def test_wrap_data_many(self):
key_label = "wrap key"
raw_key = os.urandom(24)
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.WRAP_DATA,
ALGORITHM.AES192_CCM_WRAP,
0,
raw_key,
)
u_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.UNWRAP_DATA,
ALGORITHM.AES192_CCM_WRAP,
0,
raw_key,
)
for l in range(1, 64):
data = os.urandom(l)
wrap = w_key.wrap_data(data)
with self.assertRaises(YubiHsmDeviceError) as context:
u_key.wrap_data(data)
self.assertTrue("INVALID_DATA" in str(context.exception))
plain = u_key.unwrap_data(wrap)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.unwrap_data(wrap)
self.assertTrue("INVALID_DATA" in str(context.exception))
self.assertEqual(data, plain)
def test_wrap_data_many(session):
key_label = "wrap key"
raw_key = os.urandom(24)
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.WRAP_DATA,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.NONE,
raw_key,
)
u_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.UNWRAP_DATA,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.NONE,
raw_key,
)
for ln in range(1, 64):
data = os.urandom(ln)
wrap = w_key.wrap_data(data)
with pytest.raises(YubiHsmDeviceError) as context:
u_key.wrap_data(data)
assert context.value.code == ERROR.INVALID_DATA
plain = u_key.unwrap_data(wrap)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.unwrap_data(wrap)
assert context.value.code == ERROR.INVALID_DATA
assert data == plain
def test_import_wrap_overwrite(self):
key_label = "wrap key"
raw_key = os.urandom(24)
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque = Opaque.put(
self.session,
0,
"Test Opaque Object",
0xFFFF,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.OPAQUE_DATA,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
opaque_wrapped = w_key.export_wrapped(opaque)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
self.assertTrue("OBJECT_EXISTS" in str(context.exception))
opaque.delete()
opaque = w_key.import_wrapped(opaque_wrapped)
self.assertEqual(opaque.get(), b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa")
with self.assertRaises(YubiHsmDeviceError) as context:
opaque = w_key.import_wrapped(opaque_wrapped)
self.assertTrue("OBJECT_EXISTS" in str(context.exception))
def test_more_wrap_data(session):
w_id = random.randint(1, 0xFFFE)
key_label = "Key in List 0x%04x" % w_id
for size in (16, 24, 32):
if size == 16:
a = ALGORITHM.AES128_CCM_WRAP
elif size == 24:
a = ALGORITHM.AES192_CCM_WRAP
elif size == 32:
a = ALGORITHM.AES256_CCM_WRAP
key = WrapKey.put(
session,
w_id,
key_label,
1,
CAPABILITY.WRAP_DATA | CAPABILITY.UNWRAP_DATA,
a,
CAPABILITY.NONE,
os.urandom(size),
)
data = os.urandom(size)
wrap = key.wrap_data(data)
plain = key.unwrap_data(wrap)
assert data == plain
key.delete()
def test_import_wrap_overwrite(session):
key_label = "wrap key"
raw_key = os.urandom(24)
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque = Opaque.put(
session,
0,
"Test Opaque Object",
0xFFFF,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.OPAQUE_DATA,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
opaque_wrapped = w_key.export_wrapped(opaque)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
assert context.value.code == ERROR.OBJECT_EXISTS
opaque.delete()
opaque = w_key.import_wrapped(opaque_wrapped)
assert opaque.get() == b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
with pytest.raises(YubiHsmDeviceError) as context:
opaque = w_key.import_wrapped(opaque_wrapped)
assert context.value.code == ERROR.OBJECT_EXISTS
def generate_wrap(self):
w_id = random.randint(1, 0xFFFE)
a_id = random.randint(1, 0xFFFE)
wrapkey = WrapKey.generate(
self.session,
w_id,
"Generate Wrap 0x%04x" % w_id,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
)
asymkey = AsymmetricKey.generate(
self.session,
a_id,
"Generate Wrap 0x%04x" % a_id,
0xFFFF,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.EC_P256,
)
origin = asymkey.get_info().origin
self.assertEqual(origin, 0x01)
self.assertTrue(origin.generated)
self.assertFalse(origin.imported)
self.assertFalse(origin.wrapped)
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapped = wrapkey.export_wrapped(asymkey)
wrapped2 = wrapkey.export_wrapped(asymkey)
self.assertNotEqual(wrapped, wrapped2)
asymkey.delete()
self.assertRaises(YubiHsmDeviceError, asymkey.get_public_key)
asymkey = wrapkey.import_wrapped(wrapped)
origin = asymkey.get_info().origin
self.assertEqual(origin, 0x11)
self.assertTrue(origin.generated)
self.assertFalse(origin.imported)
self.assertTrue(origin.wrapped)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
self.assertNotEqual(resp, None)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapkey.delete()
def test_export_wrap(self):
w_id = random.randint(1, 0xfffe)
wrapkey = WrapKey.put(
self.session, w_id, 'Test Export Wrap 0x%04x' % w_id, 1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
os.urandom(24))
eckey = ec.generate_private_key(ec.SECP384R1(),
backend=default_backend())
a_id = random.randint(1, 0xfffe)
asymkey = AsymmetricKey.put(
self.session, a_id, 'Test Export Wrap 0x%04x' % a_id, 0xffff,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP, eckey)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data, hash=hashes.SHA384())
eckey.public_key().verify(resp, data, ec.ECDSA(hashes.SHA384()))
wrapped = wrapkey.export_wrapped(asymkey)
