def suite():
    """
    Build the test suite containing all our tests.

    If the environment variable 'YHSM_ZAP' is set and evaluates to true,
    the special test case class that wipes the current YubiHSM configuration
    and re-creates it with well-known keys (used by the other tests) is
    included. NOTE that this is ONLY POSSIBLE when the YubiHSM is already
    in DEBUG mode.

    Before anything else a YubiHSM must be reachable on YHSM_DEVICE
    (default /dev/ttyACM0); its keystore is then deliberately locked by
    attempting an unlock with a passphrase that cannot be correct.

    NOTE(review): this excerpt stops after the HSM probe; the suite
    construction the docstring describes is not visible here.
    """

    global test_modules

    # Probe for the YubiHSM and lock its keystore up front by presenting a
    # bogus passphrase. The firmware reports that failure with a status code
    # that depends on its generation, so only the expected codes are
    # tolerated; anything else is a real error and propagates to the caller.
    # XXX produce a better error message than 'error: None' when initializing fails
    hsm = pyhsm.YHSM(device=os.getenv('YHSM_DEVICE', '/dev/ttyACM0'))
    try:
        hsm.unlock("BADPASSPHRASE99")
    except pyhsm.exception.YHSM_CommandFailed as err:
        if hsm.version.have_key_store_decrypt():
            # Newer firmware answers a wrong passphrase with a plain mismatch.
            expected = (pyhsm.defines.YSM_MISMATCH,)
        else:
            # Older firmware reports either a locked store or a disabled function.
            expected = (pyhsm.defines.YSM_KEY_STORAGE_LOCKED,
                        pyhsm.defines.YSM_FUNCTION_DISABLED)
        if err.status not in expected:
            raise
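    def __init__(self, filename, debug):
        """
        Load the API configuration from ``filename`` and set up the keystore
        and (optionally) the YubiHSM used for OATH AEADs.

        :param filename: path of the INI-style configuration file to read
        :param debug: stored (stringified) as the 'debug' default handed to
            ConfigParser
        :raises EduIDAPIError: if the file cannot be read, if YubiHSM settings
            are present but ``pyhsm`` cannot be imported, or if opening the
            YubiHSM fails
        """
        self.section = _CONFIG_SECTION
        # NOTE: this writes into the module-level defaults dict, so the debug
        # value of the most recent instance is visible to anything else that
        # reads _CONFIG_DEFAULTS. Preserved as-is for compatibility.
        _CONFIG_DEFAULTS['debug'] = str(debug)
        self.config = ConfigParser.ConfigParser(_CONFIG_DEFAULTS)
        if not self.config.read([filename]):
            raise EduIDAPIError(
                "Failed loading config file {!r}".format(filename))
        # 'add_raw_allow' is a comma-separated list; split on comma and strip
        # whitespace once here and cache the result.
        tmp_add_raw_allow = str(self.config.get(self.section,
                                                'add_raw_allow'))  # for pylint
        self._parsed_add_raw_allow = \
            [x.strip() for x in tmp_add_raw_allow.split(',')]
        # self.keystore_fn is not assigned in this method - presumably a
        # property that reads the config (not visible in this excerpt).
        self.keys = eduid_api.keystore.KeyStore(self.keystore_fn)

        self._parsed_oath_aead_keyhandle = None
        self.yhsm = None
        kh_str = self.config.get(self.section, 'oath_aead_keyhandle')
        # Only touch pyhsm when a YubiHSM device or an OATH key handle is
        # configured; self.oath_yhsm_device is likewise presumably a property.
        if self.oath_yhsm_device or kh_str:
            try:
                import pyhsm
                if kh_str:
                    self._parsed_oath_aead_keyhandle = pyhsm.util.key_handle_to_int(
                        kh_str.strip())
                try:
                    self.yhsm = pyhsm.YHSM(device=self.oath_yhsm_device)
                    # stir up the pool: pull (and discard) a few random blocks
                    # from the HSM right after opening it. The exact intent is
                    # not visible here - presumably warming the device RNG.
                    for _ in range(10):
                        self.yhsm.random(32)
                except pyhsm.exception.YHSM_Error as e:
                    # Carry the underlying error along so an operator can tell
                    # a missing device from a locked keystore from the log.
                    raise EduIDAPIError('YubiHSM init error: {!s}'.format(e))
            except ImportError:
                raise EduIDAPIError(
                    "yhsm settings present, but import of pyhsm failed")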
def main():
    """
    Entry point: open the YubiHSM named on the command line, generate an
    AEAD for the requested entry and hand it to display_oath_entry, whose
    result is returned.
    """
    options = parse_args()
    args_fixup(options)

    # NOTE(review): debug=True on pyhsm presumably echoes the raw device
    # traffic, which here includes the freshly generated AEAD - keep it off on
    # shared hosts. Confirm against pyhsm.YHSM before relying on this.
    hsm_conn = pyhsm.YHSM(device=options.device, debug=options.debug)

    nonce, aead = generate_aead(hsm_conn, options)
    return display_oath_entry(options, nonce, aead)
def main():
    """
    Entry point: generate an AEAD on the YubiHSM, validate an OATH code
    against it and store the resulting entry.

    Returns 1 when storing fails; otherwise falls off the end (None).
    """
    options = parse_args()
    args_fixup(options)

    print("Key handle		: %s" % (options.key_handle))
    print("YHSM device		: %s" % (options.device))
    print("")

    # NOTE(review): debug=True presumably echoes raw HSM traffic, AEAD
    # included - confirm in pyhsm before enabling outside a lab.
    hsm_conn = pyhsm.YHSM(device=options.device, debug=options.debug)

    nonce, aead = generate_aead(hsm_conn, options)
    oath_c = validate_oath_c(hsm_conn, options, nonce, aead)
    stored = store_oath_entry(options, nonce, aead, oath_c)
    if not stored:
        return 1
def main():
    """
    Entry point for the validation CLI: validate either a YubiKey OTP
    (``--otp``) or an OATH code (``--oath``) against the YubiHSM.

    Returns the status of the chosen validator, or 1 when neither was
    requested.
    """
    options = parse_args()

    if options.debug:
        print("YHSM device		: %s" % (options.device))
        print("")

    hsm_conn = pyhsm.YHSM(device=options.device, debug=options.debug)

    # --otp takes precedence when both are given (same order as the
    # original if/elif chain).
    if options.otp:
        return validate_otp(hsm_conn, options)
    if options.oath:
        return validate_oath(hsm_conn, options)
    return 1
def main():
    """
    Entry point: unwrap an AEAD into the YubiHSM's temporary key handle and
    print the HMAC-SHA1 of ``--data`` computed under that key, as hex.

    Always returns True.
    """
    options = parse_args()
    args_fixup(options)

    hsm_conn = pyhsm.YHSM(device=options.device, debug=options.debug)

    # All three inputs arrive as hex strings on the command line.
    nonce_bytes = options.nonce.decode('hex')
    aead_bytes = options.aead.decode('hex')
    payload = options.data.decode('hex')

    # The AEAD is unwrapped under key_handle into the temp key slot and the
    # HMAC is then computed by the HSM itself, not in this process.
    hsm_conn.load_temp_key(nonce_bytes, options.key_handle, aead_bytes)
    digest = hsm_conn.hmac_sha1(pyhsm.defines.YSM_TEMP_KEY_HANDLE,
                                payload).get_hash()
    print(digest.encode('hex'))

    # NOTE(review): returning True from main() is unusual - sys.exit(True)
    # maps to exit status 1. The caller is not visible here; confirm.
    return True
def main():
    """
    Entry point: generate ``count`` keys starting at ``start_id`` and write
    them, wrapped under the given key handles, into ``output_dir``.
    """
    options = parse_args()
    args_fixup(options)

    print("output dir		: %s" % (options.output_dir))
    print("keys to generate	: %s" % (options.count))
    print("key handles		: %s" % (options.key_handles))
    print("start public_id		: %s (0x%x)" % (options.start_id, options.start_id))
    print("YHSM device		: %s" % (options.device))
    print("")

    # A regular file at the device path selects the software HSM, anything
    # else is opened as a real YubiHSM.
    # NOTE(review): the choice is made purely by os.path.isfile(), so a stray
    # regular file at the expected device path silently moves key generation
    # into software; an explicit flag would be safer. The soft-HSM file
    # presumably holds the wrapping keys in the clear - confirm in
    # pyhsm.soft_hsm and protect its permissions accordingly.
    use_soft_hsm = os.path.isfile(options.device)
    if use_soft_hsm:
        hsm_conn = pyhsm.soft_hsm.SoftYHSM.from_file(options.device)
    else:
        hsm_conn = pyhsm.YHSM(device=options.device)

    gen_keys(hsm_conn, options)
def main():
    """
    Entry point: search the OATH-HOTP look-ahead window for ``--token`` and
    print the new counter on success, or ``FAIL`` otherwise.

    Returns True on success, False on failure.
    """
    options = parse_args()
    args_fixup(options)

    hsm_conn = pyhsm.YHSM(device=options.device, debug=options.debug)

    nonce_bytes = options.nonce.decode('hex')
    aead_bytes = options.aead.decode('hex')

    next_counter = pyhsm.oath_hotp.search_for_oath_code(
        hsm_conn, options.key_handle, nonce_bytes, aead_bytes,
        options.counter, options.token, options.look_ahead)

    # Only a result of exactly counter + 1 is accepted; anything else
    # (including, apparently, a hit further into the look-ahead window) is
    # reported as a failure.
    # NOTE(review): the return contract of search_for_oath_code is not
    # visible here - confirm this is the intended acceptance rule.
    if next_counter != options.counter + 1:
        print("FAIL")
        return False

    print(next_counter)
    return True
def main():
    """
    Entry point when run as a stand-alone script: set up syslog, parse the
    command line into the module-level ``args`` and open the YubiHSM into the
    module-level ``hsm``.

    Returns 1 if the device cannot be opened (the failure is logged first).

    NOTE(review): this excerpt ends right after the HSM is opened; the server
    loop that follows is not visible here.
    """
    prog_name = os.path.basename(sys.argv[0]) or "yhsm-validation-server"
    syslog.openlog(prog_name, syslog.LOG_PID, syslog.LOG_LOCAL0)

    # Both the parsed options and the HSM handle are published as module
    # globals for the rest of the server.
    global args
    args = parse_args()
    args_fixup()

    global hsm
    try:
        hsm = pyhsm.YHSM(device=args.device, debug=args.debug)
    except serial.SerialException as err:
        my_log_message(
            args, syslog.LOG_ERR,
            'Failed opening YubiHSM device "%s" : %s' % (args.device, err))
        return 1
def main():
    """
    Entry point: read a ``ykksm`` v1 export from stdin and import its keys,
    wrapped under the configured key handles, into ``output_dir``.

    Exits with status 1 if the first input line is not the ``# ykksm 1``
    header. Otherwise returns ``not import_keys(...)``, so a truthful
    import_keys maps to exit status 0.
    """
    options = parse_args()
    args_fixup(options)

    # Refuse input that is not declared as a ykksm version 1 export.
    header = sys.stdin.readline()
    if header != "# ykksm 1\n":
        sys.stderr.write(
            "Did not get '# ykksm 1' header as first line of input.\n")
        sys.exit(1)

    print("output dir		: %s" % (options.output_dir))
    print("key handles		: %s" % (options.key_handles))
    print("YHSM device		: %s" % (options.device))
    print("")

    # Backend selection, in order: an explicit AES key (reused for every key
    # handle), then a soft-HSM key file, then a real YubiHSM device.
    # NOTE(review): --aes-key puts the wrapping key on the command line, where
    # it is visible in process listings and shell history; reading it from a
    # file or stdin would be safer. The isfile() test also means a stray
    # regular file at the device path silently selects the software HSM.
    if options.aes_key:
        soft_keys = dict((kh, options.aes_key) for kh in options.key_handles)
        hsm_conn = SoftYHSM(soft_keys, options.debug)
    elif os.path.isfile(options.device):
        hsm_conn = SoftYHSM.from_file(options.device, debug=options.debug)
    else:
        hsm_conn = pyhsm.YHSM(device=options.device, debug=options.debug)

    return not import_keys(hsm_conn, options)
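def main():
    """
    Main program.

    Parse the command line, pick the AEAD backend (SQL database or
    filesystem) and the HSM (soft-HSM from stdin, soft-HSM from a file, or a
    real YubiHSM), then run the KSM either daemonised or in the foreground.

    Returns 1 on any set-up failure (logged to syslog first); otherwise None.
    """
    my_name = os.path.basename(sys.argv[0])
    if not my_name:
        my_name = "yhsm-yubikey-ksm"
    syslog.openlog(my_name, syslog.LOG_PID, syslog.LOG_LOCAL0)

    args = parse_args()
    args_fixup(args)

    aead_backend = None
    if args.db_url:
        # Using an SQL database for AEADs
        try:
            aead_backend = SQLBackend(args.db_url, args.key_handles)
        except Exception as e:
            # db_url may embed credentials (user:password@host) - never write
            # it to syslog verbatim. The driver's own error text may still
            # echo parts of it; that is outside our control here.
            my_log_message(args.debug or args.verbose, syslog.LOG_ERR,
                           'Could not connect to database "%s" : %s'
                           % (_redact_db_url(args.db_url), e))
            return 1
    else:
        # Using the filesystem for AEADs
        try:
            aead_backend = FSBackend(args.aead_dir, args.key_handles)
        except Exception as e:
            my_log_message(args.debug or args.verbose, syslog.LOG_ERR,
                           'Could not create AEAD FSBackend: %s' % e)
            return 1

    if args.device == '-':
        # Using a soft-HSM with keys from stdin
        try:
            hsm = SoftYHSM.from_json(sys.stdin.read(), debug=args.debug)
        except ValueError as e:
            my_log_message(args.debug or args.verbose, syslog.LOG_ERR,
                           'Failed opening soft YHSM from stdin : %s' % (e))
            return 1
    elif os.path.isfile(args.device):
        # Using a soft-HSM from file.
        # NOTE(review): selected purely by isfile(), so a stray regular file
        # at the expected device path silently turns this into a software HSM.
        try:
            hsm = SoftYHSM.from_file(args.device, debug=args.debug)
        except ValueError as e:
            my_log_message(args.debug or args.verbose, syslog.LOG_ERR,
                           'Failed opening soft YHSM "%s" : %s' % (args.device, e))
            return 1
    else:
        # Using a real HSM. `context` is presumably a daemon context created
        # at module level (not visible here); listing the serial fd in
        # files_preserve keeps it open across daemonisation.
        try:
            hsm = pyhsm.YHSM(device=args.device, debug=args.debug)
            context.files_preserve = [hsm.get_raw_device()]
        except serial.SerialException as e:
            my_log_message(args.debug or args.verbose, syslog.LOG_ERR,
                           'Failed opening YubiHSM device "%s" : %s' % (args.device, e))
            return 1

    if args.daemon:
        with context:
            run(hsm, aead_backend, args)
    else:
        try:
            run(hsm, aead_backend, args)
        except KeyboardInterrupt:
            print("")
            print("Shutting down")
            print("")


def _redact_db_url(url):
    """
    Return ``url`` with any userinfo (``user[:password]``) replaced by ``***``.

    Only the authority part (between ``://`` and the first ``/``) is
    inspected; URLs without a scheme separator or without userinfo are
    returned unchanged.
    """
    scheme, sep, rest = url.partition('://')
    if not sep:
        return url
    authority, slash, path = rest.partition('/')
    userinfo, at, hostport = authority.rpartition('@')
    if not at:
        return url
    return scheme + sep + '***@' + hostport + slash + path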