How to get jCryption to work with Django and python-rsa (or another Python library)


I want to send secret data to the client, so I want to encrypt it.

I'm using jCryption on the client side. It uses a handshake at the beginning of the connection; the procedure happens as follows:

  1. The client generates a random AES password.
  2. The client requests the RSA public key from the server.
  3. The server sends it.
  4. The client uses the RSA public key to encrypt the password and sends it to the server.
  5. From now on, both use the password to encrypt the data they send each other.

My problem is in the step of sending the password encrypted with RSA (step 4), since jCryption sends it in hex format, while python-rsa expects a binary string or an integer.

How can I convert jCryption's output into a format python-rsa can deal with, or is there a library that can?

The RSA ciphertext (from python-rsa) looks like this:

    to\xa75[\x9a\x07s4\x86\xbc\xae\xe3\xd5s)1\x0cd5\xdfy\xf7\xeds9\xf3~\n\x9fa$\xa9\xfb;\x04\x1e\x18\xf4\xea\x7f\x91\xd9\xb7[\xd3\x138\xb6b\x9c\xb6\x1b\xe7\x11\x9ab\x1d@`y\x9c0\xe8\xb6!\x8b~lg\xabo\xbeny\xf7xu\x89yw\xb0\xda@\x10\x0c\xe7\x85\x9bx\x8f\x02e\xdalf|\xa6\x0e\x8e\x8e\x9d\xd8=\x9bqlo7\x0fd\x19/]t?\xf1\x96\x1b\xb9\x8bv\xb4\xb4rs\x1c\xb9

and the data sent by jCryption looked like this:

    11a6ebb863c379255df711aba86ad3986d6ecc33402a1596e6036b8d33f41932909a3e8c10cc4e0d2ece5f369808020ac7241a4285c80e6e483a1f6b43d933149961f50b72a808c769d39215ce08c33cfdb543b68bb0cf644f32dccf7eb90547290d47b96758449df3e7d4ec 2b50aef21ff4735c79f74bf5214ff356e4338ff2b292110ad537d160e41e34b350c7bc857601a943f915285e62f308fb6bd61d275321b68fbf27a52fbffc27b9ad15810795ccdea6d9776246b84b00503c2711d49a3f101af6f2c822d697a71aeca684e20328071ce84da907
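The question's actual problem is the encoding step: the JavaScript side emits each RSA block as a hex number (a bigint printed with `toString(16)`, so without leading-zero padding), while python-rsa wants either an integer (its unpadded helper `rsa.core.decrypt_int(c, d, n)`) or bytes (its padded API `rsa.decrypt`). The following stdlib-only script is an added example, not code from the question, the answer, jCryption or python-rsa. It assumes that each space-separated hex group is one RSA ciphertext integer, as the sample output above suggests; how jCryption packs the plaintext into a block is not shown on this page, so the 0x01 marker byte and the unpadded (textbook) RSA used here are illustrative only, and the key size is kept small so it runs in a second.

```python
"""Convert jCryption-style hex RSA blocks into the integer/bytes forms python-rsa accepts.

Added example (not from the question, the answer, jCryption or python-rsa).
Stdlib only; needs Python 3.8+ for pow(e, -1, phi).
"""
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with a small trial-division prefilter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit forced to 1, odd)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((e, n), (d, n)). 512 bits is for the demo only; deployments use >= 2048."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse of e
    return (e, p * q), (d, p * q)


def encrypt_to_hex_blocks(message, pub):
    """Client side (what the JS would do): split, RSA-encrypt each block, join hex with spaces.

    Textbook RSA without padding, to show the encoding only. The leading 0x01 marker byte
    keeps leading zero bytes of a block intact and guarantees m != 0; it is an assumption of
    this example, not jCryption's scheme.
    """
    e, n = pub
    payload = (n.bit_length() - 1) // 8 - 1  # marker + payload must stay below the modulus
    blocks = [message[i:i + payload] for i in range(0, len(message), payload)]
    out = []
    for block in blocks:
        m = int.from_bytes(b'\x01' + block, 'big')
        out.append(format(pow(m, e, n), 'x'))  # bigint -> hex, no zero padding, like JS
    return ' '.join(out)


def decrypt_hex_blocks(hex_blocks, priv):
    """Server side: hex text -> int -> RSA decrypt -> bytes, block by block.

    int(block, 16) is the conversion the question asks for; pow(c, d, n) is exactly what
    python-rsa's rsa.core.decrypt_int(c, d, n) computes, and the to_bytes call mirrors
    rsa.transform.int2bytes.
    """
    d, n = priv
    plain = b''
    for block in hex_blocks.split():
        c = int(block, 16)
        if c >= n:
            raise ValueError('ciphertext block not below the modulus: wrong key or corrupt data')
        m = pow(c, d, n)
        plain += m.to_bytes((m.bit_length() + 7) // 8, 'big')[1:]  # drop the marker byte
    return plain


def hex_block_to_bytes(block, n):
    """For python-rsa's padded API (rsa.decrypt takes bytes): left-pad the hex to the modulus
    byte length, because bigint.toString(16) drops leading zeros and bytes.fromhex rejects
    odd-length input."""
    size = (n.bit_length() + 7) // 8
    return int(block, 16).to_bytes(size, 'big')


if __name__ == '__main__':
    pub, priv = generate_keypair(512)
    secret = b'\x00\x00constructed-aes-password-' + bytes(range(100))  # constructed sample
    wire = encrypt_to_hex_blocks(secret, pub)
    print(wire)
    assert decrypt_hex_blocks(wire, priv) == secret
```

With real python-rsa keys the two calls are `rsa.core.decrypt_int(int(block, 16), priv.d, priv.n)` for the unpadded form and `rsa.decrypt(hex_block_to_bytes(block, priv.n), priv)` for the padded one; the latter raises `rsa.pkcs1.DecryptionError` when the client did not apply PKCS#1 v1.5 padding, which is the first thing to check when the conversion looks right but decryption still fails. Textbook RSA as used in the demo is deterministic and malleable, which is why the padded API exists and why the accepted approach below ends with "use HTTPS".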

OK, I've done the quest. First I want to say that it's easier to obtain a free Let's Encrypt cert and use HTTPS, which I did later.

For this solution you need openssl installed.

Let's write the views for our AJAX calls.

Getting the public key. If you don't have one in the project directory, generate a pair.

    import os
    from subprocess import check_call

    from django.conf import settings
    from django.http import JsonResponse


    def public_key(req):
        priv_path = os.path.join(settings.BASE_DIR, 'form_key.pem')
        pub_path = os.path.join(settings.BASE_DIR, 'form_key_pub.pem')
        # Generate a 4096-bit key pair with openssl if there is none yet
        if not os.path.isfile(priv_path) or not os.path.isfile(pub_path):
            check_call(['openssl', 'genrsa', '-out', priv_path, '4096'])
            check_call(['openssl', 'rsa', '-pubout', '-in', priv_path, '-out', pub_path])
        with open(pub_path) as f:
            key = f.read()
        return JsonResponse({"publickey": key})

OK, the handshake. To CSRF-protect the view you would need to patch the jCryption JavaScript library, which I didn't. We save the AES key in the session storage here.

    import os
    import re
    from base64 import b64decode
    from subprocess import Popen, PIPE

    from django.conf import settings
    from django.http import Http404, JsonResponse
    from django.views.decorators.csrf import csrf_exempt


    @csrf_exempt
    def handshake(req):
        # Python 2 code: str is bytes, so the openssl pipes take the values directly
        if req.method == 'POST':
            encb64key = req.POST['key']
            encb64key = re.sub(r'[^A-Za-z0-9/=+]', '', encb64key)
            enckey = b64decode(encb64key)
            # Decrypt the client's AES password with our RSA private key
            openssl = Popen(['openssl', 'rsautl', '-decrypt', '-inkey',
                             os.path.join(settings.BASE_DIR, 'form_key.pem')],
                            stdin=PIPE, stdout=PIPE, stderr=PIPE)
            key, stderr = openssl.communicate(enckey)
            print(stderr)
            key = re.sub(r'[^A-Za-z0-9]', '', key)
            req.session['form_key'] = key
            # The challenge is the key encrypted with itself, base64 encoded
            openssl = Popen(['openssl', 'enc', '-aes-256-cbc', '-pass', 'pass:' + key, '-a', '-e'],
                            stdin=PIPE, stdout=PIPE, stderr=PIPE)
            enckey, stderr = openssl.communicate(key)
            print(stderr)
            enckey = re.sub(r'[^A-Za-z0-9/+=]', '', enckey)
            return JsonResponse({'challenge': enckey})
        raise Http404()

Let's choose URLs for the views in urls.py:

    from django.conf.urls import url
    from myapp.views import public_key, handshake

    urlpatterns = [
        url(r'^pubkey', public_key, name='publickey'),
        url(r'^handshake', handshake, name='handshake'),
    ]

And now the tricky part: our own middleware. You need to add it to MIDDLEWARE_CLASSES in settings.py, as 'myapp.views.JCryptionMiddleware' if you place it in myapp's views.py file.

The trick is that the form's POST data arrives encrypted in the 'jCryption' attribute. The middleware decrypts the data in that attribute and rewrites the POST data in the request object with it. Read about middleware in the Django documentation.

    import re
    from base64 import b64decode
    from subprocess import Popen, PIPE


    class JCryptionMiddleware(object):
        def process_view(self, request, callback, callback_args, callback_kwargs):
            jcryptedb64 = request.POST.get('jCryption', '')
            if jcryptedb64:
                try:
                    jcrypted = b64decode(jcryptedb64)
                    # Decrypt with the AES key saved in the session during the handshake
                    p = Popen(['openssl', 'enc', '-aes-256-cbc', '-pass',
                               'pass:' + request.session['form_key'], '-d'],
                              stdin=PIPE, stdout=PIPE, stderr=PIPE)
                    qstr, stderr = p.communicate(jcrypted)
                    print(stderr)
                    # Replace the POST QueryDict's contents with the decrypted query string
                    wasmutable = request.POST._mutable
                    request.POST._mutable = True
                    request.POST.__init__(qstr)
                    request.POST._mutable = wasmutable
                except Exception as e:
                    print(e)
            return None

And the client code in the page's form template:

    <script src="{{ STATIC_URL }}js/jquery.min.js"></script>
    <script src="{{ STATIC_URL }}js/jcryption.js"></script>
    <script>
    $(function() {
        $('form').jCryption({"getKeysURL": "/pubkey", "handshakeURL": "/handshake"});
    });
    </script>

See the URLs in our urls.py.

For example, you can encrypt the admin login form. Copy login.html from django.contrib.admin's templates/admin/login.html and add the JavaScript code to the template.

Ta-da! Don't use this, use HTTPS.
