CryptoDataHub 0.11.1__tar.gz → 0.12.1__tar.gz

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/CHANGELOG.rst

@@ -2,6 +2,42 @@
 Changelog
 =========
 
+-------------------
+0.12.1 - 2023-12-13
+-------------------
+
+Improvements
+============
+
+-  SSH
+
+   -  add missing compression algorithms (#16)
+   -  add missing encryption algorithms (#16)
+   -  add missing host key algorithms (#16)
+   -  add missing KEX algorithms (#16)
+
+-  TLS
+
+   -  add grade for SSL cipher kinds (#18)
+
+-------------------
+0.11.2 - 2023-11-13
+-------------------
+
+Notable fixes
+=============
+
+-  Generic
+
+   -  add missing garde for PQC algorithms
+
+Refactor
+========
+
+-  Generic
+
+   -  move HTTP fetcher and digest generation to common utils
+
 -------------------
 0.11.1 - 2023-11-06
 -------------------

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/CryptoDataHub.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: CryptoDataHub
-Version: 0.11.1
+Version: 0.12.1
 Summary: Repository of cryptography-related data
 Author: Szilárd Pfeiffer
 Author-email: coroner@pfeifferszilard.hu

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: CryptoDataHub
-Version: 0.11.1
+Version: 0.12.1
 Summary: Repository of cryptography-related data
 Author: Szilárd Pfeiffer
 Author-email: coroner@pfeifferszilard.hu

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/__setup__.py

@@ -2,7 +2,7 @@
 
 __title__ = 'CryptoDataHub'
 __technical_name__ = __title__.lower()
-__version__ = '0.11.1'
+__version__ = '0.12.1'
 __description__ = 'Repository of cryptography-related data'
 __author__ = 'Szilárd Pfeiffer'
 __author_email__ = 'coroner@pfeifferszilard.hu'

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/algorithm.py

@@ -115,7 +115,7 @@ class MACParams(CryptoDataParamsOIDOptional, GradeableVulnerabilities):
 MAC = CryptoDataEnumOIDBase('MAC', CryptoDataEnumOIDBase.get_json_records(MACParams))
 
 
-@attr.s
+@attr.s(frozen=True)
 class MACModeParams(CryptoDataParamsEnumString, GradeableVulnerabilities):
     name = attr.ib(validator=attr.validators.instance_of(six.string_types))
 

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/authentication.json

@@ -102,5 +102,12 @@
         "oid": null,
         "vulnerabilities": [],
         "anonymous": false
+    },
+    "XMSS": {
+        "name": "XMSS",
+        "long_name": "eXtended Merkle Signature Scheme",
+        "oid": null,
+        "vulnerabilities": [],
+        "anonymous": false
     }
 }

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/block-cipher-mode.json

@@ -33,13 +33,7 @@
     "CTR": {
         "name": "CTR",
         "long_name": "counter",
-        "vulnerabilities": [
-            {
-                "attack_type": "REUSED_KEY_ATTACK",
-                "grade": "WEAK",
-                "named": null
-            }
-        ]
+        "vulnerabilities": []
     },
     "ECB": {
         "name": "ECB",

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/block-cipher.json

@@ -85,7 +85,7 @@
             }
         ],
         "key_size": 192,
-        "block_size": 192
+        "block_size": 128
     },
     "TWOFISH256": {
         "name": "Twofish-256",
@@ -98,7 +98,7 @@
             }
         ],
         "key_size": 256,
-        "block_size": 256
+        "block_size": 128
     },
     "CAMELLIA_128": {
         "name": "Camellia-128",
@@ -107,6 +107,13 @@
         "key_size": 128,
         "block_size": 128
     },
+    "CAMELLIA_192": {
+        "name": "Camellia-192",
+        "long_name": null,
+        "vulnerabilities": null,
+        "key_size": 192,
+        "block_size": 128
+    },
     "CAMELLIA_256": {
         "name": "Camellia-256",
         "long_name": null,
@@ -431,6 +438,13 @@
         "key_size": 256,
         "block_size": 128
     },
+    "SM4": {
+        "name": "SM4",
+        "long_name": "ShangMi 4",
+        "vulnerabilities": [],
+        "key_size": 128,
+        "block_size": 128
+    },
     "TRIPLE_DES": {
         "name": "3DES",
         "long_name": "Triple DES",

