コード例 #1
0
def sym_key_params(request, auth_session, usage_set):
    """
    Generate a key, setting the usage limit by the method described in
    ``usage_set``

    Return that key handle.
    """
    usage_type, limit = usage_set
    key_gen, mechanism = request.param
    key_template = get_session_template(get_default_key_template(key_gen))
    usage_template = {CKA_USAGE_LIMIT: limit}
    if usage_type in ("create", "both", "create_then_use"):
        key_template.update(usage_template)

    h_key = c_generate_key_ex(auth_session,
                              mechanism=key_gen,
                              template=key_template)
    try:
        if usage_type in ("create_then_use", ):
            c_encrypt_ex(auth_session,
                         h_key,
                         b'a' * 2048,
                         mechanism={"mech_type": mechanism})
        if usage_type in ("setattr", "both", "create_then_use"):
            c_set_attribute_value_ex(auth_session, h_key, usage_template)
        yield SymParams(h_key, mechanism)
    finally:
        c_destroy_object(auth_session, h_key)
コード例 #2
0
    def test_usagelimit_exceed_sym(self, auth_session, sym_key_params):
        """Test that changing the usage limit works as expected

           Gen key w/ limit = 5
           Set limit = 2
           Use key 2x
           Verify next usage returns CKR_KEY_NOT_ACTIVE
        """
        LOG.info(
            "Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE \
                  if user try to use crypto object more than limit set on CKA_USAGE_LIMIT"
        )
        usage_lim_template = {CKA_USAGE_LIMIT: 2}

        key, mechanism = sym_key_params

        c_set_attribute_value_ex(auth_session, key, usage_lim_template)

        c_encrypt_ex(auth_session, key, b'a' * 2048, mechanism=mechanism)

        c_encrypt_ex(auth_session, key, b'a' * 2048, mechanism=mechanism)

        return_val, data = c_encrypt(auth_session,
                                     key,
                                     b'a' * 2048,
                                     mechanism=mechanism)

        py_template = c_get_attribute_value_ex(
            auth_session, key, template={CKA_USAGE_COUNT: None})

        usage_val_out = py_template[CKA_USAGE_COUNT]
        LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
                 usage_val_out)
        assert return_val == CKR_KEY_NOT_ACTIVE, "Key should be inactive -- exceeded usage count!"
コード例 #3
0
    def test_usagelimit_sym(self, auth_session, sym_key_params, usage_set):
        """Test: Verify that CKA_USAGE_COUNT attribute increments as user
                  uses the symmetric crypto object

          Gen key w/ limit set to 5
          Use key 5x
          Verify usage count == 5
        """
        _, new_limit = usage_set
        LOG.info(
            "Test: Verify that CKA_USAGE_COUNT attribute increments as user \
                  uses the symmetric crypto object")

        key, mechanism = sym_key_params

        for _ in range(5):
            c_encrypt_ex(auth_session,
                         key,
                         b'a' * 2048,
                         mechanism={"mech_type": mechanism})

        py_template = c_get_attribute_value_ex(
            auth_session, key, template={CKA_USAGE_COUNT: None})

        usage_val_out = py_template[CKA_USAGE_COUNT]
        LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
                 usage_val_out)

        assert new_limit == usage_val_out, "reported USAGE LIMIT does not match"
コード例 #4
0
    def test_set_attribute_usage_count_check_error_CKR_KEY_NOT_ACTIVE_3des(
            self):
        """Test: Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE
                  if user try to use crypto object more than limit set on CKA_USAGE_LIMIT
            Procedure:
            Generate a 3DES key
            Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2
            Use RSA public key 3 times for encryption


        """

        LOG.info(
            "Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE \
                  if user try to use crypto object more than limit set on CKA_USAGE_LIMIT"
        )
        usage_lim_template = {CKA_USAGE_LIMIT: 2}

        h_key = c_generate_key_ex(self.h_session,
                                  mechanism=CKM_DES3_KEY_GEN,
                                  template=CKM_DES3_KEY_GEN_TEMP)
        LOG.info("Called c-generate: Key handle -" + str(h_key))

        c_set_attribute_value_ex(self.h_session, h_key, usage_lim_template)

        c_encrypt_ex(self.h_session,
                     h_key,
                     b'a' * 2048,
                     mechanism={"mech_type": CKM_DES3_ECB})

