Merge pull request #490 from PR0M3TH3AN/codex/modify-decrypt_parent_seed-for-aes-gcm-and-fernet

Handle legacy Fernet parent seed files
2025-09-08 15:28:44 +00:00 · 2025-07-13 09:12:51 -04:00
parent a93f7c6628 0ba38c3dc2
commit e203ce0e1b
1 changed files with 29 additions and 13 deletions
--- a/src/password_manager/encryption.py
+++ b/src/password_manager/encryption.py
@@ -124,29 +124,45 @@ class EncryptionManager:
            raise

    def decrypt_parent_seed(self) -> str:
-        """
-        Decrypts and returns the parent seed from 'parent_seed.enc' within the fingerprint directory.
+        """Decrypt and return the stored parent seed."""

-        :return: The decrypted parent seed.
-        """
-        try:
        parent_seed_path = self.fingerprint_dir / "parent_seed.enc"
+        try:
            with exclusive_lock(parent_seed_path) as fh:
                fh.seek(0)
                encrypted_data = fh.read()

-            decrypted_data = self.decrypt_data(encrypted_data)
-            parent_seed = decrypted_data.decode("utf-8").strip()
-
+            try:
+                decrypted = self.decrypt_data(encrypted_data)
+                parent_seed = decrypted.decode("utf-8").strip()
                logger.debug(
                    f"Parent seed decrypted successfully from '{parent_seed_path}'."
                )
                return parent_seed
-        except InvalidTag:
+            except (InvalidTag, InvalidToken):
+                logger.info(
+                    "AES-GCM decryption failed for parent seed, attempting Fernet fallback"
+                )
+                try:
+                    decrypted = self.fernet.decrypt(encrypted_data)
+                except InvalidToken as e:
                    logger.error(
-                "Invalid encryption key or corrupted data while decrypting parent seed."
+                        f"Fernet decryption failed for '{parent_seed_path}': {e}",
+                        exc_info=True,
                    )
                    raise
+
+                parent_seed = decrypted.decode("utf-8").strip()
+
+            legacy_path = parent_seed_path.with_suffix(
+                parent_seed_path.suffix + ".fernet"
+            )
+            os.rename(parent_seed_path, legacy_path)
+            self.encrypt_parent_seed(parent_seed)
+            logger.debug(
+                f"Parent seed decrypted with Fernet and re-encrypted using AES-GCM at '{parent_seed_path}'."
+            )
+            return parent_seed
        except Exception as e:
            logger.error(f"Failed to decrypt parent seed: {e}", exc_info=True)
            print(colored(f"Error: Failed to decrypt parent seed: {e}", "red"))