diff options
| author | Rob Austein <sra@hactrn.net> | 2020-05-25 19:33:47 -0400 |
|---|---|---|
| committer | Rob Austein <sra@hactrn.net> | 2020-05-25 19:33:47 -0400 |
| commit | fa3feddf3a25e34db2ac57ff8e962f13db07bf40 (patch) | |
| tree | c001ead2bc727824ad26a1f5493c491eefe77185 /scripts | |
| parent | 5936befa654ce79b2f9ee7cd4f3beb6489bac227 (diff) | |
Untested conversion to support Python 3
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/build-attributes | 526 | ||||
| -rwxr-xr-x | scripts/build-py11-attributes | 8 | ||||
| -rw-r--r-- | scripts/py11-test.py | 193 | ||||
| -rwxr-xr-x | scripts/test-hsmcheck | 202 | ||||
| -rwxr-xr-x | scripts/thready-time-signature.py | 16 | ||||
| -rwxr-xr-x | scripts/time-signature.py | 10 |
6 files changed, 478 insertions, 477 deletions
diff --git a/scripts/build-attributes b/scripts/build-attributes index 7a36bdc..e7c500e 100755 --- a/scripts/build-attributes +++ b/scripts/build-attributes @@ -47,318 +47,318 @@ import argparse def define_flags(flag_names): - """ - Flag definitions. Called later, here at front of program just to - make them easier to find. - """ - - flag_names.create("DEFAULT_VALUE", "Value field contains default") - flag_names.footnote( 1, "REQUIRED_BY_CREATEOBJECT") - flag_names.footnote( 2, "FORBIDDEN_BY_CREATEOBJECT") - flag_names.footnote( 3, "REQUIRED_BY_GENERATE") - flag_names.footnote( 4, "FORBIDDEN_BY_GENERATE") - flag_names.footnote( 5, "REQUIRED_BY_UNWRAP") - flag_names.footnote( 6, "FORBIDDEN_BY_UNWRAP") - flag_names.footnote( 7, "SENSITIVE") - flag_names.footnote( 8, "PERHAPS_MODIFIABLE") - flag_names.footnote( 9, "DEFAULT_IS_TOKEN_SPECIFIC") - flag_names.footnote(10, "ONLY_SO_USER_CAN_SET") - flag_names.footnote(11, "LATCHES_WHEN_TRUE") - flag_names.footnote(12, "LATCHES_WHEN_FALSE") + """ + Flag definitions. Called later, here at front of program just to + make them easier to find. + """ + + flag_names.create("DEFAULT_VALUE", "Value field contains default") + flag_names.footnote( 1, "REQUIRED_BY_CREATEOBJECT") + flag_names.footnote( 2, "FORBIDDEN_BY_CREATEOBJECT") + flag_names.footnote( 3, "REQUIRED_BY_GENERATE") + flag_names.footnote( 4, "FORBIDDEN_BY_GENERATE") + flag_names.footnote( 5, "REQUIRED_BY_UNWRAP") + flag_names.footnote( 6, "FORBIDDEN_BY_UNWRAP") + flag_names.footnote( 7, "SENSITIVE") + flag_names.footnote( 8, "PERHAPS_MODIFIABLE") + flag_names.footnote( 9, "DEFAULT_IS_TOKEN_SPECIFIC") + flag_names.footnote(10, "ONLY_SO_USER_CAN_SET") + flag_names.footnote(11, "LATCHES_WHEN_TRUE") + flag_names.footnote(12, "LATCHES_WHEN_FALSE") class PKCS11ParseError(Exception): - "Failure parsing PCKS #11 object definitions from YAML data." + "Failure parsing PCKS #11 object definitions from YAML data." def write_lines(*lines, **d): - """ - Utility to simplify writing formatted text to the output stream. - """ - - for line in lines: - args.output_file.write((line % d) + "\n") - - -class Flags(object): - """ - Descriptor flag database. - - Many of these are derived from PKCS #11 Table 15 footnotes - """ - - prefix = "P11_DESCRIPTOR_" # Prefix string for all descriptor flags - - def __init__(self): - self.names = [] - self.notes = {} - self.width = 0 - - def create(self, name, comment = None): """ - Create a descriptor flag. + Utility to simplify writing formatted text to the output stream. """ - assert len(self.names) < 32 - name = self.prefix + name - self.names.append((name, comment)) - if len(name) > self.width: - self.width = len(name) - - def footnote(self, number, name): - """ - Create a descriptor flag for a PKCS #11 table 15 footnote. - """ + for line in lines: + args.output_file.write((line % d) + "\n") - assert number not in self.notes - self.create(name, "Section 10.2 table 15 footnote #%2d" % number) - self.notes[number] = self.prefix + name - def write(self): +class Flags(object): """ - Generate the flags, assigning bit positions as we go. + Descriptor flag database. + + Many of these are derived from PKCS #11 Table 15 footnotes """ - assert len(self.names) < 32 - self.width = (((self.width + 4) >> 2) << 2) - 1 - bit = 1 - for name, comment in self.names: - format = "#define %(name)s 0x%(bit)08x" - if comment is not None: - format += " /* %(comment)s */" - write_lines(format, bit = bit, comment = comment, name = "%-*s" % (self.width, name)) - bit <<= 1 + prefix = "P11_DESCRIPTOR_" # Prefix string for all descriptor flags + def __init__(self): + self.names = [] + self.notes = {} + self.width = 0 -class AttributeNumbers(dict): - """ - Attribute names and numbers scraped (yuck) from pkcs11t.h. - """ - - def __init__(self, filename): - with open(filename, "r") as f: - for line in f: - word = line.split() - if len(word) <= 2 or word[0] != "#define" or not word[1].startswith("CKA_"): - continue - if word[2] in self: - continue - if word[2].startswith("(CKF_ARRAY_ATTRIBUTE|"): - word[2] = word[2].translate(None, "()").split("|")[1] - self[word[1]] = int(word[2], 