# NOTE: the code below works to decrypt a wrapped object, but relies on
# understanding the internal object representation which we don't feel
# like doing here.
# nonce = wrapped[:13]
# data = wrapped[13:-8]
# nonce = '\x01' + nonce + '\x00\x01'
# decryptor = Cipher(algorithms.AES(wrapkey.key),
# mode=modes.CTR(nonce),
# backend=default_backend()).decryptor()
# dec = decryptor.update(data)
# numbers = eckey.private_numbers()
# serialized = int_from_bytes(numbers.private_value, 'big')
# self.assertEqual(serialized, dec[-len(serialized):])
asymkey.delete()
asymkey = wrapkey.import_wrapped(wrapped)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data, hash=hashes.SHA384())
eckey.public_key().verify(resp, data, ec.ECDSA(hashes.SHA384()))
asymkey.delete()
asymkey = wrapkey.import_wrapped(wrapped)
self.assertIsInstance(asymkey, AsymmetricKey)
def test_wrap_key(hsm, session):
obj = WrapKey.put(
session,
0,
"Test delete",
1,
CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.NONE,
os.urandom(24),
)
_test_delete(hsm, session, obj, CAPABILITY.DELETE_WRAP_KEY)
def test_wrap_key(self):
obj = WrapKey.put(
self.session,
0,
"Test delete",
1,
CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
0,
os.urandom(24),
)
self._test_delete(obj, CAPABILITY.DELETE_WRAP_KEY)
def test_generate_wrap(session):
w_id = random.randint(1, 0xFFFE)
a_id = random.randint(1, 0xFFFE)
wrapkey = WrapKey.generate(
session,
w_id,
"Generate Wrap 0x%04x" % w_id,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
)
asymkey = AsymmetricKey.generate(
session,
a_id,
"Generate Wrap 0x%04x" % a_id,
0xFFFF,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.EC_P256,
)
origin = asymkey.get_info().origin
assert origin == ORIGIN.GENERATED
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapped = wrapkey.export_wrapped(asymkey)
wrapped2 = wrapkey.export_wrapped(asymkey)
assert wrapped != wrapped2
asymkey.delete()
pytest.raises(YubiHsmDeviceError, asymkey.get_public_key)
asymkey = wrapkey.import_wrapped(wrapped)
origin = asymkey.get_info().origin
assert origin == ORIGIN.IMPORTED_WRAPPED | ORIGIN.GENERATED
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
assert resp is not None
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapkey.delete()
def key_in_list(self, keytype, algorithm=None):
dom = None
cap = 0
key_label = "%s%s" % (str(
uuid.uuid4()), b"\xf0\x9f\x98\x83".decode("utf8"))
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(self.session, 0, key_label, dom, cap,
algorithm, cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
self.session,
0,
key_label,
dom,
cap,
0,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
objlist = self.session.list_objects(object_id=key.id,
object_type=key.object_type)
self.assertEqual(objlist[0].id, key.id)
self.assertEqual(objlist[0].object_type, key.object_type)
objinfo = objlist[0].get_info()
self.assertEqual(objinfo.id, key.id)
self.assertEqual(objinfo.object_type, key.object_type)
self.assertEqual(objinfo.domains, dom)
self.assertEqual(objinfo.capabilities, cap)
if algorithm:
self.assertEqual(objinfo.algorithm, algorithm)
if key.object_type == OBJECT.AUTHENTICATION_KEY:
self.assertEqual(objinfo.origin, ORIGIN.IMPORTED)
else:
self.assertEqual(objinfo.origin, ORIGIN.GENERATED)
self.assertEqual(objinfo.label, key_label)
key.delete()
def test_wrap_data(self):
w_id = random.randint(1, 0xfffe)
key_label = 'Key in List 0x%04x' % w_id
key = WrapKey.generate(self.session, w_id, key_label, 1,
CAPABILITY.WRAP_DATA | CAPABILITY.UNWRAP_DATA,
ALGORITHM.AES256_CCM_WRAP, 0)
for size in (1, 16, 128, 1024, 1989):
data = os.urandom(size)
wrapped = key.wrap_data(data)
data2 = key.unwrap_data(wrapped)
self.assertEqual(data, data2)
def key_in_list(self, session, keytype, algorithm=None):
dom = None
cap = CAPABILITY.NONE
key_label = "%s%s" % (str(uuid.uuid4()), b"\xf0\x9f\x98\x83".decode())
key: YhsmObject
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(session, 0, key_label, dom, cap, algorithm,
cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(session, 0, key_label, dom, cap, algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
session,
0,
key_label,
dom,
cap,
cap,
"password",
)
objlist = session.list_objects(object_id=key.id,
object_type=key.object_type)
