diff --git a/src/cryptography/fernet.py b/src/cryptography/fernet.py index 64c12c69a84d..c2e01fc50210 100644 --- a/src/cryptography/fernet.py +++ b/src/cryptography/fernet.py @@ -12,8 +12,6 @@ from cryptography import utils from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.backends import _get_backend -from cryptography.hazmat.backends.interfaces import Backend from cryptography.hazmat.primitives import hashes, padding from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.hazmat.primitives.hmac import HMAC @@ -30,10 +28,8 @@ class Fernet(object): def __init__( self, key: typing.Union[bytes, str], - backend: typing.Optional[Backend] = None, + backend: typing.Any = None, ): - backend = _get_backend(backend) - key = base64.urlsafe_b64decode(key) if len(key) != 32: raise ValueError( @@ -42,7 +38,6 @@ def __init__( self._signing_key = key[:16] self._encryption_key = key[16:] - self._backend = backend @classmethod def generate_key(cls) -> bytes: @@ -63,7 +58,8 @@ def _encrypt_from_parts( padder = padding.PKCS7(algorithms.AES.block_size).padder() padded_data = padder.update(data) + padder.finalize() encryptor = Cipher( - algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend + algorithms.AES(self._encryption_key), + modes.CBC(iv), ).encryptor() ciphertext = encryptor.update(padded_data) + encryptor.finalize() @@ -71,7 +67,7 @@ def _encrypt_from_parts( b"\x80" + struct.pack(">Q", current_time) + iv + ciphertext ) - h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) + h = HMAC(self._signing_key, hashes.SHA256()) h.update(basic_parts) hmac = h.finalize() return base64.urlsafe_b64encode(basic_parts + hmac) 
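Review bot: In `Fernet.__init__` (hunk `@@ -30,10 +28,8 @@`) the `backend: typing.Any = None` parameter is still accepted but never read, so a caller who passes a specific backend object now silently gets whatever `Cipher` and `HMAC` select when called without one. Anyone who pinned a backend on purpose, for example for a compliance requirement, gets no signal that the choice was dropped. The signature should say so, e.g. `# backend is kept for backwards compatibility only and is ignored`, and the project may want a deprecation warning when a non-None value is passed. The later hunks in this file (`_encrypt_from_parts`, `_verify_signature`, `_decrypt_data`) depend on the same default selection, and with `test_default_backend` deleted from tests/test_fernet.py nothing visible in this diff checks that `Fernet(key, backend=...)` still constructs a working instance. The body of `__init__` continues outside this hunk.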
@@ -118,7 +114,7 @@ def _get_unverified_token_data(token: bytes) -> typing.Tuple[int, bytes]: return timestamp, data def _verify_signature(self, data: bytes) -> None: - h = HMAC(self._signing_key, hashes.SHA256(), backend=self._backend) + h = HMAC(self._signing_key, hashes.SHA256()) h.update(data[:-32]) try: h.verify(data[-32:]) @@ -144,7 +140,7 @@ def _decrypt_data( iv = data[9:25] ciphertext = data[25:-32] decryptor = Cipher( - algorithms.AES(self._encryption_key), modes.CBC(iv), self._backend + algorithms.AES(self._encryption_key), modes.CBC(iv) ).decryptor() plaintext_padded = decryptor.update(ciphertext) try: diff --git a/src/cryptography/hazmat/backends/__init__.py b/src/cryptography/hazmat/backends/__init__.py index 64eedecb57e4..775689cb14a3 100644 --- a/src/cryptography/hazmat/backends/__init__.py +++ b/src/cryptography/hazmat/backends/__init__.py @@ -2,26 +2,10 @@ # 2.0, and the BSD License. See the LICENSE file in the root of this repository # for complete details. -import typing - from cryptography.hazmat.backends.interfaces import Backend -_default_backend: typing.Optional[Backend] = None - def default_backend() -> Backend: - global _default_backend - - if _default_backend is None: - from cryptography.hazmat.backends.openssl.backend import backend - - _default_backend = backend - - return _default_backend - + from cryptography.hazmat.backends.openssl.backend import backend -def _get_backend(backend: typing.Optional[Backend]) -> Backend: - if backend is None: - return default_backend() - else: - return backend + return backend diff --git a/tests/hazmat/backends/test_no_backend.py b/tests/hazmat/backends/test_no_backend.py deleted file mode 100644 index 282238d70843..000000000000 --- a/tests/hazmat/backends/test_no_backend.py +++ /dev/null 
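Review bot: `_get_backend` is deleted from `src/cryptography/hazmat/backends/__init__.py` (hunk `@@ -2,26 +2,10 @@`), but the only non-test caller updated in this diff is `fernet.py`. Any other module in the package that still does `from cryptography.hazmat.backends import _get_backend` would fail at import time; that cannot be checked from the lines shown, so it is worth searching the tree before merging. Separately, the rewritten `default_backend()` has no docstring; something like `"""Return the OpenSSL backend object; the import is done inside the function rather than at module import."""` would record the deferred import. The identity that `test_is_default_backend` asserts now rests on Python's module cache rather than on the removed `_default_backend` global.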
@@ -1,15 +0,0 @@ -# This file is dual licensed under the terms of the Apache License, Version -# 2.0, and the BSD License. See the LICENSE file in the root of this repository -# for complete details. - - -from cryptography.hazmat.backends import _get_backend, default_backend - - -def test_get_backend_no_backend(): - assert _get_backend(None) is default_backend() - - -def test_get_backend(): - faux_backend = object() - assert _get_backend(faux_backend) is faux_backend # type: ignore[arg-type] diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index af9cb343e90f..2ca62a03aff9 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -13,6 +13,7 @@ from cryptography import utils, x509 from cryptography.exceptions import InternalError, _Reasons +from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends.openssl.backend import backend from cryptography.hazmat.backends.openssl.ec import _sn_to_elliptic_curve from cryptography.hazmat.primitives import hashes, serialization @@ -58,6 +59,9 @@ class TestOpenSSL(object): def test_backend_exists(self): assert backend + def test_is_default_backend(self): + assert backend is default_backend() + def test_openssl_version_text(self): """ This test checks the value of OPENSSL_VERSION_TEXT. diff --git a/tests/test_fernet.py b/tests/test_fernet.py index a8a140e98266..d3090e04cf70 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -16,7 +16,6 @@ import pytest from cryptography.fernet import Fernet, InvalidToken, MultiFernet -from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.ciphers import algorithms, modes import cryptography_vectors 
@@ -33,11 +32,6 @@ def json_parametrize(keys, filename): ) -def test_default_backend(): - f = Fernet(Fernet.generate_key()) - assert f._backend is default_backend() - - @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( algorithms.AES(b"\x00" * 32), modes.CBC(b"\x00" * 16)