16) + def create(self, name, comment = None): + """ + Create a descriptor flag. + """ + assert len(self.names) < 32 + name = self.prefix + name + self.names.append((name, comment)) + if len(name) > self.width: + self.width = len(name) -class Attribute(object): - """ - Definition of one attribute. - """ - - def __init__(self, name, type = None, footnotes = None, default = None, value = None, unimplemented = False): - assert value is None or default is None - self.name = name - self.type = type - self.footnotes = footnotes - self.default = self.convert_integers(default) - self.value = self.convert_integers(value) - self.unimplemented = unimplemented - - @staticmethod - def convert_integers(val): - """ - Convert a non-negative integer initialization value into a byte array. - """ + def footnote(self, number, name): + """ + Create a descriptor flag for a PKCS #11 table 15 footnote. + """ - if not isinstance(val, (int, long)): - return val - if val < 0: - raise ValueError("Negative integers not legal here: %s" % val) - bytes = [] - while val > 0: - bytes.insert(0, val & 0xFF) - val >>= 8 - return bytes or [0] - - def inherit(self, other): - """ - Merge values from paraent attribute definition, if any. - """ + assert number not in self.notes + self.create(name, "Section 10.2 table 15 footnote #%2d" % number) + self.notes[number] = self.prefix + name - for k in ("type", "footnotes", "default", "value"): - if getattr(self, k) is None: - setattr(self, k, getattr(other, k)) - self.unimplemented = self.unimplemented or other.unimplemented + def write(self): + """ + Generate the flags, assigning bit positions as we go. + """ - def format_flags(self): - """ - Generate the descriptor flags field. - """ + assert len(self.names) < 32 + self.width = (((self.width + 4) >> 2) << 2) - 1 + bit = 1 + for name, comment in self.names: + format = "#define %(name)s 0x%(bit)08x" + if comment is not None: + format += " /* %(comment)s */" + write_lines(format, bit = bit, comment = comment, name = "%-*s" % (self.width, name)) + bit <<= 1 - flags = [] - if self.footnotes: - flags.extend(flag_names.notes[f] for f in self.footnotes) - if self.value is None and self.default is not None: - flags.append("P11_DESCRIPTOR_DEFAULT_VALUE") - flags = " | ".join(flags) - return flags or "0" - def format_size(self): +class AttributeNumbers(dict): """ - Generate the descriptor size field. + Attribute names and numbers scraped (yuck) from pkcs11t.h. """ - if isinstance(self.type, str) and self.type.startswith("CK_"): - return "sizeof(%s)" % self.type - elif self.type in ("rfc2279string", "biginteger", "bytearray"): - return "0" - else: - raise PKCS11ParseError("Unknown meta-type %r" % self.type) - - def format_length(self): - """ - Generate the descriptor length field. - """ + def __init__(self, filename): + with open(filename, "r") as f: + for line in f: + word = line.split() + if len(word) <= 2 or word[0] != "#define" or not word[1].startswith("CKA_"): + continue + if word[2] in self: + continue + if word[2].startswith("(CKF_ARRAY_ATTRIBUTE|"): + word[2] = word[2].translate(None, "()").split("|")[1] + self[word[1]] = int(word[2], 16) - value = self.value or self.default - if isinstance(value, list): - return "sizeof(const_0x%s)" % "".join("%02x" % v for v in value) - elif value and isinstance(self.type, str) and self.type.startswith("CK_"): - return "sizeof(%s)" % self.type - else: - return "0" - def format_value(self): - """ - Generate the descriptor value field. +class Attribute(object): """ + Definition of one attribute. + """ + + def __init__(self, name, type = None, footnotes = None, default = None, value = None, unimplemented = False): + assert value is None or default is None + self.name = name + self.type = type + self.footnotes = footnotes + self.default = self.convert_integers(default) + self.value = self.convert_integers(value) + self.unimplemented = unimplemented + + @staticmethod + def convert_integers(val): + """ + Convert a non-negative integer initialization value into a byte array. + """ + + if not isinstance(val, int): + return val + if val < 0: + raise ValueError("Negative integers not legal here: %s" % val) + bytes = [] + while val > 0: + bytes.insert(0, val & 0xFF) + val >>= 8 + return bytes or [0] + + def inherit(self, other): + """ + Merge values from paraent attribute definition, if any. + """ + + for k in ("type", "footnotes", "default", "value"): + if getattr(self, k) is None: + setattr(self, k, getattr(other, k)) + self.unimplemented = self.unimplemented or other.unimplemented + + def format_flags(self): + """ + Generate the descriptor flags field. + """ + + flags = [] + if self.footnotes: + flags.extend(flag_names.notes[f] for f in self.footnotes) + if self.value is None and self.default is not None: + flags.append("P11_DESCRIPTOR_DEFAULT_VALUE") + flags = " | ".join(flags) + return