def _encryptDecryptWithKey(self, value, aeskey):
reader = util.BytesReader(value)
writer, getoutput = util.BytesWriter()
aeskey.EncryptIO(reader, writer)
reader2 = util.BytesReader(getoutput())
writer2, getoutput2 = util.BytesWriter()
header2 = reader2.read(constants.HEADER_SIZE)
aeskey.DecryptIO(header2, reader2, writer2)
return getoutput2()
def __testStreamEncryptAndStandardDecrypt(self, subdir, input_data,
stream_buffer_size, len_to_write,
stream_source):
crypter = keyczar.Crypter.Read(os.path.join(TEST_DATA, subdir))
ciphertext_stream = io.BytesIO()
if stream_source is None:
encoder = None
decoder = None
else:
encoder = util.IncrementalBase64WSStreamWriter
decoder = util.Base64WSDecode
encryption_stream = crypter.CreateEncryptingStreamWriter(
ciphertext_stream, encoder=encoder)
self.__writeToStream(encryption_stream, input_data, len_to_write)
encryption_stream.close()
ciphertext = ciphertext_stream.getvalue()
if decoder:
ciphertext = decoder(ciphertext)
cipherreader = util.BytesReader(ciphertext)
plainwriter, getplain = util.BytesWriter()
crypter.DecryptIO(cipherreader, plainwriter)
plaintext = getplain()
self.assertEqual(
len(input_data), len(plaintext),
'Wrong length for buffer:%d, write len:%d' %
(stream_buffer_size, len_to_write))
self.assertEqual(
input_data, plaintext, 'Not equals for buffer:%d, write len:%d' %
(stream_buffer_size, len_to_write))
def Decrypt(self, ciphertext, decoder=util.Base64WSDecode):
"""
Decrypts the given ciphertext and returns the plaintext.
@param ciphertext: ciphertext to be decrypted - by default is Base64 encoded
@type ciphertext: string
@param decoder: function to perform decoding. Defaults to Base64, use None
for no decoding.
@type encoder: function
@return: plaintext message
@rtype: string
@raise ShortCiphertextError: if length is too short to have Header, IV, Sig
@raise BadVersionError: if header specifies an illegal version
@raise BadFormatError: if header specifies an illegal format
@raise KeyNotFoundError: if key specified in header doesn't exist
@raise InvalidSignatureError: if the signature can't be verified
"""
data_bytes = decoder(ciphertext) if decoder else ciphertext
reader = util.BytesReader(data_bytes)
writer, getvalue = util.BytesWriter()
self.DecryptIO(reader, writer)
return util.RawString(getvalue())
def AttachedVerify(self, signed_data, nonce):
"""
Verifies the signature in the signed blob corresponds to the data
in the signed blob and the provided nonce, and returns the data.
@param signed_data: the blob, produced by AttachedSign, containing
data and signature.
@type signed_data: string
@param nonce: Nonce string that was used when the signature was
generated. If the provided value doesn't match, verification will
fail.
@type sig: string
@return: If verification succeeds, the extracted data will be returned,
otherwise, None
@rtype: string
"""
decoded_data = util.Base64WSDecode(signed_data)
reader = util.BytesReader(decoded_data)
writer, getoutput = util.BytesWriter()
nonce = util.RawBytes(nonce)
if self.AttachedVerifyIO(reader, writer, nonce):
return util.RawString(getoutput())
return None
def Decrypt(self, signed_ciphertext):
"""
Verifies the signature on the given ciphertext and, if successful,
decrypts it and returns the decrypted plaintext.
If verification fails, returns None.
"""
reader = util.BytesReader(util.Base64WSDecode(signed_ciphertext))
writer, getoutput = util.BytesWriter()
if not self._verifier.AttachedVerifyIO(reader, writer,
self._session.nonce):
return None
return self._session.crypter.Decrypt(getoutput(), None)
def DecryptIO(self, reader, writer):
"""
Decrypts from an IO reader and writes the plaintext to an IO writer.
@param reader: binary ciphertext to be decrypted
@type reader: io.BufferedReader
@param writer: writer to recieve binary plaintext
@type encoder: io.BufferedWriter
@raise ShortCiphertextError: if length is too short to have Header, IV, Sig
@raise BadVersionError: if header specifies an illegal version
@raise BadFormatError: if header specifies an illegal format
@raise KeyNotFoundError: if key specified in header doesn't exist
@raise InvalidSignatureError: if the signature can't be verified
"""
header = util.ReadLength(reader, constants.HEADER_SIZE)
if len(header) < constants.HEADER_SIZE:
raise errors.ShortCiphertextError(len(header))
matchedkeys = self._ParseHeader(header)
tempwriter = writer
multiplekeys = len(matchedkeys) > 1
for key in matchedkeys:
if multiplekeys:
# if we have more than one key possiblity we need
# to take precations
if not reader.seekable():
# read the entire stream if it's not seekable
reader = util.BytesReader(header + util.ReadAll(reader))
reader.seek(constants.HEADER_SIZE)
# use a temp writer
tempwriter, getvalue = util.BytesWriter()
try:
key.DecryptIO(header, reader, tempwriter)
if multiplekeys:
#write to final output on success
writer.write(getvalue())
writer.flush()
return
except errors.InvalidSignatureError:
pass
except errors.OaepDecodingError:
pass
except:
pass # we should pass on all exceptions
# as to not leak anything more than
# invalid cipher text
raise errors.InvalidSignatureError()
def _decryptWithKey(self, value, aeskey):
reader = util.BytesReader(value)
header = reader.read(constants.HEADER_SIZE)
writer, getoutput = util.BytesWriter()
aeskey.DecryptIO(header, reader, writer)
return getoutput()
def _encryptWithKey(self, value, aeskey):
reader = util.BytesReader(value)
writer, getoutput = util.BytesWriter()
aeskey.EncryptIO(reader, writer)
return getoutput()
def __init__(self, crypter, session_material):
material_bytes = util.Base64WSDecode(session_material)
writer, getoutput = util.BytesWriter()
reader = util.BytesReader(material_bytes)
crypter.DecryptIO(reader, writer)
self._session = _Session.LoadPackedKey(getoutput())