def setKeyName(keyHandle, identityName, params):
"""
Set the key name in keyHandle according to identityName and params.
:param TpmKeyHandle keyHandle:
:param Name identityName:
:param KeyParams params:
"""
if params.getKeyIdType() == KeyIdType.USER_SPECIFIED:
keyId = params.getKeyId()
elif params.getKeyIdType() == KeyIdType.SHA256:
sha256 = hashes.Hash(hashes.SHA256(), backend=default_backend())
sha256.update(keyHandle.derivePublicKey().toBytes())
digest = sha256.finalize()
keyId = Name.Component(digest)
elif params.getKeyIdType() == KeyIdType.RANDOM:
if params.getKeyId().getValue().size() == 0:
raise TpmBackEnd.Error(
"setKeyName: The keyId is empty for type RANDOM")
keyId = params.getKeyId()
else:
raise TpmBackEnd.Error(
"setKeyName: unrecognized params.getKeyIdType()")
keyHandle.setKeyName(PibKey.constructKeyName(identityName, keyId))
def test_key_management(self):
for tpm in self.backEndList:
identityName = Name("/Test/KeyName")
keyId = Name.Component("1")
keyName = PibKey.constructKeyName(identityName, keyId)
# The key should not exist.
self.assertEquals(False, tpm.hasKey(keyName))
self.assertTrue(tpm.getKeyHandle(keyName) == None)
# Create a key, which should exist.
self.assertTrue(
tpm.createKey(identityName, RsaKeyParams(keyId)) != None)
self.assertTrue(tpm.hasKey(keyName))
self.assertTrue(tpm.getKeyHandle(keyName) != None)
# Create a key with the same name, which should throw an error.
try:
tpm.createKey(identityName, RsaKeyParams(keyId))
self.fail("Did not throw the expected exception")
except Tpm.Error:
pass
else:
self.fail("Did not throw the expected exception")
# Delete the key, then it should not exist.
tpm.deleteKey(keyName)
self.assertEquals(False, tpm.hasKey(keyName))
self.assertTrue(tpm.getKeyHandle(keyName) == None)
def test_key_management(self):
for tpm in self.backEndList:
identityName = Name("/Test/KeyName")
keyId = Name.Component("1")
keyName = PibKey.constructKeyName(identityName, keyId)
# The key should not exist.
self.assertEqual(False, tpm.hasKey(keyName))
self.assertTrue(tpm.getKeyHandle(keyName) == None)
# Create a key, which should exist.
self.assertTrue(
tpm.createKey(identityName, RsaKeyParams(keyId)) != None)
self.assertTrue(tpm.hasKey(keyName))
self.assertTrue(tpm.getKeyHandle(keyName) != None)
# Create a key with the same name, which should throw an error.
try:
tpm.createKey(identityName, RsaKeyParams(keyId))
self.fail("Did not throw the expected exception")
except Tpm.Error:
pass
else:
self.fail("Did not throw the expected exception")
# Delete the key, then it should not exist.
tpm.deleteKey(keyName)
self.assertEqual(False, tpm.hasKey(keyName))
self.assertTrue(tpm.getKeyHandle(keyName) == None)
def createKey(self, identityName, params):
"""
Create a key for the identityName according to params.
:param Name identityName: The name if the identity.
:param KeyParams params: The KeyParams for creating the key.
:return: The handle of the created key.
:rtype: TpmKeyHandle
:raises TpmBackEnd.Error: If the key cannot be created.
"""
# Do key name checking.
if params.getKeyIdType() == KeyIdType.USER_SPECIFIED:
# The keyId is pre-set.
keyName = PibKey.constructKeyName(identityName, params.getKeyId())
if self.hasKey(keyName):
raise Tpm.Error("Key `" + keyName.toUri() + "` already exists")
elif params.getKeyIdType() == KeyIdType.SHA256:
# The key name will be assigned in setKeyName after the key is generated.
pass
elif params.getKeyIdType() == KeyIdType.RANDOM:
random = bytearray(8)
while True:
for i in range(len(random)):
random[i] = _systemRandom.randint(0, 0xff)
keyId = Name.Component(Blob(random, False))
keyName = PibKey.constructKeyName(identityName, keyId)
if not self.hasKey(keyName):
# We got a unique one.
break
params.setKeyId(keyId)
else:
raise Tpm.Error("Unsupported key id type")
return self._doCreateKey(identityName, params)
def constructKeyName(identityName, params):
"""
Construct the key name according to identityName and params.
