"""Provide a crypto object, depending on the available modules.
The object has this interface:
aesEncrypt(DATA, KEY)
Encrypt the DATA with key KEY.
aesDecrypt(DATA, KEY):
Decrypt the DATA with key KEY.
has_aes
True if the encryption provides AES encryption.
getKeyLength()
Return the maximum size for keys for this crypto object, in bytes.
"""
import sys
from beaker.crypto.pbkdf2 import pbkdf2
from beaker.crypto.util import hmac, sha1, hmac_sha1, md5
from beaker import util
from beaker.exceptions import InvalidCryptoBackendError
# Placeholder for the key length; the visible part of this module never
# assigns it anything other than None.
keyLength = None

# Default nonce size in bits. get_nonce_size() only accepts multiples of 8.
DEFAULT_NONCE_BITS = 128

# Process-wide registry mapping a backend name to its crypto module. It is
# filled by register_crypto_module() and read by get_crypto_module().
CRYPTO_MODULES = dict()

# Jython is detected by a platform string that begins with 'java'.
JYTHON = sys.platform[:4] == 'java'
def load_default_module():
    """Pick the crypto backend to use when no specific one was requested.

    On Jython only ``jcecrypto`` is tried. On other platforms ``nsscrypto``
    is tried first and ``pycrypto`` second. If no candidate can be imported,
    the ``noencryption`` module is returned instead of raising.

    Security note: the fallback is silent. Any ImportError, including one
    caused by a broken install of a backend's own dependency, selects the
    non-encrypting module. Callers that require confidentiality should
    inspect ``has_aes`` on the returned module (part of the interface
    described in this package's docstring) and refuse to continue without
    it. Presumably ``noencryption`` reports ``has_aes`` as false; confirm
    in that module.

    NOTE(review): the 'cryptography' backend that get_crypto_module() knows
    about is never tried here, so it is only used when asked for by name.
    """
    if JYTHON:
        try:
            from beaker.crypto import jcecrypto
        except ImportError:
            pass
        else:
            return jcecrypto
    else:
        try:
            from beaker.crypto import nsscrypto
        except ImportError:
            pass
        else:
            return nsscrypto

        try:
            from beaker.crypto import pycrypto
        except ImportError:
            pass
        else:
            return pycrypto

    # No real backend could be imported: hand back the non-encrypting stub.
    from beaker.crypto import noencryption
    return noencryption
def register_crypto_module(name, mod):
    """Store ``mod`` in the backend registry under ``name``.

    An existing entry with the same name is replaced without any check.
    Because get_crypto_module() consults the registry before it imports
    anything, an entry registered here (including one named 'default')
    takes precedence over the built-in backends. Nothing here validates
    that ``mod`` implements the expected crypto interface.
    """
    CRYPTO_MODULES.update({name: mod})
def get_crypto_module(name):
    """Return the crypto backend registered under ``name``.

    A name already in the registry is returned as stored. Otherwise the
    built-in names 'default', 'nss', 'pycrypto' and 'cryptography' are
    imported on first use and registered. An ImportError from a named
    backend propagates to the caller; only 'default' falls back, through
    load_default_module().

    Raises:
        InvalidCryptoBackendError: ``name`` is neither registered nor one
            of the built-in backend names.
    """
    if name in CRYPTO_MODULES:
        return CRYPTO_MODULES[name]

    if name == 'default':
        backend = load_default_module()
    elif name == 'nss':
        from beaker.crypto import nsscrypto as backend
    elif name == 'pycrypto':
        from beaker.crypto import pycrypto as backend
    elif name == 'cryptography':
        from beaker.crypto import pyca_cryptography as backend
    else:
        raise InvalidCryptoBackendError(
            "No crypto backend with name '%s' is registered." % name)

    register_crypto_module(name, backend)
    return CRYPTO_MODULES[name]
def generateCryptoKeys(master_key, salt, iterations, keylen):
    """Derive key material from ``master_key`` using PBKDF2.

    Args:
        master_key: secret the key material is derived from.
        salt: salt passed unchanged to pbkdf2().
        iterations: PBKDF2 iteration count, chosen by the caller.
        keylen: requested output length, passed to pbkdf2() as ``dklen``.

    Returns:
        Whatever pbkdf2() returns for the given parameters.
    """
    # This function only delegates to pbkdf2(): it draws no random data and
    # does no XOR mixing with os.urandom() output, although an earlier
    # comment here described such a step. The strength of the derived keys
    # therefore rests on the master key, the salt and the iteration count
    # the caller supplies; no minimum is enforced for any of them here.
    kdf_params = {'iterations': iterations, 'dklen': keylen}
    return pbkdf2(master_key, salt, **kdf_params)
def get_nonce_size(number_of_bits):
    """Convert a nonce size in bits into raw and encoded byte lengths.

    Args:
        number_of_bits: nonce size in bits; must be a multiple of 8.

    Returns:
        A ``(raw_bytes, encoded_bytes)`` tuple. ``encoded_bytes`` equals the
        length of the padded base64 encoding of ``raw_bytes`` bytes.

    Raises:
        ValueError: ``number_of_bits`` is not a multiple of 8.
    """
    raw_len, leftover_bits = divmod(number_of_bits, 8)
    if leftover_bits:
        raise ValueError('Nonce complexity currently supports multiples of 8')

    # Take floor(4n/3), add 3, then clear the two low bits so the result
    # lands on a multiple of 4.
    encoded_len = (4 * raw_len // 3 + 3) & ~3
    return raw_len, encoded_len