Make the vault UUID and CHARSETS attributes public (689cf84) - derivepassphrase.git

Make the vault UUID and CHARSETS attributes public

Marco Ricci commited on 2025-01-29 15:28:07
Zeige 6 geänderte Dateien mit 40 Einfügungen und 40 Löschungen.

They are constants, they are not priviledged information, and having to
keep indirectly referring to them instead of directly is rather
irritating.

src/derivepassphrase/exporter/vault_native.py 851f4ff..d8b5861
src/derivepassphrase/vault.py 41b7b52..3c16796
tests/__init__.py a1e42c2..d1b7f41
tests/test_derivepassphrase_cli.py 7044144..3f7e141
tests/test_derivepassphrase_ssh_agent.py 4a78a6c..5ab1a6c
tests/test_derivepassphrase_vault.py 190ae3a..a8e2bc0

src/derivepassphrase/exporter/vault_native.py

Zeige Datei @ 689cf84

@@ -215,8 +215,8 @@ class VaultNativeConfigParser(abc.ABC):
     ) -> bytes:
         """Generate a key from a password.
 
-        Uses PBKDF2 with HMAC-SHA1, with the vault UUID as a fixed salt
-        value.
+        Uses PBKDF2 with HMAC-SHA1, with [vault.Vault.UUID][] as a fixed
+        salt value.
 
         Args:
             password:
@@ -246,7 +246,7 @@ class VaultNativeConfigParser(abc.ABC):
         raw_key = pbkdf2.PBKDF2HMAC(
             algorithm=hashes.SHA1(),
             length=key_size // 2,
-            salt=vault.Vault._UUID,  # noqa: SLF001
+            salt=vault.Vault.UUID,
             iterations=iterations,
         ).derive(bytes(password))
         result_key = raw_key.hex().lower().encode('ASCII')
@@ -254,7 +254,7 @@ class VaultNativeConfigParser(abc.ABC):
             _msg.TranslatedString(
                 _msg.DebugMsgTemplate.VAULT_NATIVE_PBKDF2_CALL,
                 password=password,
-                salt=vault.Vault._UUID,  # noqa: SLF001
+                salt=vault.Vault.UUID,
                 iterations=iterations,
                 key_size=key_size // 2,
                 algorithm='sha1',

src/derivepassphrase/vault.py

Zeige Datei @ 689cf84

@@ -12,7 +12,7 @@ import hashlib
 import hmac
 import math
 import types
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Final
 
 from typing_extensions import TypeAlias, assert_type
 
@@ -49,18 +49,18 @@ class Vault:
 
     """
 
-    _UUID = b'e87eb0f4-34cb-46b9-93ad-766c5ab063e7'
+    UUID: Final = b'e87eb0f4-34cb-46b9-93ad-766c5ab063e7'
     """A tag used by vault in the bit stream generation."""
-    _CHARSETS = types.MappingProxyType(
+    CHARSETS: Final = types.MappingProxyType(
         collections.OrderedDict([
             ('lower', b'abcdefghijklmnopqrstuvwxyz'),
             ('upper', b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'),
             (
                 'alpha',
                 (
-                    # _CHARSETS['lower']
+                    # CHARSETS['lower']
                     b'abcdefghijklmnopqrstuvwxyz'
-                    # _CHARSETS['upper']
+                    # CHARSETS['upper']
                     b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                 ),
             ),
@@ -68,11 +68,11 @@ class Vault:
             (
                 'alphanum',
                 (
-                    # _CHARSETS['lower']
+                    # CHARSETS['lower']
                     b'abcdefghijklmnopqrstuvwxyz'
-                    # _CHARSETS['upper']
+                    # CHARSETS['upper']
                     b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-                    # _CHARSETS['number']
+                    # CHARSETS['number']
                     b'0123456789'
                 ),
             ),
@@ -82,15 +82,15 @@ class Vault:
             (
                 'all',
                 (
-                    # _CHARSETS['lower']
+                    # CHARSETS['lower']
                     b'abcdefghijklmnopqrstuvwxyz'
-                    # _CHARSETS['upper']
+                    # CHARSETS['upper']
                     b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-                    # _CHARSETS['number']
+                    # CHARSETS['number']
                     b'0123456789'
-                    # _CHARSETS['space']
+                    # CHARSETS['space']
                     b' '
-                    # _CHARSETS['symbol']
+                    # CHARSETS['symbol']
                     b'!"#$%&\'()*+,./:;<=>?@[\\]^{|}~-_'
                 ),
             ),
@@ -160,7 +160,7 @@ class Vault:
         self._phrase = self._get_binary_string(phrase)
         self._length = length
         self._repeat = repeat
-        self._allowed = bytearray(self._CHARSETS['all'])
+        self._allowed = bytearray(self.CHARSETS['all'])
         self._required: list[bytes] = []
 
         def subtract_or_require(
@@ -174,12 +174,12 @@ class Vault:
                 for _ in range(count):
                     self._required.append(characters)
 
