def test_integer_bytes_conversion2(self): # test integer to bytes, then bytes to integer == original key = Fernet.generate_key() fernet = Fernet(key) for i in range(10000): assert fernet._bytes_to_integer(fernet._integer_to_bytes(i)) == i
def load_projectxml(self) -> bool: """Collect the connection information from an xml file.""" file_name = self.filename if not os.path.isfile(file_name): raise ValueError("El proyecto %r no existe." % file_name) tree = ET.parse(file_name) root = tree.getroot() version = VersionNumber(root.get("Version"), default="1.0") self.version = version self.description = "" for xmldescription in root.findall("name"): self.description = xmldescription.text or "" profile_pwd = "" for profile in root.findall("profile-data"): profile_pwd = getattr(profile.find("password"), "text", "") if profile_pwd: break self.password_required = True self.checkProfilePasswordForVersion(self.project_password, profile_pwd, version) if self.project_password and self.version > VERSION_1_1: key_salt = hashlib.sha256(profile_pwd.encode()).digest() key = hashlib.pbkdf2_hmac("sha256", self.project_password.encode(), key_salt, 10000) key64 = base64.urlsafe_b64encode(key) self.fernet = Fernet(key64) else: self.fernet = None from pineboolib.application.database.pnsqldrivers import PNSqlDrivers sql_drivers_manager = PNSqlDrivers() self.database = self.retrieveCipherSubElement(root, "database-name") for db in root.findall("database-server"): self.host = self.retrieveCipherSubElement(db, "host") port_text = self.retrieveCipherSubElement(db, "port") self.port = int(port_text) if port_text else None self.type = self.retrieveCipherSubElement(db, "type") # FIXME: Move this to project, or to the connection handler. if self.type not in sql_drivers_manager.aliasList(): LOGGER.warning( "Esta versión de pineboo no soporta el driver '%s'" % self.type) for credentials in root.findall("database-credentials"): self.username = self.retrieveCipherSubElement( credentials, "username") self.password = self.retrieveCipherSubElement( credentials, "password") if self.password and self.fernet is None: self.password = base64.b64decode(self.password).decode() self.password_required = False return True
def test_subkey_gen_bad_length(self): # test subkey generation function when given bad input length key = Fernet.generate_key() fernet = Fernet(key) KEY = os.urandom(15) with pytest.raises(AssertionError) as e: fernet._generate_subkey(KEY)
def test_Functionality(self): key = Fernet.generate_key() fernet = Fernet(key) # decrypt(encrypt(msg)) == msg for i in xrange(20): msg = os.urandom(6) assert fernet.decrypt(fernet.encrypt(msg)) == msg
def test_integer_bytes_conversion(self): # test bytes to integer, then integer to bytes == original key = Fernet.generate_key() fernet = Fernet(key) for i in range(10000): b = os.urandom(16) assert fernet._integer_to_bytes(fernet._bytes_to_integer(b)) == b
def test_empty_bytes(self): # test _bytes_to_integer function when given empty bytes key = Fernet.generate_key() fernet = Fernet(key) b = os.urandom(0) with pytest.raises(AssertionError) as e: fernet._bytes_to_integer(b)
def test_xor(self): # check xor for normal functionality key = Fernet.generate_key() fernet = Fernet(key) x = bytes(bytearray(16)) for i in xrange(20): y = os.urandom(16) assert(fernet._xor(x, y) == y) # xor of 0 and y == y
def encrypt(filename, filename_encrpt, keys): f = Fernet(keys) with open(filename, "rb") as file: # read all file data file_data = file.read() # encrypt data encrypted_data = f.encrypt(file_data) # write the encrypted file with open(filename_encrpt, "wb") as file: file.write(encrypted_data)
def test_AES_ECB(self): # AES_ECB_128 test with RFC test vectors key = Fernet.generate_key() fernet = Fernet(key) KEY = '2b7e151628aed2a6abf7158809cf4f3c'.decode('hex') AES_128 = '7df76b0c1ab899b33e42f047b91b546f'.decode('hex') CONST_ZERO = 0x00000000000000000000000000000000 assert fernet._AES_ECB(fernet._integer_to_bytes(CONST_ZERO), KEY) == AES_128
