summaryrefslogtreecommitdiff
path: root/keymanager
diff options
context:
space:
mode:
Diffstat (limited to 'keymanager')
-rw-r--r--keymanager/CHANGELOG4
-rw-r--r--keymanager/pkg/requirements.pip4
-rw-r--r--keymanager/src/leap/keymanager/__init__.py27
-rw-r--r--keymanager/src/leap/keymanager/openpgp.py22
4 files changed, 47 insertions, 10 deletions
diff --git a/keymanager/CHANGELOG b/keymanager/CHANGELOG
index 6ec2624..8371498 100644
--- a/keymanager/CHANGELOG
+++ b/keymanager/CHANGELOG
@@ -1,3 +1,7 @@
+0.3.4 Oct 18:
+ o Add option to choose cipher and digest algorithms when signing and
+ encrypting. Closes #4030.
+
0.3.3 Oct 4:
o Add a sanity check for the correct version of gnupg.
o Update code to use gnupg 1.2.2 python module. Closes #2342.
diff --git a/keymanager/pkg/requirements.pip b/keymanager/pkg/requirements.pip
index 5ebd803..1515204 100644
--- a/keymanager/pkg/requirements.pip
+++ b/keymanager/pkg/requirements.pip
@@ -1,4 +1,6 @@
leap.common>=0.3.0
simplejson
requests
-gnupg
+# if we bump the gnupg version, bump also the sanity check
+# in keymanager.__init__
+gnupg>=1.2.3
diff --git a/keymanager/src/leap/keymanager/__init__.py b/keymanager/src/leap/keymanager/__init__.py
index 76be226..a550598 100644
--- a/keymanager/src/leap/keymanager/__init__.py
+++ b/keymanager/src/leap/keymanager/__init__.py
@@ -25,16 +25,19 @@ try:
assert(GPGUtilities) # pyflakes happy
from gnupg import __version__
from distutils.version import LooseVersion as V
- assert(V(__version__) >= V('1.2.2'))
+ assert(V(__version__) >= V('1.2.3'))
-except ImportError, AssertionError:
+except (ImportError, AssertionError):
+ print "*******"
print "Ooops! It looks like there is a conflict in the installed version "
print "of gnupg."
+ print
print "Disclaimer: Ideally, we would need to work a patch and propose the "
print "merge to upstream. But until then do: "
print
print "% pip uninstall python-gnupg"
print "% pip install gnupg"
+ print "*******"
sys.exit(1)
import logging
@@ -391,7 +394,8 @@ class KeyManager(object):
# encrypt/decrypt and sign/verify API
#
- def encrypt(self, data, pubkey, passphrase=None, sign=None):
+ def encrypt(self, data, pubkey, passphrase=None, sign=None,
+ cipher_algo='AES256'):
"""
Encrypt C{data} using public @{key} and sign with C{sign} key.
@@ -401,6 +405,8 @@ class KeyManager(object):
:type pubkey: EncryptionKey
:param sign: The key used for signing.
:type sign: EncryptionKey
+ :param cipher_algo: The cipher algorithm to use.
+ :type cipher_algo: str
:return: The encrypted data.
:rtype: str
@@ -436,7 +442,8 @@ class KeyManager(object):
return self._wrapper_map[privkey.__class__].decrypt(
data, privkey, passphrase, verify)
- def sign(self, data, privkey):
+ def sign(self, data, privkey, digest_algo='SHA512', clearsign=False,
+ detach=True, binary=False):
"""
Sign C{data} with C{privkey}.
@@ -445,6 +452,14 @@ class KeyManager(object):
:param privkey: The private key to be used to sign.
:type privkey: EncryptionKey
+ :param digest_algo: The hash digest to use.
+ :type digest_algo: str
+ :param clearsign: If True, create a cleartext signature.
+ :type clearsign: bool
+ :param detach: If True, create a detached signature.
+ :type detach: bool
+ :param binary: If True, do not ascii armour the output.
+ :type binary: bool
:return: The signed data.
:rtype: str
@@ -454,7 +469,9 @@ class KeyManager(object):
privkey.__class__ in self._wrapper_map,
'Unknown key type.')
leap_assert(privkey.private is True, 'Key is not private.')
- return self._wrapper_map[privkey.__class__].sign(data, privkey)
+ return self._wrapper_map[privkey.__class__].sign(
+ data, privkey, digest_algo=digest_algo, clearsign=clearsign,
+ detach=detach, binary=binary)
def verify(self, data, pubkey):
"""
diff --git a/keymanager/src/leap/keymanager/openpgp.py b/keymanager/src/leap/keymanager/openpgp.py
index 9d8d89a..6412331 100644
--- a/keymanager/src/leap/keymanager/openpgp.py
+++ b/keymanager/src/leap/keymanager/openpgp.py
@@ -433,7 +433,8 @@ class OpenPGPScheme(EncryptionScheme):
raise errors.EncryptionDecryptionFailed(
'Failed to encrypt/decrypt: %s' % stderr)
- def encrypt(self, data, pubkey, passphrase=None, sign=None):
+ def encrypt(self, data, pubkey, passphrase=None, sign=None,
+ cipher_algo='AES256'):
"""
Encrypt C{data} using public @{pubkey} and sign with C{sign} key.
@@ -443,6 +444,8 @@ class OpenPGPScheme(EncryptionScheme):
:type pubkey: OpenPGPKey
:param sign: The key used for signing.
:type sign: OpenPGPKey
+ :param cipher_algo: The cipher algorithm to use.
+ :type cipher_algo: str
:return: The encrypted data.
:rtype: str
@@ -459,7 +462,7 @@ class OpenPGPScheme(EncryptionScheme):
data, pubkey.fingerprint,
default_key=sign.key_id if sign else None,
passphrase=passphrase, symmetric=False,
- cipher_algo='AES256')
+ cipher_algo=cipher_algo)
# Here we cannot assert for correctness of sig because the sig is
# in the ciphertext.
# result.ok - (bool) indicates if the operation succeeded
@@ -517,7 +520,8 @@ class OpenPGPScheme(EncryptionScheme):
gpgutil = GPGUtilities(gpg)
return gpgutil.is_encrypted_asym(data)
- def sign(self, data, privkey):
+ def sign(self, data, privkey, digest_algo='SHA512', clearsign=False,
+ detach=True, binary=False):
"""
Sign C{data} with C{privkey}.
@@ -526,6 +530,14 @@ class OpenPGPScheme(EncryptionScheme):
:param privkey: The private key to be used to sign.
:type privkey: OpenPGPKey
+ :param digest_algo: The hash digest to use.
+ :type digest_algo: str
+ :param clearsign: If True, create a cleartext signature.
+ :type clearsign: bool
+ :param detach: If True, create a detached signature.
+ :type detach: bool
+ :param binary: If True, do not ascii armour the output.
+ :type binary: bool
:return: The ascii-armored signed data.
:rtype: str
@@ -536,7 +548,9 @@ class OpenPGPScheme(EncryptionScheme):
# result.fingerprint - contains the fingerprint of the key used to
# sign.
with self._temporary_gpgwrapper(privkey) as gpg:
- result = gpg.sign(data, default_key=privkey.key_id)
+ result = gpg.sign(data, default_key=privkey.key_id,
+ digest_algo=digest_algo, clearsign=clearsign,
+ detach=detach, binary=binary)
rfprint = privkey.fingerprint
privkey = gpg.list_keys(secret=True).pop()
kfprint = privkey['fingerprint']