def generate_hmac(self, expect_len, hmactype):
caps = CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC
hmackey = HmacKey.generate(self.session, 0, 'Generate HMAC', 1, caps,
hmactype)
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
self.assertEqual(len(resp), expect_len)
self.assertTrue(hmackey.verify_hmac(resp, data))
resp2 = hmackey.sign_hmac(data)
self.assertEqual(len(resp2), expect_len)
self.assertEqual(resp, resp2)
data = os.urandom(64)
resp2 = hmackey.sign_hmac(data)
self.assertEqual(len(resp2), expect_len)
self.assertNotEqual(resp, resp2)
self.assertTrue(hmackey.verify_hmac(resp2, data))
hmackey = HmacKey.generate(self.session, 0, 'Generate HMAC', 1, caps,
hmactype)
resp = hmackey.sign_hmac(data)
self.assertEqual(len(resp), expect_len)
self.assertNotEqual(resp, resp2)
self.assertTrue(hmackey.verify_hmac(resp, data))
hmackey.delete()
def test_hmac_vectors(self):
key1_id = random.randint(1, 0xfffe)
key2_id = random.randint(1, 0xfffe)
key3_id = random.randint(1, 0xfffe)
key4_id = random.randint(1, 0xfffe)
caps = CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC
for v in self.vectors:
key1 = HmacKey.put(self.session, key1_id,
'Test HMAC Vectors 0x%04x' % key1_id, 1, caps,
v['key'], ALGORITHM.HMAC_SHA1)
key2 = HmacKey.put(self.session, key2_id,
'Test HMAC Vectors 0x%04x' % key2_id, 1, caps,
v['key'], ALGORITHM.HMAC_SHA256)
key3 = HmacKey.put(self.session, key3_id,
'Test HMAC Vectors 0x%04x' % key3_id, 1, caps,
v['key'], ALGORITHM.HMAC_SHA384)
key4 = HmacKey.put(self.session, key4_id,
'Test HMAC Vectors 0x%04x' % key4_id, 1, caps,
v['key'], ALGORITHM.HMAC_SHA512)
self.assertEqual(key1.sign_hmac(v['chal']), v['exp_sha1'])
self.assertEqual(key2.sign_hmac(v['chal']), v['exp_sha256'])
self.assertEqual(key3.sign_hmac(v['chal']), v['exp_sha384'])
self.assertEqual(key4.sign_hmac(v['chal']), v['exp_sha512'])
self.assertTrue(key1.verify_hmac(v['exp_sha1'], v['chal']))
self.assertTrue(key2.verify_hmac(v['exp_sha256'], v['chal']))
self.assertTrue(key3.verify_hmac(v['exp_sha384'], v['chal']))
self.assertTrue(key4.verify_hmac(v['exp_sha512'], v['chal']))
key1.delete()
key2.delete()
key3.delete()
key4.delete()
def test_generate_hmac(session, algorithm, expect_len):
caps = CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC
hmackey = HmacKey.generate(session, 0, "Generate HMAC", 1, caps, algorithm)
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
assert len(resp) == expect_len
assert hmackey.verify_hmac(resp, data)
resp2 = hmackey.sign_hmac(data)
assert len(resp2) == expect_len
assert resp == resp2
data = os.urandom(64)
resp2 = hmackey.sign_hmac(data)
assert len(resp2) == expect_len
assert resp != resp2
assert hmackey.verify_hmac(resp2, data)
hmackey = HmacKey.generate(session, 0, "Generate HMAC", 1, caps, algorithm)
resp = hmackey.sign_hmac(data)
assert len(resp) == expect_len
assert resp != resp2
assert hmackey.verify_hmac(resp, data)
hmackey.delete()
def test_hmac_vectors(session, vector):
key1_id = random.randint(1, 0xFFFE)
key2_id = random.randint(1, 0xFFFE)
key3_id = random.randint(1, 0xFFFE)
key4_id = random.randint(1, 0xFFFE)
caps = CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC
key1 = HmacKey.put(
session,
key1_id,
"Test HMAC Vectors 0x%04x" % key1_id,
1,
caps,
vector["key"],
ALGORITHM.HMAC_SHA1,
)
key2 = HmacKey.put(
session,
key2_id,
"Test HMAC Vectors 0x%04x" % key2_id,
1,
caps,
vector["key"],
ALGORITHM.HMAC_SHA256,
)
key3 = HmacKey.put(
session,
key3_id,
"Test HMAC Vectors 0x%04x" % key3_id,
1,
caps,
vector["key"],
ALGORITHM.HMAC_SHA384,
)
key4 = HmacKey.put(
session,
key4_id,
"Test HMAC Vectors 0x%04x" % key4_id,
1,
caps,
vector["key"],
ALGORITHM.HMAC_SHA512,
)
assert key1.sign_hmac(vector["chal"]) == vector["exp_sha1"]
assert key2.sign_hmac(vector["chal"]) == vector["exp_sha256"]
