def getmpass(txt=" to confirm this"): pdb = open(f'{homef}/passman.pdb', 'rb') iv = base64.b64decode(pdb.readline().strip(b'\n')) hash = pdb.readline().strip(b'\n') r = pdb.read() while True: pw = getpass.getpass(f'Please enter your master password{txt}: ') padder = PKCS7(256).padder() ppw = padder.update(pw.encode()) + padder.finalize() cipher = Cipher(algorithms.AES(ppw), modes.CBC(iv), backend=default_backend()) dec = cipher.decryptor() rd = dec.update(r) + dec.finalize() padder = PKCS7(1024).unpadder() try: prd = padder.update(rd) + padder.finalize() except: print('Wrong password, try again.') continue if hash == hashlib.sha256(r).hexdigest().encode(): break print('Wrong password, try again.') return prd, pw, iv
def _encrypt_data( self, data: bytes) -> Tuple[Union[TripleDES, AES], bytes, bytes]: """Build the ciphertext of the ``messageData``. Args: data (bytes): Data to encrypt as the ``messageData`` of the SCEP Request Returns: Tuple of 3DES key, IV, and cipher text encrypted with 3DES """ symkey, iv = None, None # TODO: this is horribad and needs abstraction if self._encryption_algorithm_id.native == 'tripledes_3key': symkey = TripleDES(os.urandom(8)) iv = os.urandom(8) elif self._encryption_algorithm_id.native == 'aes128_cbc': symkey = AES(os.urandom(16)) iv = os.urandom(16) cipher = Cipher(symkey, modes.CBC(iv), backend=default_backend()) encryptor = cipher.encryptor() if self._encryption_algorithm_id.native == 'tripledes_3key': padder = PKCS7(TripleDES.block_size).padder() elif self._encryption_algorithm_id.native == 'aes128_cbc': padder = PKCS7(AES.block_size).padder() padded = padder.update(data) padded += padder.finalize() ciphertext = encryptor.update(padded) + encryptor.finalize() return symkey, iv, ciphertext
class EncryptionManager(object): key: bytes = token_bytes(32) iv: bytes = token_bytes(16) c: Cipher = Cipher( algorithms.AES(key), modes.CBC(iv), backend=default_backend() ) encryptor: Callable = c.encryptor() decryptor: Callable = c.decryptor() padder: Callable = PKCS7(128).padder() unpadder: Callable = PKCS7(128).unpadder() def update_encryptor(self, plaintext: bytes) -> bytes: return self.encryptor.update(self.padder.update(plaintext)) def finalize_encryptor(self): return self.encryptor.update(self.padder.finalize()) \ + self.encryptor.finalize() def update_decryptor(self, ciphertext: bytes) -> bytes: return self.unpadder.update(self.decryptor.update(ciphertext)) def finalize_decryptor(self) -> bytes: return self.unpadder.update(self.decryptor.finalize()) \ + self.unpadder.finalize()
def __init__(self, key_len=32, key=None, msg_padding='PKCS7'): Encrypter.__init__(self) if key: self.key = key else: self.key = os.urandom(key_len) if msg_padding == 'PKCS7': self.padder = PKCS7(128).padder() self.unpadder = PKCS7(128).unpadder()
def __init__(self, key_len=32, key=None, msg_padding="PKCS7"): Encrypter.__init__(self) if key: self.key = key else: self.key = os.urandom(key_len) if msg_padding == "PKCS7": self.padder = PKCS7(128).padder() self.unpadder = PKCS7(128).unpadder() else: raise Unsupported("Message padding: {}".format(msg_padding)) self.iv = None
