def encrypt(self, data, iv, slot_id=SecurityModule.TOKEN_KEY): """ security module methods: encrypt :param data: the data that is to be encrypted :type data: bytes :param iv: initialisation vector :type iv: bytes :param slot_id: slot of the key array. The key file contains 96 bytes, which are made up of 3 32byte keys. :type slot_id: int :return: encrypted data :rtype: bytes """ if self.is_ready is False: raise HSMException('setup of security module incomplete') key = self._get_secret(slot_id) # convert input to ascii, so we can securely append bin data input_data = binascii.b2a_hex(data) input_data += b"\x01\x02" padding = (16 - len(input_data) % 16) % 16 input_data += padding * b"\0" aes = AES.new(key, AES.MODE_CBC, iv) res = aes.encrypt(input_data) if self.crypted is False: zerome(key) del key return res
def decrypt(self, input_data, iv, slot_id=SecurityModule.TOKEN_KEY): """ Decrypt the given data with the key from the key slot :param input_data: the to be decrypted data :type input_data: bytes :param iv: initialisation vector (salt) :type iv: bytes :param slot_id: slot of the key array :type slot_id: int :return: decrypted data :rtype: bytes """ if self.is_ready is False: raise HSMException('setup of security module incomplete') key = self._get_secret(slot_id) aes = AES.new(key, AES.MODE_CBC, iv) output = aes.decrypt(input_data) eof = output.rfind(b"\x01\x02") if eof >= 0: output = output[:eof] # convert output from ascii, back to bin data data = binascii.unhexlify(output) if self.crypted is False: zerome(key) del key return data
def decrypt(self, input_data, iv, slot_id=0): """ Decrypt the given data with the key from the key slot :param input_data: the to be decrypted data :type input_data: byte string :param iv: initialisation vector (salt) :type iv: random bytes :param slot_id: slot of the key array :type slot_id: int :return: decrypted data :rtype: byte string """ if self.is_ready is False: raise Exception('setup of security module incomplete') key = self._get_secret(slot_id) aes = AES.new(key, AES.MODE_CBC, iv) output = aes.decrypt(input_data) eof = output.rfind(u"\x01\x02") if eof >= 0: output = output[:eof] # convert output from ascii, back to bin data data = binascii.a2b_hex(output) if self.crypted is False: zerome(key) del key return data
def encrypt(self, data, iv, slot_id=0): """ security module methods: encrypt :param data: the data that is to be encrypted :type data: byte string :param iv: initialisation vector :type iv: random bytes :param slot_id: slot of the key array. The key file contains 96 bytes, which are made up of 3 32byte keys. :type slot_id: int :return: encrypted data :rtype: byte string """ if self.is_ready is False: raise Exception('setup of security module incomplete') key = self._get_secret(slot_id) # convert input to ascii, so we can securely append bin data input_data = binascii.b2a_hex(data) input_data += u"\x01\x02" padding = (16 - len(input_data) % 16) % 16 input_data += padding * "\0" aes = AES.new(key, AES.MODE_CBC, iv) res = aes.encrypt(input_data) if self.crypted is False: zerome(key) del key return res
def main(): ## hook for local provider test sep = SecurityProvider() sep.load_config({}) sep.createHSMPool('default') sep.setupModule('default', {'passwd' : 'test123'}) ## runtime catch an hsm for session hsm = sep.getSecurityModule() passwo = 'password' encpass = hsm.encryptPassword(passwo) passw = hsm.decryptPassword(encpass) zerome(passw) hsm2 = sep.getSecurityModule(sessionId='session2') passwo = 'password' encpass = hsm2.encryptPassword(passwo) passw = hsm2.decryptPassword(encpass) zerome(passw) ## session shutdown sep.dropSecurityModule(sessionId='session2') sep.dropSecurityModule() return True
def checkOtp(self, anOtpVal, window=10, options=None): ''' check a provided otp value :param anOtpVal: the to be tested otp value :param window: the +/- window around the test time :param options: generic container for additional values \ here only used for seltest: setting the initTime :return: -1 for fail else the identified counter/time ''' res = -1 window = window * 2 initTime = 0 if options is not None and type(options) == dict: initTime = int(options.get('initTime', 0)) if (initTime == 0): otime = int(time.time() / 10) else: otime = int(initTime) if self.secretObject is None: key = self.key pin = self.pin else: key = self.secretObject.getKey() pin = self.secPin.getKey() for i in range(otime - window, otime + window): otp = unicode(self.calcOtp(i, key, pin)) if unicode(anOtpVal) == otp: res = i log.debug("otpvalue %r found at: %r" % (anOtpVal, res)) break if self.secretObject is not None: zerome(key) zerome(pin) del key del pin ## prevent access twice with last motp if res <= self.oldtime: log.warning("otpvalue %s checked once before (%r<=%r)" % (anOtpVal, res, self.oldtime)) res = -1 if res == -1: msg = 'checking motp failed' else: msg = 'checking motp sucess' log.debug("end. %s : returning result: %r, " % (msg, res)) return res
