crypto_secretbox.py 2.8 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586
  1. # Copyright 2013 Donald Stufft and individual contributors
  2. #
  3. # Licensed under the Apache License, Version 2.0 (the "License");
  4. # you may not use this file except in compliance with the License.
  5. # You may obtain a copy of the License at
  6. #
  7. # http://www.apache.org/licenses/LICENSE-2.0
  8. #
  9. # Unless required by applicable law or agreed to in writing, software
  10. # distributed under the License is distributed on an "AS IS" BASIS,
  11. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. # See the License for the specific language governing permissions and
  13. # limitations under the License.
  14. from nacl import exceptions as exc
  15. from nacl._sodium import ffi, lib
  16. from nacl.exceptions import ensure
  17. crypto_secretbox_KEYBYTES: int = lib.crypto_secretbox_keybytes()
  18. crypto_secretbox_NONCEBYTES: int = lib.crypto_secretbox_noncebytes()
  19. crypto_secretbox_ZEROBYTES: int = lib.crypto_secretbox_zerobytes()
  20. crypto_secretbox_BOXZEROBYTES: int = lib.crypto_secretbox_boxzerobytes()
  21. crypto_secretbox_MACBYTES: int = lib.crypto_secretbox_macbytes()
  22. crypto_secretbox_MESSAGEBYTES_MAX: int = (
  23. lib.crypto_secretbox_messagebytes_max()
  24. )
  25. def crypto_secretbox(message: bytes, nonce: bytes, key: bytes) -> bytes:
  26. """
  27. Encrypts and returns the message ``message`` with the secret ``key`` and
  28. the nonce ``nonce``.
  29. :param message: bytes
  30. :param nonce: bytes
  31. :param key: bytes
  32. :rtype: bytes
  33. """
  34. if len(key) != crypto_secretbox_KEYBYTES:
  35. raise exc.ValueError("Invalid key")
  36. if len(nonce) != crypto_secretbox_NONCEBYTES:
  37. raise exc.ValueError("Invalid nonce")
  38. padded = b"\x00" * crypto_secretbox_ZEROBYTES + message
  39. ciphertext = ffi.new("unsigned char[]", len(padded))
  40. res = lib.crypto_secretbox(ciphertext, padded, len(padded), nonce, key)
  41. ensure(res == 0, "Encryption failed", raising=exc.CryptoError)
  42. ciphertext = ffi.buffer(ciphertext, len(padded))
  43. return ciphertext[crypto_secretbox_BOXZEROBYTES:]
  44. def crypto_secretbox_open(
  45. ciphertext: bytes, nonce: bytes, key: bytes
  46. ) -> bytes:
  47. """
  48. Decrypt and returns the encrypted message ``ciphertext`` with the secret
  49. ``key`` and the nonce ``nonce``.
  50. :param ciphertext: bytes
  51. :param nonce: bytes
  52. :param key: bytes
  53. :rtype: bytes
  54. """
  55. if len(key) != crypto_secretbox_KEYBYTES:
  56. raise exc.ValueError("Invalid key")
  57. if len(nonce) != crypto_secretbox_NONCEBYTES:
  58. raise exc.ValueError("Invalid nonce")
  59. padded = b"\x00" * crypto_secretbox_BOXZEROBYTES + ciphertext
  60. plaintext = ffi.new("unsigned char[]", len(padded))
  61. res = lib.crypto_secretbox_open(plaintext, padded, len(padded), nonce, key)
  62. ensure(
  63. res == 0,
  64. "Decryption failed. Ciphertext failed verification",
  65. raising=exc.CryptoError,
  66. )
  67. plaintext = ffi.buffer(plaintext, len(padded))
  68. return plaintext[crypto_secretbox_ZEROBYTES:]