async def _import_symmetric_test_key(self, client, name):
key_material = codecs.decode("e27ed0c84512bbd55b6af434d237c11feba311870f80f2c2e3364260f31c82c8", "hex_codec")
key = JsonWebKey(
kty="oct-HSM",
key_ops=["encrypt", "decrypt", "wrapKey", "unwrapKey"],
k=key_material,
)
imported_key = await client.import_key(name, key) # the key material isn't returned by the service
key.kid = imported_key.id
key_vault_key = KeyVaultKey(key_id=imported_key.id, jwk=vars(key)) # create a key containing the material
assert key_vault_key.key.k == key_material
assert key_vault_key.key.kid == imported_key.id == key_vault_key.id
return key_vault_key
def test_local_only_mode_no_service_calls():
"""A local-only CryptographyClient shouldn't call the service if an operation can't be performed locally"""
mock_client = mock.Mock()
jwk = JsonWebKey(kty="RSA", key_ops=[], n=b"10011", e=b"10001")
client = CryptographyClient.from_jwk(jwk=jwk)
client._client = mock_client
with pytest.raises(NotImplementedError):
client.decrypt(EncryptionAlgorithm.rsa_oaep, b"...")
assert mock_client.decrypt.call_count == 0
with pytest.raises(NotImplementedError):
client.encrypt(EncryptionAlgorithm.a256_gcm, b"...")
assert mock_client.encrypt.call_count == 0
with pytest.raises(NotImplementedError):
client.sign(SignatureAlgorithm.rs256, b"...")
assert mock_client.sign.call_count == 0
with pytest.raises(NotImplementedError):
client.verify(SignatureAlgorithm.es256, b"...", b"...")
assert mock_client.verify.call_count == 0
with pytest.raises(NotImplementedError):
client.unwrap_key(KeyWrapAlgorithm.rsa_oaep, b"...")
assert mock_client.unwrap_key.call_count == 0
with pytest.raises(NotImplementedError):
client.wrap_key(KeyWrapAlgorithm.aes_256, b"...")
assert mock_client.wrap_key.call_count == 0
def _import_test_key(self, client, name):
def _to_bytes(hex):
if len(hex) % 2:
hex = "0{}".format(hex)
return codecs.decode(hex, "hex_codec")
key = JsonWebKey(
kty="RSA",
key_ops=["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"],
n=_to_bytes(
"00a0914d00234ac683b21b4c15d5bed887bdc959c2e57af54ae734e8f00720d775d275e455207e3784ceeb60a50a4655dd72a7a94d271e8ee8f7959a669ca6e775bf0e23badae991b4529d978528b4bd90521d32dd2656796ba82b6bbfc7668c8f5eeb5053747fd199319d29a8440d08f4412d527ff9311eda71825920b47b1c46b11ab3e91d7316407e89c7f340f7b85a34042ce51743b27d4718403d34c7b438af6181be05e4d11eb985d38253d7fe9bf53fc2f1b002d22d2d793fa79a504b6ab42d0492804d7071d727a06cf3a8893aa542b1503f832b296371b6707d4dc6e372f8fe67d8ded1c908fde45ce03bc086a71487fa75e43aa0e0679aa0d20efe35"
),
e=_to_bytes("10001"),
d=_to_bytes(
"627c7d24668148fe2252c7fa649ea8a5a9ed44d75c766cda42b29b660e99404f0e862d4561a6c95af6a83d213e0a2244b03cd28576473215073785fb067f015da19084ade9f475e08b040a9a2c7ba00253bb8125508c9df140b75161d266be347a5e0f6900fe1d8bbf78ccc25eeb37e0c9d188d6e1fc15169ba4fe12276193d77790d2326928bd60d0d01d6ead8d6ac4861abadceec95358fd6689c50a1671a4a936d2376440a41445501da4e74bfb98f823bd19c45b94eb01d98fc0d2f284507f018ebd929b8180dbe6381fdd434bffb7800aaabdd973d55f9eaf9bb88a6ea7b28c2a80231e72de1ad244826d665582c2362761019de2e9f10cb8bcc2625649"
