summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordrebs <drebs@leap.se>2012-12-20 11:35:19 -0200
committerdrebs <drebs@leap.se>2012-12-20 11:35:19 -0200
commitd4e139929f6353d9b587ef201bd693e1502ab9f0 (patch)
tree91acaea49422facae8e689f7fba1f87a643bb520
parent0799298acb902a7509f889bc01b22f610f8b0207 (diff)
Use doc_id with HMAC for symmetric encryption
-rw-r--r--__init__.py14
-rw-r--r--backends/leap.py4
2 files changed, 10 insertions, 8 deletions
diff --git a/__init__.py b/__init__.py
index 4325d773..9f5d6e22 100644
--- a/__init__.py
+++ b/__init__.py
@@ -6,6 +6,7 @@ import os
import string
import random
import cStringIO
+import hmac
from soledad.util import GPGWrapper
class Soledad(object):
@@ -39,7 +40,7 @@ class Soledad(object):
def _load_secret(self):
try:
with open(self.SECRET_PATH) as f:
- self._secret = self._gpg.decrypt(f.read())
+ self._secret = str(self._gpg.decrypt(f.read()))
except IOError as e:
raise IOError('Failed to open secret file %s.' % self.SECRET_PATH)
@@ -72,12 +73,13 @@ class Soledad(object):
return str(self._gpg.encrypt(data, self._fingerprint, sign=sign,
passphrase=passphrase, symmetric=symmetric))
- def encrypt_symmetric(self, data, sign=None):
- return self.encrypt(data, sign=sign, passphrase=self._secret,
- symmetric=True)
+ def encrypt_symmetric(self, doc_id, data, sign=None):
+ h = hmac.new(self._secret, doc_id).hexdigest()
+ return self.encrypt(data, sign=sign, passphrase=h, symmetric=True)
def decrypt(self, data, passphrase=None, symmetric=False):
return str(self._gpg.decrypt(data, passphrase=passphrase))
- def decrypt_symmetric(self, data):
- return self.decrypt(data, passphrase=self._secret)
+ def decrypt_symmetric(self, doc_id, data):
+ h = hmac.new(self._secret, doc_id).hexdigest()
+ return self.decrypt(data, passphrase=h)
diff --git a/backends/leap.py b/backends/leap.py
index c019ed3f..9fbd49fe 100644
--- a/backends/leap.py
+++ b/backends/leap.py
@@ -37,7 +37,7 @@ class LeapDocument(Document):
"""
if not self._soledad:
raise NoSoledadInstance()
- ciphertext = self._soledad.encrypt_symmetric(self.get_json())
+ ciphertext = self._soledad.encrypt_symmetric(self.doc_id, self.get_json())
return json.dumps({'_encrypted_json' : ciphertext})
def set_encrypted_json(self, encrypted_json):
@@ -47,7 +47,7 @@ class LeapDocument(Document):
if not self._soledad:
raise NoSoledadInstance()
ciphertext = json.loads(encrypted_json)['_encrypted_json']
- plaintext = self._soledad.decrypt_symmetric(ciphertext)
+ plaintext = self._soledad.decrypt_symmetric(self.doc_id, ciphertext)
return self.set_json(plaintext)