From 1723845a90a696424593d8d44bbf0b21022b8b7d Mon Sep 17 00:00:00 2001
From: Jakob Schlyter
Date: Wed, 27 Apr 2022 12:22:14 +0200
Subject: [PATCH] if a pre-derived key is supplied to FernetEncrypter, prefer that to password/salt
---
 pyproject.toml | 2 +-
 src/cryptojwt/jwe/fernet.py | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/pyproject.toml b/pyproject.toml
index 48ec79da..a1c6d34c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -22,7 +22,7 @@ exclude_lines = [
 [tool.poetry]
 name = "cryptojwt"
-version = "1.8.1"
+version = "1.8.2"
 description = "Python implementation of JWT, JWE, JWS and JWK"
 authors = ["Roland Hedberg "]
 license = "Apache-2.0"
diff --git a/src/cryptojwt/jwe/fernet.py b/src/cryptojwt/jwe/fernet.py
index 90b02d31..1bdfd98a 100644
--- a/src/cryptojwt/jwe/fernet.py
+++ b/src/cryptojwt/jwe/fernet.py
@@ -25,7 +25,13 @@ def __init__(
 ):
 Encrypter.__init__(self)
- if password is not None:
+ if key is not None:
+ if not isinstance(key, bytes):
+ raise TypeError("Raw key must be bytes")
+ if len(key) != 32:
+ raise ValueError("Raw key must be 32 bytes")
+ self.key = base64.urlsafe_b64encode(key)
+ elif password is not None:
 _alg = getattr(hashes, hash_alg)
 # A bit special for SHAKE* and BLAKE* hashes
 if hash_alg.startswith("SHAKE") or hash_alg.startswith("BLAKE"):
@@ -35,12 +41,6 @@ def __init__(
 salt = as_bytes(salt) if salt else os.urandom(16)
 kdf = PBKDF2HMAC(algorithm=_algorithm, length=32, salt=salt, iterations=iterations)
 self.key = base64.urlsafe_b64encode(kdf.derive(as_bytes(password)))
- elif key is not None:
- if not isinstance(key, bytes):
- raise TypeError("Raw key must be bytes")
- if len(key) != 32:
- raise ValueError("Raw key must be 32 bytes")
- self.key = base64.urlsafe_b64encode(key)
 else:
 self.key = Fernet.generate_key()
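Review bot: When both `key` and `password` are passed, the new `if key is not None:` branch in `src/cryptojwt/jwe/fernet.py` wins and `password`, `salt`, `hash_alg` and `iterations` are dropped without any signal. A caller whose key was not derived from that password then produces tokens the password cannot decrypt. The precedence is deliberate per the commit subject, but nothing in the visible code states it; I would add `# A pre-derived key takes precedence; password, salt, hash_alg and iterations are ignored when key is given.` above the branch and repeat it in the constructor's docstring. The 32-byte check validates length only, so the same comment could say that `key` is expected to come from a KDF or a CSPRNG, not from a passphrase. `__init__` starts and ends outside the hunk, so whether a docstring already exists is not visible here.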