On Tue, Dec 4, 2012 at 1:26 AM, Sean Upton <[email protected]> wrote:
> For one of my add-ons, I need to sign trusted pickle data, and want: > In a related news, I had similar use case for encrypted in Archetypes field: https://github.com/miohtama/archetypes.encryptedfield > > (1) to use HMAC-SHA256 to sign a message. > > (2) want an easy -- as in "I do not want to think about managing my > own secret" easy -- way to use a per-site secret key. > > Is using the system secret from plone.keyring suitable here? Something > like: > > ## assume from this example that the local component site is set via > ## zope.component.hooks.setSite to a Plone site: > > # sign a pickle: > > >>> import hashlib > >>> import hmac > >>> import base64 > >>> import pickle > >>> from plone.keyring.interfaces import IKeyManager > >>> from zope.component import queryUtility > >>> from zope.component.hooks import setSite > >>> rawdata = {'this:'Arbitrary data woohoo!'} > >>> data = pickle.dumps(rawdata) > >>> secret = queryUtility(IKeyManager).secret() > >>> signature = hmac.new(secret, data, > digestmod=hashlib.sha256).hexdigest() > >>> payload = base64.b64encode(signature + data) > > > # read a pickle, assume identifier 'payload' has been read as a base64 > encoded > # string containing signature plus pickle data stream: > > > >>> input = base64.b64decode(payload) > >>> signature, msg = input[:64], input[64:] > >>> result = None > >>> if signature == hmac.new(secret, msg, > digestmod=hashlib.sha256).hexdigest(): > ... result = pickle.loads(msg) # signed, ergo trusted > ... > >>> > > My use case is something like session data (for lightweight form > wizard), but with a tiny dict of values that can easily fit after > serialization and signing into a <4KB cookie set by a browser view. > Given the small size of the dataset, I want to avoid using sessions > for unnecessary deployment complexity. > > Are there any drawbacks to using the system keyring secret for signing > (and trusting) data like this that I should be aware of? > > Sean > _______________________________________________ > Product-Developers mailing list > [email protected] > https://lists.plone.org/mailman/listinfo/plone-product-developers > > -- > Mikko Ohtamaa > <https://lists.plone.org/mailman/listinfo/plone-product-developers> > http://opensourcehacker.com > http://twitter.com/moo9000 > > > >
_______________________________________________ Product-Developers mailing list [email protected] https://lists.plone.org/mailman/listinfo/plone-product-developers
