_v03_and_below.py 177)         self._contents = bytes(contents)

src/derivepassphrase/exporter/vault_v03_and_below.py 178)         self._iv_size = 0
src/derivepassphrase/exporter/vault_v03_and_below.py 179)         self._mac_size = 0
src/derivepassphrase/exporter/vault_v03_and_below.py 180)         self._encryption_key = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 181)         self._encryption_key_size = 0
src/derivepassphrase/exporter/vault_v03_and_below.py 182)         self._signing_key = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 183)         self._signing_key_size = 0
src/derivepassphrase/exporter/vault_v03_and_below.py 184)         self._message = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 185)         self._message_tag = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 186)         self._iv = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 187)         self._payload = b''

src/derivepassphrase/exporter/vault_v03_and_below.py 188)         self._password = password
src/derivepassphrase/exporter/vault_v03_and_below.py 189)         self._sentinel: object = object()
src/derivepassphrase/exporter/vault_v03_and_below.py 190)         self._data: Any = self._sentinel
src/derivepassphrase/exporter/vault_v03_and_below.py 191) 

src/derivepassphrase/exporter/vault_v03_and_below.py 192)     def __call__(self) -> Any:  # noqa: ANN401
src/derivepassphrase/exporter/vault_v03_and_below.py 193)         """Return the decrypted and parsed vault configuration.
src/derivepassphrase/exporter/vault_v03_and_below.py 194) 
src/derivepassphrase/exporter/vault_v03_and_below.py 195)         Raises:
src/derivepassphrase/exporter/vault_v03_and_below.py 196)             cryptography.exceptions.InvalidSignature:
src/derivepassphrase/exporter/vault_v03_and_below.py 197)                 The encrypted configuration does not contain a valid
src/derivepassphrase/exporter/vault_v03_and_below.py 198)                 signature.
src/derivepassphrase/exporter/vault_v03_and_below.py 199)             ValueError:
src/derivepassphrase/exporter/vault_v03_and_below.py 200)                 The format is invalid, in a non-cryptographic way.  (For
src/derivepassphrase/exporter/vault_v03_and_below.py 201)                 example, it contains an unsupported version marker, or
src/derivepassphrase/exporter/vault_v03_and_below.py 202)                 unexpected extra contents, or invalid padding.)
src/derivepassphrase/exporter/vault_v03_and_below.py 203) 
src/derivepassphrase/exporter/vault_v03_and_below.py 204)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 205)         if self._data is self._sentinel:
src/derivepassphrase/exporter/vault_v03_and_below.py 206)             self._parse_contents()
src/derivepassphrase/exporter/vault_v03_and_below.py 207)             self._derive_keys()
src/derivepassphrase/exporter/vault_v03_and_below.py 208)             self._check_signature()
src/derivepassphrase/exporter/vault_v03_and_below.py 209)             self._data = self._decrypt_payload()

src/derivepassphrase/exporter/vault_v03_and_below.py 210)         return self._data
src/derivepassphrase/exporter/vault_v03_and_below.py 211) 
src/derivepassphrase/exporter/vault_v03_and_below.py 212)     @staticmethod

src/derivepassphrase/exporter/vault_v03_and_below.py 213)     def _pbkdf2(

src/derivepassphrase/exporter/vault_v03_and_below.py 214)         password: str | Buffer, key_size: int, iterations: int

src/derivepassphrase/exporter/vault_v03_and_below.py 215)     ) -> bytes:

src/derivepassphrase/exporter/vault_native.py        216)         """Generate a key from a password.
src/derivepassphrase/exporter/vault_native.py        217) 
src/derivepassphrase/exporter/vault_native.py        218)         Uses PBKDF2 with HMAC-SHA1, with the vault UUID as a fixed salt
src/derivepassphrase/exporter/vault_native.py        219)         value.
src/derivepassphrase/exporter/vault_native.py        220) 
src/derivepassphrase/exporter/vault_native.py        221)         Args:
src/derivepassphrase/exporter/vault_native.py        222)             password:
src/derivepassphrase/exporter/vault_native.py        223)                 The password from which to derive the key.
src/derivepassphrase/exporter/vault_native.py        224)             key_size:
src/derivepassphrase/exporter/vault_native.py        225)                 The size of the output string.  The effective key size
src/derivepassphrase/exporter/vault_native.py        226)                 (in bytes) is thus half of this output string size.
src/derivepassphrase/exporter/vault_native.py        227)             iterations:
src/derivepassphrase/exporter/vault_native.py        228)                 The PBKDF2 iteration count.
src/derivepassphrase/exporter/vault_native.py        229) 
src/derivepassphrase/exporter/vault_native.py        230)         Returns:
src/derivepassphrase/exporter/vault_native.py        231)             The PBKDF2-derived key, encoded as a lowercase ASCII
src/derivepassphrase/exporter/vault_native.py        232)             hexadecimal string.
src/derivepassphrase/exporter/vault_native.py        233) 
src/derivepassphrase/exporter/vault_native.py        234)         Danger: Insecure use of cryptography
src/derivepassphrase/exporter/vault_native.py        235)             This function is insecure because it uses a fixed salt
src/derivepassphrase/exporter/vault_native.py        236)             value, which is not secure against rainbow tables.  It is
src/derivepassphrase/exporter/vault_native.py        237)             further difficult to use because the effective key size is
src/derivepassphrase/exporter/vault_native.py        238)             only half as large as the "size" parameter (output string
src/derivepassphrase/exporter/vault_native.py        239)             size).  Finally, though the use of SHA-1 in HMAC per se is
src/derivepassphrase/exporter/vault_native.py        240)             not known to be insecure, SHA-1 is known not to be
src/derivepassphrase/exporter/vault_native.py        241)             collision-resistant.
src/derivepassphrase/exporter/vault_native.py        242) 
src/derivepassphrase/exporter/vault_native.py        243)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 244)         if isinstance(password, str):
src/derivepassphrase/exporter/vault_v03_and_below.py 245)             password = password.encode('utf-8')
src/derivepassphrase/exporter/vault_v03_and_below.py 246)         raw_key = pbkdf2.PBKDF2HMAC(

src/derivepassphrase/exporter/vault_v03_and_below.py 247)             algorithm=hashes.SHA1(),

