예제 #1
0
    def password_encrypt(data, password):
        """
        Encrypt the given text with the password.
        A key is derived from the password and used to encrypt the text in
        AES MODE_CBC. The IV is returned together with the cipher text.
        <IV:Cipher>

        :param data: The text to encrypt
        :type data: str or bytes
        :param password: The password to derive a key from
        :type password: str or bytes
        :return: IV and cipher text
        :rtype: str
        """
        bkey = create_key_from_password(password)
        # convert input to ascii, so we can securely append bin data for padding
        input_data = binascii.hexlify(to_bytes(data))
        input_data += b"\x01\x02"
        padding = (16 - len(input_data) % 16) % 16
        input_data += padding * b"\0"
        iv = geturandom(16)
        cipher = aes_cbc_encrypt(bkey, iv, input_data)
        iv_hex = hexlify_and_unicode(iv)
        cipher_hex = hexlify_and_unicode(cipher)
        return "{0!s}:{1!s}".format(iv_hex, cipher_hex)
예제 #2
0
    def encrypt(self, data, iv, key_id=SecurityModule.TOKEN_KEY):
        """
        security module methods: encrypt

        :param data: the data that is to be encrypted
        :type data: bytes

        :param iv: initialisation vector
        :type iv: bytes

        :param key_id: slot of the key array. The key file contains 96
            bytes, which are made up of 3 32byte keys.
        :type key_id: int

        :return: encrypted data
        :rtype:  bytes
        """
        if self.is_ready is False:
            raise HSMException('setup of security module incomplete')

        key = self._get_secret(key_id)

        # convert input to ascii, so we can securely append bin data for padding
        input_data = binascii.b2a_hex(data)
        input_data += b"\x01\x02"
        padding = (16 - len(input_data) % 16) % 16
        input_data += padding * b"\0"

        res = aes_cbc_encrypt(key, iv, input_data)

        if self.crypted is False:
            zerome(key)
            del key
        return res
예제 #3
0
def reencrypt(enc_data, iv, old_key, new_key):
    # decrypt LinOTP
    iv = binascii.unhexlify(iv)
    input_data = binascii.unhexlify(enc_data)
    output = aes_cbc_decrypt(old_key, iv, input_data)
    if not output:
        raise Exception('invalid encoded secret!')
    # unpad
    output = output.rstrip(b'\0')
    data = binascii.unhexlify(output)

    # encrypt anew
    iv = os.urandom(16)
    input_data = binascii.b2a_hex(data)
    input_data += b"\x01\x02"
    padding = (16 - len(input_data) % 16) % 16
    input_data += padding * b"\0"

    res = aes_cbc_encrypt(new_key, iv, input_data)
    return hexlify_and_unicode(res), hexlify_and_unicode(iv)
예제 #4
0
def reencrypt(enc_data, iv, old_key, new_key):
    # decrypt LinOTP
    iv = binascii.unhexlify(iv)
    input = binascii.unhexlify(enc_data)
    output = aes_cbc_decrypt(old_key, iv, input)
    eof = len(output) - 1
    if eof == -1:
        raise Exception('invalid encoded secret!')
    # unpad
    while output[eof] == '\0':
        eof -= 1
    output = output[0:eof - 1]
    data = binascii.unhexlify(output)

    # encrypt anew
    iv = os.urandom(16)
    input_data = binascii.b2a_hex(data)
    input_data += b"\x01\x02"
    padding = (16 - len(input_data) % 16) % 16
    input_data += padding * b"\0"

    res = aes_cbc_encrypt(new_key, iv, input_data)
    return hexlify_and_unicode(res), hexlify_and_unicode(iv)