def test_rotate_decrypt_no_shared_keys(self, backend):
f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
mf1 = MultiFernet([f1])
mf2 = MultiFernet([f2])
with pytest.raises(InvalidToken):
mf2.rotate(mf1.encrypt(b"abc"))
def test_rotate_decrypt_no_shared_keys(self, backend):
f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
mf1 = MultiFernet([f1])
mf2 = MultiFernet([f2])
with pytest.raises(InvalidToken):
mf2.rotate(mf1.encrypt(b"abc"))
def _rotate_key(self):
"""
create a new encryption key and rotate all credentials files.
Will attempt to rotate credentials files to the new key . If
any fail an exception is raised prior to return.
"""
self.log_callback.info(
'Starting key rotation with keys file {0} in directory {1}.'.format(
self.encryption_keys_file, self.credentials_directory
)
)
success = True
# Create new key
keys = [Fernet.generate_key().decode()]
# Write both keys to file, new key is first
with open(self.encryption_keys_file, 'r+') as f:
keys += [key.strip() for key in f.readlines()]
f.seek(0)
f.write('\n'.join(keys))
fernet_keys = [Fernet(key) for key in keys]
fernet = MultiFernet(fernet_keys)
# Rotate all credentials files
for root, dirs, files in os.walk(self.credentials_directory):
for credentials_file in files:
if credentials_file == 'wsgi.py':
continue
path = os.path.join(root, credentials_file)
with open(path, 'r+b') as f:
credentials = f.read().strip()
try:
credentials = fernet.rotate(credentials)
except Exception as error:
self.log_callback.error(
'Failed key rotation on credential file {0}:'
' {1}: {2}'.format(
path, type(error).__name__, error
)
)
success = False
else:
f.seek(0)
f.write(credentials)
if not success:
raise MashCredentialsDatastoreException(
'All credentials files have not been rotated.'
)
def test_rotate_preserves_timestamp(self, backend, monkeypatch):
f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
mf1 = MultiFernet([f1])
mf2 = MultiFernet([f2, f1])
plaintext = b"abc"
original_time = int(time.time()) - 5 * 60
mf1_ciphertext = mf1.encrypt_at_time(plaintext, original_time)
rotated_time, _ = Fernet._get_unverified_token_data(
mf2.rotate(mf1_ciphertext))
assert int(time.time()) != rotated_time
assert original_time == rotated_time
def test_rotate(self, backend):
f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
mf1 = MultiFernet([f1])
mf2 = MultiFernet([f2, f1])
plaintext = b"abc"
mf1_ciphertext = mf1.encrypt(plaintext)
assert mf2.decrypt(mf1_ciphertext) == plaintext
rotated = mf2.rotate(mf1_ciphertext)
assert rotated != mf1_ciphertext
assert mf2.decrypt(rotated) == plaintext
with pytest.raises(InvalidToken):
mf1.decrypt(rotated)
def test_rotate(self, backend):
f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
mf1 = MultiFernet([f1])
mf2 = MultiFernet([f2, f1])
plaintext = b"abc"
mf1_ciphertext = mf1.encrypt(plaintext)
assert mf2.decrypt(mf1_ciphertext) == plaintext
rotated = mf2.rotate(mf1_ciphertext)
assert rotated != mf1_ciphertext
assert mf2.decrypt(rotated) == plaintext
with pytest.raises(InvalidToken):
mf1.decrypt(rotated)
def test_rotate_preserves_timestamp(self, backend, monkeypatch):
f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
mf1 = MultiFernet([f1])
mf2 = MultiFernet([f2, f1])
plaintext = b"abc"
mf1_ciphertext = mf1.encrypt(plaintext)
later = datetime.datetime.now() + datetime.timedelta(minutes=5)
later_time = time.mktime(later.timetuple())
monkeypatch.setattr(time, "time", lambda: later_time)
original_time, _ = Fernet._get_unverified_token_data(mf1_ciphertext)
rotated_time, _ = Fernet._get_unverified_token_data(
mf2.rotate(mf1_ciphertext))
assert later_time != rotated_time
assert original_time == rotated_time
def test_rotate_preserves_timestamp(self, backend, monkeypatch):
f1 = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
f2 = Fernet(base64.urlsafe_b64encode(b"\x01" * 32), backend=backend)
mf1 = MultiFernet([f1])
mf2 = MultiFernet([f2, f1])
plaintext = b"abc"
mf1_ciphertext = mf1.encrypt(plaintext)
later = datetime.datetime.now() + datetime.timedelta(minutes=5)
later_time = time.mktime(later.timetuple())
monkeypatch.setattr(time, "time", lambda: later_time)
original_time, _ = Fernet._get_unverified_token_data(mf1_ciphertext)
rotated_time, _ = Fernet._get_unverified_token_data(
mf2.rotate(mf1_ciphertext)
)
assert later_time != rotated_time
assert original_time == rotated_time
F = Fernet(key)
info = "my deep dark secret"
# 加密信息
token = F.encrypt(info.encode())
print("token: ", token)
# 解密信息
de_info = F.decrypt(token)
print(de_info.decode())
key1 = Fernet.generate_key()
print("key1: ", key1)
F1 = Fernet(key1)
key2 = Fernet.generate_key()
print("key2: ", key2)
F2 = Fernet(key2)
# MultiFernet performs all encryption options using the first key in the list provided.
# MultiFernet attempts to decrypt tokens with each key in turn.
FM = MultiFernet([F1, F2])
tokenFM = FM.encrypt(info.encode())
print("tokenFM: ", tokenFM)
print("FM.decrypt: ", FM.decrypt(tokenFM))
key3 = Fernet.generate_key()
print("key3: ", key3)
F3 = Fernet(key3)
FM2 = MultiFernet([F3, F1, F2])
# rotate a token by decrypt and re-encrypting it under the MultiFernet instance’s primary key.
rotated = FM2.rotate(tokenFM)
print("rotated: ", rotated)
print(FM2.decrypt(rotated))
from cryptography.fernet import Fernet, MultiFernet # The sample code is extracted from the book Python Cryptography # The book can be downloaded from https://leanpub.com/cryptop # Online Crypto Playgroud https://8gwifi.org # Author Anish Nath key1 = Fernet(Fernet.generate_key()) key2 = Fernet(Fernet.generate_key()) key3 = Fernet(Fernet.generate_key()) plaintext = "Hello 8gwifi.org" f = MultiFernet([key1, key2, key3]) token = f.encrypt(plaintext) d = f.decrypt(token) assert d, plaintext # Rotating key key4 = Fernet(Fernet.generate_key()) key5 = Fernet(Fernet.generate_key()) f2 = MultiFernet([key4, key5, key1, key2, key3]) rotated = f2.rotate(token) d = f2.decrypt(token) assert d, plaintext
timestamp = key_object.extract_timestamp(encrypted_string)
print("Timestamp of the encrypted string: %s" % timestamp)
decrypted_string = key_object.decrypt(encrypted_string)
print("Decrypted String: %s" % decrypted_string)
# Rotation
third_key = Fernet(Fernet.generate_key())
key_object_2 = MultiFernet([third_key, first_key, second_key])
rotated = key_object_2.rotate(encrypted_string)
decrypted_string = key_object_2.decrypt(rotated)
print("Decrypted String: %s" % decrypted_string)
# Fernet Encryption using Passwords
import base64
import os
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
