derivepassphrase.git

src/derivepassphrase/exporter/vault_native.py          1) # SPDX-FileCopyrightText: 2025 Marco Ricci <software@the13thletter.info>

src/derivepassphrase/exporter/vault_v03_and_below.py   2) #

src/derivepassphrase/exporter/vault_native.py          3) # SPDX-License-Identifier: Zlib

src/derivepassphrase/exporter/vault_v03_and_below.py   4) 

src/derivepassphrase/exporter/vault_native.py          5) """Exporter for the vault native configuration format (v0.2 or v0.3).
src/derivepassphrase/exporter/vault_native.py          6) 
src/derivepassphrase/exporter/vault_native.py          7) The vault native formats are the configuration formats used by vault
src/derivepassphrase/exporter/vault_native.py          8) v0.2 and v0.3.  The configuration is stored as a single encrypted file,
src/derivepassphrase/exporter/vault_native.py          9) which is encrypted and authenticated.  v0.2 and v0.3 differ in some
src/derivepassphrase/exporter/vault_native.py         10) details concerning key derivation and expected format of internal
src/derivepassphrase/exporter/vault_native.py         11) structures, so they are *not* compatible.  v0.2 additionally contains
src/derivepassphrase/exporter/vault_native.py         12) cryptographic weaknesses (API misuse of a key derivation function, and
src/derivepassphrase/exporter/vault_native.py         13) a low-entropy method of generating initialization vectors for CBC block
src/derivepassphrase/exporter/vault_native.py         14) encryption mode) and should thus be avoided if possible.
src/derivepassphrase/exporter/vault_native.py         15) 

src/derivepassphrase/exporter/vault_native.py         16) The public interface is the [`export_vault_native_data`][] function.
src/derivepassphrase/exporter/vault_native.py         17) Multiple *non-public* classes are additionally documented here for
src/derivepassphrase/exporter/vault_native.py         18) didactical and educational reasons, but they are not part of the module
src/derivepassphrase/exporter/vault_native.py         19) API, are subject to change without notice (including removal), and
src/derivepassphrase/exporter/vault_native.py         20) should *not* be used or relied on.

src/derivepassphrase/exporter/vault_native.py         21) 
src/derivepassphrase/exporter/vault_native.py         22) """

src/derivepassphrase/exporter/vault_v03_and_below.py  23) 
src/derivepassphrase/exporter/vault_v03_and_below.py  24) from __future__ import annotations
src/derivepassphrase/exporter/vault_v03_and_below.py  25) 
src/derivepassphrase/exporter/vault_v03_and_below.py  26) import abc
src/derivepassphrase/exporter/vault_v03_and_below.py  27) import base64
src/derivepassphrase/exporter/vault_v03_and_below.py  28) import json
src/derivepassphrase/exporter/vault_v03_and_below.py  29) import logging
src/derivepassphrase/exporter/vault_v03_and_below.py  30) import warnings

src/derivepassphrase/exporter/vault_v03_and_below.py  31) from typing import TYPE_CHECKING
src/derivepassphrase/exporter/vault_v03_and_below.py  32) 

src/derivepassphrase/exporter/vault_native.py         33) from derivepassphrase import _cli_msg as _msg

src/derivepassphrase/exporter/vault_v03_and_below.py  34) from derivepassphrase import exporter, vault
src/derivepassphrase/exporter/vault_v03_and_below.py  35) 
src/derivepassphrase/exporter/vault_v03_and_below.py  36) if TYPE_CHECKING:

src/derivepassphrase/exporter/vault_native.py         37)     from collections.abc import Sequence

src/derivepassphrase/exporter/vault_v03_and_below.py  38)     from typing import Any
src/derivepassphrase/exporter/vault_v03_and_below.py  39) 
src/derivepassphrase/exporter/vault_v03_and_below.py  40)     from typing_extensions import Buffer

src/derivepassphrase/exporter/vault_v03_and_below.py  41) 
src/derivepassphrase/exporter/vault_v03_and_below.py  42) if TYPE_CHECKING:
src/derivepassphrase/exporter/vault_v03_and_below.py  43)     from cryptography import exceptions as crypt_exceptions
src/derivepassphrase/exporter/vault_v03_and_below.py  44)     from cryptography import utils as crypt_utils
src/derivepassphrase/exporter/vault_v03_and_below.py  45)     from cryptography.hazmat.primitives import ciphers, hashes, hmac, padding
src/derivepassphrase/exporter/vault_v03_and_below.py  46)     from cryptography.hazmat.primitives.ciphers import algorithms, modes
src/derivepassphrase/exporter/vault_v03_and_below.py  47)     from cryptography.hazmat.primitives.kdf import pbkdf2
src/derivepassphrase/exporter/vault_v03_and_below.py  48) else:
src/derivepassphrase/exporter/vault_v03_and_below.py  49)     try:
src/derivepassphrase/exporter/vault_v03_and_below.py  50)         from cryptography import exceptions as crypt_exceptions
src/derivepassphrase/exporter/vault_v03_and_below.py  51)         from cryptography import utils as crypt_utils
src/derivepassphrase/exporter/vault_v03_and_below.py  52)         from cryptography.hazmat.primitives import (
src/derivepassphrase/exporter/vault_v03_and_below.py  53)             ciphers,
src/derivepassphrase/exporter/vault_v03_and_below.py  54)             hashes,
src/derivepassphrase/exporter/vault_v03_and_below.py  55)             hmac,
src/derivepassphrase/exporter/vault_v03_and_below.py  56)             padding,
src/derivepassphrase/exporter/vault_v03_and_below.py  57)         )
src/derivepassphrase/exporter/vault_v03_and_below.py  58)         from cryptography.hazmat.primitives.ciphers import algorithms, modes
src/derivepassphrase/exporter/vault_v03_and_below.py  59)         from cryptography.hazmat.primitives.kdf import pbkdf2
src/derivepassphrase/exporter/vault_v03_and_below.py  60)     except ModuleNotFoundError as exc:
src/derivepassphrase/exporter/vault_v03_and_below.py  61) 

src/derivepassphrase/exporter/vault_v03_and_below.py  62)         class _DummyModule:  # pragma: no cover