def checkOtp(self, anOtpVal, window=10, options=None): ''' check a provided otp value :param anOtpVal: the to be tested otp value :type anOtpVal: str :param window: the +/- window around the test time :param options: generic container for additional values \ here only used for seltest: setting the initTime :return: -1 for fail else the identified counter/time ''' res = -1 window = window * 2 initTime = 0 if options is not None and type(options) == dict: initTime = int(options.get('initTime', 0)) if initTime == 0: otime = int(time.time() // 10) else: otime = initTime if self.secretObject is None: key = self.key pin = self.pin else: key = self.secretObject.getKey() pin = self.secPin.getKey() for i in range(otime - window, otime + window): otp = self.calcOtp(i, to_unicode(key), to_unicode(pin)) if anOtpVal == otp: res = i log.debug("otpvalue {0!r} found at: {1!r}".format( anOtpVal, res)) break if self.secretObject is not None: zerome(key) zerome(pin) del key del pin ## prevent access twice with last motp if res <= self.oldtime: log.warning( "otpvalue {0!s} checked once before ({1!r}<={2!r})".format( anOtpVal, res, self.oldtime)) res = -1 if res == -1: msg = 'checking motp failed' else: msg = 'checking motp sucess' log.debug("end. {0!s} : returning result: {1!r}, ".format(msg, res)) return res
def checkOtp(self, anOtpVal): res = -1 key = self.secretObject.getKey() if key == anOtpVal: res = 0 zerome(key) del key return res
def check_password(self, password): res = -1 key = self.secretObject.getKey() if key == password: res = 0 zerome(key) del key return res
def decrypt(self, input_data, iv, slot_id=0): ''' security module methods: decrypt :param input_data: the to be decrypted data :type input_data: byte string :param iv: initialisation vector (salt) :type iv: random bytes :param slot_id: slot of the key array :type slot_id: int :return: decrypted data :rtype: byte string ''' log.debug('decrypt()') if self.is_ready is False: raise Exception('setup of security module incomplete') key = self.getSecret(slot_id) aes = AES.new(key, AES.MODE_CBC, iv) # cko # import privacyideaee.lib.yhsm as yhsm # y = yhsm.YubiHSM(0x1111, password="******") # y.unlock(password="******") # log.debug("CKO in: %s" % input) # output = binascii.hexlify(y.decrypt(input)) # log.debug("CKO out: %s" % output) # output = aes.decrypt(input_data) # log.debug("CKO: output2: %s" % output) eof = output.rfind(u"\x01\x02") if eof >= 0: output = output[:eof] # convert output from ascii, back to bin data data = binascii.a2b_hex(output) if self.crypted is False: zerome(key) del key return data
def getOtp(self, date_string=None): key = self.secretObject.getKey() if date_string is None: date_string = datetime.now().strftime("%d%m%y") input_data = key + date_string md = hexlify(md5(input_data).digest()) md = md[len(md) - self.digits:] otp = int(md, 16) otp = unicode(otp) otp = otp[len(otp) - self.digits:] zerome(key) del key return otp
def encrypt(self, data, iv, slot_id=0): ''' security module methods: encrypt :param data: the to be encrypted data :type data:byte string :param iv: initialisation vector (salt) :type iv: random bytes :param slot_id: slot of the key array :type slot_id: int :return: encrypted data :rtype: byte string ''' log.debug('encrypt()') if self.is_ready is False: raise Exception('setup of security module incomplete') key = self.getSecret(slot_id) # convert input to ascii, so we can securely append bin data input_data = binascii.b2a_hex(data) input_data += u"\x01\x02" padding = (16 - len(input_data) % 16) % 16 input_data += padding * "\0" aes = AES.new(key, AES.MODE_CBC, iv) # cko: ARGH: Only ECB! # import privacyideaee.lib.yhsm as yhsm # y = yhsm.YubiHSM(0x1111, password="******") # y.unlock(password="******") # res = y.encrypt(input) # res = aes.encrypt(input_data) if self.crypted is False: zerome(key) del key return res
def check_password(self, password): """ :param password: :type password: str :return: result of password check: 0 if success, -1 if failed :rtype: int """ res = -1 key = self.secretObject.getKey() # getKey() returns bytes and since we can not assume, that the # password only contains printable characters, we need to compare # bytes strings here. This also avoids making another copy of 'key'. if safe_compare(key, password): res = 0 zerome(key) del key return res
def check_password(self, password): """ :param password: :type password: str :return: result of password check: 0 if success, -1 if failed :rtype: int """ res = -1 key = self.secretObject.getKey() # getKey() returns bytes and since we can not assume, that the # password only contains printable characters, we need to compare # bytes strings here. This also avoids making another copy of 'key'. if key == to_bytes(password): res = 0 zerome(key) del key return res
def checkOtp(self, anOtpVal, window=0, options=None): ''' window is the seconds before and after the current time ''' res = -1 key = self.secretObject.getKey() date_string = datetime.now().strftime("%d%m%y") input_data = key + date_string md = hexlify(md5(input_data).digest()) md = md[len(md) - self.digits:] otp = int(md, 16) otp = unicode(otp) otp = otp[len(otp) - self.digits:] if unicode(anOtpVal) == otp: res = 1 zerome(key) del key return res