def test_reset(hsm, session, connect_hsm): Opaque.put( session, 0, "Test opaque data", 1, CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA, b"dummyobject", ) session.reset_device() hsm.close() time.sleep(5) # Wait for device to reboot with connect_hsm() as hsm: # Re-connect since device restarted. with hsm.create_session_derived(1, DEFAULT_KEY) as session: assert len(session.list_objects()) == 1 auth_key = session.get_object(1, OBJECT.AUTHENTICATION_KEY) # Check details of default key info = auth_key.get_info() assert info.capabilities & CAPABILITY.ALL == CAPABILITY.ALL assert info.id == 1 assert info.size == 40 assert info.domains == 0xFFFF assert info.object_type == OBJECT.AUTHENTICATION_KEY assert info.algorithm == ALGORITHM.AES128_YUBICO_AUTHENTICATION assert info.sequence == 0 assert info.origin == ORIGIN.IMPORTED assert info.label == "DEFAULT AUTHKEY CHANGE THIS ASAP" assert info.capabilities == info.delegated_capabilities
def test_reset(self): Opaque.put(self.session, 0, "Test opaque data", 1, 0, OBJECT.OPAQUE, b"dummyobject") self.session.reset_device() self.hsm.close() time.sleep(5) # Wait for device to reboot self.connect_hsm() # Re-connect since device restarted. self.session = self.hsm.create_session_derived(1, DEFAULT_KEY) self.assertEqual(len(self.session.list_objects()), 1) auth_key = self.session.get_object(1, OBJECT.AUTHENTICATION_KEY) # Check details of default key info = auth_key.get_info() self.assertEqual(info.capabilities & CAPABILITY.ALL, CAPABILITY.ALL) self.assertEqual(info.id, 1) self.assertEqual(info.size, 40) self.assertEqual(info.domains, 0xFFFF) self.assertEqual(info.object_type, OBJECT.AUTHENTICATION_KEY) self.assertEqual(info.algorithm, ALGORITHM.AES128_YUBICO_AUTHENTICATION) self.assertEqual(info.sequence, 0) self.assertEqual(info.origin, ORIGIN.IMPORTED) self.assertEqual(info.label, "DEFAULT AUTHKEY CHANGE THIS ASAP") self.assertEqual(info.capabilities, info.delegated_capabilities)
def test_put_too_big(self): with self.assertRaises(YubiHsmDeviceError) as cm: Opaque.put(self.session, 0, 'Test large Opaque', 1, CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA, os.urandom(1969)) self.assertEqual(cm.exception.code, ERROR.WRONG_LENGTH) # Make sure our session is still working self.assertEqual(len(self.session.get_pseudo_random(123)), 123)
def test_put_empty(self): # Can't put an empty object with self.assertRaises(ValueError): Opaque.put( self.session, 0, "Test PUT empty Opaque", 1, CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA, b"", )
def test_put_too_big(session): with pytest.raises(YubiHsmInvalidRequestError): Opaque.put( session, 0, "Test large Opaque", 1, CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA, os.urandom(1976), ) # Make sure our session is still working assert len(session.get_pseudo_random(123)) == 123
def test_import_wrap_overwrite(session): key_label = "wrap key" raw_key = os.urandom(24) w_key = WrapKey.put( session, 0, key_label, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) opaque = Opaque.put( session, 0, "Test Opaque Object", 0xFFFF, CAPABILITY.EXPORTABLE_UNDER_WRAP, ALGORITHM.OPAQUE_DATA, b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", ) opaque_wrapped = w_key.export_wrapped(opaque) with pytest.raises(YubiHsmDeviceError) as context: w_key.import_wrapped(opaque_wrapped) assert context.value.code == ERROR.OBJECT_EXISTS opaque.delete() opaque = w_key.import_wrapped(opaque_wrapped) assert opaque.get() == b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" with pytest.raises(YubiHsmDeviceError) as context: opaque = w_key.import_wrapped(opaque_wrapped) assert context.value.code == ERROR.OBJECT_EXISTS
def test_import_wrap_overwrite(self): key_label = "wrap key" raw_key = os.urandom(24) w_key = WrapKey.put( self.session, 0, key_label, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) opaque = Opaque.put( self.session, 0, "Test Opaque Object", 0xFFFF, CAPABILITY.EXPORTABLE_UNDER_WRAP, ALGORITHM.OPAQUE_DATA, b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", ) opaque_wrapped = w_key.export_wrapped(opaque) with self.assertRaises(YubiHsmDeviceError) as context: w_key.import_wrapped(opaque_wrapped) self.assertTrue("OBJECT_EXISTS" in str(context.exception)) opaque.delete() opaque = w_key.import_wrapped(opaque_wrapped) self.assertEqual(opaque.get(), b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa") with self.assertRaises(YubiHsmDeviceError) as context: opaque = w_key.import_wrapped(opaque_wrapped) self.assertTrue("OBJECT_EXISTS" in str(context.exception))
