def _pbkdf2(password, salt, rounds, keylen):
digest_size = 20 # sha1 generates 20-byte blocks
total_blocks = int((keylen+digest_size-1)/digest_size)
hmac_template = HMAC(password, None, sha1)
out = _bempty
for i in range(1, total_blocks+1):
hmac = hmac_template.copy()
hmac.update(salt + pack(">L", i))
block = tmp = hmac.digest()
for _j in range(rounds-1):
hmac = hmac_template.copy()
hmac.update(tmp)
tmp = hmac.digest()
# TODO: need to speed up this call
block = xor_bytes(block, tmp)
out += block
return out[:keylen]
def _pbkdf2(password, salt, rounds, keylen):
digest_size = 20 # sha1 generates 20-byte blocks
total_blocks = int((keylen+digest_size-1)/digest_size)
hmac_template = HMAC(password, None, sha1)
out = _bempty
for i in xrange(1, total_blocks+1):
hmac = hmac_template.copy()
hmac.update(salt + pack(">L",i))
block = tmp = hmac.digest()
for j in xrange(rounds-1):
hmac = hmac_template.copy()
hmac.update(tmp)
tmp = hmac.digest()
#TODO: need to speed up this call
block = xor_bytes(block, tmp)
out += block
return out[:keylen]
class Signer(object):
"""
When using an RSA algo, the secret is a PEM-encoded private key.
When using an HMAC algo, the secret is the HMAC signing secret.
Password-protected keyfiles are not supported.
"""
def __init__(self, secret, algorithm=None):
if algorithm is None:
algorithm = DEFAULT_SIGN_ALGORITHM
assert algorithm in ALGORITHMS, "Unknown algorithm"
if isinstance(secret, six.string_types):
secret = secret.encode("ascii")
self._hash = None
self.sign_algorithm, self.hash_algorithm = algorithm.split('-')
if self.sign_algorithm == 'hmac':
self._hash = HMAC(secret, digestmod=HASHES[self.hash_algorithm])
else:
raise NotImplementedError('Only hmac is supported')
@property
def algorithm(self):
return '%s-%s' % (self.sign_algorithm, self.hash_algorithm)
def _sign_hmac(self, data):
if isinstance(data, six.string_types): data = data.encode("ascii")
hmac = self._hash.copy()
hmac.update(data)
return hmac.digest()
def _sign(self, data):
if isinstance(data, six.string_types): data = data.encode("ascii")
signed = None
if self._hash:
signed = self._sign_hmac(data)
if not signed:
raise SystemError('No valid encryptor found.')
return base64.b64encode(signed).decode("ascii")
class DummyTokenIdentityPolicy(AbstractIdentityPolicy):
def __init__(self, server_secret=None):
'''
Makes identity tokens using HMAC(SHA-512) over a
server-side secret.
Provide a secret (20+ bytes) or we'll pick one
at runtime.
'''
if server_secret is None:
server_secret = os.urandom(32)
self.hmac = HMAC(server_secret, digestmod=sha512)
def _make_hmac(self, ident):
hm = self.hmac.copy()
hm.update(ident.encode('utf8'))
return hm.hexdigest()
async def identify(self, request):
# validate token
hdr = request.headers.get("Authorization")
if not hdr or ':' not in hdr:
return None
identity, check = hdr.rsplit(':', 1)
if check != self._make_hmac(identity):
return None
return identity
async def remember(self, request, response, identity, **kwargs):
# save token in storage and reply to client
response.headers['X-Token'] = identity + ':' + self._make_hmac(
identity)
async def forget(self, request, response):
token = request.headers.get("Authorization")
assert token
assert ':' in token