jkey 0.1.2__py3-none-any.whl

jkey/2fa/core.py

@@ -0,0 +1,124 @@
+import base64
+import hashlib
+import hmac
+import os
+import struct
+import time
+
+from jkey.pv.core import load_recovery, load_totp, save_recovery, save_totp
+
+
+def _hotp(secret: bytes, counter: int, digits: int = 6) -> str:
+    msg = struct.pack(">Q", counter)
+    h = hmac.new(secret, msg, hashlib.sha1).digest()
+    offset = h[-1] & 0xf
+    truncated = struct.unpack(">I", h[offset:offset+4])[0] & 0x7fffffff
+    return str(truncated % (10 ** digits)).zfill(digits)
+
+
+def _b32_decode(s: str) -> bytes:
+    s = s.upper().replace(" ", "")
+    remainder = len(s) % 8
+    if remainder:
+        s += "=" * (8 - remainder)
+    return base64.b32decode(s)
+
+
+def _validate_b32_secret(s: str) -> bool:
+    try:
+        _b32_decode(s)
+        return True
+    except Exception:
+        return False
+
+
+def totp(secret_key: str, digits: int = 6, interval: int = 30) -> str:
+    secret = _b32_decode(secret_key)
+    counter = int(time.time()) // interval
+    return _hotp(secret, counter, digits)
+
+
+def _import_recovery_file(account: str, recovery_path: str | None):
+    if not recovery_path:
+        return
+    if not os.path.exists(recovery_path):
+        print(f"Warning: Recovery file not found: {recovery_path}")
+        return
+    try:
+        with open(recovery_path, "r", encoding="utf-8") as f:
+            codes = [line.strip() for line in f if line.strip()]
+        if codes:
+            data = load_recovery()
+            if data is None:
+                return
+            data[account] = codes
+            save_recovery(data)
+            print(f"Imported {len(codes)} recovery codes for {account}")
+    except OSError as e:
+        print(f"Warning: Could not read recovery file: {e}")
+
+
+def list_accounts(keyword: str | None = None):
+    data = load_totp()
+    if data is None:
+        return
+    if not data:
+        print("No 2FA accounts found.")
+        return
+    keys = sorted(data.keys())
+    if keyword:
+        keys = [k for k in keys if keyword.lower() in k.lower()]
+        if not keys:
+            print(f"No accounts matching '{keyword}'.")
+            return
+    for acc_id in keys:
+        secret = data[acc_id]
+        try:
+            print(f"{acc_id}: {totp(secret)}")
+        except Exception as e:
+            print(f"Error processing '{acc_id}': {e}")
+
+
+def show_code(account: str):
+    data = load_totp()
+    if data is None:
+        return
+    if account not in data:
+        print(f"Error: Account '{account}' not found.")
+        return
+    secret = data[account]
+    try:
+        print(f"{account}: {totp(secret)}")
+    except Exception as e:
+        print(f"Error processing '{account}': {e}")
+
+
+def add_account(name: str, secret: str, recovery_path: str | None = None):
+    if not _validate_b32_secret(secret):
+        print(f"Error: Invalid base32 secret for '{name}'.")
+        return
+    data = load_totp()
+    if data is None:
+        return
+    data[name] = secret
+    save_totp(data)
+    print(f"Added 2FA account: {name}")
+    _import_recovery_file(name, recovery_path)
+
+
+def remove_account(account: str):
+    data = load_totp()
+    if data is None:
+        return
+    if account not in data:
+        print(f"Error: Account '{account}' not found.")
+        return
+    del data[account]
+    save_totp(data)
+
+    rc = load_recovery()
+    if rc and account in rc:
+        del rc[account]
+        save_recovery(rc)
+
+    print(f"Removed 2FA account: {account}")

jkey/2fa/qr.py

@@ -0,0 +1,65 @@
+import importlib
+import os
+from urllib.parse import parse_qs, unquote, urlparse
+
+import cv2
+
+from jkey.pv.core import load_totp, save_qr_image, save_totp
+
+_core = importlib.import_module("jkey.2fa.core")
+_import_recovery_file = _core._import_recovery_file
+
+
+def scan_and_add(image_path: str, recovery_path: str | None = None):
+    if not os.path.exists(image_path):
+        print(f"Error: File not found: {image_path}")
+        return
+
+    img = cv2.imread(image_path)
+    if img is None:
+        print(f"Error: Could not read image: {image_path}")
+        return
+
+    detector = cv2.QRCodeDetector()
+    data, _, _ = detector.detectAndDecode(img)
+    if not data:
+        print("Error: No QR code found in the image.")
+        return
+
+    parsed = urlparse(data)
+    if parsed.scheme != "otpauth":
+        print(f"Error: Not a valid otpauth:// URL: {data}")
+        return
+
+    params = parse_qs(parsed.query)
+    secret = params.get("secret", [None])[0]
+    if not secret:
+        print("Error: No secret found in QR code.")
+        return
+
+    path = unquote(parsed.path).lstrip("/")
+    issuer = params.get("issuer", [None])[0]
+
+    if issuer and path.startswith(issuer + ":"):
+        name = path[len(issuer) + 1:]
+    elif issuer and ":" in path:
+        name = path
+    else:
+        name = path
+
+    if not name:
+        name = issuer or "unknown"
+
+    data = load_totp()
+    if data is None:
+        return
+    data[name] = secret
+    save_totp(data)
+    print(f"Added 2FA account: {name}")
+
+    try:
+        save_qr_image(name, cv2.imencode(".jpg", img)[1].tobytes())
+    except Exception:
+        pass
+
+    _import_recovery_file(name, recovery_path)

