diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1ee02b2..8be6fc6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -32,7 +32,8 @@ lint: stage: lint interruptible: true script: - - black -l 100 . --check + - black --version + - black -l 100 . --check --diff test: needs: [] diff --git a/docs/conf.py b/docs/conf.py index 30da7fb..4fadba4 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -52,7 +52,7 @@ # General information about the project. project = u"Pycryptoki" -copyright = u"2020, Gemalto" +copyright = u"2020-2021, Gemalto" # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the @@ -61,7 +61,7 @@ # The short X.Y version. version = "2.5" # The full version, including alpha/beta/rc tags. -release = "2.5.18" +release = "2.5.23" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/pycryptoki/ca_extensions/cpv4.py b/pycryptoki/ca_extensions/cpv4.py new file mode 100644 index 0000000..254303b --- /dev/null +++ b/pycryptoki/ca_extensions/cpv4.py @@ -0,0 +1,59 @@ +""" +cpv4 ca extensions +""" +import logging +from collections import namedtuple +from copy import deepcopy + +from pycryptoki.defines import CKR_OK +from pycryptoki.cryptoki import ( + CA_MigrateKeys, + CK_ULONG, + CK_SESSION_HANDLE, + CK_OBJECT_MIGRATION_DATA, +) +from pycryptoki.exceptions import make_error_handle_function + + +LOG = logging.getLogger(__name__) +MIGRATION_KEYS = ["object_type", "source_handle"] +MIGRATION_DATA = namedtuple("MIGRATION_DATA", deepcopy(MIGRATION_KEYS)) + + +def get_mig_data_c_struct(mig_data_list): + """ + Build an array of :class:`~pycryptoki.cryptoki.CK_OBJECT_MIGRATION_DATA` Structs & return it. + + :return: :class:`~pycryptoki.cryptoki.CK_OBJECT_MIGRATION_DATA` array + """ + ret_struct = (CK_OBJECT_MIGRATION_DATA * len(mig_data_list))() + for index, mig_data in enumerate(mig_data_list): + object_type, source_handle = mig_data + ret_struct[index] = CK_OBJECT_MIGRATION_DATA( + objectType=object_type, sourceHandle=source_handle + ) + return ret_struct + + +def ca_migrate_keys( + source_session, target_session, migration_flags, num_objects, objects_to_migrate +): + """ + Runs CA_MigrateKeys command + + :param objects_to_migrate: a list of tuples (objectType, sourceHandle) or list of MIGRATION_DATA + """ + objects_to_migrate = ( + objects_to_migrate if isinstance(objects_to_migrate, list) else [objects_to_migrate] + ) + c_mig_data = get_mig_data_c_struct(objects_to_migrate) + + ret = CA_MigrateKeys(source_session, target_session, migration_flags, num_objects, c_mig_data) + + if ret != CKR_OK: + return ret, None + + return ret, [(data.rv, data.targetHandle) for data in c_mig_data] + + +ca_migrate_keys_ex = make_error_handle_function(ca_migrate_keys) diff --git a/pycryptoki/cryptoki/__init__.py b/pycryptoki/cryptoki/__init__.py index 2db32f3..7e1c0d5 100644 --- a/pycryptoki/cryptoki/__init__.py +++ b/pycryptoki/cryptoki/__init__.py @@ -138,6 +138,8 @@ "CA_InitSlotRolePIN", "CA_InitializeRemotePEDVector", "CA_Insert", + "CA_MigrateKeys", + "CA_MigrationStartSessionNegotiation", "CA_InsertMaskedObject", "CA_InvokeService", "CA_InvokeServiceAsynch", @@ -472,6 +474,12 @@ "CK_X9_42_MQV_DERIVE_PARAMS_PTR", "CK_XOR_BASE_DATA_KDF_PARAMS", "CK_XOR_BASE_DATA_KDF_PARAMS_PTR", + "CK_CPV4_EXTRACT_PARAMS", + "CK_CPV4_EXTRACT_PARAMS_PTR", + "CK_CPV4_INSERT_PARAMS", + "CK_CPV4_INSERT_PARAMS_PTR", + "CK_OBJECT_MIGRATION_DATA", + "CK_OBJECT_MIGRATION_DATA_PTR", "C_CancelFunction", "C_CloseAllSessions", "C_CloseSession", diff --git a/pycryptoki/cryptoki/ck_defs.py b/pycryptoki/cryptoki/ck_defs.py index 29db196..4178dec 100644 --- a/pycryptoki/cryptoki/ck_defs.py +++ b/pycryptoki/cryptoki/ck_defs.py @@ -1126,6 +1126,69 @@ def __init__(self, aid=None): struct_def(CK_APPLICATION_ID, [("id", CK_BYTE * 16)]) +class CK_OBJECT_MIGRATION_DATA(Structure): + pass + + +struct_def( + CK_OBJECT_MIGRATION_DATA, + [ + ("objectType", CK_ULONG), + ("sourceHandle", CK_OBJECT_HANDLE), + ("targetHandle", CK_OBJECT_HANDLE), + ("rv", CK_RV), + ], +) +CK_OBJECT_MIGRATION_DATA_PTR = POINTER(CK_OBJECT_MIGRATION_DATA) + + +class CK_CPV4_EXTRACT_PARAMS(Structure): + pass + + +struct_def( + CK_CPV4_EXTRACT_PARAMS, + [ + ("inputLength", CK_ULONG), + ("input", CK_BYTE_PTR), + ("sessionOuidLen", CK_ULONG), + ("sessionOuid", CK_BYTE_PTR), + ("extractionFlags", CK_ULONG), + ("numberOfObjects", CK_ULONG), + ("objectType", CK_ULONG_PTR), + ("objectHandle", CK_ULONG_PTR), + ("result", CK_ULONG_PTR), + ("keyBlobLen", CK_ULONG_PTR), + ("keyBlob", POINTER(CK_BYTE_PTR)), + ], +) +CK_CPV4_EXTRACT_PARAMS_PTR = POINTER(CK_CPV4_EXTRACT_PARAMS) + + +class CK_CPV4_INSERT_PARAMS(Structure): + pass + + +struct_def( + CK_CPV4_INSERT_PARAMS, + [ + ("inputLength", CK_ULONG), + ("input", CK_BYTE_PTR), + ("sessionOuidLen", CK_ULONG), + ("sessionOuid", CK_BYTE_PTR), + ("insertionFlags", CK_ULONG), + ("numberOfObjects", CK_ULONG), + ("objectType", CK_ULONG_PTR), + ("storageType", CK_ULONG_PTR), + ("keyBlobLen", CK_ULONG_PTR), + ("keyBlob", POINTER(CK_BYTE_PTR)), + ("result", CK_ULONG_PTR), + ("objectHandle", CK_ULONG_PTR), + ], +) +CK_CPV4_INSERT_PTR = POINTER(CK_CPV4_INSERT_PARAMS) + + class CK_EDDSA_PARAMS(Structure): pass @@ -1183,3 +1246,11 @@ class CK_SHAKE_PARAMS(Structure): struct_def(CK_SHAKE_PARAMS, [("ulOutputLen", CK_ULONG)]) CK_SHAKE_PARAMS_PTR = POINTER(CK_SHAKE_PARAMS) + + +class CK_SHA_HMAC_GENERAL_PARAMS(Structure): + pass + + +struct_def(CK_SHA_HMAC_GENERAL_PARAMS, [("ulOutputLen", CK_ULONG)]) +CK_SHA_HMAC_GENERAL_PARAMS_PTR = POINTER(CK_SHA_HMAC_GENERAL_PARAMS) diff --git a/pycryptoki/cryptoki/func_defs.py b/pycryptoki/cryptoki/func_defs.py index 7dd7cde..7d32ab3 100644 --- a/pycryptoki/cryptoki/func_defs.py +++ b/pycryptoki/cryptoki/func_defs.py @@ -578,6 +578,14 @@ ) CA_Extract = make_late_binding_function("CA_Extract", [CK_SESSION_HANDLE, CK_MECHANISM_PTR]) CA_Insert = make_late_binding_function("CA_Insert", [CK_SESSION_HANDLE, CK_MECHANISM_PTR]) +CA_MigrateKeys = make_late_binding_function( + "CA_MigrateKeys", + [CK_SESSION_HANDLE, CK_SESSION_HANDLE, CK_ULONG, CK_ULONG, CK_OBJECT_MIGRATION_DATA_PTR], +) +CA_MigrationStartSessionNegotiation = make_late_binding_function( + "CA_MigrationStartSessionNegotiation", + [CK_SESSION_HANDLE, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR, CK_ULONG_PTR, CK_BYTE_PTR], +) CA_GetTokenObjectUID = make_late_binding_function( "CA_GetTokenObjectUID", [CK_SLOT_ID, CK_ULONG, CK_ULONG, POINTER(CK_BYTE)] ) diff --git a/pycryptoki/cryptoki/helpers.py b/pycryptoki/cryptoki/helpers.py index 1f4558a..9557729 100644 --- a/pycryptoki/cryptoki/helpers.py +++ b/pycryptoki/cryptoki/helpers.py @@ -10,7 +10,7 @@ from six.moves import configparser -from pycryptoki.cryptoki.ck_defs import CK_RV +from pycryptoki.cryptoki.c_defs import CK_RV from pycryptoki.defaults import CHRYSTOKI_DLL_FILE, CHRYSTOKI_CONFIG_FILE from pycryptoki.exceptions import LunaException @@ -80,9 +80,13 @@ def parse_chrystoki_conf(): ) LOG.debug("Searching %s for Chrystoki DLL path...", conf_path) - - dll_path = _search_for_dll_in_chrystoki_conf(conf_path) - + try: + dll_path = _search_for_dll_in_chrystoki_conf(conf_path) + except FileNotFoundError as e: + LOG.exception( + "Luna /etc/Chrystoki.conf not be found, pycryptoki switched to point to the library of different product" + ) + return None LOG.info("Using DLL at location: %s", dll_path) return dll_path @@ -181,7 +185,8 @@ def __new__(cls, *args, **kwargs): if not cls._instance_map.get(CRYSTOKI_CONF_DLL): new_instance = super(CryptokiDLLSingleton, cls).