-        subtract_or_require(lower, self._CHARSETS['lower'])
-        subtract_or_require(upper, self._CHARSETS['upper'])
-        subtract_or_require(number, self._CHARSETS['number'])
-        subtract_or_require(space, self._CHARSETS['space'])
-        subtract_or_require(dash, self._CHARSETS['dash'])
-        subtract_or_require(symbol, self._CHARSETS['symbol'])
+        subtract_or_require(lower, self.CHARSETS['lower'])
+        subtract_or_require(upper, self.CHARSETS['upper'])
+        subtract_or_require(number, self.CHARSETS['number'])
+        subtract_or_require(space, self.CHARSETS['space'])
+        subtract_or_require(dash, self.CHARSETS['dash'])
+        subtract_or_require(symbol, self.CHARSETS['symbol'])
         if len(self._required) > self._length:
             msg = 'requested passphrase length too short'
             raise ValueError(msg)
@@ -297,8 +297,8 @@ class Vault:
                 primitive.  If a string, then the UTF-8 encoding of the
                 string is used.
             service:
-                A vault service name.  Will be suffixed with
-                `Vault._UUID`, and then used as the salt value for
+                A vault service name.  Will be suffixed with the
+                [`UUID`][], and then used as the salt value for
                 PBKDF2.  If a string, then the UTF-8 encoding of the
                 string is used.
             length:
@@ -335,7 +335,7 @@ class Vault:
         """
         phrase = cls._get_binary_string(phrase)
         assert isinstance(phrase, bytes)
-        salt = cls._get_binary_string(service) + cls._UUID
+        salt = cls._get_binary_string(service) + cls.UUID
         return hashlib.pbkdf2_hmac(
             hash_name='sha1',
             password=phrase,
@@ -526,9 +526,9 @@ class Vault:
         """Obtain the master passphrase from a configured SSH key.
 
         vault allows the usage of certain SSH keys to derive a master
-        passphrase, by signing the vault UUID with the SSH key.  The key
-        type must ensure that signatures are deterministic (perhaps only
-        in conjunction with the given SSH agent).
+        passphrase, by signing the vault [`UUID`][] with the SSH key.
+        The key type must ensure that signatures are deterministic
+        (perhaps only in conjunction with the given SSH agent).
 
         Args:
             key:
@@ -538,8 +538,8 @@ class Vault:
                 [`ssh_agent.SSHAgentClient.ensure_agent_subcontext`][].
 
         Returns:
-            The signature of the vault UUID under this key, unframed but
-            encoded in base64.
+            The signature of the vault [`UUID`][] under this key,
+            unframed but encoded in base64.
 
         Raises:
             KeyError:
@@ -588,7 +588,7 @@ class Vault:
                     'signature not deterministic under this agent'
                 )
                 raise ValueError(msg)
-            raw_sig = client.sign(key, cls._UUID)
+            raw_sig = client.sign(key, cls.UUID)
         _keytype, trailer = ssh_agent.SSHAgentClient.unstring_prefix(raw_sig)
         signature_blob = ssh_agent.SSHAgentClient.unstring(trailer)
         return bytes(base64.standard_b64encode(signature_blob))

tests/__init__.py

Zeige Datei @ 689cf84

@@ -1708,7 +1708,7 @@ def sign(
 
     """
     del self  # Unused.
-    assert message == vault.Vault._UUID
+    assert message == vault.Vault.UUID
     for value in SUPPORTED_KEYS.values():
         if value.public_key_data == key:  # pragma: no branch
             assert value.expected_signature is not None

tests/test_derivepassphrase_cli.py

Zeige Datei @ 689cf84

@@ -641,7 +641,7 @@ class TestCLI:
     ) -> None:
         """Named character classes can be disabled on the command-line."""
         option = f'--{charset_name}'
-        charset = vault.Vault._CHARSETS[charset_name].decode('ascii')
+        charset = vault.Vault.CHARSETS[charset_name].decode('ascii')
         runner = click.testing.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -3757,7 +3757,7 @@ class TestCLITransition:
     ) -> None:
         """Forwarding arguments from top-level to "vault" works."""
         option = f'--{charset_name}'
-        charset = vault.Vault._CHARSETS[charset_name].decode('ascii')
+        charset = vault.Vault.CHARSETS[charset_name].decode('ascii')
         runner = click.testing.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.

