def keypair(request, session, curve):
if request.param == Mode.GENERATE:
asymkey = AsymmetricKey.generate(
session,
0,
"Generate EC",
0xFFFF,
CAPABILITY.SIGN_ECDSA | CAPABILITY.DERIVE_ECDH,
ALGORITHM.for_curve(curve()),
)
public_key = asymkey.get_public_key()
else:
key = ec.generate_private_key(curve(), backend=default_backend())
asymkey = AsymmetricKey.put(
session,
0,
"SECP ECDSA Sign Sign",
0xFFFF,
CAPABILITY.SIGN_ECDSA | CAPABILITY.DERIVE_ECDH,
key,
)
public_key = key.public_key()
assert public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
) == asymkey.get_public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
yield asymkey, public_key
asymkey.delete()
def eddsa_keypair(request, session):
if request.param == Mode.GENERATE:
key = None
asymkey = AsymmetricKey.generate(
session,
0,
"Generate EC",
0xFFFF,
CAPABILITY.SIGN_EDDSA,
ALGORITHM.EC_ED25519,
)
public_key = asymkey.get_public_key()
else:
key = ed25519.Ed25519PrivateKey.generate()
asymkey = AsymmetricKey.put(session, 0, "Test Ed25519", 0xFFFF,
CAPABILITY.SIGN_EDDSA, key)
public_key = key.public_key()
assert public_key.public_bytes(
serialization.Encoding.Raw,
serialization.PublicFormat.Raw) == asymkey.get_public_key(
).public_bytes(serialization.Encoding.Raw,
serialization.PublicFormat.Raw)
yield asymkey, public_key, key
asymkey.delete()
def sign(self, bytes, keynum=-1):
if keynum == -1:
keynum = self.keynum
key = AsymmetricKey(self.session, keynum)
sig = key.sign_eddsa(bytes)
encoded_sig = base64.standard_b64encode(sig).decode()
return encoded_sig
def pubkey_rsa(self, keysize):
key = rsa.generate_private_key(public_exponent=0x10001,
key_size=keysize,
backend=default_backend())
asymkey = AsymmetricKey.put(self.session, 0, "Pubkey RSA", 0xFFFF,
CAPABILITY.SIGN_PKCS, key)
pub = asymkey.get_public_key()
self.assertEqual(
pub.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
),
key.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
),
)
data = os.urandom(64)
resp = asymkey.sign_pkcs1v1_5(data)
pub.verify(resp, data, padding.PKCS1v15(), hashes.SHA256())
asymkey.delete()
def rsa_pss_sign(self, keysize, hashtype, mgf1hash=None):
if mgf1hash is None:
mgf1hash = hashtype
key = rsa.generate_private_key(public_exponent=0x10001,
key_size=keysize,
backend=default_backend())
asymkey = AsymmetricKey.put(self.session, 0, "RSA PSS Sign", 0xFFFF,
CAPABILITY.SIGN_PSS, key)
# No salt
data = os.urandom(64)
resp = asymkey.sign_pss(data, 0, hash=hashtype, mgf_hash=mgf1hash)
key.public_key().verify(resp, data,
padding.PSS(padding.MGF1(mgf1hash), 0),
hashtype)
# Max - len salt
saltlen = keysize // 8 - hashtype.digest_size - 2
data = os.urandom(64)
resp = asymkey.sign_pss(data,
saltlen,
hash=hashtype,
mgf_hash=mgf1hash)
key.public_key().verify(
resp,
data,
padding.PSS(padding.MGF1(mgf1hash), padding.PSS.MAX_LENGTH),
hashtype,
)
asymkey.delete()
def test_rsa_pkcs1_decrypt_errors(self):
