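def _decryptAndImportKdk(self, kdkData, onError):
    """
    Decrypt the KDK Data packet's content with the credentials key held in
    the key chain's TPM and import the recovered SafeBag into the internal
    key chain.

    :param Data kdkData: The fetched KDK Data packet.
    :param onError: On error, this calls onError(errorCode, message) where
      errorCode is from EncryptError.ErrorCode and message is a str.
    :type onError: function object
    :return: True for success, False for error (where this has called
      onError).
    :rtype: bool
    """
    try:
        logging.getLogger(__name__).info(
            "Decrypting and importing KDK " + kdkData.getName().toUri())
        encryptedContent = EncryptedContent()
        encryptedContent.wireDecodeV2(kdkData.getContent())
        safeBag = SafeBag(encryptedContent.getPayload())

        # The payload key is unwrapped by the TPM under the credentials key.
        # A null Blob is the TPM's signal that it does not hold that key.
        secret = self._keyChain.getTpm().decrypt(
            encryptedContent.getPayloadKey().toBytes(),
            self._credentialsKey.getName())
        if secret.isNull():
            # Use self._credentialsKey here: the original referenced an
            # undefined module-level name, so this branch raised NameError
            # and was misreported as DecryptionFailure by the handler below.
            onError(
                EncryptError.ErrorCode.TpmKeyNotFound,
                "Could not decrypt secret, " +
                self._credentialsKey.getName().toUri() + " not found in TPM")
            return False

        self._internalKeyChain.importSafeBag(safeBag, secret.toBytes())
        return True
    except Exception as ex:
        # Decoding, TPM decryption and import failures are all reported
        # through onError instead of propagating to the caller.
        onError(
            EncryptError.ErrorCode.DecryptionFailure,
            "Failed to decrypt KDK [" + kdkData.getName().toUri() + "]: " +
            repr(ex))
        return False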
def _decryptAndImportKdk(self, kdkData, onError):
    """
    Decrypt the KDK Data packet with the credentials key in the TPM and
    import the resulting SafeBag into the internal key chain.

    :param Data kdkData: The fetched KDK Data packet.
    :param onError: On error, this calls onError(errorCode, message) where
      errorCode is from EncryptError.ErrorCode and message is a str.
    :type onError: function object
    :return: True for success, False for error (where this has called
      onError).
    :rtype: bool
    """
    log = logging.getLogger(__name__)
    try:
        kdkUri = kdkData.getName().toUri()
        log.info("Decrypting and importing KDK " + kdkUri)

        wrapped = EncryptedContent()
        wrapped.wireDecodeV2(kdkData.getContent())
        bag = SafeBag(wrapped.getPayload())

        # Ask the TPM to unwrap the payload key with the credentials key.
        credentialsKeyName = self._credentialsKey.getName()
        tpm = self._keyChain.getTpm()
        bagPassword = tpm.decrypt(
            wrapped.getPayloadKey().toBytes(), credentialsKeyName)

        # A null result means the TPM has no such key.
        if bagPassword.isNull():
            message = ("Could not decrypt secret, " +
                       credentialsKeyName.toUri() + " not found in TPM")
            onError(EncryptError.ErrorCode.TpmKeyNotFound, message)
            return False

        self._internalKeyChain.importSafeBag(bag, bagPassword.toBytes())
        return True
    except Exception as ex:
        # Every other failure is funneled to onError as DecryptionFailure.
        message = ("Failed to decrypt KDK [" + kdkData.getName().toUri() +
                   "]: " + repr(ex))
        onError(EncryptError.ErrorCode.DecryptionFailure, message)
        return False
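def _decrypt(encryptedContent, keyBits, onPlainText, onError):
    """
    Decrypt encryptedContent using keyBits.

    :param encryptedContent: The EncryptedContent to decrypt, or a Blob which
      is first decoded as an EncryptedContent.
    :type encryptedContent: Blob or EncryptedContent
    :param Blob keyBits: The key value.
    :param onPlainText: When encryptedContent is decrypted, this calls
      onPlainText(decryptedBlob) with the decrypted Blob.
    :type onPlainText: function object
    :param onError: This calls onError(errorCode, message) for an error, where
      errorCode is from EncryptError.ErrorCode and message is a str.
    :type onError: function object
    """
    if isinstance(encryptedContent, Blob):
        # Decode as EncryptedContent.
        encryptedBlob = encryptedContent
        encryptedContent = EncryptedContent()
        encryptedContent.wireDecode(encryptedBlob)

    payload = encryptedContent.getPayload()
    algorithmType = encryptedContent.getAlgorithmType()

    # Select the algorithm and prepare its parameters.
    if algorithmType == EncryptAlgorithmType.AesCbc:
        # NOTE(review): no authentication tag is handled in this block; the
        # payload's integrity is presumably covered elsewhere (e.g. by the
        # Data packet's signature) — confirm.
        decryptParams = EncryptParams(EncryptAlgorithmType.AesCbc)
        decryptParams.setInitialVector(encryptedContent.getInitialVector())
        decryptFunction = AesAlgorithm.decrypt
    elif algorithmType == EncryptAlgorithmType.RsaOaep:
        decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
        decryptFunction = RsaAlgorithm.decrypt
    else:
        Consumer._callOnError(
            onError, EncryptError.ErrorCode.UnsupportedEncryptionScheme,
            repr(algorithmType))
        return

    # Decrypt the content. Both algorithms now report failures through
    # Consumer._callOnError, so an exception raised by the application's
    # onError is handled the same way the RsaOaep branch already did instead
    # of the AesCbc branch keeping its own inline bare-except copy.
    try:
        content = decryptFunction(keyBits, payload, decryptParams)
    except Exception as ex:
        Consumer._callOnError(
            onError, EncryptError.ErrorCode.InvalidEncryptedFormat, repr(ex))
        return

    # Outside the try so an exception in onPlainText is not misreported as a
    # decryption failure.
    onPlainText(content)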
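def _decrypt(encryptedContent, keyBits, onPlainText, onError):
    """
    Decrypt encryptedContent using keyBits.

    :param encryptedContent: The EncryptedContent to decrypt, or a Blob which
      is first decoded as an EncryptedContent.
    :type encryptedContent: Blob or EncryptedContent
    :param Blob keyBits: The key value.
    :param onPlainText: When encryptedContent is decrypted, this calls
      onPlainText(decryptedBlob) with the decrypted Blob.
    :type onPlainText: function object
    :param onError: This calls onError(errorCode, message) for an error, where
      errorCode is from EncryptError.ErrorCode and message is a str.
    :type onError: function object
    """
    if isinstance(encryptedContent, Blob):
        # Decode as EncryptedContent.
        encryptedContent = _decodeEncryptedContent(encryptedContent)

    payload = encryptedContent.getPayload()
    algorithmType = encryptedContent.getAlgorithmType()

    if algorithmType == EncryptAlgorithmType.AesCbc:
        # NOTE(review): nothing in this block authenticates the ciphertext;
        # integrity is presumably provided by the enclosing Data packet's
        # signature — confirm.
        decryptParams = EncryptParams(EncryptAlgorithmType.AesCbc)
        decryptParams.setInitialVector(encryptedContent.getInitialVector())
        decryptFunction = AesAlgorithm.decrypt
    elif algorithmType == EncryptAlgorithmType.RsaOaep:
        decryptParams = EncryptParams(EncryptAlgorithmType.RsaOaep)
        decryptFunction = RsaAlgorithm.decrypt
    else:
        Consumer._callOnError(
            onError, EncryptError.ErrorCode.UnsupportedEncryptionScheme,
            repr(algorithmType))
        return

    # Decrypt the content. Failures of either algorithm go through
    # Consumer._callOnError, which the RsaOaep branch already used; the
    # AesCbc branch no longer keeps a divergent inline bare-except copy.
    try:
        content = decryptFunction(keyBits, payload, decryptParams)
    except Exception as ex:
        Consumer._callOnError(
            onError, EncryptError.ErrorCode.InvalidEncryptedFormat, repr(ex))
        return

    # Kept outside the try so an exception raised by onPlainText is not
    # reported as InvalidEncryptedFormat.
    onPlainText(content)


def _decodeEncryptedContent(encryptedBlob):
    """
    Decode encryptedBlob as an EncryptedContent.

    :param Blob encryptedBlob: The wire-encoded EncryptedContent.
    :return: The decoded EncryptedContent.
    :rtype: EncryptedContent
    """
    encryptedContent = EncryptedContent()
    encryptedContent.wireDecode(encryptedBlob)
    return encryptedContent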
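def _decryptCkAndProcessPendingDecrypts(self, contentKey, ckData, kdkKeyName, onError):
    """
    Decrypt the content key (CK) carried in ckData with the KDK named
    kdkKeyName in the internal key chain's TPM, store the key bits in
    contentKey, then run every decrypt that was waiting for this CK.

    :param contentKey: The entry whose bits, isRetrieved and pendingDecrypts
      this method updates.
    :param Data ckData: The fetched CK Data packet.
    :param Name kdkKeyName: The name of the KDK key in the internal TPM.
    :param onError: On error, this calls onError(errorCode, message) where
      errorCode is from EncryptError.ErrorCode and message is a str.
    :type onError: function object
    """
    # Use a lazy %s argument. The original passed the URI as a positional
    # argument to a message with no placeholder, which makes the logging
    # module raise a formatting error instead of logging the name.
    logging.getLogger(__name__).info(
        "Decrypting CK data %s", ckData.getName().toUri())

    content = EncryptedContent()
    try:
        content.wireDecodeV2(ckData.getContent())
    except Exception as ex:
        onError(EncryptError.ErrorCode.InvalidEncryptedFormat,
                "Error decrypting EncryptedContent: " + repr(ex))
        return

    try:
        ckBits = self._internalKeyChain.getTpm().decrypt(
            content.getPayload().toBytes(), kdkKeyName)
    except Exception as ex:
        # We don't expect this from the in-memory KeyChain.
        onError(EncryptError.ErrorCode.DecryptionFailure,
                "Error decrypting the CK EncryptedContent " + repr(ex))
        return

    # A null Blob is the TPM's signal that it does not hold kdkKeyName.
    if ckBits.isNull():
        onError(
            EncryptError.ErrorCode.TpmKeyNotFound,
            "Could not decrypt secret, " + kdkKeyName.toUri() +
            " not found in TPM")
        return

    contentKey.bits = ckBits
    contentKey.isRetrieved = True

    for pendingDecrypt in contentKey.pendingDecrypts:
        # TODO: If this calls onError, should we quit?
        DecryptorV2._doDecrypt(
            pendingDecrypt.encryptedContent, contentKey.bits,
            pendingDecrypt.onSuccess, pendingDecrypt.onError)
    contentKey.pendingDecrypts = []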
def _decryptCkAndProcessPendingDecrypts(
        self, contentKey, ckData, kdkKeyName, onError):
    """
    Decrypt the content key (CK) in ckData with the KDK named kdkKeyName in
    the internal key chain's TPM, record it in contentKey, and drain the
    decrypts that were waiting for it.

    :param contentKey: The entry whose bits, isRetrieved and pendingDecrypts
      this method updates.
    :param Data ckData: The fetched CK Data packet.
    :param Name kdkKeyName: The name of the KDK key in the internal TPM.
    :param onError: On error, this calls onError(errorCode, message) where
      errorCode is from EncryptError.ErrorCode and message is a str.
    :type onError: function object
    """
    log = logging.getLogger(__name__)
    log.info("Decrypting CK data " + ckData.getName().toUri())

    # Step 1: decode the wrapped CK.
    wrappedCk = EncryptedContent()
    try:
        wrappedCk.wireDecodeV2(ckData.getContent())
    except Exception as ex:
        onError(EncryptError.ErrorCode.InvalidEncryptedFormat,
                "Error decrypting EncryptedContent: " + repr(ex))
        return

    # Step 2: unwrap it with the KDK held by the internal TPM.
    try:
        tpm = self._internalKeyChain.getTpm()
        keyBits = tpm.decrypt(wrappedCk.getPayload().toBytes(), kdkKeyName)
    except Exception as ex:
        # We don't expect this from the in-memory KeyChain.
        onError(EncryptError.ErrorCode.DecryptionFailure,
                "Error decrypting the CK EncryptedContent " + repr(ex))
        return

    # A null Blob means the TPM does not hold kdkKeyName.
    if keyBits.isNull():
        onError(EncryptError.ErrorCode.TpmKeyNotFound,
                "Could not decrypt secret, " + kdkKeyName.toUri() +
                " not found in TPM")
        return

    # Step 3: publish the key and service everything queued on it.
    contentKey.bits = keyBits
    contentKey.isRetrieved = True

    queued = contentKey.pendingDecrypts
    for item in queued:
        # TODO: If this calls onError, should we quit?
        DecryptorV2._doDecrypt(
            item.encryptedContent, contentKey.bits, item.onSuccess,
            item.onError)
    contentKey.pendingDecrypts = []