mirror of
https://github.com/zadam/trilium.git
synced 2025-06-06 18:08:33 +02:00
password change (reencryption)
This commit is contained in:
parent
42c21afa62
commit
b83f090486
74
change-password.py
Normal file
74
change-password.py
Normal file
@ -0,0 +1,74 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
import src.config_provider
|
||||
import src.sql
|
||||
import base64
|
||||
import getpass
|
||||
from Crypto.Cipher import AES
|
||||
from Crypto.Util import Counter
|
||||
import binascii
|
||||
|
||||
import src.my_scrypt
|
||||
|
||||
currentPassword = getpass.getpass(prompt="Enter current password: ")
|
||||
|
||||
currentPasswordHash = binascii.hexlify(src.my_scrypt.getVerificationHash(currentPassword))
|
||||
|
||||
config = src.config_provider.getConfig()
|
||||
|
||||
if currentPasswordHash != config['Login']['passwordHash']:
|
||||
print("Given password doesn't match hash")
|
||||
exit(-1)
|
||||
|
||||
currentPasswordEncryptionKey = src.my_scrypt.getEncryptionHash(currentPassword)
|
||||
|
||||
newPassword1 = getpass.getpass(prompt="Enter new password: ")
|
||||
newPassword2 = getpass.getpass(prompt="Repeat the same password: ")
|
||||
|
||||
if newPassword1 != newPassword2:
|
||||
print('Entered passwords are not identical!')
|
||||
exit(-1)
|
||||
|
||||
newPasswordVerificationKey = binascii.hexlify(src.my_scrypt.getVerificationHash(newPassword1))
|
||||
newPasswordEncryptionKey = src.my_scrypt.getEncryptionHash(newPassword1)
|
||||
|
||||
src.sql.connect(config['Document']['documentPath'])
|
||||
|
||||
encryptedNotes = src.sql.getResults("select note_id, note_title, note_text from notes where encryption = 1")
|
||||
|
||||
def decrypt(encryptedBase64):
|
||||
encryptedBytes = base64.b64decode(encryptedBase64)
|
||||
|
||||
aes = getAes(currentPasswordEncryptionKey)
|
||||
return aes.decrypt(encryptedBytes)
|
||||
|
||||
def encrypt(plainText):
|
||||
aes = getAes(newPasswordEncryptionKey)
|
||||
encryptedBytes = aes.encrypt(plainText)
|
||||
|
||||
return base64.b64encode(encryptedBytes)
|
||||
|
||||
def getAes(key):
|
||||
return AES.new(key, AES.MODE_CTR, counter=Counter.new(128, initial_value=5))
|
||||
|
||||
for note in encryptedNotes:
|
||||
decryptedTitle = decrypt(note['note_title'])
|
||||
decryptedText = decrypt(note['note_text'])
|
||||
|
||||
reEncryptedTitle = encrypt(decryptedTitle)
|
||||
reEncryptedText = encrypt(decryptedText)
|
||||
|
||||
print (reEncryptedTitle)
|
||||
print (reEncryptedText)
|
||||
|
||||
src.sql.execute("update notes set note_title = ?, note_text = ? where note_id = ?",
|
||||
[reEncryptedTitle, reEncryptedText, note['note_id']])
|
||||
|
||||
print("Note " + note['note_id'] + " reencrypted with new password")
|
||||
|
||||
print("New password hash is: " + newPasswordVerificationKey)
|
||||
print("Set this value to passwordHash value in config.ini")
|
||||
|
||||
src.sql.commit()
|
||||
|
||||
print("Changes committed. All encrypted notes were re-encrypted successfully with new password key.")
|
@ -17,7 +17,7 @@ certKeyPath=cert.key
|
||||
# Enter below credentials with with which you want to authenticate to Notecase web app
|
||||
username=your_username
|
||||
# This is bcrypt password hash. You can use generate-password.py (in this directory) to hash your password
|
||||
password-hash=$2b$12$FHT8keXp3BGTfzAV/VnrkuLpkwN8Vpj5iIh4RwCbHTNWYSBI9hGAK
|
||||
passwordHash=$2b$12$FHT8keXp3BGTfzAV/VnrkuLpkwN8Vpj5iIh4RwCbHTNWYSBI9hGAK
|
||||
|
||||
[Sync]
|
||||
sync-server-url=https://localhost:57201
|
||||
|
@ -1,28 +1,15 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
import getpass
|
||||
|
||||
import scrypt # pip install scrypt
|
||||
import binascii
|
||||
import src.my_scrypt
|
||||
|
||||
password1 = getpass.getpass()
|
||||
|
||||
print('Repeat the same password:')
|
||||
|
||||
password2 = getpass.getpass()
|
||||
password2 = getpass.getpass(prompt='Repeat the same password:')
|
||||
|
||||
if password1 == password2:
|
||||
# salt is constant
|
||||
salt = "dc73b57736511340f132e4b5521d178afa6311c45e0c25e6a9339038507852a6"
|
||||
|
||||
hashed = scrypt.hash(password=password1,
|
||||
salt=salt,
|
||||
N=16384,
|
||||
r=8,
|
||||
p=1,
|
||||
buflen=32)
|
||||
hash = src.my_scrypt.getVerificationHash(password1)
|
||||
|
||||
print('Generated password hash:')
|
||||
print(binascii.hexlify(hashed))
|
||||
print(hash)
|
||||
else:
|
||||
print('Entered passwords are not identical!')
