def test_rotate_decrypt_no_shared_keys(self, backend): f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend) mf1 = MultiFernet([f1]) mf2 = MultiFernet([f2]) with pytest.raises(InvalidToken): mf2.rotate(mf1.encrypt(b"abc"))
def _rotate_key(self): """ create a new encryption key and rotate all credentials files. Will attempt to rotate credentials files to the new key . If any fail an exception is raised prior to return. """ self.log_callback.info( 'Starting key rotation with keys file {0} in directory {1}.'.format( self.encryption_keys_file, self.credentials_directory ) ) success = True # Create new key keys = [Fernet.generate_key().decode()] # Write both keys to file, new key is first with open(self.encryption_keys_file, 'r+') as f: keys += [key.strip() for key in f.readlines()] f.seek(0) f.write('\n'.join(keys)) fernet_keys = [Fernet(key) for key in keys] fernet = MultiFernet(fernet_keys) # Rotate all credentials files for root, dirs, files in os.walk(self.credentials_directory): for credentials_file in files: if credentials_file == 'wsgi.py': continue path = os.path.join(root, credentials_file) with open(path, 'r+b') as f: credentials = f.read().strip() try: credentials = fernet.rotate(credentials) except Exception as error: self.log_callback.error( 'Failed key rotation on credential file {0}:' ' {1}: {2}'.format( path, type(error).__name__, error ) ) success = False else: f.seek(0) f.write(credentials) if not success: raise MashCredentialsDatastoreException( 'All credentials files have not been rotated.' )
def test_rotate_preserves_timestamp(self, backend, monkeypatch): f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend) mf1 = MultiFernet([f1]) mf2 = MultiFernet([f2, f1]) plaintext = b"abc" original_time = int(time.time()) - 5 * 60 mf1_ciphertext = mf1.encrypt_at_time(plaintext, original_time) rotated_time, _ = Fernet._get_unverified_token_data( mf2.rotate(mf1_ciphertext)) assert int(time.time()) != rotated_time assert original_time == rotated_time
def test_rotate(self, backend): f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend) mf1 = MultiFernet([f1]) mf2 = MultiFernet([f2, f1]) plaintext = b"abc" mf1_ciphertext = mf1.encrypt(plaintext) assert mf2.decrypt(mf1_ciphertext) == plaintext rotated = mf2.rotate(mf1_ciphertext) assert rotated != mf1_ciphertext assert mf2.decrypt(rotated) == plaintext with pytest.raises(InvalidToken): mf1.decrypt(rotated)
def test_rotate_preserves_timestamp(self, backend, monkeypatch): f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend) mf1 = MultiFernet([f1]) mf2 = MultiFernet([f2, f1]) plaintext = b"abc" mf1_ciphertext = mf1.encrypt(plaintext) later = datetime.datetime.now() + datetime.timedelta(minutes=5) later_time = time.mktime(later.timetuple()) monkeypatch.setattr(time, "time", lambda: later_time) original_time, _ = Fernet._get_unverified_token_data(mf1_ciphertext) rotated_time, _ = Fernet._get_unverified_token_data( mf2.rotate(mf1_ciphertext)) assert later_time != rotated_time assert original_time == rotated_time
def test_rotate_preserves_timestamp(self, backend, monkeypatch): f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend) mf1 = MultiFernet([f1]) mf2 = MultiFernet([f2, f1]) plaintext = b"abc" mf1_ciphertext = mf1.encrypt(plaintext) later = datetime.datetime.now() + datetime.timedelta(minutes=5) later_time = time.mktime(later.timetuple()) monkeypatch.setattr(time, "time", lambda: later_time) original_time, _ = Fernet._get_unverified_token_data(mf1_ciphertext) rotated_time, _ = Fernet._get_unverified_token_data( mf2.rotate(mf1_ciphertext) ) assert later_time != rotated_time assert original_time == rotated_time
F = Fernet(key) info = "my deep dark secret" # 加密信息 token = F.encrypt(info.encode()) print("token: ", token) # 解密信息 de_info = F.decrypt(token) print(de_info.decode()) key1 = Fernet.generate_key() print("key1: ", key1) F1 = Fernet(key1) key2 = Fernet.generate_key() print("key2: ", key2) F2 = Fernet(key2) # MultiFernet performs all encryption options using the first key in the list provided. # MultiFernet attempts to decrypt tokens with each key in turn. FM = MultiFernet([F1, F2]) tokenFM = FM.encrypt(info.encode()) print("tokenFM: ", tokenFM) print("FM.decrypt: ", FM.decrypt(tokenFM)) key3 = Fernet.generate_key() print("key3: ", key3) F3 = Fernet(key3) FM2 = MultiFernet([F3, F1, F2]) # rotate a token by decrypt and re-encrypting it under the MultiFernet instance’s primary key. rotated = FM2.rotate(tokenFM) print("rotated: ", rotated) print(FM2.decrypt(rotated))
from cryptography.fernet import Fernet, MultiFernet # The sample code is extracted from the book Python Cryptography # The book can be downloaded from https://leanpub.com/cryptop # Online Crypto Playgroud https://8gwifi.org # Author Anish Nath key1 = Fernet(Fernet.generate_key()) key2 = Fernet(Fernet.generate_key()) key3 = Fernet(Fernet.generate_key()) plaintext = "Hello 8gwifi.org" f = MultiFernet([key1, key2, key3]) token = f.encrypt(plaintext) d = f.decrypt(token) assert d, plaintext # Rotating key key4 = Fernet(Fernet.generate_key()) key5 = Fernet(Fernet.generate_key()) f2 = MultiFernet([key4, key5, key1, key2, key3]) rotated = f2.rotate(token) d = f2.decrypt(token) assert d, plaintext
timestamp = key_object.extract_timestamp(encrypted_string) print("Timestamp of the encrypted string: %s" % timestamp) decrypted_string = key_object.decrypt(encrypted_string) print("Decrypted String: %s" % decrypted_string) # Rotation third_key = Fernet(Fernet.generate_key()) key_object_2 = MultiFernet([third_key, first_key, second_key]) rotated = key_object_2.rotate(encrypted_string) decrypted_string = key_object_2.decrypt(rotated) print("Decrypted String: %s" % decrypted_string) # Fernet Encryption using Passwords import base64 import os from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes