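def test_long_length_derive_key(self, key_type, d_type, valid_mechanisms):
    """
    Derive a key from a freshly generated base key and check the result.

    The derive call must return CKR_OK, after which the attributes of the
    derived object are compared against ``key_template``.

    :param key_type: key generation mechanism used for the base key
    :param d_type: derive mechanism, wrapped in ``NullMech``
    :param valid_mechanisms: collection of mechanisms the product supports;
        the test is skipped when ``key_type`` is not in it
    """
    # Decide on the skip before doing any other work, in the same order as
    # test_too_long_length_derives.
    if key_type not in valid_mechanisms:
        pytest.skip("Not a valid mechanism on this product")

    key_template = get_session_template(get_default_key_template(key_type))
    h_base_key = c_generate_key_ex(self.h_session, key_type, key_template)

    # Everything after key generation runs inside the try block so that the
    # base key is destroyed even when building the mechanism or the derive
    # call itself raises; otherwise the generated key would be left behind.
    h_derived_key = None
    try:
        mech = NullMech(d_type).to_c_mech()

        # NOTE(review): this copy (minus CKA_VALUE_LEN) is built but never
        # passed on; the derive call and the attribute check below both use
        # key_template, which still carries CKA_VALUE_LEN. Confirm which
        # template is intended before changing either.
        derived_key_template = key_template.copy()
        del derived_key_template[CKA_VALUE_LEN]

        ret, h_derived_key = c_derive_key(self.h_session,
                                          h_base_key,
                                          key_template,
                                          mechanism=mech)
        self.verify_ret(ret, CKR_OK)
        verify_object_attributes(self.h_session, h_derived_key, key_template)
    finally:
        # Remove both key objects so test key material does not outlive the
        # test.
        if h_base_key:
            c_destroy_object(self.h_session, h_base_key)
        if h_derived_key:
            c_destroy_object(self.h_session, h_derived_key)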
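def test_derive_dukpt_ipek(self, valid_mechanisms):
    """
    Derive a key with the CKM_DES2_DUKPT_IPEK mechanism and check it.

    A DES2 base key is generated, an IPEK is derived from it using a fixed
    ``data`` parameter, and the derived object's attributes are compared
    against the derived-key template (base template without CKA_VALUE_LEN,
    labelled ``b"DUKPT IPEK"``).

    :param valid_mechanisms: collection of mechanisms the product supports;
        the test is skipped when CKM_DES2_DUKPT_IPEK is not in it
    """
    if CKM_DES2_DUKPT_IPEK not in valid_mechanisms:
        pytest.skip(
            'This test is only valid for FWs that support CKM_DES2_DUKPT_IPEK'
        )

    key_template = get_session_template(
        get_default_key_template(CKM_DES2_KEY_GEN))
    ret, h_base_key = c_generate_key(self.h_session, CKM_DES2_KEY_GEN,
                                     key_template)
    # The generation return code used to be overwritten by the derive call
    # without being looked at. Check it here so a failed key generation is
    # reported as such rather than as a confusing derive failure.
    self.verify_ret(ret, CKR_OK)

    # Everything after key generation runs inside the try block so that the
    # base key is destroyed even when a later step raises.
    h_derived_key = None
    try:
        # NOTE(review): the value matches the sample key serial number
        # FFFF9876543210E00000 commonly used in DUKPT test vectors. The
        # base key is generated on the fly, so only the derived object's
        # attributes are checked below, not the derived key value.
        mech = StringDataDerivationMechanism(
            mech_type=CKM_DES2_DUKPT_IPEK,
            params={'data': 0xffff9876543210e00000}).to_c_mech()

        derived_key_template = key_template.copy()
        del derived_key_template[CKA_VALUE_LEN]
        derived_key_template[CKA_LABEL] = b"DUKPT IPEK"

        ret, h_derived_key = c_derive_key(self.h_session,
                                          h_base_key,
                                          derived_key_template,
                                          mechanism=mech)
        self.verify_ret(ret, CKR_OK)
        verify_object_attributes(self.h_session, h_derived_key,
                                 derived_key_template)
    finally:
        # Remove both key objects so test key material does not outlive the
        # test.
        if h_base_key:
            c_destroy_object(self.h_session, h_base_key)
        if h_derived_key:
            c_destroy_object(self.h_session, h_derived_key)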
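def test_too_long_length_derives(self, key_type, d_type, valid_mechanisms):
    """
    Verify that trying to derive a key that is too long for the given
    derivation function returns CKR_KEY_SIZE_RANGE.

    This is a negative test: the derive call is expected to be refused, and
    any other return code fails the test.

    :param key_type: key generation mechanism used for the base key
    :param d_type: derive mechanism, wrapped in ``NullMech``
    :param valid_mechanisms: collection of mechanisms the product supports;
        the test is skipped when ``key_type`` is not in it
    """
    if key_type not in valid_mechanisms:
        pytest.skip("Not a valid mechanism on this product")

    key_template = get_session_template(get_default_key_template(key_type))
    h_base_key = c_generate_key_ex(self.h_session, key_type, key_template)

    # Everything after key generation runs inside the try block so that the
    # base key is destroyed even when building the mechanism or the derive
    # call itself raises.
    h_derived_key = None
    try:
        mech = NullMech(d_type).to_c_mech()

        # NOTE(review): this copy (minus CKA_VALUE_LEN) is built but never
        # passed on. The derive call uses key_template, which still carries
        # CKA_VALUE_LEN; presumably that requested length is what triggers
        # the size-range error, so do not swap the templates without
        # confirming.
        derived_key_template = key_template.copy()
        del derived_key_template[CKA_VALUE_LEN]

        ret, h_derived_key = c_derive_key(self.h_session,
                                          h_base_key,
                                          key_template,
                                          mechanism=mech)
        self.verify_ret(ret, CKR_KEY_SIZE_RANGE)
    finally:
        if h_base_key:
            c_destroy_object(self.h_session, h_base_key)
        # If the derive call unexpectedly succeeded, the over-long key is
        # still removed here before the assertion failure propagates.
        if h_derived_key:
            c_destroy_object(self.h_session, h_derived_key)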
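def test_derive_key(self, key_type, d_type):
    """
    Derive a key using a parametrized hash mechanism and check the result.

    The derive call must return CKR_OK, after which the attributes of the
    derived object are compared against ``key_template``.

    :param key_type: Key-gen mechanism used for the base key
    :param d_type: Hash mech used for the derivation, wrapped in ``NullMech``
    """
    # NOTE(review): unlike the sibling derive tests, this template is not
    # passed through get_session_template. Confirm that is intended; if the
    # default template creates objects that outlive the session, the cleanup
    # in the finally block is the only thing removing them.
    key_template = get_default_key_template(key_type)
    h_base_key = c_generate_key_ex(self.h_session, key_type, key_template)

    # Everything after key generation runs inside the try block so that the
    # base key is destroyed even when building the mechanism or the derive
    # call itself raises.
    h_derived_key = None
    try:
        mech = NullMech(d_type).to_c_mech()

        # NOTE(review): this copy (minus CKA_VALUE_LEN) is built but never
        # passed on; the derive call and the attribute check below both use
        # key_template, which still carries CKA_VALUE_LEN. Confirm which
        # template is intended before changing either.
        derived_key_template = key_template.copy()
        del derived_key_template[CKA_VALUE_LEN]

        ret, h_derived_key = c_derive_key(self.h_session,
                                          h_base_key,
                                          key_template,
                                          mechanism=mech)
        self.verify_ret(ret, CKR_OK)
        verify_object_attributes(self.h_session, h_derived_key, key_template)
    finally:
        # Remove both key objects so test key material does not outlive the
        # test.
        if h_base_key:
            c_destroy_object(self.h_session, h_base_key)
        if h_derived_key:
            c_destroy_object(self.h_session, h_derived_key)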