def test_parallel_sessions(self):
authkey1 = AuthenticationKey.put_derived(
self.session,
0,
"Test authkey 1",
1,
CAPABILITY.NONE,
CAPABILITY.NONE,
"one",
)
authkey2 = AuthenticationKey.put_derived(
self.session,
0,
"Test authkey 2",
2,
CAPABILITY.NONE,
CAPABILITY.NONE,
"two",
)
authkey3 = AuthenticationKey.put_derived(
self.session,
0,
"Test authkey 3",
1,
CAPABILITY.NONE,
CAPABILITY.NONE,
"three",
)
session1 = self.hsm.create_session_derived(authkey1.id, "one")
session2 = self.hsm.create_session_derived(authkey2.id, "two")
session3 = self.hsm.create_session_derived(authkey3.id, "three")
session2.close()
session1.send_secure_cmd(COMMAND.ECHO, b"hello")
session3.send_secure_cmd(COMMAND.ECHO, b"hi")
session1.send_secure_cmd(COMMAND.ECHO, b"hello")
session3.send_secure_cmd(COMMAND.ECHO, b"greetings")
session1.close()
session3.send_secure_cmd(COMMAND.ECHO, b"good bye")
session3.close()
authkey1.delete()
authkey2.delete()
authkey3.delete()
def test_change_raw_keys(self):
self.require_version((2, 1, 0), "Change authentication key")
key_enc = a2b_hex("090b47dbed595654901dee1cc655e420")
key_mac = a2b_hex("592fd483f759e29909a04c4505d2ce0a")
# Create an auth key with the capability to change
authkey = AuthenticationKey.put(
self.session,
0,
"Test CHANGE authkey",
1,
CAPABILITY.CHANGE_AUTHENTICATION_KEY,
CAPABILITY.NONE,
key_enc,
key_mac,
)
with self.hsm.create_session_derived(authkey.id,
"password") as session:
key_enc, key_mac = password_to_key("second_password")
authkey.with_session(session).change_key(key_enc, key_mac)
with self.hsm.create_session_derived(authkey.id, "second_password"):
pass
authkey.delete()
def test_change_password(self):
self.require_version((2, 1, 0), "Change authentication key")
# Create an auth key with the capability to change
authkey = AuthenticationKey.put_derived(
self.session,
0,
"Test CHANGE authkey",
1,
CAPABILITY.CHANGE_AUTHENTICATION_KEY,
CAPABILITY.NONE,
"first_password",
)
# Can't change the password of another key
with self.assertRaises(YubiHsmDeviceError) as context:
authkey.change_password("second_password")
self.assertEqual(context.exception.code, ERROR.INVALID_ID)
# Try again, using the new auth key
with self.hsm.create_session_derived(authkey.id,
"first_password") as session:
authkey.with_session(session).change_password("second_password")
with self.assertRaises(YubiHsmAuthenticationError):
self.hsm.create_session_derived(authkey.id, "first_password")
self.hsm.create_session_derived(authkey.id, "second_password").close()
authkey.delete()
with self.assertRaises(YubiHsmDeviceError) as context:
self.hsm.create_session_derived(authkey.id, "second_password")
self.assertEqual(context.exception.code, ERROR.OBJECT_NOT_FOUND)
def _set_up_key(self, capability):
password = b2a_hex(self.session.get_pseudo_random(32))
key = AuthenticationKey.put_derived(self.session, 0,
'Test Delete authkey', 1,
capability, 0, password)
session = self.hsm.create_session_derived(key.id, password)
return key, session
def test_change_password(self, hsm, session):
# Create an auth key with the capability to change
authkey = AuthenticationKey.put_derived(
session,
0,
"Test CHANGE authkey",
1,
CAPABILITY.CHANGE_AUTHENTICATION_KEY,
CAPABILITY.NONE,
"first_password",
)
# Can't change the password of another key
with pytest.raises(YubiHsmDeviceError) as context:
authkey.change_password("second_password")
assert context.value.code == ERROR.INVALID_ID
# Try again, using the new auth key
with hsm.create_session_derived(authkey.id,
"first_password") as session:
authkey.with_session(session).change_password("second_password")
with pytest.raises(YubiHsmAuthenticationError):
hsm.create_session_derived(authkey.id, "first_password")
hsm.create_session_derived(authkey.id, "second_password").close()
authkey.delete()
with pytest.raises(YubiHsmDeviceError) as context:
hsm.create_session_derived(authkey.id, "second_password")
assert context.value.code == ERROR.OBJECT_NOT_FOUND
def test_authentication_key(hsm, session):
obj = AuthenticationKey.put_derived(
session,
0,
"Test delete authkey",
1,
CAPABILITY.GET_LOG_ENTRIES,
CAPABILITY.NONE,
session.get_pseudo_random(32).hex(),
)
_test_delete(hsm, session, obj, CAPABILITY.DELETE_AUTHENTICATION_KEY)
def test_authentication_key(self):
obj = AuthenticationKey.put_derived(
self.session,
0,
"Test delete authkey",
1,
CAPABILITY.GET_LOG_ENTRIES,
0,
b2a_hex(self.session.get_pseudo_random(32)),
)
self._test_delete(obj, CAPABILITY.DELETE_AUTHENTICATION_KEY)
def key_in_list(self, keytype, algorithm=None):
dom = None
cap = 0
key_label = "%s%s" % (str(
uuid.uuid4()), b"\xf0\x9f\x98\x83".decode("utf8"))
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(self.session, 0, key_label, dom, cap,