jkey/__main__.py

@@ -0,0 +1,4 @@
+from jkey.cli import main
+
+if __name__ == "__main__":
+    main()

jkey/aes.py

@@ -0,0 +1,279 @@
+import base64
+import hashlib
+import hmac
+import json
+import os
+import sys
+
+SBOX = [
+    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b,
+    0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+    0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7, 0xfd, 0x93, 0x26,
+    0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2,
+    0xeb, 0x27, 0xb2, 0x75, 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
+    0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x00, 0xed,
+    0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f,
+    0x50, 0x3c, 0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
+    0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0x0c, 0x13, 0xec,
+    0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14,
+    0xde, 0x5e, 0x0b, 0xdb, 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
+    0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 0xe7, 0xc8, 0x37, 0x6d,
+    0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f,
+    0x4b, 0xbd, 0x8b, 0x8a, 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
+    0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11,
+    0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f,
+    0xb0, 0x54, 0xbb, 0x16,
+]
+
+INV_SBOX = [0] * 256
+for _i, _v in enumerate(SBOX):
+    INV_SBOX[_v] = _i
+
+RCON = [0x00, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]
+
+
+def _xtime(a):
+    return ((a << 1) ^ 0x11b) & 0xff if a & 0x80 else (a << 1) & 0xff
+
+
+def _gf_mul(a, b):
+    result = 0
+    for _ in range(8):
+        if b & 1:
+            result ^= a
+        a = _xtime(a)
+        b >>= 1
+    return result
+
+
+def _sub_word(word):
+    return (
+        (SBOX[(word >> 24) & 0xff] << 24)
+        | (SBOX[(word >> 16) & 0xff] << 16)
+        | (SBOX[(word >> 8) & 0xff] << 8)
+        | SBOX[word & 0xff]
+    )
+
+
+def _rot_word(word):
+    return ((word << 8) | (word >> 24)) & 0xffffffff
+
+
+def _key_expansion(key: bytes) -> list:
+    nr = 14
+    nk = 8
+    nb = 4
+    nw = nb * (nr + 1)
+    w = []
+    for i in range(nk):
+        w.append(int.from_bytes(key[4*i:4*i+4], 'big'))
+    for i in range(nk, nw):
+        temp = w[i - 1]
+        if i % nk == 0:
+            temp = _sub_word(_rot_word(temp)) ^ (RCON[i // nk] << 24)
+        elif i % nk == 4:
+            temp = _sub_word(temp)
+        w.append(w[i - nk] ^ temp)
+    return w
+
+
+def _bytes_to_state(b: bytes):
+    return [list(b[i:i+4]) for i in range(0, 16, 4)]
+
+
+def _state_to_bytes(state):
+    result = bytearray()
+    for row in state:
+        result.extend(row)
+    return bytes(result)
+
+
+def _add_round_key(state, rk):
+    rk_bytes = []
+    for word in rk:
+        rk_bytes.extend([(word >> 24) & 0xff, (word >> 16) & 0xff, (word >> 8) & 0xff, word & 0xff])
+    for i in range(4):
+        for j in range(4):
+            state[j][i] ^= rk_bytes[i * 4 + j]
+
+
+def _sub_bytes(state):
+    for i in range(4):
+        for j in range(4):
+            state[i][j] = SBOX[state[i][j]]
+
+
+def _inv_sub_bytes(state):
+    for i in range(4):
+        for j in range(4):
+            state[i][j] = INV_SBOX[state[i][j]]
+
+
+def _shift_rows(state):
+    state[1][0], state[1][1], state[1][2], state[1][3] = state[1][1], state[1][2], state[1][3], state[1][0]
+    state[2][0], state[2][1], state[2][2], state[2][3] = state[2][2], state[2][3], state[2][0], state[2][1]
+    state[3][0], state[3][1], state[3][2], state[3][3] = state[3][3], state[3][0], state[3][1], state[3][2]
+
+
+def _inv_shift_rows(state):
+    state[1][0], state[1][1], state[1][2], state[1][3] = state[1][3], state[1][0], state[1][1], state[1][2]
+    state[2][0], state[2][1], state[2][2], state[2][3] = state[2][2], state[2][3], state[2][0], state[2][1]
+    state[3][0], state[3][1], state[3][2], state[3][3] = state[3][1], state[3][2], state[3][3], state[3][0]
+
+
+def _mix_columns(state):
+    for i in range(4):
+        a = [state[j][i] for j in range(4)]
+        state[0][i] = _gf_mul(2, a[0]) ^ _gf_mul(3, a[1]) ^ a[2] ^ a[3]
+        state[1][i] = a[0] ^ _gf_mul(2, a[1]) ^ _gf_mul(3, a[2]) ^ a[3]
+        state[2][i] = a[0] ^ a[1] ^ _gf_mul(2, a[2]) ^ _gf_mul(3, a[3])
+        state[3][i] = _gf_mul(3, a[0]) ^ a[1] ^ a[2] ^ _gf_mul(2, a[3])
+
+
+def _inv_mix_columns(state):
+    for i in range(4):
+        a = [state[j][i] for j in range(4)]
