Clean up unicode string typing.

tknarr · tknarr · commit b0ca8faee50f · 2016-07-08T20:46:52.000-07:00
diff --git a/pyauth/About.py b/pyauth/About.py
@@ -2,7 +2,6 @@
 """Metadata about the program."""
 
 import sysconfig
-import base64
 import io
 import pkg_resources
 import wx
diff --git a/pyauth/AuthenticationStore.py b/pyauth/AuthenticationStore.py
@@ -4,6 +4,7 @@
 import os
 import errno
 import string
+import base64
 import wx
 import pyotp
 from About import GetProgramName, GetVendorName
@@ -61,12 +62,16 @@ def __init__( self, filename, password ):
         # algorithm has changed).
         self.algorithm = AuthenticationStore.CURRENT_ALGORITHM
         self.old_algorithm = self.cfg.Read( '/crypto/algorithm', 'cleartext' )
-        self.old_password_salt = self.cfg.Read( '/crypto/salt', '' ).encode()
+        oldsalt = self.cfg.Read( '/crypto/salt', '' )
+        if self.old_algorithm == 'AES' or self.old_algorithm == 'cleartext':
+            self.old_password_salt = oldsalt.encode()
+        else:
+            self.old_password_salt = base64.urlsafe_b64decode( oldsalt.encode() )
         self.decryptor = create_encryption_object( self.old_algorithm, password,
                                                    self.old_password_salt )
         self.algorithm_changed = self.decryptor.algorithm != self.algorithm
         if self.algorithm_changed:
-            self.password_salt = generate_salt( self.algorithm ).encode()
+            self.password_salt = generate_salt( self.algorithm )
             self.password_changed = True
             self.encryptor = create_encryption_object( self.algorithm, password,
                                                        self.password_salt )
@@ -146,7 +151,7 @@ def Save( self, force = False ):
         for entry in self.entry_list:
             entry.Save( self.cfg, "/entries", self.encryptor, force )
         if self.password_changed:
-            self.cfg.Write( '/crypto/salt', self.password_salt )
+            self.cfg.Write( '/crypto/salt', base64.urlsafe_b64encode( self.password_salt ) )
             self.password_changed = False
         if self.algorithm_changed:
             self.cfg.Write( '/crypto/algorithm', self.algorithm )
@@ -338,7 +343,8 @@ def Load( klass, cfg, entry_group, decryptor ):
         sort_index = cfg.ReadInt( 'sort_index' )
         provider = cfg.Read( 'provider' )
         account = cfg.Read( 'account' )
-        secret = decryptor.Decrypt( cfg.Read( 'secret' ) )
+        encrypted_secret = cfg.Read( 'secret' )
+        secret = decryptor.Decrypt( encrypted_secret )
         digits = cfg.ReadInt( 'digits', 6 )
         original_label = cfg.Read( 'original_label', '' )
         if original_label == '':
diff --git a/pyauth/Encryption.py b/pyauth/Encryption.py
@@ -1,5 +1,13 @@
 # -*- coding: utf-8 -*-
-"""Encryption for the authentication store."""
+"""
+Encryption for the authentication store.
+
+Passwords and cleartext are Unicode text strings. Ciphertext is a
+Unicode string containing base64-encoded data. The salt used for
+key derivation is an unencoded byte string representing raw byte
+data (the obsolete AES encryption method uses an unencoded or
+Unicode string containing base64 data directly).
+"""
 
 import os
 import string
@@ -33,7 +41,7 @@ def __init__( self, password = None, salt = None ):
                               salt = self.storage_key_salt,
                               iterations = 100000,
                               backend = self.backend )
-            self.storage_key = base64.urlsafe_b64encode( kdf.derive( password ) )
+            self.storage_key = base64.urlsafe_b64encode( kdf.derive( password.encode() ) )
 
     @classmethod
     def GenerateSalt( cls ):
@@ -62,7 +70,7 @@ def Encrypt( self, secret ):
         cleartext = padder.update( secret.encode() )
         cleartext += padder.finalize()
         ciphertext = f.encrypt( cleartext.encode() )
-        return ciphertext
+        return unicode( ciphertext )
 
     def Decrypt( self, token ):
         """Decrypt a secret using the current key."""
@@ -95,7 +103,7 @@ def __init__( self, password = None, salt = None ):
                               salt = self.storage_key_salt,
                               iterations = 10000,
                               backend = self.backend )
-            self.storage_key = base64.b64encode( kdf.derive( password ) )
+            self.storage_key = kdf.derive( password.encode() )
 
     @classmethod
     def GenerateSalt( cls ):
@@ -126,7 +134,7 @@ def Decrypt( self, ciphertext ):
             b = base64.standard_b64decode( ciphertext )
             iv = b[0:self.BLOCK_SIZE]
             raw_ciphertext = b[self.BLOCK_SIZE:]
-            cipher = Cipher( algorithms.AES( base64.b64decode( self.storage_key ) ),
+            cipher = Cipher( algorithms.AES( self.storage_key ),
                              modes.CBC( iv ), self.backend )
             decryptor = cipher.decryptor()
             cleartext = decryptor.update( raw_ciphertext ) + decryptor.finalize()
@@ -150,23 +158,23 @@ def SetPassword( self, new_password, new_salt = None ):
         pass
 
     def Encrypt( self, cleartext ):
-        return cleartext
+        raise NotImplementedError( "Encryption is not supported by the cleartext algorithm." )
 
     def Decrypt( self, ciphertext ):
         return ciphertext
 
 def generate_salt( algorithm_name ):
     if algorithm_name == 'FERNET-256':
-        s = base64.urlsafe_b64encode( Fernet_256.GenerateSalt() )
+        salt = Fernet_256.GenerateSalt()
     else:
         raise NotImplementedError( "Algorithm not implemented: " + algorithm_name )
-    return s
+    return salt
 
 def create_encryption_object( algorithm_name, password = None, salt = None ):
     if algorithm_name == 'FERNET-256':
-        e = Fernet_256( password.encode(), salt )
+        e = Fernet_256( password, salt )
     elif algorithm_name == 'AES':
-        e = Old_AES( password.encode(), salt )
+        e = Old_AES( password, salt )
     elif algorithm_name == 'cleartext':
         e = Cleartext()
     else:
