def decryptAES(self, db_encrypted):
length = len(db_encrypted)
ciphertext = db_encrypted[:length - 28]
# iv es de 12 bytes
iv = db_encrypted[length - 28:length - 16]
# tag es de 16 bytes
tag = db_encrypted[length - 16:]
# Construct a Cipher object, with the key, iv, and additionally the GCM tag used for authenticating the message.
decryptor = Cipher(algorithms.AES(self.derivated_key),
modes.GCM(iv, tag),
backend=default_backend()).decryptor()
# We put associated_data back in or the tag will fail to verify when we finalize the decryptor.
decryptor.authenticate_additional_data(str.encode(self.username))
plaintext_database = None
try:
# Decryption gets us the authenticated plaintext.
plaintext_database = decryptor.update(
ciphertext) + decryptor.finalize()
except:
pass
return plaintext_database
def _decrypt_aesgcm(key, nonce, ciphertext_tag, associated_data):
"""
Decrypts a ciphertext with associated data with AES GCM.
Args:
key: encryption key
nonce: nonce for encryption
ciphertext_tag: ciphertext with appended tag to decrypt
associated_data: additional authenticated associated data (the AD in AEAD)
Returns:
decrypted plaintext
"""
if len(ciphertext_tag) < MAC_BYTES:
raise NoiseError('Truncated ciphertext (length < authentication tag length).')
algo = algorithms.AES(key)
assert len(nonce) == 12, 'Expected 96 bit nonce for AES-GCM'
ciphertext, tag = ciphertext_tag[:-MAC_BYTES], ciphertext_tag[-MAC_BYTES:]
mode = modes.GCM(nonce, tag)
decryptor = Cipher(algo, mode, backend).decryptor()
decryptor.authenticate_additional_data(associated_data)
try:
return decryptor.update(ciphertext) + decryptor.finalize()
except InvalidTag as invalid_tag:
raise NoiseError('GMAC failure') from invalid_tag
def encrypt(key, iv, plaintext, associated_data):
encryptor = Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(associated_data)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return (ciphertext, encryptor.tag)
def encrypt(master_keys, key_id, plaintext, encryption_context):
"""Encrypt data using a master key material.
NOTE: This is not necessarily what KMS does, but it retains the same properties.
NOTE: This function is NOT compatible with KMS APIs.
:param dict master_keys: Mapping of a KmsBackend's known master keys
:param str key_id: Key ID of moto master key
:param bytes plaintext: Plaintext data to encrypt
:param dict[str, str] encryption_context: KMS-style encryption context
:returns: Moto-structured ciphertext blob encrypted under a moto master key in master_keys
:rtype: bytes
"""
try:
key = master_keys[key_id]
except KeyError:
is_alias = key_id.startswith("alias/") or ":alias/" in key_id
raise NotFoundException("{id_type} {key_id} is not found.".format(
id_type="Alias" if is_alias else "keyId", key_id=key_id))
if plaintext == b"":
raise ValidationException(
"1 validation error detected: Value at 'plaintext' failed to satisfy constraint: Member must have length greater than or equal to 1"
)
iv = os.urandom(IV_LEN)
aad = _serialize_encryption_context(encryption_context=encryption_context)
encryptor = Cipher(algorithms.AES(key.key_material),
modes.GCM(iv),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(aad)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return _serialize_ciphertext_blob(ciphertext=Ciphertext(
key_id=key_id, iv=iv, ciphertext=ciphertext, tag=encryptor.tag))
def encrypt(self, data):
"""
.. warning::
This should really have thread controls in it.
If two threads are simutaneously encrypting,
there is a small chance that the IVs would be the same.
This would be **extremely** bad.
:param data: The data to encrypt
:type data: bytes
:returns: IV + payload + TAG
:rtype: bytes
"""
# Grab && increment iv
iv = self.iv
self.iv = (int.from_bytes(iv, 'big') + 1).to_bytes(len(iv), 'big')
# TODO: Do we have to make the encryptor every time?
# Make the encryptor
encryptor = Cipher(algorithms.AES(self.key),
modes.GCM(iv),
backend=default_backend()
).encryptor()
# Encrypt the data
encryptor.authenticate_additional_data(iv)
ciphertext = encryptor.update(data) + encryptor.finalize()
return iv + ciphertext + encryptor.tag
def encrypt(plaintext, key, associated_data=''):
"""Encrypts provided plaintext using AES-GCM.
Encrypts plaintext with a provided key and optional associated data. Uses
a 96 bit IV.
Args:
plaintext: The plaintext to be encrypted
key: The AES-GCM key
associated_data: Associated data (optional)
Returns:
iv: The IV
ciphertext: The ciphertext
tag: The GCM TAG
Raises:
None
"""
iv = os.urandom(12)
encryptor = Cipher(
algorithms.AES(key), modes.GCM(iv),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(associated_data)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return (iv, ciphertext, encryptor.tag)
def decrypt(ciphertext, key, iv, tag, associated_data=''):
"""Decrypts provided plaintext using AES-GCM.
Decrypts ciphertext with a provided key, iv, tag, and optional associated
data.