+        state[0][i] = _gf_mul(14, a[0]) ^ _gf_mul(11, a[1]) ^ _gf_mul(13, a[2]) ^ _gf_mul(9, a[3])
+        state[1][i] = _gf_mul(9, a[0]) ^ _gf_mul(14, a[1]) ^ _gf_mul(11, a[2]) ^ _gf_mul(13, a[3])
+        state[2][i] = _gf_mul(13, a[0]) ^ _gf_mul(9, a[1]) ^ _gf_mul(14, a[2]) ^ _gf_mul(11, a[3])
+        state[3][i] = _gf_mul(11, a[0]) ^ _gf_mul(13, a[1]) ^ _gf_mul(9, a[2]) ^ _gf_mul(14, a[3])
+
+
+def _encrypt_block(block: bytes, w: list) -> bytes:
+    state = _bytes_to_state(block)
+    rk = w[:4]
+    _add_round_key(state, rk)
+    for rnd in range(1, 14):
+        _sub_bytes(state)
+        _shift_rows(state)
+        _mix_columns(state)
+        rk = w[4*rnd:4*(rnd+1)]
+        _add_round_key(state, rk)
+    _sub_bytes(state)
+    _shift_rows(state)
+    rk = w[56:60]
+    _add_round_key(state, rk)
+    return _state_to_bytes(state)
+
+
+def _decrypt_block(block: bytes, w: list) -> bytes:
+    state = _bytes_to_state(block)
+    rk = w[56:60]
+    _add_round_key(state, rk)
+    _inv_shift_rows(state)
+    _inv_sub_bytes(state)
+    for rnd in range(13, 0, -1):
+        rk = w[4*rnd:4*(rnd+1)]
+        _add_round_key(state, rk)
+        _inv_mix_columns(state)
+        _inv_shift_rows(state)
+        _inv_sub_bytes(state)
+    rk = w[:4]
+    _add_round_key(state, rk)
+    return _state_to_bytes(state)
+
+
+def _pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
+    pad_len = block_size - (len(data) % block_size)
+    return data + bytes([pad_len] * pad_len)
+
+
+def _pkcs7_unpad(data: bytes) -> bytes:
+    pad_len = data[-1]
+    if pad_len < 1 or pad_len > 16:
+        raise ValueError("Invalid padding")
+    for b in data[-pad_len:]:
+        if b != pad_len:
+            raise ValueError("Invalid padding")
+    return data[:-pad_len]
+
+
+def aes_cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
+    w = _key_expansion(key)
+    ciphertext = bytearray()
+    prev = iv
+    for i in range(0, len(plaintext), 16):
+        block = plaintext[i:i+16]
+        xored = bytes(a ^ b for a, b in zip(block, prev))
+        enc = _encrypt_block(xored, w)
+        ciphertext.extend(enc)
+        prev = enc
+    return bytes(ciphertext)
+
+
+def aes_cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
+    w = _key_expansion(key)
+    plaintext = bytearray()
+    prev = iv
+    for i in range(0, len(ciphertext), 16):
+        block = ciphertext[i:i+16]
+        dec = _decrypt_block(block, w)
+        xored = bytes(a ^ b for a, b in zip(dec, prev))
+        plaintext.extend(xored)
+        prev = block
+    return bytes(plaintext)
+
+
+PBKDF2_ITERATIONS = 600_000
+SALT_LENGTH = 16
+IV_LENGTH = 16
+KEY_LENGTH = 32
+
+
+def derive_key(password: str, salt: bytes, dklen: int = KEY_LENGTH) -> bytes:
+    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=dklen)
+
+
+def encrypt(data: dict, password: str) -> dict:
+    salt = os.urandom(SALT_LENGTH)
+    iv = os.urandom(IV_LENGTH)
+    derived = derive_key(password, salt, dklen=64)
+    enc_key = derived[:32]
+    mac_key = derived[32:]
+    plaintext = json.dumps(data, ensure_ascii=False).encode("utf-8")
+    padded = _pkcs7_pad(plaintext)
+    ciphertext = aes_cbc_encrypt(padded, enc_key, iv)
+    mac = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
+    return {
+        "salt": base64.b64encode(salt).decode("ascii"),
+        "iv": base64.b64encode(iv).decode("ascii"),
+        "data": base64.b64encode(ciphertext).decode("ascii"),
+        "mac": base64.b64encode(mac).decode("ascii"),
+        "version": 3,
+    }
+
+
+def decrypt(encrypted: dict, password: str) -> dict | None:
+    try:
+        salt = base64.b64decode(encrypted["salt"])
+        iv = base64.b64decode(encrypted["iv"])
+        ciphertext = base64.b64decode(encrypted["data"])
+        stored_mac = base64.b64decode(encrypted["mac"])
+    except Exception:
+        return None
+
+    version = encrypted.get("version", 1)
+    if version >= 3:
+        derived = derive_key(password, salt, dklen=64)
+        enc_key = derived[:32]
+        mac_key = derived[32:]
+    else:
+        enc_key = derive_key(password, salt)
+        mac_key = enc_key
+
+    expected_mac = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
+    if not hmac.compare_digest(stored_mac, expected_mac):
+        return None
+
+    try:
+        padded = aes_cbc_decrypt(ciphertext, enc_key, iv)
+        plaintext = _pkcs7_unpad(padded)
+        return json.loads(plaintext.decode("utf-8"))
+    except Exception as e:
+        print(f"Warning: decryption integrity check failed: {e}", file=sys.stderr)
+        return None

