def test_generate_1024_bit_RSA_key_in_pem(self):
generate_dto = plugin.GenerateDTO('rsa', 1024, None, 'changeme')
kek_meta_dto = self._get_mocked_kek_meta_dto()
private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric(
generate_dto, kek_meta_dto, mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
private_dto.kek_meta_extended,
mock.MagicMock())
private_dto = RSA.importKey(private_dto, 'changeme')
self.assertTrue(private_dto.has_private())
def test_generate_asymmetric_1024_bit_key(self):
generate_dto = plugin.GenerateDTO('rsa', 1024, None, None)
kek_meta_dto = self._get_mocked_kek_meta_dto()
private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric(
generate_dto, kek_meta_dto, mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
private_dto.kek_meta_extended,
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(public_dto.cypher_text)
public_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
public_dto.kek_meta_extended,
mock.MagicMock())
public_dto = RSA.importKey(public_dto)
private_dto = RSA.importKey(private_dto)
self.assertEqual(1023, public_dto.size())
self.assertEqual(1023, private_dto.size())
self.assertTrue(private_dto.has_private)
def test_generate_128_bit_hmac_key(self):
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "hmacsha256"
kek_meta_dto = self._get_mocked_kek_meta_dto()
generate_dto = plugin.GenerateDTO(secret.algorithm, secret.bit_length,
None, None)
response_dto = self.plugin.generate_symmetric(generate_dto,
kek_meta_dto,
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text)
key = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
response_dto.kek_meta_extended,
mock.MagicMock())
self.assertEqual(16, len(key))
def test_decrypt(self):
def c_decrypt(session, ct, ctlen, pt, ptlen):
pt[ptlen[0] - 1] = 1
return p11_crypto.CKR_OK
self.lib.C_Decrypt.side_effect = c_decrypt
self.lib.C_DecryptInit.return_value = p11_crypto.CKR_OK
ct = b"somedatasomedatasomedatasomedata"
kek_meta_extended = '{"iv": "AQIDBAUGBwgJCgsMDQ4PEA=="}'
decrypt_dto = plugin_import.DecryptDTO(ct)
with mock.patch.object(self.plugin, '_unwrap_key') as unwrap_key_mock:
unwrap_key_mock.return_value = 'unwrapped_key'
self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
kek_meta_extended, mock.MagicMock())
self.assertEqual(self.lib.C_Decrypt.call_count, 1)
def test_generate_1024_DSA_key_in_pem_and_reconstruct_key_der(self):
generate_dto = plugin.GenerateDTO('dsa', 1024, None, None)
kek_meta_dto = self._get_mocked_kek_meta_dto()
private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric(
generate_dto, kek_meta_dto, mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto,
private_dto.kek_meta_extended,
mock.MagicMock())
prv_seq = asn1.DerSequence()
prv_seq.decode(private_dto)
p, q, g, y, x = prv_seq[1:]
private_dto = DSA.construct((y, g, p, q, x))
self.assertTrue(private_dto.has_private())
def test_decrypt(self):
def c_decrypt(session, ct, ctlen, pt, ptlen):
pt[ptlen[0] - 1] = 1
return pkcs11.CKR_OK
self.lib.C_Decrypt.side_effect = c_decrypt
self.lib.C_DecryptInit.return_value = pkcs11.CKR_OK
ct = b"somedatasomedatasomedatasomedata"
kek_meta_extended = '{"iv": "AQIDBAUGBwgJCgsMDQ4PEA=="}'
decrypt_dto = plugin_import.DecryptDTO(ct)
kek_meta = mock.MagicMock()
kek_meta.plugin_meta = ('{"iv":123,'
'"hmac": "hmac",'
