def test_meta_check_key_usage_rsa():
obj = objects.RSAKey(0xe0fc)
crypto.generate_pair(key_object=obj,
key_size=1024,
key_usage=['key_agreement', 'encryption'])
assert ['key_agreement', 'encryption'] == obj.meta['key_usage'] or \
['encryption', 'key_agreement'] == obj.meta['key_usage']
def test_meta_check_key_usage_ecc():
obj = objects.ECCKey(0xe0f1)
crypto.generate_pair(key_object=obj,
curve='secp256r1',
key_usage=['signature', 'authentication'])
assert ['signature', 'authentication'] == obj.meta['key_usage'] or \
['authentication', 'signature'] == obj.meta['key_usage']
def test_keypair_faulty(): with pytest.raises(ValueError): k = objects.RSAKey(0xe0fc) crypto.generate_pair(key_object=k, key_size=100) with pytest.raises(ValueError): objects.RSAKey(0xe0f1)
def test_ecdsa_signverify(curve, hashname):
key_object = objects.ECCKey(0xE100)
pkey, _ = crypto.generate_pair(key_object, curve=curve)
key_object_fail = objects.ECCKey(0xE101)
pkey_fail, _ = crypto.generate_pair(key_object_fail, curve=curve)
ha = hashname
s = crypto.ecdsa_sign(key_object, tbs_str)
print('[{}]'.format(', '.join(hex(x) for x in list(s.signature))))
# Preparing a PublicKeyInfo
pubkey_info = keys.PublicKeyInfo.load(pkey)
# Load a public key into the oscrypto engine to using it in the verify function
public = load_public_key(pubkey_info)
ecdsa_verify(public, s.signature, tbs_str, ha)
# Assert wrong text
with pytest.raises(SignatureError):
ecdsa_verify(public, s.signature, tbs_str_fail, ha)
# Assert wrong key
with pytest.raises(SignatureError):
# Preparing a PublicKeyInfo
pubkey_info = keys.PublicKeyInfo.load(pkey_fail)
# Load a public key into the oscrypto engine to using it in the verify function
public = load_public_key(pubkey_info)
ecdsa_verify(public, s.signature, tbs_str, ha)
def test_keypair_faulty():
with pytest.raises(ValueError):
key_object = objects.ECCKey(0xe0f1)
pkey, _ = optiga_ec.generate_pair(key_object, curve='secp384')
with pytest.raises(ValueError):
key_object = objects.ECCKey(0xe0fc)
pkey, _ = optiga_ec.generate_pair(key_object, curve='secp384r1')
def test_keypair_x_y(oid, curve, pub_key_size):
key_object = objects.ECCKey(oid)
pkey, _ = optiga_ec.generate_pair(key_object, curve=curve)
pkey, key = optiga_ec.generate_pair(key_object, curve=curve, export=True)
assert isinstance(pkey, bytes)
assert isinstance(key, bytes)
assert len(pkey) > 0
assert len(key) > 0
assert len(pkey) == pub_key_size
assert key_object.id == oid
assert key_object.curve == curve
def test_keypair_2k_keyid(ki): k = objects.RSAKey(ki) pkey, _ = crypto.generate_pair(key_object=k, key_size=2048) assert isinstance(pkey, bytes) assert len(pkey) > 0 assert k.id == ki assert k.key_size == 2048
def test_ecdh_external(curve, hazmat_curve):
key_object = objects.ECCKey(0xe0f1)
_, _ = optiga_ec.generate_pair(key_object, curve)
private_key = ec.generate_private_key(hazmat_curve, default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
_ = optiga_ec.ecdh(key_object, peer_public_key, export=True)
def test_ecdh_faulty():
with pytest.raises(IOError):
key_object = objects.ECCKey(0xe0f1)
pkey, _ = optiga_ec.generate_pair(
key_object,
curve='secp384r1',
key_usage=['authentication', 'signature'])
# key agreement hasnt been selected, thus an error
optiga_ec.ecdh(key_object, pkey)
def test_ecdsa(oid, curve, max_sign_size, hashname):
key_object = objects.ECCKey(oid)
_, _ = crypto.generate_pair(key_object, curve=curve)
s = crypto.ecdsa_sign(key_object, tbs_str)
assert isinstance(s.signature, bytes)
assert len(s.signature) > 0
assert len(s.signature) <= max_sign_size
assert s.hash_alg == hashname
assert s.algorithm == hashname + '_ecdsa'
def test_hkdf(hash_alg, hazmat_curve, curve):
key = objects.ECCKey(0xe0f1)
_, _ = optiga_ec.generate_pair(key, curve=curve)
private_key = ec.generate_private_key(hazmat_curve, default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
optiga_ec.ecdh(key, peer_public_key)
ses = objects.AcquiredSession()
derived_key = optiga_ec.hkdf(ses, 32, hash_algorithm=hash_alg, export=True)
def test_hmac(hash_alg, hazmat_curve, curve):
key = objects.ECCKey(0xe0f1)
_, _ = optiga_ec.generate_pair(key, curve=curve)
private_key = ec.generate_private_key(hazmat_curve, default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
optiga_ec.ecdh(key, peer_public_key)
data = 'Hello world!'
