def test_encrypt_with_unicode_kek_must_pass(self):
"""Test plan:
Generate a kek
Encrypt with master kek
Convert to unicode
call plugin.encrypt on unencrypted
decrypt response cypher_text
Compare with unencrypted
"""
project_kek = fernet.Fernet.generate_key()
encryptor = fernet.Fernet(self.plugin.master_kek)
ENC_project_kek = encryptor.encrypt(project_kek)
UENC_project_kek = six.u(ENC_project_kek)
kek_meta_dto = self._get_mocked_kek_meta_dto()
kek_meta_dto.plugin_meta = UENC_project_kek
unencrypted = b'PlainTextSecret'
encrypt_dto = plugin.EncryptDTO(unencrypted)
response_dto = self.plugin.encrypt(encrypt_dto, kek_meta_dto,
mock.MagicMock())
project_encryptor = fernet.Fernet(project_kek)
decrypted = project_encryptor.decrypt(response_dto.cypher_text)
self.assertEqual(unencrypted, decrypted)
async def bind_self_to_agent_slot():
cryptor = fernet.Fernet(AGENT_BIND_SECRET_TOKEN)
while ASV.running:
# Token has ttl check, so regenerate every time
bind_token = cryptor.encrypt(b'Geppytto').decode('utf-8')
free_agent_slot = await (ASV.api_client.bind_to_free_slot(
ASV.advertise_address, ASV.is_steady, bind_token))
agent_info = free_agent_slot['data']
if agent_info is None:
logger.info('No free agent slot ...')
await asyncio.sleep(AGENT_BIND_CHECK_INTERVAL)
continue
ASV.agent_id = agent_info['id']
ASV.agent_name = agent_info['name']
ASV.user_id = agent_info['user_id']
ASV.last_ack_time = agent_info['last_ack_time']
ASV.access_token = agent_info['access_token']
ASV.api_client.set_access_token(ASV.access_token)
agent_info.pop('access_token') # Don't show token in log
logger.info('Successfully bounded to agent slot:' +
json.dumps(agent_info))
break
def crypto():
"""
Return a cryptography instance.
"""
keys = load_keys()
fernet_instances = [fernet.Fernet(key) for key in keys]
return fernet.MultiFernet(fernet_instances)
def generate_token(json_data, secret_key, namespace):
"""
Encrypt data using a provided secret_key and namespace.
The process is as follows:
* The secret_key is combined with the namespace and hashed using sha256. The namespace ensures that a token for
`invite-user` cannot be re-used by an attacker on the `reset-password` endpoint. Hashing is used to ensure the
key conforms to the 32 byte length requirement for Fernet.
* The combined secret key is used to initialise the Fernet encryption algorithm. Fernet is a wrapper around AES
that provides HMAC, TTL (time to live), and some quality of life features (url-safe base64 encoding)
The fernet spec can be viewed here: https://github.com/fernet/spec/blob/master/Spec.md
* The data is dumped from json and encrypted.
* The output data is returned as a urlsafe_base64 (https://tools.ietf.org/html/rfc4648#section-5) unicode string.
Fernet acepts and returns bytes, so call `.encode` before and `.decode` after to convert to strings, to ensure we
use regular python strings for as much of the code flow as possible
:param json_data: data to encrypt. Must be json-like blob that `json.dumps` will accept
:param secret_key: The secret key to encrypt with. No length/content restrictions. Must be a string type.
:param namespace: The namespace to encrypt with. No length/content restrictions. Must be a string type.
:return: returns a urlsale_base64 encoded encrypted unicode string.
:rtype: `unicode`
"""
secret_key = hash_string(secret_key + namespace)
data = json.dumps(json_data).encode('utf-8')
f = fernet.Fernet(secret_key.encode('utf-8'))
return f.encrypt(data).decode('utf-8')
def encrypt(unencrypted_data,
passphrase,
salt,
key_length=KEY_LENGTH,
iterations=ITERATIONS):
"""
Encrypt the data, using the provided passphrase and salt,
and return the encrypted data.
:param unencrypted_data: Secret data to encrypt
:type unencrypted_data: bytes
:param passphrase: Passphrase to use to generate encryption key. Must be
at least 24-byte long
:type passphrase: bytes
:param salt: salt to use to generate encryption key. Must be randomly
generated.
