From 71c679e1a0105490bd5845a15de5e8f1a32e2166 Mon Sep 17 00:00:00 2001 From: "Chris St. Pierre" Date: Tue, 11 Sep 2012 10:32:30 -0400 Subject: Cfg: documented all Cfg modules, added development docs --- src/lib/Bcfg2/Encryption.py | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) (limited to 'src/lib/Bcfg2/Encryption.py') diff --git a/src/lib/Bcfg2/Encryption.py b/src/lib/Bcfg2/Encryption.py index 355b49814..0a2d486bf 100755 --- a/src/lib/Bcfg2/Encryption.py +++ b/src/lib/Bcfg2/Encryption.py @@ -73,3 +73,44 @@ def ssl_encrypt(plaintext, passwd, algorithm=ALGORITHM, salt=None): crypted = str_encrypt(plaintext, key=key, salt=salt, iv=iv) return base64.b64encode("Salted__" + salt + crypted) + "\n" + +def get_passphrases(setup): + """ Get all candidate encryption passphrases from the config file. + + :param setup: The Bcfg2 option set to extract passphrases from + :type setup: Bcfg2.Options.OptionParser + returns: dict - a dict of : + """ + section = "encryption" + if setup.cfp.has_section(section): + return dict([(o, setup.cfp.get(section, o)) + for o in setup.cfp.options(section)]) + else: + return dict() + +def bruteforce_decrypt(crypted, passphrases=None, setup=None): + """ Convenience method to decrypt the given encrypted string by + trying the given passphrases or all passphrases (as returned by + :func:`Bcfg2.Encryption.passphrases`) sequentially until one is + found that works. + + Either ``passphrases`` or ``setup`` must be provided. + + :param crypted: The data to decrypt + :type crypted: string + :param passphrases: The passphrases to try. + :type passphrases: list + :param setup: A Bcfg2 option set to extract passphrases from + :type setup: Bcfg2.Options.OptionParser + :returns: string - The decrypted data + :raises: :class:`M2Crypto.EVP.EVPError`, if the data cannot be decrypted + """ + if not passphrases: + passphrases = get_passphrases(setup).values() + for passwd in passphrases: + try: + return ssl_decrypt(crypted, passwd) + except EVPError: + pass + raise EVPError("Failed to decrypt") + -- cgit v1.2.3-1-g7c22