@@ -303,54 +303,64 @@ def decrypt_keyfile_data(
303303 if coldkey_name is not None and password is None :
304304 password = get_coldkey_password_from_environment (coldkey_name )
305305
306- try :
307- password = (
308- getpass .getpass ("Enter password to unlock key: " )
309- if password is None
310- else password
311- )
312- with console .status (":key: Decrypting key..." ):
313- # NaCl SecretBox decrypt.
314- if keyfile_data_is_encrypted_nacl (keyfile_data ):
315- password = bytes (password , "utf-8" )
316- kdf = pwhash .argon2i .kdf
317- key = kdf (
318- secret .SecretBox .KEY_SIZE ,
319- password ,
320- NACL_SALT ,
321- opslimit = pwhash .argon2i .OPSLIMIT_SENSITIVE ,
322- memlimit = pwhash .argon2i .MEMLIMIT_SENSITIVE ,
323- )
324- box = secret .SecretBox (key )
325- decrypted_keyfile_data = box .decrypt (keyfile_data [len ("$NACL" ) :])
326- # Ansible decrypt.
327- elif keyfile_data_is_encrypted_ansible (keyfile_data ):
328- vault = Vault (password )
329- try :
306+ finished_password_input = False
307+ while not finished_password_input :
308+ try :
309+ password_input : str = (
310+ getpass .getpass ("Enter password to unlock key: " )
311+ if password is None
312+ else password
313+ )
314+ with console .status (":key: Decrypting key..." ):
315+ # NaCl SecretBox decrypt.
316+ if keyfile_data_is_encrypted_nacl (keyfile_data ):
317+ password = bytes (password_input , "utf-8" )
318+ kdf = pwhash .argon2i .kdf
319+ key = kdf (
320+ secret .SecretBox .KEY_SIZE ,
321+ password ,
322+ NACL_SALT ,
323+ opslimit = pwhash .argon2i .OPSLIMIT_SENSITIVE ,
324+ memlimit = pwhash .argon2i .MEMLIMIT_SENSITIVE ,
325+ )
326+ box = secret .SecretBox (key )
327+ decrypted_keyfile_data = box .decrypt (keyfile_data [len ("$NACL" ) :])
328+ finished_password_input = True
329+
330+ # Ansible decrypt.
331+ elif keyfile_data_is_encrypted_ansible (keyfile_data ):
332+ vault = Vault (password )
330333 decrypted_keyfile_data = vault .load (keyfile_data )
331- except AnsibleVaultError :
332- raise KeyFileError ("Invalid password" )
333- # Legacy decrypt.
334- elif keyfile_data_is_encrypted_legacy (keyfile_data ):
335- __SALT = (
336- b"Iguesscyborgslikemyselfhaveatendencytobeparanoidaboutourorigins"
337- )
338- kdf = PBKDF2HMAC (
339- algorithm = hashes .SHA256 (),
340- salt = __SALT ,
341- length = 32 ,
342- iterations = 10000000 ,
343- backend = default_backend (),
344- )
345- key = base64 .urlsafe_b64encode (kdf .derive (password .encode ()))
346- cipher_suite = Fernet (key )
347- decrypted_keyfile_data = cipher_suite .decrypt (keyfile_data )
348- # Unknown.
334+ finished_password_input = True
335+
336+ # Legacy decrypt.
337+ elif keyfile_data_is_encrypted_legacy (keyfile_data ):
338+ __SALT = b"Iguesscyborgslikemyselfhaveatendencytobeparanoidaboutourorigins"
339+ kdf = PBKDF2HMAC (
340+ algorithm = hashes .SHA256 (),
341+ salt = __SALT ,
342+ length = 32 ,
343+ iterations = 10000000 ,
344+ backend = default_backend (),
345+ )
346+ key = base64 .urlsafe_b64encode (kdf .derive (password .encode ()))
347+ cipher_suite = Fernet (key )
348+ decrypted_keyfile_data = cipher_suite .decrypt (keyfile_data )
349+ finished_password_input = True
350+ # Unknown.
351+ else :
352+ raise KeyFileError (f"keyfile data: { str (keyfile_data )} )
353+
354+ except (InvalidSignature , InvalidKey , InvalidToken , AnsibleVaultError ):
355+ console .print ("Wrong password, try again" )
356+ password = None
357+
358+ except Exception as e :
359+ if "Decryption failed. Ciphertext failed verification" in str (e ):
360+ console .print ("Wrong password, try again" )
361+ password = None
349362 else :
350- raise KeyFileError (f"keyfile data: { keyfile_data .decode ()} )
351-
352- except (InvalidSignature , InvalidKey , InvalidToken ):
353- raise KeyFileError ("Invalid password" )
363+ raise
354364
355365 if not isinstance (decrypted_keyfile_data , bytes ):
356366 decrypted_keyfile_data = json .dumps (decrypted_keyfile_data ).encode ()
0 commit comments