def test_mech_conversions(self, flavor): """ Test that converting each mechanism works as expected w/ valid params. """ params = MECH_PARAMS[flavor] mech = Mechanism(flavor, params=params) cmech = mech.to_c_mech() # Would prefer to check if it's a c_void_p, but it gets transformed directly to # an int/long depending on memory location. assert isinstance(cmech.pParameter, (integer_types, c_ulong)) assert isinstance(cmech.usParameterLen, (integer_types, c_ulong)) assert isinstance(cmech, CK_MECHANISM) assert cmech.mechanism == flavor
def test_null_mechanism_indirect_instantiation(self): """ Test automech by instantiating Mechanism() instead of AutoMech() :return: """ # Patch the mechanism lookup so that we don't have to have an undefined # mechanism to test the automech. with patch.dict(MECH_LOOKUP, {}, clear=True): pymech = Mechanism(CKM_RSA_PKCS_PSS) assert isinstance(pymech, NullMech) cmech = pymech.to_c_mech() assert cmech.pParameter is None assert cmech.usParameterLen == 0
def test_default_iv6_params(self): """ Verify passing no IV to a mech requiring an IV will use the default value. """ cmech = Mechanism(CKM_AES_CBC).to_c_mech() rawiv = cast(cmech.pParameter, POINTER(c_ubyte)) iv = [rawiv[x] for x in range(cmech.usParameterLen)] assert iv == [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8]
def test_default_iv_params(self): """ Verify passing no IV to a mech requiring an IV will use the default value. """ cmech = Mechanism(CKM_DES3_CBC).to_c_mech() rawiv = cast(cmech.pParameter, POINTER(c_ubyte)) iv = [rawiv[x] for x in range(cmech.usParameterLen)] assert iv == [0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38]
def test_missing_params(self, flavor, params): """ Test that missing parameters for various mechs raises the appropriate exception. :param crypto_session: :return: """ with pytest.raises(MechanismException) as excinfo: mech = Mechanism(flavor) for x in params: assert x in str(excinfo.value)
def encrypt(password, kek_label, plaintext_path): ''' Encrypt plain text to cipher text password - string CryptoUser role password kek_label - string label of decryption key in HSM plaintext_path - path of base64 encoded data to be encrypted ''' plaintext = open(plaintext_path, 'rb').read() encrypted = None i = 0 while i < 2: try: auth_session = None _initialize() auth_session = c_open_session_ex(i) login_ex(auth_session, i, password, CKU_CRYPTO_USER) kek_handle = None kek_handle = c_find_objects_ex(auth_session, { CKA_KEY_TYPE: CKK_AES, CKA_LABEL: kek_label }, 1) if kek_handle: params = {"iv": list(range(16)), "AAD": [], "ulTagBits": 128} mechanism = Mechanism(mech_type=CKM_AES_GCM, params=params) encrypted = c_encrypt_ex(auth_session, kek_handle[0], plaintext, mechanism) encrypted = array.array('B', list( range(16))).tostring() + encrypted break else: i += 1 except LunaCallException: print("Exception running key mgmt operation on slot " + str(i)) print(traceback.format_exc()) i += 1 finally: if auth_session: c_logout_ex(auth_session) c_close_session_ex(auth_session) c_finalize_ex() if encrypted: ciphertext = base64.b64encode(encrypted) return ciphertext else: raise Exception("Failed to encrypt DEK")
def decrypt(password, kek_label, path_to_plain_text): ''' Decrypt cipher text to plain text password - string CryptoUser role password kek_label - string label of decryption key in HSM path_to_plain_text - path of base64 encoded data to be decrypted ''' ciphertext = open(path_to_plain_text, 'rb').read() decrypted = None i = 0 while i < 2: try: cipher = base64.b64decode(ciphertext) auth_session = None _initialize() auth_session = c_open_session_ex(i) login_ex(auth_session, i, password, CKU_CRYPTO_USER) kek_handle = None kek_handle = c_find_objects_ex(auth_session, {CKA_KEY_TYPE: CKK_AES, CKA_LABEL: kek_label}, 1) if kek_handle: params = {"iv": cipher[:16], "AAD": [], "ulTagBits": 128} mechanism = Mechanism(mech_type=CKM_AES_GCM, params=params) decrypted = c_decrypt_ex(auth_session, kek_handle[0], cipher[16:], mechanism) break else: i += 1 except LunaCallException: i += 1 except Exception: raise("Failed to decrypt DEK") finally: if auth_session: c_logout_ex(auth_session) c_close_session_ex(auth_session) c_finalize_ex() if decrypted: return decrypted else: raise Exception("Failed to decrypt DEK")
""" Testcases for string helpers """ import pytest from pycryptoki.mechanism import Mechanism from pycryptoki.defines import CKM_DES_ECB, CKM_AES_CBC from pycryptoki.string_helpers import _decode, _coerce_mech_to_str @pytest.mark.parametrize("value,ret", [(b"this is a test string", u"this is a test string"), (b"\x01\x23\x82\x20\x01\xb6\x09\xd2\xb6|gN\xcc", u"0123822001b609d2b67c674ecc"), (None, None), (b"", u"")]) def test_decode(value, ret): assert _decode(value) == ret CBC_OUT = """Iv16Mechanism(mech_type: CKM_AES_CBC, iv: [0, 1, 2, 3, 4, 5, 6, 7])""" @pytest.mark.parametrize("mech,output", [({"mech_type": CKM_DES_ECB}, "NullMech(mech_type: CKM_DES_ECB)"), (Mechanism(CKM_AES_CBC, params={'iv': list(range(8))}), CBC_OUT)]) def test_mech_printing(mech, output): assert _coerce_mech_to_str(mech) == output