def _get_session_key():
try:
if os_environ.get('BW_SESSION'):
return SymmetricCryptoKey(b64decode(os_environ['BW_SESSION']))
except Exception as e:
T.error(e)
print('Session key is invalid.')
return None
def __init__(self,
encrypted_string_or_type: str,
data: str = None,
iv: str = None,
mac: str = None):
if data:
enc_type = EncryptionType(encrypted_string_or_type)
self.encryptedString = encrypted_string_or_type + '.' + data
if iv:
self.encryptedString += '|' + iv
if mac:
self.encryptedString += '|' + mac
self.encryptionType = enc_type
self.data = data
self.iv = iv
self.mac = mac
return
self.encryptedString = str(encrypted_string_or_type)
if self.encryptedString is None:
return
header_pieces = self.encryptedString.split('.')
if len(header_pieces) == 2:
try:
self.encryptionType = EncryptionType(int(header_pieces[0]))
enc_pieces = header_pieces[1].split('|')
except Exception as e:
T.error(e)
return
else:
enc_pieces = self.encryptedString.split('|')
self.encryptionType = EncryptionType.AesCbc128_HmacSha256_B64 \
if len(enc_pieces) == 3 else EncryptionType.AesCbc256_B64
if self.encryptionType == EncryptionType.AesCbc128_HmacSha256_B64 \
or self.encryptionType == EncryptionType.AesCbc256_HmacSha256_B64:
if len(enc_pieces) != 3:
return
self.iv = enc_pieces[0]
self.data = enc_pieces[1]
self.mac = enc_pieces[2]
elif self.encryptionType == EncryptionType.AesCbc256_B64:
if len(enc_pieces) != 2:
return
self.iv = enc_pieces[0]
self.data = enc_pieces[1]
elif self.encryptionType == EncryptionType.Rsa2048_OaepSha256_B64 \
or self.encryptionType == EncryptionType.Rsa2048_OaepSha1_B64:
if len(enc_pieces) != 1:
return
self.data = enc_pieces[0]
else:
return
def rsa_decrypt(self, enc_value):
header_pieces = enc_value.split('.')
enc_type: EncryptionType = None
enc_pieces = None
if len(header_pieces) == 1:
enc_type = EncryptionType.Rsa2048_OaepSha256_B64
enc_pieces = [header_pieces[0]]
elif len(header_pieces) == 2:
try:
enc_type = EncryptionType(int(header_pieces[0]))
enc_pieces = header_pieces[1].split('|')
except Exception as e:
T.error(e)
if enc_type != EncryptionType.Rsa2048_OaepSha256_B64 \
and enc_type != EncryptionType.Rsa2048_OaepSha1_B64 \
and enc_type != EncryptionType.Rsa2048_OaepSha256_HmacSha256_B64 \
and enc_type != EncryptionType.Rsa2048_OaepSha1_HmacSha256_B64:
raise Exception('encType unavailable')
if enc_pieces is None or len(enc_pieces) <= 0:
raise Exception('encPieces unavailable')
data = b64decode(enc_pieces[0])
private_key = self.get_private_key()
if private_key is None:
raise Exception('No private key')
if enc_type == EncryptionType.Rsa2048_OaepSha256_B64 \
or enc_type == EncryptionType.Rsa2048_OaepSha256_HmacSha256_B64:
alg = hashes.SHA256()
elif enc_type == EncryptionType.Rsa2048_OaepSha1_B64 \
or enc_type == EncryptionType.Rsa2048_OaepSha1_HmacSha256_B64:
alg = hashes.SHA1()
else:
raise Exception('encType unavailable.')
return serialization\
.load_der_private_key(private_key, None, default_backend())\
.decrypt(data,
padding.OAEP(
mgf=padding.MGF1(
algorithm=alg,
),
algorithm=alg,
label=None
))
def decrypt(self, org_id):
if self.decryptedValue:
return self.decryptedValue
cypto_service = ContainerService.ContainerService().get_crypto_service(
)
if not cypto_service:
raise Exception('Container service not initialized')
try:
org_key = cypto_service.get_org_key(org_id)
self.decryptedValue = cypto_service.decrypt_to_utf8(self, org_key)
except Exception as e:
T.error(e)
self.decryptedValue = '[error: cannot decrypt]'
return self.decryptedValue
def aes_decrypt_to_utf8(self, enc_type, data, iv, mac, key):
key_for_enc = self.get_key_for_encryption(key)
the_key = self.resolve_legacy_key(enc_type, key_for_enc)
if the_key.macKey is not None and mac is None:
return None
if the_key.encType != enc_type:
T.error('encType unavailable')
return None
fast_params = self.aes_decrypt_fast_parameters(data, iv, mac, the_key)
if fast_params.macKey and fast_params.mac:
computed_mac = hmac.new(fast_params.macKey, fast_params.macData,
hashlib_sha256).digest()
if not self.macs_compare(computed_mac, fast_params.mac):
T.error('mac failed')
return None
return self.aes_decrypt_fast(fast_params)
def aes_decrypt_to_bytes(self, enc_type, data, iv, mac, key):
key_for_enc = self.get_key_for_encryption(key)
the_key = self.resolve_legacy_key(enc_type, key_for_enc)
if the_key.macKey is not None and mac is None:
return None
if the_key.encType != enc_type:
return None
if the_key.macKey and mac:
mac_data = iv + data
computed_mac = hmac.new(the_key.macKey, mac_data,
hashlib_sha256).digest()
if computed_mac is None:
return None
if not self.macs_compare(mac, computed_mac):
T.error('mac failed')
return None
return self.aes_decrypt(data, iv, the_key.encKey)
def decrypt(self, enc_value) -> str:
try:
session_key = self._get_session_key()
if session_key is None:
return ''
dec_value = self.cryptoService.decrypt_from_bytes(
b64decode(enc_value), session_key)
if dec_value is None:
T.error('Failed to decrypt')
return ''
return b64encode(dec_value)
except Exception as e:
T.error(e)
T.error('Decrypt error')