def testPKIWrap(self):
vek = binascii.unhexlify("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
publicKey = RSA.importKey(open(cert).read())
cipher = PKCS1_OAEP.new(key=publicKey, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
ciphertext = cipher.encrypt(vek)
key = RSA.importKey(open(privateKey).read())
cipher = PKCS1_OAEP.new(key=key, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
vek2 = cipher.decrypt(ciphertext)
self.assertEquals(vek, vek2)
def rsaEncrypt(self, data):
rsa_key = self.getRsaPublicKey()
rsa_chiper = PKCS1_OAEP.new(key=rsa_key,
hashAlgo=SHA1,
mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
return rsa_chiper.encrypt(data)
def encrypt_and_upload_files(tmp_dir, s3_bucket, s3_prefix, hsm_key_id,
aws_default_region, hsm_key_param_name):
hsm_key_file = b64decode(
get_hsm_key(hsm_key_param_name, aws_default_region))
hsm_key = RSA.import_key(hsm_key_file)
for root, _, files in os.walk(tmp_dir):
for name in files:
session_key = get_random_bytes(16)
# Session key gets encrypted with RSA HSM public key
# This encryption cipher makes us compatible with DKS
cipher_rsa = PKCS1_OAEP.new(
key=hsm_key,
hashAlgo=SHA256,
mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
enc_session_key = cipher_rsa.encrypt(session_key)
# Data gets encrypted with AES session key (session_key)
cipher_aes = AES.new(session_key, AES.MODE_EAX)
in_file = os.path.join(root, name)
out_file = in_file + ".gz.enc"
with open(in_file, "rb") as fin, open(out_file, "wb") as fout:
compressed_data = zlib.compress(fin.read())
fout.write(cipher_aes.encrypt(compressed_data))
s3_object_metadata = {
"x-amz-meta-iv": b64encode(cipher_aes.nonce).decode(),
"x-amz-meta-ciphertext": b64encode(enc_session_key).decode(),
"x-amz-meta-datakeyencryptionkeyid": hsm_key_id,
}
upload_to_s3(out_file, s3_object_metadata, s3_bucket, s3_prefix,
aws_default_region)
def __init__(self, key):
rsa_private = RSA.importKey(key)
self.decrypter = PKCS1_OAEP.new(
rsa_private,
hashAlgo=SHA256,
mgfunc=lambda x, y: pss.MGF1(x, y, SHA256))
self.signer = PKCS1_v1_5.new(rsa_private)
def rsaVerifySignatureFromBase64(publicKeyPem, message, signatureBase64):
rsaPublicKey = RSA.import_key(publicKeyPem)
signatureBytes = base64Decoding(signatureBase64)
hashMessage = Hash.SHA256.new(message.encode("ascii"))
verifier = pss.new(rsaPublicKey, mask_func=lambda x, y: pss.MGF1(x, y, Hash.SHA256), salt_bytes=Hash.SHA256.digest_size)
try:
verifier.verify(hashMessage, signatureBytes)
return True
except (ValueError):
return False
def create(vek, keySizeBytes, certificatePath):
#print("VEK: " + str(binascii.hexlify(vek)))
publicKeyPem = open(certificatePath).read()
publicKey = RSA.importKey(publicKeyPem)
# Convert from PEM to DER
lines = publicKeyPem.replace(" ", '').split()
publicKeyDer = binascii.a2b_base64(''.join(lines[1:-1]))
cert = x509.load_pem_x509_certificate(SmartStr(publicKeyPem), default_backend())
subjectName = cert.subject.rfc4514_string()
serial = cert.serial_number
cipher = PKCS1_OAEP.new(key=publicKey, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
wrapped_key = cipher.encrypt(vek)
#print("WrappedKey: " + str(binascii.hexlify(wrapped_key)))
return CertEncryptedKeyBag(subjectName, serial, keySizeBytes, wrapped_key)
def unwrap_key(self, privateKey):
key = RSA.importKey(open(privateKey).read())
cipher = PKCS1_OAEP.new(key=key, hashAlgo=SHA256, mgfunc=lambda x, y: pss.MGF1(x, y, SHA1))
vek = cipher.decrypt(self.wrappedKey)
#print("VEK: " + str(binascii.hexlify(vek)))
return vek
def __init__(self, keypath):
f = open(keypath, 'r')
rsa_private = RSA.importKey(f.read())
self.decrypter = PKCS1_OAEP.new(rsa_private, hashAlgo=SHA256, mgfunc= lambda x, y: pss.MGF1(x, y, SHA1))
self.signer = PKCS1_v1_5.new(rsa_private)