aboutsummaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2020-05-25 19:33:47 -0400
committerRob Austein <sra@hactrn.net>2020-05-25 19:33:47 -0400
commitfa3feddf3a25e34db2ac57ff8e962f13db07bf40 (patch)
treec001ead2bc727824ad26a1f5493c491eefe77185 /scripts
parent5936befa654ce79b2f9ee7cd4f3beb6489bac227 (diff)
Untested conversion to support Python 3
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/build-attributes526
-rwxr-xr-xscripts/build-py11-attributes8
-rw-r--r--scripts/py11-test.py193
-rwxr-xr-xscripts/test-hsmcheck202
-rwxr-xr-xscripts/thready-time-signature.py16
-rwxr-xr-xscripts/time-signature.py10
6 files changed, 478 insertions, 477 deletions
diff --git a/scripts/build-attributes b/scripts/build-attributes
index 7a36bdc..e7c500e 100755
--- a/scripts/build-attributes
+++ b/scripts/build-attributes
@@ -47,318 +47,318 @@ import argparse
def define_flags(flag_names):
- """
- Flag definitions. Called later, here at front of program just to
- make them easier to find.
- """
-
- flag_names.create("DEFAULT_VALUE", "Value field contains default")
- flag_names.footnote( 1, "REQUIRED_BY_CREATEOBJECT")
- flag_names.footnote( 2, "FORBIDDEN_BY_CREATEOBJECT")
- flag_names.footnote( 3, "REQUIRED_BY_GENERATE")
- flag_names.footnote( 4, "FORBIDDEN_BY_GENERATE")
- flag_names.footnote( 5, "REQUIRED_BY_UNWRAP")
- flag_names.footnote( 6, "FORBIDDEN_BY_UNWRAP")
- flag_names.footnote( 7, "SENSITIVE")
- flag_names.footnote( 8, "PERHAPS_MODIFIABLE")
- flag_names.footnote( 9, "DEFAULT_IS_TOKEN_SPECIFIC")
- flag_names.footnote(10, "ONLY_SO_USER_CAN_SET")
- flag_names.footnote(11, "LATCHES_WHEN_TRUE")
- flag_names.footnote(12, "LATCHES_WHEN_FALSE")
+ """
+ Flag definitions. Called later, here at front of program just to
+ make them easier to find.
+ """
+
+ flag_names.create("DEFAULT_VALUE", "Value field contains default")
+ flag_names.footnote( 1, "REQUIRED_BY_CREATEOBJECT")
+ flag_names.footnote( 2, "FORBIDDEN_BY_CREATEOBJECT")
+ flag_names.footnote( 3, "REQUIRED_BY_GENERATE")
+ flag_names.footnote( 4, "FORBIDDEN_BY_GENERATE")
+ flag_names.footnote( 5, "REQUIRED_BY_UNWRAP")
+ flag_names.footnote( 6, "FORBIDDEN_BY_UNWRAP")
+ flag_names.footnote( 7, "SENSITIVE")
+ flag_names.footnote( 8, "PERHAPS_MODIFIABLE")
+ flag_names.footnote( 9, "DEFAULT_IS_TOKEN_SPECIFIC")
+ flag_names.footnote(10, "ONLY_SO_USER_CAN_SET")
+ flag_names.footnote(11, "LATCHES_WHEN_TRUE")
+ flag_names.footnote(12, "LATCHES_WHEN_FALSE")
class PKCS11ParseError(Exception):
- "Failure parsing PCKS #11 object definitions from YAML data."
+ "Failure parsing PCKS #11 object definitions from YAML data."
def write_lines(*lines, **d):
- """
- Utility to simplify writing formatted text to the output stream.
- """
-
- for line in lines:
- args.output_file.write((line % d) + "\n")
-
-
-class Flags(object):
- """
- Descriptor flag database.
-
- Many of these are derived from PKCS #11 Table 15 footnotes
- """
-
- prefix = "P11_DESCRIPTOR_" # Prefix string for all descriptor flags
-
- def __init__(self):
- self.names = []
- self.notes = {}
- self.width = 0
-
- def create(self, name, comment = None):
"""
- Create a descriptor flag.
+ Utility to simplify writing formatted text to the output stream.
"""
- assert len(self.names) < 32
- name = self.prefix + name
- self.names.append((name, comment))
- if len(name) > self.width:
- self.width = len(name)
-
- def footnote(self, number, name):
- """
- Create a descriptor flag for a PKCS #11 table 15 footnote.
- """
+ for line in lines:
+ args.output_file.write((line % d) + "\n")
- assert number not in self.notes
- self.create(name, "Section 10.2 table 15 footnote #%2d" % number)
- self.notes[number] = self.prefix + name
- def write(self):
+class Flags(object):
"""
- Generate the flags, assigning bit positions as we go.
+ Descriptor flag database.
+
+ Many of these are derived from PKCS #11 Table 15 footnotes
"""
- assert len(self.names) < 32
- self.width = (((self.width + 4) >> 2) << 2) - 1
- bit = 1
- for name, comment in self.names:
- format = "#define %(name)s 0x%(bit)08x"
- if comment is not None:
- format += " /* %(comment)s */"
- write_lines(format, bit = bit, comment = comment, name = "%-*s" % (self.width, name))
- bit <<= 1
+ prefix = "P11_DESCRIPTOR_" # Prefix string for all descriptor flags
+ def __init__(self):
+ self.names = []
+ self.notes = {}
+ self.width = 0
-class AttributeNumbers(dict):
- """
- Attribute names and numbers scraped (yuck) from pkcs11t.h.
