Major refactor for both Python 2.7 and 3.X compatibility.

aznashwan · aznashwan · commit 19920a14dcd4 · 2015-06-15T01:26:05.000+03:00
diff --git a/blob.py b/blob.py
@@ -0,0 +1,39 @@
+# Copyright 2015, Nashwan Azhari.
+# Licensed under the GPLv2, see LICENSE file for details.
+
+"""
+Basic Blob structure used for data manipulation.
+"""
+
+from ctypes import c_char
+from ctypes import create_string_buffer
+from ctypes import POINTER
+from ctypes import Structure
+from ctypes import cdll
+from ctypes import windll
+from ctypes.wintypes import DWORD
+
+memcpy = cdll.msvcrt.memcpy
+localfree = windll.kernel32.LocalFree
+
+
+class Blob(Structure):
+    """Basic Structure used for data manipulation.
+    It is structurally identical to the native CRYPT_INTEGER_BLOB structure.
+
+    Composed of a field holding the length of the data and a
+    pointer to the start of it.
+    """
+    _fields_ = [("length", DWORD), ("data", POINTER(c_char))]
+
+    def get_data(self):
+        """Fetches the data from the Blob."""
+        fetched = create_string_buffer(self.length)
+
+        memcpy(fetched, self.data, self.length)
+
+        return fetched.raw
+
+    def free_blob(self):
+        """Frees the memory allocated for the Blob's data."""
+        localfree(self.data)
diff --git a/securestring.py b/securestring.py
@@ -1,77 +1,124 @@
-from ctypes import *
-from ctypes.wintypes import DWORD
+# Copyright 2015, Nashwan Azhari.
+# Licensed under the GPLv2, see LICENSE file for details.
 
-protectdata = windll.crypt32.CryptProtectData
-unprotectdata = windll.crypt32.CryptUnprotectData
-localfree = windll.kernel32.LocalFree
-copy = cdll.msvcrt.memcpy
+"""
+A pure Python implementation of the functionality of the ConvertTo-SecureString
+and ConvertFrom-SecureString PoweShell commandlets.
 
-# the basic blob structure we will be using for calling
-# the above System functions
-class blob(Structure):
-	_fields_ = [("length", DWORD), ("data", POINTER(c_char))]
+Usage example:
+from securestring import encrypt, decrypt
 
-# this function will fetch all the gata from a given blob
-def getblobdata(b):
-	length = int(b.length)
-	
-	fetched = c_buffer(length)
-	copy(fetched, b.data, length)
+if __name__ == "__main__":
+    str = "My horse is amazing"
 
-	freeblobdata(b)
-	return fetched.raw
+    # encryption:
+    try:
+        enc = encrypt(str)
+        print("The encryption of %s is: %s" % (str, enc))
+    except Exception as e:
+        print(e)
 
-# this function will free the memory of the data field from a given blob
-def freeblobdata(b):
-	localfree(b.data)
+    # decryption:
+    try:
+        dec = decrypt(enc)
+        print("The decryption of the above is: %s" % dec)
+    except Exception as e:
+        print(e)
+
+    # checking of operation symmetry:
+    print("Encryption and decryption are symmetrical: %r", dec == str)
+
+    # decrypting powershell input:
+    psenc = "<your output of ConvertFrom-SecureString>"
+    try:
+        dec = decrypt(psenc)
+        print("Decryption from ConvertFrom-SecureString's input: %s" % dec)
+    except Exception as e:
+        print(e)
+
+"""
+
+from codecs import encode
+from codecs import decode
+
+from blob import Blob
+
+from ctypes import byref
+from ctypes import create_string_buffer
+from ctypes import windll
+
+protect_data = windll.crypt32.CryptProtectData
+unprotect_data = windll.crypt32.CryptUnprotectData
 
 
-# this function will encrypt a given string in accordance with the 
-# ConvertFrom-SecureString commandlet and return the hex representation
 def encrypt(input):
-	# for some odd reason the cmdlet's calls encrypt the data with interwoven
-	# nulls, for which we will account as follows:
-	nulled = ""
-	for char in input:
-		nulled = nulled + char + "\x00"
-
-	data = c_buffer(nulled, len(nulled))
-
-	inputBlob = blob(len(nulled), data)
-	entropyBlob = blob()
-	outputBlob = blob()
-	flag = 0x01
-
-	res = protectdata(byref(inputBlob), u"", byref(entropyBlob), None, 
-		None, flag, byref(outputBlob))
-	if res == 0:
-		freeblobdata(outputBlob)
-		raise Exception("Failed to encrypt " + input)
-	else:
-		return getblobdata(outputBlob).encode("hex")
-
-# this function will decrypt the output of ConvertFrom-SecureString
-# and return the original string which was encrypted
+    """Encrypts the given string following the same syscalls as done by
+    ConvertFrom-SecureString.
+
+    Arguments:
+    input -- an input string.
+
+    Returns:
+    output -- string containing the output of the encryption in hexadecimal.
+    """
+    # CryptProtectData takes UTF-16; so we must convert the data here:
+    encoded = input.encode("utf-16")
+    data = create_string_buffer(encoded, len(encoded))
+
+    # create our various Blobs:
+    input_blob = Blob(len(encoded), data)
+    output_blob = Blob()
+    flag = 0x01
+
+    # call CryptProtectData:
+    res = protect_data(byref(input_blob), u"", byref(Blob()), None,
+                       None, flag, byref(output_blob))
+    input_blob.free_blob()
+
+    # check return code:
+    if res == 0:
+        output_blob.free_blob()
+        raise Exception("Failed to encrypt: %s" % input)
+    else:
+        raw = output_blob.get_data()
+        output_blob.free_blob()
+
+        # encode the resulting bytes into hexadecimal before returning:
+        hex = encode(raw, "hex")
+        return decode(hex, "utf-8").upper()
+
+
 def decrypt(input):
-	rawinput = input.decode("hex")
-	data = c_buffer(rawinput, len(rawinput))
-
-	inputBlob = blob(len(rawinput), data)
-	entropyBlob = blob()
-	outputBlob = blob()
-	dwflags = 0x01
-
-	res = unprotectdata(byref(inputBlob), u"", byref(entropyBlob), None, 
-		None, dwflags, byref(outputBlob))
-	if res == 0:
-		freeblobdata(outputBlob)
-		raise Exception("Failed to decrypt " + input)
-	else:
-		clean = ""
-		# as mentioned, the commandlets work with data with interwoven nulls,
-		# for which we must account for by removing them at the end:
-		for char in getblobdata(outputBlob):
-			if char != "\x00":
-				clean = clean + char
-		return clean
+    """Decrypts the given hexadecimally-encoded string in conformity
+    with CryptUnprotectData.
+
+    Arguments:
+    input -- the encrypted input string in hexadecimal format.
+
+    Returns:
+    output -- string containing the output of decryption.
+    """
+    # de-hex the input:
+    rawinput = decode(input, "hex")
+    data = create_string_buffer(rawinput, len(rawinput))
+
+    # create out various Blobs:
+    input_blob = Blob(len(rawinput), data)
+    output_blob = Blob()
+    dwflags = 0x01
+
+    # call CryptUnprotectData:
+    res = unprotect_data(byref(input_blob), u"", byref(Blob()), None,
+                         None, dwflags, byref(output_blob))
+    input_blob.free_blob()
+
+    # check return code:
+    if res == 0:
+        output_blob.free_blob()
+        raise Exception("Failed to decrypt: %s" + input)
+    else:
+        raw = output_blob.get_data()
+        output_blob.free_blob()
 
