def test_parallel_sessions(self): authkey1 = AuthenticationKey.put_derived( self.session, 0, "Test authkey 1", 1, CAPABILITY.NONE, CAPABILITY.NONE, "one", ) authkey2 = AuthenticationKey.put_derived( self.session, 0, "Test authkey 2", 2, CAPABILITY.NONE, CAPABILITY.NONE, "two", ) authkey3 = AuthenticationKey.put_derived( self.session, 0, "Test authkey 3", 1, CAPABILITY.NONE, CAPABILITY.NONE, "three", ) session1 = self.hsm.create_session_derived(authkey1.id, "one") session2 = self.hsm.create_session_derived(authkey2.id, "two") session3 = self.hsm.create_session_derived(authkey3.id, "three") session2.close() session1.send_secure_cmd(COMMAND.ECHO, b"hello") session3.send_secure_cmd(COMMAND.ECHO, b"hi") session1.send_secure_cmd(COMMAND.ECHO, b"hello") session3.send_secure_cmd(COMMAND.ECHO, b"greetings") session1.close() session3.send_secure_cmd(COMMAND.ECHO, b"good bye") session3.close() authkey1.delete() authkey2.delete() authkey3.delete()
def test_change_raw_keys(self): self.require_version((2, 1, 0), "Change authentication key") key_enc = a2b_hex("090b47dbed595654901dee1cc655e420") key_mac = a2b_hex("592fd483f759e29909a04c4505d2ce0a") # Create an auth key with the capability to change authkey = AuthenticationKey.put( self.session, 0, "Test CHANGE authkey", 1, CAPABILITY.CHANGE_AUTHENTICATION_KEY, CAPABILITY.NONE, key_enc, key_mac, ) with self.hsm.create_session_derived(authkey.id, "password") as session: key_enc, key_mac = password_to_key("second_password") authkey.with_session(session).change_key(key_enc, key_mac) with self.hsm.create_session_derived(authkey.id, "second_password"): pass authkey.delete()
def test_change_password(self): self.require_version((2, 1, 0), "Change authentication key") # Create an auth key with the capability to change authkey = AuthenticationKey.put_derived( self.session, 0, "Test CHANGE authkey", 1, CAPABILITY.CHANGE_AUTHENTICATION_KEY, CAPABILITY.NONE, "first_password", ) # Can't change the password of another key with self.assertRaises(YubiHsmDeviceError) as context: authkey.change_password("second_password") self.assertEqual(context.exception.code, ERROR.INVALID_ID) # Try again, using the new auth key with self.hsm.create_session_derived(authkey.id, "first_password") as session: authkey.with_session(session).change_password("second_password") with self.assertRaises(YubiHsmAuthenticationError): self.hsm.create_session_derived(authkey.id, "first_password") self.hsm.create_session_derived(authkey.id, "second_password").close() authkey.delete() with self.assertRaises(YubiHsmDeviceError) as context: self.hsm.create_session_derived(authkey.id, "second_password") self.assertEqual(context.exception.code, ERROR.OBJECT_NOT_FOUND)
def _set_up_key(self, capability): password = b2a_hex(self.session.get_pseudo_random(32)) key = AuthenticationKey.put_derived(self.session, 0, 'Test Delete authkey', 1, capability, 0, password) session = self.hsm.create_session_derived(key.id, password) return key, session
def test_change_password(self, hsm, session): # Create an auth key with the capability to change authkey = AuthenticationKey.put_derived( session, 0, "Test CHANGE authkey", 1, CAPABILITY.CHANGE_AUTHENTICATION_KEY, CAPABILITY.NONE, "first_password", ) # Can't change the password of another key with pytest.raises(YubiHsmDeviceError) as context: authkey.change_password("second_password") assert context.value.code == ERROR.INVALID_ID # Try again, using the new auth key with hsm.create_session_derived(authkey.id, "first_password") as session: authkey.with_session(session).change_password("second_password") with pytest.raises(YubiHsmAuthenticationError): hsm.create_session_derived(authkey.id, "first_password") hsm.create_session_derived(authkey.id, "second_password").close() authkey.delete() with pytest.raises(YubiHsmDeviceError) as context: hsm.create_session_derived(authkey.id, "second_password") assert context.value.code == ERROR.OBJECT_NOT_FOUND
def test_authentication_key(hsm, session): obj = AuthenticationKey.put_derived( session, 0, "Test delete authkey", 1, CAPABILITY.GET_LOG_ENTRIES, CAPABILITY.NONE, session.get_pseudo_random(32).hex(), ) _test_delete(hsm, session, obj, CAPABILITY.DELETE_AUTHENTICATION_KEY)
def test_authentication_key(self): obj = AuthenticationKey.put_derived( self.session, 0, "Test delete authkey", 1, CAPABILITY.GET_LOG_ENTRIES, 0, b2a_hex(self.session.get_pseudo_random(32)), ) self._test_delete(obj, CAPABILITY.DELETE_AUTHENTICATION_KEY)
