def test_set_attribute_usage_limit_Assym(self):
"""Test: Verify that user is able to set CKA_USAGE_LIMIT attribute on
an assymetric crypto object
Procedure:
Generate a RSA key pair
Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2 on RSA public key
Use C_getAttributeValue to verify
"""
LOG.info(
"Test: Verify that user is able to set CKA_USAGE_LIMIT attribute on \
an assymetric crypto object")
usage_lim_template = {CKA_USAGE_LIMIT: 2}
h_pbkey, h_prkey = c_generate_key_pair_ex(
self.h_session,
mechanism=CKM_RSA_PKCS_KEY_PAIR_GEN,
pbkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PUBTEMP,
prkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP)
LOG.info(
"Called c-generate: Public Key handle: %s Private Key Handle: %s",
h_pbkey, h_prkey)
usage_limit = 2
c_set_attribute_value_ex(self.h_session, h_pbkey, usage_lim_template)
py_template = c_get_attribute_value_ex(
self.h_session, h_pbkey, template={CKA_USAGE_LIMIT: None})
usage_val_out = py_template[CKA_USAGE_LIMIT]
LOG.info("CKA_USAGE_LIMIT reported by C_GetAttributeValue: %s",
usage_val_out)
assert usage_limit == usage_val_out, "reported USAGE LIMIT does not match"
def test_set_attribute_usage_limit_sym(self):
"""Test: Verify that user is able to set CKA_USAGE_LIMIT attribute on
an symmetric crypto object
Procedure:
Generate a DES Key
Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 5
Use C_getAttributeValue to verify
"""
LOG.info(
"Test: Verify that user is able to set CKA_USAGE_LIMIT attribute on \
an symmetric crypto object")
usage_template = {CKA_USAGE_LIMIT: 5}
h_key = c_generate_key_ex(self.h_session,
mechanism=CKM_DES_KEY_GEN,
template=CKM_DES_KEY_GEN_TEMP)
LOG.info("Called c-generate: Key handle -%s", h_key)
usage_limit = 5
c_set_attribute_value_ex(self.h_session, h_key, usage_template)
out_template = c_get_attribute_value_ex(
self.h_session, h_key, template={CKA_USAGE_LIMIT: None})
usage_val_out = out_template[CKA_USAGE_LIMIT]
LOG.info("CKA_USAGE_LIMIT reported by C_GetAttributeValue :%s",
usage_val_out)
assert usage_limit == usage_val_out, "reported USAGE LIMIT does not match"
def asym_key(auth_session, usage_set):
"""
Generate a key pair & set the USAGE limit by some method (on creation or c_setattr, or both)
:return: private key handle
"""
usage_type, limit = usage_set
pubtemp, privtemp = get_default_key_pair_template(
CKM_RSA_PKCS_KEY_PAIR_GEN)
usage_template = {CKA_USAGE_LIMIT: limit}
if usage_type in ("create", "both", "create_then_use"):
privtemp.update(usage_template)
pubkey, privkey = c_generate_key_pair_ex(auth_session,
CKM_RSA_PKCS_KEY_PAIR_GEN,
get_session_template(pubtemp),
get_session_template(privtemp))
try:
if usage_type == "create_then_use":
with open(_get_data_file('sha1pkcs_plain.der'), 'rb') as df:
data = df.read()
c_sign_ex(auth_session, privkey, data, CKM_RSA_PKCS)
if usage_type in ("setattr", "both", "create_then_use"):
c_set_attribute_value_ex(auth_session, privkey, usage_template)
yield privkey
finally:
c_destroy_object(auth_session, pubkey)
c_destroy_object(auth_session, privkey)
def sym_key_params(request, auth_session, usage_set):
"""
Generate a key, setting the usage limit by the method described in
``usage_set``
Return that key handle.