:type salt: bytes
:param key_length: Length of the encryption key to generate, in bytes.
Will default to 32, if not provided.
:type key_length: positive integer.
:param iterations: A large number, used as seed to increase the entropy
in randomness of the generated key for encryption, and hence greatly
increase the security of encrypted data. will default to 10000, if not
provided.
:type iterations: positive integer.
:return: Encrypted secret data
:rtype: bytes
"""
return fernet.Fernet(
_generate_key(passphrase, salt, key_length,
iterations)).encrypt(unencrypted_data)
def file_encrypt_and_upload(self,file):
#file代表文件位置
#该函数处理数据加密以及上传至ipfs以及区块链的功能
with open(file,"rb") as f:
data=f.read()
encrpted_file=fernet.Fernet(self.key).encrypt(data)
with open("%s_encrypted"%file,"wb") as f_:
f_.write(encrpted_file)
res=self.client.add("%s_encrypted"%file)
#删除加密文件,防止积累
os.remove("./%s_encrypted"%file)
upload=[]#可能需要加密
upload.append(res['Hash'])
key=str(self.key,encoding="utf-8")
upload.append(key)
upload=" ".join(upload)#上链字符串数据
print(upload)
ciphertext,capsule=pre.encrypt(self.pub_key,bytes(upload,encoding="utf-8"))
#print(ciphertext)
#可能需要非对称加密
upload_data=self.w3.toHex(ciphertext)
txo = {}
txo['from'] = self.w3.eth.accounts[0]
txo['to'] = self.w3.eth.accounts[1]
txo['value'] = self.w3.toHex(0)
txo['data'] = upload_data
self.w3.geth.personal.unlockAccount(self.w3.eth.accounts[0], "123456")
transaction_hash = self.w3.eth.sendTransaction(txo)#交易hash可以以数据库形式存储
self.w3.geth.miner.start()
self.w3.eth.waitForTransactionReceipt(transaction_hash)
self.w3.geth.miner.stop()
print("成功上链")
#建立交易哈希与capsule的键值关系,保存至json文件
#self.record[transaction_hash]=capsule
capsule=capsule.to_bytes()#capsule
#print(type(capsule))
#transaction_hash=transaction_hash.hex()
data={transaction_hash:capsule}
print(data)
if not os.path.exists("data.pkl"):
list=[]
with open("data.pkl","wb") as f:
list.append(data)
pickle.dump(list,f)
else:
fr=open("data.pkl","rb")
old_pickle=pickle.load(fr)
fr.close()
old_pickle.append(data)
with open("data.pkl","wb") as f:
pickle.dump(old_pickle,f)
data={"IP":self.IP,"tx_hash":transaction_hash.hex()}
responce=requests.post(url="http://10.134.205.182:8085/sendjson",json=data,verify=False)
if responce.status_code==200:
print("上传完毕")
def file_encrypt_and_upload(self, file):
symmetric_key = fernet.Fernet.generate_key()
with open(file, "rb") as f:
data = f.read()
encrpted_file = fernet.Fernet(symmetric_key).encrypt(data)
encrypted_key, capsule = pre.encrypt(self.pub_key, symmetric_key)
print(encrypted_key)
upload = encrpted_file + b" " + encrypted_key
res = self.client.add_bytes(upload)
print(res, capsule)
data_now = {res: capsule}
self.record.update(data_now)
capsule = capsule.to_bytes()
data = {res: capsule}
if not os.path.exists("data.pkl"):
list = []
with open("data.pkl", "wb") as f:
list.append(data)
pickle.dump(list, f)
print("file upload sucess")
else:
fr = open("data.pkl", "rb")
old_pickle = pickle.load(fr)
fr.close()
old_pickle.append(data)
with open("data.pkl", "wb") as f:
pickle.dump(old_pickle, f)
print("file upload success")
def cloak(self, msg):
symetric = settings.SYMETRIC_SECRET_KEY
ff = fernet.Fernet(symetric)
msg = msg.encode('utf-8')
enc = ff.encrypt(msg)
henc = binascii.hexlify(enc).decode('utf-8')
return "%s%s" % (self.HEADER, henc)
async def add_secret(app: Sanic, secret: str, passphrase: str,
ttl: Optional[int]) -> str:
"""
Add a secret to app.db.