Args:
ciphertext: The ciphertext
key: An AES-128 key
iv: The IV
tag: The GCM Tag
associated_data: Associated data (optional)
Returns:
The plaintext
Raises:
cryptography.exceptions.InvalidTag
"""
decryptor = Cipher(
algorithms.AES(key), modes.GCM(iv, tag),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(associated_data)
return decryptor.update(ciphertext) + decryptor.finalize()
def decrypt(key, associated_data, iv, ciphertext, tag):
decryptor = Cipher(algorithms.AES(key),
modes.GCM(iv, tag),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(associated_data)
return decryptor.update(ciphertext) + decryptor.finalize()
def decrypt(self, orig_pkt, assoclen=None):
"""decrypt a MACsec frame for this Secure Association"""
hdr = copy.deepcopy(orig_pkt)
del hdr[MACsec].payload
pktlen = len(orig_pkt)
if self.send_sci:
hdrlen = NOSCI_LEN + SCI_LEN
else:
hdrlen = NOSCI_LEN
if assoclen is None or not self.do_encrypt:
if self.do_encrypt:
assoclen = hdrlen
else:
assoclen = pktlen - self.icvlen
iv = self.make_iv(hdr)
assoc, ct, icv = MACsecSA.split_pkt(orig_pkt, assoclen, self.icvlen)
decryptor = Cipher(algorithms.AES(self.key),
modes.GCM(iv, icv),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(assoc)
pt = assoc[hdrlen:assoclen]
pt += decryptor.update(ct)
pt += decryptor.finalize()
hdr[MACsec].type = struct.unpack('!H', pt[0:2])[0]
hdr[MACsec].payload = Raw(pt[2:])
return hdr
def encrypt(self, orig_pkt, assoclen=None):
"""encrypt a MACsec frame for this Secure Association"""
hdr = copy.deepcopy(orig_pkt)
del hdr[MACsec].payload
del hdr[MACsec].type
pktlen = len(orig_pkt)
if self.send_sci:
hdrlen = NOSCI_LEN + SCI_LEN
else:
hdrlen = NOSCI_LEN
if assoclen is None or not self.do_encrypt:
if self.do_encrypt:
assoclen = hdrlen
else:
assoclen = pktlen
iv = self.make_iv(orig_pkt)
assoc, pt, _ = MACsecSA.split_pkt(orig_pkt, assoclen)
encryptor = Cipher(
algorithms.AES(self.key),
modes.GCM(iv),
backend=default_backend()
).encryptor()
encryptor.authenticate_additional_data(assoc)
ct = encryptor.update(pt) + encryptor.finalize()
hdr[MACsec].payload = Raw(assoc[hdrlen:assoclen] + ct + encryptor.tag)
return hdr
def decrypt(self, orig_pkt, assoclen=None):
"""decrypt a MACsec frame for this Secure Association"""
hdr = copy.deepcopy(orig_pkt)
del hdr[MACsec].payload
pktlen = len(orig_pkt)
if self.send_sci:
hdrlen = NOSCI_LEN + SCI_LEN
else:
hdrlen = NOSCI_LEN
if assoclen is None or not self.do_encrypt:
if self.do_encrypt:
assoclen = hdrlen
else:
assoclen = pktlen - self.icvlen
iv = self.make_iv(hdr)
assoc, ct, icv = MACsecSA.split_pkt(orig_pkt, assoclen, self.icvlen)
decryptor = Cipher(
algorithms.AES(self.key),
modes.GCM(iv, icv),
backend=default_backend()
).decryptor()
decryptor.authenticate_additional_data(assoc)
pt = assoc[hdrlen:assoclen]
pt += decryptor.update(ct)
pt += decryptor.finalize()
hdr[MACsec].type = struct.unpack('!H', pt[0:2])[0]
hdr[MACsec].payload = Raw(pt[2:])
return hdr
def decrypt(packed_encrypted_data, key, mac_key='', backend=BACKEND):
""" Decrypts packed encrypted data as returned by encrypt with the same key.
If extra data is present, returns plaintext, extra_data. If not,
returns plaintext. Raises InvalidTag on authentication failure. """
header, ciphertext, iv, tag, extra_data = load_data(packed_encrypted_data)
algorithm, mode, authentication_algorithm = header.split('_', 2)
if algorithm.lower() in hashlib.algorithms_guaranteed:
return cryptographyless.decrypt(packed_encrypted_data, key, mac_key, backend)
mode_args = (iv, tag) if mode in AEAD_MODES else (iv, )
decryptor = Cipher(getattr(algorithms, algorithm)(key),
getattr(modes, mode)(*mode_args),
backend=BACKEND).decryptor()
if mode in AEAD_MODES:
decryptor.authenticate_additional_data(extra_data)
else:
if not mac_key:
raise ValueError("mac_key not supplied for {} mode".format(header))
if not verify_mac(mac_key, save_data(tag, header + ciphertext + iv + extra_data), authentication_algorithm):
raise InvalidTag("Failed to authenticate data")
plaintext = decryptor.update(ciphertext) + decryptor.finalize()
if extra_data:
return (plaintext, extra_data)
else:
return plaintext
def decrypt(self, data):
"""
Decrypts an AESGCM payload.