"""
usage_type, limit = usage_set
key_gen, mechanism = request.param
key_template = get_session_template(get_default_key_template(key_gen))
usage_template = {CKA_USAGE_LIMIT: limit}
if usage_type in ("create", "both", "create_then_use"):
key_template.update(usage_template)
h_key = c_generate_key_ex(auth_session,
mechanism=key_gen,
template=key_template)
try:
if usage_type in ("create_then_use", ):
c_encrypt_ex(auth_session,
h_key,
b'a' * 2048,
mechanism={"mech_type": mechanism})
if usage_type in ("setattr", "both", "create_then_use"):
c_set_attribute_value_ex(auth_session, h_key, usage_template)
yield SymParams(h_key, mechanism)
finally:
c_destroy_object(auth_session, h_key)
def test_usagelimit_exceed_sym(self, auth_session, sym_key_params):
"""Test that changing the usage limit works as expected
Gen key w/ limit = 5
Set limit = 2
Use key 2x
Verify next usage returns CKR_KEY_NOT_ACTIVE
"""
LOG.info(
"Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE \
if user try to use crypto object more than limit set on CKA_USAGE_LIMIT"
)
usage_lim_template = {CKA_USAGE_LIMIT: 2}
key, mechanism = sym_key_params
c_set_attribute_value_ex(auth_session, key, usage_lim_template)
c_encrypt_ex(auth_session, key, b'a' * 2048, mechanism=mechanism)
c_encrypt_ex(auth_session, key, b'a' * 2048, mechanism=mechanism)
return_val, data = c_encrypt(auth_session,
key,
b'a' * 2048,
mechanism=mechanism)
py_template = c_get_attribute_value_ex(
auth_session, key, template={CKA_USAGE_COUNT: None})
usage_val_out = py_template[CKA_USAGE_COUNT]
LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
usage_val_out)
assert return_val == CKR_KEY_NOT_ACTIVE, "Key should be inactive -- exceeded usage count!"
def test_set_attribute_usage_count_check_error_CKR_KEY_NOT_ACTIVE_3des(
self):
"""Test: Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE
if user try to use crypto object more than limit set on CKA_USAGE_LIMIT
Procedure:
Generate a 3DES key
Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2
Use RSA public key 3 times for encryption
"""
LOG.info(
"Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE \
if user try to use crypto object more than limit set on CKA_USAGE_LIMIT"
)
usage_lim_template = {CKA_USAGE_LIMIT: 2}
h_key = c_generate_key_ex(self.h_session,
mechanism=CKM_DES3_KEY_GEN,
template=CKM_DES3_KEY_GEN_TEMP)
LOG.info("Called c-generate: Key handle -" + str(h_key))
c_set_attribute_value_ex(self.h_session, h_key, usage_lim_template)
c_encrypt_ex(self.h_session,
h_key,
b'a' * 2048,
mechanism={"mech_type": CKM_DES3_ECB})
c_encrypt_ex(self.h_session,
h_key,
b'a' * 2048,
mechanism={"mech_type": CKM_DES3_ECB})
return_val, data = c_encrypt(self.h_session,
h_key,
b'a' * 2048,
mechanism={"mech_type": CKM_DES3_ECB})
LOG.info("Called C_Encrypt, return code: %s", return_val)
py_template = c_get_attribute_value_ex(
self.h_session, h_key, template={CKA_USAGE_COUNT: None})
usage_val_out = py_template[CKA_USAGE_COUNT]
LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
usage_val_out)
assert return_val == CKR_KEY_NOT_ACTIVE, "reported error code does not match"
def test_usage_limit_attribute_check_Assym(self):
"""Test: Verify that CKA_USAGE_COUNT attribute increments as user
use the assymetric crypto object
Procedure:
Generate a RSA Key pair
Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2
Use RSA public key twice for encryption
Use C_getAttributeValue to verify that CKA_USAGE_COUNT is 2
"""
LOG.info(
"Test: Verify that CKA_USAGE_COUNT attribute increments as user \
use the assymetric crypto object")
usage_lim_template = {CKA_USAGE_LIMIT: 2}
usage_count = 2
h_pbkey, h_prkey = c_generate_key_pair_ex(
self.h_session,
mechanism=CKM_RSA_PKCS_KEY_PAIR_GEN,
pbkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PUBTEMP,
prkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP)
LOG.info(
"Called c-generate: Public Key handle -%s Private Key Handle -%s",
h_pbkey, h_prkey)
c_set_attribute_value_ex(self.h_session, h_pbkey, usage_lim_template)