src/derivepassphrase/exporter/vault_v03_and_below.py 248)             length=key_size // 2,
src/derivepassphrase/exporter/vault_v03_and_below.py 249)             salt=vault.Vault._UUID,  # noqa: SLF001
src/derivepassphrase/exporter/vault_v03_and_below.py 250)             iterations=iterations,

src/derivepassphrase/exporter/vault_v03_and_below.py 251)         ).derive(bytes(password))

src/derivepassphrase/exporter/vault_native.py        252)         result_key = raw_key.hex().lower().encode('ASCII')

src/derivepassphrase/exporter/vault_v03_and_below.py 253)         logger.debug(

src/derivepassphrase/exporter/vault_native.py        254)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        255)                 _msg.DebugMsgTemplate.VAULT_NATIVE_PBKDF2_CALL,
src/derivepassphrase/exporter/vault_native.py        256)                 password=password,
src/derivepassphrase/exporter/vault_native.py        257)                 salt=vault.Vault._UUID,  # noqa: SLF001
src/derivepassphrase/exporter/vault_native.py        258)                 iterations=iterations,
src/derivepassphrase/exporter/vault_native.py        259)                 key_size=key_size // 2,
src/derivepassphrase/exporter/vault_native.py        260)                 algorithm='sha1',
src/derivepassphrase/exporter/vault_native.py        261)                 raw_result=raw_key,
src/derivepassphrase/exporter/vault_native.py        262)                 result_key=result_key.decode('ASCII'),
src/derivepassphrase/exporter/vault_native.py        263)             ),

src/derivepassphrase/exporter/vault_v03_and_below.py 264)         )

src/derivepassphrase/exporter/vault_native.py        265)         return result_key

src/derivepassphrase/exporter/vault_v03_and_below.py 266) 
src/derivepassphrase/exporter/vault_v03_and_below.py 267)     def _parse_contents(self) -> None:

src/derivepassphrase/exporter/vault_native.py        268)         """Parse the contents into IV, payload and MAC.
src/derivepassphrase/exporter/vault_native.py        269) 
src/derivepassphrase/exporter/vault_native.py        270)         This operates on, and sets, multiple internal attributes of the
src/derivepassphrase/exporter/vault_native.py        271)         parser.
src/derivepassphrase/exporter/vault_native.py        272) 
src/derivepassphrase/exporter/vault_native.py        273)         Raises:
src/derivepassphrase/exporter/vault_native.py        274)             ValueError:
src/derivepassphrase/exporter/vault_native.py        275)                 The configuration file contents are clearly truncated.
src/derivepassphrase/exporter/vault_native.py        276) 
src/derivepassphrase/exporter/vault_native.py        277)         """

src/derivepassphrase/exporter/vault_native.py        278)         logger.info(
src/derivepassphrase/exporter/vault_native.py        279)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        280)                 _msg.InfoMsgTemplate.VAULT_NATIVE_PARSING_IV_PAYLOAD_MAC,
src/derivepassphrase/exporter/vault_native.py        281)             ),
src/derivepassphrase/exporter/vault_native.py        282)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 283) 

src/derivepassphrase/exporter/vault_v03_and_below.py 284)         if len(self._contents) < self._iv_size + 16 + self._mac_size:

src/derivepassphrase/exporter/vault_v03_and_below.py 285)             msg = 'Invalid vault configuration file: file is truncated'

src/derivepassphrase/exporter/vault_v03_and_below.py 286)             raise ValueError(msg)
src/derivepassphrase/exporter/vault_v03_and_below.py 287) 

src/derivepassphrase/exporter/vault_v03_and_below.py 288)         def cut(buffer: bytes, cutpoint: int) -> tuple[bytes, bytes]:
src/derivepassphrase/exporter/vault_v03_and_below.py 289)             return buffer[:cutpoint], buffer[cutpoint:]
src/derivepassphrase/exporter/vault_v03_and_below.py 290) 

src/derivepassphrase/exporter/vault_v03_and_below.py 291)         cutpos1 = len(self._contents) - self._mac_size
src/derivepassphrase/exporter/vault_v03_and_below.py 292)         cutpos2 = self._iv_size

src/derivepassphrase/exporter/vault_v03_and_below.py 293) 

src/derivepassphrase/exporter/vault_v03_and_below.py 294)         self._message, self._message_tag = cut(self._contents, cutpos1)
src/derivepassphrase/exporter/vault_v03_and_below.py 295)         self._iv, self._payload = cut(self._message, cutpos2)

src/derivepassphrase/exporter/vault_v03_and_below.py 296) 
src/derivepassphrase/exporter/vault_v03_and_below.py 297)         logger.debug(

src/derivepassphrase/exporter/vault_native.py        298)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        299)                 _msg.DebugMsgTemplate.VAULT_NATIVE_PARSE_BUFFER,
src/derivepassphrase/exporter/vault_native.py        300)                 contents=_h(self._contents),
src/derivepassphrase/exporter/vault_native.py        301)                 iv=_h(self._iv),
src/derivepassphrase/exporter/vault_native.py        302)                 payload=_h(self._payload),
src/derivepassphrase/exporter/vault_native.py        303)                 mac=_h(self._message_tag),
src/derivepassphrase/exporter/vault_native.py        304)             ),

src/derivepassphrase/exporter/vault_v03_and_below.py 305)         )
src/derivepassphrase/exporter/vault_v03_and_below.py 306) 
src/derivepassphrase/exporter/vault_v03_and_below.py 307)     def _derive_keys(self) -> None:

src/derivepassphrase/exporter/vault_native.py        308)         """Derive the signing and encryption keys.
src/derivepassphrase/exporter/vault_native.py        309) 
src/derivepassphrase/exporter/vault_native.py        310)         This is a bookkeeping method.  The actual work is done in
src/derivepassphrase/exporter/vault_native.py        311)         [`_generate_keys`][].
src/derivepassphrase/exporter/vault_native.py        312) 
src/derivepassphrase/exporter/vault_native.py        313)         """

src/derivepassphrase/exporter/vault_native.py        314)         logger.info(
src/derivepassphrase/exporter/vault_native.py        315)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        316)                 _msg.InfoMsgTemplate.VAULT_NATIVE_DERIVING_KEYS,
src/derivepassphrase/exporter/vault_native.py        317)             ),
src/derivepassphrase/exporter/vault_native.py        318)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 319)         self._generate_keys()

