def get_decryption_context(alg_id, sym_key, params_base64):
# Build a decryption context using the same parameters used
# when the encryption context was created.
# Do NOT use the params returned by get_pbe_crypto_mechanism()
# because the params often include an IV (Initialization Vector)
# created with random data, therefore the params used in the
# encryption context will not match the params needed for the
# decryption context. Instead use the params used in the
# encryption context. For interoperability reasons we exchange the
# params as base64 encoded binary data.
mechanism, params = alg_id.get_pbe_crypto_mechanism(sym_key)
# Recreate the params used during encryption by initializing a
# SecItem from base64 text data (indicated by ascii=True)
params = nss.SecItem(params_base64, ascii=True)
if not options.quiet:
print(
fmt_info(
"get_pbe_crypto_mechanism (decrypting) returned mechanism:",
nss.key_mechanism_type_name(mechanism),
))
print()
# Now we have enough information to create a decrypting context
decrypt_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, params)
return decrypt_ctx
def get_decryption_context(alg_id, sym_key, params_base64):
# Build a decryption context using the same parameters used
# when the encryption context was created.
# Do NOT use the params returned by get_pbe_crypto_mechanism()
# because the params often include an IV (Initialization Vector)
# created with random data, therefore the params used in the
# encryption context will not match the params needed for the
# decryption context. Instead use the params used in the
# encryption context. For interoperability reasons we exchange the
# params as base64 encoded binary data.
mechanism, params = alg_id.get_pbe_crypto_mechanism(sym_key)
# Recreate the params used during encryption by initializing a
# SecItem from base64 text data (indicated by ascii=True)
params = nss.SecItem(params_base64, ascii=True)
if not options.quiet:
print(fmt_info("get_pbe_crypto_mechanism (decrypting) returned mechanism:",
nss.key_mechanism_type_name(mechanism)))
print()
# Now we have enough information to create a decrypting context
decrypt_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, params)
return decrypt_ctx
def get_encryption_context(alg_id, sym_key):
# In order for NSS to encrypt and decrypt data it needs an
# encryption context to perform the operation in. The cipher used
# for the encryption context is specified with a PK11 mechanism.
# The cipher likely also needs additional parameters (i.e. an
# Initialization Vector (IV) and possibly other values.
# The get_pbe_crypto_mechanism() call computes the mechanism
# and parameters for the PBE symmetric key we're using.
#
# Because the decryption context needs the same params used in
# the encryption context we save the param block returned by
# get_pbe_crypto_mechanism(). So that it can be passed to
# create_context_by_sym_key() when creating the decryption context.
# It's often the case the decryption is performed by a separate
# process so in this example we illustrate exchanging the param
# as base64 data.
mechanism, params = alg_id.get_pbe_crypto_mechanism(sym_key)
# Format the params binary data into a base64 string. The zero
# passed for the chars_per_line parameter indicates we want the
# base64 data as one single string as opposed to a list of wrapped
# strings.
params_base64 = params.to_base64(0)
if not options.quiet:
print(
fmt_info(
"get_pbe_crypto_mechanism (encrypting) returned mechanism:",
nss.key_mechanism_type_name(mechanism),
))
print(
fmt_info("get_pbe_crypto_mechanism (encrypting) returned params:",
params))
print()
# Now we have enough information to create an encrypting context
# and decrypting the data.
encrypt_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, params)
# Return the encrypting context and it's parameter block so that the
# decryption context can use the same parameter block.
return encrypt_ctx, params_base64
def get_encryption_context(alg_id, sym_key):
# In order for NSS to encrypt and decrypt data it needs an
# encryption context to perform the operation in. The cipher used
# for the encryption context is specified with a PK11 mechanism.
# The cipher likely also needs additional parameters (i.e. an
# Initialization Vector (IV) and possibly other values.
# The get_pbe_crypto_mechanism() call computes the mechanism
# and parameters for the PBE symmetric key we're using.
#
# Because the decryption context needs the same params used in
# the encryption context we save the param block returned by
# get_pbe_crypto_mechanism(). So that it can be passed to
# create_context_by_sym_key() when creating the decryption context.
# It's often the case the decryption is performed by a separate
# process so in this example we illustrate exchanging the param
# as base64 data.
mechanism, params = alg_id.get_pbe_crypto_mechanism(sym_key)
# Format the params binary data into a base64 string. The zero
# passed for the chars_per_line parameter indicates we want the
# base64 data as one single string as opposed to a list of wrapped
# strings.
params_base64 = params.to_base64(0)
if not options.quiet:
print(fmt_info("get_pbe_crypto_mechanism (encrypting) returned mechanism:",
nss.key_mechanism_type_name(mechanism)))
print(fmt_info("get_pbe_crypto_mechanism (encrypting) returned params:",
params))
print()
# Now we have enough information to create an encrypting context
# and decrypting the data.
encrypt_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, params)
# Return the encrypting context and it's parameter block so that the
# decryption context can use the same parameter block.
return encrypt_ctx, params_base64
