def test_derive_key_and_wrap(self, params): """ Tests CA_DeriveKeyAndWrap function :param params:valid AES_KWP wrap mechanism """ key_template = get_default_key_template(CKM_AES_KEY_GEN) h_base_key = c_generate_key_ex(self.h_session, CKM_AES_KEY_GEN, key_template) derived_key_template = key_template.copy() h_wrapping_key = c_generate_key_ex(self.h_session, CKM_AES_KEY_GEN, key_template) wrap_mech = {"mech_type": CKM_AES_KWP, "params": params} wrapped_key = ca_derive_key_and_wrap_ex(self.h_session, CKM_SHA256_KEY_DERIVATION, h_base_key, derived_key_template, h_wrapping_key, wrap_mech) assert wrapped_key, "CA_DeriveKeyAndWrap returned an empty buffer"
def test_long_length_derive_key(self, key_type, d_type, valid_mechanisms): """ Test deriving a key :param key_type: key generation mechanism :param d_type: derive mechanism """ key_template = get_session_template(get_default_key_template(key_type)) if key_type not in valid_mechanisms: pytest.skip("Not a valid mechanism on this product") h_base_key = c_generate_key_ex(self.h_session, key_type, key_template) mech = NullMech(d_type).to_c_mech() derived_key_template = key_template.copy() del derived_key_template[CKA_VALUE_LEN] ret, h_derived_key = c_derive_key(self.h_session, h_base_key, key_template, mechanism=mech) try: self.verify_ret(ret, CKR_OK) verify_object_attributes(self.h_session, h_derived_key, key_template) finally: if h_base_key: c_destroy_object(self.h_session, h_base_key) if h_derived_key: c_destroy_object(self.h_session, h_derived_key)
def test_too_long_length_derives(self, key_type, d_type, valid_mechanisms): """ Verify that trying to derive a key that is too long for the given derivation function will return CKR_KEY_SIZE_RANGE :param key_type: :param d_type: """ if key_type not in valid_mechanisms: pytest.skip("Not a valid mechanism on this product") key_template = get_session_template(get_default_key_template(key_type)) h_base_key = c_generate_key_ex(self.h_session, key_type, key_template) mech = NullMech(d_type).to_c_mech() derived_key_template = key_template.copy() del derived_key_template[CKA_VALUE_LEN] ret, h_derived_key = c_derive_key(self.h_session, h_base_key, key_template, mechanism=mech) try: self.verify_ret(ret, CKR_KEY_SIZE_RANGE) finally: if h_base_key: c_destroy_object(self.h_session, h_base_key) if h_derived_key: c_destroy_object(self.h_session, h_derived_key)
def test_derive_key(self, key_type, d_type): """ Test derive key for using parametrized hash :param key_type: Key-gen mechanism :param d_type: Hash mech """ key_template = get_default_key_template(key_type) h_base_key = c_generate_key_ex(self.h_session, key_type, key_template) mech = NullMech(d_type).to_c_mech() derived_key_template = key_template.copy() del derived_key_template[CKA_VALUE_LEN] ret, h_derived_key = c_derive_key(self.h_session, h_base_key, key_template, mechanism=mech) try: self.verify_ret(ret, CKR_OK) verify_object_attributes(self.h_session, h_derived_key, key_template) finally: if h_base_key: c_destroy_object(self.h_session, h_base_key) if h_derived_key: c_destroy_object(self.h_session, h_derived_key)
