def test_validate_key(self): """ Ensure successful key validation . """ # Unset the global crypto engine state first. state.secret_key = None # Create a new key ekey = hashlib.sha256('encrypt').digest() skey = hashlib.sha256('sign').digest() key = MasterKey(encryption_key=ekey, signing_key=skey) # Now set new metadata util.initialize_key_metadata(key=key, salt=os.urandom(8), force_overwrite=True) # And then validate it. self.assertTrue(util.validate_key(key=key))
def validate_passphrase(form, field): """ """ try: passphrase = field.data key = crypto_util.derive_configured_key(passphrase) if not crypto_util.validate_key(key): raise ValidationError("Invalid passphrase entered.") except ValidationError: raise except exc.MissingKeyMetadata: log.exception("Missing key metadata.") raise ValidationError("Database crypto has not yet been initialized.") except: log.exception("Error validating passphrase.") raise ValidationError("Error validating passphrase (see server logs).")
def test_initialize(self): """ Test initiazation of key metadata. """ ekey = hashlib.sha256('encrypt').digest() skey = hashlib.sha256('sign').digest() new_key = MasterKey(encryption_key=ekey, signing_key=skey) with self.assertRaises(exc.CryptoAlreadyInitialized): util.initialize_key_metadata(key=new_key, salt=os.urandom(8)) # Uninitailzie engine state.secret_key = None with self.assertRaises(exc.ExistingKeyMetadata): util.initialize_key_metadata(key=new_key, salt=os.urandom(8)) util.initialize_key_metadata(key=new_key, salt=os.urandom(8), force_overwrite=True) self.assertTrue(util.validate_key(new_key))
def secret_key(self, value): """ Sets the combined encryption/signing key to the specified value, raising exception if the key is not 64 bytes. Internally the key is split in half; one half used for encryption and the other for signing. """ # Need a runtime import since otherwise we have circular dep from ensconce.crypto import util with self.key_lock: if value is None: self._secret_key = None else: if not isinstance(value, MasterKey): value = CombinedMasterKey(value) if not util.validate_key(value): raise IncorrectKey() self._secret_key = value