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/hash.json

@@ -45,7 +45,7 @@
                 "named": null
             }
         ],
-        "digest_size": 64
+        "digest_size": 128
     },
     "RIPEMD128": {
         "name": "RIPEMD-128",
@@ -99,6 +99,19 @@
         ],
         "digest_size": 160
     },
+    "SHA1_96": {
+        "name": "SHA-1/96",
+        "long_name": "Secure Hash Algorithm 1 (96)",
+        "oid": null,
+        "vulnerabilities": [
+            {
+                "attack_type": "COLLISION",
+                "grade": "WEAK",
+                "named": null
+            }
+        ],
+        "digest_size": 96
+    },
     "SHA2_224": {
         "name": "SHA-224",
         "long_name": "Secure Hash Algorithm 2 (224)",
@@ -183,6 +196,13 @@
         "vulnerabilities": null,
         "digest_size": 256
     },
+    "SM3": {
+        "name": "SM3",
+        "long_name": "ShangMi 3",
+        "oid": "1.2.156.10197.1.401",
+        "vulnerabilities": null,
+        "digest_size": 256
+    },
     "TIGER_128": {
         "name": "Tiger/128",
         "long_name": null,
@@ -194,7 +214,13 @@
         "name": "Tiger/128(96)",
         "long_name": null,
         "oid": null,
-        "vulnerabilities": null,
+        "vulnerabilities": [
+            {
+                "attack_type": "COLLISION",
+                "grade": "WEAK",
+                "named": null
+            }
+        ],
         "digest_size": 96
     },
     "TIGER_160": {
@@ -208,7 +234,13 @@
         "name": "Tiger/160(96)",
         "long_name": null,
         "oid": null,
-        "vulnerabilities": null,
+        "vulnerabilities": [
+            {
+                "attack_type": "COLLISION",
+                "grade": "WEAK",
+                "named": null
+            }
+        ],
         "digest_size": 96
     },
     "TIGER_192": {
@@ -222,7 +254,13 @@
         "name": "Tiger/192(96)",
         "long_name": null,
         "oid": null,
-        "vulnerabilities": null,
+        "vulnerabilities": [
+            {
+                "attack_type": "COLLISION",
+                "grade": "WEAK",
+                "named": null
+            }
+        ],
         "digest_size": 96
     },
     "WHIRLPOOL": {

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/key-exchange.json

@@ -128,7 +128,7 @@
     "HYBRID_PQS": {
         "name": "hybrid post-quantum safe",
         "long_name": null,
-        "vulnerabilities": null,
+        "vulnerabilities": [],
         "forward_secret": true
     },
     "SRP": {

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/key.py

@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 
 import abc
-import hashlib
 import base64
 import collections
 import datetime
@@ -26,7 +25,7 @@ from cryptodatahub.common.grade import (
     Vulnerability,
 )
 from cryptodatahub.common.types import _ConverterBase
-from cryptodatahub.common.utils import bytes_to_hex_string
+from cryptodatahub.common.utils import bytes_to_hex_string, hash_bytes
 
 from cryptodatahub.tls.algorithm import TlsExtensionType
 
@@ -38,7 +37,7 @@ class _PublicKeySizeGradeable(GradeableVulnerabilities):
         return 'public key size'
 
 
-@attr.s
+@attr.s(frozen=True)
 class PublicKeySize(GradeableComplex):
     _FINITE_FIELD_TYPES = [Authentication.RSA, Authentication.DSS, KeyExchange.ADH, KeyExchange.DH, KeyExchange.DHE]
     _ELLIPTIC_CURVE_TYPES = [Authentication.ECDSA, Authentication.EDDSA, KeyExchange.ECDH, KeyExchange.ECDHE]
@@ -79,6 +78,8 @@ class PublicKeySize(GradeableComplex):
                     Vulnerability(attack_type=AttackType.DOS_ATTACK, grade=Grade.WEAK, named=AttackNamed.DHEAT_ATTACK)
                 )
             gradeables = [_PublicKeySizeGradeable(gradeables)]
+        elif self.key_type == KeyExchange.HYBRID_PQS:
+            gradeables = []
         else:
             gradeables = None
 
@@ -109,12 +110,12 @@ def convert_public_key_size(key_exchange):
     return _PublicKeySizeConverter(key_exchange)
 
 
-@attr.s
+@attr.s(frozen=True)
 class PublicKeyParamBase(object):
     pass
 
 
-@attr.s
+@attr.s(frozen=True)
 class PublicKeyParamsDsa(PublicKeyParamBase):
     prime = attr.ib(validator=attr.validators.instance_of(six.integer_types))
     generator = attr.ib(validator=attr.validators.instance_of(six.integer_types))
@@ -122,7 +123,7 @@ class PublicKeyParamsDsa(PublicKeyParamBase):
     public_key_value = attr.ib(validator=attr.validators.instance_of(six.integer_types))
 
