diff options
| -rw-r--r-- | cryptography/fernet.py | 9 | ||||
| -rw-r--r-- | tests/test_fernet.py | 9 |
2 files changed, 16 insertions, 2 deletions
diff --git a/cryptography/fernet.py b/cryptography/fernet.py index c0c5631f..c5474af4 100644 --- a/cryptography/fernet.py +++ b/cryptography/fernet.py @@ -38,7 +38,10 @@ class Fernet(object): backend = default_backend() key = base64.urlsafe_b64decode(key) - assert len(key) == 32 + if len(key) != 32: + raise ValueError( + "Fernet key must be 32 url-safe base64-encoded bytes" + ) self._signing_key = key[:16] self._encryption_key = key[16:] @@ -88,7 +91,9 @@ class Fernet(object): except (TypeError, binascii.Error): raise InvalidToken - assert six.indexbytes(data, 0) == 0x80 + if six.indexbytes(data, 0) != 0x80: + raise InvalidToken + timestamp = struct.unpack(">Q", data[1:9])[0] iv = data[9:25] ciphertext = data[25:-32] diff --git a/tests/test_fernet.py b/tests/test_fernet.py index 48df867c..77661180 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -69,6 +69,11 @@ class TestFernet(object): with pytest.raises(InvalidToken): f.decrypt(token.encode("ascii"), ttl=ttl_sec) + def test_invalid_start_byte(self, backend): + f = Fernet(Fernet.generate_key(), backend=backend) + with pytest.raises(InvalidToken): + f.decrypt(base64.urlsafe_b64encode(b"\x81")) + def test_unicode(self, backend): f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend) with pytest.raises(TypeError): @@ -84,3 +89,7 @@ class TestFernet(object): def test_default_backend(self): f = Fernet(Fernet.generate_key()) assert f._backend is default_backend() + + def test_bad_key(self, backend): + with pytest.raises(ValueError): + Fernet(base64.urlsafe_b64encode(b"abc"), backend=backend) |