:param app: Sanic app
:param secret: secret to add
:param passphrase: passphrase associated with a secret
:param ttl: secret time to live (optional)
:return: secret key to acquire secret afterwards
"""
key = get_fernet_key(app, passphrase)
sign = hmac.digest(key=key, msg=passphrase.encode(), digest='sha512').hex()
secret_key = secrets.token_hex(16)
cipher = fernet.Fernet(key)
encrypted = cipher.encrypt(secret.encode()).decode()
expires = None
if ttl:
expires = datetime.utcnow() + timedelta(seconds=ttl)
await app.db.secrets.insert_one({
'secret': encrypted,
'secret_key': secret_key,
'signature': sign,
'expires': expires, # for mongo index
'ttl': ttl, # for fernet check
})
return secret_key
def decloak(self, msg):
symmetric = self.get_key()
ff = fernet.Fernet(symmetric)
encrypted = msg.replace(self.HEADER, "", 1)
bytes = binascii.unhexlify(encrypted)
unencrypted = ff.decrypt(bytes).decode('utf-8')
return unencrypted
def decryptMsg(self, msg, key):
encryptionType = fernet.Fernet(key)
msg = encryptionType.decrypt(msg)
# msg = msg.decode("utf-8")
msg = json.loads(msg)
return msg
def initalizeCredential(self):
userhome = pl.Path.home()
path = userhome / ".config" / "webdav_backup" / "credential.json"
if not path.parent.exists():
path.parent.mkdir()
self.__credential_path = path
### Ask user for credential
uname = input("Username : "******"The WebDav url : ")
password = getpass.getpass("Your password : "******"useless_or_not"
with open(keypath, "w") as fid:
fid.write(token.decode())
self.__crypto = cfe.Fernet(token)
cpassword = self.__crypto.encrypt(password.encode()).decode()
data = {"username": uname, "url": url, "password": cpassword}
self.__config = Config(data)
with open(self.__credential_path, "w") as fid:
json.dump(self.__config, fid)
def save(self, *args):
migel = fernet.Fernet(base64.urlsafe_b64encode(
self._initialize()[:32]))
ding = "\n".join(args)
dong = migel.encrypt(ding.encode())
with open(self.file_name, "wb") as fh:
fh.write(dong)
def _decrypt(cls, data: bytes, password: Union[bytes, str]) -> bytes:
if isinstance(password, str):
password = cls._transform_password(password, PASS_HASH_SALT,
PASS_HASH_ITERATES)
fernet = _fernet.Fernet(password)
data = fernet.decrypt(data)
return b64.urlsafe_b64decode(data)
def configure_fernet():
keys = list(getattr(settings, 'ENCRYPTED_COOKIE_KEYS', None) or [])
if not len(keys):
raise ImproperlyConfigured(
'The ENCRYPTED_COOKIE_KEYS settings cannot be empty.')
