Blame - cryptography/fernet.py - platform/external/python/cryptography

blob: c19309d55f2b3bca3a70ac3b69170b0648c9fa42 [file] [log] [blame]

Alex Gaynor	8912d3a	2013-11-02 14:04:19 -0700	[diff] [blame]	1	# Licensed under the Apache License, Version 2.0 (the "License");
				2	# you may not use this file except in compliance with the License.
				3	# You may obtain a copy of the License at
				4	#
				5	# http://www.apache.org/licenses/LICENSE-2.0
				6	#
				7	# Unless required by applicable law or agreed to in writing, software
				8	# distributed under the License is distributed on an "AS IS" BASIS,
				9	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
				10	# implied.
				11	# See the License for the specific language governing permissions and
				12	# limitations under the License.
				13
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	14	import base64
Alex Gaynor	69ab59e	2013-10-31 15:26:43 -0700	[diff] [blame]	15	import binascii
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	16	import os
				17	import struct
				18	import time
				19
Alex Gaynor	bbeba71	2013-10-30 14:29:58 -0700	[diff] [blame]	20	import six
				21
Alex Gaynor	b9bc6c3	2013-12-27 08:23:14 -0800	[diff] [blame]	22	from cryptography.exceptions import InvalidSignature
Alex Gaynor	f272c14	2013-12-15 22:18:49 -0800	[diff] [blame]	23	from cryptography.hazmat.backends import default_backend
Alex Gaynor	b9bc6c3	2013-12-27 08:23:14 -0800	[diff] [blame]	24	from cryptography.hazmat.primitives import padding, hashes
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	25	from cryptography.hazmat.primitives.hmac import HMAC
Alex Gaynor	dcc3f66	2013-11-07 14:28:16 -0800	[diff] [blame]	26	from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	27
				28
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	29	class InvalidToken(Exception):
				30	pass
				31
				32
Alex Gaynor	3417656	2013-11-23 07:47:23 -0800	[diff] [blame]	33	_MAX_CLOCK_SKEW = 60
				34
Alex Gaynor	2c58bbe	2013-10-31 16:31:38 -0700	[diff] [blame]	35
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	36	class Fernet(object):
Alex Gaynor	fae2071	2013-12-16 15:29:30 -0800	[diff] [blame]	37	def __init__(self, key, backend=None):
				38	if backend is None:
				39	backend = default_backend()
				40
Alex Gaynor	898fe0f	2013-11-20 16:38:32 -0800	[diff] [blame]	41	key = base64.urlsafe_b64decode(key)
Alex Gaynor	a8f0b63	2013-12-16 15:44:06 -0800	[diff] [blame]	42	if len(key) != 32:
				43	raise ValueError(
				44	"Fernet key must be 32 url-safe base64-encoded bytes"
				45	)
Alex Gaynor	fae2071	2013-12-16 15:29:30 -0800	[diff] [blame]	46
				47	self._signing_key = key[:16]
				48	self._encryption_key = key[16:]
				49	self._backend = backend
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	50
Alex Gaynor	36597b4	2013-11-22 10:25:13 -0800	[diff] [blame]	51	@classmethod
				52	def generate_key(cls):
				53	return base64.urlsafe_b64encode(os.urandom(32))
				54
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	55	def encrypt(self, data):
				56	current_time = int(time.time())
				57	iv = os.urandom(16)
				58	return self._encrypt_from_parts(data, current_time, iv)
				59
				60	def _encrypt_from_parts(self, data, current_time, iv):
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	61	if isinstance(data, six.text_type):
Alex Gaynor	c1ea0a0	2013-10-31 15:03:53 -0700	[diff] [blame]	62	raise TypeError(
				63	"Unicode-objects must be encoded before encryption"
				64	)
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	65
Alex Gaynor	dcc3f66	2013-11-07 14:28:16 -0800	[diff] [blame]	66	padder = padding.PKCS7(algorithms.AES.block_size).padder()
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	67	padded_data = padder.update(data) + padder.finalize()
Alex Gaynor	dcc3f66	2013-11-07 14:28:16 -0800	[diff] [blame]	68	encryptor = Cipher(