),
p=_to_bytes(
"00d1deac8d68ddd2c1fd52d5999655b2cf1565260de5269e43fd2a85f39280e1708ffff0682166cb6106ee5ea5e9ffd9f98d0becc9ff2cda2febc97259215ad84b9051e563e14a051dce438bc6541a24ac4f014cf9732d36ebfc1e61a00d82cbe412090f7793cfbd4b7605be133dfc3991f7e1bed5786f337de5036fc1e2df4cf3"
),
q=_to_bytes(
"00c3dc66b641a9b73cd833bc439cd34fc6574465ab5b7e8a92d32595a224d56d911e74624225b48c15a670282a51c40d1dad4bc2e9a3c8dab0c76f10052dfb053bc6ed42c65288a8e8bace7a8881184323f94d7db17ea6dfba651218f931a93b8f738f3d8fd3f6ba218d35b96861a0f584b0ab88ddcf446b9815f4d287d83a3237"
),
dp=_to_bytes(
"00c9a159be7265cbbabc9afcc4967eb74fe58a4c4945431902d1142da599b760e03838f8cbd26b64324fea6bdc9338503f459793636e59b5361d1e6951e08ddb089e1b507be952a81fbeaf7e76890ea4f536e25505c3f648b1e88377dfc19b4c304e738dfca07211b792286a392a704d0f444c0a802539110b7f1f121c00cff0a9"
),
dq=_to_bytes(
"00a0bd4c0a3d9f64436a082374b5caf2488bac1568696153a6a5e4cd85d186db31e2f58f024c617d29f37b4e6b54c97a1e25efec59c4d1fd3061ac33509ce8cae5c11f4cd2e83f41a8264f785e78dc0996076ee23dfdfc43d67c463afaa0180c4a718357f9a6f270d542479a0f213870e661fb950abca4a14ca290570ba7983347"
),
qi=_to_bytes(
"009fe7ae42e92bc04fcd5780464bd21d0c8ac0c599f9af020fde6ab0a7e7d1d39902f5d8fb6c614184c4c1b103fb46e94cd10a6c8a40f9991a1f28269f326435b6c50276fda6493353c650a833f724d80c7d522ba16c79f0eb61f672736b68fb8be3243d10943c4ab7028d09e76cfb5892222e38bc4d35585bf35a88cd68c73b07"
),
)
imported_key = client.import_key(name, key)
self._validate_rsa_key_bundle(imported_key, client.vault_url, name, key.kty, key.key_ops)
return imported_key
def _import_symmetric_test_key(self, client, name):
key = JsonWebKey(
kty="oct-HSM",
key_ops=["encrypt", "decrypt", "wrapKey", "unwrapKey"],
k=codecs.decode("e27ed0c84512bbd55b6af434d237c11feba311870f80f2c2e3364260f31c82c8", "hex_codec"),
)
imported_key = client.import_key(name, key)
return imported_key
async def test_aes_cbc_iv_validation():
"""The client should raise an error when an iv is not provided"""
jwk = JsonWebKey(kty="oct-HSM", key_ops=["encrypt", "decrypt"], k=os.urandom(32))
client = CryptographyClient.from_jwk(jwk=jwk)
with pytest.raises(ValueError) as ex:
await client.encrypt(EncryptionAlgorithm.a256_cbcpad, b"...")
assert "iv" in str(ex.value).lower()
async def test_aes_cbc_key_size_validation():
"""The client should raise an error when the key is an inappropriate size for the specified algorithm"""
jwk = JsonWebKey(kty="oct-HSM", key_ops=["encrypt", "decrypt"], k=os.urandom(64))
iv = os.urandom(16)
client = CryptographyClient.from_jwk(jwk=jwk)
with pytest.raises(AzureError) as ex:
await client.encrypt(EncryptionAlgorithm.a128_cbcpad, b"...", iv=iv) # requires 16-byte key
assert "key size" in str(ex.value).lower()
with pytest.raises(AzureError) as ex:
await client.encrypt(EncryptionAlgorithm.a192_cbcpad, b"...", iv=iv) # requires 24-byte key
assert "key size" in str(ex.value).lower()
with pytest.raises(AzureError) as ex:
await client.encrypt(EncryptionAlgorithm.a256_cbcpad, b"...", iv=iv) # requires 32-byte key
assert "key size" in str(ex.value).lower()