
Commit 6d4270e

committed
Make it possible to use all (most?) hash algorithms in cryptography.hazmat.primitives.hashes.
1 parent 8aba9a4 commit 6d4270e


2 files changed

+44
-6
lines changed


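--- a/src/cryptojwt/jwe/fernet.py
+++ b/src/cryptojwt/jwe/fernet.py
@@ -7,20 +7,33 @@
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 
-from cryptojwt import as_unicode
 from cryptojwt.jwe import Encrypter
 from cryptojwt.utils import as_bytes
 
 
+DEFAULT_ITERATIONS = 390000
+
+
 class FernetEncrypter(Encrypter):
-def __init__(self, password: str, salt: Optional[bytes] = ""):
+def __init__(self,
+password: str,
+salt: Optional[bytes] = "",
+hash_alg: Optional[str] = "SHA256",
+digest_size: Optional[int] = 0,
+iterations: Optional[int] = DEFAULT_ITERATIONS):
 Encrypter.__init__(self)
 if not salt:
 salt = os.urandom(16)
 else:
 salt = as_bytes(salt)
 
-kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt, iterations=390000)
+_alg = getattr(hashes, hash_alg)
+# A bit special for SHAKE* and BLAKE* hashes
+if hash_alg.startswith("SHAKE") or hash_alg.startswith("BLAKE"):
+_algorithm = _alg(digest_size)
+else:
+_algorithm = _alg()
+kdf = PBKDF2HMAC(algorithm=_algorithm, length=32, salt=salt, iterations=iterations)
 self.key = base64.urlsafe_b64encode(kdf.derive(as_bytes(password)))
 self.core = Fernet(self.key)
 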
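Review bot: `getattr(hashes, hash_alg)` in `__init__` resolves any attribute of the `hashes` module from a caller-supplied string, so legacy digests such as `MD5` or `SHA1` are accepted and non-digest names (`Hash`, `HashAlgorithm`) fail with an unrelated error; an explicit allowlist of digests is the safer shape for a key-derivation parameter. The `digest_size` default of 0 means `hash_alg="BLAKE2s"` or a `SHAKE*` name without a size is rejected by the hash constructor; to my knowledge `cryptography` accepts only 64 for BLAKE2b and 32 for BLAKE2s, and HMAC over the SHAKE XOFs is probably unsupported, so the SHAKE branch may never succeed. `iterations` has no lower bound, so a caller can quietly weaken the PBKDF2 work factor, and neither it nor `hash_alg` is recorded anywhere visible, so the decrypting side has to be configured identically. A sketch of the lookup follows; the rest of `FernetEncrypter` (the `encrypt`/`decrypt` used by the tests) is outside the hunk.

```python
# module level, next to DEFAULT_ITERATIONS: digests this class derives keys with
_KDF_HASHES = {
    "SHA256": hashes.SHA256,
    "SHA384": hashes.SHA384,
    "SHA512": hashes.SHA512,
    "BLAKE2b": lambda: hashes.BLAKE2b(64),
    "BLAKE2s": lambda: hashes.BLAKE2s(32),
}

        # … unchanged: Encrypter.__init__ and salt handling …
        try:
            _algorithm = _KDF_HASHES[hash_alg]()
        except KeyError:
            raise ValueError(f"unsupported hash_alg: {hash_alg!r}") from None
        kdf = PBKDF2HMAC(algorithm=_algorithm, length=32, salt=salt, iterations=iterations)
```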

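--- a/tests/test_07_jwe.py
+++ b/tests/test_07_jwe.py
@@ -6,9 +6,9 @@
 import string
 import sys
 
-import pytest
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import ec
+import pytest
 
 from cryptojwt.exception import BadSyntax
 from cryptojwt.exception import HeaderError
@@ -139,7 +139,8 @@ def test_jwe_09_a1():
 
 b64_ejek = (
 b"ApfOLCaDbqs_JXPYy2I937v_xmrzj"
-b"-Iss1mG6NAHmeJViM6j2l0MHvfseIdHVyU2BIoGVu9ohvkkWiRq5DL2jYZTPA9TAdwq3FUIVyoH-Pedf6elHIVFi2KGDEspYMtQARMMSBcS7pslx6flh1Cfh3GBKysztVMEhZ_maFkm4PYVCsJsvq6Ct3fg2CJPOs0X1DHuxZKoIGIqcbeK4XEO5a0h5TAuJObKdfO0dKwfNSSbpu5sFrpRFwV2FTTYoqF4zI46N9-_hMIznlEpftRXhScEJuZ9HG8C8CHB1WRZ_J48PleqdhF4o7fB5J1wFqUXBtbtuGJ_A2Xe6AEhrlzCOw"
+b"-Iss1mG6NAHmeJViM6j2l0MHvfseIdHVyU2BIoGVu9ohvkkWiRq5DL2jYZTPA9TAdwq3FUIVyoH"
+b"-Pedf6elHIVFi2KGDEspYMtQARMMSBcS7pslx6flh1Cfh3GBKysztVMEhZ_maFkm4PYVCsJsvq6Ct3fg2CJPOs0X1DHuxZKoIGIqcbeK4XEO5a0h5TAuJObKdfO0dKwfNSSbpu5sFrpRFwV2FTTYoqF4zI46N9-_hMIznlEpftRXhScEJuZ9HG8C8CHB1WRZ_J48PleqdhF4o7fB5J1wFqUXBtbtuGJ_A2Xe6AEhrlzCOw"
 )
 
 iv = intarr2bytes([227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219])
@@ -244,7 +245,8 @@ def test_jwe_09_a1():
 [
 b"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ",
 b"ApfOLCaDbqs_JXPYy2I937v_xmrzj"
-b"-Iss1mG6NAHmeJViM6j2l0MHvfseIdHVyU2BIoGVu9ohvkkWiRq5DL2jYZTPA9TAdwq3FUIVyoH-Pedf6elHIVFi2KGDEspYMtQARMMSBcS7pslx6flh1Cfh3GBKysztVMEhZ_maFkm4PYVCsJsvq6Ct3fg2CJPOs0X1DHuxZKoIGIqcbeK4XEO5a0h5TAuJObKdfO0dKwfNSSbpu5sFrpRFwV2FTTYoqF4zI46N9-_hMIznlEpftRXhScEJuZ9HG8C8CHB1WRZ_J48PleqdhF4o7fB5J1wFqUXBtbtuGJ_A2Xe6AEhrlzCOw",
+b"-Iss1mG6NAHmeJViM6j2l0MHvfseIdHVyU2BIoGVu9ohvkkWiRq5DL2jYZTPA9TAdwq3FUIVyoH"
+b"-Pedf6elHIVFi2KGDEspYMtQARMMSBcS7pslx6flh1Cfh3GBKysztVMEhZ_maFkm4PYVCsJsvq6Ct3fg2CJPOs0X1DHuxZKoIGIqcbeK4XEO5a0h5TAuJObKdfO0dKwfNSSbpu5sFrpRFwV2FTTYoqF4zI46N9-_hMIznlEpftRXhScEJuZ9HG8C8CHB1WRZ_J48PleqdhF4o7fB5J1wFqUXBtbtuGJ_A2Xe6AEhrlzCOw",
 b"48V1_ALb6US04U3b",
 b"5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6jiSdiwkIr3ajwQzaBtQD_A",
 b"ghEgxninkHEAMp4xZtB2mA",
@@ -655,3 +657,26 @@ def test_fernet():
 decrypter = encrypter
 resp = decrypter.decrypt(_token)
 assert resp == plain
+
+
+def test_fernet_sha512():
+encryption_key = SYMKey(use="enc", key="DukeofHazardpass", kid="some-key-id")
+
+encrypter = FernetEncrypter(encryption_key.key, hash_alg="SHA512")
+_token = encrypter.encrypt(plain)
+
+decrypter = encrypter
+resp = decrypter.decrypt(_token)
+assert resp == plain
+
+
+def test_fernet_blake2s():
+encryption_key = SYMKey(use="enc", key="DukeofHazardpass", kid="some-key-id")
+
+encrypter = FernetEncrypter(encryption_key.key, hash_alg="BLAKE2s", digest_size=32,
+iterations=1000)
+_token = encrypter.encrypt(plain)
+
+decrypter = encrypter
+resp = decrypter.decrypt(_token)
+assert resp == plain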
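Review bot: The two new tests cover only the accepting path and decrypt with the same object (`decrypter = encrypter`), so they would still pass if the derived key did not depend on `hash_alg`, `digest_size` or `iterations` at all. A second instance built from the same password and an explicit salt, e.g. `decrypter = FernetEncrypter(encryption_key.key, salt=salt, hash_alg="SHA512")`, would check that, and a mismatched `hash_alg` should be shown to fail decryption. Cases for an unknown algorithm name and for `hash_alg="BLAKE2s"` without `digest_size` are missing too, each under `pytest.raises(...)` with whichever exception the constructor is meant to raise. `iterations=1000` in `test_fernet_blake2s` keeps the test fast, but a short comment marking it as test-only would stop it being copied as a production value.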
