Handle AES-256 compatibility in Identity

2025-07-22 14:31:00 -04:00 · 2025-05-06 16:12:15 +02:00 · 2025-05-06 16:12:15 +02:00 · 437da99d63
commit 437da99d63
parent 3cbcbec942
2 changed files with 63 additions and 61 deletions
--- a/RNS/Cryptography/Token.py
+++ b/RNS/Cryptography/Token.py
@ -37,7 +37,8 @@ from RNS.Cryptography import AES
 from RNS.Cryptography.AES import AES_128_CBC
 from RNS.Cryptography.AES import AES_256_CBC

-# import RNS # TODO: Remove
+# TODO: Remove after migration
+import RNS

 class Token():
    """
@ -66,23 +67,11 @@ class Token():
                self._signing_key = key[:16]
                self._encryption_key = key[16:]

-                ####################################################################
-                self.mode_legacy = AES_128_CBC        # TODO: Remove after migration
-                self._signing_key_128 = key[:16]      # TODO: Remove after migration
-                self._encryption_key_128 = key[16:]   # TODO: Remove after migration
-                ####################################################################
-
            elif len(key) == 64:
                self.mode = AES_256_CBC
                self._signing_key = key[:32]
                self._encryption_key = key[32:]

-                ####################################################################
-                self.mode_legacy = AES_128_CBC        # TODO: Remove after migration
-                self._signing_key_128 = key[:16]      # TODO: Remove after migration
-                self._encryption_key_128 = key[16:32] # TODO: Remove after migration
-                ####################################################################
-
            else: raise ValueError("Token key must be 128 or 256 bits, not "+str(len(key)*8))

        else: raise TypeError(f"Invalid token mode: {mode}")
@ -93,11 +82,8 @@ class Token():
        else:
            received_hmac = token[-32:]
            expected_hmac = HMAC.new(self._signing_key, token[:-32]).digest()
-            expected_hmac_128 = HMAC.new(self._signing_key_128, token[:-32]).digest() # TODO: Remove after migration

-            # TODO: Reset after migration
-            # if received_hmac == expected_hmac: return True
-            if received_hmac == expected_hmac or received_hmac == expected_hmac_128: return True
+            if received_hmac == expected_hmac: return True
            else: return False


@ -105,6 +91,7 @@ class Token():
        if not isinstance(data, bytes): raise TypeError("Token plaintext input must be bytes")
        iv = os.urandom(16)

+        # RNS.log(f"Encrypting with {self.mode}") # TODO: Remove
        ciphertext = self.mode.encrypt(
            plaintext = PKCS7.pad(data),
            key = self._encryption_key,
@ -116,6 +103,7 @@ class Token():


    def decrypt(self, token = None):
+        # RNS.log(f"Trying decryption with {self.mode}") # TODO: Remove
        if not isinstance(token, bytes): raise TypeError("Token must be bytes")
        if not self.verify_hmac(token): raise ValueError("Token HMAC was invalid")

@ -123,30 +111,14 @@ class Token():
        ciphertext = token[16:-32]

        try:
-            try:
-                # RNS.log(f"Trying decryption with {self.mode}", RNS.LOG_DEBUG) # TODO: Remove
-                plaintext = PKCS7.unpad(
-                    self.mode.decrypt(
-                        ciphertext = ciphertext,
-                        key = self._encryption_key,
-                        iv = iv))
+            plaintext = PKCS7.unpad(
+                self.mode.decrypt(
+                    ciphertext = ciphertext,
+                    key = self._encryption_key,
+                    iv = iv))

-                # RNS.log(f"Decrypted packet with {self.mode}", RNS.LOG_DEBUG) # TODO: Remove
-                return plaintext
-
-            # TODO: Remove after migration ############################
-            except Exception as e:
-                # RNS.log(f"{self.mode} decryption failed", RNS.LOG_DEBUG) # TODO: Remove
-                # RNS.log(f"Trying decryption with {self.mode_legacy}", RNS.LOG_DEBUG) # TODO: Remove
-                plaintext = PKCS7.unpad(
-                    self.mode_legacy.decrypt(
-                        ciphertext = ciphertext,
-                        key = self._encryption_key_128,
-                        iv = iv))
-
-                # RNS.log(f"Decrypted packet with {self.mode_legacy}", RNS.LOG_DEBUG) # TODO: Remove
-                return plaintext
-            ###########################################################
+            # RNS.log(f"Decrypted packet with {self.mode}") # TODO: Remove
+            return plaintext

        except Exception as e:
            RNS.trace_exception(e) # TODO: Remove after migration