fix: Resolve service name transmission and vault case sensitivity issues

Fixed DecryptLabsRemoteCDM sending 'generic' instead of proper service names and added case-insensitive vault lookups for SQLite/MySQL vaults. Also added local vault integration to DecryptLabsRemoteCDM
2026-03-12 01:19:02 +00:00 · 2025-09-09 18:53:11 +00:00
parent 6137146705
commit 04b540b363
3 changed files with 129 additions and 70 deletions
--- a/unshackle/vaults/MySQL.py
+++ b/unshackle/vaults/MySQL.py
@@ -28,26 +28,33 @@ class MySQL(Vault):
            raise PermissionError(f"MySQL vault {self.slug} has no SELECT permission.")

    def get_key(self, kid: Union[UUID, str], service: str) -> Optional[str]:
-        if not self.has_table(service):
-            # no table, no key, simple
-            return None
-
        if isinstance(kid, UUID):
            kid = kid.hex

+        service_variants = [service]
+        if service != service.lower():
+            service_variants.append(service.lower())
+        if service != service.upper():
+            service_variants.append(service.upper())
+
        conn = self.conn_factory.get()
        cursor = conn.cursor()

        try:
-            cursor.execute(
-                # TODO: SQL injection risk
-                f"SELECT `id`, `key_` FROM `{service}` WHERE `kid`=%s AND `key_`!=%s",
-                (kid, "0" * 32),
-            )
-            cek = cursor.fetchone()
-            if not cek:
-                return None
-            return cek["key_"]
+            for service_name in service_variants:
+                if not self.has_table(service_name):
+                    continue
+
+                cursor.execute(
+                    # TODO: SQL injection risk
+                    f"SELECT `id`, `key_` FROM `{service_name}` WHERE `kid`=%s AND `key_`!=%s",
+                    (kid, "0" * 32),
+                )
+                cek = cursor.fetchone()
+                if cek:
+                    return cek["key_"]
+
+            return None
        finally:
            cursor.close()

--- a/unshackle/vaults/SQLite.py
+++ b/unshackle/vaults/SQLite.py
@@ -19,22 +19,30 @@ class SQLite(Vault):
        self.conn_factory = ConnectionFactory(self.path)

    def get_key(self, kid: Union[UUID, str], service: str) -> Optional[str]:
-        if not self.has_table(service):
-            # no table, no key, simple
-            return None
-
        if isinstance(kid, UUID):
            kid = kid.hex

        conn = self.conn_factory.get()
        cursor = conn.cursor()

+        # Try both the original service name and lowercase version to handle case sensitivity issues
+        service_variants = [service]
+        if service != service.lower():
+            service_variants.append(service.lower())
+        if service != service.upper():
+            service_variants.append(service.upper())
+
        try:
-            cursor.execute(f"SELECT `id`, `key_` FROM `{service}` WHERE `kid`=? AND `key_`!=?", (kid, "0" * 32))
-            cek = cursor.fetchone()
-            if not cek:
-                return None
-            return cek[1]
+            for service_name in service_variants:
+                if not self.has_table(service_name):
+                    continue
+                    
+                cursor.execute(f"SELECT `id`, `key_` FROM `{service_name}` WHERE `kid`=? AND `key_`!=?", (kid, "0" * 32))
+                cek = cursor.fetchone()
+                if cek:
+                    return cek[1]
+            
+            return None
        finally:
            cursor.close()