def generate_recovery_key(prv_key):
rec_key = _GCE.generate_key()
pub_key = PrivateKey(prv_key,
Base64Encoder).public_key.encode(Base64Encoder)
bkp_key = _GCE.symmetric_encrypt(rec_key, prv_key)
rec_key = _GCE.asymmetric_encrypt(pub_key, rec_key)
return Base64Encoder.encode(bkp_key), Base64Encoder.encode(rec_key)
def handle(self, *args, **options):
"""Handle the command"""
private_key = PrivateKey.generate()
public_key = private_key.public_key
self.stdout.write('--------------------------------------------------------------')
self.stdout.write('Private Key Base64 Encoded:')
self.stdout.write(Base64Encoder.encode(bytes(private_key)).decode("utf-8"))
self.stdout.write('--------------------------------------------------------------')
self.stdout.write('Public Key Base64 Encoded:')
self.stdout.write(Base64Encoder.encode(bytes(public_key)).decode("utf-8"))
self.stdout.write('--------------------------------------------------------------')
def handle(self, *args, **options):
"""Handle the command"""
private_key = PrivateKey.generate()
public_key = private_key.public_key
self.stdout.write(
'--------------------------------------------------------------')
self.stdout.write('Private Key Base64 Encoded:')
self.stdout.write(
Base64Encoder.encode(bytes(private_key)).decode("utf-8"))
self.stdout.write(
'--------------------------------------------------------------')
self.stdout.write('Public Key Base64 Encoded:')
self.stdout.write(
Base64Encoder.encode(bytes(public_key)).decode("utf-8"))
self.stdout.write(
'--------------------------------------------------------------')
def set_user_password(tid, user, password, cc):
# Regenerate the password hash only if different from the best choice on the platform
if user.hash_alg != 'ARGON2':
user.hash_alg = 'ARGON2'
user.salt = GCE.generate_salt()
password_hash = GCE.hash_password(password, user.salt)
# Check that the new password is different form the current password
if user.password == password_hash:
raise errors.PasswordReuseError
user.password = password_hash
user.password_change_date = datetime_now()
State.log(tid=tid,
type='change_password',
user_id=user.id,
object_id=user.id)
if not State.tenant_cache[tid].encryption and cc == '':
return None
enc_key = GCE.derive_key(password.encode(), user.salt)
if not cc:
# The first password change triggers the generation
# of the user encryption private key and its backup
cc, user.crypto_pub_key = GCE.generate_keypair()
user.crypto_bkp_key, user.crypto_rec_key = GCE.generate_recovery_key(
cc)
user.crypto_prv_key = Base64Encoder.encode(
GCE.symmetric_encrypt(enc_key, cc))
if State.tenant_cache[1].crypto_escrow_pub_key:
user.crypto_escrow_bkp1_key = Base64Encoder.encode(
GCE.asymmetric_encrypt(State.tenant_cache[1].crypto_escrow_pub_key,
cc))
if State.tenant_cache[tid].crypto_escrow_pub_key:
user.crypto_escrow_bkp2_key = Base64Encoder.encode(
GCE.asymmetric_encrypt(
State.tenant_cache[tid].crypto_escrow_pub_key, cc))
return cc
def invalid_settings():
"""
Fixture that runs a test against a set of invalid configurations
"""
settings = copy.copy(DEFAULT_SETTINGS)
settings.update({
'EXAMS_AUDIT_NACL_PUBLIC_KEY': Base64Encoder.encode('bad'),
})
with override_settings(**settings):
yield settings
def invalid_settings():
"""
Fixture that runs a test against a set of invalid configurations
"""
settings = copy.copy(DEFAULT_SETTINGS)
settings.update({
'EXAMS_AUDIT_NACL_PUBLIC_KEY': Base64Encoder.encode('bad'),
})
with override_settings(**settings):
yield settings
def valid_settings(private_key):
"""
Fixture that provides valid (passes checks in configure()) configuration
"""
settings = copy.copy(DEFAULT_SETTINGS)
settings.update({
'EXAMS_AUDIT_NACL_PUBLIC_KEY': Base64Encoder.encode(bytes(private_key.public_key)),
})
with override_settings(**settings):
yield DEFAULT_SETTINGS
def valid_settings(private_key):
