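def test_01_default_security_module(self):
    """Construct the default security module and check it becomes ready.

    The key file path comes from the application's ``PI_ENCFILE`` setting.
    ``setup_module`` is then called with the same config once more (the
    original test did this too) before the readiness checks.
    """
    config = current_app.config
    hsm_config = {"file": config.get("PI_ENCFILE")}
    hsm = DefaultSecurityModule(hsm_config)
    hsm.setup_module(hsm_config)
    # assertIsNotNone reports the offending value itself on failure, which
    # assertTrue(x is not None, x) only does via the extra message argument.
    self.assertIsNotNone(hsm)
    self.assertIsNotNone(hsm.secFile, hsm)
    self.assertTrue(hsm.is_ready)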
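def test_04_random(self):
    """Random bytes are available even while the module is not ready.

    The module is created over a key file flagged ``crypted`` without a
    password, so ``is_ready`` is False, yet ``random`` still returns the
    requested number of bytes.
    """
    config = current_app.config
    hsm = DefaultSecurityModule({"file": config.get("PI_ENCFILE"),
                                 "crypted": True})
    rnd = hsm.random(20)
    # assertEqual shows both sides on failure, unlike assertTrue(len(r) == 20).
    self.assertEqual(len(rnd), 20, rnd)
    # NOTE(review): only the length is checked; that the bytes come from a
    # cryptographically strong source is not asserted by this test.
    self.assertFalse(hsm.is_ready)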
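def test_07_encrypted_key_file(self):
    """Exercise setup of a module whose key file is password-encrypted.

    Checks that the module is unusable until a password is supplied, that
    the missing-password and wrong-password paths raise, and that key slots
    0, 1 and 2 are available once setup has succeeded.
    """
    config = current_app.config
    hsm = DefaultSecurityModule({"file": config.get("PI_ENCFILE_ENC"),
                                 "crypted": True})
    # The HSM is not ready, since the file is crypted and we did not
    # provide the password, yet
    self.assertFalse(hsm.is_ready)
    # Now, provide the password, that will decrypt the encrypted file
    # But the password is missing
    # NOTE(review): Exception is a broad expectation; the module's specific
    # error type is not visible from this test.
    self.assertRaises(Exception, hsm.setup_module, {})
    # As long as the HSM is not ready, we can not encrypt and not decrypt
    self.assertRaises(Exception, hsm.encrypt, "data", "iv")
    self.assertRaises(Exception, hsm.decrypt, "data", "iv")
    # If we provide a wrong password, that decryption will fail with a
    # unicode error and an exception is raised.
    # NOTE(review): in this copy the "wrong" password and the correct one
    # below are the same literal ("******"), which looks like a masked value;
    # both assertions cannot hold with one value -- confirm against the
    # original source.
    self.assertRaises(Exception, hsm.setup_module, {"password": "******"})
    # Now we provide the password
    hsm.setup_module({"password": "******"})
    self.assertTrue(hsm.is_ready)
    # assertIn names the missing slot and the container on failure.
    for slot in (0, 1, 2):
        self.assertIn(slot, hsm.secrets)
    # test _get_secret
    # this raises an exception, that the file does not contain a 4th key
    self.assertRaises(Exception, hsm._get_secret, 4)
    # calling the same slot two times, returns the cache the second time
    self.assertTrue(hsm._get_secret(2))
    self.assertTrue(hsm._get_secret(2))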
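def test_06_password_encrypt_decrypt(self):
    """Round-trip text and binary data through password_encrypt/decrypt.

    The ciphertext is only compared in length against a sample output of
    the form ``<hex>:<hex>`` (the original test's choice); the decrypted
    value is then checked exactly. Binary data of the enckey's size is
    round-tripped with two different passwords.
    """
    sample = ("80f1833450a74224c32d03fe4161735c"
              ":c1944e8c0982d5c35992a9b25abad18a2"
              "8cac15585ed2fbab05bd2b1ea2cc44b")
    res = DefaultSecurityModule.password_encrypt("secrettext", "password1")
    # assertEqual shows both lengths on failure.
    self.assertEqual(len(res), len(sample), res)
    res = DefaultSecurityModule.password_decrypt(res, "password1")
    self.assertEqual(res, b"secrettext")
    # encrypt and decrypt binary data like the enckey, once with a password
    # containing spaces and punctuation and once with a plainer one
    for password in ("top secret !!!", "topSecret123!"):
        enckey = geturandom(96)
        cipher = DefaultSecurityModule.password_encrypt(enckey, password)
        clear = DefaultSecurityModule.password_decrypt(cipher, password)
        self.assertEqual(enckey, clear, password)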
def test_05_encrypt_decrypt(self):
    """Round-trip raw data, a PIN and a password through the default module.

    The module is built over the key file named by ``PI_ENCFILE``; each
    encrypt call is immediately undone by its matching decrypt call and the
    result must equal the input.
    """
    settings = current_app.config
    hsm = DefaultSecurityModule({"file": settings.get("PI_ENCFILE")})
    iv = b"iv12345678901234"
    # raw encrypt/decrypt takes an explicit IV
    self.assertEqual(hsm.decrypt(hsm.encrypt(b"data", iv), iv), b"data")
    # the pin and password helpers manage the IV themselves
    self.assertEqual(hsm.decrypt_pin(hsm.encrypt_pin(u"pin")), u"pin")
    self.assertEqual(
        hsm.decrypt_password(hsm.encrypt_password(u"password")),
        u"password")
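def test_05_encrypt_decrypt(self):
    """Round-trip raw data, a PIN and a password through the default module.

    The module is built over the key file named by ``PI_ENCFILE``; each
    encrypt call is undone by its matching decrypt call and the result must
    equal the input.
    """
    config = current_app.config
    hsm = DefaultSecurityModule({"file": config.get("PI_ENCFILE")})
    iv = "iv12345678901234"
    # assertEqual reports both values on failure, unlike assertTrue(a == b).
    cipher = hsm.encrypt("data", iv)
    self.assertEqual(hsm.decrypt(cipher, iv), "data")
    cipher = hsm.encrypt_pin("data")
    self.assertEqual(hsm.decrypt_pin(cipher), "data")
    cipher = hsm.encrypt_password("data")
    self.assertEqual(hsm.decrypt_password(cipher), "data")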
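def create_enckey():
    """
    If the key of the given configuration does not exist, it will be created.

    The key file path is read from the ``PI_ENCFILE`` setting. The file is
    created with exclusive creation (``O_EXCL``) and owner-only permissions
    (0600), so a key file that appears between the existence check and the
    write is not clobbered and the fresh key is never world-readable.
    Exits with status 1 when the file already exists.
    """
    print("")
    filename = app.config.get("PI_ENCFILE")
    if os.path.isfile(filename):
        print("The file \n\t%s\nalready exist. We do not overwrite it!" % filename)
        sys.exit(1)
    # O_EXCL turns the check-then-create race into a hard failure instead of
    # an overwrite; mode 0o600 limits the key to its owner from the start.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(filename, flags, 0o600)
    # Binary mode: the key is raw bytes (see encrypt_enckey), so no newline
    # translation may touch it, and the with-block closes the file on error.
    with os.fdopen(fd, "wb") as keyfile:
        keyfile.write(DefaultSecurityModule.random(96))
    print("Encryption key written to %s" % filename)
    print("Please ensure to set the access rights for the correct user to 400!")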
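def encrypt_enckey(encfile):
    """
    You will be asked for a password and the encryption key in the
    specified file will be encrypted with an AES key derived from your
    password.

    The encryption key in the file is a 96 bit binary key.
    NOTE(review): the key is written with ``random(96)`` elsewhere in this
    file; whether that is 96 bits or 96 bytes is not visible here -- confirm.

    The password based encrypted encryption key is a hex combination of an
    IV and the encrypted data.

    The result can be piped to a new enckey file.

    :param encfile: path of the plain (unencrypted) key file to read
    """
    password = getpass()
    password2 = getpass(prompt='Confirm: ')
    if password != password2:
        import sys
        sys.exit('Error: passwords do not match.')
    # The key is binary: read it in binary mode so neither newline
    # translation nor text decoding alters it, and close the file even if
    # the read fails.
    with open(encfile, "rb") as keyfile:
        enckey = keyfile.read()
    res = DefaultSecurityModule.password_encrypt(enckey, password)
    print(res)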
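def test_06_password_encrypt_decrypt(self):
    """Round-trip text and binary data through password_encrypt/decrypt.

    The ciphertext is only compared in length against a sample output of
    the form ``<hex>:<hex>`` (the original test's choice); the decrypted
    value is then checked exactly. Binary data of the enckey's size is
    round-tripped with two different passwords.
    """
    sample = ("80f1833450a74224c32d03fe4161735c"
              ":c1944e8c0982d5c35992a9b25abad18a2"
              "8cac15585ed2fbab05bd2b1ea2cc44b")
    res = DefaultSecurityModule.password_encrypt("secrettext", "password1")
    # assertEqual shows both lengths on failure.
    self.assertEqual(len(res), len(sample), res)
    res = DefaultSecurityModule.password_decrypt(res, "password1")
    self.assertEqual(res, "secrettext")
    # encrypt and decrypt binary data like the enckey, once with a password
    # containing spaces and punctuation and once with a plainer one
    for password in ("top secret !!!", "topSecret123!"):
        enckey = geturandom(96)
        cipher = DefaultSecurityModule.password_encrypt(enckey, password)
        clear = DefaultSecurityModule.password_decrypt(cipher, password)
        self.assertEqual(enckey, clear, password)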