summaryrefslogtreecommitdiff
path: root/trove/common/crypto_utils.py
blob: 657d81582ac0ab4a104a60a36c37f1f928523337 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# Copyright 2016 Tesora, Inc.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.
#

# Encryption/decryption handling

import hashlib
import os
from oslo_utils import encodeutils
import random
import string

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers import Cipher
from cryptography.hazmat.primitives.ciphers import modes
from trove.common import stream_codecs


IV_BYTE_COUNT = 16
_CRYPT_BACKEND = None


def _get_cipher(key, iv):
    global _CRYPT_BACKEND
    if not _CRYPT_BACKEND:
        _CRYPT_BACKEND = default_backend()

    return Cipher(algorithms.AES(key), modes.CBC(iv),
                  backend=_CRYPT_BACKEND)


def _encrypt(key, iv, data):
    encryptor = _get_cipher(key, iv).encryptor()
    return encryptor.update(data) + encryptor.finalize()


def _decrypt(key, iv, data):
    decryptor = _get_cipher(key, iv).decryptor()
    return decryptor.update(data) + decryptor.finalize()


def encode_data(data):
    # NOTE(zhaochao) No need to encoding string object any more,
    # as Base64Codec is now using oslo_serialization.base64 which
    # could take care of this.
    return stream_codecs.Base64Codec().serialize(data)


def decode_data(data):
    return stream_codecs.Base64Codec().deserialize(data)


# Pad the data string to an multiple of pad_size
def pad_for_encryption(data, pad_size=IV_BYTE_COUNT):
    pad_count = pad_size - (len(data) % pad_size)
    return data + bytes((pad_count,)) * pad_count


# Unpad the data string by stripping off excess characters
def unpad_after_decryption(data):
    return data[:len(data) - data[-1]]


def encrypt_data(data, key, iv_byte_count=IV_BYTE_COUNT):
    data = encodeutils.to_utf8(data)
    key = encodeutils.to_utf8(key)
    md5_key = encodeutils.safe_encode(hashlib.md5(key).hexdigest())
    iv = os.urandom(iv_byte_count)
    iv = iv[:iv_byte_count]
    data = pad_for_encryption(data, iv_byte_count)
    encrypted = _encrypt(md5_key, bytes(iv), data)
    return iv + encrypted


def decrypt_data(data, key, iv_byte_count=IV_BYTE_COUNT):
    key = encodeutils.to_utf8(key)
    md5_key = encodeutils.safe_encode(hashlib.md5(key).hexdigest())
    iv = data[:iv_byte_count]
    decrypted = _decrypt(md5_key, bytes(iv), bytes(data[iv_byte_count:]))
    return unpad_after_decryption(decrypted)


def generate_random_key(length=32, chars=None):
    chars = chars if chars else (string.ascii_uppercase +
                                 string.ascii_lowercase + string.digits)
    return ''.join(random.choice(chars) for _ in range(length))