Py3 support for encrypted databags code

Author: fpedrini

chef/aes.py

@@ -1,9 +1,8 @@
 import os
+import sys
 
 from ctypes import *
-from rsa import load_crypto_lib, SSLError
-
-_eay = load_crypto_lib()
+from chef.rsa import _eay, SSLError
 
 c_int_p = POINTER(c_int)
 
@@ -91,7 +90,7 @@ def __init__(self, key, iv, salt='12345678'):
         self.key_data = create_string_buffer(key)
         self.iv = create_string_buffer(iv)
         self.encryptor = self.decryptor = None
-        self.salt = create_string_buffer(salt)
+        self.salt = create_string_buffer(salt.encode('utf8'))
 
         self.encryptor = EVP_CIPHER_CTX()
         self._init_cipher(byref(self.encryptor), 1)
@@ -107,6 +106,9 @@ def _init_cipher(self, ctypes_cipher, crypt_mode):
         EVP_CIPHER_CTX_set_padding(ctypes_cipher, c_int(1))
 
     def _process_data(self, ctypes_cipher, data):
+        # Guard against str passed in when using python3
+        if sys.version_info[0] > 2 and isinstance(data, str):
+            data = data.encode('utf8')
         length = c_int(len(data))
         buf_length = c_int(length.value + AES_BLOCK_SIZE)
         buf = create_string_buffer(buf_length.value)
@@ -125,7 +127,3 @@ def encrypt(self, data):
 
     def decrypt(self, data):
         return self._process_data(byref(self.decryptor), data)
-
-
-
-

chef/encrypted_data_bag_item.py

@@ -1,14 +1,19 @@
 from chef.exceptions import ChefUnsupportedEncryptionVersionError, ChefDecryptionError
-from chef.aes import AES256Cipher
+from chef.aes import AES256Cipher, EVP_MAX_IV_LENGTH
 from chef.utils import json
 from chef.data_bag import DataBagItem
 
 import os
+import sys
 import hmac
 import base64
 import chef
 import hashlib
+import binascii
 import itertools
+import six
+from six.moves import filterfalse, zip_longest
+
 
 class EncryptedDataBagItem(DataBagItem):
     SUPPORTED_ENCRYPTION_VERSIONS = (1,2)
@@ -39,10 +44,10 @@ class EncryptorVersion1(object):
     VERSION = 1
 
     def __init__(self, key, data):
-        self.plain_key = key
-        self.key = hashlib.sha256(key).digest()
+        self.plain_key = key.encode('utf8')
+        self.key = hashlib.sha256(key.encode('utf8')).digest()
         self.data = data
-        self.iv = os.urandom(8).encode('hex')
+        self.iv = binascii.hexlify(os.urandom(int(EVP_MAX_IV_LENGTH/2)))
         self.encryptor = AES256Cipher(key=self.key, iv=self.iv)
         self.encrypted_data = None
 
@@ -54,8 +59,8 @@ def encrypt(self):
 
     def to_dict(self):
         return {
-            "encrypted_data": base64.standard_b64encode(self.encrypt()),
-            "iv": base64.standard_b64encode(self.iv),
+            "encrypted_data": base64.standard_b64encode(self.encrypt()).decode('utf8'),
+            "iv": base64.standard_b64encode(self.iv).decode('utf8'),
             "version": self.VERSION,
             "cipher": "aes-256-cbc"
             }
@@ -78,11 +83,11 @@ def _generate_hmac(self):
 
     def to_dict(self):
         result = super(EncryptorVersion2, self).to_dict()
-        result['hmac'] = base64.standard_b64encode(self.hmac)
+        result['hmac'] = base64.standard_b64encode(self.hmac).decode('utf8')
         return result
 
 def get_decryption_version(data):
-    if data.has_key('version'):
+    if 'version' in data:
         if str(data['version']) in map(str, EncryptedDataBagItem.SUPPORTED_ENCRYPTION_VERSIONS):
             return data['version']
         else:
@@ -99,7 +104,7 @@ def create_decryptor(key, data):
 
 class DecryptorVersion1(object):
     def __init__(self, key, data, iv):
-        self.key = hashlib.sha256(key).digest()
+        self.key = hashlib.sha256(key.encode('utf8')).digest()
         self.data = base64.standard_b64decode(data)
         self.iv = base64.standard_b64decode(iv)
         self.decryptor = AES256Cipher(key=self.key, iv=self.iv)
@@ -120,10 +125,16 @@ def __init__(self, key, data, iv, hmac):
         self.encoded_data = data
 
     def _validate_hmac(self):
-        expected_hmac = hmac.new(self.key, self.encoded_data, hashlib.sha256).digest()
+        encoded_data = self.encoded_data.encode('utf8')
+
+        expected_hmac = hmac.new(self.key, encoded_data, hashlib.sha256).digest()
         valid = len(expected_hmac) ^ len(self.hmac)
-        for expected_char, candidate_char in itertools.izip_longest(expected_hmac, self.hmac):
-            valid |= ord(expected_char) ^ ord(candidate_char)
+        for expected_char, candidate_char in zip_longest(expected_hmac, self.hmac):
+            if sys.version_info[0] > 2:
+                valid |= expected_char ^ candidate_char
+            else:
+                valid |= ord(expected_char) ^ ord(candidate_char)
+            
         return valid == 0
 
     def decrypt(self):

chef/tests/test_aes.py

@@ -10,14 +10,15 @@
 class AES256CipherTestCase(ChefTestCase):
     def setUp(self):
         super(AES256CipherTestCase, self).setUp()
-        key = hashlib.sha256(open(os.path.join(TEST_ROOT, 'encryption_key')).read()).digest()
+        enc_key = open(os.path.join(TEST_ROOT, 'encryption_key')).read()
+        key = hashlib.sha256(enc_key.encode('utf8')).digest()
         iv = base64.standard_b64decode('GLVikZLxG0SWYnb68Pr8Ag==\n')
         self.cipher = AES256Cipher(key, iv)
 
     def test_encrypt(self):
         encrypted_value = self.cipher.encrypt('{"json_wrapper":"secr3t c0d3"}')
-        self.assertEquals(base64.standard_b64encode(encrypted_value).strip(), "Ym5T8umtSd0wgjDYq1ZDK5dAh6OjgrTxlloGNf2xYhg=")
+        self.assertEquals(base64.standard_b64encode(encrypted_value).strip(), "Ym5T8umtSd0wgjDYq1ZDK5dAh6OjgrTxlloGNf2xYhg=".encode('utf8'))
 
     def test_decrypt(self):
         decrypted_value = self.cipher.decrypt(base64.standard_b64decode('Ym5T8umtSd0wgjDYq1ZDK5dAh6OjgrTxlloGNf2xYhg=\n'))
-        self.assertEquals(decrypted_value, '{"json_wrapper":"secr3t c0d3"}')
+        self.assertEquals(decrypted_value, '{"json_wrapper":"secr3t c0d3"}'.encode('utf8'))