algorithm, cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
self.session,
0,
key_label,
dom,
cap,
0,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
objlist = self.session.list_objects(object_id=key.id,
object_type=key.object_type)
self.assertEqual(objlist[0].id, key.id)
self.assertEqual(objlist[0].object_type, key.object_type)
objinfo = objlist[0].get_info()
self.assertEqual(objinfo.id, key.id)
self.assertEqual(objinfo.object_type, key.object_type)
self.assertEqual(objinfo.domains, dom)
self.assertEqual(objinfo.capabilities, cap)
if algorithm:
self.assertEqual(objinfo.algorithm, algorithm)
if key.object_type == OBJECT.AUTHENTICATION_KEY:
self.assertEqual(objinfo.origin, ORIGIN.IMPORTED)
else:
self.assertEqual(objinfo.origin, ORIGIN.GENERATED)
self.assertEqual(objinfo.label, key_label)
key.delete()
def key_in_list(self, session, keytype, algorithm=None):
dom = None
cap = CAPABILITY.NONE
key_label = "%s%s" % (str(uuid.uuid4()), b"\xf0\x9f\x98\x83".decode())
key: YhsmObject
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(session, 0, key_label, dom, cap, algorithm,
cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(session, 0, key_label, dom, cap, algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
session,
0,
key_label,
dom,
cap,
cap,
"password",
)
objlist = session.list_objects(object_id=key.id,
object_type=key.object_type)
assert objlist[0].id == key.id
assert objlist[0].object_type == key.object_type
objinfo = objlist[0].get_info()
assert objinfo.id == key.id
assert objinfo.object_type == key.object_type
assert objinfo.domains == dom
assert objinfo.capabilities == cap
if algorithm:
assert objinfo.algorithm == algorithm
if key.object_type == OBJECT.AUTHENTICATION_KEY:
assert objinfo.origin == ORIGIN.IMPORTED
else:
assert objinfo.origin == ORIGIN.GENERATED
assert objinfo.label == key_label
key.delete()
def test_put_unicode_authkey(self):
# UTF-8 encoded unicode password
password = b'\xF0\x9F\x98\x81\xF0\x9F\x98\x83\xF0\x9F\x98\x84' \
.decode('utf8')
authkey = AuthenticationKey.put_derived(self.session, 0,
'Test PUT authkey', 1,
CAPABILITY.NONE,
CAPABILITY.NONE, password)
session = self.hsm.create_session_derived(authkey.id, password)
message = os.urandom(256)
resp = session.send_secure_cmd(COMMAND.ECHO, message)
self.assertEqual(resp, message)
authkey.delete()
session.close()
def test_put_unicode_authkey(self, hsm, session):
# UTF-8 encoded unicode password
password = b"\xF0\x9F\x98\x81\xF0\x9F\x98\x83\xF0\x9F\x98\x84".decode()
authkey = AuthenticationKey.put_derived(
session,
0,
"Test PUT authkey",
1,
CAPABILITY.NONE,
CAPABILITY.NONE,
password,
)
with hsm.create_session_derived(authkey.id, password) as session:
message = os.urandom(256)
resp = session.send_secure_cmd(COMMAND.ECHO, message)
assert resp == message
authkey.delete()
def test_change_raw_keys(self):
self.require_version((2, 1, 0), 'Change authentication key')
key_enc = a2b_hex('090b47dbed595654901dee1cc655e420')
key_mac = a2b_hex('592fd483f759e29909a04c4505d2ce0a')
# Create an auth key with the capability to change
authkey = AuthenticationKey.put(self.session, 0, 'Test CHANGE authkey',
1,
CAPABILITY.CHANGE_AUTHENTICATION_KEY,
CAPABILITY.NONE, key_enc, key_mac)
session = self.hsm.create_session_derived(authkey.id, 'password')
authkey2 = session.get_object(authkey.id, OBJECT.AUTHENTICATION_KEY)
key_enc, key_mac = password_to_key('second_password')
authkey2.change_key(key_enc, key_mac)
session.close()
self.hsm.create_session_derived(authkey.id, 'second_password').close()
authkey.delete()
capabilities = (
CAPABILITY.SIGN_EDDSA
+ CAPABILITY.GENERATE_ASYMMETRIC_KEY
+ CAPABILITY.EXPORT_WRAPPED
+ CAPABILITY.IMPORT_WRAPPED
+ CAPABILITY.GET_LOG_ENTRIES
+ CAPABILITY.WRAP_DATA
+ CAPABILITY.UNWRAP_DATA
+ CAPABILITY.DELETE_ASYMMETRIC_KEY
)
# Generate a private key on the YubiHSM for creating signatures:
authkey = AuthenticationKey.put_derived( # Generate a new key object in the YubiHSM.
session, # Secure YubiHsm session to use.
authkeynum, # Object ID, 0 to get one assigned.
"ndau Authentication key", # Label for the object.
1, # Domain(s) for the object.
capabilities, # Standard capabilities
capabilities, # Delegated capabilities
password, # Authentication password
)
print("Created " + str(authkey))
originalkey = session.get_object(1, OBJECT.AUTHENTICATION_KEY)
originalkey.delete()
hsm.close()
exit(0)
def _set_up_key(hsm, session, capability):
password = session.get_pseudo_random(32).hex()
key = AuthenticationKey.put_derived(session, 0, "Test Delete authkey", 1,
capability, CAPABILITY.NONE, password)
session = hsm.create_session_derived(key.id, password)
return key, session