|
0
src/__init__.py
Normal file
0
src/__init__.py
Normal file
@ -2,7 +2,6 @@ import os
|
||||
|
||||
import binascii
|
||||
import scrypt
|
||||
import configparser
|
||||
from flask import Flask, request, send_from_directory
|
||||
from flask import render_template, redirect
|
||||
from flask_cors import CORS
|
||||
@ -13,9 +12,9 @@ from sql import connect
|
||||
from tree_api import tree_api
|
||||
from notes_move_api import notes_move_api
|
||||
from password_api import password_api
|
||||
import config_provider
|
||||
|
||||
config = configparser.ConfigParser()
|
||||
config.read('config.ini')
|
||||
config = config_provider.getConfig()
|
||||
|
||||
app = Flask(__name__)
|
||||
app.secret_key = config['Security']['flaskSecretKey']
|
||||
@ -54,7 +53,7 @@ documentPath = config['Document']['documentPath']
|
||||
|
||||
connect(documentPath)
|
||||
|
||||
hashedPassword = config['Login']['password-hash'].encode('utf-8')
|
||||
hashedPassword = config['Login']['passwordHash'].encode('utf-8')
|
||||
|
||||
|
||||
def verify_password(hex_hashed_password, guessed_password):
|
||||
|
7
src/config_provider.py
Normal file
7
src/config_provider.py
Normal file
@ -0,0 +1,7 @@
|
||||
import configparser
|
||||
|
||||
def getConfig():
|
||||
config = configparser.ConfigParser()
|
||||
config.read('config.ini')
|
||||
|
||||
return config
|
21
src/my_scrypt.py
Normal file
21
src/my_scrypt.py
Normal file
@ -0,0 +1,21 @@
|
||||
import scrypt # pip install scrypt
|
||||
|
||||
def getVerificationHash(password):
|
||||
salt = "dc73b57736511340f132e4b5521d178afa6311c45e0c25e6a9339038507852a6"
|
||||
|
||||
return getScryptHash(password, salt)
|
||||
|
||||
def getEncryptionHash(password):
|
||||
salt = "2503bfc386bc028772f803887eaaf4d4a5c1019036873e4ba5de79a4efb7e8d8"
|
||||
|
||||
return getScryptHash(password, salt)
|
||||
|
||||
def getScryptHash(password, salt):
|
||||
hashed = scrypt.hash(password=password,
|
||||
salt=salt,
|
||||
N=16384,
|
||||
r=8,
|
||||
p=1,
|
||||
buflen=32)
|
||||
|
||||
return hashed
|
@ -1,8 +1,8 @@
|
||||
from flask import Blueprint, jsonify, request
|
||||
from flask_login import login_required
|
||||
import hashlib
|
||||
import configparser
|
||||
import binascii
|
||||
import config_provider
|
||||
|
||||
password_api = Blueprint('password_api', __name__)
|
||||
|
||||
@ -11,16 +11,12 @@ password_api = Blueprint('password_api', __name__)
|
||||
def verifyPassword():
|
||||
req = request.get_json(force=True)
|
||||
|
||||
config = configparser.ConfigParser()
|
||||
config.read('config.ini')
|
||||
config = config_provider.getConfig()
|
||||
|
||||
hashedPassword = config['Login']['password-hash'].encode('utf-8')
|
||||
hashedPassword = config['Login']['passwordHash'].encode('utf-8')
|
||||
hashedPasswordBytes = binascii.unhexlify(hashedPassword)
|
||||
hashedPasswordSha = hashlib.sha256(hashedPasswordBytes).hexdigest()
|
||||
|
||||
print(req['password'])
|
||||
print(hashedPasswordSha)
|
||||
|
||||
isValid = req['password'] == hashedPasswordSha
|
||||
|
||||
return jsonify({
|
||||
|
@ -1,6 +1,8 @@
|
||||
import base64
|
||||
import sqlite3
|
||||
|
||||
conn = None
|
||||
|
||||
def dict_factory(cursor, row):
|
||||
d = {}
|
||||
for idx, col in enumerate(cursor.description):
|
||||
|
Loading…
x
Reference in New Issue
Block a user