src/derivepassphrase/exporter/vault_v03_and_below.py  63)             def __init__(self, exc: type[Exception]) -> None:
src/derivepassphrase/exporter/vault_v03_and_below.py  64)                 self.exc = exc
src/derivepassphrase/exporter/vault_v03_and_below.py  65) 

src/derivepassphrase/exporter/vault_v03_and_below.py  66)             def __getattr__(self, name: str) -> Any:  # noqa: ANN401
src/derivepassphrase/exporter/vault_v03_and_below.py  67)                 def func(*args: Any, **kwargs: Any) -> Any:  # noqa: ANN401,ARG001

src/derivepassphrase/exporter/vault_v03_and_below.py  68)                     raise self.exc
src/derivepassphrase/exporter/vault_v03_and_below.py  69) 
src/derivepassphrase/exporter/vault_v03_and_below.py  70)                 return func
src/derivepassphrase/exporter/vault_v03_and_below.py  71) 

src/derivepassphrase/exporter/vault_v03_and_below.py  72)         crypt_exceptions = crypt_utils = _DummyModule(exc)
src/derivepassphrase/exporter/vault_v03_and_below.py  73)         ciphers = hashes = hmac = padding = _DummyModule(exc)
src/derivepassphrase/exporter/vault_v03_and_below.py  74)         algorithms = modes = pbkdf2 = _DummyModule(exc)

src/derivepassphrase/exporter/vault_v03_and_below.py  75)         STUBBED = True
src/derivepassphrase/exporter/vault_v03_and_below.py  76)     else:
src/derivepassphrase/exporter/vault_v03_and_below.py  77)         STUBBED = False

src/derivepassphrase/exporter/vault_v03_and_below.py  78) 

src/derivepassphrase/exporter/vault_native.py         79) __all__ = ('export_vault_native_data',)
src/derivepassphrase/exporter/vault_native.py         80) 

src/derivepassphrase/exporter/vault_v03_and_below.py  81) logger = logging.getLogger(__name__)
src/derivepassphrase/exporter/vault_v03_and_below.py  82) 
src/derivepassphrase/exporter/vault_v03_and_below.py  83) 

src/derivepassphrase/exporter/vault_native.py         84) def _h(bs: Buffer) -> str:
src/derivepassphrase/exporter/vault_native.py         85)     return '<{}>'.format(memoryview(bs).hex(' '))

src/derivepassphrase/exporter/vault_v03_and_below.py  86) 
src/derivepassphrase/exporter/vault_v03_and_below.py  87) 

src/derivepassphrase/exporter/vault_v03_and_below.py  88) class VaultNativeConfigParser(abc.ABC):

src/derivepassphrase/exporter/vault_v03_and_below.py  89)     """A base parser for vault's native configuration format.
src/derivepassphrase/exporter/vault_v03_and_below.py  90) 
src/derivepassphrase/exporter/vault_v03_and_below.py  91)     Certain details are specific to the respective vault versions, and
src/derivepassphrase/exporter/vault_v03_and_below.py  92)     are abstracted out.  This class by itself is not instantiable
src/derivepassphrase/exporter/vault_v03_and_below.py  93)     because of this.
src/derivepassphrase/exporter/vault_v03_and_below.py  94) 
src/derivepassphrase/exporter/vault_v03_and_below.py  95)     """
src/derivepassphrase/exporter/vault_v03_and_below.py  96) 

src/derivepassphrase/exporter/vault_v03_and_below.py  97)     def __init__(self, contents: Buffer, password: str | Buffer) -> None:

src/derivepassphrase/exporter/vault_v03_and_below.py  98)         """Initialize the parser.
src/derivepassphrase/exporter/vault_v03_and_below.py  99) 
src/derivepassphrase/exporter/vault_v03_and_below.py 100)         Args:
src/derivepassphrase/exporter/vault_v03_and_below.py 101)             contents:
src/derivepassphrase/exporter/vault_v03_and_below.py 102)                 The binary contents of the encrypted configuration file.
src/derivepassphrase/exporter/vault_v03_and_below.py 103) 
src/derivepassphrase/exporter/vault_v03_and_below.py 104)                 Note: On disk, these are usually stored in
src/derivepassphrase/exporter/vault_v03_and_below.py 105)                 base64-encoded form, not in the "raw" form as needed
src/derivepassphrase/exporter/vault_v03_and_below.py 106)                 here.
src/derivepassphrase/exporter/vault_v03_and_below.py 107) 
src/derivepassphrase/exporter/vault_v03_and_below.py 108)             password:
src/derivepassphrase/exporter/vault_v03_and_below.py 109)                 The vault master key/master passphrase the file is
src/derivepassphrase/exporter/vault_v03_and_below.py 110)                 encrypted with.  Must be non-empty.  See

src/derivepassphrase/exporter/vault_native.py        111)                 [`exporter.get_vault_key`][] for details.

src/derivepassphrase/exporter/vault_v03_and_below.py 112) 
src/derivepassphrase/exporter/vault_v03_and_below.py 113)                 If this is a text string, then the UTF-8 encoding of the
src/derivepassphrase/exporter/vault_v03_and_below.py 114)                 string is used as the binary password.
src/derivepassphrase/exporter/vault_v03_and_below.py 115) 

src/derivepassphrase/exporter/vault_native.py        116)         Raises:
src/derivepassphrase/exporter/vault_native.py        117)             ValueError:
src/derivepassphrase/exporter/vault_native.py        118)                 The password must not be empty.
src/derivepassphrase/exporter/vault_native.py        119) 

src/derivepassphrase/exporter/vault_native.py        120)         Warning:
src/derivepassphrase/exporter/vault_native.py        121)             Non-public class, provided for didactical and educational
src/derivepassphrase/exporter/vault_native.py        122)             purposes only. Subject to change without notice, including
src/derivepassphrase/exporter/vault_native.py        123)             removal.
src/derivepassphrase/exporter/vault_native.py        124) 

src/derivepassphrase/exporter/vault_v03_and_below.py 125)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 126)         if not password:

src/derivepassphrase/exporter/vault_v03_and_below.py 127)             msg = 'Password must not be empty'