assert objlist[0].id == key.id
assert objlist[0].object_type == key.object_type
objinfo = objlist[0].get_info()
assert objinfo.id == key.id
assert objinfo.object_type == key.object_type
assert objinfo.domains == dom
assert objinfo.capabilities == cap
if algorithm:
assert objinfo.algorithm == algorithm
if key.object_type == OBJECT.AUTHENTICATION_KEY:
assert objinfo.origin == ORIGIN.IMPORTED
else:
assert objinfo.origin == ORIGIN.GENERATED
assert objinfo.label == key_label
key.delete()
def test_wrap_data(session):
w_id = random.randint(1, 0xFFFE)
key_label = "Key in List 0x%04x" % w_id
key = WrapKey.generate(
session,
w_id,
key_label,
1,
CAPABILITY.WRAP_DATA | CAPABILITY.UNWRAP_DATA,
ALGORITHM.AES256_CCM_WRAP,
CAPABILITY.NONE,
)
for size in (1, 16, 128, 1024, 1989):
data = os.urandom(size)
wrapped = key.wrap_data(data)
data2 = key.unwrap_data(wrapped)
assert data == data2
def test_more_wrap_data(self):
w_id = random.randint(1, 0xfffe)
key_label = 'Key in List 0x%04x' % w_id
for size in (16, 24, 32):
if size == 16:
a = ALGORITHM.AES128_CCM_WRAP
elif size == 24:
a = ALGORITHM.AES192_CCM_WRAP
elif size == 32:
a = ALGORITHM.AES256_CCM_WRAP
key = WrapKey.put(self.session, w_id, key_label, 1,
CAPABILITY.WRAP_DATA | CAPABILITY.UNWRAP_DATA, a,
0, os.urandom(size))
data = os.urandom(size)
wrap = key.wrap_data(data)
plain = key.unwrap_data(wrap)
self.assertEqual(data, plain)
key.delete()
def test_import_wrap_permissions(self):
key_label = "wrap key"
raw_key = os.urandom(24)
opaque = Opaque.put(
self.session,
0,
"Test Opaque Object",
0xFFFF,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.OPAQUE_DATA,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
0,
raw_key,
)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception))
w_key.delete()
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
w_key.id += 1
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
self.assertTrue("OBJECT_NOT_FOUND" in str(context.exception))
w_key.id -= 1
w_key.delete()
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception))
w_key.delete()
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque_wrapped = w_key.export_wrapped(opaque)
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception))
w_key.delete()
w_key = WrapKey.put(
self.session,
0,
key_label,
1,
CAPABILITY.IMPORT_WRAPPED | CAPABILITY.EXPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque_wrapped = w_key.export_wrapped(opaque)
opaque.delete()
w_key.id += 1
with self.assertRaises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
self.assertTrue("OBJECT_NOT_FOUND" in str(context.exception))
w_key.id -= 1
opaque = w_key.import_wrapped(opaque_wrapped)
self.assertEqual(opaque.get(), b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa")
def test_import_wrap_permissions(session):
key_label = "wrap key"
raw_key = os.urandom(24)
opaque = Opaque.put(
session,
0,
"Test Opaque Object",
0xFFFF,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.OPAQUE_DATA,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.NONE,
raw_key,
)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS
w_key.delete()
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
w_key.id += 1
with pytest.raises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
assert context.value.code == ERROR.OBJECT_NOT_FOUND
w_key.id -= 1
w_key.delete()
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.export_wrapped(opaque)
assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS
w_key.delete()
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.EXPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque_wrapped = w_key.export_wrapped(opaque)
with pytest.raises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS
w_key.delete()
w_key = WrapKey.put(
session,
0,
key_label,
1,
CAPABILITY.IMPORT_WRAPPED | CAPABILITY.EXPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.EXPORTABLE_UNDER_WRAP,
raw_key,
)
opaque_wrapped = w_key.export_wrapped(opaque)
opaque.delete()
w_key.id += 1
with pytest.raises(YubiHsmDeviceError) as context:
w_key.import_wrapped(opaque_wrapped)
assert context.value.code == ERROR.OBJECT_NOT_FOUND
w_key.id -= 1
opaque = w_key.import_wrapped(opaque_wrapped)
assert opaque.get() == b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
