def derivePublicKey(key):
"""
Use the macOS Keychain key to derive the public key.
:param c_void_p key: The macOS Keychain private key.
:return: The public key encoding Blob.
:rtype: Blob
"""
osx = Osx.get()
exportedKey = None
try:
exportedKey = c_void_p()
res = osx._security.SecItemExport(key, osx._kSecFormatOpenSSL, 0,
None, pointer(exportedKey))
if res != None:
# TODO: check for errSecAuthFailed
raise TpmBackEndOsx.Error("Failed to export the private key")
privateKey = TpmPrivateKey()
privateKey.loadPkcs1(TpmBackEndOsx._CFDataToBlob(exportedKey))
return privateKey.derivePublicKey()
finally:
if exportedKey != None:
cf.CFRelease(exportedKey)
def sign(self, data, keyName, digestAlgorithm = DigestAlgorithm.SHA256):
"""
Fetch the private key for keyName and sign the data, returning a
signature Blob.
:param data: Pointer the input byte buffer to sign.
:type data: An array type with int elements
:param Name keyName: The name of the signing key.
:param digestAlgorithm: (optional) the digest algorithm. If omitted,
use DigestAlgorithm.SHA256.
:type digestAlgorithm: int from DigestAlgorithm
:return: The signature Blob.
:rtype: Blob
"""
keyURI = keyName.toUri()
if not self.doesKeyExist(keyName, KeyClass.PRIVATE):
raise SecurityException(
"FilePrivateKeyStorage.sign: private key doesn't exist")
# Read the private key.
base64Content = None
with open(self.nameTransform(keyURI, ".pri")) as keyFile:
base64Content = keyFile.read()
pkcs8Der = base64.b64decode(base64Content)
privateKey = TpmPrivateKey()
try:
privateKey.loadPkcs8(pkcs8Der)
return privateKey.sign(Blob(data, False).toBytes(), digestAlgorithm)
except Exception as ex:
raise SecurityException("Error in sign: " + str(ex))
def _doImportKey(self, keyName, pkcs8, password):
"""
A protected method to import an encoded private key with name keyName in
PKCS #8 format, possibly passwprd-encrypted.
:param Name keyName: The name of the key to use in the TPM.
:param pkcs8: The input byte buffer. If the password is supplied, this
is a PKCS #8 EncryptedPrivateKeyInfo. If the password is none, this is
an unencrypted PKCS #8 PrivateKeyInfo.
:type pkcs8: an array which implements the buffer protocol
:param password: The password for decrypting the private key. If the
password is supplied, use it to decrypt the PKCS #8
EncryptedPrivateKeyInfo. If the password is None, import an
unencrypted PKCS #8 PrivateKeyInfo.
:type password: an array which implements the buffer protocol
:raises TpmBackEnd.Error: For an error importing the key.
"""
try:
if password != None:
raise TpmBackEnd.Error(
"Private key password-encryption is not implemented")
else:
key = TpmPrivateKey()
key.loadPkcs8(pkcs8)
# Copy the Name.
self._keys[Name(keyName)] = key
except TpmPrivateKey.Error as ex:
raise TpmBackEnd.Error("Cannot import private key: " + str(ex))
def _doImportKey(self, keyName, pkcs8, password):
"""
A protected method to import an encoded private key with name keyName in
PKCS #8 format, possibly password-encrypted.
:param Name keyName: The name of the key to use in the TPM.
:param pkcs8: The input byte buffer. If the password is supplied, this
is a PKCS #8 EncryptedPrivateKeyInfo. If the password is none, this is
an unencrypted PKCS #8 PrivateKeyInfo.
:type pkcs8: an array which implements the buffer protocol
:param password: The password for decrypting the private key, which
should have characters in the range of 1 to 127. If the password is
supplied, use it to decrypt the PKCS #8 EncryptedPrivateKeyInfo. If
the password is None, import an unencrypted PKCS #8 PrivateKeyInfo.
:type password: an array which implements the buffer protocol
:raises TpmBackEnd.Error: For an error importing the key.
"""
try:
key = TpmPrivateKey()
if password != None:
key.loadEncryptedPkcs8(pkcs8, password)
else:
key.loadPkcs8(pkcs8)
except TpmPrivateKey.Error as ex:
raise TpmBackEnd.Error("Cannot import private key: " + str(ex))
self._saveKey(keyName, key)
def sign(self, data, keyName, digestAlgorithm=DigestAlgorithm.SHA256):
"""
Fetch the private key for keyName and sign the data, returning a
signature Blob.
:param data: Pointer the input byte buffer to sign.
:type data: An array type with int elements
:param Name keyName: The name of the signing key.
:param digestAlgorithm: (optional) the digest algorithm. If omitted,
use DigestAlgorithm.SHA256.
:type digestAlgorithm: int from DigestAlgorithm
:return: The signature Blob.
:rtype: Blob
"""
keyURI = keyName.toUri()
if not self.doesKeyExist(keyName, KeyClass.PRIVATE):
raise SecurityException(
"FilePrivateKeyStorage.sign: private key doesn't exist")
# Read the private key.
base64Content = None
with open(self.nameTransform(keyURI, ".pri")) as keyFile:
base64Content = keyFile.read()
pkcs8Der = base64.b64decode(base64Content)
privateKey = TpmPrivateKey()
try:
privateKey.loadPkcs8(pkcs8Der)
return privateKey.sign(
Blob(data, False).toBytes(), digestAlgorithm)
except Exception as ex:
raise SecurityException("Error in sign: " + str(ex))
def _loadKey(self, keyName):
"""
Load the private key with name keyName from the key file directory.
:param Name keyName: The name of the key.
:return: The key loaded into a TpmPrivateKey.
:rtype: TpmPrivateKey
"""
key = TpmPrivateKey()
base64Content = None
try:
with open(self._toFilePath(keyName)) as keyFile:
base64Content = keyFile.read()
except Exception as ex:
raise TpmBackEndFile.Error(
"Error reading private key file: " + str(ex))
pkcs = base64.b64decode(base64Content)
try:
key.loadPkcs1(pkcs, None)
except Exception as ex:
raise TpmBackEndFile.Error(
"Error decoding private key file: " + str(ex))
return key
def _loadKey(self, keyName):
"""
Load the private key with name keyName from the key file directory.
:param Name keyName: The name of the key.
:return: The key loaded into a TpmPrivateKey.
:rtype: TpmPrivateKey
"""
key = TpmPrivateKey()
base64Content = None
try:
with open(self._toFilePath(keyName)) as keyFile:
base64Content = keyFile.read()
except Exception as ex:
raise TpmBackEndFile.Error("Error reading private key file: " +
str(ex))
pkcs = base64.b64decode(base64Content)
try:
key.loadPkcs1(pkcs, None)
except Exception as ex:
raise TpmBackEndFile.Error("Error decoding private key file: " +
str(ex))
return key
def test_rsa_decryption(self):
dataSet = self.rsaKeyTestData
pkcs8 = base64.b64decode(dataSet.privateKeyPkcs8Unencrypted)
key = TpmPrivateKey()
key.loadPkcs8(pkcs8)
plainText = Blob([0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07])
cipherTextBase64 = (
"i2XNpZ2JbLa4JmBTdDrGmsd4/0C+p+BSCpW3MuPBNe5uChQ0eRO1dvjTnEqwSECY\n"
+
"38en9JZwcyb0It/TSFNXHlq+Z1ZpffnjIJxQR9HcgwvwQJh6WRH0vu38tvGkGuNv\n"
+
"60Rdn85hqSy1CikmXCeWXL9yCqeqcP21R94G/T3FuA+c1FtFko8KOzCwvrTXMO6n\n"
+
"5PNsqlLXabSGr+jz4EwOsSCgPkiDf9U6tXoSPRA2/YvqFQdaiUXIVlomESvaqqZ8\n"
+
"FxPs2BON0lobM8gT+xdzbRKofp+rNjNK+5uWyeOnXJwzCszh17cdJl2BH1dZwaVD\n"
+ "PmTiSdeDQXZ94U5boDQ4Aw==\n")
cipherText = base64.b64decode(cipherTextBase64)
decryptedText = key.decrypt(cipherText)
self.assertTrue(decryptedText.equals(plainText))
def derivePublicKey(key):
"""
Use the macOS Keychain key to derive the public key.
:param c_void_p key: The macOS Keychain private key.
:return: The public key encoding Blob.
:rtype: Blob
"""
osx = Osx.get()
exportedKey = None
try:
exportedKey = c_void_p()
res = osx._security.SecItemExport(
key, osx._kSecFormatOpenSSL, 0, None, pointer(exportedKey))
if res != None:
# TODO: check for errSecAuthFailed
raise TpmBackEndOsx.Error(
"Failed to export the private key")
privateKey = TpmPrivateKey()
privateKey.loadPkcs1(TpmBackEndOsx._CFDataToBlob(exportedKey))
return privateKey.derivePublicKey()
finally:
if exportedKey != None:
cf.CFRelease(exportedKey)
def test_derive_public_key(self):
for dataSet in self.keyTestData:
pkcs8 = base64.b64decode(dataSet.privateKeyPkcs8Unencrypted)
key = TpmPrivateKey()
key.loadPkcs8(pkcs8)
# Derive the public key and compare.
publicKeyBits = key.derivePublicKey()
expected = base64.b64decode(dataSet.publicKeyEncoding)
self.assertTrue(publicKeyBits.equals(Blob(expected)))
def test_derive_public_key(self):
for dataSet in self.keyTestData:
pkcs8 = base64.b64decode(dataSet.privateKeyPkcs8Unencrypted)
key = TpmPrivateKey()
key.loadPkcs8(pkcs8)
# Derive the public key and compare.
publicKeyBits = key.derivePublicKey()
expected = base64.b64decode(dataSet.publicKeyEncoding)
self.assertTrue(publicKeyBits.equals(Blob(expected)))
def deriveEncryptKey(keyBits):
"""
Derive a new encrypt key from the given decrypt key value.
:param Blob keyBits: The key value of the decrypt key (PKCS8-encoded
private key).
:return: The new encrypt key (DER-encoded public key).
:rtype: EncryptKey
"""
privateKey = TpmPrivateKey()
privateKey.loadPkcs8(keyBits.toBytes())
return EncryptKey(privateKey.derivePublicKey())
def deriveEncryptKey(keyBits):
"""
Derive a new encrypt key from the given decrypt key value.
:param Blob keyBits: The key value of the decrypt key (PKCS8-encoded
private key).
:return: The new encrypt key (DER-encoded public key).
:rtype: EncryptKey
"""
privateKey = TpmPrivateKey()
privateKey.loadPkcs8(keyBits.toBytes())
return EncryptKey(privateKey.derivePublicKey())
def decrypt(keyBits, encryptedData, params):
"""
Decrypt the encryptedData using the keyBits according the encrypt params.
:param Blob keyBits: The key value (PKCS8-encoded private key).
:param Blob encryptedData: The data to decrypt.
:param EncryptParams params: This decrypts according to
params.getAlgorithmType().
:return: The decrypted data.
:rtype: Blob
"""
privateKey = TpmPrivateKey()
privateKey.loadPkcs8(keyBits.toBytes())
return privateKey.decrypt(
encryptedData.toBytes(), params.getAlgorithmType())
def decrypt(keyBits, encryptedData, params):
"""
Decrypt the encryptedData using the keyBits according the encrypt params.
:param Blob keyBits: The key value (PKCS8-encoded private key).
:param Blob encryptedData: The data to decrypt.
:param EncryptParams params: This decrypts according to
params.getAlgorithmType().
:return: The decrypted data.
:rtype: Blob
"""
privateKey = TpmPrivateKey()
privateKey.loadPkcs8(keyBits.toBytes())
return privateKey.decrypt(encryptedData.toBytes(),
params.getAlgorithmType())
def generateKeyPair(self, keyName, params):
"""
Generate a pair of asymmetric keys.
:param Name keyName: The name of the key pair.
:param KeyParams params: The parameters of the key.
"""
if self.doesKeyExist(keyName, KeyClass.PUBLIC):
raise SecurityException("Public key already exists")
if self.doesKeyExist(keyName, KeyClass.PRIVATE):
raise SecurityException("Private key already exists")
try:
privateKey = TpmPrivateKey.generatePrivateKey(params)
privateKeyDer = privateKey.toPkcs8().toBytes()
publicKeyDer = privateKey.derivePublicKey().toBytes()
except Exception as ex:
raise SecurityException("Error in generatePrivateKey: " + str(ex))
keyUri = keyName.toUri()
keyFilePathNoExtension = self.maintainMapping(keyUri)
publicKeyFilePath = keyFilePathNoExtension + ".pub"
privateKeyFilePath = keyFilePathNoExtension + ".pri"
with open(publicKeyFilePath, 'w') as keyFile:
keyFile.write(Common.base64Encode(publicKeyDer, True))
with open(privateKeyFilePath, 'w') as keyFile:
keyFile.write(Common.base64Encode(privateKeyDer, True))
os.chmod(publicKeyFilePath, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
os.chmod(privateKeyFilePath, stat.S_IRUSR)
def generateKeyPair(self, keyName, params):
"""
Generate a pair of asymmetric keys.
:param Name keyName: The name of the key pair.
:param KeyParams params: The parameters of the key.
"""
if self.doesKeyExist(keyName, KeyClass.PUBLIC):
raise SecurityException("Public key already exists")
if self.doesKeyExist(keyName, KeyClass.PRIVATE):
raise SecurityException("Private key already exists")
try:
privateKey = TpmPrivateKey.generatePrivateKey(params)
privateKeyDer = privateKey.toPkcs8().toBytes()
publicKeyDer = privateKey.derivePublicKey().toBytes()
except Exception as ex:
raise SecurityException("Error in generatePrivateKey: " + str(ex))
keyUri = keyName.toUri()
keyFilePathNoExtension = self.maintainMapping(keyUri)
publicKeyFilePath = keyFilePathNoExtension + ".pub"
privateKeyFilePath = keyFilePathNoExtension + ".pri"
with open(publicKeyFilePath, 'w') as keyFile:
keyFile.write(Common.base64Encode(publicKeyDer, True))
with open(privateKeyFilePath, 'w') as keyFile:
keyFile.write(Common.base64Encode(privateKeyDer, True))
os.chmod(publicKeyFilePath, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
os.chmod(privateKeyFilePath, stat.S_IRUSR)
def setPrivateKeyForKeyName(self, keyName, keyType, privateKeyDer):
"""
Set the private key for the keyName.
:param Name keyName: The key name.
:param keyType: The KeyType, such as KeyType.RSA.
:type keyType: an int from KeyType
:param privateKeyDer: The private key DER byte array.
:type privateKeyDer: str, or an array type with int elements which is
converted to str
"""
privateKey = TpmPrivateKey()
try:
privateKey.loadPkcs8(privateKeyDer, keyType)
except Exception as ex:
raise SecurityException("Error in loadPkcs8: " + str(ex))
self._privateKeyStore[keyName.toUri()] = privateKey
def setPrivateKeyForKeyName(self, keyName, keyType, privateKeyDer):
"""
Set the private key for the keyName.
:param Name keyName: The key name.
:param keyType: The KeyType, such as KeyType.RSA.
:type keyType: an int from KeyType
:param privateKeyDer: The private key DER byte array.
:type privateKeyDer: str, or an array type with int elements which is
converted to str
"""
privateKey = TpmPrivateKey()
try:
privateKey.loadPkcs8(privateKeyDer, keyType)
except Exception as ex:
raise SecurityException("Error in loadPkcs8: " + str(ex))
self._privateKeyStore[keyName.toUri()] = privateKey
def test_save_load(self):
for dataSet in self.keyTestData:
# Load the key in PKCS #1 format.
pkcs1 = base64.b64decode(dataSet.privateKeyPkcs1)
key1 = TpmPrivateKey()
key1.loadPkcs1(pkcs1)
# Save the key in PKCS #1 format.
savedPkcs1Key = key1.toPkcs1()
self.assertTrue(savedPkcs1Key.equals(Blob(pkcs1)))
pkcs8 = base64.b64decode(dataSet.privateKeyPkcs8Unencrypted)
key8 = TpmPrivateKey()
key8.loadPkcs8(pkcs8)
# Save the key in PKCS #8 format.
savedPkcs8Key = key8.toPkcs8()
self.assertTrue(savedPkcs8Key.equals(Blob(pkcs8)))
def test_generate_key(self):
for dataSet in self.keyTestData:
key = TpmPrivateKey.generatePrivateKey(dataSet.keyParams)
publicKeyBits = key.derivePublicKey()
publicKey = PublicKey(publicKeyBits)
data = Blob([0x01, 0x02, 0x03, 0x04])
# Sign and verify.
signature = key.sign(data.toBytes(), DigestAlgorithm.SHA256)
result = VerificationHelpers.verifySignature(
data, signature, publicKey)
self.assertTrue(result)
# Check that another generated private key is different.
key2 = TpmPrivateKey.generatePrivateKey(dataSet.keyParams)
self.assertTrue(not key.toPkcs8().equals(key2.toPkcs8()))
def test_generate_key(self):
for dataSet in self.keyTestData:
key = TpmPrivateKey.generatePrivateKey(dataSet.keyParams)
publicKeyBits = key.derivePublicKey()
publicKey = PublicKey(publicKeyBits)
data = Blob([0x01, 0x02, 0x03, 0x04])
# Sign and verify.
signature = key.sign(data.toBytes(), DigestAlgorithm.SHA256)
result = VerificationHelpers.verifySignature(
data, signature, publicKey)
self.assertTrue(result)
# Check that another generated private key is different.
key2 = TpmPrivateKey.generatePrivateKey(dataSet.keyParams)
self.assertTrue(not key.toPkcs8().equals(key2.toPkcs8()))
def test_generate_key(self):
for dataSet in self.keyTestData:
key = TpmPrivateKey.generatePrivateKey(dataSet.keyParams)
publicKeyBits = key.derivePublicKey()
publicKey = PublicKey(publicKeyBits)
data = Blob([0x01, 0x02, 0x03, 0x04])
# Sign and verify.
signature = key.sign(data.toBytes(), DigestAlgorithm.SHA256)
# TODO: Move verify into PublicKey?
if dataSet.keyParams.getKeyType() == KeyType.ECDSA:
cryptoPublicKey = load_der_public_key(
publicKeyBits.toBytes(), backend = default_backend())
verifier = cryptoPublicKey.verifier(
signature.toBytes(), ec.ECDSA(hashes.SHA256()))
verifier.update(data.toBytes())
try:
verifier.verify()
result = True
except InvalidSignature:
result = False
elif dataSet.keyParams.getKeyType() == KeyType.RSA:
cryptoPublicKey = load_der_public_key(
publicKeyBits.toBytes(), backend = default_backend())
verifier = cryptoPublicKey.verifier(
signature.toBytes(), padding.PKCS1v15(), hashes.SHA256())
verifier.update(data.toBytes())
try:
verifier.verify()
result = True
except InvalidSignature:
result = False
else:
# We don't expect this.
self.fail("Unrecognized key type")
self.assertTrue(result)
# Check that another generated private key is different.
key2 = TpmPrivateKey.generatePrivateKey(dataSet.keyParams)
self.assertTrue(not key.toPkcs8().equals(key2.toPkcs8()))
def generateKey(params):
"""
Generate a new random decrypt key for RSA based on the given params.
:param RsaKeyParams params: The key params with the key size (in bits).
:return: The new decrypt key (PKCS8-encoded private key).
:rtype: DecryptKey
"""
privateKey = TpmPrivateKey.generatePrivateKey(params)
return DecryptKey(privateKey.toPkcs8())
def generateKey(params):
"""
Generate a new random decrypt key for RSA based on the given params.
:param RsaKeyParams params: The key params with the key size (in bits).
:return: The new decrypt key (PKCS8-encoded private key).
:rtype: DecryptKey
"""
privateKey = TpmPrivateKey.generatePrivateKey(params)
return DecryptKey(privateKey.toPkcs8())
def test_rsa_decryption(self):
dataSet = self.rsaKeyTestData
pkcs8 = base64.b64decode(dataSet.privateKeyPkcs8Unencrypted)
key = TpmPrivateKey()
key.loadPkcs8(pkcs8)
plainText = Blob([0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07])
cipherTextBase64 = (
"i2XNpZ2JbLa4JmBTdDrGmsd4/0C+p+BSCpW3MuPBNe5uChQ0eRO1dvjTnEqwSECY\n" +
"38en9JZwcyb0It/TSFNXHlq+Z1ZpffnjIJxQR9HcgwvwQJh6WRH0vu38tvGkGuNv\n" +
"60Rdn85hqSy1CikmXCeWXL9yCqeqcP21R94G/T3FuA+c1FtFko8KOzCwvrTXMO6n\n" +
"5PNsqlLXabSGr+jz4EwOsSCgPkiDf9U6tXoSPRA2/YvqFQdaiUXIVlomESvaqqZ8\n" +
"FxPs2BON0lobM8gT+xdzbRKofp+rNjNK+5uWyeOnXJwzCszh17cdJl2BH1dZwaVD\n" +
"PmTiSdeDQXZ94U5boDQ4Aw==\n")
cipherText = base64.b64decode(cipherTextBase64)
decryptedText = key.decrypt(cipherText)
self.assertTrue(decryptedText.equals(plainText))
def generateKeyPair(self, keyName, params):
"""
Generate a pair of asymmetric keys.
:param Name keyName: The name of the key pair.
:param KeyParams params: The parameters of the key.
"""
privateKey = None
try:
privateKey = TpmPrivateKey.generatePrivateKey(params)
except Exception as ex:
raise SecurityException("Error in generatePrivateKey: " + str(ex))
publicKeyDer = None
try:
publicKeyDer = privateKey.derivePublicKey()
except Exception as ex:
raise SecurityException("Error in derivePublicKey: " + str(ex))
self._privateKeyStore[keyName.toUri()] = privateKey
self._publicKeyStore[keyName.toUri()] = PublicKey(publicKeyDer)
def generateKeyPair(self, keyName, params):
"""
Generate a pair of asymmetric keys.
:param Name keyName: The name of the key pair.
:param KeyParams params: The parameters of the key.
"""
privateKey = None
try:
privateKey = TpmPrivateKey.generatePrivateKey(params)
except Exception as ex:
raise SecurityException("Error in generatePrivateKey: " + str(ex))
publicKeyDer = None
try:
publicKeyDer = privateKey.derivePublicKey()
except Exception as ex:
raise SecurityException("Error in derivePublicKey: " + str(ex))
self._privateKeyStore[keyName.toUri()] = privateKey
self._publicKeyStore[keyName.toUri()] = PublicKey(publicKeyDer)
def _doCreateKey(self, identityName, params):
"""
Create a key for identityName according to params. The created key is
named as: /<identityName>/[keyId]/KEY . The key name is set in the
returned TpmKeyHandle.
:param Name identityName: The name if the identity.
:param KeyParams params: The KeyParams for creating the key.
:return: The handle of the created key.
:rtype: TpmKeyHandle
:raises TpmBackEnd.Error: If the key cannot be created.
"""
try:
key = TpmPrivateKey.generatePrivateKey(params)
except Exception as ex:
raise TpmBackEndFile.Error(
"Error in TpmPrivateKey.generatePrivateKey: " + str(ex))
keyHandle = TpmKeyHandleMemory(key)
TpmBackEnd.setKeyName(keyHandle, identityName, params)
self._saveKey(keyHandle.getKeyName(), key)
return keyHandle
def _doCreateKey(self, identityName, params):
"""
Create a key for identityName according to params. The created key is
named as: /<identityName>/[keyId]/KEY . The key name is set in the
returned TpmKeyHandle.
:param Name identityName: The name if the identity.
:param KeyParams params: The KeyParams for creating the key.
:return: The handle of the created key.
:rtype: TpmKeyHandle
:raises TpmBackEnd.Error: If the key cannot be created.
"""
try:
key = TpmPrivateKey.generatePrivateKey(params)
except Exception as ex:
raise TpmBackEndFile.Error(
"Error in TpmPrivateKey.generatePrivateKey: " + str(ex))
keyHandle = TpmKeyHandleMemory(key)
TpmBackEnd.setKeyName(keyHandle, identityName, params)
self._saveKey(keyHandle.getKeyName(), key)
return keyHandle
def test_import_export(self):
privateKeyPkcs1Base64 = (
"MIIEpAIBAAKCAQEAw0WM1/WhAxyLtEqsiAJgWDZWuzkYpeYVdeeZcqRZzzfRgBQT\n" +
"sNozS5t4HnwTZhwwXbH7k3QN0kRTV826Xobws3iigohnM9yTK+KKiayPhIAm/+5H\n" +
"GT6SgFJhYhqo1/upWdueojil6RP4/AgavHhopxlAVbk6G9VdVnlQcQ5Zv0OcGi73\n" +
"c+EnYD/YgURYGSngUi/Ynsh779p2U69/te9gZwIL5PuE9BiO6I39cL9z7EK1SfZh\n" +
"OWvDe/qH7YhD/BHwcWit8FjRww1glwRVTJsA9rH58ynaAix0tcR/nBMRLUX+e3rU\n" +
"RHg6UbSjJbdb9qmKM1fTGHKUzL/5pMG6uBU0ywIDAQABAoIBADQkckOIl4IZMUTn\n" +
"W8LFv6xOdkJwMKC8G6bsPRFbyY+HvC2TLt7epSvfS+f4AcYWaOPcDu2E49vt2sNr\n" +
"cASly8hgwiRRAB3dHH9vcsboiTo8bi2RFvMqvjv9w3tK2yMxVDtmZamzrrnaV3YV\n" +
"Q+5nyKo2F/PMDjQ4eUAKDOzjhBuKHsZBTFnA1MFNI+UKj5X4Yp64DFmKlxTX/U2b\n" +
"wzVywo5hzx2Uhw51jmoLls4YUvMJXD0wW5ZtYRuPogXvXb/of9ef/20/wU11WFKg\n" +
"Xb4gfR8zUXaXS1sXcnVm3+24vIs9dApUwykuoyjOqxWqcHRec2QT2FxVGkFEraze\n" +
"CPa4rMECgYEA5Y8CywomIcTgerFGFCeMHJr8nQGqY2V/owFb3k9maczPnC9p4a9R\n" +
"c5szLxA9FMYFxurQZMBWSEG2JS1HR2mnjigx8UKjYML/A+rvvjZOMe4M6Sy2ggh4\n" +
"SkLZKpWTzjTe07ByM/j5v/SjNZhWAG7sw4/LmPGRQkwJv+KZhGojuOkCgYEA2cOF\n" +
"T6cJRv6kvzTz9S0COZOVm+euJh/BXp7oAsAmbNfOpckPMzqHXy8/wpdKl6AAcB57\n" +
"OuztlNfV1D7qvbz7JuRlYwQ0cEfBgbZPcz1p18HHDXhwn57ZPb8G33Yh9Omg0HNA\n" +
"Imb4LsVuSqxA6NwSj7cpRekgTedrhLFPJ+Ydb5MCgYEAsM3Q7OjILcIg0t6uht9e\n" +
"vrlwTsz1mtCV2co2I6crzdj9HeI2vqf1KAElDt6G7PUHhglcr/yjd8uEqmWRPKNX\n" +
"ddnnfVZB10jYeP/93pac6z/Zmc3iU4yKeUe7U10ZFf0KkiiYDQd59CpLef/2XScS\n" +
"HB0oRofnxRQjfjLc4muNT+ECgYEAlcDk06MOOTly+F8lCc1bA1dgAmgwFd2usDBd\n" +
"Y07a3e0HGnGLN3Kfl7C5i0tZq64HvxLnMd2vgLVxQlXGPpdQrC1TH+XLXg+qnlZO\n" +
"ivSH7i0/gx75bHvj75eH1XK65V8pDVDEoSPottllAIs21CxLw3N1ObOZWJm2EfmR\n" +
"cuHICmsCgYAtFJ1idqMoHxES3mlRpf2JxyQudP3SCm2WpGmqVzhRYInqeatY5sUd\n" +
"lPLHm/p77RT7EyxQHTlwn8FJPuM/4ZH1rQd/vB+Y8qAtYJCexDMsbvLW+Js+VOvk\n" +
"jweEC0nrcL31j9mF0vz5E6tfRu4hhJ6L4yfWs0gSejskeVB/w8QY4g==\n")
for tpm in self.backEndList:
if tpm is self.backEndOsx:
# TODO: Implement TpmBackEndOsx import/export.
continue
keyName = Name("/Test/KeyName/KEY/1")
tpm.deleteKey(keyName)
self.assertEquals(False, tpm.hasKey(keyName))
privateKey = TpmPrivateKey()
privateKeyPkcs1Encoding = Blob(base64.b64decode(privateKeyPkcs1Base64))
privateKey.loadPkcs1(privateKeyPkcs1Encoding.buf())
password = Blob("password").toBytes()
encryptedPkcs8 = privateKey.toEncryptedPkcs8(password)
tpm.importKey(keyName, encryptedPkcs8.buf(), password)
self.assertEquals(True, tpm.hasKey(keyName))
try:
# Can't import the same keyName again.
tpm.importKey(keyName, encryptedPkcs8.buf(), password)
self.fail("Did not throw the expected exception")
except TpmBackEnd.Error:
pass
else:
self.fail("Did not throw the expected exception")
exportedKey = tpm.exportKey(keyName, password)
self.assertEquals(True, tpm.hasKey(keyName))
privateKey2 = TpmPrivateKey()
privateKey2.loadEncryptedPkcs8(exportedKey.buf(), password)
privateKey2Pkcs1Encoding = privateKey2.toPkcs1()
self.assertTrue(privateKeyPkcs1Encoding.equals(privateKey2Pkcs1Encoding))
tpm.deleteKey(keyName)
self.assertEquals(False, tpm.hasKey(keyName))
try:
tpm.exportKey(keyName, password)
self.fail("Did not throw the expected exception")
except TpmBackEnd.Error:
pass
else:
self.fail("Did not throw the expected exception")
def test_import_export(self):
privateKeyPkcs1Base64 = (
"MIIEpAIBAAKCAQEAw0WM1/WhAxyLtEqsiAJgWDZWuzkYpeYVdeeZcqRZzzfRgBQT\n" +
"sNozS5t4HnwTZhwwXbH7k3QN0kRTV826Xobws3iigohnM9yTK+KKiayPhIAm/+5H\n" +
"GT6SgFJhYhqo1/upWdueojil6RP4/AgavHhopxlAVbk6G9VdVnlQcQ5Zv0OcGi73\n" +
"c+EnYD/YgURYGSngUi/Ynsh779p2U69/te9gZwIL5PuE9BiO6I39cL9z7EK1SfZh\n" +
"OWvDe/qH7YhD/BHwcWit8FjRww1glwRVTJsA9rH58ynaAix0tcR/nBMRLUX+e3rU\n" +
"RHg6UbSjJbdb9qmKM1fTGHKUzL/5pMG6uBU0ywIDAQABAoIBADQkckOIl4IZMUTn\n" +
"W8LFv6xOdkJwMKC8G6bsPRFbyY+HvC2TLt7epSvfS+f4AcYWaOPcDu2E49vt2sNr\n" +
"cASly8hgwiRRAB3dHH9vcsboiTo8bi2RFvMqvjv9w3tK2yMxVDtmZamzrrnaV3YV\n" +
"Q+5nyKo2F/PMDjQ4eUAKDOzjhBuKHsZBTFnA1MFNI+UKj5X4Yp64DFmKlxTX/U2b\n" +
"wzVywo5hzx2Uhw51jmoLls4YUvMJXD0wW5ZtYRuPogXvXb/of9ef/20/wU11WFKg\n" +
"Xb4gfR8zUXaXS1sXcnVm3+24vIs9dApUwykuoyjOqxWqcHRec2QT2FxVGkFEraze\n" +
"CPa4rMECgYEA5Y8CywomIcTgerFGFCeMHJr8nQGqY2V/owFb3k9maczPnC9p4a9R\n" +
"c5szLxA9FMYFxurQZMBWSEG2JS1HR2mnjigx8UKjYML/A+rvvjZOMe4M6Sy2ggh4\n" +
"SkLZKpWTzjTe07ByM/j5v/SjNZhWAG7sw4/LmPGRQkwJv+KZhGojuOkCgYEA2cOF\n" +
"T6cJRv6kvzTz9S0COZOVm+euJh/BXp7oAsAmbNfOpckPMzqHXy8/wpdKl6AAcB57\n" +
"OuztlNfV1D7qvbz7JuRlYwQ0cEfBgbZPcz1p18HHDXhwn57ZPb8G33Yh9Omg0HNA\n" +
"Imb4LsVuSqxA6NwSj7cpRekgTedrhLFPJ+Ydb5MCgYEAsM3Q7OjILcIg0t6uht9e\n" +
"vrlwTsz1mtCV2co2I6crzdj9HeI2vqf1KAElDt6G7PUHhglcr/yjd8uEqmWRPKNX\n" +
"ddnnfVZB10jYeP/93pac6z/Zmc3iU4yKeUe7U10ZFf0KkiiYDQd59CpLef/2XScS\n" +
"HB0oRofnxRQjfjLc4muNT+ECgYEAlcDk06MOOTly+F8lCc1bA1dgAmgwFd2usDBd\n" +
"Y07a3e0HGnGLN3Kfl7C5i0tZq64HvxLnMd2vgLVxQlXGPpdQrC1TH+XLXg+qnlZO\n" +
"ivSH7i0/gx75bHvj75eH1XK65V8pDVDEoSPottllAIs21CxLw3N1ObOZWJm2EfmR\n" +
"cuHICmsCgYAtFJ1idqMoHxES3mlRpf2JxyQudP3SCm2WpGmqVzhRYInqeatY5sUd\n" +
"lPLHm/p77RT7EyxQHTlwn8FJPuM/4ZH1rQd/vB+Y8qAtYJCexDMsbvLW+Js+VOvk\n" +
"jweEC0nrcL31j9mF0vz5E6tfRu4hhJ6L4yfWs0gSejskeVB/w8QY4g==\n")
for tpm in self.backEndList:
if tpm is self.backEndOsx:
# TODO: Implement TpmBackEndOsx import/export.
continue
keyName = Name("/Test/KeyName/KEY/1")
tpm.deleteKey(keyName)
self.assertEqual(False, tpm.hasKey(keyName))
privateKey = TpmPrivateKey()
privateKeyPkcs1Encoding = Blob(base64.b64decode(privateKeyPkcs1Base64))
privateKey.loadPkcs1(privateKeyPkcs1Encoding.buf())
password = Blob("password").toBytes()
encryptedPkcs8 = privateKey.toEncryptedPkcs8(password)
tpm.importKey(keyName, encryptedPkcs8.buf(), password)
self.assertEqual(True, tpm.hasKey(keyName))
try:
# Can't import the same keyName again.
tpm.importKey(keyName, encryptedPkcs8.buf(), password)
self.fail("Did not throw the expected exception")
except TpmBackEnd.Error:
pass
else:
self.fail("Did not throw the expected exception")
exportedKey = tpm.exportKey(keyName, password)
self.assertEqual(True, tpm.hasKey(keyName))
privateKey2 = TpmPrivateKey()
privateKey2.loadEncryptedPkcs8(exportedKey.buf(), password)
privateKey2Pkcs1Encoding = privateKey2.toPkcs1()
self.assertTrue(privateKeyPkcs1Encoding.equals(privateKey2Pkcs1Encoding))
tpm.deleteKey(keyName)
self.assertEqual(False, tpm.hasKey(keyName))
try:
tpm.exportKey(keyName, password)
self.fail("Did not throw the expected exception")
except TpmBackEnd.Error:
pass
else:
self.fail("Did not throw the expected exception")
def test_save_load(self):
for dataSet in self.keyTestData:
# Load the key in PKCS #1 format.
pkcs1 = base64.b64decode(dataSet.privateKeyPkcs1)
key1 = TpmPrivateKey()
key1.loadPkcs1(pkcs1)
# Save the key in PKCS #1 format.
savedPkcs1Key = key1.toPkcs1()
self.assertTrue(savedPkcs1Key.equals(Blob(pkcs1)))
# Load the key in unencrypted PKCS #8 format.
pkcs8 = base64.b64decode(dataSet.privateKeyPkcs8Unencrypted)
key8 = TpmPrivateKey()
key8.loadPkcs8(pkcs8)
# Save the key in unencrypted PKCS #8 format.
savedPkcs8Key = key8.toPkcs8()
self.assertTrue(savedPkcs8Key.equals(Blob(pkcs8)))
password = Blob("password").toBytes()
# Load the key in encrypted PKCS #8 format.
encryptedPkcs8 = base64.b64decode(dataSet.privateKeyPkcs8)
encryptedKey8 = TpmPrivateKey()
encryptedKey8.loadEncryptedPkcs8(encryptedPkcs8, password)
# Save the key in encrypted PKCS #8 format and resave as unencrypted.
savedEncryptedPkcs8Key = encryptedKey8.toEncryptedPkcs8(password)
key8 = TpmPrivateKey()
key8.loadEncryptedPkcs8(savedEncryptedPkcs8Key, password)
resavedPkcs8Key = key8.toPkcs8()
self.assertTrue(resavedPkcs8Key.equals(Blob(pkcs8)))
def test_save_load(self):
for dataSet in self.keyTestData:
# Load the key in PKCS #1 format.
pkcs1 = base64.b64decode(dataSet.privateKeyPkcs1)
key1 = TpmPrivateKey()
key1.loadPkcs1(pkcs1)
# Save the key in PKCS #1 format.
savedPkcs1Key = key1.toPkcs1()
self.assertTrue(savedPkcs1Key.equals(Blob(pkcs1)))
# Load the key in unencrypted PKCS #8 format.
pkcs8 = base64.b64decode(dataSet.privateKeyPkcs8Unencrypted)
key8 = TpmPrivateKey()
key8.loadPkcs8(pkcs8)
# Save the key in unencrypted PKCS #8 format.
savedPkcs8Key = key8.toPkcs8()
self.assertTrue(savedPkcs8Key.equals(Blob(pkcs8)))
password = Blob("password").toBytes()
# Load the key in encrypted PKCS #8 format.
encryptedPkcs8 = base64.b64decode(dataSet.privateKeyPkcs8)
encryptedKey8 = TpmPrivateKey()
encryptedKey8.loadEncryptedPkcs8(encryptedPkcs8, password)
# Save the key in encrypted PKCS #8 format and resave as unencrypted.
savedEncryptedPkcs8Key = encryptedKey8.toEncryptedPkcs8(password)
key8 = TpmPrivateKey()
key8.loadEncryptedPkcs8(savedEncryptedPkcs8Key, password)
resavedPkcs8Key = key8.toPkcs8()
self.assertTrue(resavedPkcs8Key.equals(Blob(pkcs8)))
