Example #1
0
 def test_validate_key(self):
     """ Ensure successful key validation . """
     # Unset the global crypto engine state first.
     state.secret_key = None
     
     # Create a new key
     ekey = hashlib.sha256('encrypt').digest()
     skey = hashlib.sha256('sign').digest()
     key = MasterKey(encryption_key=ekey, signing_key=skey)
     
     # Now set new metadata
     util.initialize_key_metadata(key=key, salt=os.urandom(8), force_overwrite=True)
     
     # And then validate it.
     self.assertTrue(util.validate_key(key=key))
Example #2
0
def validate_passphrase(form, field):
    """
    """
    try:
        passphrase = field.data
        key = crypto_util.derive_configured_key(passphrase)
        if not crypto_util.validate_key(key):
            raise ValidationError("Invalid passphrase entered.")
    except ValidationError:
        raise
    except exc.MissingKeyMetadata:
        log.exception("Missing key metadata.")
        raise ValidationError("Database crypto has not yet been initialized.") 
    except:
        log.exception("Error validating passphrase.")
        raise ValidationError("Error validating passphrase (see server logs).")
Example #3
0
 def test_initialize(self):
     """ Test initiazation of key metadata. """
     ekey = hashlib.sha256('encrypt').digest()
     skey = hashlib.sha256('sign').digest()
     new_key = MasterKey(encryption_key=ekey, signing_key=skey)
     with self.assertRaises(exc.CryptoAlreadyInitialized):
         util.initialize_key_metadata(key=new_key, salt=os.urandom(8))
         
     # Uninitailzie engine
     state.secret_key = None
      
     with self.assertRaises(exc.ExistingKeyMetadata):
         util.initialize_key_metadata(key=new_key, salt=os.urandom(8))
         
     util.initialize_key_metadata(key=new_key, salt=os.urandom(8), force_overwrite=True)
     self.assertTrue(util.validate_key(new_key))
Example #4
0
 def secret_key(self, value):
     """
     Sets the combined encryption/signing key to the specified value, raising exception
     if the key is not 64 bytes.  Internally the key is split in half; one half used for
     encryption and the other for signing.
     """
     # Need a runtime import since otherwise we have circular dep
     from ensconce.crypto import util
     
     with self.key_lock:
         if value is None:
             self._secret_key = None
         else:
             if not isinstance(value, MasterKey):
                 value = CombinedMasterKey(value)
             if not util.validate_key(value):
                 raise IncorrectKey()
             
             self._secret_key = value