def generate_hmac(self, expect_len, hmactype):
caps = CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC
hmackey = HmacKey.generate(self.session, 0, 'Generate HMAC', 1, caps,
hmactype)
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
self.assertEqual(len(resp), expect_len)
self.assertTrue(hmackey.verify_hmac(resp, data))
resp2 = hmackey.sign_hmac(data)
self.assertEqual(len(resp2), expect_len)
self.assertEqual(resp, resp2)
data = os.urandom(64)
resp2 = hmackey.sign_hmac(data)
self.assertEqual(len(resp2), expect_len)
self.assertNotEqual(resp, resp2)
self.assertTrue(hmackey.verify_hmac(resp2, data))
hmackey = HmacKey.generate(self.session, 0, 'Generate HMAC', 1, caps,
hmactype)
resp = hmackey.sign_hmac(data)
self.assertEqual(len(resp), expect_len)
self.assertNotEqual(resp, resp2)
self.assertTrue(hmackey.verify_hmac(resp, data))
hmackey.delete()
def test_generate_hmac(session, algorithm, expect_len):
caps = CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC
hmackey = HmacKey.generate(session, 0, "Generate HMAC", 1, caps, algorithm)
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
assert len(resp) == expect_len
assert hmackey.verify_hmac(resp, data)
resp2 = hmackey.sign_hmac(data)
assert len(resp2) == expect_len
assert resp == resp2
data = os.urandom(64)
resp2 = hmackey.sign_hmac(data)
assert len(resp2) == expect_len
assert resp != resp2
assert hmackey.verify_hmac(resp2, data)
hmackey = HmacKey.generate(session, 0, "Generate HMAC", 1, caps, algorithm)
resp = hmackey.sign_hmac(data)
assert len(resp) == expect_len
assert resp != resp2
assert hmackey.verify_hmac(resp, data)
hmackey.delete()
def test_full_log(session):
hmackey = HmacKey.generate(
session,
0,
"Test Full Log",
1,
CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC,
ALGORITHM.HMAC_SHA256,
)
for i in range(0, 30):
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
assert len(resp) == 32
assert hmackey.verify_hmac(resp, data)
boot, auth, logs = session.get_log_entries()
last_digest = logs[0].digest
for i in range(1, len(logs)):
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(logs[i].data)
digest.update(last_digest)
last_digest = digest.finalize()[:16]
assert last_digest == logs[i].digest
def key_in_list(self, keytype, algorithm=None):
dom = None
cap = 0
key_label = "%s%s" % (str(
uuid.uuid4()), b"\xf0\x9f\x98\x83".decode("utf8"))
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(self.session, 0, key_label, dom, cap,
algorithm, cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
self.session,
0,
key_label,
dom,
cap,
0,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
objlist = self.session.list_objects(object_id=key.id,
object_type=key.object_type)
self.assertEqual(objlist[0].id, key.id)
self.assertEqual(objlist[0].object_type, key.object_type)
objinfo = objlist[0].get_info()
self.assertEqual(objinfo.id, key.id)
self.assertEqual(objinfo.object_type, key.object_type)
self.assertEqual(objinfo.domains, dom)
self.assertEqual(objinfo.capabilities, cap)
if algorithm:
self.assertEqual(objinfo.algorithm, algorithm)
if key.object_type == OBJECT.AUTHENTICATION_KEY:
self.assertEqual(objinfo.origin, ORIGIN.IMPORTED)
else:
self.assertEqual(objinfo.origin, ORIGIN.GENERATED)
self.assertEqual(objinfo.label, key_label)
key.delete()
def key_in_list(self, session, keytype, algorithm=None):
dom = None
cap = CAPABILITY.NONE
key_label = "%s%s" % (str(uuid.uuid4()), b"\xf0\x9f\x98\x83".decode())
key: YhsmObject
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(session, 0, key_label, dom, cap, algorithm,
cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(session, 0, key_label, dom, cap, algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
session,
0,
key_label,
dom,
cap,
cap,
"password",
)
objlist = session.list_objects(object_id=key.id,
object_type=key.object_type)
assert objlist[0].id == key.id
assert objlist[0].object_type == key.object_type
objinfo = objlist[0].get_info()
assert objinfo.id == key.id
assert objinfo.object_type == key.object_type
assert objinfo.domains == dom
assert objinfo.capabilities == cap
if algorithm:
assert objinfo.algorithm == algorithm
if key.object_type == OBJECT.AUTHENTICATION_KEY:
assert objinfo.origin == ORIGIN.IMPORTED
else:
assert objinfo.origin == ORIGIN.GENERATED
assert objinfo.label == key_label
key.delete()
def test_wrong_chain(self):
hmackey = HmacKey.generate(
self.session, 0, 'Test Log hash chain', 1,
CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC,
ALGORITHM.HMAC_SHA256)
boot, auth, logs = self.session.get_log_entries()
last_line = logs.pop()
self.session.set_log_index(last_line.number)
hmackey.sign_hmac(b'hello')
hmackey.sign_hmac(b'hello')
hmackey.sign_hmac(b'hello')
with self.assertRaises(ValueError):
self.session.get_log_entries(logs.pop()) # Wrong number
wrong_line = last_line._replace(digest=os.urandom(16))
with self.assertRaises(YubiHsmInvalidResponseError):
self.session.get_log_entries(wrong_line)
def test_forced_log(hsm, session):
boot, auth, logs = session.get_log_entries()
last_line = logs.pop()
session.set_log_index(last_line.number)
session.set_force_audit(AUDIT.ON)
assert session.get_force_audit() == AUDIT.ON
hmackey = HmacKey.generate(
session,
0,
"Test Force Log",
1,
CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC,
ALGORITHM.HMAC_SHA256,
)
error = 0
for i in range(0, 32):
try:
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
assert len(resp) == 32
assert hmackey.verify_hmac(resp, data)
except YubiHsmDeviceError as e:
error = e.code
assert error == ERROR.LOG_FULL
device_info = hsm.get_device_info()
assert device_info.log_used == device_info.log_size
boot, auth, logs = session.get_log_entries(last_line)
last_line = logs.pop()
session.set_log_index(last_line.number)
session.set_force_audit(AUDIT.OFF)
assert session.get_force_audit() == AUDIT.OFF
for i in range(0, 32):
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
assert len(resp) == 32
assert hmackey.verify_hmac(resp, data)
def test_forced_log(self):
boot, auth, logs = self.session.get_log_entries()
last_line = logs.pop()
self.session.set_log_index(last_line.number)
self.session.set_force_audit(AUDIT.ON)
self.assertEqual(self.session.get_force_audit(), AUDIT.ON)
hmackey = HmacKey.generate(
self.session,
0,
"Test Force Log",
1,
CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC,
ALGORITHM.HMAC_SHA256,
)
error = 0
for i in range(0, 32):
try:
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
self.assertEqual(len(resp), 32)
self.assertTrue(hmackey.verify_hmac(resp, data))
except YubiHsmDeviceError as e:
error = e.code
self.assertEqual(error, ERROR.LOG_FULL)
device_info = self.hsm.get_device_info()
self.assertEqual(device_info.log_used, device_info.log_size)
boot, auth, logs = self.session.get_log_entries(last_line)
last_line = logs.pop()
self.session.set_log_index(last_line.number)
self.session.set_force_audit(AUDIT.OFF)
self.assertEqual(self.session.get_force_audit(), AUDIT.OFF)
for i in range(0, 32):
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
self.assertEqual(len(resp), 32)
self.assertTrue(hmackey.verify_hmac(resp, data))