Exemple #1
0
    def testPKIWrap(self):
        vek = binascii.unhexlify("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")

        publicKey = RSA.importKey(open(cert).read())
        cipher = PKCS1_OAEP.new(key=publicKey, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
        ciphertext = cipher.encrypt(vek)

        key = RSA.importKey(open(privateKey).read())
        cipher = PKCS1_OAEP.new(key=key, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
        vek2 = cipher.decrypt(ciphertext)
        self.assertEquals(vek, vek2)
Exemple #2
0
    def rsaEncrypt(self, data):
        rsa_key = self.getRsaPublicKey()
        rsa_chiper = PKCS1_OAEP.new(key=rsa_key,
                                    hashAlgo=SHA1,
                                    mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))

        return rsa_chiper.encrypt(data)
Exemple #3
0
def encrypt_and_upload_files(tmp_dir, s3_bucket, s3_prefix, hsm_key_id,
                             aws_default_region, hsm_key_param_name):
    hsm_key_file = b64decode(
        get_hsm_key(hsm_key_param_name, aws_default_region))
    hsm_key = RSA.import_key(hsm_key_file)
    for root, _, files in os.walk(tmp_dir):
        for name in files:
            session_key = get_random_bytes(16)
            # Session key gets encrypted with RSA HSM public key
            # This encryption cipher makes us compatible with DKS
            cipher_rsa = PKCS1_OAEP.new(
                key=hsm_key,
                hashAlgo=SHA256,
                mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
            enc_session_key = cipher_rsa.encrypt(session_key)
            # Data gets encrypted with AES session key (session_key)
            cipher_aes = AES.new(session_key, AES.MODE_EAX)
            in_file = os.path.join(root, name)
            out_file = in_file + ".gz.enc"
            with open(in_file, "rb") as fin, open(out_file, "wb") as fout:
                compressed_data = zlib.compress(fin.read())
                fout.write(cipher_aes.encrypt(compressed_data))
            s3_object_metadata = {
                "x-amz-meta-iv": b64encode(cipher_aes.nonce).decode(),
                "x-amz-meta-ciphertext": b64encode(enc_session_key).decode(),
                "x-amz-meta-datakeyencryptionkeyid": hsm_key_id,
            }
            upload_to_s3(out_file, s3_object_metadata, s3_bucket, s3_prefix,
                         aws_default_region)
Exemple #4
0
 def __init__(self, key):
     rsa_private = RSA.importKey(key)
     self.decrypter = PKCS1_OAEP.new(
         rsa_private,
         hashAlgo=SHA256,
         mgfunc=lambda x, y: pss.MGF1(x, y, SHA256))
     self.signer = PKCS1_v1_5.new(rsa_private)
Exemple #5
0
def rsaVerifySignatureFromBase64(publicKeyPem, message, signatureBase64):
    rsaPublicKey = RSA.import_key(publicKeyPem)
    signatureBytes = base64Decoding(signatureBase64)
    hashMessage = Hash.SHA256.new(message.encode("ascii"))
    verifier = pss.new(rsaPublicKey, mask_func=lambda x, y: pss.MGF1(x, y, Hash.SHA256), salt_bytes=Hash.SHA256.digest_size)
    try:
      verifier.verify(hashMessage, signatureBytes)
      return True
    except (ValueError):
      return False
Exemple #6
0
    def create(vek, keySizeBytes, certificatePath):
        #print("VEK: " + str(binascii.hexlify(vek)))
        publicKeyPem = open(certificatePath).read()
        publicKey = RSA.importKey(publicKeyPem)
        # Convert from PEM to DER

        lines = publicKeyPem.replace(" ", '').split()
        publicKeyDer = binascii.a2b_base64(''.join(lines[1:-1]))

        cert = x509.load_pem_x509_certificate(SmartStr(publicKeyPem), default_backend())
        subjectName = cert.subject.rfc4514_string()
        serial = cert.serial_number

        cipher = PKCS1_OAEP.new(key=publicKey, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
        wrapped_key = cipher.encrypt(vek)
        #print("WrappedKey: " + str(binascii.hexlify(wrapped_key)))

        return CertEncryptedKeyBag(subjectName, serial, keySizeBytes, wrapped_key)
Exemple #7
0
 def unwrap_key(self, privateKey):
     key = RSA.importKey(open(privateKey).read())
     cipher = PKCS1_OAEP.new(key=key, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
     vek = cipher.decrypt(self.wrappedKey)
     #print("VEK: " + str(binascii.hexlify(vek)))
     return vek
Exemple #8
0
 def __init__(self, keypath):
     f = open(keypath, 'r')
     rsa_private = RSA.importKey(f.read())
     self.decrypter = PKCS1_OAEP.new(rsa_private, hashAlgo=SHA256, mgfunc= lambda x, y: pss.MGF1(x, y, SHA1))
     self.signer = PKCS1_v1_5.new(rsa_private)