 
-@attr.s
+@attr.s(frozen=True)
 class PublicKeyParamsEcdsa(PublicKeyParamBase):
     named_group = attr.ib(validator=attr.validators.instance_of(NamedGroup))
     point_x = attr.ib(validator=attr.validators.instance_of(six.integer_types))
@@ -142,26 +143,20 @@ class PublicKeyParamsEcdsa(PublicKeyParamBase):
         return bytes(asn1crypto.keys.ECPointBitString.from_coords(self.point_x, self.point_y))
 
 
-@attr.s
+@attr.s(frozen=True)
 class PublicKeyParamsEddsa(PublicKeyParamBase):
     curve_type = attr.ib(validator=attr.validators.instance_of(NamedGroup))
     key_data = attr.ib(validator=attr.validators.instance_of((bytes, bytearray)))
 
 
-@attr.s
+@attr.s(frozen=True)
 class PublicKeyParamsRsa(PublicKeyParamBase):
     modulus = attr.ib(validator=attr.validators.instance_of(six.integer_types))
     public_exponent = attr.ib(validator=attr.validators.instance_of(six.integer_types))
 
 
-@attr.s(eq=False)
+@attr.s(eq=False, frozen=True)
 class PublicKey(object):
-    _HASHLIB_FUNCS = {
-        Hash.MD5: hashlib.md5,
-        Hash.SHA1: hashlib.sha1,
-        Hash.SHA2_256: hashlib.sha256
-    }
-
     _public_key = attr.ib(validator=attr.validators.instance_of(asn1crypto.keys.PublicKeyInfo))
 
     @classmethod
@@ -317,17 +312,11 @@ class PublicKey(object):
     def key_bytes(self):
         return PublicKey.der.fget(self)
 
-    @classmethod
-    def get_digest(cls, hash_type, key_bytes):
-        try:
-            hashlib_funcs = cls._HASHLIB_FUNCS[hash_type]
-        except KeyError as e:
-            six.raise_from(NotImplementedError(hash_type), e)
-
-        return hashlib_funcs(key_bytes).digest()
+    def get_digest(self, hash_type):
+        return hash_bytes(hash_type, self.der)
 
     def fingerprint(self, hash_type):
-        return bytes_to_hex_string(self.get_digest(hash_type, self.der), ':')
+        return bytes_to_hex_string(self.get_digest(hash_type), ':')
 
     @property
     def fingerprints(self):
@@ -374,7 +363,7 @@ class PublicKeySigned(PublicKey):
         raise NotImplementedError()
 
 
-@attr.s(eq=False, init=False)
+@attr.s(eq=False, init=False, frozen=True)
 class PublicKeyX509Base(PublicKeySigned):  # pylint: disable=too-many-public-methods
     _EV_OIDS_BY_CA = {
         'A-Trust': ('1.2.40.0.17.1.22', ),
@@ -435,7 +424,7 @@ class PublicKeyX509Base(PublicKeySigned):  # pylint: disable=too-many-public-met
     def __init__(self, certificate):
         super(PublicKeySigned, self).__init__(certificate.public_key)
 
-        self._certificate = certificate
+        object.__setattr__(self, '_certificate', certificate)
 
     @classmethod
     def _get_type_name(cls):
@@ -472,7 +461,7 @@ class PublicKeyX509Base(PublicKeySigned):  # pylint: disable=too-many-public-met
 
     @property
     def public_key_pin(self):
-        return base64.b64encode(self.get_digest(Hash.SHA2_256, self.key_bytes)).decode('ascii')
+        return base64.b64encode(hash_bytes(Hash.SHA2_256, self.key_bytes)).decode('ascii')
 
     def _has_any_policy_value(self, oid_values):
         if self._certificate.certificate_policies_value is None:

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/mac.json

@@ -31,6 +31,54 @@
         "digest_size": 256,
         "hash_algorithm": null
     },
+    "CBCMAC_3DES": {
+        "name": "CBC-MAC 3DES",
+        "long_name": null,
+        "oid": null,
+        "vulnerabilities": null,
+        "digest_size": 64,
+        "hash_algorithm": null
+    },
+    "CBCMAC_AES": {
+        "name": "CBC-MAC AES",
+        "long_name": null,
+        "oid": null,
+        "vulnerabilities": null,
+        "digest_size": 128,
+        "hash_algorithm": null
+    },
+    "CBCMAC_BLOWFISH": {
+        "name": "CBC-MAC Blowfish",
+        "long_name": null,
+        "oid": null,
+        "vulnerabilities": null,
+        "digest_size": 64,
+        "hash_algorithm": null
+    },
+    "CBCMAC_DES": {
+        "name": "CBC-MAC DES",
+        "long_name": null,
+        "oid": null,
+        "vulnerabilities": null,
+        "digest_size": 64,
+        "hash_algorithm": null
+    },
+    "CBCMAC_RIJNDAEL": {
+        "name": "CBC-MAC Rijndael",
+        "long_name": null,
+        "oid": null,
+        "vulnerabilities": null,
+        "digest_size": 128,
+        "hash_algorithm": null
+    },
+    "CBCMAC_TWOFISH": {
+        "name": "CBC-MAC Twofish",
+        "long_name": null,
+        "oid": null,
+        "vulnerabilities": null,
+        "digest_size": 128,
+        "hash_algorithm": null
+    },
     "CRYPTICORE": {
         "name": "CryptiCore",
         "long_name": "CryptiCore (Badger)",
@@ -239,6 +287,14 @@
         "digest_size": null,
         "hash_algorithm": "SHA3_512"
     },
+    "SM3": {
+        "name": "SM3",
+        "long_name": "ShangMi 3",
+        "oid": "1.2.156.10197.1.401.2",
+        "vulnerabilities": [],
+        "digest_size": null,
+        "hash_algorithm": "SM3"
+    },
     "TIGER_128": {
         "name": "Tiger/128",
         "long_name": null,

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/parameter.py

@@ -48,7 +48,7 @@ class DHParameterNumbers(object):
         return self.p == other.p and self.g == other.g and (self.q is None or self.q == other.q)
 
 
-@attr.s(eq=False)
+@attr.s(eq=False, frozen=True)
 class DHParamWellKnownParams(CryptoDataParamsBase, GradeableVulnerabilities):
     parameter_numbers = attr.ib(
         converter=convert_dict_to_object(DHParameterNumbers),

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/signature.json

@@ -222,5 +222,12 @@
         "oid": null,
         "key_type": "EDDSA",
         "hash_algorithm": "SHAKE_256"
+    },
+    "XMSS": {
+        "name": "XMSS",
+        "long_name": null,
+        "oid": null,
+        "key_type": "XMSS",
+        "hash_algorithm": "SHA2_256"
     }
 }

{CryptoDataHub-0.11.1 → CryptoDataHub-0.12.1}/cryptodatahub/common/stores.py

@@ -41,7 +41,7 @@ CertificateTransparencyLogStateType = enum.Enum(
 )
 
 
-@attr.s
+@attr.s(frozen=True)
 class CertificateTransparencyLogState(CryptoDataParamsBase):
     state_type = attr.ib(
         converter=convert_enum(CertificateTransparencyLogStateType),
@@ -53,7 +53,7 @@ class CertificateTransparencyLogState(CryptoDataParamsBase):
     )
 
 
-@attr.s
+@attr.s(frozen=True)
 class CertificateTransparencyLogTemporalInterval(CryptoDataParamsBase):
     start_inclusive = attr.ib(
         converter=convert_datetime(),
@@ -65,7 +65,7 @@ class CertificateTransparencyLogTemporalInterval(CryptoDataParamsBase):
     )
 
 
-@attr.s
+@attr.s(frozen=True)
 class CertificateTransparencyLogParamsBase(CryptoDataParamsBase):
     log_id = attr.ib(
         converter=convert_base64_data(),
@@ -75,7 +75,8 @@ class CertificateTransparencyLogParamsBase(CryptoDataParamsBase):
 
 
 class CertificateTransparencyLogUnknown(CertificateTransparencyLogParamsBase):
-    pass
+    def __str__(self):
+        return str(self.log_id)
 
 
 @attr.s(frozen=True)
@@ -131,6 +132,11 @@ class CertificateTransparencyLogParams(  # pylint: disable=too-many-instance-att
         if self.mmd < 1:
             raise ValueError(self.mmd)
 
+    def __str__(self):
+        return '{} ({})'.format(
+            self.description, self.log_id
+        )
+
     @classmethod
     def description_to_enum_item_name(cls, description):
         name = name_to_enum_item_name(description)
@@ -208,7 +214,7 @@ def convert_root_certificate_params():
     return _RootCertificateParamCertificateConverter()
 
 
-@attr.s
+@attr.s(frozen=True)
 class RootCertificateTrustStoreConstraint(CryptoDataParamsBase):
     owner = attr.ib(
         converter=convert_enum(Entity),
@@ -221,7 +227,7 @@ class RootCertificateTrustStoreConstraint(CryptoDataParamsBase):
     )
 
