def keypair(request, session, curve): if request.param == Mode.GENERATE: asymkey = AsymmetricKey.generate( session, 0, "Generate EC", 0xFFFF, CAPABILITY.SIGN_ECDSA | CAPABILITY.DERIVE_ECDH, ALGORITHM.for_curve(curve()), ) public_key = asymkey.get_public_key() else: key = ec.generate_private_key(curve(), backend=default_backend()) asymkey = AsymmetricKey.put( session, 0, "SECP ECDSA Sign Sign", 0xFFFF, CAPABILITY.SIGN_ECDSA | CAPABILITY.DERIVE_ECDH, key, ) public_key = key.public_key() assert public_key.public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo, ) == asymkey.get_public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo, ) yield asymkey, public_key asymkey.delete()
def eddsa_keypair(request, session): if request.param == Mode.GENERATE: key = None asymkey = AsymmetricKey.generate( session, 0, "Generate EC", 0xFFFF, CAPABILITY.SIGN_EDDSA, ALGORITHM.EC_ED25519, ) public_key = asymkey.get_public_key() else: key = ed25519.Ed25519PrivateKey.generate() asymkey = AsymmetricKey.put(session, 0, "Test Ed25519", 0xFFFF, CAPABILITY.SIGN_EDDSA, key) public_key = key.public_key() assert public_key.public_bytes( serialization.Encoding.Raw, serialization.PublicFormat.Raw) == asymkey.get_public_key( ).public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw) yield asymkey, public_key, key asymkey.delete()
def sign(self, bytes, keynum=-1): if keynum == -1: keynum = self.keynum key = AsymmetricKey(self.session, keynum) sig = key.sign_eddsa(bytes) encoded_sig = base64.standard_b64encode(sig).decode() return encoded_sig
def pubkey_rsa(self, keysize): key = rsa.generate_private_key(public_exponent=0x10001, key_size=keysize, backend=default_backend()) asymkey = AsymmetricKey.put(self.session, 0, "Pubkey RSA", 0xFFFF, CAPABILITY.SIGN_PKCS, key) pub = asymkey.get_public_key() self.assertEqual( pub.public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo, ), key.public_key().public_bytes( encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo, ), ) data = os.urandom(64) resp = asymkey.sign_pkcs1v1_5(data) pub.verify(resp, data, padding.PKCS1v15(), hashes.SHA256()) asymkey.delete()
def rsa_pss_sign(self, keysize, hashtype, mgf1hash=None): if mgf1hash is None: mgf1hash = hashtype key = rsa.generate_private_key(public_exponent=0x10001, key_size=keysize, backend=default_backend()) asymkey = AsymmetricKey.put(self.session, 0, "RSA PSS Sign", 0xFFFF, CAPABILITY.SIGN_PSS, key) # No salt data = os.urandom(64) resp = asymkey.sign_pss(data, 0, hash=hashtype, mgf_hash=mgf1hash) key.public_key().verify(resp, data, padding.PSS(padding.MGF1(mgf1hash), 0), hashtype) # Max - len salt saltlen = keysize // 8 - hashtype.digest_size - 2 data = os.urandom(64) resp = asymkey.sign_pss(data, saltlen, hash=hashtype, mgf_hash=mgf1hash) key.public_key().verify( resp, data, padding.PSS(padding.MGF1(mgf1hash), padding.PSS.MAX_LENGTH), hashtype, ) asymkey.delete()
