def test_reset(self):
Opaque.put(self.session, 0, "Test opaque data", 1, 0, OBJECT.OPAQUE,
b"dummyobject")
self.session.reset_device()
self.hsm.close()
time.sleep(5) # Wait for device to reboot
self.connect_hsm() # Re-connect since device restarted.
self.session = self.hsm.create_session_derived(1, DEFAULT_KEY)
self.assertEqual(len(self.session.list_objects()), 1)
auth_key = self.session.get_object(1, OBJECT.AUTHENTICATION_KEY)
# Check details of default key
info = auth_key.get_info()
self.assertEqual(info.capabilities & CAPABILITY.ALL, CAPABILITY.ALL)
self.assertEqual(info.id, 1)
self.assertEqual(info.size, 40)
self.assertEqual(info.domains, 0xFFFF)
self.assertEqual(info.object_type, OBJECT.AUTHENTICATION_KEY)
self.assertEqual(info.algorithm,
ALGORITHM.AES128_YUBICO_AUTHENTICATION)
self.assertEqual(info.sequence, 0)
self.assertEqual(info.origin, ORIGIN.IMPORTED)
self.assertEqual(info.label, "DEFAULT AUTHKEY CHANGE THIS ASAP")
self.assertEqual(info.capabilities, info.delegated_capabilities)
def test_reset(hsm, session, connect_hsm):
Opaque.put(
session,
0,
"Test opaque data",
1,
CAPABILITY.NONE,
ALGORITHM.OPAQUE_DATA,
b"dummyobject",
)
session.reset_device()
hsm.close()
time.sleep(5) # Wait for device to reboot
with connect_hsm() as hsm: # Re-connect since device restarted.
with hsm.create_session_derived(1, DEFAULT_KEY) as session:
assert len(session.list_objects()) == 1
auth_key = session.get_object(1, OBJECT.AUTHENTICATION_KEY)
# Check details of default key
info = auth_key.get_info()
assert info.capabilities & CAPABILITY.ALL == CAPABILITY.ALL
assert info.id == 1
assert info.size == 40
assert info.domains == 0xFFFF
assert info.object_type == OBJECT.AUTHENTICATION_KEY
assert info.algorithm == ALGORITHM.AES128_YUBICO_AUTHENTICATION
assert info.sequence == 0
assert info.origin == ORIGIN.IMPORTED
assert info.label == "DEFAULT AUTHKEY CHANGE THIS ASAP"
assert info.capabilities == info.delegated_capabilities
def test_put_too_big(self):
with self.assertRaises(YubiHsmDeviceError) as cm:
Opaque.put(self.session, 0, 'Test large Opaque',
1, CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA,
os.urandom(1969))
self.assertEqual(cm.exception.code, ERROR.WRONG_LENGTH)
# Make sure our session is still working
self.assertEqual(len(self.session.get_pseudo_random(123)), 123)
def test_put_empty(self):
# Can't put an empty object
with self.assertRaises(ValueError):
Opaque.put(
self.session,
0,
"Test PUT empty Opaque",
1,
CAPABILITY.NONE,
ALGORITHM.OPAQUE_DATA,
b"",
)
def test_put_too_big(session):
with pytest.raises(YubiHsmInvalidRequestError):
Opaque.put(
session,
0,
"Test large Opaque",
1,
CAPABILITY.NONE,
ALGORITHM.OPAQUE_DATA,
os.urandom(1976),
)
# Make sure our session is still working
assert len(session.get_pseudo_random(123)) == 123
def test_import_wrap_overwrite(session):
key_label = "wrap key"
raw_key = os.urandom(24)
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque = Opaque.put(
session,
0,
"Test Opaque Object",
0xFFFF,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.OPAQUE_DATA,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
opaque_wrapped = w_key.export_wrapped(opaque)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
assert context.value.code == ERROR.OBJECT_EXISTS
opaque.delete()
opaque = w_key.import_wrapped(opaque_wrapped)
assert opaque.get() == b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
with pytest.raises(YubiHsmDeviceError) as context:
opaque = w_key.import_wrapped(opaque_wrapped)
assert context.value.code == ERROR.OBJECT_EXISTS
def test_import_wrap_overwrite(self):
key_label = "wrap key"
raw_key = os.urandom(24)
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque = Opaque.put(
self.session,
0,
"Test Opaque Object",
0xFFFF,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.OPAQUE_DATA,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
opaque_wrapped = w_key.export_wrapped(opaque)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
self.assertTrue("OBJECT_EXISTS" in str(context.exception))
opaque.delete()
opaque = w_key.import_wrapped(opaque_wrapped)
self.assertEqual(opaque.get(), b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa")
with self.assertRaises(YubiHsmDeviceError) as context:
opaque = w_key.import_wrapped(opaque_wrapped)
