Source code for nacl.secret

from __future__ import absolute_import
from __future__ import division

from . import six

from . import nacl, encoding
from .exceptions import CryptoError
from .utils import EncryptedMessage


[docs]class SecretBox(encoding.Encodable, six.StringFixer, object): """ The SecretBox class encrypts and decrypts messages using the given secret key. The ciphertexts generated by :class:`~nacl.secret.Secretbox` include a 16 byte authenticator which is checked as part of the decryption. An invalid authenticator will cause the decrypt function to raise an exception. The authenticator is not a signature. Once you've decrypted the message you've demonstrated the ability to create arbitrary valid message, so messages you send are repudiable. For non-repudiable messages, sign them after encryption. :param key: The secret key used to encrypt and decrypt messages :param encoder: The encoder class used to decode the given key :cvar KEY_SIZE: The size that the key is required to be. :cvar NONCE_SIZE: The size that the nonce is required to be. """ KEY_SIZE = nacl.lib.crypto_secretbox_KEYBYTES NONCE_SIZE = nacl.lib.crypto_secretbox_NONCEBYTES def __init__(self, key, encoder=encoding.RawEncoder): key = encoder.decode(key) if len(key) != self.KEY_SIZE: raise ValueError("The key must be exactly %s bytes long" % nacl.lib.crypto_secretbox_KEYBYTES) self._key = key def __bytes__(self): return self._key
[docs] def encrypt(self, plaintext, nonce, encoder=encoding.RawEncoder): """ Encrypts the plaintext message using the given nonce and returns the ciphertext encoded with the encoder. .. warning:: It is **VITALLY** important that the nonce is a nonce, i.e. it is a number used only once for any given key. If you fail to do this, you compromise the privacy of the messages encrypted. Give your nonces a different prefix, or have one side use an odd counter and one an even counter. Just make sure they are different. :param plaintext: [:class:`bytes`] The plaintext message to encrypt :param nonce: [:class:`bytes`] The nonce to use in the encryption :param encoder: The encoder to use to encode the ciphertext :rtype: [:class:`nacl.utils.EncryptedMessage`] """ if len(nonce) != self.NONCE_SIZE: raise ValueError("The nonce must be exactly %s bytes long" % nacl.lib.crypto_secretbox_NONCEBYTES) padded = b"\x00" * nacl.lib.crypto_secretbox_ZEROBYTES + plaintext ciphertext = nacl.ffi.new("unsigned char[]", len(padded)) if not nacl.lib.crypto_secretbox( ciphertext, padded, len(padded), nonce, self._key, ): raise CryptoError("Encryption failed") box_zeros = nacl.lib.crypto_secretbox_BOXZEROBYTES ciphertext = nacl.ffi.buffer(ciphertext, len(padded))[box_zeros:] encoded_nonce = encoder.encode(nonce) encoded_ciphertext = encoder.encode(ciphertext) return EncryptedMessage._from_parts( encoded_nonce, encoded_ciphertext, encoder.encode(nonce + ciphertext), )
[docs] def decrypt(self, ciphertext, nonce=None, encoder=encoding.RawEncoder): """ Decrypts the ciphertext using the given nonce and returns the plaintext message. :param ciphertext: [:class:`bytes`] The encrypted message to decrypt :param nonce: [:class:`bytes`] The nonce used when encrypting the ciphertext :param encoder: The encoder used to decode the ciphertext. :rtype: [:class:`bytes`] """ # Decode our ciphertext ciphertext = encoder.decode(ciphertext) if nonce is None: # If we were given the nonce and ciphertext combined, split them. nonce = ciphertext[:self.NONCE_SIZE] ciphertext = ciphertext[self.NONCE_SIZE:] if len(nonce) != self.NONCE_SIZE: raise ValueError("The nonce must be exactly %s bytes long" % nacl.lib.crypto_secretbox_NONCEBYTES) padded = b"\x00" * nacl.lib.crypto_secretbox_BOXZEROBYTES + ciphertext plaintext = nacl.ffi.new("unsigned char[]", len(padded)) if not nacl.lib.crypto_secretbox_open( plaintext, padded, len(padded), nonce, self._key, ): raise CryptoError( "Decryption failed. Ciphertext failed verification") box_zeros = nacl.lib.crypto_secretbox_ZEROBYTES plaintext = nacl.ffi.buffer(plaintext, len(padded))[box_zeros:] return plaintext