def test_generate_1024_bit_RSA_key_in_pem(self): generate_dto = plugin.GenerateDTO('rsa', 1024, None, 'changeme') kek_meta_dto = self._get_mocked_kek_meta_dto() private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric( generate_dto, kek_meta_dto, mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text) private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto, private_dto.kek_meta_extended, mock.MagicMock()) private_dto = RSA.importKey(private_dto, 'changeme') self.assertTrue(private_dto.has_private())
def test_generate_asymmetric_1024_bit_key(self): generate_dto = plugin.GenerateDTO('rsa', 1024, None, None) kek_meta_dto = self._get_mocked_kek_meta_dto() private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric( generate_dto, kek_meta_dto, mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text) private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto, private_dto.kek_meta_extended, mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(public_dto.cypher_text) public_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto, public_dto.kek_meta_extended, mock.MagicMock()) public_dto = RSA.importKey(public_dto) private_dto = RSA.importKey(private_dto) self.assertEqual(1023, public_dto.size()) self.assertEqual(1023, private_dto.size()) self.assertTrue(private_dto.has_private)
def test_generate_128_bit_hmac_key(self): secret = models.Secret() secret.bit_length = 128 secret.algorithm = "hmacsha256" kek_meta_dto = self._get_mocked_kek_meta_dto() generate_dto = plugin.GenerateDTO(secret.algorithm, secret.bit_length, None, None) response_dto = self.plugin.generate_symmetric(generate_dto, kek_meta_dto, mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text) key = self.plugin.decrypt(decrypt_dto, kek_meta_dto, response_dto.kek_meta_extended, mock.MagicMock()) self.assertEqual(16, len(key))
def test_decrypt(self): def c_decrypt(session, ct, ctlen, pt, ptlen): pt[ptlen[0] - 1] = 1 return p11_crypto.CKR_OK self.lib.C_Decrypt.side_effect = c_decrypt self.lib.C_DecryptInit.return_value = p11_crypto.CKR_OK ct = b"somedatasomedatasomedatasomedata" kek_meta_extended = '{"iv": "AQIDBAUGBwgJCgsMDQ4PEA=="}' decrypt_dto = plugin_import.DecryptDTO(ct) with mock.patch.object(self.plugin, '_unwrap_key') as unwrap_key_mock: unwrap_key_mock.return_value = 'unwrapped_key' self.plugin.decrypt(decrypt_dto, mock.MagicMock(), kek_meta_extended, mock.MagicMock()) self.assertEqual(self.lib.C_Decrypt.call_count, 1)
def test_generate_1024_DSA_key_in_pem_and_reconstruct_key_der(self): generate_dto = plugin.GenerateDTO('dsa', 1024, None, None) kek_meta_dto = self._get_mocked_kek_meta_dto() private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric( generate_dto, kek_meta_dto, mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text) private_dto = self.plugin.decrypt(decrypt_dto, kek_meta_dto, private_dto.kek_meta_extended, mock.MagicMock()) prv_seq = asn1.DerSequence() prv_seq.decode(private_dto) p, q, g, y, x = prv_seq[1:] private_dto = DSA.construct((y, g, p, q, x)) self.assertTrue(private_dto.has_private())