def aes_cbc_dec(aesKey, bsEncMsg, bsMacMsg): ''' AuthenticatedEncryption - Check mac then decrypt given encrypted message. ''' ### Prepare for mac sha256 = SHA256() hmac = HMAC(aesKey, sha256, default_backend()) ### do mac hmac.update(bsEncMsg) macMsg = hmac.finalize() if (macMsg != bsMacMsg): raise Exception("ERRR:AEDecrypt:Mismatch, skipping") return None ### Prepare for decryption blockLen = 16 iv = os.urandom(blockLen) aes = AES(aesKey) cbc = CBC(iv) aesCbc = Cipher(aes, cbc, default_backend()) aesCbcDec = aesCbc.decryptor() ### do decrypt decMsg = aesCbcDec.update(bsEncMsg) decFina = aesCbcDec.finalize() decMsg = decMsg + decFina # do pkcs7 depadding unpad = PKCS7(blockLen * 8).unpadder() decMsg = unpad.update(decMsg) decMsg += unpad.finalize() # Discard the initial random block, as corresponding enc and this dec uses # non communicated random iv and inturn discardable random 0th block decMsg = decMsg[blockLen:] return decMsg
def verifyToken(token, mustBeAdmin): if token is None: return None, None tokenB = base64.b64decode(token) tokenS = tokenB.decode("utf-8") tokenJS = json.JSONDecoder().decode(tokenS) id2 = tokenJS["id"] nowS = tokenJS["now"] sharedkey = id2sharedKey.get(id2) if sharedkey is None: return None, None username = id2username.get(id2) if username is None: return None, None if mustBeAdmin and username != "admin": return None, None nowEnc = base64.b64decode(tokenJS["nowEnc"]) ivS = tokenJS["iv"] ivB = base64.b64decode(ivS) aesAlg = algorithms.AES(sharedkey) cipher = Cipher(aesAlg, modes.CBC(ivB)) decryptor = cipher.decryptor() nowDecB = decryptor.update(nowEnc) + decryptor.finalize() unpadder = PKCS7(128).unpadder() nowDecB = unpadder.update(nowDecB) + unpadder.finalize() nowDecS = nowDecB.decode("utf-8") if nowS != nowDecS: # so sharedKey was not working return None, None now = datetime.utcnow() clntNow = datetime.utcfromtimestamp(int(nowS) / 1000) diff = int((now - clntNow).total_seconds()) if -600 < diff < 600: # clntNow within 10 minutes before or after now return expiration(id2), username return None, None
def test_validate_encryption(self): # Arrange self.bbs.require_encryption = True kek = KeyWrapper('key1') self.bbs.key_encryption_key = kek blob_name = self._create_small_blob('block_blob') # Act self.bbs.require_encryption = False self.bbs.key_encryption_key = None blob = self.bbs.get_blob_to_bytes(self.container_name, blob_name) encryption_data = _dict_to_encryption_data( loads(blob.metadata['encryptiondata'])) iv = encryption_data.content_encryption_IV content_encryption_key = _validate_and_unwrap_cek( encryption_data, kek, None) cipher = _generate_AES_CBC_cipher(content_encryption_key, iv) decryptor = cipher.decryptor() unpadder = PKCS7(128).unpadder() content = decryptor.update(blob.content) + decryptor.finalize() content = unpadder.update(content) + unpadder.finalize() self.assertEqual(self.bytes, content)
async def _test_validate_encryption_async(self): # Arrange await self._setup() self.bsc.require_encryption = True kek = KeyWrapper('key1') self.bsc.key_encryption_key = kek blob = await self._create_small_blob(BlobType.BlockBlob) # Act blob.require_encryption = False blob.key_encryption_key = None content = await blob.download_blob() data = await content.content_as_bytes() encryption_data = _dict_to_encryption_data( loads(content.properties.metadata['encryptiondata'])) iv = encryption_data.content_encryption_IV content_encryption_key = _validate_and_unwrap_cek( encryption_data, kek, None) cipher = _generate_AES_CBC_cipher(content_encryption_key, iv) decryptor = cipher.decryptor() unpadder = PKCS7(128).unpadder() content = decryptor.update(data) + decryptor.finalize() content = unpadder.update(content) + unpadder.finalize() self.assertEqual(self.bytes, content)
def decrypt(self, k, a, iv, e, t): """ Decrypt according to the selected encryption and hashing functions. :param k: Encryption key (optional) :param a: Additional Authenticated Data :param iv: Initialization Vector :param e: Ciphertext :param t: Authentication Tag Returns plaintext or raises an error """ hkey = k[:self.keysize] dkey = k[self.keysize:] # verify mac if not constant_time.bytes_eq(t, self._mac(hkey, a, iv, e)): raise InvalidJWEData('Failed to verify MAC') # decrypt cipher = Cipher(algorithms.AES(dkey), modes.CBC(iv), backend=self.backend) decryptor = cipher.decryptor() d = decryptor.update(e) + decryptor.finalize() unpadder = PKCS7(self.blocksize).unpadder() return unpadder.update(d) + unpadder.finalize()
def decrypter_fichier(self, nom_fichier, secret, iv): """ Utilise la cle privee en memoire pour decrypter le contenu. :param contenu: :return: """ self._logger.info( '------- JavascriptPythonSymetric.decrypter_fichier() ----------') keyb = b64decode(secret) ivb = b64decode(iv) with open('/tmp/dict_encrypt/%s' % nom_fichier, 'rb') as fichier: contenub = fichier.read() cipher = Cipher(algorithms.AES(keyb), modes.CBC(ivb), backend=default_backend()) decryptor = cipher.decryptor() resultat = decryptor.update(contenub) + decryptor.finalize() # self._logger.info("Message decrypte (%d)" % len(resultat)) # On utilise AES 256, blocks de taille 256 bits. unpadder = PKCS7(128).unpadder() resultat_unpadded = unpadder.update(resultat) + unpadder.finalize() # self._logger.info("Message unpadded (%d):\n%s" % (len(resultat_unpadded), binascii.hexlify(resultat_unpadded))) # resultat_string = resultat_unpadded.decode('utf-8') # self._logger.info("Message string: %s" % resultat_string) with open('/tmp/dict_encrypt/decrypt/%s' % nom_fichier, 'wb') as output: output.write(resultat_unpadded)
def decrypt_blob_bytes(data: bytes, length: int, key: bytes, iv: bytes) -> bytes: if len(data) != length: raise ValueError("unexpected length") cipher = Cipher(AES(key), modes.CBC(iv), backend=BACKEND) unpadder = PKCS7(AES.block_size).unpadder() decryptor = cipher.decryptor() return unpadder.update(decryptor.update(data) + decryptor.finalize()) + unpadder.finalize()
def test_validate_encryption(self, resource_group, location, storage_account, storage_account_key): self._setup(storage_account.name, storage_account_key) self.bsc.require_encryption = True kek = KeyWrapper('key1') self.bsc.key_encryption_key = kek blob = self._create_small_blob(BlobType.BlockBlob) # Act blob.require_encryption = False blob.key_encryption_key = None content = blob.download_blob() data = content.content_as_bytes() encryption_data = _dict_to_encryption_data( loads(content.properties.metadata['encryptiondata'])) iv = encryption_data.content_encryption_IV content_encryption_key = _validate_and_unwrap_cek( encryption_data, kek, None) cipher = _generate_AES_CBC_cipher(content_encryption_key, iv) decryptor = cipher.decryptor() unpadder = PKCS7(128).unpadder() content = decryptor.update(data) + decryptor.finalize() content = unpadder.update(content) + unpadder.finalize() self.assertEqual(self.bytes, content)
