def unseal(self, seal):
        try:
            plaintext = self.decrypt(seal)
            parts = plaintext.split(":")
            if len(parts) != 4:
                raise EncryptionException(_("Invalid seal"),
                                          _("Seal was not formatted properly"))

            timestring = parts[0]
            expiration = datetime.fromtimestamp(float(timestring))
            if datetime.now() > expiration:
                raise EncryptionException(_("Invalid seal"),
                                          _("Seal has expired"))
            random, data, sig = parts[1:4]
            sig_data = timestring + ":" + random + ":" + data
            if not self.verify_signature(sig, sig_data):
                raise EncryptionException(_("Invalid seal"),
                                          _("Seal integrity check failed"))

            return data
        except EncryptionException:
            raise
        except Exception, err:
            raise EncryptionException(_("Invalid seal"), _("Invalid seal"),
                                      err)
    def hash(self, plaintext, salt, iterations=None):
        # Verify a MasterSalt has been set
        if not self.master_salt or len(self.master_salt) < 20:
            raise Exception(
                _("There is an error in the application configuration. The MasterSalt has not been set properly. Please see the instructions in the README for setting up a crypto keyring. Currently, Encryptor_MasterSalt=%(value)s"
                  ) % {'value': self.master_salt})

        if iterations is None:
            iterations = self.hash_iterations

        try:
            digest = hashlib.new(self.hash_algorithm)
            digest.update(self.master_salt)
            digest.update(salt)
            digest.update(plaintext)

            bytes = digest.digest()
            for i in range(self.hash_iterations):
                digest = hashlib.new(self.hash_algorithm)
                digest.update(bytes)
                bytes = digest.digest()

            encoded = ESAPI.encoder().encode_for_base64(bytes)
            return encoded

        except ValueError, e:
            raise EncryptionException(
                _("Problem hashing"),
                _("Internal Error - Can't find hash algorithm ") +
                self.hash_algorithm)
 def sign(self, data):
     try:
         signer = keyczar.Signer.Read(self.keys_asymmetric_private_location)
         signature = signer.Sign(data)
         return signature
     except KeyczarError, err:
         raise EncryptionException(_("Problem signing"),
                                   _("Keyczar raised an error"), err)
 def decrypt(self, ciphertext):
     try:
         crypter = keyczar.Crypter.Read(self.keys_symmetric_location)
         plaintext = crypter.Decrypt(ciphertext)
         return plaintext
     except KeyczarError, err:
         raise EncryptionException(_("Problem decrypting"),
                                   _("Keyczar raised an error"), err)
    def __init__(self):
        Encryptor.__init__(self)
        self.logger = ESAPI.logger("DefaultEncryptor")

        # Hashing
        self.hash_algorithm = ESAPI.security_configuration(
        ).get_hash_algorithm()
        self.hash_iterations = ESAPI.security_configuration(
        ).get_hash_iterations()

        # Encryption
        self.encrypt_algorithm = ESAPI.security_configuration(
        ).get_encryption_algorithm()
        if self.encrypt_algorithm not in self.VALID_ENCRYPTION_ALGOS:
            raise EncryptionException(
                _("Encryption Failure - Unknown algorithm for encryption: %(algorithm)s"
                  ) % {'algorithm': self.encrypt_algorithm})

        self.encryption_key_length = ESAPI.security_configuration(
        ).get_encryption_key_length()
        self.master_salt = ESAPI.security_configuration().get_master_salt()

        # Public key crypto
        self.signing_algorithm = ESAPI.security_configuration(
        ).get_digital_signature_algorithm()
        if self.signing_algorithm not in self.VALID_SIGNING_ALGOS:
            raise EncryptionException(
                _("Failure to encrypt"),
                _("Encryption Failure - Unknown algorithm for signing: %(algorithm)s"
                  ) % {'algorithm': self.signing_algorithm})
        self.signing_key_length = ESAPI.security_configuration(
        ).get_digital_signature_key_length()

        # Key locations
        self.keys_location = os.path.realpath(ESAPI.security_configuration(
        ).get_encryption_keys_location()) + '/'
        self.keys_symmetric_location = self.keys_location + "symmetric"
        self.keys_asymmetric_private_location = self.keys_location + "asymmetric-private"
        self.keys_asymmetric_public_location = self.keys_location + "asymmetric-public"
Esempio n. 6
0
            except EncodingException, extra:
                self.logger.error(
                    Logger.SECURITY_FAILURE,
                    _("Problem encrypting state in cookie - skipping entry"),
                    extra=extra)

        encrypted = ESAPI.encryptor().encrypt(buf)
        if len(encrypted) > self.MAX_COOKIE_LEN:
            self.logger.error(
                Logger.SECURITY_FAILURE,
                _("Problem encrypting state in cookie because of max cookie length"
                  ))
            raise EncryptionException(
                _("Encryption Exception"),
                _("Encrypted cookie state length of %(len)s is longer than allowed %(allowed)s."
                  ) % {
                      'len': len(encrypted),
                      'allowed': self.MAX_COOKIE_LEN
                  })

        self.add_cookie(response, key=self.ESAPI_STATE, value=encrypted)

    def get_cookie(self, name, request=None):
        if request is None:
            request = self.current_request

        morsel = request.cookies.get(name, None)

        if morsel is None:
            return None