From 27085845eb561972d947e700f194e8fe0ad7f443 Mon Sep 17 00:00:00 2001 From: Kevin Froman Date: Wed, 30 Dec 2020 07:48:19 +0000 Subject: [PATCH] added work on faster and safer database for blocks and general KV --- src/safedb/securestring/__init__.py | 29 +++++++++++++++++++++++----- tests/test_secure_string.py | 30 ++++++++++++++++++++++++++--- 2 files changed, 51 insertions(+), 8 deletions(-) diff --git a/src/safedb/securestring/__init__.py b/src/safedb/securestring/__init__.py index 55cd753b..a78b2900 100644 --- a/src/safedb/securestring/__init__.py +++ b/src/safedb/securestring/__init__.py @@ -11,7 +11,7 @@ _rinseoff = f"{app_root}/src/rinseoff/rinseoffcli" -def generate_secure_string_key_file(): +def generate_key_file(): if os.path.exists(secure_erase_key_file): raise FileExistsError @@ -34,7 +34,7 @@ def generate_secure_string_key_file(): -def secure_string_create(plaintext: Union[bytes, bytearray, str]) -> bytes: +def protect_string(plaintext: Union[bytes, bytearray, str]) -> bytes: """Create a "secure" string. Dont really rely on this, and dont use for comms This is just to make forensics a little harder""" @@ -43,7 +43,6 @@ def secure_string_create(plaintext: Union[bytes, bytearray, str]) -> bytes: except AttributeError: pass - process = subprocess.Popen( ["dotnet", "run", "--project", _rinseoff, @@ -56,7 +55,27 @@ def secure_string_create(plaintext: Union[bytes, bytearray, str]) -> bytes: if res[0] and not res[1]: return res[0] else: - logger.warn("Error when encrypting plaintext", terminal=True) + logger.warn("Error when protecting string for database", terminal=True) for line in res[1].decode('utf-8').split('\n'): logger.error(line, terminal=True) - raise subprocess.CalledProcessError \ No newline at end of file + raise subprocess.CalledProcessError + + +def unprotect_string(ciphertext: Union[bytes, bytearray]) -> bytes: + process = subprocess.Popen( + ["dotnet", "run", + "--project", _rinseoff, + "load", "stdin", f"{secure_erase_key_file}"], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + stdin=subprocess.PIPE) + res = process.communicate(ciphertext) + + if res[0] and not res[1]: + return res[0] + else: + logger.warn( + "Error when decrypting ciphertext from database", terminal=True) + for line in res[1].decode('utf-8').split('\n'): + logger.error(line, terminal=True) + raise subprocess.CalledProcessError diff --git a/tests/test_secure_string.py b/tests/test_secure_string.py index 2bd2b61d..9fa6d191 100644 --- a/tests/test_secure_string.py +++ b/tests/test_secure_string.py @@ -11,23 +11,47 @@ import unittest, json from utils import identifyhome, createdirs from onionrsetup import setup_config from safedb import securestring +import subprocess +from nacl.secret import SecretBox import filepaths createdirs.create_dirs() setup_config() + +_rinseoff = f"{filepaths.app_root}/src/rinseoff/rinseoffcli" + class TestSecureString(unittest.TestCase): def test_keyfile_gen(self): assert not os.path.exists(filepaths.secure_erase_key_file) - securestring.generate_secure_string_key_file() + securestring.generate_key_file() assert os.path.exists(filepaths.secure_erase_key_file) - def test_secure_string_encrypt(self): + def test_protect_string(self): with open(filepaths.secure_erase_key_file, 'wb') as ef: ef.write(os.urandom(32)) pt = "hello world" - enc = securestring.secure_string_create(pt) + enc = securestring.protect_string(pt) self.assertTrue(len(enc) > len(pt)) + def test_unprotect_string(self): + key = os.urandom(32) + with open(filepaths.secure_erase_key_file, 'wb') as ef: + ef.write(key) + msg = b"test hello world" + box = SecretBox(key) + enc = box.encrypt(msg) + nonce = enc.nonce + enc = nonce + enc.ciphertext + p = subprocess.Popen( + ["dotnet", "run", + "--project", _rinseoff, + "load", "stdin", f"{filepaths.secure_erase_key_file}"], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + stdin=subprocess.PIPE) + res = p.communicate(enc) + self.assertTrue(res[0] == msg) + unittest.main()