tests/test_derivepassphrase_ssh_agent.py

Zeige Datei @ 689cf84

@@ -459,11 +459,11 @@ class TestAgentInteraction:
         if public_key_data not in key_comment_pairs:  # pragma: no cover
             pytest.skip('prerequisite SSH key not loaded')
         signature = bytes(
-            client.sign(payload=vault.Vault._UUID, key=public_key_data)
+            client.sign(payload=vault.Vault.UUID, key=public_key_data)
         )
         assert signature == expected_signature, 'SSH signature mismatch'
         signature2 = bytes(
-            client.sign(payload=vault.Vault._UUID, key=public_key_data)
+            client.sign(payload=vault.Vault.UUID, key=public_key_data)
         )
         assert signature2 == expected_signature, 'SSH signature mismatch'
         assert (

tests/test_derivepassphrase_vault.py

Zeige Datei @ 689cf84

@@ -666,7 +666,7 @@ class TestVault:
         for key in ('lower', 'upper', 'number', 'space', 'dash', 'symbol'):
             if config[key] > 0:
                 assert (
-                    sum(c in vault.Vault._CHARSETS[key] for c in password)
+                    sum(c in vault.Vault.CHARSETS[key] for c in password)
                     >= config[key]
                 ), (
                     'Password does not satisfy '
@@ -678,7 +678,7 @@ class TestVault:
                 assert True
             else:
                 assert (
-                    sum(c in vault.Vault._CHARSETS[key] for c in password) == 0
+                    sum(c in vault.Vault.CHARSETS[key] for c in password) == 0
                 ), 'Password does not satisfy character ban constraints.'
 
         T = TypeVar('T', str, bytes)


...	...	@@ -215,8 +215,8 @@ class VaultNativeConfigParser(abc.ABC):
215	215	) -> bytes:
216	216	"""Generate a key from a password.
217	217
218		- Uses PBKDF2 with HMAC-SHA1, with the vault UUID as a fixed salt
219		- value.
	218	+ Uses PBKDF2 with HMAC-SHA1, with [vault.Vault.UUID][] as a fixed
	219	+ salt value.
220	220
221	221	Args:
222	222	password:
...	...	@@ -246,7 +246,7 @@ class VaultNativeConfigParser(abc.ABC):
246	246	raw_key = pbkdf2.PBKDF2HMAC(
247	247	algorithm=hashes.SHA1(),
248	248	length=key_size // 2,
249		- salt=vault.Vault._UUID, # noqa: SLF001
	249	+ salt=vault.Vault.UUID,
250	250	iterations=iterations,
251	251	).derive(bytes(password))
252	252	result_key = raw_key.hex().lower().encode('ASCII')
...	...	@@ -254,7 +254,7 @@ class VaultNativeConfigParser(abc.ABC):
254	254	_msg.TranslatedString(
255	255	_msg.DebugMsgTemplate.VAULT_NATIVE_PBKDF2_CALL,
256	256	password=password,
257		- salt=vault.Vault._UUID, # noqa: SLF001
	257	+ salt=vault.Vault.UUID,
258	258	iterations=iterations,
259	259	key_size=key_size // 2,
260	260	algorithm='sha1',

...	...	@@ -1708,7 +1708,7 @@ def sign(
1708	1708
1709	1709	"""
1710	1710	del self # Unused.
1711		- assert message == vault.Vault._UUID
	1711	+ assert message == vault.Vault.UUID
1712	1712	for value in SUPPORTED_KEYS.values():
1713	1713	if value.public_key_data == key: # pragma: no branch
1714	1714	assert value.expected_signature is not None

...	...	@@ -641,7 +641,7 @@ class TestCLI:
641	641	) -> None:
642	642	"""Named character classes can be disabled on the command-line."""
643	643	option = f'--{charset_name}'
644		- charset = vault.Vault._CHARSETS[charset_name].decode('ascii')
	644	+ charset = vault.Vault.CHARSETS[charset_name].decode('ascii')
645	645	runner = click.testing.CliRunner(mix_stderr=False)
646	646	# TODO(the-13th-letter): Rewrite using parenthesized
647	647	# with-statements.
...	...	@@ -3757,7 +3757,7 @@ class TestCLITransition:
3757	3757	) -> None:
3758	3758	"""Forwarding arguments from top-level to "vault" works."""
3759	3759	option = f'--{charset_name}'
3760		- charset = vault.Vault._CHARSETS[charset_name].decode('ascii')
	3760	+ charset = vault.Vault.CHARSETS[charset_name].decode('ascii')
3761	3761	runner = click.testing.CliRunner(mix_stderr=False)
3762	3762	# TODO(the-13th-letter): Rewrite using parenthesized
3763	3763	# with-statements.

