def pyca_tests():
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
Cipher(
algorithms.TripleDES(key),
modes.CBC(iv)) # Noncompliant {{Use secure mode and padding scheme.}}
# ^^^^^^^^^^^^^
Cipher(algorithms.Blowfish(key), modes.GCM(iv)) # Compliant
Cipher() # Compliant
args = []
Cipher(algorithms.Blowfish(key), *args) # Compliant
Cipher(algorithms.Blowfish(key), modes.ECB()) # Noncompliant
Cipher(algorithms.AES(key), modes.CBC(iv)) # Noncompliant
Cipher(mode=modes.CBC(iv), algorithm=algorithms.AES(key)) # Noncompliant
Cipher(algorithms.AES(key), modes.OFB(iv)) # Compliant
Cipher(algorithms.AES(key), modes.ECB()) # Noncompliant
private_key = rsa.generate_private_key()
public_key = private_key.public_key()
ciphertext = public_key.encrypt(message, padding.OAEP())
private_key.decrypt(ciphertext, padding.OAEP()) # Compliant
public_key.encrypt(message, padding.PKCS1v15()) # Noncompliant
# ^^^^^^^^^^^^^^^^^^
public_key.encrypt(padding=padding.PKCS1v15(),
plaintext=message) # Noncompliant
private_key.decrypt(ciphertext, padding.PKCS1v15()) # Noncompliant
private_key.decrypt(padding=padding.PKCS1v15(),
ciphertext=ciphertext) # Noncompliant
print(padding.PKCS1v15()) # OK
def decryptChunk(chunk, bfKey):
''' Decrypt a given encrypted chunk with a blowfish key. '''
cipher = Cipher(algorithms.Blowfish(bfKey),
modes.CBC(bytes([i for i in range(8)])), default_backend())
decryptor = cipher.decryptor()
decChunk = decryptor.update(chunk) + decryptor.finalize()
return decChunk
def __init__(self,
cipher_mode=None,
initialization_vector=None,
key=None,
**kwargs):
"""Initializes a decrypter.
Args:
cipher_mode (Optional[str]): cipher mode.
initialization_vector (Optional[bytes]): initialization vector.
key (Optional[bytes]): key.
kwargs (dict): keyword arguments depending on the decrypter.
Raises:
ValueError: when key is not set or the cipher mode is not supported.
"""
if not key:
raise ValueError('Missing key.')
if cipher_mode not in self._ENCRYPTION_MODES:
raise ValueError(
'Unsupported cipher mode: {0!s}'.format(cipher_mode))
algorithm = algorithms.Blowfish(key)
super(BlowfishDecrypter,
self).__init__(algorithm=algorithm,
cipher_mode=cipher_mode,
initialization_vector=initialization_vector,
**kwargs)
def cryptography_blowfish(keysize=32, data_size=1024, mode_str=""):
plaintext = get_random_bytes(data_size * 1024)
key = get_random_bytes(keysize)
algorithm = algorithms.Blowfish(key)
mode = eval(mode_str)
cipher = Cipher(algorithm, mode=mode(), backend=default_backend())
encryptor = cipher.encryptor()
_ = encryptor.update(plaintext)
class TestBlowfishModeECB(object):
test_ECB = generate_encrypt_test(
load_nist_vectors,
os.path.join("ciphers", "Blowfish"),
["bf-ecb.txt"],
lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)),
lambda **kwargs: modes.ECB(),
)
class TestBlowfishModeCFB:
test_cfb = generate_encrypt_test(
load_nist_vectors,
os.path.join("ciphers", "Blowfish"),
["bf-cfb.txt"],
lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)),
lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)),
)
def test_blowfish(msg: str) -> int:
key = os.urandom(16)
iv = os.urandom(8)
cipher = Cipher(algorithms.Blowfish(key), modes.CBC(iv))
encryptor = cipher.encryptor()
ct = encryptor.update(bytes(msg, 'utf-8')) + encryptor.finalize()
decryptor = cipher.decryptor()
decrypted_message = decryptor.update(ct) + decryptor.finalize()
return getsizeof(ct)
def DBlowFish(path,key,iv):
f=open(os.path.join(path+"/Segments","1.txt"),"rb")
content=f.read()
f.close()
backend = default_backend()
cipher = Cipher(algorithms.Blowfish(key), modes.CBC(iv), backend=backend)
decryptor = cipher.decryptor()
content=decryptor.update(content) + decryptor.finalize()