c_encrypt_ex(self.h_session,
h_pbkey,
b'a' * 20,
mechanism={"mech_type": CKM_RSA_PKCS})
c_encrypt_ex(self.h_session,
h_pbkey,
b'a' * 20,
mechanism={"mech_type": CKM_RSA_PKCS})
py_template = c_get_attribute_value_ex(
self.h_session, h_pbkey, template={CKA_USAGE_COUNT: None})
usage_val_out = py_template[CKA_USAGE_COUNT]
LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
usage_val_out)
assert usage_count == usage_val_out, "reported USAGE LIMIT does not match"
def test_set_attribute_usage_count_check_error_CKR_KEY_NOT_ACTIVE_rsa(
self):
"""Test: Verify that crypto operation returns error CKR_KEY_NOT_ACTIVE
if user try to use crypto object more than limit set on CKA_USAGE_LIMIT
Procedure:
Generate a RSA Key pair
Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2
Use RSA public key 3 times for encryption
"""
usage_lim_template = {CKA_USAGE_LIMIT: 2}
h_pbkey, h_prkey = c_generate_key_pair_ex(
self.h_session,
mechanism=CKM_RSA_PKCS_KEY_PAIR_GEN,
pbkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PUBTEMP,
prkey_template=CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP)
LOG.info(
"Called c-generate: Public Key handle -%s Private Key Handle - %s",
h_pbkey, h_prkey)
c_set_attribute_value_ex(self.h_session, h_pbkey, usage_lim_template)
c_encrypt_ex(self.h_session,
h_pbkey,
b'a' * 20,
mechanism={"mech_type": CKM_RSA_PKCS})
c_encrypt_ex(self.h_session,
h_pbkey,
b'a' * 20,
mechanism={"mech_type": CKM_RSA_PKCS})
return_val, data = c_encrypt(self.h_session,
h_pbkey,
b'a' * 20,
mechanism={"mech_type": CKM_RSA_PKCS})
LOG.info("Called C_Encrypt, return code: %s", return_val)
py_template = c_get_attribute_value_ex(
self.h_session, h_pbkey, template={CKA_USAGE_COUNT: None})
usage_val_out = py_template[CKA_USAGE_COUNT]
assert return_val == CKR_KEY_NOT_ACTIVE, "reported error code does not match"
def test_usage_limit_attribute_check_sym_des(self):
"""Test: Verify that CKA_USAGE_COUNT attribute increments as user
use the symmetric crypto object
Procedure:
Generate a DES Key
Use C_SetAttributeValue to set CKA_USAGE_LIMIT to 2
Use des key twice for encryption
Use C_getAttributeValue to verify that CKA_USAGE_COUNT is 2
"""
LOG.info(
"Test: Verify that CKA_USAGE_COUNT attribute increments as user \
use the symmetric crypto object")
usage_lim_template = {CKA_USAGE_LIMIT: 2}
usage_count = 2
h_key = c_generate_key_ex(self.h_session,
mechanism=CKM_DES_KEY_GEN,
template=CKM_DES_KEY_GEN_TEMP)
LOG.info("Called c-generate: Key handle -%s", h_key)
c_set_attribute_value_ex(self.h_session, h_key, usage_lim_template)
c_encrypt_ex(self.h_session,
h_key,
b'a' * 2048,
mechanism={"mech_type": CKM_DES_ECB})
c_encrypt_ex(self.h_session,
h_key,
b'a' * 2048,
mechanism={"mech_type": CKM_DES_ECB})
py_template = c_get_attribute_value_ex(
self.h_session, h_key, template={CKA_USAGE_COUNT: None})
usage_val_out = py_template[CKA_USAGE_COUNT]
LOG.info("CKA_USAGE_COUNT reported by C_GetAttributeValue: %s",
usage_val_out)
assert usage_count == usage_val_out, "reported USAGE LIMIT does not match"
print('Uncompressed public key:')
print(pub_key)
# TODO: Convert the uncompressed public key to compressed public key
# TODO: Convert the public key to address
address = b'1BTC'
# Optional: Update the label for both the public and private key:
search_template = {
CKA_EC_POINT: result_pub[CKA_EC_POINT]
} # Will find exactly two keys: the private and the public key
keys = c_find_objects_ex(auth_session, search_template, 2)
for key in keys:
attribute_template = {
CKA_CLASS: None
}
result = c_get_attribute_value_ex(auth_session, key, attribute_template)
# Change labels:
if result[CKA_CLASS] == CKO_PRIVATE_KEY:
# Private key:
c_set_attribute_value_ex(auth_session, key, {CKA_LABEL: address + b' Private'})
elif result[CKA_CLASS] == CKO_PUBLIC_KEY:
# Public key:
c_set_attribute_value_ex(auth_session, key, {CKA_LABEL: address + b' Public'})
c_logout_ex(auth_session)
c_close_session_ex(auth_session)
c_finalize_ex()