src/derivepassphrase/exporter/vault_native.py        128)             raise ValueError(msg)

src/derivepassphrase/exporter/vault_v03_and_below.py 129)         self._contents = bytes(contents)

src/derivepassphrase/exporter/vault_v03_and_below.py 130)         self._iv_size = 0
src/derivepassphrase/exporter/vault_v03_and_below.py 131)         self._mac_size = 0
src/derivepassphrase/exporter/vault_v03_and_below.py 132)         self._encryption_key = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 133)         self._encryption_key_size = 0
src/derivepassphrase/exporter/vault_v03_and_below.py 134)         self._signing_key = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 135)         self._signing_key_size = 0
src/derivepassphrase/exporter/vault_v03_and_below.py 136)         self._message = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 137)         self._message_tag = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 138)         self._iv = b''
src/derivepassphrase/exporter/vault_v03_and_below.py 139)         self._payload = b''

src/derivepassphrase/exporter/vault_v03_and_below.py 140)         self._password = password
src/derivepassphrase/exporter/vault_v03_and_below.py 141)         self._sentinel: object = object()
src/derivepassphrase/exporter/vault_v03_and_below.py 142)         self._data: Any = self._sentinel
src/derivepassphrase/exporter/vault_v03_and_below.py 143) 

src/derivepassphrase/exporter/vault_v03_and_below.py 144)     def __call__(self) -> Any:  # noqa: ANN401
src/derivepassphrase/exporter/vault_v03_and_below.py 145)         """Return the decrypted and parsed vault configuration.
src/derivepassphrase/exporter/vault_v03_and_below.py 146) 
src/derivepassphrase/exporter/vault_v03_and_below.py 147)         Raises:
src/derivepassphrase/exporter/vault_v03_and_below.py 148)             cryptography.exceptions.InvalidSignature:
src/derivepassphrase/exporter/vault_v03_and_below.py 149)                 The encrypted configuration does not contain a valid
src/derivepassphrase/exporter/vault_v03_and_below.py 150)                 signature.
src/derivepassphrase/exporter/vault_v03_and_below.py 151)             ValueError:
src/derivepassphrase/exporter/vault_v03_and_below.py 152)                 The format is invalid, in a non-cryptographic way.  (For
src/derivepassphrase/exporter/vault_v03_and_below.py 153)                 example, it contains an unsupported version marker, or
src/derivepassphrase/exporter/vault_v03_and_below.py 154)                 unexpected extra contents, or invalid padding.)
src/derivepassphrase/exporter/vault_v03_and_below.py 155) 
src/derivepassphrase/exporter/vault_v03_and_below.py 156)         """

src/derivepassphrase/exporter/vault_v03_and_below.py 157)         if self._data is self._sentinel:
src/derivepassphrase/exporter/vault_v03_and_below.py 158)             self._parse_contents()
src/derivepassphrase/exporter/vault_v03_and_below.py 159)             self._derive_keys()
src/derivepassphrase/exporter/vault_v03_and_below.py 160)             self._check_signature()
src/derivepassphrase/exporter/vault_v03_and_below.py 161)             self._data = self._decrypt_payload()

src/derivepassphrase/exporter/vault_v03_and_below.py 162)         return self._data
src/derivepassphrase/exporter/vault_v03_and_below.py 163) 
src/derivepassphrase/exporter/vault_v03_and_below.py 164)     @staticmethod

src/derivepassphrase/exporter/vault_v03_and_below.py 165)     def _pbkdf2(

src/derivepassphrase/exporter/vault_v03_and_below.py 166)         password: str | Buffer, key_size: int, iterations: int

src/derivepassphrase/exporter/vault_v03_and_below.py 167)     ) -> bytes:
src/derivepassphrase/exporter/vault_v03_and_below.py 168)         if isinstance(password, str):
src/derivepassphrase/exporter/vault_v03_and_below.py 169)             password = password.encode('utf-8')
src/derivepassphrase/exporter/vault_v03_and_below.py 170)         raw_key = pbkdf2.PBKDF2HMAC(

src/derivepassphrase/exporter/vault_v03_and_below.py 171)             algorithm=hashes.SHA1(),

src/derivepassphrase/exporter/vault_v03_and_below.py 172)             length=key_size // 2,
src/derivepassphrase/exporter/vault_v03_and_below.py 173)             salt=vault.Vault._UUID,  # noqa: SLF001
src/derivepassphrase/exporter/vault_v03_and_below.py 174)             iterations=iterations,

src/derivepassphrase/exporter/vault_v03_and_below.py 175)         ).derive(bytes(password))

src/derivepassphrase/exporter/vault_native.py        176)         result_key = raw_key.hex().lower().encode('ASCII')

src/derivepassphrase/exporter/vault_v03_and_below.py 177)         logger.debug(

src/derivepassphrase/exporter/vault_native.py        178)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        179)                 _msg.DebugMsgTemplate.VAULT_NATIVE_PBKDF2_CALL,
src/derivepassphrase/exporter/vault_native.py        180)                 password=password,
src/derivepassphrase/exporter/vault_native.py        181)                 salt=vault.Vault._UUID,  # noqa: SLF001
src/derivepassphrase/exporter/vault_native.py        182)                 iterations=iterations,
src/derivepassphrase/exporter/vault_native.py        183)                 key_size=key_size // 2,
src/derivepassphrase/exporter/vault_native.py        184)                 algorithm='sha1',
src/derivepassphrase/exporter/vault_native.py        185)                 raw_result=raw_key,
src/derivepassphrase/exporter/vault_native.py        186)                 result_key=result_key.decode('ASCII'),
src/derivepassphrase/exporter/vault_native.py        187)             ),

src/derivepassphrase/exporter/vault_v03_and_below.py 188)         )

src/derivepassphrase/exporter/vault_native.py        189)         return result_key

src/derivepassphrase/exporter/vault_v03_and_below.py 190) 
src/derivepassphrase/exporter/vault_v03_and_below.py 191)     def _parse_contents(self) -> None:

src/derivepassphrase/exporter/vault_native.py        192)         logger.info(
src/derivepassphrase/exporter/vault_native.py        193)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        194)                 _msg.InfoMsgTemplate.VAULT_NATIVE_PARSING_IV_PAYLOAD_MAC,
src/derivepassphrase/exporter/vault_native.py        195)             ),
src/derivepassphrase/exporter/vault_native.py        196)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 197) 

src/derivepassphrase/exporter/vault_v03_and_below.py 198)         if len(self._contents) < self._iv_size + 16 + self._mac_size:

src/derivepassphrase/exporter/vault_v03_and_below.py 199)             msg = 'Invalid vault configuration file: file is truncated'

src/derivepassphrase/exporter/vault_v03_and_below.py 200)             raise ValueError(msg)
src/derivepassphrase/exporter/vault_v03_and_below.py 201) 

src/derivepassphrase/exporter/vault_v03_and_below.py 202)         def cut(buffer: bytes, cutpoint: int) -> tuple[bytes, bytes]:
src/derivepassphrase/exporter/vault_v03_and_below.py 203)             return buffer[:cutpoint], buffer[cutpoint:]
src/derivepassphrase/exporter/vault_v03_and_below.py 204) 

src/derivepassphrase/exporter/vault_v03_and_below.py 205)         cutpos1 = len(self._contents) - self._mac_size
src/derivepassphrase/exporter/vault_v03_and_below.py 206)         cutpos2 = self._iv_size

src/derivepassphrase/exporter/vault_v03_and_below.py 207) 

src/derivepassphrase/exporter/vault_v03_and_below.py 208)         self._message, self._message_tag = cut(self._contents, cutpos1)
src/derivepassphrase/exporter/vault_v03_and_below.py 209)         self._iv, self._payload = cut(self._message, cutpos2)

src/derivepassphrase/exporter/vault_v03_and_below.py 210) 
src/derivepassphrase/exporter/vault_v03_and_below.py 211)         logger.debug(

src/derivepassphrase/exporter/vault_native.py        212)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        213)                 _msg.DebugMsgTemplate.VAULT_NATIVE_PARSE_BUFFER,
src/derivepassphrase/exporter/vault_native.py        214)                 contents=_h(self._contents),
src/derivepassphrase/exporter/vault_native.py        215)                 iv=_h(self._iv),
src/derivepassphrase/exporter/vault_native.py        216)                 payload=_h(self._payload),
src/derivepassphrase/exporter/vault_native.py        217)                 mac=_h(self._message_tag),
src/derivepassphrase/exporter/vault_native.py        218)             ),

src/derivepassphrase/exporter/vault_v03_and_below.py 219)         )
src/derivepassphrase/exporter/vault_v03_and_below.py 220) 
src/derivepassphrase/exporter/vault_v03_and_below.py 221)     def _derive_keys(self) -> None:

src/derivepassphrase/exporter/vault_native.py        222)         logger.info(
src/derivepassphrase/exporter/vault_native.py        223)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        224)                 _msg.InfoMsgTemplate.VAULT_NATIVE_DERIVING_KEYS,
src/derivepassphrase/exporter/vault_native.py        225)             ),
src/derivepassphrase/exporter/vault_native.py        226)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 227)         self._generate_keys()

src/derivepassphrase/exporter/vault_native.py        228)         assert len(self._encryption_key) == self._encryption_key_size, (
src/derivepassphrase/exporter/vault_native.py        229)             'Derived encryption key is invalid'
src/derivepassphrase/exporter/vault_native.py        230)         )
src/derivepassphrase/exporter/vault_native.py        231)         assert len(self._signing_key) == self._signing_key_size, (
src/derivepassphrase/exporter/vault_native.py        232)             'Derived signing key is invalid'
src/derivepassphrase/exporter/vault_native.py        233)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 234) 
src/derivepassphrase/exporter/vault_v03_and_below.py 235)     @abc.abstractmethod
src/derivepassphrase/exporter/vault_v03_and_below.py 236)     def _generate_keys(self) -> None:
src/derivepassphrase/exporter/vault_v03_and_below.py 237)         raise AssertionError
src/derivepassphrase/exporter/vault_v03_and_below.py 238) 
src/derivepassphrase/exporter/vault_v03_and_below.py 239)     def _check_signature(self) -> None:

src/derivepassphrase/exporter/vault_native.py        240)         logger.info(
src/derivepassphrase/exporter/vault_native.py        241)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        242)                 _msg.InfoMsgTemplate.VAULT_NATIVE_CHECKING_MAC,
src/derivepassphrase/exporter/vault_native.py        243)             ),
src/derivepassphrase/exporter/vault_native.py        244)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 245)         mac = hmac.HMAC(self._signing_key, hashes.SHA256())

src/derivepassphrase/exporter/vault_v03_and_below.py 246)         mac_input = self._hmac_input()
src/derivepassphrase/exporter/vault_v03_and_below.py 247)         logger.debug(

src/derivepassphrase/exporter/vault_native.py        248)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        249)                 _msg.DebugMsgTemplate.VAULT_NATIVE_CHECKING_MAC_DETAILS,
src/derivepassphrase/exporter/vault_native.py        250)                 mac_input=_h(mac_input),
src/derivepassphrase/exporter/vault_native.py        251)                 mac=_h(self._message_tag),
src/derivepassphrase/exporter/vault_native.py        252)             ),

src/derivepassphrase/exporter/vault_v03_and_below.py 253)         )
src/derivepassphrase/exporter/vault_v03_and_below.py 254)         mac.update(mac_input)
src/derivepassphrase/exporter/vault_v03_and_below.py 255)         try:

src/derivepassphrase/exporter/vault_v03_and_below.py 256)             mac.verify(self._message_tag)

src/derivepassphrase/exporter/vault_v03_and_below.py 257)         except crypt_exceptions.InvalidSignature:

src/derivepassphrase/exporter/vault_v03_and_below.py 258)             msg = 'File does not contain a valid signature'

src/derivepassphrase/exporter/vault_v03_and_below.py 259)             raise ValueError(msg) from None
src/derivepassphrase/exporter/vault_v03_and_below.py 260) 
src/derivepassphrase/exporter/vault_v03_and_below.py 261)     @abc.abstractmethod
src/derivepassphrase/exporter/vault_v03_and_below.py 262)     def _hmac_input(self) -> bytes:
src/derivepassphrase/exporter/vault_v03_and_below.py 263)         raise AssertionError
src/derivepassphrase/exporter/vault_v03_and_below.py 264) 