self.assertTrue("OBJECT_EXISTS" in str(context.exception))
def test_certificate(session):
private_key = ec.generate_private_key(
ALGORITHM.EC_P256.to_curve(), default_backend()
)
name = x509.Name(
[x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, u"Test Certificate")]
)
one_day = datetime.timedelta(1, 0, 0)
certificate = (
x509.CertificateBuilder()
.subject_name(name)
.issuer_name(name)
.not_valid_before(datetime.datetime.today() - one_day)
.not_valid_after(datetime.datetime.today() + one_day)
.serial_number(int(uuid.uuid4()))
.public_key(private_key.public_key())
.sign(private_key, hashes.SHA256(), default_backend())
)
certobj = Opaque.put_certificate(
session, 0, "Test certificate Opaque", 1, CAPABILITY.NONE, certificate
)
assert certificate == certobj.get_certificate()
certobj.delete()
def test_data(self):
for size in (1, 256, 1234, 1968):
data = os.urandom(size)
opaque = Opaque.put(self.session, 0, 'Test data Opaque', 1,
CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA, data)
self.assertEqual(data, opaque.get())
opaque.delete()
def test_opaque(hsm, session):
obj = Opaque.put(
session,
0,
"Test opaque data",
1,
CAPABILITY.NONE,
ALGORITHM.OPAQUE_DATA,
b"data",
)
_test_delete(hsm, session, obj, CAPABILITY.DELETE_OPAQUE)
def test_data(session):
for size in (1, 256, 1234, 1968):
data = os.urandom(size)
opaque = Opaque.put(
session,
0,
"Test data Opaque",
1,
CAPABILITY.NONE,
ALGORITHM.OPAQUE_DATA,
data,
)
assert data == opaque.get()
opaque.delete()
def test_import_wrap_permissions(session):
key_label = "wrap key"
raw_key = os.urandom(24)
opaque = Opaque.put(
session,
0,
"Test Opaque Object",
0xFFFF,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.OPAQUE_DATA,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.NONE,
raw_key,
)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS
w_key.delete()
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
w_key.id += 1
with pytest.raises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
assert context.value.code == ERROR.OBJECT_NOT_FOUND
w_key.id -= 1
w_key.delete()
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS
w_key.delete()
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque_wrapped = w_key.export_wrapped(opaque)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS
w_key.delete()
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.IMPORT_WRAPPED | CAPABILITY.EXPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque_wrapped = w_key.export_wrapped(opaque)
opaque.delete()
w_key.id += 1
with pytest.raises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
assert context.value.code == ERROR.OBJECT_NOT_FOUND
w_key.id -= 1
opaque = w_key.import_wrapped(opaque_wrapped)
assert opaque.get() == b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
def test_import_wrap_permissions(self):
key_label = "wrap key"
raw_key = os.urandom(24)
opaque = Opaque.put(
self.session,
0,
"Test Opaque Object",
0xFFFF,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.OPAQUE_DATA,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
0,
raw_key,
)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception))
w_key.delete()
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
w_key.id += 1
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
self.assertTrue("OBJECT_NOT_FOUND" in str(context.exception))
w_key.id -= 1
w_key.delete()
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception))
w_key.delete()
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque_wrapped = w_key.export_wrapped(opaque)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception))
w_key.delete()
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.IMPORT_WRAPPED | CAPABILITY.EXPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque_wrapped = w_key.export_wrapped(opaque)
opaque.delete()
w_key.id += 1
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
self.assertTrue("OBJECT_NOT_FOUND" in str(context.exception))
w_key.id -= 1
opaque = w_key.import_wrapped(opaque_wrapped)
self.assertEqual(opaque.get(), b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa")
def test_opaque(self):
obj = Opaque.put(self.session, 0, 'Test opaque data', 1, 0,
OBJECT.OPAQUE, b'data')
self._test_delete(obj, CAPABILITY.DELETE_OPAQUE)