def test_Functionality_extensive(self): # extensively test the decrpytion(encryption(msg)) == msg key = Fernet.generate_key() fernet = Fernet(key) # decrypt(encrypt(msg)) == msg for i in xrange(100): for l in range(20): msg = os.urandom(l) assert fernet.decrypt(fernet.encrypt(msg)) == msg
def test_CTR_test_vectors(self): # test CTR encryption and decryption using official RFC test vectors key = Fernet.generate_key() fernet = Fernet(key) KEY = 'AE6852F8121067CC4BF7A5765577F39E'.decode('hex') IV = '00000030000000000000000000000001'.decode('hex') PLAINTEXT = '53696E676C6520626C6F636B206D7367'.decode('hex') CIPHERTEXT = 'E4095D4FB7A7B3792D6175A3261311B8'.decode('hex') assert fernet._AES_CTR_encrypt(PLAINTEXT, IV, KEY) == CIPHERTEXT assert fernet._AES_CTR_decrypt(CIPHERTEXT, IV, KEY) == PLAINTEXT KEY = '7E24067817FAE0D743D6CE1F32539163'.decode('hex') IV = '006CB6DBC0543B59DA48D90B00000001'.decode('hex') PLAINTEXT = '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'.decode('hex') CIPHERTEXT = '5104A106168A72D9790D41EE8EDAD388EB2E1EFC46DA57C8FCE630DF9141BE28'.decode('hex') assert fernet._AES_CTR_encrypt(PLAINTEXT, IV, KEY) == CIPHERTEXT assert fernet._AES_CTR_decrypt(CIPHERTEXT, IV, KEY) == PLAINTEXT KEY = '7691BE035E5020A8AC6E618529F9A0DC'.decode('hex') IV = '00E0017B27777F3F4A1786F000000001'.decode('hex') PLAINTEXT = '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223'.decode('hex') CIPHERTEXT = 'C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F'.decode('hex') assert fernet._AES_CTR_encrypt(PLAINTEXT, IV, KEY) == CIPHERTEXT assert fernet._AES_CTR_decrypt(CIPHERTEXT, IV, KEY) == PLAINTEXT
def test_CTR_functionality(self): # test CTR functionality (decrypt(encrypt(msg)) == msg) key = Fernet.generate_key() fernet = Fernet(key) # test encrypt than decrypt gives back original message for i in range(20): data = os.urandom(i) key = os.urandom(16) iv = os.urandom(16) assert fernet._AES_CTR_decrypt(fernet._AES_CTR_encrypt(data, iv, key), iv, key) == data
def save_projectxml(self, overwrite_existing: bool = True) -> None: """ Save the connection. """ profile = ET.Element("Profile") profile.set("Version", str(self.SAVE_VERSION)) description = self.description filename = self.filename if not os.path.exists(self.profile_dir): os.mkdir(self.profile_dir) if not overwrite_existing and os.path.exists(filename): raise ProfileAlreadyExistsError passwDB = self.password or "" profile_user = ET.SubElement(profile, "profile-data") profile_password = ET.SubElement(profile_user, "password") profile_password.text = self.encodeProfilePasswordForVersion( self.project_password, self.SAVE_VERSION) if self.project_password and self.SAVE_VERSION > VERSION_1_1: key_salt = hashlib.sha256(profile_password.text.encode()).digest() key = hashlib.pbkdf2_hmac("sha256", self.project_password.encode(), key_salt, 10000) key64 = base64.urlsafe_b64encode(key) self.fernet = Fernet(key64) else: # Mask the password if no cipher is used! passwDB = base64.b64encode(passwDB.encode()).decode() self.fernet = None name = ET.SubElement(profile, "name") name.text = description dbs = ET.SubElement(profile, "database-server") self.createCipherSubElement(dbs, "type", text=self.type) self.createCipherSubElement(dbs, "host", text=self.host or "") self.createCipherSubElement(dbs, "port", text=str(self.port) if self.port else "") dbc = ET.SubElement(profile, "database-credentials") self.createCipherSubElement(dbc, "username", text=self.username or "") self.createCipherSubElement(dbc, "password", text=passwDB) self.createCipherSubElement(profile, "database-name", text=self.database) pretty_print_xml(profile) tree = ET.ElementTree(profile) tree.write(filename, xml_declaration=True, encoding="utf-8") self.version = self.SAVE_VERSION