src/derivepassphrase/exporter/vault_v03_and_below.py 265)     def _decrypt_payload(self) -> Any:  # noqa: ANN401

src/derivepassphrase/exporter/vault_native.py        266)         logger.info(
src/derivepassphrase/exporter/vault_native.py        267)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        268)                 _msg.InfoMsgTemplate.VAULT_NATIVE_DECRYPTING_CONTENTS,
src/derivepassphrase/exporter/vault_native.py        269)             ),
src/derivepassphrase/exporter/vault_native.py        270)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 271)         decryptor = self._make_decryptor()
src/derivepassphrase/exporter/vault_v03_and_below.py 272)         padded_plaintext = bytearray()

src/derivepassphrase/exporter/vault_v03_and_below.py 273)         padded_plaintext.extend(decryptor.update(self._payload))

src/derivepassphrase/exporter/vault_v03_and_below.py 274)         padded_plaintext.extend(decryptor.finalize())

src/derivepassphrase/exporter/vault_native.py        275)         logger.debug(
src/derivepassphrase/exporter/vault_native.py        276)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        277)                 _msg.DebugMsgTemplate.VAULT_NATIVE_PADDED_PLAINTEXT,
src/derivepassphrase/exporter/vault_native.py        278)                 contents=_h(padded_plaintext),
src/derivepassphrase/exporter/vault_native.py        279)             ),
src/derivepassphrase/exporter/vault_native.py        280)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 281)         unpadder = padding.PKCS7(self._iv_size * 8).unpadder()

src/derivepassphrase/exporter/vault_v03_and_below.py 282)         plaintext = bytearray()
src/derivepassphrase/exporter/vault_v03_and_below.py 283)         plaintext.extend(unpadder.update(padded_plaintext))
src/derivepassphrase/exporter/vault_v03_and_below.py 284)         plaintext.extend(unpadder.finalize())

src/derivepassphrase/exporter/vault_native.py        285)         logger.debug(
src/derivepassphrase/exporter/vault_native.py        286)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        287)                 _msg.DebugMsgTemplate.VAULT_NATIVE_PLAINTEXT,
src/derivepassphrase/exporter/vault_native.py        288)                 contents=_h(plaintext),
src/derivepassphrase/exporter/vault_native.py        289)             ),
src/derivepassphrase/exporter/vault_native.py        290)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 291)         return json.loads(plaintext)

src/derivepassphrase/exporter/vault_v03_and_below.py 292) 
src/derivepassphrase/exporter/vault_v03_and_below.py 293)     @abc.abstractmethod
src/derivepassphrase/exporter/vault_v03_and_below.py 294)     def _make_decryptor(self) -> ciphers.CipherContext:
src/derivepassphrase/exporter/vault_v03_and_below.py 295)         raise AssertionError
src/derivepassphrase/exporter/vault_v03_and_below.py 296) 
src/derivepassphrase/exporter/vault_v03_and_below.py 297) 

src/derivepassphrase/exporter/vault_v03_and_below.py 298) class VaultNativeV03ConfigParser(VaultNativeConfigParser):

src/derivepassphrase/exporter/vault_v03_and_below.py 299)     """A parser for vault's native configuration format (v0.3).
src/derivepassphrase/exporter/vault_v03_and_below.py 300) 
src/derivepassphrase/exporter/vault_v03_and_below.py 301)     This is the modern, pre-storeroom configuration format.
src/derivepassphrase/exporter/vault_v03_and_below.py 302) 

src/derivepassphrase/exporter/vault_native.py        303)     Warning:
src/derivepassphrase/exporter/vault_native.py        304)         Non-public class, provided for didactical and educational
src/derivepassphrase/exporter/vault_native.py        305)         purposes only. Subject to change without notice, including
src/derivepassphrase/exporter/vault_native.py        306)         removal.
src/derivepassphrase/exporter/vault_native.py        307) 

src/derivepassphrase/exporter/vault_v03_and_below.py 308)     """
src/derivepassphrase/exporter/vault_v03_and_below.py 309) 

src/derivepassphrase/exporter/vault_v03_and_below.py 310)     KEY_SIZE = 32
src/derivepassphrase/exporter/vault_v03_and_below.py 311) 

src/derivepassphrase/exporter/vault_native.py        312)     def __init__(self, *args: Any, **kwargs: Any) -> None:  # noqa: ANN401

src/derivepassphrase/exporter/vault_v03_and_below.py 313)         super().__init__(*args, **kwargs)

src/derivepassphrase/exporter/vault_v03_and_below.py 314)         self._iv_size = 16
src/derivepassphrase/exporter/vault_v03_and_below.py 315)         self._mac_size = 32

src/derivepassphrase/exporter/vault_v03_and_below.py 316) 
src/derivepassphrase/exporter/vault_v03_and_below.py 317)     def _generate_keys(self) -> None:

src/derivepassphrase/exporter/vault_v03_and_below.py 318)         self._encryption_key = self._pbkdf2(self._password, self.KEY_SIZE, 100)
src/derivepassphrase/exporter/vault_v03_and_below.py 319)         self._signing_key = self._pbkdf2(self._password, self.KEY_SIZE, 200)
src/derivepassphrase/exporter/vault_v03_and_below.py 320)         self._encryption_key_size = self._signing_key_size = self.KEY_SIZE

src/derivepassphrase/exporter/vault_v03_and_below.py 321) 
src/derivepassphrase/exporter/vault_v03_and_below.py 322)     def _hmac_input(self) -> bytes:

src/derivepassphrase/exporter/vault_v03_and_below.py 323)         return self._message.hex().lower().encode('ASCII')

src/derivepassphrase/exporter/vault_v03_and_below.py 324) 
src/derivepassphrase/exporter/vault_v03_and_below.py 325)     def _make_decryptor(self) -> ciphers.CipherContext:
src/derivepassphrase/exporter/vault_v03_and_below.py 326)         return ciphers.Cipher(

