def test_generate_symmetric(self):
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = 'AES'
generate_dto = plugin_import.GenerateDTO(
secret.algorithm,
secret.bit_length,
None, None)
kek_meta = mock.MagicMock()
kek_meta.kek_label = 'pkek'
kek_meta.plugin_meta = ('{"iv": "iv==",'
'"hmac": "hmac",'
'"wrapped_key": "wrappedkey==",'
'"mkek_label": "mkek_label",'
'"hmac_label": "hmac_label"}')
response_dto = self.plugin.generate_symmetric(generate_dto,
kek_meta,
mock.MagicMock())
self.assertEqual(response_dto.cypher_text, b'0')
self.assertIn('iv', response_dto.kek_meta_extended)
self.assertEqual(self.pkcs11.get_key_handle.call_count, 2)
self.assertEqual(self.pkcs11.get_session.call_count, 2)
self.assertEqual(self.pkcs11.generate_random.call_count, 1)
self.assertEqual(self.pkcs11.verify_hmac.call_count, 1)
self.assertEqual(self.pkcs11.unwrap_key.call_count, 1)
self.assertEqual(self.pkcs11.encrypt.call_count, 1)
self.assertEqual(self.pkcs11.return_session.call_count, 1)
def test_generate_1024_bit_DSA_key_with_passphrase(self):
generate_dto = plugin.GenerateDTO('dsa', 1024, None, 'Passphrase')
kek_meta_dto = self._get_mocked_kek_meta_dto()
self.assertRaises(ValueError, self.plugin.generate_asymmetric,
generate_dto,
kek_meta_dto,
mock.MagicMock())
def test_generate_2048_bit_DSA_key(self):
generate_dto = plugin.GenerateDTO('dsa', 2048, None, None)
kek_meta_dto = self._get_mocked_kek_meta_dto()
self.assertRaises(ValueError, self.plugin.generate_asymmetric,
generate_dto,
kek_meta_dto,
mock.MagicMock())
def generate_symmetric_key(self, key_spec, context):
"""Generate a symmetric key.
:param key_spec: KeySpec that contains details on the type of key to
generate
:param context: StoreCryptoContext for secret
:returns: a dictionary that contains metadata about the key
"""
# Find HSM-style 'crypto' plugin.
plugin_type = _determine_generation_type(key_spec.alg)
if crypto.PluginSupportTypes.SYMMETRIC_KEY_GENERATION != plugin_type:
raise sstore.SecretAlgorithmNotSupportedException(key_spec.alg)
generating_plugin = manager.get_manager().get_plugin_store_generate(
plugin_type, key_spec.alg, key_spec.bit_length, key_spec.mode)
# Find or create a key encryption key metadata.
kek_datum_model, kek_meta_dto = _find_or_create_kek_objects(
generating_plugin, context.project_model)
# Create an encrypted datum instance and add the created cypher text.
generate_dto = crypto.GenerateDTO(key_spec.alg, key_spec.bit_length,
key_spec.mode, None)
# Create the encrypted meta.
response_dto = generating_plugin.generate_symmetric(
generate_dto, kek_meta_dto, context.project_model.external_id)
# Convert binary data into a text-based format.
_store_secret_and_datum(context, context.secret_model, kek_datum_model,
response_dto)
return None
def test_generate_calls_generate_random(self):
with mock.patch.object(self.plugin, 'encrypt') as encrypt_mock:
encrypt_mock.return_value = None
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "AES"
generate_dto = plugin_import.GenerateDTO(secret.algorithm,
secret.bit_length, None,
None)
self.plugin.generate_symmetric(generate_dto, mock.MagicMock(),
mock.MagicMock())
self.assertEqual(self.lib.C_GenerateRandom.call_count, 2)
def generate_asymmetric_key(self, key_spec, context):
"""Generates an asymmetric key.
Returns a AsymmetricKeyMetadataDTO object containing
metadata(s) for asymmetric key components. The metadata
can be used to retrieve individual components of
asymmetric key pair.
"""
plugin_type = _determine_generation_type(key_spec.alg)
if crypto.PluginSupportTypes.ASYMMETRIC_KEY_GENERATION != plugin_type:
raise sstore.SecretAlgorithmNotSupportedException(key_spec.alg)
generating_plugin = manager.get_manager().get_plugin_store_generate(
plugin_type, key_spec.alg, key_spec.bit_length,
project_id=context.project_model.id)
# Find or create a key encryption key metadata.
kek_datum_model, kek_meta_dto = _find_or_create_kek_objects(
generating_plugin, context.project_model)
generate_dto = crypto.GenerateDTO(key_spec.alg,
key_spec.bit_length,
None, key_spec.passphrase)
# Create the encrypted meta.
private_key_dto, public_key_dto, passwd_dto = (
generating_plugin.generate_asymmetric(
generate_dto, kek_meta_dto, context.project_model.external_id
)
)
_store_secret_and_datum(
context,
context.private_secret_model,
kek_datum_model,
private_key_dto)
_store_secret_and_datum(
context,
context.public_secret_model,
kek_datum_model,
public_key_dto)
if key_spec.passphrase and passwd_dto:
_store_secret_and_datum(
context,
context.passphrase_secret_model,
kek_datum_model,
passwd_dto)
return sstore.AsymmetricKeyMetadataDTO()
def test_generate_1024_bit_RSA_key_in_pem(self):
generate_dto = plugin.GenerateDTO('rsa', 1024, None, 'changeme')
kek_meta_dto = self._get_mocked_kek_meta_dto()
private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric(
generate_dto, kek_meta_dto, mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
private_dto.kek_meta_extended,
mock.MagicMock())
private_dto = RSA.importKey(private_dto, 'changeme')
self.assertTrue(private_dto.has_private())
def test_generate_128_bit_hmac_key(self):
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "hmacsha256"
kek_meta_dto = self._get_mocked_kek_meta_dto()
generate_dto = plugin.GenerateDTO(secret.algorithm, secret.bit_length,
None, None)
response_dto = self.plugin.generate_symmetric(generate_dto,
kek_meta_dto,
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text)
key = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
response_dto.kek_meta_extended,
mock.MagicMock())
self.assertEqual(16, len(key))
def test_generate_1024_DSA_key_in_pem_and_reconstruct_key_der(self):
generate_dto = plugin.GenerateDTO('dsa', 1024, None, None)
kek_meta_dto = self._get_mocked_kek_meta_dto()
private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric(
generate_dto, kek_meta_dto, mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
private_dto.kek_meta_extended,
mock.MagicMock())
prv_seq = asn1.DerSequence()
prv_seq.decode(private_dto)
p, q, g, y, x = prv_seq[1:]
private_dto = DSA.construct((y, g, p, q, x))
self.assertTrue(private_dto.has_private())
def test_generate_asymmetric_1024_bit_key(self):
generate_dto = plugin.GenerateDTO('rsa', 1024, None, None)
kek_meta_dto = self._get_mocked_kek_meta_dto()
private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric(
generate_dto, kek_meta_dto, mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
private_dto.kek_meta_extended,
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(public_dto.cypher_text)
public_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
public_dto.kek_meta_extended,
mock.MagicMock())
public_dto = RSA.importKey(public_dto)
private_dto = RSA.importKey(private_dto)
self.assertEqual(1023, public_dto.size())
self.assertEqual(1023, private_dto.size())
self.assertTrue(private_dto.has_private)
