def decrypt(self, enc_data, iv, key_id=SecurityModule.TOKEN_KEY):
"""
Decrypt the given data with the key from the key slot
:param enc_data: the to be decrypted data
:type enc_data: bytes
:param iv: initialisation vector (salt)
:type iv: bytes
:param key_id: slot of the key array
:type key_id: int
:return: decrypted data
:rtype: bytes
"""
if self.is_ready is False:
raise HSMException('setup of security module incomplete')
key = self._get_secret(key_id)
output = aes_cbc_decrypt(key, iv, enc_data)
# remove padding
eof = output.rfind(b"\x01\x02")
if eof >= 0:
output = output[:eof]
# convert output from ascii, back to bin data
data = binascii.unhexlify(output)
if self.crypted is False:
zerome(key)
del key
return data
def password_decrypt(enc_data, password):
"""
Decrypt the given data with the password.
A key is derived from the password. The data is hexlified data, the IV
is the first part, separated with a ":".
:param enc_data: The hexlified data
:type enc_data: str
:param password: The password, that is used to decrypt the data
:type password: str or bytes
:return: The clear test
:rtype: bytes
"""
bkey = create_key_from_password(password)
# split the input data
iv_hex, cipher_hex = enc_data.strip().split(":")
iv_bin = binascii.unhexlify(iv_hex)
cipher_bin = binascii.unhexlify(cipher_hex)
output = aes_cbc_decrypt(bkey, iv_bin, cipher_bin)
# remove padding
eof = output.rfind(b"\x01\x02")
if eof >= 0:
output = output[:eof]
cleartext = binascii.unhexlify(output)
return cleartext
def reencrypt(enc_data, iv, old_key, new_key):
# decrypt LinOTP
iv = binascii.unhexlify(iv)
input_data = binascii.unhexlify(enc_data)
output = aes_cbc_decrypt(old_key, iv, input_data)
if not output:
raise Exception('invalid encoded secret!')
# unpad
output = output.rstrip(b'\0')
data = binascii.unhexlify(output)
# encrypt anew
iv = os.urandom(16)
input_data = binascii.b2a_hex(data)
input_data += b"\x01\x02"
padding = (16 - len(input_data) % 16) % 16
input_data += padding * b"\0"
res = aes_cbc_encrypt(new_key, iv, input_data)
return hexlify_and_unicode(res), hexlify_and_unicode(iv)
def reencrypt(enc_data, iv, old_key, new_key):
# decrypt LinOTP
iv = binascii.unhexlify(iv)
input = binascii.unhexlify(enc_data)
output = aes_cbc_decrypt(old_key, iv, input)
eof = len(output) - 1
if eof == -1:
raise Exception('invalid encoded secret!')
# unpad
while output[eof] == '\0':
eof -= 1
output = output[0:eof - 1]
data = binascii.unhexlify(output)
# encrypt anew
iv = os.urandom(16)
input_data = binascii.b2a_hex(data)
input_data += b"\x01\x02"
padding = (16 - len(input_data) % 16) % 16
input_data += padding * b"\0"
res = aes_cbc_encrypt(new_key, iv, input_data)
return hexlify_and_unicode(res), hexlify_and_unicode(iv)