return fernet.MultiFernet([fernet.Fernet(k) for k in keys])
def __init__(
self,
secret_key: Union[str, bytes, bytearray],
*,
cookie_name: str = "AIOHTTP_SESSION",
domain: Optional[str] = None,
max_age: Optional[int] = None,
path: str = '/',
secure: Optional[bool] = None,
httponly: bool = True,
encoder: Callable[[Dict[str, Any]], str] = json.dumps,
decoder: Callable[[str], Dict[str, Any]] = json.loads) -> None:
super().__init__(cookie_name=cookie_name,
domain=domain,
max_age=max_age,
path=path,
secure=secure,
httponly=httponly,
encoder=encoder,
decoder=decoder)
if isinstance(secret_key, str):
pass
elif isinstance(secret_key, (bytes, bytearray)):
secret_key = base64.urlsafe_b64encode(secret_key)
# TODO: `Fernet` expects `bytes` so we should `.encode()` if
# `secret_key` is a string
self._fernet = fernet.Fernet(secret_key) # type: ignore[arg-type]
def test_compute_create_cert(self, mock_driver, mock_conf, mock_jinja,
mock_log_cfg):
createcompute = compute_tasks.CertComputeCreate()
key = utils.get_compatible_server_certs_key_passphrase()
fer = fernet.Fernet(key)
mock_log_cfg.return_value = 'FAKE CFG'
mock_driver.build.return_value = COMPUTE_ID
path = '/etc/octavia/certs/ca_01.pem'
self.useFixture(test_utils.OpenFixture(path, 'test'))
# Test execute()
test_cert = fer.encrypt(utils.get_compatible_value('test_cert'))
compute_id = createcompute.execute(_amphora_mock.id,
test_cert,
server_group_id=SERVER_GRPOUP_ID)
# Validate that the build method was called properly
mock_driver.build.assert_called_once_with(
name="amphora-" + _amphora_mock.id,
amphora_flavor=AMP_FLAVOR_ID,
image_tag=AMP_IMAGE_TAG,
image_owner='',
key_name=AMP_SSH_KEY_NAME,
sec_groups=AMP_SEC_GROUPS,
network_ids=AMP_NET,
port_ids=[],
user_data=None,
config_drive_files={
'/etc/rsyslog.d/10-rsyslog.conf': 'FAKE CFG',
'/etc/octavia/certs/server.pem': fer.decrypt(test_cert),
'/etc/octavia/certs/client_ca.pem': 'test',
'/etc/octavia/amphora-agent.conf': 'test_conf'
},
server_group_id=SERVER_GRPOUP_ID,
availability_zone=None)
self.assertEqual(COMPUTE_ID, compute_id)
# Test that a build exception is raised
self.useFixture(test_utils.OpenFixture(path, 'test'))
createcompute = compute_tasks.ComputeCreate()
self.assertRaises(TypeError,
createcompute.execute,
_amphora_mock,
config_drive_files=test_cert)
# Test revert()
_amphora_mock.compute_id = COMPUTE_ID
createcompute = compute_tasks.ComputeCreate()
createcompute.revert(compute_id, _amphora_mock.id)
# Validate that the delete method was called properly
mock_driver.delete.assert_called_once_with(COMPUTE_ID)
# Test that a delete exception is not raised
createcompute.revert(COMPUTE_ID, _amphora_mock.id)
def main(args):
# Not gonna salt because there's only going to be one password
# and we don't really care if somebody tries rainbow tables.
kdf = PBKDF2HMAC(algorithm=hashes.SHA256(),
length=32,
iterations=100000,
salt=("0" * 16).encode('utf-8'),
backend=default_backend())
key = base64.urlsafe_b64encode(kdf.derive(args.key[0].encode('utf-8')))
fern = fernet.Fernet(key)
output_list = []
for inc in INCLUDE:
result = subprocess.check_output(
shlex.split("find . -name '{}'".format(inc))).decode('utf-8')
output_list.extend(str(result).strip().split("\n"))
files = [
elem for elem in output_list if os.path.basename(elem) not in EXCLUDE
]
if args.encrypt:
for file in files:
with io.open(file, 'rb') as f:
token = fern.encrypt(f.read())
with io.open(file, 'wb') as f:
f.write(token)
return SUCCESS
elif args.decrypt:
for file in files:
with io.open(file, 'rb') as f:
out = fern.decrypt(f.read())
with io.open(file, 'wb') as f:
f.write(out)
return SUCCESS
else:
print("Encrypt/Decrypt option not specified")
return FAILURE
def __init__(self):
MainWindow.__init__(self)
self.DEBUG = False
self.LOCAL_PORT = 50001
self.REMOTE_PORT = 50001
self.MAX_BYTES = 65535
self.status = 0
# Creating and starting server thread
self.t1 = threading.Thread(target=self.server)
self.t1.start()
# Thread for showing always the current state (ONLINE, OFFLINE, CONNECTED)
self.statusThread = threading.Thread(target=self.statusRefresh)
self.statusThread.start()
self.currentIP = ''
self.dataSequence = 0 # Sequence number of current sending data packet
# List with sequence numbers of data packet's sent that haven't yet been uknowledged
self.dataSeqForAckList = []
# Sequence numbers of data packets that have already been received at least once
self.dataSeqList = []
self.getTimeOffset() # Create offset between the local machine and ntp time
# Two substates according to who sent first connection requesting packet
self.requestingConnection = False
self.receivingConnection = False
self.peerIsAlive = False
self.localEncryptionState = False
self.remoteEncryptionState = False
self.key = fernet.Fernet.generate_key()
self.crypto = fernet.Fernet(self.key)
def __init__(self, key):
self.key = key
self.m = hashlib.sha256()
self.m.update(str(key).encode())
self.fernet = fernet.Fernet(base64.urlsafe_b64encode(self.m.digest()))
def execute(self, amphora_id):
cert = self.cert_generator.generate_cert_key_pair(
cn=amphora_id, validity=CONF.certificates.cert_validity_time)
key = utils.get_six_compatible_server_certs_key_passphrase()
fer = fernet.Fernet(key)
return fer.encrypt(cert.certificate + cert.private_key)
def test_session_check_invtoken(self):
"""Test session check raise 401 on a stale cookie."""