def test_set_attribute_usage_limit_sym(self): """Test: Verify that user is able to set CKA_USAGE_LIMIT attribute on an symmetric crypto object Procedure: Generate a DES Key Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 5 Use C_getAttributeValue to verify """ LOG.info( "Test: Verify that user is able to set CKA_USAGE_LIMIT attribute on \ an symmetric crypto object") usage_template = {CKA_USAGE_LIMIT: 5} h_key = c_generate_key_ex(self.h_session, mechanism=CKM_DES_KEY_GEN, template=CKM_DES_KEY_GEN_TEMP) LOG.info("Called c-generate: Key handle -%s", h_key) usage_limit = 5 c_set_attribute_value_ex(self.h_session, h_key, usage_template) out_template = c_get_attribute_value_ex( self.h_session, h_key, template={CKA_USAGE_LIMIT: None}) usage_val_out = out_template[CKA_USAGE_LIMIT] LOG.info("CKA_USAGE_LIMIT reported by C_GetAttributeValue :%s", usage_val_out) assert usage_limit == usage_val_out, "reported USAGE LIMIT does not match"
def sym_key_params(request, auth_session, usage_set): """ Generate a key, setting the usage limit by the method described in ``usage_set`` Return that key handle. """ usage_type, limit = usage_set key_gen, mechanism = request.param key_template = get_session_template(get_default_key_template(key_gen)) usage_template = {CKA_USAGE_LIMIT: limit} if usage_type in ("create", "both", "create_then_use"): key_template.update(usage_template) h_key = c_generate_key_ex(auth_session, mechanism=key_gen, template=key_template) try: if usage_type in ("create_then_use", ): c_encrypt_ex(auth_session, h_key, b'a' * 2048, mechanism={"mech_type": mechanism}) if usage_type in ("setattr", "both", "create_then_use"): c_set_attribute_value_ex(auth_session, h_key, usage_template) yield SymParams(h_key, mechanism) finally: c_destroy_object(auth_session, h_key)
def test_set_attribute_usage_count_check_error_CKR_KEY_NOT_ACTIVE_3des( self): """Test: Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE if user try to use crypto object more than limit set on CKA_USAGE_LIMIT Procedure: Generate a 3DES key Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2 Use RSA public key 3 times for encryption """ LOG.info( "Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE \ if user try to use crypto object more than limit set on CKA_USAGE_LIMIT" ) usage_lim_template = {CKA_USAGE_LIMIT: 2} h_key = c_generate_key_ex(self.h_session, mechanism=CKM_DES3_KEY_GEN, template=CKM_DES3_KEY_GEN_TEMP) LOG.info("Called c-generate: Key handle -" + str(h_key)) c_set_attribute_value_ex(self.h_session, h_key, usage_lim_template) c_encrypt_ex(self.h_session, h_key, b'a' * 2048, mechanism={"mech_type": CKM_DES3_ECB}) c_encrypt_ex(self.h_session, h_key, b'a' * 2048, mechanism={"mech_type": CKM_DES3_ECB}) return_val, data = c_encrypt(self.h_session, h_key, b'a' * 2048, mechanism={"mech_type": CKM_DES3_ECB}) LOG.info("Called C_Encrypt, return code: %s", return_val) py_template = c_get_attribute_value_ex( self.h_session, h_key, template={CKA_USAGE_COUNT: None}) usage_val_out = py_template[CKA_USAGE_COUNT] LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s", usage_val_out) assert return_val == CKR_KEY_NOT_ACTIVE, "reported error code does not match"
def test_modifyusagecount(self, command_type): """Test modify usage count :param command_type: """ key_handle = c_generate_key_ex( self.h_session, CKM_DES_KEY_GEN, get_session_template(CKM_DES_KEY_GEN_TEMP)) try: ret = ca_modifyusagecount(self.h_session, key_handle, command_type, 0) assert ret == CKR_OK, \ "Return code should be " + ret_vals_dictionary[CKR_OK] + \ " not " + ret_vals_dictionary[ret] finally: c_destroy_object(self.h_session, key_handle)
