mirror of
https://github.com/OpenKMIP/PyKMIP.git
synced 2025-06-27 17:24:24 +02:00
950e98569e
This change fixes how the ProxyKmipClient handles cryptographic usage mask values for the CreateKeyPair operation. Originally, both Encrypt and Decrypt were set by default for both public and private keys. This is incorrect behavior for certain algorithms. Now, only the masks specified by the caller are set on the key pair. Fixes #412
863 lines
36 KiB
Python
863 lines
36 KiB
Python
# Copyright (c) 2015 The Johns Hopkins University/Applied Physics Laboratory
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
import six
|
|
import testtools
|
|
import pytest
|
|
|
|
from kmip.core import enums
|
|
|
|
from kmip.pie import exceptions
|
|
from kmip.pie import factory
|
|
from kmip.pie import objects
|
|
|
|
|
|
@pytest.mark.usefixtures("simple")
|
|
class TestProxyKmipClientIntegration(testtools.TestCase):
|
|
|
|
def setUp(self):
|
|
super(TestProxyKmipClientIntegration, self).setUp()
|
|
self.object_factory = factory.ObjectFactory()
|
|
|
|
def tearDown(self):
|
|
super(TestProxyKmipClientIntegration, self).tearDown()
|
|
|
|
def test_symmetric_key_create_get_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can create, retrieve, and destroy a
|
|
symmetric key.
|
|
"""
|
|
uid = self.client.create(enums.CryptographicAlgorithm.AES, 256)
|
|
self.assertIsInstance(uid, six.string_types)
|
|
|
|
try:
|
|
key = self.client.get(uid)
|
|
self.assertIsInstance(key, objects.SymmetricKey)
|
|
self.assertEqual(
|
|
key.cryptographic_algorithm,
|
|
enums.CryptographicAlgorithm.AES)
|
|
self.assertEqual(key.cryptographic_length, 256)
|
|
finally:
|
|
self.client.destroy(uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy, uid)
|
|
|
|
def test_create_get_wrapped_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can create keys, retrieve a wrapped key,
|
|
and then destroy the keys for cleanup.
|
|
"""
|
|
key_id = self.client.create(enums.CryptographicAlgorithm.AES, 256)
|
|
wrapping_id = self.client.create(
|
|
enums.CryptographicAlgorithm.AES,
|
|
256,
|
|
cryptographic_usage_mask=[
|
|
enums.CryptographicUsageMask.WRAP_KEY,
|
|
enums.CryptographicUsageMask.UNWRAP_KEY,
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
|
|
self.client.activate(wrapping_id)
|
|
|
|
unwrapped_key = self.client.get(key_id)
|
|
wrapped_key = self.client.get(
|
|
key_id,
|
|
key_wrapping_specification={
|
|
'wrapping_method': enums.WrappingMethod.ENCRYPT,
|
|
'encryption_key_information': {
|
|
'unique_identifier': wrapping_id,
|
|
'cryptographic_parameters': {
|
|
'block_cipher_mode':
|
|
enums.BlockCipherMode.NIST_KEY_WRAP
|
|
}
|
|
},
|
|
'encoding_option': enums.EncodingOption.NO_ENCODING
|
|
}
|
|
)
|
|
|
|
self.assertNotEqual(unwrapped_key.value, wrapped_key.value)
|
|
|
|
self.client.revoke(
|
|
enums.RevocationReasonCode.CESSATION_OF_OPERATION,
|
|
wrapping_id
|
|
)
|
|
self.client.destroy(key_id)
|
|
self.client.destroy(wrapping_id)
|
|
|
|
def test_symmetric_key_register_get_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can register, retrieve, and destroy a
|
|
symmetric key.
|
|
"""
|
|
# Key encoding obtained from Section 14.2 of the KMIP 1.1 test
|
|
# documentation.
|
|
key = objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E'
|
|
b'\x0F'),
|
|
name="Test Symmetric Key"
|
|
)
|
|
|
|
uid = self.client.register(key)
|
|
self.assertIsInstance(uid, six.string_types)
|
|
|
|
try:
|
|
result = self.client.get(uid)
|
|
self.assertIsInstance(result, objects.SymmetricKey)
|
|
self.assertEqual(
|
|
result, key, "expected {0}\nobserved {1}".format(result, key))
|
|
finally:
|
|
self.client.destroy(uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy, uid)
|
|
|
|
def test_register_wrapped_get_destroy(self):
|
|
"""
|
|
Test that a wrapped key can be registered with the server and that its
|
|
metadata is retrieved with the get operation.
|
|
"""
|
|
key = objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
128,
|
|
(b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E'
|
|
b'\x0F'),
|
|
key_wrapping_data={
|
|
'wrapping_method': enums.WrappingMethod.ENCRYPT,
|
|
'encryption_key_information': {
|
|
'unique_identifier': '42',
|
|
'cryptographic_parameters': {
|
|
'block_cipher_mode':
|
|
enums.BlockCipherMode.NIST_KEY_WRAP
|
|
}
|
|
},
|
|
'encoding_option': enums.EncodingOption.NO_ENCODING
|
|
}
|
|
)
|
|
key_id = self.client.register(key)
|
|
|
|
result = self.client.get(key_id)
|
|
key_wrapping_data = result.key_wrapping_data
|
|
self.assertIsInstance(key_wrapping_data, dict)
|
|
self.assertEqual(
|
|
enums.WrappingMethod.ENCRYPT,
|
|
key_wrapping_data.get('wrapping_method')
|
|
)
|
|
eki = key_wrapping_data.get('encryption_key_information')
|
|
self.assertIsInstance(eki, dict)
|
|
self.assertEqual('42', eki.get('unique_identifier'))
|
|
cp = eki.get('cryptographic_parameters')
|
|
self.assertIsInstance(cp, dict)
|
|
self.assertEqual(
|
|
enums.BlockCipherMode.NIST_KEY_WRAP,
|
|
cp.get('block_cipher_mode')
|
|
)
|
|
self.assertEqual(
|
|
enums.EncodingOption.NO_ENCODING,
|
|
key_wrapping_data.get('encoding_option')
|
|
)
|
|
|
|
def test_asymmetric_key_pair_create_get_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can create, retrieve, and destroy an
|
|
asymmetric key pair.
