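    def _decryptAndImportKdk(self, kdkData, onError):
        """
        Decrypt the KDK carried in kdkData with this object's credentials key
        and import the recovered SafeBag into the internal KeyChain.

        The content of kdkData is decoded as an EncryptedContent (wire format
        v2); its payload is the SafeBag and its payload key is the SafeBag
        secret, encrypted for self._credentialsKey. The secret is decrypted by
        the TPM of self._keyChain.

        :param Data kdkData: The KDK Data packet to decrypt and import.
        :param onError: On error, this calls onError(errorCode, message)
          exactly once, where errorCode is from EncryptError.ErrorCode.
          errorCode is TpmKeyNotFound when the TPM has no key for
          self._credentialsKey, and DecryptionFailure for any exception raised
          while decoding, decrypting or importing.
        :type onError: function object
        :return: True for success, false for error (where this has called onError).
        :rtype: bool
        """
        # Collect the outcome first and call onError outside the try block, so
        # that an exception raised by onError itself is not caught below and
        # reported to onError a second time.
        errorCode = None
        message = None
        try:
            logging.getLogger(__name__).info(
                "Decrypting and importing KDK %s", kdkData.getName().toUri())
            encryptedContent = EncryptedContent()
            encryptedContent.wireDecodeV2(kdkData.getContent())

            safeBag = SafeBag(encryptedContent.getPayload())
            secret = self._keyChain.getTpm().decrypt(
                encryptedContent.getPayloadKey().toBytes(),
                self._credentialsKey.getName())
            if secret.isNull():
                # The TPM returns a null Blob when it has no key of that name.
                errorCode = EncryptError.ErrorCode.TpmKeyNotFound
                message = ("Could not decrypt secret, " +
                           self._credentialsKey.getName().toUri() +
                           " not found in TPM")
            else:
                self._internalKeyChain.importSafeBag(safeBag, secret.toBytes())
        except Exception as ex:
            errorCode = EncryptError.ErrorCode.DecryptionFailure
            message = ("Failed to decrypt KDK [" + kdkData.getName().toUri() +
                       "]: " + repr(ex))

        if errorCode is None:
            return True
        onError(errorCode, message)
        return False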
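    def _decryptAndImportKdk(self, kdkData, onError):
        """
        Decrypt the KDK carried in kdkData with this object's credentials key
        and import the recovered SafeBag into the internal KeyChain.

        The content of kdkData is decoded as an EncryptedContent (wire format
        v2); its payload is the SafeBag and its payload key is the SafeBag
        secret, encrypted for self._credentialsKey. The secret is decrypted by
        the TPM of self._keyChain.

        :param Data kdkData: The KDK Data packet to decrypt and import.
        :param onError: On error, this calls onError(errorCode, message)
          exactly once, where errorCode is from EncryptError.ErrorCode.
          errorCode is TpmKeyNotFound when the TPM has no key for
          self._credentialsKey, and DecryptionFailure for any exception raised
          while decoding, decrypting or importing.
        :type onError: function object
        :return: True for success, false for error (where this has called onError).
        :rtype: bool
        """
        # Record the outcome inside the try block and report it afterwards, so
        # that an exception raised by onError itself is not caught by the
        # except clause below and reported to onError a second time.
        errorCode = None
        message = None
        try:
            logging.getLogger(__name__).info(
                "Decrypting and importing KDK %s", kdkData.getName().toUri())
            encryptedContent = EncryptedContent()
            encryptedContent.wireDecodeV2(kdkData.getContent())

            safeBag = SafeBag(encryptedContent.getPayload())
            secret = self._keyChain.getTpm().decrypt(
                encryptedContent.getPayloadKey().toBytes(),
                self._credentialsKey.getName())
            if secret.isNull():
                # The TPM returns a null Blob when it has no key of that name.
                errorCode = EncryptError.ErrorCode.TpmKeyNotFound
                message = ("Could not decrypt secret, " +
                           self._credentialsKey.getName().toUri() +
                           " not found in TPM")
            else:
                self._internalKeyChain.importSafeBag(safeBag, secret.toBytes())
        except Exception as ex:
            errorCode = EncryptError.ErrorCode.DecryptionFailure
            message = ("Failed to decrypt KDK [" + kdkData.getName().toUri() +
                       "]: " + repr(ex))

        if errorCode is None:
            return True
        onError(errorCode, message)
        return False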
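    def _decrypt(encryptedContent, keyBits, onPlainText, onError):
        """
        Decrypt encryptedContent using keyBits.

        Only the AesCbc and RsaOaep algorithm types are supported; any other
        type is reported to onError as UnsupportedEncryptionScheme. A failure
        inside the algorithm's decrypt (for example a bad key or malformed
        ciphertext) is reported as InvalidEncryptedFormat. Both branches report
        through Consumer._callOnError so that an exception raised by onError is
        handled the same way regardless of the algorithm.

        :param encryptedContent: The EncryptedContent to decrypt, or a Blob
          which is first decoded as an EncryptedContent. Note that a decoding
          error for a Blob is not caught here and propagates to the caller.
        :type encryptedContent: Blob or EncryptedContent
        :param keyBits: The key value.
        :type keyBits: Blob
        :param onPlainText: When encryptedBlob is decrypted, this calls
          onPlainText(decryptedBlob) with the decrypted Blob. An exception
          raised by onPlainText propagates to the caller.
        :type onPlainText: function object
        :param onError: This calls onError(errorCode, message) for an error,
          where errorCode is from EncryptError.ErrorCode and message is a str.
        :type onError: function object
        """
        if isinstance(encryptedContent, Blob):
            # Decode as EncryptedContent.
            encryptedBlob = encryptedContent
            encryptedContent = EncryptedContent()
            encryptedContent.wireDecode(encryptedBlob)

        payload = encryptedContent.getPayload()
        algorithmType = encryptedContent.getAlgorithmType()

        # Select the algorithm and prepare its parameters; the decrypt call and
        # error reporting below are shared by both supported algorithms.
        if algorithmType == EncryptAlgorithmType.AesCbc:
            decryptParams = EncryptParams(EncryptAlgorithmType.AesCbc)
            decryptParams.setInitialVector(encryptedContent.getInitialVector())
            decrypt = AesAlgorithm.decrypt
        elif algorithmType == EncryptAlgorithmType.RsaOaep:
            decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
            decrypt = RsaAlgorithm.decrypt
        else:
            Consumer._callOnError(
                onError, EncryptError.ErrorCode.UnsupportedEncryptionScheme,
                repr(algorithmType))
            return

        try:
            content = decrypt(keyBits, payload, decryptParams)
        except Exception as ex:
            Consumer._callOnError(
                onError, EncryptError.ErrorCode.InvalidEncryptedFormat,
                repr(ex))
            return
        onPlainText(content)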
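    def _decrypt(encryptedContent, keyBits, onPlainText, onError):
        """
        Decrypt encryptedContent using keyBits.

        Only the AesCbc and RsaOaep algorithm types are supported; any other
        type is reported to onError as UnsupportedEncryptionScheme. A failure
        inside the algorithm's decrypt (for example a bad key or malformed
        ciphertext) is reported as InvalidEncryptedFormat. Both branches report
        through Consumer._callOnError so that an exception raised by onError is
        handled the same way regardless of the algorithm.

        :param encryptedContent: The EncryptedContent to decrypt, or a Blob
          which is first decoded as an EncryptedContent. Note that a decoding
          error for a Blob is not caught here and propagates to the caller.
        :type encryptedContent: Blob or EncryptedContent
        :param keyBits: The key value.
        :type keyBits: Blob
        :param onPlainText: When encryptedBlob is decrypted, this calls
          onPlainText(decryptedBlob) with the decrypted Blob. An exception
          raised by onPlainText propagates to the caller.
        :type onPlainText: function object
        :param onError: This calls onError(errorCode, message) for an error,
          where errorCode is from EncryptError.ErrorCode and message is a str.
        :type onError: function object
        """
        if isinstance(encryptedContent, Blob):
            # Decode as EncryptedContent.
            encryptedBlob = encryptedContent
            encryptedContent = EncryptedContent()
            encryptedContent.wireDecode(encryptedBlob)

        payload = encryptedContent.getPayload()
        algorithmType = encryptedContent.getAlgorithmType()

        # Select the algorithm and prepare its parameters; the decrypt call and
        # error reporting below are shared by both supported algorithms.
        if algorithmType == EncryptAlgorithmType.AesCbc:
            decryptParams = EncryptParams(EncryptAlgorithmType.AesCbc)
            decryptParams.setInitialVector(encryptedContent.getInitialVector())
            decrypt = AesAlgorithm.decrypt
        elif algorithmType == EncryptAlgorithmType.RsaOaep:
            decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
            decrypt = RsaAlgorithm.decrypt
        else:
            Consumer._callOnError(
                onError, EncryptError.ErrorCode.UnsupportedEncryptionScheme,
                repr(algorithmType))
            return

        try:
            content = decrypt(keyBits, payload, decryptParams)
        except Exception as ex:
            Consumer._callOnError(
                onError, EncryptError.ErrorCode.InvalidEncryptedFormat,
                repr(ex))
            return
        onPlainText(content)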
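    def _decryptCkAndProcessPendingDecrypts(self, contentKey, ckData,
                                            kdkKeyName, onError):
        """
        Decrypt the content key (CK) in ckData with the KDK and run every
        decrypt that was waiting for this CK.

        The content of ckData is decoded as an EncryptedContent (wire format
        v2) and its payload is decrypted by the internal KeyChain's TPM with
        the key named kdkKeyName. On success the CK bits are stored in
        contentKey.bits, contentKey.isRetrieved is set, each entry of
        contentKey.pendingDecrypts is passed to DecryptorV2._doDecrypt with its
        own onSuccess/onError callbacks, and the pending list is cleared.

        :param contentKey: The ContentKey entry to fill in. Its pendingDecrypts
          entries must have encryptedContent, onSuccess and onError attributes.
        :param Data ckData: The CK Data packet to decrypt.
        :param Name kdkKeyName: The name of the KDK key in the internal TPM.
        :param onError: On error, this calls onError(errorCode, message) where
          errorCode is from EncryptError.ErrorCode. Errors of the individual
          pending decrypts go to their own onError, not to this one.
        :type onError: function object
        """
        # Use a logging placeholder: passing the URI as an extra argument to a
        # message without "%s" is a formatting error and drops the name from
        # the log.
        logging.getLogger(__name__).info("Decrypting CK data %s",
                                         ckData.getName().toUri())

        content = EncryptedContent()
        try:
            content.wireDecodeV2(ckData.getContent())
        except Exception as ex:
            onError(EncryptError.ErrorCode.InvalidEncryptedFormat,
                    "Error decrypting EncryptedContent: " + repr(ex))
            return

        try:
            ckBits = self._internalKeyChain.getTpm().decrypt(
                content.getPayload().toBytes(), kdkKeyName)
        except Exception as ex:
            # We don't expect this from the in-memory KeyChain.
            onError(EncryptError.ErrorCode.DecryptionFailure,
                    "Error decrypting the CK EncryptedContent " + repr(ex))
            return

        if ckBits.isNull():
            # The TPM returns a null Blob when it has no key of that name.
            onError(
                EncryptError.ErrorCode.TpmKeyNotFound,
                "Could not decrypt secret, " + kdkKeyName.toUri() +
                " not found in TPM")
            return

        contentKey.bits = ckBits
        contentKey.isRetrieved = True

        for pendingDecrypt in contentKey.pendingDecrypts:
            # TODO: If this calls onError, should we quit?
            # NOTE(review): if _doDecrypt raises, the remaining entries are
            # skipped and pendingDecrypts is not cleared — confirm whether
            # callers rely on a retry re-running them.
            DecryptorV2._doDecrypt(pendingDecrypt.encryptedContent,
                                   contentKey.bits, pendingDecrypt.onSuccess,
                                   pendingDecrypt.onError)

        contentKey.pendingDecrypts = []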
    def _decryptCkAndProcessPendingDecrypts(
            self, contentKey, ckData, kdkKeyName, onError):
        """
        Decrypt the content key (CK) in ckData with the KDK and run every
        decrypt that was waiting for this CK.

        The content of ckData is decoded as an EncryptedContent (wire format
        v2) and its payload is decrypted by the internal KeyChain's TPM with
        the key named kdkKeyName. On success the CK bits are stored in
        contentKey.bits, contentKey.isRetrieved is set, each entry of
        contentKey.pendingDecrypts is passed to DecryptorV2._doDecrypt with its
        own onSuccess/onError callbacks, and the pending list is cleared.

        :param contentKey: The ContentKey entry to fill in. Its pendingDecrypts
          entries must have encryptedContent, onSuccess and onError attributes.
        :param Data ckData: The CK Data packet to decrypt.
        :param Name kdkKeyName: The name of the KDK key in the internal TPM.
        :param onError: On error, this calls onError(errorCode, message) where
          errorCode is from EncryptError.ErrorCode. Errors of the individual
          pending decrypts go to their own onError, not to this one.
        :type onError: function object
        """
        logger = logging.getLogger(__name__)
        logger.info("Decrypting CK data " + ckData.getName().toUri())

        # Step 1: decode the packet content as an EncryptedContent.
        encrypted = EncryptedContent()
        try:
            encrypted.wireDecodeV2(ckData.getContent())
        except Exception as ex:
            onError(EncryptError.ErrorCode.InvalidEncryptedFormat,
                    "Error decrypting EncryptedContent: " + repr(ex))
            return

        # Step 2: unwrap the CK with the KDK held by the internal TPM.
        try:
            tpm = self._internalKeyChain.getTpm()
            keyBits = tpm.decrypt(encrypted.getPayload().toBytes(), kdkKeyName)
        except Exception as ex:
            # We don't expect this from the in-memory KeyChain.
            onError(EncryptError.ErrorCode.DecryptionFailure,
                    "Error decrypting the CK EncryptedContent " + repr(ex))
            return

        # A null Blob means the TPM has no key of that name.
        if keyBits.isNull():
            onError(EncryptError.ErrorCode.TpmKeyNotFound,
                    "Could not decrypt secret, " + kdkKeyName.toUri() +
                    " not found in TPM")
            return

        # Step 3: publish the CK and drain the queue of waiting decrypts.
        contentKey.bits = keyBits
        contentKey.isRetrieved = True

        for request in contentKey.pendingDecrypts:
            # TODO: If this calls onError, should we quit?
            DecryptorV2._doDecrypt(
                request.encryptedContent, contentKey.bits,
                request.onSuccess, request.onError)

        contentKey.pendingDecrypts = []