def _validate_certificate_params_dict(self, certificate_params_dict): certificate_params_is_valid = False generate_new_certificate = False for key in certificate_params_dict: if key not in ['C', 'CN', 'L', 'O', 'ST', 'OU', 'emailAddress']: if key not in ['private_key_path', 'certificate_path']: logger.error( "Invalid Key is being passed in configuration!" + repr(key)) raise RuntimeError( "Invalid Key is being passed in configuration!") else: # pre-generated cert/key, check if exist if os.path.exists( certificate_params_dict['private_key_path'] ) is False: err_str = "private_key_path does not exist: {0}!".format( certificate_params_dict['private_key_path']) logger.error(err_str) certificate_params_is_valid = False raise RuntimeError(err_str) if os.path.exists( certificate_params_dict['certificate_path'] ) is False: err_str = "certificate_path does not exist: {0}!".format( certificate_params_dict['certificate_path']) logger.error(err_str) certificate_params_is_valid = False raise RuntimeError(err_str) cert_version = crypto.cert.get_version( crypto.cert.get_text( c_path.load_data_from_file( certificate_params_dict['certificate_path']))) if cert_version == crypto.cert.CERT_V3: generate_new_certificate = False certificate_params_is_valid = True else: logger.critical('Certificate version is incorrect: ' + str(cert_version)) raise RuntimeError( 'Invalid certificate: ' + certificate_params_dict['certificate_path']) else: # generate new cert/key certificate_params_is_valid = True generate_new_certificate = True return certificate_params_is_valid, generate_new_certificate
def decrypt(self, message, key, iv, ciphername=AesCbcBase.CIPHERNAME_128): message_path, decrypted_message_path = None, None try: message_path = c_path.create_tmp_file(message) decrypted_message_path = c_path.create_tmp_file() cmd = [ self.openssl, 'enc', ciphername, '-d', '-in', message_path, '-K', key, '-iv', iv, '-out', decrypted_message_path, '-nopad' ] run_command(cmd) return c_path.load_data_from_file(decrypted_message_path) finally: c_path.remove_tmp_file(message_path) c_path.remove_tmp_file(decrypted_message_path)
def _populate_database(cls, data_prov_object, level, path): """ Recursively creates and fills in the DataProvObject including all of it's children :param data_prov_object: the highest level of the DataProvObject hierarchy :type data_prov_object: DataProvObject :param level: the level depth of the current data prov hierarchy. Should be set to 1 when initially calling _populate_database :type level: int :param path: the path in the file system corresponding to the current data prov level through which to scan and populate the DataProvObject :type path: str :rtype: None :raises: RuntimeError """ for item in os.listdir(path): if item.endswith(".xml") and level == BINARY_FILE_LEVEL: data_prov_object.config = cls._get_config( c_path.join(path, item)) # allow for unix style hidden folders to exist elif item.startswith("."): continue elif c_path.validate_dir(c_path.join( path, item)) and level == BINARY_FILE_LEVEL: raise RuntimeError( "DataProvisioner: found directory {0} in binary_file level of DataProvisioner. \ Directories are not allowed in the binary_file level".format( item)) elif not c_path.validate_dir(c_path.join( path, item)) and level != BINARY_FILE_LEVEL: raise RuntimeError( "DataProvisioner: found binary file {0} in level {1} of DataProvisioner. \ Binary files are only allowed at the binary_file level".format( item, cls._level_num_to_name(level))) elif level == 4: try: data_prov_object.files[item] = c_path.load_data_from_file( c_path.join(path, item)) except: raise RuntimeError( "DataProvisioner: Can't open {0}".format( c_path.join(path, item))) # recursively populate database children if level < BINARY_FILE_LEVEL: child_data_prov_object = DataProvObject( item, c_path.join(path, item)) data_prov_object.children[item] = child_data_prov_object cls._populate_database(child_data_prov_object, level + 1, c_path.join(path, item))
def encrypt(self, message, key, iv, aad): message_path, encrypted_message_path = None, None try: message_path = c_path.create_tmp_file(message) encrypted_message_path = c_path.create_tmp_file() cmd = [ self.crypto_ccm, '--input-file', message_path, '--key', key, '--iv', iv, '--output', encrypted_message_path, '--operation=encrypt', '--aad', aad ] run_command(cmd, log=False) return c_path.load_data_from_file(encrypted_message_path) finally: c_path.remove_tmp_file(message_path) c_path.remove_tmp_file(encrypted_message_path)
def decrypt(self, message, key, iv): message_path, decrypted_message_path = None, None try: message_path = c_path.create_tmp_file(message) decrypted_message_path = c_path.create_tmp_file() cmd = [ self.crypto_cbc, '--input-file', message_path, '--key', key, '--iv', iv, '--output', decrypted_message_path, '--operation=decrypt' ] run_command(cmd, log=False) return c_path.load_data_from_file(decrypted_message_path) finally: c_path.remove_tmp_file(message_path) c_path.remove_tmp_file(decrypted_message_path)
def encrypt_segment(self, binary_segment, segment_num): ''' Encrypt elf segments using cbc encryption input: binary_segment: A string representing the binary segment that needs to be encrypted. segment_num: The segment number, used to calculate the segment IV output: encrypted_binary_segment: CBC encrypted segment ''' if len(binary_segment) < 16 and len(binary_segment) != 0: raise RuntimeError("The input plaintext is less than the minimum.") else: pt_fn = c_path.create_tmp_file(data=binary_segment) op_fn = c_path.create_tmp_file() self.encryption_parameters.ssd_p.enc_segment( segment_num, pt_fn, op_fn) encrypted_binary_segment = c_path.load_data_from_file(op_fn) os.unlink(pt_fn) os.unlink(op_fn) return encrypted_binary_segment
def decrypt(self, message, key, iv, aad): message_path, decrypted_message_path = None, None try: message_path = c_path.create_tmp_file(message) decrypted_message_path = c_path.create_tmp_file() cmd = [ self.crypto_ccm, '--input-file', message_path, '--key', key, '--iv', iv, '--output', decrypted_message_path, '--operation=decrypt', '--aad', aad ] output = run_command(cmd, log=False) # Check there is no issue with the output if "Caught HashVerificationFailed..." in output: raise RuntimeError(output) return c_path.load_data_from_file(decrypted_message_path) finally: c_path.remove_tmp_file(message_path) c_path.remove_tmp_file(decrypted_message_path)
def encrypt(self, message, key, iv): """ Function to encrypt binary with a CBC 128 bit cipher. input: binary_blob: Binary blob to encrypt hex_preexisting_128_bit_key: hex representarion of 128bit key | None, if None, the key is generated hex_preexisting_iv: hex representarion of image IV | None, if None, the IV is generated output: (encrypted_binary, encryption_key, image_iv): Tuple with the encrypted binary, the key, and the IV """ message_path, encrypted_message_path = None, None try: message_path = c_path.create_tmp_file(message) encrypted_message_path = c_path.create_tmp_file() cmd = [ self.crypto_cbc, '--operation=encrypt', '--input-file', message_path, '--output', encrypted_message_path, '--key', key, '--iv', iv, ] run_command(cmd) return c_path.load_data_from_file(encrypted_message_path) finally: if message_path is not None: c_path.remove_tmp_file(message_path) if encrypted_message_path is not None: c_path.remove_tmp_file(encrypted_message_path)
def _generate_new_encryption_params_blob(self): enc_xml_fname = c_path.store_data_to_temp_file('') self.ssd_p.gen_signed_ssd_xml(enc_xml_fname) enc_xml = c_path.load_data_from_file(enc_xml_fname) os.unlink(enc_xml_fname) return enc_xml