f=open(os.path.join(path+"/temp/Segments","1.txt"),"wb")
f.write(content)
f.close()
def encryptAuth(self):
"""Encrypt the authentification credentials to store in the database"""
bs = int(algorithms.Blowfish.block_size / 8)
backend = default_backend()
iv = os.urandom(bs)
cipher = Cipher(algorithms.Blowfish(self.db.passw.encode('utf-8')), modes.CBC(iv), backend=backend)
encryptor = cipher.encryptor()
conf=json.dumps(self.auth).encode('utf-8')
#padd with spaces to be a multiple of bs
plen = bs - divmod(len(conf), bs)[1]
pad = b' '*plen
self.userentry.auth = iv + encryptor.update(conf+pad) + encryptor.finalize()
def decryptAuth(self):
"""Decrypt the authenficiation credentials as stored in the database"""
if self.userentry.auth:
bs=int(algorithms.Blowfish.block_size/8)
backend = default_backend()
iv = self.userentry.auth[0:bs]
encr=self.userentry.auth[bs:]
cipher = Cipher(algorithms.Blowfish(self.db.passw.encode('utf-8')), modes.CBC(iv), backend=backend)
decryptor = cipher.decryptor()
self.auth=json.loads(decryptor.update(encr) + decryptor.finalize())
else:
self.auth={}
async def dl_and_decrypt_track(url, SNG_ID, filename):
SNG_ID = str(SNG_ID).encode('ascii')
blowfish_key = get_blowfish_key(SNG_ID)
async with aiofiles.open(filename, 'wb') as filestream:
r = await request_get(url) # pylint: disable=no-member
async for i, chunk in asyncenumerate(r.content.iter_chunked(2048)):
if i % 3 or len(chunk) < 2048:
await filestream.write(chunk)
else:
cipher = Cipher(algorithms.Blowfish(blowfish_key),
modes.CBC(bytes([i for i in range(8)])),
default_backend())
decryptor = cipher.decryptor()
chunk = decryptor.update(chunk) + decryptor.finalize()
await filestream.write(chunk)
def BlowFish(key, iv):
f = open(os.path.join(os.getcwd() + "\Segments", "1.txt"), "r")
content = f.read()
f.close()
content = content.encode()
b = len(content)
if (b % 8 != 0):
while (b % 8 != 0):
content += " ".encode()
b = len(content)
backend = default_backend()
cipher = Cipher(algorithms.Blowfish(key), modes.CBC(iv), backend=backend)
encryptor = cipher.encryptor()
cont = encryptor.update(content) + encryptor.finalize()
open(os.path.join(os.getcwd() + "\Segments", "1.txt"), "w").close()
f = open(os.path.join(os.getcwd() + "\Segments", "1.txt"), "wb")
f.write(cont)
f.close()
def downloadTrack(filename, ext, url, bfKey):
''' Download and decrypts a track. Resumes download for tmp files.'''
if os.path.isfile(filename + '.tmp'):
print(f"Resuming download: {filename}{ext}...")
filesize = os.stat(filename + '.tmp').st_size # size downloaded file
# reduce filesize to a multiple of 2048 for seamless decryption
filesize = filesize - (filesize % 2048)
i = filesize / 2048
req = resumeDownload(url, filesize)
else:
print(f"Downloading: {filename}{ext}...")
filesize = 0
i = 0
req = requests_retry_session().get(url, stream=True)
if req.headers['Content-length'] == '0':
print("Empty file, skipping...\n")
return False
# make dirs if they do not exist yet
fileDir = os.path.dirname(filename + ext)
if not os.path.isdir(fileDir):
os.makedirs(fileDir)
# Decrypt content and write to file
with open(filename + '.tmp', 'ab') as fd:
fd.seek(filesize) # jump to end of the file in order to append to it
# Only every third 2048 byte block is encrypted.
for chunk in req.iter_content(2048):
if i % 3 > 0:
fd.write(chunk)
elif len(chunk) < 2048:
fd.write(chunk)
break
else:
cipher = Cipher(algorithms.Blowfish(bfKey),
modes.CBC(bytes([i for i in range(8)])),
default_backend())
decryptor = cipher.decryptor()
decdata = decryptor.update(chunk) + decryptor.finalize()
fd.write(decdata)
i += 1
os.rename(filename + '.tmp', filename + ext)
return True
def decrypt_text(encrypted_text, key, iv):
"""Decrypts encrypted text using Blowfish and CBC.