...	...	@@ -459,11 +459,11 @@ class TestAgentInteraction:
459	459	if public_key_data not in key_comment_pairs: # pragma: no cover
460	460	pytest.skip('prerequisite SSH key not loaded')
461	461	signature = bytes(
462		- client.sign(payload=vault.Vault._UUID, key=public_key_data)
	462	+ client.sign(payload=vault.Vault.UUID, key=public_key_data)
463	463	)
464	464	assert signature == expected_signature, 'SSH signature mismatch'
465	465	signature2 = bytes(
466		- client.sign(payload=vault.Vault._UUID, key=public_key_data)
	466	+ client.sign(payload=vault.Vault.UUID, key=public_key_data)
467	467	)
468	468	assert signature2 == expected_signature, 'SSH signature mismatch'
469	469	assert (

...	...	@@ -666,7 +666,7 @@ class TestVault:
666	666	for key in ('lower', 'upper', 'number', 'space', 'dash', 'symbol'):
667	667	if config[key] > 0:
668	668	assert (
669		- sum(c in vault.Vault._CHARSETS[key] for c in password)
	669	+ sum(c in vault.Vault.CHARSETS[key] for c in password)
670	670	>= config[key]
671	671	), (
672	672	'Password does not satisfy '
...	...	@@ -678,7 +678,7 @@ class TestVault:
678	678	assert True
679	679	else:
680	680	assert (
681		- sum(c in vault.Vault._CHARSETS[key] for c in password) == 0
	681	+ sum(c in vault.Vault.CHARSETS[key] for c in password) == 0
682	682	), 'Password does not satisfy character ban constraints.'
683	683
684	684	T = TypeVar('T', str, bytes)
685	685