assert key3.sign_hmac(vector["chal"]) == vector["exp_sha384"]
assert key4.sign_hmac(vector["chal"]) == vector["exp_sha512"]
assert key1.verify_hmac(vector["exp_sha1"], vector["chal"])
assert key2.verify_hmac(vector["exp_sha256"], vector["chal"])
assert key3.verify_hmac(vector["exp_sha384"], vector["chal"])
assert key4.verify_hmac(vector["exp_sha512"], vector["chal"])
key1.delete()
key2.delete()
key3.delete()
key4.delete()
def test_hmac_vectors(self):
key1_id = random.randint(1, 0xFFFE)
key2_id = random.randint(1, 0xFFFE)
key3_id = random.randint(1, 0xFFFE)
key4_id = random.randint(1, 0xFFFE)
caps = CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC
for v in self.vectors:
key1 = HmacKey.put(
self.session,
key1_id,
"Test HMAC Vectors 0x%04x" % key1_id,
1,
caps,
v["key"],
ALGORITHM.HMAC_SHA1,
)
key2 = HmacKey.put(
self.session,
key2_id,
"Test HMAC Vectors 0x%04x" % key2_id,
1,
caps,
v["key"],
ALGORITHM.HMAC_SHA256,
)
key3 = HmacKey.put(
self.session,
key3_id,
"Test HMAC Vectors 0x%04x" % key3_id,
1,
caps,
v["key"],
ALGORITHM.HMAC_SHA384,
)
key4 = HmacKey.put(
self.session,
key4_id,
"Test HMAC Vectors 0x%04x" % key4_id,
1,
caps,
v["key"],
ALGORITHM.HMAC_SHA512,
)
self.assertEqual(key1.sign_hmac(v["chal"]), v["exp_sha1"])
self.assertEqual(key2.sign_hmac(v["chal"]), v["exp_sha256"])
self.assertEqual(key3.sign_hmac(v["chal"]), v["exp_sha384"])
self.assertEqual(key4.sign_hmac(v["chal"]), v["exp_sha512"])
self.assertTrue(key1.verify_hmac(v["exp_sha1"], v["chal"]))
self.assertTrue(key2.verify_hmac(v["exp_sha256"], v["chal"]))
self.assertTrue(key3.verify_hmac(v["exp_sha384"], v["chal"]))
self.assertTrue(key4.verify_hmac(v["exp_sha512"], v["chal"]))
key1.delete()
key2.delete()
key3.delete()
key4.delete()
def test_full_log(session):
hmackey = HmacKey.generate(
session,
0,
"Test Full Log",
1,
CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC,
ALGORITHM.HMAC_SHA256,
)
for i in range(0, 30):
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
assert len(resp) == 32
assert hmackey.verify_hmac(resp, data)
boot, auth, logs = session.get_log_entries()
last_digest = logs[0].digest
for i in range(1, len(logs)):
digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
digest.update(logs[i].data)
digest.update(last_digest)
last_digest = digest.finalize()[:16]
assert last_digest == logs[i].digest
def key_in_list(self, keytype, algorithm=None):
dom = None
cap = 0
key_label = "%s%s" % (str(
uuid.uuid4()), b"\xf0\x9f\x98\x83".decode("utf8"))
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(self.session, 0, key_label, dom, cap,
algorithm, cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
self.session,
0,
key_label,
dom,
cap,
0,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
objlist = self.session.list_objects(object_id=key.id,
object_type=key.object_type)
self.assertEqual(objlist[0].id, key.id)
self.assertEqual(objlist[0].object_type, key.object_type)
objinfo = objlist[0].get_info()
self.assertEqual(objinfo.id, key.id)
self.assertEqual(objinfo.object_type, key.object_type)
self.assertEqual(objinfo.domains, dom)
self.assertEqual(objinfo.capabilities, cap)
if algorithm:
self.assertEqual(objinfo.algorithm, algorithm)
if key.object_type == OBJECT.AUTHENTICATION_KEY:
self.assertEqual(objinfo.origin, ORIGIN.IMPORTED)
else:
self.assertEqual(objinfo.origin, ORIGIN.GENERATED)
self.assertEqual(objinfo.label, key_label)
key.delete()
def key_in_list(self, session, keytype, algorithm=None):
dom = None
cap = CAPABILITY.NONE
key_label = "%s%s" % (str(uuid.uuid4()), b"\xf0\x9f\x98\x83".decode())
key: YhsmObject
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(session, 0, key_label, dom, cap, algorithm,
cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(session, 0, key_label, dom, cap, algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