- """
-
- def __init__(self, filename):
- with open(filename, "r") as f:
- for line in f:
- word = line.split()
- if len(word) <= 2 or word[0] != "#define" or not word[1].startswith("CKA_"):
- continue
- if word[2] in self:
- continue
- if word[2].startswith("(CKF_ARRAY_ATTRIBUTE|"):
- word[2] = word[2].translate(None, "()").split("|")[1]
- self[word[1]] = int(word[2], 16)
+ def create(self, name, comment = None):
+ """
+ Create a descriptor flag.
+ """
+ assert len(self.names) < 32
+ name = self.prefix + name
+ self.names.append((name, comment))
+ if len(name) > self.width:
+ self.width = len(name)
-class Attribute(object):
- """
- Definition of one attribute.
- """
-
- def __init__(self, name, type = None, footnotes = None, default = None, value = None, unimplemented = False):
- assert value is None or default is None
- self.name = name
- self.type = type
- self.footnotes = footnotes
- self.default = self.convert_integers(default)
- self.value = self.convert_integers(value)
- self.unimplemented = unimplemented
-
- @staticmethod
- def convert_integers(val):
- """
- Convert a non-negative integer initialization value into a byte array.
- """
+ def footnote(self, number, name):
+ """
+ Create a descriptor flag for a PKCS #11 table 15 footnote.
+ """
- if not isinstance(val, (int, long)):
- return val
- if val < 0:
- raise ValueError("Negative integers not legal here: %s" % val)
- bytes = []
- while val > 0:
- bytes.insert(0, val & 0xFF)
- val >>= 8
- return bytes or [0]
-
- def inherit(self, other):
- """
- Merge values from paraent attribute definition, if any.
- """
+ assert number not in self.notes
+ self.create(name, "Section 10.2 table 15 footnote #%2d" % number)
+ self.notes[number] = self.prefix + name
- for k in ("type", "footnotes", "default", "value"):
- if getattr(self, k) is None:
- setattr(self, k, getattr(other, k))
- self.unimplemented = self.unimplemented or other.unimplemented
+ def write(self):
+ """
+ Generate the flags, assigning bit positions as we go.
+ """
- def format_flags(self):
- """
- Generate the descriptor flags field.
- """
+ assert len(self.names) < 32
+ self.width = (((self.width + 4) >> 2) << 2) - 1
+ bit = 1
+ for name, comment in self.names:
+ format = "#define %(name)s 0x%(bit)08x"
+ if comment is not None:
+ format += " /* %(comment)s */"
+ write_lines(format, bit = bit, comment = comment, name = "%-*s" % (self.width, name))
+ bit <<= 1
- flags = []
- if self.footnotes:
- flags.extend(flag_names.notes[f] for f in self.footnotes)
- if self.value is None and self.default is not None:
- flags.append("P11_DESCRIPTOR_DEFAULT_VALUE")
- flags = " | ".join(flags)
- return flags or "0"
- def format_size(self):
+class AttributeNumbers(dict):
"""
- Generate the descriptor size field.
+ Attribute names and numbers scraped (yuck) from pkcs11t.h.
"""
- if isinstance(self.type, str) and self.type.startswith("CK_"):
- return "sizeof(%s)" % self.type
- elif self.type in ("rfc2279string", "biginteger", "bytearray"):
- return "0"
- else:
- raise PKCS11ParseError("Unknown meta-type %r" % self.type)
-
- def format_length(self):
- """
- Generate the descriptor length field.
- """
+ def __init__(self, filename):
+ with open(filename, "r") as f:
+ for line in f:
+ word = line.split()
+ if len(word) <= 2 or word[0] != "#define" or not word[1].startswith("CKA_"):
+ continue
+ if word[2] in self:
+ continue
+ if word[2].startswith("(CKF_ARRAY_ATTRIBUTE|"):
+ word[2] = word[2].translate(None, "()").split("|")[1]
+ self[word[1]] = int(word[2], 16)
- value = self.value or self.default
- if isinstance(value, list):
- return "sizeof(const_0x%s)" % "".join("%02x" % v for v in value)
- elif value and isinstance(self.type, str) and self.type.startswith("CK_"):
- return "sizeof(%s)" % self.type
- else:
- return "0"
- def format_value(self):
- """
- Generate the descriptor value field.
+class Attribute(object):
"""
+ Definition of one attribute.
+ """
+
+ def __init__(self, name, type = None, footnotes = None, default = None, value = None, unimplemented = False):
+ assert value is None or default is None
+ self.name = name
+ self.type = type
+ self.footnotes = footnotes
+ self.default = self.convert_integers(default)
+ self.value = self.convert_integers(value)
+ self.unimplemented = unimplemented
+
+ @staticmethod
+ def convert_integers(val):
+ """
+ Convert a non-negative integer initialization value into a byte array.
+ """
+
+ if not isinstance(val, int):
+ return val
+ if val < 0:
+ raise ValueError("Negative integers not legal here: %s" % val)
+ bytes = []
+ while val > 0:
+ bytes.insert(0, val & 0xFF)
+ val >>= 8
+ return bytes or [0]
+
+ def inherit(self, other):
+ """
+ Merge values from paraent attribute definition, if any.
+ """
+
+ for k in ("type", "footnotes", "default", "value"):
+ if getattr(self, k) is None:
+ setattr(self, k, getattr(other, k))
+ self.unimplemented = self.unimplemented or other.unimplemented
+
+ def format_flags(self):
+ """
+ Generate the descriptor flags field.
+ """
+
+ flags = []
+ if self.footnotes:
+ flags.extend(flag_names.notes[f] for f in self.footnotes)
+ if self.value is None and self.default is not None:
+ flags.append("P11_DESCRIPTOR_DEFAULT_VALUE")
+ flags = " | ".join(flags)
+ return flags or "0"
+
+ def format_size(self):
+ """
+ Generate the descriptor size field.