def test_rsa_pkcs1_decrypt_errors(self): rawmessages = [ # no actual padding bytes: b"\x00\x02\x00" + b"\xc3" * 236 + b"\x00", # first byte != 0x00: b"\x01\x02" + b"\xc3" * 237 + b"\x00", # second byte != 0x02: b"\x00\x01" + b"\xc3" * 237 + b"\x00", # only 7 bytes of padding: b"\x00\x02" + b"\xc3" * 7 + b"\x00" + b"\x3c" * 246, ] rsakey = rsa.generate_private_key(public_exponent=0x10001, key_size=2048, backend=default_backend()) key = AsymmetricKey.put(self.session, 0, "pkcs1 test", 0xFFFF, CAPABILITY.DECRYPT_PKCS, rsakey) numbers = key.get_public_key().public_numbers() for m in rawmessages: error = ERROR.OK m = m.ljust(256, b"\xc3") m_int = int_from_bytes(m, "big") enc = pow(m_int, numbers.e, numbers.n) try: key.decrypt_pkcs1v1_5(int_to_bytes(enc).rjust(256, b"\x00")) except YubiHsmDeviceError as e: error = e.code self.assertEqual(error, ERROR.INVALID_DATA) key.delete()
def test_bad_ecdh_keys(self): pubkeys = [ # this is a public key not on the curve (p256) "04cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebaca", # noqa E501 # all zeroes public key "0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", # noqa E501 # all ff public key "04ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", # noqa E501 ] key = AsymmetricKey.generate( self.session, 0, "badkey ecdh test", 0xFFFF, CAPABILITY.DERIVE_ECDH, ALGORITHM.EC_P256, ) keyid = struct.pack("!H", key.id) for pubkey in pubkeys: with self.assertRaises(YubiHsmDeviceError) as context: self.session.send_secure_cmd(COMMAND.DERIVE_ECDH, keyid + a2b_hex(pubkey)) self.assertEqual(context.exception.code, ERROR.INVALID_DATA) key.delete()
def oaep_rsa_decrypt(self, keylength, hashtype, mgf1hash=None): if mgf1hash is None: mgf1hash = hashtype key = rsa.generate_private_key(public_exponent=0x10001, key_size=keylength, backend=default_backend()) asymkey = AsymmetricKey.put(self.session, 0, "OAEP RSA Decrypt", 0xFFFF, CAPABILITY.DECRYPT_OAEP, key) data = os.urandom(64) ciphertext = key.public_key().encrypt( data, padding.OAEP(mgf=padding.MGF1(algorithm=mgf1hash), algorithm=hashtype, label=None), ) dec = asymkey.decrypt_oaep(ciphertext, hash=hashtype, mgf_hash=mgf1hash) self.assertEqual(data, dec) asymkey.delete()
def generate_wrap(self): w_id = random.randint(1, 0xFFFE) a_id = random.randint(1, 0xFFFE) wrapkey = WrapKey.generate( self.session, w_id, "Generate Wrap 0x%04x" % w_id, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP, ) asymkey = AsymmetricKey.generate( self.session, a_id, "Generate Wrap 0x%04x" % a_id, 0xFFFF, CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP, ALGORITHM.EC_P256, ) origin = asymkey.get_info().origin self.assertEqual(origin, 0x01) self.assertTrue(origin.generated) self.assertFalse(origin.imported) self.assertFalse(origin.wrapped) pub = asymkey.get_public_key() data = os.urandom(64) resp = asymkey.sign_ecdsa(data) pub.verify(resp, data, ec.ECDSA(hashes.SHA256())) wrapped = wrapkey.export_wrapped(asymkey) wrapped2 = wrapkey.export_wrapped(asymkey) self.assertNotEqual(wrapped, wrapped2) asymkey.delete() self.assertRaises(YubiHsmDeviceError, asymkey.get_public_key) asymkey = wrapkey.import_wrapped(wrapped) origin = asymkey.get_info().origin self.assertEqual(origin, 0x11) self.assertTrue(origin.generated) self.assertFalse(origin.imported) self.assertTrue(origin.wrapped) data = os.urandom(64) resp = asymkey.sign_ecdsa(data) self.assertNotEqual(resp, None) pub.verify(resp, data, ec.ECDSA(hashes.SHA256())) wrapkey.delete()
def test_vectors(self): for v in self.vectors: key = load_ed25519_private_key(v["key"]) k = AsymmetricKey.put(self.session, 0, "Test Ed25519", 0xFFFF, CAPABILITY.SIGN_EDDSA, key) self.assertEqual(serialize_ed25519_public_key(k.get_public_key()), v["pubkey"]) self.assertEqual(k.sign_eddsa(v["msg"]), v["sig"]) k.delete()
