Encrypt/Decrypt Juniper $9 secrets. (#195)

Adding the ability to encrypt/decrypt type 9 Juniper secrets. This resolves at least part of #16

Include verifiable permission and license to use the code.

Author: ankenyr

LICENSE.email

@@ -117,7 +117,7 @@ def anonymize_io(self, in_io, out_io):
             output_line = line
             if self.compiled_regexes is not None and self.pwd_lookup is not None:
                 output_line = replace_matching_item(
-                    self.compiled_regexes, output_line, self.pwd_lookup
+                    self.compiled_regexes, output_line, self.pwd_lookup, self.salt
                 )
 
             if self.anonymizer6 is not None:

netconan/anonymize_files.py

@@ -25,6 +25,8 @@
 # Using passlib for digests not supported by hashlib
 from passlib.hash import cisco_type7, md5_crypt, sha512_crypt
 
+from netconan.utils import juniper_secrets
+
 from .default_pwd_regexes import default_com_line_regexes, default_pwd_line_regexes
 from .default_reserved_words import default_reserved_words
 
@@ -232,7 +234,7 @@ def anonymize_as_numbers(anonymizer, line):
     return as_number_regex.sub(lambda match: anonymizer.anonymize(match.group(0)), line)
 
 
-def _anonymize_value(raw_val, lookup, reserved_words):
+def _anonymize_value(raw_val, lookup, reserved_words, salt):
     """Generate an anonymized replacement for the input value.
 
     This function tries to determine what type of value was passed in and
@@ -248,12 +250,20 @@ def _anonymize_value(raw_val, lookup, reserved_words):
     if not val:
         logging.debug("Nothing to anonymize after removing special characters")
         return raw_val
-
+    decrypted = None
+    if val.startswith(juniper_secrets.MAGIC):
+        try:
+            decrypted = juniper_secrets.juniper_decrypt(val)
+        except ValueError:
+            pass
     if val in lookup:
         anon_val = lookup[val]
         logging.debug('Anonymized input "%s" to "%s" (via lookup)', val, anon_val)
         return sens_head + anon_val + sens_tail
-
+    elif decrypted in lookup:
+        anon_val = juniper_secrets.juniper_nonrandom_encrypt(lookup[decrypted], salt)
+        logging.debug('Anonymized input "%s" to "%s" (via lookup)', val, anon_val)
+        return sens_head + anon_val + sens_tail
     anon_val = "netconanRemoved{}".format(len(lookup))
     item_format = _check_sensitive_item_format(val)
     if item_format == _sensitive_item_formats.cisco_type7:
@@ -280,12 +290,11 @@ def _anonymize_value(raw_val, lookup, reserved_words):
         anon_val = sha512_crypt.using(rounds=5000).hash(anon_val)
 
     if item_format == _sensitive_item_formats.juniper_type9:
-        # TODO(https://github.com/intentionet/netconan/issues/16)
-        # Encode base anon_val instead of just returning a constant here
-        # This value corresponds to encoding: Conan812183
-        anon_val = "$9$0000IRc-dsJGirewg4JDj9At0RhSreK8Xhc"
-
-    lookup[val] = anon_val
+        anon_val = juniper_secrets.juniper_nonrandom_encrypt(anon_val, salt)
+    if decrypted:
+        lookup[decrypted] = juniper_secrets.juniper_decrypt(anon_val)
+    else:
+        lookup[val] = anon_val
     logging.debug('Anonymized input "%s" to "%s"', val, anon_val)
     return sens_head + anon_val + sens_tail
 
@@ -343,7 +352,11 @@ def generate_default_sensitive_item_regexes():
 
 
 def replace_matching_item(
-    compiled_regexes, input_line, pwd_lookup, reserved_words=default_reserved_words
+    compiled_regexes,
+    input_line,
+    pwd_lookup,
+    salt,
+    reserved_words=default_reserved_words,
 ):
     """If line matches a regex, anonymize or remove the line."""
     # Collapse whitespace to simplify regexes, also preserve leading and trailing whitespace
@@ -383,7 +396,7 @@ def replace_matching_item(
             # re.sub replaces the entire matching string, which includes prefix
             # Therefore, anon_val should have prefix prepended if applicable
             anon_val = prefix + _anonymize_value(
-                match.group(sensitive_item_num), pwd_lookup, reserved_words
+                match.group(sensitive_item_num), pwd_lookup, reserved_words, salt
             )
             output_line = compiled_re.sub(anon_val, output_line)
 

netconan/sensitive_item_removal.py

@@ -0,0 +1 @@
+"""Utilities for netconan."""