        c_encrypt_ex(self.h_session,
                     h_key,
                     b'a' * 2048,
                     mechanism={"mech_type": CKM_DES3_ECB})

        return_val, data = c_encrypt(self.h_session,
                                     h_key,
                                     b'a' * 2048,
                                     mechanism={"mech_type": CKM_DES3_ECB})
        LOG.info("Called C_Encrypt, return code: %s", return_val)

        py_template = c_get_attribute_value_ex(
            self.h_session, h_key, template={CKA_USAGE_COUNT: None})

        usage_val_out = py_template[CKA_USAGE_COUNT]
        LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
                 usage_val_out)

        assert return_val == CKR_KEY_NOT_ACTIVE, "reported error code does not match"
コード例 #5
0
    def test_usage_limit_attribute_check_Assym(self):
        """Test: Verify that CKA_USAGE_COUNT attribute increments as user
                  use the assymetric crypto object
            Procedure:
            Generate a RSA Key pair
            Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2
            Use RSA public key twice for encryption
            Use C_getAttributeValue to verify that CKA_USAGE_COUNT is 2


        """

        LOG.info(
            "Test: Verify that CKA_USAGE_COUNT attribute increments as user \
                  use the assymetric crypto object")

        usage_lim_template = {CKA_USAGE_LIMIT: 2}
        usage_count = 2

        h_pbkey, h_prkey = c_generate_key_pair_ex(
            self.h_session,
            mechanism=CKM_RSA_PKCS_KEY_PAIR_GEN,
            pbkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PUBTEMP,
            prkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP)

        LOG.info(
            "Called c-generate: Public Key handle -%s Private Key Handle -%s",
            h_pbkey, h_prkey)

        c_set_attribute_value_ex(self.h_session, h_pbkey, usage_lim_template)
        c_encrypt_ex(self.h_session,
                     h_pbkey,
                     b'a' * 20,
                     mechanism={"mech_type": CKM_RSA_PKCS})

        c_encrypt_ex(self.h_session,
                     h_pbkey,
                     b'a' * 20,
                     mechanism={"mech_type": CKM_RSA_PKCS})

        py_template = c_get_attribute_value_ex(
            self.h_session, h_pbkey, template={CKA_USAGE_COUNT: None})

        usage_val_out = py_template[CKA_USAGE_COUNT]
        LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
                 usage_val_out)
        assert usage_count == usage_val_out, "reported USAGE LIMIT does not match"
コード例 #6
0
    def test_set_attribute_usage_count_check_error_CKR_KEY_NOT_ACTIVE_rsa(
            self):
        """Test: Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE
                  if user try to use crypto object more than limit set on CKA_USAGE_LIMIT
            Procedure:
            Generate a RSA Key pair
            Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2
            Use RSA public key 3 times for encryption


        """

        usage_lim_template = {CKA_USAGE_LIMIT: 2}

        h_pbkey, h_prkey = c_generate_key_pair_ex(
            self.h_session,
            mechanism=CKM_RSA_PKCS_KEY_PAIR_GEN,
            pbkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PUBTEMP,
            prkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP)

        LOG.info(
            "Called c-generate: Public Key handle -%s Private Key Handle - %s",
            h_pbkey, h_prkey)

        c_set_attribute_value_ex(self.h_session, h_pbkey, usage_lim_template)

        c_encrypt_ex(self.h_session,
                     h_pbkey,
                     b'a' * 20,
                     mechanism={"mech_type": CKM_RSA_PKCS})

        c_encrypt_ex(self.h_session,
                     h_pbkey,
                     b'a' * 20,
                     mechanism={"mech_type": CKM_RSA_PKCS})

        return_val, data = c_encrypt(self.h_session,
                                     h_pbkey,
                                     b'a' * 20,
                                     mechanism={"mech_type": CKM_RSA_PKCS})
        LOG.info("Called C_Encrypt, return code: %s", return_val)
        py_template = c_get_attribute_value_ex(
            self.h_session, h_pbkey, template={CKA_USAGE_COUNT: None})

        usage_val_out = py_template[CKA_USAGE_COUNT]
        assert return_val == CKR_KEY_NOT_ACTIVE, "reported error code does not match"
コード例 #7
0
    def test_usage_limit_attribute_check_sym_des(self):
        """Test: Verify that CKA_USAGE_COUNT attribute increments as user
                  use the symmetric crypto object
            Procedure:
            Generate a DES Key
            Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2
            Use des key twice for encryption
            Use C_getAttributeValue to verify that CKA_USAGE_COUNT is 2