jkey/cli.py

@@ -0,0 +1,154 @@
+import argparse
+import importlib
+import sys
+from importlib.metadata import version
+
+from jkey.pm.core import (
+    add_password,
+    delete_password,
+    import_from_csv,
+    list_passwords,
+    show_password,
+)
+from jkey.pm.gen import generate_password
+from jkey.pv.core import cmd_init, cmd_lock, cmd_set_pw, cmd_unlock, decrypt_file, encrypt_file
+from jkey.pv.export import cmd_export
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="jkey",
+        description="Python library for password management and TOTP verification",
+    )
+    parser.add_argument("--version", action="version", version=f"%(prog)s {version('jkey')}")
+    sub = parser.add_subparsers(dest="command")
+
+    p = sub.add_parser("2fa", help="Manage TOTP 2FA accounts")
+    p2 = p.add_subparsers(dest="action")
+    a = p2.add_parser("ls", help="List accounts and TOTP codes")
+    a.add_argument("keyword", nargs="?", default=None)
+    a = p2.add_parser("get", help="Show TOTP code")
+    a.add_argument("account")
+    a = p2.add_parser("add", help="Add account")
+    a.add_argument("name")
+    a.add_argument("secret")
+    a.add_argument("--recovery")
+    a = p2.add_parser("qr", help="Import from QR code")
+    a.add_argument("image_path")
+    a.add_argument("--recovery")
+    a = p2.add_parser("rm", help="Remove account")
+    a.add_argument("account")
+
+    p = sub.add_parser("pm", help="Manage passwords")
+    p2 = p.add_subparsers(dest="action")
+    g = p2.add_parser("gen", help="Generate random password")
+    g.add_argument("-L", "--length", type=int, default=16)
+    g.add_argument("--no-upper", action="store_true")
+    g.add_argument("--no-lower", action="store_true")
+    g.add_argument("--no-digits", action="store_true")
+    g.add_argument("--no-symbols", action="store_true")
+    a = p2.add_parser("ls", help="List stored passwords")
+    a.add_argument("keyword", nargs="?", default=None)
+    a = p2.add_parser("get", help="Show stored password")
+    a.add_argument("name")
+    a = p2.add_parser("add", help="Store password")
+    a.add_argument("name")
+    a = p2.add_parser("rm", help="Delete password")
+    a.add_argument("name")
+    a = p2.add_parser("import", help="Import from CSV")
+    a.add_argument("csv_path")
+
+    p = sub.add_parser("pv", help="Manage encrypted vault (passwd vault)")
+    p2 = p.add_subparsers(dest="action")
+    p2.add_parser("init", help="Initialize vault")
+    p2.add_parser("unlock", help="Unlock vault")
+    p2.add_parser("lock", help="Lock vault")
+    p2.add_parser("set-pw", help="Set master password")
+    e = p2.add_parser("encrypt", help="Encrypt a file")
+    e.add_argument("input")
+    e.add_argument("-o", "--output", help="Output .jkey path")
+    d = p2.add_parser("decrypt", help="Decrypt a .jkey file")
+    d.add_argument("input")
+    d.add_argument("-o", "--output", help="Output file path")
+    x = p2.add_parser("export", help="Export plaintext data (re-enters master password)")
+    x.add_argument("type", choices=["totp", "passwords", "recovery", "qr", "all"])
+    x.add_argument("-o", "--output", help="Output path (file or directory)")
+
+    args = parser.parse_args()
+    if args.command is None:
+        parser.print_help()
+        sys.exit(1)
+
+    if args.command == "2fa":
+        _2fa(args)
+    elif args.command == "pm":
+        _pm(args)
+    elif args.command == "pv":
+        _pv(args)
+
+
+def _2fa(args):
+    core = importlib.import_module("jkey.2fa.core")
+    a = args.action
+    if a == "ls":
+        core.list_accounts(args.keyword)
+    elif a == "get":
+        core.show_code(args.account)
+    elif a == "add":
+        core.add_account(args.name, args.secret, args.recovery)
+    elif a == "qr":
+        qr_mod = importlib.import_module("jkey.2fa.qr")
+        qr_mod.scan_and_add(args.image_path, args.recovery)
+    elif a == "rm":
+        core.remove_account(args.account)
+    else:
+        print("Usage: jkey 2fa ls|get|add|qr|rm")
+
+
+def _pm(args):
+    a = args.action
+    if a == "gen":
+        try:
+            pwd = generate_password(
+                length=args.length,
+                uppercase=not args.no_upper,
+                lowercase=not args.no_lower,
+                digits=not args.no_digits,
+                symbols=not args.no_symbols,
+            )
+            print(pwd)
+        except ValueError as e:
+            print(f"Error: {e}")
+            sys.exit(1)
+    elif a == "ls":
+        list_passwords(args.keyword)
+    elif a == "get":
+        show_password(args.name)
+    elif a == "add":
+        add_password(args.name)
+    elif a == "rm":
+        delete_password(args.name)
+    elif a == "import":
+        import_from_csv(args.csv_path)
+    else:
+        print("Usage: jkey pm gen|ls|get|add|rm|import")
+
+
+def _pv(args):
+    a = args.action
+    if a == "init":
+        cmd_init()
+    elif a == "unlock":
+        cmd_unlock()
+    elif a == "lock":
+        cmd_lock()
+    elif a == "set-pw":
+        cmd_set_pw()
+    elif a == "encrypt":
+        encrypt_file(args.input, args.output)
+    elif a == "decrypt":
+        decrypt_file(args.input, args.output)
+    elif a == "export":
+        cmd_export(args)
+    else:
+        print("Usage: jkey pv init|unlock|lock|set-pw|encrypt|decrypt|export")

