2018-02-02 09:29:52 -08:00
|
|
|
#!/usr/bin/env python3
|
2016-05-20 13:27:20 -07:00
|
|
|
from __future__ import print_function
|
2014-06-12 07:39:29 -07:00
|
|
|
|
|
|
|
|
'''
|
2016-02-10 07:46:58 -08:00
|
|
|
Use TREZOR as a hardware key for opening EncFS filesystem!
|
2014-06-12 07:39:29 -07:00
|
|
|
|
2016-06-01 05:05:53 -07:00
|
|
|
Usage:
|
2014-06-12 07:39:29 -07:00
|
|
|
|
|
|
|
|
encfs --standard --extpass=./encfs_aes_getpass.py ~/.crypt ~/crypt
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
import os
|
|
|
|
|
import sys
|
2014-06-12 08:39:50 -07:00
|
|
|
import json
|
|
|
|
|
import hashlib
|
2014-06-12 07:39:29 -07:00
|
|
|
import binascii
|
|
|
|
|
|
2017-06-23 12:31:42 -07:00
|
|
|
from trezorlib.client import TrezorClient
|
2018-03-05 08:30:44 -08:00
|
|
|
from trezorlib.transport import enumerate_devices
|
2016-05-20 04:36:17 -07:00
|
|
|
|
2017-06-23 12:31:42 -07:00
|
|
|
|
2014-06-12 07:39:29 -07:00
|
|
|
def wait_for_devices():
|
2018-03-05 08:30:44 -08:00
|
|
|
devices = enumerate_devices()
|
2014-06-12 07:39:29 -07:00
|
|
|
while not len(devices):
|
2016-02-10 07:46:58 -08:00
|
|
|
sys.stderr.write("Please connect TREZOR to computer and press Enter...")
|
2016-05-20 04:36:17 -07:00
|
|
|
input()
|
2018-03-05 08:30:44 -08:00
|
|
|
devices = enumerate_devices()
|
2014-06-12 07:39:29 -07:00
|
|
|
|
|
|
|
|
return devices
|
|
|
|
|
|
2017-06-23 12:31:42 -07:00
|
|
|
|
2014-06-12 10:16:30 -07:00
|
|
|
def choose_device(devices):
|
2014-06-12 12:45:33 -07:00
|
|
|
if not len(devices):
|
2017-11-06 02:09:54 -08:00
|
|
|
raise RuntimeError("No TREZOR connected!")
|
2014-06-12 12:45:33 -07:00
|
|
|
|
|
|
|
|
if len(devices) == 1:
|
|
|
|
|
try:
|
2017-09-04 04:36:31 -07:00
|
|
|
return devices[0]
|
2014-06-12 12:45:33 -07:00
|
|
|
except IOError:
|
2017-11-06 02:09:54 -08:00
|
|
|
raise RuntimeError("Device is currently in use")
|
2014-06-12 12:45:33 -07:00
|
|
|
|
2014-06-12 07:39:29 -07:00
|
|
|
i = 0
|
|
|
|
|
sys.stderr.write("----------------------------\n")
|
|
|
|
|
sys.stderr.write("Available devices:\n")
|
|
|
|
|
for d in devices:
|
|
|
|
|
try:
|
2017-09-04 04:36:31 -07:00
|
|
|
client = TrezorClient(d)
|
2014-06-12 07:39:29 -07:00
|
|
|
except IOError:
|
|
|
|
|
sys.stderr.write("[-] <device is currently in use>\n")
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
if client.features.label:
|
|
|
|
|
sys.stderr.write("[%d] %s\n" % (i, client.features.label))
|
|
|
|
|
else:
|
|
|
|
|
sys.stderr.write("[%d] <no label>\n" % i)
|
2017-09-04 04:36:31 -07:00
|
|
|
client.close()
|
2014-06-12 07:39:29 -07:00
|
|
|
i += 1
|
|
|
|
|
|
|
|
|
|
sys.stderr.write("----------------------------\n")
|
2016-06-22 05:51:46 -07:00
|
|
|
sys.stderr.write("Please choose device to use:")
|
2014-06-12 07:39:29 -07:00
|
|
|
|
|
|
|
|
try:
|
2016-05-20 04:36:17 -07:00
|
|
|
device_id = int(input())
|
2017-09-04 04:36:31 -07:00
|
|
|
return devices[device_id]
|
2014-06-12 07:39:29 -07:00
|
|
|
except:
|
2017-11-06 02:09:54 -08:00
|
|
|
raise ValueError("Invalid choice, exiting...")