+        # decode the resulting data from UTF-16:
+        return decode(raw, "utf-16")
diff --git a/test_securestring.py b/test_securestring.py
@@ -1,46 +1,62 @@
+# Copyright 2015, Nashwan Azhari.
+# Licensed under the GPLv2, see LICENSE file for details.
+
+from codecs import decode
 from subprocess import check_output
+
 from securestring import encrypt, decrypt
 
 testinputs = [
-	"Simple",
-	"A longer string",
-	"A!string%with(a4239lot#of$&*special@characters{[]})",
-	"Quite a very much longer string meant to push the envelope",
-	"fsdafsgdfgdfgdfgdfgsdfgdgdfgdmmghnh kv dfv dj fkvjjenrwenvfvvslfvnsljfvnlsfvlnsfjlvnssdwoewivdsvmxxvsdvsdv",
+    "Simple",
+    "A longer string",
+    "A!string%with(a4239lot#of$&*special@characters{[]})",
+    "Quite a very much longer string meant to push the envelope",
+    "fsdafsgdfgdfgdfgdfgsdfgdgdfgdmmghnh kv dfv dj fkvjjenrwenvfvvslfvnsljfvnlsfvlnsfjlvnssdwoewivdsvmxxvsdvsdv",
 ]
 
-# tests whether encryption and decryption are symmetrical operations
+
 def test_encryption_decryption_symmetry():
-	for input in testinputs:
-		try:
-			assert decrypt(encrypt(input)) == input
-		except:
-			assert False
+    """Tests whether encryption and decryption is symmetrical."""
+    for input in testinputs:
+        try:
+            assert decrypt(encrypt(input)) == input
+        except Exception as e:
+            print(e)
+            assert False
 
 
 def runpscommand(command):
-	try:
-		return check_output(["powershell.exe", "-NoProfile",
-                    "-NonInteractive", command]).replace("\r\n", "")
-	except:
-		raise Exception("System error has occured.")
+    """Helper function which runs the given command with PowerShell
+    and returns the output.
+    """
+    try:
+        # NOTE: trailing newline characters must be removed here:
+        return check_output(["powershell.exe", "-NoProfile",
+                             "-NonInteractive", command]).replace(b"\r\n", b"")
+    except:
+        raise Exception("System error has occured.")
+
 
-# tests whether decrypt() can handle input directly from ConvertFrom-SecureString
 def test_decrypt_from_CFSS():
-	for input in testinputs:
-		try:
-			psenc = runpscommand("ConvertTo-SecureString \"%s\" -AsPlainText -Force | ConvertFrom-SecureString" % input)
-			assert decrypt(psenc) == input
-		except:
-			assert False
-
-# tests whether the output of encrypt() is compatible with ConvertTo-SecureString
-def test_convert_encrypted_to_securestring():
-	for input in testinputs:
-		try:
-			enc = encrypt(input)
-			psres = runpscommand("\"%s\" | ConvertTo-SecureString" % enc)
-			assert psres == "System.Security.SecureString"
-		except:
-			assert False
+    """Tests whether decrypt() is able to decrypt the
+    output of ConvertFrom-SecureString."""
+    for input in testinputs:
+        try:
+            psenc = runpscommand("ConvertTo-SecureString \"%s\" -AsPlainText -Force | ConvertFrom-SecureString" % input)
+            assert decrypt(psenc) == input
+        except Exception as e:
+            print(e)
+            assert False
+
 
+def test_convert_encrypted_to_securestring():
+    """Tests whether the output of encrypt() is compatible with
+    PowerShell's SecureStrings by feeding its output to ConvertTo-SecureString."""
+    for input in testinputs:
+        try:
+            enc = encrypt(input)
+            psres = runpscommand("\"%s\" | ConvertTo-SecureString" % enc)
+            assert decode(psres, "utf-8") == "System.Security.SecureString"
+        except Exception as e:
+            print(e)
+            assert False
