def test_encrypt_decrypt_sym(self):
# generate 256-bit key
key = os.urandom(32)
iv, cyphertext = crypto.encrypt_sym('data', key)
self.assertTrue(cyphertext is not None)
self.assertTrue(cyphertext != '')
self.assertTrue(cyphertext != 'data')
plaintext = crypto.decrypt_sym(cyphertext, key, iv)
self.assertEqual('data', plaintext)
def test_encrypt_decrypt_sym(self):
# generate 256-bit key
key = os.urandom(32)
iv, cyphertext = crypto.encrypt_sym('data', key)
self.assertTrue(cyphertext is not None)
self.assertTrue(cyphertext != '')
self.assertTrue(cyphertext != 'data')
plaintext = crypto.decrypt_sym(cyphertext, key, iv)
self.assertEqual('data', plaintext)
def test_decrypt_with_wrong_key_fails(self):
key = os.urandom(32)
iv, cyphertext = crypto.encrypt_sym('data', key)
self.assertTrue(cyphertext is not None)
self.assertTrue(cyphertext != '')
self.assertTrue(cyphertext != 'data')
wrongkey = os.urandom(32) # 256-bits key
# ensure keys are different in case we are extremely lucky
while wrongkey == key:
wrongkey = os.urandom(32)
plaintext = crypto.decrypt_sym(cyphertext, wrongkey, iv)
self.assertNotEqual('data', plaintext)
def test_decrypt_with_wrong_key_fails(self):
key = os.urandom(32)
iv, cyphertext = crypto.encrypt_sym('data', key)
self.assertTrue(cyphertext is not None)
self.assertTrue(cyphertext != '')
self.assertTrue(cyphertext != 'data')
wrongkey = os.urandom(32) # 256-bits key
# ensure keys are different in case we are extremely lucky
while wrongkey == key:
wrongkey = os.urandom(32)
plaintext = crypto.decrypt_sym(cyphertext, wrongkey, iv)
self.assertNotEqual('data', plaintext)
def test_decrypt_with_wrong_iv_fails(self):
key = os.urandom(32)
iv, cyphertext = crypto.encrypt_sym('data', key)
self.assertTrue(cyphertext is not None)
self.assertTrue(cyphertext != '')
self.assertTrue(cyphertext != 'data')
# get a different iv by changing the first byte
rawiv = binascii.a2b_base64(iv)
wrongiv = rawiv
while wrongiv == rawiv:
wrongiv = os.urandom(1) + rawiv[1:]
plaintext = crypto.decrypt_sym(
cyphertext, key, iv=binascii.b2a_base64(wrongiv))
self.assertNotEqual('data', plaintext)
def test_decrypt_with_wrong_iv_fails(self):
key = os.urandom(32)
iv, cyphertext = crypto.encrypt_sym('data', key)
self.assertTrue(cyphertext is not None)
self.assertTrue(cyphertext != '')
self.assertTrue(cyphertext != 'data')
# get a different iv by changing the first byte
rawiv = binascii.a2b_base64(iv)
wrongiv = rawiv
while wrongiv == rawiv:
wrongiv = os.urandom(1) + rawiv[1:]
plaintext = crypto.decrypt_sym(
cyphertext, key, iv=binascii.b2a_base64(wrongiv))
self.assertNotEqual('data', plaintext)
def _encrypt_storage_secret(self, decrypted_secret):
"""
Encrypt the storage secret.
An encrypted secret has the following structure:
{
'<secret_id>': {
'kdf': 'scrypt',
'kdf_salt': '<b64 repr of salt>'
'kdf_length': <key length>
'cipher': 'aes256',
'length': <secret length>,
'secret': '<encrypted b64 repr of storage_secret>',
}
}
:param decrypted_secret: The decrypted storage secret.
:type decrypted_secret: str
:return: The encrypted storage secret.
:rtype: dict
"""
# generate random salt
salt = os.urandom(self.SALT_LENGTH)
# get a 256-bit key
key = scrypt.hash(self._passphrase_as_string(), salt, buflen=32)
iv, ciphertext = encrypt_sym(decrypted_secret, key)
encrypted_secret_dict = {
# leap.soledad.crypto submodule uses AES256 for symmetric
# encryption.
self.KDF_KEY:
self.KDF_SCRYPT,
self.KDF_SALT_KEY:
binascii.b2a_base64(salt),
self.KDF_LENGTH_KEY:
len(key),
self.CIPHER_KEY:
self.CIPHER_AES256,
self.LENGTH_KEY:
len(decrypted_secret),
self.SECRET_KEY:
'%s%s%s' %
(str(iv), self.IV_SEPARATOR, binascii.b2a_base64(ciphertext)),
}
return encrypted_secret_dict
def _encrypt_storage_secret(self, decrypted_secret):
"""
Encrypt the storage secret.
An encrypted secret has the following structure:
{
'<secret_id>': {
'kdf': 'scrypt',
'kdf_salt': '<b64 repr of salt>'
'kdf_length': <key length>
'cipher': 'aes256',
'length': <secret length>,
'secret': '<encrypted b64 repr of storage_secret>',
}
}
:param decrypted_secret: The decrypted storage secret.
:type decrypted_secret: str
:return: The encrypted storage secret.
:rtype: dict
"""
# generate random salt
salt = os.urandom(self.SALT_LENGTH)
# get a 256-bit key
key = scrypt.hash(self._passphrase_as_string(), salt, buflen=32)
iv, ciphertext = encrypt_sym(decrypted_secret, key)
encrypted_secret_dict = {
# leap.soledad.crypto submodule uses AES256 for symmetric
# encryption.
self.KDF_KEY: self.KDF_SCRYPT,
self.KDF_SALT_KEY: binascii.b2a_base64(salt),
self.KDF_LENGTH_KEY: len(key),
self.CIPHER_KEY: self.CIPHER_AES256,
self.LENGTH_KEY: len(decrypted_secret),
self.SECRET_KEY: '%s%s%s' % (
str(iv), self.IV_SEPARATOR, binascii.b2a_base64(ciphertext)),
}
return encrypted_secret_dict
def encrypt(self, content):
iv, ciphertext = encrypt_sym(content, self.masterkey)
mac = self.gen_mac(iv, ciphertext)
return ''.join((mac, iv, ciphertext))
def encrypt(self, content):
iv, ciphertext = encrypt_sym(content, self.masterkey)
mac = self.gen_mac(iv, ciphertext)
return ''.join((mac, iv, ciphertext))
def test_raw_decrypt(benchmark, payload):
key = payload(32)
iv, ciphertext = encrypt_sym(payload(size), key)
benchmark(decrypt_sym, ciphertext, key, iv)
def encrypt(self, content):
iv, ciphertext = encrypt_sym(content, self.masterkey, EncryptionMethods.XSALSA20)
mac = self.gen_mac(iv, ciphertext)
return ''.join((mac, iv, ciphertext))
