from cbencryption import AES256CryptoProvider
from couchbase.bucket import Bucket
from couchbase.crypto import InMemoryKeyStore
# Build an in-memory key store and load two keys into it. Both key values are
# literals in this file, so anyone who can read the source (or its history)
# holds the key material. That is acceptable for a sample only; real key
# material belongs in a secrets manager or KMS, not in code.
# NOTE(review): the key names are misleading. The algorithm registered below is
# AES-256-HMAC-SHA256, which is symmetric; 'mypublickey' is the id that shows
# up as "kid" in the encrypted field and its value is 32 bytes, so it is
# presumably the AES-256 key, with 'myprivatekey' as the HMAC key -- confirm
# against the provider. Neither value is public.
keystore = InMemoryKeyStore()
keystore.set_key('mypublickey', b'!mysecretkey#9^5usdk39d&dlf)03sL')
# NOTE(review): this value is a 14-byte, password-like string; a key used for
# HMAC-SHA256 should be random and at least as long as the hash output (32 bytes).
keystore.set_key('myprivatekey', b'myauthpassword')

# Create the provider from the key store and the two key ids, then register it
# on the bucket under the algorithm name used in the field spec.
provider = AES256CryptoProvider.AES256CryptoProvider(
    keystore,
    'mypublickey',
    'myprivatekey',
)
# NOTE(review): the bucket password is a literal, and the couchbase:// scheme
# is the non-TLS form (couchbases:// is the TLS one) -- presumably fine for a
# lab host, but the password and all traffic would cross the network in clear.
bucket = Bucket("couchbase://10.143.180.101:8091/default", password='password')
bucket.register_crypto_provider('AES-256-HMAC-SHA256', provider)

# Encrypt one field of a document. The 'alg' in the field spec has to match the
# name the provider was registered under, and the kid has to exist in the key store.
prefix = '__crypt_'
document = {'message': 'The old grey goose jumped over the wrickety gate.'}
fieldspec = [{'alg': 'AES-256-HMAC-SHA256', 'name': 'message'}]
encrypted_document = bucket.encrypt_fields(document, fieldspec, prefix)

# Reference output: the encrypted field is stored under prefix + field name.
expected = {
    "__crypt_message": {
        "alg": "AES-256-HMAC-SHA256",
        "kid": "mypublickey",
        "ciphertext": "sR6AFEIGWS5Fy9QObNOhbCgfg3vXH4NHVRK1qkhKLQqjkByg2n69lot89qFEJuBsVNTXR77PZR6RjN4h4M9evg==",
    },
}
# Drop everything except the algorithm name, key id and ciphertext before comparing.
def filter_encrypted(encrypted_dict):
    """Return a new dict holding only the "alg", "kid" and "ciphertext" entries.

    Only the keys of *encrypted_dict* itself are tested. Values that are
    dicts are not descended into, so a mapping keyed by field name (for
    example "__crypt_message") produces an empty dict.
    """
    wanted = {"alg", "kid", "ciphertext"}
    kept = {}
    for key, value in encrypted_dict.items():
        if key in wanted:
            kept[key] = value
    return kept
# NOTE(review): `expected` has a single top-level key, "__crypt_message", and
# filter_encrypted only tests top-level keys, so subset_expected is {}. If
# encrypted_document has the same shape (presumably -- confirm), subset_actual
# is {} as well and the assert below passes without ever comparing alg, kid or
# ciphertext. Filtering the nested entries (expected[prefix + 'message'] and
# its counterpart) would make the check real; whether the ciphertext is
# reproducible across runs depends on how the provider chooses its IV -- verify
# before pinning it.
subset_expected, subset_actual = (
    filter_encrypted(candidate) for candidate in (expected, encrypted_document)
)
assert subset_expected == subset_actual

# Round trip: decrypting with the registered provider must give back the
# original document. (Plain asserts are skipped when Python runs with -O.)
decrypted_document = bucket.decrypt_fields(encrypted_document, fieldspec, prefix)
assert decrypted_document == document