Exemplo n.º 1
0
def sg_decrypt_from_priv_seed(to_decrypt, private_seed_hex):
    '''
    For use with a private seed on your local server.

    WARNING: placing the private seed on your local server defeats the whole
    purpose of rate limiting. If an attacker has access to your encrypted
    database and gets access to this seed on your server, they can easily
    decrypt the whole database. Only use this method if you know what you're
    doing. It's main purpose is recovery in case SecondGuard is down.
    '''
    prefix, encoding, seed_and_nonce_str, b64_iv_and_ciphertext = to_decrypt.split('$')
    seed_pub_hash_hex, nonce = seed_and_nonce_str.split('@')

    valid_pair = is_seed_hash_pair(
            private_seed_hex=private_seed_hex,
            seed_public_hash_hex=seed_pub_hash_hex,
            )
    if not valid_pair:
        err_msg = seed_pub_hash_hex
        err_msg += ' is not a valid private seed for the data you are trying to decrypt.'
        raise Exception(err_msg)

    unique_key = derive_child_key(
            private_seed_hex=private_seed_hex,
            nonce=nonce,
            )

    b64_text_to_decrypt = '$'.join(
            (
                prefix,
                encoding,
                # no seed_and_nonce_str
                b64_iv_and_ciphertext,
                )
            )

    return decrypt(
            b64_text_to_decrypt=b64_text_to_decrypt,
            key=unique_key[:KEY_LENGTH_IN_BYTES],
            )
 def test_derive_child_key(self):
     child_key = derive_child_key(
             private_seed_hex=self.priv_seed_hex,
             nonce=self.some_nonce,
             )
     assert self.child_key == child_key