add secrets and encrypt system to organization

2024-02-23 10:58:14 +01:00 · 2024-02-23 10:58:14 +01:00 · 365c58d87a
parent 22bca789bc
commit 365c58d87a
1 changed files with 66 additions and 0 deletions
--- a/oidc4vp/models.py
+++ b/oidc4vp/models.py
@ -1,6 +1,11 @@
 import json
 import requests
 import secrets
+import nacl
+import base64
+
+from nacl import pwhash, secret
+from django.core.cache import cache

 from django.conf import settings
 from django.http import QueryDict
@ -64,6 +69,8 @@ class Organization(models.Model):
        help_text=_("Url where to send the verificable presentation"),
        max_length=250
    )
+    encrypted_sensitive_data = models.CharField(max_length=255)
+    salt = models.CharField(max_length=255)

    def send(self, vp, code):
        """
@ -90,6 +97,65 @@ class Organization(models.Model):
        auth = (self.my_client_id, self.my_client_secret)
        return requests.get(url, auth=auth)

+    def derive_key_from_password(self, password=None):
+        if not password:
+            password = cache.get("KEY_DIDS").encode('utf-8')
+
+        kdf = pwhash.argon2i.kdf
+        ops = pwhash.argon2i.OPSLIMIT_INTERACTIVE
+        mem = pwhash.argon2i.MEMLIMIT_INTERACTIVE
+        return kdf(
+            secret.SecretBox.KEY_SIZE,
+            password,
+            self.get_salt(),
+            opslimit=ops,
+            memlimit=mem
+        )
+
+    def decrypt_sensitive_data(self, data=None):
+        sb_key = self.derive_key_from_password()
+        sb = secret.SecretBox(sb_key)
+        if not data:
+            data = self.get_encrypted_sensitive_data()
+        if not isinstance(data, bytes):
+            data = data.encode('utf-8')
+
+        return sb.decrypt(data).decode('utf-8')
+
+    def encrypt_sensitive_data(self, data):
+        sb_key = self.derive_key_from_password()
+        sb = secret.SecretBox(sb_key)
+        if not isinstance(data, bytes):
+            data = data.encode('utf-8')
+        
+        return base64.b64encode(sb.encrypt(data)).decode('utf-8')
+
+    def get_salt(self):
+        return base64.b64decode(self.salt.encode('utf-8'))
+
+    def set_salt(self):
+        self.salt = base64.b64encode(nacl.utils.random(16)).decode('utf-8')
+
+    def get_encrypted_sensitive_data(self):
+        return base64.b64decode(self.encrypted_sensitive_data.encode('utf-8'))
+
+    def set_encrypted_sensitive_data(self):
+        key = base64.b64encode(nacl.utils.random(64))
+        self.set_salt()
+
+        key_crypted = self.encrypt_sensitive_data(key)
+        self.encrypted_sensitive_data = key_crypted
+
+    def change_password_key(self, new_password):
+        data = self.decrypt_sensitive_data()
+        sb_key = self.derive_key_from_password(new_password)
+        sb = secret.SecretBox(sb_key)
+        if not isinstance(data, bytes):
+            data = data.encode('utf-8')
+        
+        encrypted_data = base64.b64encode(sb.encrypt(data)).decode('utf-8')
+        self.encrypted_sensitive_data = encrypted_data
+
    def __str__(self):
        return self.name