src/derivepassphrase/exporter/vault_v03_and_below.py 327)             algorithms.AES256(self._encryption_key), modes.CBC(self._iv)

src/derivepassphrase/exporter/vault_v03_and_below.py 328)         ).decryptor()
src/derivepassphrase/exporter/vault_v03_and_below.py 329) 
src/derivepassphrase/exporter/vault_v03_and_below.py 330) 

src/derivepassphrase/exporter/vault_v03_and_below.py 331) class VaultNativeV02ConfigParser(VaultNativeConfigParser):

src/derivepassphrase/exporter/vault_v03_and_below.py 332)     """A parser for vault's native configuration format (v0.2).
src/derivepassphrase/exporter/vault_v03_and_below.py 333) 
src/derivepassphrase/exporter/vault_v03_and_below.py 334)     This is the classic configuration format.  Compared to v0.3, it
src/derivepassphrase/exporter/vault_v03_and_below.py 335)     contains an (accidental) API misuse for the generation of the master
src/derivepassphrase/exporter/vault_v03_and_below.py 336)     keys, a low-entropy method of generating initialization vectors for
src/derivepassphrase/exporter/vault_v03_and_below.py 337)     the AES-CBC encryption step, and extra layers of base64 encoding.
src/derivepassphrase/exporter/vault_v03_and_below.py 338)     Because of these significantly weakened confidentiality guarantees,
src/derivepassphrase/exporter/vault_v03_and_below.py 339)     v0.2 configurations should be upgraded to at least v0.3 as soon as
src/derivepassphrase/exporter/vault_v03_and_below.py 340)     possible.

src/derivepassphrase/exporter/vault_v03_and_below.py 341) 

src/derivepassphrase/exporter/vault_native.py        342)     Warning:
src/derivepassphrase/exporter/vault_native.py        343)         Non-public class, provided for didactical and educational
src/derivepassphrase/exporter/vault_native.py        344)         purposes only. Subject to change without notice, including
src/derivepassphrase/exporter/vault_native.py        345)         removal.
src/derivepassphrase/exporter/vault_native.py        346) 

src/derivepassphrase/exporter/vault_v03_and_below.py 347)     """
src/derivepassphrase/exporter/vault_v03_and_below.py 348) 

src/derivepassphrase/exporter/vault_native.py        349)     def __init__(self, *args: Any, **kwargs: Any) -> None:  # noqa: ANN401

src/derivepassphrase/exporter/vault_v03_and_below.py 350)         super().__init__(*args, **kwargs)

src/derivepassphrase/exporter/vault_v03_and_below.py 351)         self._iv_size = 16
src/derivepassphrase/exporter/vault_v03_and_below.py 352)         self._mac_size = 64

src/derivepassphrase/exporter/vault_v03_and_below.py 353) 
src/derivepassphrase/exporter/vault_v03_and_below.py 354)     def _parse_contents(self) -> None:
src/derivepassphrase/exporter/vault_v03_and_below.py 355)         super()._parse_contents()

src/derivepassphrase/exporter/vault_v03_and_below.py 356)         self._payload = base64.standard_b64decode(self._payload)
src/derivepassphrase/exporter/vault_v03_and_below.py 357)         self._message_tag = bytes.fromhex(self._message_tag.decode('ASCII'))

src/derivepassphrase/exporter/vault_native.py        358)         logger.debug(
src/derivepassphrase/exporter/vault_native.py        359)             _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        360)                 _msg.DebugMsgTemplate.VAULT_NATIVE_V02_PAYLOAD_MAC_POSTPROCESSING,
src/derivepassphrase/exporter/vault_native.py        361)                 payload=_h(self._payload),
src/derivepassphrase/exporter/vault_native.py        362)                 mac=_h(self._message_tag),
src/derivepassphrase/exporter/vault_native.py        363)             ),
src/derivepassphrase/exporter/vault_native.py        364)         )

src/derivepassphrase/exporter/vault_v03_and_below.py 365) 
src/derivepassphrase/exporter/vault_v03_and_below.py 366)     def _generate_keys(self) -> None:

src/derivepassphrase/exporter/vault_v03_and_below.py 367)         self._encryption_key = self._pbkdf2(self._password, 8, 16)
src/derivepassphrase/exporter/vault_v03_and_below.py 368)         self._signing_key = self._pbkdf2(self._password, 16, 16)
src/derivepassphrase/exporter/vault_v03_and_below.py 369)         self._encryption_key_size = 8
src/derivepassphrase/exporter/vault_v03_and_below.py 370)         self._signing_key_size = 16

src/derivepassphrase/exporter/vault_v03_and_below.py 371) 
src/derivepassphrase/exporter/vault_v03_and_below.py 372)     def _hmac_input(self) -> bytes:

src/derivepassphrase/exporter/vault_v03_and_below.py 373)         return base64.standard_b64encode(self._message)

src/derivepassphrase/exporter/vault_v03_and_below.py 374) 
src/derivepassphrase/exporter/vault_v03_and_below.py 375)     def _make_decryptor(self) -> ciphers.CipherContext:

src/derivepassphrase/exporter/vault_v03_and_below.py 376)         def evp_bytestokey_md5_one_iteration_no_salt(
src/derivepassphrase/exporter/vault_v03_and_below.py 377)             data: bytes, key_size: int, iv_size: int

src/derivepassphrase/exporter/vault_v03_and_below.py 378)         ) -> tuple[bytes, bytes]:
src/derivepassphrase/exporter/vault_v03_and_below.py 379)             total_size = key_size + iv_size
src/derivepassphrase/exporter/vault_v03_and_below.py 380)             buffer = bytearray()
src/derivepassphrase/exporter/vault_v03_and_below.py 381)             last_block = b''

src/derivepassphrase/exporter/vault_v03_and_below.py 382)             salt = b''

src/derivepassphrase/exporter/vault_native.py        383)             logger.debug(

