alpcentaur
/
basabuuka_prototyp
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
4.1 GiB
Tree: ec2e973427
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ec2e973427'
${ noResults }
basabuuka_prototyp/venv/lib/python3.5/site-packages/cryptography/fernet.py

173 lines
5.2 KiB
Raw Normal View History

initial commit
4 years ago
 
  1. # This file is dual licensed under the terms of the Apache License, Version
  2. # 2.0, and the BSD License. See the LICENSE file in the root of this repository
  3. # for complete details.
  4. 

  5. from __future__ import absolute_import, division, print_function
  6. 

  7. import base64
  8. import binascii
  9. import os
  10. import struct
  11. import time
  12. 

  13. import six
  14. 

  15. from cryptography.exceptions import InvalidSignature
  16. from cryptography.hazmat.backends import default_backend
  17. from cryptography.hazmat.primitives import hashes, padding
  18. from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
  19. from cryptography.hazmat.primitives.hmac import HMAC
  20. 

  21. 

  22. class InvalidToken(Exception):
  23.     pass
  24. 

  25. 

  26. _MAX_CLOCK_SKEW = 60
  27. 

  28. 

  29. class Fernet(object):
  30.     def __init__(self, key, backend=None):
  31.         if backend is None:
  32.             backend = default_backend()
  33. 

  34.         key = base64.urlsafe_b64decode(key)
  35.         if len(key) != 32:
  36.             raise ValueError(
  37.                 "Fernet key must be 32 url-safe base64-encoded bytes."
  38.             )
  39. 

  40.         self._signing_key = key[:16]
  41.         self._encryption_key = key[16:]
  42.         self._backend = backend
  43. 

  44.     @classmethod
  45.     def generate_key(cls):
  46.         return base64.urlsafe_b64encode(os.urandom(32))
  47. 

  48.     def encrypt(self, data):
  49.         current_time = int(time.time())
  50.         iv = os.urandom(16)
  51.         return self._encrypt_from_parts(data, current_time, iv)
  52. 

  53.     def _encrypt_from_parts(self, data, current_time, iv):
  54.         if not isinstance(data, bytes):
  55.             raise TypeError("data must be bytes.")
  56. 

  57.         padder = padding.PKCS7(algorithms.AES.block_size).padder()
  58.         padded_data = padder.update(data) + padder.finalize()
  59.         encryptor = Cipher(
  60.             algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend
  61.         ).encryptor()
  62.         ciphertext = encryptor.update(padded_data) + encryptor.finalize()
  63. 

  64.         basic_parts = (
  65.             b"\x80" + struct.pack(">Q", current_time) + iv + ciphertext
  66.         )
  67. 

  68.         h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
  69.         h.update(basic_parts)
  70.         hmac = h.finalize()
  71.         return base64.urlsafe_b64encode(basic_parts + hmac)
  72. 

  73.     def decrypt(self, token, ttl=None):
  74.         timestamp, data = Fernet._get_unverified_token_data(token)
  75.         return self._decrypt_data(data, timestamp, ttl)
  76. 

  77.     def extract_timestamp(self, token):
  78.         timestamp, data = Fernet._get_unverified_token_data(token)
  79.         # Verify the token was not tampered with.
  80.         self._verify_signature(data)
  81.         return timestamp
  82. 

  83.     @staticmethod
  84.     def _get_unverified_token_data(token):
  85.         if not isinstance(token, bytes):
  86.             raise TypeError("token must be bytes.")
  87. 

  88.         try:
  89.             data = base64.urlsafe_b64decode(token)
  90.         except (TypeError, binascii.Error):
  91.             raise InvalidToken
  92. 

  93.         if not data or six.indexbytes(data, 0) != 0x80:
  94.             raise InvalidToken
  95. 

  96.         try:
  97.             timestamp, = struct.unpack(">Q", data[1:9])
  98.         except struct.error:
  99.             raise InvalidToken
  100.         return timestamp, data
  101. 

  102.     def _verify_signature(self, data):
  103.         h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
  104.         h.update(data[:-32])
  105.         try:
  106.             h.verify(data[-32:])
  107.         except InvalidSignature:
  108.             raise InvalidToken
  109. 

  110.     def _decrypt_data(self, data, timestamp, ttl):
  111.         current_time = int(time.time())
  112.         if ttl is not None:
  113.             if timestamp + ttl < current_time:
  114.                 raise InvalidToken
  115. 

  116.             if current_time + _MAX_CLOCK_SKEW < timestamp:
  117.                 raise InvalidToken
  118. 

  119.         self._verify_signature(data)
  120. 

  121.         iv = data[9:25]
  122.         ciphertext = data[25:-32]
  123.         decryptor = Cipher(
  124.             algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend
  125.         ).decryptor()
  126.         plaintext_padded = decryptor.update(ciphertext)
  127.         try:
  128.             plaintext_padded += decryptor.finalize()
  129.         except ValueError:
  130.             raise InvalidToken
  131.         unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
  132. 

  133.         unpadded = unpadder.update(plaintext_padded)
  134.         try:
  135.             unpadded += unpadder.finalize()
  136.         except ValueError:
  137.             raise InvalidToken
  138.         return unpadded
  139. 

  140. 

  141. class MultiFernet(object):
  142.     def __init__(self, fernets):
  143.         fernets = list(fernets)
  144.         if not fernets:
  145.             raise ValueError(
  146.                 "MultiFernet requires at least one Fernet instance"
  147.             )
  148.         self._fernets = fernets
  149. 

  150.     def encrypt(self, msg):
  151.         return self._fernets[0].encrypt(msg)
  152. 

  153.     def rotate(self, msg):
  154.         timestamp, data = Fernet._get_unverified_token_data(msg)
  155.         for f in self._fernets:
  156.             try:
  157.                 p = f._decrypt_data(data, timestamp, None)
  158.                 break
  159.             except InvalidToken:
  160.                 pass
  161.         else:
  162.             raise InvalidToken
  163. 

  164.         iv = os.urandom(16)
  165.         return self._fernets[0]._encrypt_from_parts(p, timestamp, iv)
  166. 

  167.     def decrypt(self, msg, ttl=None):
  168.         for f in self._fernets:
  169.             try:
  170.                 return f.decrypt(msg, ttl)
  171.             except InvalidToken:
  172.                 pass
  173.         raise InvalidToken