        """
        LOG.info(
            "Test: Verify that CKA_USAGE_COUNT attribute increments as user \
                  use the symmetric crypto object")
        usage_lim_template = {CKA_USAGE_LIMIT: 2}

        usage_count = 2

        h_key = c_generate_key_ex(self.h_session,
                                  mechanism=CKM_DES_KEY_GEN,
                                  template=CKM_DES_KEY_GEN_TEMP)
        LOG.info("Called c-generate: Key handle -%s", h_key)

        c_set_attribute_value_ex(self.h_session, h_key, usage_lim_template)

        c_encrypt_ex(self.h_session,
                     h_key,
                     b'a' * 2048,
                     mechanism={"mech_type": CKM_DES_ECB})

        c_encrypt_ex(self.h_session,
                     h_key,
                     b'a' * 2048,
                     mechanism={"mech_type": CKM_DES_ECB})

        py_template = c_get_attribute_value_ex(
            self.h_session, h_key, template={CKA_USAGE_COUNT: None})

        usage_val_out = py_template[CKA_USAGE_COUNT]
        LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
                 usage_val_out)

        assert usage_count == usage_val_out, "reported USAGE LIMIT does not match"
コード例 #8
0
def encrypt(password, kek_label, plaintext_path):
    '''
        Encrypt plain text to cipher text
        password - string CryptoUser role password
        kek_label - string label of decryption key in HSM
        plaintext_path - path of base64 encoded data to be encrypted
    '''
    plaintext = open(plaintext_path, 'rb').read()
    encrypted = None
    i = 0
    while i < 2:
        try:
            auth_session = None
            _initialize()
            auth_session = c_open_session_ex(i)
            login_ex(auth_session, i, password, CKU_CRYPTO_USER)

            kek_handle = None
            kek_handle = c_find_objects_ex(auth_session, {
                CKA_KEY_TYPE: CKK_AES,
                CKA_LABEL: kek_label
            }, 1)
            if kek_handle:
                params = {"iv": list(range(16)), "AAD": [], "ulTagBits": 128}
                mechanism = Mechanism(mech_type=CKM_AES_GCM, params=params)
                encrypted = c_encrypt_ex(auth_session, kek_handle[0],
                                         plaintext, mechanism)
                encrypted = array.array('B', list(
                    range(16))).tostring() + encrypted
                break
            else:
                i += 1
        except LunaCallException:
            print("Exception running key mgmt operation on slot " + str(i))
            print(traceback.format_exc())
            i += 1
        finally:
            if auth_session:
                c_logout_ex(auth_session)
                c_close_session_ex(auth_session)
            c_finalize_ex()

    if encrypted:
        ciphertext = base64.b64encode(encrypted)
        return ciphertext
    else:
        raise Exception("Failed to encrypt DEK")
コード例 #9
0
    def test_x9_key_derive(self, auth_session, curve_type):
        """
        Test we can do X9 key derivation
        """
        derived_key2 = derived_key1 = pub_key1 = pub_key2 = prv_key2 = prv_key1 = None
        derived_template = {
            CKA_CLASS: CKO_SECRET_KEY,
            CKA_KEY_TYPE: CKK_DES,
            CKA_ENCRYPT: True,
            CKA_DECRYPT: True,
            CKA_PRIVATE: True,
            CKA_SENSITIVE: True
        }
        pub_temp, priv_temp = get_default_key_pair_template(
            CKM_ECDSA_KEY_PAIR_GEN)
        priv_temp = get_session_template(priv_temp)
        pub_temp = get_session_template(pub_temp)
        pub_temp[CKA_ECDSA_PARAMS] = curve_list[curve_type]

        pub_key1, prv_key1 = c_generate_key_pair_ex(auth_session,
                                                    CKM_ECDSA_KEY_PAIR_GEN,
                                                    pbkey_template=pub_temp,
                                                    prkey_template=priv_temp)
        try:
            pub_key2, prv_key2 = c_generate_key_pair_ex(
                auth_session,
                CKM_ECDSA_KEY_PAIR_GEN,
                pbkey_template=pub_temp,
                prkey_template=priv_temp)