flags or "0" + + def format_size(self): + """ + Generate the descriptor size field. + """ + + if isinstance(self.type, str) and self.type.startswith("CK_"): + return "sizeof(%s)" % self.type + elif self.type in ("rfc2279string", "biginteger", "bytearray"): + return "0" + else: + raise PKCS11ParseError("Unknown meta-type %r" % self.type) + + def format_length(self): + """ + Generate the descriptor length field. + """ + + value = self.value or self.default + if isinstance(value, list): + return "sizeof(const_0x%s)" % "".join("%02x" % v for v in value) + elif value and isinstance(self.type, str) and self.type.startswith("CK_"): + return "sizeof(%s)" % self.type + else: + return "0" + + def format_value(self): + """ + Generate the descriptor value field. + """ + + value = self.value or self.default + if not value: + return "NULL_PTR" + elif isinstance(value, list): + return "const_0x" + "".join("%02x" % v for v in value) + else: + return "&const_" + value + + def format_constant(self, constants): + """ + Generate constant initializer values. These are merged so that we + only end up declaring one copy of each initializer value no matter + how many attributes use it. + """ + + value = self.value or self.default + if not self.unimplemented and value: + if isinstance(value, list): + constants.add("static const CK_BYTE const_%s[] = { %s };" % ( + "0x" + "".join("%02x" % v for v in value), + ", ".join("0x%02x" % v for v in value))) + else: + constants.add("static const %s const_%s = %s;" % (self.type, value, value)) + + def generate(self): + """ + Generate the descriptor line for this attribute. + """ + + if not self.unimplemented: + args.output_file.write(" { %s, %s, %s, %s, %s },\n" % ( + self.name, self.format_size(), self.format_length(), self.format_value(), self.format_flags())) - value = self.value or self.default - if not value: - return "NULL_PTR" - elif isinstance(value, list): - return "const_0x" + "".join("%02x" % v for v in value) - else: - return "&const_" + value - def format_constant(self, constants): +class Class(object): """ - Generate constant initializer values. These are merged so that we - only end up declaring one copy of each initializer value no matter - how many attributes use it. + A PKCS #11 class. """ - value = self.value or self.default - if not self.unimplemented and value: - if isinstance(value, list): - constants.add("static const CK_BYTE const_%s[] = { %s };" % ( - "0x" + "".join("%02x" % v for v in value), - ", ".join("0x%02x" % v for v in value))) - else: - constants.add("static const %s const_%s = %s;" % (self.type, value, value)) + def __init__(self, db, name, superclass = None, concrete = False, **attrs): + assert all(a.startswith("CKA_") for a in attrs), "Non-attribute: %r" % [a for a in attrs if not a.startswith("CKA_")] + self.attributes = dict((k, Attribute(k, **v)) for k, v in attrs.items()) + self.db = db + self.name = name + self.superclass = superclass + self.concrete = concrete - def generate(self): - """ - Generate the descriptor line for this attribute. - """ + def inherit(self, other): + """ + Inherit attributes from parent type. + """ - if not self.unimplemented: - args.output_file.write(" { %s, %s, %s, %s, %s },\n" % ( - self.name, self.format_size(), self.format_length(), self.format_value(), self.format_flags())) + for k, v in other.attributes.items(): + if k not in self.attributes: + self.attributes[k] = v + else: + self.attributes[k].inherit(v) + def collect_constants(self, constants): + """ + Collect initialization constants for all attributes. + """ -class Class(object): - """ - A PKCS #11 class. - """ - - def __init__(self, db, name, superclass = None, concrete = False, **attrs): - assert all(a.startswith("CKA_") for a in attrs), "Non-attribute: %r" % [a for a in attrs if not a.startswith("CKA_")] - self.attributes = dict((k, Attribute(k, **v)) for k, v in attrs.iteritems()) - self.db = db - self.name = name - self.superclass = superclass - self.concrete = concrete - - def inherit(self, other): - """ - Inherit attributes from parent type. - """ + if self.concrete: + for a in self.attributes.values(): + a.format_constant(constants) - for k, v in other.attributes.iteritems(): - if k not in self.attributes: - self.attributes[k] = v - else: - self.attributes[k].inherit(v) + def generate(self): + """ + Generate a descriptor for this type. + """ - def collect_constants(self, constants): - """ - Collect initialization constants for all attributes. - """ + if self.concrete: - if self.concrete: - for a in self.attributes.itervalues(): - a.format_constant(constants) + write_lines("", + "static const p11_attribute_descriptor_t p11_attribute_descriptor_%(name)s[] = {", + name = self.name) - def generate(self): - """ - Generate a descriptor for this type. - """ + for a in sorted(self.attributes, key = lambda x: attribute_numbers[x]): + self.attributes[a].generate() - if