def __call__(self, element, mac=None): algo, mode, klen = fetch(element, "./xenc:EncryptionMethod/@Algorithm", convertAlgorithm) data = fetch(element, "./xenc:CipherData/xenc:CipherValue/text()", base64.b64decode) # Make sure the key is the right length. if len(self.__key) * 8 != klen: raise ValidationError("Invalid key length!") # If a MAC is present, perform validation. if mac: tmp = self.__hmac.copy() tmp.update(data) try: tmp.verify(mac) except InvalidSignature as e: raise ValidationError("MAC validation failed!", e) iv = data[:algo.block_size // 8] data = data[len(iv):] algorithm = algo(self.__key) cipher = Cipher(algorithm, mode(iv), default_backend()) decryptor = cipher.decryptor() padded = decryptor.update(data) padded += decryptor.finalize() unpadder = PKCS7(algorithm.block_size).unpadder() out = unpadder.update(padded) out += unpadder.finalize() return out
def __init__(self, key: bytes): self.buf = deque() self.key = key self.algorithm = algorithms.AES self.block_size = int(self.algorithm.block_size / 8) self.unpadder = PKCS7(self.block_size * 8).unpadder() self.cipher = None
def decrypt(self, cipher_text, iv=None, aad=None, tag=None): cipher_text = six.ensure_binary(cipher_text) try: iv = six.ensure_binary(iv) mode = self._mode(iv) if mode.name == "GCM": if tag is None: raise ValueError("tag cannot be None") cipher = aead.AESGCM(self._key) cipher_text_and_tag = cipher_text + tag try: plain_text = cipher.decrypt(iv, cipher_text_and_tag, aad) except InvalidTag: raise JWEError("Invalid JWE Auth Tag") else: cipher = Cipher(algorithms.AES(self._key), mode, backend=default_backend()) decryptor = cipher.decryptor() padded_plain_text = decryptor.update(cipher_text) padded_plain_text += decryptor.finalize() unpadder = PKCS7(algorithms.AES.block_size).unpadder() plain_text = unpadder.update(padded_plain_text) plain_text += unpadder.finalize() return plain_text except Exception as e: raise JWEError(e)
def decrypt(token): # lint-amnesty, pylint: disable=missing-function-docstring try: base64_decoded = urlsafe_b64decode(token) except (TypeError, Error): raise UsernameDecryptionException("base64url") # lint-amnesty, pylint: disable=raise-missing-from if len(base64_decoded) < AES_BLOCK_SIZE_BYTES: raise UsernameDecryptionException("initialization_vector") initialization_vector = base64_decoded[:AES_BLOCK_SIZE_BYTES] aes_encrypted = base64_decoded[AES_BLOCK_SIZE_BYTES:] aes_cipher = UsernameCipher._get_aes_cipher(initialization_vector) decryptor = aes_cipher.decryptor() unpadder = PKCS7(AES.block_size).unpadder() try: decrypted = decryptor.update(aes_encrypted) + decryptor.finalize() except ValueError: raise UsernameDecryptionException("aes") # lint-amnesty, pylint: disable=raise-missing-from try: unpadded = unpadder.update(decrypted) + unpadder.finalize() if len(unpadded) == 0: raise UsernameDecryptionException("padding") return unpadded except ValueError: raise UsernameDecryptionException("padding") # lint-amnesty, pylint: disable=raise-missing-from
def decrypt(token): try: base64_decoded = urlsafe_b64decode(token) except TypeError: raise UsernameDecryptionException("base64url") if len(base64_decoded) < AES_BLOCK_SIZE_BYTES: raise UsernameDecryptionException("initialization_vector") initialization_vector = base64_decoded[:AES_BLOCK_SIZE_BYTES] aes_encrypted = base64_decoded[AES_BLOCK_SIZE_BYTES:] aes_cipher = UsernameCipher._get_aes_cipher(initialization_vector) decryptor = aes_cipher.decryptor() unpadder = PKCS7(AES.block_size).unpadder() try: decrypted = decryptor.update(aes_encrypted) + decryptor.finalize() except ValueError: raise UsernameDecryptionException("aes") try: unpadded = unpadder.update(decrypted) + unpadder.finalize() if len(unpadded) == 0: raise UsernameDecryptionException("padding") return unpadded except ValueError: raise UsernameDecryptionException("padding")
