def list_kek_labels(password): ''' List labels of upto 100 keys password - string CryptoUser role password ''' # HSM slot id for HA slot_id = 5 labels = [] try: auth_session = None _initialize() auth_session = c_open_session_ex(slot_id) login_ex(auth_session, slot_id, password, CKU_CRYPTO_USER) key_handles = c_find_objects_ex(auth_session, {CKA_KEY_TYPE: CKK_AES}, 100) for handle in key_handles: label = c_get_attribute_value_ex( auth_session, handle, Attributes({CKA_LABEL: b'01234567890123456789012345'})) labels.append(label[3].decode("utf-8")) except LunaCallException: print("Exception running key mgmt operation") print(traceback.format_exc()) raise Exception('Exception running key mgmt operation') finally: if auth_session: c_logout_ex(auth_session) c_close_session_ex(auth_session) c_finalize_ex() return labels
def hsm_configured(pytestconfig): """ Factory reset & init the hsm. """ c_initialize_ex() try: if pytestconfig.getoption("reset"): slot = hsm_config["test_slot"] c_close_all_sessions_ex(slot) ca_factory_reset_ex(slot) # Initialize the Admin Token session_flags = (CKF_SERIAL_SESSION | CKF_RW_SESSION | CKF_SO_SESSION) _ = c_open_session_ex(slot, session_flags) c_init_token_ex(slot, hsm_config['admin_pwd'], ADMIN_PARTITION_LABEL) # TODO: This will need to change for testing on CO slots. # In the meantime, we test on the admin slot just fine. # slot = get_token_by_label_ex(ADMIN_PARTITION_LABEL) # c_close_all_sessions_ex(slot) # h_session = c_open_session_ex(slot, session_flags) # login_ex(h_session, slot, hsm_config['admin_pwd'], 0) # c_init_pin_ex(h_session, hsm_config['co_pwd']) # c_logout_ex(h_session) c_close_all_sessions_ex(slot) yield finally: c_finalize_ex()
def pytest_configure(config): """ Set up the globals for this test run. """ if config.getoption("loglevel", None): logger = logging.getLogger() log_formatter = logging.Formatter('%(asctime)s:%(name)s:%(levelname)s: %(message)s') console_handler = logging.StreamHandler(sys.stdout) console_handler.setFormatter(log_formatter) logger.addHandler(console_handler) logger.setLevel(config.getoption("loglevel").upper()) hsm_config["test_slot"] = config.getoption("test_slot") hsm_config["user"] = config.getoption("user") c_initialize_ex() try: # Factory Reset slot = hsm_config["test_slot"] token_info = c_get_token_info_ex(slot) flags = token_info['flags'] is_ped = (flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0 hsm_config["is_ped"] = is_ped raw_firmware = token_info['firmwareVersion'] hsm_config['firmware'] = "{}.{}.{}".format(raw_firmware.major, raw_firmware.minor / 10, raw_firmware.minor % 10) if is_ped: admin_pwd = None co_pwd = config.getoption("copassword", default=None) else: admin_pwd = config.getoption("password") co_pwd = config.getoption("copassword", default=CO_PASSWORD) if admin_pwd: admin_pwd = admin_pwd if co_pwd: co_pwd = co_pwd hsm_config['admin_pwd'] = admin_pwd hsm_config['co_pwd'] = co_pwd if config.getoption("user") == "CO": hsm_config['password'] = co_pwd else: hsm_config['password'] = admin_pwd finally: c_finalize_ex()
def open(self): """ Open the session, initializing cryptoki if necessary. :return: session handle """ if self.manage_init: c_initialize_ex() try: self.session = c_open_session_ex(self.slot, self.flags) return self.session except: if self.manage_init: c_finalize_ex() raise
