File: _memcache_crypt.py

package info (click to toggle)
python-keystonemiddleware 10.9.0-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 1,288 kB
  • sloc: python: 10,017; makefile: 93; sh: 2
file content (224 lines) | stat: -rw-r--r-- 6,902 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
 
# Copyright 2010-2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.

"""
Utilities for memcache encryption and integrity check.

Data should be serialized before entering these functions. Encryption
has a dependency on the cryptography module. If cryptography is not
available, CryptoUnavailableError will be raised.

This module will not be called unless signing or encryption is enabled
in the config. It will always validate signatures, and will decrypt
data if encryption is enabled. It is not valid to mix protection
modes.

"""

import base64
import functools
import hashlib
import hmac
import math
import os

from keystonemiddleware.i18n import _

try:
    from cryptography.hazmat import backends as crypto_backends
    from cryptography.hazmat.primitives import ciphers
    from cryptography.hazmat.primitives.ciphers import algorithms
    from cryptography.hazmat.primitives.ciphers import modes
    from cryptography.hazmat.primitives import padding
except ImportError:
    ciphers = None


HASH_FUNCTION = hashlib.sha384
DIGEST_LENGTH = HASH_FUNCTION().digest_size
DIGEST_SPLIT = DIGEST_LENGTH // 3
DIGEST_LENGTH_B64 = 4 * int(math.ceil(DIGEST_LENGTH / 3.0))


class InvalidMacError(Exception):
    """raise when unable to verify MACed data.

    This usually indicates that data had been expectedly modified in memcache.

    """

    pass


class DecryptError(Exception):
    """raise when unable to decrypt encrypted data."""

    pass


class CryptoUnavailableError(Exception):
    """raise when Python Crypto module is not available."""

    pass


def assert_crypto_availability(f):
    """Ensure cryptography module is available."""
    @functools.wraps(f)
    def wrapper(*args, **kwds):
        if ciphers is None:
            raise CryptoUnavailableError()
        return f(*args, **kwds)
    return wrapper


def derive_keys(token, secret, strategy):
    """Derive keys for MAC and ENCRYPTION from the user-provided secret.

    The resulting keys should be passed to the protect and unprotect functions.

    As suggested by NIST Special Publication 800-108, this uses the
    first 128 bits from the sha384 KDF for the obscured cache key
    value, the second 128 bits for the message authentication key and
    the remaining 128 bits for the encryption key.

    This approach is faster than computing a separate hmac as the KDF
    for each desired key.
    """
    if not isinstance(secret, bytes):
        secret = secret.encode()

    if not isinstance(token, bytes):
        token = token.encode()

    if not isinstance(strategy, bytes):
        strategy = strategy.encode()

    digest = hmac.new(secret, token + strategy, HASH_FUNCTION).digest()
    return {'CACHE_KEY': digest[:DIGEST_SPLIT],
            'MAC': digest[DIGEST_SPLIT: 2 * DIGEST_SPLIT],
            'ENCRYPTION': digest[2 * DIGEST_SPLIT:],
            'strategy': strategy}


def sign_data(key, data):
    """Sign the data using the defined function and the derived key."""
    if not isinstance(key, bytes):
        key = key.encode()

    if not isinstance(data, bytes):
        data = data.encode()

    mac = hmac.new(key, data, HASH_FUNCTION).digest()
    return base64.b64encode(mac)


@assert_crypto_availability
def encrypt_data(key, data):
    """Encrypt the data with the given secret key.

    Padding is n bytes of the value n, where 1 <= n <= blocksize.
    """
    iv = os.urandom(16)
    cipher = ciphers.Cipher(
        algorithms.AES(key),
        modes.CBC(iv),
        backend=crypto_backends.default_backend())

    # AES algorithm uses block size of 16 bytes = 128 bits, defined in
    # algorithms.AES.block_size. Previously, we manually padded this using
    # bytes((padding,)) * padding.  Using ``cryptography``, we will
    # analogously use hazmat.primitives.padding to pad it to
    # the 128-bit block size.
    padder = padding.PKCS7(algorithms.AES.block_size).padder()
    padded_data = padder.update(data) + padder.finalize()
    encryptor = cipher.encryptor()
    return iv + encryptor.update(padded_data) + encryptor.finalize()


def decrypt_data(key, data):
    """Decrypt the data with the given secret key."""
    iv = data[:16]
    cipher = ciphers.Cipher(
        algorithms.AES(key),
        modes.CBC(iv),
        backend=crypto_backends.default_backend())
    try:
        decryptor = cipher.decryptor()
        result = decryptor.update(data[16:]) + decryptor.finalize()
    except Exception:
        raise DecryptError(_('Encrypted data appears to be corrupted.'))

    # Strip the last n padding bytes where n is the last value in
    # the plaintext
    unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
    return unpadder.update(result) + unpadder.finalize()


def protect_data(keys, data):
    """Serialize data given a dict of keys.

    Given keys and serialized data, returns an appropriately protected string
    suitable for storage in the cache.

    """
    if keys['strategy'] == b'ENCRYPT':
        data = encrypt_data(keys['ENCRYPTION'], data)

    encoded_data = base64.b64encode(data)

    signature = sign_data(keys['MAC'], encoded_data)
    return signature + encoded_data


def unprotect_data(keys, signed_data):
    """De-serialize data given a dict of keys.

    Given keys and cached string data, verifies the signature, decrypts if
    necessary, and returns the original serialized data.

    """
    # cache backends return None when no data is found. We don't mind
    # that this particular special value is unsigned.
    if signed_data is None:
        return None

    # First we calculate the signature
    provided_mac = signed_data[:DIGEST_LENGTH_B64]
    calculated_mac = sign_data(
        keys['MAC'],
        signed_data[DIGEST_LENGTH_B64:])

    # Then verify that it matches the provided value
    if not hmac.compare_digest(provided_mac, calculated_mac):
        raise InvalidMacError(_('Invalid MAC; data appears to be corrupted.'))

    data = base64.b64decode(signed_data[DIGEST_LENGTH_B64:])

    # then if necessary decrypt the data
    if keys['strategy'] == b'ENCRYPT':
        data = decrypt_data(keys['ENCRYPTION'], data)

    return data


def get_cache_key(keys):
    """Return a cache key.

    Given keys generated by derive_keys(), returns a base64 encoded value
    suitable for use as a cache key in memcached.

    """
    return base64.b64encode(keys['CACHE_KEY'])