def test_asym_encrypt_decrypt(self, m_type, params, asym_keys,
auth_session, valid_mechanisms):
"""
test encryption decryption calls of asym. crypto's
:param m_type: mechanism flavor
:param params: extra params
:param asym_keys: key fixture
:param auth_session:
"""
if asym_keys.get(ASYM_TABLE[m_type]) is None:
pytest.skip("No valid key found for {}".format(
MECHANISM_LOOKUP_EXT[m_type][0]))
expected_retcode = ret_val(m_type, RAW, valid_mechanisms)
pub_key, prv_key = asym_keys[ASYM_TABLE[m_type]]
mech = {"mech_type": m_type, "params": params}
ret, decrypt_this = c_encrypt(auth_session,
pub_key,
RAW,
mechanism=mech)
self.verify_ret(ret, expected_retcode)
if expected_retcode == CKR_OK:
ret, decrypted_data = c_decrypt(auth_session,
prv_key,
decrypt_this,
mechanism=mech)
self.verify_ret(ret, expected_retcode)
self.verify_data(RAW, decrypted_data.replace(b"\x00", b""))
def test_sym_encrypt_decrypt(self, m_type, params, data, sym_keys,
auth_session, valid_mechanisms):
"""
test encryption decryption calls of sym. crypto's
:param m_type: mechanism flavor
:param params: extra params
:param data: testing data
:param sym_keys: key fixture
:param auth_session:
"""
# Auto-fail when key-generation fails
if sym_keys.get(SYM_TABLE[m_type]) is None:
pytest.skip("No valid key found for {}".format(
MECHANISM_LOOKUP_EXT[m_type][0]))
exp_ret = ret_val(m_type, data, valid_mechanisms)
h_key = sym_keys[SYM_TABLE[m_type]]
# AES_GCM Requires smaller data sizes.
if m_type == CKM_AES_GCM and data == PAD:
data = b"a" * 0xff0
mech = {"mech_type": m_type, "params": params}
ret, encrypted = c_encrypt(auth_session, h_key, data, mechanism=mech)
self.verify_ret(ret, exp_ret)
# If not expecting error, proceed with testing
if exp_ret in (CKR_OK, KEY_SIZE_RANGE):
ret, end_data = c_decrypt(auth_session,
h_key,
encrypted,
mechanism=mech)
self.verify_ret(ret, exp_ret)
self.verify_data(data, end_data)
def test_encrypt_wrap_unwrap_decrypt_key(self, mech, k_type, keys):
"""
Test that encrypt/decrypt works with wrapped keys
:param mech: encryption mech
:param k_type: key gen mech
:param keys: keys fixture
"""
unwrap_temp = self.generate_unwrap_temp(k_type)
h_key, h_wrap_key = keys[k_type]
extra_p = EXTRA_PARAM[mech]
if h_key is None or h_wrap_key is None:
pytest.skip("No valid key found for {}".format(LOOKUP[mech][0]))
# Encrypt some data
data_to_encrypt = b"a" * 512
enc_mech = {"mech_type": mech}
ret, encrypted_data = c_encrypt(self.h_session,
h_key,
data_to_encrypt,
mechanism=enc_mech)
self.verify_ret(ret, CKR_OK)
# Wrap the key
wrap_mech = {"mech_type": mech, "params": extra_p}
ret, wrapped_key = c_wrap_key(self.h_session,
h_wrap_key,
h_key,
mechanism=wrap_mech)
self.verify_ret(ret, CKR_OK)
h_unwrapped_key = None
try:
# Unwrap the Key
ret, h_unwrapped_key = c_unwrap_key(self.h_session,
h_wrap_key,
wrapped_key,
unwrap_temp,
mechanism=wrap_mech)
self.verify_ret(ret, CKR_OK)
# Decrypt the data
ret, decrypted_string = c_decrypt(self.h_session,
h_unwrapped_key,
encrypted_data,
mechanism=enc_mech)
self.verify_ret(ret, CKR_OK)
assert decrypted_string == data_to_encrypt, \
"The decrypted data should be the same as the data that was encrypted. " \
"Instead found " + str(decrypted_string)
finally:
if h_unwrapped_key != None:
c_destroy_object(self.h_session, h_unwrapped_key)
def test_multi_sym_encrypt_decrypt(self, m_type, params, data, sym_keys,
auth_session, valid_mechanisms):
"""
test encryption decryption calls of sym. crypto's
:param m_type: mechanism flavor
:param params: extra params
:param data: testing data
:param sym_keys: key fixture
:param auth_session:
"""
# Auto-fail when key-generation is fails
if sym_keys.get(SYM_TABLE[m_type]) is None:
pytest.skip("No valid key found for {}".format(
MECHANISM_LOOKUP_EXT[m_type][0]))
exp_ret = ret_val(m_type, data, valid_mechanisms)
h_key = sym_keys[SYM_TABLE[m_type]]
encrypt_this = data
mech = {"mech_type": m_type, "params": params}
ret, encrypted = c_encrypt(
auth_session,
h_key,
encrypt_this,
mechanism=mech,
output_buffer=[0xffff, 0xffff, 0xffff, 0xffff])
self.verify_ret(ret, exp_ret)
# If not expecting error, proceed with testing
if exp_ret in (CKR_OK, KEY_SIZE_RANGE):
ret, end_data = c_decrypt(auth_session,
h_key,
encrypted,
mechanism=mech)
self.verify_ret(ret, exp_ret)
if m_type in PADDING_ALGORITHMS:
end_data = end_data.rstrip(b"\x00")
self.verify_data(b"".join(encrypt_this), end_data)
def test_x9_key_derive(self, auth_session, curve_type):
"""
Test we can do X9 key derivation
"""
derived_key2 = derived_key1 = pub_key1 = pub_key2 = prv_key2 = prv_key1 = None
derived_template = {
CKA_CLASS: CKO_SECRET_KEY,
CKA_KEY_TYPE: CKK_AES,
CKA_ENCRYPT: True,
CKA_DECRYPT: True,
CKA_PRIVATE: True,
CKA_SENSITIVE: True,
CKA_VALUE_LEN: 16
}
pub_temp, priv_temp = (CKM_ECDH_KEY_PAIR_GEN_PUBTEMP,
CKM_ECDH_KEY_PAIR_GEN_PRIVTEMP)
priv_temp = get_session_template(priv_temp)
pub_temp = get_session_template(pub_temp)
pub_temp[CKA_ECDSA_PARAMS] = curve_list[curve_type]
ret, pub_key1, prv_key1 = c_generate_key_pair(auth_session,
CKM_ECDSA_KEY_PAIR_GEN,
pbkey_template=pub_temp,
prkey_template=priv_temp)
self.verify_ret(ret, CKR_OK)
try:
ret, pub_key2, prv_key2 = c_generate_key_pair(auth_session,
CKM_ECDSA_KEY_PAIR_GEN,
pbkey_template=pub_temp,
prkey_template=priv_temp)
self.verify_ret(ret, CKR_OK)
ret, pub_key1_raw_ = c_get_attribute_value(auth_session,
pub_key1,
{CKA_EC_POINT: None})
pub_key1_raw = pub_key1_raw_[CKA_EC_POINT]
self.verify_ret(ret, CKR_OK)
ret, pub_key2_raw_ = c_get_attribute_value(auth_session,
pub_key2,
{CKA_EC_POINT: None})
pub_key2_raw = pub_key2_raw_[CKA_EC_POINT]
self.verify_ret(ret, CKR_OK)
ret, derived_key1 = c_derive_key(auth_session,
h_base_key=prv_key2,
template=derived_template,
mechanism={"mech_type": CKM_ECDH1_DERIVE,
"params": {"kdf": CKD_NULL,
"sharedData": None,
"publicData": pub_key1_raw}})
self.verify_ret(ret, CKR_OK)
ret, derived_key2 = c_derive_key(auth_session,
h_base_key=prv_key1,
template=derived_template,
mechanism={"mech_type": CKM_ECDH1_DERIVE,
"params": {"kdf": CKD_NULL,
"sharedData": None,
"publicData": pub_key2_raw}})
self.verify_ret(ret, CKR_OK)
ret, cipher_data = c_encrypt(auth_session,
derived_key1,
data=DATA,
mechanism=CKM_AES_ECB)
self.verify_ret(ret, CKR_OK)
ret, restored_text = c_decrypt(auth_session,
derived_key2,
cipher_data,
mechanism=CKM_AES_ECB)
self.verify_ret(ret, CKR_OK)
assert DATA == restored_text.rstrip(b'\x00')
finally:
for key in (pub_key1, prv_key1, pub_key2, prv_key2, derived_key1, derived_key2):
if key:
c_destroy_object(auth_session, key)