def test_subkey_generation(self): # test subkey generation using RFC test vectors key = Fernet.generate_key() fernet = Fernet(key) KEY = '2b7e151628aed2a6abf7158809cf4f3c'.decode('hex') AES_128 = '7df76b0c1ab899b33e42f047b91b546f'.decode('hex') K1 = 'fbeed618357133667c85e08f7236a8de'.decode('hex') K2 = 'f7ddac306ae266ccf90bc11ee46d513b'.decode('hex') K1_, K2_ = fernet._generate_subkey(KEY) assert K1 == K1_ and K2 == K2_
def test_xor_bad_length(self): # test xor function when given mismatching lengths key = Fernet.generate_key() fernet = Fernet(key) # check xor functionality x = bytes(bytearray(16)) for i in xrange(1, 20): if i == 16: continue y = os.urandom(i) with pytest.raises(AssertionError) as e: fernet._xor(x, y)
def decrypt(filename, key): print("Decrypting...") f = Fernet(key) with open(filename, "rb") as fr: # read the encrypted data encrypted_data = fr.read() # decrypt data decrypted_data = f.decrypt(encrypted_data) # write the original file with open(filename, "wb") as fl: fl.write(decrypted_data) print("Finished") sys.exit()
def create_access_ticket(session_key, ticket_owner_key, client_id): access_ticket_raw = {} access_ticket_raw['timeStamp'] = time.time() access_ticket_raw['client_id'] = client_id access_ticket_raw['duration'] = client_id access_ticket_raw['session_key'] = session_key access_ticket_raw['session_id'] = Fernet.generate_key() rad_encryptor_engine = Fernet(ticket_owner_key) access_ticket_enc = rad_encryptor_engine.encrypt( json.dumps(access_ticket_raw, cls=BytesDump).encode()) return access_ticket_enc
def test_CMAC_test_vectors(self): # test using official RFC AES_CMAC test vectors key = Fernet.generate_key() fernet = Fernet(key) K = '2b7e151628aed2a6abf7158809cf4f3c'.decode('hex') LENGTH = 0 M = '' CMAC = 'bb1d6929e95937287fa37d129b756746'.decode('hex') assert fernet._AES_CMAC_generate(K, M, LENGTH) == CMAC LENGTH = 16 M = '6bc1bee22e409f96e93d7e117393172a'.decode('hex') CMAC = '070a16b46b4d4144f79bdd9dd04a287c'.decode('hex') assert fernet._AES_CMAC_generate(K, M, LENGTH) == CMAC LENGTH = 40 M = '6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411'.decode('hex') CMAC = 'dfa66747de9ae63030ca32611497c827'.decode('hex') assert fernet._AES_CMAC_generate(K, M, LENGTH) == CMAC LENGTH = 64 M = '6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710'.decode('hex') CMAC = '51f0bebf7e3b9d92fc49741779363cfe'.decode('hex') assert fernet._AES_CMAC_generate(K, M, LENGTH) == CMAC
def test_fernet(): current_time = int(time.time()) iv = os.urandom(16) from cryptography.fernet import Fernet as CFernet salt = os.urandom(16) key = pbkdf2_hmac('sha256', b"password", salt, 100000, dklen=32) ckey = base64.urlsafe_b64encode(key) cfernet = CFernet(ckey) ccipher = cfernet._encrypt_from_parts(b"Secret message!", current_time, iv) fernet = Fernet(ckey) cipher = fernet._encrypt_from_parts(b"Secret message!", current_time, iv) assert cipher == ccipher ctext = cfernet.decrypt(ccipher) text = fernet.decrypt(cipher) assert ctext == text
def test_CTR_decrypt(self): # test CTR decrypt function (encrypt with library API, decrypt with ours) key = Fernet.generate_key() fernet = Fernet(key) for i in range(20): data = os.urandom(i) key = os.urandom(16) iv = os.urandom(16) # encrypt with library APIs cipher = Cipher(algorithms.AES(key), modes.CTR(iv), backend=default_backend()) encryptor = cipher.encryptor() ct = encryptor.update(data) + encryptor.finalize() # decrypt with our APIs pt = fernet._AES_CTR_decrypt(ct, iv, key) assert data == pt
def test_CMAC_generate(self): # test AES_CMAC generation key = Fernet.generate_key() fernet = Fernet(key) # test against the cryptographi.io library APIs for i in range(20): M = os.urandom(i) K = os.urandom(16) # use library's API to generate CMAC c = cmac.CMAC(algorithms.AES(K), backend=default_backend()) c.update(M) lib_cmac = c.finalize() # use our function to generate CMAC cmac_ = fernet._AES_CMAC_generate(K, M, len(M)) # verify library CMAC vs our CMAC assert cmac_ == lib_cmac
