linotp.lib.migrate module
contains the hsm migration handler
- class linotp.lib.migrate.Crypter(password, salt)
Bases: object
- decrypt(encrypted_data, just_mac='')
decrypt the stored data
- Parameters
encrypted_data – the hexlified string with (iv:enc_data)
- Returns
decrypted data
- encrypt(input_data, just_mac='')
encrypt data
- Parameters
input_data – any data as input
- Returns
dictionary with hexlified iv and crypted_data
- static hmac_sha256(secret, msg)
- mac(*messages)
calculate the mac independent of the input type
- static pad(input_data)
pkcs7 padding: the value of the last byte is the pad length. Zero is not allowed, so for an already block-aligned input a full padding block is appended instead
- static unpad(output_data)
pkcs7 unpadding: the value of the last byte is the number of bytes to strip
- exception linotp.lib.migrate.DecryptionError
Bases: Exception
- class linotp.lib.migrate.MigrationHandler
Bases: object
the migration handler supports the migration of encrypted data such as the token seed or pin, and of the encrypted config entries that contain sensitive data such as passwords
- calculate_mac(data)
helper method - to return a mac from given data
- Parameters
data – the input data for the mac calculation
- Returns
the mac as binary
- get_config_items()
iterator function that returns one config entry at a time in the migration format
it reads all config entries of type password from the config table. The decrypted value is taken from the linotp config
- Returns
dictionary with the config entry: key, type, description and the value, which is a dict with the encryption relevant data like: encrypted_data, iv, mac
- get_token_data()
get all tokens
- set_config_entry(config_entry)
set the config entry - using the standard way, so that the new value will be encrypted using the new encryption key and potentially a new iv as well.
before storing the new entry, the old value in its encrypted form is read. The
- Parameters
config_entry – the config entry, as a dict
- Returns
nothing
- set_token_data(token_data)
- setup(passphrase, salt=None)
setup the MigrationHandler - or more precisely the crypto handler, which is a MigrationHandler member.
- Parameters
passphrase – the encryption and decryption key is derived from the passphrase
salt – optional - if not given, a new one is generated
- Returns
the salt, as binary