def decode_row_batch(crypt: CryptoOptions, data) -> vpb.RowBatchData:
jwe = JsonWebEncryption()
rb = vpb.RowBatchData()
data = jwe.deserialize_compact(data, crypt.jwk_private_key)
rb.ParseFromString(data['payload'])
return rb
def forgot_password_token(mode) :
"""
@app.route('/forgot_password_token/', methods = ['GET', 'POST'])
This function is called from email to decode token and reset password.
"""
if request.method == 'GET' :
token = request.args.get('token')
key = privatekey.get_key(mode.owner_talao, 'rsa_key', mode)
jwe = JsonWebEncryption()
try :
data = jwe.deserialize_compact(token, key)
except :
flash ('Incorrect data', 'danger')
logging.warning('JWE did not decrypt')
return render_template('./login/login_password.html')
payload = json.loads(data['payload'].decode('utf-8'))
if payload['expired'] < datetime.timestamp(datetime.now()) :
flash ('Delay expired (3 minutes maximum)', 'danger')
return render_template('./login/login_password.html')
session['email_password'] = payload['email']
session['username_password'] = payload['username']
return render_template('./login/update_password_external.html')
if request.method == 'POST' :
if session['email_password'] != request.form['email'] :
flash('Incorrect email', 'danger')
return render_template('./login/update_password_external.html')
ns.update_password(session['username_password'], request.form['password'], mode)
flash('Password updated', "success")
del session['email_password']
del session['username_password']
return render_template('./login/login_password.html')
def decrypt(self, token, key, type='AES'):
if type == 'AES':
data = SJCL.decrypt(self, token, key)
return data.decode()
else:
jwe = JsonWebEncryption()
data = jwe.deserialize_compact(token, key)
return data['payload'].decode()
def test_compact_rsa(self):
jwe = JsonWebEncryption(algorithms=JWE_ALGORITHMS)
s = jwe.serialize_compact({
'alg': 'RSA-OAEP',
'enc': 'A256GCM'
}, 'hello', read_file_path('rsa_public.pem'))
data = jwe.deserialize_compact(s, read_file_path('rsa_private.pem'))
header, payload = data['header'], data['payload']
self.assertEqual(payload, b'hello')
self.assertEqual(header['alg'], 'RSA-OAEP')
def test_ecdh_es_with_okp(self):
jwe = JsonWebEncryption(algorithms=JWE_ALGORITHMS)
key = OKPKey.generate_key('X25519', is_private=True)
for alg in [
"ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
]:
protected = {'alg': alg, 'enc': 'A128GCM'}
data = jwe.serialize_compact(protected, b'hello', key)
rv = jwe.deserialize_compact(data, key)
self.assertEqual(rv['payload'], b'hello')
def test_with_zip_header(self):
jwe = JsonWebEncryption()
s = jwe.serialize_compact(
{
'alg': 'RSA-OAEP',
'enc': 'A128CBC-HS256',
'zip': 'DEF'
}, 'hello', read_file_path('rsa_public.pem'))
data = jwe.deserialize_compact(s, read_file_path('rsa_private.pem'))
header, payload = data['header'], data['payload']
self.assertEqual(payload, b'hello')
self.assertEqual(header['alg'], 'RSA-OAEP')
def test_dir_alg_c20p(self):
jwe = JsonWebEncryption(algorithms=JWE_ALGORITHMS)
key = OctKey.generate_key(256, is_private=True)
protected = {'alg': 'dir', 'enc': 'C20P'}
data = jwe.serialize_compact(protected, b'hello', key)
rv = jwe.deserialize_compact(data, key)
self.assertEqual(rv['payload'], b'hello')
key2 = OctKey.generate_key(128, is_private=True)
self.assertRaises(ValueError, jwe.deserialize_compact, data, key2)
self.assertRaises(ValueError, jwe.serialize_compact, protected,
b'hello', key2)
def test_aes_gcm_jwe(self):
jwe = JsonWebEncryption(algorithms=JWE_ALGORITHMS)
sizes = [128, 192, 256]
_enc_choices = [
'A128CBC-HS256', 'A192CBC-HS384', 'A256CBC-HS512', 'A128GCM',
'A192GCM', 'A256GCM'
]
for s in sizes:
alg = 'A{}GCMKW'.format(s)
key = os.urandom(s // 8)