self.concrete: + write_lines("};", + "", + "static const p11_descriptor_t p11_descriptor_%(name)s = {", + " p11_attribute_descriptor_%(name)s,", + " sizeof(p11_attribute_descriptor_%(name)s)/sizeof(p11_attribute_descriptor_t)", + "};", + name = self.name) - write_lines("", - "static const p11_attribute_descriptor_t p11_attribute_descriptor_%(name)s[] = {", - name = self.name) + def keyclassmap(self): + """ + Generate a keyclass map entry if this is a concrete key type. + """ - for a in sorted(self.attributes, key = lambda x: attribute_numbers[x]): - self.attributes[a].generate() - - write_lines("};", - "", - "static const p11_descriptor_t p11_descriptor_%(name)s = {", - " p11_attribute_descriptor_%(name)s,", - " sizeof(p11_attribute_descriptor_%(name)s)/sizeof(p11_attribute_descriptor_t)", - "};", - name = self.name) - - def keyclassmap(self): - """ - Generate a keyclass map entry if this is a concrete key type. - """ - - if self.concrete and all(k in self.attributes and self.attributes[k].value for k in ("CKA_CLASS", "CKA_KEY_TYPE")): - write_lines(" { %s, %s, &p11_descriptor_%s }," % ( - self.attributes["CKA_CLASS"].value, self.attributes["CKA_KEY_TYPE"].value, self.name)) + if self.concrete and all(k in self.attributes and self.attributes[k].value for k in ("CKA_CLASS", "CKA_KEY_TYPE")): + write_lines(" { %s, %s, &p11_descriptor_%s }," % ( + self.attributes["CKA_CLASS"].value, self.attributes["CKA_KEY_TYPE"].value, self.name)) class DB(object): - """ - Object type database parsed from YAML - """ - - def __init__(self, y): - self.ordered = [Class(self, **y) for y in y] - self.named = dict((c.name, c) for c in self.ordered) - for c in self.ordered: - if c.superclass is not None: - c.inherit(self.named[c.superclass]) - - def generate(self): """ - Generate output for everything in the database. - """ - - constants = set() - for c in self.ordered: - c.collect_constants(constants) - for constant in sorted(constants): - write_lines(constant) - for c in self.ordered: - c.generate() - write_lines("", - "static const p11_descriptor_keyclass_map_t p11_descriptor_keyclass_map[] = {") - for c in self.ordered: - c.keyclassmap() - write_lines("};") + Object type database parsed from YAML + """ + + def __init__(self, y): + self.ordered = [Class(self, **y) for y in y] + self.named = dict((c.name, c) for c in self.ordered) + for c in self.ordered: + if c.superclass is not None: + c.inherit(self.named[c.superclass]) + + def generate(self): + """ + Generate output for everything in the database. + """ + + constants = set() + for c in self.ordered: + c.collect_constants(constants) + for constant in sorted(constants): + write_lines(constant) + for c in self.ordered: + c.generate() + write_lines("", + "static const p11_descriptor_keyclass_map_t p11_descriptor_keyclass_map[] = {") + for c in self.ordered: + c.keyclassmap() + write_lines("};") # Main program diff --git a/scripts/build-py11-attributes b/scripts/build-py11-attributes index cacb63a..107d33b 100755 --- a/scripts/build-py11-attributes +++ b/scripts/build-py11-attributes @@ -54,10 +54,10 @@ parser.add_argument("output_file", help = "Output .py file", nargs = "?", typ args = parser.parse_args() attribute_map = dict( - (k, v["type"]) - for y in yaml.safe_load(args.yaml_file) - for k, v in y.iteritems() - if k.startswith("CKA_") and "type" in v) + (k, v["type"]) + for y in yaml.safe_load(args.yaml_file) + for k, v in y.items() + if k.startswith("CKA_") and "type" in v) args.output_file.write('''\ # This file was generated automatically from %(input)s by %(script)s. Do not edit this file directly. diff --git a/scripts/py11-test.py b/scripts/py11-test.py index 7a0e1d8..cf633a3 100644 --- a/scripts/py11-test.py +++ b/scripts/py11-test.py @@ -3,149 +3,150 @@ from cryptech.py11 import * from struct import pack, unpack +from binascii import hexlify, unhexlify def show_token(i, t, strip = True): - print "Token in slot #%d:" % i - fw = max(len(fn) for fn, ft in t.__class__._fields_) - for fn, ft in t.__class__._fields_: - fv = getattr(t, fn) - fn = "%-*s :" % (fw, fn) - if isinstance(fv, CK_VERSION): - print " ", fn, "%d.%d" % (fv.major, fv.minor) - elif isinstance(fv, (int, long)): - print " ", fn, fv - else: - print " ", fn, repr(str(fv).rstrip(" ") if strip else str(fv)) + print("Token in slot #%d:" % i) + fw = max(len(fn) for fn, ft in t.__class__._fields_) + for fn, ft in t.__class__._fields_: + fv = getattr(t, fn) + fn = "%-*s :" % (fw, fn) + if isinstance(fv, CK_VERSION): + print(" ", fn, "%d.