initial commit

ezekg · ezekg · commit 0bb7281589cc · 2022-07-28T10:53:39.000-05:00
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Keygen LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -0,0 +1,58 @@
+# Example Python Cryptographic Machine Files
+
+This is an example of how to verify and decrypt [cryptographic machine files](https://keygen.sh/docs/api/cryptography/#cryptographic-lic)
+in Python, using Ed25519 signing and AES-256-GCM encryption. This example
+verifies the `aes-256-gcm+ed25519` algorithm.
+
+## Running the example
+
+First up, add an environment variable containing your Ed25519 public key:
+```bash
+export KEYGEN_PUBLIC_KEY='799efc7752286e6c3815b13358d98fc0f0b566764458adcb48f1be2c10a55906'
+```
+
+You can either run each line above within your terminal session before
+starting the app, or you can add the above contents to your `~/.bashrc`
+file and then run `source ~/.bashrc` after saving the file.
+
+Next, install dependencies with [`pip`](https://packaging.python.org/):
+
+```
+pip install -r requirements.txt
+```
+
+Then run the script, passing in a `path` to a machine file, and a `license`
+key as arguments:
+
+```bash
+python main.py --license 'A_LICENSE_KEY' \
+  --path /etc/keygen/machine.lic
+```
+
+Or run one of the pre-defined examples:
+
+```bash
+KEYGEN_PUBLIC_KEY='e8601e48b69383ba520245fd07971e983d06d22c4257cfd82304601479cee788' python main.py \
+  --fingerprint '198e9fe586114844f6a4eaca5069b41a7ed43fb5a2df84892b69826d64573e39' \
+  --license 'B10760-1B177D-656D1F-C03298-9AF89E-V3' \
+  --path examples/machine.lic
+```
+
+The following will happen:
+
+1. The current device will be fingerprinted, using a SHA-256 digest of the
+   device's MAC address. You may want to look into alternative fingerprinting,
+   depending on your expected environment.
+1. The machine file's authenticity will be verified using Ed25519, by verifing
+   its signature using the public key.
+1. The machine file will be decrypted using the license key and fingerprint