+ """
+
+ if isinstance(self.type, str) and self.type.startswith("CK_"):
+ return "sizeof(%s)" % self.type
+ elif self.type in ("rfc2279string", "biginteger", "bytearray"):
+ return "0"
+ else:
+ raise PKCS11ParseError("Unknown meta-type %r" % self.type)
+
+ def format_length(self):
+ """
+ Generate the descriptor length field.
+ """
+
+ value = self.value or self.default
+ if isinstance(value, list):
+ return "sizeof(const_0x%s)" % "".join("%02x" % v for v in value)
+ elif value and isinstance(self.type, str) and self.type.startswith("CK_"):
+ return "sizeof(%s)" % self.type
+ else:
+ return "0"
+
+ def format_value(self):
+ """
+ Generate the descriptor value field.
+ """
+
+ value = self.value or self.default
+ if not value:
+ return "NULL_PTR"
+ elif isinstance(value, list):
+ return "const_0x" + "".join("%02x" % v for v in value)
+ else:
+ return "&const_" + value
+
+ def format_constant(self, constants):
+ """
+ Generate constant initializer values. These are merged so that we
+ only end up declaring one copy of each initializer value no matter
+ how many attributes use it.
+ """
+
+ value = self.value or self.default
+ if not self.unimplemented and value:
+ if isinstance(value, list):
+ constants.add("static const CK_BYTE const_%s[] = { %s };" % (
+ "0x" + "".join("%02x" % v for v in value),
+ ", ".join("0x%02x" % v for v in value)))
+ else:
+ constants.add("static const %s const_%s = %s;" % (self.type, value, value))
+
+ def generate(self):
+ """
+ Generate the descriptor line for this attribute.
+ """
+
+ if not self.unimplemented:
+ args.output_file.write(" { %s, %s, %s, %s, %s },\n" % (
+ self.name, self.format_size(), self.format_length(), self.format_value(), self.format_flags()))
- value = self.value or self.default
- if not value:
- return "NULL_PTR"
- elif isinstance(value, list):
- return "const_0x" + "".join("%02x" % v for v in value)
- else:
- return "&const_" + value
- def format_constant(self, constants):
+class Class(object):
"""
- Generate constant initializer values. These are merged so that we
- only end up declaring one copy of each initializer value no matter
- how many attributes use it.
+ A PKCS #11 class.
"""
- value = self.value or self.default
- if not self.unimplemented and value:
- if isinstance(value, list):
- constants.add("static const CK_BYTE const_%s[] = { %s };" % (
- "0x" + "".join("%02x" % v for v in value),
- ", ".join("0x%02x" % v for v in value)))
- else:
- constants.add("static const %s const_%s = %s;" % (self.type, value, value))
+ def __init__(self, db, name, superclass = None, concrete = False, **attrs):
+ assert all(a.startswith("CKA_") for a in attrs), "Non-attribute: %r" % [a for a in attrs if not a.startswith("CKA_")]
+ self.attributes = dict((k, Attribute(k, **v)) for k, v in attrs.items())
+ self.db = db
+ self.name = name
+ self.superclass = superclass
+ self.concrete = concrete
- def generate(self):
- """
- Generate the descriptor line for this attribute.
- """
+ def inherit(self, other):
+ """
+ Inherit attributes from parent type.
+ """
- if not self.unimplemented:
- args.output_file.write(" { %s, %s, %s, %s, %s },\n" % (
- self.name, self.format_size(), self.format_length(), self.format_value(), self.format_flags()))
+ for k, v in other.attributes.items():
+ if k not in self.attributes:
+ self.attributes[k] = v
+ else:
+ self.attributes[k].inherit(v)
+ def collect_constants(self, constants):
+ """
+ Collect initialization constants for all attributes.
+ """
-class Class(object):
- """
- A PKCS #11 class.
- """
-
- def __init__(self, db, name, superclass = None, concrete = False, **attrs):
- assert all(a.startswith("CKA_") for a in attrs), "Non-attribute: %r" % [a for a in attrs if not a.startswith("CKA_")]
- self.attributes = dict((k, Attribute(k, **v)) for k, v in attrs.iteritems())
- self.db = db
- self.name = name
- self.superclass = superclass
- self.concrete = concrete
-
- def inherit(self, other):
- """
- Inherit attributes from parent type.
- """
+ if self.concrete:
+ for a in self.attributes.values():
+ a.format_constant(constants)
- for k, v in other.attributes.iteritems():
- if k not in self.attributes:
- self.attributes[k] = v
- else:
- self.attributes[k].inherit(v)
+ def generate(self):
+ """
+ Generate a descriptor for this type.
+ """
- def collect_constants(self, constants):
- """
- Collect initialization constants for all attributes.
- """
+ if self.concrete:
- if self.concrete:
- for a in self.attributes.itervalues():
- a.format_constant(constants)
+ write_lines("",
+ "static const p11_attribute_descriptor_t p11_attribute_descriptor_%(name)s[] = {",
+ name = self.name)
- def generate(self):
- """
- Generate a descriptor for this type.
- """
+ for a in sorted(self.attributes, key = lambda x: attribute_numbers[x]):
+ self.attributes[a].generate()
- if self.concrete:
+ write_lines("};",
+ "",
+ "static const p11_descriptor_t p11_descriptor_%(name)s = {",
+ " p11_attribute_descriptor_%(name)s,",
+ " sizeof(p11_attribute_descriptor_%(name)s)/sizeof(p11_attribute_descriptor_t)",
+ "};",
+ name = self.name)
- write_lines("",
- "static const p11_attribute_descriptor_t p11_attribute_descriptor_%(name)s[] = {",
- name = self.name)
+ def keyclassmap(self):
+ """
+ Generate a keyclass map entry if this is a concrete key type.