|
|
"""
|
|
public_uid, private_uid = self.client.create_key_pair(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
2048,
|
|
public_usage_mask=[enums.CryptographicUsageMask.ENCRYPT],
|
|
private_usage_mask=[enums.CryptographicUsageMask.DECRYPT]
|
|
)
|
|
self.assertIsInstance(public_uid, six.string_types)
|
|
self.assertIsInstance(private_uid, six.string_types)
|
|
|
|
try:
|
|
public_key = self.client.get(public_uid)
|
|
self.assertIsInstance(public_key, objects.PublicKey)
|
|
self.assertEqual(
|
|
public_key.cryptographic_algorithm,
|
|
enums.CryptographicAlgorithm.RSA)
|
|
self.assertEqual(public_key.cryptographic_length, 2048)
|
|
|
|
private_key = self.client.get(private_uid)
|
|
self.assertIsInstance(private_key, objects.PrivateKey)
|
|
self.assertEqual(
|
|
private_key.cryptographic_algorithm,
|
|
enums.CryptographicAlgorithm.RSA)
|
|
self.assertEqual(private_key.cryptographic_length, 2048)
|
|
finally:
|
|
self.client.destroy(public_uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, public_uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy,
|
|
public_uid)
|
|
|
|
self.client.destroy(private_uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, private_uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy,
|
|
private_uid)
|
|
|
|
def test_public_key_register_get_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can register, retrieve, and destroy a
|
|
public key.
|
|
"""
|
|
# Key encoding obtained from Section 13.4 of the KMIP 1.1 test
|
|
# documentation.
|
|
key = objects.PublicKey(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
2048,
|
|
(b'\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\x7F\x16\x1C\x00\x42'
|
|
b'\x49\x6C\xCD\x6C\x6D\x4D\xAD\xB9\x19\x97\x34\x35\x35\x77\x76'
|
|
b'\x00\x3A\xCF\x54\xB7\xAF\x1E\x44\x0A\xFB\x80\xB6\x4A\x87\x55'
|
|
b'\xF8\x00\x2C\xFE\xBA\x6B\x18\x45\x40\xA2\xD6\x60\x86\xD7\x46'
|
|
b'\x48\x34\x6D\x75\xB8\xD7\x18\x12\xB2\x05\x38\x7C\x0F\x65\x83'
|
|
b'\xBC\x4D\x7D\xC7\xEC\x11\x4F\x3B\x17\x6B\x79\x57\xC4\x22\xE7'
|
|
b'\xD0\x3F\xC6\x26\x7F\xA2\xA6\xF8\x9B\x9B\xEE\x9E\x60\xA1\xD7'
|
|
b'\xC2\xD8\x33\xE5\xA5\xF4\xBB\x0B\x14\x34\xF4\xE7\x95\xA4\x11'
|
|
b'\x00\xF8\xAA\x21\x49\x00\xDF\x8B\x65\x08\x9F\x98\x13\x5B\x1C'
|
|
b'\x67\xB7\x01\x67\x5A\xBD\xBC\x7D\x57\x21\xAA\xC9\xD1\x4A\x7F'
|
|
b'\x08\x1F\xCE\xC8\x0B\x64\xE8\xA0\xEC\xC8\x29\x53\x53\xC7\x95'
|
|
b'\x32\x8A\xBF\x70\xE1\xB4\x2E\x7B\xB8\xB7\xF4\xE8\xAC\x8C\x81'
|
|
b'\x0C\xDB\x66\xE3\xD2\x11\x26\xEB\xA8\xDA\x7D\x0C\xA3\x41\x42'
|
|
b'\xCB\x76\xF9\x1F\x01\x3D\xA8\x09\xE9\xC1\xB7\xAE\x64\xC5\x41'
|
|
b'\x30\xFB\xC2\x1D\x80\xE9\xC2\xCB\x06\xC5\xC8\xD7\xCC\xE8\x94'
|
|
b'\x6A\x9A\xC9\x9B\x1C\x28\x15\xC3\x61\x2A\x29\xA8\x2D\x73\xA1'
|
|
b'\xF9\x93\x74\xFE\x30\xE5\x49\x51\x66\x2A\x6E\xDA\x29\xC6\xFC'
|
|
b'\x41\x13\x35\xD5\xDC\x74\x26\xB0\xF6\x05\x02\x03\x01\x00\x01'),
|
|
enums.KeyFormatType.PKCS_1)
|
|
|
|
uid = self.client.register(key)
|
|
self.assertIsInstance(uid, six.string_types)
|
|
|
|
try:
|
|
result = self.client.get(uid)
|
|
self.assertIsInstance(result, objects.PublicKey)
|
|
self.assertEqual(
|
|
result, key, "expected {0}\nobserved {1}".format(result, key))
|
|
finally:
|
|
self.client.destroy(uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy, uid)
|
|
|
|
def test_private_key_register_get_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can register, retrieve, and destroy a
|
|
private key.
|
|
"""
