def test_ec_sign_verify(key, algorithm, hash_function): provider = get_local_cryptography_provider(key.key) digest = hash_function(b"message").digest() sign_result = provider.sign(algorithm, digest) verify_result = provider.verify(sign_result.algorithm, digest, sign_result.signature) assert verify_result.is_valid
def test_symmetric_decrypt_local(self, key_client, **kwargs): """Encrypt with the service, decrypt locally""" key_name = self.get_resource_name("symmetric-encrypt") imported_key = self._import_symmetric_test_key(key_client, key_name) assert imported_key is not None crypto_client = self.create_crypto_client( imported_key, api_version=key_client.api_version) # Use 256-bit AES-CBCPAD for the 256-bit key (only AES-CBCPAD is implemented locally) algorithm = EncryptionAlgorithm.a256_cbcpad crypto_client._initialized = True crypto_client._local_provider = NoLocalCryptography() encrypt_result = crypto_client.encrypt( algorithm, self.plaintext, iv=self.iv, additional_authenticated_data=self.aad) assert encrypt_result.key_id == imported_key.id crypto_client._local_provider = get_local_cryptography_provider( imported_key.key) decrypt_result = crypto_client.decrypt( encrypt_result.algorithm, encrypt_result.ciphertext, iv=encrypt_result.iv, additional_authenticated_data=self.aad) assert decrypt_result.key_id == imported_key.id assert decrypt_result.algorithm == algorithm assert decrypt_result.plaintext == self.plaintext
def test_rsa_encrypt_decrypt(key, algorithm): provider = get_local_cryptography_provider(key.key) plaintext = b"plaintext" encrypt_result = provider.encrypt(algorithm, plaintext) decrypt_result = provider.decrypt(encrypt_result.algorithm, encrypt_result.ciphertext) assert decrypt_result.plaintext == plaintext
def test_unsupported_symmetric_operations(algorithm): """The crypto provider should raise NotImplementedError when a key doesn't support an operation or algorithm""" jwk = { "k": os.urandom(32), "kty": "oct", "key_ops": ("unwrapKey", "wrapKey") } key = KeyVaultKey(key_id="http://localhost/keys/key/version", jwk=jwk) provider = get_local_cryptography_provider(key.key) if isinstance(algorithm, EncryptionAlgorithm): with pytest.raises(NotImplementedError): provider.encrypt(algorithm, b"...") with pytest.raises(NotImplementedError): provider.decrypt(algorithm, b"...") if isinstance(algorithm, KeyWrapAlgorithm): with pytest.raises(NotImplementedError): provider.wrap_key(algorithm, b"...") with pytest.raises(NotImplementedError): provider.unwrap_key(algorithm, b"...") elif isinstance(algorithm, SignatureAlgorithm): with pytest.raises(NotImplementedError): provider.sign(algorithm, b"...") with pytest.raises(NotImplementedError): provider.verify(algorithm, b"...", b"...")
def test_symmetric_encrypt_local_mhsm(self, **kwargs): """Encrypt locally, decrypt with the service""" self._skip_if_not_configured(True) endpoint_url = self.managed_hsm_url key_client = self.create_key_client(endpoint_url) key_name = self.get_resource_name("symmetric-encrypt") imported_key = self._import_symmetric_test_key(key_client, key_name) assert imported_key is not None crypto_client = self.create_crypto_client(imported_key) # Use 256-bit AES-CBCPAD for the 256-bit key (only AES-CBCPAD is implemented locally) algorithm = EncryptionAlgorithm.a256_cbcpad crypto_client._local_provider = get_local_cryptography_provider( imported_key.key) encrypt_result = crypto_client.encrypt( algorithm, self.plaintext, iv=self.iv, additional_authenticated_data=self.aad) assert encrypt_result.key_id == imported_key.id crypto_client._local_provider = NoLocalCryptography() decrypt_result = crypto_client.decrypt( encrypt_result.algorithm, encrypt_result.ciphertext, iv=encrypt_result.iv, additional_authenticated_data=self.aad) assert decrypt_result.key_id == imported_key.id assert decrypt_result.algorithm == algorithm assert decrypt_result.plaintext == self.plaintext
def test_rsa_wrap_unwrap(key, algorithm): plaintext = b"arbitrary bytes" provider = get_local_cryptography_provider(key) wrap_result = provider.wrap_key(algorithm, plaintext) assert wrap_result.key_id == key.id unwrap_result = provider.unwrap_key(wrap_result.algorithm, wrap_result.encrypted_key) assert unwrap_result.key == plaintext
def test_symmetric_wrap_unwrap(algorithm): jwk = { "k": os.urandom(32), "kty": "oct", "key_ops": ("unwrapKey", "wrapKey") } key = KeyVaultKey(key_id="http://localhost/keys/key/version", jwk=jwk) provider = get_local_cryptography_provider(key) key_bytes = os.urandom(32) wrap_result = provider.wrap_key(algorithm, key_bytes) assert wrap_result.key_id == key.id unwrap_result = provider.unwrap_key(wrap_result.algorithm, wrap_result.encrypted_key) assert unwrap_result.key == key_bytes
def test_symmetric_encrypt_decrypt(algorithm, key_size): jwk = { "k": os.urandom(key_size), "kid": "http://localhost/keys/key/version", "kty": "oct-HSM", "key_ops": ("encrypt", "decrypt") } key = KeyVaultKey(key_id="http://localhost/keys/key/version", jwk=jwk) provider = get_local_cryptography_provider(key.key) plaintext = b"plaintext" iv = os.urandom(16) encrypt_result = provider.encrypt(algorithm, plaintext, iv=iv) assert encrypt_result.key_id == key.id decrypt_result = provider.decrypt(encrypt_result.algorithm, encrypt_result.ciphertext, iv=encrypt_result.iv) assert decrypt_result.plaintext == plaintext
def test_unsupported_ec_operations(key, algorithm): """The crypto provider should raise NotImplementedError when a key doesn't support an operation or algorithm""" provider = get_local_cryptography_provider(key.key) if isinstance(algorithm, EncryptionAlgorithm): with pytest.raises(NotImplementedError): provider.encrypt(algorithm, b"...") with pytest.raises(NotImplementedError): provider.decrypt(algorithm, b"...") if isinstance(algorithm, KeyWrapAlgorithm): with pytest.raises(NotImplementedError): provider.wrap_key(algorithm, b"...") with pytest.raises(NotImplementedError): provider.unwrap_key(algorithm, b"...") elif isinstance(algorithm, SignatureAlgorithm): with pytest.raises(NotImplementedError): provider.sign(algorithm, b"...") with pytest.raises(NotImplementedError): provider.verify(algorithm, b"...", b"...")