def test_eddsa_vectors(session, vector): key = ed25519.Ed25519PrivateKey.from_private_bytes(vector["key"]) k = AsymmetricKey.put(session, 0, "Test Ed25519", 0xFFFF, CAPABILITY.SIGN_EDDSA, key) assert (k.get_public_key().public_bytes( serialization.Encoding.Raw, serialization.PublicFormat.Raw) == vector["pubkey"]) assert k.sign_eddsa(vector["msg"]) == vector["sig"] k.delete()
def test_oaep_double0(self): data = a2b_hex( "77294f3a4f5cfc921d9255a6895f8d2397e7d312e1b10b41c88b025748f0b6d4c41c4bdc6309388648a3b7a07112a11f831d9d6e1af1408fae875be2868bc4d0" # noqa: E501 ) # this ciphertext is special as it decrypts to a valid plaintext # starting with 0000 ciphertext = a2b_hex( "add1fd0bc2e9439a76c53fa4655e4bef77394dee407903604d665ba0e506334ddffc689e3bec658fc15c80c70ffddb8a8ce578d441926106316067a8c5e8b5f2655d035eff1525cf697720baf510af722d14539ccaf605785a9f4cfd284e4b496c54684a0c72fae522be186aedcedf47da63408065345180e30d7cb003cd64b5ce508ea029999ad695f1f2464fb659db5c2779631f1c27d650bc8b7ae23048b8dc1d51ad9623a4af0f7363f74eed0e16d947322d1a3a76ef8dbdf9c0258f393c0f2d7ebaccfcc116f759f0e9077387de74b1cb82851e1ded0128e48bbde389bd407cf8339752b9c070bf22ad64eaa12ee996f474a6412f7642aa0fa66873b5d2" # noqa: E501 ) h = hashes.SHA1() rsapem = b""" -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA7mKlVPrZdxLkYrfGESb3KI4UbWKaKOfX49LqZ2pUypF13VRi yqfpBbjAJztEy8BvOgbIEJgDtRVyUHCO+pfs6uVakYEcbLZzP92iZaFTwa9//B+P Hq+vtNejdO5Zsqd1s11bCPy6vpPXeMPbbT5s9gR7ENGdNwUkusVRtQweJAd5icVU edewI/4npIZG7To0iKUS4OvuqKWi/ms9fpi5l5BeJkok+5P7nQlmE5H5P+MuHUaC KHPdzbfaqIYof11XhsUYzgvEZnhz/YPwDiMiLXpZD0kT7azZWjz38rmWCz0tdh7a Cs/Lu1n17KrtT62kXYeO1Ni5Osy43xEHcqp5WQIDAQABAoIBAHrv+J+4tknIPmwC pmzWEYSisTowLZyG5Dmj3irzFUNafNRl3oTwzyWaP857rGD/ntzn/mlAXDkZFFkT k0j87Lu/CFQdp5ERDqKTJFsRNeafIXvesqp6pDy5MJzvBucxoWuc64PZAl2iVO78 4r6WAQ9nBCiKUW+8gVKozBh4ZVriWRYhe1JD06OVrOxws2Aql8/3BooO14f0DeSe 6tgn49d3c6/lrFe/vB+46kDg4FNxeTozGgIcI6siVAFEaJkBU629SEGLJW1O1Zcx tL41xK27S/BW47sSE91D7TT/0DYH7c1KNNx4IRx8B+AHo/lkyCawVUVmeYPrjC90 oGe27gECgYEA/Pkk9p0+t9ir6gUibkh1XoAVzryPnMCeCXenpTvFKjfOXdr5Sy2w ZSYGJXcUm82G0XRB+WWyTtFvPUYCt7gJ3ncqrVSAa2LhgWowk0CpyOtm6isrRWrh 3wXj4mRzZuIe0XNnS/4gb/1+8I826r4CwOWrxUASP8bYTLB9nkglK/kCgYEA8TzR np/2lyJVbuqAMOymel0ZUEh+yWEOif5nQGely6QVmUmAuCH+pP8pmCCreAuu/mQ9 U1obXMmr5D0rH7jA4z8DAeGXSvPVN7MJlpS1HoPGzDnKuuDad8/rJUXyKOACYXw5 xeXtQnf+5AHC0G8IFmru1G4C6UsyRkG/gpVPUGECgYEA7OxeXQZKTh8Ea2mhpI4C Np5ZTkU1b4bKvG0vOsZu0ypvAWHrJyjEUwc4rHAJgh4MTTDH9U70n3Lw7v8Z3nzj 6VHMS4efunNiZjVRByiBm2Y0/c2uehYvMxQuKMMRfeL7IAkoTnjUYm6VK7HFqjaJ F6ZCqLtoHAkcXT7Sd6J0BekCgYEAy1Lshprils2MXljtxM6hHj87p6wCmK7iNzKi SelSF0psHe+Sux+D5gNeRmc6vopyat2HxqoKp/EenNdlcm4gvSgN29cM0lKjYjfX nAAoi9ibhOQs18fOuu8WjSrgCM2NlCbE9uRtTfmfbwOA9HawxVxJgehbMdB8RjUC OgioeeECgYBpGDz7CkblZQl8YXcOqFh9Y40ePG467gIaEesbiOIUVsN/J9Vkdy/U qMS+DogAW9kGj5MA/L1EQxpsZDRZSH15AM1FXeX5cjItOWkg5LzfTwqA29xaIC97 4ddiJOH50Tqy7YRs40IxF+995AgMq4PvP1K+SlV4hQ6W17JsT2UsBg== -----END RSA PRIVATE KEY----- """ key = serialization.load_pem_private_key(rsapem, password=None, backend=default_backend()) asymkey = AsymmetricKey.put(self.session, 0, "OAEP RSA Decrypt", 0xFFFF, CAPABILITY.ALL, key) plain = key.decrypt( ciphertext, padding.OAEP(mgf=padding.MGF1(algorithm=h), algorithm=h, label=None), ) self.assertEqual(plain, data) dec = asymkey.decrypt_oaep(ciphertext, hash=h, mgf_hash=h) self.assertEqual(dec, data) asymkey.delete()