+   as the decryption key.
+
+If everything checks out, the script will print the decrypted contents of
+the machine file — the machine object, with any included data. If it
+fails, check your inputs.
+
+## Questions?
+
+Reach out at [support@keygen.sh](mailto:support@keygen.sh) if you have any
+questions or concerns!
diff --git a/examples/machine.lic b/examples/machine.lic
@@ -0,0 +1,117 @@
+-----BEGIN MACHINE FILE-----
+eyJlbmMiOiJ0S3JYUmw4NCtDSTJ6WDVpN1NSUWJqdkt1d1BpRWFhZDdudlF2
+bWNVVnd2L3B2ajEvcDdLb0NzWVVvbWJzT0tQdkwyS0xUcTBhNUtKeGpLRmNP
+RG1oc3JUR2NSNUF4bktoSVRJWTA0THFJelJzNW9tZzRpbWRDSVpZZWdzbzdK
+Rk9ISDVZaFBnaEFYK1FkK0U4aDUzZWlkNXM4KzVXL0xwN1h2ZUJVamhHeEFZ
+SjhTb3VwOFZpOXQwTmlDSHlaL1hIMDRNM0YwSm83MmI0b1VXSWlQT3NNcm9n
+VVhudllTckk1TU9abWNhZWlIN1NtNTlDWWozeUVhOE1BcW0xOTdCWktEU0k3
+cDdUV2l2VW5FeHprRUhFN2xaUHVleDdGbCtHaURQRHhGbjlkamRRQ3hyamp2
+OWRVUG0rdXkzS0Rzb0RwRjZWMWp4OU8wVWNpNFdZZzlUaWNoVm5KK0Yxd3g4
+aFJmQ25lU3QvSmo3SHVXSDZ4MC9DS0ZHczFZU0NicUU5VmMxaHFDWTdYNCsw
+KzdYQmNhZWpRSituUU5TemVkdXNya0JTa0NEcm1PUHpzUW9JNzJFUWUxS20x
+dkY0MlRxbHBXUzB3aFVFSml2a1VlcmZqVFQ4aGpPZTlJZEFzTEphQytqS3F3
+S2hmQ0QxVERqZVQ4QnMwT0JLOXpZV0JUbmlDY2Q1bUlUSFVySWZDanhmOGNh
+MDdmaW1TdnV0UTdCN3FNNlMvWEJ6VWhqNXAvNlJ2OU9TQS9pcDFkT0RuWHhm
+K2FOempTM1planB1Q2M3UGkzM0ltejZabCtZUWl0cklnMUpaaXhmZ0l0aGpr
+VS9BakVqaW1PekdxcS9NTjlSdjIwTUk3RWRrWE40Z3VhNGFjMGJNQzNQQnhs
+a3BZK0hMQW1HSWlxckJZSVAzVDRMNzBFMk5JRkl5bldtKzk2aHdKazBVR1RQ
+cUlVdCt1QmIzdWRueWhuS3h6bnR5eXR1eTBuNzVOaVpndlFONE14MUc5dWlF
+a2xIOWVQN2Jjbk5PWGEvRW9Mdm9NKy9NZDNZc01KdlkzZ09Sd2w0R0FFZ1Bv
+Z3VMZTc4L3R3T1dsU3NSS2ZrWlM1QW1GdWd2cU13dmdwOVhzT3NwOFRPa1F0
+MEtCdHVZejFFSjh5TmthSzBReXMwMUNjWDUzelJHZDJYc0dKMEo0TTBnR2FX
+QVBJZndVTm5iSThnRTV6eEZ0T2lGdXZXMTRML1JHRXdJZUxVaXhhbkVpa28z
+TjMrMHdhdGhjTzlVcGJreXR1VlpFOGprR0t3OHRZdGdyaFRDalc0bllEQW5O
+b2Z2Tm9hUkt2ZHp2RzEvODg0SDZuVWhYbEw5ZVBvaE1pZXJVOE9iYWhIQTR4
+T0dnQjhGQXp6QVhndGtaK3ZFRUpBOUl5Y2x5QWdzWjR3elVHMEpZcDF6bEhL
+RmdjMjA4eldxeUcxdW9VR3czTEtMZjRjZklNRlBkS2ozOWpCNms1TVFSOXc4