Relies on constants:
:attr:`~crypto.aesgcm.IV_SIZE`
:attr:`~crypto.aesgcm.TAG_SIZE`
:param data: The raw data to decrypt
:type data: bytes
:returns: Decrypted data
:rtype: bytes
"""
iv = data[:IV_SIZE]
payload = data[IV_SIZE:-TAG_SIZE]
tag = data[-TAG_SIZE:]
decryptor = Cipher(algorithms.AES(self.key),
modes.GCM(iv, tag),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(iv)
return decryptor.update(payload) + decryptor.finalize()
def decrypt(value, key, stash=None):
"""
Return a decrypted value
"""
# extract fields using a regex
res = re.match(r'^ENC\[AES256_GCM,data:(.+),iv:(.+),aad:(.+),tag:(.+)\]$',
value)
# if the value isn't in encrypted form, return it as is
if res is None:
return value
enc_value = b64decode(res.group(1))
iv = b64decode(res.group(2))
aad = b64decode(res.group(3))
tag = b64decode(res.group(4))
decryptor = Cipher(algorithms.AES(key),
modes.GCM(iv, tag),
default_backend()
).decryptor()
decryptor.authenticate_additional_data(aad)
cleartext = decryptor.update(enc_value) + decryptor.finalize()
if stash:
# save the values for later if we need to reencrypt
stash['iv'] = iv
stash['aad'] = aad
stash['cleartext'] = cleartext
return cleartext
def AES_encrypt(session_key, plain_text, iv):
encryptor = Cipher(algorithms.AES(session_key),
modes.GCM(iv),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(b'idk what this is')
cipher_text = encryptor.update(plain_text) + encryptor.finalize()
return (cipher_text, encryptor.tag)
def encrypt(self, data):
"""
.. warning::
This should really have thread controls in it.
If two threads are simutaneously encrypting,
there is a small chance that the IVs would be the same.
This would be **extremely** bad.
:param data: The data to encrypt
:type data: bytes
:returns: IV + payload + TAG
:rtype: bytes
"""
# Grab && increment iv
iv = self.iv
self.iv = (int.from_bytes(iv, 'big') + 1).to_bytes(len(iv), 'big')
# TODO: Do we have to make the encryptor every time?
# Make the encryptor
encryptor = Cipher(algorithms.AES(self.key),
modes.GCM(iv),
backend=default_backend()).encryptor()
# Encrypt the data
encryptor.authenticate_additional_data(iv)
ciphertext = encryptor.update(data) + encryptor.finalize()
return iv + ciphertext + encryptor.tag
def AES_gcm_decrypt(key, ciphertext, iv, tag, associated_data=None):
decryptor = Cipher(algorithms.AES(key),
modes.GCM(iv, tag),
backend=backends.default_backend()).decryptor()
if associated_data:
decryptor.authenticate_additional_data(associated_data)
return decryptor.update(ciphertext) + decryptor.finalize()
def AES_decrypt(session_key, cipher_text, iv, tag):
decryptor = Cipher(algorithms.AES(session_key),
modes.GCM(iv, tag),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(b'idk what this is')
plain_text = decryptor.update(cipher_text) + decryptor.finalize()
return plain_text
def decrypt(self, data):
"""
Decrypts an AESGCM payload.
Relies on constants:
:attr:`~crypto.aesgcm.IV_SIZE`
:attr:`~crypto.aesgcm.TAG_SIZE`
:param data: The raw data to decrypt
:type data: bytes
:returns: Decrypted data
:rtype: bytes
"""
iv = data[:IV_SIZE]
payload = data[IV_SIZE: -TAG_SIZE]
tag = data[-TAG_SIZE:]
decryptor = Cipher(
algorithms.AES(self.key),
modes.GCM(iv, tag),
backend=default_backend()
).decryptor()
decryptor.authenticate_additional_data(iv)
return decryptor.update(payload) + decryptor.finalize()
def decrypt_with_shared_key(key, iv, tag, cipher_text, auth):
decryptor = Cipher(algorithms.AES(key),
modes.GCM(iv, tag),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(auth)
result = decryptor.update(cipher_text) + decryptor.finalize()
return result
def decrypt(self, n, ad, ciphertext):
'''
Returns plaintext or raises MessageAuthenticationFailure exception
if fail to authenticate.
'''
if len(ciphertext) < 16:
raise ValueError(
'Invalid ciphertext length (len={0}), must be >16 bytes.'.format(len(ciphertext))
)
n = self._nonce(n)
decryptor = Cipher(
algorithms.AES(self.key),
modes.GCM(n, ciphertext[-16:]),
backend=default_backend()
).decryptor()
decryptor.authenticate_additional_data(ad)
try:
plaintext = decryptor.update(ciphertext[:-16]) + decryptor.finalize()
except _InvalidTag:
raise MessageAuthenticationFailure
except:
raise
return plaintext
def decrypt(key, associated_data, iv, ciphertext, tag):
