def encrypt(self, data, iv, slot_id=SecurityModule.TOKEN_KEY):
"""
security module methods: encrypt
:param data: the data that is to be encrypted
:type data: bytes
:param iv: initialisation vector
:type iv: bytes
:param slot_id: slot of the key array. The key file contains 96
bytes, which are made up of 3 32byte keys.
:type slot_id: int
:return: encrypted data
:rtype: bytes
"""
if self.is_ready is False:
raise HSMException('setup of security module incomplete')
key = self._get_secret(slot_id)
# convert input to ascii, so we can securely append bin data
input_data = binascii.b2a_hex(data)
input_data += b"\x01\x02"
padding = (16 - len(input_data) % 16) % 16
input_data += padding * b"\0"
aes = AES.new(key, AES.MODE_CBC, iv)
res = aes.encrypt(input_data)
if self.crypted is False:
zerome(key)
del key
return res
def decrypt(self, input_data, iv, slot_id=SecurityModule.TOKEN_KEY):
"""
Decrypt the given data with the key from the key slot
:param input_data: the to be decrypted data
:type input_data: bytes
:param iv: initialisation vector (salt)
:type iv: bytes
:param slot_id: slot of the key array
:type slot_id: int
:return: decrypted data
:rtype: bytes
"""
if self.is_ready is False:
raise HSMException('setup of security module incomplete')
key = self._get_secret(slot_id)
aes = AES.new(key, AES.MODE_CBC, iv)
output = aes.decrypt(input_data)
eof = output.rfind(b"\x01\x02")
if eof >= 0:
output = output[:eof]
# convert output from ascii, back to bin data
data = binascii.unhexlify(output)
if self.crypted is False:
zerome(key)
del key
return data
def decrypt(self, input_data, iv, slot_id=0):
"""
Decrypt the given data with the key from the key slot
:param input_data: the to be decrypted data
:type input_data: byte string
:param iv: initialisation vector (salt)
:type iv: random bytes
:param slot_id: slot of the key array
:type slot_id: int
:return: decrypted data
:rtype: byte string
"""
if self.is_ready is False:
raise Exception('setup of security module incomplete')
key = self._get_secret(slot_id)
aes = AES.new(key, AES.MODE_CBC, iv)
output = aes.decrypt(input_data)
eof = output.rfind(u"\x01\x02")
if eof >= 0:
output = output[:eof]
# convert output from ascii, back to bin data
data = binascii.a2b_hex(output)
if self.crypted is False:
zerome(key)
del key
return data
def encrypt(self, data, iv, slot_id=0):
"""
security module methods: encrypt
:param data: the data that is to be encrypted
:type data: byte string
:param iv: initialisation vector
:type iv: random bytes
:param slot_id: slot of the key array. The key file contains 96
bytes, which are made up of 3 32byte keys.
:type slot_id: int
:return: encrypted data
:rtype: byte string
"""
if self.is_ready is False:
raise Exception('setup of security module incomplete')
key = self._get_secret(slot_id)
# convert input to ascii, so we can securely append bin data
input_data = binascii.b2a_hex(data)
input_data += u"\x01\x02"
padding = (16 - len(input_data) % 16) % 16
input_data += padding * "\0"
aes = AES.new(key, AES.MODE_CBC, iv)
res = aes.encrypt(input_data)
if self.crypted is False:
zerome(key)
del key
return res
def main():
## hook for local provider test
sep = SecurityProvider()
sep.load_config({})
sep.createHSMPool('default')
sep.setupModule('default', {'passwd' : 'test123'})
## runtime catch an hsm for session
hsm = sep.getSecurityModule()
passwo = 'password'
encpass = hsm.encryptPassword(passwo)
passw = hsm.decryptPassword(encpass)
zerome(passw)
hsm2 = sep.getSecurityModule(sessionId='session2')
passwo = 'password'
encpass = hsm2.encryptPassword(passwo)
passw = hsm2.decryptPassword(encpass)
zerome(passw)
## session shutdown
sep.dropSecurityModule(sessionId='session2')
sep.dropSecurityModule()
return True
def checkOtp(self, anOtpVal, window=10, options=None):
'''
check a provided otp value
:param anOtpVal: the to be tested otp value
:param window: the +/- window around the test time
:param options: generic container for additional values \
here only used for seltest: setting the initTime
:return: -1 for fail else the identified counter/time
'''
res = -1
window = window * 2
initTime = 0
if options is not None and type(options) == dict:
initTime = int(options.get('initTime', 0))
if (initTime == 0):
otime = int(time.time() / 10)
else:
otime = int(initTime)
if self.secretObject is None:
key = self.key
pin = self.pin
else:
key = self.secretObject.getKey()
pin = self.secPin.getKey()
for i in range(otime - window, otime + window):
otp = unicode(self.calcOtp(i, key, pin))
if unicode(anOtpVal) == otp:
res = i
log.debug("otpvalue %r found at: %r" %
(anOtpVal, res))
break
if self.secretObject is not None:
zerome(key)
zerome(pin)
del key
del pin
## prevent access twice with last motp
if res <= self.oldtime:
log.warning("otpvalue %s checked once before (%r<=%r)" %
(anOtpVal, res, self.oldtime))
res = -1
if res == -1:
msg = 'checking motp failed'
else:
msg = 'checking motp sucess'
log.debug("end. %s : returning result: %r, " % (msg, res))
return res
def checkOtp(self, anOtpVal, window=10, options=None):
'''
check a provided otp value
:param anOtpVal: the to be tested otp value
:type anOtpVal: str
:param window: the +/- window around the test time