+UnBmSkJvU2pnemt3eS9GSnhVcnk0Ni9Pdlk4VDNSMGFxb0VOZHVrRHVvOUF2
+a1N3VmY2WkRadjR4Qk1FVmFJUFRxbUxIc1pyZmkwcTdRa3RjdklzNHpmSEZK
+SW15MnZHQndMb0ZzOGhteXNOOVQzbnB2MzFiM0ZaVmQ3VUR4SmxTR21qa281
+enNaNEVFeDFEUjhHRzMzYjg5Q1Yxc09GUytBWWxXem9iM0sza3NnREt5NzhY
+Qk9ucEttY3ZKZnNvWm83ZSt2dTZtOHAzQzVzak53UVJycUJJb1Z1K0czbWIv
+U2dvTHRkWExZcGlEaE5pTzVFS3hDVSsvUCtNcEFPbERRU211cy85N0VadlRP
+R05RVDZGWkVjWEpocUl0Zm9DemFYZGQxenJYamhXbGpCNng3Q0F0Y3Fudkl5
+MlZ0UHplSlB6Z2hFSzZlZ1VyL2MybDBHU3ZVNjNmTnFxUzZoQzJpZUZaWTg0
+T2ptZ1hKb1BZU2YxODAwTlRlMUkyRzdrZi9LaTh0S2FqMVVONndDQ1Y0RDk0
+d3B1WElJdVZiaXl0U1ArYktudGtiQ1NUZ1ZpZEwyZHdZTnE0Y2o1bHdTM0xn
+R1BpVnpQZDNPMWs3V2tlemlpRVJ0K0xKNTFNbHZIVS9kVkI2RTZIREY2dFVt
+UHpHaDhaSTFUTGhOUU1GV3pSMWJUaFhzdFRuZ2FrR3ZKc0I4WFd1Y1R5RGg5
+cXdnYlhWYytqNmFQZ0FBb3M0enh3VVowdTJTV2lGWHpVTWxlUUtqWTM4VGk4
+dFp1ZTlac1ZBUEJVUFo2TTVSV0dEQVZ1OGttVno3VjFVTkhEQS9OTTA5dGZS
+aFVkUjVJNlhlRXZ0ZWJFdmM1YktNNnFXOTBId3V0QWx2b0dXcmFpak9qbGti
+VmZZV2d3RlloYmg0eEdJL2NoYkR0OWtBcVFIMDhPUCsyZVhTbmxZWU1GSVdI
+Qk8rK1g5WGd0RktmK2dJb3N5K2hKZjVIekhZL3hGWHFiVzJzWnE4U0lZaUhW
+RTVWMXA1cGVKbUNHaVZnTEV0YUZSU0o1bWxWeUxWdldLSmdIRG9SWUlPaFR4
+WFUvVnkxM3hXVmF3c0dTa2s0NDU5bHZoVEt1bUhIK3o4aTkyOG9EY2dsWnk0
+bENtbTFGTUhEQ3dHMUkzUjJNbzR3ZkQ1MXhVNHVCTW1iR0dBckowSlBJZHNV
+ZUZUeEFpS2lLV25KRzBrbGF5cWNUR0huTGR0QUY0TWJ0R0N5YytsMldzZ0xh
+cFZlOE9ablJ1MWZUY1M3TGE0RjZudUdrMVpxeVhJeEhlU3RVUlFWOVZ0ZFI3
+ZGwzcHFsaXh1eDZHTTRBNVhMbVp1NG9DeWtqU1c5SGp2MFhQdjFwdnFsemtq
+b2xoTjF6RzlHbmJVQ2c2cExmMGJ4VFcwdlJSV0kwWU9NZm1kNkZMeURRZ1ZE
+YkY3L2UwVS9jRXllRHZTWkM0KzZCcTFjdFhTZlZ4NDFqaHBMV3E2eG9WT3hl
+NHg3UXZreEEzM3JkdFVYeWNEa0RneFNDQ1lSZzFxckFWOUx5SjdRMlIwOVZs
+cnd5YitMWm1RQkVRMGRxdlVmNVB0UU1LQVRnWXlvclo2cEFTWmI4QUdMeis3
+QzNXTjJHbnNoR1dwZUlCV2RzSGJFTXZnR0ZTUGt1NlpCaDR3MVlTRm44NUwr
+a3FGNnJTTUVscVRtdjcyVVJRdTRyNE85L0FSa3VOMHFYRmZNMldVNlpTUTkz
+TzR4STdpbW92SWMyWktaUHFKOG5nRUR4UEIyMFhpaUFFSmM2Y0tCUUNmYTA1
+SnlRYWt2Z0ZnQ0gvTDl3YkQxcUJMVDRRSTJ3d0M0TnlYcHlHNm9mMWpaVElN
+SFprVVBhMDlwYVNnVXZvVDRTaUtYZXBObG41dzdIWHdVY1JMQjBRUzVvUHZL
+OXBoYW0zcTBMbHlFMHVkUFhINEkvdEFWZThIcDJwQWRiUkl5c0E0dHJ1bUFv