# Construct a Cipher object, with the key, iv, and additionally the
# GCM tag used for authenticating the message.
# OK.. all the objects passed in to this function are of type bytearray, but, it turns
# out that the Cipher suite needs strings, despite saying in the documentation that it needs
# bytes. Consequently all the parameter objects had to be converted to strings, hence the str()
# around each one.
# The moral of this story is strong typing is good.
try:
decryptor = Cipher(
algorithms.AES(str(key)), modes.GCM(str(iv), str(tag)), backend=default_backend()
).decryptor()
# We put associated_data back in or the tag will fail to verify
# when we finalize the decryptor.
decryptor.authenticate_additional_data(str(associated_data))
# Decryption gets us the authenticated plaintext.
# If the tag does not match an InvalidTag exception will be raised.
ret = decryptor.update(str(ciphertext)) + decryptor.finalize()
except Exception as e:
print(" Failed to de-crypt Measurement with exception: {}: {}".format(e.__class__.__name__, e))
ret = None
return ret
def encrypt(data='', key='', mac_key='', iv=None, extra_data='', algorithm="AES",
mode="GCM", backend=BACKEND, iv_size=16, hash_algorithm="SHA256",
return_mode="cryptogram"):
""" Encrypts data with the specified key. Returns packed encrypted bytes.
If an iv is not supplied a random one of iv_size will be generated.
By default, the GCM mode of operation is used and the iv is
automatically included in the extra_data authenticated by the mode.
Note that not all algorithms may support all modes of operation
with all backends.
A mac key is required when GCM mode is not in used. This function
will refuse to encrypt data without authentication/integrity checks,
as this is considered a serious flaw in security.
Technically speaking, 'iv' is not always the correct term for the
parameter passed, depending on the mode of operation used. However,
using two different fields for what are functionally the same would
increase complexity needlessly. """
assert data and key, "data" if not data else "key"
if algorithm.lower() in hashlib.algorithms_guaranteed:
return cryptographyless.encrypt(data, key, iv, extra_data, algorithm, mode,
backend, iv_size, mac_key, hash_algorithm)
header = algorithm + '_' + mode
if mode not in AEAD_MODES:
if not mac_key:
raise ValueError("Unable to authenticate data because no mac key was supplied for {} mode".format(header))
else:
header += "_" + hash_algorithm
else:
header += "_" + "AEAD"
if not iv and iv != 0: # 0 is a valid nonce for CTR mode.
iv = random_bytes(iv_size)
if mode != "ECB":
mode_args = (iv, )
else:
mode_args = tuple()
encryptor = Cipher(getattr(algorithms, algorithm)(key),
getattr(modes, mode)(*mode_args),
backend=BACKEND).encryptor()
if mode in AEAD_MODES:
encryptor.authenticate_additional_data(extra_data)
ciphertext = encryptor.update(data) + encryptor.finalize()
if mode in AEAD_MODES:
mac_tag = encryptor.tag
else:
mac_tag = generate_mac(mac_key, header + ciphertext + iv + extra_data, hash_algorithm)
if return_mode == "cryptogram":
return save_data(header, ciphertext, iv, mac_tag, extra_data)
else:
assert return_mode == "values"
return header, ciphertext, iv, mac_tag, extra_data
def encrypt_message_symmetric_key(key, plaintext, associated_data):
# Generate a random 96-bit IV.
iv = os.urandom(IV_SIZE)
# Construct an AES-GCM Cipher object with the given key and a randomly generated IV.
encryptor = Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(associated_data)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return iv, ciphertext, encryptor.tag
def decrypt(self, key, additional_data, iv, payload, gcm_tag):
decryptor = Cipher(algorithms.AES(key),
modes.GCM(iv, gcm_tag, 12),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(additional_data)
return decryptor.update(payload) + decryptor.finalize()
def encrypt_block(self, block_id, data):
iv_int = unpack_iv(self.iv)
encryptor = Cipher(algorithms.AES(self.file_key),
modes.GCM(pack_iv(iv_int + block_id)),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(self.blocks)
ciphertext = encryptor.update(data) + encryptor.finalize()
return ciphertext + encryptor.tag
def decrypt(value, key, aad=b'', stash=None, digest=None):
"""Return a decrypted value."""
valre = b'^ENC\[AES256_GCM,data:(.+),iv:(.+),tag:(.+)'
# extract fields using a regex
if INPUT_VERSION >= 0.8:
valre += b',type:(.+)'
valre += b'\]'
res = re.match(valre, value.encode('utf-8'))
# if the value isn't in encrypted form, return it as is
if res is None:
return value
enc_value = b64decode(res.group(1))
iv = b64decode(res.group(2))
tag = b64decode(res.group(3))
valtype = 'str'
if INPUT_VERSION >= 0.8:
valtype = res.group(4)
decryptor = Cipher(algorithms.AES(key),
modes.GCM(iv, tag),
default_backend()
).decryptor()
decryptor.authenticate_additional_data(aad)
cleartext = decryptor.update(enc_value) + decryptor.finalize()
if stash:
# save the values for later if we need to reencrypt
stash['iv'] = iv
stash['aad'] = aad
stash['cleartext'] = cleartext
if digest:
digest.update(cleartext)
if valtype == b'bytes':
return cleartext
if valtype == b'str':