%d" % (fv.major, fv.minor)) + elif isinstance(fv, int): + print(" ", fn, fv) + else: + print(" ", fn, repr(str(fv).rstrip(" ") if strip else str(fv))) def genkeypair_templates(name = "foo", **kwargs): - label_id = ((CKA_LABEL, name), (CKA_ID, name)) - return ( - # Public template - label_id + tuple(kwargs.iteritems()) + - ((CKA_VERIFY, True), - (CKA_ENCRYPT, False), - (CKA_WRAP, False), - (CKA_TOKEN, False)), - # Private template - label_id + - ((CKA_SIGN, True), - (CKA_DECRYPT, False), - (CKA_UNWRAP, False), - (CKA_SENSITIVE, True), - (CKA_TOKEN, False), - (CKA_PRIVATE, True), - (CKA_EXTRACTABLE, False))) + label_id = ((CKA_LABEL, name), (CKA_ID, name)) + return ( + # Public template + label_id + tuple(kwargs.items()) + + ((CKA_VERIFY, True), + (CKA_ENCRYPT, False), + (CKA_WRAP, False), + (CKA_TOKEN, False)), + # Private template + label_id + + ((CKA_SIGN, True), + (CKA_DECRYPT, False), + (CKA_UNWRAP, False), + (CKA_SENSITIVE, True), + (CKA_TOKEN, False), + (CKA_PRIVATE, True), + (CKA_EXTRACTABLE, False))) def show_keys(session, key_class, *attributes): - p11.C_FindObjectsInit(session, {CKA_CLASS: key_class}) - for o in p11.C_FindObjects(session): - a = p11.C_GetAttributeValue(session, o, attributes + (CKA_CLASS, CKA_KEY_TYPE, CKA_LABEL, CKA_ID, CKA_TOKEN, - CKA_PRIVATE, CKA_LOCAL, CKA_KEY_GEN_MECHANISM)) - w = max(len(p11.adb.attribute_name(k)) for k in a) - print "Object:", o - for k, v in a.iteritems(): - print " %*s (0x%08x): %r" % (w, p11.adb.attribute_name(k), k, v) - p11.C_FindObjectsFinal(session) + p11.C_FindObjectsInit(session, {CKA_CLASS: key_class}) + for o in p11.C_FindObjects(session): + a = p11.C_GetAttributeValue(session, o, attributes + (CKA_CLASS, CKA_KEY_TYPE, CKA_LABEL, CKA_ID, CKA_TOKEN, + CKA_PRIVATE, CKA_LOCAL, CKA_KEY_GEN_MECHANISM)) + w = max(len(p11.adb.attribute_name(k)) for k in a) + print("Object:", o) + for k, v in a.items(): + print(" %*s (0x%08x): %r" % (w, p11.adb.attribute_name(k), k, v)) + p11.C_FindObjectsFinal(session) def build_ecpoint(x, y): - h = (max(x.bit_length(), y.bit_length()) + 15) / 16 - d = chr(0x04) + ("%0*x%0*x" % (h, x, h, y)).decode("hex") - if len(d) < 128: - h = "%c%c" % (0x04, len(d)) - else: - n = len(d).bit_length() - h = ("%c%c" % (0x04, (n + 7) / 8)) + ("%0*x" % ((n + 15) / 16, len(d))).decode("hex") - return h + d + h = (max(x.bit_length(), y.bit_length()) + 15) / 16 + d = b"\04" + unhexlify("%0*x%0*x" % (h, x, h, y)) + if len(d) < 128: + h = b"%c%c" % (0x04, len(d)) + else: + n = len(d).bit_length() + h = (b"%c%c" % (0x04, (n + 7) / 8)) + unhexlify("%0*x" % ((n + 15) / 16, len(d))) + return h + d -ec_curve_oid_p256 = "".join(chr(i) for i in (0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07)) -ec_curve_oid_p384 = "".join(chr(i) for i in (0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22)) -ec_curve_oid_p521 = "".join(chr(i) for i in (0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23)) +ec_curve_oid_p256 = b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07" +ec_curve_oid_p384 = b"\x06\x05\x2b\x81\x04\x00\x22" +ec_curve_oid_p521 = b"\x06\x05\x2b\x81\x04\x00\x23" p11 = PKCS11("./libcryptech-pkcs11.so") if False: - print "Not using MUTEXes at all" - p11.C_Initialize() + print("Not using MUTEXes at all") + p11.C_Initialize() elif False: - print "Using OS MUTEXes" - p11.C_Initialize(CKF_OS_LOCKING_OK) + print("Using OS MUTEXes") + p11.C_Initialize(CKF_OS_LOCKING_OK) else: - print "Using our own pseudo-MUTEXes" - from cryptech.py11.mutex import MutexDB - mdb = MutexDB() - p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) + print("Using our own pseudo-MUTEXes") + from cryptech.py11.mutex import MutexDB + mdb = MutexDB() + p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) slots = p11.C_GetSlotList() -print -print "Listing slots and tokens" +print() +print("Listing slots and tokens") for i in slots: - show_token(i, p11.C_GetTokenInfo(i)) + show_token(i, p11.C_GetTokenInfo(i)) slot = slots[0] -print -print "Generating some random data" +print() +print("Generating some random data") session = p11.C_OpenSession(slot) random = p11.C_GenerateRandom(session, 33) -print len(random), "".join("%02x" % ord(i) for i in random) +print(len(random), hexlify(random)) -print -print "Logging in" +print() +print("Logging in") p11.C_Login(session, CKU_USER, "fnord") if False: - print - print "Generating RSA keypair" - rsa_templates = genkeypair_templates("RSA", CKA_MODULUS_BITS = 1024) - rsa_keypair = p11.C_GenerateKeyPair(session, CKM_RSA_PKCS_KEY_PAIR_GEN, rsa_templates[0], rsa_templates[1]) - print rsa_keypair - -print -print "Generating EC P256 keypair" + print() + print("Generating RSA keypair") + rsa_templates = genkeypair_templates("RSA", CKA_MODULUS_BITS = 1024) + rsa_keypair = p11.C_GenerateKeyPair(session, CKM_RSA_PKCS_KEY_PAIR_GEN, rsa_templates[0], rsa_templates[1]) + print(rsa_keypair) + +print() +print("Generating EC P256 keypair") ec_templates = genkeypair_templates("EC-P256", CKA_EC_PARAMS = ec_curve_oid_p256) ec_p256_keypair = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1]) -print ec_p256_keypair +print(ec_p256_keypair) -print -print "Generating EC P384 keypair" +print() +print("Generating EC P384 keypair") ec_templates = genkeypair_templates("EC-P384", CKA_EC_PARAMS = ec_curve_oid_p384) ec_p384_keypair = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1]) -print ec_p384_keypair +print(ec_p384_keypair) -print -print "Generating EC P521 keypair" +print() +print("Generating EC P521 keypair") ec_templates = genkeypair_templates("EC-P521", CKA_EC_PARAMS = ec_curve_oid_p521) ec_p521_keypair = p11.C_GenerateKeyPair(session, CKM_EC_KEY_PAIR_GEN, ec_templates[0], ec_templates[1]) -print ec_p521_keypair +print(ec_p521_keypair) -print -print "Listing keys" +print() +print("Listing keys") show_keys(session, CKO_PUBLIC_KEY, CKA_VERIFY, CKA_ENCRYPT, CKA_WRAP) show_keys(session, CKO_PRIVATE_KEY, CKA_SIGN, CKA_DECRYPT, CKA_UNWRAP) hamster = "Your mother was a hamster" -print -print "Testing P-256 signature" +print() +print("Testing P-256 signature") p11.C_SignInit(session, CKM_ECDSA_SHA256, ec_p256_keypair[1]) sig_p256 = p11.C_Sign(session, hamster) -print "Signature:", sig_p256.encode("hex") +print("Signature:", hexlify(sig_p256.encode)) -print -print "Testing P256 verification" +print() +print("Testing P256 verification") p11.C_VerifyInit(session, CKM_ECDSA_SHA256, ec_p256_keypair[0]) p11.C_Verify(session, hamster, sig_p256) -print "OK" # Verification failure throws an exception +print("OK") # Verification failure throws an exception -print -print "Testing C_CreateObject()" +print() +print("Testing C_CreateObject()") handle = p11.C_CreateObject(session, dict( CKA_CLASS = CKO_PUBLIC_KEY, CKA_KEY_TYPE = CKK_EC, @@ -158,16 +159,16 @@ handle = p11.C_CreateObject(session, dict( CKA_EC_POINT = build_ecpoint(0x8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8, 0xd8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9), CKA_EC_PARAMS = ec_curve_oid_p256)) -print handle +print(handle) -print -print "Verifying canned signature with public key installed via C_CreateObject()" +print() +print("Verifying canned signature with public key installed via C_CreateObject()") p11.C_VerifyInit(session, CKM_ECDSA, handle) p11.C_Verify(session, - "7c3e883ddc8bd688f96eac5e9324222c8f30f9d6bb59e9c5f020bd39ba2b8377".decode("hex"), - "7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c".decode("hex") + - "7d1ff961980f961bdaa3233b6209f4013317d3e3f9e1493592dbeaa1af2bc367".decode("hex")) -print "OK" + unhexlify("7c3e883ddc8bd688f96eac5e9324222c8f30f9d6bb59e9c5f020bd39ba2b8377"), + unhexlify("7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c") + + unhexlify("7d1ff961980f961bdaa3233b6209f4013317d3e3f9e1493592dbeaa1af2bc367")) +print("OK") p11.C_CloseAllSessions(slot) p11.C_Finalize() diff --git a/scripts/test-hsmcheck b/scripts/test-hsmcheck index b28d578..cb2efce 100755 --- a/scripts/test-hsmcheck +++ b/scripts/test-hsmcheck @@ -49,134 +49,134 @@ from xml.etree.ElementTree import ElementTree, Element, SubElement def write_config(): - """ - Write hsmcheck configuration file. - """ + """ + Write hsmcheck configuration file. + """ - e = Element("Configuration") - r = SubElement(e, "RepositoryList") - r = SubElement(r, "Repository", name = "default") - SubElement(r, "Module").text = args.driver - SubElement(r, "TokenLabel").text = args.token_label - SubElement(r, "PIN").text = args.pin - ElementTree(e).write(args.write_config) - args.write_config.flush() + e = Element("Configuration") + r = SubElement(e, "RepositoryList") + r = SubElement(r, "Repository", name = "default") + SubElement(r, "Module").text = args.driver + SubElement(r, "TokenLabel").text = args.token_label + SubElement(r, "PIN").text = args.pin + ElementTree(e).write(args.write_config) + args.write_config.flush() def hsmcheck(flag): - """ - Run hsmcheck program with appropriate options and verbosity. - """ - - assert flag in "rgsd" - cmd = (args.hsmcheck_binary, "-c", args.write_config.name, "-" + flag) - if args.verbose: - sys.stdout.write("Running: %s\n" % " ".join(cmd)) - if flag == "s": - text = check_output(cmd) - sys.stdout.write(text) - if not args.no_dnssec: - check_dnssec(text) - else: - check_call(cmd) + """ + Run hsmcheck program with appropriate options and verbosity. + """ + + assert flag in "rgsd" + cmd = (args.hsmcheck_binary, "-c", args.write_config.name, "-" + flag) + if args.verbose: + sys.stdout.write("Running: %s\n" % " ".join(cmd)) + if flag == "s": + text = check_output(cmd) + sys.stdout.write(text) + if not args.no_dnssec: + check_dnssec(text) + else: + check_call(cmd) def check_dnssec(text): - """ - Use DNSPython to attempt DNSSEC validation on "hsmcheck -s" output. + """ + Use DNSPython to attempt DNSSEC validation on "hsmcheck -s" output. - This requires the DNSPython toolkit, which in turn requires - PyCrypto; ECDSA support (not yet tested) requires a third package. - On Debian-family Linux, you can install these with: + This requires the DNSPython toolkit, which in turn requires + PyCrypto; ECDSA support (not yet tested) requires a third package. + On Debian-family Linux, you can install these with: - sudo apt-get install