ses = objects.AcquiredSession()
mac = optiga_ec.hmac(ses, str.encode(data), hash_algorithm=hash_alg)
def test_ecdh_verify():
key_object = objects.ECCKey(0xe0f1)
int_key_bytes, _ = optiga_ec.generate_pair(key_object, 'secp256r1')
private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
shared_secret = optiga_ec.ecdh(key_object, peer_public_key, export=True)
key = load_der_public_key(int_key_bytes, default_backend())
shared_secret_to_check = private_key.exchange(ec.ECDH(), key)
assert shared_secret == shared_secret_to_check
def test_csr_ecc(ki):
csr_key_obj = objects.ECCKey(0xe0f3)
pkey, _ = crypto.generate_pair(key_object=csr_key_obj, curve=ki)
builder = CSRBuilder(
{
'country_name': 'DE',
'state_or_province_name': 'Bayern',
'organization_name': 'Infineon Technologies AG',
'common_name': 'OPTIGA(TM) Trust IoT',
}, pkey)
builder.build(csr_key_obj)
def test_keypair_x_y_private_key_import(oid, curve):
key_object = objects.ECCKey(oid)
_, key = optiga_ec.generate_pair(key_object, curve=curve, export=True)
parsed_key = serialization.load_der_private_key(key, password=None, backend=default_backend())
assert isinstance(parsed_key, ec.EllipticCurvePrivateKey)
def test_keypair_1k(): k = objects.RSAKey(0xe0fc) pkey, _ = crypto.generate_pair(key_object=k, key_size=1024) assert isinstance(pkey, bytes) assert len(pkey) > 0 assert k.key_size == 1024
def test_meta_check_algorithm_ecc(curve):
obj = objects.ECCKey(0xe0f1)
crypto.generate_pair(key_object=obj, curve=curve)
assert curve == obj.meta['algorithm']
def test_keypair_default():
key_object = objects.ECCKey(0xe0f1)
pkey, _ = optiga_ec.generate_pair(key_object, curve='secp256r1')
assert isinstance(pkey, bytes)
assert len(pkey) > 0
assert key_object.meta['algorithm'] == 'secp256r1'
def test_meta_check_algorithm_rsa(key_size):
obj = objects.RSAKey(0xe0fc)
crypto.generate_pair(key_object=obj, key_size=key_size)
assert ('rsa' + str(key_size)) == obj.meta['algorithm']
def setup_keys_2k():
k1 = objects.RSAKey(0xe0fc)
k2 = objects.RSAKey(0xe0fd)
pytest.twok, _ = crypto.generate_pair(key_object=k1, key_size=2048)
pytest.twok_fail, _ = crypto.generate_pair(key_object=k2, key_size=2048)
return k1, k2
def test_keypair_x_y_public_key_import(oid, curve):
key_object = objects.ECCKey(oid)
pkey, _ = optiga_ec.generate_pair(key_object, curve=curve)
parsed_key = serialization.load_der_public_key(pkey, backend=default_backend())
assert isinstance(parsed_key, ec.EllipticCurvePublicKey)
def setup_keys_1k():
k1 = objects.RSAKey(0xe0fc)
k2 = objects.RSAKey(0xe0fd)
pytest.onek, _ = crypto.generate_pair(key_object=k1, key_size=1024)
pytest.onek_fail, _ = crypto.generate_pair(key_object=k2, key_size=1024)
return k1, k2