def test_CMAC_verify(self): # test CMAC verification function key = Fernet.generate_key() fernet = Fernet(key) # test against the cryptography.io library APIs for i in range(20): M = os.urandom(i) K = os.urandom(16) # use library API generation c = cmac.CMAC(algorithms.AES(K), backend=default_backend()) c.update(M) lib_cmac = c.finalize() # verify a library generated cmac assert fernet._AES_CMAC_verify(K, M, len(M), lib_cmac) # verify against our own API cmac_ = fernet._AES_CMAC_generate(K, M, len(M)) assert fernet._AES_CMAC_verify(K, M, len(M), cmac_) # # library verify our generated cmac c = cmac.CMAC(algorithms.AES(K), backend=default_backend()) c.update(M) try: c.verify(cmac_) except Exception: raise Exception
def __init__(self, key, backend=None): if backend is None: backend = default_backend() try: self._fernet1 = Fernet(key, backend) except ValueError: self._fernet1 = None self._backend = backend key = base64.urlsafe_b64decode(key) hkey = hkdf.HKDF(algorithm=hashes.SHA256(), length=32, salt="0" * 16, info="", backend=backend) stretched_key = hkey.derive(key) self._signing_key, self._encryption_key = stretched_key[:16], stretched_key[16:]
def __init__(self, key, backend=None): if backend is None: backend = default_backend() # initialize a fernet object self._f = Fernet(key, backend=backend) key = base64.urlsafe_b64decode(key) if len(key) != 32: raise ValueError( "Fernet2 key must be 32 url-safe base64-encoded bytes.") h0 = HMAC(key, hashes.SHA256(), backend=backend) h1 = HMAC(key, hashes.SHA256(), backend=backend) # h0.update(b"0") h1.update(b"1") k0 = h0.finalize()[:16] k1 = h1.finalize()[:16] self._signing_key = k0 self._encryption_key = k1 self._backend = backend
def test_timeout(self): # test exceeded time to live key = Fernet.generate_key() fernet = Fernet(key) ct = fernet.encrypt('Another secret message!') time.sleep(3) with pytest.raises(InvalidToken) as e: fernet.decrypt(ct, 2)
def test_increment_integer(self): # test the increment integer function key = Fernet.generate_key() fernet = Fernet(key) # test normal behavior for i in range(100): assert fernet._increment_integer(i) == i + 1 # test edge case i = 2**128-1 assert fernet._increment_integer(i) == 0 # test big integer with pytest.raises(AssertionError) as e: fernet._increment_integer(2**128) # test negative integer with pytest.raises(AssertionError) as e: fernet._increment_integer(-1)
def test_bad_CMAC(self): # test bad CMAC signature key = Fernet.generate_key() fernet = Fernet(key) ct = fernet.encrypt('Aanother message!') ct = list(base64.urlsafe_b64decode(ct)) # decode ciphertext ct.append(b'\x00') # modify CMAC ct = ''.join(ct) ct = base64.urlsafe_b64encode(ct) # encode ciphertext with pytest.raises(InvalidToken) as e: fernet.decrypt(ct)
def test_bad_version(self): # test incorrect version of Fernet 0x91 key = Fernet.generate_key() fernet = Fernet(key) ct = fernet.encrypt('Secret message!') ct = list(base64.urlsafe_b64decode(ct)) # decode ciphertext ct[0] = b'\x00' # change version ct = ''.join(ct) ct = base64.urlsafe_b64encode(ct) # encode ciphertext with pytest.raises(InvalidToken) as e: fernet.decrypt(ct)
def _do_websocketserver_handshake(self): """ Execute the websocket server handshake on the currently active websocket connection. The handshake is: - Get the protocol version from the server - Get the WebSocket server ID - Get the WebSocket server secret from Shotgun (used to encrypt the communications) This function validates the handshake by doing a dummy call to the server at the end of the handshake. """ self._secret = None # Grab the protocol version from the running Shotgun WebSocket server protocol_version_resp = self._send_and_recv("get_protocol_version") self._protocol_version = json.loads( protocol_version_resp)["protocol_version"] # Grab the WebSocket server ID from the Shotgun WebSocket server server_id_resp = self._call_server_method("get_ws_server_id") self._server_id = json.loads(server_id_resp)["ws_server_id"] # Ask for the secret for this server id. response = self._shotgun_connection._call_rpc( "retrieve_ws_server_secret", {"ws_server_id": self._server_id}) ws_server_secret = six.ensure_binary(response["ws_server_secret"]) if ws_server_secret[-1:] != b"=": ws_server_secret += b"=" self._secret = Fernet(ws_server_secret) # Make a dummy call to the server to make sure that the handshake is correctly done supported_command_repsp = self._call_server_method( "list_supported_commands") supported_commands = json.loads(supported_command_repsp).get( "reply", []) if "list_supported_commands" not in supported_commands: raise RuntimeError( "Unknown error in the websocket server handshake")
