Example #1
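def opdata1_decrypt_item(data, key, hmac_key, aes_size=C_AES_SIZE, ignore_hmac=False):
    """Authenticate and decrypt a single opdata1 record.

    The record is split by ``opdata1_unpack`` into its declared plaintext
    length, IV, ciphertext, stored MAC and the bytes the MAC covers. Unless
    ``ignore_hmac`` is set, the stored MAC is checked with HMAC-SHA256 under
    ``hmac_key`` *before* any decryption happens; the ciphertext is then
    decrypted with AES-CBC under ``key`` and unpadded to the declared length.

    Args:
        data: Raw opdata1 record bytes.
        key: AES key; its length must equal ``KEY_SIZE[aes_size]``.
        hmac_key: Key for the HMAC-SHA256 check.
        aes_size: Index into ``KEY_SIZE`` selecting the expected key length.
        ignore_hmac: Skip the MAC check entirely. SECURITY: with this set the
            function decrypts unauthenticated CBC ciphertext, so the output
            may have been modified in transit or at rest and must be treated
            as untrusted. Keep it to recovery/debugging tooling.

    Returns:
        The unpadded plaintext bytes.

    Raises:
        AssertionError: If the key length or the record length is invalid.
        ValueError: If the stored MAC has the wrong length or does not match.
    """
    key_size = KEY_SIZE[aes_size]
    # Raised explicitly instead of via `assert` so the size checks are not
    # stripped when Python runs with -O; the exception type is unchanged.
    # Messages carry lengths only, never key or record bytes.
    if len(key) != key_size:
        raise AssertionError(
            "opdata1 key must be %d bytes, got %d bytes" % (key_size, len(key))
        )
    if len(data) < OPDATA1_MINIMUM_SIZE:
        raise AssertionError(
            "opdata1 record too short (minimum %d bytes, got %d bytes)" % (
                OPDATA1_MINIMUM_SIZE,
                len(data)
            )
        )
    plaintext_length, iv, cryptext, expected_hmac, hmac_d_data = opdata1_unpack(data)
    if not ignore_hmac:
        verifier = HMAC(hmac_key, SHA256(), backend=_backend)
        verifier.update(hmac_d_data)
        # Finalize a copy so `verifier` can still be used for verify() below.
        # Only the length is kept: the original referenced an undefined
        # `got_hmac` here, which turned a length mismatch into a NameError
        # instead of the intended ValueError.
        computed_length = len(verifier.copy().finalize())
        if computed_length != len(expected_hmac):
            raise ValueError("Got unexpected HMAC length (expected %d bytes, got %d bytes)" % (
                len(expected_hmac),
                computed_length
            ))
        try:
            # verify() performs the comparison in constant time.
            verifier.verify(expected_hmac)
        except InvalidSignature:
            raise ValueError("HMAC did not match for opdata1 record")
    # Decryption is reached only after the MAC check passed (or was
    # explicitly waived by the caller via ignore_hmac).
    aes = Cipher(algorithms.AES(key), modes.CBC(iv), backend=_backend)
    decryptor = aes.decryptor()
    decrypted = decryptor.update(cryptext) + decryptor.finalize()
    unpadded = padding.ab_unpad(decrypted, plaintext_length)
    return unpadded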