[PR #1357] [MERGED] refactor cryptutils #2208

Closed
opened 2026-02-27 12:09:53 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/modoboa/modoboa/pull/1357
Author: @ghost
Created: 1/15/2018
Status: Merged
Merged: 1/18/2018
Merged by: @tonioo

Base: master ← Head: feature/refactor-cryptutils


📝 Commits (1)

📊 Changes

2 files changed (+73 additions, -44 deletions)


📝 modoboa/lib/cryptutils.py (+35 -44)
modoboa/lib/tests/test_cryptutils.py (+38 -0)

📄 Description

Cryptography can be a black art; rather than rolling our own crypto
functions, use the ones provided by the Python Cryptography module.

  • encrypt() and decrypt()

    • ECB is insecure and the Python Cryptography module recommends[1]
      against using it. The Python Cryptography module offers Fernet[2]
      for encrypting values using a secret_key.

    • Django's settings.SECRET_KEY exists for things like encrypting
      passwords; use it instead of Modoboa's own secret_key[3].

    • settings.SECRET_KEY is truncated to 32 characters as Fernet requires
      a key 32 characters long.

  • random_key() uses Django's get_random_string() method, the same
    code used to generate settings.SECRET_KEY

  • add tests for cryptutil methods

[1] https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/?highlight=ecb#insecure-modes
[2] https://cryptography.io/en/latest/fernet/
[3] It's my intention to remove Modoboa's secret_key, as it can be replaced by Django's settings.SECRET_KEY; I just need to make sure it won't break modoboa-pdfcredentials, as it also uses it.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
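
The difference between the ECB mode and Fernet that the description refers to, as an added example (not code from this PR or from Modoboa). SECRET_KEY is a constructed value, and fernet_key() and the other function names are hypothetical; it assumes the `cryptography` package is installed.

```python
import base64

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed stand-in for Django's settings.SECRET_KEY (not a real key).
SECRET_KEY = "constructed-example-secret-key-0123456789-abcdefghij"


def fernet_key(secret):
    """Hypothetical helper: truncate to 32 characters, then base64-encode,
    because Fernet() only accepts url-safe base64 of 32 raw bytes."""
    return base64.urlsafe_b64encode(secret[:32].encode("utf-8"))


def ecb_leaks_repetition():
    """AES-ECB: two identical plaintext blocks give identical ciphertext blocks."""
    key = SECRET_KEY[:32].encode("utf-8")
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    ct = enc.update(b"A" * 32) + enc.finalize()
    return ct[:16] == ct[16:]


def fernet_tokens_differ():
    """Fernet draws a fresh random IV, so equal plaintexts give unequal tokens."""
    f = Fernet(fernet_key(SECRET_KEY))
    return f.encrypt(b"mailbox-password") != f.encrypt(b"mailbox-password")


def fernet_detects_tampering():
    """Flipping one ciphertext bit makes the HMAC check fail on decrypt."""
    f = Fernet(fernet_key(SECRET_KEY))
    raw = bytearray(base64.urlsafe_b64decode(f.encrypt(b"mailbox-password")))
    raw[30] ^= 0x01  # offset 30 is ciphertext: after version(1)+time(8)+IV(16)
    try:
        f.decrypt(base64.urlsafe_b64encode(bytes(raw)))
    except InvalidToken:
        return True
    return False


def roundtrip(plaintext):
    """Encrypt then decrypt with the key derived from SECRET_KEY."""
    f = Fernet(fernet_key(SECRET_KEY))
    return f.decrypt(f.encrypt(plaintext))


if __name__ == "__main__":
    print(ecb_leaks_repetition(), fernet_tokens_differ(), fernet_detects_tampering())
```

A secret shorter than 32 characters yields fewer than 32 key bytes, and Fernet() then raises ValueError.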

Commits (1): e8ab4e2 (https://github.com/modoboa/modoboa/commit/e8ab4e29126305f7d66f302351e76a0d894d119a) refactor cryptutils