 
-@attr.s
+@attr.s(frozen=True)
 class RootCertificateParams(CryptoDataParamsFetchedBase):
     certificate = attr.ib(
         converter=convert_root_certificate_params(),
@@ -281,9 +287,7 @@ class RootCertificateBase(CryptoDataEnumBase):
     def get_item_by_sha2_256_fingerprint(cls, fingerprint_value):
         if not hasattr(cls, '_ITEMS_BY_SHA2_256_HASH'):
             cls._ITEMS_BY_SHA2_256_HASH = {
-                bytes_to_hex_string(
-                    item.value.certificate.get_digest(Hash.SHA2_256, item.value.certificate.der)
-                ): item
+                bytes_to_hex_string(item.value.certificate.get_digest(Hash.SHA2_256)): item
                 for item in cls
             }
 

CryptoDataHub-0.12.1/cryptodatahub/common/utils.py

@@ -0,0 +1,110 @@
+# -*- coding: utf-8 -*-
+
+import binascii
+import hashlib
+
+import attr
+import six
+import urllib3
+
+from cryptodatahub.common.algorithm import Hash
+
+
+def bytes_to_hex_string(byte_array, separator='', lowercase=False):
+    if lowercase:
+        format_str = '{:02x}'
+    else:
+        format_str = '{:02X}'
+
+    return separator.join([format_str.format(x) for x in six.iterbytes(bytes(byte_array))])
+
+
+def bytes_from_hex_string(hex_string, separator=''):
+    if separator:
+        hex_string = ''.join(hex_string.split(separator))
+
+    try:
+        binary_data = binascii.a2b_hex(hex_string)
+    except (TypeError, ValueError) as e:
+        six.raise_from(ValueError(*e.args), e)
+
+    return binary_data
+
+
+def name_to_enum_item_name(name):
+    converted_name = ''
+    for char in name:
+        if char.isalnum():
+            converted_name += char
+        elif converted_name and converted_name[-1] != '_':
+            converted_name += '_'
+
+    return converted_name.rstrip('_').upper()
+
+
+_HASHLIB_FUNCS = {
+    Hash.MD5: hashlib.md5,
+    Hash.SHA1: hashlib.sha1,
+    Hash.SHA2_224: hashlib.sha224,
+    Hash.SHA2_256: hashlib.sha256,
+    Hash.SHA2_384: hashlib.sha384,
+    Hash.SHA2_512: hashlib.sha512,
+}
+
+
+def hash_bytes(hash_algorithm, hashable_value):
+    try:
+        hashlib_funcs = _HASHLIB_FUNCS[hash_algorithm]
+    except KeyError as e:
+        six.raise_from(NotImplementedError(hash_algorithm), e)
+
+    return hashlib_funcs(hashable_value).digest()
+
+
+@attr.s
+class HttpFetcher(object):
+    connect_timeout = attr.ib(default=2, validator=attr.validators.instance_of((int, float)))
+    read_timeout = attr.ib(default=1, validator=attr.validators.instance_of((int, float)))
+    retry = attr.ib(default=1, validator=attr.validators.instance_of(int))
+    _request_params = attr.ib(default=None, init=False)
+    _response = attr.ib(default=None, init=False)
+
+    def __attrs_post_init__(self):
+        request_params = {
+            'preload_content': False,
+            'timeout': urllib3.Timeout(connect=self.connect_timeout, read=self.read_timeout),
+            'retries': urllib3.Retry(
+                self.retry, status_forcelist=urllib3.Retry.RETRY_AFTER_STATUS_CODES | frozenset([502])
+            ),
+        }
+
+        object.__setattr__(self, '_request_params', request_params)
+
+    def get_response_header(self, header_name):
+        if self._response is None:
+            raise AttributeError()
+
+        return self._response.headers.get(header_name, None)
+
+    @property
+    def response_data(self):
+        if self._response is None:
+            raise AttributeError()
+
+        return self._response.data
+
+    def fetch(self, url):
+        pool_manager = urllib3.PoolManager()
+
+        try:
+            self._response = pool_manager.request('GET', str(url), **self._request_params)
+        except BaseException as e:  # pylint: disable=broad-except
+            if e.__class__.__name__ != 'TimeoutError' and not isinstance(e, urllib3.exceptions.HTTPError):
+                raise e
+
+        pool_manager.clear()
+
+    def __call__(self, url):
+        self.fetch(url)
+
+        return self.response_data