1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
# Copyright 2016 Tesora, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# Encryption/decryption handling
import hashlib
import os
from oslo_utils import encodeutils
import random
import string
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import modes
from trove.common import stream_codecs
IV_BYTE_COUNT = 16
_CRYPT_BACKEND = None
def _get_cipher(key, iv):
global _CRYPT_BACKEND
if not _CRYPT_BACKEND:
_CRYPT_BACKEND = default_backend()
return Cipher(algorithms.AES(key), modes.CBC(iv),
backend=_CRYPT_BACKEND)
def _encrypt(key, iv, data):
encryptor = _get_cipher(key, iv).encryptor()
return encryptor.update(data) + encryptor.finalize()
def _decrypt(key, iv, data):
decryptor = _get_cipher(key, iv).decryptor()
return decryptor.update(data) + decryptor.finalize()
def encode_data(data):
# NOTE(zhaochao) No need to encoding string object any more,
# as Base64Codec is now using oslo_serialization.base64 which
# could take care of this.
return stream_codecs.Base64Codec().serialize(data)
def decode_data(data):
return stream_codecs.Base64Codec().deserialize(data)
# Pad the data string to an multiple of pad_size
def pad_for_encryption(data, pad_size=IV_BYTE_COUNT):
pad_count = pad_size - (len(data) % pad_size)
return data + bytes((pad_count,)) * pad_count
# Unpad the data string by stripping off excess characters
def unpad_after_decryption(data):
return data[:len(data) - data[-1]]
def encrypt_data(data, key, iv_byte_count=IV_BYTE_COUNT):
data = encodeutils.to_utf8(data)
key = encodeutils.to_utf8(key)
md5_key = encodeutils.safe_encode(hashlib.md5(key).hexdigest())
iv = os.urandom(iv_byte_count)
iv = iv[:iv_byte_count]
data = pad_for_encryption(data, iv_byte_count)
encrypted = _encrypt(md5_key, bytes(iv), data)
return iv + encrypted
def decrypt_data(data, key, iv_byte_count=IV_BYTE_COUNT):
key = encodeutils.to_utf8(key)
md5_key = encodeutils.safe_encode(hashlib.md5(key).hexdigest())
iv = data[:iv_byte_count]
decrypted = _decrypt(md5_key, bytes(iv), bytes(data[iv_byte_count:]))
return unpad_after_decryption(decrypted)
def generate_random_key(length=32, chars=None):
chars = chars if chars else (string.ascii_uppercase +
string.ascii_lowercase + string.digits)
return ''.join(random.choice(chars) for _ in range(length))
|