ERP5Security/ERP5KeyAuthPlugin: replace pycrypto by cryptography

pycrypto is unmaintained and the python3 version no longer work with buildout 3 (it uses a tricky way to run 2to3 in setup.py that no longer happens with pip based buildout3) Also make the rest of this file python3 compatible.

ERP5Security/ERP5KeyAuthPlugin: replace pycrypto by cryptography
pycrypto is unmaintained and the python3 version no longer work with buildout 3 (it uses a tricky way to run 2to3 in setup.py that no longer happens with pip based buildout3) Also make the rest of this file python3 compatible.
9964c13d · Jérome Perrin · 1e371494 · 9964c13d
Commit 9964c13d authored May 25, 2024 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 39 additions and 16 deletions

product/ERP5Security/ERP5KeyAuthPlugin.py product/ERP5Security/ERP5KeyAuthPlugin.py +39 -16

No files found.
--- a/product/ERP5Security/ERP5KeyAuthPlugin.py
+++ b/product/ERP5Security/ERP5KeyAuthPlugin.py
@@ -27,12 +27,21 @@
 #
 ##############################################################################

-from base64 import encodestring, decodestring
+import six
+if six.PY2:
+  from base64 import encodestring as encodebytes, decodestring as decodebytes
+else:
+  from base64 import encodebytes, decodebytes
+from base64 import urlsafe_b64decode, urlsafe_b64encode
 from six.moves.urllib.parse import quote, unquote
 from DateTime import DateTime
 from zLOG import LOG, PROBLEM
 from Products.ERP5Type.Globals import InitializeClass
 from zope.interface import Interface
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives import padding
+from cryptography.hazmat.backends import default_backend
+import os

 from AccessControl import ClassSecurityInfo

@@ -46,31 +55,45 @@ from Products.PluggableAuthService.plugins.CookieAuthHelper import CookieAuthHel

 from Products.ERP5Type.Cache import CachingMethod
 from Products.ERP5Type.UnrestrictedMethod import UnrestrictedMethod
+from Products.ERP5Type.Utils import bytes2str, str2bytes
 from Products.ERP5Security.ERP5UserManager import ERP5UserManager, \
                                                  _AuthenticationFailure
 from Products import ERP5Security

-from Crypto.Cipher import AES
-from Crypto import Random
-from base64 import urlsafe_b64decode, urlsafe_b64encode

 class AESCipher:
-  mode = AES.MODE_CFB

  def __init__(self, encryption_key):
    # AES key must be either 16, 24, or 32 bytes long
-    self.encryption_key = encryption_key.ljust(32)[:32]
+    self.encryption_key = str2bytes(encryption_key).ljust(32)[:32]

  def encrypt(self, login):
-    iv = Random.new().read(AES.block_size)
-    encryptor = AES.new(self.encryption_key, self.mode, IV=iv)
-    return urlsafe_b64encode(iv + encryptor.encrypt(login.ljust(((len(login)-1)/16+1)*16)))
+    iv = os.urandom(16)
+    cipher = Cipher(
+      algorithms.AES(self.encryption_key),
+      modes.CBC(iv),
+      backend=default_backend())
+    encryptor = cipher.encryptor()
+
+    padder = padding.PKCS7(algorithms.AES.block_size).padder()
+    padded_data = padder.update(str2bytes(login)) + padder.finalize()
+
+    ct = encryptor.update(padded_data) + encryptor.finalize()
+    return urlsafe_b64encode(iv + ct)

  def decrypt(self, crypted_login):
    decoded_crypted_login = urlsafe_b64decode(crypted_login)
-    iv = decoded_crypted_login[:AES.block_size]
-    decryptor = AES.new(self.encryption_key, self.mode, IV=iv)
-    return decryptor.decrypt(decoded_crypted_login[AES.block_size:]).rstrip()
+    iv = decoded_crypted_login[:16]
+    ct = decoded_crypted_login[16:]
+    cipher = Cipher(algorithms.AES(self.encryption_key), modes.CBC(iv), backend=default_backend())
+    decryptor = cipher.decryptor()
+
+    padded_data = decryptor.update(ct) + decryptor.finalize()
+
+    unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()
+    data = unpadder.update(padded_data) + unpadder.finalize()
+    return data
+

 # This cipher is weak. Do not use.
 class CesarCipher:
@@ -217,13 +240,13 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
  def encrypt(self, login):
    """Encrypt the login"""
    cipher = globals()['%sCipher' % self._getCipher()](self.encryption_key)
-    return cipher.encrypt(login)
+    return bytes2str(cipher.encrypt(login))

  security.declarePrivate('decrypt')
  def decrypt(self, crypted_login):
    """Decrypt string and return the login"""
    cipher = globals()['%sCipher' % self._getCipher()](self.encryption_key)
-    return cipher.decrypt(crypted_login)
+    return bytes2str(cipher.decrypt(crypted_login))

  ####################################
  #ILoginPasswordHostExtractionPlugin#
@@ -263,7 +286,7 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
            default_cookie = request.get(self.default_cookie_name, None)
            if default_cookie is not None:
              #Cookie is found
-              cookie_val = decodestring(unquote(default_cookie))
+              cookie_val = decodebytes(unquote(default_cookie))
              if cookie_val is not None:
                login, password = cookie_val.split(':')
                creds['login'] = login
@@ -298,7 +321,7 @@ class ERP5KeyAuthPlugin(ERP5UserManager, CookieAuthHelper):
      response.setCookie(self.cookie_name, quote(cookie_val), path='/')#, expires=expires)
      response.expireCookie(self.default_cookie_name, path='/')
    elif login is not None and new_password is not None:
-      cookie_val = encodestring('%s:%s' % (login, new_password))
+      cookie_val = encodebytes('%s:%s' % (login, new_password))
      cookie_val = cookie_val.rstrip()
      response.setCookie(self.default_cookie_name, quote(cookie_val), path='/')
      response.expireCookie(self.cookie_name, path='/')