# Welcome to python compatibility hell... :(
# Python 2 treats everything as str, but python 3 treats bytes and str
# as different types. So if a file was encrypted by sops with py2, and
# contains bytes data, it will have type 'str' and py3 will decode
# it as utf-8. This will result in a UnicodeDecodeError exception
# because random bytes are not unicode. So the little try block below
# catches it and returns the raw bytes if the value isn't unicode.
cv = cleartext
try:
cv = cleartext.decode('utf-8')
except UnicodeDecodeError:
return cleartext
return cv
if valtype == b'int':
return int(cleartext.decode('utf-8'))
if valtype == b'float':
return float(cleartext.decode('utf-8'))
if valtype == b'bool':
if cleartext.lower() == b'true':
return True
return False
panic("unknown type "+valtype, 23)
def AES_gcm_decrypt(key, ciphertext, iv, tag, associated_data=None):
decryptor = Cipher(
algorithms.AES(key),
modes.GCM(iv, tag),
backend= backends.default_backend()
).decryptor()
if associated_data:
decryptor.authenticate_additional_data(associated_data)
return decryptor.update(ciphertext) + decryptor.finalize()
def encrypt(key, plaintext, associated_data):
iv = os.urandom(12)
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(iv, min_tag_length=12),
).encryptor()
encryptor.authenticate_additional_data(associated_data)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return (iv, ciphertext, encryptor.tag)
def decrypt_message_symmetric_key(key, associated_data, iv, ciphertext, tag):
# Construct a Cipher object, with the key, iv, and additionally the GCM tag used for authenticating the message
try:
decryptor = Cipher(algorithms.AES(key), modes.GCM(iv, tag), backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(associated_data)
return decryptor.update(ciphertext) + decryptor.finalize()
except InvalidTag:
# print "Invalid tag exception"
return None
def gcm_encrypt(_key, _nonce, _pt, _ad):
encryptor = Cipher(algorithms.AES(_key),
modes.GCM(_nonce),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(_ad)
ct = encryptor.update(_pt) + encryptor.finalize()
return ct, encryptor.tag
def gcm_decrypt(_key, _nonce, _cipher, _tag, _ad):
decryptor = Cipher(algorithms.AES(_key),
modes.GCM(_nonce, _tag),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(_ad)
pt = decryptor.update(_cipher) + decryptor.finalize()
return pt
def decrypt(value, key, aad=b'', stash=None, digest=None):
"""Return a decrypted value."""
valre = b'^ENC\[AES256_GCM,data:(.+),iv:(.+),tag:(.+)'
# extract fields using a regex
if INPUT_VERSION >= 0.8:
valre += b',type:(.+)'
valre += b'\]'
res = re.match(valre, value.encode('utf-8'))
# if the value isn't in encrypted form, return it as is
if res is None:
return value
enc_value = b64decode(res.group(1))
iv = b64decode(res.group(2))
tag = b64decode(res.group(3))
valtype = 'str'
if INPUT_VERSION >= 0.8:
valtype = res.group(4)
decryptor = Cipher(algorithms.AES(key), modes.GCM(iv, tag),
default_backend()).decryptor()
decryptor.authenticate_additional_data(aad)
cleartext = decryptor.update(enc_value) + decryptor.finalize()
if stash:
# save the values for later if we need to reencrypt
stash['iv'] = iv
stash['aad'] = aad
stash['cleartext'] = cleartext
if digest:
digest.update(cleartext)
if valtype == b'bytes':
return cleartext
if valtype == b'str':
# Welcome to python compatibility hell... :(
# Python 2 treats everything as str, but python 3 treats bytes and str
# as different types. So if a file was encrypted by sops with py2, and
# contains bytes data, it will have type 'str' and py3 will decode
# it as utf-8. This will result in a UnicodeDecodeError exception
# because random bytes are not unicode. So the little try block below
# catches it and returns the raw bytes if the value isn't unicode.
cv = cleartext
try:
cv = cleartext.decode('utf-8')
except UnicodeDecodeError:
return cleartext
return cv
if valtype == b'int':
return int(cleartext.decode('utf-8'))
if valtype == b'float':
return float(cleartext.decode('utf-8'))
if valtype == b'bool':
if cleartext.lower() == b'true':
return True
return False
panic("unknown type " + valtype, 23)
def AES_gcm_encrypt(key, plaintext, associated_data=None):
iv = os.urandom(12)
encryptor = Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=backends.default_backend()).encryptor()
if associated_data:
encryptor.authenticate_additional_data(associated_data)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return (iv, ciphertext, encryptor.tag)
def encryptDataWithAES(key, dataFromFile, authenticationString):
iv = os.urandom(32)
encryptor = Cipher(algorithms.AES(key),
modes.GCM(iv),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(authenticationString)
ciphertext = encryptor.update(dataFromFile) + encryptor.finalize()
return (iv, ciphertext, encryptor.tag)
def decrypt(salt, passphrase, associated_data, iv, ciphertext, tag):
key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf8"), salt, 1000)
decryptor = Cipher(algorithms.AES(key),
modes.GCM(iv, tag),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(associated_data)
text = decryptor.update(ciphertext) + decryptor.finalize()
text = text.decode("utf8")
return (text)
def decryptMessage(self, rObj, kObj, aVal):
iv = kObj.server_write_IV
tag = aVal[0:16]
ciphertext = aVal[16:]
decryptor = Cipher(algorithms.AES(kObj.server_write_key),
modes.GCM(iv, tag),
backend=default_backend()).decryptor()
decryptor.authenticate_additional_data(kObj.server_write_MAC_key)
decryptedVal = decryptor.update(ciphertext) + decryptor.finalize()
print("decryptedVal", decryptedVal)
def gmac(
security_control: SecurityControlField,
system_title: bytes,
invocation_counter: int,
key: bytes,
auth_key: bytes,
challenge: bytes,
):
"""
GMAC is quite simply GCM mode where all data is supplied as additional
authenticated data.