jkey/pm/core.py

@@ -0,0 +1,86 @@
+import csv
+import getpass
+
+from jkey.pv.core import load_passwords, save_passwords
+
+
+def list_passwords(keyword: str | None = None):
+    data = load_passwords()
+    if data is None:
+        return
+    if not data:
+        print("No stored passwords found.")
+        return
+    keys = sorted(data.keys())
+    if keyword:
+        keys = [k for k in keys if keyword.lower() in k.lower()]
+        if not keys:
+            print(f"No passwords matching '{keyword}'.")
+            return
+    for name in keys:
+        print(f"{name}: {data[name]}")
+
+
+def show_password(name: str):
+    data = load_passwords()
+    if data is None:
+        return
+    if name not in data:
+        print(f"Error: Password '{name}' not found.")
+        return
+    print(f"{name}: {data[name]}")
+
+
+def add_password(name: str):
+    data = load_passwords()
+    if data is None:
+        return
+    pw = getpass.getpass(f"Password for '{name}': ")
+    if not pw:
+        print("Password cannot be empty.")
+        return
+    data[name] = pw
+    save_passwords(data)
+    print(f"Password stored: {name}")
+
+
+def delete_password(name: str):
+    data = load_passwords()
+    if data is None:
+        return
+    if name not in data:
+        print(f"Error: Password '{name}' not found.")
+        return
+    del data[name]
+    save_passwords(data)
+    print(f"Password deleted: {name}")
+
+
+def import_from_csv(csv_path: str):
+    data = load_passwords()
+    if data is None:
+        return
+    try:
+        with open(csv_path, "r", encoding="utf-8") as f:
+            reader = csv.reader(f)
+            rows = list(reader)
+    except OSError as e:
+        print(f"Error: Cannot read file '{csv_path}': {e}")
+        return
+    if not rows:
+        print("Error: Empty CSV file.")
+        return
+    first = rows[0]
+    if len(first) >= 2 and first[0].strip().lower() in ("name", "url", "account", "key"):
+        rows = rows[1:]
+    imported = 0
+    for row in rows:
+        if len(row) < 2:
+            continue
+        name = row[0].strip()
+        pw = row[1].strip()
+        if name and pw:
+            data[name] = pw
+            imported += 1
+    save_passwords(data)
+    print(f"Imported {imported} passwords from {csv_path}")

jkey/pm/gen.py

@@ -0,0 +1,33 @@
+import secrets
+import string
+
+_SYMBOLS = "!@#$%^&*()_+-=[]{}|;:,.<>?/"
+
+
+def generate_password(
+    length: int = 16,
+    uppercase: bool = True,
+    lowercase: bool = True,
+    digits: bool = True,
+    symbols: bool = True,
+) -> str:
+    char_sets = []
+    if lowercase:
+        char_sets.append(string.ascii_lowercase)
+    if uppercase:
+        char_sets.append(string.ascii_uppercase)
+    if digits:
+        char_sets.append(string.digits)
+    if symbols:
+        char_sets.append(_SYMBOLS)
+    if not char_sets:
+        raise ValueError("At least one character set must be selected.")
+    all_chars = "".join(char_sets)
+    mandatory = [secrets.choice(cs) for cs in char_sets]
+    if length < len(mandatory):
+        raise ValueError("Length too small to include all required character types.")
+    remaining = length - len(mandatory)
+    extra = [secrets.choice(all_chars) for _ in range(remaining)]
+    password_list = mandatory + extra
+    secrets.SystemRandom().shuffle(password_list)
+    return "".join(password_list)