:param options: generic container for additional values \
here only used for seltest: setting the initTime
:return: -1 for fail else the identified counter/time
'''
res = -1
window = window * 2
initTime = 0
if options is not None and type(options) == dict:
initTime = int(options.get('initTime', 0))
if initTime == 0:
otime = int(time.time() // 10)
else:
otime = initTime
if self.secretObject is None:
key = self.key
pin = self.pin
else:
key = self.secretObject.getKey()
pin = self.secPin.getKey()
for i in range(otime - window, otime + window):
otp = self.calcOtp(i, to_unicode(key), to_unicode(pin))
if anOtpVal == otp:
res = i
log.debug("otpvalue {0!r} found at: {1!r}".format(
anOtpVal, res))
break
if self.secretObject is not None:
zerome(key)
zerome(pin)
del key
del pin
## prevent access twice with last motp
if res <= self.oldtime:
log.warning(
"otpvalue {0!s} checked once before ({1!r}<={2!r})".format(
anOtpVal, res, self.oldtime))
res = -1
if res == -1:
msg = 'checking motp failed'
else:
msg = 'checking motp sucess'
log.debug("end. {0!s} : returning result: {1!r}, ".format(msg, res))
return res
def checkOtp(self, anOtpVal):
res = -1
key = self.secretObject.getKey()
if key == anOtpVal:
res = 0
zerome(key)
del key
return res
def check_password(self, password):
res = -1
key = self.secretObject.getKey()
if key == password:
res = 0
zerome(key)
del key
return res
def check_password(self, password):
res = -1
key = self.secretObject.getKey()
if key == password:
res = 0
zerome(key)
del key
return res
def decrypt(self, input_data, iv, slot_id=0):
'''
security module methods: decrypt
:param input_data: the to be decrypted data
:type input_data: byte string
:param iv: initialisation vector (salt)
:type iv: random bytes
:param slot_id: slot of the key array
:type slot_id: int
:return: decrypted data
:rtype: byte string
'''
log.debug('decrypt()')
if self.is_ready is False:
raise Exception('setup of security module incomplete')
key = self.getSecret(slot_id)
aes = AES.new(key, AES.MODE_CBC, iv)
# cko
# import privacyideaee.lib.yhsm as yhsm
# y = yhsm.YubiHSM(0x1111, password="******")
# y.unlock(password="******")
# log.debug("CKO in: %s" % input)
# output = binascii.hexlify(y.decrypt(input))
# log.debug("CKO out: %s" % output)
#
output = aes.decrypt(input_data)
# log.debug("CKO: output2: %s" % output)
eof = output.rfind(u"\x01\x02")
if eof >= 0:
output = output[:eof]
# convert output from ascii, back to bin data
data = binascii.a2b_hex(output)
if self.crypted is False:
zerome(key)
del key
return data
def getOtp(self, date_string=None):
key = self.secretObject.getKey()
if date_string is None:
date_string = datetime.now().strftime("%d%m%y")
input_data = key + date_string
md = hexlify(md5(input_data).digest())
md = md[len(md) - self.digits:]
otp = int(md, 16)
otp = unicode(otp)
otp = otp[len(otp) - self.digits:]
zerome(key)
del key
return otp
def encrypt(self, data, iv, slot_id=0):
'''
security module methods: encrypt
:param data: the to be encrypted data
:type data:byte string
:param iv: initialisation vector (salt)
:type iv: random bytes
:param slot_id: slot of the key array
:type slot_id: int
:return: encrypted data
:rtype: byte string
'''
log.debug('encrypt()')
if self.is_ready is False:
raise Exception('setup of security module incomplete')
key = self.getSecret(slot_id)
# convert input to ascii, so we can securely append bin data
input_data = binascii.b2a_hex(data)
input_data += u"\x01\x02"
padding = (16 - len(input_data) % 16) % 16
input_data += padding * "\0"
aes = AES.new(key, AES.MODE_CBC, iv)
# cko: ARGH: Only ECB!
# import privacyideaee.lib.yhsm as yhsm
# y = yhsm.YubiHSM(0x1111, password="******")
# y.unlock(password="******")
# res = y.encrypt(input)
#
res = aes.encrypt(input_data)
if self.crypted is False:
zerome(key)
del key
return res
def check_password(self, password):
"""
:param password:
:type password: str
:return: result of password check: 0 if success, -1 if failed
:rtype: int
"""
res = -1
key = self.secretObject.getKey()
# getKey() returns bytes and since we can not assume, that the
# password only contains printable characters, we need to compare
# bytes strings here. This also avoids making another copy of 'key'.
if safe_compare(key, password):
res = 0
zerome(key)
del key
return res
def check_password(self, password):
"""
:param password:
:type password: str
:return: result of password check: 0 if success, -1 if failed
:rtype: int
"""
res = -1
key = self.secretObject.getKey()
# getKey() returns bytes and since we can not assume, that the
# password only contains printable characters, we need to compare
# bytes strings here. This also avoids making another copy of 'key'.
if key == to_bytes(password):
res = 0
zerome(key)
del key
return res
def checkOtp(self, anOtpVal, window=0, options=None):
'''
window is the seconds before and after the current time
'''
res = -1
key = self.secretObject.getKey()
date_string = datetime.now().strftime("%d%m%y")
input_data = key + date_string
md = hexlify(md5(input_data).digest())
md = md[len(md) - self.digits:]
otp = int(md, 16)
otp = unicode(otp)
otp = otp[len(otp) - self.digits:]
if unicode(anOtpVal) == otp:
res = 1
zerome(key)
del key
return res
