Compare commits

...

11 Commits

Author SHA1 Message Date
65b3d4d409 Merge pull request 'feat: Add cache encryption' (#9) from lash/encrypt into master
Reviewed-on: #9
2022-01-23 06:59:16 +00:00
lash
0bfe054b90
Auto-complete origin on missing port, magic shutil terminal size 2022-01-21 14:38:06 +00:00
lash
fe410e0fc6 Merge remote-tracking branch 'origin/master' into lash/encrypt 2022-01-21 11:29:41 +00:00
lash
3663665d91
Update packaging and deps 2022-01-21 11:28:22 +00:00
lash
140df0d1c6
Add pycryptodome dep 2022-01-21 11:09:17 +00:00
lash
c5b4c41db0
Bump version 2022-01-21 11:04:17 +00:00
lash
d302c5754c
Add AES CTR with key as iv 2022-01-21 10:59:27 +00:00
lash
36b4fcab93
Add back crypt module 2022-01-21 10:15:43 +00:00
lash
f17e31d801
Return address on shortcircuited dud lookup 2022-01-21 10:13:11 +00:00
lash
64c7fa950c
Clean pollution from encrypt branch 2022-01-21 10:06:29 +00:00
lash
b057cb65ff
WIP add AES to local cache 2022-01-21 10:03:01 +00:00
11 changed files with 102 additions and 16 deletions

View File

@ -1,3 +1,5 @@
- 0.0.6
* Add cache encryption, with AES-CTR-128
- 0.0.5 - 0.0.5
* Replace logs with colorized progress output on default loglevel * Replace logs with colorized progress output on default loglevel
* Do not repeat already failed metadata lookups * Do not repeat already failed metadata lookups

View File

@ -1,7 +1,7 @@
# import notifier # import notifier
from clicada.cli.notify import NotifyWriter from clicada.cli.notify import NotifyWriter
notifier = NotifyWriter() notifier = NotifyWriter()
notifier.notify('loading script') #notifier.notify('loading script')
# standard imports # standard imports
import os import os
@ -22,6 +22,7 @@ from clicada.cli.http import (
HTTPSession, HTTPSession,
PGPClientSession, PGPClientSession,
) )
from clicada.crypt.aes import AESCTREncrypt
logg = logging.getLogger() logg = logging.getLogger()
@ -150,6 +151,7 @@ class CmdCtrl:
auth_db_path = self.get('AUTH_DB_PATH', default_auth_db_path) auth_db_path = self.get('AUTH_DB_PATH', default_auth_db_path)
self.__auth = PGPAuthCrypt(auth_db_path, self.get('AUTH_KEY'), self.get('AUTH_KEYRING_PATH')) self.__auth = PGPAuthCrypt(auth_db_path, self.get('AUTH_KEY'), self.get('AUTH_KEYRING_PATH'))
self.__auth.get_secret(self.get('AUTH_PASSPHRASE')) self.__auth.get_secret(self.get('AUTH_PASSPHRASE'))
self.encrypter = AESCTREncrypt(auth_db_path, self.__auth.secret)
def get(self, k, default=None): def get(self, k, default=None):

View File

@ -26,6 +26,7 @@ class PGPAuthCrypt:
raise AuthError('invalid key {}'.format(auth_key)) raise AuthError('invalid key {}'.format(auth_key))
self.auth_key = auth_key self.auth_key = auth_key
self.gpg = gnupg.GPG(gnupghome=pgp_dir) self.gpg = gnupg.GPG(gnupghome=pgp_dir)
self.secret = None
def get_secret(self, passphrase=''): def get_secret(self, passphrase=''):
@ -49,10 +50,11 @@ class PGPAuthCrypt:
f.write(secret.data) f.write(secret.data)
f.close() f.close()
f = open(p, 'rb') f = open(p, 'rb')
self.secret = self.gpg.decrypt_file(f, passphrase=passphrase) secret = self.gpg.decrypt_file(f, passphrase=passphrase)
if not self.secret.ok: if not secret.ok:
raise AuthError('could not decrypt encryption secret. wrong password?') raise AuthError('could not decrypt encryption secret. wrong password?')
f.close() f.close()
self.secret = secret.data
self.__passphrase = passphrase self.__passphrase = passphrase

