def unseal(self, seal):
try:
plaintext = self.decrypt(seal)
parts = plaintext.split(":")
if len(parts) != 4:
raise EncryptionException(_("Invalid seal"),
_("Seal was not formatted properly"))
timestring = parts[0]
expiration = datetime.fromtimestamp(float(timestring))
if datetime.now() > expiration:
raise EncryptionException(_("Invalid seal"),
_("Seal has expired"))
random, data, sig = parts[1:4]
sig_data = timestring + ":" + random + ":" + data
if not self.verify_signature(sig, sig_data):
raise EncryptionException(_("Invalid seal"),
_("Seal integrity check failed"))
return data
except EncryptionException:
raise
except Exception, err:
raise EncryptionException(_("Invalid seal"), _("Invalid seal"),
err)
def hash(self, plaintext, salt, iterations=None):
# Verify a MasterSalt has been set
if not self.master_salt or len(self.master_salt) < 20:
raise Exception(
_("There is an error in the application configuration. The MasterSalt has not been set properly. Please see the instructions in the README for setting up a crypto keyring. Currently, Encryptor_MasterSalt=%(value)s"
) % {'value': self.master_salt})
if iterations is None:
iterations = self.hash_iterations
try:
digest = hashlib.new(self.hash_algorithm)
digest.update(self.master_salt)
digest.update(salt)
digest.update(plaintext)
bytes = digest.digest()
for i in range(self.hash_iterations):
digest = hashlib.new(self.hash_algorithm)
digest.update(bytes)
bytes = digest.digest()
encoded = ESAPI.encoder().encode_for_base64(bytes)
return encoded
except ValueError, e:
raise EncryptionException(
_("Problem hashing"),
_("Internal Error - Can't find hash algorithm ") +
self.hash_algorithm)
def sign(self, data):
try:
signer = keyczar.Signer.Read(self.keys_asymmetric_private_location)
signature = signer.Sign(data)
return signature
except KeyczarError, err:
raise EncryptionException(_("Problem signing"),
_("Keyczar raised an error"), err)
def decrypt(self, ciphertext):
try:
crypter = keyczar.Crypter.Read(self.keys_symmetric_location)
plaintext = crypter.Decrypt(ciphertext)
return plaintext
except KeyczarError, err:
raise EncryptionException(_("Problem decrypting"),
_("Keyczar raised an error"), err)
def __init__(self):
Encryptor.__init__(self)
self.logger = ESAPI.logger("DefaultEncryptor")
# Hashing
self.hash_algorithm = ESAPI.security_configuration(
).get_hash_algorithm()
self.hash_iterations = ESAPI.security_configuration(
).get_hash_iterations()
# Encryption
self.encrypt_algorithm = ESAPI.security_configuration(
).get_encryption_algorithm()
if self.encrypt_algorithm not in self.VALID_ENCRYPTION_ALGOS:
raise EncryptionException(
_("Encryption Failure - Unknown algorithm for encryption: %(algorithm)s"
) % {'algorithm': self.encrypt_algorithm})
self.encryption_key_length = ESAPI.security_configuration(
).get_encryption_key_length()
self.master_salt = ESAPI.security_configuration().get_master_salt()
# Public key crypto
self.signing_algorithm = ESAPI.security_configuration(
).get_digital_signature_algorithm()
if self.signing_algorithm not in self.VALID_SIGNING_ALGOS:
raise EncryptionException(
_("Failure to encrypt"),
_("Encryption Failure - Unknown algorithm for signing: %(algorithm)s"
) % {'algorithm': self.signing_algorithm})
self.signing_key_length = ESAPI.security_configuration(
).get_digital_signature_key_length()
# Key locations
self.keys_location = os.path.realpath(ESAPI.security_configuration(
).get_encryption_keys_location()) + '/'
self.keys_symmetric_location = self.keys_location + "symmetric"
self.keys_asymmetric_private_location = self.keys_location + "asymmetric-private"
self.keys_asymmetric_public_location = self.keys_location + "asymmetric-public"
except EncodingException, extra:
self.logger.error(
Logger.SECURITY_FAILURE,
_("Problem encrypting state in cookie - skipping entry"),
extra=extra)
encrypted = ESAPI.encryptor().encrypt(buf)
if len(encrypted) > self.MAX_COOKIE_LEN:
self.logger.error(
Logger.SECURITY_FAILURE,
_("Problem encrypting state in cookie because of max cookie length"
))
raise EncryptionException(
_("Encryption Exception"),
_("Encrypted cookie state length of %(len)s is longer than allowed %(allowed)s."
) % {
'len': len(encrypted),
'allowed': self.MAX_COOKIE_LEN
})
self.add_cookie(response, key=self.ESAPI_STATE, value=encrypted)
def get_cookie(self, name, request=None):
if request is None:
request = self.current_request
morsel = request.cookies.get(name, None)
if morsel is None:
return None