
inspect fernet tokens generated by keystone

Project description

A tool for inspecting the contents of a Fernet token, local to the server it was generated from.

Installation

$ pip install fernet-inspector

Usage

>>> fernet-inspector -h
usage: fernet-inspector [-h] [-k KEY_REPOSITORY] token

Inspect the contents of a Keystone Fernet token from the host it was issued
from.

positional arguments:
  token                 token to decrypt

optional arguments:
  -h, --help            show this help message and exit
  -k KEY_REPOSITORY, --key-repository KEY_REPOSITORY
                        location of Fernet key repository.

You should be able to decrypt a Keystone Fernet token and get the resulting payload:

>>> fernet-inspector <token-to-decrypt>
[2, '\xb0>\xd9\x14\x03kF\xb3\x94\xc9@A\x9e\x12\xda\x0f', 1, 'Z\xce\xd8U5ZH\xf6\xae\xd8n@;\x9a\x98`', 1442338543.238753, ['\xf0\xa8\x03T\x07\xbaJk\x8c;G\x9cG\xab\xdfX']]

This tool is only meant to supply information about a token. It’s not intended to make assumptions about a particular token format in Keystone, or assertions about the order in which the data was packed.

Now you can map the payload to the appropriate payload class based on its first element, which is the token version. The first element is 2 in this case, which means we are dealing with a ProjectScopedPayload of the keystone.token.providers.fernet.token_formatter.py:TokenFormatter class. Note that the last element of this particular token is a list. Keystone token formats use lists for both audit IDs and group IDs. The audit ID, as Keystone generates it, is produced like:

base64.urlsafe_b64encode(uuid.uuid4().bytes)[:-2]

Group IDs within a list are likewise stored as bytes. When the fernet_inspector tool encounters a list of values in the payload, it leaves the values as is: the tool doesn't know enough about the order in which Keystone packs tokens to organize the data reliably, and doing so would require fernet_inspector to track upstream Keystone token formats in order to operate. Instead, fernet_inspector leaves values packed in lists in their UUID byte format. The values can still be computed from the UUID.bytes representation. For example, converting a UUID.bytes representation to a Keystone audit ID (Python 3 bytes literals; the original page shows the Python 2 str form):

>>> import base64
>>> base64.urlsafe_b64encode(b'\x80w\x02D\x1a\xa4M\xec\xb2\xea\nB\x87\x86\x14\x18')
b'gHcCRBqkTeyy6gpCh4YUGA=='

Converting UUID.bytes representation to UUID.hex format:

>>> import uuid
>>> uuid.UUID(bytes=b'\x80w\x02D\x1a\xa4M\xec\xb2\xea\nB\x87\x86\x14\x18').hex
'807702441aa44decb2ea0a4287861418'
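The conversions above, applied to the whole payload that fernet-inspector printed earlier, as an added example that is not part of the fernet-inspector project. It follows the page's caveat: only element 0 (the version, with 2 mapped to ProjectScopedPayload as the page states) is given a meaning; every other element is converted by type, and each list entry is shown both as a UUID hex string and as a Keystone-style audit ID, since the tool cannot tell group IDs from audit IDs. The payload bytes are the page's own values written as Python 3 bytes literals; the function names are this example's.

```python
import base64
import uuid
from datetime import datetime, timezone

# The payload fernet-inspector printed on the page, written as Python 3 bytes
# literals (byte-for-byte identical to the Python 2 str shown there).
PAGE_PAYLOAD = [
    2,
    b'\xb0>\xd9\x14\x03kF\xb3\x94\xc9@A\x9e\x12\xda\x0f',
    1,
    b'Z\xce\xd8U5ZH\xf6\xae\xd8n@;\x9a\x98`',
    1442338543.238753,
    [b'\xf0\xa8\x03T\x07\xbaJk\x8c;G\x9cG\xab\xdfX'],
]

# Only the version the page names; anything else is reported as unknown.
PAYLOAD_VERSIONS = {2: "ProjectScopedPayload"}


def uuid_hex_from_bytes(raw):
    """16 raw bytes -> 32-character hex, i.e. uuid.UUID(bytes=...).hex."""
    return uuid.UUID(bytes=bytes(raw)).hex


def audit_id_from_bytes(raw):
    """Keystone's audit-ID encoding: urlsafe base64 with the '==' padding dropped."""
    return base64.urlsafe_b64encode(bytes(raw))[:-2].decode("ascii")


def _describe_bytes(raw):
    # A 16-byte value is a packed UUID; anything else is left raw.
    if len(raw) == 16:
        return {"uuid_hex": uuid_hex_from_bytes(raw), "audit_id": audit_id_from_bytes(raw)}
    return {"raw": bytes(raw)}


def describe_payload(payload):
    """Annotate each payload element by type, without assuming Keystone's field order.

    Returns a list of (index, description) pairs.
    """
    out = []
    for i, value in enumerate(payload):
        if i == 0 and isinstance(value, int):
            desc = {"version": value, "format": PAYLOAD_VERSIONS.get(value, "unknown")}
        elif isinstance(value, (bytes, bytearray)):
            desc = {"uuid_hex": uuid_hex_from_bytes(value)} if len(value) == 16 else {"raw": value}
        elif isinstance(value, float):
            # The float element is a POSIX timestamp; render it as UTC.
            desc = {"utc": datetime.fromtimestamp(value, timezone.utc).isoformat()}
        elif isinstance(value, list):
            # Lists hold audit IDs or group IDs; offer both decodings for each entry.
            desc = [_describe_bytes(v) for v in value]
        else:
            desc = {"raw": value}
        out.append((i, desc))
    return out


if __name__ == "__main__":
    for index, description in describe_payload(PAGE_PAYLOAD):
        print(index, description)
```

Element 2 (the integer 1) is deliberately left as a raw value: the page does not say what it is, and guessing would be exactly the kind of format assumption the tool avoids.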

Source Distribution

fernet_inspector-0.1.2.tar.gz (8.4 kB)