def test_long_length_derive_key(self, key_type, d_type, valid_mechanisms):
"""
Test deriving a key
:param key_type: key generation mechanism
:param d_type: derive mechanism
"""
key_template = get_session_template(get_default_key_template(key_type))
if key_type not in valid_mechanisms:
pytest.skip("Not a valid mechanism on this product")
ret, h_base_key = c_generate_key(
self.h_session, key_type, key_template)
mech = NullMech(d_type).to_c_mech()
derived_key_template = key_template.copy()
del derived_key_template[CKA_VALUE_LEN]
ret, h_derived_key = c_derive_key(self.h_session,
h_base_key,
key_template,
mechanism=mech)
try:
self.verify_ret(ret, CKR_OK)
verify_object_attributes(
self.h_session, h_derived_key, key_template)
finally:
if h_base_key:
c_destroy_object(self.h_session, h_base_key)
if h_derived_key:
c_destroy_object(self.h_session, h_derived_key)
def test_too_long_length_derives(self, key_type, d_type, valid_mechanisms):
"""
Verify that trying to derive a key that is too long for the given derivation function
will return CKR_KEY_SIZE_RANGE
:param key_type:
:param d_type:
"""
if key_type not in valid_mechanisms:
pytest.skip("Not a valid mechanism on this product")
key_template = get_session_template(get_default_key_template(key_type))
ret, h_base_key = c_generate_key(
self.h_session, key_type, key_template)
self.verify_ret(ret, CKR_OK)
mech = NullMech(d_type).to_c_mech()
derived_key_template = key_template.copy()
del derived_key_template[CKA_VALUE_LEN]
ret, h_derived_key = c_derive_key(self.h_session, h_base_key,
key_template,
mechanism=mech)
try:
self.verify_ret(ret, CKR_KEY_SIZE_RANGE)
finally:
if h_base_key:
c_destroy_object(self.h_session, h_base_key)
if h_derived_key:
c_destroy_object(self.h_session, h_derived_key)
def test_derive_key(self, key_type, d_type, valid_mechanisms):
"""
Test derive key for using parametrized hash
:param key_type: Key-gen mechanism
:param d_type: Hash mech
"""
if key_type not in valid_mechanisms:
pytest.skip("Not a valid mechanism on this product")
key_template = get_session_template(get_default_key_template(key_type))
ret, h_base_key = c_generate_key(
self.h_session, key_type, key_template)
self.verify_ret(ret, CKR_OK)
mech = NullMech(d_type).to_c_mech()
derived_key_template = key_template.copy()
del derived_key_template[CKA_VALUE_LEN]
ret, h_derived_key = c_derive_key(self.h_session, h_base_key,
key_template,
mechanism=mech)
try:
self.verify_ret(ret, CKR_OK)
verify_object_attributes(
self.h_session, h_derived_key, key_template)
finally:
if h_base_key:
c_destroy_object(self.h_session, h_base_key)
if h_derived_key:
c_destroy_object(self.h_session, h_derived_key)
def keys(auth_session):
""" Fixture containing keys"""
keys = {}
try:
for key_gen in set(param[1] for param in PARAM_LIST):
template = get_default_key_template(key_gen)
template[CKA_WRAP_WITH_TRUSTED] = False
ret, key_handle = c_generate_key(auth_session, key_gen, template)
ret2, wrap_handle = c_generate_key(auth_session, key_gen, template)
if ret == CKR_OK and ret2 == CKR_OK:
keys[key_gen] = key_handle, wrap_handle
elif ret2 != CKR_OK:
keys[key_gen] = key_handle, None
logger.info(
"Failed to generate key: {}\nReturn code: {}".format(
key_gen, ret2))
elif ret != CKR_OK:
keys[key_gen] = None, wrap_handle
logger.info(
"Failed to generate key: {}\nReturn code: {}".format(
key_gen, ret))
else:
logger.info(
"Failed to generate key: {}\nReturn code: {}".format(
key_gen, ret))
yield keys
finally:
for key, wrap in keys.values():
if key is not None:
c_destroy_object(auth_session, key)
if wrap is not None:
c_destroy_object(auth_session, wrap)
def generate_unwrap_temp(self, key_gen):
"""
Create an unwrap template which is slightly different then the original template
:param key_gen:
:return: the new unwrap template
"""
unwrap_temp = get_default_key_template(key_gen)
unwrap_temp.pop(CKA_DECRYPT, None)
unwrap_temp.pop(CKA_VERIFY, None)
unwrap_temp.pop(CKA_UNWRAP, None)
unwrap_temp.pop(CKA_EXTRACTABLE, None)
if key_gen not in VALUE_LEN:
unwrap_temp.pop(CKA_VALUE_LEN, None)
return unwrap_temp
def test_generate_key(self, key_type, valid_mechanisms):
"""
Test generation of keys for sym. crypto systems
:param key_type: key generation mechanism
"""
key_template = get_session_template(get_default_key_template(key_type))
ret, key_handle = c_generate_key(
self.h_session, key_type, key_template)
try:
if key_type not in valid_mechanisms:
self.verify_ret(ret, CKR_MECHANISM_INVALID)
else:
self.verify_ret(ret, CKR_OK)
self.verify_key_len(key_handle, key_handle)
finally:
c_destroy_object(self.h_session, key_handle)
def sym_keys(auth_session):
""" Fixture containing all sym. keys"""
keys = {}
try:
for key_type in SYM_TABLE.values():
template = get_session_template(get_default_key_template(key_type))
ret, key_handle = c_generate_key(auth_session, key_type, template)
if ret == CKR_OK:
keys[key_type] = key_handle
else:
logger.info("Failed to generate key: %s\nReturn code: %s",
key_type, ret)
yield keys
finally:
for handle in keys.values():
c_destroy_object(auth_session, handle)
def test_wrap_unwrap_key(self, mech, k_type, keys):
"""
Test key wrapping
:param mech: encryption mech
:param k_type: key gen mech
:param keys: keys fixture
"""
temp = get_default_key_template(k_type)
unwrap_temp = self.generate_unwrap_temp(k_type)
extra_p = EXTRA_PARAM[mech]
h_key, h_wrap_key = keys[k_type]
if h_key is None or h_wrap_key is None:
pytest.skip("No valid key found for {}".format(LOOKUP[mech][0]))
# Wrap the key
wrap_mech = {"mech_type": mech, "params": extra_p}
ret, wrapped_key = c_wrap_key(self.h_session,
h_wrap_key,
h_key,
mechanism=wrap_mech)
self.verify_ret(ret, CKR_OK)
h_unwrapped_key = None
try:
# Unwrap the Key
ret, h_unwrapped_key = c_unwrap_key(self.h_session,
h_wrap_key,
wrapped_key,
unwrap_temp,
mechanism=wrap_mech)
self.verify_ret(ret, CKR_OK)
# Verify all of the attributes against the originally generated attributes
verify_object_attributes(self.h_session, h_unwrapped_key, temp)
finally:
if h_unwrapped_key != None:
c_destroy_object(self.h_session, h_unwrapped_key)