src/derivepassphrase/exporter/vault_native.py        320)         assert len(self._encryption_key) == self._encryption_key_size, (
src/derivepassphrase/exporter/vault_native.py        321)             'Derived encryption key is invalid'
src/derivepassphrase/exporter/vault_native.py        322)         )
src/derivepassphrase/exporter/vault_native.py        323)         assert len(self._signing_key) == self._signing_key_size, (
src/derivepassphrase/exporter/vault_native.py        324)             'Derived signing key is invalid'
src/derivepassphrase/exporter/vault_native.py        325)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 326) 
src/derivepassphrase/exporter/vault_v03_and_below.py 327)     @abc.abstractmethod
src/derivepassphrase/exporter/vault_v03_and_below.py 328)     def _generate_keys(self) -> None:

src/derivepassphrase/exporter/vault_native.py        329)         """Derive the signing and encryption keys, and set the key sizes.
src/derivepassphrase/exporter/vault_native.py        330) 
src/derivepassphrase/exporter/vault_native.py        331)         Subclasses must override this, as the derivation system is
src/derivepassphrase/exporter/vault_native.py        332)         version-specific.  The default implementation raises an error.
src/derivepassphrase/exporter/vault_native.py        333) 
src/derivepassphrase/exporter/vault_native.py        334)         Raises:
src/derivepassphrase/exporter/vault_native.py        335)             AssertionError:
src/derivepassphrase/exporter/vault_native.py        336)                 There is no default implementation.
src/derivepassphrase/exporter/vault_native.py        337) 
src/derivepassphrase/exporter/vault_native.py        338)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 339)         raise AssertionError
src/derivepassphrase/exporter/vault_v03_and_below.py 340) 
src/derivepassphrase/exporter/vault_v03_and_below.py 341)     def _check_signature(self) -> None:

src/derivepassphrase/exporter/vault_native.py        342)         """Check for a valid MAC on the encrypted vault configuration.
src/derivepassphrase/exporter/vault_native.py        343) 
src/derivepassphrase/exporter/vault_native.py        344)         The MAC uses HMAC-SHA1, and thus is 32 bytes long, before
src/derivepassphrase/exporter/vault_native.py        345)         encoding.
src/derivepassphrase/exporter/vault_native.py        346) 
src/derivepassphrase/exporter/vault_native.py        347)         Raises:
src/derivepassphrase/exporter/vault_native.py        348)             ValueError:
src/derivepassphrase/exporter/vault_native.py        349)                 The MAC is invalid.
src/derivepassphrase/exporter/vault_native.py        350) 
src/derivepassphrase/exporter/vault_native.py        351)         """

src/derivepassphrase/exporter/vault_native.py        352)         logger.info(
src/derivepassphrase/exporter/vault_native.py        353)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        354)                 _msg.InfoMsgTemplate.VAULT_NATIVE_CHECKING_MAC,
src/derivepassphrase/exporter/vault_native.py        355)             ),
src/derivepassphrase/exporter/vault_native.py        356)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 357)         mac = hmac.HMAC(self._signing_key, hashes.SHA256())

src/derivepassphrase/exporter/vault_v03_and_below.py 358)         mac_input = self._hmac_input()
src/derivepassphrase/exporter/vault_v03_and_below.py 359)         logger.debug(

src/derivepassphrase/exporter/vault_native.py        360)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        361)                 _msg.DebugMsgTemplate.VAULT_NATIVE_CHECKING_MAC_DETAILS,
src/derivepassphrase/exporter/vault_native.py        362)                 mac_input=_h(mac_input),
src/derivepassphrase/exporter/vault_native.py        363)                 mac=_h(self._message_tag),
src/derivepassphrase/exporter/vault_native.py        364)             ),

src/derivepassphrase/exporter/vault_v03_and_below.py 365)         )
src/derivepassphrase/exporter/vault_v03_and_below.py 366)         mac.update(mac_input)
src/derivepassphrase/exporter/vault_v03_and_below.py 367)         try:

src/derivepassphrase/exporter/vault_v03_and_below.py 368)             mac.verify(self._message_tag)

src/derivepassphrase/exporter/vault_v03_and_below.py 369)         except crypt_exceptions.InvalidSignature:

src/derivepassphrase/exporter/vault_v03_and_below.py 370)             msg = 'File does not contain a valid signature'

src/derivepassphrase/exporter/vault_v03_and_below.py 371)             raise ValueError(msg) from None
src/derivepassphrase/exporter/vault_v03_and_below.py 372) 
src/derivepassphrase/exporter/vault_v03_and_below.py 373)     @abc.abstractmethod
src/derivepassphrase/exporter/vault_v03_and_below.py 374)     def _hmac_input(self) -> bytes:

src/derivepassphrase/exporter/vault_native.py        375)         """Return the input the MAC is supposed to verify.
src/derivepassphrase/exporter/vault_native.py        376) 
src/derivepassphrase/exporter/vault_native.py        377)         Subclasses must override this, as the MAC-attested data is
src/derivepassphrase/exporter/vault_native.py        378)         version-specific.  The default implementation raises an error.
src/derivepassphrase/exporter/vault_native.py        379) 
src/derivepassphrase/exporter/vault_native.py        380)         Raises:
src/derivepassphrase/exporter/vault_native.py        381)             AssertionError:
src/derivepassphrase/exporter/vault_native.py        382)                 There is no default implementation.
src/derivepassphrase/exporter/vault_native.py        383) 
src/derivepassphrase/exporter/vault_native.py        384)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 385)         raise AssertionError
src/derivepassphrase/exporter/vault_v03_and_below.py 386) 

src/derivepassphrase/exporter/vault_v03_and_below.py 387)     def _decrypt_payload(self) -> Any:  # noqa: ANN401

src/derivepassphrase/exporter/vault_native.py        388)         """Return the decrypted vault configuration.
src/derivepassphrase/exporter/vault_native.py        389) 
src/derivepassphrase/exporter/vault_native.py        390)         Requires [`_parse_contents`][] and [`_derive_keys`][] to have
src/derivepassphrase/exporter/vault_native.py        391)         run, and relies on [`_check_signature`][] for tampering
src/derivepassphrase/exporter/vault_native.py        392)         detection.
src/derivepassphrase/exporter/vault_native.py        393) 
src/derivepassphrase/exporter/vault_native.py        394)         """

