o ɶdTO@s ddlZddlZddlZddlZddlmZddlmZddlm Z m Z ddl m Z ddl mZmZddlmZmZddlmZmZmZdd lmZmZmZmZdd lmZdd lmZe e!d d dZ"e"Z#ddZ$ddZ%GdddeZ&GdddeZ'ddZ(dS)N)six)default_backend)Ciphermodes)Lock)serialize_headerdeserialize_header_from_stream)EncryptedDataHeader$EncryptedDataHeaderDataEncryptionKey)DEFAULT_MAX_GCM_ENCRYPTION_SIZEDEFAULT_ALGORITHM$DEFAULT_MAX_ENCRYPTION_SIZE_SENTINEL)convert_to_bytesconvert_to_strgenerate_random_iv$convert_encryption_context_to_string) Algorithm)CryptoResultStreamcCsjd}t|tkr-d}t|} |t}|||}t|dkr" |S||j|d7}|}q|j|d}|S)NrT)data)len2MAX_ENCRYPTOR_DECRYPTOR_UPDATE_CHUNK_SIZE_IN_BYTES memoryviewupdate)ZcryptorrresultZ start_indexmemviewZ end_indexZ next_datarEusr/lib/python3.10/site-packages/oci/encryption/internal/streaming.py_update_cryptor_with_data(s    r!c Cs|durdSt|tstdg}g}g}t|D]7\}}ttkr't|ts-t|tjs3||n | dr=||ttkrFt|tsLt|tjsQ||q|sV|rbtd t|t||rmt d t|zt |WdSt y}z t d t|d}~ww)Nz!encryption_context must be a dictzoci-zjencryption_context must be a dict with string keys and string values. Invalid keys: {}. Invalid values: {}zKencryption_context cannot contain keys with prefix 'oci-'. Invalid keys: {}z7encryption_context must be JSON serializable. Error: {}) isinstancedict TypeErrorrZ iteritemsstrbytesZ string_typesappend startswithformat ValueErrorjsondumps)encryption_contextZ invalid_keysZinvalid_valuesZinvalid_prefix_keyskeyvalueerrr _validate_encryption_context<sF       r1c@s\eZdZedfddZddZddZdd Zd d Zd d Z ddZ ddZ dddZ dS)StreamEncryptorNcCst|_||_|jstd|j|j|_||_t|||_ t t ||_ t |jj|_t|j|jj|j|jtd}||_d|_|ture|jjjtjjkr[t|_ntdt|j|durut|tsrt d||_d|_!d|_"d|_#d|_$d|_%t&|_'d|_(dS) a Provides a stream that wraps 'stream_to_encrypt' and allows reading data from the underlying stream encrypted under the provided master key. :param int max_encryption_size: (optional) Max number of bytes able to be encrypted by this StreamEncryptor. The default value differs based on the algorithm used. For GCM (the default algorithm) the default value is 2147483647 bytes. This is provided mainly for use with authenticated encryption algorithms that require verification of an authentication tag upon decryption. Because decrypting using these algorithms will buffer the entire payload into memory before returning it, this max_encryption_size provides a sanity check against encrypting payloads too large to decrypt. This is possible because encryption does not require holding the entire payload in memory. The 2147483647 byte limit was chosen because that is the maximum number of bytes that can be encrypted or decrypted by the OCI Java SDK. This is to avoid users accidentally encrypting payloads in Python that cannot be decrypted in Java. Explicitly passing this value as None will disable the size check and allow encrypting payloads up to the maximum size supported by the algorithm. :param dict encryption_context: (optional) Optional additional data to be provided as input to authenticated encryption algorithms. This must be a dict with keys that are strings and values that are strings. Keys may NOT match the prefix oci-* as that namespace is reserved for OCI internal keys that may be added to the AAD. zNmaster_key_provider must contain a primary master key in order to encrypt data algorithmmodeZbackendNz#Unrecognized algorithm provided: {}z/argument max_encryption_size must be an integerrrF))r _algorithmZget_primary_master_key_primary_master_keyr*Zgenerate_data_encryption_key_data_encryption_key_stream_to_encryptr1_encryption_contextrr_encryption_context_bytesrZiv_lenivrr4Zplaintext_key_bytesr5r encryptor_max_encryption_sizer namerZGCMr r)r%r"intr$_header_content_buffer_bytes_written_total_bytes_written_excluding_header _finalizedr_lock_closed)selfmaster_key_providerZstream_to_encryptZmax_encryption_sizer-cipherrrr __init__hsL     zStreamEncryptor.