netconan/utils/__init__.py

@@ -0,0 +1,152 @@
+"""Encrypts and decryptes Juniper Type 9 hashes.
+
+This module is a derivative work based on the perl module Crypt-Juniper by Kevin Brintnall.
+https://metacpan.org/dist/Crypt-Juniper/view/lib/Crypt/Juniper.pm
+Used under the Artistic License https://dev.perl.org/licenses/artistic.html
+
+This work was modified from the original in the following ways:
+2025-01-21: Rob Ankeny(ankeny at gmail.com): Translated from perl to python.
+2025-01-23: Rob Ankeny(ankeny at gmail.com): Updated methods to have non-random outputs
+    for the benefit of deterministic outputs. Updated docstrings and method names to
+    better reflect these changes.
+"""
+
+import re
+from typing import List, Tuple
+
+MAGIC = "$9$"
+
+FAMILY = [
+    "QzF3n6/9CAtpu0O",
+    "B1IREhcSyrleKvMW8LXx",
+    "7N-dVbwsY2g4oaJZGUDj",
+    "iHkq.mPf5T",
+]
+
+EXTRA = {c: (3 - fam) for fam, chars in enumerate(FAMILY) for c in chars}
+
+NUM_ALPHA = list("".join(FAMILY))
+ALPHA_NUM = {char: idx for idx, char in enumerate(NUM_ALPHA)}
+
+
+ENCODING = [
+    [1, 4, 32],
+    [1, 16, 32],
+    [1, 8, 32],
+    [1, 64],
+    [1, 32],
+    [1, 4, 16, 128],
+    [1, 32, 64],
+]
+
+VALID = rf"^{re.escape(MAGIC)}[{re.escape(''.join(NUM_ALPHA))}]{{4,}}$"
+
+
+def juniper_decrypt(crypt: str) -> str:
+    """Decrypts a Juniper $9 encrypted secret.
+
+    Args:
+      crypt: String containing the secret to decrypt.
+
+    Returns:
+      String representing the decrypted secret.
+    """
+    if not crypt or not re.search(VALID, crypt):
+        raise ValueError("Invalid Juniper crypt string!")
+
+    chars = crypt[len(MAGIC) :]
+    first, chars = _nibble(chars, 1)
+    _, chars = _nibble(chars, EXTRA[first])
+
+    prev = first
+    decrypt = ""
+
+    while chars:
+        decode = ENCODING[len(decrypt) % len(ENCODING)]
+        nibble_len = len(decode)
+        nibble, chars = _nibble(chars, nibble_len)
+        gaps = []
+        for i, _ in enumerate(nibble):
+            gaps.append(_gap(prev, nibble[i]))
+            prev = nibble[i]
+        decrypt += _gap_decode(gaps, decode)
+    return decrypt
+
+
+def _nibble(chars: str, length: int) -> Tuple[str, str]:
+    nib = chars[:length]
+    chars = chars[length:]
+    return nib, chars
+
+
+def _gap(c1: str, c2: str) -> int:
+    diff = ALPHA_NUM[c2] - ALPHA_NUM[c1]
+    pos_diff = diff + len(NUM_ALPHA)
+    return pos_diff % len(NUM_ALPHA) - 1
+
+
+def _gap_decode(gaps: List[int], dec: List[int]) -> chr:
+    if len(gaps) != len(dec):
+        raise ValueError("Nibble and decode size not the same!")
+    num = sum(g * d for g, d in zip(gaps, dec))
+    return chr(num % 256)
+
+
+def juniper_nonrandom_encrypt(plain: str, salt: str = None) -> str:
+    """Encrypts a Juniper $9 encrypted secret.
+
+    Juniper encryption takes in a salt which should be a single character.
+    If not present it generates a random single alpha-numeric character.
+    It then uses this salt to get a random number between 0 and 3 from
+    the EXTRA dictionary. This number is then used to generate 0-3 random
+    characters from the family of characters.
+    Because netconan isn't actually creating true passwords that are to be used
+    in the wild and is about sharing, it is safe to ignore the randomness
+    in favor of generating predictable outputs.
+
+    Args:
+      plain: String containing the plaintext secret to be encrypted.
+      salt: Optional salt to be used when encrypting the secret.
+
+    Returns:
+      String representing the encrypted secret.
+    """
+    if salt is None:
+        salt = _fixedc(1)
+    salt = salt[0]
+    rand = _fixedc(EXTRA[salt])
+
+    pos = 0
+    prev = salt
+    crypt = f"{MAGIC}{salt}{rand}"
+    for p in plain:
+        encode = ENCODING[pos % len(ENCODING)]
+        crypt += _gap_encode(p, prev, encode)
+        prev = crypt[-1]
+        pos += 1
+    return crypt
+
+
+def _fixedc(count: int) -> str:
+    if count == 3:
+        return "net"
+    elif count == 2:
+        return "ne"
+    elif count == 1:
+        return "n"
+    else:
+        return ""
+
+
+def _gap_encode(pc: str, prev: str, enc: List[int]) -> str:
+    ord_val = ord(pc)
+    crypt = ""
+    gaps = []
+    for mod in reversed(enc):
+        gaps.insert(0, ord_val // mod)
+        ord_val %= mod
+    for gap in gaps:
+        gap += ALPHA_NUM[prev] + 1
+        prev = NUM_ALPHA[gap % len(NUM_ALPHA)]
+        crypt += prev
+    return crypt