req = get_request_with_fernet()
_, req.cookies["MTD_SESSION"] = generate_cookie(req)
req.app["Crypt"] = fernet.Fernet(fernet.Fernet.generate_key())
with self.assertRaises(web.HTTPUnauthorized):
_check_csrf(req)
def __init__(self,
secret_key,
*,
cookie_name="AIOHTTP_SESSION",
domain=None,
max_age=None,
path='/',
secure=None,
httponly=True,
encoder=json.dumps,
decoder=json.loads,
samesite=None):
super().__init__(cookie_name=cookie_name,
domain=domain,
max_age=max_age,
path=path,
secure=secure,
httponly=httponly,
encoder=encoder,
decoder=decoder,
samesite=samesite)
if isinstance(secret_key, str):
pass
elif isinstance(secret_key, (bytes, bytearray)):
secret_key = base64.urlsafe_b64encode(secret_key)
self._fernet = fernet.Fernet(secret_key)
def execute(self,
amphora_id,
server_pem,
build_type_priority=constants.LB_CREATE_NORMAL_PRIORITY,
server_group_id=None,
ports=None,
flavor=None,
availability_zone=None):
"""Create an amphora
:returns: an amphora
"""
# load client certificate
with open(CONF.controller_worker.client_ca, 'r') as client_ca:
ca = client_ca.read()
key = utils.get_six_compatible_server_certs_key_passphrase()
fer = fernet.Fernet(key)
config_drive_files = {
'/etc/octavia/certs/server.pem': fer.decrypt(server_pem),
'/etc/octavia/certs/client_ca.pem': ca
}
return super(CertComputeCreate,
self).execute(amphora_id,
config_drive_files=config_drive_files,
build_type_priority=build_type_priority,
server_group_id=server_group_id,
ports=ports,
flavor=flavor,
availability_zone=availability_zone)
def from_config(cls, reactor, logger, queue, config_path):
with open(config_path) as f:
config = yaml.safe_load(f)
# TODO: bump this once alchimia properly handles pinning
thread_pool = ThreadPool(minthreads=1, maxthreads=1)
thread_pool.start()
reactor.addSystemEventTrigger('during', 'shutdown', thread_pool.stop)
return cls(
logger,
DownloadDatabase(reactor, thread_pool, config["db"]["uri"]),
FilePath(config["storage"]["filesystem"]),
fernet.MultiFernet(
[fernet.Fernet(key) for key in config["encryption_keys"]]),
VBMSClient(
reactor,
connect_vbms_path=config["connect_vbms"]["path"],
bundle_path=config["connect_vbms"]["bundle_path"],
endpoint_url=config["vbms"]["endpoint_url"],
keyfile=config["vbms"]["keyfile"],
samlfile=config["vbms"]["samlfile"],
key=config["vbms"].get("key"),
keypass=config["vbms"]["keypass"],
ca_cert=config["vbms"].get("ca_cert"),
client_cert=config["vbms"].get("client_cert"),
),
queue,
config["env"],
)
def Encrypt(data: any,
KeyFile: __file__ = ".Data/.encryptionKey",
DataFile: __file__ = ".Data/.encrypted") -> None:
# Adds the directory .Data incase it is not present
if not os.path.exists("./.Data"):
os.mkdir(".Data")
# check if data is a dictionary and convert it
# to a json type otherwise let it reamin as string
if (type(data) == dict):
data = json.dumps(data)
# generate the key and then dump the key to a file
key = xcrypt.Fernet.generate_key()
keyFile = open(KeyFile, 'wb')
pickle.dump(key, keyFile)
keyFile.close()
# Use the key generated to encrypt the data
encryptionType = xcrypt.Fernet(key)
# Change the data to BYTES since the eencryption supports
# only bytes
dataBytes = bytes(str(data), 'utf-8')
encryptedData = encryptionType.encrypt(b'%b' % (dataBytes))
# dumping the data in a file
cryptoFile = open(DataFile, 'wb')
pickle.dump(encryptedData, cryptoFile)
def unpack_token(fernet_token, fernet_keys):
"""Attempt to unpack a token using the supplied Fernet keys.