            pub_key1_raw = c_get_attribute_value_ex(
                auth_session, pub_key1, {CKA_EC_POINT: None})[CKA_EC_POINT]
            pub_key2_raw = c_get_attribute_value_ex(
                auth_session, pub_key2, {CKA_EC_POINT: None})[CKA_EC_POINT]
            derived_key1 = c_derive_key_ex(auth_session,
                                           h_base_key=prv_key2,
                                           template=derived_template,
                                           mechanism={
                                               "mech_type": CKM_ECDH1_DERIVE,
                                               "params": {
                                                   "kdf": CKD_NULL,
                                                   "sharedData": None,
                                                   "publicData": pub_key1_raw
                                               }
                                           })

            derived_key2 = c_derive_key_ex(auth_session,
                                           h_base_key=prv_key1,
                                           template=derived_template,
                                           mechanism={
                                               "mech_type": CKM_ECDH1_DERIVE,
                                               "params": {
                                                   "kdf": CKD_NULL,
                                                   "sharedData": None,
                                                   "publicData": pub_key2_raw
                                               }
                                           })
            cipher_data = c_encrypt_ex(auth_session,
                                       derived_key1,
                                       data=DATA,
                                       mechanism=CKM_DES_ECB)
            restored_text = c_decrypt_ex(auth_session,
                                         derived_key2,
                                         cipher_data,
                                         mechanism=CKM_DES_ECB)
            assert DATA == restored_text.rstrip(b'\x00')
        finally:
            for key in (pub_key1, prv_key1, pub_key2, prv_key2, derived_key1,
                        derived_key2):
                if key:
                    c_destroy_object(auth_session, key)
コード例 #10
0
    def test_symmetric_key_expiry_des(self):
        """Test: Verify that user is not able to use the symmetric object after date specified in
                    CKA_END_DATE attribute
            Procedure:
            Generate a DES Key des1
            Use des1 in encrypt operation. Should work fine
            Using audit role, change the date of HSM to 12/31/2013
            Use des1 in encrypt operation


        """

        logger.info(
            "Test: Verify that user is not able to use the symmetric object after date "
            "specified in \
                    CKA_END_DATE attribute")

        end_d = {'year': b"2013", 'month': b"12", 'day': b"31"}

        CKM_KEY_GEN_TEMP = {
            CKA_CLASS: CKO_SECRET_KEY,
            CKA_KEY_TYPE: CKK_DES,
            CKA_TOKEN: True,
            CKA_SENSITIVE: True,
            CKA_PRIVATE: True,
            CKA_ENCRYPT: True,
            CKA_DECRYPT: True,
            CKA_SIGN: True,
            CKA_VERIFY: True,
            CKA_WRAP: True,
            CKA_UNWRAP: True,
            CKA_DERIVE: True,
            CKA_VALUE_LEN: 8,
            CKA_EXTRACTABLE: True,
            CKA_LABEL: b"DES Key",
            CKA_END_DATE: end_d
        }

        h_key = c_generate_key_ex(self.h_session,
                                  flavor=CKM_DES_KEY_GEN,
                                  template=CKM_KEY_GEN_TEMP)
        logger.info("Called c-generate: Key handle -" + str(h_key))

        c_encrypt_ex(self.h_session, CKM_DES_ECB, h_key, b"a" * 512)

        c_logout_ex(self.h_session)
        c_close_session_ex(self.h_session)

        ca_init_audit_ex(self.admin_slot, AUDITOR_PASSWORD, AUDITOR_LABEL)

        h_session2 = c_open_session_ex(slot_num=self.admin_slot,
                                       flags=(CKF_SERIAL_SESSION
                                              | CKF_AUDIT_SESSION))
        login_ex(h_session2, self.admin_slot, AUDITOR_PASSWORD, CKU_AUDIT)

        dt = datetime(2014, 1, 31)
        epoch = datetime.utcfromtimestamp(0)
        delta = dt - epoch
        hsm_dt = delta.total_seconds()
        hsm_new_date = int(hsm_dt)

        ca_time_sync_ex(h_session2, hsm_new_date)