def test_usage_limit_attribute_check_sym_des(self): """Test: Verify that CKA_USAGE_COUNT attribute increments as user use the symmetric crypto object Procedure: Generate a DES Key Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2 Use des key twice for encryption Use C_getAttributeValue to verify that CKA_USAGE_COUNT is 2 """ LOG.info( "Test: Verify that CKA_USAGE_COUNT attribute increments as user \ use the symmetric crypto object") usage_lim_template = {CKA_USAGE_LIMIT: 2} usage_count = 2 h_key = c_generate_key_ex(self.h_session, mechanism=CKM_DES_KEY_GEN, template=CKM_DES_KEY_GEN_TEMP) LOG.info("Called c-generate: Key handle -%s", h_key) c_set_attribute_value_ex(self.h_session, h_key, usage_lim_template) c_encrypt_ex(self.h_session, h_key, b'a' * 2048, mechanism={"mech_type": CKM_DES_ECB}) c_encrypt_ex(self.h_session, h_key, b'a' * 2048, mechanism={"mech_type": CKM_DES_ECB}) py_template = c_get_attribute_value_ex( self.h_session, h_key, template={CKA_USAGE_COUNT: None}) usage_val_out = py_template[CKA_USAGE_COUNT] LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s", usage_val_out) assert usage_count == usage_val_out, "reported USAGE LIMIT does not match"
def generate_keys(password, kek_plain_text): ''' Generate AES keys password - string CryptoOfficer role password kek_plain_text - kek label ''' # HSM slot id for HA slot_id = 5 c_initialize_ex() auth_session = c_open_session_ex(slot_id) login_ex(auth_session, slot_id, password) CKM_AES_KEY_GEN_TEMP[CKA_LABEL] = bytes(kek_plain_text, 'utf-8') key_handle = c_generate_key_ex(auth_session, CKM_AES_KEY_GEN, CKM_AES_KEY_GEN_TEMP) c_logout_ex(auth_session) c_close_session_ex(auth_session) c_finalize_ex() return key_handle
def test_symmetric_key_expiry_des(self): """Test: Verify that user is not able to use the symmetric object after date specified in CKA_END_DATE attribute Procedure: Generate a DES Key des1 Use des1 in encrypt operation. Should work fine Using audit role, change the date of HSM to 12/31/2013 Use des1 in encrypt operation """ logger.info( "Test: Verify that user is not able to use the symmetric object after date " "specified in \ CKA_END_DATE attribute") end_d = {'year': b"2013", 'month': b"12", 'day': b"31"} CKM_KEY_GEN_TEMP = { CKA_CLASS: CKO_SECRET_KEY, CKA_KEY_TYPE: CKK_DES, CKA_TOKEN: True, CKA_SENSITIVE: True, CKA_PRIVATE: True, CKA_ENCRYPT: True, CKA_DECRYPT: True, CKA_SIGN: True, CKA_VERIFY: True, CKA_WRAP: True, CKA_UNWRAP: True, CKA_DERIVE: True, CKA_VALUE_LEN: 8, CKA_EXTRACTABLE: True, CKA_LABEL: b"DES Key", CKA_END_DATE: end_d } h_key = c_generate_key_ex(self.h_session, flavor=CKM_DES_KEY_GEN, template=CKM_KEY_GEN_TEMP) logger.info("Called c-generate: Key handle -" + str(h_key)) c_encrypt_ex(self.h_session, CKM_DES_ECB, h_key, b"a" * 512) c_logout_ex(self.h_session) c_close_session_ex(self.h_session) ca_init_audit_ex(self.admin_slot, AUDITOR_PASSWORD, AUDITOR_LABEL) h_session2 = c_open_session_ex(slot_num=self.admin_slot, flags=(CKF_SERIAL_SESSION | CKF_AUDIT_SESSION)) login_ex(h_session2, self.admin_slot, AUDITOR_PASSWORD, CKU_AUDIT) dt = datetime(2014, 1, 31) epoch = datetime.utcfromtimestamp(0) delta = dt - epoch hsm_dt = delta.total_seconds() hsm_new_date = int(hsm_dt) ca_time_sync_ex(h_session2, hsm_new_date) hsm_time = ca_get_time_ex(h_session2) c_logout_ex(h_session2) c_close_session_ex(h_session2) h_session = c_open_session_ex(slot_num=self.admin_slot) login_ex(h_session, self.admin_slot, CO_PASSWORD, CKU_USER) return_val = c_encrypt(h_session, h_key, b"This is some data to sign .. ", CKM_DES_ECB) assert return_val == CKR_KEY_NOT_ACTIVE, "return value should be CKR_KEY_NOT_ACTIVE" c_logout_ex(h_session) c_close_session_ex(h_session)