def opdata1_decrypt_item(data, key, hmac_key, aes_size=C_AES_SIZE, ignore_hmac=False): key_size = KEY_SIZE[aes_size] assert len(key) == key_size assert len(data) >= OPDATA1_MINIMUM_SIZE plaintext_length, iv, cryptext, expected_hmac, hmac_d_data = opdata1_unpack(data) if not ignore_hmac: verifier = HMAC(hmac_key, SHA256(), backend=_backend) verifier.update(hmac_d_data) if len(verifier.copy().finalize()) != len(expected_hmac): raise ValueError("Got unexpected HMAC length (expected %d bytes, got %d bytes)" % ( len(expected_hmac), len(got_hmac) )) try: verifier.verify(expected_hmac) except InvalidSignature: raise ValueError("HMAC did not match for opdata1 record") aes = Cipher(algorithms.AES(key), modes.CBC(iv), backend=_backend) decryptor = aes.decryptor() decrypted = decryptor.update(cryptext) + decryptor.finalize() unpadded = padding.ab_unpad(decrypted, plaintext_length) return unpadded