How does Ansible Vault detect wrong password?
What mechanism does Ansible Vault use to detect wrong vault passwords? In other words, if a user inputs a wrong vault password, Ansible shows the error message below. How?
Decryption failed (no vault secrets were found that could decrypt)
Is there any section in the Vault payload that Ansible uses to detect wrong passwords?
The code for ansible-vault with the relevant section can be found here: https://github.com/ansible/ansible/blob/devel/lib/ansible/parsing/vault/__init__.py#L736
Summarised, it uses the specified password and vault ID to decrypt the file. So it will look for the vault ID in the vault file and will then try to decrypt the password. The crypto part will only return a byte string when the decryption was successful and the expected format (PKCS7) is returned:
    # split the hex payload into ciphertext, salt and the stored HMAC
    b_ciphertext, b_salt, b_crypted_hmac = parse_vaulttext(b_vaulttext)
    b_password = secret.bytes
    # PBKDF2 from password and salt: AES key, HMAC key and CTR IV
    b_key1, b_key2, b_iv = cls._gen_key_initctr(b_password, b_salt)
As you correctly pointed out, the first thing the _decrypt_cryptography function does is to check if the HMAC is correct, using one of the keys derived from the password above:

    # verify the HMAC over the ciphertext with the second derived key
    hmac = HMAC(b_key2, hashes.SHA256(), CRYPTOGRAPHY_BACKEND)
    hmac.update(b_ciphertext)
    try:
        hmac.verify(_unhexlify(b_crypted_hmac))
    except InvalidSignature as e:
        raise AnsibleVaultError('HMAC verification failed: %s' % e)

    # only after the HMAC matches: AES-256-CTR decrypt and strip PKCS7 padding
    cipher = C_Cipher(algorithms.AES(b_key1), modes.CTR(b_iv), CRYPTOGRAPHY_BACKEND)
    decryptor = cipher.decryptor()
    unpadder = padding.PKCS7(128).unpadder()
    b_plaintext = unpadder.update(
        decryptor.update(b_ciphertext) + decryptor.finalize()
    ) + unpadder.finalize()
b_plaintext is then returned. So when you use the wrong password, the crypto function will return non-PKCS7 data and this then leads to the message above.
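To make the detection step concrete, here is an added, standard-library-only example (not part of the answer above and not Ansible's own code) that mirrors the parse, PBKDF2 key derivation and HMAC check from the quoted excerpt and stops there, since the HMAC comparison is reached before any AES decryption. The function names, the fixed salt and the placeholder ciphertext bytes are constructed for the demo.

```python
import hashlib
import hmac
from binascii import hexlify, unhexlify

HEADER = b"$ANSIBLE_VAULT;1.1;AES256"
ITERATIONS = 10000  # PBKDF2 iteration count used by Ansible's VaultAES256

def derive_keys(password: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> 80 bytes: AES key (32), HMAC key (32), CTR IV (16)."""
    derived = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=80)
    return derived[:32], derived[32:64], derived[64:80]

def format_vaulttext(salt: bytes, ciphertext: bytes, hmac_key: bytes) -> bytes:
    """Build the vault body: hex(hex(salt) NL hex(hmac) NL hex(ciphertext)) in 80-char lines."""
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    body = hexlify(b"\n".join([hexlify(salt), mac, hexlify(ciphertext)]))
    lines = [body[i:i + 80] for i in range(0, len(body), 80)]
    return b"\n".join([HEADER] + lines) + b"\n"

def parse_vaulttext(vaulttext: bytes):
    """Strip the header, undo the outer hex layer and split into salt, hmac, ciphertext."""
    header, _, body = vaulttext.strip().partition(b"\n")
    if not header.startswith(b"$ANSIBLE_VAULT;"):
        raise ValueError("not an Ansible Vault payload")
    b_salt, b_hmac, b_ciphertext = unhexlify(body.replace(b"\n", b"")).split(b"\n", 2)
    return unhexlify(b_salt), b_hmac, unhexlify(b_ciphertext)

def password_is_correct(vaulttext: bytes, password: bytes) -> bool:
    """Mirror the HMAC check that makes Ansible reject a wrong password."""
    salt, stored_hmac, ciphertext = parse_vaulttext(vaulttext)
    _aes_key, hmac_key, _iv = derive_keys(password, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, stored_hmac)  # constant-time comparison

# Constructed sample: fixed salt and placeholder ciphertext bytes (not real AES output;
# the HMAC check only needs the bytes, so this is enough to show the mechanism).
SAMPLE_SALT = bytes(range(32))
SAMPLE_CIPHERTEXT = b"constructed-ciphertext-bytes-for-demo"
SAMPLE_PASSWORD = b"correct-vault-password"
SAMPLE_VAULTTEXT = format_vaulttext(
    SAMPLE_SALT, SAMPLE_CIPHERTEXT, derive_keys(SAMPLE_PASSWORD, SAMPLE_SALT)[1]
)

if __name__ == "__main__":
    print(SAMPLE_VAULTTEXT.decode())
    print("right password:", password_is_correct(SAMPLE_VAULTTEXT, SAMPLE_PASSWORD))
    print("wrong password:", password_is_correct(SAMPLE_VAULTTEXT, b"wrong"))
```

A wrong password derives a different HMAC key, so the stored MAC never matches and the check fails without touching the ciphertext.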