def test_vectors(self): for v in self.vectors: key = load_ed25519_private_key(v['key']) k = AsymmetricKey.put(self.session, 0, 'Test Ed25519', 0xffff, CAPABILITY.SIGN_EDDSA, key) self.assertEqual(serialize_ed25519_public_key(k.get_public_key()), v['pubkey']) self.assertEqual(k.sign_eddsa(v['msg']), v['sig']) k.delete()
def test_generate_sign_long(self): key = AsymmetricKey.generate(self.session, 0, 'Test Ed25519', 0xffff, CAPABILITY.SIGN_EDDSA, ALGORITHM.EC_ED25519) pubkey = key.get_public_key() data = os.urandom(2019) sig = key.sign_eddsa(data) v_key = ed25519.VerifyingKey(serialize_ed25519_public_key(pubkey)) v_key.verify(sig, data) key.delete()
def test_asymmetric_key(hsm, session): obj = AsymmetricKey.put( session, 0, "Test delete asym", 0xFFFF, CAPABILITY.SIGN_ECDSA, ec.generate_private_key(ec.SECP384R1(), backend=default_backend()), ) _test_delete(hsm, session, obj, CAPABILITY.DELETE_ASYMMETRIC_KEY)
def test_export_wrap(self): w_id = random.randint(1, 0xfffe) wrapkey = WrapKey.put( self.session, w_id, 'Test Export Wrap 0x%04x' % w_id, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP, os.urandom(24)) eckey = ec.generate_private_key(ec.SECP384R1(), backend=default_backend()) a_id = random.randint(1, 0xfffe) asymkey = AsymmetricKey.put( self.session, a_id, 'Test Export Wrap 0x%04x' % a_id, 0xffff, CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP, eckey) data = os.urandom(64) resp = asymkey.sign_ecdsa(data, hash=hashes.SHA384()) eckey.public_key().verify(resp, data, ec.ECDSA(hashes.SHA384())) wrapped = wrapkey.export_wrapped(asymkey) # NOTE: the code below works to decrypt a wrapped object, but relies on # understanding the internal object representation which we don't feel # like doing here. # nonce = wrapped[:13] # data = wrapped[13:-8] # nonce = '\x01' + nonce + '\x00\x01' # decryptor = Cipher(algorithms.AES(wrapkey.key), # mode=modes.CTR(nonce), # backend=default_backend()).decryptor() # dec = decryptor.update(data) # numbers = eckey.private_numbers() # serialized = int_from_bytes(numbers.private_value, 'big') # self.assertEqual(serialized, dec[-len(serialized):]) asymkey.delete() asymkey = wrapkey.import_wrapped(wrapped) data = os.urandom(64) resp = asymkey.sign_ecdsa(data, hash=hashes.SHA384()) eckey.public_key().verify(resp, data, ec.ECDSA(hashes.SHA384())) asymkey.delete() asymkey = wrapkey.import_wrapped(wrapped) self.assertIsInstance(asymkey, AsymmetricKey)
def test_rsa_oaep_vectors(session, vector): asymkey = AsymmetricKey.put( session, 0, "OAEP Vectors", 0xFFFF, CAPABILITY.DECRYPT_OAEP, OAEP_VECTOR_KEY ) dec = asymkey.decrypt_oaep( vector["enc"], hash=hashes.SHA1(), mgf_hash=hashes.SHA1() ) assert vector["msg"] == dec asymkey.delete()
def generate_rsa_sign(self, algo): asymkey = AsymmetricKey.generate(self.session, 0, "Generate RSA Sign", 0xFFFF, CAPABILITY.SIGN_PKCS, algo) pub = asymkey.get_public_key() data = os.urandom(64) resp = asymkey.sign_pkcs1v1_5(data) pub.verify(resp, data, padding.PKCS1v15(), hashes.SHA256()) asymkey.delete()