Example::
# use the same key and iv used in encrypting the text
text = decrypt_text(enc_text, key, iv)
"""
cipher = Cipher(algorithms.Blowfish(key),
modes.CBC(iv),
backend=default_backend())
decryptor = cipher.decryptor()
# CBC requires padding
unpadder = padding.PKCS7(algorithms.Blowfish.block_size).unpadder()
padded_data = decryptor.update(encrypted_text) + decryptor.finalize()
# decrypt the encrypted text
text = unpadder.update(padded_data) + unpadder.finalize()
return text
def pycaExamples():
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
key = os.urandom(16)
iv = os.urandom(16)
tdes4 = Cipher(algorithms.TripleDES(key),
mode=None,
backend=default_backend()
) # Noncompliant {{Use a strong cipher algorithm.}}
# ^^^^^^^^^^^^^^^^^^^^
bf3 = Cipher(algorithms.Blowfish(key),
mode=None,
backend=default_backend()
) # Noncompliant {{Use a strong cipher algorithm.}}
# ^^^^^^^^^^^^^^^^^^^
rc42 = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend()
) # Noncompliant {{Use a strong cipher algorithm.}}
def get_cipher(self):
if self.method.startswith('aes'):
return Cipher(algorithms.AES(self.key), modes.CFB(self.iv),
default_backend())
if self.method.startswith('bf'):
return Cipher(algorithms.Blowfish(self.key), modes.CFB(self.iv),
default_backend())
if self.method.startswith('camellia'):
return Cipher(algorithms.Camellia(self.key), modes.CFB(self.iv),
default_backend())
if self.method.startswith('cast5'):
return Cipher(algorithms.CAST5(self.key), modes.CFB(self.iv),
default_backend())
if self.method.startswith('seed'):
return Cipher(algorithms.SEED(self.key), modes.CFB(self.iv),
default_backend())
if self.method.startswith('idea'):
return Cipher(algorithms.IDEA(self.key), modes.CFB(self.iv),
default_backend())
if self.method.startswith('rc4'):
return Cipher(algorithms.ARC4(self.key), None, default_backend())
raise ValueError('crypto method %s not supported!' % self.method)
async def decrypt_track(track_buffer, info, out_filename):
SNG_ID = str(info['SNG_ID']).encode('ascii')
blowfish_key = get_blowfish_key(SNG_ID)
async with aiofiles.open(out_filename, 'wb') as decrypted_stream:
chunk_size = 2048
progress = 0
file_length = len(track_buffer)
while progress < file_length:
if (file_length - progress) < 2048:
chunk_size = file_length - progress
chunk = track_buffer[progress:progress + chunk_size]
if progress % (chunk_size * 3) == 0 and chunk_size == 2048:
cipher = Cipher(algorithms.Blowfish(blowfish_key),
modes.CBC(bytes([i for i in range(8)])),
default_backend())
decryptor = cipher.decryptor()
chunk = decryptor.update(chunk) + decryptor.finalize()
await decrypted_stream.write(chunk)
progress += chunk_size
def encrypt_text(text, key, iv):
"""Encrypts plain text using Blowfish and CBC.