If the GCM input is restricted to data that is not to be encrypted, the resulting
specialization of GCM, called GMAC, is simply an authentication mode on the input
data.
"""
if security_control.encrypted:
raise CipheringError(
"Security for GMAC is set to encrypted, but this is not a "
"valid choice since GMAC only authenticates ")
if len(system_title) != 8:
raise ValueError(
f"System Title must be of lenght 8, not {len(system_title)}")
# initialization vector is 12 bytes long and consists of the system_title (8 bytes)
# and invocation_counter (4 bytes)
iv = system_title + invocation_counter.to_bytes(4, "big")
# Making sure the keys are of correct length for specified security suite
validate_key(security_control.security_suite, key)
validate_key(security_control.security_suite, auth_key)
# Construct an AES-GCM Cipher object with the given key and iv
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(initialization_vector=iv,
tag=None,
min_tag_length=TAG_LENGTH),
).encryptor()
# associated_data will be authenticated but not encrypted,
# so we put all data in the associated data.
associated_data = security_control.to_bytes() + auth_key + challenge
encryptor.authenticate_additional_data(associated_data)
# Making sure to add an empty byte string as input. Then it will only be the
# associated_data that will be authenticated.
ciphertext = encryptor.update(b"") + encryptor.finalize()
# We want the tag as it is the authenticated data. Need to truncated it first
tag = encryptor.tag[:TAG_LENGTH]
# ciphertext is really b"" here.
return ciphertext + tag
def encrypt_image(name, key, iv, ad):
img = Image.open(name)
img = img.convert(mode='RGB')
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend=default_backend()
).encryptor()
encryptor.authenticate_additional_data(ad)
ciphertext = encryptor.update(img.tobytes()) + encryptor.finalize()
return ciphertext, encryptor.tag, img
def encryptedHandshakeMessage(self, rObj, hObj, kObj, b):
print("encryptedHandshakeMessage.....")
serialization = bytearray()
serialization.extend(uint8(rObj.contentType))
serialization.extend(uint16(rObj.version))
rObj.epoch = 1
serialization.extend(uint16(rObj.epoch))
rObj.seqNumber = 0
serialization.extend(uint48(rObj.seqNumber))
masterSecretVal = self.prf(hObj.preMasterSecret, b'master secret',
clientRandom + hObj.serverRandom,
hashes.SHA256(), 48)
hObj.masterSecret = masterSecretVal
key_expansion = self.prf(masterSecretVal, b'key expansion',
clientRandom + hObj.serverRandom,
hashes.SHA256(), 200)
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
h = b''.join(handshake_messages)
digest.update(h)
seed = digest.finalize()
final_handshake_msg = self.prf(masterSecretVal, b'client finished',
seed, hashes.SHA256(), 12)
bytes_to_msg = b'\x14' + self.nb_to_n_bytes(len(final_handshake_msg),
3) + final_handshake_msg
handshake_messages.append(bytes_to_msg)
self.deriveKey(hObj, kObj, key_expansion)
iv = kObj.client_write_IV
nonce = urandom(8)
algorithm = algorithms.AES(kObj.client_write_key)
auth_data = self.nb_to_n_bytes(0, 8) + self.nb_to_n_bytes(
22, 1) + DTLS_VERSION + self.nb_to_n_bytes(len(bytes_to_msg), 2)
encryptor = Cipher(algorithm,
modes.GCM(iv + nonce),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(auth_data)
result = encryptor.update(final_handshake_msg) + encryptor.finalize()
print("length,,,,,", len(result), len(encryptor.tag), len(nonce))
finalSecretMessage = nonce + result + encryptor.tag
rObj.length = len(finalSecretMessage)
serialization.extend(uint16(rObj.length))
serialization.extend(finalSecretMessage)
b += serialization
del serialization
def encrypt(key, cleartext, clienthash, recipienthash):
AESEncryptionKey = key
clientMessage = cleartext + "/msg"
AESEncryptionKeyHashed = hashlib.sha256(AESEncryptionKey).digest()
AESEncryptionIV = urandom(16)
clientEncryptor = Cipher(algorithms.AES(AESEncryptionKeyHashed), modes.GCM(AESEncryptionIV), backend=default_backend()).encryptor()
clientMessageHeader = "S/" + str(clienthash) + "/R/" + str(recipienthash)
clientEncryptor.authenticate_additional_data(clientMessageHeader)
ciphertext = clientEncryptor.update(clientMessage) + clientEncryptor.finalize()
return ciphertext, AESEncryptionIV, clientEncryptor.tag
def encrypt_and_sign(self, header, data):
encryptor = Cipher(self._cipher(self._key), GCM(self._iv),
default_backend()).encryptor()
if header:
encryptor.authenticate_additional_data(header)
ciphertext = encryptor.update(data) + encryptor.finalize()
self._update_iv()
return ciphertext, encryptor.tag
def aes_encrypt(aeskey, plaintext, associated_data):
try:
iv = os.urandom(16)
encryptor = Cipher(algorithms.AES(aeskey),
modes.GCM(iv),
backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(associated_data)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return str(iv) + str(
encryptor.tag) + str(associated_data) + str(ciphertext)
except:
return -1
def encrypt(key, plaintext, associated_data):
#iv = os.urandom(12) #TODO: need to delete hardcoded iv below and use a random IV for each encryption
iv_array = [0] * 12
iv = "".join(map(chr, iv_array))
#print("iv in hex: ", iv.format(255, '#04x'))
# Construct AES-GCM Cipher object for encryption
encryptor = Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend()).encryptor()
# Addition message used to calculate MAC but will not be encrypted
encryptor.authenticate_additional_data(associated_data)
# Encrypt the secret, GCM is basically AES-CTR + MAC
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return (iv, ciphertext, encryptor.tag)
def AES_gcm_encrypt(key, plaintext, associated_data=None):
iv = os.urandom(12)
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend= backends.default_backend()
).encryptor()
if associated_data:
encryptor.authenticate_additional_data(associated_data)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return (iv, ciphertext, encryptor.tag)
def encrypt(value, key, aad=b'', stash=None, digest=None, unencrypted=False):
"""Return an encrypted string of the value provided."""
