def test_ecdsa_signverify(curve, hashname):
key_object = objects.ECCKey(0xE100)
pkey, _ = crypto.generate_pair(key_object, curve=curve)
key_object_fail = objects.ECCKey(0xE101)
pkey_fail, _ = crypto.generate_pair(key_object_fail, curve=curve)
ha = hashname
s = crypto.ecdsa_sign(key_object, tbs_str)
print('[{}]'.format(', '.join(hex(x) for x in list(s.signature))))
# Preparing a PublicKeyInfo
pubkey_info = keys.PublicKeyInfo.load(pkey)
# Load a public key into the oscrypto engine to using it in the verify function
public = load_public_key(pubkey_info)
ecdsa_verify(public, s.signature, tbs_str, ha)
# Assert wrong text
with pytest.raises(SignatureError):
ecdsa_verify(public, s.signature, tbs_str_fail, ha)
# Assert wrong key
with pytest.raises(SignatureError):
# Preparing a PublicKeyInfo
pubkey_info = keys.PublicKeyInfo.load(pkey_fail)
# Load a public key into the oscrypto engine to using it in the verify function
public = load_public_key(pubkey_info)
ecdsa_verify(public, s.signature, tbs_str, ha)
def test_keypair_faulty():
with pytest.raises(ValueError):
key_object = objects.ECCKey(0xe0f1)
pkey, _ = optiga_ec.generate_pair(key_object, curve='secp384')
with pytest.raises(ValueError):
key_object = objects.ECCKey(0xe0fc)
pkey, _ = optiga_ec.generate_pair(key_object, curve='secp384r1')
def test_meta_check_key_usage_ecc():
obj = objects.ECCKey(0xe0f1)
crypto.generate_pair(key_object=obj,
curve='secp256r1',
key_usage=['signature', 'authentication'])
assert ['signature', 'authentication'] == obj.meta['key_usage'] or \
['authentication', 'signature'] == obj.meta['key_usage']
def test_ecdh_external(curve, hazmat_curve):
key_object = objects.ECCKey(0xe0f1)
_, _ = optiga_ec.generate_pair(key_object, curve)
private_key = ec.generate_private_key(hazmat_curve, default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
_ = optiga_ec.ecdh(key_object, peer_public_key, export=True)
def test_meta_assign_execute_ac():
obj = objects.ECCKey(0xe0f0)
old_meta = {'execute': obj.meta['execute']}
obj.meta = {'execute': 'never'}
with pytest.raises(IOError):
print(crypto.ecdsa_sign(obj, b'\x00\x00\x00'))
obj.meta = old_meta
def test_ecdh_faulty():
with pytest.raises(IOError):
key_object = objects.ECCKey(0xe0f1)
pkey, _ = optiga_ec.generate_pair(
key_object,
curve='secp384r1',
key_usage=['authentication', 'signature'])
# key agreement hasnt been selected, thus an error
optiga_ec.ecdh(key_object, pkey)
def test_ecdsa(oid, curve, max_sign_size, hashname):
key_object = objects.ECCKey(oid)
_, _ = crypto.generate_pair(key_object, curve=curve)
s = crypto.ecdsa_sign(key_object, tbs_str)
assert isinstance(s.signature, bytes)
assert len(s.signature) > 0
assert len(s.signature) <= max_sign_size
assert s.hash_alg == hashname
assert s.algorithm == hashname + '_ecdsa'
def test_hkdf(hash_alg, hazmat_curve, curve):
key = objects.ECCKey(0xe0f1)
_, _ = optiga_ec.generate_pair(key, curve=curve)
private_key = ec.generate_private_key(hazmat_curve, default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
optiga_ec.ecdh(key, peer_public_key)
ses = objects.AcquiredSession()
derived_key = optiga_ec.hkdf(ses, 32, hash_algorithm=hash_alg, export=True)
def test_keypair_x_y(oid, curve, pub_key_size):
key_object = objects.ECCKey(oid)
pkey, _ = optiga_ec.generate_pair(key_object, curve=curve)
pkey, key = optiga_ec.generate_pair(key_object, curve=curve, export=True)
assert isinstance(pkey, bytes)
assert isinstance(key, bytes)
assert len(pkey) > 0
assert len(key) > 0
assert len(pkey) == pub_key_size
assert key_object.id == oid
assert key_object.curve == curve
def test_hmac(hash_alg, hazmat_curve, curve):
key = objects.ECCKey(0xe0f1)
_, _ = optiga_ec.generate_pair(key, curve=curve)
private_key = ec.generate_private_key(hazmat_curve, default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
optiga_ec.ecdh(key, peer_public_key)
data = 'Hello world!'
ses = objects.AcquiredSession()
mac = optiga_ec.hmac(ses, str.encode(data), hash_algorithm=hash_alg)
def test_ecdh_verify():
key_object = objects.ECCKey(0xe0f1)
int_key_bytes, _ = optiga_ec.generate_pair(key_object, 'secp256r1')
private_key = ec.generate_private_key(ec.SECP256R1(), default_backend())
peer_public_key = private_key.public_key().public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
shared_secret = optiga_ec.ecdh(key_object, peer_public_key, export=True)
key = load_der_public_key(int_key_bytes, default_backend())
shared_secret_to_check = private_key.exchange(ec.ECDH(), key)
assert shared_secret == shared_secret_to_check
def test_csr_ecc(ki):
csr_key_obj = objects.ECCKey(0xe0f3)
pkey, _ = crypto.generate_pair(key_object=csr_key_obj, curve=ki)
builder = CSRBuilder(
{
'country_name': 'DE',
'state_or_province_name': 'Bayern',
'organization_name': 'Infineon Technologies AG',
'common_name': 'OPTIGA(TM) Trust IoT',
}, pkey)
builder.build(csr_key_obj)
def test_meta_check_algorithm_ecc(curve):
obj = objects.ECCKey(0xe0f1)
crypto.generate_pair(key_object=obj, curve=curve)
assert curve == obj.meta['algorithm']
def test_meta_read_key_meta():
obj = objects.ECCKey(0xe0f0)
print(obj.meta)
obj = objects.RSAKey(0xe0fc)
print(obj.meta)
def test_keypair_default():
key_object = objects.ECCKey(0xe0f1)
pkey, _ = optiga_ec.generate_pair(key_object, curve='secp256r1')
assert isinstance(pkey, bytes)
assert len(pkey) > 0
assert key_object.meta['algorithm'] == 'secp256r1'
def test_keypair_x_y_private_key_import(oid, curve):
key_object = objects.ECCKey(oid)
_, key = optiga_ec.generate_pair(key_object, curve=curve, export=True)
parsed_key = serialization.load_der_private_key(key, password=None, backend=default_backend())
assert isinstance(parsed_key, ec.EllipticCurvePrivateKey)
def test_keypair_x_y_public_key_import(oid, curve):
key_object = objects.ECCKey(oid)
pkey, _ = optiga_ec.generate_pair(key_object, curve=curve)
parsed_key = serialization.load_der_public_key(pkey, backend=default_backend())
assert isinstance(parsed_key, ec.EllipticCurvePublicKey)