Ejemplo n.º 1
    def test_derive_key_and_wrap(self, params):
        """
        Exercise CA_DeriveKeyAndWrap with an AES_KWP wrapping mechanism.

        Two AES keys are generated from the same default template: one is the
        base key handed to the derivation, the other is the wrapping key.
        CKM_SHA256_KEY_DERIVATION is passed as the derivation mechanism.

        :param params: parameters for the AES_KWP wrap mechanism
        """
        aes_template = get_default_key_template(CKM_AES_KEY_GEN)
        h_base_key = c_generate_key_ex(self.h_session, CKM_AES_KEY_GEN, aes_template)
        # The derived key gets its own copy of the template so the call cannot
        # share a dict with the two generate calls.
        template_for_derived = aes_template.copy()
        h_wrapping_key = c_generate_key_ex(self.h_session, CKM_AES_KEY_GEN, aes_template)

        wrapped_key = ca_derive_key_and_wrap_ex(
            self.h_session,
            CKM_SHA256_KEY_DERIVATION,
            h_base_key,
            template_for_derived,
            h_wrapping_key,
            {"mech_type": CKM_AES_KWP, "params": params},
        )

        # NOTE(review): only non-emptiness is asserted; the blob is never
        # unwrapped, so this does not show the wrapped material is usable.
        # NOTE(review): neither generated key is destroyed in this method -
        # confirm that fixture/session teardown removes them.
        assert wrapped_key, "CA_DeriveKeyAndWrap returned an empty buffer"
Ejemplo n.º 2
    def test_long_length_derive_key(self, key_type, d_type, valid_mechanisms):
        """
        Derive a key from a freshly generated base key and verify the
        attributes of the result.

        :param key_type: key generation mechanism
        :param d_type: derive mechanism
        :param valid_mechanisms: mechanisms accepted on the product under test;
            the test is skipped when ``key_type`` is not among them
        """
        base_template = get_session_template(get_default_key_template(key_type))
        if key_type not in valid_mechanisms:
            pytest.skip("Not a valid mechanism on this product")
        h_base_key = c_generate_key_ex(self.h_session, key_type, base_template)
        derive_mech = NullMech(d_type).to_c_mech()

        # NOTE(review): this copy (minus CKA_VALUE_LEN) is built but never
        # passed anywhere; the derive call and the attribute check below both
        # use the base template. Confirm which template was intended.
        derived_key_template = base_template.copy()
        del derived_key_template[CKA_VALUE_LEN]

        ret, h_derived_key = c_derive_key(
            self.h_session, h_base_key, base_template, mechanism=derive_mech)
        try:
            self.verify_ret(ret, CKR_OK)
            verify_object_attributes(self.h_session, h_derived_key, base_template)
        finally:
            # Remove whatever was created, even when verification failed.
            for handle in (h_base_key, h_derived_key):
                if handle:
                    c_destroy_object(self.h_session, handle)
Ejemplo n.º 3
    def test_too_long_length_derives(self, key_type, d_type, valid_mechanisms):
        """
        Check that deriving a key longer than the derivation function can
        produce is rejected with CKR_KEY_SIZE_RANGE.

        :param key_type: key generation mechanism
        :param d_type: derive mechanism
        :param valid_mechanisms: mechanisms accepted on the product under test;
            the test is skipped when ``key_type`` is not among them
        """
        if key_type not in valid_mechanisms:
            pytest.skip("Not a valid mechanism on this product")
        base_template = get_session_template(get_default_key_template(key_type))
        h_base_key = c_generate_key_ex(self.h_session, key_type, base_template)
        derive_mech = NullMech(d_type).to_c_mech()

        # NOTE(review): this copy (minus CKA_VALUE_LEN) is never used; the
        # derive call receives the base template. Confirm the intended template.
        derived_key_template = base_template.copy()
        del derived_key_template[CKA_VALUE_LEN]

        ret, h_derived_key = c_derive_key(
            self.h_session, h_base_key, base_template, mechanism=derive_mech)
        try:
            self.verify_ret(ret, CKR_KEY_SIZE_RANGE)
        finally:
            # A derived handle is destroyed too, in case the call did not
            # fail the way the test expects.
            for handle in (h_base_key, h_derived_key):
                if handle:
                    c_destroy_object(self.h_session, handle)
Ejemplo n.º 4
    def test_derive_key(self, key_type, d_type):
        """
        Derive a key with a parametrized hash mechanism and verify the
        attributes of the derived object.

        :param key_type: Key-gen mechanism
        :param d_type: Hash mech
        """
        base_template = get_default_key_template(key_type)
        h_base_key = c_generate_key_ex(self.h_session, key_type, base_template)
        derive_mech = NullMech(d_type).to_c_mech()

        # NOTE(review): this copy (minus CKA_VALUE_LEN) is never used; the
        # derive call and the attribute check both take the base template.
        derived_key_template = base_template.copy()
        del derived_key_template[CKA_VALUE_LEN]

        ret, h_derived_key = c_derive_key(
            self.h_session, h_base_key, base_template, mechanism=derive_mech)
        try:
            self.verify_ret(ret, CKR_OK)
            verify_object_attributes(self.h_session, h_derived_key, base_template)
        finally:
            # Destroy both objects whether or not the checks passed.
            for handle in (h_base_key, h_derived_key):
                if handle:
                    c_destroy_object(self.h_session, handle)
    def test_set_attribute_usage_limit_sym(self):
        """Check that CKA_USAGE_LIMIT can be set on a symmetric key object.

        Procedure:
          * generate a DES key
          * set CKA_USAGE_LIMIT to 5 with C_SetAttributeValue
          * read the attribute back with C_GetAttributeValue and compare
        """
        LOG.info(
            "Test: Verify that user is able to set CKA_USAGE_LIMIT attribute on \
                  an symmetric crypto object")

        expected_limit = 5

        # NOTE(review): the key is not destroyed in this method - confirm that
        # the template creates a session object or that teardown removes it.
        h_key = c_generate_key_ex(self.h_session,
                                  mechanism=CKM_DES_KEY_GEN,
                                  template=CKM_DES_KEY_GEN_TEMP)
        LOG.info("Called c-generate: Key handle -%s", h_key)

        c_set_attribute_value_ex(self.h_session, h_key,
                                 {CKA_USAGE_LIMIT: expected_limit})

        # A None value asks the library to fill in the attribute.
        reported = c_get_attribute_value_ex(
            self.h_session, h_key, template={CKA_USAGE_LIMIT: None})
        reported_limit = reported[CKA_USAGE_LIMIT]
        LOG.info("CKA_USAGE_LIMIT reported by C_GetAttributeValue :%s",
                 reported_limit)

        assert expected_limit == reported_limit, "reported USAGE LIMIT does not match"
Ejemplo n.º 6
def sym_key_params(request, auth_session, usage_set):
    """
    Yield a symmetric key whose CKA_USAGE_LIMIT was applied the way
    ``usage_set`` asks for.

    ``usage_set`` is a ``(usage_type, limit)`` pair and ``request.param`` a
    ``(key_gen, mechanism)`` pair. The limit is put in the generation template
    for "create", "both" and "create_then_use", and set afterwards with
    C_SetAttributeValue for "setattr", "both" and "create_then_use"; for
    "create_then_use" the key is used once for encryption in between.

    Yields ``SymParams(h_key, mechanism)``; the key is destroyed once the
    consumer is done with it, also when setup fails after generation.
    """
    in_template_modes = ("create", "both", "create_then_use")
    set_attr_modes = ("setattr", "both", "create_then_use")

    usage_type, limit = usage_set
    key_gen, mechanism = request.param
    limit_attrs = {CKA_USAGE_LIMIT: limit}

    template = get_session_template(get_default_key_template(key_gen))
    if usage_type in in_template_modes:
        template.update(limit_attrs)

    h_key = c_generate_key_ex(auth_session, mechanism=key_gen, template=template)
    try:
        if usage_type == "create_then_use":
            # One use before the limit is (re)applied through setattr.
            c_encrypt_ex(auth_session, h_key, b'a' * 2048,
                         mechanism={"mech_type": mechanism})
        if usage_type in set_attr_modes:
            c_set_attribute_value_ex(auth_session, h_key, limit_attrs)
        yield SymParams(h_key, mechanism)
    finally:
        c_destroy_object(auth_session, h_key)
    def test_set_attribute_usage_count_check_error_CKR_KEY_NOT_ACTIVE_3des(
            self):
        """Check that a key is refused with CKR_KEY_NOT_ACTIVE once it has been
        used more often than CKA_USAGE_LIMIT allows.

        Procedure:
          * generate a 3DES key
          * set CKA_USAGE_LIMIT to 2 with C_SetAttributeValue
          * encrypt with the 3DES key three times; the third call must fail
        """
        LOG.info(
            "Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE \
                  if user try to use crypto object more than limit set on CKA_USAGE_LIMIT"
        )

        # NOTE(review): the key is not destroyed in this method - confirm that
        # teardown removes it.
        h_key = c_generate_key_ex(self.h_session,
                                  mechanism=CKM_DES3_KEY_GEN,
                                  template=CKM_DES3_KEY_GEN_TEMP)
        LOG.info("Called c-generate: Key handle -" + str(h_key))

        c_set_attribute_value_ex(self.h_session, h_key, {CKA_USAGE_LIMIT: 2})

        # The first two uses stay within the limit.
        for _ in range(2):
            c_encrypt_ex(self.h_session,
                         h_key,
                         b'a' * 2048,
                         mechanism={"mech_type": CKM_DES3_ECB})

        # The third use goes through c_encrypt so the return code can be
        # inspected.
        return_val, data = c_encrypt(self.h_session,
                                     h_key,
                                     b'a' * 2048,
                                     mechanism={"mech_type": CKM_DES3_ECB})
        LOG.info("Called C_Encrypt, return code: %s", return_val)

        # CKA_USAGE_COUNT is read back for the log only; it is not asserted.
        count_attrs = c_get_attribute_value_ex(
            self.h_session, h_key, template={CKA_USAGE_COUNT: None})
        reported_count = count_attrs[CKA_USAGE_COUNT]
        LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
                 reported_count)

        assert return_val == CKR_KEY_NOT_ACTIVE, "reported error code does not match"
Ejemplo n.º 8
    def test_modifyusagecount(self, command_type):
        """Call CA_ModifyUsageCount on a fresh DES key and expect CKR_OK.

        :param command_type: command passed through to ``ca_modifyusagecount``
        """
        session_template = get_session_template(CKM_DES_KEY_GEN_TEMP)
        h_key = c_generate_key_ex(self.h_session, CKM_DES_KEY_GEN, session_template)
        try:
            # The trailing 0 is the last positional argument of the call;
            # presumably the count value - verify against the binding.
            ret = ca_modifyusagecount(self.h_session, h_key, command_type, 0)
            assert ret == CKR_OK, (
                "Return code should be " + ret_vals_dictionary[CKR_OK]
                + " not " + ret_vals_dictionary[ret])
        finally:
            # The key is removed whether or not the call succeeded.
            c_destroy_object(self.h_session, h_key)
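    def test_usage_limit_attribute_check_sym_des(self):
        """Check that CKA_USAGE_COUNT increments as a symmetric key is used.

        Procedure:
          * generate a DES key
          * set CKA_USAGE_LIMIT to 2 with C_SetAttributeValue
          * encrypt with the DES key twice
          * read CKA_USAGE_COUNT with C_GetAttributeValue and expect 2
        """
        LOG.info(
            "Test: Verify that CKA_USAGE_COUNT attribute increments as user \
                  use the symmetric crypto object")

        expected_count = 2

        # NOTE(review): the key is not destroyed in this method - confirm that
        # teardown removes it.
        h_key = c_generate_key_ex(self.h_session,
                                  mechanism=CKM_DES_KEY_GEN,
                                  template=CKM_DES_KEY_GEN_TEMP)
        LOG.info("Called c-generate: Key handle -%s", h_key)

        c_set_attribute_value_ex(self.h_session, h_key, {CKA_USAGE_LIMIT: 2})

        # Use the key exactly as many times as the count we expect to read.
        for _ in range(expected_count):
            c_encrypt_ex(self.h_session,
                         h_key,
                         b'a' * 2048,
                         mechanism={"mech_type": CKM_DES_ECB})

        count_attrs = c_get_attribute_value_ex(
            self.h_session, h_key, template={CKA_USAGE_COUNT: None})
        reported_count = count_attrs[CKA_USAGE_COUNT]
        LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
                 reported_count)

        # The failure message names the attribute that is actually compared
        # (it used to say USAGE LIMIT).
        assert expected_count == reported_count, "reported USAGE COUNT does not match"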
Ejemplo n.º 10
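def generate_keys(password, kek_plain_text):
    '''
    Generate an AES key on the HSM and return its handle.

    password - string CryptoOfficer role password
    kek_plain_text - kek label (stored UTF-8 encoded in CKA_LABEL)

    Logout, session close and library finalize run in ``finally`` blocks, so
    an exception during login or key generation does not leave a logged-in
    session or an initialized library behind.

    NOTE(review): the handle is returned after the session has been closed;
    it is only meaningful if CKM_AES_KEY_GEN_TEMP creates a token object -
    confirm against the template.
    '''

    # HSM slot id for HA
    slot_id = 5

    # Label a private copy: writing into the shared CKM_AES_KEY_GEN_TEMP would
    # leak this label into every later user of the default template.
    key_template = dict(CKM_AES_KEY_GEN_TEMP)
    key_template[CKA_LABEL] = bytes(kek_plain_text, 'utf-8')

    c_initialize_ex()
    try:
        auth_session = c_open_session_ex(slot_id)
        try:
            login_ex(auth_session, slot_id, password)
            try:
                key_handle = c_generate_key_ex(auth_session, CKM_AES_KEY_GEN,
                                               key_template)
            finally:
                # Only reached after a successful login.
                c_logout_ex(auth_session)
        finally:
            c_close_session_ex(auth_session)
    finally:
        c_finalize_ex()

    return key_handle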
Ejemplo n.º 11
    def test_symmetric_key_expiry_des(self):
        """Verify that a symmetric key cannot be used after its CKA_END_DATE.

        Procedure:
          1. Generate a DES key with CKA_END_DATE set to 2013-12-31.
          2. Use the key in an encrypt operation.
          3. Log in on the admin slot as the audit user and set the HSM time
             to 2014-01-31.
          4. Log in as CKU_USER and encrypt again, expecting
             CKR_KEY_NOT_ACTIVE.

        NOTE(review): the HSM clock is not set back afterwards, the key is
        created with CKA_TOKEN True and never destroyed, and the final
        logout/close are skipped when the assertion fails - a failing or
        passing run leaves state on the device.
        """

        logger.info(
            "Test: Verify that user is not able to use the symmetric object after date "
            "specified in \
                    CKA_END_DATE attribute")

        # Expiry date for the key, as byte-string date components.
        end_d = {'year': b"2013", 'month': b"12", 'day': b"31"}

        CKM_KEY_GEN_TEMP = {
            CKA_CLASS: CKO_SECRET_KEY,
            CKA_KEY_TYPE: CKK_DES,
            CKA_TOKEN: True,
            CKA_SENSITIVE: True,
            CKA_PRIVATE: True,
            CKA_ENCRYPT: True,
            CKA_DECRYPT: True,
            CKA_SIGN: True,
            CKA_VERIFY: True,
            CKA_WRAP: True,
            CKA_UNWRAP: True,
            CKA_DERIVE: True,
            CKA_VALUE_LEN: 8,
            CKA_EXTRACTABLE: True,
            CKA_LABEL: b"DES Key",
            CKA_END_DATE: end_d
        }

        h_key = c_generate_key_ex(self.h_session,
                                  flavor=CKM_DES_KEY_GEN,
                                  template=CKM_KEY_GEN_TEMP)
        logger.info("Called c-generate: Key handle -" + str(h_key))

        # First use of the key, before the clock is moved.
        # NOTE(review): the argument order here (session, mechanism, key,
        # data) differs from the c_encrypt call at the end of this test
        # (session, key, data, mechanism) - confirm both against the binding.
        c_encrypt_ex(self.h_session, CKM_DES_ECB, h_key, b"a" * 512)

        c_logout_ex(self.h_session)
        c_close_session_ex(self.h_session)

        # Changing the HSM time is done from an audit session on the admin slot.
        ca_init_audit_ex(self.admin_slot, AUDITOR_PASSWORD, AUDITOR_LABEL)

        h_session2 = c_open_session_ex(slot_num=self.admin_slot,
                                       flags=(CKF_SERIAL_SESSION
                                              | CKF_AUDIT_SESSION))
        login_ex(h_session2, self.admin_slot, AUDITOR_PASSWORD, CKU_AUDIT)

        # 2014-01-31 as whole seconds since the Unix epoch, i.e. one month
        # past the key's end date.
        dt = datetime(2014, 1, 31)
        epoch = datetime.utcfromtimestamp(0)
        delta = dt - epoch
        hsm_dt = delta.total_seconds()
        hsm_new_date = int(hsm_dt)

        ca_time_sync_ex(h_session2, hsm_new_date)

        # Read back but not checked: hsm_time is unused below.
        hsm_time = ca_get_time_ex(h_session2)

        c_logout_ex(h_session2)
        c_close_session_ex(h_session2)

        # Back to a normal user session for the second encrypt attempt.
        h_session = c_open_session_ex(slot_num=self.admin_slot)
        login_ex(h_session, self.admin_slot, CO_PASSWORD, CKU_USER)

        # NOTE(review): the whole return value is compared with the return
        # code; confirm c_encrypt returns a bare code in this API version.
        return_val = c_encrypt(h_session, h_key,
                               b"This is some data to sign ..   ", CKM_DES_ECB)

        assert return_val == CKR_KEY_NOT_ACTIVE, "return value should be CKR_KEY_NOT_ACTIVE"
        c_logout_ex(h_session)
        c_close_session_ex(h_session)