rawmessages = [
# no actual padding bytes:
b"\x00\x02\x00" + b"\xc3" * 236 + b"\x00",
# first byte != 0x00:
b"\x01\x02" + b"\xc3" * 237 + b"\x00",
# second byte != 0x02:
b"\x00\x01" + b"\xc3" * 237 + b"\x00",
# only 7 bytes of padding:
b"\x00\x02" + b"\xc3" * 7 + b"\x00" + b"\x3c" * 246,
]
rsakey = rsa.generate_private_key(public_exponent=0x10001,
key_size=2048,
backend=default_backend())
key = AsymmetricKey.put(self.session, 0, "pkcs1 test", 0xFFFF,
CAPABILITY.DECRYPT_PKCS, rsakey)
numbers = key.get_public_key().public_numbers()
for m in rawmessages:
error = ERROR.OK
m = m.ljust(256, b"\xc3")
m_int = int_from_bytes(m, "big")
enc = pow(m_int, numbers.e, numbers.n)
try:
key.decrypt_pkcs1v1_5(int_to_bytes(enc).rjust(256, b"\x00"))
except YubiHsmDeviceError as e:
error = e.code
self.assertEqual(error, ERROR.INVALID_DATA)
key.delete()
def test_bad_ecdh_keys(self):
pubkeys = [
# this is a public key not on the curve (p256)
"04cdeb39edd03e2b1a11a5e134ec99d5f25f21673d403f3ecb47bd1fa676638958ea58493b8429598c0b49bbb85c3303ddb1553c3b761c2caacca71606ba9ebaca", # noqa E501
# all zeroes public key
"0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", # noqa E501
# all ff public key
"04ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", # noqa E501
]
key = AsymmetricKey.generate(
self.session,
0,
"badkey ecdh test",
0xFFFF,
CAPABILITY.DERIVE_ECDH,
ALGORITHM.EC_P256,
)
keyid = struct.pack("!H", key.id)
for pubkey in pubkeys:
with self.assertRaises(YubiHsmDeviceError) as context:
self.session.send_secure_cmd(COMMAND.DERIVE_ECDH,
keyid + a2b_hex(pubkey))
self.assertEqual(context.exception.code, ERROR.INVALID_DATA)
key.delete()
def oaep_rsa_decrypt(self, keylength, hashtype, mgf1hash=None):
if mgf1hash is None:
mgf1hash = hashtype
key = rsa.generate_private_key(public_exponent=0x10001,
key_size=keylength,
backend=default_backend())
asymkey = AsymmetricKey.put(self.session, 0, "OAEP RSA Decrypt",
0xFFFF, CAPABILITY.DECRYPT_OAEP, key)
data = os.urandom(64)
ciphertext = key.public_key().encrypt(
data,
padding.OAEP(mgf=padding.MGF1(algorithm=mgf1hash),
algorithm=hashtype,
label=None),
)
dec = asymkey.decrypt_oaep(ciphertext,
hash=hashtype,
mgf_hash=mgf1hash)
self.assertEqual(data, dec)
asymkey.delete()
def generate_wrap(self):
w_id = random.randint(1, 0xFFFE)
a_id = random.randint(1, 0xFFFE)
wrapkey = WrapKey.generate(
self.session,
w_id,
"Generate Wrap 0x%04x" % w_id,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
)
asymkey = AsymmetricKey.generate(
self.session,
a_id,
"Generate Wrap 0x%04x" % a_id,
0xFFFF,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.EC_P256,
)
origin = asymkey.get_info().origin
self.assertEqual(origin, 0x01)
self.assertTrue(origin.generated)
self.assertFalse(origin.imported)
self.assertFalse(origin.wrapped)
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapped = wrapkey.export_wrapped(asymkey)
