How to use the asyncssh.pbe.KeyEncryptionError function in asyncssh
To help you get started, we’ve selected a few asyncssh examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
ronf / asyncssh / asyncssh / public_key.py View on Github 
raise KeyImportError('Passphrase must be specified to import '
'encrypted private keys')
dek_info = headers.get(b'DEK-Info', b'').split(b',')
if len(dek_info) != 2:
raise KeyImportError('Invalid PEM encryption params')
alg, iv = dek_info
try:
iv = binascii.a2b_hex(iv)
except binascii.Error:
raise KeyImportError('Invalid PEM encryption params') from None
try:
data = pkcs1_decrypt(data, alg, iv, passphrase)
except KeyEncryptionError:
raise KeyImportError('Unable to decrypt PKCS#1 '
'private key') from None
try:
key_data = der_decode(data)
except ASN1DecodeError:
raise KeyImportError('Invalid PEM private key') from None
if pem_name == b'ENCRYPTED':
if passphrase is None:
raise KeyImportError('Passphrase must be specified to import '
'encrypted private keys')
pem_name = b''
try:raise KeyImportError('Passphrase must be specified to import '
'encrypted private keys')
try:
key_size, iv_size, block_size, _, _, _ = \
get_encryption_params(cipher_name)
except KeyError:
raise KeyEncryptionError('Unknown cipher: %s' %
cipher_name.decode('ascii')) from None
if kdf != b'bcrypt':
raise KeyEncryptionError('Unknown kdf: %s' %
kdf.decode('ascii'))
if not _bcrypt_available: # pragma: no cover
raise KeyEncryptionError('OpenSSH private key encryption '
'requires bcrypt with KDF support')
packet = SSHPacket(kdf_data)
salt = packet.get_string()
rounds = packet.get_uint32()
packet.check_end()
if isinstance(passphrase, str):
passphrase = passphrase.encode('utf-8')
try:
key = bcrypt.kdf(passphrase, salt, key_size + iv_size,
rounds, ignore_few_rounds=True)
except ValueError:
raise KeyEncryptionError('Invalid OpenSSH '
'private key') from Nonedef _pbes2(params, passphrase):
"""PKCS#5 v2.0 cipher selection function for password-based encryption
This function implements the PKCS#5 v2.0 algorithm for password-based
encryption. It returns a cipher object which can be used to encrypt
or decrypt data based on the specified encryption parameters and
passphrase.
"""
if (not isinstance(params, tuple) or len(params) != 2 or
not isinstance(params[0], tuple) or len(params[0]) < 1 or
not isinstance(params[1], tuple) or len(params[1]) < 1):
raise KeyEncryptionError('Invalid PBES2 encryption parameters')
kdf_params = list(params[0])
kdf_alg = kdf_params.pop(0)
if kdf_alg not in _pbes2_kdf:
raise KeyEncryptionError('Unknown PBES2 key derivation function')
enc_params = list(params[1])
enc_alg = enc_params.pop(0)
if enc_alg not in _pbes2_cipher:
raise KeyEncryptionError('Unknown PBES2 encryption algorithm')
kdf_handler, kdf_args = _pbes2_kdf[kdf_alg]
enc_handler, cipher_name = _pbes2_cipher[enc_alg]
default_key_size, _, _ = get_cipher_params(cipher_name)params = (os.urandom(8), 2048)
cipher = handler(params, passphrase, hash_alg, cipher_name)
elif version == 2 and pkcs8_cipher_name in _pbes2_cipher_oid:
pbes2_cipher_oid = _pbes2_cipher_oid[pkcs8_cipher_name]
_, cipher_name = _pbes2_cipher[pbes2_cipher_oid]
_, iv_size, _ = get_cipher_params(cipher_name)
kdf_params = [os.urandom(8), 2048]
iv = os.urandom(iv_size)
enc_params = (pbes2_cipher_oid, iv)
if hash_name != 'sha1':
if hash_name in _pbes2_prf_oid:
kdf_params.append((_pbes2_prf_oid[hash_name], None))
else:
raise KeyEncryptionError('Unknown PBES2 hash function')
alg = _ES2
params = ((_ES2_PBKDF2, tuple(kdf_params)), enc_params)
cipher = _pbes2(params, passphrase)
else:
raise KeyEncryptionError('Unknown PKCS#8 encryption algorithm')
return der_encode(((alg, params), cipher.encrypt(data)))def pkcs8_decrypt(key_data, passphrase):
"""Decrypt PKCS#8 key data
This function decrypts key data in PKCS#8 EncryptedPrivateKeyInfo
format using the specified passphrase.
"""
if not isinstance(key_data, tuple) or len(key_data) != 2:
raise KeyEncryptionError('Invalid PKCS#8 encrypted key format')
alg_params, data = key_data
if (not isinstance(alg_params, tuple) or len(alg_params) != 2 or
not isinstance(data, bytes)):
raise KeyEncryptionError('Invalid PKCS#8 encrypted key format')
alg, params = alg_params
if alg == _ES2:
cipher = _pbes2(params, passphrase)
elif alg in _pkcs8_handler:
handler, hash_alg, cipher_name = _pkcs8_handler[alg]
cipher = handler(params, passphrase, hash_alg, cipher_name)
else:
raise KeyEncryptionError('Unknown PKCS#8 encryption algorithm')encryption. It returns a cipher object which can be used to encrypt
or decrypt data based on the specified encryption parameters and
passphrase.
