def test_01_default_security_module(self):
    """Set up the default security module from the unencrypted key file.

    The module is built from the ``PI_ENCFILE`` setting, ``setup_module``
    is called with the same parameters, and the module is then expected
    to expose a key file and to report itself ready.
    """
    key_file = current_app.config.get("PI_ENCFILE")
    sec_module = DefaultSecurityModule({"file": key_file})
    sec_module.setup_module({"file": key_file})
    self.assertTrue(sec_module is not None, sec_module)
    self.assertTrue(sec_module.secFile is not None, sec_module.secFile)
    # No "crypted" flag was passed, so no password step is needed here.
    self.assertTrue(sec_module.is_ready)
 def test_04_random(self):
     """Check that random() works on a module that is not ready.

     The module is created with ``"crypted": True`` and never given a
     password. ``random(20)`` must still return 20 items, and the module
     must still report that it is not ready afterwards.
     """
     key_file = current_app.config.get("PI_ENCFILE")
     sec_module = DefaultSecurityModule({"file": key_file, "crypted": True})
     random_data = sec_module.random(20)
     self.assertTrue(len(random_data) == 20, random_data)
     # Drawing random data must not unlock the module as a side effect.
     self.assertFalse(sec_module.is_ready)
    def test_07_encrypted_key_file(self):
        """Exercise a password-protected key file before and after unlocking.

        A module created with ``"crypted": True`` starts out not ready.
        While it is not ready, ``setup_module`` without a password,
        ``encrypt`` and ``decrypt`` are all expected to raise. After
        ``setup_module`` with the password the module is ready, holds the
        slots 0, 1 and 2, and rejects slot 4.

        NOTE(review): every check uses ``Exception``, the broadest match, so
        an unrelated error (for example a wrong call signature) would also
        satisfy it. Narrow it to the module's own error type if one exists.
        """
        enc_key_file = current_app.config.get("PI_ENCFILE_ENC")
        sec_module = DefaultSecurityModule({"file": enc_key_file,
                                            "crypted": True})
        setup = sec_module.setup_module

        # The key file is encrypted and no password was given yet.
        self.assertFalse(sec_module.is_ready)

        # Setting up the module without a "password" entry must fail.
        with self.assertRaises(Exception):
            setup({})

        # A locked module must refuse both directions.
        for operation in (sec_module.encrypt, sec_module.decrypt):
            with self.assertRaises(Exception):
                operation("data", "iv")

        # A wrong password must make the setup fail.
        # NOTE(review): this literal and the one below both read "******" in
        # this listing and look masked; the call here needs a wrong password
        # and the next call the correct one.
        with self.assertRaises(Exception):
            setup({"password": "******"})

        # The correct password unlocks the module.
        setup({"password": "******"})
        self.assertTrue(sec_module.is_ready)
        for slot in (0, 1, 2):
            self.assertTrue(slot in sec_module.secrets, sec_module.secrets)

        # Slot 4 is outside the slots 0..2 checked above and must be rejected.
        get_secret = sec_module._get_secret
        with self.assertRaises(Exception):
            get_secret(4)

        # Asking twice for the same slot; the original comment says the
        # second call is served from the cache. Only truthiness is checked.
        self.assertTrue(get_secret(2))
        self.assertTrue(get_secret(2))
    def test_07_encrypted_key_file(self):
        """Exercise a password-protected key file before and after unlocking.

        A module created with ``"crypted": True`` starts out not ready.
        While it is not ready, ``setup_module`` without a password,
        ``encrypt`` and ``decrypt`` are all expected to raise. After
        ``setup_module`` with the password the module is ready, holds the
        slots 0, 1 and 2, and rejects slot 4.

        NOTE(review): every check uses ``Exception``, the broadest match, so
        an unrelated error (for example a wrong call signature) would also
        satisfy it. Narrow it to the module's own error type if one exists.
        """
        enc_key_file = current_app.config.get("PI_ENCFILE_ENC")
        sec_module = DefaultSecurityModule({"file": enc_key_file,
                                            "crypted": True})
        setup = sec_module.setup_module

        # The key file is encrypted and no password was given yet.
        self.assertFalse(sec_module.is_ready)

        # Setting up the module without a "password" entry must fail.
        with self.assertRaises(Exception):
            setup({})

        # A locked module must refuse both directions.
        for operation in (sec_module.encrypt, sec_module.decrypt):
            with self.assertRaises(Exception):
                operation("data", "iv")

        # A wrong password must make the setup fail.
        # NOTE(review): this literal and the one below both read "******" in
        # this listing and look masked; the call here needs a wrong password
        # and the next call the correct one.
        with self.assertRaises(Exception):
            setup({"password": "******"})

        # The correct password unlocks the module.
        setup({"password": "******"})
        self.assertTrue(sec_module.is_ready)
        for slot in (0, 1, 2):
            self.assertTrue(slot in sec_module.secrets, sec_module.secrets)

        # Slot 4 is outside the slots 0..2 checked above and must be rejected.
        get_secret = sec_module._get_secret
        with self.assertRaises(Exception):
            get_secret(4)

        # Asking twice for the same slot; the original comment says the
        # second call is served from the cache. Only truthiness is checked.
        self.assertTrue(get_secret(2))
        self.assertTrue(get_secret(2))
 def test_04_random(self):
     """Check that random() works on a module that is not ready.

     The module is created with ``"crypted": True`` and never given a
     password. ``random(20)`` must still return 20 items, and the module
     must still report that it is not ready afterwards.
     """
     key_file = current_app.config.get("PI_ENCFILE")
     sec_module = DefaultSecurityModule({"file": key_file, "crypted": True})
     random_data = sec_module.random(20)
     self.assertTrue(len(random_data) == 20, random_data)
     # Drawing random data must not unlock the module as a side effect.
     self.assertFalse(sec_module.is_ready)
 def test_01_default_security_module(self):
     """Set up the default security module from the unencrypted key file.

     The module is built from the ``PI_ENCFILE`` setting, ``setup_module``
     is called with the same parameters, and the module is then expected
     to expose a key file and to report itself ready.
     """
     key_file = current_app.config.get("PI_ENCFILE")
     sec_module = DefaultSecurityModule({"file": key_file})
     sec_module.setup_module({"file": key_file})
     self.assertTrue(sec_module is not None, sec_module)
     self.assertTrue(sec_module.secFile is not None, sec_module.secFile)
     # No "crypted" flag was passed, so no password step is needed here.
     self.assertTrue(sec_module.is_ready)
    def test_06_password_encrypt_decrypt(self):
        """Round-trip data through password_encrypt and password_decrypt.

        A short text is encrypted with a password; only the length of the
        result is compared with a sample value (32 hex characters, a colon,
        64 hex characters), then the text is decrypted again. The same
        round trip is repeated with 96 random bytes, the size used for the
        encryption key, under two different passwords.
        """
        sample_output = ("80f1833450a74224c32d03fe4161735c"
                         ":c1944e8c0982d5c35992a9b25abad18a2"
                         "8cac15585ed2fbab05bd2b1ea2cc44b")
        encrypted = DefaultSecurityModule.password_encrypt("secrettext",
                                                           "password1")
        # Only the length is pinned, not the content of the result.
        self.assertTrue(len(encrypted) == len(sample_output), encrypted)

        decrypted = DefaultSecurityModule.password_decrypt(encrypted,
                                                           "password1")
        self.assertTrue(decrypted == b"secrettext", decrypted)

        # Encrypt and decrypt binary data like the enckey, once with a
        # password containing spaces and once with one that has none.
        for passphrase in ("top secret !!!", "topSecret123!"):
            enckey = geturandom(96)
            cipher = DefaultSecurityModule.password_encrypt(enckey, passphrase)
            clear = DefaultSecurityModule.password_decrypt(cipher, passphrase)
            self.assertTrue(enckey == clear, (enckey, clear))
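    def test_05_encrypt_decrypt(self):
        """Round-trip data, a PIN and a password through the security module.

        Besides the round trip, every ciphertext is checked to differ from
        its plaintext. A round trip alone would also pass for an
        implementation that returns its input unchanged.
        """
        config = current_app.config
        hsm = DefaultSecurityModule({"file": config.get("PI_ENCFILE")})

        # The IV is a fixed 16-byte test value so the round trip is
        # repeatable. Outside of tests an IV should be fresh per encryption.
        iv = b"iv12345678901234"
        cipher = hsm.encrypt(b"data", iv)
        self.assertNotEqual(cipher, b"data")
        text = hsm.decrypt(cipher, iv)
        self.assertEqual(text, b"data")

        cipher = hsm.encrypt_pin(u"pin")
        self.assertNotEqual(cipher, u"pin")
        text = hsm.decrypt_pin(cipher)
        self.assertEqual(text, u"pin")

        cipher = hsm.encrypt_password(u"password")
        self.assertNotEqual(cipher, u"password")
        text = hsm.decrypt_password(cipher)
        self.assertEqual(text, u"password")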
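    def test_05_encrypt_decrypt(self):
        """Round-trip the same value through encrypt, encrypt_pin and
        encrypt_password.

        Besides the round trip, every ciphertext is checked to differ from
        its plaintext. A round trip alone would also pass for an
        implementation that returns its input unchanged. ``assertEqual``
        replaces ``assertTrue(a == b)`` so that a failure reports both values.
        """
        config = current_app.config
        hsm = DefaultSecurityModule({"file": config.get("PI_ENCFILE")})
        plaintext = "data"

        # The IV is a fixed 16-character test value so the round trip is
        # repeatable. Outside of tests an IV should be fresh per encryption.
        iv = "iv12345678901234"
        cipher = hsm.encrypt(plaintext, iv)
        self.assertNotEqual(cipher, plaintext)
        text = hsm.decrypt(cipher, iv)
        self.assertEqual(text, plaintext)

        cipher = hsm.encrypt_pin(plaintext)
        self.assertNotEqual(cipher, plaintext)
        text = hsm.decrypt_pin(cipher)
        self.assertEqual(text, plaintext)

        cipher = hsm.encrypt_password(plaintext)
        self.assertNotEqual(cipher, plaintext)
        text = hsm.decrypt_password(cipher)
        self.assertEqual(text, plaintext)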
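def create_enckey():
    """
    If the key of the given configuration does not exist, it will be created.

    The file named by the ``PI_ENCFILE`` setting is never overwritten: if it
    is already present, a notice is printed and the process exits with
    status 1. Otherwise 96 random bytes are written to a new file.

    The file is created exclusively and with mode 0400 in a single step.
    That way the key is never on disk with the wider default permissions,
    and a file that appears between the existence check and the creation is
    not written to.

    :raises OSError: if the file cannot be created, for example because it
        came into existence after the check
    """
    # Blank line before the messages. The parenthesised single-argument form
    # prints the same under the print statement and the print function.
    print("")
    filename = app.config.get("PI_ENCFILE")
    if os.path.isfile(filename):
        print("The file \n\t%s\nalready exist. We do not overwrite it!" %
              filename)
        sys.exit(1)
    # O_EXCL refuses an existing path; O_BINARY exists only on Windows and
    # keeps the key bytes from being newline-translated there.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(filename, flags, 0o400)
    # The descriptor was opened for writing, so the read-only mode of the
    # new file does not get in the way of this one write.
    with os.fdopen(fd, "wb") as f:
        f.write(DefaultSecurityModule.random(96))
    print("Encryption key written to %s" % filename)
    # Still relevant: the file belongs to whoever ran this command, which
    # may not be the user the application runs as.
    print("Please ensure to set the access rights for the correct user to 400!")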
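    def test_05_encrypt_decrypt(self):
        """Round-trip the same value through encrypt, encrypt_pin and
        encrypt_password.

        Besides the round trip, every ciphertext is checked to differ from
        its plaintext. A round trip alone would also pass for an
        implementation that returns its input unchanged. ``assertEqual``
        replaces ``assertTrue(a == b)`` so that a failure reports both values.
        """
        config = current_app.config
        hsm = DefaultSecurityModule({"file": config.get("PI_ENCFILE")})
        plaintext = "data"

        # The IV is a fixed 16-character test value so the round trip is
        # repeatable. Outside of tests an IV should be fresh per encryption.
        iv = "iv12345678901234"
        cipher = hsm.encrypt(plaintext, iv)
        self.assertNotEqual(cipher, plaintext)
        text = hsm.decrypt(cipher, iv)
        self.assertEqual(text, plaintext)

        cipher = hsm.encrypt_pin(plaintext)
        self.assertNotEqual(cipher, plaintext)
        text = hsm.decrypt_pin(cipher)
        self.assertEqual(text, plaintext)

        cipher = hsm.encrypt_password(plaintext)
        self.assertNotEqual(cipher, plaintext)
        text = hsm.decrypt_password(cipher)
        self.assertEqual(text, plaintext)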
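    def test_05_encrypt_decrypt(self):
        """Round-trip data, a PIN and a password through the security module.

        Besides the round trip, every ciphertext is checked to differ from
        its plaintext. A round trip alone would also pass for an
        implementation that returns its input unchanged.
        """
        config = current_app.config
        hsm = DefaultSecurityModule({"file": config.get("PI_ENCFILE")})

        # The IV is a fixed 16-byte test value so the round trip is
        # repeatable. Outside of tests an IV should be fresh per encryption.
        iv = b"iv12345678901234"
        cipher = hsm.encrypt(b"data", iv)
        self.assertNotEqual(cipher, b"data")
        text = hsm.decrypt(cipher, iv)
        self.assertEqual(text, b"data")

        cipher = hsm.encrypt_pin(u"pin")
        self.assertNotEqual(cipher, u"pin")
        text = hsm.decrypt_pin(cipher)
        self.assertEqual(text, u"pin")

        cipher = hsm.encrypt_password(u"password")
        self.assertNotEqual(cipher, u"password")
        text = hsm.decrypt_password(cipher)
        self.assertEqual(text, u"password")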
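def encrypt_enckey(encfile):
    """
    You will be asked for a password and the encryption key in the specified
    file will be encrypted with an AES key derived from your password.

    The encryption key in the file is a 96 byte binary key.

    The password based encrypted encryption key is a hex combination of an IV
    and the encrypted data.

    The result can be piped to a new enckey file.

    :param encfile: path of the file holding the unencrypted encryption key
    """
    password = getpass()
    password2 = getpass(prompt='Confirm: ')
    if password != password2:
        import sys
        sys.exit('Error: passwords do not match.')
    # The key is binary, so read it in binary mode; the with block closes
    # the file even if the read fails.
    with open(encfile, "rb") as f:
        enckey = f.read()
    res = DefaultSecurityModule.password_encrypt(enckey, password)
    # When this output is redirected into the new key file, that file gets
    # the shell's default permissions; restrict them afterwards.
    # The parenthesised single-argument form prints the same under the
    # print statement and the print function.
    print(res)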
    def test_06_password_encrypt_decrypt(self):
        """Round-trip data through password_encrypt and password_decrypt.

        A short text is encrypted with a password; only the length of the
        result is compared with a sample value (32 hex characters, a colon,
        64 hex characters), then the text is decrypted again. The same
        round trip is repeated with 96 random bytes, the size used for the
        encryption key, under two different passwords.
        """
        sample_output = ("80f1833450a74224c32d03fe4161735c"
                         ":c1944e8c0982d5c35992a9b25abad18a2"
                         "8cac15585ed2fbab05bd2b1ea2cc44b")
        encrypted = DefaultSecurityModule.password_encrypt("secrettext",
                                                           "password1")
        # Only the length is pinned, not the content of the result.
        self.assertTrue(len(encrypted) == len(sample_output), encrypted)

        decrypted = DefaultSecurityModule.password_decrypt(encrypted,
                                                           "password1")
        self.assertTrue(decrypted == "secrettext", decrypted)

        # Encrypt and decrypt binary data like the enckey, once with a
        # password containing spaces and once with one that has none.
        for passphrase in ("top secret !!!", "topSecret123!"):
            enckey = geturandom(96)
            cipher = DefaultSecurityModule.password_encrypt(enckey, passphrase)
            clear = DefaultSecurityModule.password_decrypt(cipher, passphrase)
            self.assertTrue(enckey == clear, (enckey, clear))