src/derivepassphrase/exporter/vault_v03_and_below.py   1) # SPDX-FileCopyrightText: 2024 Marco Ricci <m@the13thletter.info>
src/derivepassphrase/exporter/vault_v03_and_below.py   2) #
src/derivepassphrase/exporter/vault_v03_and_below.py   3) # SPDX-License-Identifier: MIT
src/derivepassphrase/exporter/vault_v03_and_below.py   4) 
src/derivepassphrase/exporter/vault_v03_and_below.py   5) """Exporter for the vault native configuration format (v0.2 or v0.3)."""
src/derivepassphrase/exporter/vault_v03_and_below.py   6) 
src/derivepassphrase/exporter/vault_v03_and_below.py   7) from __future__ import annotations
src/derivepassphrase/exporter/vault_v03_and_below.py   8) 
src/derivepassphrase/exporter/vault_v03_and_below.py   9) import abc
src/derivepassphrase/exporter/vault_v03_and_below.py  10) import base64
src/derivepassphrase/exporter/vault_v03_and_below.py  11) import json
src/derivepassphrase/exporter/vault_v03_and_below.py  12) import logging
src/derivepassphrase/exporter/vault_v03_and_below.py  13) import warnings
src/derivepassphrase/exporter/vault_v03_and_below.py  14) from typing import TYPE_CHECKING
src/derivepassphrase/exporter/vault_v03_and_below.py  15) 
src/derivepassphrase/exporter/vault_v03_and_below.py  16) from derivepassphrase import exporter, vault
src/derivepassphrase/exporter/vault_v03_and_below.py  17) 
src/derivepassphrase/exporter/vault_v03_and_below.py  18) if TYPE_CHECKING:
src/derivepassphrase/exporter/vault_v03_and_below.py  19)     from typing import Any
src/derivepassphrase/exporter/vault_v03_and_below.py  20) 
src/derivepassphrase/exporter/vault_v03_and_below.py  21)     from typing_extensions import Buffer
src/derivepassphrase/exporter/vault_v03_and_below.py  22) 
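# Optional dependency handling for the `cryptography` package.
#
# Type checkers always see the real API.  At runtime the import is
# attempted; if the package is missing, every name is bound to a stub so
# that importing this module still succeeds and the failure is deferred
# to the first actual use of a cryptographic primitive.
if TYPE_CHECKING:
    from cryptography import exceptions as crypt_exceptions
    from cryptography import utils as crypt_utils
    from cryptography.hazmat.primitives import ciphers, hashes, hmac, padding
    from cryptography.hazmat.primitives.ciphers import algorithms, modes
    from cryptography.hazmat.primitives.kdf import pbkdf2
else:
    try:
        from cryptography import exceptions as crypt_exceptions
        from cryptography import utils as crypt_utils
        from cryptography.hazmat.primitives import (
            ciphers,
            hashes,
            hmac,
            padding,
        )
        from cryptography.hazmat.primitives.ciphers import algorithms, modes
        from cryptography.hazmat.primitives.kdf import pbkdf2
    except ModuleNotFoundError as exc:

        class _DummyModule:  # pragma: no cover
            """Stand-in for a `cryptography` module that failed to import.

            Looking up any attribute yields a callable which, when
            called, re-raises the import error captured at module load.
            """

            def __init__(self, exc: Exception) -> None:
                # The caller passes the caught exception *instance*
                # (see the `_DummyModule(exc)` calls below), and
                # `raise self.exc` re-raises that same instance.
                self.exc = exc

            def __getattr__(self, name: str) -> Any:  # noqa: ANN401
                def func(*args: Any, **kwargs: Any) -> Any:  # noqa: ANN401,ARG001
                    raise self.exc

                return func

        crypt_exceptions = crypt_utils = _DummyModule(exc)
        ciphers = hashes = hmac = padding = _DummyModule(exc)
        algorithms = modes = pbkdf2 = _DummyModule(exc)
        # True when the names above are stubs rather than the real
        # `cryptography` modules.
        STUBBED = True
    else:
        STUBBED = False

logger = logging.getLogger(__name__)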
src/derivepassphrase/exporter/vault_v03_and_below.py  61) 
src/derivepassphrase/exporter/vault_v03_and_below.py  62) 
def _h(bs: bytes | bytearray) -> str:
    """Render *bs* as a `bytes.fromhex(...)` expression for log output.

    The hex digits are grouped per byte, separated by single spaces.
    """
    spaced_hex = bs.hex(' ')
    return f'bytes.fromhex({spaced_hex!r})'
src/derivepassphrase/exporter/vault_v03_and_below.py  65) 
src/derivepassphrase/exporter/vault_v03_and_below.py  66) 
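class VaultNativeConfigParser(abc.ABC):
    """A base parser for vault's native configuration format.

    Certain details are specific to the respective vault versions, and
    are abstracted out.  This class by itself is not instantiable
    because of this.

    Subclasses set `_iv_size` and `_mac_size` and implement
    `_generate_keys`, `_hmac_input` and `_make_decryptor`.

    """

    def __init__(self, contents: Buffer, password: str | Buffer) -> None:
        """Initialize the parser.

        Args:
            contents:
                The binary contents of the encrypted configuration file.

                Note: On disk, these are usually stored in
                base64-encoded form, not in the "raw" form as needed
                here.

            password:
                The vault master key/master passphrase the file is
                encrypted with.  Must be non-empty.  See
                [`derivepassphrase.exporter.get_vault_key`][] for
                details.

                If this is a text string, then the UTF-8 encoding of the
                string is used as the binary password.

        Raises:
            ValueError:
                The password is empty.

        """
        if not password:
            msg = 'Password must not be empty'
            raise ValueError(msg)  # noqa: DOC501
        self._contents = bytes(contents)
        # Field sizes and key material start out empty; subclasses and
        # the parsing steps fill them in.
        self._iv_size = 0
        self._mac_size = 0
        self._encryption_key = b''
        self._encryption_key_size = 0
        self._signing_key = b''
        self._signing_key_size = 0
        self._message = b''
        self._message_tag = b''
        self._iv = b''
        self._payload = b''
        # NOTE(security): the master password is kept on the instance
        # for as long as the parser object lives.
        self._password = password
        # Unique marker for "not parsed yet", so that any decoded JSON
        # value (including None) can be cached in `_data`.
        self._sentinel: object = object()
        self._data: Any = self._sentinel

    def __call__(self) -> Any:  # noqa: ANN401
        """Return the decrypted and parsed vault configuration.

        The first call splits the file contents, derives the keys,
        verifies the HMAC tag and only then decrypts the payload.  The
        result is cached; later calls return the cached value.

        Raises:
            ValueError:
                The format is invalid.  (For example, the file is
                truncated, it contains an unsupported version marker,
                or unexpected extra contents, or invalid padding.)
                This also covers a failed signature check:
                `_check_signature` translates
                `cryptography.exceptions.InvalidSignature` into
                `ValueError`.

        """
        if self._data is self._sentinel:
            self._parse_contents()
            self._derive_keys()
            # Authenticate before decrypting.
            self._check_signature()
            self._data = self._decrypt_payload()
        return self._data

    @staticmethod
    def _pbkdf2(
        password: str | Buffer, key_size: int, iterations: int
    ) -> bytes:
        """Derive a key with PBKDF2-HMAC-SHA1 and return it hex-encoded.

        Args:
            password:
                The master password; text is encoded as UTF-8 first.
            key_size:
                Length of the returned, hex-encoded key.  The raw
                PBKDF2 output is `key_size // 2` bytes long.
            iterations:
                The PBKDF2 iteration count.

        Returns:
            The lowercase hexadecimal form of the raw key, as ASCII
            bytes.

        """
        if isinstance(password, str):
            password = password.encode('utf-8')
        raw_key = pbkdf2.PBKDF2HMAC(
            algorithm=hashes.SHA1(),
            length=key_size // 2,
            # The salt is the constant `vault.Vault._UUID`, not a
            # per-file value -- presumably fixed by the vault file
            # format; confirm before reusing this helper elsewhere.
            salt=vault.Vault._UUID,  # noqa: SLF001
            iterations=iterations,
        ).derive(bytes(password))
        # NOTE(security): this debug record contains the master
        # password and the derived key in both encodings.  Keep DEBUG
        # logging for this logger disabled outside of troubleshooting,
        # and treat any captured output as secret material.
        logger.debug(
            'binary = pbkdf2(%s, %s, %s, %s, %s) = %s -> %s',
            repr(password),
            repr(vault.Vault._UUID),  # noqa: SLF001
            iterations,
            key_size // 2,
            repr('sha1'),
            _h(raw_key),
            _h(raw_key.hex().lower().encode('ASCII')),
        )
        return raw_key.hex().lower().encode('ASCII')

    def _parse_contents(self) -> None:
        """Split the file contents into IV, payload and MAC tag.

        The trailing `_mac_size` bytes are the tag; everything before
        it is the message, whose first `_iv_size` bytes are the IV and
        whose remainder is the encrypted payload.

        Raises:
            ValueError:
                The contents are too short to hold an IV, 16 bytes of
                payload and a tag.

        """
        logger.info('Parsing IV, payload and signature from the file contents')

        # 16 is the minimum payload length accepted here -- presumably
        # one AES block.
        if len(self._contents) < self._iv_size + 16 + self._mac_size:
            msg = 'Invalid vault configuration file: file is truncated'
            raise ValueError(msg)

        def cut(buffer: bytes, cutpoint: int) -> tuple[bytes, bytes]:
            return buffer[:cutpoint], buffer[cutpoint:]

        cutpos1 = len(self._contents) - self._mac_size
        cutpos2 = self._iv_size

        self._message, self._message_tag = cut(self._contents, cutpos1)
        self._iv, self._payload = cut(self._message, cutpos2)

        logger.debug(
            'buffer %s = [[%s, %s], %s]',
            _h(self._contents),
            _h(self._iv),
            _h(self._payload),
            _h(self._message_tag),
        )

    def _derive_keys(self) -> None:
        """Generate both keys and check that their lengths are as declared.

        Raises:
            AssertionError:
                A derived key does not have the length the subclass
                declared for it.

        """
        logger.info('Deriving an encryption and signing key')
        self._generate_keys()
        # Raised explicitly rather than via `assert`, so that the
        # checks are not stripped when Python runs with `-O`.
        if len(self._encryption_key) != self._encryption_key_size:
            msg = 'Derived encryption key is invalid'
            raise AssertionError(msg)
        if len(self._signing_key) != self._signing_key_size:
            msg = 'Derived signing key is invalid'
            raise AssertionError(msg)

    @abc.abstractmethod
    def _generate_keys(self) -> None:
        """Set the encryption and signing keys and their expected sizes."""
        raise AssertionError

    def _check_signature(self) -> None:
        """Verify the HMAC-SHA256 tag over the version-specific MAC input.

        Raises:
            ValueError:
                The tag does not verify.  The library's
                `InvalidSignature` is replaced, with its context
                suppressed.

        """
        logger.info('Checking HMAC signature')
        mac = hmac.HMAC(self._signing_key, hashes.SHA256())
        mac_input = self._hmac_input()
        logger.debug(
            'mac_input = %s, expected_tag = %s',
            _h(mac_input),
            _h(self._message_tag),
        )
        mac.update(mac_input)
        try:
            # The comparison itself is delegated to the library.
            mac.verify(self._message_tag)
        except crypt_exceptions.InvalidSignature:
            msg = 'File does not contain a valid signature'
            raise ValueError(msg) from None

    @abc.abstractmethod
    def _hmac_input(self) -> bytes:
        """Return the bytes over which the HMAC tag is computed."""
        raise AssertionError

    def _decrypt_payload(self) -> Any:  # noqa: ANN401
        """Decrypt the payload, strip the PKCS#7 padding, parse the JSON.

        Returns:
            The value decoded from the JSON plaintext.

        """
        decryptor = self._make_decryptor()
        padded_plaintext = bytearray()
        padded_plaintext.extend(decryptor.update(self._payload))
        padded_plaintext.extend(decryptor.finalize())
        # NOTE(security): the two debug records below contain the
        # decrypted configuration; treat DEBUG output as sensitive.
        logger.debug('padded plaintext = %s', _h(padded_plaintext))
        # The padding block size (in bits) is taken from the IV size.
        unpadder = padding.PKCS7(self._iv_size * 8).unpadder()
        plaintext = bytearray()
        plaintext.extend(unpadder.update(padded_plaintext))
        plaintext.extend(unpadder.finalize())
        logger.debug('plaintext = %s', _h(plaintext))
        return json.loads(plaintext)

    @abc.abstractmethod
    def _make_decryptor(self) -> ciphers.CipherContext:
        """Return a decryption context for the payload."""
        raise AssertionError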
src/derivepassphrase/exporter/vault_v03_and_below.py 233) 
src/derivepassphrase/exporter/vault_v03_and_below.py 234) 
class VaultNativeV03ConfigParser(VaultNativeConfigParser):
    """A parser for vault's native configuration format (v0.3).

    This is the modern, pre-storeroom configuration format.

    """

    # Length, in bytes, of each hex-encoded derived key.
    KEY_SIZE = 32

    def __init__(self, *args: Any, **kwargs: Any) -> None:  # noqa: ANN401
        """Set up the base parser, then fix the v0.3 field sizes."""
        super().__init__(*args, **kwargs)
        # 16-byte IV, 32-byte trailing MAC tag.
        self._iv_size, self._mac_size = 16, 32

    def __call__(self) -> Any:  # noqa: ANN401
        """Return the parsed configuration, logging the first attempt."""
        if self._data is not self._sentinel:
            return self._data
        logger.info('Attempting to parse as v0.3 configuration')
        return super().__call__()

    def _generate_keys(self) -> None:
        """Derive the encryption and signing keys from the password."""
        # The two keys differ only in the PBKDF2 iteration count (100
        # and 200).  NOTE(review): these counts are low by current
        # standards; presumably they are fixed by the v0.3 file format
        # and cannot be raised here -- confirm.
        size = self.KEY_SIZE
        master = self._password
        self._encryption_key = self._pbkdf2(master, size, 100)
        self._signing_key = self._pbkdf2(master, size, 200)
        self._encryption_key_size = size
        self._signing_key_size = size

    def _hmac_input(self) -> bytes:
        """Return the lowercase hex form of the message, as ASCII bytes."""
        hex_digits = self._message.hex().lower()
        return hex_digits.encode('ASCII')

    def _make_decryptor(self) -> ciphers.CipherContext:
        """Return an AES-256-CBC decryption context for the payload."""
        cipher = ciphers.Cipher(
            algorithms.AES256(self._encryption_key),
            modes.CBC(self._iv),
        )
        return cipher.decryptor()
src/derivepassphrase/exporter/vault_v03_and_below.py 267) 
src/derivepassphrase/exporter/vault_v03_and_below.py 268) 
src/derivepassphrase/exporter/vault_v03_and_below.py 269) class VaultNativeV02ConfigParser(VaultNativeConfigParser):
src/derivepassphrase/exporter/vault_v03_and_below.py 270)     """A parser for vault's native configuration format (v0.2).
src/derivepassphrase/exporter/vault_v03_and_below.py 271) 
src/derivepassphrase/exporter/vault_v03_and_below.py 272)     This is the classic configuration format.  Compared to v0.3, it
src/derivepassphrase/exporter/vault_v03_and_below.py 273)     contains an (accidental) API misuse for the generation of the master
src/derivepassphrase/exporter/vault_v03_and_below.py 274)     keys, a low-entropy method of generating initialization vectors for
src/derivepassphrase/exporter/vault_v03_and_below.py 275)     the AES-CBC encryption step, and extra layers of base64 encoding.
src/derivepassphrase/exporter/vault_v03_and_below.py 276)     Because of these significantly weakened confidentiality guarantees,
src/derivepassphrase/exporter/vault_v03_and_below.py 277)     v0.2 configurations should be upgraded to at least v0.3 as soon as
src/derivepassphrase/exporter/vault_v03_and_below.py 278)     possible.
Marco Ricci Apply new ruff ruleset to c...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 279) 
src/derivepassphrase/exporter/vault_v03_and_below.py 280)     """
src/derivepassphrase/exporter/vault_v03_and_below.py 281) 
src/derivepassphrase/exporter/vault_v03_and_below.py 282)     def __init__(self, *args: Any, **kwargs: Any) -> None:  # noqa: ANN401,D107
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 283)         super().__init__(*args, **kwargs)
Marco Ricci Apply new ruff ruleset to c...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 284)         self._iv_size = 16
src/derivepassphrase/exporter/vault_v03_and_below.py 285)         self._mac_size = 64
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 286) 
Marco Ricci Apply new ruff ruleset to c...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 287)     def __call__(self) -> Any:  # noqa: ANN401,D102
Marco Ricci Rename vault v0.2/v0.3 clas...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 288)         if self._data is self._sentinel:
src/derivepassphrase/exporter/vault_v03_and_below.py 289)             logger.info('Attempting to parse as v0.2 configuration')
src/derivepassphrase/exporter/vault_v03_and_below.py 290)             return super().__call__()
src/derivepassphrase/exporter/vault_v03_and_below.py 291)         return self._data
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 292) 
src/derivepassphrase/exporter/vault_v03_and_below.py 293)     def _parse_contents(self) -> None:
src/derivepassphrase/exporter/vault_v03_and_below.py 294)         super()._parse_contents()
src/derivepassphrase/exporter/vault_v03_and_below.py 295)         logger.debug('Decoding payload (base64) and message tag (hex)')
Marco Ricci Apply new ruff ruleset to c...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 296)         self._payload = base64.standard_b64decode(self._payload)
src/derivepassphrase/exporter/vault_v03_and_below.py 297)         self._message_tag = bytes.fromhex(self._message_tag.decode('ASCII'))
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 298) 
src/derivepassphrase/exporter/vault_v03_and_below.py 299)     def _generate_keys(self) -> None:
Marco Ricci Apply new ruff ruleset to c...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 300)         self._encryption_key = self._pbkdf2(self._password, 8, 16)
src/derivepassphrase/exporter/vault_v03_and_below.py 301)         self._signing_key = self._pbkdf2(self._password, 16, 16)
src/derivepassphrase/exporter/vault_v03_and_below.py 302)         self._encryption_key_size = 8
src/derivepassphrase/exporter/vault_v03_and_below.py 303)         self._signing_key_size = 16
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 304) 
src/derivepassphrase/exporter/vault_v03_and_below.py 305)     def _hmac_input(self) -> bytes:
Marco Ricci Apply new ruff ruleset to c...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 306)         return base64.standard_b64encode(self._message)
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 307) 
src/derivepassphrase/exporter/vault_v03_and_below.py 308)     def _make_decryptor(self) -> ciphers.CipherContext:
Marco Ricci Rename vault v0.2/v0.3 clas...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 309)         def evp_bytestokey_md5_one_iteration_no_salt(
src/derivepassphrase/exporter/vault_v03_and_below.py 310)             data: bytes, key_size: int, iv_size: int
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 311)         ) -> tuple[bytes, bytes]:
src/derivepassphrase/exporter/vault_v03_and_below.py 312)             total_size = key_size + iv_size
src/derivepassphrase/exporter/vault_v03_and_below.py 313)             buffer = bytearray()
src/derivepassphrase/exporter/vault_v03_and_below.py 314)             last_block = b''
Marco Ricci Rename vault v0.2/v0.3 clas...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 315)             salt = b''
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 316)             logging.debug(
src/derivepassphrase/exporter/vault_v03_and_below.py 317)                 (
src/derivepassphrase/exporter/vault_v03_and_below.py 318)                     'data = %s, salt = %s, key_size = %s, iv_size = %s, '
src/derivepassphrase/exporter/vault_v03_and_below.py 319)                     'buffer length = %s, buffer = %s'
src/derivepassphrase/exporter/vault_v03_and_below.py 320)                 ),
src/derivepassphrase/exporter/vault_v03_and_below.py 321)                 _h(data),
src/derivepassphrase/exporter/vault_v03_and_below.py 322)                 _h(salt),
src/derivepassphrase/exporter/vault_v03_and_below.py 323)                 key_size,
src/derivepassphrase/exporter/vault_v03_and_below.py 324)                 iv_size,
src/derivepassphrase/exporter/vault_v03_and_below.py 325)                 len(buffer),
src/derivepassphrase/exporter/vault_v03_and_below.py 326)                 _h(buffer),
src/derivepassphrase/exporter/vault_v03_and_below.py 327)             )
src/derivepassphrase/exporter/vault_v03_and_below.py 328)             while len(buffer) < total_size:
src/derivepassphrase/exporter/vault_v03_and_below.py 329)                 with warnings.catch_warnings():
src/derivepassphrase/exporter/vault_v03_and_below.py 330)                     warnings.simplefilter(
src/derivepassphrase/exporter/vault_v03_and_below.py 331)                         'ignore', crypt_utils.CryptographyDeprecationWarning
src/derivepassphrase/exporter/vault_v03_and_below.py 332)                     )
Marco Ricci Apply new ruff ruleset to c...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 333)                     block = hashes.Hash(hashes.MD5())
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 334)                 block.update(last_block)
src/derivepassphrase/exporter/vault_v03_and_below.py 335)                 block.update(data)
src/derivepassphrase/exporter/vault_v03_and_below.py 336)                 block.update(salt)
src/derivepassphrase/exporter/vault_v03_and_below.py 337)                 last_block = block.finalize()
src/derivepassphrase/exporter/vault_v03_and_below.py 338)                 buffer.extend(last_block)
src/derivepassphrase/exporter/vault_v03_and_below.py 339)                 logging.debug(
src/derivepassphrase/exporter/vault_v03_and_below.py 340)                     'buffer length = %s, buffer = %s', len(buffer), _h(buffer)
src/derivepassphrase/exporter/vault_v03_and_below.py 341)                 )
src/derivepassphrase/exporter/vault_v03_and_below.py 342)             logging.debug(
src/derivepassphrase/exporter/vault_v03_and_below.py 343)                 'encryption_key = %s, iv = %s',
src/derivepassphrase/exporter/vault_v03_and_below.py 344)                 _h(buffer[:key_size]),
src/derivepassphrase/exporter/vault_v03_and_below.py 345)                 _h(buffer[key_size:total_size]),
src/derivepassphrase/exporter/vault_v03_and_below.py 346)             )
src/derivepassphrase/exporter/vault_v03_and_below.py 347)             return bytes(buffer[:key_size]), bytes(buffer[key_size:total_size])
src/derivepassphrase/exporter/vault_v03_and_below.py 348) 
Marco Ricci Apply new ruff ruleset to c...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 349)         data = base64.standard_b64encode(self._iv + self._encryption_key)
Marco Ricci Rename vault v0.2/v0.3 clas...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 350)         encryption_key, iv = evp_bytestokey_md5_one_iteration_no_salt(
src/derivepassphrase/exporter/vault_v03_and_below.py 351)             data, key_size=32, iv_size=16
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 352)         )
src/derivepassphrase/exporter/vault_v03_and_below.py 353)         return ciphers.Cipher(
src/derivepassphrase/exporter/vault_v03_and_below.py 354)             algorithms.AES256(encryption_key), modes.CBC(iv)
src/derivepassphrase/exporter/vault_v03_and_below.py 355)         ).decryptor()
src/derivepassphrase/exporter/vault_v03_and_below.py 356) 
src/derivepassphrase/exporter/vault_v03_and_below.py 357) 
src/derivepassphrase/exporter/vault_v03_and_below.py 358) if __name__ == '__main__':
src/derivepassphrase/exporter/vault_v03_and_below.py 359)     import os
src/derivepassphrase/exporter/vault_v03_and_below.py 360) 
src/derivepassphrase/exporter/vault_v03_and_below.py 361)     logging.basicConfig(level=('DEBUG' if os.getenv('DEBUG') else 'WARNING'))
Marco Ricci Move vault key and path det...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 362)     with open(exporter.get_vault_path(), 'rb') as infile:
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 363)         contents = base64.standard_b64decode(infile.read())
Marco Ricci Move vault key and path det...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 364)     password = exporter.get_vault_key()
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 365)     try:
Marco Ricci Rename vault v0.2/v0.3 clas...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 366)         config = VaultNativeV03ConfigParser(contents, password)()
Marco Ricci Add prototype for "vault v0...

Marco Ricci authored 1 month ago

src/derivepassphrase/exporter/vault_v03_and_below.py 367)     except ValueError:
Marco Ricci Rename vault v0.2/v0.3 clas...

Marco Ricci authored 2 weeks ago

src/derivepassphrase/exporter/vault_v03_and_below.py 368)         config = VaultNativeV02ConfigParser(contents, password)()