From 0b38c44e80ef00ed0c8921c24c044af92c19b14a Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Fri, 13 May 2016 20:18:11 -0400 Subject: Rework unit_test framework to use argparse and to run RPC server automatically if present. --- unit_tests.py | 563 +++++++++++++++++++++++++++++++--------------------------- 1 file changed, 306 insertions(+), 257 deletions(-) diff --git a/unit_tests.py b/unit_tests.py index 75f2602..9220609 100644 --- a/unit_tests.py +++ b/unit_tests.py @@ -1,280 +1,329 @@ #!/usr/bin/env python +""" +PKCS #11 unit tests, using Py11 and the Python unit_test framework. +""" + import unittest from py11 import * from py11.mutex import MutexDB -p11 = None -so_pin = "fnord" -user_pin = "fnord" -only_slot = 0 -verbose = True -class TestInit(unittest.TestCase): - """ - Test all the flavors of C_Initialize(). - """ +class Defaults: + so_pin = "fnord" + user_pin = "fnord" + only_slot = 0 + verbose = False + p11util = "./libpkcs11.so" + dbname = "unit_tests.db" + server = "../libhal/tests/test-rpc_server" + +args = Defaults +p11 = None +rpc = None + +def main(): + from argparse import ArgumentParser + parser = ArgumentParser(__doc__) + parser.add_argument("--verbose", action = "store_true") + parser.add_argument("--so-pin") + parser.add_argument("--user-pin") + parser.add_argument("--only-slot", type = int) + parser.add_argument("--p11util") + parser.add_argument("--dbname") + parser.add_argument("--server") + parser.set_defaults(**vars(Defaults)) + global args + args = parser.parse_args() + unittest.main(verbosity = 2 if args.verbose else 1) - def test_mutex_none(self): - p11.C_Initialize() +def setUpModule(): + global p11 + p11 = PKCS11(args.p11util) + + from subprocess import Popen, PIPE + from os import unlink, environ, geteuid + from os.path import abspath, isfile + + if args.verbose: + print "Initializing database" + db = abspath(args.dbname) + if isfile(db): + unlink(db) + environ["PKCS11_DATABASE"] = db + Popen((args.p11util, "-sup"), stdin = PIPE).communicate( + "{args.so_pin}\n{args.user_pin}\n".format(args = args)) + + if isfile(args.server): + if args.verbose: + print "Starting RPC server" + cmd = [args.server] + if geteuid() != 0: + cmd.insert(0, "sudo") + global rpc + rpc = Popen(cmd) + + if args.verbose: + print "Setup complete" - def test_mutex_os(self): - p11.C_Initialize(CKF_OS_LOCKING_OK) +def tearDownModule(): + from os import unlink + unlink(args.dbname) + global rpc + if rpc is not None: + if geteuid() == 0: + rpc.terminate() + else: + from subprocess import check_call + check_call(("sudo", "kill", str(rpc.pid))) - def test_mutex_user(self): - mdb = MutexDB() - p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) - def test_mutex_both(self): - mdb = MutexDB() - p11.C_Initialize(CKF_OS_LOCKING_OK, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) +class TestInit(unittest.TestCase): + """ + Test all the flavors of C_Initialize(). + """ - def tearDown(self): - p11.C_Finalize() + def test_mutex_none(self): + p11.C_Initialize() -class TestDevice(unittest.TestCase): - """ - Test basic device stuff like C_GetSlotList(), C_OpenSession(), and C_Login(). - """ - - @classmethod - def setUpClass(cls): - p11.C_Initialize() - - @classmethod - def tearDownClass(cls): - p11.C_Finalize() - - def tearDown(self): - p11.C_CloseAllSessions(only_slot) - - def test_getSlots(self): - self.assertEqual(p11.C_GetSlotList(), (only_slot,)) - - def test_getTokenInfo(self): - token_info = p11.C_GetTokenInfo(only_slot) - self.assertIsInstance(token_info, CK_TOKEN_INFO) - self.assertEqual(token_info.label.rstrip(), "Cryptech Token") - - def test_sessions_serial(self): - rw_session = p11.C_OpenSession(only_slot, CKF_RW_SESSION | CKF_SERIAL_SESSION) - ro_session = p11.C_OpenSession(only_slot, CKF_SERIAL_SESSION) - - def test_sessions_parallel(self): - # Cooked API doesn't allow this mistake, must use raw API to test - from ctypes import byref - handle = CK_SESSION_HANDLE() - notify = CK_NOTIFY() - with self.assertRaises(CKR_SESSION_PARALLEL_NOT_SUPPORTED): - p11.so.C_OpenSession(only_slot, CKF_RW_SESSION, None, notify, byref(handle)) - with self.assertRaises(CKR_SESSION_PARALLEL_NOT_SUPPORTED): - p11.so.C_OpenSession(only_slot, 0, None, notify, byref(handle)) - - def test_login_user(self): - rw_session = p11.C_OpenSession(only_slot, CKF_RW_SESSION | CKF_SERIAL_SESSION) - ro_session = p11.C_OpenSession(only_slot, CKF_SERIAL_SESSION) - p11.C_Login(ro_session, CKU_USER, user_pin) - p11.C_Logout(ro_session) - - def test_login_so(self): - rw_session = p11.C_OpenSession(only_slot, CKF_RW_SESSION | CKF_SERIAL_SESSION) - ro_session = p11.C_OpenSession(only_slot, CKF_SERIAL_SESSION) - self.assertRaises(CKR_SESSION_READ_ONLY_EXISTS, p11.C_Login, ro_session, CKU_SO, so_pin) - p11.C_CloseSession(ro_session) - p11.C_Login(rw_session, CKU_SO, so_pin) - self.assertRaises(CKR_SESSION_READ_WRITE_SO_EXISTS, p11.C_OpenSession, only_slot, CKF_SERIAL_SESSION) - p11.C_Logout(rw_session) - - def test_random(self): - # Testing that what this produces really is random seems beyond - # the scope of a unit test. - session = p11.C_OpenSession(only_slot) - n = 17 - random = p11.C_GenerateRandom(session, n) - self.assertIsInstance(random, str) - self.assertEqual(len(random), n) - - def test_findObjects(self): - session = p11.C_OpenSession(only_slot) - p11.C_FindObjectsInit(session, CKA_CLASS = CKO_PUBLIC_KEY) - with self.assertRaises(CKR_OPERATION_ACTIVE): - p11.C_FindObjectsInit(session, CKA_CLASS = CKO_PRIVATE_KEY) - for handle in p11.C_FindObjects(session): - self.assertIsInstance(handle, (int, long)) - p11.C_FindObjectsFinal(session) + def test_mutex_os(self): + p11.C_Initialize(CKF_OS_LOCKING_OK) + def test_mutex_user(self): + mdb = MutexDB() + p11.C_Initialize(0, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) -class TestKeys(unittest.TestCase): - """ - Tests involving keys. - """ - - oid_p256 = "".join(chr(i) for i in (0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07)) - oid_p384 = "".join(chr(i) for i in (0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22)) - oid_p521 = "".join(chr(i) for i in (0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23)) - - @classmethod - def setUpClass(cls): - p11.C_Initialize() - - @classmethod - def tearDownClass(cls): - p11.C_Finalize() - - def setUp(self): - self.session = p11.C_OpenSession(only_slot) - p11.C_Login(self.session, CKU_USER, user_pin) - - def tearDown(self): - for handle in p11.FindObjects(self.session): - p11.C_DestroyObject(self.session, handle) - p11.C_CloseAllSessions(only_slot) - del self.session - - def assertIsKeypair(self, public_handle, private_handle = None): - if isinstance(public_handle, tuple) and private_handle is None: - public_handle, private_handle = public_handle - self.assertEqual(p11.C_GetAttributeValue(self.session, public_handle, CKA_CLASS), {CKA_CLASS: CKO_PUBLIC_KEY}) - self.assertEqual(p11.C_GetAttributeValue(self.session, private_handle, CKA_CLASS), {CKA_CLASS: CKO_PRIVATE_KEY}) - - def test_keygen_token_vs_session(self): - self.assertIsKeypair( - p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False, - CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True)) - self.assertIsKeypair( - p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = True, - CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True)) - self.assertIsKeypair( - p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, - public_CKA_TOKEN = False, private_CKA_TOKEN = True, - CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True)) - self.assertIsKeypair( - p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, - public_CKA_TOKEN = True, private_CKA_TOKEN = False, - CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True)) - - def test_gen_sign_verify_ecdsa_p256_sha256(self): - public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, - CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, - CKA_SIGN = True, CKA_VERIFY = True) - self.assertIsKeypair(public_key, private_key) - hamster = "Your mother was a hamster" - p11.C_SignInit(self.session, CKM_ECDSA_SHA256, private_key) - sig = p11.C_Sign(self.session, hamster) - self.assertIsInstance(sig, str) - p11.C_VerifyInit(self.session, CKM_ECDSA_SHA256, public_key) - p11.C_Verify(self.session, hamster, sig) - - @unittest.skip("SHA-384 not available in current build") - def test_gen_sign_verify_ecdsa_p384_sha384(self): - public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, - CKA_ID = "EC-P384", CKA_EC_PARAMS = self.oid_p384, - CKA_SIGN = True, CKA_VERIFY = True) - self.assertIsKeypair(public_key, private_key) - hamster = "Your mother was a hamster" - p11.C_SignInit(self.session, CKM_ECDSA_SHA384, private_key) - sig = p11.C_Sign(self.session, hamster) - self.assertIsInstance(sig, str) - p11.C_VerifyInit(self.session, CKM_ECDSA_SHA384, public_key) - p11.C_Verify(self.session, hamster, sig) - - @unittest.skip("SHA-512 not available in current build") - def test_gen_sign_verify_ecdsa_p521_sha512(self): - public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, - CKA_ID = "EC-P521", CKA_EC_PARAMS = self.oid_p521, - CKA_SIGN = True, CKA_VERIFY = True) - self.assertIsKeypair(public_key, private_key) - hamster = "Your mother was a hamster" - p11.C_SignInit(self.session, CKM_ECDSA_SHA512, private_key) - sig = p11.C_Sign(self.session, hamster) - self.assertIsInstance(sig, str) - p11.C_VerifyInit(self.session, CKM_ECDSA_SHA512, public_key) - p11.C_Verify(self.session, hamster, sig) - - def test_gen_rsa_1024(self): - self.assertIsKeypair( - p11.C_GenerateKeyPair(self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024, - CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True)) - - @unittest.skip("RSA key generation is still painfully slow") - def test_gen_rsa_2048(self): - self.assertIsKeypair( - p11.C_GenerateKeyPair(self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 2048, - CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True)) - - @staticmethod - def _build_ecpoint(x, y): - bytes_per_coordinate = (max(x.bit_length(), y.bit_length()) + 15) / 16 - value = chr(0x04) + ("%0*x%0*x" % (bytes_per_coordinate, x, bytes_per_coordinate, y)).decode("hex") - if len(value) < 128: - length = chr(len(value)) - else: - n = len(value).bit_length() - length = chr((n + 7) / 8) + ("%0*x" % ((n + 15) / 16, len(value))).decode("hex") - tag = chr(0x04) - return tag + length + value - - def test_canned_ecdsa_p256_verify(self): - Q = self._build_ecpoint(0x8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8, - 0xd8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9) - H = "7c3e883ddc8bd688f96eac5e9324222c8f30f9d6bb59e9c5f020bd39ba2b8377".decode("hex") - r = "7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c".decode("hex") - s = "7d1ff961980f961bdaa3233b6209f4013317d3e3f9e1493592dbeaa1af2bc367".decode("hex") - handle = p11.C_CreateObject( - session = self.session, - CKA_CLASS = CKO_PUBLIC_KEY, - CKA_KEY_TYPE = CKK_EC, - CKA_LABEL = "EC-P-256 test case from \"Suite B Implementer's Guide to FIPS 186-3\"", - CKA_ID = "EC-P-256", - CKA_VERIFY = True, - CKA_EC_POINT = Q, - CKA_EC_PARAMS = self.oid_p256) - p11.C_VerifyInit(self.session, CKM_ECDSA, handle) - p11.C_Verify(self.session, H, r + s) - - def test_canned_ecdsa_p384_verify(self): - Q = self._build_ecpoint(0x1fbac8eebd0cbf35640b39efe0808dd774debff20a2a329e91713baf7d7f3c3e81546d883730bee7e48678f857b02ca0, - 0xeb213103bd68ce343365a8a4c3d4555fa385f5330203bdd76ffad1f3affb95751c132007e1b240353cb0a4cf1693bdf9) - H = "b9210c9d7e20897ab86597266a9d5077e8db1b06f7220ed6ee75bd8b45db37891f8ba5550304004159f4453dc5b3f5a1".decode("hex") - r = "a0c27ec893092dea1e1bd2ccfed3cf945c8134ed0c9f81311a0f4a05942db8dbed8dd59f267471d5462aa14fe72de856".decode("hex") - s = "20ab3f45b74f10b6e11f96a2c8eb694d206b9dda86d3c7e331c26b22c987b7537726577667adadf168ebbe803794a402".decode("hex") - handle = p11.C_CreateObject( - session = self.session, - CKA_CLASS = CKO_PUBLIC_KEY, - CKA_KEY_TYPE = CKK_EC, - CKA_LABEL = "EC-P-384 test case from \"Suite B Implementer's Guide to FIPS 186-3\"", - CKA_ID = "EC-P-384", - CKA_VERIFY = True, - CKA_EC_POINT = Q, - CKA_EC_PARAMS = self.oid_p384) - p11.C_VerifyInit(self.session, CKM_ECDSA, handle) - p11.C_Verify(self.session, H, r + s) + def test_mutex_both(self): + mdb = MutexDB() + p11.C_Initialize(CKF_OS_LOCKING_OK, mdb.create, mdb.destroy, mdb.lock, mdb.unlock) + def tearDown(self): + p11.C_Finalize() +class TestDevice(unittest.TestCase): + """ + Test basic device stuff like C_GetSlotList(), C_OpenSession(), and C_Login(). + """ + + @classmethod + def setUpClass(cls): + p11.C_Initialize() + + @classmethod + def tearDownClass(cls): + p11.C_Finalize() + + def tearDown(self): + p11.C_CloseAllSessions(args.only_slot) + + def test_getSlots(self): + self.assertEqual(p11.C_GetSlotList(), (args.only_slot,)) + + def test_getTokenInfo(self): + token_info = p11.C_GetTokenInfo(args.only_slot) + self.assertIsInstance(token_info, CK_TOKEN_INFO) + self.assertEqual(token_info.label.rstrip(), "Cryptech Token") + + def test_sessions_serial(self): + rw_session = p11.C_OpenSession(args.only_slot, CKF_RW_SESSION | CKF_SERIAL_SESSION) + ro_session = p11.C_OpenSession(args.only_slot, CKF_SERIAL_SESSION) + + def test_sessions_parallel(self): + # Cooked API doesn't allow this mistake, must use raw API to test + from ctypes import byref + handle = CK_SESSION_HANDLE() + notify = CK_NOTIFY() + with self.assertRaises(CKR_SESSION_PARALLEL_NOT_SUPPORTED): + p11.so.C_OpenSession(args.only_slot, CKF_RW_SESSION, None, notify, byref(handle)) + with self.assertRaises(CKR_SESSION_PARALLEL_NOT_SUPPORTED): + p11.so.C_OpenSession(args.only_slot, 0, None, notify, byref(handle)) + + def test_login_user(self): + rw_session = p11.C_OpenSession(args.only_slot, CKF_RW_SESSION | CKF_SERIAL_SESSION) + ro_session = p11.C_OpenSession(args.only_slot, CKF_SERIAL_SESSION) + p11.C_Login(ro_session, CKU_USER, args.user_pin) + p11.C_Logout(ro_session) + + def test_login_so(self): + rw_session = p11.C_OpenSession(args.only_slot, CKF_RW_SESSION | CKF_SERIAL_SESSION) + ro_session = p11.C_OpenSession(args.only_slot, CKF_SERIAL_SESSION) + self.assertRaises(CKR_SESSION_READ_ONLY_EXISTS, p11.C_Login, ro_session, CKU_SO, args.so_pin) + p11.C_CloseSession(ro_session) + p11.C_Login(rw_session, CKU_SO, args.so_pin) + self.assertRaises(CKR_SESSION_READ_WRITE_SO_EXISTS, p11.C_OpenSession, args.only_slot, CKF_SERIAL_SESSION) + p11.C_Logout(rw_session) + + def test_random(self): + # Testing that what this produces really is random seems beyond + # the scope of a unit test. + session = p11.C_OpenSession(args.only_slot) + n = 17 + random = p11.C_GenerateRandom(session, n) + self.assertIsInstance(random, str) + self.assertEqual(len(random), n) + + def test_findObjects(self): + session = p11.C_OpenSession(args.only_slot) + p11.C_FindObjectsInit(session, CKA_CLASS = CKO_PUBLIC_KEY) + with