def encrypt(password, kek_label, plaintext_path): ''' Encrypt plain text to cipher text password - string CryptoUser role password kek_label - string label of decryption key in HSM plaintext_path - path of base64 encoded data to be encrypted ''' plaintext = open(plaintext_path, 'rb').read() encrypted = None i = 0 while i < 2: try: auth_session = None _initialize() auth_session = c_open_session_ex(i) login_ex(auth_session, i, password, CKU_CRYPTO_USER) kek_handle = None kek_handle = c_find_objects_ex(auth_session, { CKA_KEY_TYPE: CKK_AES, CKA_LABEL: kek_label }, 1) if kek_handle: params = {"iv": list(range(16)), "AAD": [], "ulTagBits": 128} mechanism = Mechanism(mech_type=CKM_AES_GCM, params=params) encrypted = c_encrypt_ex(auth_session, kek_handle[0], plaintext, mechanism) encrypted = array.array('B', list( range(16))).tostring() + encrypted break else: i += 1 except LunaCallException: print("Exception running key mgmt operation on slot " + str(i)) print(traceback.format_exc()) i += 1 finally: if auth_session: c_logout_ex(auth_session) c_close_session_ex(auth_session) c_finalize_ex() if encrypted: ciphertext = base64.b64encode(encrypted) return ciphertext else: raise Exception("Failed to encrypt DEK")
def decrypt(password, kek_label, path_to_plain_text): ''' Decrypt cipher text to plain text password - string CryptoUser role password kek_label - string label of decryption key in HSM path_to_plain_text - path of base64 encoded data to be decrypted ''' ciphertext = open(path_to_plain_text, 'rb').read() decrypted = None i = 0 while i < 2: try: cipher = base64.b64decode(ciphertext) auth_session = None _initialize() auth_session = c_open_session_ex(i) login_ex(auth_session, i, password, CKU_CRYPTO_USER) kek_handle = None kek_handle = c_find_objects_ex(auth_session, {CKA_KEY_TYPE: CKK_AES, CKA_LABEL: kek_label}, 1) if kek_handle: params = {"iv": cipher[:16], "AAD": [], "ulTagBits": 128} mechanism = Mechanism(mech_type=CKM_AES_GCM, params=params) decrypted = c_decrypt_ex(auth_session, kek_handle[0], cipher[16:], mechanism) break else: i += 1 except LunaCallException: i += 1 except Exception: raise("Failed to decrypt DEK") finally: if auth_session: c_logout_ex(auth_session) c_close_session_ex(auth_session) c_finalize_ex() if decrypted: return decrypted else: raise Exception("Failed to decrypt DEK")
def generate_keys(password, kek_plain_text): ''' Generate AES keys password - string CryptoOfficer role password kek_plain_text - kek label ''' # HSM slot id for HA slot_id = 5 c_initialize_ex() auth_session = c_open_session_ex(slot_id) login_ex(auth_session, slot_id, password) CKM_AES_KEY_GEN_TEMP[CKA_LABEL] = bytes(kek_plain_text, 'utf-8') key_handle = c_generate_key_ex(auth_session, CKM_AES_KEY_GEN, CKM_AES_KEY_GEN_TEMP) c_logout_ex(auth_session) c_close_session_ex(auth_session) c_finalize_ex() return key_handle
def close(self): """Close the session. Finalize if we initialized.""" c_close_session_ex(self.session) if self.manage_init: c_finalize_ex()
def __exit__(self, exc_type, exc_value, exc_traceback): """Finalize cryptoki""" c_finalize_ex()
from pycryptoki.session_management import (c_initialize_ex, c_get_info_ex, c_get_slot_list_ex, get_firmware_version, c_get_token_info_ex, c_finalize_ex) c_initialize_ex() print("C_GetInfo: ") print("\n".join("\t{}: {}".format(x, y) for x, y in c_get_info_ex().items())) slot_list = c_get_slot_list_ex() print("C_GetSlotList:") print("\n".join("\t{}".format(x) for x in slot_list)) # Use the first available Slot ID: slot_id = slot_list[0] token_info = c_get_token_info_ex(slot_id) print("C_GetTokenInfo:") print("\n".join("\t{}: {}".format(x, y) for x, y in token_info.items())) print("Firmware version: {}".format(get_firmware_version(slot_id))) c_finalize_ex()