|
|
# Key encoding obtained from Section 13.4 of the KMIP 1.1 test
|
|
# documentation.
|
|
key = objects.PrivateKey(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
2048,
|
|
(b'\x30\x82\x04\xA5\x02\x01\x00\x02\x82\x01\x01\x00\xAB\x7F\x16'
|
|
b'\x1C\x00\x42\x49\x6C\xCD\x6C\x6D\x4D\xAD\xB9\x19\x97\x34\x35'
|
|
b'\x35\x77\x76\x00\x3A\xCF\x54\xB7\xAF\x1E\x44\x0A\xFB\x80\xB6'
|
|
b'\x4A\x87\x55\xF8\x00\x2C\xFE\xBA\x6B\x18\x45\x40\xA2\xD6\x60'
|
|
b'\x86\xD7\x46\x48\x34\x6D\x75\xB8\xD7\x18\x12\xB2\x05\x38\x7C'
|
|
b'\x0F\x65\x83\xBC\x4D\x7D\xC7\xEC\x11\x4F\x3B\x17\x6B\x79\x57'
|
|
b'\xC4\x22\xE7\xD0\x3F\xC6\x26\x7F\xA2\xA6\xF8\x9B\x9B\xEE\x9E'
|
|
b'\x60\xA1\xD7\xC2\xD8\x33\xE5\xA5\xF4\xBB\x0B\x14\x34\xF4\xE7'
|
|
b'\x95\xA4\x11\x00\xF8\xAA\x21\x49\x00\xDF\x8B\x65\x08\x9F\x98'
|
|
b'\x13\x5B\x1C\x67\xB7\x01\x67\x5A\xBD\xBC\x7D\x57\x21\xAA\xC9'
|
|
b'\xD1\x4A\x7F\x08\x1F\xCE\xC8\x0B\x64\xE8\xA0\xEC\xC8\x29\x53'
|
|
b'\x53\xC7\x95\x32\x8A\xBF\x70\xE1\xB4\x2E\x7B\xB8\xB7\xF4\xE8'
|
|
b'\xAC\x8C\x81\x0C\xDB\x66\xE3\xD2\x11\x26\xEB\xA8\xDA\x7D\x0C'
|
|
b'\xA3\x41\x42\xCB\x76\xF9\x1F\x01\x3D\xA8\x09\xE9\xC1\xB7\xAE'
|
|
b'\x64\xC5\x41\x30\xFB\xC2\x1D\x80\xE9\xC2\xCB\x06\xC5\xC8\xD7'
|
|
b'\xCC\xE8\x94\x6A\x9A\xC9\x9B\x1C\x28\x15\xC3\x61\x2A\x29\xA8'
|
|
b'\x2D\x73\xA1\xF9\x93\x74\xFE\x30\xE5\x49\x51\x66\x2A\x6E\xDA'
|
|
b'\x29\xC6\xFC\x41\x13\x35\xD5\xDC\x74\x26\xB0\xF6\x05\x02\x03'
|
|
b'\x01\x00\x01\x02\x82\x01\x00\x3B\x12\x45\x5D\x53\xC1\x81\x65'
|
|
b'\x16\xC5\x18\x49\x3F\x63\x98\xAA\xFA\x72\xB1\x7D\xFA\x89\x4D'
|
|
b'\xB8\x88\xA7\xD4\x8C\x0A\x47\xF6\x25\x79\xA4\xE6\x44\xF8\x6D'
|
|
b'\xA7\x11\xFE\xC8\x50\xCD\xD9\xDB\xBD\x17\xF6\x9A\x44\x3D\x2E'
|
|
b'\xC1\xDD\x60\xD3\xC6\x18\xFA\x74\xCD\xE5\xFD\xAF\xAB\xD6\xBA'
|
|
b'\xA2\x6E\xB0\xA3\xAD\xB4\xDE\xF6\x48\x0F\xB1\x21\x8C\xD3\xB0'
|
|
b'\x83\xE2\x52\xE8\x85\xB6\xF0\x72\x9F\x98\xB2\x14\x4D\x2B\x72'
|
|
b'\x29\x3E\x1B\x11\xD7\x33\x93\xBC\x41\xF7\x5B\x15\xEE\x3D\x75'
|
|
b'\x69\xB4\x99\x5E\xD1\xA1\x44\x25\xDA\x43\x19\xB7\xB2\x6B\x0E'
|
|
b'\x8F\xEF\x17\xC3\x75\x42\xAE\x5C\x6D\x58\x49\xF8\x72\x09\x56'
|
|
b'\x7F\x39\x25\xA4\x7B\x01\x6D\x56\x48\x59\x71\x7B\xC5\x7F\xCB'
|
|
b'\x45\x22\xD0\xAA\x49\xCE\x81\x6E\x5B\xE7\xB3\x08\x81\x93\x23'
|
|
b'\x6E\xC9\xEF\xFF\x14\x08\x58\x04\x5B\x73\xC5\xD7\x9B\xAF\x38'
|
|
b'\xF7\xC6\x7F\x04\xC5\xDC\xF0\xE3\x80\x6A\xD9\x82\xD1\x25\x90'
|
|
b'\x58\xC3\x47\x3E\x84\x71\x79\xA8\x78\xF2\xC6\xB3\xBD\x96\x8F'
|
|
b'\xB9\x9E\xA4\x6E\x91\x85\x89\x2F\x36\x76\xE7\x89\x65\xC2\xAE'
|
|
b'\xD4\x87\x7B\xA3\x91\x7D\xF0\x7C\x5E\x92\x74\x74\xF1\x9E\x76'
|
|
b'\x4B\xA6\x1D\xC3\x8D\x63\xBF\x29\x02\x81\x81\x00\xD5\xC6\x9C'
|
|
b'\x8C\x3C\xDC\x24\x64\x74\x4A\x79\x37\x13\xDA\xFB\x9F\x1D\xBC'
|
|
b'\x79\x9F\xF9\x64\x23\xFE\xCD\x3C\xBA\x79\x42\x86\xBC\xE9\x20'
|
|
b'\xF4\xB5\xC1\x83\xF9\x9E\xE9\x02\x8D\xB6\x21\x2C\x62\x77\xC4'
|
|
b'\xC8\x29\x7F\xCF\xBC\xE7\xF7\xC2\x4C\xA4\xC5\x1F\xC7\x18\x2F'
|
|
b'\xB8\xF4\x01\x9F\xB1\xD5\x65\x96\x74\xC5\xCB\xE6\xD5\xFA\x99'
|
|
b'\x20\x51\x34\x17\x60\xCD\x00\x73\x57\x29\xA0\x70\xA9\xE5\x4D'
|
|
b'\x34\x2B\xEB\xA8\xEF\x47\xEE\x82\xD3\xA0\x1B\x04\xCE\xC4\xA0'
