Revonzy Mini Shell
#
# Copyright 2008 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Keyczart(ool) is a utility for creating and managing Keyczar keysets.
@author: arkajit.dey@gmail.com (Arkajit Dey)
"""
import os
import sys
import errors
import keyczar
import keydata
import keyinfo
import readers
import writers
import util
KEYSETS = [('aes', keyinfo.DECRYPT_AND_ENCRYPT, None, None),
('aes-crypted', keyinfo.DECRYPT_AND_ENCRYPT, None, 'aes'),
('hmac', keyinfo.SIGN_AND_VERIFY, None, None),
('rsa', keyinfo.DECRYPT_AND_ENCRYPT, 'rsa', None),
('rsa-sign', keyinfo.SIGN_AND_VERIFY, 'rsa', None),
('dsa', keyinfo.SIGN_AND_VERIFY, 'dsa', None)]
mock = None # mock reader used for testing purposes, disabled when set to None
class _Name(object):
def __init__(self, name):
self.name = name
def __str__(self):
return self.name
class Command(_Name):
"""Enum representing keyczart commands."""
CREATE = Command("create")
ADDKEY = Command("addkey")
PUBKEY = Command("pubkey")
PROMOTE = Command("promote")
DEMOTE = Command("demote")
REVOKE = Command("revoke")
GENKEY = Command("genkey")
commands = {"create": CREATE, "addkey": ADDKEY, "pubkey": PUBKEY,
"promote": PROMOTE, "demote": DEMOTE, "revoke": REVOKE,
"genkey": GENKEY}
def GetCommand(cmd):
try:
return commands[cmd]
except KeyError:
raise errors.KeyczarError("Illegal command")
class Flag(_Name):
"""Enum representing keyczart flags."""
LOCATION = Flag("location")
NAME = Flag("name")
SIZE = Flag("size")
STATUS = Flag("status")
PURPOSE = Flag("purpose")
DESTINATION = Flag("destination")
VERSION = Flag("version")
ASYMMETRIC = Flag("asymmetric")
CRYPTER = Flag("crypter")
flags = {"location": LOCATION, "name": NAME, "size": SIZE, "status": STATUS,
"purpose": PURPOSE, "destination": DESTINATION, "version": VERSION,
"asymmetric": ASYMMETRIC, "crypter": CRYPTER}
def GetFlag(flag):
try:
return flags[flag]
except KeyError:
raise errors.KeyczarError("Unknown flag")
def Create(loc, name, purpose, asymmetric=None):
if mock is None and loc is None: # not testing
raise errors.KeyczarError("Location missing")
kmd = None
if purpose == keyinfo.SIGN_AND_VERIFY:
if asymmetric is None:
kmd = keydata.KeyMetadata(name, purpose, keyinfo.HMAC_SHA1)
elif asymmetric.lower() == "rsa":
kmd = keydata.KeyMetadata(name, purpose, keyinfo.RSA_PRIV)
else: # default to DSA
kmd = keydata.KeyMetadata(name, purpose, keyinfo.DSA_PRIV)
elif purpose == keyinfo.DECRYPT_AND_ENCRYPT:
if asymmetric is None:
kmd = keydata.KeyMetadata(name, purpose, keyinfo.AES)
else: # default to RSA
kmd = keydata.KeyMetadata(name, purpose, keyinfo.RSA_PRIV)
else:
raise errors.KeyczarError("Missing or unsupported purpose")
if mock is not None: # just testing, update mock object
mock.kmd = kmd
else:
writer = writers.CreateWriter(loc)
try:
writer.WriteMetadata(kmd, overwrite=False)
finally:
writer.Close()
def AddKey(loc, status, crypter=None, size=None):
czar = CreateGenericKeyczar(loc, crypter)
if size == -1:
size = None
czar.AddVersion(status, size)
UpdateGenericKeyczar(czar, loc, crypter)
def PubKey(loc, dest):
if mock is None and dest is None: # not required when testing
raise errors.KeyczarError("Must define destination")
czar = CreateGenericKeyczar(loc)
czar.PublicKeyExport(dest, mock) # supply mock for testing if enabled
def Promote(loc, num):
czar = CreateGenericKeyczar(loc)
if num < 0:
raise errors.KeyczarError("Missing version")
czar.Promote(num)
UpdateGenericKeyczar(czar, loc)
def Demote(loc, num):
czar = CreateGenericKeyczar(loc)
if num < 0:
raise errors.KeyczarError("Missing version")
czar.Demote(num)
UpdateGenericKeyczar(czar, loc)
def Revoke(loc, num):
czar = CreateGenericKeyczar(loc)
if num < 0:
raise errors.KeyczarError("Missing version")
czar.Revoke(num)
UpdateGenericKeyczar(czar, loc)
if mock is not None: # testing, update mock
mock.RemoveKey(num)
else:
writer = writers.CreateWriter(loc)
try:
writer.Remove(num)
finally:
writer.Close()
def _CreateCrypter(location):
"""Helper to create a Crypter for the location."""
return keyczar.Crypter.Read(location)
def GenKeySet(loc):
print "Generating private key sets..."
for (name, purpose, asymmetric, crypter) in KEYSETS:
print "."
