123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188 |
- # This file is dual licensed under the terms of the Apache License, Version
- # 2.0, and the BSD License. See the LICENSE file in the root of this repository
- # for complete details.
- import struct
- import typing
- from cryptography.hazmat.backends import _get_backend
- from cryptography.hazmat.backends.interfaces import Backend
- from cryptography.hazmat.primitives.ciphers import Cipher
- from cryptography.hazmat.primitives.ciphers.algorithms import AES
- from cryptography.hazmat.primitives.ciphers.modes import ECB
- from cryptography.hazmat.primitives.constant_time import bytes_eq
- def _wrap_core(
- wrapping_key: bytes,
- a: bytes,
- r: typing.List[bytes],
- backend: Backend,
- ) -> bytes:
- # RFC 3394 Key Wrap - 2.2.1 (index method)
- encryptor = Cipher(AES(wrapping_key), ECB(), backend).encryptor()
- n = len(r)
- for j in range(6):
- for i in range(n):
- # every encryption operation is a discrete 16 byte chunk (because
- # AES has a 128-bit block size) and since we're using ECB it is
- # safe to reuse the encryptor for the entire operation
- b = encryptor.update(a + r[i])
- # pack/unpack are safe as these are always 64-bit chunks
- a = struct.pack(
- ">Q", struct.unpack(">Q", b[:8])[0] ^ ((n * j) + i + 1)
- )
- r[i] = b[-8:]
- assert encryptor.finalize() == b""
- return a + b"".join(r)
- def aes_key_wrap(
- wrapping_key: bytes,
- key_to_wrap: bytes,
- backend: typing.Optional[Backend] = None,
- ) -> bytes:
- backend = _get_backend(backend)
- if len(wrapping_key) not in [16, 24, 32]:
- raise ValueError("The wrapping key must be a valid AES key length")
- if len(key_to_wrap) < 16:
- raise ValueError("The key to wrap must be at least 16 bytes")
- if len(key_to_wrap) % 8 != 0:
- raise ValueError("The key to wrap must be a multiple of 8 bytes")
- a = b"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
- r = [key_to_wrap[i : i + 8] for i in range(0, len(key_to_wrap), 8)]
- return _wrap_core(wrapping_key, a, r, backend)
- def _unwrap_core(
- wrapping_key: bytes,
- a: bytes,
- r: typing.List[bytes],
- backend: Backend,
- ) -> typing.Tuple[bytes, typing.List[bytes]]:
- # Implement RFC 3394 Key Unwrap - 2.2.2 (index method)
- decryptor = Cipher(AES(wrapping_key), ECB(), backend).decryptor()
- n = len(r)
- for j in reversed(range(6)):
- for i in reversed(range(n)):
- # pack/unpack are safe as these are always 64-bit chunks
- atr = (
- struct.pack(
- ">Q", struct.unpack(">Q", a)[0] ^ ((n * j) + i + 1)
- )
- + r[i]
- )
- # every decryption operation is a discrete 16 byte chunk so
- # it is safe to reuse the decryptor for the entire operation
- b = decryptor.update(atr)
- a = b[:8]
- r[i] = b[-8:]
- assert decryptor.finalize() == b""
- return a, r
- def aes_key_wrap_with_padding(
- wrapping_key: bytes,
- key_to_wrap: bytes,
- backend: typing.Optional[Backend] = None,
- ) -> bytes:
- backend = _get_backend(backend)
- if len(wrapping_key) not in [16, 24, 32]:
- raise ValueError("The wrapping key must be a valid AES key length")
- aiv = b"\xA6\x59\x59\xA6" + struct.pack(">i", len(key_to_wrap))
- # pad the key to wrap if necessary
- pad = (8 - (len(key_to_wrap) % 8)) % 8
- key_to_wrap = key_to_wrap + b"\x00" * pad
- if len(key_to_wrap) == 8:
- # RFC 5649 - 4.1 - exactly 8 octets after padding
- encryptor = Cipher(AES(wrapping_key), ECB(), backend).encryptor()
- b = encryptor.update(aiv + key_to_wrap)
- assert encryptor.finalize() == b""
- return b
- else:
- r = [key_to_wrap[i : i + 8] for i in range(0, len(key_to_wrap), 8)]
- return _wrap_core(wrapping_key, aiv, r, backend)
- def aes_key_unwrap_with_padding(
- wrapping_key: bytes,
- wrapped_key: bytes,
- backend: typing.Optional[Backend] = None,
- ) -> bytes:
- backend = _get_backend(backend)
- if len(wrapped_key) < 16:
- raise InvalidUnwrap("Must be at least 16 bytes")
- if len(wrapping_key) not in [16, 24, 32]:
- raise ValueError("The wrapping key must be a valid AES key length")
- if len(wrapped_key) == 16:
- # RFC 5649 - 4.2 - exactly two 64-bit blocks
- decryptor = Cipher(AES(wrapping_key), ECB(), backend).decryptor()
- b = decryptor.update(wrapped_key)
- assert decryptor.finalize() == b""
- a = b[:8]
- data = b[8:]
- n = 1
- else:
- r = [wrapped_key[i : i + 8] for i in range(0, len(wrapped_key), 8)]
- encrypted_aiv = r.pop(0)
- n = len(r)
- a, r = _unwrap_core(wrapping_key, encrypted_aiv, r, backend)
- data = b"".join(r)
- # 1) Check that MSB(32,A) = A65959A6.
- # 2) Check that 8*(n-1) < LSB(32,A) <= 8*n. If so, let
- # MLI = LSB(32,A).
- # 3) Let b = (8*n)-MLI, and then check that the rightmost b octets of
- # the output data are zero.
- (mli,) = struct.unpack(">I", a[4:])
- b = (8 * n) - mli
- if (
- not bytes_eq(a[:4], b"\xa6\x59\x59\xa6")
- or not 8 * (n - 1) < mli <= 8 * n
- or (b != 0 and not bytes_eq(data[-b:], b"\x00" * b))
- ):
- raise InvalidUnwrap()
- if b == 0:
- return data
- else:
- return data[:-b]
- def aes_key_unwrap(
- wrapping_key: bytes,
- wrapped_key: bytes,
- backend: typing.Optional[Backend] = None,
- ) -> bytes:
- backend = _get_backend(backend)
- if len(wrapped_key) < 24:
- raise InvalidUnwrap("Must be at least 24 bytes")
- if len(wrapped_key) % 8 != 0:
- raise InvalidUnwrap("The wrapped key must be a multiple of 8 bytes")
- if len(wrapping_key) not in [16, 24, 32]:
- raise ValueError("The wrapping key must be a valid AES key length")
- aiv = b"\xa6\xa6\xa6\xa6\xa6\xa6\xa6\xa6"
- r = [wrapped_key[i : i + 8] for i in range(0, len(wrapped_key), 8)]
- a = r.pop(0)
- a, r = _unwrap_core(wrapping_key, a, r, backend)
- if not bytes_eq(a, aiv):
- raise InvalidUnwrap()
- return b"".join(r)
- class InvalidUnwrap(Exception):
- pass
|