Alex Gaynor	fae2071	2013-12-16 15:29:30 -0800	[diff] [blame]	69	algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend
Alex Gaynor	de36e90	2013-10-31 10:10:44 -0700	[diff] [blame]	70	).encryptor()
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	71	ciphertext = encryptor.update(padded_data) + encryptor.finalize()
				72
Alex Gaynor	1d2901c	2013-11-22 10:12:05 -0800	[diff] [blame]	73	basic_parts = (
				74	b"\x80" + struct.pack(">Q", current_time) + iv + ciphertext
Alex Gaynor	02fad00	2013-10-30 14:16:13 -0700	[diff] [blame]	75	)
Alex Gaynor	bbeba71	2013-10-30 14:29:58 -0700	[diff] [blame]	76
Alex Gaynor	fae2071	2013-12-16 15:29:30 -0800	[diff] [blame]	77	h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
Alex Gaynor	1d2901c	2013-11-22 10:12:05 -0800	[diff] [blame]	78	h.update(basic_parts)
				79	hmac = h.finalize()
				80	return base64.urlsafe_b64encode(basic_parts + hmac)
				81
Alex Gaynor	0d08963	2013-12-17 20:23:43 -0800	[diff] [blame]	82	def decrypt(self, token, ttl=None):
				83	if isinstance(token, six.text_type):
Alex Gaynor	c1ea0a0	2013-10-31 15:03:53 -0700	[diff] [blame]	84	raise TypeError(
				85	"Unicode-objects must be encoded before decryption"
				86	)
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	87
Alex Gaynor	1d2901c	2013-11-22 10:12:05 -0800	[diff] [blame]	88	current_time = int(time.time())
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	89
				90	try:
Alex Gaynor	0d08963	2013-12-17 20:23:43 -0800	[diff] [blame]	91	data = base64.urlsafe_b64decode(token)
Alex Gaynor	69ab59e	2013-10-31 15:26:43 -0700	[diff] [blame]	92	except (TypeError, binascii.Error):
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	93	raise InvalidToken
				94
Alex Gaynor	a8f0b63	2013-12-16 15:44:06 -0800	[diff] [blame]	95	if six.indexbytes(data, 0) != 0x80:
				96	raise InvalidToken
				97
Alex Gaynor	e78960f	2013-12-20 11:02:33 -0800	[diff] [blame]	98	try:
				99	timestamp, = struct.unpack(">Q", data[1:9])
				100	except struct.error:
				101	raise InvalidToken
Alex Gaynor	bbeba71	2013-10-30 14:29:58 -0700	[diff] [blame]	102	if ttl is not None:
Alex Gaynor	c3f7c37	2013-12-14 08:58:35 -0800	[diff] [blame]	103	if timestamp + ttl < current_time:
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	104	raise InvalidToken
Alex Gaynor	badee1b	2013-12-14 08:43:51 -0800	[diff] [blame]	105	if current_time + _MAX_CLOCK_SKEW < timestamp:
Alex Gaynor	3417656	2013-11-23 07:47:23 -0800	[diff] [blame]	106	raise InvalidToken
Alex Gaynor	fae2071	2013-12-16 15:29:30 -0800	[diff] [blame]	107	h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend)
Alex Gaynor	bbeba71	2013-10-30 14:29:58 -0700	[diff] [blame]	108	h.update(data[:-32])
Alex Gaynor	b9bc6c3	2013-12-27 08:23:14 -0800	[diff] [blame]	109	try:
				110	h.verify(data[-32:])
				111	except InvalidSignature:
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	112	raise InvalidToken
				113
Alex Gaynor	d66f372	2013-12-20 11:05:13 -0800	[diff] [blame]	114	iv = data[9:25]
				115	ciphertext = data[25:-32]
Alex Gaynor	dcc3f66	2013-11-07 14:28:16 -0800	[diff] [blame]	116	decryptor = Cipher(
Alex Gaynor	fae2071	2013-12-16 15:29:30 -0800	[diff] [blame]	117	algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend
Alex Gaynor	de36e90	2013-10-31 10:10:44 -0700	[diff] [blame]	118	).decryptor()
Alex Gaynor	09bff86	2013-11-22 17:27:08 -0800	[diff] [blame]	119	plaintext_padded = decryptor.update(ciphertext)
				120	try:
				121	plaintext_padded += decryptor.finalize()
				122	except ValueError:
				123	raise InvalidToken
Alex Gaynor	dcc3f66	2013-11-07 14:28:16 -0800	[diff] [blame]	124	unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
Alex Gaynor	38f3455	2013-10-31 14:50:00 -0700	[diff] [blame]	125
				126	unpadded = unpadder.update(plaintext_padded)
				127	try:
				128	unpadded += unpadder.finalize()
				129	except ValueError:
				130	raise InvalidToken
				131	return unpadded