dir_path = os.path.join(loc, name)
if crypter:
crypter = _CreateCrypter(os.path.join(loc, crypter))
Clean(dir_path)
Create(dir_path, "Test", purpose, asymmetric)
AddKey(dir_path, keyinfo.PRIMARY, crypter)
UseKey(purpose, dir_path, os.path.join(dir_path, "1.out"), crypter)
AddKey(dir_path, keyinfo.PRIMARY, crypter)
UseKey(purpose, dir_path, os.path.join(dir_path, "2.out"), crypter)
print "Exporting public key sets..."
for name in ('dsa', 'rsa-sign'):
print "."
dir_path = os.path.join(loc, name)
dest = os.path.join(loc, name + '.public')
PubKey(dir_path, dest)
print "Done!"
def Clean(directory):
for filename in os.listdir(directory):
path = os.path.join(directory, filename)
if not os.path.isdir(path):
os.remove(path)
def UseKey(purpose, loc, dest, crypter=None, msg="This is some test data"):
reader = readers.CreateReader(loc)
try:
answer = ""
if crypter:
reader = readers.EncryptedReader(reader, crypter)
if purpose == keyinfo.DECRYPT_AND_ENCRYPT:
answer = keyczar.Crypter(reader).Encrypt(msg)
elif purpose == keyinfo.SIGN_AND_VERIFY:
answer = keyczar.Signer(reader).Sign(msg)
util.WriteFile(answer, dest)
finally:
reader.Close()
def Usage():
print '''Usage: "Keyczart command flags"
Commands: create addkey pubkey promote demote revoke
Flags: location name size status purpose destination version asymmetric crypter
Command Usage:
create --location=/path/to/keys --purpose=(crypt|sign) [--name="A name"] [--asymmetric=(dsa|rsa)]
Creates a new, empty key set in the given location.
This key set must have a purpose of either "crypt" or "sign"
and may optionally be given a name. The optional asymmetric
flag will generate a public key set of the given algorithm.
The "dsa" asymmetric value is valid only for sets with "sign" purpose.
with the given purpose.
addkey --location=/path/to/keys [--status=(active|primary)] [--size=size] [--crypter=crypterLocation]
Adds a new key to an existing key set. Optionally
specify a purpose, which is active by default. Optionally
specify a key size in bits. Also optionally specify the
location of a set of crypting keys, which will be used to
encrypt this key set.
pubkey --location=/path/to/keys --destination=/destination
Extracts public keys from a given key set and writes them
to the destination. The "pubkey" command Only works for
key sets that were created with the "--asymmetric" flag.
promote --location=/path/to/keys --version=versionNumber
Promotes the status of the given key version in the given
location. Active keys are promoted to primary (which demotes
any existing primary key to active). Keys scheduled for
revocation are promoted to be active.
demote --location=/path/to/keys --version=versionNumber
Demotes the status of the given key version in the given
location. Primary keys are demoted to active. Active keys
are scheduled for revocation.
revoke --location=/path/to/keys --version=versionNumber
Revokes the key of the given version number.
This key must have been scheduled for revocation by the
promote command. WARNING: The key will be destroyed.
Optional flags are in [brackets]. The notation (a|b|c) means "a", "b", and "c"
are the valid choices'''
def CreateGenericKeyczar(loc, crypter=None):
if mock is not None:
return keyczar.GenericKeyczar(mock)
if loc is None:
raise errors.KeyczarError("Need location")
else:
generic = None
reader = readers.CreateReader(loc)
try:
if crypter:
reader = readers.EncryptedReader(reader, crypter)
generic = keyczar.GenericKeyczar(reader)
finally:
reader.Close()
return generic
def UpdateGenericKeyczar(czar, loc, encrypter=None):
if mock is not None: # update key data
mock.kmd = czar.metadata
for v in czar.versions:
mock.SetKey(v.version_number, czar.GetKey(v))
else:
writer = writers.CreateWriter(loc)
try:
czar.Write(writer, encrypter)
finally:
writer.Close()
def main(argv):
if len(argv) == 0:
Usage()
else:
cmd = GetCommand(argv[0])
flags = {}
for arg in argv:
if arg.startswith("--"):
arg = arg[2:] # trim leading dashes
try:
[flag, val] = arg.split("=")
flags[GetFlag(flag)] = val
except ValueError:
print "Flags incorrectly formatted"
Usage()
try:
version = int(flags.get(VERSION, -1))
size = int(flags.get(SIZE, -1))
# -1 if non-existent
except ValueError:
print "Size and version flags require an integer"
Usage()
loc = flags.get(LOCATION) # all commands need location
if cmd == CREATE:
purpose = {'crypt': keyinfo.DECRYPT_AND_ENCRYPT,
'sign': keyinfo.SIGN_AND_VERIFY}.get(flags.get(PURPOSE))
Create(loc, flags.get(NAME, 'Test'), purpose, flags.get(ASYMMETRIC))
elif cmd == ADDKEY:
status = keyinfo.GetStatus(flags.get(STATUS, 'ACTIVE').upper())
if CRYPTER in flags:
crypter = _CreateCrypter(flags[CRYPTER])
else:
crypter = None
AddKey(loc, status, crypter, size)
elif cmd == PUBKEY:
PubKey(loc, flags.get(DESTINATION))
elif cmd == PROMOTE:
Promote(loc, version)
elif cmd == DEMOTE:
Demote(loc, version)
elif cmd == REVOKE:
Revoke(loc, version)
elif cmd == GENKEY:
GenKeySet(loc)
else:
Usage()
if __name__ == '__main__':
sys.exit(main(sys.argv[1:])) # sys.argv[0] is name of program
EliteHackz.ORG
Revonzy Mini Shell
root@revonzy.com