if not value:
# if the value is empty, return it as is, don't encrypt
return ""
# if we don't want to encrypt, then digest return the value
if unencrypted:
if digest:
bvalue = to_bytes(value)
digest.update(bvalue)
return value
# save the original type
# the order in which we do this matters. For example, a bool
# is also an int, but an int isn't a bool, so we test for bool first
if isinstance(value, str) or \
(sys.version_info[0] == 2 and isinstance(value, unicode)): # noqa
valtype = 'str'
elif isinstance(value, bool):
valtype = 'bool'
elif isinstance(value, int):
valtype = 'int'
elif isinstance(value, float):
valtype = 'float'
else:
valtype = 'bytes'
value = to_bytes(value)
if digest:
digest.update(value)
# if we have a stash, and the value of cleartext has not changed,
# attempt to take the IV.
# if the stash has no existing value, or the cleartext has changed,
# generate new IV.
if stash and 'cleartext' in stash and stash['cleartext'] == value:
iv = stash['iv']
else:
iv = os.urandom(32)
encryptor = Cipher(algorithms.AES(key),
modes.GCM(iv),
default_backend()).encryptor()
encryptor.authenticate_additional_data(aad)
enc_value = encryptor.update(value) + encryptor.finalize()
return "ENC[AES256_GCM,data:{value},iv:{iv}," \
"tag:{tag},type:{valtype}]".format(
value=b64encode(enc_value).decode('utf-8'),
iv=b64encode(iv).decode('utf-8'),
tag=b64encode(encryptor.tag).decode('utf-8'),
valtype=valtype)
def encrypt(ptext, iv, aad, key):
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend=default_backend()
).encryptor()
encryptor.authenticate_additional_data(aad)
# Encrypt the plaintext and get the associated ciphertext.
# GCM does not require padding.
ciphertext = encryptor.update(ptext) + encryptor.finalize()
return (ciphertext.hex(), encryptor.tag.hex())
def encrypt_and_sign(self, header, data):
"""Encrypt and sign a block of data"""
encryptor = Cipher(self._cipher(self._key), GCM(self._iv),
default_backend()).encryptor()
if header:
encryptor.authenticate_additional_data(header)
data = encryptor.update(data) + encryptor.finalize()
self._update_iv()
return header + data, encryptor.tag
def verify_and_decrypt(self, header, data, tag):
decryptor = Cipher(self._cipher(self._key), GCM(self._iv, tag),
default_backend()).decryptor()
if header:
decryptor.authenticate_additional_data(header)
try:
plaintext = decryptor.update(data) + decryptor.finalize()
except InvalidTag:
plaintext = None
self._update_iv()
return plaintext
def ecdh_decrypt(self, ciphertext, nonce, pubkey, privkey, aad=None):
ecdh_point_hash = self.get_ecdh_value(pubkey, privkey)
log.info('ECDH_POINT: %s' % ecdh_point_hash.encode('hex'))
# Encrypt PR using HMAC-DRBG
drbg = HMAC_DRBG(entropy=ecdh_point_hash, nonce=self.long_to_bytes(nonce))
encryption_key = drbg.generate(32)
iv = drbg.generate(12)
decryptor = Cipher(algorithms.AES(encryption_key), modes.GCM(iv, ciphertext[:16]), backend=default_backend()).decryptor()
if aad:
decryptor.authenticate_additional_data(aad)
return decryptor.update(ciphertext[16:]) + decryptor.finalize()
def decrypt(key, associated_data, iv, ciphertext, tag):
# Construct a Cipher object, with the key, iv, and additionally the
# GCM tag used for authenticating the message.
decryptor = Cipher(
algorithms.AES(key),
modes.GCM(iv, tag),
backend=default_backend()
).decryptor()
# We put associated_data back in or the tag will fail to verify
# when we finalize the decryptor.
decryptor.authenticate_additional_data(associated_data)