        hsm_time = ca_get_time_ex(h_session2)

        c_logout_ex(h_session2)
        c_close_session_ex(h_session2)

        h_session = c_open_session_ex(slot_num=self.admin_slot)
        login_ex(h_session, self.admin_slot, CO_PASSWORD, CKU_USER)

        return_val = c_encrypt(h_session, h_key,
                               b"This is some data to sign ..   ", CKM_DES_ECB)

        assert return_val == CKR_KEY_NOT_ACTIVE, "return value should be CKR_KEY_NOT_ACTIVE"
        c_logout_ex(h_session)
        c_close_session_ex(h_session)
コード例 #11
0
    def test_asymmetric_key_expiry_rsa(self):
        """Test: Verify that user is not able to use the rsa asymmetric object after date
        specified in
                    CKA_END_DATE attribute
            Procedure:
            Generate a rsa Key rsa1
            Use des1 in encrypt operation. Should work fine
            Using audit role, change the date of HSM to 12/31/2013
            Use rsa1 in encrypt operation


        """

        logger.info(
            "Test: Verify that user is not able to use the rsa asymmetric object after "
            "date specified in \
                    CKA_END_DATE attribute")
        end_d = {'year': b"2013", 'month': b"12", 'day': b"31"}

        CKM_RSA_PKCS_KEY_PAIR_GEN_PUBTEMP = {
            CKA_TOKEN: True,
            CKA_PRIVATE: True,
            CKA_MODIFIABLE: True,
            CKA_ENCRYPT: True,
            CKA_VERIFY: True,
            CKA_WRAP: True,
            CKA_MODULUS_BITS: 1024,  # long 0 - MAX_RSA_KEY_NBITS
            CKA_PUBLIC_EXPONENT: 3,  # byte
            CKA_END_DATE: end_d,
            CKA_LABEL: "RSA Public Key"
        }

        CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP = {
            CKA_TOKEN: True,
            CKA_PRIVATE: True,
            CKA_SENSITIVE: True,
            CKA_MODIFIABLE: True,
            CKA_EXTRACTABLE: True,
            CKA_DECRYPT: True,
            CKA_SIGN: True,
            CKA_UNWRAP: True,
            CKA_END_DATE: end_d,
            CKA_LABEL: b"RSA Private Key"
        }

        h_pbkey, h_prkey = c_generate_key_pair_ex(
            self.h_session,
            flavor=CKM_RSA_PKCS_KEY_PAIR_GEN,
            pbkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PUBTEMP,
            prkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP,
            mech=None)
        logger.info("Called c-generate: Public Key handle -" + str(h_pbkey) +
                    "Private Key Handle" + str(h_prkey))

        c_encrypt_ex(self.h_session, CKM_RSA_PKCS, h_pbkey,
                     b"This is some data to sign ..   ")

        c_logout_ex(self.h_session)
        c_close_session_ex(self.h_session)

        ca_init_audit_ex(self.admin_slot, AUDITOR_PASSWORD, AUDITOR_LABEL)

        h_session2 = c_open_session_ex(slot_num=self.admin_slot,
                                       flags=(CKF_SERIAL_SESSION
                                              | CKF_AUDIT_SESSION))
        login(h_session2, self.admin_slot, AUDITOR_PASSWORD, CKU_AUDIT)

        dt = datetime(2014, 1, 31)
        epoch = datetime.utcfromtimestamp(0)
        delta = dt - epoch
        hsm_dt = delta.total_seconds()
        hsm_new_date = int(hsm_dt)
        ca_time_sync_ex(h_session2, hsm_new_date)

        hsm_time = ca_get_time_ex(h_session2)
        #        print datetime.fromtimestamp(float(hsm_time.value))
        c_logout_ex(h_session2)
        c_close_session_ex(h_session2)

        h_session = c_open_session_ex(slot_num=self.admin_slot)
        login_ex(h_session, self.admin_slot, CO_PASSWORD, CKU_USER)

        return_val = c_encrypt(h_session, h_pbkey,
                               b"This is some data to sign ..   ",
                               CKM_RSA_PKCS)
        logger.info("Called C_Encrypt, return code: " + str(return_val))
        assert return_val == CKR_KEY_NOT_ACTIVE, "Expected return code is CKR_KEY_NOT_ACTIVE"