1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
|
# -*- coding: utf-8 -*-
# _secrets/__init__.py
# Copyright (C) 2016 LEAP
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from collections import namedtuple
from leap.soledad.common.log import getLogger
from leap.soledad.client._secrets.storage import SecretsStorage
from leap.soledad.client._secrets.crypto import SecretsCrypto
from leap.soledad.client._secrets.util import emit
logger = getLogger(__name__)
SecretLength = namedtuple('SecretLength', 'name length')
class Secrets(object):
lengths = {
'remote': 512,
'salt': 64,
'local': 448,
}
def __init__(self, uuid, passphrase, url, local_path, creds, userid,
shared_db=None):
self._passphrase = passphrase
self._secrets = {}
self._user_data = {'uuid': uuid, 'userid': userid}
self.crypto = SecretsCrypto(self.get_passphrase)
self.storage = SecretsStorage(
uuid, self.get_passphrase, url, local_path, creds, userid,
shared_db=shared_db)
self._bootstrap()
#
# bootstrap
#
def _bootstrap(self):
force_storage = False
# attempt to load secrets from local storage
encrypted = self.storage.load_local()
# if not found, attempt to load secrets from remote storage
if not encrypted:
encrypted = self.storage.load_remote()
if not encrypted:
# if not found, generate new secrets
secrets = self._generate()
encrypted = self.crypto.encrypt(secrets)
force_storage = True
else:
# decrypt secrets found either in local or remote storage
secrets = self.crypto.decrypt(encrypted)
self._secrets = secrets
if encrypted['version'] < self.crypto.VERSION or force_storage:
self.storage.save_local(encrypted)
self.storage.save_remote(encrypted)
#
# generation
#
@emit('creating')
def _generate(self):
logger.info("generating new set of secrets...")
secrets = {}
for name, length in self.lengths.iteritems():
secret = os.urandom(length)
secrets[name] = secret
logger.info("new set of secrets successfully generated")
return secrets
#
# crypto
#
def _encrypt(self):
# encrypt secrets
secrets = self._secrets
encrypted = self.crypto.encrypt(secrets)
# create the recovery document
data = {'secret': encrypted, 'version': 2}
return data
def get_passphrase(self):
return self._passphrase.encode('utf-8')
@property
def passphrase(self):
return self.get_passphrase()
def change_passphrase(self, new_passphrase):
self._passphrase = new_passphrase
encrypted = self.crypto.encrypt(self._secrets)
self.storage.save_local(encrypted)
self.storage.save_remote(encrypted)
@property
def remote(self):
return self._secrets.get('remote')
@property
def salt(self):
return self._secrets.get('salt')
@property
def local(self):
return self._secrets.get('local')
|
