def verify_sym_key(archived_key, archived_iv, algorithm, plain_text): """ This function verifies whether archived key is usable, Actually verifying this is senseless, reason any random data can be used for encryption, but still just for the heck of it. """ # Initialize NSS nss.nss_init_nodb() # Decode the base64 string to binary key = base64.decodestring(archived_data) # Currently we are assuming the mechanism to AES # Will need to add other mechanisms later, but # this is just an example. mechanism = nss.CKM_AES_CBC_PAD # Get the best pkcs11 slot slot = nss.get_best_slot(mechanism) # convert the binary to hex with separtor as : pki_key = nss.data_to_hex(data=key,separator=":") # create a nssSecItem object out of it. key_si = nss.SecItem(nss.read_hex(pki_key)) # Import the key to the slot sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, key_si) # Same for the nonce data iv = base64.decodestring(archived_iv) iv_data = nss.data_to_hex(data=iv,separator=":") iv_si = nss.SecItem(nss.read_hex(iv_data)) iv_param = nss.param_from_iv(mechanism, iv_si) encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,sym_key, iv_param) decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,sym_key, iv_param) cipher_text = encoding_ctx.cipher_op(plain_text) cipher_text += encoding_ctx.digest_final() print cipher_text decoded_text = decoding_ctx.cipher_op(cipher_text) decoded_text += decoding_ctx.digest_final() print decoded_text
def setup_contexts(mechanism, key, iv): # Get a PK11 slot based on the cipher slot = nss.get_best_slot(mechanism) # If key was supplied use it, otherwise generate one if key: if verbose: print("using supplied key data") print("key:\n%s" % (key)) key_si = nss.SecItem(nss.read_hex(key)) sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, key_si) else: if verbose: print("generating key data") sym_key = slot.key_gen(mechanism, None, slot.get_best_key_length(mechanism)) # If initialization vector was supplied use it, otherwise set it to None if iv: if verbose: print("supplied iv:\n%s" % (iv)) iv_data = nss.read_hex(iv) iv_si = nss.SecItem(iv_data) iv_param = nss.param_from_iv(mechanism, iv_si) else: iv_length = nss.get_iv_length(mechanism) if iv_length > 0: iv_data = nss.generate_random(iv_length) iv_si = nss.SecItem(iv_data) iv_param = nss.param_from_iv(mechanism, iv_si) if verbose: print("generated %d byte initialization vector: %s" % (iv_length, nss.data_to_hex(iv_data, separator=":"))) else: iv_param = None # Create an encoding context encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT, sym_key, iv_param) # Create a decoding context decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT, sym_key, iv_param) return encoding_ctx, decoding_ctx
def setup_contexts(mechanism, key, iv): # Get a PK11 slot based on the cipher slot = nss.get_best_slot(mechanism) # If key was supplied use it, otherwise generate one if key: if verbose: print "using supplied key data" print "key:\n%s" % (key) key_si = nss.SecItem(nss.read_hex(key)) sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, key_si) else: if verbose: print "generating key data" sym_key = slot.key_gen(mechanism, None, slot.get_best_key_length(mechanism)) # If initialization vector was supplied use it, otherwise set it to None if iv: if verbose: print "supplied iv:\n%s" % (iv) iv_data = nss.read_hex(iv) iv_si = nss.SecItem(iv_data) iv_param = nss.param_from_iv(mechanism, iv_si) else: iv_length = nss.get_iv_length(mechanism) if iv_length > 0: iv_data = nss.generate_random(iv_length) iv_si = nss.SecItem(iv_data) iv_param = nss.param_from_iv(mechanism, iv_si) if verbose: print "generated %d byte initialization vector: %s" % \ (iv_length, nss.data_to_hex(iv_data, separator=":")) else: iv_param = None # Create an encoding context encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT, sym_key, iv_param) # Create a decoding context decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT, sym_key, iv_param) return encoding_ctx, decoding_ctx
def __call__(self, element, mac=None): (mech, ivlen) = fetch(element, "./xenc:EncryptionMethod/@Algorithm", convertAlgorithm) data = fetch(element, "./xenc:CipherData/xenc:CipherValue/text()", base64.b64decode) # If a MAC is present, perform validation. if mac: tmp = self.__hmac.copy() tmp.update(data) if tmp.digest() != mac: raise ValidationError("MAC validation failed!") # Decrypt the data. slot = nss.get_best_slot(mech) key = nss.import_sym_key(slot, mech, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, self.__key) iv = nss.param_from_iv(mech, nss.SecItem(data[0:ivlen/8])) ctx = nss.create_context_by_sym_key(mech, nss.CKA_DECRYPT, key, iv) out = ctx.cipher_op(data[ivlen / 8:]) out += ctx.digest_final() return out
def __call__(self, element, mac=None): (mech, ivlen) = fetch(element, "./xenc:EncryptionMethod/@Algorithm", convertAlgorithm) data = fetch(element, "./xenc:CipherData/xenc:CipherValue/text()", base64.b64decode) # If a MAC is present, perform validation. if mac: tmp = self.__hmac.copy() tmp.update(data) if tmp.digest() != mac: raise ValidationError("MAC validation failed!") # Decrypt the data. slot = nss.get_best_slot(mech) key = nss.import_sym_key(slot, mech, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, self.__key) iv = nss.param_from_iv(mech, nss.SecItem(data[0:ivlen//8])) ctx = nss.create_context_by_sym_key(mech, nss.CKA_DECRYPT, key, iv) out = ctx.cipher_op(data[ivlen // 8:]) out += ctx.digest_final() return out