|
|
b'\x0D\x4D\xDB\x41\xE3\x51\x16\xFC\x22\x1E\x85\x4B\x43\xA6\x96'
|
|
b'\xC0\xE6\x41\x9B\x1B\x02\x81\x81\x00\xCD\x5E\xA7\x70\x27\x89'
|
|
b'\x06\x4B\x67\x35\x40\xCB\xFF\x09\x35\x6A\xD8\x0B\xC3\xD5\x92'
|
|
b'\x81\x2E\xBA\x47\x61\x0B\x9F\xAC\x6A\xEC\xEF\xE2\x2A\xCA\xE4'
|
|
b'\x38\x45\x9C\xDA\x74\xE5\x96\x53\xD8\x8C\x04\x18\x9D\x34\x39'
|
|
b'\x9B\xF5\xB1\x4B\x92\x0E\x34\xEF\x38\xA7\xD0\x9F\xE6\x95\x93'
|
|
b'\x39\x6E\x8F\xE7\x35\xE6\xF0\xA6\xAE\x49\x90\x40\x10\x41\xD8'
|
|
b'\xA4\x06\xB6\xFD\x86\xA1\x16\x1E\x45\xF9\x5A\x3E\xAA\x5C\x10'
|
|
b'\x12\xE6\x66\x2E\x44\xF1\x5F\x33\x5A\xC9\x71\xE1\x76\x6B\x2B'
|
|
b'\xB9\xC9\x85\x10\x99\x74\x14\x1B\x44\xD3\x7E\x1E\x31\x98\x20'
|
|
b'\xA5\x5F\x02\x81\x81\x00\xB2\x87\x12\x37\xBF\x9F\xAD\x38\xC3'
|
|
b'\x31\x6A\xB7\x87\x7A\x6A\x86\x80\x63\xE5\x42\xA7\x18\x6D\x43'
|
|
b'\x1E\x8D\x27\xC1\x9A\xC0\x41\x45\x84\x03\x39\x42\xE9\xFF\x6E'
|
|
b'\x29\x73\xBB\x7B\x2D\x8B\x0E\x94\xAD\x1E\xE8\x21\x58\x10\x8F'
|
|
b'\xBC\x86\x64\x51\x7A\x5A\x46\x7F\xB9\x63\x01\x4B\xD5\xDC\xC2'
|
|
b'\xB4\xFB\x08\x7C\x23\x03\x9D\x11\x92\x0D\xBE\x22\xFD\x9F\x16'
|
|
b'\xB4\xD8\x9E\x23\x22\x5C\xD4\x55\xAD\xBA\xF3\x2E\xF4\x3F\x18'
|
|
b'\x58\x64\xA3\x6D\x63\x03\x09\xD6\x85\x3F\x77\x14\xB3\x9A\xAE'
|
|
b'\x1E\xBE\xE3\x93\x8F\x87\xC2\x70\x7E\x17\x8C\x73\x9F\x9F\x02'
|
|
b'\x81\x81\x00\x96\x90\xBE\xD1\x4B\x2A\xFA\xA2\x6D\x98\x6D\x59'
|
|
b'\x22\x31\xEE\x27\xD7\x1D\x49\x06\x5B\xD2\xBA\x1F\x78\x15\x7E'
|
|
b'\x20\x22\x98\x81\xFD\x9D\x23\x22\x7D\x0F\x84\x79\xEA\xEF\xA9'
|
|
b'\x22\xFD\x75\xD5\xB1\x6B\x1A\x56\x1F\xA6\x68\x0B\x04\x0C\xA0'
|
|
b'\xBD\xCE\x65\x0B\x23\xB9\x17\xA4\xB1\xBB\x79\x83\xA7\x4F\xAD'
|
|
b'\x70\xE1\xC3\x05\xCB\xEC\x2B\xFF\x1A\x85\xA7\x26\xA1\xD9\x02'
|
|
b'\x60\xE4\xF1\x08\x4F\x51\x82\x34\xDC\xD3\xFE\x77\x0B\x95\x20'
|
|
b'\x21\x5B\xD5\x43\xBB\x6A\x41\x17\x71\x87\x54\x67\x6A\x34\x17'
|
|
b'\x16\x66\xA7\x9F\x26\xE7\x9C\x14\x9C\x5A\xA1\x02\x81\x81\x00'
|
|
b'\xA0\xC9\x85\xA0\xA0\xA7\x91\xA6\x59\xF9\x97\x31\x13\x4C\x44'
|
|
b'\xF3\x7B\x2E\x52\x0A\x2C\xEA\x35\x80\x0A\xD2\x72\x41\xED\x36'
|
|
b'\x0D\xFD\xE6\xE8\xCA\x61\x4F\x12\x04\x7F\xD0\x8B\x76\xAC\x4D'
|
|
b'\x13\xC0\x56\xA0\x69\x9E\x2F\x98\xA1\xCA\xC9\x10\x11\x29\x4D'
|
|
b'\x71\x20\x8F\x4A\xBA\xB3\x3B\xA8\x7A\xA0\x51\x7F\x41\x5B\xAC'
|
|
b'\xA8\x8D\x6B\xAC\x00\x60\x88\xFA\x60\x1D\x34\x94\x17\xE1\xF0'
|
|
b'\xC9\xB2\x3A\xFF\xA4\xD4\x96\x61\x8D\xBC\x02\x49\x86\xED\x69'
|
|
b'\x0B\xBB\x7B\x02\x57\x68\xFF\x9D\xF8\xAC\x15\x41\x6F\x48\x9F'
|
|
b'\x81\x29\xC3\x23\x41\xA8\xB4\x4F'),
|
|
enums.KeyFormatType.PKCS_8)
|
|
|
|
uid = self.client.register(key)
|
|
self.assertIsInstance(uid, six.string_types)
|
|
|
|
try:
|
|
result = self.client.get(uid)
|
|
self.assertIsInstance(result, objects.PrivateKey)
|
|
self.assertEqual(
|
|
result, key, "expected {0}\nobserved {1}".format(result, key))
|
|
finally:
|
|
self.client.destroy(uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy, uid)
|
|
|
|
def test_x509_certificate_register_get_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can register, retrieve, and destroy an
|
|
X.509 certificate.