src/derivepassphrase/exporter/vault_native.py        384)                 _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        385)                     _msg.DebugMsgTemplate.VAULT_NATIVE_EVP_BYTESTOKEY_INIT,
src/derivepassphrase/exporter/vault_native.py        386)                     data=_h(data),
src/derivepassphrase/exporter/vault_native.py        387)                     salt=_h(salt),
src/derivepassphrase/exporter/vault_native.py        388)                     key_size=key_size,
src/derivepassphrase/exporter/vault_native.py        389)                     iv_size=iv_size,
src/derivepassphrase/exporter/vault_native.py        390)                     buffer_length=len(buffer),
src/derivepassphrase/exporter/vault_native.py        391)                     buffer=_h(buffer),

src/derivepassphrase/exporter/vault_v03_and_below.py 392)                 ),
src/derivepassphrase/exporter/vault_v03_and_below.py 393)             )
src/derivepassphrase/exporter/vault_v03_and_below.py 394)             while len(buffer) < total_size:
src/derivepassphrase/exporter/vault_v03_and_below.py 395)                 with warnings.catch_warnings():
src/derivepassphrase/exporter/vault_v03_and_below.py 396)                     warnings.simplefilter(
src/derivepassphrase/exporter/vault_v03_and_below.py 397)                         'ignore', crypt_utils.CryptographyDeprecationWarning
src/derivepassphrase/exporter/vault_v03_and_below.py 398)                     )

src/derivepassphrase/exporter/vault_v03_and_below.py 399)                     block = hashes.Hash(hashes.MD5())

src/derivepassphrase/exporter/vault_v03_and_below.py 400)                 block.update(last_block)
src/derivepassphrase/exporter/vault_v03_and_below.py 401)                 block.update(data)
src/derivepassphrase/exporter/vault_v03_and_below.py 402)                 block.update(salt)
src/derivepassphrase/exporter/vault_v03_and_below.py 403)                 last_block = block.finalize()
src/derivepassphrase/exporter/vault_v03_and_below.py 404)                 buffer.extend(last_block)

src/derivepassphrase/exporter/vault_native.py        405)                 logger.debug(

src/derivepassphrase/exporter/vault_native.py        406)                     _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        407)                         _msg.DebugMsgTemplate.VAULT_NATIVE_EVP_BYTESTOKEY_ROUND,
src/derivepassphrase/exporter/vault_native.py        408)                         buffer_length=len(buffer),
src/derivepassphrase/exporter/vault_native.py        409)                         buffer=_h(buffer),
src/derivepassphrase/exporter/vault_native.py        410)                     ),

src/derivepassphrase/exporter/vault_v03_and_below.py 411)                 )

src/derivepassphrase/exporter/vault_native.py        412)             logger.debug(

src/derivepassphrase/exporter/vault_native.py        413)                 _msg.TranslatedString(
src/derivepassphrase/exporter/vault_native.py        414)                     _msg.DebugMsgTemplate.VAULT_NATIVE_EVP_BYTESTOKEY_RESULT,
src/derivepassphrase/exporter/vault_native.py        415)                     enc_key=_h(buffer[:key_size]),
src/derivepassphrase/exporter/vault_native.py        416)                     iv=_h(buffer[key_size:total_size]),
src/derivepassphrase/exporter/vault_native.py        417)                 ),

src/derivepassphrase/exporter/vault_v03_and_below.py 418)             )
src/derivepassphrase/exporter/vault_v03_and_below.py 419)             return bytes(buffer[:key_size]), bytes(buffer[key_size:total_size])
src/derivepassphrase/exporter/vault_v03_and_below.py 420) 

src/derivepassphrase/exporter/vault_v03_and_below.py 421)         data = base64.standard_b64encode(self._iv + self._encryption_key)

src/derivepassphrase/exporter/vault_v03_and_below.py 422)         encryption_key, iv = evp_bytestokey_md5_one_iteration_no_salt(
src/derivepassphrase/exporter/vault_v03_and_below.py 423)             data, key_size=32, iv_size=16

src/derivepassphrase/exporter/vault_v03_and_below.py 424)         )
src/derivepassphrase/exporter/vault_v03_and_below.py 425)         return ciphers.Cipher(
src/derivepassphrase/exporter/vault_v03_and_below.py 426)             algorithms.AES256(encryption_key), modes.CBC(iv)
src/derivepassphrase/exporter/vault_v03_and_below.py 427)         ).decryptor()
src/derivepassphrase/exporter/vault_v03_and_below.py 428) 
src/derivepassphrase/exporter/vault_v03_and_below.py 429) 

src/derivepassphrase/exporter/vault_native.py        430) def export_vault_native_data(
src/derivepassphrase/exporter/vault_native.py        431)     contents: Buffer | None = None,
src/derivepassphrase/exporter/vault_native.py        432)     key: str | Buffer | None = None,
src/derivepassphrase/exporter/vault_native.py        433)     *,
src/derivepassphrase/exporter/vault_native.py        434)     try_formats: Sequence[str] = ('v0.3', 'v0.2'),
src/derivepassphrase/exporter/vault_native.py        435) ) -> Any:  # noqa: ANN401
src/derivepassphrase/exporter/vault_native.py        436)     """Export the full configuration stored in vault native format.
src/derivepassphrase/exporter/vault_native.py        437) 
src/derivepassphrase/exporter/vault_native.py        438)     Args:
src/derivepassphrase/exporter/vault_native.py        439)         contents:
src/derivepassphrase/exporter/vault_native.py        440)             The binary encrypted contents of the vault configuration
src/derivepassphrase/exporter/vault_native.py        441)             file.  If not given, then query

src/derivepassphrase/exporter/vault_native.py        442)             [`exporter.get_vault_path`][] for the correct filename and
src/derivepassphrase/exporter/vault_native.py        443)             read the contents from there.

src/derivepassphrase/exporter/vault_native.py        444) 
src/derivepassphrase/exporter/vault_native.py        445)             Note: On disk, these are usually stored in base64-encoded
src/derivepassphrase/exporter/vault_native.py        446)             form, not in the "raw" form as needed here.
src/derivepassphrase/exporter/vault_native.py        447)         key:
src/derivepassphrase/exporter/vault_native.py        448)             Encryption key/password for the configuration file, usually
src/derivepassphrase/exporter/vault_native.py        449)             the username, or passed via the `VAULT_KEY` environment
src/derivepassphrase/exporter/vault_native.py        450)             variable.  If not given, then query

src/derivepassphrase/exporter/vault_native.py        451)             [`exporter.get_vault_key`][] for the value.

