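def _decryptAndImportKdk(self, kdkData, onError) -> bool:
    """
    Decrypt the KDK carried in kdkData with this decryptor's credentials key
    and import the recovered SafeBag into the internal (in-memory) KeyChain.

    The Data content is an EncryptedContent in V2 wire format: its payload is
    a SafeBag and its payload key is the SafeBag password, encrypted to
    ``self._credentialsKey``. The password is recovered with the TPM behind
    ``self._keyChain`` and is used only for the import below.

    NOTE(review): nothing in this method checks that kdkData was
    signature-validated; presumably the caller's Validator does that before
    this is invoked — confirm, since an unvalidated KDK would be imported into
    the internal KeyChain as a usable decryption key.

    :param Data kdkData: The KDK Data packet to decrypt and import.
    :param onError: On error, this calls onError(errorCode, message).
    :type onError: function object
    :return: True for success, false for error (where this has called onError).
    :rtype: bool
    """
    logger = logging.getLogger(__name__)
    try:
        logger.info("Decrypting and importing KDK %s", kdkData.getName().toUri())

        encryptedContent = EncryptedContent()
        encryptedContent.wireDecodeV2(kdkData.getContent())
        safeBag = SafeBag(encryptedContent.getPayload())

        # The payload key is the SafeBag password, encrypted to our credentials
        # key; only the TPM holding that key can recover it.
        # NOTE(review): a packet without a payload key is not handled
        # specially here — whatever getPayloadKey() yields in that case goes
        # to the TPM and is reported as a generic DecryptionFailure; confirm
        # that is the intended behaviour.
        secret = self._keyChain.getTpm().decrypt(
            encryptedContent.getPayloadKey().toBytes(),
            self._credentialsKey.getName())
        if secret.isNull():
            # Fix: the original referenced an undefined name (credentialsKey_),
            # so this branch raised NameError and was misreported as a
            # DecryptionFailure instead of TpmKeyNotFound.
            onError(
                EncryptError.ErrorCode.TpmKeyNotFound,
                "Could not decrypt secret, " +
                self._credentialsKey.getName().toUri() + " not found in TPM")
            return False

        self._internalKeyChain.importSafeBag(safeBag, secret.toBytes())
        return True
    except Exception as ex:
        # Any failure in decode, TPM decrypt, or import (including an
        # exception raised by onError itself above) is reported once here.
        onError(
            EncryptError.ErrorCode.DecryptionFailure,
            "Failed to decrypt KDK [" + kdkData.getName().toUri() + "]: " +
            repr(ex))
        return False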
def _decryptAndImportKdk(self, kdkData, onError) -> bool:
    """
    Recover the KDK in kdkData and import it into the internal KeyChain.

    kdkData carries an EncryptedContent (V2 encoding) whose payload is a
    SafeBag and whose payload key is that SafeBag's password, encrypted to
    ``self._credentialsKey``. The TPM of ``self._keyChain`` decrypts the
    password; the SafeBag is then imported into ``self._internalKeyChain``.

    NOTE(review): this method does not itself verify kdkData's signature;
    presumably the caller's Validator has already done so — confirm.

    :param Data kdkData: The KDK Data packet.
    :param onError: Called as onError(errorCode, message) on failure.
    :type onError: function object
    :return: True on success; False after onError has been called.
    :rtype: bool
    """
    logger = logging.getLogger(__name__)
    try:
        kdkName = kdkData.getName().toUri()
        logger.info("Decrypting and importing KDK " + kdkName)

        wrapped = EncryptedContent()
        wrapped.wireDecodeV2(kdkData.getContent())
        bag = SafeBag(wrapped.getPayload())

        # Only the TPM holding the credentials key can unwrap the password.
        tpm = self._keyChain.getTpm()
        credentialsKeyName = self._credentialsKey.getName()
        bagPassword = tpm.decrypt(wrapped.getPayloadKey().toBytes(),
                                  credentialsKeyName)

        if bagPassword.isNull():
            notFoundMessage = ("Could not decrypt secret, " +
                               credentialsKeyName.toUri() + " not found in TPM")
            onError(EncryptError.ErrorCode.TpmKeyNotFound, notFoundMessage)
            return False

        self._internalKeyChain.importSafeBag(bag, bagPassword.toBytes())
        return True
    except Exception as ex:
        # Covers decode, TPM and import failures, and an onError that raised.
        failureMessage = ("Failed to decrypt KDK [" +
                          kdkData.getName().toUri() + "]: " + repr(ex))
        onError(EncryptError.ErrorCode.DecryptionFailure, failureMessage)
        return False
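def _decryptCkAndProcessPendingDecrypts(
        self, contentKey, ckData, kdkKeyName, onError) -> None:
    """
    Decrypt the content key (CK) carried in ckData with the KDK named
    kdkKeyName, store it on contentKey, and run every decrypt that was
    queued on contentKey while the CK was being fetched.

    NOTE(review): nothing here checks that ckData was signature-validated;
    presumably the caller's Validator does that first — confirm.

    :param contentKey: The pending content-key record; this sets
      ``contentKey.bits`` and ``contentKey.isRetrieved`` and drains
      ``contentKey.pendingDecrypts``.
    :param Data ckData: The CK Data packet whose content is an
      EncryptedContent (V2 encoding) encrypted to the KDK.
    :param Name kdkKeyName: The KDK key name in the internal KeyChain's TPM.
    :param onError: Called as onError(errorCode, message) if the CK cannot be
      recovered; in that case the pending decrypts are left untouched.
    :type onError: function object
    """
    logger = logging.getLogger(__name__)
    # Fix: the URI was passed as a %-format argument to a message with no
    # placeholder, so logging reported a formatting error instead of the line.
    logger.info("Decrypting CK data %s", ckData.getName().toUri())

    content = EncryptedContent()
    try:
        content.wireDecodeV2(ckData.getContent())
    except Exception as ex:
        onError(EncryptError.ErrorCode.InvalidEncryptedFormat,
                "Error decrypting EncryptedContent: " + repr(ex))
        return

    try:
        ckBits = self._internalKeyChain.getTpm().decrypt(
            content.getPayload().toBytes(), kdkKeyName)
    except Exception as ex:
        # We don't expect this from the in-memory KeyChain.
        onError(EncryptError.ErrorCode.DecryptionFailure,
                "Error decrypting the CK EncryptedContent " + repr(ex))
        return

    if ckBits.isNull():
        onError(EncryptError.ErrorCode.TpmKeyNotFound,
                "Could not decrypt secret, " + kdkKeyName.toUri() +
                " not found in TPM")
        return

    contentKey.bits = ckBits
    contentKey.isRetrieved = True

    # Detach the queue before dispatching: a callback that raises or
    # re-enters this decryptor can then neither leave stale entries to be
    # replayed later nor mutate the list while it is being iterated.
    pending = contentKey.pendingDecrypts
    contentKey.pendingDecrypts = []
    for pendingDecrypt in pending:
        # TODO: If this calls onError, should we quit?
        DecryptorV2._doDecrypt(
            pendingDecrypt.encryptedContent, contentKey.bits,
            pendingDecrypt.onSuccess, pendingDecrypt.onError)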
def _decryptCkAndProcessPendingDecrypts(
        self, contentKey, ckData, kdkKeyName, onError) -> None:
    """
    Recover the content key (CK) from ckData using the KDK kdkKeyName, record
    it on contentKey, then run the decrypts queued while the CK was pending.

    On any failure onError(errorCode, message) is called once and the method
    returns without touching contentKey or its queue.

    NOTE(review): ckData's signature is not verified here; presumably the
    caller's Validator has already done so — confirm.

    :param contentKey: Pending CK record; receives ``bits`` and
      ``isRetrieved`` and has ``pendingDecrypts`` drained.
    :param Data ckData: CK Data packet (EncryptedContent, V2 encoding).
    :param Name kdkKeyName: KDK key name known to the internal TPM.
    :param onError: Error callback, onError(errorCode, message).
    :type onError: function object
    """
    logger = logging.getLogger(__name__)
    logger.info("Decrypting CK data " + ckData.getName().toUri())

    wrapped = EncryptedContent()
    try:
        wrapped.wireDecodeV2(ckData.getContent())
    except Exception as ex:
        formatMessage = "Error decrypting EncryptedContent: " + repr(ex)
        onError(EncryptError.ErrorCode.InvalidEncryptedFormat, formatMessage)
        return

    tpm = self._internalKeyChain.getTpm()
    try:
        recoveredCk = tpm.decrypt(wrapped.getPayload().toBytes(), kdkKeyName)
    except Exception as ex:
        # The in-memory KeyChain is not expected to raise here.
        decryptMessage = ("Error decrypting the CK EncryptedContent " +
                          repr(ex))
        onError(EncryptError.ErrorCode.DecryptionFailure, decryptMessage)
        return

    if recoveredCk.isNull():
        notFoundMessage = ("Could not decrypt secret, " + kdkKeyName.toUri() +
                           " not found in TPM")
        onError(EncryptError.ErrorCode.TpmKeyNotFound, notFoundMessage)
        return

    contentKey.bits = recoveredCk
    contentKey.isRetrieved = True

    # Deliver every queued decrypt with the now-available CK, then empty the
    # queue. NOTE(review): the list is iterated in place and cleared only
    # afterwards — a callback that raises leaves the entries queued; verify
    # that is acceptable.
    doDecrypt = DecryptorV2._doDecrypt
    for queued in contentKey.pendingDecrypts:
        # TODO: If this calls onError, should we quit?
        doDecrypt(queued.encryptedContent, contentKey.bits,
                  queued.onSuccess, queued.onError)
    contentKey.pendingDecrypts = []