def verify_sym_key(archived_key, archived_iv, algorithm, plain_text):
""" This function verifies whether archived key is usable, Actually
verifying this is senseless, reason any random data can be used for encryption,
but still just for the heck of it.
"""
# Initialize NSS
nss.nss_init_nodb()
# Decode the base64 string to binary
key = base64.decodestring(archived_data)
# Currently we are assuming the mechanism to AES
# Will need to add other mechanisms later, but
# this is just an example.
mechanism = nss.CKM_AES_CBC_PAD
# Get the best pkcs11 slot
slot = nss.get_best_slot(mechanism)
# convert the binary to hex with separtor as :
pki_key = nss.data_to_hex(data=key,separator=":")
# create a nssSecItem object out of it.
key_si = nss.SecItem(nss.read_hex(pki_key))
# Import the key to the slot
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, key_si)
# Same for the nonce data
iv = base64.decodestring(archived_iv)
iv_data = nss.data_to_hex(data=iv,separator=":")
iv_si = nss.SecItem(nss.read_hex(iv_data))
iv_param = nss.param_from_iv(mechanism, iv_si)
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,sym_key, iv_param)
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,sym_key, iv_param)
cipher_text = encoding_ctx.cipher_op(plain_text)
cipher_text += encoding_ctx.digest_final()
print cipher_text
decoded_text = decoding_ctx.cipher_op(cipher_text)
decoded_text += decoding_ctx.digest_final()
print decoded_text
def setup_contexts(mechanism, key, iv):
# Get a PK11 slot based on the cipher
slot = nss.get_best_slot(mechanism)
# If key was supplied use it, otherwise generate one
if key:
if verbose:
print("using supplied key data")
print("key:\n%s" % (key))
key_si = nss.SecItem(nss.read_hex(key))
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap,
nss.CKA_ENCRYPT, key_si)
else:
if verbose:
print("generating key data")
sym_key = slot.key_gen(mechanism, None,
slot.get_best_key_length(mechanism))
# If initialization vector was supplied use it, otherwise set it to None
if iv:
if verbose:
print("supplied iv:\n%s" % (iv))
iv_data = nss.read_hex(iv)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
iv_data = nss.generate_random(iv_length)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
if verbose:
print("generated %d byte initialization vector: %s" %
(iv_length, nss.data_to_hex(iv_data, separator=":")))
else:
iv_param = None
# Create an encoding context
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, iv_param)
# Create a decoding context
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, iv_param)
return encoding_ctx, decoding_ctx
def setup_contexts(mechanism, key, iv):
# Get a PK11 slot based on the cipher
slot = nss.get_best_slot(mechanism)
# If key was supplied use it, otherwise generate one
if key:
if verbose:
print "using supplied key data"
print "key:\n%s" % (key)
key_si = nss.SecItem(nss.read_hex(key))
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap,
nss.CKA_ENCRYPT, key_si)
else:
if verbose:
print "generating key data"
sym_key = slot.key_gen(mechanism, None, slot.get_best_key_length(mechanism))
# If initialization vector was supplied use it, otherwise set it to None
if iv:
if verbose:
print "supplied iv:\n%s" % (iv)
iv_data = nss.read_hex(iv)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
iv_data = nss.generate_random(iv_length)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
if verbose:
print "generated %d byte initialization vector: %s" % \
(iv_length, nss.data_to_hex(iv_data, separator=":"))
else:
iv_param = None
# Create an encoding context
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, iv_param)
# Create a decoding context
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, iv_param)
return encoding_ctx, decoding_ctx
def __call__(self, element, mac=None):
(mech, ivlen) = fetch(element, "./xenc:EncryptionMethod/@Algorithm", convertAlgorithm)
data = fetch(element, "./xenc:CipherData/xenc:CipherValue/text()", base64.b64decode)
# If a MAC is present, perform validation.
if mac:
tmp = self.__hmac.copy()
tmp.update(data)
if tmp.digest() != mac:
raise ValidationError("MAC validation failed!")
# Decrypt the data.
slot = nss.get_best_slot(mech)
key = nss.import_sym_key(slot, mech, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, self.__key)
iv = nss.param_from_iv(mech, nss.SecItem(data[0:ivlen/8]))
ctx = nss.create_context_by_sym_key(mech, nss.CKA_DECRYPT, key, iv)
out = ctx.cipher_op(data[ivlen / 8:])
out += ctx.digest_final()
return out
def __call__(self, element, mac=None):
(mech, ivlen) = fetch(element, "./xenc:EncryptionMethod/@Algorithm", convertAlgorithm)
data = fetch(element, "./xenc:CipherData/xenc:CipherValue/text()", base64.b64decode)
# If a MAC is present, perform validation.
if mac:
tmp = self.__hmac.copy()
tmp.update(data)
if tmp.digest() != mac:
raise ValidationError("MAC validation failed!")
# Decrypt the data.
slot = nss.get_best_slot(mech)
key = nss.import_sym_key(slot, mech, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, self.__key)
iv = nss.param_from_iv(mech, nss.SecItem(data[0:ivlen//8]))
ctx = nss.create_context_by_sym_key(mech, nss.CKA_DECRYPT, key, iv)
out = ctx.cipher_op(data[ivlen // 8:])
out += ctx.digest_final()
return out
