diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2013-12-16 15:29:30 -0800 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2013-12-16 15:29:30 -0800 |
| commit | fae20715b85e84297f01b60fc153cde93a7549c7 (patch) | |
| tree | a74997977c7a244c2a5d9514e06e8b2b054a1c2e | |
| parent | 6cf242bee212b5b6069865a48c6bdc4836f78ff6 (diff) | |
| download | cryptography-fae20715b85e84297f01b60fc153cde93a7549c7.tar.gz cryptography-fae20715b85e84297f01b60fc153cde93a7549c7.tar.bz2 cryptography-fae20715b85e84297f01b60fc153cde93a7549c7.zip | |
Address dreid's comments
| -rw-r--r-- | cryptography/fernet.py | 20 | ||||
| -rw-r--r-- | tests/test_fernet.py | 26 |
2 files changed, 28 insertions, 18 deletions
diff --git a/cryptography/fernet.py b/cryptography/fernet.py index 8bcaa40a..c0c5631f 100644 --- a/cryptography/fernet.py +++ b/cryptography/fernet.py @@ -33,12 +33,16 @@ _MAX_CLOCK_SKEW = 60 class Fernet(object): - def __init__(self, key): + def __init__(self, key, backend=None): + if backend is None: + backend = default_backend() + key = base64.urlsafe_b64decode(key) assert len(key) == 32 - self.signing_key = key[:16] - self.encryption_key = key[16:] - self.backend = default_backend() + + self._signing_key = key[:16] + self._encryption_key = key[16:] + self._backend = backend @classmethod def generate_key(cls): @@ -58,7 +62,7 @@ class Fernet(object): padder = padding.PKCS7(algorithms.AES.block_size).padder() padded_data = padder.update(data) + padder.finalize() encryptor = Cipher( - algorithms.AES(self.encryption_key), modes.CBC(iv), self.backend + algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend ).encryptor() ciphertext = encryptor.update(padded_data) + encryptor.finalize() @@ -66,7 +70,7 @@ class Fernet(object): b"\x80" + struct.pack(">Q", current_time) + iv + ciphertext ) - h = HMAC(self.signing_key, hashes.SHA256(), self.backend) + h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) h.update(basic_parts) hmac = h.finalize() return base64.urlsafe_b64encode(basic_parts + hmac) @@ -93,14 +97,14 @@ class Fernet(object): raise InvalidToken if current_time + _MAX_CLOCK_SKEW < timestamp: raise InvalidToken - h = HMAC(self.signing_key, hashes.SHA256(), self.backend) + h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) h.update(data[:-32]) hmac = h.finalize() if not constant_time.bytes_eq(hmac, data[-32:]): raise InvalidToken decryptor = Cipher( - algorithms.AES(self.encryption_key), modes.CBC(iv), self.backend + algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend ).decryptor() plaintext_padded = decryptor.update(ciphertext) try: diff --git a/tests/test_fernet.py b/tests/test_fernet.py index af64175e..48df867c 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -24,6 +24,7 @@ import pytest import six from cryptography.fernet import Fernet, InvalidToken +from cryptography.hazmat.backends import default_backend def json_parametrize(keys, fname): @@ -40,8 +41,8 @@ class TestFernet(object): @json_parametrize( ("secret", "now", "iv", "src", "token"), "generate.json", ) - def test_generate(self, secret, now, iv, src, token): - f = Fernet(secret.encode("ascii")) + def test_generate(self, secret, now, iv, src, token, backend): + f = Fernet(secret.encode("ascii"), backend=backend) actual_token = f._encrypt_from_parts( src.encode("ascii"), calendar.timegm(iso8601.parse_date(now).utctimetuple()), @@ -52,29 +53,34 @@ class TestFernet(object): @json_parametrize( ("secret", "now", "src", "ttl_sec", "token"), "verify.json", ) - def test_verify(self, secret, now, src, ttl_sec, token, monkeypatch): - f = Fernet(secret.encode("ascii")) + def test_verify(self, secret, now, src, ttl_sec, token, backend, + monkeypatch): + f = Fernet(secret.encode("ascii"), backend=backend) current_time = calendar.timegm(iso8601.parse_date(now).utctimetuple()) monkeypatch.setattr(time, "time", lambda: current_time) payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec) assert payload == src.encode("ascii") @json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json") - def test_invalid(self, secret, token, now, ttl_sec, monkeypatch): - f = Fernet(secret.encode("ascii")) + def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch): + f = Fernet(secret.encode("ascii"), backend=backend) current_time = calendar.timegm(iso8601.parse_date(now).utctimetuple()) monkeypatch.setattr(time, "time", lambda: current_time) with pytest.raises(InvalidToken): f.decrypt(token.encode("ascii"), ttl=ttl_sec) - def test_unicode(self): - f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32)) + def test_unicode(self, backend): + f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) with pytest.raises(TypeError): f.encrypt(six.u("")) with pytest.raises(TypeError): f.decrypt(six.u("")) @pytest.mark.parametrize("message", [b"", b"Abc!", b"\x00\xFF\x00\x80"]) - def test_roundtrips(self, message): - f = Fernet(Fernet.generate_key()) + def test_roundtrips(self, message, backend): + f = Fernet(Fernet.generate_key(), backend=backend) assert f.decrypt(f.encrypt(message)) == message + + def test_default_backend(self): + f = Fernet(Fernet.generate_key()) + assert f._backend is default_backend() |