def __init__(self, key, backend=None): if backend is None: backend = default_backend() # initialize a fernet object self._f = Fernet(key, backend=backend) key = base64.urlsafe_b64decode(key) if len(key) != 32: raise ValueError( "Fernet2 key must be 32 url-safe base64-encoded bytes." ) h0 = HMAC(key, hashes.SHA256(), backend=backend) h1 = HMAC(key, hashes.SHA256(), backend=backend) # h0 .update(b"0") h1 .update(b"1") k0 = h0.finalize()[:16] k1 = h1.finalize()[:16] self._signing_key = k0 self._encryption_key = k1 self._backend = backend
def __decrypt(self, token: bytes, key: bytes) -> bytes: return Fernet(key).decrypt(token)
def __encrypt(self, message: bytes, key: bytes) -> bytes: return Fernet(key).encrypt(message)
class Fernet2(object): def __init__(self, key, backend=None): if backend is None: backend = default_backend() try: self._fernet1 = Fernet(key, backend) except ValueError: self._fernet1 = None self._backend = backend key = base64.urlsafe_b64decode(key) hkey = hkdf.HKDF(algorithm=hashes.SHA256(), length=32, salt='0'*16, info='', backend=backend) stretched_key = hkey.derive(key) self._signing_key, self._encryption_key = stretched_key[:16], stretched_key[16:] def SHA256hmac(self, key, data, sig=''): h = hmac.HMAC(key, hashes.SHA256(), backend=self._backend) h.update(data) if len(sig)>0: try: return h.verify(sig) except Exception as e: raise e else: return h.finalize() def _prf_hmac(self, key, data): out = self.SHA256hmac(key, data) while len(out)<len(data): out += self.SHA256hmac(key, out) return out[:len(data)] @classmethod def generate_key(cls): return base64.urlsafe_b64encode(os.urandom(32)) def encrypt(self, data, associated_data=''): iv = os.urandom(16) return self._encrypt_from_parts(data, associated_data, iv) def _encrypt_from_parts(self, data, associated_data, iv): if not isinstance(data, bytes): raise TypeError("data must be bytes.") padder = padding.PKCS7(algorithms.AES.block_size).padder() padded_data = padder.update(data) + padder.finalize() encryptor = Cipher( algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend ).encryptor() ciphertext = encryptor.update(padded_data) + encryptor.finalize() # MAC: version || ad || iv || ctx basic_parts = ( b"\x81" + bytes(associated_data) + iv + ciphertext ) tag = self.SHA256hmac(self._signing_key, basic_parts) # return: version || iv || ctx || tag return base64.urlsafe_b64encode(b"\x81" + iv + ciphertext + tag) def decrypt(self, ctxt, ttl=None, associated_data=''): if not isinstance(ctxt, bytes): raise TypeError("ctxt must be bytes.") try: data = base64.urlsafe_b64decode(ctxt) except (TypeError, binascii.Error): raise InvalidToken if not data: raise InvalidToken # return: version || iv || ctx || tag if six.indexbytes(data, 0) == 0x80: # This is a Fernet1 (old version) ctx, handle accordingly try: msg = self._fernet1.decrypt(ctxt, ttl=ttl) except Exception: raise InvalidToken return msg elif six.indexbytes(data, 0) != 0x81: raise InvalidToken assert not debug or not ttl, "You are calling new fernet with ttl values." # First, verify the tag basic_parts = ( b"\x81" + bytes(associated_data) + data[1:-32] ) try: self.SHA256hmac(self._signing_key, basic_parts, sig=data[-32:]) except InvalidSignature: raise InvalidToken # Now decrypt the text # version (1-byte) || iv (16-byte) || ctx || tag (32-byte) iv = data[1:17] ciphertext = data[17:-32] decryptor = Cipher( algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend ).decryptor() plaintext_padded = decryptor.update(ciphertext) try: plaintext_padded += decryptor.finalize() except ValueError: raise InvalidToken unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder() unpadded = unpadder.update(plaintext_padded) try: unpadded += unpadder.finalize() except ValueError: raise InvalidToken return unpadded
