Merge pull request #6622 from wwitzel3/devel

Implement Fernet256 using AES-256-CBC
2026-01-11 10:00:01 -03:30 · 2017-06-16 16:31:17 -04:00 · 2017-06-16 16:31:17 -04:00 · 2b98f2b9c9
commit 2b98f2b9c9
parent 6baf505797 7f72d5c6d1
1 changed files with 24 additions and 5 deletions
--- a/awx/main/utils/encryption.py
+++ b/awx/main/utils/encryption.py
@ -4,7 +4,7 @@ import logging

 import six
 from cryptography.fernet import Fernet, InvalidToken
-
+from cryptography.hazmat.backends import default_backend
 from django.utils.encoding import smart_str


@ -13,6 +13,25 @@ __all__ = ['get_encryption_key', 'encrypt_field', 'decrypt_field', 'decrypt_valu
 logger = logging.getLogger('awx.main.utils.encryption')


+class Fernet256(Fernet):
+    '''Not techincally Fernet, but uses the base of the Fernet spec and uses AES-256-CBC
+    instead of AES-128-CBC. All other functionality remain identical.
+    '''
+    def __init__(self, key, backend=None):
+        if backend is None:
+            backend = default_backend()
+
+        key = base64.urlsafe_b64decode(key)
+        if len(key) != 64:
+            raise ValueError(
+                "Fernet key must be 64 url-safe base64-encoded bytes."
+            )
+
+        self._signing_key = key[:32]
+        self._encryption_key = key[32:]
+        self._backend = backend
+
+
 def get_encryption_key(field_name, pk=None):
    '''
    Generate key for encrypted password based on field name,
@ -23,12 +42,12 @@ def get_encryption_key(field_name, pk=None):
               that is not database-persistent (like a read-only setting)
    '''
    from django.conf import settings
-    h = hashlib.sha256()
+    h = hashlib.sha512()
    h.update(settings.SECRET_KEY)
    if pk is not None:
        h.update(str(pk))
    h.update(field_name)
-    return base64.b64encode(h.digest())
+    return base64.urlsafe_b64encode(h.digest())


 def encrypt_field(instance, field_name, ask=False, subfield=None, skip_utf8=False):
@ -46,7 +65,7 @@ def encrypt_field(instance, field_name, ask=False, subfield=None, skip_utf8=Fals
        utf8 = type(value) == six.text_type
    value = smart_str(value)
    key = get_encryption_key(field_name, getattr(instance, 'pk', None))
-    f = Fernet(key)
+    f = Fernet256(key)
    encrypted = f.encrypt(value)
    b64data = base64.b64encode(encrypted)
    tokens = ['$encrypted', 'AESCBC', b64data]
@ -67,7 +86,7 @@ def decrypt_value(encryption_key, value):
    if algo != 'AESCBC':
        raise ValueError('unsupported algorithm: %s' % algo)
    encrypted = base64.b64decode(b64data)
-    f = Fernet(encryption_key)
+    f = Fernet256(encryption_key)
    value = f.decrypt(encrypted)
    # If the encrypted string contained a UTF8 marker, decode the data
    if utf8: