def test_invalid_key_store():
    """Check that KeyStore rejects malformed store data and wrong-sized key material.

    Every case expects ``SPSDKError``. The length checks matter because the
    derivation helpers feed directly into image encryption and HMAC keys, so a
    short key has to fail loudly and must never be silently accepted.
    """
    short_blob = bytes(range(10))

    # a 10-byte blob is not a valid key-store image
    with pytest.raises(SPSDKError):
        KeyStore(KeySourceType.KEYSTORE, short_blob)

    # key-store data must not be supplied when the key source is OTP
    with pytest.raises(SPSDKError):
        KeyStore(KeySourceType.OTP, short_blob)

    # NOTE(review): 1424 is presumably the full key-store size - confirm against
    # KeyStore.KEY_STORE_SIZE. The point of the case is that even well-formed
    # data is refused in OTP mode, with the explicit message below.
    otp_with_data_message = "KeyStore can be initialized only if key_source == KEYSTORE"
    with pytest.raises(SPSDKError, match=otp_with_data_message):
        KeyStore(KeySourceType.OTP, bytes(1424))

    # an all-zero store of the expected size is accepted and used for the derive_* checks
    zeroed_store = KeyStore(KeySourceType.KEYSTORE, bytes(KeyStore.KEY_STORE_SIZE))

    # 31 bytes is one byte short of the 32-byte key accepted in the last case
    undersized_key = bytes(31)
    rejected_derivations = (
        (
            "Invalid length of hmac key",
            lambda: zeroed_store.derive_hmac_key(hmac_key=undersized_key),
        ),
        (
            "Invalid length of master key",
            lambda: zeroed_store.derive_enc_image_key(master_key=undersized_key),
        ),
        (
            "Invalid length of master key",
            lambda: zeroed_store.derive_sb_kek_key(master_key=undersized_key),
        ),
        (
            "Invalid length of master key",
            lambda: zeroed_store.derive_otfad_kek_key(
                master_key=undersized_key, otfad_input=bytes(16)
            ),
        ),
        # valid 32-byte master key, but the OTFAD input is one byte short of 16
        (
            "Invalid length of input",
            lambda: zeroed_store.derive_otfad_kek_key(
                master_key=bytes(32), otfad_input=bytes(15)
            ),
        ),
    )
    for expected_message, derive in rejected_derivations:
        with pytest.raises(SPSDKError, match=expected_message):
            derive()
def encrypt(self, raw_image: bytes) -> bytes:
    """Encrypt the raw image followed by the exported ``self.tz`` data using AES-CTR.

    The AES key is ``self.hmac_key`` as-is when a key store with a non-OTP key
    source is present. Otherwise (no key store, or OTP key source) the key is
    derived from it via ``KeyStore.derive_enc_image_key``.

    :param raw_image: Input raw image to encrypt.
    :return: Ciphertext of ``raw_image + self.tz.export()``.
    """
    # NOTE(review): `assert` is stripped under `python -O`, so this guard on the
    # key material disappears in optimized runs; an explicit raise would
    # survive it, but that changes the exception contract, so it is only flagged.
    assert self.hmac_key and self.ctr_init_vector

    base_key = self.hmac_key
    derive_from_master = (
        not self.key_store or self.key_store.key_source == KeySourceType.OTP
    )
    image_key = KeyStore.derive_enc_image_key(base_key) if derive_from_master else base_key

    # Empty nonce: the counter block comes entirely from ctr_init_vector
    # (assuming PyCryptodome's AES.new semantics - confirm).
    # CTR security depends on never reusing the same key and initial counter
    # for different plaintexts; reuse exposes the XOR of the two images.
    # CTR provides confidentiality only, with no integrity protection.
    # NOTE(review): authenticity is presumably handled separately (HMAC) - confirm.
    cipher = AES.new(
        image_key,
        AES.MODE_CTR,
        initial_value=self.ctr_init_vector,
        nonce=bytes(),
    )
    plaintext = raw_image + self.tz.export()
    return cipher.encrypt(plaintext)