+ """
- for a in sorted(self.attributes, key = lambda x: attribute_numbers[x]):
- self.attributes[a].generate()
-
- write_lines("};",
- "",
- "static const p11_descriptor_t p11_descriptor_%(name)s = {",
- " p11_attribute_descriptor_%(name)s,",
- " sizeof(p11_attribute_descriptor_%(name)s)/sizeof(p11_attribute_descriptor_t)",
- "};",
- name = self.name)
-
- def keyclassmap(self):
- """
- Generate a keyclass map entry if this is a concrete key type.
- """
-
- if self.concrete and all(k in self.attributes and self.attributes[k].value for k in ("CKA_CLASS", "CKA_KEY_TYPE")):
- write_lines(" { %s, %s, &p11_descriptor_%s }," % (
- self.attributes["CKA_CLASS"].value, self.attributes["CKA_KEY_TYPE"].value, self.name))
+ if self.concrete and all(k in self.attributes and self.attributes[k].value for k in ("CKA_CLASS", "CKA_KEY_TYPE")):
+ write_lines(" { %s, %s, &p11_descriptor_%s }," % (
+ self.attributes["CKA_CLASS"].value, self.attributes["CKA_KEY_TYPE"].value, self.name))
class DB(object):
- """
- Object type database parsed from YAML
- """
-
- def __init__(self, y):
- self.ordered = [Class(self, **y) for y in y]
- self.named = dict((c.name, c) for c in self.ordered)
- for c in self.ordered:
- if c.superclass is not None:
- c.inherit(self.named[c.superclass])
-
- def generate(self):
"""
- Generate output for everything in the database.
- """
-
- constants = set()
- for c in self.ordered:
- c.collect_constants(constants)
- for constant in sorted(constants):
- write_lines(constant)
- for c in self.ordered:
- c.generate()
- write_lines("",
- "static const p11_descriptor_keyclass_map_t p11_descriptor_keyclass_map[] = {")
- for c in self.ordered:
- c.keyclassmap()
- write_lines("};")
+ Object type database parsed from YAML
+ """
+
+ def __init__(self, y):
+ self.ordered = [Class(self, **y) for y in y]
+ self.named = dict((c.name, c) for c in self.ordered)
+ for c in self.ordered:
+ if c.superclass is not None:
+ c.inherit(self.named[c.superclass])
+
+ def generate(self):
+ """
+ Generate output for everything in the database.
+ """
+
+ constants = set()
+ for c in self.ordered:
+ c.collect_constants(constants)
+ for constant in sorted(constants):
+ write_lines(constant)
+ for c in self.ordered:
+ c.generate()
+ write_lines("",
+ "static const p11_descriptor_keyclass_map_t p11_descriptor_keyclass_map[] = {")
+ for c in self.ordered:
+ c.keyclassmap()
+ write_lines("};")
# Main program
diff --git a/scripts/build-py11-attributes b/scripts/build-py11-attributes
index cacb63a..107d33b 100755
--- a/scripts/build-py11-attributes
+++ b/scripts/build-py11-attributes
@@ -54,10 +54,10 @@ parser.add_argument("output_file", help = "Output .py file", nargs = "?", typ
args = parser.parse_args()
attribute_map = dict(
- (k, v["type"])
- for y in yaml.safe_load(args.yaml_file)
- for k, v in y.iteritems()
- if k.startswith("CKA_") and "type" in v)
+ (k, v["type"])
+ for y in yaml.safe_load(args.yaml_file)
+ for k, v in y.items()
+ if k.startswith("CKA_") and "type" in v)
args.output_file.write('''\
# This file was generated automatically from %(input)s by %(script)s. Do not edit this file directly.
diff --git a/scripts/py11-test.py b/scripts/py11-test.py
index 7a0e1d8..cf633a3 100644
--- a/scripts/py11-test.py
+++ b/scripts/py11-test.py
@@ -3,149 +3,150 @@
from cryptech.py11 import *
from struct import pack, unpack
+from binascii import hexlify, unhexlify
def show_token(i, t, strip = True):
- print "Token in slot #%d:" % i
- fw = max(len(fn) for fn, ft in t.__class__._fields_)
- for fn, ft in t.__class__._fields_:
- fv = getattr(t, fn)
- fn = "%-*s :" % (fw, fn)
- if isinstance(fv, CK_VERSION):
- print " ", fn, "%d.%d" % (fv.major, fv.minor)
- elif isinstance(fv, (int, long)):
- print " ", fn, fv
- else:
- print " ", fn, repr(str(fv).rstrip(" ") if strip else str(fv))
+ print("Token in slot #%d:" % i)
+ fw = max(len(fn) for fn, ft in t.__class__._fields_)
+ for fn, ft in t.__class__._fields_:
+ fv = getattr(t, fn)
+ fn = "%-*s :" % (fw, fn)
+ if isinstance(fv, CK_VERSION):
+ print(" ", fn, "%d.%d" % (fv.major, fv.minor))
+ elif isinstance(fv, int):
+ print(" ", fn, fv)
+ else:
+ print(" ", fn, repr(str(fv).rstrip(" ") if strip else str(fv)))
def genkeypair_templates(name = "foo", **kwargs):
- label_id = ((CKA_LABEL, name), (CKA_ID, name))
- return (
- # Public template
- label_id + tuple(kwargs.iteritems()) +
- ((CKA_VERIFY, True),
- (CKA_ENCRYPT, False),
- (CKA_WRAP, False),
- (CKA_TOKEN, False)),
- # Private template
- label_id +
- ((CKA_SIGN, True),
- (CKA_DECRYPT, False),
- (CKA_UNWRAP, False),
- (CKA_SENSITIVE, True),
- (CKA_TOKEN, False),
- (CKA_PRIVATE, True),
- (CKA_EXTRACTABLE, False)))