wrapped2 = wrapkey.export_wrapped(asymkey)
self.assertNotEqual(wrapped, wrapped2)
asymkey.delete()
self.assertRaises(YubiHsmDeviceError, asymkey.get_public_key)
asymkey = wrapkey.import_wrapped(wrapped)
origin = asymkey.get_info().origin
self.assertEqual(origin, 0x11)
self.assertTrue(origin.generated)
self.assertFalse(origin.imported)
self.assertTrue(origin.wrapped)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
self.assertNotEqual(resp, None)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapkey.delete()
def test_vectors(self):
for v in self.vectors:
key = load_ed25519_private_key(v["key"])
k = AsymmetricKey.put(self.session, 0, "Test Ed25519", 0xFFFF,
CAPABILITY.SIGN_EDDSA, key)
self.assertEqual(serialize_ed25519_public_key(k.get_public_key()),
v["pubkey"])
self.assertEqual(k.sign_eddsa(v["msg"]), v["sig"])
k.delete()
def test_eddsa_vectors(session, vector):
key = ed25519.Ed25519PrivateKey.from_private_bytes(vector["key"])
k = AsymmetricKey.put(session, 0, "Test Ed25519", 0xFFFF,
CAPABILITY.SIGN_EDDSA, key)
assert (k.get_public_key().public_bytes(
serialization.Encoding.Raw,
serialization.PublicFormat.Raw) == vector["pubkey"])
assert k.sign_eddsa(vector["msg"]) == vector["sig"]
k.delete()
def test_oaep_double0(self):
data = a2b_hex(
"77294f3a4f5cfc921d9255a6895f8d2397e7d312e1b10b41c88b025748f0b6d4c41c4bdc6309388648a3b7a07112a11f831d9d6e1af1408fae875be2868bc4d0" # noqa: E501
)
# this ciphertext is special as it decrypts to a valid plaintext
# starting with 0000
ciphertext = a2b_hex(
"add1fd0bc2e9439a76c53fa4655e4bef77394dee407903604d665ba0e506334ddffc689e3bec658fc15c80c70ffddb8a8ce578d441926106316067a8c5e8b5f2655d035eff1525cf697720baf510af722d14539ccaf605785a9f4cfd284e4b496c54684a0c72fae522be186aedcedf47da63408065345180e30d7cb003cd64b5ce508ea029999ad695f1f2464fb659db5c2779631f1c27d650bc8b7ae23048b8dc1d51ad9623a4af0f7363f74eed0e16d947322d1a3a76ef8dbdf9c0258f393c0f2d7ebaccfcc116f759f0e9077387de74b1cb82851e1ded0128e48bbde389bd407cf8339752b9c070bf22ad64eaa12ee996f474a6412f7642aa0fa66873b5d2" # noqa: E501
)
h = hashes.SHA1()
rsapem = b"""
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA7mKlVPrZdxLkYrfGESb3KI4UbWKaKOfX49LqZ2pUypF13VRi
yqfpBbjAJztEy8BvOgbIEJgDtRVyUHCO+pfs6uVakYEcbLZzP92iZaFTwa9//B+P
Hq+vtNejdO5Zsqd1s11bCPy6vpPXeMPbbT5s9gR7ENGdNwUkusVRtQweJAd5icVU
edewI/4npIZG7To0iKUS4OvuqKWi/ms9fpi5l5BeJkok+5P7nQlmE5H5P+MuHUaC
KHPdzbfaqIYof11XhsUYzgvEZnhz/YPwDiMiLXpZD0kT7azZWjz38rmWCz0tdh7a
Cs/Lu1n17KrtT62kXYeO1Ni5Osy43xEHcqp5WQIDAQABAoIBAHrv+J+4tknIPmwC
pmzWEYSisTowLZyG5Dmj3irzFUNafNRl3oTwzyWaP857rGD/ntzn/mlAXDkZFFkT
k0j87Lu/CFQdp5ERDqKTJFsRNeafIXvesqp6pDy5MJzvBucxoWuc64PZAl2iVO78
4r6WAQ9nBCiKUW+8gVKozBh4ZVriWRYhe1JD06OVrOxws2Aql8/3BooO14f0DeSe
6tgn49d3c6/lrFe/vB+46kDg4FNxeTozGgIcI6siVAFEaJkBU629SEGLJW1O1Zcx
tL41xK27S/BW47sSE91D7TT/0DYH7c1KNNx4IRx8B+AHo/lkyCawVUVmeYPrjC90
oGe27gECgYEA/Pkk9p0+t9ir6gUibkh1XoAVzryPnMCeCXenpTvFKjfOXdr5Sy2w