|
|
"""
|
|
# Certificate encoding obtained from Section 13.2 of the KMIP 1.1 test
|
|
# documentation.
|
|
cert = objects.X509Certificate(
|
|
(b'\x30\x82\x03\x12\x30\x82\x01\xFA\xA0\x03\x02\x01\x02\x02\x01'
|
|
b'\x01\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05'
|
|
b'\x00\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55'
|
|
b'\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x13\x04\x54\x45\x53'
|
|
b'\x54\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05\x4F\x41\x53'
|
|
b'\x49\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13\x04\x4B\x4D'
|
|
b'\x49\x50\x30\x1E\x17\x0D\x31\x30\x31\x31\x30\x31\x32\x33\x35'
|
|
b'\x39\x35\x39\x5A\x17\x0D\x32\x30\x31\x31\x30\x31\x32\x33\x35'
|
|
b'\x39\x35\x39\x5A\x30\x3B\x31\x0B\x30\x09\x06\x03\x55\x04\x06'
|
|
b'\x13\x02\x55\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x0A\x13\x04'
|
|
b'\x54\x45\x53\x54\x31\x0E\x30\x0C\x06\x03\x55\x04\x0B\x13\x05'
|
|
b'\x4F\x41\x53\x49\x53\x31\x0D\x30\x0B\x06\x03\x55\x04\x03\x13'
|
|
b'\x04\x4B\x4D\x49\x50\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86'
|
|
b'\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30'
|
|
b'\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\x7F\x16\x1C\x00\x42\x49'
|
|
b'\x6C\xCD\x6C\x6D\x4D\xAD\xB9\x19\x97\x34\x35\x35\x77\x76\x00'
|
|
b'\x3A\xCF\x54\xB7\xAF\x1E\x44\x0A\xFB\x80\xB6\x4A\x87\x55\xF8'
|
|
b'\x00\x2C\xFE\xBA\x6B\x18\x45\x40\xA2\xD6\x60\x86\xD7\x46\x48'
|
|
b'\x34\x6D\x75\xB8\xD7\x18\x12\xB2\x05\x38\x7C\x0F\x65\x83\xBC'
|
|
b'\x4D\x7D\xC7\xEC\x11\x4F\x3B\x17\x6B\x79\x57\xC4\x22\xE7\xD0'
|
|
b'\x3F\xC6\x26\x7F\xA2\xA6\xF8\x9B\x9B\xEE\x9E\x60\xA1\xD7\xC2'
|
|
b'\xD8\x33\xE5\xA5\xF4\xBB\x0B\x14\x34\xF4\xE7\x95\xA4\x11\x00'
|
|
b'\xF8\xAA\x21\x49\x00\xDF\x8B\x65\x08\x9F\x98\x13\x5B\x1C\x67'
|
|
b'\xB7\x01\x67\x5A\xBD\xBC\x7D\x57\x21\xAA\xC9\xD1\x4A\x7F\x08'
|
|
b'\x1F\xCE\xC8\x0B\x64\xE8\xA0\xEC\xC8\x29\x53\x53\xC7\x95\x32'
|
|
b'\x8A\xBF\x70\xE1\xB4\x2E\x7B\xB8\xB7\xF4\xE8\xAC\x8C\x81\x0C'
|
|
b'\xDB\x66\xE3\xD2\x11\x26\xEB\xA8\xDA\x7D\x0C\xA3\x41\x42\xCB'
|
|
b'\x76\xF9\x1F\x01\x3D\xA8\x09\xE9\xC1\xB7\xAE\x64\xC5\x41\x30'
|
|
b'\xFB\xC2\x1D\x80\xE9\xC2\xCB\x06\xC5\xC8\xD7\xCC\xE8\x94\x6A'
|
|
b'\x9A\xC9\x9B\x1C\x28\x15\xC3\x61\x2A\x29\xA8\x2D\x73\xA1\xF9'
|
|
b'\x93\x74\xFE\x30\xE5\x49\x51\x66\x2A\x6E\xDA\x29\xC6\xFC\x41'
|
|
b'\x13\x35\xD5\xDC\x74\x26\xB0\xF6\x05\x02\x03\x01\x00\x01\xA3'
|
|
b'\x21\x30\x1F\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\x04'
|
|
b'\xE5\x7B\xD2\xC4\x31\xB2\xE8\x16\xE1\x80\xA1\x98\x23\xFA\xC8'
|
|
b'\x58\x27\x3F\x6B\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01'
|
|
b'\x01\x05\x05\x00\x03\x82\x01\x01\x00\xA8\x76\xAD\xBC\x6C\x8E'
|
|
b'\x0F\xF0\x17\x21\x6E\x19\x5F\xEA\x76\xBF\xF6\x1A\x56\x7C\x9A'
|
|
b'\x13\xDC\x50\xD1\x3F\xEC\x12\xA4\x27\x3C\x44\x15\x47\xCF\xAB'
|
|
b'\xCB\x5D\x61\xD9\x91\xE9\x66\x31\x9D\xF7\x2C\x0D\x41\xBA\x82'
|
|
b'\x6A\x45\x11\x2F\xF2\x60\x89\xA2\x34\x4F\x4D\x71\xCF\x7C\x92'
|
|
b'\x1B\x4B\xDF\xAE\xF1\x60\x0D\x1B\xAA\xA1\x53\x36\x05\x7E\x01'
|
|
b'\x4B\x8B\x49\x6D\x4F\xAE\x9E\x8A\x6C\x1D\xA9\xAE\xB6\xCB\xC9'
|
|
b'\x60\xCB\xF2\xFA\xE7\x7F\x58\x7E\xC4\xBB\x28\x20\x45\x33\x88'
|
|
b'\x45\xB8\x8D\xD9\xAE\xEA\x53\xE4\x82\xA3\x6E\x73\x4E\x4F\x5F'
|
|
b'\x03\xB9\xD0\xDF\xC4\xCA\xFC\x6B\xB3\x4E\xA9\x05\x3E\x52\xBD'
|
|
b'\x60\x9E\xE0\x1E\x86\xD9\xB0\x9F\xB5\x11\x20\xC1\x98\x34\xA9'
|
|
b'\x97\xB0\x9C\xE0\x8D\x79\xE8\x13\x11\x76\x2F\x97\x4B\xB1\xC8'
|
|
b'\xC0\x91\x86\xC4\xD7\x89\x33\xE0\xDB\x38\xE9\x05\x08\x48\x77'
|
|
b'\xE1\x47\xC7\x8A\xF5\x2F\xAE\x07\x19\x2F\xF1\x66\xD1\x9F\xA9'
|
|
b'\x4A\x11\xCC\x11\xB2\x7E\xD0\x50\xF7\xA2\x7F\xAE\x13\xB2\x05'
|
|
b'\xA5\x74\xC4\xEE\x00\xAA\x8B\xD6\x5D\x0D\x70\x57\xC9\x85\xC8'
|
|
b'\x39\xEF\x33\x6A\x44\x1E\xD5\x3A\x53\xC6\xB6\xB6\x96\xF1\xBD'
|
|
b'\xEB\x5F\x7E\xA8\x11\xEB\xB2\x5A\x7F\x86'))
|
|
|
|
uid = self.client.register(cert)
|
|
self.assertIsInstance(uid, six.string_types)
|
|
|
|
try:
|
|
result = self.client.get(uid)
|
|
self.assertIsInstance(result, objects.X509Certificate)
|
|
self.assertEqual(
|
|
result, cert, "expected {0}\nobserved {1}".format(
|
|
result, cert))
|
|
finally:
|
|
self.client.destroy(uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy, uid)
|
|
|
|
def test_secret_data_register_get_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can register, retrieve, and destroy a
|
|
secret.
