Example #1
def test_invalid_key_store():
    """Check that KeyStore rejects bad key-store data and wrongly sized key material.

    Every case expects SPSDKError; where the original test pinned the error
    message, the same message pattern is matched here.
    """
    short_blob = bytes(range(10))
    short_key = bytes(31)

    # Key-store data of the wrong length is rejected in KEYSTORE mode.
    with pytest.raises(SPSDKError):
        KeyStore(KeySourceType.KEYSTORE, short_blob)

    # Key-store data must not be supplied at all when the key source is OTP,
    # whatever its length.
    with pytest.raises(SPSDKError):
        KeyStore(KeySourceType.OTP, short_blob)
    otp_message = "KeyStore can be initialized only if key_source == KEYSTORE"
    with pytest.raises(SPSDKError, match=otp_message):
        KeyStore(KeySourceType.OTP, bytes(1424))

    # A correctly sized, all-zero key store is used for the derivation checks.
    key_store = KeyStore(KeySourceType.KEYSTORE, bytes(KeyStore.KEY_STORE_SIZE))

    # Key material that is one byte short (31 bytes) must be refused by every
    # derivation function instead of being padded or truncated silently.
    with pytest.raises(SPSDKError, match="Invalid length of hmac key"):
        key_store.derive_hmac_key(hmac_key=short_key)
    for derive in (key_store.derive_enc_image_key, key_store.derive_sb_kek_key):
        with pytest.raises(SPSDKError, match="Invalid length of master key"):
            derive(master_key=short_key)
    with pytest.raises(SPSDKError, match="Invalid length of master key"):
        key_store.derive_otfad_kek_key(master_key=short_key, otfad_input=bytes(16))

    # A valid 32-byte master key with a 15-byte OTFAD input is refused as well.
    with pytest.raises(SPSDKError, match="Invalid length of input"):
        key_store.derive_otfad_kek_key(master_key=bytes(32), otfad_input=bytes(15))
Example #2
    def encrypt(self, raw_image: bytes) -> bytes:
        """Encrypt the raw image, followed by the exported TrustZone data, with AES-CTR.

        The key is ``self.hmac_key`` itself when a key store with a non-OTP key
        source is present; otherwise (no key store, or OTP key source) the key
        is derived from it with ``KeyStore.derive_enc_image_key``.

        :param raw_image: Input raw image to encrypt.
        :return: Ciphertext of ``raw_image + self.tz.export()``.
        """
        # NOTE(review): `assert` is removed under `python -O`, so this guard is
        # not a reliable check of the key material; consider an explicit raise.
        assert self.hmac_key and self.ctr_init_vector
        must_derive = (
            not self.key_store
            or self.key_store.key_source == KeySourceType.OTP
        )
        if must_derive:
            cipher_key = KeyStore.derive_enc_image_key(self.hmac_key)
        else:
            cipher_key = self.hmac_key
        # The nonce is empty, so the starting counter comes from
        # ctr_init_vector alone. NOTE(review): CTR reuses its keystream if the
        # same key and initial counter encrypt two different images, and it
        # gives confidentiality only -- confirm the IV is fresh per image and
        # that integrity is checked elsewhere.
        cipher = AES.new(
            cipher_key,
            AES.MODE_CTR,
            initial_value=self.ctr_init_vector,
            nonce=bytes(),
        )
        plaintext = raw_image + self.tz.export()
        return cipher.encrypt(plaintext)