src/derivepassphrase/exporter/vault_native.py        395)         logger.info(
src/derivepassphrase/exporter/vault_native.py        396)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        397)                 _msg.InfoMsgTemplate.VAULT_NATIVE_DECRYPTING_CONTENTS,
src/derivepassphrase/exporter/vault_native.py        398)             ),
src/derivepassphrase/exporter/vault_native.py        399)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 400)         decryptor = self._make_decryptor()
src/derivepassphrase/exporter/vault_v03_and_below.py 401)         padded_plaintext = bytearray()

src/derivepassphrase/exporter/vault_v03_and_below.py 402)         padded_plaintext.extend(decryptor.update(self._payload))

src/derivepassphrase/exporter/vault_v03_and_below.py 403)         padded_plaintext.extend(decryptor.finalize())

src/derivepassphrase/exporter/vault_native.py        404)         logger.debug(
src/derivepassphrase/exporter/vault_native.py        405)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        406)                 _msg.DebugMsgTemplate.VAULT_NATIVE_PADDED_PLAINTEXT,
src/derivepassphrase/exporter/vault_native.py        407)                 contents=_h(padded_plaintext),
src/derivepassphrase/exporter/vault_native.py        408)             ),
src/derivepassphrase/exporter/vault_native.py        409)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 410)         unpadder = padding.PKCS7(self._iv_size * 8).unpadder()

src/derivepassphrase/exporter/vault_v03_and_below.py 411)         plaintext = bytearray()
src/derivepassphrase/exporter/vault_v03_and_below.py 412)         plaintext.extend(unpadder.update(padded_plaintext))
src/derivepassphrase/exporter/vault_v03_and_below.py 413)         plaintext.extend(unpadder.finalize())

src/derivepassphrase/exporter/vault_native.py        414)         logger.debug(
src/derivepassphrase/exporter/vault_native.py        415)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        416)                 _msg.DebugMsgTemplate.VAULT_NATIVE_PLAINTEXT,
src/derivepassphrase/exporter/vault_native.py        417)                 contents=_h(plaintext),
src/derivepassphrase/exporter/vault_native.py        418)             ),
src/derivepassphrase/exporter/vault_native.py        419)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 420)         return json.loads(plaintext)

src/derivepassphrase/exporter/vault_v03_and_below.py 421) 
src/derivepassphrase/exporter/vault_v03_and_below.py 422)     @abc.abstractmethod
src/derivepassphrase/exporter/vault_v03_and_below.py 423)     def _make_decryptor(self) -> ciphers.CipherContext:

src/derivepassphrase/exporter/vault_native.py        424)         """Return the cipher context object used for decryption.
src/derivepassphrase/exporter/vault_native.py        425) 
src/derivepassphrase/exporter/vault_native.py        426)         Subclasses must override this, as the cipher setup is
src/derivepassphrase/exporter/vault_native.py        427)         version-specific.  The default implementation raises an error.
src/derivepassphrase/exporter/vault_native.py        428) 
src/derivepassphrase/exporter/vault_native.py        429)         Raises:
src/derivepassphrase/exporter/vault_native.py        430)             AssertionError:
src/derivepassphrase/exporter/vault_native.py        431)                 There is no default implementation.
src/derivepassphrase/exporter/vault_native.py        432) 
src/derivepassphrase/exporter/vault_native.py        433)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 434)         raise AssertionError
src/derivepassphrase/exporter/vault_v03_and_below.py 435) 
src/derivepassphrase/exporter/vault_v03_and_below.py 436) 

src/derivepassphrase/exporter/vault_v03_and_below.py 437) class VaultNativeV03ConfigParser(VaultNativeConfigParser):

src/derivepassphrase/exporter/vault_v03_and_below.py 438)     """A parser for vault's native configuration format (v0.3).
src/derivepassphrase/exporter/vault_v03_and_below.py 439) 
src/derivepassphrase/exporter/vault_v03_and_below.py 440)     This is the modern, pre-storeroom configuration format.
src/derivepassphrase/exporter/vault_v03_and_below.py 441) 

src/derivepassphrase/exporter/vault_native.py        442)     Warning:
src/derivepassphrase/exporter/vault_native.py        443)         Non-public class, provided for didactical and educational
src/derivepassphrase/exporter/vault_native.py        444)         purposes only. Subject to change without notice, including
src/derivepassphrase/exporter/vault_native.py        445)         removal.
src/derivepassphrase/exporter/vault_native.py        446) 

src/derivepassphrase/exporter/vault_v03_and_below.py 447)     """
src/derivepassphrase/exporter/vault_v03_and_below.py 448) 

src/derivepassphrase/exporter/vault_v03_and_below.py 449)     KEY_SIZE = 32

src/derivepassphrase/exporter/vault_native.py        450)     """
src/derivepassphrase/exporter/vault_native.py        451)     Key size for both the encryption and the signing key, including the
src/derivepassphrase/exporter/vault_native.py        452)     encoding as a hexadecimal string.  (The effective cryptographic
src/derivepassphrase/exporter/vault_native.py        453)     strength is half of this value.)
src/derivepassphrase/exporter/vault_native.py        454)     """

src/derivepassphrase/exporter/vault_v03_and_below.py 455) 

src/derivepassphrase/exporter/vault_native.py        456)     def __init__(self, *args: Any, **kwargs: Any) -> None:  # noqa: ANN401

src/derivepassphrase/exporter/vault_v03_and_below.py 457)         super().__init__(*args, **kwargs)

src/derivepassphrase/exporter/vault_v03_and_below.py 458)         self._iv_size = 16
src/derivepassphrase/exporter/vault_v03_and_below.py 459)         self._mac_size = 32

src/derivepassphrase/exporter/vault_v03_and_below.py 460) 
src/derivepassphrase/exporter/vault_v03_and_below.py 461)     def _generate_keys(self) -> None:

src/derivepassphrase/exporter/vault_native.py        462)         """Derive the signing and encryption keys, and set the key sizes.
src/derivepassphrase/exporter/vault_native.py        463) 
src/derivepassphrase/exporter/vault_native.py        464)         Version 0.3 vault configurations use a constant key size; see
src/derivepassphrase/exporter/vault_native.py        465)         [`KEY_SIZE`][].  The encryption and signing keys differ in how
src/derivepassphrase/exporter/vault_native.py        466)         many rounds of PBKDF2 they use (100 and 200, respectively).
src/derivepassphrase/exporter/vault_native.py        467) 
src/derivepassphrase/exporter/vault_native.py        468)         Danger: Insecure use of cryptography
src/derivepassphrase/exporter/vault_native.py        469)             This function makes use of the insecure function
src/derivepassphrase/exporter/vault_native.py        470)             [`VaultNativeConfigParser._pbkdf2`][], without any attempts
src/derivepassphrase/exporter/vault_native.py        471)             at mitigating its insecurity.  It further uses `_pbkdf2`
src/derivepassphrase/exporter/vault_native.py        472)             with the low iteration count of 100 and 200 rounds, which is
src/derivepassphrase/exporter/vault_native.py        473)             *drastically* insufficient to defend against password
src/derivepassphrase/exporter/vault_native.py        474)             guessing attacks using GPUs or ASICs.  We provide this
src/derivepassphrase/exporter/vault_native.py        475)             function for the purpose of interoperability with existing
src/derivepassphrase/exporter/vault_native.py        476)             vault installations.  Do not rely on this system to keep
src/derivepassphrase/exporter/vault_native.py        477)             your vault configuration secure against access by even
src/derivepassphrase/exporter/vault_native.py        478)             moderately determined attackers!
src/derivepassphrase/exporter/vault_native.py        479) 
src/derivepassphrase/exporter/vault_native.py        480)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 481)         self._encryption_key = self._pbkdf2(self._password, self.KEY_SIZE, 100)
src/derivepassphrase/exporter/vault_v03_and_below.py 482)         self._signing_key = self._pbkdf2(self._password, self.KEY_SIZE, 200)
src/derivepassphrase/exporter/vault_v03_and_below.py 483)         self._encryption_key_size = self._signing_key_size = self.KEY_SIZE

src/derivepassphrase/exporter/vault_v03_and_below.py 484) 
src/derivepassphrase/exporter/vault_v03_and_below.py 485)     def _hmac_input(self) -> bytes:

src/derivepassphrase/exporter/vault_native.py        486)         """Return the input the MAC is supposed to verify.
src/derivepassphrase/exporter/vault_native.py        487) 
src/derivepassphrase/exporter/vault_native.py        488)         This includes hexadecimal encoding of the message payload.
src/derivepassphrase/exporter/vault_native.py        489) 
src/derivepassphrase/exporter/vault_native.py        490)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 491)         return self._message.hex().lower().encode('ASCII')

src/derivepassphrase/exporter/vault_v03_and_below.py 492) 
src/derivepassphrase/exporter/vault_v03_and_below.py 493)     def _make_decryptor(self) -> ciphers.CipherContext:

src/derivepassphrase/exporter/vault_native.py        494)         """Return the cipher context object used for decryption.
src/derivepassphrase/exporter/vault_native.py        495) 
src/derivepassphrase/exporter/vault_native.py        496)         This is a standard AES256-CBC cipher context using the
src/derivepassphrase/exporter/vault_native.py        497)         previously derived encryption key and the IV declared in the
src/derivepassphrase/exporter/vault_native.py        498)         (MAC-verified) message payload.
src/derivepassphrase/exporter/vault_native.py        499) 
src/derivepassphrase/exporter/vault_native.py        500)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 501)         return ciphers.Cipher(

src/derivepassphrase/exporter/vault_v03_and_below.py 502)             algorithms.AES256(self._encryption_key), modes.CBC(self._iv)

src/derivepassphrase/exporter/vault_v03_and_below.py 503)         ).decryptor()
src/derivepassphrase/exporter/vault_v03_and_below.py 504) 
src/derivepassphrase/exporter/vault_v03_and_below.py 505) 

src/derivepassphrase/exporter/vault_v03_and_below.py 506) class VaultNativeV02ConfigParser(VaultNativeConfigParser):

src/derivepassphrase/exporter/vault_v03_and_below.py 507)     """A parser for vault's native configuration format (v0.2).
src/derivepassphrase/exporter/vault_v03_and_below.py 508) 
src/derivepassphrase/exporter/vault_v03_and_below.py 509)     This is the classic configuration format.  Compared to v0.3, it
src/derivepassphrase/exporter/vault_v03_and_below.py 510)     contains an (accidental) API misuse for the generation of the master
src/derivepassphrase/exporter/vault_v03_and_below.py 511)     keys, a low-entropy method of generating initialization vectors for
src/derivepassphrase/exporter/vault_v03_and_below.py 512)     the AES-CBC encryption step, and extra layers of base64 encoding.
src/derivepassphrase/exporter/vault_v03_and_below.py 513)     Because of these significantly weakened confidentiality guarantees,
src/derivepassphrase/exporter/vault_v03_and_below.py 514)     v0.2 configurations should be upgraded to at least v0.3 as soon as
src/derivepassphrase/exporter/vault_v03_and_below.py 515)     possible.

src/derivepassphrase/exporter/vault_v03_and_below.py 516) 

src/derivepassphrase/exporter/vault_native.py        517)     Warning:
src/derivepassphrase/exporter/vault_native.py        518)         Non-public class, provided for didactical and educational
src/derivepassphrase/exporter/vault_native.py        519)         purposes only. Subject to change without notice, including
src/derivepassphrase/exporter/vault_native.py        520)         removal.
src/derivepassphrase/exporter/vault_native.py        521) 

src/derivepassphrase/exporter/vault_v03_and_below.py 522)     """
src/derivepassphrase/exporter/vault_v03_and_below.py 523) 

src/derivepassphrase/exporter/vault_native.py        524)     def __init__(self, *args: Any, **kwargs: Any) -> None:  # noqa: ANN401

src/derivepassphrase/exporter/vault_v03_and_below.py 525)         super().__init__(*args, **kwargs)

src/derivepassphrase/exporter/vault_v03_and_below.py 526)         self._iv_size = 16
src/derivepassphrase/exporter/vault_v03_and_below.py 527)         self._mac_size = 64

src/derivepassphrase/exporter/vault_v03_and_below.py 528) 
src/derivepassphrase/exporter/vault_v03_and_below.py 529)     def _parse_contents(self) -> None:

src/derivepassphrase/exporter/vault_native.py        530)         """Parse the contents into IV, payload and MAC.
src/derivepassphrase/exporter/vault_native.py        531) 
src/derivepassphrase/exporter/vault_native.py        532)         Like the base class implementation, this operates on, and sets,
src/derivepassphrase/exporter/vault_native.py        533)         multiple internal attributes of the parser.  In version 0.2
src/derivepassphrase/exporter/vault_native.py        534)         vault configurations, the payload is encoded in base64 and the
src/derivepassphrase/exporter/vault_native.py        535)         message tag (MAC) is encoded in hexadecimal, so unlike the base
src/derivepassphrase/exporter/vault_native.py        536)         class implementation, we additionally decode the payload and the
src/derivepassphrase/exporter/vault_native.py        537)         MAC.
src/derivepassphrase/exporter/vault_native.py        538) 
src/derivepassphrase/exporter/vault_native.py        539)         Raises:
src/derivepassphrase/exporter/vault_native.py        540)             ValueError:
src/derivepassphrase/exporter/vault_native.py        541)                 The configuration file contents are clearly truncated,
src/derivepassphrase/exporter/vault_native.py        542)                 or the payload or the message tag cannot be decoded
src/derivepassphrase/exporter/vault_native.py        543)                 properly.
src/derivepassphrase/exporter/vault_native.py        544) 
src/derivepassphrase/exporter/vault_native.py        545)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 546)         super()._parse_contents()

src/derivepassphrase/exporter/vault_v03_and_below.py 547)         self._payload = base64.standard_b64decode(self._payload)
src/derivepassphrase/exporter/vault_v03_and_below.py 548)         self._message_tag = bytes.fromhex(self._message_tag.decode('ASCII'))

src/derivepassphrase/exporter/vault_native.py        549)         logger.debug(
src/derivepassphrase/exporter/vault_native.py        550)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        551)                 _msg.DebugMsgTemplate.VAULT_NATIVE_V02_PAYLOAD_MAC_POSTPROCESSING,
src/derivepassphrase/exporter/vault_native.py        552)                 payload=_h(self._payload),
src/derivepassphrase/exporter/vault_native.py        553)                 mac=_h(self._message_tag),
src/derivepassphrase/exporter/vault_native.py        554)             ),
src/derivepassphrase/exporter/vault_native.py        555)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 556) 
src/derivepassphrase/exporter/vault_v03_and_below.py 557)     def _generate_keys(self) -> None:

src/derivepassphrase/exporter/vault_native.py        558)         """Derive the signing and encryption keys, and set the key sizes.
src/derivepassphrase/exporter/vault_native.py        559) 
src/derivepassphrase/exporter/vault_native.py        560)         Version 0.2 vault configurations use 8-byte encryption keys and
src/derivepassphrase/exporter/vault_native.py        561)         16-byte signing keys, including the hexadecimal encoding.  They
src/derivepassphrase/exporter/vault_native.py        562)         both use 16 rounds of PBKDF2.  This is due to an oversight in
src/derivepassphrase/exporter/vault_native.py        563)         vault, where the author mistakenly supplied the intended
src/derivepassphrase/exporter/vault_native.py        564)         iteration count as the key size, and the key size as the
src/derivepassphrase/exporter/vault_native.py        565)         iteration count.
src/derivepassphrase/exporter/vault_native.py        566) 
src/derivepassphrase/exporter/vault_native.py        567)         Danger: Insecure use of cryptography
src/derivepassphrase/exporter/vault_native.py        568)             This function makes use of the insecure function
src/derivepassphrase/exporter/vault_native.py        569)             [`VaultNativeConfigParser._pbkdf2`][], without any attempts
src/derivepassphrase/exporter/vault_native.py        570)             at mitigating its insecurity.  It further uses `_pbkdf2`
src/derivepassphrase/exporter/vault_native.py        571)             with the low iteration count of 16 rounds, which is
src/derivepassphrase/exporter/vault_native.py        572)             *drastically* insufficient to defend against password
src/derivepassphrase/exporter/vault_native.py        573)             guessing attacks using GPUs or ASICs, and generates the
src/derivepassphrase/exporter/vault_native.py        574)             encryption key as a truncation of the signing key.  We
src/derivepassphrase/exporter/vault_native.py        575)             provide this function for the purpose of interoperability
src/derivepassphrase/exporter/vault_native.py        576)             with existing vault installations.  Do not rely on this
src/derivepassphrase/exporter/vault_native.py        577)             system to keep your vault configuration secure against
src/derivepassphrase/exporter/vault_native.py        578)             access by even moderately determined attackers!
src/derivepassphrase/exporter/vault_native.py        579) 
src/derivepassphrase/exporter/vault_native.py        580)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 581)         self._encryption_key = self._pbkdf2(self._password, 8, 16)
src/derivepassphrase/exporter/vault_v03_and_below.py 582)         self._signing_key = self._pbkdf2(self._password, 16, 16)
src/derivepassphrase/exporter/vault_v03_and_below.py 583)         self._encryption_key_size = 8
src/derivepassphrase/exporter/vault_v03_and_below.py 584)         self._signing_key_size = 16

src/derivepassphrase/exporter/vault_v03_and_below.py 585) 
src/derivepassphrase/exporter/vault_v03_and_below.py 586)     def _hmac_input(self) -> bytes:

src/derivepassphrase/exporter/vault_native.py        587)         """Return the input the MAC is supposed to verify.
src/derivepassphrase/exporter/vault_native.py        588) 
src/derivepassphrase/exporter/vault_native.py        589)         This includes hexadecimal encoding of the message payload.
src/derivepassphrase/exporter/vault_native.py        590) 
src/derivepassphrase/exporter/vault_native.py        591)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 592)         return base64.standard_b64encode(self._message)

src/derivepassphrase/exporter/vault_v03_and_below.py 593) 