def test_decrypt(self): def c_decrypt(session, ct, ctlen, pt, ptlen): pt[ptlen[0] - 1] = 1 return pkcs11.CKR_OK self.lib.C_Decrypt.side_effect = c_decrypt self.lib.C_DecryptInit.return_value = pkcs11.CKR_OK ct = b"somedatasomedatasomedatasomedata" kek_meta_extended = '{"iv": "AQIDBAUGBwgJCgsMDQ4PEA=="}' decrypt_dto = plugin_import.DecryptDTO(ct) kek_meta = mock.MagicMock() kek_meta.plugin_meta = ('{"iv":123,' '"hmac": "hmac",' '"wrapped_key": "wrapped_key",' '"mkek_label": "mkek_label",' '"hmac_label": "hmac_label"}') with mock.patch.object(self.plugin.pkcs11, 'unwrap_key') as key_mock: key_mock.return_value = 'unwrapped_key' self.plugin.decrypt(decrypt_dto, kek_meta, kek_meta_extended, mock.MagicMock()) self.assertEqual(self.lib.C_Decrypt.call_count, 1)
def test_decrypt(self): ct = b'ctct' kek_meta_extended = '{"iv":"AAAA"}' decrypt_dto = plugin_import.DecryptDTO(ct) kek_meta = mock.MagicMock() kek_meta.kek_label = 'pkek' kek_meta.plugin_meta = ('{"iv": "iv==",' '"hmac": "hmac",' '"wrapped_key": "wrappedkey==",' '"mkek_label": "mkek_label",' '"hmac_label": "hmac_label"}') pt = self.plugin.decrypt(decrypt_dto, kek_meta, kek_meta_extended, mock.MagicMock()) self.assertEqual(b'0', pt) self.assertEqual(2, self.pkcs11.get_key_handle.call_count) self.assertEqual(2, self.pkcs11.get_session.call_count) self.assertEqual(1, self.pkcs11.verify_hmac.call_count) self.assertEqual(1, self.pkcs11.unwrap_key.call_count) self.assertEqual(1, self.pkcs11.decrypt.call_count) self.assertEqual(1, self.pkcs11.return_session.call_count)
def get_secret(self, secret_type, metadata, context): """Retrieve a secret. :param secret_type: secret type :param metadata: secret metadata :param context: StoreCryptoContext for secret :returns: SecretDTO that contains secret """ if (not context.secret_model or not context.secret_model.encrypted_data): raise sstore.SecretNotFoundException() # TODO(john-wood-w) Need to revisit 1 to many datum relationship. datum_model = context.secret_model.encrypted_data[0] # Find HSM-style 'crypto' plugin. decrypting_plugin = manager.get_manager().get_plugin_retrieve( datum_model.kek_meta_project.plugin_name) # wrap the KEKDatum instance in our DTO kek_meta_dto = crypto.KEKMetaDTO(datum_model.kek_meta_project) # Convert from text-based storage format to binary. encrypted = base64.b64decode(datum_model.cypher_text) decrypt_dto = crypto.DecryptDTO(encrypted) # Decrypt the secret. secret = decrypting_plugin.decrypt(decrypt_dto, kek_meta_dto, datum_model.kek_meta_extended, context.project_model.external_id) secret = base64.b64encode(secret) key_spec = sstore.KeySpec(alg=context.secret_model.algorithm, bit_length=context.secret_model.bit_length, mode=context.secret_model.mode) return sstore.SecretDTO(secret_type, secret, key_spec, datum_model.content_type)
def test_decrypt_bad_session(self): self.pkcs11.get_session.return_value = mock.DEFAULT self.pkcs11.get_session.side_effect = ex.P11CryptoPluginException( 'Testing error handling') ct = b'ctct' kek_meta_extended = '{"iv":"AAAA"}' decrypt_dto = plugin_import.DecryptDTO(ct) kek_meta = mock.MagicMock() kek_meta.kek_label = 'pkek' kek_meta.plugin_meta = ('{"iv": "iv==",' '"hmac": "hmac",' '"wrapped_key": "wrappedkey==",' '"mkek_label": "mkek_label",' '"hmac_label": "hmac_label"}') self.assertRaises(ex.P11CryptoPluginException, self.plugin._decrypt, decrypt_dto, kek_meta, kek_meta_extended, mock.MagicMock()) self.assertEqual(2, self.pkcs11.get_key_handle.call_count) self.assertEqual(2, self.pkcs11.get_session.call_count) self.assertEqual(1, self.pkcs11.verify_hmac.call_count) self.assertEqual(1, self.pkcs11.unwrap_key.call_count) self.assertEqual(0, self.pkcs11.decrypt.call_count) self.assertEqual(0, self.pkcs11.return_session.call_count)