def asym_key(auth_session, usage_set):
"""
Generate a key pair & set the USAGE limit by some method (on creation or c_setattr, or both)
:return: private key handle
"""
usage_type, limit = usage_set
pubtemp, privtemp = get_default_key_pair_template(
CKM_RSA_PKCS_KEY_PAIR_GEN)
usage_template = {CKA_USAGE_LIMIT: limit}
if usage_type in ("create", "both", "create_then_use"):
privtemp.update(usage_template)
pubkey, privkey = c_generate_key_pair_ex(auth_session,
CKM_RSA_PKCS_KEY_PAIR_GEN,
get_session_template(pubtemp),
get_session_template(privtemp))
try:
if usage_type == "create_then_use":
with open(_get_data_file('sha1pkcs_plain.der'), 'rb') as df:
data = df.read()
c_sign_ex(auth_session, privkey, data, CKM_RSA_PKCS)
if usage_type in ("setattr", "both", "create_then_use"):
c_set_attribute_value_ex(auth_session, privkey, usage_template)
yield privkey
finally:
c_destroy_object(auth_session, pubkey)
c_destroy_object(auth_session, privkey)
def asym_keys(auth_session):
""" Fixture containing all asym. keys """
keys = {}
try:
for key_type in ASYM_TABLE.values():
pub_temp, prv_temp = get_default_key_pair_template(key_type)
ret, pub_key, prv_key = c_generate_key_pair(
auth_session, key_type, pub_temp, prv_temp)
if ret == CKR_OK:
keys[key_type] = (pub_key, prv_key)
else:
logger.info("Failed to generate key: %s\nReturn code: %s",
key_type, ret)
yield keys
finally:
for pub_key, prv_key in keys.values():
c_destroy_object(auth_session, pub_key)
c_destroy_object(auth_session, prv_key)
def pair_params(key_gen):
""" Return the params tuple given the key_gen mech """
return (key_gen, ) + get_default_key_pair_template(key_gen)
def test_x9_key_derive(self, auth_session, curve_type):
"""
Test we can do X9 key derivation
"""
derived_key2 = derived_key1 = pub_key1 = pub_key2 = prv_key2 = prv_key1 = None
derived_template = {
CKA_CLASS: CKO_SECRET_KEY,
CKA_KEY_TYPE: CKK_DES,
CKA_ENCRYPT: True,
CKA_DECRYPT: True,
CKA_PRIVATE: True,
CKA_SENSITIVE: True
}
pub_temp, priv_temp = get_default_key_pair_template(
CKM_ECDSA_KEY_PAIR_GEN)
priv_temp = get_session_template(priv_temp)
pub_temp = get_session_template(pub_temp)
pub_temp[CKA_ECDSA_PARAMS] = curve_list[curve_type]
pub_key1, prv_key1 = c_generate_key_pair_ex(auth_session,
CKM_ECDSA_KEY_PAIR_GEN,
pbkey_template=pub_temp,
prkey_template=priv_temp)
try:
pub_key2, prv_key2 = c_generate_key_pair_ex(
auth_session,
CKM_ECDSA_KEY_PAIR_GEN,
pbkey_template=pub_temp,
prkey_template=priv_temp)
pub_key1_raw = c_get_attribute_value_ex(
auth_session, pub_key1, {CKA_EC_POINT: None})[CKA_EC_POINT]
pub_key2_raw = c_get_attribute_value_ex(
auth_session, pub_key2, {CKA_EC_POINT: None})[CKA_EC_POINT]
derived_key1 = c_derive_key_ex(auth_session,
h_base_key=prv_key2,
template=derived_template,
mechanism={
"mech_type": CKM_ECDH1_DERIVE,
"params": {
"kdf": CKD_NULL,
"sharedData": None,
"publicData": pub_key1_raw
}
})
derived_key2 = c_derive_key_ex(auth_session,
h_base_key=prv_key1,
template=derived_template,
mechanism={
"mech_type": CKM_ECDH1_DERIVE,
"params": {
"kdf": CKD_NULL,
"sharedData": None,
"publicData": pub_key2_raw
}
})
cipher_data = c_encrypt_ex(auth_session,
derived_key1,
data=DATA,
mechanism=CKM_DES_ECB)
restored_text = c_decrypt_ex(auth_session,
derived_key2,
cipher_data,
mechanism=CKM_DES_ECB)
assert DATA == restored_text.rstrip(b'\x00')
finally:
for key in (pub_key1, prv_key1, pub_key2, prv_key2, derived_key1,
derived_key2):
if key:
c_destroy_object(auth_session, key)