ZSYGJXcUm82G0XRB+WWyTtFvPUYCt7gJ3ncqrVSAa2LhgWowk0CpyOtm6isrRWrh
3wXj4mRzZuIe0XNnS/4gb/1+8I826r4CwOWrxUASP8bYTLB9nkglK/kCgYEA8TzR
np/2lyJVbuqAMOymel0ZUEh+yWEOif5nQGely6QVmUmAuCH+pP8pmCCreAuu/mQ9
U1obXMmr5D0rH7jA4z8DAeGXSvPVN7MJlpS1HoPGzDnKuuDad8/rJUXyKOACYXw5
xeXtQnf+5AHC0G8IFmru1G4C6UsyRkG/gpVPUGECgYEA7OxeXQZKTh8Ea2mhpI4C
Np5ZTkU1b4bKvG0vOsZu0ypvAWHrJyjEUwc4rHAJgh4MTTDH9U70n3Lw7v8Z3nzj
6VHMS4efunNiZjVRByiBm2Y0/c2uehYvMxQuKMMRfeL7IAkoTnjUYm6VK7HFqjaJ
F6ZCqLtoHAkcXT7Sd6J0BekCgYEAy1Lshprils2MXljtxM6hHj87p6wCmK7iNzKi
SelSF0psHe+Sux+D5gNeRmc6vopyat2HxqoKp/EenNdlcm4gvSgN29cM0lKjYjfX
nAAoi9ibhOQs18fOuu8WjSrgCM2NlCbE9uRtTfmfbwOA9HawxVxJgehbMdB8RjUC
OgioeeECgYBpGDz7CkblZQl8YXcOqFh9Y40ePG467gIaEesbiOIUVsN/J9Vkdy/U
qMS+DogAW9kGj5MA/L1EQxpsZDRZSH15AM1FXeX5cjItOWkg5LzfTwqA29xaIC97
4ddiJOH50Tqy7YRs40IxF+995AgMq4PvP1K+SlV4hQ6W17JsT2UsBg==
-----END RSA PRIVATE KEY-----
"""
key = serialization.load_pem_private_key(rsapem,
password=None,
backend=default_backend())
asymkey = AsymmetricKey.put(self.session, 0, "OAEP RSA Decrypt",
0xFFFF, CAPABILITY.ALL, key)
plain = key.decrypt(
ciphertext,
padding.OAEP(mgf=padding.MGF1(algorithm=h),
algorithm=h,
label=None),
)
self.assertEqual(plain, data)
dec = asymkey.decrypt_oaep(ciphertext, hash=h, mgf_hash=h)
self.assertEqual(dec, data)
asymkey.delete()
def test_vectors(self):
for v in self.vectors:
key = load_ed25519_private_key(v['key'])
k = AsymmetricKey.put(self.session, 0, 'Test Ed25519', 0xffff,
CAPABILITY.SIGN_EDDSA, key)
self.assertEqual(serialize_ed25519_public_key(k.get_public_key()),
v['pubkey'])
self.assertEqual(k.sign_eddsa(v['msg']), v['sig'])
k.delete()
def test_generate_sign_long(self):
key = AsymmetricKey.generate(self.session, 0, 'Test Ed25519', 0xffff,
CAPABILITY.SIGN_EDDSA,
ALGORITHM.EC_ED25519)
pubkey = key.get_public_key()
data = os.urandom(2019)
sig = key.sign_eddsa(data)
v_key = ed25519.VerifyingKey(serialize_ed25519_public_key(pubkey))
v_key.verify(sig, data)
key.delete()
def test_asymmetric_key(hsm, session):
obj = AsymmetricKey.put(
session,
0,
"Test delete asym",
0xFFFF,
CAPABILITY.SIGN_ECDSA,
ec.generate_private_key(ec.SECP384R1(), backend=default_backend()),
)
_test_delete(hsm, session, obj, CAPABILITY.DELETE_ASYMMETRIC_KEY)
def test_export_wrap(self):
w_id = random.randint(1, 0xfffe)
wrapkey = WrapKey.put(
self.session, w_id, 'Test Export Wrap 0x%04x' % w_id, 1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
os.urandom(24))
eckey = ec.generate_private_key(ec.SECP384R1(),
backend=default_backend())
a_id = random.randint(1, 0xfffe)
asymkey = AsymmetricKey.put(
self.session, a_id, 'Test Export Wrap 0x%04x' % a_id, 0xffff,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP, eckey)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data, hash=hashes.SHA384())
eckey.public_key().verify(resp, data, ec.ECDSA(hashes.SHA384()))
wrapped = wrapkey.export_wrapped(asymkey)