jkey/pv/core.py

@@ -0,0 +1,290 @@
+import base64
+import getpass
+import json
+import os
+
+from jkey import aes
+
+CONFIG_DIR = os.path.join(os.path.expanduser("~"), ".config", "jkey")
+TOTP_FILE = os.path.join(CONFIG_DIR, "totp.jkey")
+PASSWORDS_FILE = os.path.join(CONFIG_DIR, "passwords.jkey")
+RECOVERY_FILE = os.path.join(CONFIG_DIR, "recovery.jkey")
+QR_DIR = os.path.join(CONFIG_DIR, "qr")
+
+_session_password: str | None = None
+_totp_cache: dict | None = None
+_passwords_cache: dict | None = None
+_recovery_cache: dict | None = None
+
+
+def _ensure_dir():
+    os.makedirs(CONFIG_DIR, exist_ok=True)
+    os.makedirs(QR_DIR, exist_ok=True)
+
+
+def _password_from_env() -> str | None:
+    return os.environ.get("JKEY_PASS")
+
+
+def _prompt_password(prompt: str = "Master password: ") -> str:
+    return getpass.getpass(prompt)
+
+
+def _read_jkey(path: str) -> dict | None:
+    if not os.path.exists(path):
+        return None
+    with open(path, "r", encoding="utf-8") as f:
+        return json.load(f)
+
+
+def _write_jkey(path: str, encrypted: dict):
+    _ensure_dir()
+    tmp = path + ".tmp"
+    with open(tmp, "w", encoding="utf-8") as f:
+        json.dump(encrypted, f, indent=4, ensure_ascii=False)
+    os.replace(tmp, path)
+
+
+def _decrypt_file(path: str, password: str) -> dict | None:
+    encrypted = _read_jkey(path)
+    if encrypted is None:
+        return None
+    return aes.decrypt(encrypted, password)
+
+
+def _encrypt_file(path: str, data: dict, password: str):
+    encrypted = aes.encrypt(data, password)
+    _write_jkey(path, encrypted)
+
+
+def _unlock_all(password: str) -> bool:
+    global _session_password, _totp_cache, _passwords_cache, _recovery_cache
+    data = _decrypt_file(TOTP_FILE, password)
+    if data is None:
+        return False
+    _totp_cache = data
+    _passwords_cache = _decrypt_file(PASSWORDS_FILE, password) or {}
+    _recovery_cache = _decrypt_file(RECOVERY_FILE, password) or {}
+    _session_password = password
+    return True
+
+
+def verify_password(password: str) -> bool:
+    encrypted = _read_jkey(TOTP_FILE)
+    if encrypted is None:
+        return False
+    return aes.decrypt(encrypted, password) is not None
+
+
+def _ensure_unlocked():
+    if is_unlocked():
+        return True
+    if not os.path.exists(TOTP_FILE):
+        print("Error: Vault not initialized. Run 'jkey pv init' first.")
+        return False
+    pw = _password_from_env()
+    if pw and _unlock_all(pw):
+        return True
+    for _ in range(3):
+        pw = _prompt_password()
+        if _unlock_all(pw):
+            return True
+        print("Incorrect password. Try again.")
+    print("Failed to unlock vault.")
+    return False
+
+
+def is_unlocked() -> bool:
+    return _session_password is not None
+
+
+def lock():
+    global _session_password, _totp_cache, _passwords_cache, _recovery_cache
+    _session_password = None
+    _totp_cache = None
+    _passwords_cache = None
+    _recovery_cache = None
+
+
+def load_totp() -> dict | None:
+    if not _ensure_unlocked():
+        return None
+    return _totp_cache
+
+
+def save_totp(data: dict):
+    global _totp_cache
+    if _session_password is None:
+        return
+    _encrypt_file(TOTP_FILE, data, _session_password)
+    _totp_cache = data
+
+
+def load_passwords() -> dict | None:
+    if not _ensure_unlocked():
+        return None
+    return _passwords_cache
+
+
+def save_passwords(data: dict):
+    global _passwords_cache
+    if _session_password is None:
+        return
+    _encrypt_file(PASSWORDS_FILE, data, _session_password)
+    _passwords_cache = data
+
+
+def load_recovery() -> dict | None:
+    if not _ensure_unlocked():
+        return None
+    return _recovery_cache
+
+
+def save_recovery(data: dict):
+    global _recovery_cache
+    if _session_password is None:
+        return
+    _encrypt_file(RECOVERY_FILE, data, _session_password)
+    _recovery_cache = data
+
+
+def save_qr_image(name: str, image_data: bytes):
+    if _session_password is None:
+        return
+    _ensure_dir()
+    encoded = base64.b64encode(image_data).decode("ascii")
+    encrypted = aes.encrypt({"raw": encoded}, _session_password)
+    path = os.path.join(QR_DIR, f"{name}.jkey")
+    _write_jkey(path, encrypted)
+
+
+def load_qr_image(name: str) -> bytes | None:
+    if not _ensure_unlocked():
+        return None
+    path = os.path.join(QR_DIR, f"{name}.jkey")
+    if not os.path.exists(path):
+        return None
+    encrypted = _read_jkey(path)
+    if encrypted is None:
+        return None
+    data = aes.decrypt(encrypted, _session_password)
+    if data is None or "raw" not in data:
+        return None
+    return base64.b64decode(data["raw"])
+
+
+def list_qr_images() -> list[str]:
+    if not os.path.exists(QR_DIR):
+        return []
+    names = []
+    for f in os.listdir(QR_DIR):
+        if f.endswith(".jkey"):
+            names.append(f[:-5])
+    return sorted(names)
+
+
+def encrypt_file(input_path: str, output_path: str | None = None):
+    if not os.path.exists(input_path):
+        print(f"Error: File not found: {input_path}")
+        return
+    if not _ensure_unlocked():
+        return
+    with open(input_path, "rb") as f:
+        raw = f.read()
+    encoded = base64.b64encode(raw).decode("ascii")
+    encrypted = aes.encrypt({"raw": encoded}, _session_password)
+    if output_path is None:
+        output_path = input_path + ".jkey"
+    _write_jkey(output_path, encrypted)
+    print(f"Encrypted: {output_path}")
+
+
+def decrypt_file(path: str, output_path: str | None = None):
+    if not os.path.exists(path):
+        print(f"Error: File not found: {path}")
+        return
+    if not _ensure_unlocked():
+        return
+    encrypted = _read_jkey(path)
+    if encrypted is None:
+        return
+    data = aes.decrypt(encrypted, _session_password)
+    if data is None:
+        print("Error: Decryption failed.")
+        return
+    if "raw" in data:
+        raw = base64.b64decode(data["raw"])
+    else:
+        raw = json.dumps(data, indent=4, ensure_ascii=False).encode("utf-8")
+    if output_path:
+        with open(output_path, "wb") as f:
+            f.write(raw)
+        print(f"Decrypted: {output_path}")
+    else:
+        if "raw" in data:
+            print("(binary data, use -o <file> to save)")
+        else:
+            print(raw.decode("utf-8"))
+
+
+def cmd_init():
+    if os.path.exists(TOTP_FILE):
+        print("Vault already exists. Use 'jkey pv set-pw' to change password.")
+        return
+    pw1 = _password_from_env()
+    if pw1 is None:
+        pw1 = _prompt_password("Set master password: ")
+        if not pw1:
+            print("Password cannot be empty.")
+            return
+        pw2 = _prompt_password("Confirm master password: ")
+        if pw1 != pw2:
+            print("Passwords do not match.")
+            return
+    _ensure_dir()
+    _encrypt_file(TOTP_FILE, {}, pw1)
+    _encrypt_file(PASSWORDS_FILE, {}, pw1)
+    _encrypt_file(RECOVERY_FILE, {}, pw1)
+    _unlock_all(pw1)
+    print(f"Vault initialized at {CONFIG_DIR}")
+
+
+def cmd_unlock():
+    if is_unlocked():
+        print("Vault is already unlocked.")
+        return
+    if not os.path.exists(TOTP_FILE):
+        print("Error: Vault not initialized. Run 'jkey pv init' first.")
+        return
+    if _ensure_unlocked():
+        print("Vault unlocked.")
+
+
+def cmd_lock():
+    if not is_unlocked():
+        print("Vault is already locked.")
+        return
+    lock()
+    print("Vault locked.")
+
+
+def cmd_set_pw():
+    if not os.path.exists(TOTP_FILE):
+        print("Error: Vault not initialized. Run 'jkey pv init' first.")
+        return
+    if not _ensure_unlocked():
+        return
+    pw1 = _prompt_password("New master password: ")
+    if not pw1:
+        print("Password cannot be empty.")
+        return
+    pw2 = _prompt_password("Confirm new master password: ")
+    if pw1 != pw2:
+        print("Passwords do not match.")
+        return
+    global _session_password
+    _encrypt_file(TOTP_FILE, _totp_cache, pw1)
+    _encrypt_file(PASSWORDS_FILE, _passwords_cache, pw1)
+    _encrypt_file(RECOVERY_FILE, _recovery_cache, pw1)
+    _session_password = pw1
+    print("Master password changed.")