+ label_id = ((CKA_LABEL, name), (CKA_ID, name))
+ return (
+ # Public template
+ label_id + tuple(kwargs.items()) +
+ ((CKA_VERIFY, True),
+ (CKA_ENCRYPT, False),
+ (CKA_WRAP, False),
+ (CKA_TOKEN, False)),
+ # Private template
+ label_id +
+ ((CKA_SIGN, True),
+ (CKA_DECRYPT, False),
+ (CKA_UNWRAP, False),
+ (CKA_SENSITIVE, True),
+ (CKA_TOKEN, False),
+ (CKA_PRIVATE, True),
+ (CKA_EXTRACTABLE, False)))
def show_keys(session, key_class, *attributes):
- p11.C_FindObjectsInit(session, {CKA_CLASS: key_class})
- for o in p11.C_FindObjects(session):
- a = p11.C_GetAttributeValue(session, o, attributes + (CKA_CLASS, CKA_KEY_TYPE, CKA_LABEL, CKA_ID, CKA_TOKEN,
- CKA_PRIVATE, CKA_LOCAL, CKA_KEY_GEN_MECHANISM))
- w = max(len(p11.adb.attribute_name(k)) for k in a)
- print "Object:", o
- for k, v in a.iteritems():
- print " %*s (0x%08x): %r" % (w, p11.adb.attribute_name(k), k, v)
- p11.C_FindObjectsFinal(session)
+ p11.C_FindObjectsInit(session, {CKA_CLASS: key_class})
+ for o in p11.C_FindObjects(session):
+ a = p11.C_GetAttributeValue(session, o, attributes + (CKA_CLASS, CKA_KEY_TYPE, CKA_LABEL, CKA_ID, CKA_TOKEN,
+ CKA_PRIVATE, CKA_LOCAL, CKA_KEY_GEN_MECHANISM))
+ w = max(len(p11.adb.attribute_name(k)) for k in a)
+ print("Object:", o)
+ for k, v in a.items():
+ print(" %*s (0x%08x): %r" % (w, p11.adb.attribute_name(k), k, v))
+ p11.C_FindObjectsFinal(session)
def build_ecpoint(x, y):
- h = (max(x.bit_length(), y.bit_length()) + 15) / 16
- d = chr(0x04) + ("%0*x%0*x" % (h, x, h, y)).decode("hex")
- if len(d) < 128:
- h = "%c%c" % (0x04, len(d))
- else:
- n = len(d).bit_length()
- h = ("%c%c" % (0x04, (n + 7) / 8)) + ("%0*x" % ((n + 15) / 16, len(d))).decode("hex")
- return h + d
+ h = (max(x.bit_length(), y.bit_length()) + 15) / 16
+ d = b"\04" + unhexlify("%0*x%0*x" % (h, x, h, y))
+ if len(d) < 128:
+ h = b"%c%c" % (0x04, len(d))
+ else:
+ n = len(d).bit_length()
+ h = (b"%c%c" % (0x04, (n + 7) / 8)) + unhexlify("%0*x" % ((n + 15) / 16, len(d)))
+ return h + d
-ec_curve_oid_p256 = "".join(chr(i) for i in (0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07))
-ec_curve_oid_p384 = "".join(chr(i) for i in (0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22))
-ec_curve_oid_p521 = "".join(chr(i) for i in (0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23))
+ec_curve_oid_p256 = b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"
+ec_curve_oid_p384 = b"\x06\x05\x2b\x81\x04\x00\x22"
+ec_curve_oid_p521 = b"\x06\x05\x2b\x81\x04\x00\x23"
p11 = PKCS11("./libcryptech-pkcs11.so")
if False:
- print "Not using MUTEXes at all"
- p11.C_Initialize()
+ print("Not using MUTEXes at all")
+ p11.C_Initialize()
elif False:
- print "Using OS MUTEXes"
- p11.C_Initialize(CKF_OS_LOCKING_OK)
+ print("Using OS MUTEXes")
+ p11.C_Initialize(CKF_OS_LOCKING_OK)
else:
- print "Using our own pseudo-MUTEXes"
- from cryptech.py11.mutex import MutexDB
- mdb = MutexDB()
- p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock)
+ print("Using our own pseudo-MUTEXes")
+ from cryptech.py11.mutex import MutexDB
+ mdb = MutexDB()
+ p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock)
slots = p11.C_GetSlotList()
-print
-print "Listing slots and tokens"
+print()
+print("Listing slots and tokens")
for i in slots:
- show_token(i, p11.C_GetTokenInfo(i))
+ show_token(i, p11.C_GetTokenInfo(i))
slot = slots[0]
-print
-print "Generating some random data"
+print()
+print("Generating some random data")
session = p11.C_OpenSession(slot)
random = p11.C_GenerateRandom(session, 33)
-print len(random), "".join("%02x" % ord(i) for i in random)
+print(len(random), hexlify(random))
-print
-print "Logging in"
+print()
+print("Logging in")
p11.C_Login(session, CKU_USER, "fnord")
if False:
- print
- print "Generating RSA keypair"
- rsa_templates = genkeypair_templates("RSA", CKA_MODULUS_BITS = 1024)
- rsa_keypair = p11.C_GenerateKeyPair(session, CKM_RSA_PKCS_KEY_PAIR_GEN, rsa_templates[0], rsa_templates[1])
- print rsa_keypair
-
-print
-print "Generating EC P256 keypair"
+ print()
+ print("Generating RSA keypair")
+ rsa_templates = genkeypair_templates("RSA", CKA_MODULUS_BITS = 1024)
+ rsa_keypair = p11.C_GenerateKeyPair(session, CKM_RSA_PKCS_KEY_PAIR_GEN, rsa_templates[0], rsa_templates[1])
+ print(rsa_keypair)
+
+print()
+print("Generating EC P256 keypair")
ec_templates = genkeypair_templates("EC-P256", CKA_EC_PARAMS = ec_curve_oid_p256)
ec_p256_keypair = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1])
-print ec_p256_keypair
+print(ec_p256_keypair)
-print
-print "Generating EC P384 keypair"
+print()
+print("Generating EC P384 keypair")