__init__cCsFt|j|jj|jj|jjdg}t||j|j j |j d}t |dS)N) master_key_idvault_idregionencrypted_data_key_bytes)encrypted_data_keysiv_bytes algorithm_id#additional_authenticated_data_bytes)encrypted_data_header) r r7Zget_identifierrMrNr8Zencrypted_key_bytesr r<r6idr;r)rHrPrTrrr _build_header_contents  z%StreamEncryptor._build_header_contentcCs>|jdtj}|jdtj|j}|j|||S)Nr)r9seekosSEEK_CURSEEK_ENDtell)rHZcur_poslengthrrr =_get_bytes_remaining_in_stream_to_encrypt_using_seek_and_tells   zMStreamEncryptor._get_bytes_remaining_in_stream_to_encrypt_using_seek_and_tellcCs||j|}|dkr't|jdr't|jdr't|jdr'|jr'|j|}|jdur:||jkr _max_encryption_size bytes. Total bytes requested to encrypt: {}. Max encryption size: {}.)rDhasattrr9r_r]r>r*r))rHsize_of_next_readZ!_total_bytes_requested_to_encryptrrr _enforce_max_encryption_sizes.   z,StreamEncryptor._enforce_max_encryption_sizecC|SNrrHrrr __enter__zStreamEncryptor.__enter__cC |dSrdcloserHtyper/ tracebackrrr __exit__ zStreamEncryptor.__exit__cC4|jzd|_d|_W|jdS|jwNTrrFacquirerGrBreleasererrr rj zStreamEncryptor.closecCs|jSrd)r:rerrr get_encryption_contextsz&StreamEncryptor.get_encryption_contextr^c Cs|jz|jr td|dkrW|jdS|dk}|js7||_|j|j7_|jr7|j |j|j |d|j s|t |jksI|r|rNd}n|t |j}d}|rat|j}nt|j|}t |}t|j |}||kpx|}|r||j |j j7}d|_ |j|7_|r|jdd}d|_n|jd|}|j|d|_|jt |7_|jt |jkr|jt |j|_nd|_|j dd|W|jS|jw)  Read up to size bytes from the object and return them. As a convenience, if size is unspecified or -1, all bytes until EOF are returned. If 0 bytes are returned, and size was not 0, this indicates end of file. :param int size: (optional) The number of bytes to attempt to read from the underlying stream. :rtype: bytes Cannot read from closed streamrrr^)raFTN)rFrsrGr*rtrArVrBr;r=authenticate_additional_datarbrErrr9readr!finalizetagrCrD) rHsizeREAD_ALLZsize_to_read_into_bufferZ reached_endZbytes_to_encryptZtotal_bytes_to_encrypt_sizeZ ciphertextoutputrrr rzsh K      zStreamEncryptor.readr^) __name__ __module__ __qualname__r rKrVr]rbrfrnrjrvrzrrrr r2gs R r2c@sNeZdZddZddZddZddZd d Zd d Zd dZ dddZ dS)StreamDecryptorcCsB||_||_d|_d|_d|_d|_d|_i|_t|_ d|_ dS)a Returns a StreamDecryptor which produces decrypted data based on the underlying stream supplied as 'stream_to_decrypt'. :param oci.encryption.MasterKeyProvider master_key_provider: (required) A MasterKeyProvider to use for decrypting the data. :param stream stream_to_encrypt: (required) The stream to be decrypted. NrF) _stream_to_decrypt_master_key_provider _decryptorr6rB_header_deserializedrEr:rrFrG)rHZstream_to_decryptrIrrr rK`s  zStreamDecryptor.__init__cCrcrdrrerrr rfyrgzStreamDecryptor.__enter__cCrhrdrirkrrr rn|rozStreamDecryptor.__exit__cCrprqrrrerrr rjruzStreamDecryptor.closecsfddtD}|stdj|d|_jd}|jj|j|j |j d}| |j }t |}t|j||jjtd}||_tjrattj|_|jjdSdS)Ncsg|] }j|jkr|qSr)rRrU).0Zalgoheaderrr szMStreamDecryptor._init_decryptor_and_header_related_fields..zGCould not decrypt payload encrypted using unrecognized algorithm ID: {}r)rLrMrNr3)rr*r)rRr6rPrZget_master_keyrLrMrNZdecryptrObase64 b64decoderr4r5rQrZ decryptorrrrSr+loadsrr:ry)rHrZmatching_algosZencrypted_data_keyZprimary_master_keyZdecrypted_dek_bytesZdek_plaintext_bytesrJrrr )_init_decryptor_and_header_related_fieldss@       z9StreamDecryptor._init_decryptor_and_header_related_fieldscCs6|js|jr tdd|_t|j}||dSdS)NrxT)rrGr*rrr)rHrrrr _handle_headers zStreamDecryptor._handle_headercCs2|jz ||jW|jS|jwrd)rFrsrr:rtrerrr rvs z&StreamDecryptor.get_encryption_contextr^cCs|jzw|jr td|dkrW|jdS||dk}|jsUd|_tt|j }||j j d}|d|j j }t |j |}||j |7}|j|7_|rb|jdd}d|_n|jd|}t|j}||d|_|W|jS|jw)rwrxrrr^TN)rFrsrGr*rtrrEr_read_full_stream_contentrr6Ztag_lenr!rZfinalize_with_tagrBr)rHr}r~Zbytes_to_decryptr|Zdecrypted_datarrrrr rzs6 ( zStreamDecryptor.readNr) rrrrKrfrnrjrrrvrzrrrr r_s ) rcCs t|dr t|jSt|S)Nreadall)r`rrrz)streamrrr rs   r))rXrmathr+Z oci._vendorrZcryptography.hazmat.backendsrZ&cryptography.hazmat.primitives.ciphersrr threadingrZ%oci.encryption.internal.serializationrrZoci.encryption.internal.modelsr r Z oci.encryption.internal.defaultsr r r Zoci.encryption.internal.utilsrrrrZoci.encryption.algorithmsrZoci.encryption.modelsrr@powZMAX_32_BIT_SIGNED_INTEGERrr!r1r2rrrrrr s.     +y #