jkey/pv/export.py

@@ -0,0 +1,147 @@
+import csv
+import getpass
+import io
+import json
+import os
+
+from jkey.pv.core import (
+    _ensure_unlocked,
+    _password_from_env,
+    list_qr_images,
+    load_passwords,
+    load_qr_image,
+    load_recovery,
+    load_totp,
+    verify_password,
+)
+
+
+def cmd_export(args):
+    if not _ensure_unlocked():
+        return
+
+    env_pw = _password_from_env()
+    if env_pw and verify_password(env_pw):
+        pass
+    else:
+        pw = getpass.getpass("Confirm master password to export: ")
+        if not verify_password(pw):
+            print("Incorrect password. Export cancelled.")
+            return
+
+    t = args.type
+    output = args.output
+
+    if t == "totp":
+        data = load_totp()
+        if data is None:
+            return
+        out = json.dumps(data, indent=4, ensure_ascii=False) + "\n"
+        if output:
+            with open(output, "w", encoding="utf-8") as f:
+                f.write(out)
+            print(f"Exported TOTP secrets to {output}")
+        else:
+            print(out, end="")
+
+    elif t == "passwords":
+        data = load_passwords()
+        if data is None:
+            return
+        buf = io.StringIO()
+        w = csv.writer(buf)
+        w.writerow(["name", "password"])
+        for name, pw_val in sorted(data.items()):
+            w.writerow([name, pw_val])
+        out = buf.getvalue()
+        if output:
+            with open(output, "w", encoding="utf-8", newline="") as f:
+                f.write(out)
+            print(f"Exported passwords to {output}")
+        else:
+            print(out, end="")
+
+    elif t == "recovery":
+        data = load_recovery()
+        if data is None:
+            return
+        lines = []
+        for account in sorted(data.keys()):
+            lines.append(f"Account: {account}")
+            for code in data[account]:
+                lines.append(f"  {code}")
+            lines.append("")
+        out = "\n".join(lines)
+        if output:
+            with open(output, "w", encoding="utf-8") as f:
+                f.write(out)
+                f.write("\n")
+            print(f"Exported recovery codes to {output}")
+        else:
+            print(out)
+
+    elif t == "qr":
+        if not output:
+            print("Error: -o <directory> required for QR export.")
+            return
+        os.makedirs(output, exist_ok=True)
+        names = list_qr_images()
+        if not names:
+            print("No QR images found.")
+            return
+        for name in names:
+            img = load_qr_image(name)
+            if img:
+                path = os.path.join(output, f"{name}.jpg")
+                with open(path, "wb") as f:
+                    f.write(img)
+        print(f"Exported {len(names)} QR images to {output}")
+
+    elif t == "all":
+        if not output:
+            print("Error: -o <directory> required for full export.")
+            return
+        os.makedirs(output, exist_ok=True)
+
+        totp_data = load_totp()
+        if totp_data:
+            p = os.path.join(output, "totp.json")
+            with open(p, "w", encoding="utf-8") as f:
+                json.dump(totp_data, f, indent=4, ensure_ascii=False)
+                f.write("\n")
+            print(f"  {p}")
+
+        pw_data = load_passwords()
+        if pw_data:
+            p = os.path.join(output, "passwords.csv")
+            with open(p, "w", encoding="utf-8", newline="") as f:
+                w = csv.writer(f)
+                w.writerow(["name", "password"])
+                for name, pw_val in sorted(pw_data.items()):
+                    w.writerow([name, pw_val])
+            print(f"  {p}")
+
+        rc_data = load_recovery()
+        if rc_data:
+            p = os.path.join(output, "recovery.txt")
+            with open(p, "w", encoding="utf-8") as f:
+                for account in sorted(rc_data.keys()):
+                    f.write(f"Account: {account}\n")
+                    for code in rc_data[account]:
+                        f.write(f"  {code}\n")
+                    f.write("\n")
+            print(f"  {p}")
+
+        qr_dir = os.path.join(output, "qr")
+        names = list_qr_images()
+        if names:
+            os.makedirs(qr_dir, exist_ok=True)
+            for name in names:
+                img = load_qr_image(name)
+                if img:
+                    p = os.path.join(qr_dir, f"{name}.jpg")
+                    with open(p, "wb") as f:
+                        f.write(img)
+            print(f"  {qr_dir}/ ({len(names)} images)")
+
+        print(f"Exported to {output}")