View File

@ -3,6 +3,7 @@ import hashlib
import urllib.parse import urllib.parse
import os import os
import logging import logging
from socket import getservbyname
# external imports # external imports
from usumbufu.client.base import ( from usumbufu.client.base import (
@ -48,7 +49,15 @@ class HTTPSession:
def __init__(self, url, auth=None, origin=None): def __init__(self, url, auth=None, origin=None):
self.base_url = url self.base_url = url
url_parts = urllib.parse.urlsplit(self.base_url) url_parts = urllib.parse.urlsplit(self.base_url)
url_parts_origin = (url_parts[0], url_parts[1], '', '', '',) url_parts_origin_host = url_parts[1].split(":")
host = url_parts_origin_host[0]
try:
host = host + ':' + url_parts_origin_host[1]
except IndexError:
host = host + ':' + str(getservbyname(url_parts[0]))
logg.info('changed origin with missing port number from {} to {}'.format(url_parts[1], host))
url_parts_origin = (url_parts[0], host, '', '', '',)
self.origin = origin self.origin = origin
if self.origin == None: if self.origin == None:
self.origin = urllib.parse.urlunsplit(url_parts_origin) self.origin = urllib.parse.urlunsplit(url_parts_origin)

View File

@ -1,12 +1,13 @@
# standard imports # standard imports
import os import os
import sys import sys
import shutil
class NotifyWriter: class NotifyWriter:
def __init__(self, writer=sys.stdout): def __init__(self, writer=sys.stdout):
(c, r) = os.get_terminal_size() (c, r) = shutil.get_terminal_size()
self.cols = c self.cols = c
self.fmt = "\r{:" + "<{}".format(c) + "}" self.fmt = "\r{:" + "<{}".format(c) + "}"
self.w = writer self.w = writer

View File

@ -56,7 +56,7 @@ def execute(ctrl):
store_path = '.clicada' store_path = '.clicada'
user_phone_file_label = 'phone' user_phone_file_label = 'phone'
user_phone_store = FileUserStore(ctrl.opener('meta'), ctrl.chain(), user_phone_file_label, store_path, int(ctrl.get('FILESTORE_TTL'))) user_phone_store = FileUserStore(ctrl.opener('meta'), ctrl.chain(), user_phone_file_label, store_path, int(ctrl.get('FILESTORE_TTL')), encrypter=ctrl.encrypter)
ctrl.notify('resolving identifier {} to wallet address'.format(ctrl.get('_IDENTIFIER'))) ctrl.notify('resolving identifier {} to wallet address'.format(ctrl.get('_IDENTIFIER')))
user_address = user_phone_store.by_phone(ctrl.get('_IDENTIFIER'), update=ctrl.get('_FORCE')) user_address = user_phone_store.by_phone(ctrl.get('_IDENTIFIER'), update=ctrl.get('_FORCE'))
@ -78,7 +78,7 @@ def execute(ctrl):
token_store = FileTokenStore(ctrl.chain(), ctrl.conn(), 'token', store_path) token_store = FileTokenStore(ctrl.chain(), ctrl.conn(), 'token', store_path)
user_address_file_label = 'address' user_address_file_label = 'address'
user_address_store = FileUserStore(ctrl.opener('meta'), ctrl.chain(), user_address_file_label, store_path, int(ctrl.get('FILESTORE_TTL'))) user_address_store = FileUserStore(ctrl.opener('meta'), ctrl.chain(), user_address_file_label, store_path, int(ctrl.get('FILESTORE_TTL')), encrypter=ctrl.encrypter)
ctrl.notify('resolving metadata for address {}'.format(user_address_normal)) ctrl.notify('resolving metadata for address {}'.format(user_address_normal))
try: try:

42
clicada/crypt/aes.py Normal file
View File

@ -0,0 +1,42 @@
# standard imports
import os
import logging
import hashlib
from Crypto.Cipher import AES
from Crypto.Util import Counter
from .base import Encrypter
logg = logging.getLogger(__name__)
class AESCTREncrypt(Encrypter):
aes_block_size = 1 << 7
counter_bytes = int(128 / 8)
def __init__(self, db_dir, secret):
self.secret = secret
def key_to_iv(self, k):
h = hashlib.sha256()
h.update(k.encode('utf-8'))
h.update(self.secret)
z = h.digest()
return int.from_bytes(z[:self.counter_bytes], 'big')
def encrypt(self, k, v):
iv = self.key_to_iv(k)
ctr = Counter.new(self.aes_block_size, initial_value=iv)
cipher = AES.new(self.secret, AES.MODE_CTR, counter=ctr)
return cipher.encrypt(v)
def decrypt(self, k, v):
iv = self.key_to_iv(k)
ctr = Counter.new(self.aes_block_size, initial_value=iv)
cipher = AES.new(self.secret, AES.MODE_CTR, counter=ctr)
return cipher.decrypt(v)