# NOTE: the code below works to decrypt a wrapped object, but relies on
# understanding the internal object representation which we don't feel
# like doing here.
# nonce = wrapped[:13]
# data = wrapped[13:-8]
# nonce = '\x01' + nonce + '\x00\x01'
# decryptor = Cipher(algorithms.AES(wrapkey.key),
# mode=modes.CTR(nonce),
# backend=default_backend()).decryptor()
# dec = decryptor.update(data)
# numbers = eckey.private_numbers()
# serialized = int_from_bytes(numbers.private_value, 'big')
# self.assertEqual(serialized, dec[-len(serialized):])
asymkey.delete()
asymkey = wrapkey.import_wrapped(wrapped)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data, hash=hashes.SHA384())
eckey.public_key().verify(resp, data, ec.ECDSA(hashes.SHA384()))
asymkey.delete()
asymkey = wrapkey.import_wrapped(wrapped)
self.assertIsInstance(asymkey, AsymmetricKey)
def test_rsa_oaep_vectors(session, vector):
asymkey = AsymmetricKey.put(
session, 0, "OAEP Vectors", 0xFFFF, CAPABILITY.DECRYPT_OAEP, OAEP_VECTOR_KEY
)
dec = asymkey.decrypt_oaep(
vector["enc"], hash=hashes.SHA1(), mgf_hash=hashes.SHA1()
)
assert vector["msg"] == dec
asymkey.delete()
def generate_rsa_sign(self, algo):
asymkey = AsymmetricKey.generate(self.session, 0, "Generate RSA Sign",
0xFFFF, CAPABILITY.SIGN_PKCS, algo)
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_pkcs1v1_5(data)
pub.verify(resp, data, padding.PKCS1v15(), hashes.SHA256())
asymkey.delete()
def test_generate_wrap(session):
w_id = random.randint(1, 0xFFFE)
a_id = random.randint(1, 0xFFFE)
wrapkey = WrapKey.generate(
session,
w_id,
"Generate Wrap 0x%04x" % w_id,
1,
CAPABILITY.EXPORT_WRAPPED | CAPABILITY.IMPORT_WRAPPED,
ALGORITHM.AES192_CCM_WRAP,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
)
asymkey = AsymmetricKey.generate(
session,
a_id,
"Generate Wrap 0x%04x" % a_id,
0xFFFF,
CAPABILITY.SIGN_ECDSA | CAPABILITY.EXPORTABLE_UNDER_WRAP,
ALGORITHM.EC_P256,
)
origin = asymkey.get_info().origin
assert origin == ORIGIN.GENERATED
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapped = wrapkey.export_wrapped(asymkey)
wrapped2 = wrapkey.export_wrapped(asymkey)
assert wrapped != wrapped2
asymkey.delete()
pytest.raises(YubiHsmDeviceError, asymkey.get_public_key)
asymkey = wrapkey.import_wrapped(wrapped)
origin = asymkey.get_info().origin
assert origin == ORIGIN.IMPORTED_WRAPPED | ORIGIN.GENERATED
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data)
assert resp is not None
pub.verify(resp, data, ec.ECDSA(hashes.SHA256()))
wrapkey.delete()
def bp_r1_ecdsa_sign(self, curve, hashtype):
key = ec.generate_private_key(curve, backend=default_backend())
asymkey = AsymmetricKey.put(self.session, 0, "BP R1 ECDSA Sign",
0xFFFF, CAPABILITY.SIGN_ECDSA, key)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data, hash=hashtype)
key.public_key().verify(resp, data, ec.ECDSA(hashtype))
asymkey.delete()
def generated_key(request, session):
algorithm = request.param
key = AsymmetricKey.generate(
session,
0,
"Test Attestation %x" % algorithm,
0xFFFF,
CAPABILITY.NONE,
algorithm,
)
yield key
key.delete()
def secp_ecdsa_sign(self, curve, hashtype, length=0):
key = ec.generate_private_key(curve, backend=default_backend())
asymkey = AsymmetricKey.put(self.session, 0, 'SECP ECDSA Sign Sign',
0xffff, CAPABILITY.SIGN_ECDSA, key)
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data, hash=hashtype, length=length)
key.public_key().verify(resp, data, ec.ECDSA(hashtype))
asymkey.delete()
def test_import_sign(self):
s_key, v_key = ed25519.create_keypair()
key = AsymmetricKey.put(self.session, 0, 'Test Ed25519', 0xffff,
CAPABILITY.SIGN_EDDSA,
load_ed25519_private_key(s_key.to_seed()))
data = os.urandom(129)
sig = key.sign_eddsa(data)
v_key.verify(sig, data)
self.assertEqual(sig, s_key.sign(data))
pub = key.get_public_key()
self.assertEqual(v_key.to_bytes(), serialize_ed25519_public_key(pub))
key.delete()
def generate_secp_sign(self, curve, hashtype, length=0):
asymkey = AsymmetricKey.generate(self.session, 0, 'Generate SECP Sign',