class Fernet2(object): def __init__(self, key, backend=None): if backend is None: backend = default_backend() # initialize a fernet object self._f = Fernet(key, backend=backend) key = base64.urlsafe_b64decode(key) if len(key) != 32: raise ValueError( "Fernet2 key must be 32 url-safe base64-encoded bytes." ) h0 = HMAC(key, hashes.SHA256(), backend=backend) h1 = HMAC(key, hashes.SHA256(), backend=backend) # h0 .update(b"0") h1 .update(b"1") k0 = h0.finalize()[:16] k1 = h1.finalize()[:16] self._signing_key = k0 self._encryption_key = k1 self._backend = backend @classmethod def generate_key(cls): return base64.urlsafe_b64encode(os.urandom(32)) def encrypt(self, data, adata=""): # removed current time iv = os.urandom(16) return self._encrypt_from_parts(data, iv, adata) def _encrypt_from_parts(self, data, iv, adata=""): if not isinstance(data, bytes): raise TypeError("data must be bytes.") padder = padding.PKCS7(algorithms.AES.block_size).padder() padded_data = padder.update(data) + padder.finalize() encryptor = Cipher( algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend ).encryptor() # ctx = AES( iv || msg ) ctx = encryptor.update(padded_data) + encryptor.finalize() basic_parts = ( b"\x81" + iv + ctx ) # print(str(len(basic_parts)), "basic_parts_len == ", basic_parts) # print("iv = " + str(len(iv)), iv) # print(str(len(ctx)), "ctx == ", ctx) # print("adata == " , len(adata), adata) h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) h.update(basic_parts+adata) # tag = HMAC( 0x81 || iv || ctx ) tag = h.finalize() # print("tag = " , len(tag)) return base64.urlsafe_b64encode( basic_parts + tag) def decrypt(self, token, ttl=None, adata=""): if not isinstance(token, bytes): raise TypeError("token must be bytes.") # print("token = ", token) try: data = base64.urlsafe_b64decode(token) except (TypeError, binascii.Error): raise InvalidToken # print("data = ", data) if not data or six.indexbytes(data, 0) == 0x80: print("80 version\n") # TODO: if 80: try: msg = self._f.decrypt(token, ttl) return msg except: raise InvalidToken elif not data or six.indexbytes(data, 0) == 0x81: # print("81 version\n") ############ VERIFYING adata # print("data = " + str(len(data)), data) h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) basic_parts = data[:-32] basic_adata = basic_parts + bytes(adata) # print("==================", base64.urlsafe_b64decode(base64.urlsafe_b64encode(adata))) h.update(basic_adata) # print("basic_parts_len = " + str(len(basic_parts)), basic_parts) # print("basic_adata = " + str(len(basic_adata)), basic_adata) # print("adata = " , len(adata), adata) try: h.verify(data[-32:]) except InvalidSignature: raise InvalidToken ################ signature stuff from fernet.py # h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) # h.update(data[:-32]) # get everything from data except for last 32 bytes # # print(h.update(data[:-32])) # try: # # verifying signature with the last 32 bytes # h.verify(data[-32:]) # except InvalidSignature: # raise InvalidToken ################ END-OF signature stuff from fernet.py # iv = data[9:25] iv = data[1:17] # print("iv == " + str(len(iv)), iv) # find out associated data in data # try satement, if adata_to_get = adata ciphertext = data[17:-32] decryptor = Cipher( algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend ).decryptor() plaintext_padded = decryptor.update(ciphertext) try: plaintext_padded += decryptor.finalize() except ValueError: raise InvalidToken unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder() unpadded = unpadder.update(plaintext_padded) try: unpadded += unpadder.finalize() except ValueError: raise InvalidToken return unpadded else: raise InvalidToken