:param Name identityName:
:param KeyParams params:
"""
if params.getKeyIdType() == KeyIdType.USER_SPECIFIED:
keyId = params.getKeyId()
# We don't have the keyHandle, so we can't support KeyIdType.SHA256.
elif params.getKeyIdType() == KeyIdType.RANDOM:
if params.getKeyId().getValue().size() == 0:
raise TpmBackEnd.Error(
"setKeyName: The keyId is empty for type RANDOM")
keyId = params.getKeyId()
else:
raise TpmBackEnd.Error(
"setKeyName: unrecognized params.getKeyIdType()")
return PibKey.constructKeyName(identityName, keyId)
def test_basic(self):
fixture = self.fixture
pibImpl = PibMemory()
# Start with an empty container.
container = PibKeyContainer(fixture.id1, pibImpl)
self.assertEqual(0, container.size())
self.assertEqual(0, len(container._keys))
# Add the first key.
key11 = container.add(fixture.id1Key1.buf(), fixture.id1Key1Name)
self.assertTrue(fixture.id1Key1Name.equals(key11.getName()))
self.assertTrue(key11.getPublicKey().equals(fixture.id1Key1))
self.assertEqual(1, container.size())
self.assertEqual(1, len(container._keys))
self.assertTrue(fixture.id1Key1Name in container._keys)
# Add the same key again.
key12 = container.add(fixture.id1Key1.buf(), fixture.id1Key1Name)
self.assertTrue(fixture.id1Key1Name.equals(key12.getName()))
self.assertTrue(key12.getPublicKey().equals(fixture.id1Key1))
self.assertEqual(1, container.size())
self.assertEqual(1, len(container._keys))
self.assertTrue(fixture.id1Key1Name in container._keys)
# Add the second key.
key21 = container.add(fixture.id1Key2.buf(), fixture.id1Key2Name)
self.assertTrue(fixture.id1Key2Name.equals(key21.getName()))
self.assertTrue(key21.getPublicKey().equals(fixture.id1Key2))
self.assertEqual(2, container.size())
self.assertEqual(2, len(container._keys))
self.assertTrue(fixture.id1Key1Name in container._keys)
self.assertTrue(fixture.id1Key2Name in container._keys)
# Get keys.
try:
container.get(fixture.id1Key1Name)
except Exception as ex:
self.fail("Unexpected exception: " + str(ex))
try:
container.get(fixture.id1Key2Name)
except Exception as ex:
self.fail("Unexpected exception: " + str(ex))
id1Key3Name = PibKey.constructKeyName(
fixture.id1, Name.Component("non-existing-id"))
try:
container.get(id1Key3Name)
self.fail("Did not throw the expected exception")
except Pib.Error:
pass
else:
self.fail("Did not throw the expected exception")
# Get and check keys.
key1 = container.get(fixture.id1Key1Name)
key2 = container.get(fixture.id1Key2Name)
self.assertTrue(fixture.id1Key1Name.equals(key1.getName()))
self.assertTrue(key1.getPublicKey().equals(fixture.id1Key1))
self.assertEqual(fixture.id1Key2Name, key2.getName())
self.assertTrue(key2.getPublicKey().equals(fixture.id1Key2))
# Create another container using the same PibImpl. The cache should be empty.
container2 = PibKeyContainer(fixture.id1, pibImpl)
self.assertEqual(2, container2.size())
self.assertEqual(0, len(container2._keys))
# Get a key. The cache should be filled.
try:
container2.get(fixture.id1Key1Name)
except Exception as ex:
self.fail("Unexpected exception: " + str(ex))
self.assertEqual(2, container2.size())
self.assertEqual(1, len(container2._keys))
try:
container2.get(fixture.id1Key2Name)
except Exception as ex:
self.fail("Unexpected exception: " + str(ex))
self.assertEqual(2, container2.size())
self.assertEqual(2, len(container2._keys))
# Remove a key.
container2.remove(fixture.id1Key1Name)
self.assertEqual(1, container2.size())
self.assertEqual(1, len(container2._keys))
self.assertTrue(not (fixture.id1Key1Name in container2._keys))
self.assertTrue(fixture.id1Key2Name in container2._keys)
# Remove another key.
container2.remove(fixture.id1Key2Name)
self.assertEqual(0, container2.size())
self.assertEqual(0, len(container2._keys))
self.assertTrue(not (fixture.id1Key2Name in container2._keys))