0xffff, CAPABILITY.SIGN_ECDSA, curve)
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data, hash=hashtype, length=length)
pub.verify(resp, data, ec.ECDSA(hashtype))
asymkey.delete()
def key_in_list(self, keytype, algorithm=None):
dom = None
cap = 0
key_label = "%s%s" % (str(
uuid.uuid4()), b"\xf0\x9f\x98\x83".decode("utf8"))
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(self.session, 0, key_label, dom, cap,
algorithm, cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(self.session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
self.session,
0,
key_label,
dom,
cap,
0,
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
b"\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
)
objlist = self.session.list_objects(object_id=key.id,
object_type=key.object_type)
self.assertEqual(objlist[0].id, key.id)
self.assertEqual(objlist[0].object_type, key.object_type)
objinfo = objlist[0].get_info()
self.assertEqual(objinfo.id, key.id)
self.assertEqual(objinfo.object_type, key.object_type)
self.assertEqual(objinfo.domains, dom)
self.assertEqual(objinfo.capabilities, cap)
if algorithm:
self.assertEqual(objinfo.algorithm, algorithm)
if key.object_type == OBJECT.AUTHENTICATION_KEY:
self.assertEqual(objinfo.origin, ORIGIN.IMPORTED)
else:
self.assertEqual(objinfo.origin, ORIGIN.GENERATED)
self.assertEqual(objinfo.label, key_label)
key.delete()
def secp_derive_ecdh(self, curve):
devkey = ec.generate_private_key(curve, backend=default_backend())
asymkey = AsymmetricKey.put(self.session, 0, 'SECP ECDSA Decrypt',
0xffff, CAPABILITY.DERIVE_ECDH, devkey)
ekey = ec.generate_private_key(curve, backend=default_backend())
secret = ekey.exchange(ec.ECDH(), devkey.public_key())
resp = asymkey.derive_ecdh(ekey.public_key())
self.assertEqual(secret, resp)
asymkey.delete()
def generate_bp_r1_sign(self, curve, hashtype):
asymkey = AsymmetricKey.generate(self.session, 0,
"Generate BP R1 Sign", 0xFFFF,
CAPABILITY.SIGN_ECDSA, curve)
pub = asymkey.get_public_key()
data = os.urandom(64)
resp = asymkey.sign_ecdsa(data, hashtype)
pub.verify(resp, data, ec.ECDSA(hashtype))
asymkey.delete()
def test_generate_sign_long(self):
key = AsymmetricKey.generate(
self.session,
0,
"Test Ed25519",
0xFFFF,
CAPABILITY.SIGN_EDDSA,
ALGORITHM.EC_ED25519,
)
pubkey = key.get_public_key()
data = os.urandom(2019)
sig = key.sign_eddsa(data)
pubkey.verify(sig, data)
key.delete()
def key_in_list(self, session, keytype, algorithm=None):
dom = None
cap = CAPABILITY.NONE
key_label = "%s%s" % (str(uuid.uuid4()), b"\xf0\x9f\x98\x83".decode())
key: YhsmObject
if keytype == OBJECT.ASYMMETRIC_KEY:
dom = 0xFFFF
key = AsymmetricKey.generate(session, 0, key_label, dom, cap,
algorithm)
elif keytype == OBJECT.WRAP_KEY:
dom = 0x01
key = WrapKey.generate(session, 0, key_label, dom, cap, algorithm,
cap)
elif keytype == OBJECT.HMAC_KEY:
dom = 0x01
key = HmacKey.generate(session, 0, key_label, dom, cap, algorithm)
elif keytype == OBJECT.AUTHENTICATION_KEY:
dom = 0x01
key = AuthenticationKey.put_derived(
session,
0,
key_label,
dom,
cap,
cap,
"password",
)
objlist = session.list_objects(object_id=key.id,
object_type=key.object_type)
assert objlist[0].id == key.id
assert objlist[0].object_type == key.object_type
objinfo = objlist[0].get_info()
assert objinfo.id == key.id
assert objinfo.object_type == key.object_type
assert objinfo.domains == dom
assert objinfo.capabilities == cap
if algorithm:
assert objinfo.algorithm == algorithm
if key.object_type == OBJECT.AUTHENTICATION_KEY:
assert objinfo.origin == ORIGIN.IMPORTED
else:
assert objinfo.origin == ORIGIN.GENERATED
assert objinfo.label == key_label
key.delete()
def rsa_pkcs1v1_5_sign(self, keysize, hashtype):
key = rsa.generate_private_key(public_exponent=0x10001,
key_size=keysize,
backend=default_backend())
asymkey = AsymmetricKey.put(self.session, 0, "RSA PKCS#1v1.5 Sign",
0xFFFF, CAPABILITY.SIGN_PKCS, key)
data = os.urandom(64)
resp = asymkey.sign_pkcs1v1_5(data, hash=hashtype)
key.public_key().verify(resp, data, padding.PKCS1v15(), hashtype)
asymkey.delete()