Example::
import os
# keep the same key and iv for decrypting the text
key = os.urandom(32)
iv = os.urandom(8)
enc_text = encrypt_text("secret-text", key, iv)
"""
cipher = Cipher(algorithms.Blowfish(key),
modes.CBC(iv),
backend=default_backend())
encryptor = cipher.encryptor()
# CBC requires padding
padder = padding.PKCS7(algorithms.Blowfish.block_size).padder()
padded_data = padder.update(text) + padder.finalize()
# encrypt the text
encrypted_text = encryptor.update(padded_data) + encryptor.finalize()
return encrypted_text
# for complete details.
import binascii
import os
import pytest
from cryptography.hazmat.primitives.ciphers import algorithms, modes
from .utils import generate_encrypt_test
from ...utils import load_nist_vectors
@pytest.mark.supported(
only_if=lambda backend: backend.cipher_supported(
algorithms.Blowfish(b"\x00" * 56), modes.ECB()),
skip_message="Does not support Blowfish ECB",
)
class TestBlowfishModeECB:
test_ecb = generate_encrypt_test(
load_nist_vectors,
os.path.join("ciphers", "Blowfish"),
["bf-ecb.txt"],
lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)),
lambda **kwargs: modes.ECB(),
)
@pytest.mark.supported(
only_if=lambda backend: backend.cipher_supported(
algorithms.Blowfish(b"\x00" * 56), modes.CBC(b"\x00" * 8)),
# cf. https://github.com/PyCQA/bandit/blob/b78c938c0bd03d201932570f5e054261e10c5750/examples/ciphers.py from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.hazmat.primitives.ciphers import algorithms from cryptography.hazmat.primitives.ciphers import modes from cryptography.hazmat.backends import default_backend from struct import pack # ruleid:insecure-cipher-algorithm-rc4 cipher = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend()) encryptor = cipher.encryptor() ct = encryptor.update(b"a secret message") # ruleid:insecure-cipher-algorithm-blowfish cipher = Cipher(algorithms.Blowfish(key), mode=None, backend=default_backend()) encryptor = cipher.encryptor() ct = encryptor.update(b"a secret message") # ruleid:insecure-cipher-algorithm-idea cipher = Cipher(algorithms.IDEA(key), mode=None, backend=default_backend()) encryptor = cipher.encryptor() ct = encryptor.update(b"a secret message") # ok cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()) encryptor = cipher.encryptor() ct = encryptor.update(b"a secret message") + encryptor.finalize()
def blowfish_decrypt(ciphertext, key, mode, unpadder=pad.pkcs7_unpad_8):
return symmetric_decrypt(ciphertext, algorithms.Blowfish(key), mode, unpadder=unpadder)
def decrypt(key, ciphertext):
cipher = Cipher(algorithms.Blowfish(key),
mode=None,
backend=default_backend())
decryptor = cipher.decryptor()
return decryptor.update(ciphertext)
from __future__ import absolute_import, division, print_function
import binascii
import os
import pytest
from cryptography.hazmat.primitives.ciphers import algorithms, modes
from .utils import generate_encrypt_test
from ...utils import load_nist_vectors
@pytest.mark.supported(
only_if=lambda backend: backend.cipher_supported(
algorithms.Blowfish("\x00" * 56), modes.ECB()
),
skip_message="Does not support Blowfish ECB",
)
@pytest.mark.cipher
class TestBlowfishModeECB(object):
test_ECB = generate_encrypt_test(
load_nist_vectors,
os.path.join("ciphers", "Blowfish"),
["bf-ecb.txt"],
lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)),
lambda **kwargs: modes.ECB(),
)
@pytest.mark.supported(
def encrypt(key, plaintext):
cipher = Cipher(algorithms.Blowfish(key),
mode=None,
backend=default_backend())
encryptor = cipher.encryptor()
return encryptor.update(plaintext)
def blowfish_encrypt(plaintext, key, mode, padder=pad.pkcs7_pad_8):
return symmetric_encrypt(plaintext, algorithms.Blowfish(key), mode, padder=padder)
import os from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.backends import default_backend key = os.urandom(16) iv = os.urandom(16) tdes4 = Cipher(algorithms.TripleDES(key), mode=None, backend=default_backend()) # Noncompliant: Triple DES is vulnerable to meet-in-the-middle attack bf3 = Cipher(algorithms.Blowfish(key), mode=None, backend=default_backend()) # Noncompliant: Blowfish use a 64-bit block size makes it vulnerable to birthday attacks rc42 = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend()) # Noncompliant: vulnerable to several attacks (see https://en.wikipedia.org/wiki/RC4#Security)
def download_track(self,
track,
download_dir,
quality=None,
fallback=True,
filename=None,
renew=False,
with_metadata=True,
with_lyrics=True,
tag_separator=", ",
**kwargs):
"""Downloads the given track
Arguments:
track {dict} -- Track dictionary, similar to the {info} value that is returned {using get_track()}
download_dir {str} -- Directory (without {filename}) where the file is to be saved.
