def test_long_length_derive_key(self, key_type, d_type, valid_mechanisms):
"""
Test deriving a key
:param key_type: key generation mechanism
:param d_type: derive mechanism
"""
key_template = get_session_template(get_default_key_template(key_type))
if key_type not in valid_mechanisms:
pytest.skip("Not a valid mechanism on this product")
h_base_key = c_generate_key_ex(self.h_session, key_type, key_template)
mech = NullMech(d_type).to_c_mech()
derived_key_template = key_template.copy()
del derived_key_template[CKA_VALUE_LEN]
ret, h_derived_key = c_derive_key(self.h_session,
h_base_key,
key_template,
mechanism=mech)
try:
self.verify_ret(ret, CKR_OK)
verify_object_attributes(self.h_session, h_derived_key,
key_template)
finally:
if h_base_key:
c_destroy_object(self.h_session, h_base_key)
if h_derived_key:
c_destroy_object(self.h_session, h_derived_key)
def test_derive_dukpt_ipek(self, valid_mechanisms):
"""
Test derive key for the new dukpt ipek mechanism
"""
if CKM_DES2_DUKPT_IPEK not in valid_mechanisms:
pytest.skip(
'This test is only valid for FWs that support CKM_DES2_DUKPT_IPEK'
)
key_template = get_session_template(
get_default_key_template(CKM_DES2_KEY_GEN))
ret, h_base_key = c_generate_key(self.h_session, CKM_DES2_KEY_GEN,
key_template)
mech = StringDataDerivationMechanism(mech_type=CKM_DES2_DUKPT_IPEK,
params={
'data': 0xffff9876543210e00000
}).to_c_mech()
derived_key_template = key_template.copy()
del derived_key_template[CKA_VALUE_LEN]
derived_key_template[CKA_LABEL] = b"DUKPT IPEK"
ret, h_derived_key = c_derive_key(self.h_session,
h_base_key,
derived_key_template,
mechanism=mech)
try:
self.verify_ret(ret, CKR_OK)
verify_object_attributes(self.h_session, h_derived_key,
derived_key_template)
finally:
if h_base_key:
c_destroy_object(self.h_session, h_base_key)
if h_derived_key:
c_destroy_object(self.h_session, h_derived_key)
def test_wrap_unwrap_key(self, mech, k_type, keys):
"""
Test key wrapping
:param mech: encryption mech
:param k_type: key gen mech
:param keys: keys fixture
"""
temp = get_default_key_template(k_type)
unwrap_temp = self.generate_unwrap_temp(k_type)
extra_p = EXTRA_PARAM[mech]
h_key, h_wrap_key = keys[k_type]
if h_key is None or h_wrap_key is None:
pytest.fail("No valid key found for {}".format(LOOKUP[mech][0]))
# Wrap the key
wrap_mech = {"mech_type": mech, "params": extra_p}
ret, wrapped_key = c_wrap_key(self.h_session,
h_wrap_key,
h_key,
mechanism=wrap_mech)
self.verify_ret(ret, CKR_OK)
# Unwrap the Key
ret, h_unwrapped_key = c_unwrap_key(self.h_session,
h_wrap_key,
wrapped_key,
unwrap_temp,
mechanism=wrap_mech)
self.verify_ret(ret, CKR_OK)
# Verify all of the attributes against the originally generated attributes
verify_object_attributes(self.h_session, h_unwrapped_key, temp)
def test_derive_key(self, key_type, d_type):
"""
Test derive key for using parametrized hash
:param key_type: Key-gen mechanism
:param d_type: Hash mech
"""
key_template = get_default_key_template(key_type)
h_base_key = c_generate_key_ex(self.h_session, key_type, key_template)
mech = NullMech(d_type).to_c_mech()
derived_key_template = key_template.copy()
del derived_key_template[CKA_VALUE_LEN]
ret, h_derived_key = c_derive_key(self.h_session,
h_base_key,
key_template,
mechanism=mech)
try:
self.verify_ret(ret, CKR_OK)
verify_object_attributes(self.h_session, h_derived_key,
key_template)
finally:
if h_base_key:
c_destroy_object(self.h_session, h_base_key)
if h_derived_key:
c_destroy_object(self.h_session, h_derived_key)
def test_data_create(self):
"""Tests C_CreateObject with a data template and verifies the object's
attributes
"""
ret, h_object = c_create_object(self.h_session, DATA_TEMPLATE)
assert ret == CKR_OK, \
"The result of creating a data object should be CKR_OK, not" + ret_vals_dictionary[ret]
verify_object_attributes(self.h_session, h_object, DATA_TEMPLATE)
def test_certificate_create(self):
"""Tests C_CreateObject with a certificate template and verifies the object's
attributes
"""
ret, h_object = c_create_object(self.h_session, CERTIFICATE_TEMPLATE)
assert ret == CKR_OK, \
"The result code of creating a " \
"certificate should be CKR_OK, not " + ret_vals_dictionary[ret]
verify_object_attributes(self.h_session, h_object,
CERTIFICATE_TEMPLATE)