for enc in _enc_choices:
protected = {'alg': alg, 'enc': enc}
data = jwe.serialize_compact(protected, b'hello', key)
rv = jwe.deserialize_compact(data, key)
self.assertEqual(rv['payload'], b'hello')
def test_ecdh_es_jwe(self):
jwe = JsonWebEncryption(algorithms=JWE_ALGORITHMS)
key = {
"kty": "EC",
"crv": "P-256",
"x": "gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0",
"y": "SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps",
"d": "0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo"
}
for alg in [
"ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
]:
protected = {'alg': alg, 'enc': 'A128GCM'}
data = jwe.serialize_compact(protected, b'hello', key)
rv = jwe.deserialize_compact(data, key)
self.assertEqual(rv['payload'], b'hello')
def jweRsaDecryptFromBase64UrlToken(rsaPrivateKey, jweTokenBase64Url): jwe = JsonWebEncryption() return jwe.deserialize_compact(jweTokenBase64Url, rsaPrivateKey)
def _get(workspace_contract_from, private_key_from, workspace_contract_user,
documentId, mode):
# @documentID is int
if not isinstance(documentId, int):
documentId = int(documentId)
logging.error('doc_id must be int')
w3 = mode.w3
contract = w3.eth.contract(workspace_contract_user,
abi=constante.workspace_ABI)
#try :
(doctype, doctypeversion, unused, issuer, unused, unused, ipfshash, unused,
unused) = contract.functions.getDocument(documentId).call()
#except :
# logging.error('connexion blockchain talaonet impossble, document.py')
# return None, None, None, None, None, None, None
if doctype in [50000, 40000, 10000, 15000, 20000, 11000]:
privacy = 'public'
if doctype in [50001, 40001, 15001, 20001]:
privacy = 'private'
if doctype in [50002, 40002, 20002]:
privacy = 'secret'
workspace_contract_identity = workspace_contract_user
# download from IPFS
ipfs_data = Talao_ipfs.ipfs_get(ipfshash.decode('utf-8'))
# previous version (deprecated)
if privacy == 'public' and doctypeversion == 2:
return issuer, workspace_contract_identity, ipfs_data, ipfshash.decode(
), privacy, "", 0
# data encrypted server side with AES algo and server keys (public, private, secret)
elif doctypeversion == 3:
msg = privatekey.decrypt_data(workspace_contract_user, ipfs_data,
privacy, mode)
if msg:
# decrypt avec algo AES-EAX ou AES-CBC
return issuer, workspace_contract_user, msg, ipfshash.decode(
'utf-8'), privacy, "", 0
else:
# la clé RSA n'est pas disponible sur le serveur
logging.warning('Cannot decrypt data')
return issuer, workspace_contract_user, {
"data": 'Encrypted'
}, ipfshash.decode('utf-8'), privacy, "", 0
# data encrypted server side as JWE with RSA identity key
elif doctypeversion == 4:
jwe = JsonWebEncryption()
address_user = contracts_to_owners(workspace_contract_user, mode)
key = privatekey.get_key(address_user, 'rsa_key', mode)
data = jwe.deserialize_compact(ipfs_data['jwe'], key)
payload = data['payload']
return issuer, workspace_contract_user, payload.decode(
), ipfshash.decode(), privacy, "", 0
# data encrypted server side as JWE with AES key
elif doctypeversion == 5:
jwe = JsonWebEncryption()
address_user = contracts_to_owners(workspace_contract_user, mode)
if privacy == 'public':
secret = mode.aes_public_key.encode()
else:
secret = privatekey.get_key(address_user, privacy, mode)
data = jwe.deserialize_compact(ipfs_data['jwe'], secret)
payload = data['payload']
return issuer, workspace_contract_user, payload.decode(
), ipfshash.decode(), privacy, ipfs_data['id'], ipfs_data['sequence']
# data encrypted client side as JWE. There is no server decryption.
elif doctypeversion == 6:
return issuer, workspace_contract_user, ipfs_data[
'jwe'], ipfshash.decode(), privacy, "", 0
else:
logging.error('pb doctypeversion')
return None, None, None, None, None, None, None