def test_data(self): for size in (1, 256, 1234, 1968): data = os.urandom(size) opaque = Opaque.put(self.session, 0, 'Test data Opaque', 1, CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA, data) self.assertEqual(data, opaque.get()) opaque.delete()
def test_opaque(hsm, session): obj = Opaque.put( session, 0, "Test opaque data", 1, CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA, b"data", ) _test_delete(hsm, session, obj, CAPABILITY.DELETE_OPAQUE)
def test_data(session): for size in (1, 256, 1234, 1968): data = os.urandom(size) opaque = Opaque.put( session, 0, "Test data Opaque", 1, CAPABILITY.NONE, ALGORITHM.OPAQUE_DATA, data, ) assert data == opaque.get() opaque.delete()
def test_import_wrap_permissions(session): key_label = "wrap key" raw_key = os.urandom(24) opaque = Opaque.put( session, 0, "Test Opaque Object", 0xFFFF, CAPABILITY.EXPORTABLE_UNDER_WRAP, ALGORITHM.OPAQUE_DATA, b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", ) w_key = WrapKey.put( session, 0, key_label, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.NONE, raw_key, ) with pytest.raises(YubiHsmDeviceError) as context: w_key.export_wrapped(opaque) assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS w_key.delete() w_key = WrapKey.put( session, 0, key_label, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) w_key.id += 1 with pytest.raises(YubiHsmDeviceError) as context: w_key.export_wrapped(opaque) assert context.value.code == ERROR.OBJECT_NOT_FOUND w_key.id -= 1 w_key.delete() w_key = WrapKey.put( session, 0, key_label, 1, CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) with pytest.raises(YubiHsmDeviceError) as context: w_key.export_wrapped(opaque) assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS w_key.delete() w_key = WrapKey.put( session, 0, key_label, 1, CAPABILITY.EXPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) opaque_wrapped = w_key.export_wrapped(opaque) with pytest.raises(YubiHsmDeviceError) as context: w_key.import_wrapped(opaque_wrapped) assert context.value.code == ERROR.INSUFFICIENT_PERMISSIONS w_key.delete() w_key = WrapKey.put( session, 0, key_label, 1, CAPABILITY.IMPORT_WRAPPED | CAPABILITY.EXPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) opaque_wrapped = w_key.export_wrapped(opaque) opaque.delete() w_key.id += 1 with pytest.raises(YubiHsmDeviceError) as context: w_key.import_wrapped(opaque_wrapped) assert context.value.code == ERROR.OBJECT_NOT_FOUND w_key.id -= 1 opaque = w_key.import_wrapped(opaque_wrapped) assert opaque.get() == b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
def test_import_wrap_permissions(self): key_label = "wrap key" raw_key = os.urandom(24) opaque = Opaque.put( self.session, 0, "Test Opaque Object", 0xFFFF, CAPABILITY.EXPORTABLE_UNDER_WRAP, ALGORITHM.OPAQUE_DATA, b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", ) w_key = WrapKey.put( self.session, 0, key_label, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, 0, raw_key, ) with self.assertRaises(YubiHsmDeviceError) as context: w_key.export_wrapped(opaque) self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception)) w_key.delete() w_key = WrapKey.put( self.session, 0, key_label, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) w_key.id += 1 with self.assertRaises(YubiHsmDeviceError) as context: w_key.export_wrapped(opaque) self.assertTrue("OBJECT_NOT_FOUND" in str(context.exception)) w_key.id -= 1 w_key.delete() w_key = WrapKey.put( self.session, 0, key_label, 1, CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) with self.assertRaises(YubiHsmDeviceError) as context: w_key.export_wrapped(opaque) self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception)) w_key.delete() w_key = WrapKey.put( self.session, 0, key_label, 1, CAPABILITY.EXPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) opaque_wrapped = w_key.export_wrapped(opaque) with self.assertRaises(YubiHsmDeviceError) as context: w_key.import_wrapped(opaque_wrapped) self.assertTrue("INSUFFICIENT_PERMISSIONS" in str(context.exception)) w_key.delete() w_key = WrapKey.put( self.session, 0, key_label, 1, CAPABILITY.IMPORT_WRAPPED | CAPABILITY.EXPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.EXPORTABLE_UNDER_WRAP, raw_key, ) opaque_wrapped = w_key.export_wrapped(opaque) opaque.delete() w_key.id += 1 with self.assertRaises(YubiHsmDeviceError) as context: w_key.import_wrapped(opaque_wrapped) self.assertTrue("OBJECT_NOT_FOUND" in str(context.exception)) w_key.id -= 1 opaque = w_key.import_wrapped(opaque_wrapped) self.assertEqual(opaque.get(), b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa")
def test_opaque(self): obj = Opaque.put(self.session, 0, 'Test opaque data', 1, 0, OBJECT.OPAQUE, b'data') self._test_delete(obj, CAPABILITY.DELETE_OPAQUE)