|
|
"""
|
|
# Secret encoding obtained from Section 3.1.5 of the KMIP 1.1 test
|
|
# documentation.
|
|
secret = objects.SecretData(
|
|
(b'\x53\x65\x63\x72\x65\x74\x50\x61\x73\x73\x77\x6F\x72\x64'),
|
|
enums.SecretDataType.PASSWORD)
|
|
|
|
uid = self.client.register(secret)
|
|
self.assertIsInstance(uid, six.string_types)
|
|
|
|
try:
|
|
result = self.client.get(uid)
|
|
self.assertIsInstance(result, objects.SecretData)
|
|
self.assertEqual(
|
|
result, secret, "expected {0}\nobserved {1}".format(
|
|
result, secret))
|
|
finally:
|
|
self.client.destroy(uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy, uid)
|
|
|
|
def test_opaque_object_register_get_destroy(self):
|
|
"""
|
|
Test that the ProxyKmipClient can register, retrieve, and destroy an
|
|
opaque object.
|
|
"""
|
|
# Object encoding obtained from Section 3.1.5 of the KMIP 1.1 test
|
|
# documentation.
|
|
obj = objects.OpaqueObject(
|
|
b'\x53\x65\x63\x72\x65\x74\x50\x61\x73\x73\x77\x6F\x72\x64',
|
|
enums.OpaqueDataType.NONE)
|
|
uid = self.client.register(obj)
|
|
self.assertIsInstance(uid, six.string_types)
|
|
|
|
try:
|
|
result = self.client.get(uid)
|
|
self.assertIsInstance(result, objects.OpaqueObject)
|
|
self.assertEqual(
|
|
result, obj, "expected {0}\nobserved {1}".format(result, obj))
|
|
finally:
|
|
self.client.destroy(uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.get, uid)
|
|
self.assertRaises(
|
|
exceptions.KmipOperationFailure, self.client.destroy, uid)
|
|
|
|
def test_derive_key_using_pbkdf2(self):
|
|
"""
|
|
Test that the ProxyKmipClient can derive a new key using PBKDF2.
|
|
"""
|
|
password_id = self.client.register(
|
|
objects.SecretData(
|
|
b'password',
|
|
enums.SecretDataType.PASSWORD,
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
)
|
|
key_id = self.client.derive_key(
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
[password_id],
|
|
enums.DerivationMethod.PBKDF2,
|
|
{
|
|
'cryptographic_parameters': {
|
|
'hashing_algorithm': enums.HashingAlgorithm.SHA_1
|
|
},
|
|
'salt': b'salt',
|
|
'iteration_count': 4096
|
|
},
|
|
cryptographic_length=160,
|
|
cryptographic_algorithm=enums.CryptographicAlgorithm.AES
|
|
)
|
|
|
|
key = self.client.get(key_id)
|
|
self.assertEqual(
|
|
(
|
|
b'\x4b\x00\x79\x01\xb7\x65\x48\x9a'
|
|
b'\xbe\xad\x49\xd9\x26\xf7\x21\xd0'
|
|
b'\x65\xa4\x29\xc1'
|
|
),
|
|
key.value
|
|
)
|
|
|
|
attribute_list = self.client.get_attribute_list(key_id)
|
|
self.assertIn('Cryptographic Algorithm', attribute_list)
|
|
self.assertIn('Cryptographic Length', attribute_list)
|
|
|
|
result_id, attribute_list = self.client.get_attributes(
|
|
uid=key_id,
|
|
attribute_names=['Cryptographic Algorithm', 'Cryptographic Length']
|
|
)
|
|
self.assertEqual(key_id, result_id)
|
|
self.assertEqual(2, len(attribute_list))
|
|
|
|
attribute = attribute_list[0]
|
|
self.assertEqual(
|
|
'Cryptographic Algorithm',
|
|
attribute.attribute_name.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
attribute.attribute_value.value
|
|
)
|
|
|
|
attribute = attribute_list[1]
|
|
self.assertEqual(
|
|
'Cryptographic Length',
|
|
attribute.attribute_name.value
|
|
)
|
|
self.assertEqual(160, attribute.attribute_value.value)
|
|
|
|
def test_derive_key_using_encryption(self):
|
|
"""
|
|
Test that the ProxyKmipClient can derive a new key using encryption.