ec_templates = genkeypair_templates("EC-P384", CKA_EC_PARAMS = ec_curve_oid_p384)
ec_p384_keypair = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1])
-print ec_p384_keypair
+print(ec_p384_keypair)
-print
-print "Generating EC P521 keypair"
+print()
+print("Generating EC P521 keypair")
ec_templates = genkeypair_templates("EC-P521", CKA_EC_PARAMS = ec_curve_oid_p521)
ec_p521_keypair = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1])
-print ec_p521_keypair
+print(ec_p521_keypair)
-print
-print "Listing keys"
+print()
+print("Listing keys")
show_keys(session, CKO_PUBLIC_KEY, CKA_VERIFY, CKA_ENCRYPT, CKA_WRAP)
show_keys(session, CKO_PRIVATE_KEY, CKA_SIGN, CKA_DECRYPT, CKA_UNWRAP)
hamster = "Your mother was a hamster"
-print
-print "Testing P-256 signature"
+print()
+print("Testing P-256 signature")
p11.C_SignInit(session, CKM_ECDSA_SHA256, ec_p256_keypair[1])
sig_p256 = p11.C_Sign(session, hamster)
-print "Signature:", sig_p256.encode("hex")
+print("Signature:", hexlify(sig_p256.encode))
-print
-print "Testing P256 verification"
+print()
+print("Testing P256 verification")
p11.C_VerifyInit(session, CKM_ECDSA_SHA256, ec_p256_keypair[0])
p11.C_Verify(session, hamster, sig_p256)
-print "OK" # Verification failure throws an exception
+print("OK") # Verification failure throws an exception
-print
-print "Testing C_CreateObject()"
+print()
+print("Testing C_CreateObject()")
handle = p11.C_CreateObject(session, dict(
CKA_CLASS = CKO_PUBLIC_KEY,
CKA_KEY_TYPE = CKK_EC,
@@ -158,16 +159,16 @@ handle = p11.C_CreateObject(session, dict(
CKA_EC_POINT = build_ecpoint(0x8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8,
0xd8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9),
CKA_EC_PARAMS = ec_curve_oid_p256))
-print handle
+print(handle)
-print
-print "Verifying canned signature with public key installed via C_CreateObject()"
+print()
+print("Verifying canned signature with public key installed via C_CreateObject()")
p11.C_VerifyInit(session, CKM_ECDSA, handle)
p11.C_Verify(session,
- "7c3e883ddc8bd688f96eac5e9324222c8f30f9d6bb59e9c5f020bd39ba2b8377".decode("hex"),
- "7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c".decode("hex") +
- "7d1ff961980f961bdaa3233b6209f4013317d3e3f9e1493592dbeaa1af2bc367".decode("hex"))
-print "OK"
+ unhexlify("7c3e883ddc8bd688f96eac5e9324222c8f30f9d6bb59e9c5f020bd39ba2b8377"),
+ unhexlify("7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c") +
+ unhexlify("7d1ff961980f961bdaa3233b6209f4013317d3e3f9e1493592dbeaa1af2bc367"))
+print("OK")
p11.C_CloseAllSessions(slot)
p11.C_Finalize()
diff --git a/scripts/test-hsmcheck b/scripts/test-hsmcheck
index b28d578..cb2efce 100755
--- a/scripts/test-hsmcheck
+++ b/scripts/test-hsmcheck
@@ -49,134 +49,134 @@ from xml.etree.ElementTree import ElementTree, Element, SubElement
def write_config():
- """
- Write hsmcheck configuration file.
- """
+ """
+ Write hsmcheck configuration file.
+ """
- e = Element("Configuration")
- r = SubElement(e, "RepositoryList")
- r = SubElement(r, "Repository", name = "default")
- SubElement(r, "Module").text = args.driver
- SubElement(r, "TokenLabel").text = args.token_label
- SubElement(r, "PIN").text = args.pin
- ElementTree(e).write(args.write_config)
- args.write_config.flush()
+ e = Element("Configuration")
+ r = SubElement(e, "RepositoryList")
+ r = SubElement(r, "Repository", name = "default")
+ SubElement(r, "Module").text = args.driver
+ SubElement(r, "TokenLabel").text = args.token_label
+ SubElement(r, "PIN").text = args.pin
+ ElementTree(e).write(args.write_config)
+ args.write_config.flush()
def hsmcheck(flag):
- """
- Run hsmcheck program with appropriate options and verbosity.
- """
-
- assert flag in "rgsd"
- cmd = (args.hsmcheck_binary, "-c", args.write_config.name, "-" + flag)
- if args.verbose:
- sys.stdout.write("Running: %s\n" % " ".join(cmd))
- if flag == "s":
- text = check_output(cmd)
- sys.stdout.write(text)
- if not args.no_dnssec:
- check_dnssec(text)
- else:
- check_call(cmd)
+ """
+ Run hsmcheck program with appropriate options and verbosity.
+ """
+
+ assert flag in "rgsd"
+ cmd = (args.hsmcheck_binary, "-c", args.write_config.name, "-" + flag)
+ if args.verbose:
+ sys.stdout.write("Running: %s\n" % " ".join(cmd))
+ if flag == "s":
+ text = check_output(cmd)
+ sys.stdout.write(text)
+ if not args.no_dnssec:
+ check_dnssec(text)
+ else:
+ check_call(cmd)
def check_dnssec(text):
- """
- Use DNSPython to attempt DNSSEC validation on "hsmcheck -s" output.
+ """
+ Use DNSPython to attempt DNSSEC validation on "hsmcheck -s" output.
- This requires the DNSPython toolkit, which in turn requires
- PyCrypto; ECDSA support (not yet tested) requires a third package.