"""
if (not isinstance(params, tuple) or len(params) != 2 or
not isinstance(params[0], tuple) or len(params[0]) < 1 or
not isinstance(params[1], tuple) or len(params[1]) < 1):
raise KeyEncryptionError('Invalid PBES2 encryption parameters')
kdf_params = list(params[0])
kdf_alg = kdf_params.pop(0)
if kdf_alg not in _pbes2_kdf:
raise KeyEncryptionError('Unknown PBES2 key derivation function')
enc_params = list(params[1])
enc_alg = enc_params.pop(0)
if enc_alg not in _pbes2_cipher:
raise KeyEncryptionError('Unknown PBES2 encryption algorithm')
kdf_handler, kdf_args = _pbes2_kdf[kdf_alg]
enc_handler, cipher_name = _pbes2_cipher[enc_alg]
default_key_size, _, _ = get_cipher_params(cipher_name)
key = kdf_handler(kdf_params, passphrase, default_key_size, *kdf_args)
return enc_handler(enc_params, cipher_name, key)
aes128-cbc, aes192-cbc, aes256-cbc, des-cbc, des3-cbc
"""
if pkcs1_cipher_name in _pkcs1_dek_name:
pkcs1_dek_name = _pkcs1_dek_name[pkcs1_cipher_name]
cipher_name = _pkcs1_cipher[pkcs1_dek_name]
key_size, iv_size, block_size = get_cipher_params(cipher_name)
iv = os.urandom(iv_size)
key = _pbkdf1(md5, passphrase, iv[:8], 1, key_size)
cipher = _RFC1423Pad(cipher_name, block_size, key, iv)
return pkcs1_dek_name, iv, cipher.encrypt(data)
else:
raise KeyEncryptionError('Unknown PKCS#1 encryption algorithm')
if (not isinstance(params, tuple) or len(params) != 2 or
not isinstance(params[0], tuple) or len(params[0]) < 1 or
not isinstance(params[1], tuple) or len(params[1]) < 1):
raise KeyEncryptionError('Invalid PBES2 encryption parameters')
kdf_params = list(params[0])
kdf_alg = kdf_params.pop(0)
if kdf_alg not in _pbes2_kdf:
raise KeyEncryptionError('Unknown PBES2 key derivation function')
enc_params = list(params[1])
enc_alg = enc_params.pop(0)
if enc_alg not in _pbes2_cipher:
raise KeyEncryptionError('Unknown PBES2 encryption algorithm')
kdf_handler, kdf_args = _pbes2_kdf[kdf_alg]
enc_handler, cipher_name = _pbes2_cipher[enc_alg]
default_key_size, _, _ = get_cipher_params(cipher_name)
key = kdf_handler(kdf_params, passphrase, default_key_size, *kdf_args)
return enc_handler(enc_params, cipher_name, key)if isinstance(passphrase, str):
passphrase = passphrase.encode('utf-8')
try:
key = bcrypt.kdf(passphrase, salt, key_size + iv_size,
rounds, ignore_few_rounds=True)
except ValueError:
raise KeyEncryptionError('Invalid OpenSSH '
'private key') from None
cipher = get_encryption(cipher_name, key[:key_size], key[key_size:])
key_data = cipher.decrypt_packet(0, b'', key_data, 0, mac)
if key_data is None:
raise KeyEncryptionError('Incorrect passphrase')
block_size = max(block_size, 8)
else:
block_size = 8
packet = SSHPacket(key_data)
check1 = packet.get_uint32()
check2 = packet.get_uint32()
if check1 != check2:
if cipher_name != b'none':
raise KeyEncryptionError('Incorrect passphrase') from None
else:
raise KeyImportError('Invalid OpenSSH private key')
alg = packet.get_string()raise KeyEncryptionError('Invalid PKCS#8 encrypted key format')
alg, params = alg_params
if alg == _ES2:
cipher = _pbes2(params, passphrase)
elif alg in _pkcs8_handler:
handler, hash_alg, cipher_name = _pkcs8_handler[alg]
cipher = handler(params, passphrase, hash_alg, cipher_name)
else:
raise KeyEncryptionError('Unknown PKCS#8 encryption algorithm')
try:
return der_decode(cipher.decrypt(data))
except (ASN1DecodeError, UnicodeDecodeError):
raise KeyEncryptionError('Invalid PKCS#8 encrypted key data')asyncssh
AsyncSSH: Asynchronous SSHv2 client and server library
Package Health Score
82 / 100Popular asyncssh functions
- asyncssh.asn1.ASN1DecodeError
- asyncssh.asn1.BitString
- asyncssh.asn1.der_encode
- asyncssh.asn1.ObjectIdentifier
- asyncssh.connect
- asyncssh.create_server
- asyncssh.Error
- asyncssh.generate_private_key
- asyncssh.load_keypairs
- asyncssh.misc.ProtocolError
- asyncssh.packet.Byte
- asyncssh.packet.MPInt
- asyncssh.packet.SSHPacket
- asyncssh.packet.String
- asyncssh.packet.UInt32
- asyncssh.pbe.KeyEncryptionError
- asyncssh.public_key.KeyExportError
- asyncssh.public_key.KeyImportError
- asyncssh.read_private_key
- asyncssh.sftp.SFTPError