'"wrapped_key": "wrapped_key",'
'"mkek_label": "mkek_label",'
'"hmac_label": "hmac_label"}')
with mock.patch.object(self.plugin.pkcs11, 'unwrap_key') as key_mock:
key_mock.return_value = 'unwrapped_key'
self.plugin.decrypt(decrypt_dto, kek_meta, kek_meta_extended,
mock.MagicMock())
self.assertEqual(self.lib.C_Decrypt.call_count, 1)
def test_decrypt(self):
ct = b'ctct'
kek_meta_extended = '{"iv":"AAAA"}'
decrypt_dto = plugin_import.DecryptDTO(ct)
kek_meta = mock.MagicMock()
kek_meta.kek_label = 'pkek'
kek_meta.plugin_meta = ('{"iv": "iv==",'
'"hmac": "hmac",'
'"wrapped_key": "wrappedkey==",'
'"mkek_label": "mkek_label",'
'"hmac_label": "hmac_label"}')
pt = self.plugin.decrypt(decrypt_dto, kek_meta, kek_meta_extended,
mock.MagicMock())
self.assertEqual(b'0', pt)
self.assertEqual(2, self.pkcs11.get_key_handle.call_count)
self.assertEqual(2, self.pkcs11.get_session.call_count)
self.assertEqual(1, self.pkcs11.verify_hmac.call_count)
self.assertEqual(1, self.pkcs11.unwrap_key.call_count)
self.assertEqual(1, self.pkcs11.decrypt.call_count)
self.assertEqual(1, self.pkcs11.return_session.call_count)
def get_secret(self, secret_type, metadata, context):
"""Retrieve a secret.
:param secret_type: secret type
:param metadata: secret metadata
:param context: StoreCryptoContext for secret
:returns: SecretDTO that contains secret
"""
if (not context.secret_model or
not context.secret_model.encrypted_data):
raise sstore.SecretNotFoundException()
# TODO(john-wood-w) Need to revisit 1 to many datum relationship.
datum_model = context.secret_model.encrypted_data[0]
# Find HSM-style 'crypto' plugin.
decrypting_plugin = manager.get_manager().get_plugin_retrieve(
datum_model.kek_meta_project.plugin_name)
# wrap the KEKDatum instance in our DTO
kek_meta_dto = crypto.KEKMetaDTO(datum_model.kek_meta_project)
# Convert from text-based storage format to binary.
encrypted = base64.b64decode(datum_model.cypher_text)
decrypt_dto = crypto.DecryptDTO(encrypted)
# Decrypt the secret.
secret = decrypting_plugin.decrypt(decrypt_dto,
kek_meta_dto,
datum_model.kek_meta_extended,
context.project_model.external_id)
secret = base64.b64encode(secret)
key_spec = sstore.KeySpec(alg=context.secret_model.algorithm,
bit_length=context.secret_model.bit_length,
mode=context.secret_model.mode)
return sstore.SecretDTO(secret_type,
secret, key_spec,
datum_model.content_type)
def test_decrypt_bad_session(self):
self.pkcs11.get_session.return_value = mock.DEFAULT
self.pkcs11.get_session.side_effect = ex.P11CryptoPluginException(
'Testing error handling')
ct = b'ctct'
kek_meta_extended = '{"iv":"AAAA"}'
decrypt_dto = plugin_import.DecryptDTO(ct)
kek_meta = mock.MagicMock()
kek_meta.kek_label = 'pkek'
kek_meta.plugin_meta = ('{"iv": "iv==",'
'"hmac": "hmac",'
'"wrapped_key": "wrappedkey==",'
'"mkek_label": "mkek_label",'
'"hmac_label": "hmac_label"}')
self.assertRaises(ex.P11CryptoPluginException, self.plugin._decrypt,
decrypt_dto, kek_meta, kek_meta_extended,
mock.MagicMock())
self.assertEqual(2, self.pkcs11.get_key_handle.call_count)
self.assertEqual(2, self.pkcs11.get_session.call_count)
self.assertEqual(1, self.pkcs11.verify_hmac.call_count)
self.assertEqual(1, self.pkcs11.unwrap_key.call_count)
self.assertEqual(0, self.pkcs11.decrypt.call_count)
self.assertEqual(0, self.pkcs11.return_session.call_count)