+VS9EN3E5czZVc0JiMW02azBwQ0w1Z3ZLV3Z2M096YnBGOXRNbEFhYW12ZnFG
+a1dIanNQK2pwZnVoeGhsL3llTEl3ZU5lZjJmTmxIOVNtWjExbzVsL3lpVTJ1
+QWVrd0dabGVQUmx2QzgrS3ovd3o4ejgxUllLVnVWSGNvcVc2dkY3OEJadkFa
+VDgvbVZyQzR5TElpcXp3NkhvYmpQWnhsNW5rRXhVSHdLalRsRXdPWExWNFJu
+dlY1ZitjZlk3Qnh1RGhCdlpGU2dEb0NiUmpOK2JIOTRxM3A3SDQzUlV4SG9N
+azY4M1pOMmZCM09nNW1CSUZxOFA0SU94c0dSWGltcDZvR1FzQTcxMGdxV1Z1
+YWdVbWJ5YWhjWWRsQW1majVlWC8zV2RCN3VOdm5idDViZmlTL05GS21LTWxy
+T2NoSUNLUU56bU1IZ2xPZW95SzA3ZlAwUVZLc2hsZEJhZzNicXF0MSsxU3hi
+akFwVTN3UHNjakVuSVBhUjBUemhrcFVuMm5rR25iWDhxSVVOcURsMlkyc3RI
+S3V5VmEybUpZaUVLVm1sdE9GakYyVm92ZFZPY3lqT3lTOWFlUTduY0tlZTdp
+c1E1RC9NdURlK091aWhLY3RzLzRobnRCMHV3a0x5SVZKdE5xSHgwQzlxVE9D
+NEtNbjdlcGlDT0ltdjBHRVdaQkZyS2kvOXJEbE1FOXBnWTZPTU5ySXZhK1Br
+UWVRQllmRXo1bnAzTzJNZm5zS1B2dHVjamF2OWg5TlQyUjkwcVBDSXkzcjl5
+YUFZV1hTR1cyTlZtNFdXcENnM05jdjFDTDhZTEMwR1I5OFI3LzgwdUxEQ1A0
+a04wRG1PLzFZN2wxb2VXVlVVY0ZvTnFBSmo2NCtGS1BsL21CUDNYY0FDMWhE
+cmlENTlDYVFNWVhkOGdXVkJiRzVYeEpIdU5mNmdvZjRidEhFVUM3UHdaUjVp
+cDROai9OdUh4Vk4rVVhselVFUmh1UTR2a2daWkFpVE9IbE5Pc3ZlLzJmNTlt
+VkhMSnpDRTF3Wlc1c09TZlVuN2Zwb2hzUUMrRVROdHhRemdURkU3N1NFUDVi
+dFdSZytFWDNmU1Fibjh6LzBiektUYTc3VFpmdzYrL2g3SXN6UmNCTDVZOFN5
+UzZnbGxjbmtoVTVLZjVwc0dJc0JXaklDMjhwQnhMMkhqaWF4ZlowVkpKTVNF
+MWkzSFVQU29RbmdUaFdxckQvd3dzN1Fjb280VVdrbWF4VlF5Z3k4MWRaZlhr
+amdMcmxvQVhodSthb0lxa0I2ZkxYbTUxT2JUK3dEVHQ3SHpwVkRTb0VDamEy
+VUR3MDRPNXNOcitDR3p6aGc0LzdYZTQvZWhQbW85MmhyeVFPRUFaK3pveVRp
+TGx1bWhtbE1zMUhTeHRxSGw2TU93VnZNV3lEVW9BWXNCc3MzTWpGazk4b0hM
+RTFIajVCMUNxYTBKbk9kQXF2UE0wOUZ0UjZxdlVRSFVLbE9mRnhuY2xlSlpm
+WnJreVBlV0tCeld6RHhYL1hGR1BpT3JldUVLeE9hZWRyaUQ5STNHalg4clpk
+Y08xUUVmWlFCN1NQdkc2Q25XZUVzWDFWV2RNclVTQlJLaldUQkVlRlVjdmdH
+QzhRamVFS1RlcXpuTFpkZFh5MmdpVnl5ejdMSW1kOWVNUkJpOHNmbzZYSTgr
+TWsyOXJUZksvNGZJd0tub0ZtNVdCS1hSWENvalJMVTV1MGw1MUwyVmtkZHNR
+VUlzZjc1UlFIZkxKUVZEODY3elJJM2JaZTJOUkRMOEtQQU95bUVMd3hKMmRq
+OURJa1N2WXJSR3kxOGE4VXdzRVNrS1RtZFRyYlhRQ0ZCYUMxeXlhTng1dUJo
+dU85eTJSMlEzRWE0NGJlQmFXaHRZVm9uQ0ZQM01WSTQ5bXI2MzNyM3F3QlAz
