From 7d705cba2d9e9793b8124e3893ae6b14aa06eb14 Mon Sep 17 00:00:00 2001 From: Julien Vehent Date: Sun, 25 Oct 2015 08:46:27 -0400 Subject: [PATCH] fix aad generation --- example.json | 58 ++++++++++++++++----------------- example.txt | 4 +-- example.yaml | 84 ++++++++++++++++++++++++++---------------------- sops/__init__.py | 36 +++++++++++---------- 4 files changed, 96 insertions(+), 86 deletions(-) diff --git a/example.json b/example.json index fa300e070..03abd0aea 100644 --- a/example.json +++ b/example.json 
@@ -1,51 +1,51 @@ { - "firstName": "ENC[AES256_GCM,data:Sf9dCw==,iv:OtsxqCFAvsDfiUIu+FmMT+9SZZ+hwFXxWAoA/fFt4n0=,tag:UJpAMAlrLm+TMIAkQCShTg==,type:str]", - "lastName": "ENC[AES256_GCM,data:8CSE1Fc=,iv:ZwNczZao5fK44uYH+TU+RwXSC6OHjbBWCrQiO97Ws3I=,tag:ghRiOGqNPvotGEIE80XpRg==,type:str]", - "age": "ENC[AES256_GCM,data:UHBRAg==,iv:79skTitX1Tq8EtiyAYeP6Ir8dAkiporJGSHqRThHh5g=,tag:NhZfAZs64lX/+HtePiOkww==,type:float]", + "firstName": "ENC[AES256_GCM,data:Sf9dCw==,iv:OtsxqCFAvsDfiUIu+FmMT+9SZZ+hwFXxWAoA/fFt4n0=,tag:T+mdTNgbGHiNksabARl0SQ==,type:str]", + "lastName": "ENC[AES256_GCM,data:8CSE1Fc=,iv:ZwNczZao5fK44uYH+TU+RwXSC6OHjbBWCrQiO97Ws3I=,tag:MzyRtngiN63kfHNkBttpKw==,type:str]", + "age": "ENC[AES256_GCM,data:UHBRAg==,iv:79skTitX1Tq8EtiyAYeP6Ir8dAkiporJGSHqRThHh5g=,tag:HJC3yTJS9jqncxqmMbAuCA==,type:float]", "address": { - "city": "ENC[AES256_GCM,data:DKo/DSI8QjU=,iv:ZVT8sB8Lq7Q1l4kRmEpjq78BLXL6VSG5Wl+s0skKz9k=,tag:VQ8t+CtkTd6l20wrQHECPA==,type:str]", - "postalCode": "ENC[AES256_GCM,data:DxjkWjslhRKFeA==,iv:jZYRetIj1Brxj0Dhc6e06NOwQt4nR0wW6iVRN/n5SwI=,tag:L2fq3kQuNyJ04nGGPpJV9Q==,type:str]", - "state": "ENC[AES256_GCM,data:haM=,iv:dZlMji6974EpdMsW+ZF6kGt4cUG2jJiz1mANZLZaMhU=,tag:XMC1iixS6IRf3zMCf5/ZDw==,type:str]", - "streetAddress": "ENC[AES256_GCM,data:KnPa8Gihd9+dHcXZZg==,iv:KA/JWp/fW0BaTvRlc0SHYZPtdVU6Jzryp8L5CHo1a4I=,tag:t2rp4iR0+VtHvNgBgQ/+OQ==,type:str]" - }, + "city": "ENC[AES256_GCM,data:DKo/DSI8QjU=,iv:ZVT8sB8Lq7Q1l4kRmEpjq78BLXL6VSG5Wl+s0skKz9k=,tag:Dtv5h2tivM4E1T/JQmhiwQ==,type:str]", + "postalCode": "ENC[AES256_GCM,data:DxjkWjslhRKFeA==,iv:jZYRetIj1Brxj0Dhc6e06NOwQt4nR0wW6iVRN/n5SwI=,tag:ajqvdmJwFwsMxbLx03/x3Q==,type:str]", + "state": "ENC[AES256_GCM,data:haM=,iv:dZlMji6974EpdMsW+ZF6kGt4cUG2jJiz1mANZLZaMhU=,tag:9F2gABkPf1M7h6Sx9h34Fg==,type:str]", + "streetAddress": "ENC[AES256_GCM,data:KnPa8Gihd9+dHcXZZg==,iv:KA/JWp/fW0BaTvRlc0SHYZPtdVU6Jzryp8L5CHo1a4I=,tag:bb1hmGbEMRbQxi4NITR5iw==,type:str]" + }, "phoneNumbers": [ { - "number": 
"ENC[AES256_GCM,data:qgbbyAXoBbkDr1bA,iv:Y8Z2nBp2yV6ldfAU9Zjsb6gCBLQrNMEqvkwSSZ3Y2Z4=,tag:UZksExiLkAALhZ9w5cJ3qw==,type:str]", - "type": "ENC[AES256_GCM,data:29QEQA==,iv:x+GSbhrTvvNj46Kv1FE1bghPBBAm37sLJVMuclg1OnM=,tag:wDS+sfKLDusWlMgpWidRyA==,type:str]" - }, + "number": "ENC[AES256_GCM,data:qgbbyAXoBbkDr1bA,iv:Y8Z2nBp2yV6ldfAU9Zjsb6gCBLQrNMEqvkwSSZ3Y2Z4=,tag:DmGMtmhmnuWYwhvxvihelQ==,type:str]", + "type": "ENC[AES256_GCM,data:29QEQA==,iv:x+GSbhrTvvNj46Kv1FE1bghPBBAm37sLJVMuclg1OnM=,tag:ZgB+OcAKYZ3vPzy5hKOWWQ==,type:str]" + }, { - "number": "ENC[AES256_GCM,data:z+CGrbAnrTwABu8b,iv:w5BfJFjJtIoXtTbkhhbRsGNP9cvhYiRIzhxay6WIjbs=,tag:JlwuErBmnbmlkWW6oIgdcQ==,type:str]", - "type": "ENC[AES256_GCM,data:e/dNOAmq,iv:ZFoDttfnZIeHnDfbIzT9t2UgLK/0Bf3oFJ1CmN+Ovco=,tag:oWSUu9exCqZakfaHOeWE3g==,type:str]" + "number": "ENC[AES256_GCM,data:z+CGrbAnrTwABu8b,iv:w5BfJFjJtIoXtTbkhhbRsGNP9cvhYiRIzhxay6WIjbs=,tag:eaSOt8CLk1w21uE7+2I0Tw==,type:str]", + "type": "ENC[AES256_GCM,data:e/dNOAmq,iv:ZFoDttfnZIeHnDfbIzT9t2UgLK/0Bf3oFJ1CmN+Ovco=,tag:B1BUM+UwZdCjOgIX52FDTw==,type:str]" } - ], + ], "sops": { - "mac": "ENC[AES256_GCM,data:PnFjXqwLfBi2R+wbe3dJTsb14e0GFiJA18bAVHDKPc1EVXpOHbtI4uswWMsCfSM23lkVLGe9nLo62V+b2KUvQrPt0AQGqCNa6oXZi0sW1rRAHFdV93x6IJ42mwHrz3MOrgbMPp32ZQYmFU0QTqAAA3zu1DW1MajbRIxECDCsOkc=,iv:QJm3YiR1NwFrSTZUMpCqLSemqwyEsg9l1ubCnMO1pP4=,tag:7qZ1+5NbP9DNefZKg1VJ8A==,type:str]", - "version": 0.8, + "mac": "ENC[AES256_GCM,data:IIVPhOc9mNHBL4tYpyBlgi1EgpC3UUd/ndLkT4ZDvn4RmScQzUVkWwblylqR26ObR1U3sTmmQLnE5w/eLugssS+SycPzIWqz7wRWDCbZxrU3wLVV1Qa7BzZDVarKs94FbY+46+9NLL+/M4QcGgfN8aArDj4N3NrCCfazyGSEKuc=,iv:6ukma4Rj0e2027T/S2JWKcqvJwSwT3pDMmJfSGbvek0=,tag:Ek6gppFf6TaaV9J9pIUlKA==,type:str]", + "version": 0.90000000000000002, "kms": [ { - "created_at": 1444233149.795402, - "enc": 
"CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAgB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAwO9pCAxCN0oznQ7x8CARCAOxrIQYZ7J8/aCCnLUf0zLqL96AwfyYS76+g51sLaQlNTMqNGfslT6cZmw24CdsNrvtz8QypP74+pM7Xd", + "created_at": 1444233149.7954021, + "enc": "CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAgB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAwO9pCAxCN0oznQ7x8CARCAOxrIQYZ7J8/aCCnLUf0zLqL96AwfyYS76+g51sLaQlNTMqNGfslT6cZmw24CdsNrvtz8QypP74+pM7Xd", "arn": "arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e" - }, + }, { - "created_at": 1444233151.305619, - "enc": "CiBdfsKZbRNf/Li8Tf2SjeSdP76DineB1sbPjV0TV+meTxKnAQEBAgB4XX7CmW0TX/y4vE39ko3knT++g4p3gdbGz41dE1fpnk8AAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxyg2xy9gTYriI3dBgCARCAO2NVWrAab3DY5GdcLzNxTm8wKkyn/8km/5mxGWZX5zerOgZjXsyFAUW9plckQjRAe1JeXbSjhZq5ev/k", + "created_at": 1444233151.305619, + "enc": "CiBdfsKZbRNf/Li8Tf2SjeSdP76DineB1sbPjV0TV+meTxKnAQEBAgB4XX7CmW0TX/y4vE39ko3knT++g4p3gdbGz41dE1fpnk8AAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxyg2xy9gTYriI3dBgCARCAO2NVWrAab3DY5GdcLzNxTm8wKkyn/8km/5mxGWZX5zerOgZjXsyFAUW9plckQjRAe1JeXbSjhZq5ev/k", "arn": "arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d" } - ], + ], "pgp": [ { - "fp": "1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A", - "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1\n\nhIwDEEVDpnzXnMABBACqAUiwqLNn7w7WyQ6J24oIxPC/9Hx5NmqWLperCA2W3lIM\ndvW8WHP10MsbPaj7CWCkillppKmxkuQqivRvgcxWeSMXbotlnCAfczwDCpf1o1/T\nJctzN4qSBlCpEF+2OyRTEVz22Zd7UfOZqzoJ4e7yA3WiLpe47X5YhpPie0HClNJe\nAZ1zPj9zvAuHLf1ZRthuLwpM40cyjfPmPI0jDknUpfvWV6GueXcozSuJEWJcVBKn\nDyR3mZfWpxPee0CVmuqTMT8OIM2p+5uNNrNWqy5eM8nhY6lRyMxN915xccN36g==\n=LxSJ\n-----END PGP MESSAGE-----\n", + "fp": "1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A", + "enc": "-----BEGIN 
PGP MESSAGE-----\nVersion: GnuPG v1\n\nhIwDEEVDpnzXnMABBACqAUiwqLNn7w7WyQ6J24oIxPC/9Hx5NmqWLperCA2W3lIM\ndvW8WHP10MsbPaj7CWCkillppKmxkuQqivRvgcxWeSMXbotlnCAfczwDCpf1o1/T\nJctzN4qSBlCpEF+2OyRTEVz22Zd7UfOZqzoJ4e7yA3WiLpe47X5YhpPie0HClNJe\nAZ1zPj9zvAuHLf1ZRthuLwpM40cyjfPmPI0jDknUpfvWV6GueXcozSuJEWJcVBKn\nDyR3mZfWpxPee0CVmuqTMT8OIM2p+5uNNrNWqy5eM8nhY6lRyMxN915xccN36g==\n=LxSJ\n-----END PGP MESSAGE-----\n", "created_at": "2015-10-08T15:33:31Z" - }, + }, { - "fp": "85D77543B3D624B63CEA9E6DBC17301B491B3F21", - "created_at": 1444233151.309663, + "fp": "85D77543B3D624B63CEA9E6DBC17301B491B3F21", + "created_at": 1444233151.3096631, "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1\n\nhQIMA0t4uZHfl9qgARAAgQdMpnTNMCdbdFRpBsC9kxi334LbBrFUkp5lI+YzutZy\nSic85ea06FGL3O93tII9mwGAsESwKlN4nX0d31vuh/lYxMDakyd1IK/BkMG4Z1xG\n52MsACG/pyitMBXkIIyjmR0tVR+CixDsy5cUJxoWq+mfuE2ywziPY+KbEZ50hFXg\naAdKCdInXlLHdId+aXhThhXUGN1seQjtdyZjVXnp8c9hHS2YQdyp/SZf47NJ4A2y\nkO40kNS4oaHUUZIZLtzaFhWytZlpWEJJkIgH/vefL3jLW4SiIiqz24wr7MncsF+A\np8Pteulc5VrvA5CzQIq9qF3Zwn9HV2a0KWLZ/J29EYzSM8u9HLOYqsmNKt0TcVbX\n6eoG3JTJoRDrzO0DZvR3pMm4gQ0WXzHKzpu8g+JYnoQ19AMWJAPbTp5ej3MWHcXD\nXFjz4gsSYbwc4h/zVBOWsYoHlyTLUMwg2BA1YiL89xs8MIhIHOAmvM0mv+QuZQ7S\nCfc1mS04CZSmJvTcNkvE5n76n2iXs6nYNk8TYyQlhYebuQmJQKJuUYjKIHhuxZFa\n30WaSGnKHqIQn1pl7jqyqm8sVTzaKMyhbM0T+UQUJhXcWVr7r+CtRAt8XjVnJMvo\nviJwTWy1Ddo0Vu1licMFJXMnQbQlVh+CZS6FHqcbxfPaYfe7JldGmhwKg+F/NEHS\nXgEf78iLm3FNb4yeOkB/z2xjiZ3XvUAQjsUK5ofF1CJYcQ//YIFex1oO55Z0+qIt\njdDtqivLgf4SFRf0uhOxUrQNuFAvY361F1mvrGPcTubh/Ygq0aVzWzgC9gn7DTo=\n=uQw0\n-----END PGP MESSAGE-----\n" } - ], - "lastmodified": "2015-10-09T13:18:13Z", + ], + "lastmodified": "2015-10-25T13:54:31Z", "attention": "This section contains key material that should only be modified with extra care. See `sops -h`." } } \ No newline at end of file diff --git a/example.txt b/example.txt index f74e2c7c6..d53b3d58a 100644 --- a/example.txt +++ b/example.txt 
@@ -1,2 +1,2 @@ -ENC[AES256_GCM,data:Q0wnzAzEA+eYHxJcLu84qY6HWU6U8WD9jj5sgnx18oTvXGOJs42mLn0UUe944sB4rROV6BK6vL11YnIad5aNE9O7UC/DNsbQklB3p73olHCwCmIPErQch0Ir8gGlsQjXYb3isWgIl1jee9bFvPtNKdVojYV6clTaSGfBtAC67wC9TRT935AbzOlpdfa1G5jQiq89zHNebytGZtU=,iv:FdFKnnAlai/yZi8/O/eFNtaBWQGdETjTuVByAQ21xO0=,tag:Y1K0tobkjUPDkAXWZG3uSw==,type:str] -SOPS={"attention": "This section contains key material that should only be modified with extra care. See `sops -h`.", "kms": [{"arn": "arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e", "created_at": 1444233233.692422, "enc": "CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAgB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxatks17s0ZWQIyPi8CARCAO65vxmVs4SOASbNDdnwdeOlg75rz7oeqWId2JyQU8sNyz7+TNvvsLIjIR50AGMwnbMIgTmbM99LDi6Vo"}, {"arn": "arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d", "created_at": 1444233235.129884, "enc": "CiBdfsKZbRNf/Li8Tf2SjeSdP76DineB1sbPjV0TV+meTxKnAQEBAgB4XX7CmW0TX/y4vE39ko3knT++g4p3gdbGz41dE1fpnk8AAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzI3YJKPROE+fG2vJYCARCAO2IeX+3IeMkOOOsQauVrUTP9FVFmcmpXYDT41PDt8nhFvU/Q9RUUoVG1OLeWK+KBDZgu1NWGeUTN3TTs"}], "lastmodified": "2015-10-09T13:18:39Z", "mac": "ENC[AES256_GCM,data:Z2paQGLI4W6smiCB6Zfk7pec5UqPt89zBMxGNvEtcYwEivWXwAP8ueDXOzhtFEopZ1NhYX/KJrbHU4sLiI9ZjntpdGGEfzsreOXCDWLQMGnKryM1kWmc+XcsdPeq1T0i9wrY+NUy33zIYCB9UdoLKTzBEjmRPESc+Obz5ZARy4E=,iv:abqIls895sMngznd2K3kT/VsTYe/Tw0+h3HwsiT/QVA=,tag:tLUXl8MPdbe17ROY8LIphA==,type:str]", "pgp": [{"created_at": "2015-10-08T15:32:06Z", "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG 
v1\n\nhIwDEEVDpnzXnMABA/4uvvk2EDmAkmHKu4RMTq/NGSK7ZXuY7QATPdT+M0lkQGV4\nVmHlVVXe/y2qr5ouI+k3In3Fk7HR5yFDH5G2Jz3PwuosLVw3M2XmNXZ8bvcRcvKB\nI+6WNGOC2M1bvVeqTETL77nyd5fRuhDFVjQtf/oYym6IGiX9S1UH0Mx3rkDNyNJc\nAfVY+u3DNvLI5VDXMms/XQOkwEYiCL93QnWgGbSVxDXPRp3rDXTeoWEzZNXadJ6E\nKNEnToUnVXrjOH6YwHsjDc6p6djaONxlKhy+kEdoM/+AX04ukdgvyacUfbg=\n=kYWb\n-----END PGP MESSAGE-----\n", "fp": "1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A"}, {"created_at": 1444233235.135862, "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1\n\nhQIMA0t4uZHfl9qgAQ/9GNa5B4AkO7UODicvjpsgEGLd++1mJteKOwww/08src+H\nnfe/VtTvOdCNVNwvkeKtANvM5DCX9RVTjul4SH7iKd/O9XmTFXA66fhgAbRmEczm\npzQXog/res0u/q+mVwdSDqx/6qBViIcz1Zgc5oFnAneRlAke2/UsNFuFbtaQDZZh\nuralZFdrLx/DWjqEWXEh9D+caek2z/Tjhl/PQ6JNPEa7aZfMLjuTuaoPkSgd87Zc\ndnz/UL77Wx1zdv/cLtO2XvJhOvi0BF9dkg4evouTtNJs+WjQvkBCAijwdC5JdjTz\nWj4mV4H/YdlOn+j2ng3GGmF6GIX5x9FLLD5a9PjSgHVvAH8ZpXkCVY2U8e7QAW7+\nv3KLKGZFWvke62pmypj3777Z5MBj/SJAlzmuPdCLQCXIIpozqK4N4qTvg4Rt5TsN\n8YH9HYfWhX6fHvd67alwrz4IV3g1LgCKCGQd0EXl8pjYwErspGym3UOyZKSD4dDb\nH8zdbr2bQxZ2dJR3o+DVTdohfFjxUqHAZ8bO3vkUT4xblY8n2NnIUWxw3tDHdV/6\niXWVfRcgsIRmFM8qZ7CwwxDZFgLGY3oPhzNmze+B1g5xMG/l4MbKwjCb2EQ38CDr\nDG11GMG5ewhZUDwry4aDpxQMUhvuLBupve+caHzs62zTyWxurwLwfzOHbUyCxbjS\nXAEQ++zCoKncWsAxJdaoIvAvTJBEJeRyGToPESe8iYjmkT1jYZCMj30opOmOZ94M\nE0X4OYpb8FGL/QhOASMe8eW+wYUycySePsQZaQfdIkky7olIsMTBQmSxB16D\n=lXuh\n-----END PGP MESSAGE-----\n", "fp": "85D77543B3D624B63CEA9E6DBC17301B491B3F21"}], "version": 0.8} \ No newline at end of file +ENC[AES256_GCM,data:Q0wnzAzEA+eYHxJcLu84qY6HWU6U8WD9jj5sgnx18oTvXGOJs42mLn0UUe944sB4rROV6BK6vL11YnIad5aNE9O7UC/DNsbQklB3p73olHCwCmIPErQch0Ir8gGlsQjXYb3isWgIl1jee9bFvPtNKdVojYV6clTaSGfBtAC67wC9TRT935AbzOlpdfa1G5jQiq89zHNebytGZtU=,iv:FdFKnnAlai/yZi8/O/eFNtaBWQGdETjTuVByAQ21xO0=,tag:WxJoPC4YGoMCx3QbrSvJ7Q==,type:str] +SOPS={"attention": "This section contains key material that should only be modified with extra care. 
See `sops -h`.", "kms": [{"arn": "arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e", "created_at": 1444233233.6924219, "enc": "CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAgB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAxatks17s0ZWQIyPi8CARCAO65vxmVs4SOASbNDdnwdeOlg75rz7oeqWId2JyQU8sNyz7+TNvvsLIjIR50AGMwnbMIgTmbM99LDi6Vo"}, {"arn": "arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d", "created_at": 1444233235.129884, "enc": "CiBdfsKZbRNf/Li8Tf2SjeSdP76DineB1sbPjV0TV+meTxKnAQEBAgB4XX7CmW0TX/y4vE39ko3knT++g4p3gdbGz41dE1fpnk8AAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzI3YJKPROE+fG2vJYCARCAO2IeX+3IeMkOOOsQauVrUTP9FVFmcmpXYDT41PDt8nhFvU/Q9RUUoVG1OLeWK+KBDZgu1NWGeUTN3TTs"}], "lastmodified": "2015-10-25T13:55:01Z", "mac": "ENC[AES256_GCM,data:vh99DgltlYdUECiiK/XW5JnBaZKX43Eb0RJ4Xc7KITVU0LCkfaSA9kgIfw4zWu6ieo1ENFlWrxx8iM04gROoalMcA/+VIs/yQTacpA19/oWmKSdN3bHW6lLTOVAWEQWIO7gjnrYuWA8fzSP4PopiMDE6unVJoC4NhrohgTxdQps=,iv:09HRNaX95n0JD6Avo8DoXBJJGuBWx7lMjK9y+icgeJA=,tag:UAAP1+A0ZNBDKbug5ZQHhw==,type:str]", "pgp": [{"created_at": "2015-10-08T15:32:06Z", "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1\n\nhIwDEEVDpnzXnMABA/4uvvk2EDmAkmHKu4RMTq/NGSK7ZXuY7QATPdT+M0lkQGV4\nVmHlVVXe/y2qr5ouI+k3In3Fk7HR5yFDH5G2Jz3PwuosLVw3M2XmNXZ8bvcRcvKB\nI+6WNGOC2M1bvVeqTETL77nyd5fRuhDFVjQtf/oYym6IGiX9S1UH0Mx3rkDNyNJc\nAfVY+u3DNvLI5VDXMms/XQOkwEYiCL93QnWgGbSVxDXPRp3rDXTeoWEzZNXadJ6E\nKNEnToUnVXrjOH6YwHsjDc6p6djaONxlKhy+kEdoM/+AX04ukdgvyacUfbg=\n=kYWb\n-----END PGP MESSAGE-----\n", "fp": "1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A"}, {"created_at": 1444233235.1358621, "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG 
v1\n\nhQIMA0t4uZHfl9qgAQ/9GNa5B4AkO7UODicvjpsgEGLd++1mJteKOwww/08src+H\nnfe/VtTvOdCNVNwvkeKtANvM5DCX9RVTjul4SH7iKd/O9XmTFXA66fhgAbRmEczm\npzQXog/res0u/q+mVwdSDqx/6qBViIcz1Zgc5oFnAneRlAke2/UsNFuFbtaQDZZh\nuralZFdrLx/DWjqEWXEh9D+caek2z/Tjhl/PQ6JNPEa7aZfMLjuTuaoPkSgd87Zc\ndnz/UL77Wx1zdv/cLtO2XvJhOvi0BF9dkg4evouTtNJs+WjQvkBCAijwdC5JdjTz\nWj4mV4H/YdlOn+j2ng3GGmF6GIX5x9FLLD5a9PjSgHVvAH8ZpXkCVY2U8e7QAW7+\nv3KLKGZFWvke62pmypj3777Z5MBj/SJAlzmuPdCLQCXIIpozqK4N4qTvg4Rt5TsN\n8YH9HYfWhX6fHvd67alwrz4IV3g1LgCKCGQd0EXl8pjYwErspGym3UOyZKSD4dDb\nH8zdbr2bQxZ2dJR3o+DVTdohfFjxUqHAZ8bO3vkUT4xblY8n2NnIUWxw3tDHdV/6\niXWVfRcgsIRmFM8qZ7CwwxDZFgLGY3oPhzNmze+B1g5xMG/l4MbKwjCb2EQ38CDr\nDG11GMG5ewhZUDwry4aDpxQMUhvuLBupve+caHzs62zTyWxurwLwfzOHbUyCxbjS\nXAEQ++zCoKncWsAxJdaoIvAvTJBEJeRyGToPESe8iYjmkT1jYZCMj30opOmOZ94M\nE0X4OYpb8FGL/QhOASMe8eW+wYUycySePsQZaQfdIkky7olIsMTBQmSxB16D\n=lXuh\n-----END PGP MESSAGE-----\n", "fp": "85D77543B3D624B63CEA9E6DBC17301B491B3F21"}], "version": 0.90000000000000002} \ No newline at end of file diff --git a/example.yaml b/example.yaml index 5dbb974e4..7856a6b40 100644 --- a/example.yaml +++ b/example.yaml 
@@ -1,63 +1,71 @@ # The secrets below are unreadable without access to one of the sops master key -myapp1: ENC[AES256_GCM,data:UpXlBAV263+rZdQu4BRia0qXMDhm,iv:rnp4FZeiduOpvuVINNqDFEyLXJalg/UxKBb0TwcZBQ0=,tag:Xv0iAKLeAKqTxa3C8UPHZg==,type:str] +myapp1: ENC[AES256_GCM,data:Lu8R0GhsXNZghMz2nQhMY+g4cIez,iv:F93qChfY13N0AYf1Lea9g7TeJ7JUSwK/asHkrYqCYHU=,tag:FlDZqR21nmiyuRFJQsp16g==,type:str] app2: db: - user: ENC[AES256_GCM,data:DcCb,iv:XOc8876U/AgIaG712CNrdigwQjjkuIaIYfX2H7cv49I=,tag:Vhuhu7C1anuWc9rNBwVbDw==,type:str] - password: ENC[AES256_GCM,data:/lxxfM7WVw==,iv:cR1XPolF6ur/lIJeT3lkeIeMqlGcVzrJRTD//f/JoQ4=,tag:+wrUc73/iR2kB36CNdXfFA==,type:str] + user: ENC[AES256_GCM,data:7QZ4,iv:W+zTDj2CwBjpAmAFZAjQ2RDDLhq0Tk/3rEcZbdgB2No=,tag:6psopjJ1G/o2lzcGeuWbFw==,type:str] + password: ENC[AES256_GCM,data:1kWyBaqP3w==,iv:7AiNASKexyCy0nyqnm4XmIZCUeQTTUl3tdadw08gZsw=,tag:lCF41WwaaMiDWy8o4sknUw==,type:str] # private key for secret operations in app2 key: |- - ENC[AES256_GCM,data:78VMY0v+DvYl2LePvuDsN4SeyPQK9uBPE9L/kadbUgFF3S36OgWu4XJnDnpZfHRfsRDqlJM+mF2vze6+psRy+5o1O89FlOFpRykicV96kpToCM1TyaVzlQs0bAUWJ5S3H/pStQvU03E2Avx2KR5pxvOajPkb4orfU3nkgmnU8SJSZcLgmxC2eQgkx5ajXcQ26CLvQreczOGFtRGRo9WP3ePg93S4DcDrwjWsIqoMwS+2Pv+iAGVy+bhSleKe8WpmhtCSBpwlq9vNiykPEXktAhBugDyWgkLtTnAL3VcJ7z8xWoKIdGPBIMTgGk8Vdkuc0z6Y32bhyRvJr2xg08lZZDwyzpmP8+qSTi4gc/y4C8B8hIm6ldQMImSvdKNFs3yehxMTnensy/qT8wisX9UELaFClJZDRqgF2g7+2Oeci3c7RNa0HXt+qMjUREQ1Px4m3mi2AAvxU/bOduBmf/d0eyR/jn5I1wbDWH/IHkulfF0eAezG3PYS5BIkoN4iluPX87RBkxKjzkQmMUQCBb0pPSVjbVdTzKyhZD2gpca5rrxw3jbUU7wObfWO9EWxPdvzxxr/8Ul4rWzpohL+/2B0+SjHCOq4ZMk7wR4Y4dnZHd8gHb6U59g6ayelaYv3RCP4bHrW7dWYgfCeqKErsvGqzik=,iv:rOwVWlkdSomHVVXwBwxGLUgbsPvPBqnV7E12gcmmzlY=,tag:dliz9mVOhTA4zfBsCGVyqQ==,type:str] -number: ENC[AES256_GCM,data:FveYIOa4aPM4HvGm5w==,iv:7/CYCTI4aLHoYS2T3sMhibReeO29opiqzyMIXUvVD3w=,tag:3Rn+oZ+1PS7DYUlGCWJMQA==,type:float] + 
ENC[AES256_GCM,data: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,iv:IboZbpgTJXBGBv//zB6p+KWjPCucfMyBfbS8AaNxwxM=,tag:KstjLUAjPdw7/yM1PgS7lQ==,type:str] +number: ENC[AES256_GCM,data:jEgbjfL7+SCTSosGPQ==,iv:spC5b7q41H5zv8YLjgQJzpep4s2/K31CrG9M9ejOYT0=,tag:UQAh66JSlYHxFsaAJWM8MQ==,type:float] an_array: -- ENC[AES256_GCM,data:kUbSpUwaGDtAcyI=,iv:94+201+1O3Sb9SgY7kc/1QWE9H1Tk1oN42A3OshBsb8=,tag:ciZwcgXAfhhrqltDWM7ZTQ==,type:str] -- ENC[AES256_GCM,data:pZWqRK5ZYpOfGHw=,iv:kSqcJz3/t78O+xDQkBDvoG6pxA1w5uzNAMlEBgnkRR8=,tag:RvniVpPKwr/o/VAvFrxqSA==,type:str] -- ENC[AES256_GCM,data:oAkO6uRAV70w+ZOSScMLzUk5rtwybj0epc2tesZkeXuNuM9R0I8l34yQ2/jjCEgLcGYtqB6+i4ljGg==,iv:bniytY7Y+oZen0T3OjBBlQMoHVx4TwnYUI5IgHbf2AY=,tag:7CRdL76zQkwbumga9kWgsg==,type:str] -- ENC[AES256_GCM,data:n5ZMVViz/IZwqRDgIljrQg==,iv:8A9X2UyYwyGsFKwoTO1MH69MCpUa31QJ3jSgde9i2Pc=,tag:vG4j9Y01cVg+oJ7peeA6PQ==,type:str] +- ENC[AES256_GCM,data:rWwz6kkyFwYLO+I=,iv:wmx12WrPQlvPkM47AdjkJ6lqu5EDQILy+gWEySS5+L0=,tag:HLOb5MlYHt7D7vz6YUe2IQ==,type:str] +- ENC[AES256_GCM,data:BGylHf7DWr5GdFI=,iv:hjeunPNNIXUEMTRNOQZqToJ07uEEeCkwNjF2qXiQq/8=,tag:ldq/VuEYPdoQOKD/jQvLbA==,type:str] +- ENC[AES256_GCM,data:ZF4QnOTjJIcK18fsBT3dQ7bz4wHi3pu7Z43YSOn+i+yvRlEHl4jooeRbnfHkl+9sTVQcBtUUtGPBbw==,iv:hIOfO68FLrX1BKlGEmCRP6WAII43eSuxb+tyECr8jjc=,tag:gqYothutne6ao10Dqq0K8A==,type:str] +- ENC[AES256_GCM,data:dyM1KSNFG4M1llxe1q859Q==,iv:9LkBElhS+xOEtS0nFlTCRU0uVMTwhMpG+gxX6OsFdL8=,tag:R5f+uaPJiH49EJdBD/wM6w==,type:str] +somebooleans: +- ENC[AES256_GCM,data:8dRL+w==,iv:UeD05OGraBU42aaG3DVwGUBycWSKLmSSuOP5sfRe6t8=,tag:XfJ4E7bb0AOr6LpLFRC3dg==,type:bool] +- ENC[AES256_GCM,data:d0Cpo+Q=,iv:BG+aIgUfHwdVRxvv+Nh1PQPnErQWVeDmlGiWparFLts=,tag:9Nne/LYstnqFFGLEh8XD6w==,type:bool] +this: + is: + a: + nested: + value: ENC[AES256_GCM,data:TzfuYK7BOwJlmlxydTmtPKlfIvSxoaIMiqrt,iv:q+YKcwFOImx8VX4Ti1ECjBWLz32gtkxzBDq12uOsmvk=,tag:GXz+BkXKbblwfEc/dZLgzg==,type:str] sops: - mac: 
ENC[AES256_GCM,data:uASXtE/p4eVE82+bMzctzxVZJDhjXsa+E+U9WgSEhQ43exet2edQ4ClvFl0C1oVGLbDwoeSoG3nYJ+08TrPtclEpuLpUNJaySiPwnjbCxbImw494UYVmK7WSfNcSqLmX9KEKM0VJr8cxc2A29uF2cZDNG1PB/gRoNfvWX+ax784=,iv:HMICJ1axBjGuukEc8iF8KOAMY6F+Z77aodJiMh84ZqM=,tag:9ZbE3oUermAWNMTV0LEyfg==,type:str] - version: 0.8 + mac: ENC[AES256_GCM,data:e3y7iNcEW4XuADj02f8mqJpA1I3nNkzk2Hx2k7NjT7KAyYF0fZGwVaOYu0/nIADUp0rSknJY827W++TcRfyM2iwRQ1FH7ydLWCYZsiL8UJtC7SrTy1goAxqCvUpJX5YlgB3jZLw9XmkxSCQ/oHT6JWwyqLtVtuHV6zWUds4s5Oc=,iv:WFMmLUkiuEL3ILZaP5RRx+uPOTjHFv+FNJUR6GJvZjI=,tag:G4+LNwAXecQrJLJs1g+2BA==,type:str] + version: 0.90000000000000002 kms: - - created_at: 1444233191.408969 - enc: CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAgB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzV1o6Prf6blP9lLM4CARCAO+JL69F23WaIi3c2mQdHBTSUf1OdyRTq0+yFYxZCmCARmYAM3GEnTiuFMMCFP4I09TJJBBuc58/RTM0u + - created_at: '2015-10-25T12:52:27Z' + enc: CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAgB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAykG26ZbESEOy9KtoQCARCAO4cK6asAUiZBDmIgWk98BTvxUkvUmXYF2dxkP+Pr6F+r2oO7jhyB/FqyV5WAHCmdljs6DzBvB0FSKgdL arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - - created_at: 1444233192.474385 - enc: CiBdfsKZbRNf/Li8Tf2SjeSdP76DineB1sbPjV0TV+meTxKnAQEBAgB4XX7CmW0TX/y4vE39ko3knT++g4p3gdbGz41dE1fpnk8AAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAww2lEDZcq5evsCFcACARCAOxuzZh55fs9x7WE/ZpiRKIG85bvTWVn8wFnFozK/dT3tlPmNv5JwGiXQw1BG6e+fw31npvcGoIvzkwje + - created_at: '2015-10-25T12:52:27Z' + enc: CiBdfsKZbRNf/Li8Tf2SjeSdP76DineB1sbPjV0TV+meTxKnAQEBAgB4XX7CmW0TX/y4vE39ko3knT++g4p3gdbGz41dE1fpnk8AAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyCYH1/pZUBOw+MIuwCARCAOxndAiSkud0QizKFYXWI1u0/EJO5+QB5vU6L++f8O8fxPl49Jt3vryWwUJHpL8qQ/J+SqJ4d27A2OV4+ arn: 
arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d pgp: - fp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A + created_at: '2015-10-25T12:52:27Z' enc: | -----BEGIN PGP MESSAGE----- Version: GnuPG v1 - hIwDEEVDpnzXnMABA/458VE1tAIAgviKuG5g/Mv7CUf0abIz4PjMYkNKtqszClGb - 1yjyDxHkn+zBgs+Xp7YftDEhKIafmEVfeC5V0V6DMfNHdGu5h4mjuv+Hlm2rBbMK - PwCZcconWKKYPZskT7WTfaY/WTi+WtDvo6kxYB3+D8OGFF5uzGZyqQZ6kQghYdJe - AXO1DKKbxc/pzxAmnnSsKCksv7kvHAokGSQPuBhZ/tufjwH+BKPQU0Ivh9jpVjuK - JB6E7XZ02Qtt9yTXGkojZxBUD9cZJxe4De/X1MbXWgVAJ0J6ShkeFNl1PS44ig== - =oYdL + hIwDEEVDpnzXnMABA/9tz5qIUwbl6KRJNkP2wTzj7cvIb/7esm3AN85nr6Dli5t0 + bzzq2OF6WGuyzBGJVLFwaizSFVVgLcxeNnMMgJWH5llt4kp8gJxcBfLgYVvlYm+g + Wguqmj0Ecx2/XbpqReEM4c68uFvQqEsKURRanFOnweb03IJfem05xPE+jwmvCtJe + AZLwWIpuP6qDY1DzEFZ07A0bmixal3c7OAIQSxM5hw4KAJJAilKbLEVqF5OjBn/D + 7qDIh9PqfdGnEAfREfbJFL0zH9xQxEPZ1l1DSNN9ZnHMv+UmiGAX9gCN2OjX0g== + =YXAh -----END PGP MESSAGE----- - created_at: '2015-10-08T15:33:10Z' - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 - created_at: 1444233192.486551 + created_at: '2015-10-25T12:52:27Z' enc: | -----BEGIN PGP MESSAGE----- Version: GnuPG v1 - hQIMA0t4uZHfl9qgAQ/+IzDsOY8rkovkbo/yECCO3yzdLBIueeQU9EpVNo85r6Dm - tDmBoQ0YmBNdFSQ6zO01N1S6IOrTshHZKkLlBjjDamSxZTyCvwMTHvDJUg1fV8h4 - QRllZmfeuIHqWCzAiIyEUHfKak0nJ+qGQtjJBMSHnHiTTnHGBA24WtgAAbbqcKyV - 7FFMNt3PNVe5GQnXfFwGLIDm5Pge83QN2JgYaeOaR2KAeGR7tPGi1k66qE1R8+lq - 7B5F92VQdAuC0dy2i09bZmzKbegDFl713D1vdvv1u60EFnCiaIGQs4r+Dob+EK1n - k8MTP9PwTW2LO/ShmLTJ1gOx+r0EWi+uebzPee566HYUOB0NMd5wx56vxxsWbmgo - OLA4/SWiWUz9N3ARouEccRlhCmGBepHBAzsFloz/SxP9/LmpkYr7e1AVaiVXKSGU - zQVzhb7EqBKzisDsvQXgZvu6apitz9OO3fXud7JaRfq8CFBCcn+iAnwfAup23STT - FXv+g4deuhJRaUdDLrZyWvoCES95dmDFrrfVUFzpSWAYqJjS0OKvbPY2TLJB43Ip - mepaMJ5RCPJuzT1yeG02HTTzA0Zkbdk2Iez3IJZBTRoKHfdCrOTQgudEF/v0TOAm - 2KQEfzQv/pcxvlPsR4ElOMr2yEtHHKdbNZq8dyuAMArXOSFU8SlDiXgTLqivw1XS - XgHy700JO7oO7Ii9WGV3J1L3TfAjd+uPTYqKsD67IKAJmUc5zyy+CrpL8l1OQ50b - 
FcjpqVkpIdddl1AUuY5NVBc0Xkhglz244o+xjIkULVLdlAFFGpv5CnXMLOOm5Bs= - =MGKv + hQIMA0t4uZHfl9qgARAAjQrSvwlR66cwzHM9HkzvKcfXxy71mBwCjVYR/dazz+Bg + WWyAOsaZ9lPnR1K7ANaiKPtsF6+drEWokUsHdDc4waYMYX4Ha7kjXr9CfbrlhM6Y + gI0PrRI17Un85HjeHQYp/Vndw8c4ZKV0tOKKGGiWA+GAXiM+fDrSJBSt8wy6SJtY + t+T1Wl/VEmyvLGM9VGK+MI6Htyy2FCH0kWQ8wBA9iJv59MvBTR2s3FhdGovosk7k + 1PIRV3M5A7yjOMgHkvdC149BfqBLGcUYM+1xwXLJOGX04eCD8Y/XT41NRMH44rfq + ev6LEVJlqi50DhagkBdPp/FTpFLhhTRfkIISz236XPzZC/zDXLBSQt5DbwqymsVy + WTavSqDmOQFX2Zir+nlZcKwwCsY3funZm9jVefuQmphN+yXRM2VkK67goH5ZMeGI + uFU3xzuhyibYH/YgJT8g0fTYeiaKzcIicwN4klkhpnckrHSa8brMTYK1eZ+olB29 + XnbCM6unDnaKDJGarD9reDQt91lRsENUkj83mOrHdtGQigV2fbv3+KtfXvW4Q8Fq + lcq5oLRTch6RAcSbQfTL9fK6AjPbWZX97JjAZbeSY+HI6YRGL+Iaf26sHbZQTcuS + rrx0vX2rvkQSwdZ+ZfKC9az2/9hPjWkDLyhu5WE3KIq/SlsDl8pTLXzarGeEPN7S + XgHWXXf18MxU482uhGAysV50jpmnJXQk4SCM8QHZMqgKIDmJD4E6hq6WqEi1AR2C + 8HwuI2CMQ9skRKtoQJUV1gdSXuLYWzfJKCv0nrLk6Ot94QQV9RsxMeKaqf2V47o= + =ca1h -----END PGP MESSAGE----- - lastmodified: '2015-10-09T13:17:59Z' + lastmodified: '2015-10-25T13:55:10Z' attention: This section contains key material that should only be modified with extra care. See `sops -h`. diff --git a/sops/__init__.py b/sops/__init__.py index 0c60d45cf..1baa8a4f3 100644 --- a/sops/__init__.py +++ b/sops/__init__.py 
@@ -469,26 +469,32 @@ def walk_and_decrypt(branch, key, aad=b'', stash=None, digest=None, """Walk the branch recursively and decrypt leaves.""" if isRoot and not ignoreMac: digest = hashlib.sha512() - + carryaad = aad for k, v in branch.items(): if k == 'sops' and isRoot: continue # everything under the `sops` key stays in clear nstash = dict() - aad += k.encode('utf-8') + caad = aad + if INPUT_VERSION >= 0.9: + caad = aad + k.encode('utf-8') + b':' + else: + caad = carryaad + caad += k.encode('utf-8') + carryaad = caad if stash: stash[k] = {'has_stash': True} nstash = stash[k] if isinstance(v, dict): - branch[k] = walk_and_decrypt(v, key, aad=aad, stash=nstash, + branch[k] = walk_and_decrypt(v, key, aad=caad, stash=nstash, digest=digest, isRoot=False) elif isinstance(v, list): - branch[k] = walk_list_and_decrypt(v, key, aad=aad, stash=nstash, + branch[k] = walk_list_and_decrypt(v, key, aad=caad, stash=nstash, digest=digest) elif isinstance(v, ruamel.yaml.scalarstring.PreservedScalarString): - ev = decrypt(v, key, aad=aad, stash=nstash, digest=digest) + ev = decrypt(v, key, aad=caad, stash=nstash, digest=digest) branch[k] = ruamel.yaml.scalarstring.PreservedScalarString(ev) else: - branch[k] = decrypt(v, key, aad=aad, stash=nstash, digest=digest) + branch[k] = decrypt(v, key, aad=caad, stash=nstash, digest=digest) if isRoot and not ignoreMac: # compute the hash computed on values with the one stored 
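Review bot: The `b':'` separator in `caad = aad + k.encode('utf-8') + b':'` does not make the path encoding injective, because a key may itself contain `:` — a leaf under the single key `a:b` and a leaf at `a` → `b` (constructed example) both get the AAD `b'a:b:'`, so a ciphertext can still be moved between those two positions without the tag failing. Encoding the key unambiguously before appending it (length-prefixing it, or escaping `:` inside it) closes that gap and can be gated on a later version exactly as this hunk gates 0.9. The first `caad = aad` of the added block is dead, since both branches of the `if` reassign `caad`. The gate compares a float (`INPUT_VERSION >= 0.9`) and the regenerated fixtures in this patch serialize that version as `0.90000000000000002`; parsing and comparing the version as a string or tuple would avoid float-formatting artefacts and a `0.10 < 0.9` surprise later. walk_list_and_decrypt is not in the diff, so I cannot tell whether list elements get the same version-gated AAD; if it derives per-element AAD it needs the same gate.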
@@ -577,22 +583,22 @@ def walk_and_encrypt(branch, key, aad=b'', stash=None, for k, v in branch.items(): if k == 'sops' and isRoot: continue # everything under the `sops` key stays in clear - aad += k.encode('utf-8') + caad = aad + k.encode('utf-8') + b':' nstash = dict() if stash and k in stash: nstash = stash[k] if isinstance(v, dict): # recursively walk the tree - branch[k] = walk_and_encrypt(v, key, aad=aad, stash=nstash, + branch[k] = walk_and_encrypt(v, key, aad=caad, stash=nstash, digest=digest, isRoot=False) elif isinstance(v, list): - branch[k] = walk_list_and_encrypt(v, key, aad=aad, stash=nstash, + branch[k] = walk_list_and_encrypt(v, key, aad=caad, stash=nstash, digest=digest) elif isinstance(v, ruamel.yaml.scalarstring.PreservedScalarString): - ev = encrypt(v, key, aad=aad, stash=nstash, digest=digest) + ev = encrypt(v, key, aad=caad, stash=nstash, digest=digest) branch[k] = ruamel.yaml.scalarstring.PreservedScalarString(ev) else: - branch[k] = encrypt(v, key, aad=aad, stash=nstash, digest=digest) + branch[k] = encrypt(v, key, aad=caad, stash=nstash, digest=digest) if isRoot: branch['sops']['lastmodified'] = NOW # finalize and store the message authentication code in encrypted form @@ -635,16 +641,13 @@ def encrypt(value, key, aad=b'', stash=None, digest=None): if digest: digest.update(value) # if we have a stash, and the value of cleartext has not changed, - # attempt to take the IV and AAD value from the stash. + # attempt to take the IV. # if the stash has no existing value, or the cleartext has changed, - # generate new IV and AAD. + # generate new IV. if stash and 'cleartext' in stash and stash['cleartext'] == value: iv = stash['iv'] - aad = stash['aad'] else: iv = os.urandom(32) - if aad == b'': - aad = os.urandom(32) encryptor = Cipher(algorithms.AES(key), modes.GCM(iv), default_backend()).encryptor() 
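Review bot: `caad = aad + k.encode('utf-8') + b':'` applies the path-based AAD unconditionally, while the decrypt side in the walk_and_decrypt hunk above selects the scheme by `INPUT_VERSION`; a pre-0.9 file that is decrypted and re-encrypted is therefore written in the 0.9 scheme and must carry the current version in its `sops` block or it will no longer decrypt. The hunk does not show where `branch['sops']['version']` is written, so I cannot confirm it is set to the current version rather than copied from the input; a comment at the `caad` line would make the coupling explicit, e.g. `# always encrypts with the current path-based AAD; sops.version must be written as the current version, not INPUT_VERSION`. The `:` separator has the same ambiguity for keys containing `:` as noted on the decrypt hunk.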
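Review bot: With the AAD now derived from the key path, `iv = stash['iv']` reuses a GCM nonce under the same data key for the same plaintext but a different AAD, and the regenerated fixtures in this patch show the result: in example.json each value keeps its `data:` and `iv:` and only `tag:` changes. Emitting two tags under one key and nonce over different associated data is GCM nonce misuse and weakens the authentication key, so reusing the stashed IV is only safe when key, IV, plaintext and AAD are all unchanged — then the output is byte-identical and nothing new is emitted. The stash should therefore also record the AAD the value was last encrypted under and fall back to `os.urandom` when it differs, e.g. `if stash and 'cleartext' in stash and stash['cleartext'] == value and stash.get('aad') == aad:`, with `stash['aad']` written wherever the stash is populated (the removed `aad = stash['aad']` line suggests the slot existed). The enclosing `encrypt` body continues past this hunk.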
@@ -654,7 +657,6 @@ def encrypt(value, key, aad=b'', stash=None, digest=None): "tag:{tag},type:{valtype}]".format( value=b64encode(enc_value).decode('utf-8'), iv=b64encode(iv).decode('utf-8'), - aad=b64encode(aad).decode('utf-8'), tag=b64encode(encryptor.tag).decode('utf-8'), valtype=valtype)