-rw-r--r-- | custodia.conf | 18 | ||||
-rw-r--r-- | custodia/store/enclite.py | 37 | ||||
-rw-r--r-- | enclite.sample.key | 1 | ||||
-rw-r--r-- | requirements.txt | 1 |
4 files changed, 57 insertions, 0 deletions
diff --git a/custodia.conf b/custodia.conf
index 79d7085..013d7e2 100644
--- a/custodia.conf
+++ b/custodia.conf
@@ -43,3 +43,21 @@ store = tenant1
 [/tenant1/secrets]
 handler = custodia.root.Secrets
 store = tenant1
+
+
+# Encstore example
+[store:encrypted]
+handler = custodia.store.enclite.EncryptedStore
+dburi = secrets.db
+table = enclite
+master_key = ./enclite.sample.key
+master_enctype = A128CBC-HS256
+
+[authz:encrypted]
+handler = custodia.secrets.Namespaces
+path = /enc/secrets/
+store = encrypted
+
+[/enc/secrets]
+handler = custodia.root.Secrets
+store = encrypted
diff --git a/custodia/store/enclite.py b/custodia/store/enclite.py
new file mode 100644
index 0000000..3641b9d
--- /dev/null
+++ b/custodia/store/enclite.py
@@ -0,0 +1,37 @@
+# Copyright (C) 2015 Custodia Project Contributors - see LICENSE file
+
+from custodia.store.sqlite import SqliteStore
+from jwcrypto.common import json_decode, json_encode
+from jwcrypto import jwk, jwe
+
+
+class EncryptedStore(SqliteStore):
+
+    def __init__(self, config):
+
+        super(EncryptedStore, self).__init__(config)
+
+        if 'master_key' not in config:
+            raise ValueError('Missing "master_key" for Encrypted Store')
+
+        with open(config['master_key']) as f:
+            data = f.read()
+            key = json_decode(data)
+            self.mkey = jwk.JWK(**key)  # pylint: disable=star-args
+
+        if 'master_enctype' in config:
+            self.enc = config['master_enctype']
+        else:
+            self.enc = 'A256CBC_HS512'
+
+    def get(self, key):
+        value = super(EncryptedStore, self).get(key)
+        E = jwe.JWE()
+        E.deserialize(value, self.mkey)
+        return E.payload.decode('utf-8')
+
+    def set(self, key, value, replace=False):
+        E = jwe.JWE(value, json_encode({'alg': 'dir', 'enc': self.enc}))
+        E.add_recipient(self.mkey)
+        cvalue = E.serialize(compact=True)
+        return super(EncryptedStore, self).set(key, cvalue, replace)
diff --git a/enclite.sample.key b/enclite.sample.key
new file mode 100644
index 0000000..debda57
--- /dev/null
+++ b/enclite.sample.key
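Review bot: The example store's `master_key = ./enclite.sample.key` points at the key file committed in this same change, so a deployment that copies the `[store:encrypted]` block unchanged runs with a master key that is public in the repository, and the relative path is presumably resolved against the daemon's working directory rather than the config file's location. The comment above the block should make that explicit, e.g. `# Encstore example - enclite.sample.key is a test-only key; generate a fresh one and point master_key at it by absolute path in real deployments`. The same applies to `dburi = secrets.db`, which lands wherever the process happens to be started.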
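Review bot: The fallback `self.enc = 'A256CBC_HS512'` in `__init__` is not a valid JWE `enc` name — RFC 7518 and the `A128CBC-HS256` used in custodia.conf spell it with a hyphen — so a store configured without `master_enctype` will presumably fail in `set()` when jwcrypto looks the algorithm up; replace the if/else with `self.enc = config.get('master_enctype', 'A256CBC-HS512')`. With `alg: dir` the `oct` key has to be exactly as long as the chosen enc requires (32 bytes for A128CBC-HS256, 64 for A256CBC-HS512), and the committed sample key decodes to 32 bytes, so it only works with the conf's A128CBC-HS256; checking the key length against `self.enc` when the key is loaded would turn a mismatch into a clear startup error instead of a failure on the first write. In `get()`, the value from `super().get(key)` goes straight into `E.deserialize()`; if the base store returns None for an absent key that surfaces as an opaque jwcrypto error rather than the base class's missing-key behaviour, so guard it with `if value is None: return None` before deserializing.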
@@ -0,0 +1 @@
+{"kty":"oct","k":"tnUJ1XMLOXJ7y95SWmEeq514-YSbVQVo1Hc8eLdxkTE"}
diff --git a/requirements.txt b/requirements.txt
index d718706..fbeaf8e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1,2 @@
 cherrypy
+jwcrypto