|
|
"""
|
|
key_id = self.client.register(
|
|
objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.BLOWFISH,
|
|
128,
|
|
(
|
|
b'\x01\x23\x45\x67\x89\xAB\xCD\xEF'
|
|
b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
)
|
|
secret_id = self.client.derive_key(
|
|
enums.ObjectType.SECRET_DATA,
|
|
[key_id],
|
|
enums.DerivationMethod.ENCRYPT,
|
|
{
|
|
'cryptographic_parameters': {
|
|
'block_cipher_mode': enums.BlockCipherMode.CBC,
|
|
'padding_method': enums.PaddingMethod.PKCS5,
|
|
'cryptographic_algorithm':
|
|
enums.CryptographicAlgorithm.BLOWFISH
|
|
},
|
|
'initialization_vector': b'\xFE\xDC\xBA\x98\x76\x54\x32\x10',
|
|
'derivation_data': (
|
|
b'\x37\x36\x35\x34\x33\x32\x31\x20'
|
|
b'\x4E\x6F\x77\x20\x69\x73\x20\x74'
|
|
b'\x68\x65\x20\x74\x69\x6D\x65\x20'
|
|
b'\x66\x6F\x72\x20\x00'
|
|
)
|
|
},
|
|
cryptographic_length=256
|
|
)
|
|
|
|
secret = self.client.get(secret_id)
|
|
self.assertEqual(
|
|
(
|
|
b'\x6B\x77\xB4\xD6\x30\x06\xDE\xE6'
|
|
b'\x05\xB1\x56\xE2\x74\x03\x97\x93'
|
|
b'\x58\xDE\xB9\xE7\x15\x46\x16\xD9'
|
|
b'\x74\x9D\xEC\xBE\xC0\x5D\x26\x4B'
|
|
),
|
|
secret.value
|
|
)
|
|
|
|
def test_derive_key_using_nist_800_108c(self):
|
|
"""
|
|
Test that the ProxyKmipClient can derive a new key using
|
|
NIST 800 108-C.
|
|
"""
|
|
base_id = self.client.register(
|
|
objects.SymmetricKey(
|
|
enums.CryptographicAlgorithm.AES,
|
|
512,
|
|
(
|
|
b'\xdd\x5d\xbd\x45\x59\x3e\xe2\xac'
|
|
b'\x13\x97\x48\xe7\x64\x5b\x45\x0f'
|
|
b'\x22\x3d\x2f\xf2\x97\xb7\x3f\xd7'
|
|
b'\x1c\xbc\xeb\xe7\x1d\x41\x65\x3c'
|
|
b'\x95\x0b\x88\x50\x0d\xe5\x32\x2d'
|
|
b'\x99\xef\x18\xdf\xdd\x30\x42\x82'
|
|
b'\x94\xc4\xb3\x09\x4f\x4c\x95\x43'
|
|
b'\x34\xe5\x93\xbd\x98\x2e\xc6\x14'
|
|
),
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
)
|
|
key_id = self.client.derive_key(
|
|
enums.ObjectType.SYMMETRIC_KEY,
|
|
[base_id],
|
|
enums.DerivationMethod.NIST800_108_C,
|
|
{
|
|
'cryptographic_parameters': {
|
|
'hashing_algorithm': enums.HashingAlgorithm.SHA_512
|
|
},
|
|
'derivation_data': (
|
|
b'\xb5\x0b\x0c\x96\x3c\x6b\x30\x34'
|
|
b'\xb8\xcf\x19\xcd\x3f\x5c\x4e\xbe'
|
|
b'\x4f\x49\x85\xaf\x0c\x03\xe5\x75'
|
|
b'\xdb\x62\xe6\xfd\xf1\xec\xfe\x4f'
|
|
b'\x28\xb9\x5d\x7c\xe1\x6d\xf8\x58'
|
|
b'\x43\x24\x6e\x15\x57\xce\x95\xbb'
|
|
b'\x26\xcc\x9a\x21\x97\x4b\xbd\x2e'
|
|
b'\xb6\x9e\x83\x55'
|
|
)
|
|
},
|
|
cryptographic_length=128,
|
|
cryptographic_algorithm=enums.CryptographicAlgorithm.AES
|
|
)
|
|
|
|
key = self.client.get(key_id)
|
|
self.assertEqual(
|
|
(
|
|
b'\xe5\x99\x3b\xf9\xbd\x2a\xa1\xc4'
|
|
b'\x57\x46\x04\x2e\x12\x59\x81\x55'
|
|
),
|
|
key.value
|
|
)
|
|
|
|
attribute_list = self.client.get_attribute_list(key_id)
|
|
self.assertIn('Cryptographic Algorithm', attribute_list)
|
|
self.assertIn('Cryptographic Length', attribute_list)
|
|
|
|
result_id, attribute_list = self.client.get_attributes(
|
|
uid=key_id,
|
|
attribute_names=['Cryptographic Algorithm', 'Cryptographic Length']
|
|
)
|
|
self.assertEqual(key_id, result_id)
|
|
self.assertEqual(2, len(attribute_list))
|
|
|
|
attribute = attribute_list[0]
|
|
self.assertEqual(
|
|
'Cryptographic Algorithm',
|
|
attribute.attribute_name.value
|
|
)
|
|
self.assertEqual(
|
|
enums.CryptographicAlgorithm.AES,
|
|
attribute.attribute_value.value
|
|
)
|
|
|
|
attribute = attribute_list[1]
|
|
self.assertEqual(
|
|
'Cryptographic Length',
|
|
attribute.attribute_name.value
|
|
)
|
|
self.assertEqual(128, attribute.attribute_value.value)
|
|
|
|
def test_derive_key_using_hmac(self):
|
|
"""
|
|
Test that the ProxyKmipClient can derive a new key using HMAC.
