def test_mech_conversions(self, flavor):
"""
Test that converting each mechanism works as expected w/ valid params.
"""
params = MECH_PARAMS[flavor]
mech = Mechanism(flavor, params=params)
cmech = mech.to_c_mech()
# Would prefer to check if it's a c_void_p, but it gets transformed directly to
# an int/long depending on memory location.
assert isinstance(cmech.pParameter, (integer_types, c_ulong))
assert isinstance(cmech.usParameterLen, (integer_types, c_ulong))
assert isinstance(cmech, CK_MECHANISM)
assert cmech.mechanism == flavor
def test_null_mechanism_indirect_instantiation(self):
"""
Test automech by instantiating Mechanism() instead of AutoMech()
:return:
"""
# Patch the mechanism lookup so that we don't have to have an undefined
# mechanism to test the automech.
with patch.dict(MECH_LOOKUP, {}, clear=True):
pymech = Mechanism(CKM_RSA_PKCS_PSS)
assert isinstance(pymech, NullMech)
cmech = pymech.to_c_mech()
assert cmech.pParameter is None
assert cmech.usParameterLen == 0
def test_default_iv6_params(self):
"""
Verify passing no IV to a mech requiring an IV will use the default value.
"""
cmech = Mechanism(CKM_AES_CBC).to_c_mech()
rawiv = cast(cmech.pParameter, POINTER(c_ubyte))
iv = [rawiv[x] for x in range(cmech.usParameterLen)]
assert iv == [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8]
def test_default_iv_params(self):
"""
Verify passing no IV to a mech requiring an IV will use the default value.
"""
cmech = Mechanism(CKM_DES3_CBC).to_c_mech()
rawiv = cast(cmech.pParameter, POINTER(c_ubyte))
iv = [rawiv[x] for x in range(cmech.usParameterLen)]
assert iv == [0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38]
def test_missing_params(self, flavor, params):
"""
Test that missing parameters for various mechs raises the appropriate exception.
:param crypto_session:
:return:
"""
with pytest.raises(MechanismException) as excinfo:
mech = Mechanism(flavor)
for x in params:
assert x in str(excinfo.value)
def encrypt(password, kek_label, plaintext_path):
'''
Encrypt plain text to cipher text
password - string CryptoUser role password
kek_label - string label of decryption key in HSM
plaintext_path - path of base64 encoded data to be encrypted
'''
plaintext = open(plaintext_path, 'rb').read()
encrypted = None
i = 0
while i < 2:
try:
auth_session = None
_initialize()
auth_session = c_open_session_ex(i)
login_ex(auth_session, i, password, CKU_CRYPTO_USER)
kek_handle = None
kek_handle = c_find_objects_ex(auth_session, {
CKA_KEY_TYPE: CKK_AES,
CKA_LABEL: kek_label
}, 1)
if kek_handle:
params = {"iv": list(range(16)), "AAD": [], "ulTagBits": 128}
mechanism = Mechanism(mech_type=CKM_AES_GCM, params=params)
encrypted = c_encrypt_ex(auth_session, kek_handle[0],
plaintext, mechanism)
encrypted = array.array('B', list(
range(16))).tostring() + encrypted
break
else:
i += 1
except LunaCallException:
print("Exception running key mgmt operation on slot " + str(i))
print(traceback.format_exc())
i += 1
finally:
if auth_session:
c_logout_ex(auth_session)
c_close_session_ex(auth_session)
c_finalize_ex()
if encrypted:
ciphertext = base64.b64encode(encrypted)
return ciphertext
else:
raise Exception("Failed to encrypt DEK")
def decrypt(password, kek_label, path_to_plain_text):
'''
Decrypt cipher text to plain text
password - string CryptoUser role password
kek_label - string label of decryption key in HSM
path_to_plain_text - path of base64 encoded data to be decrypted
'''
ciphertext = open(path_to_plain_text, 'rb').read()
decrypted = None
i = 0
while i < 2:
try:
cipher = base64.b64decode(ciphertext)
auth_session = None
_initialize()
auth_session = c_open_session_ex(i)
login_ex(auth_session, i, password, CKU_CRYPTO_USER)
kek_handle = None
kek_handle = c_find_objects_ex(auth_session,
{CKA_KEY_TYPE: CKK_AES, CKA_LABEL: kek_label},
1)
if kek_handle:
params = {"iv": cipher[:16], "AAD": [], "ulTagBits": 128}
mechanism = Mechanism(mech_type=CKM_AES_GCM, params=params)
decrypted = c_decrypt_ex(auth_session, kek_handle[0], cipher[16:], mechanism)
break
else:
i += 1
except LunaCallException:
i += 1
except Exception:
raise("Failed to decrypt DEK")
finally:
if auth_session:
c_logout_ex(auth_session)
c_close_session_ex(auth_session)
c_finalize_ex()
if decrypted:
return decrypted
else:
raise Exception("Failed to decrypt DEK")
"""
Testcases for string helpers
"""
import pytest
from pycryptoki.mechanism import Mechanism
from pycryptoki.defines import CKM_DES_ECB, CKM_AES_CBC
from pycryptoki.string_helpers import _decode, _coerce_mech_to_str
@pytest.mark.parametrize("value,ret",
[(b"this is a test string", u"this is a test string"),
(b"\x01\x23\x82\x20\x01\xb6\x09\xd2\xb6|gN\xcc",
u"0123822001b609d2b67c674ecc"),
(None, None),
(b"", u"")])
def test_decode(value, ret):
assert _decode(value) == ret
CBC_OUT = """Iv16Mechanism(mech_type: CKM_AES_CBC,
iv: [0, 1, 2, 3, 4, 5, 6, 7])"""
@pytest.mark.parametrize("mech,output",
[({"mech_type": CKM_DES_ECB}, "NullMech(mech_type: CKM_DES_ECB)"),
(Mechanism(CKM_AES_CBC, params={'iv': list(range(8))}), CBC_OUT)])
def test_mech_printing(mech, output):
assert _coerce_mech_to_str(mech) == output
