openstack/barbican
Code Issues Proposed changes

Beginning transition from pycrypto to cryptography

Browse Source 
This should be the initial steps to move from the pycrypto
package to the cryptography package.

Change-Id: Ie63bef7921f7e4ae9531233477fa6af4c48c773a
This commit is contained in:
Kevin Bishop 2014-05-30 14:27:36 -05:00
parent 4a3eab9e45
commit 01ffcedbfd
3 changed files with 7 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
barbican/crypto/plugin.py
View File

@ -15,7 +15,7 @@
import abc
from Crypto.Cipher import AES
from cryptography import fernet
from Crypto.PublicKey import DSA
from Crypto.PublicKey import RSA
from Crypto import Random
@ -36,7 +36,7 @@ simple_crypto_plugin_group = cfg.OptGroup(name='simple_crypto_plugin',
title="Simple Crypto Plugin Options")
simple_crypto_plugin_opts = [
cfg.StrOpt('kek',
default=b'sixteen_byte_key',
default=b'dGhpcnR5X3R3b19ieXRlX2tleWJsYWhibGFoYmxhaGg=',
help=u._('Key encryption key to be used by Simple Crypto '
'Plugin'))
]
@ -378,41 +378,21 @@ class SimpleCryptoPlugin(CryptoPluginBase):
def __init__(self, conf=CONF):
self.kek = conf.simple_crypto_plugin.kek
self.block_size = AES.block_size
def _pad(self, unencrypted):
"""Adds padding to unencrypted byte string."""
pad_length = self.block_size - (
len(unencrypted) % self.block_size
)
return unencrypted + (chr(pad_length) * pad_length)
def _strip_pad(self, unencrypted):
pad_length = ord(unencrypted[-1:])
unpadded = unencrypted[:-pad_length]
return unpadded
def encrypt(self, encrypt_dto, kek_meta_dto, keystone_id):
unencrypted = encrypt_dto.unencrypted
if not isinstance(unencrypted, str):
raise ValueError('Unencrypted data must be a byte type, '
'but was {0}'.format(type(unencrypted)))
padded_data = self._pad(unencrypted)
iv = Random.get_random_bytes(self.block_size)
encryptor = AES.new(self.kek, AES.MODE_CBC, iv)
cyphertext = iv + encryptor.encrypt(padded_data)
encryptor = fernet.Fernet(self.kek)
cyphertext = encryptor.encrypt(unencrypted)
return ResponseDTO(cyphertext, None)
def decrypt(self, encrypted_dto, kek_meta_dto, kek_meta_extended,
keystone_id):
encrypted = encrypted_dto.encrypted
iv = encrypted[:self.block_size]
cypher_text = encrypted[self.block_size:]
decryptor = AES.new(self.kek, AES.MODE_CBC, iv)
padded_secret = decryptor.decrypt(cypher_text)
return self._strip_pad(padded_secret)
decryptor = fernet.Fernet(self.kek)
return decryptor.decrypt(encrypted)
def bind_kek_metadata(self, kek_meta_dto):
kek_meta_dto.algorithm = 'aes'

26
barbican/tests/crypto/test_plugin.py
View File

@ -67,32 +67,6 @@ class WhenTestingSimpleCryptoPlugin(testtools.TestCase):
super(WhenTestingSimpleCryptoPlugin, self).setUp()
self.plugin = plugin.SimpleCryptoPlugin()
def test_pad_binary_string(self):
binary_string = b'some_binary_string'
padded_string = (
b'some_binary_string' +
b'\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
)
self.assertEqual(self.plugin._pad(binary_string), padded_string)
def test_pad_random_bytes(self):
random_bytes = Random.get_random_bytes(10)
padded_bytes = random_bytes + b'\x06\x06\x06\x06\x06\x06'
self.assertEqual(self.plugin._pad(random_bytes), padded_bytes)
def test_strip_padding_from_binary_string(self):
binary_string = b'some_binary_string'
padded_string = (
b'some_binary_string' +
b'\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
)
self.assertEqual(self.plugin._strip_pad(padded_string), binary_string)
def test_strip_padding_from_random_bytes(self):
random_bytes = Random.get_random_bytes(10)
padded_bytes = random_bytes + b'\x06\x06\x06\x06\x06\x06'
self.assertEqual(self.plugin._strip_pad(padded_bytes), random_bytes)
def test_encrypt_unicode_raises_value_error(self):
unencrypted = u'unicode_beer\U0001F37A'
encrypt_dto = plugin.EncryptDTO(unencrypted)

1
requirements.txt
View File

@ -1,5 +1,6 @@
alembic>=0.4.1
Babel>=1.3
cryptography>=0.4
eventlet>=0.13.0
iso8601>=0.1.9
jsonschema>=1.3.0,!=1.4.0