src/derivepassphrase/exporter/vault_native.py        594)     @staticmethod
src/derivepassphrase/exporter/vault_native.py        595)     def _evp_bytestokey_md5_one_iteration_no_salt(
src/derivepassphrase/exporter/vault_native.py        596)         data: bytes, key_size: int, iv_size: int
src/derivepassphrase/exporter/vault_native.py        597)     ) -> tuple[bytes, bytes]:
src/derivepassphrase/exporter/vault_native.py        598)         """Reimplement OpenSSL's `EVP_BytesToKey` with fixed parameters.
src/derivepassphrase/exporter/vault_native.py        599) 
src/derivepassphrase/exporter/vault_native.py        600)         `EVP_BytesToKey` in general is a key derivation function,
src/derivepassphrase/exporter/vault_native.py        601)         i.e., a function that derives key material from an input
src/derivepassphrase/exporter/vault_native.py        602)         byte string.  `EVP_BytesToKey` conceptually splits the
src/derivepassphrase/exporter/vault_native.py        603)         derived key material into an encryption key and an
src/derivepassphrase/exporter/vault_native.py        604)         initialization vector (IV).
src/derivepassphrase/exporter/vault_native.py        605) 
src/derivepassphrase/exporter/vault_native.py        606)         Note: Algorithm description
src/derivepassphrase/exporter/vault_native.py        607)             `EVP_BytesToKey` takes an input byte string, two output
src/derivepassphrase/exporter/vault_native.py        608)             size (encryption key size and IV size), a message digest
src/derivepassphrase/exporter/vault_native.py        609)             function, a salt value and an iteration count.  The
src/derivepassphrase/exporter/vault_native.py        610)             derived key material is calculated in blocks, each of
src/derivepassphrase/exporter/vault_native.py        611)             which is the output of (iterated application of) the
src/derivepassphrase/exporter/vault_native.py        612)             message digest function.  The input to the message
src/derivepassphrase/exporter/vault_native.py        613)             digest function is the concatenation of the previous
src/derivepassphrase/exporter/vault_native.py        614)             block (if any) with the input byte string and the salt
src/derivepassphrase/exporter/vault_native.py        615)             value (if any):
src/derivepassphrase/exporter/vault_native.py        616) 
src/derivepassphrase/exporter/vault_native.py        617)             ~~~~ python
src/derivepassphrase/exporter/vault_native.py        618) 
src/derivepassphrase/exporter/vault_native.py        619)             data = block_input = b''.join([
src/derivepassphrase/exporter/vault_native.py        620)                 previous_block, input_string, salt
src/derivepassphrase/exporter/vault_native.py        621)             ])
src/derivepassphrase/exporter/vault_native.py        622)             for i in range(iteration_count):
src/derivepassphrase/exporter/vault_native.py        623)                 data = message_digest(data)
src/derivepassphrase/exporter/vault_native.py        624)             block = data
src/derivepassphrase/exporter/vault_native.py        625) 
src/derivepassphrase/exporter/vault_native.py        626)             ~~~~
src/derivepassphrase/exporter/vault_native.py        627) 
src/derivepassphrase/exporter/vault_native.py        628)             We use as many blocks as are necessary to cover the
src/derivepassphrase/exporter/vault_native.py        629)             total output byte string size.  The first few bytes
src/derivepassphrase/exporter/vault_native.py        630)             (dictated by the encryption key size) form the
src/derivepassphrase/exporter/vault_native.py        631)             encryption key, the other bytes (dictated by the IV
src/derivepassphrase/exporter/vault_native.py        632)             size) form the IV.
src/derivepassphrase/exporter/vault_native.py        633) 
src/derivepassphrase/exporter/vault_native.py        634)         We implement exactly the subset of `EVP_BytesToKey` that the
src/derivepassphrase/exporter/vault_native.py        635)         Node.js `crypto` library (v21 series and older) uses in its
src/derivepassphrase/exporter/vault_native.py        636)         implementation of `crypto.createCipher("aes256", password)`.
src/derivepassphrase/exporter/vault_native.py        637)         Specifically, the message digest function is fixed to MD5,
src/derivepassphrase/exporter/vault_native.py        638)         the salt is always empty, and the iteration count is fixed
src/derivepassphrase/exporter/vault_native.py        639)         at one.
src/derivepassphrase/exporter/vault_native.py        640) 
src/derivepassphrase/exporter/vault_native.py        641) 
src/derivepassphrase/exporter/vault_native.py        642)         Returns:
src/derivepassphrase/exporter/vault_native.py        643)             A 2-tuple containing the derived encryption key and the
src/derivepassphrase/exporter/vault_native.py        644)             derived initialization vector.
src/derivepassphrase/exporter/vault_native.py        645) 
src/derivepassphrase/exporter/vault_native.py        646)         Danger: Insecure use of cryptography
src/derivepassphrase/exporter/vault_native.py        647)             This function reimplements the OpenSSL function
src/derivepassphrase/exporter/vault_native.py        648)             `EVP_BytesToKey`, which generates cryptographically weak
src/derivepassphrase/exporter/vault_native.py        649)             keys, without any attempts at mitigating its insecurity.  We
src/derivepassphrase/exporter/vault_native.py        650)             provide this function for the purpose of interoperability
src/derivepassphrase/exporter/vault_native.py        651)             with existing vault installations.  Do not rely on this
src/derivepassphrase/exporter/vault_native.py        652)             system to keep your vault configuration secure against
src/derivepassphrase/exporter/vault_native.py        653)             access by even moderately determined attackers!
src/derivepassphrase/exporter/vault_native.py        654) 
src/derivepassphrase/exporter/vault_native.py        655)         """
src/derivepassphrase/exporter/vault_native.py        656)         total_size = key_size + iv_size
src/derivepassphrase/exporter/vault_native.py        657)         buffer = bytearray()
src/derivepassphrase/exporter/vault_native.py        658)         last_block = b''
src/derivepassphrase/exporter/vault_native.py        659)         salt = b''
src/derivepassphrase/exporter/vault_native.py        660)         logger.debug(
src/derivepassphrase/exporter/vault_native.py        661)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        662)                 _msg.DebugMsgTemplate.VAULT_NATIVE_EVP_BYTESTOKEY_INIT,
src/derivepassphrase/exporter/vault_native.py        663)                 data=_h(data),
src/derivepassphrase/exporter/vault_native.py        664)                 salt=_h(salt),
src/derivepassphrase/exporter/vault_native.py        665)                 key_size=key_size,
src/derivepassphrase/exporter/vault_native.py        666)                 iv_size=iv_size,
src/derivepassphrase/exporter/vault_native.py        667)                 buffer_length=len(buffer),
src/derivepassphrase/exporter/vault_native.py        668)                 buffer=_h(buffer),
src/derivepassphrase/exporter/vault_native.py        669)             ),
src/derivepassphrase/exporter/vault_native.py        670)         )
src/derivepassphrase/exporter/vault_native.py        671)         while len(buffer) < total_size:
src/derivepassphrase/exporter/vault_native.py        672)             with warnings.catch_warnings():
src/derivepassphrase/exporter/vault_native.py        673)                 warnings.simplefilter(
src/derivepassphrase/exporter/vault_native.py        674)                     'ignore', crypt_utils.CryptographyDeprecationWarning
src/derivepassphrase/exporter/vault_native.py        675)                 )
src/derivepassphrase/exporter/vault_native.py        676)                 block = hashes.Hash(hashes.MD5())
src/derivepassphrase/exporter/vault_native.py        677)             block.update(last_block)
src/derivepassphrase/exporter/vault_native.py        678)             block.update(data)
src/derivepassphrase/exporter/vault_native.py        679)             block.update(salt)
src/derivepassphrase/exporter/vault_native.py        680)             last_block = block.finalize()
src/derivepassphrase/exporter/vault_native.py        681)             buffer.extend(last_block)
src/derivepassphrase/exporter/vault_native.py        682)             logger.debug(
src/derivepassphrase/exporter/vault_native.py        683)                 _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        684)                     _msg.DebugMsgTemplate.VAULT_NATIVE_EVP_BYTESTOKEY_ROUND,
src/derivepassphrase/exporter/vault_native.py        685)                     buffer_length=len(buffer),
src/derivepassphrase/exporter/vault_native.py        686)                     buffer=_h(buffer),
src/derivepassphrase/exporter/vault_native.py        687)                 ),
src/derivepassphrase/exporter/vault_native.py        688)             )
src/derivepassphrase/exporter/vault_native.py        689)         logger.debug(
src/derivepassphrase/exporter/vault_native.py        690)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        691)                 _msg.DebugMsgTemplate.VAULT_NATIVE_EVP_BYTESTOKEY_RESULT,
src/derivepassphrase/exporter/vault_native.py        692)                 enc_key=_h(buffer[:key_size]),
src/derivepassphrase/exporter/vault_native.py        693)                 iv=_h(buffer[key_size:total_size]),
src/derivepassphrase/exporter/vault_native.py        694)             ),
src/derivepassphrase/exporter/vault_native.py        695)         )
src/derivepassphrase/exporter/vault_native.py        696)         return bytes(buffer[:key_size]), bytes(buffer[key_size:total_size])
src/derivepassphrase/exporter/vault_native.py        697) 