jkey-0.1.2.dist-info/METADATA

@@ -0,0 +1,105 @@
+Metadata-Version: 2.4
+Name: jkey
+Version: 0.1.2
+Summary: Python library for password management and TOTP verification.
+Author-email: jiaoyuan <imjiaoyuan@gmail.com>
+License: MIT
+Project-URL: Homepage, https://github.com/imjiaoyuan/jkey
+Project-URL: Repository, https://github.com/imjiaoyuan/jkey
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: opencv-python-headless>=4.9.0
+
+# jkey
+
+Python library for password management and TOTP verification.
+
+## Install
+
+```bash
+uv tool install jkey
+```
+
+Or run without installing:
+
+```bash
+uv run jkey --help
+```
+
+## Quick Start
+
+```bash
+# Initialize vault (set master password)
+jkey pv init
+
+# Add a 2FA account
+jkey 2fa add github JBSWY3DPEHPK3PXP
+
+# Get current TOTP code
+jkey 2fa get github
+
+# Import from QR code image
+jkey 2fa qr ./github.jpg
+
+# Generate a random password
+jkey pm gen -L 24
+
+# Store a password
+jkey pm add my-site
+
+# List all stored passwords
+jkey pm ls
+
+# Encrypt/decrypt any file
+jkey pv encrypt secret.pdf
+jkey pv decrypt secret.pdf.jkey -o secret.pdf
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `jkey 2fa ls [keyword]` | List TOTP accounts and codes |
+| `jkey 2fa get <account>` | Show TOTP code for an account |
+| `jkey 2fa add <name> <secret>` | Add a TOTP account |
+| `jkey 2fa qr <image>` | Import from QR code image |
+| `jkey 2fa rm <account>` | Remove a TOTP account |
+| `jkey pm gen [-L N]` | Generate a random password |
+| `jkey pm ls [keyword]` | List stored passwords |
+| `jkey pm get <name>` | Show a stored password |
+| `jkey pm add <name>` | Store a password (prompts for input) |
+| `jkey pm rm <name>` | Delete a stored password |
+| `jkey pm import <csv>` | Import passwords from CSV (name,password) |
+| `jkey pv init` | Initialize the encrypted vault |
+| `jkey pv unlock` | Unlock the vault |
+| `jkey pv lock` | Lock the vault |
+| `jkey pv set-pw` | Change master password |
+| `jkey pv encrypt <file>` | Encrypt a file |
+| `jkey pv decrypt <file>` | Decrypt a `.jkey` file |
+| `jkey pv export totp` | Export TOTP secrets (re-enters master password) |
+| `jkey pv export passwords` | Export passwords as CSV |
+| `jkey pv export recovery` | Export recovery codes |
+| `jkey pv export qr -o <dir>` | Export QR code images |
+| `jkey pv export all -o <dir>` | Export everything |
+
+Set `JKEY_PASS` environment variable to skip the password prompt.
+
+## How It Works
+
+Data is encrypted with AES-256-CBC + HMAC-SHA256 and stored in `~/.config/jkey/`:
+
+```
+~/.config/jkey/
+├── totp.jkey        # Encrypted TOTP secrets
+├── passwords.jkey   # Encrypted passwords
+├── recovery.jkey    # Encrypted recovery codes
+└── qr/              # Encrypted QR images
+```
+
+Back up `~/.config/jkey/` to migrate to another machine.
+
+## Dependencies
+
+- `opencv-python-headless` — QR code scanning
+
+Pure Python, no OpenSSL or libsodium required.

jkey-0.1.2.dist-info/RECORD

@@ -0,0 +1,18 @@
+jkey/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+jkey/__main__.py,sha256=PrHKvvvZNLoxd6bdOJGCmQUZvrZsemvtf9o7Lhlg0PI,65
+jkey/aes.py,sha256=UH2foWA2_FgfeWpVYOP9HVDVIPpnAdUHgH0tidxlvOY,9274
+jkey/cli.py,sha256=ChJe6ctZk0BGICHi5Do357cykxBF6-8l07X1YqfNDGo,5176
+jkey/2fa/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+jkey/2fa/core.py,sha256=iJrNW3glXrbQele2HCdB5t5E4h0w7xNNoFcw2Hctvos,3389
+jkey/2fa/qr.py,sha256=WVs_rT04xJoo5voPpzBSvZ2-XVACUNvFL8y_b4THQ2Q,1661
+jkey/pm/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+jkey/pm/core.py,sha256=tX6G04lHmmx0RsRLJzCjMTNgHdSACEel4HpzxojphTA,2193
+jkey/pm/gen.py,sha256=PP7k7ldpOm--L95bSq1Vo6rWF_-L49KJKzIsgJ8_AhQ,1027
+jkey/pv/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+jkey/pv/core.py,sha256=UxdiTXEu_e5440N9h13LB7ZU3q-ZQwKCTy2187MtFD0,7981
+jkey/pv/export.py,sha256=-ztD7y9zYv-D8EcsoGLFEtneJUJ2IcxhKMiB5voJTek,4471
+jkey-0.1.2.dist-info/METADATA,sha256=jfmu-JlCjfXmccn2TgGsOg4kbQ4RqUr2tCf8A5_6SEA,2880
+jkey-0.1.2.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+jkey-0.1.2.dist-info/entry_points.txt,sha256=Fe2Oba3cO6DG5h0Ybx9_H4vuqhaujIfnfJXQAERye1M,39
+jkey-0.1.2.dist-info/top_level.txt,sha256=B668dz5cpxfnglJdSEtVBrOK5tHbsFwh0J7I1NB0Lp0,5
+jkey-0.1.2.dist-info/RECORD,,

jkey-0.1.2.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

jkey-0.1.2.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+jkey = jkey.cli:main

jkey-0.1.2.dist-info/top_level.txt

@@ -0,0 +1 @@
+jkey