python-dnspython python-crypto python-ecdsa + sudo apt-get install python-dnspython python-crypto python-ecdsa - Equivalent packages exist for other platforms. - """ + Equivalent packages exist for other platforms. + """ - try: - from dns.exception import DNSException - import dns.dnssec - import dns.rrset - import Crypto.PublicKey.RSA - #import ecdsa.ecdsa - except ImportError: - sys.exit("Problem importing DNSPython or supporting crypto packages, are they installed?") + try: + from dns.exception import DNSException + import dns.dnssec + import dns.rrset + import Crypto.PublicKey.RSA + #import ecdsa.ecdsa + except ImportError: + sys.exit("Problem importing DNSPython or supporting crypto packages, are they installed?") - wired_ttl = "3600" - wired_rdclass = "IN" + wired_ttl = "3600" + wired_rdclass = "IN" - rrs = {} + rrs = {} - for line in text.splitlines(): + for line in text.splitlines(): - try: - name, ttl, rdclass, rdtype, rdata = line.split(None, 4) - except ValueError: - continue + try: + name, ttl, rdclass, rdtype, rdata = line.split(None, 4) + except ValueError: + continue - if ttl != wired_ttl or rdclass != wired_rdclass: - continue + if ttl != wired_ttl or rdclass != wired_rdclass: + continue - try: - rrs[name, rdtype].append(rdata) - except KeyError: - rrs[name, rdtype] = [rdata] + try: + rrs[name, rdtype].append(rdata) + except KeyError: + rrs[name, rdtype] = [rdata] - # Done parsing. We expect to have seen an A RRset, an RRSIG of that - # A RRset, and the DNSKEY that we'll need to verify the RRSIG. + # Done parsing. We expect to have seen an A RRset, an RRSIG of that + # A RRset, and the DNSKEY that we'll need to verify the RRSIG. - if len(rrs) != 3: - sys.exit("Expected two RRsets and an RRSIG, got %r" % rrs) + if len(rrs) != 3: + sys.exit("Expected two RRsets and an RRSIG, got %r" % rrs) - rrs = dict((rdtype, dns.rrset.from_text_list(name, int(wired_ttl), wired_rdclass, rdtype, rrs[name, rdtype])) - for name, rdtype in rrs) + rrs = dict((rdtype, dns.rrset.from_text_list(name, int(wired_ttl), wired_rdclass, rdtype, rrs[name, rdtype])) + for name, rdtype in rrs) - try: - dns.dnssec.validate(rrs["A"], rrs["RRSIG"], { rrs["DNSKEY"].name : rrs["DNSKEY"] }) - except DNSException, e: - sys.exit("DNSSEC verification failed: %s" % e) + try: + dns.dnssec.validate(rrs["A"], rrs["RRSIG"], { rrs["DNSKEY"].name : rrs["DNSKEY"] }) + except DNSException as e: + sys.exit("DNSSEC verification failed: %s" % e) - sys.stdout.write("\nDNSSEC verification successful!\n\n") + sys.stdout.write("\nDNSSEC verification successful!\n\n") # Main program. try: - default_config = NamedTemporaryFile() - default_hsmcheck = os.getenv("HSMCHECK", "hsmcheck") - default_driver = os.getenv("PKCS11_DRIVER", - os.path.realpath(os.path.join(os.path.dirname(sys.argv[0]), "..", "libpkcs11.so"))) - - parser = ArgumentParser(description = __doc__, formatter_class = ArgumentDefaultsHelpFormatter) - one_of = parser.add_mutually_exclusive_group() - one_of.add_argument("-a", "--all", "--rgsd", const = "rgsd", dest = "test", action = "store_const", help = "run all tests") - one_of.add_argument("-r", "--random", const = "r", dest = "test", action = "store_const", help = "just test random numbers") - one_of.add_argument("-g", "--generate", const = "g", dest = "test", action = "store_const", help = "just test key generation") - one_of.add_argument("-s", "--sign", const = "s", dest = "test", action = "store_const", help = "just test DNSSEC-signature") - one_of.add_argument("-d", "--delete", const = "d", dest = "test", action = "store_const", help = "just delete key") - parser.add_argument("-b", "--hsmcheck-binary", default = default_hsmcheck, help = "location of hsmcheck program") - parser.add_argument("-p", "--pin", default = "12345", help = "HSM PIN to use for tests") - parser.add_argument("-t", "--token-label", default = "Cryptech Token", help = "PKCS #11 label of Cryptech token") - parser.add_argument("-n", "--no-dnssec", action = "store_true", help = "do not attempt DNSSEC validation") - parser.add_argument("-v", "--verbose", action = "store_true", help = "bark more") - parser.add_argument("-D", "--driver", default = default_driver, help = "location of PKCS #11 driver") - parser.add_argument("-w", "--write-config", default = default_config, help = "write generated configuration to this file", - type = ArgumentFileType("w")) - parser.add_argument("--debug", action = "store_true", help = "debug this script") - parser.set_defaults(test = "rgsd") - args = parser.parse_args() - - try: - write_config() - for flag in args.test: - hsmcheck(flag) - - except Exception as e: - if args.debug: - raise - sys.exit("Failed: %s" % e) + default_config = NamedTemporaryFile() + default_hsmcheck = os.getenv("HSMCHECK", "hsmcheck") + default_driver = os.getenv("PKCS11_DRIVER", + os.path.realpath(os.path.join(os.path.dirname(sys.argv[0]), "..", "libpkcs11.so"))) + + parser = ArgumentParser(description = __doc__, formatter_class = ArgumentDefaultsHelpFormatter) + one_of = parser.add_mutually_exclusive_group() + one_of.add_argument("-a", "--all", "--rgsd", const = "rgsd", dest = "test", action = "store_const", help = "run all tests") + one_of.add_argument("-r", "--random", const = "r", dest = "test", action = "store_const", help = "just test random numbers") + one_of.add_argument("-g", "--generate", const = "g", dest = "test", action = "store_const", help = "just test key generation") + one_of.add_argument("-s", "--sign", const = "s", dest = "test", action = "store_const", help = "just test DNSSEC-signature") + one_of.add_argument("-d", "--delete", const = "d", dest = "test", action = "store_const", help = "just delete key") + parser.add_argument("-b", "--hsmcheck-binary", default = default_hsmcheck, help = "location of hsmcheck program") + parser.add_argument("-p", "--pin", default = "12345", help = "HSM PIN to use for tests") + parser.add_argument("-t", "--token-label", default = "Cryptech Token", help = "PKCS #11 label of Cryptech token") + parser.add_argument("-n", "--no-dnssec", action = "store_true", help = "do not attempt DNSSEC validation") + parser.add_argument("-v", "--verbose", action = "store_true", help = "bark more") + parser.add_argument("-D", "--driver", default = default_driver, help = "location of PKCS #11 driver") + parser.add_argument("-w", "--write-config", default = default_config, help = "write generated configuration to this file", + type = ArgumentFileType("w")) + parser.add_argument("--debug", action = "store_true", help = "debug this script") + parser.set_defaults(test = "rgsd") + args = parser.parse_args() + + try: + write_config() + for flag in args.test: + hsmcheck(flag) + + except Exception as e: + if args.debug: + raise + sys.exit("Failed: %s" % e) finally: - default_config.close() + default_config.close() diff --git a/scripts/thready-time-signature.py b/scripts/thready-time-signature.py index fb84c1e..e3bd0bf 100755 --- a/scripts/thready-time-signature.py +++ b/scripts/thready-time-signature.py @@ -8,7 +8,7 @@ import collections import threading import argparse import datetime -import Queue +import queue import sys from Crypto.Hash.SHA256 import SHA256Hash as SHA256 @@ -101,7 +101,7 @@ class Results(object): self.sum += t1 - t0 self.n += 1 if not args.quiet: - print "{:4d} {}".format(self.n, delta) + print("{:4d} {}".format(self.n, delta)) @property def mean(self): @@ -119,7 +119,7 @@ class Results(object): with self.lock: if self.t1 is None: self.t1 = datetime.datetime.now() - print "{0.name} sigs/second {0.sigs_per_second} mean {0.mean} throughput {0.throughput} (n {0.n}, t0 {0.t0}, t1 {0.t1})".format(self) + print("{0.name} sigs/second {0.sigs_per_second} mean {0.mean} throughput {0.throughput} (n {0.n}, t0 {0.t0}, t1 {0.t1})".format(self)) class Worker(threading.Thread): @@ -158,19 +158,19 @@ def main(): args = parser.parse_args() global q - q = Queue.Queue() + q = queue.Queue() global p11 p11 = PKCS11(args.libpkcs11) if not args.quiet: - print "Initializing" + print("Initializing") p11.C_Initialize(CKF_OS_LOCKING_OK) session = p11.C_OpenSession(args.slot) p11.C_Login(session, CKU_USER, args.pin) - for i in xrange(args.threads): + for i in range(args.threads): w = Worker() w.setDaemon(True) w.start() @@ -178,7 +178,7 @@ def main(): for name in args.keys: if not args.quiet: - print "Starting test with key {}, {} iterations".format(name, args.iterations) + print("Starting test with key {}, {} iterations".format(name, args.iterations)) k = key_table[name] @@ -187,7 +187,7 @@ def main(): global results results = Results(name) - for i in xrange(args.iterations): + for i in range(args.iterations): q.put(k) q.join() diff --git a/scripts/time-signature.py b/scripts/time-signature.py index 732eaa4..5c816ee 100755 --- a/scripts/time-signature.py +++ b/scripts/time-signature.py @@ -99,7 +99,7 @@ def main(): p11 = PKCS11(args.libpkcs11) if not args.quiet: - print "Initializing" + print("Initializing") p11.C_Initialize() session = p11.C_OpenSession(args.slot) @@ -107,25 +107,25 @@ def main(): for name in args.keys: - print "Starting test with key {}, {} iterations".format(name, args.iterations) + print("Starting test with key {}, {} iterations".format(name, args.iterations)) k = key_table[name] k.create(args, p11, session, "Your mother was a hamster") mean = datetime.timedelta(seconds = 0) - for i in xrange(args.iterations): + for i in range(args.iterations): t0 = datetime.datetime.now() p11.C_SignInit(session, k.ckm, k.handle) sig = p11.C_Sign(session, k.tbs) t1 = datetime.datetime.now() k.verify(sig) if not args.quiet: - print "{:4d} {}".format(i, t1 - t0) + print("{:4d} {}".format(i, t1 - t0)) mean += t1 - t0 mean /= args.iterations - print "mean {}".format(mean) + print("mean {}".format(mean)) p11.C_DestroyObject(session, k.handle) |