+RW1yMHBrck9aczA0NUNDa3diTktLdmlYREtBbm1FcUduRmxBMmNtQnl2TURP
+NktadEpyR2wvUWFqZ05wck1PQnNycE5wWFZjdVNhRVIrT0JFQXR1WnNXYUZT
+T1RUaFFVVWRBbFN3NWN4N3BnL2xTRlV5aWdudFBBWVVjVllzM3N1NEZpU0Zl
+L0UwT3Qzek5CL2wzUHIyb1g1bHFYNG9mVEZEZ2NySm5FVDBmU1ZhaW5zR3Zy
+TXNtTXV5UHhMcjJiSTJWWEIxMXNWNDhKQmR5aXhDNGxWSTZEUCtWNWs2MW01
+Qzd4bEFPYUFtSXVLWHBkdjROV3dkRXdrZmk2d3ZnSjluMGh4K09ORk1GT20y
+S0ZoR1NFeEpxQ1JNOXREa255elNtZWN4YnRqRllkdGp1bm4vL2kvTFNZdVhh
+bzFWQUFXcUVPNEloVXcwQUxJM0Z2ZUt3TDhUdWxIL05OWEpkVXJUOGh3Rllu
+ak1RMC9yYWhMTmpqNkEzeVB5YU1aWnFpYjJLbVlQcnRBOWxSc1pDN1h6SEJx
+cVJrTUMxVjlFRnJEcjBsYjNaeUNWUzlVYzNWZmUvWlhwSjlmZXBhQUlpb096
+OEt3N1JaUlZERVNmS3VFN2dYY2RsYkF6V2x2UjhWR3k5OWswMUo1Vms0Q2wy
+NS9mMmR1UERHUmgvMzR2V2hNbGhpc3A3bjE2VjM0a3NrcFgra2JkTjVwcC94
+UGc1M2VWcHVIVWNheHlhQ3pLWHdTZUlFY2xQQTM2SFJ5SGwrU2o5aUEvS0Fn
+NWJ2enVIQU9RVm1nNkVxVml3aE1Ub1pJRUlaZE85K1pGZ2pnd0U0LzVlOTMv
+bXN6RC8vazdSU2RkdkZKaTJTdjMvV2xwMHhkTUFIbkQwM0dWNTdNaFEzelRw
+V1ZnRGlscmo0RzA0R2dCVjBGUkd6dUxqMDNQNy9iZk84Z08zOUFScEh1Tlo1
+cjJmT2dVcTllOWZYTGNGS0tDdFltbk5iLy85NmljQzJ5QUhqUGR6NHlac1gz
+T085TEFYek5wOVJWK3RrU0p0S1hZRjh6Wk1rWTg5WmZEbEh5QkFleDByVFlZ
+ZlVVUS84OXFCR1Uwd2g3WVhGdWtPMUVqMkhCN0ZIb1lxSlNyMG5SeVFLMlJw
+SDBTeEhHR1NwK2lnaWpMbHp5VkJTVFZwL2EvdUpuZHRvOHhhOGJXZ3BiTkhn
+ZE9XaHNWMDRLQ0hFNWlXTS9BQ1RwVW9EOVU5QzdPZzRBPS5sTWhWTEpOV1VF
+S3lHcGt4LmMyUmhDbEJZWGY0SVRmcEV0WHRUdmc9PSIsInNpZyI6ImlHMGh2
+Y1VaeGUwU3BDZWlNWi95aldFcEFnV2t6Ly9vV2FNRmFkUjRmWGd1UkozTGZO
+K3FIOCt4eFhhRmRoSS8rbVFvdTdnZzRSRzdxSVUwdjRoUERRPT0iLCJhbGci
+OiJhZXMtMjU2LWdjbStlZDI1NTE5In0=
+-----END MACHINE FILE-----
diff --git a/main.py b/main.py
@@ -0,0 +1,108 @@
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.backends import default_backend
+from cryptography.exceptions import InvalidKey, InvalidTag
+from ed25519 import BadSignatureError
+from uuid import getnode as get_mac
+import argparse
+import ed25519
+import base64
+import json
+import sys
+import os
+
+def fingerprint():
+  """
+  fingerprint returns a hex-encoded SHA-256 digest of the current MAC address.