self.assertRaises(CKR_OPERATION_ACTIVE): + p11.C_FindObjectsInit(session, CKA_CLASS = CKO_PRIVATE_KEY) + for handle in p11.C_FindObjects(session): + self.assertIsInstance(handle, (int, long)) + p11.C_FindObjectsFinal(session) -def setUpModule(): - global p11 - p11 = PKCS11("./libpkcs11.so") - import os, subprocess - if verbose: - print "Initializing database" - db = os.path.abspath("unit_tests.db") - if os.path.exists(db): - os.unlink(db) - os.environ["PKCS11_DATABASE"] = db - subprocess.Popen(("./p11util", "-sup"), stdin = subprocess.PIPE).communicate("%s\n%s\n" % (so_pin, user_pin)) - if verbose: - print "Setup complete" -def tearDownModule(): - import os - os.unlink(os.environ["PKCS11_DATABASE"]) +class TestKeys(unittest.TestCase): + """ + Tests involving keys. + """ + + oid_p256 = "".join(chr(i) for i in (0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07)) + oid_p384 = "".join(chr(i) for i in (0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22)) + oid_p521 = "".join(chr(i) for i in (0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23)) + + @classmethod + def setUpClass(cls): + p11.C_Initialize() + + @classmethod + def tearDownClass(cls): + p11.C_Finalize() + + def setUp(self): + self.session = p11.C_OpenSession(args.only_slot) + p11.C_Login(self.session, CKU_USER, args.user_pin) + + def tearDown(self): + for handle in p11.FindObjects(self.session): + p11.C_DestroyObject(self.session, handle) + p11.C_CloseAllSessions(args.only_slot) + del self.session + + def assertIsKeypair(self, public_handle, private_handle = None): + if isinstance(public_handle, tuple) and private_handle is None: + public_handle, private_handle = public_handle + self.assertEqual(p11.C_GetAttributeValue(self.session, public_handle, CKA_CLASS), {CKA_CLASS: CKO_PUBLIC_KEY}) + self.assertEqual(p11.C_GetAttributeValue(self.session, private_handle, CKA_CLASS), {CKA_CLASS: CKO_PRIVATE_KEY}) + + def test_keygen_token_vs_session(self): + self.assertIsKeypair( + p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = False, + CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, + CKA_SIGN = True, CKA_VERIFY = True)) + self.assertIsKeypair( + p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, CKA_TOKEN = True, + CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, + CKA_SIGN = True, CKA_VERIFY = True)) + self.assertIsKeypair( + p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, + public_CKA_TOKEN = False, private_CKA_TOKEN = True, + CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, + CKA_SIGN = True, CKA_VERIFY = True)) + self.assertIsKeypair( + p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, + public_CKA_TOKEN = True, private_CKA_TOKEN = False, + CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, + CKA_SIGN = True, CKA_VERIFY = True)) + + def test_gen_sign_verify_ecdsa_p256_sha256(self): + public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, + CKA_ID = "EC-P256", CKA_EC_PARAMS = self.oid_p256, + CKA_SIGN = True, CKA_VERIFY = True) + self.assertIsKeypair(public_key, private_key) + hamster = "Your mother was a hamster" + p11.C_SignInit(self.session, CKM_ECDSA_SHA256, private_key) + sig = p11.C_Sign(self.session, hamster) + self.assertIsInstance(sig, str) + p11.C_VerifyInit(self.session, CKM_ECDSA_SHA256, public_key) + p11.C_Verify(self.session, hamster, sig) + + @unittest.skip("SHA-384 not available in current build") + def test_gen_sign_verify_ecdsa_p384_sha384(self): + public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, + CKA_ID = "EC-P384", CKA_EC_PARAMS = self.oid_p384, + CKA_SIGN = True, CKA_VERIFY = True) + self.assertIsKeypair(public_key, private_key) + hamster = "Your mother was a