def _get_or_create_fernet_psk():
    """Return the Fernet pre-shared key, deriving and caching it on first use.

    The derived key is memoised in the module-level ``_fernet_psk`` under
    ``_fernet_lock`` so the PBKDF2 work is paid only once per process.
    The keying material is the MAAS shared secret read from the filesystem
    (typically /var/lib/maas/secret).

    :return: A urlsafe-base64-encoded 32-byte key accepted by ``Fernet``.
    :raises MissingSharedSecret: if no shared secret is present on disk.
    """
    global _fernet_psk
    with _fernet_lock:
        cached = _fernet_psk
        if cached is not None:
            return cached
        secret = get_shared_secret_from_filesystem()
        if secret is None:
            raise MissingSharedSecret("MAAS shared secret not found.")
        # PBKDF2HMAC takes the keying material as a byte string; the
        # shared secret is handed over unchanged.
        derivation = PBKDF2HMAC(
            algorithm=hashes.SHA256(),
            length=32,
            # The salt is deliberately empty: with a deterministic KDF every
            # party holding the same shared secret computes an identical
            # PSK without exchanging anything else. A per-deployment salt
            # (e.g. the maas_id) would be stronger, but every participant
            # would have to know it up front and the cached PSK format
            # would have to change.
            salt=b"",
            # A tunable iteration count would likewise need protocol
            # support and a new cache format, so the module default is
            # used as-is.
            iterations=DEFAULT_ITERATION_COUNT,
            backend=default_backend(),
        )
        raw_key = derivation.derive(secret)
        _fernet_psk = urlsafe_b64encode(raw_key)
        return _fernet_psk