Victor Stinner
f9ed13a576
This change is backward compatible on Python 2: * Data encrypted with the old code can be decrypted with the new code * Data encrypted with the new code can be decrypted with the old code Effect on Python 2: it now is possible to encode Unicode strings which contain non-ASCII characters. Before encode_data() failed with UnicodeEncodeError. Changes: * pad_for_encryption(): replace chr() with six.int2byte() to get bytes on Python 3. * use byte strings in tests * encode_data() now encodes data to UTF-8 (if it is Unicode) * encrypt() and decrypt() now encode the encryption key to UTF-8 (if it's Unicode) * encrypt() now encodes data to UTF-8 (if it's Unicode), it's only needed on Python 3 since encode_data() returns Unicode on Python 3. * test_encode_decode_string(): test also Unicode * Add new unit tests on encrypt() and decrypt() with known values and hardcoded IV. * tox.ini: add test_common_extensions and test_crypto_utils to Python 3.4 (test_common_extensions already passed before). Note: UTF-8 is the defacto standard encoding in OpenStack. It is already used widely in all parts of OpenStack. Partially implements: blueprint trove-python3 Change-Id: I8e991994698d558177580595cf2c7da93ed1e1c8
71 lines
2.1 KiB
Python
71 lines
2.1 KiB
Python
# Copyright 2016 Tesora, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
# Encryption/decryption handling
|
|
|
|
from Crypto.Cipher import AES
|
|
from Crypto import Random
|
|
import hashlib
|
|
from oslo_utils import encodeutils
|
|
import six
|
|
|
|
from trove.common import stream_codecs
|
|
|
|
|
|
IV_BIT_COUNT = 16
|
|
|
|
|
|
def encode_data(data):
|
|
if isinstance(data, six.text_type):
|
|
data = data.encode('utf-8')
|
|
return stream_codecs.Base64Codec().serialize(data)
|
|
|
|
|
|
def decode_data(data):
|
|
return stream_codecs.Base64Codec().deserialize(data)
|
|
|
|
|
|
# Pad the data string to an multiple of pad_size
|
|
def pad_for_encryption(data, pad_size=IV_BIT_COUNT):
|
|
pad_count = pad_size - (len(data) % pad_size)
|
|
return data + six.int2byte(pad_count) * pad_count
|
|
|
|
|
|
# Unpad the data string by stripping off excess characters
|
|
def unpad_after_decryption(data):
|
|
return data[:len(data) - six.indexbytes(data, -1)]
|
|
|
|
|
|
def encrypt_data(data, key, iv_bit_count=IV_BIT_COUNT):
|
|
data = encodeutils.to_utf8(data)
|
|
key = encodeutils.to_utf8(key)
|
|
md5_key = hashlib.md5(key).hexdigest()
|
|
iv = Random.new().read(iv_bit_count)
|
|
iv = iv[:iv_bit_count]
|
|
aes = AES.new(md5_key, AES.MODE_CBC, iv)
|
|
data = pad_for_encryption(data, iv_bit_count)
|
|
encrypted = aes.encrypt(data)
|
|
return iv + encrypted
|
|
|
|
|
|
def decrypt_data(data, key, iv_bit_count=IV_BIT_COUNT):
|
|
key = encodeutils.to_utf8(key)
|
|
md5_key = hashlib.md5(key).hexdigest()
|
|
iv = data[:iv_bit_count]
|
|
aes = AES.new(md5_key, AES.MODE_CBC, bytes(iv))
|
|
decrypted = aes.decrypt(bytes(data[iv_bit_count:]))
|
|
return unpad_after_decryption(decrypted)
|