8
clicada/crypt/base.py Normal file
View File

@ -0,0 +1,8 @@
class Encrypter:
def encrypt(self, v):
raise NotImplementedError()
def decrypt(self, v):
raise NotImplementedError()

View File

@ -65,7 +65,7 @@ class Account(Person):
class FileUserStore: class FileUserStore:
def __init__(self, metadata_opener, chain_spec, label, store_base_path, ttl): def __init__(self, metadata_opener, chain_spec, label, store_base_path, ttl, encrypter=None):
invalidate_before = datetime.datetime.now() - datetime.timedelta(seconds=ttl) invalidate_before = datetime.datetime.now() - datetime.timedelta(seconds=ttl)
self.invalidate_before = int(invalidate_before.timestamp()) self.invalidate_before = int(invalidate_before.timestamp())
self.have_xattr = False self.have_xattr = False
@ -82,6 +82,7 @@ class FileUserStore:
self.__validate_dir() self.__validate_dir()
self.metadata_opener = metadata_opener self.metadata_opener = metadata_opener
self.failed_entities = {} self.failed_entities = {}
self.encrypter = encrypter
def __validate_dir(self): def __validate_dir(self):
@ -108,8 +109,14 @@ class FileUserStore:
if have_file and not its_time and not force: if have_file and not its_time and not force:
raise FileExistsError('user resolution already exists for {}'.format(k)) raise FileExistsError('user resolution already exists for {}'.format(k))
ve = v
f = None
if self.encrypter != None:
ve = self.encrypter.encrypt(k, ve.encode('utf-8'))
f = open(p, 'wb')
else:
f = open(p, 'w') f = open(p, 'w')
f.write(v) f.write(ve)
f.close() f.close()
logg.info('added user store {} record {} -> {}'.format(self.label, k, v)) logg.info('added user store {} record {} -> {}'.format(self.label, k, v))
@ -174,12 +181,21 @@ class FileUserStore:
self.__unstick(p) self.__unstick(p)
self.check_expiry(p) self.check_expiry(p)
f = None
if self.encrypter != None:
f = open(p, 'rb')
else:
f = open(p, 'r') f = open(p, 'r')
r = f.read() v = f.read()
f.close() f.close()
if self.encrypter != None:
v = self.encrypter.decrypt(k, v)
logg.debug('>>>>>>>>>>>>< v decoded {}'.format(v))
v = v.decode('utf-8')
logg.debug('retrieved {} from {}'.format(k, p)) logg.debug('retrieved {} from {}'.format(k, p))
return r.strip() return v.strip()
def by_phone(self, phone, update=False): def by_phone(self, phone, update=False):

View File

@ -1,7 +1,10 @@
usumbufu~=0.3.4 usumbufu~=0.3.5
confini~=0.5.1 confini~=0.5.3
cic-eth-registry~=0.6.1 cic-eth-registry~=0.6.1
cic-types~=0.2.1a8 cic-types~=0.2.1a8
phonenumbers==8.12.12 phonenumbers==8.12.12
eth-erc20~=0.1.2 eth-erc20~=0.1.2
hexathon~=0.1.0 hexathon~=0.1.0
pycryptodome~=3.10.1
chainlib-eth~=0.0.21
chainlib~=0.0.17

View File

@ -1,6 +1,6 @@
[metadata] [metadata]
name = clicada name = clicada
version = 0.0.5a1 version = 0.0.6a2
description = CLI CRM tool for the cic-stack custodial wallet system description = CLI CRM tool for the cic-stack custodial wallet system
author = Louis Holbrook author = Louis Holbrook
author_email = dev@holbrook.no author_email = dev@holbrook.no
@ -34,3 +34,4 @@ packages =
clicada.cli clicada.cli
clicada.tx clicada.tx
clicada.user clicada.user
clicada.crypt