def encrypt(self, plain_text, aad=None): plain_text = ensure_binary(plain_text) try: iv = get_random_bytes(algorithms.AES.block_size // 8) mode = self._mode(iv) if mode.name == "GCM": cipher = aead.AESGCM(self._key) cipher_text_and_tag = cipher.encrypt(iv, plain_text, aad) cipher_text = cipher_text_and_tag[:len(cipher_text_and_tag) - 16] auth_tag = cipher_text_and_tag[-16:] else: cipher = Cipher(algorithms.AES(self._key), mode, backend=default_backend()) encryptor = cipher.encryptor() padder = PKCS7(algorithms.AES.block_size).padder() padded_data = padder.update(plain_text) padded_data += padder.finalize() cipher_text = encryptor.update( padded_data) + encryptor.finalize() auth_tag = None return iv, cipher_text, auth_tag except Exception as e: raise JWEError(e)
def encrypt(self, k, a, m): """ Encrypt according to the selected encryption and hashing functions. :param k: Encryption key (optional) :param a: Additional Authentication Data :param m: Plaintext Returns a dictionary with the computed data. """ hkey = k[:self.keysize] ekey = k[self.keysize:] # encrypt iv = os.urandom(self.blocksize // 8) cipher = Cipher(algorithms.AES(ekey), modes.CBC(iv), backend=self.backend) encryptor = cipher.encryptor() padder = PKCS7(self.blocksize).padder() padded_data = padder.update(m) + padder.finalize() e = encryptor.update(padded_data) + encryptor.finalize() # mac t = self._mac(hkey, a, iv, e) return (iv, e, t)
def build(payload, signing_key, key, iv, backend): backend = signing_key._backend signature = signing_key.sign( payload.decode('utf-8').encode('utf-16-le'), PKCS1v15(), SHA1()) sign_doc = etree.Element('SIGNATURE') etree.SubElement(sign_doc, 'VERSION').text = '1.0' etree.SubElement( sign_doc, 'DIGEST').text = binascii.hexlify(signature).decode().upper() _key_to_xml(signing_key.public_key(), sign_doc) signed = b'\xef\xbb\xbf' + payload + etree.tostring(sign_doc) compressor = zlib.compressobj(wbits=16 + zlib.MAX_WBITS) compressed = compressor.compress(signed) + compressor.flush() padder = PKCS7(len(iv) * 8).padder() padded = padder.update(compressed) + padder.finalize() encryptor = Cipher(AES(key), CBC(iv), backend=backend).encryptor() encrypted = encryptor.update(padded) + encryptor.finalize() doc = etree.Element('ARCHIVE') doc.set('TYPE', 'GEMSTONE') node = etree.SubElement(doc, 'RADIO') node.set('VERSION', '1') node.set('ENCODING', 'Base64') node.text = base64.b64encode(encrypted) return etree.tostring(doc)
async def _decrypt_v1(self, file_data: bytes, metadata: Dict[str, str], range_start: Optional[int] = None) -> bytes: if range_start: raise DecryptError( 'Cant do range get when not using KMS encryption') decryption_key = base64.b64decode(metadata['x-amz-key']) material_description = json.loads(metadata['x-amz-matdesc']) aes_key = await self._crypto_context.get_decryption_aes_key( decryption_key, material_description) # x-amz-key - Contains base64 encrypted key # x-amz-iv - AES IVs # x-amz-matdesc - JSON Description of client-side master key (used as encryption context as is) # x-amz-unencrypted-content-length - Unencrypted content length iv = base64.b64decode(metadata['x-amz-iv']) # TODO look at doing AES as stream # AES/CBC/PKCS5Padding aescbc = Cipher(AES(aes_key), CBC(iv), backend=self._backend).decryptor() padded_result = await self._loop.run_in_executor( None, lambda: (aescbc.update(file_data) + aescbc.finalize())) unpadder = PKCS7(AES.block_size).unpadder() result = await self._loop.run_in_executor( None, lambda: (unpadder.update(padded_result) + unpadder.finalize())) return result