Keyword Arguments:
quality {str} -- Use values from {constants.track_formats}, will get the default quality if None or an invalid is given. (default: {None})
filename {str} -- Filename with or without the extension (default: {None})
renew {bool} -- Will renew the track object (default: {False})
with_metadata {bool} -- If true, will write id3 tags into the file. (default: {True})
with_lyrics {bool} -- If true, will find and save lyrics of the given track. (default: {True})
tag_separator {str} -- Separator to separate multiple artists (default: {", "})
"""
if with_lyrics:
if "LYRICS" in track:
lyric_data = track["LYRICS"]
else:
try:
if "DATA" in track:
lyric_data = self.get_track_lyrics(
track["DATA"]["SNG_ID"])["info"]
else:
lyric_data = self.get_track_lyrics(
track["SNG_ID"])["info"]
except APIRequestError:
with_lyrics = False
if "DATA" in track:
track = track["DATA"]
tags = self.get_track_tags(track, separator=tag_separator)
url, quality_key = self.get_track_download_url(track,
quality,
fallback=fallback,
renew=renew,
**kwargs)
blowfish_key = util.get_blowfish_key(track["SNG_ID"])
# quality = self._select_valid_quality(track, quality)
quality = track_formats.TRACK_FORMAT_MAP[quality_key]
title = tags["title"]
ext = quality["ext"]
if not filename:
filename = title + ext
if not str(filename).endswith(ext):
filename += ext
filename = util.clean_filename(filename)
download_dir = path.normpath(download_dir)
download_path = path.join(download_dir, filename)
util.create_folders(download_dir)
print("Starting download of:", title)
res = self.session.get(url, cookies=self.get_cookies(), stream=True)
chunk_size = 2048
total_filesize = int(res.headers["Content-Length"])
current_filesize = 0
i = 0
pbar = tqdm(res.iter_content(chunk_size),
total=total_filesize,
unit="B",
unit_scale=True,
unit_divisor=1024,
leave=False,
desc=title)
with open(download_path, "wb") as f:
f.seek(current_filesize)
for chunk in pbar:
chunk_len = len(chunk)
if i % 3 > 0:
f.write(chunk)
elif len(chunk) < chunk_size:
f.write(chunk)
pbar.update(chunk_len)
break
else:
cipher = Cipher(algorithms.Blowfish(blowfish_key),
modes.CBC(bytes([i for i in range(8)])),
default_backend())
decryptor = cipher.decryptor()
dec_data = decryptor.update(chunk) + decryptor.finalize()
f.write(dec_data)
chunk_len = len(dec_data)
i += 1
current_filesize += chunk_size
pbar.update(chunk_len)
pbar.close()
if with_metadata:
if ext.lower() == ".flac":
self._write_flac_tags(download_path, track, tags=tags)
else:
self._write_mp3_tags(download_path, track, tags=tags)
if with_lyrics:
lyrics_path = path.join(download_dir, filename[:-len(ext)])
self.save_lyrics(lyric_data, lyrics_path)
print("Track downloaded to:", download_path)
def int_dec_rnd(et: bytes, key, iv):
cipher = Cipher(algorithms.Blowfish(key), modes.CBC(iv), backend=backend)
decryptor = cipher.decryptor()
pt = decryptor.update(et) + decryptor.finalize()
return pt
def int_enc_rnd(int64: bytes, key, iv):
cipher = Cipher(algorithms.Blowfish(key), modes.CBC(iv), backend=backend)
encryptor = cipher.encryptor()
ct = encryptor.update(int64) + encryptor.finalize()
return ct
def __init__(self, key):
self.blowfish = Cipher(
algorithms.Blowfish(key), mode=modes.ECB(),
backend=default_backend()
).decryptor()