...	...	@@ -12,7 +12,7 @@ import hashlib
12	12	import hmac
13	13	import math
14	14	import types
15		-from typing import TYPE_CHECKING
	15	+from typing import TYPE_CHECKING, Final
16	16
17	17	from typing_extensions import TypeAlias, assert_type
18	18
...	...	@@ -49,18 +49,18 @@ class Vault:
49	49
50	50	"""
51	51
52		- _UUID = b'e87eb0f4-34cb-46b9-93ad-766c5ab063e7'
	52	+ UUID: Final = b'e87eb0f4-34cb-46b9-93ad-766c5ab063e7'
53	53	"""A tag used by vault in the bit stream generation."""
54		- _CHARSETS = types.MappingProxyType(
	54	+ CHARSETS: Final = types.MappingProxyType(
55	55	collections.OrderedDict([
56	56	('lower', b'abcdefghijklmnopqrstuvwxyz'),
57	57	('upper', b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'),
58	58	(
59	59	'alpha',
60	60	(
61		- # _CHARSETS['lower']
	61	+ # CHARSETS['lower']
62	62	b'abcdefghijklmnopqrstuvwxyz'
63		- # _CHARSETS['upper']
	63	+ # CHARSETS['upper']
64	64	b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
65	65	),
66	66	),
...	...	@@ -68,11 +68,11 @@ class Vault:
68	68	(
69	69	'alphanum',
70	70	(
71		- # _CHARSETS['lower']
	71	+ # CHARSETS['lower']
72	72	b'abcdefghijklmnopqrstuvwxyz'
73		- # _CHARSETS['upper']
	73	+ # CHARSETS['upper']
74	74	b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
75		- # _CHARSETS['number']
	75	+ # CHARSETS['number']
76	76	b'0123456789'
77	77	),
78	78	),
...	...	@@ -82,15 +82,15 @@ class Vault:
82	82	(
83	83	'all',
84	84	(
85		- # _CHARSETS['lower']
	85	+ # CHARSETS['lower']
86	86	b'abcdefghijklmnopqrstuvwxyz'
87		- # _CHARSETS['upper']
	87	+ # CHARSETS['upper']
88	88	b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
89		- # _CHARSETS['number']
	89	+ # CHARSETS['number']
90	90	b'0123456789'
91		- # _CHARSETS['space']
	91	+ # CHARSETS['space']
92	92	b' '
93		- # _CHARSETS['symbol']
	93	+ # CHARSETS['symbol']
94	94	b'!"#$%&\'()*+,./:;<=>?@[\\]^{\|}~-_'
95	95	),
96	96	),
...	...	@@ -160,7 +160,7 @@ class Vault:
160	160	self._phrase = self._get_binary_string(phrase)
161	161	self._length = length
162	162	self._repeat = repeat
163		- self._allowed = bytearray(self._CHARSETS['all'])
	163	+ self._allowed = bytearray(self.CHARSETS['all'])
164	164	self._required: list[bytes] = []
165	165
166	166	def subtract_or_require(
...	...	@@ -174,12 +174,12 @@ class Vault:
174	174	for _ in range(count):
175	175	self._required.append(characters)
176	176
177		- subtract_or_require(lower, self._CHARSETS['lower'])
178		- subtract_or_require(upper, self._CHARSETS['upper'])
179		- subtract_or_require(number, self._CHARSETS['number'])
180		- subtract_or_require(space, self._CHARSETS['space'])
181		- subtract_or_require(dash, self._CHARSETS['dash'])
182		- subtract_or_require(symbol, self._CHARSETS['symbol'])
	177	+ subtract_or_require(lower, self.CHARSETS['lower'])
	178	+ subtract_or_require(upper, self.CHARSETS['upper'])
	179	+ subtract_or_require(number, self.CHARSETS['number'])
	180	+ subtract_or_require(space, self.CHARSETS['space'])
	181	+ subtract_or_require(dash, self.CHARSETS['dash'])
	182	+ subtract_or_require(symbol, self.CHARSETS['symbol'])
183	183	if len(self._required) > self._length:
184	184	msg = 'requested passphrase length too short'
185	185	raise ValueError(msg)
...	...	@@ -297,8 +297,8 @@ class Vault:
297	297	primitive. If a string, then the UTF-8 encoding of the
298	298	string is used.
299	299	service:
300		- A vault service name. Will be suffixed with
301		- `Vault._UUID`, and then used as the salt value for
	300	+ A vault service name. Will be suffixed with the
	301	+ [`UUID`][], and then used as the salt value for
302	302	PBKDF2. If a string, then the UTF-8 encoding of the
303	303	string is used.
304	304	length:
...	...	@@ -335,7 +335,7 @@ class Vault:
335	335	"""
336	336	phrase = cls._get_binary_string(phrase)
337	337	assert isinstance(phrase, bytes)
338		- salt = cls._get_binary_string(service) + cls._UUID
	338	+ salt = cls._get_binary_string(service) + cls.UUID
339	339	return hashlib.pbkdf2_hmac(
340	340	hash_name='sha1',
341	341	password=phrase,
...	...	@@ -526,9 +526,9 @@ class Vault:
526	526	"""Obtain the master passphrase from a configured SSH key.
527	527
528	528	vault allows the usage of certain SSH keys to derive a master
529		- passphrase, by signing the vault UUID with the SSH key. The key
530		- type must ensure that signatures are deterministic (perhaps only
531		- in conjunction with the given SSH agent).
	529	+ passphrase, by signing the vault [`UUID`][] with the SSH key.
	530	+ The key type must ensure that signatures are deterministic
	531	+ (perhaps only in conjunction with the given SSH agent).
532	532
533	533	Args:
534	534	key:
...	...	@@ -538,8 +538,8 @@ class Vault:
538	538	[`ssh_agent.SSHAgentClient.ensure_agent_subcontext`][].
539	539
540	540	Returns:
541		- The signature of the vault UUID under this key, unframed but
542		- encoded in base64.
	541	+ The signature of the vault [`UUID`][] under this key,
	542	+ unframed but encoded in base64.
543	543
544	544	Raises:
545	545	KeyError:
...	...	@@ -588,7 +588,7 @@ class Vault:
588	588	'signature not deterministic under this agent'
589	589	)
590	590	raise ValueError(msg)
591		- raw_sig = client.sign(key, cls._UUID)
	591	+ raw_sig = client.sign(key, cls.UUID)
592	592	_keytype, trailer = ssh_agent.SSHAgentClient.unstring_prefix(raw_sig)
593	593	signature_blob = ssh_agent.SSHAgentClient.unstring(trailer)
594	594	return bytes(base64.standard_b64encode(signature_blob))