def test_decrypt_bad_session(self): self.pkcs11.get_session.return_value = mock.DEFAULT self.pkcs11.get_session.side_effect = ex.P11CryptoPluginException( 'Testing error handling' ) ct = b'ctct' kek_meta_extended = '{"iv":"AAAA"}' decrypt_dto = plugin_import.DecryptDTO(ct) kek_meta = mock.MagicMock() kek_meta.kek_label = 'pkek' kek_meta.plugin_meta = ('{"iv": "iv==",' '"hmac": "hmac",' '"wrapped_key": "wrappedkey==",' '"mkek_label": "mkek_label",' '"hmac_label": "hmac_label"}') self.assertRaises(ex.P11CryptoPluginException, self.plugin._decrypt, decrypt_dto, kek_meta, kek_meta_extended, mock.MagicMock()) self.assertEqual(2, self.pkcs11.get_key_handle.call_count) self.assertEqual(2, self.pkcs11.get_session.call_count) self.assertEqual(1, self.pkcs11.verify_hmac.call_count) self.assertEqual(1, self.pkcs11.unwrap_key.call_count) self.assertEqual(0, self.pkcs11.decrypt.call_count) self.assertEqual(0, self.pkcs11.return_session.call_count)
def test_encrypt_bad_session(self): self.pkcs11.get_session.return_value = mock.DEFAULT self.pkcs11.get_session.side_effect = ex.P11CryptoPluginException( 'Testing error handling' ) payload = b'test payload' encrypt_dto = plugin_import.EncryptDTO(payload) kek_meta = mock.MagicMock() kek_meta.kek_label = 'pkek' kek_meta.plugin_meta = ('{"iv": "iv==",' '"hmac": "hmac",' '"wrapped_key": "wrappedkey==",' '"mkek_label": "mkek_label",' '"hmac_label": "hmac_label"}') self.assertRaises(ex.P11CryptoPluginException, self.plugin._encrypt, encrypt_dto, kek_meta, mock.MagicMock()) self.assertEqual(self.pkcs11.get_key_handle.call_count, 2) self.assertEqual(self.pkcs11.get_session.call_count, 2) self.assertEqual(self.pkcs11.verify_hmac.call_count, 1) self.assertEqual(self.pkcs11.unwrap_key.call_count, 1) self.assertEqual(self.pkcs11.encrypt.call_count, 0) self.assertEqual(self.pkcs11.return_session.call_count, 0)
def _check_error(self, value): if value != CKR_OK: code = ERROR_CODES.get(value, 'CKR_????') hex_code = "{hex} {code}".format(hex=hex(value), code=code) if code == 'CKR_TOKEN_NOT_PRESENT': raise exception.P11CryptoTokenException(slot_id=self.slot_id) raise exception.P11CryptoPluginException(u._( "HSM returned response code: {code}").format(code=hex_code))
def generate_key(self, key_type, key_length, mechanism, session, key_label=None, master_key=False, encrypt=False, sign=False, wrap=False): if not any((encrypt, sign, wrap)): raise exception.P11CryptoPluginException() if master_key and not key_label: raise ValueError(u._("key_label must be set for master_keys")) token = master_key extractable = not master_key # in some HSMs extractable keys cannot be marked sensitive sensitive = self.always_set_cka_sensitive or not extractable ck_attributes = [ Attribute(CKA_CLASS, CKO_SECRET_KEY), Attribute(CKA_KEY_TYPE, _KEY_TYPES[key_type]), Attribute(CKA_VALUE_LEN, key_length), Attribute(CKA_TOKEN, token), Attribute(CKA_PRIVATE, True), Attribute(CKA_SENSITIVE, sensitive), Attribute(CKA_ENCRYPT, encrypt), Attribute(CKA_DECRYPT, encrypt), Attribute(CKA_SIGN, sign), Attribute(CKA_VERIFY, sign), Attribute(CKA_WRAP, wrap), Attribute(CKA_UNWRAP, wrap), Attribute(CKA_EXTRACTABLE, extractable) ] if master_key: ck_attributes.append(Attribute(CKA_LABEL, key_label)) ck_attributes = self._build_attributes(ck_attributes) mech = self.ffi.new("CK_MECHANISM *") mech.mechanism = _KEY_GEN_MECHANISMS[mechanism] obj_handle_ptr = self.ffi.new("CK_OBJECT_HANDLE *") rv = self.lib.C_GenerateKey(session, mech, ck_attributes.template, len(ck_attributes.template), obj_handle_ptr) self._check_error(rv) return obj_handle_ptr[0]
def _check_error(self, value): if value != CKR_OK and value != CKR_CRYPTOKI_ALREADY_INITIALIZED: code = ERROR_CODES.get(value, 'CKR_????') hex_code = "{hex} {code}".format(hex=hex(value), code=code) if code == 'CKR_TOKEN_NOT_PRESENT': raise exception.P11CryptoTokenException(slot_id=self.slot_id) if code == 'EHOSTUNREACH': raise exception.TrustwayProteccioException( "Trustway Proteccio Error: {code}".format(code=hex_code)) raise exception.P11CryptoPluginException( u._("HSM returned response code: {code}").format( code=hex_code))
def generate_key(self, key_length, session, key_label=None, encrypt=False, sign=False, wrap=False, master_key=False): if not encrypt and not sign and not wrap: raise exception.P11CryptoPluginException() if master_key and not key_label: raise ValueError(u._("key_label must be set for master_keys")) token = True if master_key else False extractable = False if master_key else True ck_attributes = [ Attribute(CKA_CLASS, CKO_SECRET_KEY), Attribute(CKA_KEY_TYPE, CKK_AES), Attribute(CKA_VALUE_LEN, key_length), Attribute(CKA_TOKEN, token), Attribute(CKA_PRIVATE, True), Attribute(CKA_SENSITIVE, True), Attribute(CKA_ENCRYPT, encrypt), Attribute(CKA_DECRYPT, encrypt), Attribute(CKA_SIGN, sign), Attribute(CKA_VERIFY, sign), Attribute(CKA_WRAP, wrap), Attribute(CKA_UNWRAP, wrap), Attribute(CKA_EXTRACTABLE, extractable) ] if master_key: ck_attributes.append(Attribute(CKA_LABEL, key_label)) ck_attributes = self._build_attributes(ck_attributes) mech = self.ffi.new("CK_MECHANISM *") mech.mechanism = CKM_AES_KEY_GEN obj_handle_ptr = self.ffi.new("CK_OBJECT_HANDLE *") rv = self.lib.C_GenerateKey(session, mech, ck_attributes.template, len(ck_attributes.template), obj_handle_ptr) self._check_error(rv) return obj_handle_ptr[0]
def _rng_self_test(self, session): test_random = self.generate_random(100, session) if test_random == b'\x00' * 100: raise exception.P11CryptoPluginException( u._("Apparent RNG self-test failure."))