def encrypt(username): initialization_vector = os.urandom(AES_BLOCK_SIZE_BYTES) aes_cipher = UsernameCipher._get_aes_cipher(initialization_vector) encryptor = aes_cipher.encryptor() padder = PKCS7(AES.block_size).padder() padded = padder.update(username.encode("utf-8")) + padder.finalize() return urlsafe_b64encode(initialization_vector + encryptor.update(padded) + encryptor.finalize())
def encrypt(self, pt, is_filename=False): """ Encrypt and authenticate the given plaintext using AES and HMAC. if is_filename is True, the IV will be deterministically generated (derived from secret||pt), and the returned data will all be concatenated (not a tuple) :param pt: (bytes) plaintext :param is_filename: (bool) encrypting for filename :return: encrypted data: Union(Tuple, bytes) (iv||ct, tag) or iv||ct||tag in case of filename iv = initialization vector (128 bits) ct = ciphertext (encrypted message) tag = MAC tag (256 bits) """ # pad the plaintext to make its size a multiple of 256 bits (for CBC) padder = PKCS7(256).padder() padded_pt = padder.update(pt) + padder.finalize() iv = self.derive_key(self._secret + pt)[:16] if is_filename else os.urandom(16) cipher = Cipher(algorithms.AES(self._cipher_key), modes.CBC(iv), default_backend()) encryptor = cipher.encryptor() ct = encryptor.update(padded_pt) + encryptor.finalize() tag = self.get_hmac_tag(iv + ct) return iv + ct + tag if is_filename else (iv + ct, tag)
def pad(data): """ Pad the given `data` such that it fits into the proper AES block size """ if six.PY3 and not isinstance(data, (bytes, bytearray)): data = six.b(data) padder = PKCS7(AES.block_size).padder() return padder.update(data) + padder.finalize()
def encrypt_blob_bytes(key: bytes, iv: bytes, unencrypted: bytes) -> typing.Tuple[bytes, str]: cipher = Cipher(AES(key), modes.CBC(iv), backend=BACKEND) padder = PKCS7(AES.block_size).padder() encryptor = cipher.encryptor() encrypted = encryptor.update(padder.update(unencrypted) + padder.finalize()) + encryptor.finalize() digest = get_lbry_hash_obj() digest.update(encrypted) return encrypted, digest.hexdigest()
def aes_encrypt(secret, value): key = double_sha256(secret) init_vector = os.urandom(16) encryptor = Cipher(AES(key), modes.CBC(init_vector), default_backend()).encryptor() padder = PKCS7(AES.block_size).padder() padded_data = padder.update(value) + padder.finalize() encrypted_data2 = encryptor.update(padded_data) + encryptor.finalize() return base64.b64encode(encrypted_data2)
def aes_decrypt(secret, value): data = base64.b64decode(value) key = double_sha256(secret) init_vector, data = data[:16], data[16:] decryptor = Cipher(AES(key), modes.CBC(init_vector), default_backend()).decryptor() unpadder = PKCS7(AES.block_size).unpadder() result = unpadder.update(decryptor.update(data)) + unpadder.finalize() return result
def better_aes_encrypt(secret: str, value: bytes) -> bytes: init_vector = os.urandom(16) key = scrypt(secret.encode(), salt=init_vector) encryptor = Cipher(AES(key), modes.CBC(init_vector), default_backend()).encryptor() padder = PKCS7(AES.block_size).padder() padded_data = padder.update(value) + padder.finalize() encrypted_data = encryptor.update(padded_data) + encryptor.finalize() return base64.b64encode(b's:8192:16:1:' + init_vector + encrypted_data)
def pkcs7_unpadding(data: bytes, block_size): """ Args: block_size (int): the length of bytes, no the length of bit """ unpadder = PKCS7(block_size * 8).unpadder() return unpadder.update(data) + unpadder.finalize()