def test_decrypt_bad_session(self):
self.pkcs11.get_session.return_value = mock.DEFAULT
self.pkcs11.get_session.side_effect = ex.P11CryptoPluginException(
'Testing error handling'
)
ct = b'ctct'
kek_meta_extended = '{"iv":"AAAA"}'
decrypt_dto = plugin_import.DecryptDTO(ct)
kek_meta = mock.MagicMock()
kek_meta.kek_label = 'pkek'
kek_meta.plugin_meta = ('{"iv": "iv==",'
'"hmac": "hmac",'
'"wrapped_key": "wrappedkey==",'
'"mkek_label": "mkek_label",'
'"hmac_label": "hmac_label"}')
self.assertRaises(ex.P11CryptoPluginException,
self.plugin._decrypt,
decrypt_dto,
kek_meta,
kek_meta_extended,
mock.MagicMock())
self.assertEqual(2, self.pkcs11.get_key_handle.call_count)
self.assertEqual(2, self.pkcs11.get_session.call_count)
self.assertEqual(1, self.pkcs11.verify_hmac.call_count)
self.assertEqual(1, self.pkcs11.unwrap_key.call_count)
self.assertEqual(0, self.pkcs11.decrypt.call_count)
self.assertEqual(0, self.pkcs11.return_session.call_count)
def test_encrypt_bad_session(self):
self.pkcs11.get_session.return_value = mock.DEFAULT
self.pkcs11.get_session.side_effect = ex.P11CryptoPluginException(
'Testing error handling'
)
payload = b'test payload'
encrypt_dto = plugin_import.EncryptDTO(payload)
kek_meta = mock.MagicMock()
kek_meta.kek_label = 'pkek'
kek_meta.plugin_meta = ('{"iv": "iv==",'
'"hmac": "hmac",'
'"wrapped_key": "wrappedkey==",'
'"mkek_label": "mkek_label",'
'"hmac_label": "hmac_label"}')
self.assertRaises(ex.P11CryptoPluginException,
self.plugin._encrypt,
encrypt_dto,
kek_meta,
mock.MagicMock())
self.assertEqual(self.pkcs11.get_key_handle.call_count, 2)
self.assertEqual(self.pkcs11.get_session.call_count, 2)
self.assertEqual(self.pkcs11.verify_hmac.call_count, 1)
self.assertEqual(self.pkcs11.unwrap_key.call_count, 1)
self.assertEqual(self.pkcs11.encrypt.call_count, 0)
self.assertEqual(self.pkcs11.return_session.call_count, 0)
def _check_error(self, value):
if value != CKR_OK:
code = ERROR_CODES.get(value, 'CKR_????')
hex_code = "{hex} {code}".format(hex=hex(value), code=code)
if code == 'CKR_TOKEN_NOT_PRESENT':
raise exception.P11CryptoTokenException(slot_id=self.slot_id)
raise exception.P11CryptoPluginException(u._(
"HSM returned response code: {code}").format(code=hex_code))
def generate_key(self,
key_type,
key_length,
mechanism,
session,
key_label=None,
master_key=False,
encrypt=False,
sign=False,
wrap=False):
if not any((encrypt, sign, wrap)):
raise exception.P11CryptoPluginException()
if master_key and not key_label:
raise ValueError(u._("key_label must be set for master_keys"))
token = master_key
extractable = not master_key
# in some HSMs extractable keys cannot be marked sensitive
sensitive = self.always_set_cka_sensitive or not extractable
ck_attributes = [
Attribute(CKA_CLASS, CKO_SECRET_KEY),
Attribute(CKA_KEY_TYPE, _KEY_TYPES[key_type]),
Attribute(CKA_VALUE_LEN, key_length),
Attribute(CKA_TOKEN, token),
Attribute(CKA_PRIVATE, True),
Attribute(CKA_SENSITIVE, sensitive),
Attribute(CKA_ENCRYPT, encrypt),
Attribute(CKA_DECRYPT, encrypt),
Attribute(CKA_SIGN, sign),
Attribute(CKA_VERIFY, sign),
Attribute(CKA_WRAP, wrap),
Attribute(CKA_UNWRAP, wrap),
Attribute(CKA_EXTRACTABLE, extractable)
]
if master_key:
ck_attributes.append(Attribute(CKA_LABEL, key_label))
ck_attributes = self._build_attributes(ck_attributes)
mech = self.ffi.new("CK_MECHANISM *")
mech.mechanism = _KEY_GEN_MECHANISMS[mechanism]
obj_handle_ptr = self.ffi.new("CK_OBJECT_HANDLE *")
rv = self.lib.C_GenerateKey(session, mech, ck_attributes.template,
len(ck_attributes.template),
obj_handle_ptr)
self._check_error(rv)
return obj_handle_ptr[0]
def _check_error(self, value):
if value != CKR_OK and value != CKR_CRYPTOKI_ALREADY_INITIALIZED:
code = ERROR_CODES.get(value, 'CKR_????')
hex_code = "{hex} {code}".format(hex=hex(value), code=code)
if code == 'CKR_TOKEN_NOT_PRESENT':
raise exception.P11CryptoTokenException(slot_id=self.slot_id)
if code == 'EHOSTUNREACH':
raise exception.TrustwayProteccioException(
"Trustway Proteccio Error: {code}".format(code=hex_code))
raise exception.P11CryptoPluginException(
u._("HSM returned response code: {code}").format(
code=hex_code))
def generate_key(self,
key_length,
session,
key_label=None,
encrypt=False,
sign=False,
wrap=False,
master_key=False):
if not encrypt and not sign and not wrap:
raise exception.P11CryptoPluginException()
if master_key and not key_label:
raise ValueError(u._("key_label must be set for master_keys"))
token = True if master_key else False
extractable = False if master_key else True
ck_attributes = [
Attribute(CKA_CLASS, CKO_SECRET_KEY),
Attribute(CKA_KEY_TYPE, CKK_AES),
Attribute(CKA_VALUE_LEN, key_length),
Attribute(CKA_TOKEN, token),
Attribute(CKA_PRIVATE, True),
Attribute(CKA_SENSITIVE, True),
Attribute(CKA_ENCRYPT, encrypt),
Attribute(CKA_DECRYPT, encrypt),
Attribute(CKA_SIGN, sign),
Attribute(CKA_VERIFY, sign),
Attribute(CKA_WRAP, wrap),
Attribute(CKA_UNWRAP, wrap),
Attribute(CKA_EXTRACTABLE, extractable)
]
if master_key:
ck_attributes.append(Attribute(CKA_LABEL, key_label))
ck_attributes = self._build_attributes(ck_attributes)
mech = self.ffi.new("CK_MECHANISM *")
mech.mechanism = CKM_AES_KEY_GEN
obj_handle_ptr = self.ffi.new("CK_OBJECT_HANDLE *")
rv = self.lib.C_GenerateKey(session, mech, ck_attributes.template,
len(ck_attributes.template),
obj_handle_ptr)
self._check_error(rv)
return obj_handle_ptr[0]
def _rng_self_test(self, session):
test_random = self.generate_random(100, session)
if test_random == b'\x00' * 100:
raise exception.P11CryptoPluginException(
u._("Apparent RNG self-test failure."))