|
2014-06-12 07:39:29 -07:00
|
|
|
|
2017-06-23 12:31:42 -07:00
|
|
|
|
2014-06-12 07:39:29 -07:00
|
|
|
def main():
|
2016-06-01 05:05:53 -07:00
|
|
|
|
2017-06-23 12:31:42 -07:00
|
|
|
if 'encfs_root' not in os.environ:
|
2016-06-01 05:05:53 -07:00
|
|
|
sys.stderr.write('\nThis is not a standalone script and is not meant to be run independently.\n')
|
|
|
|
|
sys.stderr.write('\nUsage: encfs --standard --extpass=./encfs_aes_getpass.py ~/.crypt ~/crypt\n')
|
|
|
|
|
sys.exit(1)
|
|
|
|
|
|
2014-06-12 07:39:29 -07:00
|
|
|
devices = wait_for_devices()
|
2014-06-12 12:45:33 -07:00
|
|
|
transport = choose_device(devices)
|
2014-06-12 07:39:29 -07:00
|
|
|
client = TrezorClient(transport)
|
|
|
|
|
|
|
|
|
|
rootdir = os.environ['encfs_root'] # Read "man encfs" for more
|
|
|
|
|
passw_file = os.path.join(rootdir, 'password.dat')
|
|
|
|
|
|
2014-06-12 10:19:56 -07:00
|
|
|
if not os.path.exists(passw_file):
|
2014-06-12 07:39:29 -07:00
|
|
|
# New encfs drive, let's generate password
|
|
|
|
|
|
2016-07-02 11:44:44 -07:00
|
|
|
sys.stderr.write('Please provide label for new drive: ')
|
2016-05-20 04:36:17 -07:00
|
|
|
label = input()
|
2014-06-12 07:39:29 -07:00
|
|
|
|
2016-02-10 07:46:58 -08:00
|
|
|
sys.stderr.write('Computer asked TREZOR for new strong password.\n')
|
2014-06-12 12:45:33 -07:00
|
|
|
sys.stderr.write('Please confirm action on your device.\n')
|
2014-06-12 08:39:50 -07:00
|
|
|
|
|
|
|
|
# 32 bytes, good for AES
|
|
|
|
|
trezor_entropy = client.get_entropy(32)
|
|
|
|
|
urandom_entropy = os.urandom(32)
|
|
|
|
|
passw = hashlib.sha256(trezor_entropy + urandom_entropy).digest()
|
2014-06-12 07:39:29 -07:00
|
|
|
|
|
|
|
|
if len(passw) != 32:
|
2017-11-06 02:09:54 -08:00
|
|
|
raise ValueError("32 bytes password expected")
|
2014-06-12 07:39:29 -07:00
|
|
|
|
2014-06-12 08:39:50 -07:00
|
|
|
bip32_path = [10, 0]
|
2014-06-12 12:45:33 -07:00
|
|
|
passw_encrypted = client.encrypt_keyvalue(bip32_path, label, passw, False, True)
|
2014-06-12 07:39:29 -07:00
|
|
|
|
2014-06-12 12:45:33 -07:00
|
|
|
data = {'label': label,
|
|
|
|
|
'bip32_path': bip32_path,
|
|
|
|
|
'password_encrypted_hex': binascii.hexlify(passw_encrypted)}
|
2016-01-12 15:17:38 -08:00
|
|
|
|
2014-06-12 12:45:33 -07:00
|
|
|
json.dump(data, open(passw_file, 'wb'))
|
2014-06-12 07:39:29 -07:00
|
|
|
|
2014-06-12 10:19:56 -07:00
|
|
|
# Let's load password
|
2014-06-12 12:45:33 -07:00
|
|
|
data = json.load(open(passw_file, 'r'))
|
2014-06-12 10:19:56 -07:00
|
|
|
|
|
|
|
|
sys.stderr.write('Please confirm action on your device.\n')
|
2014-06-12 12:45:33 -07:00
|
|
|
passw = client.decrypt_keyvalue(data['bip32_path'],
|
2016-05-26 08:20:44 -07:00
|
|
|
data['label'],
|
|
|
|
|
binascii.unhexlify(data['password_encrypted_hex']),
|
|
|
|
|
False, True)
|
2014-06-12 10:19:56 -07:00
|
|
|
|
2016-05-20 04:36:17 -07:00
|
|
|
print(passw)
|
2014-06-12 07:39:29 -07:00
|
|
|
|
2017-06-23 12:31:42 -07:00
|
|
|
|
2014-06-12 07:39:29 -07:00
|
|
|
if __name__ == '__main__':
|
|
|
|
|
main()
|