"""
Fixture that provides valid (passes checks in configure()) configuration
"""
settings = copy.copy(DEFAULT_SETTINGS)
settings.update({
'EXAMS_AUDIT_NACL_PUBLIC_KEY':
Base64Encoder.encode(bytes(private_key.public_key)),
})
with override_settings(**settings):
yield DEFAULT_SETTINGS
def get_auth(user_id, name, secret, nonce, method, uri, body=None):
if body is not None:
if not isinstance(body, str):
try:
body = json.dumps(body, separators=(',', ':'))
except ValueError as e:
logger.exception(
'invalid body. json or string are valid body type')
request_string = '{"method":"' + method + '","uri":"' + uri + ('",' if (
body is None) else '","body":' + body + ',') + '"nonce":' + nonce + '}'
logger.debug("message %s", request_string)
raw_signed = crypto_sign(request_string.encode(), bytes.fromhex(secret))
signature = Base64Encoder.encode(raw_signed[:crypto_sign_BYTES])
return 'SIGN ' + user_id + "." + name + ':' + signature.decode()
def get_cybersource_test_settings(private_key=None):
"""
Generates a valid set of settings for CyberSource
"""
if private_key is None:
private_key = PrivateKey.generate()
return {
"CYBERSOURCE_WSDL_URL":
(f"http://localhost/service/CyberSourceTransaction_{SERVICE_VERSION}.wsdl"
),
"CYBERSOURCE_MERCHANT_ID":
"merchant_id",
"CYBERSOURCE_TRANSACTION_KEY":
"transaction_key",
"CYBERSOURCE_INQUIRY_LOG_NACL_ENCRYPTION_KEY":
Base64Encoder.encode(bytes(private_key.public_key)),
}
################################################################################
# BEGIN MOCKS NECESSARY FOR DETERMINISTIC ENCRYPTION
VALID_PASSWORD1 = 'ACollectionOfDiplomaticHistorySince_1966_ToThe_Pr esentDay#'
VALID_PASSWORD2 = VALID_PASSWORD1
VALID_SALT1 = GCE.generate_salt()
VALID_SALT2 = GCE.generate_salt()
VALID_HASH1 = GCE.hash_password(VALID_PASSWORD1, VALID_SALT1)
VALID_HASH2 = GCE.hash_password(VALID_PASSWORD2, VALID_SALT2)
VALID_BASE64_IMG = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVQYV2NgYAAAAAMAAWgmWQ0AAAAASUVORK5CYII='
INVALID_PASSWORD = '******'
KEY = GCE.generate_key()
USER_KEY = GCE.derive_key(VALID_PASSWORD1, VALID_SALT1)
USER_PRV_KEY, USER_PUB_KEY = GCE.generate_keypair()
USER_PRV_KEY_ENC = Base64Encoder.encode(
GCE.symmetric_encrypt(USER_KEY, USER_PRV_KEY))
USER_BKP_KEY, USER_REC_KEY = GCE.generate_recovery_key(USER_PRV_KEY)
USER_REC_KEY_PLAIN = GCE.asymmetric_decrypt(USER_PRV_KEY,
Base64Encoder.decode(USER_REC_KEY))
USER_REC_KEY_PLAIN = Base32Encoder.encode(USER_REC_KEY_PLAIN).replace(
b'=', b'').decode('utf-8')
GCE_orig_generate_key = GCE.generate_key
GCE_orig_generate_keypair = GCE.generate_keypair
def mock_nullfunction(*args, **kwargs):
return
def mock_GCE_generate_key():
return KEY
def _base64(self, data: bytes):
return Base64Encoder.encode(data).decode('ASCII')
def challenge(self):
return Base64Encoder.encode(self.nonce())
message = 'abcdefg1234'
encoding = 'utf-8'
print('-' * 100)
print('KEY and MESSAGE')
print('-' * 100)
print('PRIKEY:', prikey)
print('PRIKEY(BASE64):', prikey.encode(Base64Encoder).decode(encoding))
print('PUBKEY:', pubkey)
print('PUBKEY(BASE64):', pubkey.encode(Base64Encoder).decode(encoding))
print('MESSAGE:', message)
print('-' * 100)
print('ENCRYPT with public key')
print('-' * 100)
box = SealedBox(pubkey)
encrypted = box.encrypt(message.encode(encoding=encoding))
print('ENCRYPTED MESSAGE:', encrypted)
print('ENCRYPTED MESSAGE(BASE64):',
Base64Encoder.encode(encrypted).decode(encoding))
print('-' * 100)
print('DECRYPT with private key')
print('-' * 100)
box = SealedBox(prikey)
decrypted = box.decrypt(encrypted).decode(encoding=encoding)
print('DECRYPTED MESSAGE:', decrypted)
def b2a(b):
return Base64Encoder.encode(b)
def write_file(file_name, data, base64=False):
if base64:
data = Base64Encoder.encode(data).decode('ascii')
f = open(file_name, 'w')
f.write(data)
f.close()
def b2a(b):
return Base64Encoder.encode(b)