src/derivepassphrase/exporter/vault_v03_and_below.py 698)     def _make_decryptor(self) -> ciphers.CipherContext:

src/derivepassphrase/exporter/vault_native.py        699)         """Return the cipher context object used for decryption.
src/derivepassphrase/exporter/vault_native.py        700) 
src/derivepassphrase/exporter/vault_native.py        701)         This is a standard AES256-CBC cipher context. The encryption key
src/derivepassphrase/exporter/vault_native.py        702)         and the IV are derived via the OpenSSL `EVP_BytesToKey` function
src/derivepassphrase/exporter/vault_native.py        703)         (using MD5, no salt, and one iteration).  This is what the
src/derivepassphrase/exporter/vault_native.py        704)         Node.js `crypto` library (v21 series and older) used in its
src/derivepassphrase/exporter/vault_native.py        705)         implementation of `crypto.createCipher("aes256", password)`.
src/derivepassphrase/exporter/vault_native.py        706) 
src/derivepassphrase/exporter/vault_native.py        707)         Danger: Insecure use of cryptography
src/derivepassphrase/exporter/vault_native.py        708)             This function makes use of (an implementation of) the
src/derivepassphrase/exporter/vault_native.py        709)             OpenSSL function `EVP_BytesToKey`, which generates
src/derivepassphrase/exporter/vault_native.py        710)             cryptographically weak keys, without any attempts at
src/derivepassphrase/exporter/vault_native.py        711)             mitigating its insecurity.  We provide this function for the
src/derivepassphrase/exporter/vault_native.py        712)             purpose of interoperability with existing vault
src/derivepassphrase/exporter/vault_native.py        713)             installations.  Do not rely on this system to keep your
src/derivepassphrase/exporter/vault_native.py        714)             vault configuration secure against access by even moderately
src/derivepassphrase/exporter/vault_native.py        715)             determined attackers!
src/derivepassphrase/exporter/vault_native.py        716) 
src/derivepassphrase/exporter/vault_native.py        717)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 718)         data = base64.standard_b64encode(self._iv + self._encryption_key)

src/derivepassphrase/exporter/vault_native.py        719)         encryption_key, iv = self._evp_bytestokey_md5_one_iteration_no_salt(

src/derivepassphrase/exporter/vault_v03_and_below.py 720)             data, key_size=32, iv_size=16

src/derivepassphrase/exporter/vault_v03_and_below.py 721)         )
src/derivepassphrase/exporter/vault_v03_and_below.py 722)         return ciphers.Cipher(
src/derivepassphrase/exporter/vault_v03_and_below.py 723)             algorithms.AES256(encryption_key), modes.CBC(iv)
src/derivepassphrase/exporter/vault_v03_and_below.py 724)         ).decryptor()
src/derivepassphrase/exporter/vault_v03_and_below.py 725) 
src/derivepassphrase/exporter/vault_v03_and_below.py 726) 
src/derivepassphrase/exporter/vault_v03_and_below.py 727) if __name__ == '__main__':
src/derivepassphrase/exporter/vault_v03_and_below.py 728)     import os
src/derivepassphrase/exporter/vault_v03_and_below.py 729) 
src/derivepassphrase/exporter/vault_v03_and_below.py 730)     logging.basicConfig(level=('DEBUG' if os.getenv('DEBUG') else 'WARNING'))

src/derivepassphrase/exporter/vault_v03_and_below.py 731)     with open(exporter.get_vault_path(), 'rb') as infile:

src/derivepassphrase/exporter/vault_v03_and_below.py 732)         contents = base64.standard_b64decode(infile.read())

src/derivepassphrase/exporter/vault_v03_and_below.py 733)     password = exporter.get_vault_key()

src/derivepassphrase/exporter/vault_v03_and_below.py 734)     try:

src/derivepassphrase/exporter/vault_v03_and_below.py 735)         config = VaultNativeV03ConfigParser(contents, password)()

src/derivepassphrase/exporter/vault_v03_and_below.py 736)     except ValueError:

src/derivepassphrase/exporter/vault_v03_and_below.py 737)         config = VaultNativeV02ConfigParser(contents, password)()