def test_ec_sign_verify(key, algorithm, hash_function):
provider = get_local_cryptography_provider(key.key)
digest = hash_function(b"message").digest()
sign_result = provider.sign(algorithm, digest)
verify_result = provider.verify(sign_result.algorithm, digest,
sign_result.signature)
assert verify_result.is_valid
def test_symmetric_decrypt_local(self, key_client, **kwargs):
"""Encrypt with the service, decrypt locally"""
key_name = self.get_resource_name("symmetric-encrypt")
imported_key = self._import_symmetric_test_key(key_client, key_name)
assert imported_key is not None
crypto_client = self.create_crypto_client(
imported_key, api_version=key_client.api_version)
# Use 256-bit AES-CBCPAD for the 256-bit key (only AES-CBCPAD is implemented locally)
algorithm = EncryptionAlgorithm.a256_cbcpad
crypto_client._initialized = True
crypto_client._local_provider = NoLocalCryptography()
encrypt_result = crypto_client.encrypt(
algorithm,
self.plaintext,
iv=self.iv,
additional_authenticated_data=self.aad)
assert encrypt_result.key_id == imported_key.id
crypto_client._local_provider = get_local_cryptography_provider(
imported_key.key)
decrypt_result = crypto_client.decrypt(
encrypt_result.algorithm,
encrypt_result.ciphertext,
iv=encrypt_result.iv,
additional_authenticated_data=self.aad)
assert decrypt_result.key_id == imported_key.id
assert decrypt_result.algorithm == algorithm
assert decrypt_result.plaintext == self.plaintext
def test_rsa_encrypt_decrypt(key, algorithm):
provider = get_local_cryptography_provider(key.key)
plaintext = b"plaintext"
encrypt_result = provider.encrypt(algorithm, plaintext)
decrypt_result = provider.decrypt(encrypt_result.algorithm,
encrypt_result.ciphertext)
assert decrypt_result.plaintext == plaintext
def test_unsupported_symmetric_operations(algorithm):
"""The crypto provider should raise NotImplementedError when a key doesn't support an operation or algorithm"""
jwk = {
"k": os.urandom(32),
"kty": "oct",
"key_ops": ("unwrapKey", "wrapKey")
}
key = KeyVaultKey(key_id="http://localhost/keys/key/version", jwk=jwk)
provider = get_local_cryptography_provider(key.key)
if isinstance(algorithm, EncryptionAlgorithm):
with pytest.raises(NotImplementedError):
provider.encrypt(algorithm, b"...")
with pytest.raises(NotImplementedError):
provider.decrypt(algorithm, b"...")
if isinstance(algorithm, KeyWrapAlgorithm):
with pytest.raises(NotImplementedError):
provider.wrap_key(algorithm, b"...")
with pytest.raises(NotImplementedError):
provider.unwrap_key(algorithm, b"...")
elif isinstance(algorithm, SignatureAlgorithm):
with pytest.raises(NotImplementedError):
provider.sign(algorithm, b"...")
with pytest.raises(NotImplementedError):
provider.verify(algorithm, b"...", b"...")
def test_symmetric_encrypt_local_mhsm(self, **kwargs):
"""Encrypt locally, decrypt with the service"""
self._skip_if_not_configured(True)
endpoint_url = self.managed_hsm_url
key_client = self.create_key_client(endpoint_url)
key_name = self.get_resource_name("symmetric-encrypt")
imported_key = self._import_symmetric_test_key(key_client, key_name)
assert imported_key is not None
crypto_client = self.create_crypto_client(imported_key)
# Use 256-bit AES-CBCPAD for the 256-bit key (only AES-CBCPAD is implemented locally)
algorithm = EncryptionAlgorithm.a256_cbcpad
crypto_client._local_provider = get_local_cryptography_provider(
imported_key.key)
encrypt_result = crypto_client.encrypt(
algorithm,
self.plaintext,
iv=self.iv,
additional_authenticated_data=self.aad)
assert encrypt_result.key_id == imported_key.id
crypto_client._local_provider = NoLocalCryptography()
decrypt_result = crypto_client.decrypt(
encrypt_result.algorithm,
encrypt_result.ciphertext,
iv=encrypt_result.iv,
additional_authenticated_data=self.aad)
assert decrypt_result.key_id == imported_key.id
assert decrypt_result.algorithm == algorithm
assert decrypt_result.plaintext == self.plaintext
def test_rsa_wrap_unwrap(key, algorithm):
plaintext = b"arbitrary bytes"
provider = get_local_cryptography_provider(key)
wrap_result = provider.wrap_key(algorithm, plaintext)
assert wrap_result.key_id == key.id
unwrap_result = provider.unwrap_key(wrap_result.algorithm,
wrap_result.encrypted_key)
assert unwrap_result.key == plaintext
def test_symmetric_wrap_unwrap(algorithm):
jwk = {
"k": os.urandom(32),
"kty": "oct",
"key_ops": ("unwrapKey", "wrapKey")
}
key = KeyVaultKey(key_id="http://localhost/keys/key/version", jwk=jwk)
provider = get_local_cryptography_provider(key)
key_bytes = os.urandom(32)
wrap_result = provider.wrap_key(algorithm, key_bytes)
assert wrap_result.key_id == key.id
unwrap_result = provider.unwrap_key(wrap_result.algorithm,
wrap_result.encrypted_key)
assert unwrap_result.key == key_bytes
def test_symmetric_encrypt_decrypt(algorithm, key_size):
jwk = {
"k": os.urandom(key_size),
"kid": "http://localhost/keys/key/version",
"kty": "oct-HSM",
"key_ops": ("encrypt", "decrypt")
}
key = KeyVaultKey(key_id="http://localhost/keys/key/version", jwk=jwk)
provider = get_local_cryptography_provider(key.key)
plaintext = b"plaintext"
iv = os.urandom(16)
encrypt_result = provider.encrypt(algorithm, plaintext, iv=iv)
assert encrypt_result.key_id == key.id
decrypt_result = provider.decrypt(encrypt_result.algorithm,
encrypt_result.ciphertext,
iv=encrypt_result.iv)
assert decrypt_result.plaintext == plaintext
def test_unsupported_ec_operations(key, algorithm):
"""The crypto provider should raise NotImplementedError when a key doesn't support an operation or algorithm"""
provider = get_local_cryptography_provider(key.key)
if isinstance(algorithm, EncryptionAlgorithm):
with pytest.raises(NotImplementedError):
provider.encrypt(algorithm, b"...")
with pytest.raises(NotImplementedError):
provider.decrypt(algorithm, b"...")
if isinstance(algorithm, KeyWrapAlgorithm):
with pytest.raises(NotImplementedError):
provider.wrap_key(algorithm, b"...")
with pytest.raises(NotImplementedError):
provider.unwrap_key(algorithm, b"...")
elif isinstance(algorithm, SignatureAlgorithm):
with pytest.raises(NotImplementedError):
provider.sign(algorithm, b"...")
with pytest.raises(NotImplementedError):
provider.verify(algorithm, b"...", b"...")