def test_generate_wrap(session): w_id = random.randint(1, 0xFFFE) a_id = random.randint(1, 0xFFFE) wrapkey = WrapKey.generate( session, w_id, "Generate Wrap 0x%04x" % w_id, 1, CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED, ALGORITHM.AES192_CCM_WRAP, CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP, ) asymkey = AsymmetricKey.generate( session, a_id, "Generate Wrap 0x%04x" % a_id, 0xFFFF, CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP, ALGORITHM.EC_P256, ) origin = asymkey.get_info().origin assert origin == ORIGIN.GENERATED pub = asymkey.get_public_key() data = os.urandom(64) resp = asymkey.sign_ecdsa(data) pub.verify(resp, data, ec.ECDSA(hashes.SHA256())) wrapped = wrapkey.export_wrapped(asymkey) wrapped2 = wrapkey.export_wrapped(asymkey) assert wrapped != wrapped2 asymkey.delete() pytest.raises(YubiHsmDeviceError, asymkey.get_public_key) asymkey = wrapkey.import_wrapped(wrapped) origin = asymkey.get_info().origin assert origin == ORIGIN.IMPORTED_WRAPPED | ORIGIN.GENERATED data = os.urandom(64) resp = asymkey.sign_ecdsa(data) assert resp is not None pub.verify(resp, data, ec.ECDSA(hashes.SHA256())) wrapkey.delete()
def bp_r1_ecdsa_sign(self, curve, hashtype): key = ec.generate_private_key(curve, backend=default_backend()) asymkey = AsymmetricKey.put(self.session, 0, "BP R1 ECDSA Sign", 0xFFFF, CAPABILITY.SIGN_ECDSA, key) data = os.urandom(64) resp = asymkey.sign_ecdsa(data, hash=hashtype) key.public_key().verify(resp, data, ec.ECDSA(hashtype)) asymkey.delete()
def generated_key(request, session): algorithm = request.param key = AsymmetricKey.generate( session, 0, "Test Attestation %x" % algorithm, 0xFFFF, CAPABILITY.NONE, algorithm, ) yield key key.delete()
def secp_ecdsa_sign(self, curve, hashtype, length=0): key = ec.generate_private_key(curve, backend=default_backend()) asymkey = AsymmetricKey.put(self.session, 0, 'SECP ECDSA Sign Sign', 0xffff, CAPABILITY.SIGN_ECDSA, key) data = os.urandom(64) resp = asymkey.sign_ecdsa(data, hash=hashtype, length=length) key.public_key().verify(resp, data, ec.ECDSA(hashtype)) asymkey.delete()
def test_import_sign(self): s_key, v_key = ed25519.create_keypair() key = AsymmetricKey.put(self.session, 0, 'Test Ed25519', 0xffff, CAPABILITY.SIGN_EDDSA, load_ed25519_private_key(s_key.to_seed())) data = os.urandom(129) sig = key.sign_eddsa(data) v_key.verify(sig, data) self.assertEqual(sig, s_key.sign(data)) pub = key.get_public_key() self.assertEqual(v_key.to_bytes(), serialize_ed25519_public_key(pub)) key.delete()
def generate_secp_sign(self, curve, hashtype, length=0): asymkey = AsymmetricKey.generate(self.session, 0, 'Generate SECP Sign', 0xffff, CAPABILITY.SIGN_ECDSA, curve) pub = asymkey.get_public_key() data = os.urandom(64) resp = asymkey.sign_ecdsa(data, hash=hashtype, length=length) pub.verify(resp, data, ec.ECDSA(hashtype)) asymkey.delete()
def key_in_list(self, keytype, algorithm=None): dom = None cap = 0 key_label = "%s%s" % (str( uuid.uuid4()), b"\xf0\x9f\x98\x83".decode("utf8")) if keytype == OBJECT.ASYMMETRIC_KEY: dom = 0xFFFF key = AsymmetricKey.generate(self.session, 0, key_label, dom, cap, algorithm) elif keytype == OBJECT.WRAP_KEY: dom = 0x01 key = WrapKey.generate(self.session, 0, key_label, dom, cap, algorithm, cap) elif keytype == OBJECT.HMAC_KEY: dom = 0x01 key = HmacKey.generate(self.session, 0, key_label, dom, cap, algorithm) elif keytype == OBJECT.AUTHENTICATION_KEY: dom = 0x01 key = AuthenticationKey.put_derived( self.session, 0, key_label, dom, cap, 0, b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa" b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", ) objlist = self.session.list_objects(object_id=key.id, object_type=key.object_type) self.assertEqual(objlist[0].id, key.id) self.assertEqual(objlist[0].object_type, key.object_type) objinfo = objlist[0].get_info() self.assertEqual(objinfo.id, key.id) self.assertEqual(objinfo.object_type, key.object_type) self.assertEqual(objinfo.domains, dom) self.assertEqual(objinfo.capabilities, cap) if algorithm: self.assertEqual(objinfo.algorithm, algorithm) if key.object_type == OBJECT.AUTHENTICATION_KEY: self.assertEqual(objinfo.origin, ORIGIN.IMPORTED) else: self.assertEqual(objinfo.origin, ORIGIN.GENERATED) self.assertEqual(objinfo.label, key_label) key.delete()
def secp_derive_ecdh(self, curve): devkey = ec.generate_private_key(curve, backend=default_backend()) asymkey = AsymmetricKey.put(self.session, 0, 'SECP ECDSA Decrypt', 0xffff, CAPABILITY.DERIVE_ECDH, devkey) ekey = ec.generate_private_key(curve, backend=default_backend()) secret = ekey.exchange(ec.ECDH(), devkey.public_key()) resp = asymkey.derive_ecdh(ekey.public_key()) self.assertEqual(secret, resp) asymkey.delete()
def generate_bp_r1_sign(self, curve, hashtype): asymkey = AsymmetricKey.generate(self.session, 0, "Generate BP R1 Sign", 0xFFFF, CAPABILITY.SIGN_ECDSA, curve) pub = asymkey.get_public_key() data = os.urandom(64) resp = asymkey.sign_ecdsa(data, hashtype) pub.verify(resp, data, ec.ECDSA(hashtype)) asymkey.delete()
def test_generate_sign_long(self): key = AsymmetricKey.generate( self.session, 0, "Test Ed25519", 0xFFFF, CAPABILITY.SIGN_EDDSA, ALGORITHM.EC_ED25519, ) pubkey = key.get_public_key() data = os.urandom(2019) sig = key.sign_eddsa(data) pubkey.verify(sig, data) key.delete()
def key_in_list(self, session, keytype, algorithm=None): dom = None cap = CAPABILITY.NONE key_label = "%s%s" % (str(uuid.uuid4()), b"\xf0\x9f\x98\x83".decode()) key: YhsmObject if keytype == OBJECT.ASYMMETRIC_KEY: dom = 0xFFFF key = AsymmetricKey.generate(session, 0, key_label, dom, cap, algorithm) elif keytype == OBJECT.WRAP_KEY: dom = 0x01 key = WrapKey.generate(session, 0, key_label, dom, cap, algorithm, cap) elif keytype == OBJECT.HMAC_KEY: dom = 0x01 key = HmacKey.generate(session, 0, key_label, dom, cap, algorithm) elif keytype == OBJECT.AUTHENTICATION_KEY: dom = 0x01 key = AuthenticationKey.put_derived( session, 0, key_label, dom, cap, cap, "password", ) objlist = session.list_objects(object_id=key.id, object_type=key.object_type) assert objlist[0].id == key.id assert objlist[0].object_type == key.object_type objinfo = objlist[0].get_info() assert objinfo.id == key.id assert objinfo.object_type == key.object_type assert objinfo.domains == dom assert objinfo.capabilities == cap if algorithm: assert objinfo.algorithm == algorithm if key.object_type == OBJECT.AUTHENTICATION_KEY: assert objinfo.origin == ORIGIN.IMPORTED else: assert objinfo.origin == ORIGIN.GENERATED assert objinfo.label == key_label key.delete()
def rsa_pkcs1v1_5_sign(self, keysize, hashtype): key = rsa.generate_private_key(public_exponent=0x10001, key_size=keysize, backend=default_backend()) asymkey = AsymmetricKey.put(self.session, 0, "RSA PKCS#1v1.5 Sign", 0xFFFF, CAPABILITY.SIGN_PKCS, key) data = os.urandom(64) resp = asymkey.sign_pkcs1v1_5(data, hash=hashtype) key.public_key().verify(resp, data, padding.PKCS1v15(), hashtype) asymkey.delete()