def key_in_list(self, keytype, algorithm=None): dom = None cap = 0 key_label = "%s%s" % (str( uuid.uuid4()), b"\xf0\x9f\x98\x83".decode("utf8")) if keytype == OBJECT.ASYMMETRIC_KEY: dom = 0xFFFF key = AsymmetricKey.generate(self.session, 0, key_label, dom, cap, algorithm) elif keytype == OBJECT.WRAP_KEY: dom = 0x01 key = WrapKey.generate(self.session, 0, key_label, dom, cap, algorithm, cap) elif keytype == OBJECT.HMAC_KEY: dom = 0x01 key = HmacKey.generate(self.session, 0, key_label, dom, cap, algorithm) elif keytype == OBJECT.AUTHENTICATION_KEY: dom = 0x01 key = AuthenticationKey.put_derived( self.session, 0, key_label, dom, cap, 0, b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", ) objlist = self.session.list_objects(object_id=key.id, object_type=key.object_type) self.assertEqual(objlist[0].id, key.id) self.assertEqual(objlist[0].object_type, key.object_type) objinfo = objlist[0].get_info() self.assertEqual(objinfo.id, key.id) self.assertEqual(objinfo.object_type, key.object_type) self.assertEqual(objinfo.domains, dom) self.assertEqual(objinfo.capabilities, cap) if algorithm: self.assertEqual(objinfo.algorithm, algorithm) if key.object_type == OBJECT.AUTHENTICATION_KEY: self.assertEqual(objinfo.origin, ORIGIN.IMPORTED) else: self.assertEqual(objinfo.origin, ORIGIN.GENERATED) self.assertEqual(objinfo.label, key_label) key.delete()
def key_in_list(self, session, keytype, algorithm=None): dom = None cap = CAPABILITY.NONE key_label = "%s%s" % (str(uuid.uuid4()), b"\xf0\x9f\x98\x83".decode()) key: YhsmObject if keytype == OBJECT.ASYMMETRIC_KEY: dom = 0xFFFF key = AsymmetricKey.generate(session, 0, key_label, dom, cap, algorithm) elif keytype == OBJECT.WRAP_KEY: dom = 0x01 key = WrapKey.generate(session, 0, key_label, dom, cap, algorithm, cap) elif keytype == OBJECT.HMAC_KEY: dom = 0x01 key = HmacKey.generate(session, 0, key_label, dom, cap, algorithm) elif keytype == OBJECT.AUTHENTICATION_KEY: dom = 0x01 key = AuthenticationKey.put_derived( session, 0, key_label, dom, cap, cap, "password", ) objlist = session.list_objects(object_id=key.id, object_type=key.object_type) assert objlist[0].id == key.id assert objlist[0].object_type == key.object_type objinfo = objlist[0].get_info() assert objinfo.id == key.id assert objinfo.object_type == key.object_type assert objinfo.domains == dom assert objinfo.capabilities == cap if algorithm: assert objinfo.algorithm == algorithm if key.object_type == OBJECT.AUTHENTICATION_KEY: assert objinfo.origin == ORIGIN.IMPORTED else: assert objinfo.origin == ORIGIN.GENERATED assert objinfo.label == key_label key.delete()
def test_put_unicode_authkey(self): # UTF-8 encoded unicode password password = b'\xF0\x9F\x98\x81\xF0\x9F\x98\x83\xF0\x9F\x98\x84' \ .decode('utf8') authkey = AuthenticationKey.put_derived(self.session, 0, 'Test PUT authkey', 1, CAPABILITY.NONE, CAPABILITY.NONE, password) session = self.hsm.create_session_derived(authkey.id, password) message = os.urandom(256) resp = session.send_secure_cmd(COMMAND.ECHO, message) self.assertEqual(resp, message) authkey.delete() session.close()
def test_put_unicode_authkey(self, hsm, session): # UTF-8 encoded unicode password password = b"\xF0\x9F\x98\x81\xF0\x9F\x98\x83\xF0\x9F\x98\x84".decode() authkey = AuthenticationKey.put_derived( session, 0, "Test PUT authkey", 1, CAPABILITY.NONE, CAPABILITY.NONE, password, ) with hsm.create_session_derived(authkey.id, password) as session: message = os.urandom(256) resp = session.send_secure_cmd(COMMAND.ECHO, message) assert resp == message authkey.delete()
def test_change_raw_keys(self): self.require_version((2, 1, 0), 'Change authentication key') key_enc = a2b_hex('090b47dbed595654901dee1cc655e420') key_mac = a2b_hex('592fd483f759e29909a04c4505d2ce0a') # Create an auth key with the capability to change authkey = AuthenticationKey.put(self.session, 0, 'Test CHANGE authkey', 1, CAPABILITY.CHANGE_AUTHENTICATION_KEY, CAPABILITY.NONE, key_enc, key_mac) session = self.hsm.create_session_derived(authkey.id, 'password') authkey2 = session.get_object(authkey.id, OBJECT.AUTHENTICATION_KEY) key_enc, key_mac = password_to_key('second_password') authkey2.change_key(key_enc, key_mac) session.close() self.hsm.create_session_derived(authkey.id, 'second_password').close() authkey.delete()
capabilities = ( CAPABILITY.SIGN_EDDSA + CAPABILITY.GENERATE_ASYMMETRIC_KEY + CAPABILITY.EXPORT_WRAPPED + CAPABILITY.IMPORT_WRAPPED + CAPABILITY.GET_LOG_ENTRIES + CAPABILITY.WRAP_DATA + CAPABILITY.UNWRAP_DATA + CAPABILITY.DELETE_ASYMMETRIC_KEY ) # Generate a private key on the YubiHSM for creating signatures: authkey = AuthenticationKey.put_derived( # Generate a new key object in the YubiHSM. session, # Secure YubiHsm session to use. authkeynum, # Object ID, 0 to get one assigned. "ndau Authentication key", # Label for the object. 1, # Domain(s) for the object. capabilities, # Standard capabilities capabilities, # Delegated capabilities password, # Authentication password ) print("Created " + str(authkey)) originalkey = session.get_object(1, OBJECT.AUTHENTICATION_KEY) originalkey.delete() hsm.close() exit(0)
def _set_up_key(hsm, session, capability): password = session.get_pseudo_random(32).hex() key = AuthenticationKey.put_derived(session, 0, "Test Delete authkey", 1, capability, CAPABILITY.NONE, password) session = hsm.create_session_derived(key.id, password) return key, session