session,
0,
key_label,
dom,
cap,
cap,
"password",
)
objlist = session.list_objects(object_id=key.id,
object_type=key.object_type)
assert objlist[0].id == key.id
assert objlist[0].object_type == key.object_type
objinfo = objlist[0].get_info()
assert objinfo.id == key.id
assert objinfo.object_type == key.object_type
assert objinfo.domains == dom
assert objinfo.capabilities == cap
if algorithm:
assert objinfo.algorithm == algorithm
if key.object_type == OBJECT.AUTHENTICATION_KEY:
assert objinfo.origin == ORIGIN.IMPORTED
else:
assert objinfo.origin == ORIGIN.GENERATED
assert objinfo.label == key_label
key.delete()
def test_wrong_chain(self):
hmackey = HmacKey.generate(
self.session, 0, 'Test Log hash chain', 1,
CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC,
ALGORITHM.HMAC_SHA256)
boot, auth, logs = self.session.get_log_entries()
last_line = logs.pop()
self.session.set_log_index(last_line.number)
hmackey.sign_hmac(b'hello')
hmackey.sign_hmac(b'hello')
hmackey.sign_hmac(b'hello')
with self.assertRaises(ValueError):
self.session.get_log_entries(logs.pop()) # Wrong number
wrong_line = last_line._replace(digest=os.urandom(16))
with self.assertRaises(YubiHsmInvalidResponseError):
self.session.get_log_entries(wrong_line)
def test_forced_log(hsm, session):
boot, auth, logs = session.get_log_entries()
last_line = logs.pop()
session.set_log_index(last_line.number)
session.set_force_audit(AUDIT.ON)
assert session.get_force_audit() == AUDIT.ON
hmackey = HmacKey.generate(
session,
0,
"Test Force Log",
1,
CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC,
ALGORITHM.HMAC_SHA256,
)
error = 0
for i in range(0, 32):
try:
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
assert len(resp) == 32
assert hmackey.verify_hmac(resp, data)
except YubiHsmDeviceError as e:
error = e.code
assert error == ERROR.LOG_FULL
device_info = hsm.get_device_info()
assert device_info.log_used == device_info.log_size
boot, auth, logs = session.get_log_entries(last_line)
last_line = logs.pop()
session.set_log_index(last_line.number)
session.set_force_audit(AUDIT.OFF)
assert session.get_force_audit() == AUDIT.OFF
for i in range(0, 32):
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
assert len(resp) == 32
assert hmackey.verify_hmac(resp, data)
def test_forced_log(self):
boot, auth, logs = self.session.get_log_entries()
last_line = logs.pop()
self.session.set_log_index(last_line.number)
self.session.set_force_audit(AUDIT.ON)
self.assertEqual(self.session.get_force_audit(), AUDIT.ON)
hmackey = HmacKey.generate(
self.session,
0,
"Test Force Log",
1,
CAPABILITY.SIGN_HMAC | CAPABILITY.VERIFY_HMAC,
ALGORITHM.HMAC_SHA256,
)
error = 0
for i in range(0, 32):
try:
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
self.assertEqual(len(resp), 32)
self.assertTrue(hmackey.verify_hmac(resp, data))
except YubiHsmDeviceError as e:
error = e.code
self.assertEqual(error, ERROR.LOG_FULL)
device_info = self.hsm.get_device_info()
self.assertEqual(device_info.log_used, device_info.log_size)
boot, auth, logs = self.session.get_log_entries(last_line)
last_line = logs.pop()
self.session.set_log_index(last_line.number)
self.session.set_force_audit(AUDIT.OFF)
self.assertEqual(self.session.get_force_audit(), AUDIT.OFF)
for i in range(0, 32):
data = os.urandom(64)
resp = hmackey.sign_hmac(data)
self.assertEqual(len(resp), 32)
self.assertTrue(hmackey.verify_hmac(resp, data))
def test_hmac_key(hsm, session):
obj = HmacKey.put(session, 0, "Test delete HMAC", 1, CAPABILITY.SIGN_HMAC,
b"key")
_test_delete(hsm, session, obj, CAPABILITY.DELETE_HMAC_KEY)
def test_hmac_key(self):
obj = HmacKey.put(self.session, 0, 'Test delete HMAC', 1,
CAPABILITY.SIGN_HMAC, b'key')
self._test_delete(obj, CAPABILITY.DELETE_HMAC_KEY)