- On Debian-family Linux, you can install these with:
+ This requires the DNSPython toolkit, which in turn requires
+ PyCrypto; ECDSA support (not yet tested) requires a third package.
+ On Debian-family Linux, you can install these with:
- sudo apt-get install python-dnspython python-crypto python-ecdsa
+ sudo apt-get install python-dnspython python-crypto python-ecdsa
- Equivalent packages exist for other platforms.
- """
+ Equivalent packages exist for other platforms.
+ """
- try:
- from dns.exception import DNSException
- import dns.dnssec
- import dns.rrset
- import Crypto.PublicKey.RSA
- #import ecdsa.ecdsa
- except ImportError:
- sys.exit("Problem importing DNSPython or supporting crypto packages, are they installed?")
+ try:
+ from dns.exception import DNSException
+ import dns.dnssec
+ import dns.rrset
+ import Crypto.PublicKey.RSA
+ #import ecdsa.ecdsa
+ except ImportError:
+ sys.exit("Problem importing DNSPython or supporting crypto packages, are they installed?")
- wired_ttl = "3600"
- wired_rdclass = "IN"
+ wired_ttl = "3600"
+ wired_rdclass = "IN"
- rrs = {}
+ rrs = {}
- for line in text.splitlines():
+ for line in text.splitlines():
- try:
- name, ttl, rdclass, rdtype, rdata = line.split(None, 4)
- except ValueError:
- continue
+ try:
+ name, ttl, rdclass, rdtype, rdata = line.split(None, 4)
+ except ValueError:
+ continue
- if ttl != wired_ttl or rdclass != wired_rdclass:
- continue
+ if ttl != wired_ttl or rdclass != wired_rdclass:
+ continue
- try:
- rrs[name, rdtype].append(rdata)
- except KeyError:
- rrs[name, rdtype] = [rdata]
+ try:
+ rrs[name, rdtype].append(rdata)
+ except KeyError:
+ rrs[name, rdtype] = [rdata]
- # Done parsing. We expect to have seen an A RRset, an RRSIG of that
- # A RRset, and the DNSKEY that we'll need to verify the RRSIG.
+ # Done parsing. We expect to have seen an A RRset, an RRSIG of that
+ # A RRset, and the DNSKEY that we'll need to verify the RRSIG.
- if len(rrs) != 3:
- sys.exit("Expected two RRsets and an RRSIG, got %r" % rrs)
+ if len(rrs) != 3:
+ sys.exit("Expected two RRsets and an RRSIG, got %r" % rrs)
- rrs = dict((rdtype, dns.rrset.from_text_list(name, int(wired_ttl), wired_rdclass, rdtype, rrs[name, rdtype]))
- for name, rdtype in rrs)
+ rrs = dict((rdtype, dns.rrset.from_text_list(name, int(wired_ttl), wired_rdclass, rdtype, rrs[name, rdtype]))
+ for name, rdtype in rrs)
- try:
- dns.dnssec.validate(rrs["A"], rrs["RRSIG"], { rrs["DNSKEY"].name : rrs["DNSKEY"] })
- except DNSException, e:
- sys.exit("DNSSEC verification failed: %s" % e)
+ try:
+ dns.dnssec.validate(rrs["A"], rrs["RRSIG"], { rrs["DNSKEY"].name : rrs["DNSKEY"] })
+ except DNSException as e:
+ sys.exit("DNSSEC verification failed: %s" % e)
- sys.stdout.write("\nDNSSEC verification successful!\n\n")
+ sys.stdout.write("\nDNSSEC verification successful!\n\n")
# Main program.
try:
- default_config = NamedTemporaryFile()
- default_hsmcheck = os.getenv("HSMCHECK", "hsmcheck")
- default_driver = os.getenv("PKCS11_DRIVER",
- os.path.realpath(os.path.join(os.path.dirname(sys.argv[0]), "..", "libpkcs11.so")))
-
- parser = ArgumentParser(description = __doc__, formatter_class = ArgumentDefaultsHelpFormatter)
- one_of = parser.add_mutually_exclusive_group()
- one_of.add_argument("-a", "--all", "--rgsd", const = "rgsd", dest = "test", action = "store_const", help = "run all tests")
- one_of.add_argument("-r", "--random", const = "r", dest = "test", action = "store_const", help = "just test random numbers")
- one_of.add_argument("-g", "--generate", const = "g", dest = "test", action = "store_const", help = "just test key generation")
- one_of.add_argument("-s", "--sign", const = "s", dest = "test", action = "store_const", help = "just test DNSSEC-signature")
- one_of.add_argument("-d", "--delete", const = "d", dest = "test", action = "store_const", help = "just delete key")
- parser.add_argument("-b", "--hsmcheck-binary", default = default_hsmcheck, help = "location of hsmcheck program")
- parser.add_argument("-p", "--pin", default = "12345", help = "HSM PIN to use for tests")
- parser.add_argument("-t", "--token-label", default = "Cryptech Token", help = "PKCS #11 label of Cryptech token")
- parser.add_argument("-n", "--no-dnssec", action = "store_true", help = "do not attempt DNSSEC validation")
- parser.add_argument("-v", "--verbose", action = "store_true", help = "bark more")
- parser.add_argument("-D", "--driver", default = default_driver, help = "location of PKCS #11 driver")
- parser.add_argument("-w", "--write-config", default = default_config, help = "write generated configuration to this file",
- type = ArgumentFileType("w"))
- parser.add_argument("--debug", action = "store_true", help = "debug this script")
- parser.set_defaults(test = "rgsd")
- args = parser.parse_args()
-
- try:
- write_config()
- for flag in args.test:
- hsmcheck(flag)
-
- except Exception as e:
- if args.debug:
- raise
- sys.exit("Failed: %s" % e)
+ default_config = NamedTemporaryFile()
+ default_hsmcheck = os.getenv("HSMCHECK", "hsmcheck")
