def test_too_long_length_derives(self, key_type, d_type, valid_mechanisms): """ Verify that trying to derive a key that is too long for the given derivation function will return CKR_KEY_SIZE_RANGE :param key_type: :param d_type: """ if key_type not in valid_mechanisms: pytest.skip("Not a valid mechanism on this product") key_template = get_session_template(get_default_key_template(key_type)) h_base_key = c_generate_key_ex(self.h_session, key_type, key_template) mech = NullMech(d_type).to_c_mech() derived_key_template = key_template.copy() del derived_key_template[CKA_VALUE_LEN] ret, h_derived_key = c_derive_key(self.h_session, h_base_key, key_template, mechanism=mech) try: self.verify_ret(ret, CKR_KEY_SIZE_RANGE) finally: if h_base_key: c_destroy_object(self.h_session, h_base_key) if h_derived_key: c_destroy_object(self.h_session, h_derived_key)
def test_long_length_derive_key(self, key_type, d_type, valid_mechanisms): """ Test deriving a key :param key_type: key generation mechanism :param d_type: derive mechanism """ key_template = get_session_template(get_default_key_template(key_type)) if key_type not in valid_mechanisms: pytest.skip("Not a valid mechanism on this product") h_base_key = c_generate_key_ex(self.h_session, key_type, key_template) mech = NullMech(d_type).to_c_mech() derived_key_template = key_template.copy() del derived_key_template[CKA_VALUE_LEN] ret, h_derived_key = c_derive_key(self.h_session, h_base_key, key_template, mechanism=mech) try: self.verify_ret(ret, CKR_OK) verify_object_attributes(self.h_session, h_derived_key, key_template) finally: if h_base_key: c_destroy_object(self.h_session, h_base_key) if h_derived_key: c_destroy_object(self.h_session, h_derived_key)
def keys(auth_session): """ Fixture containing keys""" keys = {} try: for key_gen in set(param[1] for param in PARAM_LIST): template = get_default_key_template(key_gen) ret, key_handle = c_generate_key(auth_session, key_gen, template) ret2, wrap_handle = c_generate_key(auth_session, key_gen, template) if ret == CKR_OK and ret2 == CKR_OK: keys[key_gen] = key_handle, wrap_handle elif ret2 != CKR_OK: keys[key_gen] = key_handle, None logger.info( "Failed to generate key: {}\nReturn code: {}".format( key_gen, ret2)) elif ret != CKR_OK: keys[key_gen] = None, wrap_handle logger.info( "Failed to generate key: {}\nReturn code: {}".format( key_gen, ret)) else: logger.info( "Failed to generate key: {}\nReturn code: {}".format( key_gen, ret)) yield keys finally: for key, wrap in keys.values(): if key is not None: c_destroy_object(auth_session, key) if wrap is not None: c_destroy_object(auth_session, wrap)
def test_derive_dukpt_ipek(self, valid_mechanisms): """ Test derive key for the new dukpt ipek mechanism """ if CKM_DES2_DUKPT_IPEK not in valid_mechanisms: pytest.skip( 'This test is only valid for FWs that support CKM_DES2_DUKPT_IPEK' ) key_template = get_session_template( get_default_key_template(CKM_DES2_KEY_GEN)) ret, h_base_key = c_generate_key(self.h_session, CKM_DES2_KEY_GEN, key_template) mech = StringDataDerivationMechanism(mech_type=CKM_DES2_DUKPT_IPEK, params={ 'data': 0xffff9876543210e00000 }).to_c_mech() derived_key_template = key_template.copy() del derived_key_template[CKA_VALUE_LEN] derived_key_template[CKA_LABEL] = b"DUKPT IPEK" ret, h_derived_key = c_derive_key(self.h_session, h_base_key, derived_key_template, mechanism=mech) try: self.verify_ret(ret, CKR_OK) verify_object_attributes(self.h_session, h_derived_key, derived_key_template) finally: if h_base_key: c_destroy_object(self.h_session, h_base_key) if h_derived_key: c_destroy_object(self.h_session, h_derived_key)
def test_derive_key(self, key_type, d_type): """ Test derive key for using parametrized hash :param key_type: Key-gen mechanism :param d_type: Hash mech """ key_template = get_default_key_template(key_type) h_base_key = c_generate_key_ex(self.h_session, key_type, key_template) mech = NullMech(d_type).to_c_mech() derived_key_template = key_template.copy() del derived_key_template[CKA_VALUE_LEN] ret, h_derived_key = c_derive_key(self.h_session, h_base_key, key_template, mechanism=mech) try: self.verify_ret(ret, CKR_OK) verify_object_attributes(self.h_session, h_derived_key, key_template) finally: if h_base_key: c_destroy_object(self.h_session, h_base_key) if h_derived_key: c_destroy_object(self.h_session, h_derived_key)