+  """
+  mac    = str(get_mac())
+  digest = hashes.Hash(hashes.SHA256())
+  digest.update(mac.encode())
+  return digest.finalize().hex()
+
+parser = argparse.ArgumentParser()
+
+parser.add_argument('-p', '--path',        dest='path',        required=True,         help='Path to machine file (required)')
+parser.add_argument('-l', '--license',     dest='license',     required=True,         help='License key (required)')
+parser.add_argument('-f', '--fingerprint', dest='fingerprint', default=fingerprint(), help='Machine fingerprint')
+
+args = parser.parse_args()
+
+# Read the machine file
+machine_file = None
+
+try:
+  with open(args.path) as f:
+    machine_file = f.read()
+except (FileNotFoundError, PermissionError):
+  print('[error] path does not exist! (or permission was denied)')
+
+  sys.exit(1)
+
+# Strip the header and footer from the machine file certificate
+payload = machine_file.lstrip('-----BEGIN MACHINE FILE-----\n') \
+                      .rstrip('-----END MACHINE FILE-----\n')
+
+# Decode the payload and parse the JSON object
+data = json.loads(base64.b64decode(payload))
+
+# Retrieve the enc and sig properties
+enc = data['enc']
+sig = data['sig']
+alg = data['alg']
+
+if alg != 'aes-256-gcm+ed25519':
+  print('[error] algorithm is not supported!')
+
+  sys.exit(1)
+
+# Verify using Ed25519
+try:
+  verify_key = ed25519.VerifyingKey(
+    os.environ['KEYGEN_PUBLIC_KEY'].encode(),
+    encoding='hex',
+  )
+
+  verify_key.verify(
+    base64.b64decode(sig),
+    ('machine/%s' % enc).encode(),
+  )
+except (AssertionError, BadSignatureError):
+  print('[error] verification failed!')
+
+  sys.exit(1)
+
+print('[info] verification successful!')
+
+# Hash the license key using SHA256
+digest = hashes.Hash(hashes.SHA256())
+digest.update(args.license.encode())
+digest.update(args.fingerprint.encode())
+key = digest.finalize()
+
+# Split and decode the enc value
+ciphertext, iv, tag = map(
+  lambda p: base64.b64decode(p),
+  enc.split('.'),
+)
+
+# Decrypt ciphertext
+try:
+  aes = Cipher(
+  algorithms.AES(key),
+  modes.GCM(iv, None, len(tag)),
+  default_backend(),
+  )
+  dec = aes.decryptor()
+
+  plaintext = dec.update(ciphertext) + \
+              dec.finalize_with_tag(tag)
+except (InvalidKey, InvalidTag):
+  print('[error] decryption failed!')
+
+  sys.exit(1)
+
+print('[info] decryption successful!')
+print(
+  json.dumps(json.loads(plaintext.decode()), indent=2)
+)
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,4 @@
+argparse
+cryptography
+ed25519
+uuid

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +argparse
 +cryptography
 +ed25519
 +uuid