+ default_driver = os.getenv("PKCS11_DRIVER",
+ os.path.realpath(os.path.join(os.path.dirname(sys.argv[0]), "..", "libpkcs11.so")))
+
+ parser = ArgumentParser(description = __doc__, formatter_class = ArgumentDefaultsHelpFormatter)
+ one_of = parser.add_mutually_exclusive_group()
+ one_of.add_argument("-a", "--all", "--rgsd", const = "rgsd", dest = "test", action = "store_const", help = "run all tests")
+ one_of.add_argument("-r", "--random", const = "r", dest = "test", action = "store_const", help = "just test random numbers")
+ one_of.add_argument("-g", "--generate", const = "g", dest = "test", action = "store_const", help = "just test key generation")
+ one_of.add_argument("-s", "--sign", const = "s", dest = "test", action = "store_const", help = "just test DNSSEC-signature")
+ one_of.add_argument("-d", "--delete", const = "d", dest = "test", action = "store_const", help = "just delete key")
+ parser.add_argument("-b", "--hsmcheck-binary", default = default_hsmcheck, help = "location of hsmcheck program")
+ parser.add_argument("-p", "--pin", default = "12345", help = "HSM PIN to use for tests")
+ parser.add_argument("-t", "--token-label", default = "Cryptech Token", help = "PKCS #11 label of Cryptech token")
+ parser.add_argument("-n", "--no-dnssec", action = "store_true", help = "do not attempt DNSSEC validation")
+ parser.add_argument("-v", "--verbose", action = "store_true", help = "bark more")
+ parser.add_argument("-D", "--driver", default = default_driver, help = "location of PKCS #11 driver")
+ parser.add_argument("-w", "--write-config", default = default_config, help = "write generated configuration to this file",
+ type = ArgumentFileType("w"))
+ parser.add_argument("--debug", action = "store_true", help = "debug this script")
+ parser.set_defaults(test = "rgsd")
+ args = parser.parse_args()
+
+ try:
+ write_config()
+ for flag in args.test:
+ hsmcheck(flag)
+
+ except Exception as e:
+ if args.debug:
+ raise
+ sys.exit("Failed: %s" % e)
finally:
- default_config.close()
+ default_config.close()
diff --git a/scripts/thready-time-signature.py b/scripts/thready-time-signature.py
index fb84c1e..e3bd0bf 100755
--- a/scripts/thready-time-signature.py
+++ b/scripts/thready-time-signature.py
@@ -8,7 +8,7 @@ import collections
import threading
import argparse
import datetime
-import Queue
+import queue
import sys
from Crypto.Hash.SHA256 import SHA256Hash as SHA256
@@ -101,7 +101,7 @@ class Results(object):
self.sum += t1 - t0
self.n += 1
if not args.quiet:
- print "{:4d} {}".format(self.n, delta)
+ print("{:4d} {}".format(self.n, delta))
@property
def mean(self):
@@ -119,7 +119,7 @@ class Results(object):
with self.lock:
if self.t1 is None:
self.t1 = datetime.datetime.now()
- print "{0.name} sigs/second {0.sigs_per_second} mean {0.mean} throughput {0.throughput} (n {0.n}, t0 {0.t0}, t1 {0.t1})".format(self)
+ print("{0.name} sigs/second {0.sigs_per_second} mean {0.mean} throughput {0.throughput} (n {0.n}, t0 {0.t0}, t1 {0.t1})".format(self))
class Worker(threading.Thread):
@@ -158,19 +158,19 @@ def main():
args = parser.parse_args()
global q
- q = Queue.Queue()
+ q = queue.Queue()
global p11
p11 = PKCS11(args.libpkcs11)
if not args.quiet:
- print "Initializing"
+ print("Initializing")
p11.C_Initialize(CKF_OS_LOCKING_OK)
session = p11.C_OpenSession(args.slot)
p11.C_Login(session, CKU_USER, args.pin)
- for i in xrange(args.threads):
+ for i in range(args.threads):
w = Worker()
w.setDaemon(True)
w.start()
@@ -178,7 +178,7 @@ def main():
for name in args.keys:
if not args.quiet:
- print "Starting test with key {}, {} iterations".format(name, args.iterations)
+ print("Starting test with key {}, {} iterations".format(name, args.iterations))
k = key_table[name]
@@ -187,7 +187,7 @@ def main():
global results
results = Results(name)
- for i in xrange(args.iterations):
+ for i in range(args.iterations):
q.put(k)
q.join()
diff --git a/scripts/time-signature.py b/scripts/time-signature.py
index 732eaa4..5c816ee 100755
--- a/scripts/time-signature.py
+++ b/scripts/time-signature.py
@@ -99,7 +99,7 @@ def main():
p11 = PKCS11(args.libpkcs11)
if not args.quiet:
- print "Initializing"
+ print("Initializing")
p11.C_Initialize()
session = p11.C_OpenSession(args.slot)
@@ -107,25 +107,25 @@ def main():
for name in args.keys:
- print "Starting test with key {}, {} iterations".format(name, args.iterations)
+ print("Starting test with key {}, {} iterations".format(name, args.iterations))
k = key_table[name]
k.create(args, p11, session, "Your mother was a hamster")
mean = datetime.timedelta(seconds = 0)
- for i in xrange(args.iterations):
+ for i in range(args.iterations):
t0 = datetime.datetime.now()
p11.C_SignInit(session, k.ckm, k.handle)
sig = p11.C_Sign(session, k.tbs)
t1 = datetime.datetime.now()
k.verify(sig)
if not args.quiet:
- print "{:4d} {}".format(i, t1 - t0)
+ print("{:4d} {}".format(i, t1 - t0))
mean += t1 - t0
mean /= args.iterations
- print "mean {}".format(mean)
+ print("mean {}".format(mean))
p11.C_DestroyObject(session, k.handle)