def setup_contexts(self, mechanism, sym_key, iv):
# Get a PK11 slot based on the cipher
slot = nss.get_best_slot(mechanism)
if sym_key is None:
sym_key = slot.key_gen(
mechanism,
None,
slot.get_best_key_length(mechanism))
# If initialization vector was supplied use it, otherwise set it to
# None
if iv:
iv_data = nss.read_hex(iv)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
iv_data = nss.generate_random(iv_length)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_param = None
# Create an encoding context
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, iv_param)
# Create a decoding context
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, iv_param)
return encoding_ctx, decoding_ctx
def setup_contexts(self, mechanism, sym_key, iv):
# Get a PK11 slot based on the cipher
slot = nss.get_best_slot(mechanism)
if sym_key is None:
sym_key = slot.key_gen(mechanism, None,
slot.get_best_key_length(mechanism))
# If initialization vector was supplied use it, otherwise set it to
# None
if iv:
iv_data = nss.read_hex(iv)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
iv_data = nss.generate_random(iv_length)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_param = None
# Create an encoding context
encoding_ctx = nss.create_context_by_sym_key(mechanism,
nss.CKA_ENCRYPT, sym_key,
iv_param)
# Create a decoding context
decoding_ctx = nss.create_context_by_sym_key(mechanism,
nss.CKA_DECRYPT, sym_key,
iv_param)
return encoding_ctx, decoding_ctx
def verify_sym_key(archived_key, archived_iv, algorithm, plain_text):
""" This function verifies whether archived key is usable, Actually
verifying this is senseless, reason any random data can be used for encryption,
but still just for the heck of it.
"""
# Initialize NSS
nss.nss_init_nodb()
# Decode the base64 string to binary
key = base64.decodestring(archived_data)
# Currently we are assuming the mechanism to AES
# Will need to add other mechanisms later, but
# this is just an example.
mechanism = nss.CKM_AES_CBC_PAD
# Get the best pkcs11 slot
slot = nss.get_best_slot(mechanism)
# convert the binary to hex with separtor as :
pki_key = nss.data_to_hex(data=key,separator=":")
# create a nssSecItem object out of it.
key_si = nss.SecItem(nss.read_hex(pki_key))
# Import the key to the slot
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, key_si)
# Same for the nonce data
iv = base64.decodestring(archived_iv)
iv_data = nss.data_to_hex(data=iv,separator=":")
iv_si = nss.SecItem(nss.read_hex(iv_data))
iv_param = nss.param_from_iv(mechanism, iv_si)
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,sym_key, iv_param)
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,sym_key, iv_param)
cipher_text = encoding_ctx.cipher_op(plain_text)
cipher_text += encoding_ctx.digest_final()
print cipher_text
decoded_text = decoding_ctx.cipher_op(cipher_text)
decoded_text += decoding_ctx.digest_final()
print decoded_text
def setup_contexts(mechanism, key, iv):
# Get a PK11 slot based on the cipher
slot = nss.get_best_slot(mechanism)
# If key was supplied use it, otherwise generate one
if key:
if verbose:
print("using supplied key data")
print("key:\n%s" % (key))
key_si = nss.SecItem(nss.read_hex(key))
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap,
nss.CKA_ENCRYPT, key_si)
else:
if verbose:
print("generating key data")
sym_key = slot.key_gen(mechanism, None,
slot.get_best_key_length(mechanism))
# If initialization vector was supplied use it, otherwise set it to None
if iv:
if verbose:
print("supplied iv:\n%s" % (iv))
iv_data = nss.read_hex(iv)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
iv_data = nss.generate_random(iv_length)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
if verbose:
print("generated %d byte initialization vector: %s" %
(iv_length, nss.data_to_hex(iv_data, separator=":")))
else:
iv_param = None
# Create an encoding context
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, iv_param)
# Create a decoding context
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, iv_param)
return encoding_ctx, decoding_ctx
def setup_contexts(mechanism, key, iv):
# Get a PK11 slot based on the cipher
slot = nss.get_best_slot(mechanism)
# If key was supplied use it, otherwise generate one
if key:
if verbose:
print "using supplied key data"
print "key:\n%s" % (key)
key_si = nss.SecItem(nss.read_hex(key))
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap,
nss.CKA_ENCRYPT, key_si)
else:
if verbose:
print "generating key data"
sym_key = slot.key_gen(mechanism, None, slot.get_best_key_length(mechanism))
# If initialization vector was supplied use it, otherwise set it to None
if iv:
if verbose:
print "supplied iv:\n%s" % (iv)
iv_data = nss.read_hex(iv)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
iv_data = nss.generate_random(iv_length)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
if verbose:
print "generated %d byte initialization vector: %s" % \
(iv_length, nss.data_to_hex(iv_data, separator=":"))
else:
iv_param = None
# Create an encoding context
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, iv_param)
# Create a decoding context
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, iv_param)
return encoding_ctx, decoding_ctx
def symmetric_wrap(self, data, wrapping_key, mechanism=nss.CKM_DES3_CBC_PAD,
nonce_iv=None):
"""
:param data Data to be wrapped
:param wrapping_key Symmetric key to wrap data
Wrap (encrypt) data using the supplied symmetric key
"""
if nonce_iv is None:
nonce_iv = nss.read_hex(self.nonce_iv)
encoding_ctx, _decoding_ctx = self.setup_contexts(mechanism,
wrapping_key,
nonce_iv)
wrapped_data = encoding_ctx.cipher_op(data) +\
encoding_ctx.digest_final()
return wrapped_data
def symmetric_unwrap(self, data, wrapping_key,
mechanism=nss.CKM_DES3_CBC_PAD, nonce_iv=None):
"""
:param data Data to be unwrapped
:param wrapping_key Symmetric key to unwrap data
:param nonce_iv iv data
Unwrap (decrypt) data using the supplied symmetric key
"""
if nonce_iv is None:
nonce_iv = nss.read_hex(self.nonce_iv)
_encoding_ctx, decoding_ctx = self.setup_contexts(mechanism,
wrapping_key,
nonce_iv)
unwrapped_data = decoding_ctx.cipher_op(data) \
+ decoding_ctx.digest_final()
return unwrapped_data
def symmetric_wrap(self,
data,
wrapping_key,
mechanism=nss.CKM_DES3_CBC_PAD,
nonce_iv=None):
"""
:param data Data to be wrapped
:param wrapping_key Symmetric key to wrap data
Wrap (encrypt) data using the supplied symmetric key
"""
if nonce_iv is None:
nonce_iv = nss.read_hex(self.nonce_iv)
encoding_ctx, _decoding_ctx = self.setup_contexts(
mechanism, wrapping_key, nonce_iv)
wrapped_data = encoding_ctx.cipher_op(data) +\
encoding_ctx.digest_final()
return wrapped_data
def symmetric_unwrap(self,
data,
wrapping_key,
mechanism=nss.CKM_DES3_CBC_PAD,
nonce_iv=None):
"""
:param data Data to be unwrapped
:param wrapping_key Symmetric key to unwrap data
:param nonce_iv iv data
Unwrap (decrypt) data using the supplied symmetric key
"""
if nonce_iv is None:
nonce_iv = nss.read_hex(self.nonce_iv)
_encoding_ctx, decoding_ctx = self.setup_contexts(
mechanism, wrapping_key, nonce_iv)
unwrapped_data = decoding_ctx.cipher_op(data) \
+ decoding_ctx.digest_final()
return unwrapped_data
