diff options
author | drebs <drebs@leap.se> | 2012-12-20 11:35:19 -0200 |
---|---|---|
committer | drebs <drebs@leap.se> | 2012-12-20 11:35:19 -0200 |
commit | d4e139929f6353d9b587ef201bd693e1502ab9f0 (patch) | |
tree | 91acaea49422facae8e689f7fba1f87a643bb520 | |
parent | 0799298acb902a7509f889bc01b22f610f8b0207 (diff) |
Use doc_id with HMAC for symmetric encryption
-rw-r--r-- | __init__.py | 14 | ||||
-rw-r--r-- | backends/leap.py | 4 |
2 files changed, 10 insertions, 8 deletions
diff --git a/__init__.py b/__init__.py index 4325d773..9f5d6e22 100644 --- a/__init__.py +++ b/__init__.py @@ -6,6 +6,7 @@ import os import string import random import cStringIO +import hmac from soledad.util import GPGWrapper class Soledad(object): @@ -39,7 +40,7 @@ class Soledad(object): def _load_secret(self): try: with open(self.SECRET_PATH) as f: - self._secret = self._gpg.decrypt(f.read()) + self._secret = str(self._gpg.decrypt(f.read())) except IOError as e: raise IOError('Failed to open secret file %s.' % self.SECRET_PATH) @@ -72,12 +73,13 @@ class Soledad(object): return str(self._gpg.encrypt(data, self._fingerprint, sign=sign, passphrase=passphrase, symmetric=symmetric)) - def encrypt_symmetric(self, data, sign=None): - return self.encrypt(data, sign=sign, passphrase=self._secret, - symmetric=True) + def encrypt_symmetric(self, doc_id, data, sign=None): + h = hmac.new(self._secret, doc_id).hexdigest() + return self.encrypt(data, sign=sign, passphrase=h, symmetric=True) def decrypt(self, data, passphrase=None, symmetric=False): return str(self._gpg.decrypt(data, passphrase=passphrase)) - def decrypt_symmetric(self, data): - return self.decrypt(data, passphrase=self._secret) + def decrypt_symmetric(self, doc_id, data): + h = hmac.new(self._secret, doc_id).hexdigest() + return self.decrypt(data, passphrase=h) diff --git a/backends/leap.py b/backends/leap.py index c019ed3f..9fbd49fe 100644 --- a/backends/leap.py +++ b/backends/leap.py @@ -37,7 +37,7 @@ class LeapDocument(Document): """ if not self._soledad: raise NoSoledadInstance() - ciphertext = self._soledad.encrypt_symmetric(self.get_json()) + ciphertext = self._soledad.encrypt_symmetric(self.doc_id, self.get_json()) return json.dumps({'_encrypted_json' : ciphertext}) def set_encrypted_json(self, encrypted_json): @@ -47,7 +47,7 @@ class LeapDocument(Document): if not self._soledad: raise NoSoledadInstance() ciphertext = json.loads(encrypted_json)['_encrypted_json'] - plaintext = self._soledad.decrypt_symmetric(ciphertext) + plaintext = self._soledad.decrypt_symmetric(self.doc_id, ciphertext) return self.set_json(plaintext) |