# Decryption gets us the authenticated plaintext.
# If the tag does not match an InvalidTag exception will be raised.
return decryptor.update(ciphertext) + decryptor.finalize()
def decrypt(self, ciphertext, client_id, offset):
iv, tag, ciphertext = ciphertext.strip().split(' ')
iv = self.decode_iv(iv)
tag = b64decode(self.padded(tag))
ciphertext = b64decode(self.padded(ciphertext))
decryptor = Cipher(
algorithms.AES(self.key),
modes.GCM(iv, tag),
backend=default_backend()
).decryptor()
decryptor.authenticate_additional_data(
self.format_auth_data(client_id, offset))
return decryptor.update(ciphertext) + decryptor.finalize()
def verify_and_decrypt(self, header, data, mac):
"""Verify the signature of and decrypt a block of data"""
decryptor = Cipher(self._cipher(self._key), GCM(self._iv, mac),
default_backend()).decryptor()
decryptor.authenticate_additional_data(header)
try:
data = decryptor.update(data) + decryptor.finalize()
except InvalidTag:
data = None
self._update_iv()
return data
def encrypt(self, n, ad, plaintext):
'''
Encrypts and returns concatenation of authentication tag and ciphertext.
'''
n = self._nonce(n)
encryptor = Cipher(
algorithms.AES(self.key),
modes.GCM(n, min_tag_length=16),
backend=default_backend()
).encryptor()
encryptor.authenticate_additional_data(ad)
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return ciphertext + encryptor.tag
def encrypt(self, plaintext, client_id, offset):
iv = self.generate_iv()
encryptor = Cipher(
algorithms.AES(self.key),
modes.GCM(iv),
backend=default_backend()
).encryptor()
encryptor.authenticate_additional_data(
self.format_auth_data(client_id, offset))
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return '{} {} {}\n'.format(
self.encode_iv(iv),
self.unpadded(b64encode(encryptor.tag)),
self.unpadded(b64encode(ciphertext)),
)
def decrypt(data, key):
# Generate a random 96-bit IV.
spl = data.split(b'.')
try:
header, _, iv, ciphertext, tag = [base64.b64decode(x) for x in spl]
except ValueError:
pass
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(iv, tag),
backend=default_backend()
).decryptor()
encryptor.authenticate_additional_data(spl[0])
return encryptor.update(ciphertext) + encryptor.finalize()
def encrypt(data, key):
segments = []
header = {'alg': 'dir', 'enc': 'A256GCM'}
segments.append(base64.b64encode(json.dumps(header).encode()))
segments.append(b'') # Keywrapping is for suckers
iv = os.urandom(16)
segments.append(base64.b64encode(iv))
encryptor = Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend()).encryptor()
encryptor.authenticate_additional_data(segments[0])
ciphertext = encryptor.update(data) + encryptor.finalize()
segments.append(base64.b64encode(ciphertext))
segments.append(base64.b64encode(encryptor.tag))
return b'.'.join(segments)
def encrypt(data, key):
segments = []
header = {"alg": "dir", "enc": "A256GCM"}
segments.append(base64.b64encode(json.dumps(header).encode()))
segments.append(b"") # Keywrapping is for suckers
iv = os.urandom(16)
segments.append(base64.b64encode(iv))
encryptor = Cipher(algorithms.AES(key), modes.GCM(iv), backend=backend).encryptor()
encryptor.authenticate_additional_data(segments[0])
ciphertext = encryptor.update(data) + encryptor.finalize()
segments.append(base64.b64encode(ciphertext))
segments.append(base64.b64encode(encryptor.tag))
return b".".join(segments)
def decrypt(key, IV, messageheader, ciphertext, messagetag):
AESEncryptionKey = key
AESEncryptionIV = IV
clientCipherText = ciphertext
AESEncryptionTag = messagetag
clientMessageHeader = str(messageheader)
AESEncryptionKeyHashed = hashlib.sha256(AESEncryptionKey).digest()
clientDecryptor = Cipher(algorithms.AES(AESEncryptionKeyHashed), modes.GCM(AESEncryptionIV, AESEncryptionTag), backend=default_backend()).decryptor()
try:
clientDecryptor.authenticate_additional_data(clientMessageHeader)
clearText = clientDecryptor.update(clientCipherText) + clientDecryptor.finalize()
if clearText.endswith("/msg"):
clearText = clearText[:(len(clearText)-4)]
return clearText
else:
return False
except:
return False
def encrypt(key, plaintext, associated_data):
# Generate a random 96-bit IV.
iv = os.urandom(12)
# Construct an AES-GCM Cipher object with the given key and a
# randomly generated IV.
encryptor = Cipher(
algorithms.AES(key),
modes.GCM(iv),
backend=default_backend()
).encryptor()
# associated_data will be authenticated but not encrypted,
# it must also be passed in on decryption.
encryptor.authenticate_additional_data(associated_data)
# Encrypt the plaintext and get the associated ciphertext.
# GCM does not require padding.
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
return (iv, ciphertext, encryptor.tag)