netconan/utils/juniper_secrets.py

@@ -73,7 +73,7 @@
     python_requires=">=3.9",
     # What does your project relate to?
     keywords="network configuration anonymizer",
-    packages=["netconan"],
+    packages=["netconan", "netconan.utils"],
     # Alternatively, if you want to distribute just a my_module.py, uncomment
     # this:
     #   py_modules=["my_module"],

setup.py

@@ -33,6 +33,9 @@
 ip address 11.11.11.11 0.0.0.0
 ip address 11.11.197.79 0.0.0.0
 # Sensitive word Addr here
+pre-shared-key ascii-text "123"; ## SECRET-DATA
+pre-shared-key ascii-text "$9$eZkvX7dbs4JG"; ## SECRET-DATA
+pre-shared-key ascii-text "$9$qmQF69A01R"; ## SECRET-DATA
 
 """
 
@@ -48,6 +51,9 @@
 ip address 11.11.11.11 0.0.0.0
 ip address 11.11.197.79 0.0.0.0
 # 3b836f word 10b348 here
+pre-shared-key ascii-text "146741862156641154150793826712647197746"; ## SECRET-DATA
+pre-shared-key ascii-text "$9$Tz/C0BIrKMhcs24oGUuOBRreM8X7dbMWDiqmTQcyre8X7-VgaZdVk.P5F3hSyKX7goJDHqZG69tu1IwY24GDHqmF69mPhSrlMWHq.5n/O1RyevRE"; ## SECRET-DATA
+pre-shared-key ascii-text "$9$Tz/C0BIrKMhcs24oGUuOBRreM8X7dbMWDiqmTQcyre8X7-VgaZdVk.P5F3hSyKX7goJDHqZG69tu1IwY24GDHqmF69mPhSrlMWHq.5n/O1RyevRE"; ## SECRET-DATA
 
 """
 