|
|
"""
|
|
base_id = self.client.register(
|
|
objects.SecretData(
|
|
(
|
|
b'\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
|
|
b'\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
|
|
b'\x0c\x0c\x0c\x0c\x0c\x0c'
|
|
),
|
|
enums.SecretDataType.SEED,
|
|
masks=[enums.CryptographicUsageMask.DERIVE_KEY]
|
|
)
|
|
)
|
|
secret_id = self.client.derive_key(
|
|
enums.ObjectType.SECRET_DATA,
|
|
[base_id],
|
|
enums.DerivationMethod.HMAC,
|
|
{
|
|
'cryptographic_parameters': {
|
|
'hashing_algorithm': enums.HashingAlgorithm.SHA_1
|
|
},
|
|
'derivation_data': b'',
|
|
'salt': b''
|
|
},
|
|
cryptographic_length=336
|
|
)
|
|
|
|
secret = self.client.get(secret_id)
|
|
self.assertEqual(
|
|
(
|
|
b'\x2c\x91\x11\x72\x04\xd7\x45\xf3'
|
|
b'\x50\x0d\x63\x6a\x62\xf6\x4f\x0a'
|
|
b'\xb3\xba\xe5\x48\xaa\x53\xd4\x23'
|
|
b'\xb0\xd1\xf2\x7e\xbb\xa6\xf5\xe5'
|
|
b'\x67\x3a\x08\x1d\x70\xcc\xe7\xac'
|
|
b'\xfc\x48'
|
|
),
|
|
secret.value
|
|
)
|
|
|
|
def test_encrypt_decrypt(self):
|
|
"""
|
|
Test that the ProxyKmipClient can create an encryption key, encrypt
|
|
plain text with it, and then decrypt the cipher text, retrieving the
|
|
original plain text.
|
|
"""
|
|
# Create an encryption key.
|
|
key_id = self.client.create(
|
|
enums.CryptographicAlgorithm.AES,
|
|
256,
|
|
cryptographic_usage_mask=[
|
|
enums.CryptographicUsageMask.ENCRYPT,
|
|
enums.CryptographicUsageMask.DECRYPT
|
|
]
|
|
)
|
|
|
|
# Activate the encryption key.
|
|
self.client.activate(key_id)
|
|
|
|
# Encrypt some plain text.
|
|
plain_text = b'This is a secret message.'
|
|
cipher_text, iv = self.client.encrypt(
|
|
plain_text,
|
|
uid=key_id,
|
|
cryptographic_parameters={
|
|
'cryptographic_algorithm': enums.CryptographicAlgorithm.AES,
|
|
'block_cipher_mode': enums.BlockCipherMode.CBC,
|
|
'padding_method': enums.PaddingMethod.PKCS5
|
|
},
|
|
iv_counter_nonce=(
|
|
b'\x85\x1e\x87\x64\x77\x6e\x67\x96'
|
|
b'\xaa\xb7\x22\xdb\xb6\x44\xac\xe8'
|
|
)
|
|
)
|
|
|
|
self.assertEqual(None, iv)
|
|
|
|
# Decrypt the cipher text.
|
|
result = self.client.decrypt(
|
|
cipher_text,
|
|
uid=key_id,
|
|
cryptographic_parameters={
|
|
'cryptographic_algorithm': enums.CryptographicAlgorithm.AES,
|
|
'block_cipher_mode': enums.BlockCipherMode.CBC,
|
|
'padding_method': enums.PaddingMethod.PKCS5
|
|
},
|
|
iv_counter_nonce=(
|
|
b'\x85\x1e\x87\x64\x77\x6e\x67\x96'
|
|
b'\xaa\xb7\x22\xdb\xb6\x44\xac\xe8'
|
|
)
|
|
)
|
|
|
|
self.assertEqual(plain_text, result)
|
|
|
|
# Clean up.
|
|
self.client.revoke(
|
|
enums.RevocationReasonCode.CESSATION_OF_OPERATION,
|
|
key_id
|
|
)
|
|
self.client.destroy(key_id)
|
|
|
|
def test_create_key_pair_sign_signature_verify(self):
|
|
"""
|
|
Test that the ProxyKmipClient can create an asymmetric key pair and
|
|
then use that key pair (1) to sign data and (2) verify the signature
|
|
on the data.
|
|
"""
|
|
# Create a public/private key pair.
|
|
public_key_id, private_key_id = self.client.create_key_pair(
|
|
enums.CryptographicAlgorithm.RSA,
|
|
2048,
|
|
public_usage_mask=[
|
|
enums.CryptographicUsageMask.VERIFY
|
|
],
|
|
private_usage_mask=[
|
|
enums.CryptographicUsageMask.SIGN
|
|
]
|
|
)
|
|
|
|
self.assertIsInstance(public_key_id, str)
|
|
self.assertIsInstance(private_key_id, str)
|
|
|
|
# Activate the signing key and the signature verification key.
|
|
self.client.activate(private_key_id)
|
|
self.client.activate(public_key_id)
|
|
|
|
# Sign a message.
|
|
signature = self.client.sign(
|
|
b'This is a signed message.',
|
|
uid=private_key_id,
|
|
cryptographic_parameters={
|
|
'padding_method': enums.PaddingMethod.PSS,
|
|
'cryptographic_algorithm': enums.CryptographicAlgorithm.RSA,
|
|
'hashing_algorithm': enums.HashingAlgorithm.SHA_256
|
|
}
|
|
)
|
|
|
|
self.assertIsInstance(signature, six.binary_type)
|
|
|
|
# Verify the message signature.
|
|
result = self.client.signature_verify(
|
|
b'This is a signed message.',
|
|
signature,
|
|
uid=public_key_id,
|
|
cryptographic_parameters={
|
|
'padding_method': enums.PaddingMethod.PSS,
|
|
'cryptographic_algorithm': enums.CryptographicAlgorithm.RSA,
|
|
'hashing_algorithm': enums.HashingAlgorithm.SHA_256
|
|
}
|
|
)
|
|
|
|
self.assertEqual(result, enums.ValidityIndicator.VALID)
|
|
|
|
# Clean up.
|
|
self.client.revoke(
|
|
enums.RevocationReasonCode.CESSATION_OF_OPERATION,
|
|
public_key_id
|
|
)
|
|
self.client.revoke(
|
|
enums.RevocationReasonCode.CESSATION_OF_OPERATION,
|
|
private_key_id
|
|
)
|
|
self.client.destroy(public_key_id)
|
|
self.client.destroy(private_key_id)
|