def generate_wrap(self):
w_id = random.randint(1, 0xFFFE)
a_id = random.randint(1, 0xFFFE)
wrapkey = WrapKey.generate(
self.session,
w_id,
"Generate Wrap 0x%04x" % w_id,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
)
asymkey = AsymmetricKey.generate(
self.session,
a_id,
"Generate Wrap 0x%04x" % a_id,
0xFFFF,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.EC_P256,
)
origin = asymkey.get_info().origin
self.assertEqual(origin, 0x01)
self.assertTrue(origin.generated)
self.assertFalse(origin.imported)
self.assertFalse(origin.wrapped)
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapped = wrapkey.export_wrapped(asymkey)
wrapped2 = wrapkey.export_wrapped(asymkey)
self.assertNotEqual(wrapped, wrapped2)
asymkey.delete()
self.assertRaises(YubiHsmDeviceError, asymkey.get_public_key)
asymkey = wrapkey.import_wrapped(wrapped)
origin = asymkey.get_info().origin
self.assertEqual(origin, 0x11)
self.assertTrue(origin.generated)
self.assertFalse(origin.imported)
self.assertTrue(origin.wrapped)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
self.assertNotEqual(resp, None)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapkey.delete()
def test_generate_wrap(session):
w_id = random.randint(1, 0xFFFE)
a_id = random.randint(1, 0xFFFE)
wrapkey = WrapKey.generate(
session,
w_id,
"Generate Wrap 0x%04x" % w_id,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
)
asymkey = AsymmetricKey.generate(
session,
a_id,
"Generate Wrap 0x%04x" % a_id,
0xFFFF,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.EC_P256,
)
origin = asymkey.get_info().origin
assert origin == ORIGIN.GENERATED
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapped = wrapkey.export_wrapped(asymkey)
wrapped2 = wrapkey.export_wrapped(asymkey)
assert wrapped != wrapped2
asymkey.delete()
pytest.raises(YubiHsmDeviceError, asymkey.get_public_key)
asymkey = wrapkey.import_wrapped(wrapped)
origin = asymkey.get_info().origin
assert origin == ORIGIN.IMPORTED_WRAPPED | ORIGIN.GENERATED
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
assert resp is not None
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapkey.delete()
def key_in_list(self, keytype, algorithm=None):
dom = None
cap = 0
key_label = "%s%s" % (str(
uuid.uuid4()), b"\xf0\x9f\x98\x83".decode("utf8"))
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(self.session, 0, key_label, dom, cap,
algorithm, cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
self.session,
0,
key_label,
dom,
cap,
0,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
objlist = self.session.list_objects(object_id=key.id,
object_type=key.object_type)
self.assertEqual(objlist[0].id, key.id)
self.assertEqual(objlist[0].object_type, key.object_type)
objinfo = objlist[0].get_info()
self.assertEqual(objinfo.id, key.id)
self.assertEqual(objinfo.object_type, key.object_type)
self.assertEqual(objinfo.domains, dom)
self.assertEqual(objinfo.capabilities, cap)
if algorithm:
self.assertEqual(objinfo.algorithm, algorithm)
if key.object_type == OBJECT.AUTHENTICATION_KEY:
self.assertEqual(objinfo.origin, ORIGIN.IMPORTED)
else:
self.assertEqual(objinfo.origin, ORIGIN.GENERATED)
self.assertEqual(objinfo.label, key_label)
key.delete()
def test_wrap_data(self):
w_id = random.randint(1, 0xfffe)
key_label = 'Key in List 0x%04x' % w_id
key = WrapKey.generate(self.session, w_id, key_label, 1,
CAPABILITY.WRAP_DATA | CAPABILITY.UNWRAP_DATA,
ALGORITHM.AES256_CCM_WRAP, 0)
for size in (1, 16, 128, 1024, 1989):
data = os.urandom(size)
wrapped = key.wrap_data(data)
data2 = key.unwrap_data(wrapped)
self.assertEqual(data, data2)
def key_in_list(self, session, keytype, algorithm=None):
dom = None
cap = CAPABILITY.NONE
key_label = "%s%s" % (str(uuid.uuid4()), b"\xf0\x9f\x98\x83".decode())
key: YhsmObject
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(session, 0, key_label, dom, cap, algorithm,
cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(session, 0, key_label, dom, cap, algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
session,
0,
key_label,
dom,
cap,
cap,
"password",
)
objlist = session.list_objects(object_id=key.id,
object_type=key.object_type)
assert objlist[0].id == key.id
assert objlist[0].object_type == key.object_type
objinfo = objlist[0].get_info()
assert objinfo.id == key.id
assert objinfo.object_type == key.object_type
assert objinfo.domains == dom
assert objinfo.capabilities == cap
if algorithm:
assert objinfo.algorithm == algorithm
if key.object_type == OBJECT.AUTHENTICATION_KEY:
assert objinfo.origin == ORIGIN.IMPORTED
else:
assert objinfo.origin == ORIGIN.GENERATED
assert objinfo.label == key_label
key.delete()
def test_wrap_data(session):
w_id = random.randint(1, 0xFFFE)
key_label = "Key in List 0x%04x" % w_id
key = WrapKey.generate(
session,
w_id,
key_label,
1,
CAPABILITY.WRAP_DATA | CAPABILITY.UNWRAP_DATA,
ALGORITHM.AES256_CCM_WRAP,
CAPABILITY.NONE,
)
for size in (1, 16, 128, 1024, 1989):
data = os.urandom(size)
wrapped = key.wrap_data(data)
data2 = key.unwrap_data(wrapped)
assert data == data2