def test_wrap_unwrap_key(self, mech, k_type, keys): """ Test key wrapping :param mech: encryption mech :param k_type: key gen mech :param keys: keys fixture """ temp = get_default_key_template(k_type) unwrap_temp = self.generate_unwrap_temp(k_type) extra_p = EXTRA_PARAM[mech] h_key, h_wrap_key = keys[k_type] if h_key is None or h_wrap_key is None: pytest.fail("No valid key found for {}".format(LOOKUP[mech][0])) # Wrap the key wrap_mech = {"mech_type": mech, "params": extra_p} ret, wrapped_key = c_wrap_key(self.h_session, h_wrap_key, h_key, mechanism=wrap_mech) self.verify_ret(ret, CKR_OK) # Unwrap the Key ret, h_unwrapped_key = c_unwrap_key(self.h_session, h_wrap_key, wrapped_key, unwrap_temp, mechanism=wrap_mech) self.verify_ret(ret, CKR_OK) # Verify all of the attributes against the originally generated attributes verify_object_attributes(self.h_session, h_unwrapped_key, temp)
def sym_key_params(request, auth_session, usage_set): """ Generate a key, setting the usage limit by the method described in ``usage_set`` Return that key handle. """ usage_type, limit = usage_set key_gen, mechanism = request.param key_template = get_session_template(get_default_key_template(key_gen)) usage_template = {CKA_USAGE_LIMIT: limit} if usage_type in ("create", "both", "create_then_use"): key_template.update(usage_template) h_key = c_generate_key_ex(auth_session, mechanism=key_gen, template=key_template) try: if usage_type in ("create_then_use", ): c_encrypt_ex(auth_session, h_key, b'a' * 2048, mechanism={"mech_type": mechanism}) if usage_type in ("setattr", "both", "create_then_use"): c_set_attribute_value_ex(auth_session, h_key, usage_template) yield SymParams(h_key, mechanism) finally: c_destroy_object(auth_session, h_key)
def test_generate_key(self, key_type): """ Test generation of keys for sym. crypto systems :param key_type: key generation mechanism """ key_template = get_default_key_template(key_type) ret, key_handle = c_generate_key(self.h_session, key_type, key_template) self.verify_ret(ret, CKR_OK) self.verify_key_len(key_handle, key_handle)
def test_derive_key_and_wrap(self, params): """ Tests CA_DeriveKeyAndWrap function :param params:valid AES_KWP wrap mechanism """ key_template = get_default_key_template(CKM_AES_KEY_GEN) h_base_key = c_generate_key_ex(self.h_session, CKM_AES_KEY_GEN, key_template) derived_key_template = key_template.copy() h_wrapping_key = c_generate_key_ex(self.h_session, CKM_AES_KEY_GEN, key_template) wrap_mech = {"mech_type": CKM_AES_KWP, "params": params} wrapped_key = ca_derive_key_and_wrap_ex(self.h_session, CKM_SHA256_KEY_DERIVATION, h_base_key, derived_key_template, h_wrapping_key, wrap_mech) assert wrapped_key, "CA_DeriveKeyAndWrap returned an empty buffer"
def generate_unwrap_temp(self, key_gen): """ Create an unwrap template which is slightly different then the original template :param key_gen: :return: the new unwrap template """ unwrap_temp = get_default_key_template(key_gen) unwrap_temp.pop(CKA_DECRYPT, None) unwrap_temp.pop(CKA_VERIFY, None) unwrap_temp.pop(CKA_UNWRAP, None) unwrap_temp.pop(CKA_EXTRACTABLE, None) if key_gen not in VALUE_LEN: unwrap_temp.pop(CKA_VALUE_LEN, None) return unwrap_temp
def test_generate_key(self, key_type, valid_mechanisms): """ Test generation of keys for sym. crypto systems :param key_type: key generation mechanism """ key_template = get_session_template(get_default_key_template(key_type)) ret, key_handle = c_generate_key(self.h_session, key_type, key_template) try: if key_type not in valid_mechanisms: self.verify_ret(ret, CKR_MECHANISM_INVALID) else: self.verify_ret(ret, CKR_OK) self.verify_key_len(key_handle, key_handle) finally: c_destroy_object(self.h_session, key_handle)
def sym_keys(auth_session): """ Fixture containing all sym. keys """ keys = {} try: for key_type in SYM_KEYS: template = get_session_template(get_default_key_template(key_type)) ret, key_handle = c_generate_key(auth_session, key_type, template) if ret == CKR_OK: keys[key_type] = key_handle else: logger.info( "Failed to generate key: {}\nReturn code: {}".format( key_type, ret)) yield keys finally: for handle in keys.values(): c_destroy_object(auth_session, handle)
def test_attribute_delivery(self, local_rpyc): client = RemotePycryptokiClient("127.0.0.1", os.getpid()) client.test_attrs(get_default_key_template(CKM_AES_KEY_GEN))