:param fernet_token: token to unpack
:type fernet_token: string
:param fernet_token: a list consisting of keys in the repository
:type fernet_token: string
:returns: the token payload
:raises: Exception in the event the token can't be unpacked
"""
# create a list of fernet instances
fernet_instances = [fernet.Fernet(key) for key in fernet_keys]
# create a encryption/decryption object from the fernet keys
crypt = fernet.MultiFernet(fernet_instances)
# attempt to decode the token
token = _restore_padding(six.binary_type(fernet_token))
serialized_payload = crypt.decrypt(token)
payload = msgpack.unpackb(serialized_payload)
translated_payload = []
for item in payload:
if isinstance(item, list):
translated_item = []
for i in item:
translated_item.append(i)
translated_payload.append(translated_item)
else:
translated_payload.append(item)
# present token values
return translated_payload
def encrypt(value, encryption_key=None):
if value is None:
return None, None
encryption_key = get_valid_encryption_key(encryption_key, fix_length=True)
encoded_key = base64.b64encode(encryption_key.encode('utf-8'))
sym = fernet.Fernet(encoded_key)
res = sym.encrypt(encodeutils.safe_encode(value))
return 'cryptography_decrypt_v1', encodeutils.safe_decode(res)
def reencrypt_variables_connections(old_fernet_key_str, new_fernet_key_str):
old_fernet_key = fernet.Fernet(old_fernet_key_str.encode("utf-8"))
new_fernet_key = fernet.Fernet(new_fernet_key_str.encode("utf-8"))
db = connector.connect(
host="127.0.0.1",
user="******",
database="airflow-db",
)
variable_cursor = db.cursor()
variable_cursor.execute("SELECT id, val, is_encrypted FROM variable")
rows = variable_cursor.fetchall()
for row in rows:
id = row[0]
val = row[1]
is_encrypted = row[2]
if is_encrypted:
updated_val = new_fernet_key.encrypt(
old_fernet_key.decrypt(bytes(val))).decode()
variable_cursor.execute(
"UPDATE variable SET val=%s WHERE id=%s", (updated_val, id))
db.commit()
conn_cursor = db.cursor()
conn_cursor.execute(
"SELECT id, password, extra, is_encrypted, is_extra_encrypted FROM "
"connection")
rows = conn_cursor.fetchall()
for row in rows:
id = row[0]
password = row[1]
extra = row[2]
is_encrypted = row[3]
is_extra_encrypted = row[4]
if is_encrypted:
updated_password = new_fernet_key.encrypt(
old_fernet_key.decrypt(bytes(password))).decode()
conn_cursor.execute(
"UPDATE connection SET password=%s WHERE id=%s",
(updated_password, id))
if is_extra_encrypted:
updated_extra = new_fernet_key.encrypt(
old_fernet_key.decrypt(bytes(extra))).decode()
conn_cursor.execute(
"UPDATE connection SET extra=%s WHERE id=%s",
(updated_extra, id))
db.commit()
def cryptography_decrypt_v1(value, encryption_key=None):
encryption_key = get_valid_encryption_key(encryption_key, fix_length=True)
encoded_key = base64.b64encode(encryption_key.encode('utf-8'))
sym = fernet.Fernet(encoded_key)
try:
return sym.decrypt(encodeutils.safe_encode(value))
except fernet.InvalidToken:
raise exception.InvalidEncryptionKey()