src/derivepassphrase/exporter/vault_native.py        452)         try_formats:
src/derivepassphrase/exporter/vault_native.py        453)             A sequence of formats to try out, in order.  Each key must
src/derivepassphrase/exporter/vault_native.py        454)             be one of `v0.2` or `v0.3`.
src/derivepassphrase/exporter/vault_native.py        455) 
src/derivepassphrase/exporter/vault_native.py        456)     Returns:
src/derivepassphrase/exporter/vault_native.py        457)         The vault configuration, as recorded in the configuration file.
src/derivepassphrase/exporter/vault_native.py        458) 
src/derivepassphrase/exporter/vault_native.py        459)         This may or may not be a valid configuration according to vault
src/derivepassphrase/exporter/vault_native.py        460)         or derivepassphrase.
src/derivepassphrase/exporter/vault_native.py        461) 
src/derivepassphrase/exporter/vault_native.py        462)     Raises:
src/derivepassphrase/exporter/vault_native.py        463)         RuntimeError:
src/derivepassphrase/exporter/vault_native.py        464)             Something went wrong during data collection, e.g. we
src/derivepassphrase/exporter/vault_native.py        465)             encountered unsupported or corrupted data in the storeroom.
src/derivepassphrase/exporter/vault_native.py        466)         json.JSONDecodeError:
src/derivepassphrase/exporter/vault_native.py        467)             An internal JSON data structure failed to parse from disk.
src/derivepassphrase/exporter/vault_native.py        468)             The storeroom is probably corrupted.
src/derivepassphrase/exporter/vault_native.py        469)         ValueError:
src/derivepassphrase/exporter/vault_native.py        470)             The requested formats to try out are invalid, or the
src/derivepassphrase/exporter/vault_native.py        471)             encrypted contents aren't in any of the attempted
src/derivepassphrase/exporter/vault_native.py        472)             configuration formats.
src/derivepassphrase/exporter/vault_native.py        473) 
src/derivepassphrase/exporter/vault_native.py        474)     """
src/derivepassphrase/exporter/vault_native.py        475)     if contents is None:
src/derivepassphrase/exporter/vault_native.py        476)         with open(exporter.get_vault_path(), 'rb') as infile:
src/derivepassphrase/exporter/vault_native.py        477)             contents = base64.standard_b64decode(infile.read())
src/derivepassphrase/exporter/vault_native.py        478)     if key is None:
src/derivepassphrase/exporter/vault_native.py        479)         key = exporter.get_vault_key()
src/derivepassphrase/exporter/vault_native.py        480)     stored_exception: Exception | None = None
src/derivepassphrase/exporter/vault_native.py        481)     for config_format in try_formats:

src/derivepassphrase/exporter/vault_native.py        482)         # Use match/case here once Python 3.9 becomes unsupported.
src/derivepassphrase/exporter/vault_native.py        483)         if config_format == 'v0.2':
src/derivepassphrase/exporter/vault_native.py        484)             try:
src/derivepassphrase/exporter/vault_native.py        485)                 return VaultNativeV02ConfigParser(contents, key)()
src/derivepassphrase/exporter/vault_native.py        486)             except ValueError as exc:
src/derivepassphrase/exporter/vault_native.py        487)                 exc.__context__ = stored_exception
src/derivepassphrase/exporter/vault_native.py        488)                 stored_exception = exc
src/derivepassphrase/exporter/vault_native.py        489)         elif config_format == 'v0.3':
src/derivepassphrase/exporter/vault_native.py        490)             try:
src/derivepassphrase/exporter/vault_native.py        491)                 return VaultNativeV03ConfigParser(contents, key)()
src/derivepassphrase/exporter/vault_native.py        492)             except ValueError as exc:
src/derivepassphrase/exporter/vault_native.py        493)                 exc.__context__ = stored_exception
src/derivepassphrase/exporter/vault_native.py        494)                 stored_exception = exc
src/derivepassphrase/exporter/vault_native.py        495)         else:  # pragma: no cover
src/derivepassphrase/exporter/vault_native.py        496)             msg = (

src/derivepassphrase/exporter/vault_native.py        497)                 f'Invalid vault native configuration format: {config_format!r}'

src/derivepassphrase/exporter/vault_native.py        498)             )
src/derivepassphrase/exporter/vault_native.py        499)             raise ValueError(msg)

src/derivepassphrase/exporter/vault_native.py        500)     msg = (

src/derivepassphrase/exporter/vault_native.py        501)         f'Not a valid vault native configuration. (We tried: {try_formats!r}.)'

src/derivepassphrase/exporter/vault_native.py        502)     )
src/derivepassphrase/exporter/vault_native.py        503)     raise stored_exception or ValueError(msg)
src/derivepassphrase/exporter/vault_native.py        504) 
src/derivepassphrase/exporter/vault_native.py        505) 

src/derivepassphrase/exporter/vault_v03_and_below.py 506) if __name__ == '__main__':
src/derivepassphrase/exporter/vault_v03_and_below.py 507)     import os
src/derivepassphrase/exporter/vault_v03_and_below.py 508) 
src/derivepassphrase/exporter/vault_v03_and_below.py 509)     logging.basicConfig(level=('DEBUG' if os.getenv('DEBUG') else 'WARNING'))

src/derivepassphrase/exporter/vault_v03_and_below.py 510)     with open(exporter.get_vault_path(), 'rb') as infile:

src/derivepassphrase/exporter/vault_v03_and_below.py 511)         contents = base64.standard_b64decode(infile.read())

src/derivepassphrase/exporter/vault_v03_and_below.py 512)     password = exporter.get_vault_key()

src/derivepassphrase/exporter/vault_v03_and_below.py 513)     try:

src/derivepassphrase/exporter/vault_v03_and_below.py 514)         config = VaultNativeV03ConfigParser(contents, password)()

src/derivepassphrase/exporter/vault_v03_and_below.py 515)     except ValueError:

src/derivepassphrase/exporter/vault_v03_and_below.py 516)         config = VaultNativeV02ConfigParser(contents, password)()