This function is used to decrypt the AES seed phrase returned from the master server. The seed phrase is decrypted with the SSH RSA host key. Pass in the encrypted AES key. Returns the decrypted AES seed key, a string :param dict payload: The incomi
(self, payload, master_pub=True)
| 1452 | return payload |
| 1453 | |
| 1454 | def decrypt_aes(self, payload, master_pub=True): |
| 1455 | """ |
| 1456 | This function is used to decrypt the AES seed phrase returned from |
| 1457 | the master server. The seed phrase is decrypted with the SSH RSA |
| 1458 | host key. |
| 1459 | |
| 1460 | Pass in the encrypted AES key. |
| 1461 | Returns the decrypted AES seed key, a string |
| 1462 | |
| 1463 | :param dict payload: The incoming payload. This is a dictionary which may have the following keys: |
| 1464 | 'aes': The shared AES key |
| 1465 | 'enc': The format of the message. ('clear', 'pub', etc) |
| 1466 | 'sig': The message signature |
| 1467 | 'publish_port': The TCP port which published the message |
| 1468 | 'token': The encrypted token used to verify the message. |
| 1469 | 'pub_key': The public key of the sender. |
| 1470 | |
| 1471 | :rtype: str |
| 1472 | :return: The decrypted token that was provided, with padding. |
| 1473 | |
| 1474 | :rtype: str |
| 1475 | :return: The decrypted AES seed key |
| 1476 | """ |
| 1477 | if self.opts.get("auth_trb", False): |
| 1478 | log.warning("Auth Called: %s", "".join(traceback.format_stack())) |
| 1479 | else: |
| 1480 | log.debug("Decrypting the current master AES key") |
| 1481 | |
| 1482 | key = self.get_keys() |
| 1483 | key_str = key.decrypt(payload["aes"], self.opts["encryption_algorithm"]) |
| 1484 | if "sig" in payload: |
| 1485 | m_path = os.path.join(self.opts["pki_dir"], self.mpub) |
| 1486 | if os.path.exists(m_path): |
| 1487 | try: |
| 1488 | mkey = PublicKey.from_file(m_path) |
| 1489 | except Exception: # pylint: disable=broad-except |
| 1490 | log.exception("Something unexpected occured loading master pub-key") |
| 1491 | return "", "" |
| 1492 | digest = hashlib.sha256(key_str).hexdigest() |
| 1493 | digest = salt.utils.stringutils.to_bytes(digest) |
| 1494 | m_digest = mkey.decrypt(payload["sig"]) |
| 1495 | if m_digest != digest: |
| 1496 | return "", "" |
| 1497 | else: |
| 1498 | return "", "" |
| 1499 | |
| 1500 | key_str = salt.utils.stringutils.to_str(key_str) |
| 1501 | |
| 1502 | if "_|-" in key_str: |
| 1503 | return key_str.split("_|-") |
| 1504 | else: |
| 1505 | if "token" in payload: |
| 1506 | token = key.decrypt(payload["token"], self.opts["encryption_algorithm"]) |
| 1507 | return key_str, token |
| 1508 | elif not master_pub: |
| 1509 | return key_str, "" |
| 1510 | return "", "" |
| 1511 |