@@ -63,6 +69,9 @@
 ip address 11.11.11.11 0.0.0.0
 ip address 11.11.197.79 0.0.0.0
 # 3b836f word 10b348 here
+pre-shared-key ascii-text "146741862156641154150793826712647197746"; ## SECRET-DATA
+pre-shared-key ascii-text "$9$Tz/C0BIrKMhcs24oGUuOBRreM8X7dbMWDiqmTQcyre8X7-VgaZdVk.P5F3hSyKX7goJDHqZG69tu1IwY24GDHqmF69mPhSrlMWHq.5n/O1RyevRE"; ## SECRET-DATA
+pre-shared-key ascii-text "$9$Tz/C0BIrKMhcs24oGUuOBRreM8X7dbMWDiqmTQcyre8X7-VgaZdVk.P5F3hSyKX7goJDHqZG69tu1IwY24GDHqmF69mPhSrlMWHq.5n/O1RyevRE"; ## SECRET-DATA
 
 """
 
@@ -76,7 +85,6 @@ def run_test(input_dir, output_dir, filename, ref, args):
     t_ref = ref.split("\n")
     with open(str(output_dir.join(filename))) as f_out:
         t_out = f_out.read().split("\n")
-
     # Make sure output file lines match ref lines
     assert t_ref == t_out
 

tests/end_to_end/test_end_to_end.py

@@ -0,0 +1,60 @@
+"""Tests Juniper secret encryption/decryption methods."""
+
+import pytest
+
+from netconan.utils import juniper_secrets
+
+
+@pytest.mark.parametrize(
+    "plain_text, expected",
+    [
+        ("abc", "$9$nnet/9pOBEyrv"),
+        ("123", "$9$nnet/p01RhrKM"),
+        ("netconan", "$9$nnet9pBcSe8xdApK8xdg4aZUi.5"),
+        (
+            "QjEf.WloKY4IBVGik9xeIO9xWN5F7S13",
+            "$9$nnet/pOleWN-bO18X-Vg4.P5F/tSyevL7yrx-bw4o6/CuOIKvLNds7NPQFnpuSylMXN4aZGi.Rh7dbs4ojikPFnCt0BRh9C",
+        ),
+    ],
+)
+def test_juniper_encrypt(plain_text, expected):
+    """Test encryption of secrets."""
+    assert juniper_secrets.juniper_nonrandom_encrypt(plain_text) == expected
+
+
+@pytest.mark.parametrize(
+    "encrypted, expected",
+    [
+        (
+            "$9$Ly.x7VYgJH.5SraGiH5TFn/CO1cylW8xs23/Ap1Ibs24aGf5F/A0EcNVs4Dj5QF6/AlKWdsg-VQ3n/tp-Vbs4JTQnCp0Lx",
+            "asvWWcb54DGWFvEjsENnhB__xY49Mn3R",
+        ),
+        ("$9$CSxptpBREyKvL", "abc"),
+        ("$9$-pV24JGDkmf", "123"),
+        ("$9$sSgJD.mTn9poJQn9pREcylvLN", "netconan"),
+        (
+            "$9$hzrSKWws4UDHWLoJDiPftuORSedVs2aGVbZDHkf5cSrvWXY2aUjqGUu1RhKvdVwgJUfTzF/txNGjHqf56/CuRhreM8xNyr",
+            "QjEf.WloKY4IBVGik9xeIO9xWN5F7S13",
+        ),
+    ],
+)
+def test_juniper_decrypt(encrypted, expected):
+    """Test decryption of secrets."""
+    assert juniper_secrets.juniper_decrypt(encrypted) == expected
+
+
+@pytest.mark.parametrize("encrypted", [("abcd"), ("$9$aaGi.Qz6t0IDi/t0IrlKM8x,s")])
+def test_invalid_juniper_decrypt(encrypted):
+    """Test raising errors when decrypting invalid secrets."""
+    with pytest.raises(ValueError):
+        juniper_secrets.juniper_decrypt(encrypted)
+
+
+def test_encryption_decryption():
+    """Test a large set of inputs to detect any possible encrypting/decrypting issues."""
+    for i in range(0, 1000):
+        plaintext = str(i)
+        decrypted = juniper_secrets.juniper_decrypt(
+            juniper_secrets.juniper_nonrandom_encrypt(plaintext, "t")
+        )
+        assert decrypted == plaintext