hamster" + p11.C_SignInit(self.session, CKM_ECDSA_SHA384, private_key) + sig = p11.C_Sign(self.session, hamster) + self.assertIsInstance(sig, str) + p11.C_VerifyInit(self.session, CKM_ECDSA_SHA384, public_key) + p11.C_Verify(self.session, hamster, sig) + + @unittest.skip("SHA-512 not available in current build") + def test_gen_sign_verify_ecdsa_p521_sha512(self): + public_key, private_key = p11.C_GenerateKeyPair(self.session, CKM_EC_KEY_PAIR_GEN, + CKA_ID = "EC-P521", CKA_EC_PARAMS = self.oid_p521, + CKA_SIGN = True, CKA_VERIFY = True) + self.assertIsKeypair(public_key, private_key) + hamster = "Your mother was a hamster" + p11.C_SignInit(self.session, CKM_ECDSA_SHA512, private_key) + sig = p11.C_Sign(self.session, hamster) + self.assertIsInstance(sig, str) + p11.C_VerifyInit(self.session, CKM_ECDSA_SHA512, public_key) + p11.C_Verify(self.session, hamster, sig) + + def test_gen_rsa_1024(self): + self.assertIsKeypair( + p11.C_GenerateKeyPair(self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 1024, + CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True)) + + @unittest.skip("RSA key generation is still painfully slow") + def test_gen_rsa_2048(self): + self.assertIsKeypair( + p11.C_GenerateKeyPair(self.session, CKM_RSA_PKCS_KEY_PAIR_GEN, CKA_MODULUS_BITS = 2048, + CKA_ID = "RSA-1024", CKA_SIGN = True, CKA_VERIFY = True)) + + @staticmethod + def _build_ecpoint(x, y): + bytes_per_coordinate = (max(x.bit_length(), y.bit_length()) + 15) / 16 + value = chr(0x04) + ("%0*x%0*x" % (bytes_per_coordinate, x, bytes_per_coordinate, y)).decode("hex") + if len(value) < 128: + length = chr(len(value)) + else: + n = len(value).bit_length() + length = chr((n + 7) / 8) + ("%0*x" % ((n + 15) / 16, len(value))).decode("hex") + tag = chr(0x04) + return tag + length + value + + def test_canned_ecdsa_p256_verify(self): + Q = self._build_ecpoint(0x8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8, + 0xd8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9) + H = "7c3e883ddc8bd688f96eac5e9324222c8f30f9d6bb59e9c5f020bd39ba2b8377".decode("hex") + r = "7214bc9647160bbd39ff2f80533f5dc6ddd70ddf86bb815661e805d5d4e6f27c".decode("hex") + s = "7d1ff961980f961bdaa3233b6209f4013317d3e3f9e1493592dbeaa1af2bc367".decode("hex") + handle = p11.C_CreateObject( + session = self.session, + CKA_CLASS = CKO_PUBLIC_KEY, + CKA_KEY_TYPE = CKK_EC, + CKA_LABEL = "EC-P-256 test case from \"Suite B Implementer's Guide to FIPS 186-3\"", + CKA_ID = "EC-P-256", + CKA_VERIFY = True, + CKA_EC_POINT = Q, + CKA_EC_PARAMS = self.oid_p256) + p11.C_VerifyInit(self.session, CKM_ECDSA, handle) + p11.C_Verify(self.session, H, r + s) + + def test_canned_ecdsa_p384_verify(self): + Q = self._build_ecpoint(0x1fbac8eebd0cbf35640b39efe0808dd774debff20a2a329e91713baf7d7f3c3e81546d883730bee7e48678f857b02ca0, + 0xeb213103bd68ce343365a8a4c3d4555fa385f5330203bdd76ffad1f3affb95751c132007e1b240353cb0a4cf1693bdf9) + H = "b9210c9d7e20897ab86597266a9d5077e8db1b06f7220ed6ee75bd8b45db37891f8ba5550304004159f4453dc5b3f5a1".decode("hex") + r = "a0c27ec893092dea1e1bd2ccfed3cf945c8134ed0c9f81311a0f4a05942db8dbed8dd59f267471d5462aa14fe72de856".decode("hex") + s = "20ab3f45b74f10b6e11f96a2c8eb694d206b9dda86d3c7e331c26b22c987b7537726577667adadf168ebbe803794a402".decode("hex") + handle = p11.C_CreateObject( + session = self.session, + CKA_CLASS = CKO_PUBLIC_KEY, + CKA_KEY_TYPE = CKK_EC, + CKA_LABEL = "EC-P-384 test case from \"Suite B Implementer's Guide to FIPS 186-3\"", + CKA_ID = "EC-P-384", + CKA_VERIFY = True, + CKA_EC_POINT = Q, + CKA_EC_PARAMS = self.oid_p384) + p11.C_VerifyInit(self.session, CKM_ECDSA, handle) + p11.C_Verify(self.session, H, r + s) + if __name__ == "__main__": - unittest.main(verbosity = 2 if verbose else 1) + main() -- cgit v1.2.3