Initial work on using session-based master key ciphers

netbox/secrets/api/urls.py

@@ -14,6 +14,7 @@ urlpatterns = [
     url(r'', include(router.urls)),
 
     # Miscellaneous
+    url(r'^get-session-key/$', views.GetSessionKey.as_view(), name='get_session_key'),
     url(r'^generate-keys/$', views.RSAKeyGeneratorView.as_view(), name='generate_keys'),
 
 ]

netbox/secrets/api/views.py

@@ -1,5 +1,7 @@
 import base64
+from Crypto.Cipher import XOR
 from Crypto.PublicKey import RSA
+import os
 
 from django.http import HttpResponseBadRequest
 
@@ -20,6 +22,7 @@ from . import serializers
 
 ERR_USERKEY_MISSING = "No UserKey found for the current user."
 ERR_USERKEY_INACTIVE = "UserKey has not been activated for decryption."
+ERR_PRIVKEY_MISSING = "Private key was not provided."
 ERR_PRIVKEY_INVALID = "Invalid private key."
 
 
@@ -38,7 +41,6 @@ class SecretRoleViewSet(ModelViewSet):
 #
 
 # TODO: Need to implement custom create() and update() methods to handle secret encryption.
-# TODO: Figure out a better way of transmitting the private key
 class SecretViewSet(WritableSerializerMixin, ModelViewSet):
     queryset = Secret.objects.select_related(
         'device__primary_ip4', 'device__primary_ip6', 'role',
@@ -54,58 +56,33 @@ class SecretViewSet(WritableSerializerMixin, ModelViewSet):
     authentication_classes = [BasicAuthentication, SessionAuthentication]
     permission_classes = [IsAuthenticated]
 
-    # The user's private key must be sent as a header (X-Private-Key). To overcome limitations around sending line
+    def _get_master_key(self, request):
-    # breaks in a header field, the key must be base64-encoded and stripped of all whitespace. This is a temporary
+        cached_key = request.session.get('cached_key', None)
-    # kludge until a more elegant approach can be devised.
+        session_key = request.COOKIES.get('session_key', None)
-    def _get_private_key(self, request):
+        if cached_key is None or session_key is None:
-        private_key_b64 = request.META.get('HTTP_X_PRIVATE_KEY', None)
-        if private_key_b64 is None:
             return None
-        # TODO: Handle invalid encoding
+
-        return base64.b64decode(private_key_b64)
+        cached_key = base64.b64decode(cached_key)
+        session_key = base64.b64decode(session_key)
+
+        xor = XOR.new(session_key)
+        master_key = xor.encrypt(cached_key)
+        return master_key
 
     def retrieve(self, request, *args, **kwargs):
-        private_key = self._get_private_key(request)
+        master_key = self._get_master_key(request)
         secret = self.get_object()
 
-        # Attempt to unlock the Secret if a private key was provided
+        if master_key is not None:
-        if private_key is not None:
-
-            try:
-                user_key = UserKey.objects.get(user=request.user)
-            except UserKey.DoesNotExist:
-                return HttpResponseBadRequest(ERR_USERKEY_MISSING)
-            if not user_key.is_active():
-                return HttpResponseBadRequest(ERR_USERKEY_INACTIVE)
-
-            master_key = user_key.get_master_key(private_key)
-            if master_key is None:
-                return HttpResponseBadRequest(ERR_PRIVKEY_INVALID)
-
             secret.decrypt(master_key)
 
         serializer = self.get_serializer(secret)
         return Response(serializer.data)
 
     def list(self, request, *args, **kwargs):
-        private_key = self._get_private_key(request)
+        master_key = self._get_master_key(request)
         queryset = self.filter_queryset(self.get_queryset())
 
-        # Attempt to unlock the Secrets if a private key was provided
-        master_key = None
-        if private_key is not None:
-
-            try:
-                user_key = UserKey.objects.get(user=request.user)
-            except UserKey.DoesNotExist:
-                return HttpResponseBadRequest(ERR_USERKEY_MISSING)
-            if not user_key.is_active():
-                return HttpResponseBadRequest(ERR_USERKEY_INACTIVE)
-
-            master_key = user_key.get_master_key(private_key)
-            if master_key is None:
-                return HttpResponseBadRequest(ERR_PRIVKEY_INVALID)
-
         # Pagination
         page = self.paginate_queryset(queryset)
         if page is not None:
@@ -145,3 +122,44 @@ class RSAKeyGeneratorView(APIView):
             'private_key': private_key,
             'public_key': public_key,
         })
+
+
+class GetSessionKey(APIView):
+    """
+    Cache an encrypted copy of the master key derived from the submitted private key.
+    """
+    permission_classes = [IsAuthenticated]
+
+    def post(self, request):
+
+        # Read private key
+        private_key = request.POST.get('private_key', None)
+        if private_key is None:
+            return HttpResponseBadRequest(ERR_PRIVKEY_MISSING)
+
+        # Validate user key
+        try:
+            user_key = UserKey.objects.get(user=request.user)
+        except UserKey.DoesNotExist:
+            return HttpResponseBadRequest(ERR_USERKEY_MISSING)
+        if not user_key.is_active():
+            return HttpResponseBadRequest(ERR_USERKEY_INACTIVE)
+
+        # Validate private key
+        master_key = user_key.get_master_key(private_key)
+        if master_key is None:
+            return HttpResponseBadRequest(ERR_PRIVKEY_INVALID)
+
+        # Generate a random 256-bit encryption key
+        session_key = os.urandom(32)
+        xor = XOR.new(session_key)
+        cached_key = xor.encrypt(master_key)
+
+        # Save XORed copy of the master key
+        request.session['cached_key'] = base64.b64encode(cached_key)
+
+        response = Response({
+            'session_key': base64.b64encode(session_key),
+        })
+        response.set_cookie('session_key', base64.b64encode(session_key))
+        return response