__new__(cls, *args, **kwargs) - dll_path = parse_chrystoki_conf() + # depends on different product, lib path could be configured by pointing to path, or stored in a file + dll_path = os.environ.get(CRYSTOKI_CONF_DLL, parse_chrystoki_conf()) new_instance.dll_path = dll_path if "win" in sys.platform and IS_64B: import ctypes diff --git a/pycryptoki/daemon/rpyc_pycryptoki.py b/pycryptoki/daemon/rpyc_pycryptoki.py index c96c4a4..0ce7f6d 100755 --- a/pycryptoki/daemon/rpyc_pycryptoki.py +++ b/pycryptoki/daemon/rpyc_pycryptoki.py @@ -187,6 +187,7 @@ ca_get_cv_firmware_version, ca_get_cv_firmware_version_ex, ) +from pycryptoki.ca_extensions.cpv4 import ca_migrate_keys, ca_migrate_keys_ex from pycryptoki.cryptoki import CK_ULONG from pycryptoki.encryption import ( c_encrypt, @@ -754,6 +755,8 @@ def test_attrs(attributes): ca_stc_get_digest_ids_ex = staticmethod(ca_stc_get_digest_ids_ex) ca_stc_get_digest_name_by_id = staticmethod(ca_stc_get_digest_name_by_id) ca_stc_get_digest_name_by_id_ex = staticmethod(ca_stc_get_digest_name_by_id_ex) + ca_migrate_keys = staticmethod(ca_migrate_keys) + ca_migrate_keys_ex = staticmethod(ca_migrate_keys_ex) def server_launch(service, ip, port, config): diff --git a/pycryptoki/default_templates.py b/pycryptoki/default_templates.py index 2e3d497..3403523 100755 --- a/pycryptoki/default_templates.py +++ b/pycryptoki/default_templates.py @@ -21,7 +21,6 @@ CKA_PRIME, CKA_PRIME_BITS, CKA_PRIVATE, - CKA_PUBLIC_EXPONENT, CKA_SENSITIVE, CKA_SIGN, CKA_SUBJECT, @@ -209,6 +208,14 @@ CKM_SHA256_EDDSA, CKM_SHA384_EDDSA, CKM_SHA512_EDDSA, + CKM_SHA3_224_RSA_PKCS_PSS, + CKM_SHA3_256_RSA_PKCS_PSS, + CKM_SHA3_384_RSA_PKCS_PSS, + CKM_SHA3_512_RSA_PKCS_PSS, + CKM_SHA3_224_RSA_PKCS, + CKM_SHA3_256_RSA_PKCS, + CKM_SHA3_384_RSA_PKCS, + CKM_SHA3_512_RSA_PKCS, CKM_EXTRACT_KEY_FROM_KEY, CKM_FASTHASH, CKM_FORTEZZA_TIMESTAMP, @@ -406,6 +413,7 @@ CKO_CERTIFICATE, CKO_DATA, CKO_SECRET_KEY, + CKA_PUBLIC_EXPONENT, ) @@ -519,7 +527,7 @@ CKA_VERIFY: True, CKA_WRAP: True, CKA_MODULUS_BITS: 1024, # long 0 - MAX_RSA_KEY_NBITS - CKA_PUBLIC_EXPONENT: 3, # byte + CKA_PUBLIC_EXPONENT: 0, CKA_LABEL: b"RSA Public Key", } CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP = { @@ -3375,7 +3383,7 @@ "microsoftPlayReadP160": [ 0x30, 0x81, - 0x95, + 0x98, 0x02, 0x01, 0x01, @@ -3525,6 +3533,9 @@ 0xC2, 0xA6, 0x75, + 0x02, + 0x01, + 0x01, ], } @@ -4501,7 +4512,7 @@ CKA_VERIFY: True, CKA_WRAP: True, CKA_MODULUS_BITS: 1024, # long 1-MAX_RSA_KEY_NBITS - CKA_PUBLIC_EXPONENT: 3, # byte + CKA_PUBLIC_EXPONENT: 0, CKA_LABEL: b"RSA Public Key", } CKM_RSA_X9_31_KEY_PAIR_GEN_PRIVTEMP = { @@ -5028,6 +5039,14 @@ CKM_SHA512_RSA_PKCS_PSS: ("CKM_SHA512_RSA_PKCS_PSS",), CKM_SHA224_RSA_PKCS: ("CKM_SHA224_RSA_PKCS",), CKM_SHA224_RSA_PKCS_PSS: ("CKM_SHA224_RSA_PKCS_PSS",), + CKM_SHA3_224_RSA_PKCS_PSS: ("CKM_SHA3_224_RSA_PKCS_PSS",), + CKM_SHA3_256_RSA_PKCS_PSS: ("CKM_SHA3_256_RSA_PKCS_PSS",), + CKM_SHA3_384_RSA_PKCS_PSS: ("CKM_SHA3_384_RSA_PKCS_PSS",), + CKM_SHA3_512_RSA_PKCS_PSS: ("CKM_SHA3_512_RSA_PKCS_PSS",), + CKM_SHA3_224_RSA_PKCS: ("CKM_SHA3_224_RSA_PKCS",), + CKM_SHA3_256_RSA_PKCS: ("CKM_SHA3_256_RSA_PKCS",), + CKM_SHA3_384_RSA_PKCS: ("CKM_SHA3_384_RSA_PKCS",), + CKM_SHA3_512_RSA_PKCS: ("CKM_SHA3_512_RSA_PKCS",), CKM_RC2_KEY_GEN: ("CKM_RC2_KEY_GEN",), CKM_RC2_ECB: ("CKM_RC2_ECB",), CKM_RC2_CBC: ("CKM_RC2_CBC",), diff --git a/pycryptoki/defines.py b/pycryptoki/defines.py index 9109c68..d3474e7 100755 --- a/pycryptoki/defines.py +++ b/pycryptoki/defines.py @@ -274,6 +274,8 @@ LUNA_MECH_FLAG_EC_UNCOMPRESS = 0x01000000 LUNA_MECH_FLAG_EC_COMPRESS = 0x02000000 LUNA_MECH_FLAG_EXTENSION = 0x80000000 +LUNA_MECH_CPV4_EXTRACT = 0x00009008 +LUNA_MECH_CPV4_INSERT = 0x00009009 LUNA_MGF_MGF1_SHA1 = 0x00000001 LUNA_MGF_MGF1_SHA256 = 0x00000002 LUNA_MGF_MGF1_SHA384 = 0x00000003 @@ -1505,6 +1507,7 @@ CKF_EC_UNCOMPRESS = 0x01000000 CKF_EC_COMPRESS = 0x02000000 CKF_EXTENSION = 0x80000000 +CKF_CPV4_CONTINUE_ON_ERR = 0x01 CKR_ARGUMENTS_BAD = 0x00000007 CKR_ATTRIBUTE_READ_ONLY = 0x00000010 CKR_ATTRIBUTE_SENSITIVE = 0x00000011 @@ -1899,6 +1902,8 @@ CKM_AES_CBC_PAD_INSERT_FLATTENED = CKM_VENDOR_DEFINED + 0x203 CKM_AES_CBC_PAD_EXTRACT_DOMAIN_CTRL = CKM_VENDOR_DEFINED + 0x204 CKM_AES_CBC_PAD_INSERT_DOMAIN_CTRL = CKM_VENDOR_DEFINED + 0x205 +CKM_CPV4_EXTRACT = CKM_VENDOR_DEFINED + 0x208 +CKM_CPV4_INSERT = CKM_VENDOR_DEFINED + 0x209 CKM_PLACE_HOLDER_FOR_ERACOME_DEF_IN_SHIM = CKM_VENDOR_DEFINED + 0x502 CKM_DES2_DUKPT_IPEK = CKM_VENDOR_DEFINED + 0x610 CKM_DES2_DUKPT_PIN = CKM_VENDOR_DEFINED + 0x611 @@ -1981,6 +1986,7 @@ CKR_SP_TIMEOUT = CKR_VENDOR_DEFINED + 0x23 CKR_TIMEOUT = CKR_VENDOR_DEFINED + 0x24 CKR_ECC_UNKNOWN_CURVE = CKR_VENDOR_DEFINED + 0x25 +CKR_ECC_CURVE_NOT_ALLOWED = CKR_VENDOR_DEFINED + 0x105 CKR_MTK_ZEROIZED = CKR_VENDOR_DEFINED + 0x26 CKR_MTK_STATE_INVALID = CKR_VENDOR_DEFINED + 0x27 CKR_INVALID_ENTRY_TYPE = CKR_VENDOR_DEFINED + 0x28 diff --git a/pycryptoki/exceptions.py b/pycryptoki/exceptions.py index 68d70e1..0cd41eb 100644 --- a/pycryptoki/exceptions.py +++ b/pycryptoki/exceptions.py @@ -8,7 +8,7 @@ from six import integer_types from .defines import CKR_OK -from .lookup_dicts import ret_vals_dictionary, ATTR_NAME_LOOKUP +from .lookup_dicts import ret_vals_dictionary LOG = logging.getLogger(__name__) @@ -114,34 +114,13 @@ def check_luna_exception(ret, luna_function, args, kwargs): :param luna_function: pycryptoki function that was called :param args: Arguments passed to the pycryptoki function. """ - from pycryptoki.string_helpers import _coerce_mech_to_str + from pycryptoki.string_helpers import pformat_pyc_args - log_list = [] all_args = inspect.getcallargs(luna_function, *args, **kwargs) - for key, value in all_args.items(): - if "template" in key and isinstance(value, dict): - # Means it's a template, so let's perform a lookup on all of the objects within - # this. - log_list.append("\t\t%s: " % key) - for template_key, template_value in all_args[key].items(): - log_list.append( - "\t\t\t%s: %s" - % (ATTR_NAME_LOOKUP.get(template_key, template_key), template_value) - ) - elif "password" in key: - log_list.append("\t\t%s: *" % key) - elif "mechanism" in key: - log_list.append("\t%s: " % key) - nice_mech = _coerce_mech_to_str(all_args[key]).splitlines() - log_list.extend(["\t\t%s" % x for x in nice_mech]) - else: - if len(str(value)) > 20: - msg = "\t\t%s: %s[...]%s" % (key, str(value)[:10], str(value)[-10:]) - else: - msg = "\t\t%s: %s" % (key, value) - log_list.append(msg) + formatted_args = pformat_pyc_args(all_args) - arg_string = "({})".format("\n".join(log_list)) + # Tab it over one more for exception logging. + arg_string = "\n".join("\t{}".format(x) for x in formatted_args) LOG.debug( "Call to %s returned %s (%s)", luna_function.__name__, diff --git a/pycryptoki/lookup_dicts.py b/pycryptoki/lookup_dicts.py index edd5550..7e645f0 100644 --- a/pycryptoki/lookup_dicts.py +++ b/pycryptoki/lookup_dicts.py @@ -231,6 +231,8 @@ CKR_ASSIGNED_KEY_CANNOT_BE_RESET: "CKR_ASSIGNED_KEY_CANNOT_BE_RESET", CKR_AUTH_DATA_INCORRECT_AND_LIMIT_REACHED: "CKR_AUTH_DATA_INCORRECT_AND_LIMIT_REACHED", CKR_BUSY: "CKR_BUSY", + CKR_ECC_UNKNOWN_CURVE: "CKR_ECC_UNKNOWN_CURVE", + CKR_ECC_CURVE_NOT_ALLOWED: "CKR_ECC_CURVE_NOT_ALLOWED", } #: @@ -673,6 +675,8 @@ (CKM_VENDOR_DEFINED + 0x203): "CKM_AES_CBC_PAD_INSERT_FLATTENED", (CKM_VENDOR_DEFINED + 0x204): "CKM_AES_CBC_PAD_EXTRACT_DOMAIN_CTRL", (CKM_VENDOR_DEFINED + 0x205): "CKM_AES_CBC_PAD_INSERT_DOMAIN_CTRL", + (CKM_VENDOR_DEFINED + 0x208): "CKM_CPV4_EXTRACT", + (CKM_VENDOR_DEFINED + 0x209): "CKM_CPV4_INSERT", (CKM_VENDOR_DEFINED + 0x502): "CKM_PLACE_HOLDER_FOR_ERACOME_DEF_IN_SHIM", (CKM_VENDOR_DEFINED + 0x611): "CKM_DES2_DUKPT_PIN", (CKM_VENDOR_DEFINED + 0x612): "CKM_DES2_DUKPT_MAC", diff --git a/pycryptoki/mechanism/__init__.py b/pycryptoki/mechanism/__init__.py index 8f4d0f2..c7b40d9 100644 --- a/pycryptoki/mechanism/__init__.py +++ b/pycryptoki/mechanism/__init__.py @@ -77,6 +77,7 @@ def to_c_mech(self): from .rsa import RSAPKCSOAEPMechanism, RSAPKCSPSSMechanism from .kdf import PRFKDFDeriveMechanism from .shake import ShakeMechanism +from .sha import ShaHmacGeneralMechanism from ..defines import ( CKM_DES_CBC, CKM_DES3_CBC, @@ -126,6 +127,10 @@ def to_c_mech(self): CKM_SHA3_256_RSA_PKCS_PSS, CKM_SHA3_384_RSA_PKCS_PSS, CKM_SHA3_512_RSA_PKCS_PSS, + CKM_SHA3_512_HMAC_GENERAL, + CKM_SHA3_224_HMAC_GENERAL, + CKM_SHA3_256_HMAC_GENERAL, + CKM_SHA3_384_HMAC_GENERAL, CKM_DES_ECB, CKM_AES_CBC_ENCRYPT_DATA, CKM_AES_ECB_ENCRYPT_DATA, @@ -203,6 +208,10 @@ def to_c_mech(self): CKM_SHA3_256_RSA_PKCS_PSS: RSAPKCSPSSMechanism, CKM_SHA3_384_RSA_PKCS_PSS: RSAPKCSPSSMechanism, CKM_SHA3_512_RSA_PKCS_PSS: RSAPKCSPSSMechanism, + CKM_SHA3_224_HMAC_GENERAL: ShaHmacGeneralMechanism, + CKM_SHA3_256_HMAC_GENERAL: ShaHmacGeneralMechanism, + CKM_SHA3_384_HMAC_GENERAL: ShaHmacGeneralMechanism, + CKM_SHA3_512_HMAC_GENERAL: ShaHmacGeneralMechanism, CKM_DES_ECB: NullMech, CKM_AES_CBC_ENCRYPT_DATA: AESCBCEncryptDataMechanism, CKM_AES_ECB_ENCRYPT_DATA: AESECBEncryptDataMechanism, diff --git a/pycryptoki/mechanism/sha.py b/pycryptoki/mechanism/sha.py new file mode 100644 index 0000000..4023612 --- /dev/null +++ b/pycryptoki/mechanism/sha.py @@ -0,0 +1,31 @@ +""" +Sha Hmac General Mechanism implementations. +""" +from ctypes import c_void_p, cast, pointer, sizeof + +from .helpers import Mechanism +from ..cryptoki import CK_ULONG, CK_SHA_HMAC_GENERAL_PARAMS +from ..defines import * + + +class ShaHmacGeneralMechanism(Mechanism): + """ + Create the required CK_SHA_HMAC_GENERAL_PARAMS param structure & convert python data to + C data. + """ + + REQUIRED_PARAMS = ["outputLen"] + + def to_c_mech(self): + """ + Convert extra parameters to ctypes, then build out the mechanism. + + :return: :class:`~pycryptoki.cryptoki.CK_MECHANISM` + """ + super(ShaHmacGeneralMechanism, self).to_c_mech() + sha_params = CK_SHA_HMAC_GENERAL_PARAMS() + sha_params.ulOutputLen = CK_ULONG(self.params["outputLen"]) + + self.mech.pParameter = cast(pointer(sha_params), c_void_p) + self.mech.usParameterLen = CK_ULONG(sizeof(sha_params)) + return self.mech diff --git a/pycryptoki/ptk_defines.py b/pycryptoki/ptk_defines.py new file mode 100644 index 0000000..8c99ea0 --- /dev/null +++ b/pycryptoki/ptk_defines.py @@ -0,0 +1,952 @@ +# Generated by h2py from ctvdef.h + +# from cryptoki.h +FALSE = 0 +CK_VENDOR_DEFINED = 0x00008000 +CK_VENDOR_DEFINED_V1 = 0x00008000 +CK_VENDOR_DEFINED_V2 = 0x80000000 +CKT_PIN = 0x00000000 +CKP_NUMERIC = 0x00000000 +CKP_UTF8 = 0x00000001 +CKP_BINARY = 0x00000002 +CK_MANUFACTURER_SIZE = 32 +CK_SERIAL_NUMBER_SIZE = 16 +CK_TIME_SIZE = 16 +CK_LIB_DESC_SIZE = 32 +CK_SLOT_DESCRIPTION_SIZE = 64 +CK_SLOT_MANUFACTURER_SIZE = 32 +CK_MAX_PIN_LEN = 38 +CK_MAX_PIN_LEN_LEGACY = 32 +OTP_PIN_LENGTH = 6 +CK_TOKEN_LABEL_SIZE = 32 +CK_TOKEN_MANUFACTURER_SIZE = 32 +CK_TOKEN_MODEL_SIZE = 16 +CK_TOKEN_SERIAL_NUMBER_SIZE = 16 +CK_TOKEN_TIME_SIZE = 16 +CK_MAX_PBE_IV_SIZE = 8 +CK_AES_GCM_MAX_MESSAGE_SIZE = 126 * 1024 +CK_MAX_PAD_SIZE = 16 +CKN_SURRENDER = 0 +CKN_COMPLETE = 1 +CKN_DEVICE_REMOVED = 2 +CK_EFFECTIVELY_INFINITE = 0 +CKU_SO = 0 +CKU_USER = 1 +CKU_AUDIT = 2 +CKS_RO_PUBLIC_SESSION = 0 +CKS_RO_USER_FUNCTIONS = 1 +CKS_RW_PUBLIC_SESSION = 2 +CKS_RW_USER_FUNCTIONS = 3 +CKS_RW_SO_FUNCTIONS = 4 +CKS_AUDIT_FUNCTIONS = 5 +CK_INVALID_HANDLE = 0 +CKF_TOKEN_PRESENT = 0x00000001 +CKF_REMOVABLE_DEVICE = 0x00000002 +CKF_HW_SLOT = 0x00000004 +CKF_RNG = 0x00000001 +CKF_WRITE_PROTECTED = 0x00000002 +CKF_LOGIN_REQUIRED = 0x00000004 +CKF_USER_PIN_INITIALIZED = 0x00000008 +CKF_EXCLUSIVE_EXISTS = 0x00000010 +CKF_RESTORE_KEY_NOT_NEEDED = 0x00000020 +CKF_CLOCK_ON_TOKEN = 0x00000040 +CKF_AUDIT_PIN_INITIALIZED = 0x00000080 +CKF_PROTECTED_AUTHENTICATION_PA = 0x00000100 +CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100 +CKF_TOKEN_INITIALIZED = 0x00000400 +CKF_DUAL_CRYPTO_OPERATIONS = 0x00000200 +CKF_SECONDARY_AUTHENTICATION = 0x00000800 +CKF_USER_PIN_COUNT_LOW = 0x00010000 +CKF_USER_PIN_FINAL_TRY = 0x00020000 +CKF_USER_PIN_LOCKED = 0x00040000 +CKF_USER_PIN_TO_BE_CHANGED = 0x00080000 +CKF_SO_PIN_COUNT_LOW = 0x00100000 +CKF_SO_PIN_FINAL_TRY = 0x00200000 +CKF_SO_PIN_LOCKED = 0x00400000 +CKF_SO_PIN_TO_BE_CHANGED = 0x00800000 +CKF_EXCLUSIVE_SESSION = 0x00000001 +CKF_RW_SESSION = 0x00000002 +CKF_SERIAL_SESSION = 0x00000004 +CKF_AUDIT_SESSION = 0x00000008 +CKF_HW = 0x00000001 +CKF_EXTENSION = CK_VENDOR_DEFINED +CKF_ENCRYPT = 0x00000100 +CKF_DECRYPT = 0x00000200 +CKF_DIGEST = 0x00000400 +CKF_SIGN = 0x00000800 +CKF_SIGN_RECOVER = 0x00001000 +CKF_VERIFY = 0x00002000 +CKF_VERIFY_RECOVER = 0x00004000 +CKF_GENERATE = 0x00008000 +CKF_GENERATE_KEY_PAIR = 0x00010000 +CKF_WRAP = 0x00020000 +CKF_UNWRAP = 0x00040000 +CKF_DERIVE = 0x00080000 +CKF_EC_F_P = 0x00100000 +CKF_EC_F_2M = 0x00200000 +CKF_EC_ECPARAMETERS = 0x00400000 +CKF_EC_NAMEDCURVE = 0x00800000 +CKF_EC_UNCOMPRESS = 0x01000000 +CKF_EC_COMPRESS = 0x02000000 +CKO_DATA = 0x00000000 +CKO_CERTIFICATE = 0x00000001 +CKO_PUBLIC_KEY = 0x00000002 +CKO_PRIVATE_KEY = 0x00000003 +CKO_SECRET_KEY = 0x00000004 +CKO_HW_FEATURE = 0x00000005 +CKO_DOMAIN_PARAMETERS = 0x00000006 +CKO_VENDOR_DEFINED = CK_VENDOR_DEFINED +CKO_VENDOR_DEFINED_V1 = CK_VENDOR_DEFINED_V1 +CKH_MONOTONIC_COUNTER = 0x00000001 +CKH_CLOCK = 0x00000002 +CKH_VENDOR_DEFINED = 0x80000000 +CKK_RSA = 0x00000000 +CKK_DSA = 0x00000001 +CKK_DH = 0x00000002 +CKK_ECDSA = 0x00000003 +CKK_EC = 0x00000003 +CKK_X9_42_DH = 0x00000004 +CKK_KEA = 0x00000005 +CKK_GENERIC_SECRET = 0x00000010 +CKK_RC2 = 0x00000011 +CKK_RC4 = 0x00000012 +CKK_RC5 = 0x00000019 +CKK_DES = 0x00000013 +CKK_DES2 = 0x00000014 +CKK_DES3 = 0x00000015 +CKK_CAST = 0x00000016 +CKK_CAST3 = 0x00000017 +CKK_CAST5 = 0x00000018 +CKK_CAST128 = 0x00000018 +CKK_IDEA = 0x0000001A +CKK_SKIPJACK = 0x0000001B +CKK_BATON = 0x0000001C +CKK_JUNIPER = 0x0000001D +CKK_CDMF = 0x0000001E +CKK_AES = 0x0000001F +CKK_ARIA = 0x00000026 +CKK_VENDOR_DEFINED = CK_VENDOR_DEFINED +CKC_X_509 = 0x00000000 +CKC_X_509_ATTR_CERT = 0x00000001 +CKC_VENDOR_DEFINED = CK_VENDOR_DEFINED +CKA_CLASS = 0x00000000 +CKA_TOKEN = 0x00000001 +CKA_PRIVATE = 0x00000002 +CKA_LABEL = 0x00000003 +CKA_APPLICATION = 0x00000010 +CKA_VALUE = 0x00000011 +CKA_OBJECT_ID = 0x00000012 +CKA_CERTIFICATE_TYPE = 0x00000080 +CKA_ISSUER = 0x00000081 +CKA_SERIAL_NUMBER = 0x00000082 +CKA_AC_ISSUER = 0x00000083 +CKA_OWNER = 0x00000084 +CKA_ATTR_TYPES = 0x00000085 +CKA_TRUSTED = 0x00000086 +CKA_KEY_TYPE = 0x00000100 +CKA_SUBJECT = 0x00000101 +CKA_ID = 0x00000102 +CKA_SENSITIVE = 0x00000103 +CKA_ENCRYPT = 0x00000104 +CKA_DECRYPT = 0x00000105 +CKA_WRAP = 0x00000106 +CKA_UNWRAP = 0x00000107 +CKA_SIGN = 0x00000108 +CKA_SIGN_RECOVER = 0x00000109 +CKA_VERIFY = 0x0000010A +CKA_VERIFY_RECOVER = 0x0000010B +CKA_DERIVE = 0x0000010C +CKA_START_DATE = 0x00000110 +CKA_END_DATE = 0x00000111 +CKA_MODULUS = 0x00000120 +CKA_MODULUS_BITS = 0x00000121 +CKA_PUBLIC_EXPONENT = 0x00000122 +CKA_PRIVATE_EXPONENT = 0x00000123 +CKA_PRIME_1 = 0x00000124 +CKA_PRIME_2 = 0x00000125 +CKA_EXPONENT_1 = 0x00000126 +CKA_EXPONENT_2 = 0x00000127 +CKA_COEFFICIENT = 0x00000128 +CKA_PRIME = 0x00000130 +CKA_SUBPRIME = 0x00000131 +CKA_BASE = 0x00000132 +CKA_PRIME_BITS = 0x00000133 +CKA_SUB_PRIME_BITS = 0x00000134 +CKA_VALUE_BITS = 0x00000160 +CKA_VALUE_LEN = 0x00000161 +CKA_EXTRACTABLE = 0x00000162 +CKA_LOCAL = 0x00000163 +CKA_NEVER_EXTRACTABLE = 0x00000164 +CKA_ALWAYS_SENSITIVE = 0x00000165 +CKA_KEY_GEN_MECHANISM = 0x00000166 +CKA_MODIFIABLE = 0x00000170 +CKA_ECDSA_PARAMS = 0x00000180 +CKA_EC_PARAMS = 0x00000180 +CKA_EC_POINT = 0x00000181 +CKA_SECONDARY_AUTH = 0x00000200 +CKA_AUTH_PIN_FLAGS = 0x00000201 +CKA_HW_FEATURE_TYPE = 0x00000300 +CKA_RESET_ON_INIT = 0x00000301 +CKA_HAS_RESET = 0x00000302 +CKA_VENDOR_DEFINED = CK_VENDOR_DEFINED +CKA_VENDOR_DEFINED_V1 = CK_VENDOR_DEFINED_V1 +CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000 +CKM_RSA_PKCS = 0x00000001 +CKM_RSA_9796 = 0x00000002 +CKM_RSA_X_509 = 0x00000003 +CKM_MD2_RSA_PKCS = 0x00000004 +CKM_MD5_RSA_PKCS = 0x00000005 +CKM_SHA1_RSA_PKCS = 0x00000006 +CKM_RIPEMD128_RSA_PKCS = 0x00000007 +CKM_RIPEMD160_RSA_PKCS = 0x00000008 +CKM_RSA_PKCS_OAEP = 0x00000009 +CKM_RSA_X9_31_KEY_PAIR_GEN = 0x0000000A +CKM_RSA_X9_31 = 0x0000000B +CKM_SHA1_RSA_X9_31 = 0x0000000C +CKM_RSA_PKCS_PSS = 0x0000000D +CKM_SHA1_RSA_PKCS_PSS = 0x0000000E +CKM_DSA_KEY_PAIR_GEN = 0x00000010 +CKM_DSA = 0x00000011 +CKM_DSA_SHA1 = 0x00000012 +CKM_DSA_SHA224 = 0x00000013 +CKM_DSA_SHA256 = 0x00000014 +CKM_DSA_SHA384 = 0x00000015 +CKM_DSA_SHA512 = 0x00000016 +CKM_DH_PKCS_KEY_PAIR_GEN = 0x00000020 +CKM_DH_PKCS_DERIVE = 0x00000021 +CKM_X9_42_DH_KEY_PAIR_GEN = 0x00000030 +CKM_X9_42_DH_DERIVE = 0x00000031 +CKM_X9_42_DH_HYBRID_DERIVE = 0x00000032 +CKM_X9_42_MQV_DERIVE = 0x00000033 +CKM_SHA256_RSA_PKCS = 0x00000040 +CKM_SHA384_RSA_PKCS = 0x00000041 +CKM_SHA512_RSA_PKCS = 0x00000042 +CKM_SHA256_RSA_PKCS_PSS = 0x00000043 +CKM_SHA384_RSA_PKCS_PSS = 0x00000044 +CKM_SHA512_RSA_PKCS_PSS = 0x00000045 +CKM_SHA224_RSA_PKCS = 0x00000046 +CKM_SHA224_RSA_PKCS_PSS = 0x00000047 +CKM_SHA3_256_RSA_PKCS = 0x00000060 +CKM_SHA3_384_RSA_PKCS = 0x00000061 +CKM_SHA3_512_RSA_PKCS = 0x00000062 +CKM_SHA3_256_RSA_PKCS_PSS = 0x00000063 +CKM_SHA3_384_RSA_PKCS_PSS = 0x00000064 +CKM_SHA3_512_RSA_PKCS_PSS = 0x00000065 +CKM_SHA3_224_RSA_PKCS = 0x00000066 +CKM_SHA3_224_RSA_PKCS_PSS = 0x00000067 +CKM_RC2_KEY_GEN = 0x00000100 +CKM_RC2_ECB = 0x00000101 +CKM_RC2_CBC = 0x00000102 +CKM_RC2_MAC = 0x00000103 +CKM_RC2_MAC_GENERAL = 0x00000104 +CKM_RC2_CBC_PAD = 0x00000105 +CKM_RC4_KEY_GEN = 0x00000110 +CKM_RC4 = 0x00000111 +CKM_DES_KEY_GEN = 0x00000120 +CKM_DES_ECB = 0x00000121 +CKM_DES_CBC = 0x00000122 +CKM_DES_MAC = 0x00000123 +CKM_DES_MAC_GENERAL = 0x00000124 +CKM_DES_CBC_PAD = 0x00000125 +CKM_DES2_KEY_GEN = 0x00000130 +CKM_DES3_KEY_GEN = 0x00000131 +CKM_DES3_ECB = 0x00000132 +CKM_DES3_CBC = 0x00000133 +CKM_DES3_MAC = 0x00000134 +CKM_DES3_MAC_GENERAL = 0x00000135 +CKM_DES3_CBC_PAD = 0x00000136 +CKM_DES3_CMAC_GENERAL = 0x00000137 +CKM_DES3_CMAC = 0x00000138 +CKM_CDMF_KEY_GEN = 0x00000140 +CKM_CDMF_ECB = 0x00000141 +CKM_CDMF_CBC = 0x00000142 +CKM_CDMF_MAC = 0x00000143 +CKM_CDMF_MAC_GENERAL = 0x00000144 +CKM_CDMF_CBC_PAD = 0x00000145 +CKM_MD2 = 0x00000200 +CKM_MD2_HMAC = 0x00000201 +CKM_MD2_HMAC_GENERAL = 0x00000202 +CKM_MD5 = 0x00000210 +CKM_MD5_HMAC = 0x00000211 +CKM_MD5_HMAC_GENERAL = 0x00000212 +CKM_SHA_1 = 0x00000220 +CKM_SHA_1_HMAC = 0x00000221 +CKM_SHA_1_HMAC_GENERAL = 0x00000222 +CKM_RIPEMD128 = 0x00000230 +CKM_RIPEMD128_HMAC = 0x00000231 +CKM_RIPEMD128_HMAC_GENERAL = 0x00000232 +CKM_RIPEMD160 = 0x00000240 +CKM_RIPEMD160_HMAC = 0x00000241 +CKM_RIPEMD160_HMAC_GENERAL = 0x00000242 +CKM_SHA256 = 0x00000250 +CKM_SHA256_HMAC = 0x00000251 +CKM_SHA256_HMAC_GENERAL = 0x00000252 +CKM_SHA224 = 0x00000255 +CKM_SHA224_HMAC = 0x00000256 +CKM_SHA224_HMAC_GENERAL = 0x00000257 +CKM_SHA384 = 0x00000260 +CKM_SHA384_HMAC = 0x00000261 +CKM_SHA384_HMAC_GENERAL = 0x00000262 +CKM_SHA512 = 0x00000270 +CKM_SHA512_HMAC = 0x00000271 +CKM_SHA512_HMAC_GENERAL = 0x00000272 +CKM_SHA3_256 = 0x000002B0 +CKM_SHA3_256_HMAC = 0x000002B1 +CKM_SHA3_256_HMAC_GENERAL = 0x000002B2 +CKM_SHA3_224 = 0x000002B5 +CKM_SHA3_224_HMAC = 0x000002B6 +CKM_SHA3_224_HMAC_GENERAL = 0x000002B7 +CKM_SHA3_384 = 0x000002C0 +CKM_SHA3_384_HMAC = 0x000002C1 +CKM_SHA3_384_HMAC_GENERAL = 0x000002C2 +CKM_SHA3_512 = 0x000002D0 +CKM_SHA3_512_HMAC = 0x000002D1 +CKM_SHA3_512_HMAC_GENERAL = 0x000002D2 +CKM_CAST_KEY_GEN = 0x00000300 +CKM_CAST_ECB = 0x00000301 +CKM_CAST_CBC = 0x00000302 +CKM_CAST_MAC = 0x00000303 +CKM_CAST_MAC_GENERAL = 0x00000304 +CKM_CAST_CBC_PAD = 0x00000305 +CKM_CAST3_KEY_GEN = 0x00000310 +CKM_CAST3_ECB = 0x00000311 +CKM_CAST3_CBC = 0x00000312 +CKM_CAST3_MAC = 0x00000313 +CKM_CAST3_MAC_GENERAL = 0x00000314 +CKM_CAST3_CBC_PAD = 0x00000315 +CKM_CAST5_KEY_GEN = 0x00000320 +CKM_CAST5_ECB = 0x00000321 +CKM_CAST5_CBC = 0x00000322 +CKM_CAST5_MAC = 0x00000323 +CKM_CAST5_MAC_GENERAL = 0x00000324 +CKM_CAST5_CBC_PAD = 0x00000325 +CKM_CAST128_KEY_GEN = 0x00000320 +CKM_CAST128_ECB = 0x00000321 +CKM_CAST128_CBC = 0x00000322 +CKM_CAST128_MAC = 0x00000323 +CKM_CAST128_MAC_GENERAL = 0x00000324 +CKM_CAST128_CBC_PAD = 0x00000325 +CKM_RC5_KEY_GEN = 0x00000330 +CKM_RC5_ECB = 0x00000331 +CKM_RC5_CBC = 0x00000332 +CKM_RC5_MAC = 0x00000333 +CKM_RC5_MAC_GENERAL = 0x00000334 +CKM_RC5_CBC_PAD = 0x00000335 +CKM_IDEA_KEY_GEN = 0x00000340 +CKM_IDEA_ECB = 0x00000341 +CKM_IDEA_CBC = 0x00000342 +CKM_IDEA_MAC = 0x00000343 +CKM_IDEA_MAC_GENERAL = 0x00000344 +CKM_IDEA_CBC_PAD = 0x00000345 +CKM_GENERIC_SECRET_KEY_GEN = 0x00000350 +CKM_CONCATENATE_BASE_AND_KEY = 0x00000360 +CKM_CONCATENATE_BASE_AND_DATA = 0x00000362 +CKM_CONCATENATE_DATA_AND_BASE = 0x00000363 +CKM_XOR_BASE_AND_DATA = 0x00000364 +CKM_EXTRACT_KEY_FROM_KEY = 0x00000365 +CKM_SSL3_PRE_MASTER_KEY_GEN = 0x00000370 +CKM_SSL3_MASTER_KEY_DERIVE = 0x00000371 +CKM_SSL3_KEY_AND_MAC_DERIVE = 0x00000372 +CKM_SSL3_MASTER_KEY_DERIVE_DH = 0x00000373 +CKM_TLS_PRE_MASTER_KEY_GEN = 0x00000374 +CKM_TLS_MASTER_KEY_DERIVE = 0x00000375 +CKM_TLS_KEY_AND_MAC_DERIVE = 0x00000376 +CKM_TLS_MASTER_KEY_DERIVE_DH = 0x00000377 +CKM_SSL3_MD5_MAC = 0x00000380 +CKM_SSL3_SHA1_MAC = 0x00000381 +CKM_MD5_KEY_DERIVATION = 0x00000390 +CKM_MD2_KEY_DERIVATION = 0x00000391 +CKM_SHA1_KEY_DERIVATION = 0x00000392 +CKM_SHA256_KEY_DERIVATION = 0x00000393 +CKM_SHA384_KEY_DERIVATION = 0x00000394 +CKM_SHA512_KEY_DERIVATION = 0x00000395 +CKM_SHA224_KEY_DERIVATION = 0x00000396 +CKM_SHA3_256_KEY_DERIVE = 0x00000397 +CKM_SHA3_224_KEY_DERIVE = 0x00000398 +CKM_SHA3_384_KEY_DERIVE = 0x00000399 +CKM_SHA3_512_KEY_DERIVE = 0x0000039A +CKM_PBE_MD2_DES_CBC = 0x000003A0 +CKM_PBE_MD5_DES_CBC = 0x000003A1 +CKM_PBE_MD5_CAST_CBC = 0x000003A2 +CKM_PBE_MD5_CAST3_CBC = 0x000003A3 +CKM_PBE_MD5_CAST5_CBC = 0x000003A4 +CKM_PBE_MD5_CAST128_CBC = 0x000003A4 +CKM_PBE_SHA1_CAST5_CBC = 0x000003A5 +CKM_PBE_SHA1_CAST128_CBC = 0x000003A5 +CKM_PBE_SHA1_RC4_128 = 0x000003A6 +CKM_PBE_SHA1_RC4_40 = 0x000003A7 +CKM_PBE_SHA1_DES3_EDE_CBC = 0x000003A8 +CKM_PBE_SHA1_DES2_EDE_CBC = 0x000003A9 +CKM_PBE_SHA1_RC2_128_CBC = 0x000003AA +CKM_PBE_SHA1_RC2_40_CBC = 0x000003AB +CKM_PKCS5_PBKD2 = 0x000003B0 +CKM_PBA_SHA1_WITH_SHA1_HMAC = 0x000003C0 +CKM_KEY_WRAP_LYNKS = 0x00000400 +CKM_KEY_WRAP_SET_OAEP = 0x00000401 +CKM_ARIA_KEY_GEN = 0x00000560 +CKM_ARIA_ECB = 0x00000561 +CKM_ARIA_CBC = 0x00000562 +CKM_ARIA_MAC = 0x00000563 +CKM_ARIA_MAC_GENERAL = 0x00000564 +CKM_ARIA_CBC_PAD = 0x00000565 +CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566 +CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567 +CKM_SKIPJACK_KEY_GEN = 0x00001000 +CKM_SKIPJACK_ECB64 = 0x00001001 +CKM_SKIPJACK_CBC64 = 0x00001002 +CKM_SKIPJACK_OFB64 = 0x00001003 +CKM_SKIPJACK_CFB64 = 0x00001004 +CKM_SKIPJACK_CFB32 = 0x00001005 +CKM_SKIPJACK_CFB16 = 0x00001006 +CKM_SKIPJACK_CFB8 = 0x00001007 +CKM_SKIPJACK_WRAP = 0x00001008 +CKM_SKIPJACK_PRIVATE_WRAP = 0x00001009 +CKM_SKIPJACK_RELAYX = 0x0000100A +CKM_KEA_KEY_PAIR_GEN = 0x00001010 +CKM_KEA_KEY_DERIVE = 0x00001011 +CKM_FORTEZZA_TIMESTAMP = 0x00001020 +CKM_BATON_KEY_GEN = 0x00001030 +CKM_BATON_ECB128 = 0x00001031 +CKM_BATON_ECB96 = 0x00001032 +CKM_BATON_CBC128 = 0x00001033 +CKM_BATON_COUNTER = 0x00001034 +CKM_BATON_SHUFFLE = 0x00001035 +CKM_BATON_WRAP = 0x00001036 +CKM_ECDSA_KEY_PAIR_GEN = 0x00001040 +CKM_EC_KEY_PAIR_GEN = 0x00001040 +CKM_ECDSA = 0x00001041 +CKM_ECDSA_SHA1 = 0x00001042 +CKM_ECDH1_DERIVE_OLD = 0x00001043 +CKM_ECDSA_SHA3_224 = 0x00001047 +CKM_ECDSA_SHA3_256 = 0x00001048 +CKM_ECDSA_SHA3_384 = 0x00001049 +CKM_ECDSA_SHA3_512 = 0x0000104A +CKM_ECDH1_DERIVE = 0x00001050 +CKM_ECDH1_COFACTOR_DERIVE = 0x00001051 +CKM_ECMQV_DERIVE = 0x00001052 +CKM_JUNIPER_KEY_GEN = 0x00001060 +CKM_JUNIPER_ECB128 = 0x00001061 +CKM_JUNIPER_CBC128 = 0x00001062 +CKM_JUNIPER_COUNTER = 0x00001063 +CKM_JUNIPER_SHUFFLE = 0x00001064 +CKM_JUNIPER_WRAP = 0x00001065 +CKM_FASTHASH = 0x00001070 +CKM_AES_KEY_GEN = 0x00001080 +CKM_AES_ECB = 0x00001081 +CKM_AES_CBC = 0x00001082 +CKM_AES_MAC = 0x00001083 +CKM_AES_MAC_GENERAL = 0x00001084 +CKM_AES_OFB = 0x00002104 +CKM_AES_CBC_PAD = 0x00001085 +CKM_AES_GCM = 0x00001087 +CKM_AES_CCM = 0x00001088 +CKM_AES_CMAC_GENERAL = 0x00001089 +CKM_AES_CMAC = 0x0000108A +CKM_AES_KEY_WRAP = 0x00001090 +CKM_AES_KEY_WRAP_PAD = 0x00001091 +CKM_DES_ECB_ENCRYPT_DATA = 0x00001100 +CKM_DES_CBC_ENCRYPT_DATA = 0x00001101 +CKM_DES3_ECB_ENCRYPT_DATA = 0x00001102 +CKM_DES3_CBC_ENCRYPT_DATA = 0x00001103 +CKM_AES_ECB_ENCRYPT_DATA = 0x00001104 +CKM_AES_CBC_ENCRYPT_DATA = 0x00001105 +CKM_DSA_PARAMETER_GEN = 0x00002000 +CKM_DH_PKCS_PARAMETER_GEN = 0x00002001 +CKM_X9_42_DH_PARAMETER_GEN = 0x00002002 +CKM_VENDOR_DEFINED = CK_VENDOR_DEFINED +CKM_VENDOR_DEFINED_V1 = CK_VENDOR_DEFINED_V1 +CKG_MGF1_SHA1 = 0x00000001 +CKG_MGF1_SHA224 = 0x00000005 +CKG_MGF1_SHA256 = 0x00000002 +CKG_MGF1_SHA384 = 0x00000003 +CKG_MGF1_SHA512 = 0x00000004 +CKG_MGF1_SHA3_224 = 0x00000006 +CKG_MGF1_SHA3_256 = 0x00000007 +CKG_MGF1_SHA3_384 = 0x00000008 +CKG_MGF1_SHA3_512 = 0x00000009 +CKZ_DATA_SPECIFIED = 0x00000001 +CKD_NULL = 0x00000001 +CKD_SHA1_KDF = 0x00000002 +CKD_SHA224_KDF = 0x80000003 +CKD_SHA256_KDF = 0x80000004 +CKD_SHA384_KDF = 0x80000005 +CKD_SHA512_KDF = 0x80000006 +CKD_RIPEMD160_KDF = 0x80000007 +CKD_SHA1_NIST_KDF = 0x00000012 +CKD_SHA224_NIST_KDF = 0x80000013 +CKD_SHA256_NIST_KDF = 0x80000014 +CKD_SHA384_NIST_KDF = 0x80000015 +CKD_SHA512_NIST_KDF = 0x80000016 +CKD_RIPEMD160_NIST_KDF = 0x80000017 +CKD_SHA1_SES_KDF = 0x82000000 +CKD_SHA224_SES_KDF = 0x83000000 +CKD_SHA256_SES_KDF = 0x84000000 +CKD_SHA384_SES_KDF = 0x85000000 +CKD_SHA512_SES_KDF = 0x86000000 +CKD_RIPEMD160_SES_KDF = 0x87000000 +CKD_SHA1_KDF_ASN1 = 0x80200000 +CKD_SHA224_KDF_ASN1 = 0x80300000 +CKD_SHA256_KDF_ASN1 = 0x80400000 +CKD_SHA384_KDF_ASN1 = 0x80500000 +CKD_SHA512_KDF_ASN1 = 0x80600000 +CKD_SHA1_KDF_CONCATENATE = 0x80700000 +CKD_SHA224_KDF_CONCATENATE = 0x80800000 +CKD_SHA256_KDF_CONCATENATE = 0x80900000 +CKD_SHA384_KDF_CONCATENATE = 0x80A00000 +CKD_SHA512_KDF_CONCATENATE = 0x80B00000 +CKD_SES_MIN_CTR = 0x00000000 +CKD_SES_ENC_CTR = 0x00000001 +CKD_SES_AUTH_CTR = 0x00000002 +CKD_SES_ALT_ENC_CTR = 0x00000003 +CKD_SES_ALT_AUTH_CTR = 0x00000004 +CKD_SES_MAX_CTR = 0x0000FFFF +CKR_OK = 0x00000000 +CKR_CANCEL = 0x00000001 +CKR_HOST_MEMORY = 0x00000002 +CKR_SLOT_ID_INVALID = 0x00000003 +CKR_FLAGS_INVALID = 0x00000004 +CKR_GENERAL_ERROR = 0x00000005 +CKR_FUNCTION_FAILED = 0x00000006 +CKR_ARGUMENTS_BAD = 0x00000007 +CKR_NO_EVENT = 0x00000008 +CKR_NEED_TO_CREATE_THREADS = 0x00000009 +CKR_CANT_LOCK = 0x0000000A +CKR_ATTRIBUTE_READ_ONLY = 0x00000010 +CKR_ATTRIBUTE_SENSITIVE = 0x00000011 +CKR_ATTRIBUTE_TYPE_INVALID = 0x00000012 +CKR_ATTRIBUTE_VALUE_INVALID = 0x00000013 +CKR_DATA_INVALID = 0x00000020 +CKR_DATA_LEN_RANGE = 0x00000021 +CKR_DEVICE_ERROR = 0x00000030 +CKR_DEVICE_MEMORY = 0x00000031 +CKR_DEVICE_REMOVED = 0x00000032 +CKR_ENCRYPTED_DATA_INVALID = 0x00000040 +CKR_ENCRYPTED_DATA_LEN_RANGE = 0x00000041 +CKR_FUNCTION_CANCELED = 0x00000050 +CKR_FUNCTION_NOT_PARALLEL = 0x00000051 +CKR_FUNCTION_PARALLEL = 0x00000052 +CKR_FUNCTION_NOT_SUPPORTED = 0x00000054 +CKR_KEY_HANDLE_INVALID = 0x00000060 +CKR_KEY_SENSITIVE = 0x00000061 +CKR_KEY_SIZE_RANGE = 0x00000062 +CKR_KEY_TYPE_INCONSISTENT = 0x00000063 +CKR_KEY_NOT_NEEDED = 0x00000064 +CKR_KEY_CHANGED = 0x00000065 +CKR_KEY_NEEDED = 0x00000066 +CKR_KEY_INDIGESTABLE = 0x00000067 +CKR_KEY_FUNCTION_NOT_PERMITTED = 0x00000068 +CKR_KEY_NOT_WRAPPABLE = 0x00000069 +CKR_KEY_UNEXTRACTABLE = 0x0000006A +CKR_KEY_PARAMS_INVALID = 0x0000006B +CKR_KEYLEN_INVALID = 0x0000006C +CKR_MECHANISM_INVALID = 0x00000070 +CKR_MECHANISM_PARAM_INVALID = 0x00000071 +CKR_OBJECT_CLASS_INCONSISTENT = 0x00000080 +CKR_OBJECT_CLASS_INVALID = 0x00000081 +CKR_OBJECT_HANDLE_INVALID = 0x00000082 +CKR_OPERATION_ACTIVE = 0x00000090 +CKR_OPERATION_NOT_INITIALIZED = 0x00000091 +CKR_PIN_INCORRECT = 0x000000A0 +CKR_PIN_INVALID = 0x000000A1 +CKR_PIN_LEN_RANGE = 0x000000A2 +CKR_PIN_EXPIRED = 0x000000A3 +CKR_PIN_LOCKED = 0x000000A4 +CKR_SESSION_CLOSED = 0x000000B0 +CKR_SESSION_COUNT = 0x000000B1 +CKR_SESSION_EXCLUSIVE_EXISTS = 0x000000B2 +CKR_SESSION_HANDLE_INVALID = 0x000000B3 +CKR_SESSION_PARALLEL_NOT_SUPPOR = 0x000000B4 +CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x000000B4 +CKR_SESSION_READ_ONLY = 0x000000B5 +CKR_SESSION_EXISTS = 0x000000B6 +CKR_SESSION_READ_ONLY_EXISTS = 0x000000B7 +CKR_SESSION_READ_WRITE_SO_EXIST = 0x000000B8 +CKR_SESSION_READ_WRITE_SO_EXISTS = 0x000000B8 +CKR_SIGNATURE_INVALID = 0x000000C0 +CKR_SIGNATURE_LEN_RANGE = 0x000000C1 +CKR_TEMPLATE_INCOMPLETE = 0x000000D0 +CKR_TEMPLATE_INCONSISTENT = 0x000000D1 +CKR_TOKEN_NOT_PRESENT = 0x000000E0 +CKR_TOKEN_NOT_RECOGNIZED = 0x000000E1 +CKR_TOKEN_WRITE_PROTECTED = 0x000000E2 +CKR_UNWRAPPING_KEY_HANDLE_INVAL = 0x000000F0 +CKR_UNWRAPPING_KEY_TYPE_INCONSI = 0x000000F2 +CKR_UNWRAPPING_KEY_HANDLE_INVALID = 0x000000F0 +CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT = 0x000000F2 +CKR_UNWRAPPING_KEY_SIZE_RANGE = 0x000000F1 +CKR_USER_ALREADY_LOGGED_IN = 0x00000100 +CKR_USER_NOT_LOGGED_IN = 0x00000101 +CKR_USER_PIN_NOT_INITIALIZED = 0x00000102 +CKR_USER_TYPE_INVALID = 0x00000103 +CKR_USER_ANOTHER_ALREADY_LOGGED = 0x00000104 +CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x00000104 +CKR_USER_TOO_MANY_TYPES = 0x00000105 +CKR_WRAPPED_KEY_INVALID = 0x00000110 +CKR_WRAPPED_KEY_LEN_RANGE = 0x00000112 +CKR_WRAPPING_KEY_HANDLE_INVALID = 0x00000113 +CKR_WRAPPING_KEY_SIZE_RANGE = 0x00000114 +CKR_WRAPPING_KEY_TYPE_INCONSIST = 0x00000115 +CKR_CRYPTOKI_ALREADY_INITIALIZE = 0x00000191 +CKR_WRAPPING_KEY_TYPE_INCONSISTENT = 0x00000115 +CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x00000191 +CKR_RANDOM_SEED_NOT_SUPPORTED = 0x00000120 +CKR_RANDOM_NO_RNG = 0x00000121 +CKR_DOMAIN_PARAMS_INVALID = 0x00000130 +CKR_BUFFER_TOO_SMALL = 0x00000150 +CKR_SAVED_STATE_INVALID = 0x00000160 +CKR_INFORMATION_SENSITIVE = 0x00000170 +CKR_STATE_UNSAVEABLE = 0x00000180 +CKR_CRYPTOKI_NOT_INITIALIZED = 0x00000190 +CKR_MUTEX_BAD = 0x000001A0 +CKR_MUTEX_NOT_LOCKED = 0x000001A1 +CKR_VENDOR_DEFINED = CK_VENDOR_DEFINED +CKF_LIBRARY_CANT_CREATE_OS_THRE = 0x00000001 +CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001 +CKF_OS_LOCKING_OK = 0x00000002 +CKF_DONT_BLOCK = 1 +CK_NEED_ARG_LIST = 1 + + +# FROM ctvdef.h +CK_NO_TRANSPORT_MODE = 0x0000 +CK_SINGLE_TRANSPORT_MODE = 0x0001 +CK_CONTINUOUS_TRANSPORT_MODE = 0x0002 +CK_EVENT_RECORD_LENGTH = 48 +CK_MONOTONIC_COUNTER_SIZE = 20 +CKF_WLD_SLOT = 0x10000000 +CKF_ADMIN_TOKEN = 0x10000000 +CKF_WLD_TOKEN = 0x20000000 +CKF_WLD_SESSION = 0x10000000 +CKF_ENTRUST_READY = 0x00000001 +CKF_NO_CLEAR_PINS = 0x00000002 +CKF_AUTH_PROTECTION = 0x00000004 +CKF_NO_PUBLIC_CRYPTO = 0x00000008 +CKF_TAMPER_BEFORE_UPGRADE = 0x00000010 +CKF_INCREASED_SECURITY = 0x00000020 +CKF_FIPS_ALGORITHMS = 0x00000040 +CKF_FULL_SMS_ENC = 0x00000080 +CKF_FULL_SMS_SIGN = 0x00000100 +CKF_PURE_P11 = 0x00000200 +CKF_DES_EVEN_PARITY_ALLOWED = 0x00000400 +CKF_USER_ECC_DP_ALLOWED = 0x00000800 +CKF_WEAK_PKCS11_MECHANISM = 0x00010000 +CKF_PCI_HSM_AUDIT = 0x00020000 +CKF_MODE_LOCKED = 0x10000000 +CKF_USR_OTP_INITIALIZED = 0x00002000 +CKF_SO_OTP_INITIALIZED = 0x00004000 +CKF_TICKET = CKF_EXTENSION | 0x40000000 +CKH_EVENT_LOG = CKH_VENDOR_DEFINED + 0x0001 +CKO_CERTIFICATE_REQUEST = CKO_VENDOR_DEFINED + 0x0201 +CKO_CRL = CKO_VENDOR_DEFINED + 0x0202 +CKO_ADAPTER = CKO_VENDOR_DEFINED + 0x020A +CKO_SLOT = CKO_VENDOR_DEFINED + 0x020B +CKO_FM = CKO_VENDOR_DEFINED + 0x020C +CKK_RSA_DISCRETE = CKO_VENDOR_DEFINED + 0x0201 +CKK_DSA_DISCRETE = CKO_VENDOR_DEFINED + 0x0202 +CKK_SEED = CKK_VENDOR_DEFINED + 0x203 +CKK_EC_EDWARDS = CKK_VENDOR_DEFINED + 0x0012 +CKK_EC_MONTGOMERY = CKK_VENDOR_DEFINED + 0x0013 +CKK_BIP32 = CKK_VENDOR_DEFINED + 0x0014 +CKA_USAGE_COUNT = CKA_VENDOR_DEFINED + 0x0101 +CKA_TIME_STAMP = CKA_VENDOR_DEFINED + 0x0102 +CKA_CHECK_VALUE = CKA_VENDOR_DEFINED + 0x0103 +CKA_MECHANISM_LIST = CKA_VENDOR_DEFINED + 0x0104 +CKA_SIGN_LOCAL_CERT = CKA_VENDOR_DEFINED + 0x0127 +CKA_EXPORT = CKA_VENDOR_DEFINED + 0x0128 +CKA_EXPORTABLE = CKA_VENDOR_DEFINED + 0x0129 +CKA_DELETABLE = CKA_VENDOR_DEFINED + 0x012A +CKA_IMPORT = CKA_VENDOR_DEFINED + 0x012B +CKA_KEY_SIZE = CKA_VENDOR_DEFINED + 0x012C +CKA_ISSUER_STR = CKA_VENDOR_DEFINED + 0x0130 +CKA_SUBJECT_STR = CKA_VENDOR_DEFINED + 0x0131 +CKA_SERIAL_NUMBER_INT = CKA_VENDOR_DEFINED + 0x0132 +CKA_RECORD_COUNT = CKA_VENDOR_DEFINED + 0x0136 +CKA_RECORD_NUMBER = CKA_VENDOR_DEFINED + 0x0137 +CKA_PURGE = CKA_VENDOR_DEFINED + 0x0139 +CKA_EVENT_LOG_FULL = CKA_VENDOR_DEFINED + 0x013A +CKA_SECURITY_MODE = CKA_VENDOR_DEFINED + 0x0140 +CKA_TRANSPORT_MODE = CKA_VENDOR_DEFINED + 0x0141 +CKA_BATCH = CKA_VENDOR_DEFINED + 0x0142 +CKA_HW_STATUS = CKA_VENDOR_DEFINED + 0x0143 +CKA_FREE_MEM = CKA_VENDOR_DEFINED + 0x0144 +CKA_TAMPER_CMD = CKA_VENDOR_DEFINED + 0x0145 +CKA_DATE_OF_MANUFACTURE = CKA_VENDOR_DEFINED + 0x0146 +CKA_HALT_CMD = CKA_VENDOR_DEFINED + 0x0147 +CKA_APPLICATION_COUNT = CKA_VENDOR_DEFINED + 0x0148 +CKA_FW_VERSION = CKA_VENDOR_DEFINED + 0x0149 +CKA_RESCAN_PERIPHERALS_CMD = CKA_VENDOR_DEFINED + 0x014A +CKA_RTC_AAC_ENABLED = CKA_VENDOR_DEFINED + 0x014B +CKA_RTC_AAC_GUARD_SECONDS = CKA_VENDOR_DEFINED + 0x014C +CKA_RTC_AAC_GUARD_COUNT = CKA_VENDOR_DEFINED + 0x014D +CKA_RTC_AAC_GUARD_DURATION = CKA_VENDOR_DEFINED + 0x014E +CKA_HW_EXT_INFO_STR = CKA_VENDOR_DEFINED + 0x014F +CKA_PERFORMANCE_LEVEL = CKA_VENDOR_DEFINED + 0x0150 +CKA_SLOT_ID = CKA_VENDOR_DEFINED + 0x0151 +CKA_MAX_SESSIONS = CKA_VENDOR_DEFINED + 0x0155 +CKA_MIN_PIN_LEN = CKA_VENDOR_DEFINED + 0x0156 +CKA_MAX_PIN_FAIL = CKA_VENDOR_DEFINED + 0x0158 +CKA_FLAGS = CKA_VENDOR_DEFINED + 0x0159 +CKA_PINPAD_DESC = CKA_VENDOR_DEFINED + 0x015A +CKA_VERIFY_OS = CKA_VENDOR_DEFINED + 0x0170 +CKA_VERSION = CKA_VENDOR_DEFINED + 0x0181 +CKA_MANUFACTURER = CKA_VENDOR_DEFINED + 0x0182 +CKA_BUILD_DATE = CKA_VENDOR_DEFINED + 0x0183 +CKA_FINGERPRINT = CKA_VENDOR_DEFINED + 0x0184 +CKA_ROM_SPACE = CKA_VENDOR_DEFINED + 0x0185 +CKA_RAM_SPACE = CKA_VENDOR_DEFINED + 0x0186 +CKA_FM_STATUS = CKA_VENDOR_DEFINED + 0x0187 +CKA_DELETE_FM = CKA_VENDOR_DEFINED + 0x0188 +CKA_FM_STARTUP_STATUS = CKA_VENDOR_DEFINED + 0x0189 +CKA_FM_ID = CKA_VENDOR_DEFINED + 0x018A +CKA_CERTIFICATE_START_TIME = CKA_VENDOR_DEFINED + 0x0190 +CKA_CERTIFICATE_END_TIME = CKA_VENDOR_DEFINED + 0x0191 +CKA_USAGE_LIMIT = CKA_VENDOR_DEFINED + 0x0200 +CKA_ADMIN_CERT = CKA_VENDOR_DEFINED + 0x0201 +CKA_PKI_ATTRIBUTE_BER_ENCODED = CKA_VENDOR_DEFINED + 0x0230 +CKA_HIFACE_MASTER = CKA_VENDOR_DEFINED + 0x250 +CKA_SEED = CKA_VENDOR_DEFINED + 0x260 +CKA_COUNTER = CKA_VENDOR_DEFINED + 0x261 +CKA_H_VALUE = CKA_VENDOR_DEFINED + 0x262 +CKA_INTERNAL_1 = CKA_VENDOR_DEFINED + 0x270 +CKA_AUTH_CHALLENGE_deprecated = CKA_VENDOR_DEFINED + 0x280 +CKA_TMP_PIN_deprecated = CKA_VENDOR_DEFINED + 0x281 +CKA_BIP32_CHAIN_CODE = CKA_VENDOR_DEFINED + 0x1100 +CKA_BIP32_VERSION_BYTES = CKA_VENDOR_DEFINED + 0x1101 +CKA_BIP32_CHILD_INDEX = CKA_VENDOR_DEFINED + 0x1102 +CKA_BIP32_CHILD_DEPTH = CKA_VENDOR_DEFINED + 0x1103 +CKA_BIP32_ID = CKA_VENDOR_DEFINED + 0x1104 +CKA_BIP32_FINGERPRINT = CKA_VENDOR_DEFINED + 0x1105 +CKA_BIP32_PARENT_FINGERPRINT = CKA_VENDOR_DEFINED + 0x1106 +CKA_LOCAL_IDENTITY_CERT = CKA_VENDOR_DEFINED + 0x290 +CKA_HSM_OWNER_CERT = CKA_VENDOR_DEFINED + 0x291 +CKA_HSM_ROOT_CERT = CKA_VENDOR_DEFINED + 0x292 +CKG_BIP32_VERSION_MAINNET_PUB = 0x0488B21E +CKG_BIP32_VERSION_MAINNET_PRIV = 0x0488ADE4 +CKG_BIP32_VERSION_TESTNET_PUB = 0x043587CF +CKG_BIP32_VERSION_TESTNET_PRIV = 0x04358394 +CKG_BIP44_PURPOSE = 0x0000002C +CKG_BIP44_COIN_TYPE_BTC = 0x00000000 +CKG_BIP44_COIN_TYPE_BTC_TESTNET = 0x00000001 +CKG_BIP32_EXTERNAL_CHAIN = 0x00000000 +CKG_BIP32_INTERNAL_CHAIN = 0x00000001 +CKG_BIP32_MAX_SERIALIZED_LEN = 113 +CKF_BIP32_HARDENED = 0x80000000 +CKA_AUDIT_KEY = CKA_VENDOR_DEFINED + 0x2000 +CKG_BATTERY_LOW = 0x00000001 +CKG_PCB_VERSION = 0x0000000E +CKG_EXTERNAL_PINS = 0x000000F0 +CKG_FPGA_VERSION = 0x00000F00 +CKG_TEMP = 0x000FF000 +CKM_DSA_SHA1_PKCS = CKM_VENDOR_DEFINED + CKM_DSA_SHA1 + 0x1 +CKM_DSA_SHA224_DEPRECATED = CKM_VENDOR_DEFINED + CKM_DSA_SHA1 + 0x20 +CKM_DSA_SHA224_PKCS = CKM_VENDOR_DEFINED + CKM_DSA_SHA1 + 0x21 +CKM_DSA_SHA256_DEPRECATED = CKM_VENDOR_DEFINED + CKM_DSA_SHA1 + 0x22 +CKM_DSA_SHA256_PKCS = CKM_VENDOR_DEFINED + CKM_DSA_SHA1 + 0x23 +CKM_DSA_SHA384_PKCS = CKM_VENDOR_DEFINED + CKM_DSA_SHA1 + 0x24 +CKM_DSA_SHA512_PKCS = CKM_VENDOR_DEFINED + CKM_DSA_SHA1 + 0x25 +CKM_RIPEMD256_RSA_PKCS = CKM_VENDOR_DEFINED + CKM_RIPEMD160_RSA_PKCS + 0x1 +CKM_DES_MDC_2_PAD1 = CKM_VENDOR_DEFINED + 0x200 + 0x0 +CKM_MD4 = CKM_VENDOR_DEFINED + 0x200 + 0x1 +CKM_SHA = CKM_VENDOR_DEFINED + 0x200 + 0x2 +CKM_RIPEMD = CKM_VENDOR_DEFINED + 0x200 + 0x3 +CKM_ARDFP = CKM_VENDOR_DEFINED + 0x200 + 0x4 +CKM_NVB = CKM_VENDOR_DEFINED + 0x200 + 0x5 +CKM_DES_ECB_PAD = CKM_VENDOR_DEFINED + CKM_DES_ECB +CKM_CAST_ECB_PAD = CKM_VENDOR_DEFINED + CKM_CAST_ECB +CKM_CAST3_ECB_PAD = CKM_VENDOR_DEFINED + CKM_CAST3_ECB +CKM_CAST5_ECB_PAD = CKM_VENDOR_DEFINED + CKM_CAST5_ECB +CKM_CAST128_ECB_PAD = CKM_CAST5_ECB_PAD +CKM_DES3_ECB_PAD = CKM_VENDOR_DEFINED + CKM_DES3_ECB +CKM_IDEA_ECB_PAD = CKM_VENDOR_DEFINED + CKM_IDEA_ECB +CKM_RC2_ECB_PAD = CKM_VENDOR_DEFINED + CKM_RC2_ECB +CKM_CDMF_ECB_PAD = CKM_VENDOR_DEFINED + CKM_CDMF_ECB +CKM_RC5_ECB_PAD = CKM_VENDOR_DEFINED + CKM_RC5_ECB +CKM_XOR_BASE_AND_KEY = CKM_VENDOR_DEFINED + 0x364 +CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN = CKM_VENDOR_DEFINED + 0x143 +CKM_RSA_FIPS_186_4_PRIME_KEY_PAIR_GEN = CKM_VENDOR_DEFINED + 0x400 +CKM_DES_DERIVE_ECB = CKM_VENDOR_DEFINED + 0x500 +CKM_DES_DERIVE_CBC = CKM_VENDOR_DEFINED + 0x501 +CKM_DES3_DERIVE_ECB = CKM_VENDOR_DEFINED + 0x502 +CKM_DES3_DERIVE_CBC = CKM_VENDOR_DEFINED + 0x503 +CKM_DES3_RETAIL_CFB_MAC = CKM_VENDOR_DEFINED + 0x510 +CKM_MILENAGE_DERIVE = CKM_VENDOR_DEFINED + 0x511 +CKM_MILENAGE_SIGN = CKM_VENDOR_DEFINED + 0x512 +CKM_TUAK_SIGN = CKM_VENDOR_DEFINED + 0x513 +CKM_TUAK_DERIVE = CKM_VENDOR_DEFINED + 0x514 +CKM_KECCAK_1600 = CKM_VENDOR_DEFINED + 0x515 +CKM_SHA1_RSA_PKCS_TIMESTAMP = CKM_VENDOR_DEFINED + 0x600 +CKM_DES_BCF = CKM_VENDOR_DEFINED + 0x38E +CKM_DES3_BCF = CKM_VENDOR_DEFINED + 0x38F +CKM_DES3_X919_MAC = CKM_VENDOR_DEFINED + CKM_DES3_MAC +CKM_DES3_X919_MAC_GENERAL = CKM_VENDOR_DEFINED + CKM_DES3_MAC_GENERAL +CKM_ENCODE_PKCS_7 = CKM_VENDOR_DEFINED + 0x934 +CKM_DECODE_PKCS_7 = CKM_VENDOR_DEFINED + 0x935 +CKM_RSA_PKCS_7 = CKM_VENDOR_DEFINED + 0x930 +CKM_RSA_PKCS_7_ENC = CKM_VENDOR_DEFINED + 0x931 +CKM_RSA_PKCS_7_SIGN = CKM_VENDOR_DEFINED + 0x932 +CKM_RSA_PKCS_7_SIGN_ENC = CKM_VENDOR_DEFINED + 0x933 +CKM_DES_OFB64 = CKM_VENDOR_DEFINED + 0x940 +CKM_DES3_OFB64 = CKM_VENDOR_DEFINED + 0x941 +CKM_ENCODE_ATTRIBUTES = CKM_VENDOR_DEFINED + 0x950 +CKM_ENCODE_X_509 = CKM_VENDOR_DEFINED + 0x951 +CKM_ENCODE_PKCS_10 = CKM_VENDOR_DEFINED + 0x952 +CKM_DECODE_X_509 = CKM_VENDOR_DEFINED + 0x953 +CKM_ENCODE_PUBLIC_KEY = CKM_VENDOR_DEFINED + 0x954 +CKM_ENCODE_X_509_LOCAL_CERT = CKM_VENDOR_DEFINED + 0x955 +CKM_WRAPKEY_DES3_ECB = CKM_VENDOR_DEFINED + 0x961 +CKM_WRAPKEY_DES3_CBC = CKM_VENDOR_DEFINED + 0x962 +CKM_WRAPKEY_AES_CBC = CKM_VENDOR_DEFINED + 0x963 +CKM_DES3_DDD_CBC = CKM_VENDOR_DEFINED + 0x964 +CKM_WRAPKEYBLOB_AES_CBC = CKM_VENDOR_DEFINED + 0x970 +CKM_WRAPKEYBLOB_DES3_CBC = CKM_VENDOR_DEFINED + 0x971 +CKM_WRAPKEY_AES_KWP = CKM_VENDOR_DEFINED + 0x965 +CKM_AES_KW = CKM_VENDOR_DEFINED + 0x170 +CKM_AES_KWP = CKM_VENDOR_DEFINED + 0x171 +CKM_TDEA_TKW = CKM_VENDOR_DEFINED + 0x172 +CKM_VERIFY_CERTIFICATE = CKM_VENDOR_DEFINED + 0x980 +CKM_KEY_TRANSLATION = CK_VENDOR_DEFINED + 0x1B +CKM_OS_UPGRADE = CKM_VENDOR_DEFINED + 0x990 +CKM_FM_DOWNLOAD = CKM_VENDOR_DEFINED + 0x991 +CKM_OS_UPGRADE_2 = CKM_VENDOR_DEFINED + 0x994 +CKM_FM_DOWNLOAD_2 = CKM_VENDOR_DEFINED + 0x995 +CKM_FW_UPGRADE = CKM_VENDOR_DEFINED + 0x996 +CKM_GEN_PIK_ECC_P521 = CKM_VENDOR_DEFINED + 0x1000 +CKM_GEN_KTK_ECC_P521 = CKM_VENDOR_DEFINED + 0x1001 +CKM_GEN_KDE_ECC_P521_DERIVE_SEND = CKM_VENDOR_DEFINED + 0x1002 +CKM_GEN_KDE_ECC_P521_DERIVE_RECV = CKM_VENDOR_DEFINED + 0x1003 +CKM_TOKEN_WRAP_KTK_ECC_P521 = CKM_VENDOR_DEFINED + 0x1004 +CKM_PP_LOAD_SECRET = CKM_VENDOR_DEFINED + 0x9A0 +CKM_PP_LOAD_SECRET_2 = CKM_VENDOR_DEFINED + 0x9A1 +CKM_VISA_CVV = CKM_VENDOR_DEFINED + 0x9B0 +CKM_ZKA_MDC_2_KEY_DERIVATION = CKM_VENDOR_DEFINED + 0x9C0 +CKM_SEED_KEY_GEN = CKM_VENDOR_DEFINED + 0x9D0 +CKM_SEED_ECB = CKM_VENDOR_DEFINED + 0x9D1 +CKM_SEED_CBC = CKM_VENDOR_DEFINED + 0x9D2 +CKM_SEED_MAC = CKM_VENDOR_DEFINED + 0x9D3 +CKM_SEED_MAC_GENERAL = CKM_VENDOR_DEFINED + 0x9D4 +CKM_SEED_ECB_PAD = CKM_VENDOR_DEFINED + 0x9D5 +CKM_SEED_CBC_PAD = CKM_VENDOR_DEFINED + 0x9D6 +CKM_REPLICATE_TOKEN_RSA_AES = CKM_VENDOR_DEFINED + 0x9E0 +CKM_SECRET_SHARE_WITH_ATTRIBUTES = CKM_VENDOR_DEFINED + 0x9F0 +CKM_SECRET_RECOVER_WITH_ATTRIBUTES = CKM_VENDOR_DEFINED + 0x9F1 +CKM_PKCS12_PBE_EXPORT = CKM_VENDOR_DEFINED + 0x9F2 +CKM_PKCS12_PBE_IMPORT = CKM_VENDOR_DEFINED + 0x9F3 +CKM_ECIES = CKM_VENDOR_DEFINED + 0xA00 +CKM_NIST_PRF_KDF = CKM_VENDOR_DEFINED + 0xA02 +CKM_PRF_KDF = CKM_VENDOR_DEFINED + 0xA03 +CKM_SET_ATTRIBUTES = CKM_VENDOR_DEFINED + 0xA10 +CKM_ECDSA_SHA224 = CKM_VENDOR_DEFINED + 0x122 +CKM_ECDSA_SHA256 = CKM_VENDOR_DEFINED + 0x123 +CKM_ECDSA_SHA384 = CKM_VENDOR_DEFINED + 0x124 +CKM_ECDSA_SHA512 = CKM_VENDOR_DEFINED + 0x125 +CKM_BIP32_MASTER_DERIVE = CKM_VENDOR_DEFINED + 0xE00 +CKM_BIP32_CHILD_DERIVE = CKM_VENDOR_DEFINED + 0xE01 +CKM_ECDSA_GBCS_SHA256 = CKM_VENDOR_DEFINED + 0x161 +CKM_EC_EDWARDS_KEY_PAIR_GEN = CKM_VENDOR_DEFINED + 0x0C01 +CKM_EDDSA = CKM_VENDOR_DEFINED + 0x0C03 +CKM_SHA1_EDDSA = CKM_VENDOR_DEFINED + 0x0C09 +CKM_SHA224_EDDSA = CKM_VENDOR_DEFINED + 0x0C0A +CKM_SHA256_EDDSA = CKM_VENDOR_DEFINED + 0x0C0B +CKM_SHA384_EDDSA = CKM_VENDOR_DEFINED + 0x0C0C +CKM_SHA512_EDDSA = CKM_VENDOR_DEFINED + 0x0C0D +CKM_SHA3_224_EDDSA = CKM_VENDOR_DEFINED + 0x1C0A +CKM_SHA3_256_EDDSA = CKM_VENDOR_DEFINED + 0x1C0B +CKM_SHA3_384_EDDSA = CKM_VENDOR_DEFINED + 0x1C0C +CKM_SHA3_512_EDDSA = CKM_VENDOR_DEFINED + 0x1C0D +CKM_EC_MONTGOMERY_KEY_PAIR_GEN = CKM_VENDOR_DEFINED + 0xD01 +CKA_DES_USAGE_COUNT = CKM_VENDOR_DEFINED + 0x4000 +CKM_FIPS_EVAL_REQUEST = CKR_VENDOR_DEFINED + 0x10000 + 0x00001 +CK_TIMESTAMP_FORMAT_ERACOM = 0x00000001 +CK_TIMESTAMP_FORMAT_PTKC = 0x00000001 +CKF_PKCS_7_INCLUDE_CERTS_AND_CRLS = 0x01 +CKDHP_STANDARD = 0x00000001 +CKDHP_MODIFIED = 0x00000002 +CKES_XOR = 0x00000001 +CKES_DES3_CBC_PAD = 0x00000002 +CKMS_HMAC_SHA1 = 0x00000001 +CKMS_SHA1 = 0x00000002 +CK_NIST_PRF_KDF_DES3_CMAC = 0x00000001 +CK_NIST_PRF_KDF_AES_CMAC = 0x00000002 +CK_PRF_KDF_ARIA_CMAC = 0x00000003 +CK_PRF_KDF_SEED_CMAC = 0x00000004 +LUNA_PRF_KDF_ENCODING_SCHEME_1 = 0x00000000 +LUNA_PRF_KDF_ENCODING_SCHEME_2 = 0x00000001 +CK_KDE_MACTAG_LEN = 512 / 8 +CKR_ERACOM_ERROR = CKR_VENDOR_DEFINED + 0x100 +CKR_TIME_STAMP = CKR_ERACOM_ERROR + 0x01 +CKR_ACCESS_DENIED = CKR_ERACOM_ERROR + 0x02 +CKR_CRYPTOKI_UNUSABLE = CKR_ERACOM_ERROR + 0x03 +CKR_ENCODE_ERROR = CKR_ERACOM_ERROR + 0x04 +CKR_V_CONFIG = CKR_ERACOM_ERROR + 0x05 +CKR_SO_NOT_LOGGED_IN = CKR_ERACOM_ERROR + 0x06 +CKR_CERT_NOT_VALIDATED = CKR_ERACOM_ERROR + 0x07 +CKR_PIN_ALREADY_INITIALIZED = CKR_ERACOM_ERROR + 0x08 +CKR_REMOTE_SERVER_ERROR = CKR_ERACOM_ERROR + 0x0A +CKR_CSA_HW_ERROR = CKR_ERACOM_ERROR + 0x0B +CKR_NO_CHALLENGE = CKR_ERACOM_ERROR + 0x10 +CKR_RESPONSE_INVALID = CKR_ERACOM_ERROR + 0x11 +CKR_EVENT_LOG_NOT_FULL = CKR_ERACOM_ERROR + 0x13 +CKR_OBJECT_READ_ONLY = CKR_ERACOM_ERROR + 0x14 +CKR_TOKEN_READ_ONLY = CKR_ERACOM_ERROR + 0x15 +CKR_TOKEN_NOT_INITIALIZED = CKR_ERACOM_ERROR + 0x16 +CKR_NOT_ADMIN_TOKEN = CKR_ERACOM_ERROR + 0x17 +CKR_CERTIFICATE_NOT_YET_ACTIVE = CKR_ERACOM_ERROR + 0x20 +CKR_CERTIFICATE_EXPIRED = CKR_ERACOM_ERROR + 0x21 +CKR_AUTHENTICATION_REQUIRED = CKR_ERACOM_ERROR + 0x30 +CKR_OPERATION_NOT_PERMITTED = CKR_ERACOM_ERROR + 0x31 +CKR_PKCS12_DECODE = CKR_ERACOM_ERROR + 0x32 +CKR_PKCS12_UNSUPPORTED_SAFEBAG_TYPE = CKR_ERACOM_ERROR + 0x33 +CKR_PKCS12_UNSUPPORTED_PRIVACY_MODE = CKR_ERACOM_ERROR + 0x34 +CKR_PKCS12_UNSUPPORTED_INTEGRITY_MODE = CKR_ERACOM_ERROR + 0x35 +CKR_KEY_NOT_ACTIVE = CKR_ERACOM_ERROR + 0x036 +CKR_ET_NOT_ODD_PARITY = CKR_ERACOM_ERROR + 0x40 +CKR_HOST_ERROR = CKR_VENDOR_DEFINED + 0x1000 +CKR_BAD_REQUEST = CKR_HOST_ERROR + 1 +CKR_BAD_ATTRIBUTE_PACKING = CKR_HOST_ERROR + 2 +CKR_BAD_ATTRIBUTE_COUNT = CKR_HOST_ERROR + 3 +CKR_BAD_PARAM_PACKING = CKR_HOST_ERROR + 4 +CKR_EXTERN_DCP_ERROR = CKR_HOST_ERROR + 0x386 +CKR_MSG_ERROR = CKR_VENDOR_DEFINED + 0x300 +CKR_CANNOT_DERIVE_KEYS = CKR_MSG_ERROR + 0x81 +CKR_BAD_REQ_SIGNATURE = CKR_MSG_ERROR + 0x82 +CKR_BAD_REPLY_SIGNATURE = CKR_MSG_ERROR + 0x83 +CKR_SMS_ERROR = CKR_MSG_ERROR + 0x84 +CKR_BAD_PROTECTION = CKR_MSG_ERROR + 0x85 +CKR_DEVICE_RESET = CKR_MSG_ERROR + 0x86 +CKR_NO_SESSION_KEYS = CKR_MSG_ERROR + 0x87 +CKR_BAD_REPLY = CKR_MSG_ERROR + 0x88 +CKR_KEY_ROLLOVER = CKR_MSG_ERROR + 0x89 +CKR_NEED_IV_UPDATE = CKR_MSG_ERROR + 0x10 +CKR_DUPLICATE_IV_FOUND = CKR_MSG_ERROR + 0x11 +CKR_WLD_ERROR = CKR_VENDOR_DEFINED + 0x2000 +CKR_WLD_CONFIG_NOT_FOUND = (CKR_WLD_ERROR) + 0x01 +CKR_WLD_CONFIG_ITEM_READ_FAILED = (CKR_WLD_ERROR) + 0x02 +CKR_WLD_CONFIG_NO_TOKEN_LABEL = (CKR_WLD_ERROR) + 0x03 +CKR_WLD_CONFIG_TOKEN_LABEL_LEN = (CKR_WLD_ERROR) + 0x04 +CKR_WLD_CONFIG_TOKEN_SERIAL_NUM_LEN = (CKR_WLD_ERROR) + 0x05 +CKR_WLD_CONFIG_SLOT_DESCRIPTION_LEN = (CKR_WLD_ERROR) + 0x06 +CKR_WLD_CONFIG_ITEM_FORMAT_INVALID = (CKR_WLD_ERROR) + 0x07 +CKR_WLD_LOGIN_CACHE_INCONSISTENT = (CKR_WLD_ERROR) + 0x10 +CKR_HA_ERROR = CKR_VENDOR_DEFINED + 0x3000 +CKR_HA_MAX_SLOTS_INVALID_LEN = (CKR_HA_ERROR) + 0x01 +CKR_HA_SESSION_HANDLE_INVALID = (CKR_HA_ERROR) + 0x02 +CKR_HA_SESSION_INVALID = (CKR_HA_ERROR) + 0x03 +CKR_HA_OBJECT_INDEX_INVALID = (CKR_HA_ERROR) + 0x04 +CKR_HA_CANNOT_RECOVER_KEY = (CKR_HA_ERROR) + 0x05 +CKR_HA_NO_HSM = (CKR_HA_ERROR) + 0x06 +CKR_HA_OUT_OF_OBJS = (CKR_HA_ERROR) + 0x07 +CKR_SECURITY_FLAGS_INCOMPATIBLE = CKR_VENDOR_DEFINED + 0x3500 +CKR_FM_ERROR = CKR_VENDOR_DEFINED + 0x4000 +CKR_FM_NOT_REGISTERED = (CKR_FM_ERROR) + 0x01 +CKR_FM_DISPATCH_BLOCKED = (CKR_FM_ERROR) + 0x02 +CKR_BIP32_CHILD_INDEX_INVALID = CKR_VENDOR_DEFINED + 0x7B +CKR_BIP32_INVALID_HARDENED_DERIVATION = CKR_VENDOR_DEFINED + 0x7C +CKR_BIP32_MASTER_SEED_LEN_INVALID = CKR_VENDOR_DEFINED + 0x7D +CKR_BIP32_MASTER_SEED_INVALID = CKR_VENDOR_DEFINED + 0x7E +CKR_BIP32_INVALID_KEY_PATH_LEN = CKR_VENDOR_DEFINED + 0x7F +CKR_OTP_PIN_INCORRECT = CKR_VENDOR_DEFINED + 0x8B +CKR_OTP_PIN_LEN_RANGE = CKR_VENDOR_DEFINED + 0x8C +CKR_OTP_PIN_ALREADY_INITIALIZED = CKR_VENDOR_DEFINED + 0x8D +CKR_OTP_PIN_NOT_INITIALIZED = CKR_VENDOR_DEFINED + 0x8E +CKR_OTP_PIN_REUSED = CKR_VENDOR_DEFINED + 0x8F +CKR_POINT_INVALID = CKR_VENDOR_DEFINED + 0x90 diff --git a/pycryptoki/pycryptoki_client.py b/pycryptoki/pycryptoki_client.py index 12ede97..c3a8f1a 100755 --- a/pycryptoki/pycryptoki_client.py +++ b/pycryptoki/pycryptoki_client.py @@ -3,7 +3,7 @@ from rpyc.utils.classic import SlaveService from six import string_types, binary_type -from pycryptoki.string_helpers import _decode, _coerce_mech_to_str +from pycryptoki.string_helpers import _decode, _coerce_mech_to_str, pformat_pyc_args """ Contains both a local and remote pycryptoki client @@ -106,35 +106,8 @@ def log_args(funcname, arg_dict): log_msg = "Remote pycryptoki command: {}()".format(funcname) if arg_dict: log_msg += " with args:" - log_list = [log_msg] - for key, value in arg_dict.items(): - if "template" in key and isinstance(value, dict): - # Means it's a template, so let's perform a lookup on all of the objects within - # this. - log_list.append("\t%s: " % key) - for template_key, template_value in arg_dict[key].items(): - log_list.append( - "\t\t%s: %s" - % (ATTR_NAME_LOOKUP.get(template_key, template_key), template_value) - ) - elif "password" in key: - log_list.append("\t%s: *" % key) - elif "mechanism" in key: - log_list.append("\t%s: " % key) - nice_mech = _coerce_mech_to_str(arg_dict[key]).splitlines() - log_list.extend(["\t\t%s" % x for x in nice_mech]) - else: - if isinstance(value, binary_type): - log_val = _decode(value) - else: - log_val = value - - if isinstance(log_val, (string_types, binary_type)) and len(log_val) > 40: - msg = "\t%s: %s[...]%s" % (key, log_val[:20], log_val[-20:]) - else: - msg = "\t%s: %s" % (key, log_val) - log_list.append(msg) - + formatted_args = pformat_pyc_args(arg_dict) + log_list = [log_msg] + ["\t{}".format(x) for x in formatted_args] LOG.debug("\n".join(log_list)) diff --git a/pycryptoki/string_helpers.py b/pycryptoki/string_helpers.py index d8a65a0..e8f416c 100644 --- a/pycryptoki/string_helpers.py +++ b/pycryptoki/string_helpers.py @@ -1,26 +1,29 @@ -from six import integer_types +import binascii +from six import integer_types, binary_type, string_types + +from pycryptoki.lookup_dicts import ATTR_NAME_LOOKUP from .conversions import to_hex, from_bytestring from .cryptoki import CK_MECHANISM +PYC_MAX_ARG_LENGTH = 40 + def _decode(value): """ - Attempts to convert invalid bytestring data to hex while preserving regular text. + Attempt to convert a bytestring into something more readable. Assumes hex first, if that fails and non-standard + characters are in the bytestring ( e.g. ``\x12``), convert to hex. - It does this by attempting to decode the string to unicode (using utf8), and on failure - converting to hex. There are some corner cases where bytestring data is still valid unicode. - - :param value: Bytestring that should be converted to either unicode or hex. - :return: string. + Anything converted to hex will be returned as *unicode*; anything that is left 'as-is', will stay bytestring. """ try: - ret = value.decode("utf-8", "strict") - except UnicodeDecodeError: - ret = to_hex(from_bytestring(value)).decode("utf-8", "backslashreplace") - except Exception: - ret = value - return ret + binascii.unhexlify(value) + # value is already valid hex, return it. + return value.decode("utf-8", "ignore") + except (binascii.Error, TypeError): + if "\\x" in repr(value): + return to_hex(from_bytestring(value)).decode("utf-8", "ignore") + return value def _coerce_mech_to_str(mech): @@ -43,3 +46,59 @@ def _coerce_mech_to_str(mech): pass return str(mech) + + +def _trunc(val): + msg = str(val) + if len(msg) > PYC_MAX_ARG_LENGTH: + msg = "%s[...]%s" % ( + msg[: PYC_MAX_ARG_LENGTH // 2], + msg[-PYC_MAX_ARG_LENGTH // 2 :], + ) + return msg + + +def pformat_pyc_args(func_args): + """ + Convert a dictionary of funcargs: funcvalues into a nicely formatted string. + + This will resolve template dictionary keys to CKA_ names, convert bytestring to + hex, mask passwords, and truncate args over ``PYC_MAX_ARG_LENGTH`` to that size. + + :param func_args: dictionary + :return: formatted string. + """ + log_list = [] + for key, value in func_args.items(): + if "template" in key and isinstance(value, dict): + # Means it's a template, so let's perform a lookup on all of the objects within + # this. + log_list.append("%s: " % key) + # Sorted so we get the same order every time for testing purposes. + for template_key, template_value in sorted(value.items(), key=lambda x: x[0]): + log_list.append( + "\t%s: %s" + % ( + ATTR_NAME_LOOKUP.get(template_key, "0x%08x" % template_key), + _trunc(_decode(template_value)), + ) + ) + elif "password" in key: + log_list.append("%s: *" % key) + elif "mechanism" in key: + log_list.append("%s: " % key) + nice_mech = _coerce_mech_to_str(value).splitlines() + log_list.extend(["\t%s" % x for x in nice_mech]) + else: + log_val = value + if isinstance(value, (binary_type, string_types)): + if isinstance(value, binary_type): + log_val = _decode(value) + else: + log_val = str(value) + + msg = "\t%s: %s" % (key, _trunc(log_val)) + + log_list.append(msg) + + return log_list diff --git a/setup.py b/setup.py index 3ae77a8..1b033ee 100755 --- a/setup.py +++ b/setup.py @@ -13,7 +13,7 @@ description="A python wrapper around the C cryptoki library.", author="Ashley Straw", url="https://github.com/gemalto/pycryptoki", - version="2.5.18", + version="2.5.23", packages=[ "pycryptoki", "pycryptoki.cryptoki", diff --git a/tests/functional/conftest.py b/tests/functional/conftest.py index 78f05e1..783d08f 100644 --- a/tests/functional/conftest.py +++ b/tests/functional/conftest.py @@ -50,6 +50,14 @@ def pytest_addoption(parser): default=os.environ.get("SLOT", 1), dest="test_slot", ) + optiongroup.addoption( + "--clo-slot", + help="Specify the slot as the target cloning slot", + type=int, + default=os.environ.get("CLONE_SLOT", 2), + dest="test_clone_slot", + required=False, + ) optiongroup.addoption( "--reset", help="Reset the HSM back to its default settings with a factory" " reset.", @@ -97,6 +105,7 @@ def pytest_configure(config): logger.setLevel(config.getoption("loglevel").upper()) hsm_config["test_slot"] = config.getoption("test_slot") + hsm_config["test_clone_slot"] = config.getoption("test_clone_slot") hsm_config["user"] = config.getoption("user") hsm_config["reset"] = config.getoption("reset") diff --git a/tests/functional/test_cpv4.py b/tests/functional/test_cpv4.py new file mode 100755 index 0000000..eab47a5 --- /dev/null +++ b/tests/functional/test_cpv4.py @@ -0,0 +1,357 @@ +""" +Testcases for wrapping/unwrapping keys. +""" +import logging +from distutils.version import LooseVersion +from contextlib import contextmanager +import random + +import pytest + +from pycryptoki.session_management import c_open_session_ex, login_ex, c_close_session, c_logout +from pycryptoki.cryptoki import CK_ULONG +from pycryptoki.ca_extensions.cpv4 import ca_migrate_keys, MIGRATION_DATA +from pycryptoki.default_templates import ( + get_default_key_template, + CERTIFICATE_TEMPLATE, + DATA_TEMPLATE, + get_default_key_pair_template, +) +from pycryptoki.defines import ( + CKF_RW_SESSION, + CKF_SERIAL_SESSION, + CKF_CPV4_CONTINUE_ON_ERR, + LUNA_CRYPTOKI_ELEMENT, + CKM_DES_ECB, + CKM_DES_CBC, + CKM_DES_CBC_PAD, + CKM_DES_KEY_GEN, + CKM_DES3_ECB, + CKM_DES3_CBC, + CKM_DES3_CBC_PAD, + CKM_DES3_KEY_GEN, + CKM_AES_ECB, + CKM_AES_CBC, + CKM_AES_CBC_PAD, + CKM_AES_KEY_GEN, + CKM_CAST3_ECB, + CKM_CAST3_CBC, + CKM_CAST3_CBC_PAD, + CKM_CAST3_KEY_GEN, + CKM_CAST5_ECB, + CKM_CAST5_CBC, + CKM_CAST5_CBC_PAD, + CKM_CAST5_KEY_GEN, + CKM_RC4_KEY_GEN, + CKM_RC2_KEY_GEN, + CKM_RSA_PKCS_KEY_PAIR_GEN, + CKM_RSA_X9_31_KEY_PAIR_GEN, + CKM_SEED_ECB, + CKM_SEED_CBC, + CKM_SEED_KEY_GEN, + CKR_OK, + CKA_DECRYPT, + CKA_VERIFY, + CKA_UNWRAP, + CKM_AES_KWP, + CKA_VALUE_LEN, + CKA_EXTRACTABLE, + CKA_OUID, + LUNA_NULL_ELEMENT, + LUNA_PARAM_ELEMENT, + LUNA_CONTAINER_ACTIVATION_ELEMENT, + LUNA_MOFN_ACTIVATION_ELEMENT, + LUNA_CONTAINER_ELEMENT, + LUNA_UNKNOWN_ELEMENT, + CKA_TOKEN, + CKR_INTEGER_OVERFLOW, +) +from pycryptoki.encryption import c_wrap_key, c_unwrap_key, c_encrypt, c_decrypt +from pycryptoki.key_generator import ( + c_destroy_object, + c_generate_key, + c_generate_key_ex, + c_generate_key_pair, +) +from pycryptoki.misc import c_create_object_ex +from pycryptoki.lookup_dicts import ret_vals_dictionary +from pycryptoki.object_attr_lookup import c_get_attribute_value_ex, c_find_objects_ex +from pycryptoki.test_functions import verify_object_attributes +from . import config as hsm_config +from .util import get_session_template + +logger = logging.getLogger(__name__) + +SYM_KEYS = [ + CKM_DES_KEY_GEN, + CKM_DES3_KEY_GEN, + CKM_AES_KEY_GEN, + CKM_CAST3_KEY_GEN, + CKM_CAST5_KEY_GEN, + CKM_SEED_KEY_GEN, + CKM_RC4_KEY_GEN, + CKM_RC2_KEY_GEN, +] +ASYM_KEYS = [CKM_RSA_PKCS_KEY_PAIR_GEN] +SYM = "sym" +ASYM = "asym" +DATA = "data" +CERT_DATA = "cert_data" +USER_TYPE = 1 +SESSION_FLAGS = CKF_SERIAL_SESSION | CKF_RW_SESSION +INVALID_OBJECTS_TYPES = [ + LUNA_NULL_ELEMENT, + LUNA_PARAM_ELEMENT, + LUNA_CONTAINER_ACTIVATION_ELEMENT, + LUNA_MOFN_ACTIVATION_ELEMENT, + LUNA_CONTAINER_ELEMENT, + LUNA_UNKNOWN_ELEMENT, +] + + +@contextmanager +def get_co_auth_session(slot, user_pwd): + """opens a session and logs in as CO""" + h_session = None + try: + h_session = c_open_session_ex(slot, SESSION_FLAGS) + login_ex(h_session, slot, user_pwd, USER_TYPE) + yield h_session + finally: + if h_session: + c_logout(h_session) + c_close_session(slot) + + +@pytest.fixture(scope="class") +def source_session(hsm_configured): + """Opens a session for the source partition and logs in""" + _ = hsm_configured + slot = hsm_config["test_slot"] + with get_co_auth_session(slot, hsm_config["password"]) as session: + yield session + + +@pytest.fixture(scope="class") +def target_session(hsm_configured): + """opens a session for target partition and logs in""" + _ = hsm_configured + slot = hsm_config["test_clone_slot"] + with get_co_auth_session(slot, hsm_config["password"]) as session: + yield session + + +@contextmanager +def gen_sym_keys(source_session, key_type, num_obj=1): + """ Fixture containing keys""" + keys = [] + try: + for _ in range(num_obj): + template = get_default_key_template(key_type) + ret, key_handle = c_generate_key(source_session, key_type, template) + if ret == CKR_OK: + keys.append(key_handle) + else: + logger.info("Failed to generate key: {}\nReturn code: {}".format(key_type, ret)) + yield keys + finally: + destroy_objects(source_session, keys) + + +@contextmanager +def gen_asym_keys(source_session, key_type, num_obj=1): + """ Fixture containing all asym. keys """ + keys = [] + try: + for _ in range(num_obj): + pub_temp, prv_temp = get_default_key_pair_template(key_type) + + ret, pub_key, prv_key = c_generate_key_pair( + source_session, key_type, pub_temp, prv_temp + ) + if ret == CKR_OK: + keys += [pub_key, prv_key] + else: + logger.info("Failed to generate key: %s\nReturn code: %s", key_type, ret) + yield keys + + finally: + destroy_objects(source_session, keys) + + +@contextmanager +def create_data_object(session, data_type, num_obj=1): + template = get_session_template(data_type) + data_objects = [] + try: + for _ in range(num_obj): + h_obj = c_create_object_ex(session, template) + data_objects.append(h_obj) + yield data_objects + finally: + destroy_objects(session, data_objects) + + +OBJ_FUNC_MAP = { + SYM: (gen_sym_keys, SYM_KEYS), + ASYM: (gen_asym_keys, ASYM_KEYS), + DATA: (create_data_object, [DATA_TEMPLATE]), + CERT_DATA: (create_data_object, [CERTIFICATE_TEMPLATE]), +} + + +def destroy_objects(session, obj_list): + """common function to destroy objects""" + for obj in obj_list: + if obj is not None: + c_destroy_object(session, obj) + + +@pytest.fixture(scope="class") +def migration_flags(): + """The value of the migration flag""" + yield CKF_CPV4_CONTINUE_ON_ERR + + +def get_migration_data(objects_to_clone, object_type=LUNA_CRYPTOKI_ELEMENT): + """Prepares the migration data""" + mig_data_list = [] + for obj in objects_to_clone: + mig_data_list.append(MIGRATION_DATA(object_type=object_type, source_handle=obj)) + + return mig_data_list + + +@pytest.fixture(scope="function", params=[CERT_DATA, DATA, SYM, ASYM]) +def one_object(request, source_session): + """generates one object (pair of objects)""" + func, param = OBJ_FUNC_MAP[request.param] + with func(source_session, param[0]) as obj: + yield get_migration_data(obj) + + +@pytest.fixture(scope="function") +def invalid_object_handle(): + """invalid object handle""" + yield [MIGRATION_DATA(object_type=LUNA_CRYPTOKI_ELEMENT, source_handle=11111)] + + +@pytest.fixture(scope="function", params=INVALID_OBJECTS_TYPES) +def invalid_object_type(request, source_session): + """Create invalid object types MIGRATION_DATA""" + with create_data_object(source_session, DATA_TEMPLATE) as data_obj: + yield [MIGRATION_DATA(object_type=request.param, source_handle=data_obj[0])] + + +@pytest.fixture(scope="function") +def hundred_objects(source_session): + """generates 100 token objects""" + with gen_asym_keys(source_session, ASYM_KEYS[0], 30) as asym_keys, gen_sym_keys( + source_session, random.choice(SYM_KEYS), 40 + ) as sym_keys: + yield get_migration_data(asym_keys + sym_keys) + + +@pytest.fixture(scope="function") +def mix_objects(source_session): + """generates a mix of sym/asym keys and data and certificate objects""" + with gen_asym_keys(source_session, ASYM_KEYS[0], 5) as asym_keys, gen_sym_keys( + source_session, random.choice(SYM_KEYS), 20 + ) as sym_keys, create_data_object( + source_session, DATA_TEMPLATE, 20 + ) as data_obj, create_data_object( + source_session, CERTIFICATE_TEMPLATE, 20 + ) as cert_obj: + yield get_migration_data(asym_keys + sym_keys + data_obj + cert_obj) + + +def verify_migrated_objects( + source_session, target_session, source_objs, migrated_objs, expected_retcode=CKR_OK +): + """verifies CA_MigrateKeys result""" + src_ouids = [ + c_get_attribute_value_ex(source_session, obj.source_handle, {CKA_OUID: None})[CKA_OUID] + for obj in source_objs + ] + for rv, obj_h in migrated_objs: + + assert rv == expected_retcode + if expected_retcode == CKR_OK: + target_uid = c_get_attribute_value_ex(target_session, obj_h, {CKA_OUID: None})[CKA_OUID] + assert target_uid in src_ouids + + +@pytest.fixture(scope="function", autouse=True) +def clean_target_partition(target_session): + """finds objects in target partition and cleans them""" + yield + objs = c_find_objects_ex(target_session, {CKA_TOKEN: True}, 100) + destroy_objects(target_session, objs) + + +class TestMigrateKeys(object): + """ + Testcases for migrating keys. + """ + + def test_migrate_one_obj(self, source_session, target_session, migration_flags, one_object): + """ + Test migrating keys + """ + ret, mig_data = ca_migrate_keys( + source_session, target_session, migration_flags, len(one_object), one_object + ) + assert ret == CKR_OK + verify_migrated_objects(source_session, target_session, one_object, mig_data) + + def test_migrate_invalid_obj_handle( + self, source_session, target_session, migration_flags, invalid_object_handle + ): + """ + Test migrating keys + """ + ret, mig_data = ca_migrate_keys( + source_session, + target_session, + migration_flags, + len(invalid_object_handle), + invalid_object_handle, + ) + assert ret == 7 + + def test_migrate_invalid_obj_type( + self, source_session, target_session, migration_flags, invalid_object_type + ): + """ + Test migrating keys + """ + ret, mig_data = ca_migrate_keys( + source_session, + target_session, + migration_flags, + len(invalid_object_type), + invalid_object_type, + ) + assert ret == 5 + + def test_migrate_hundred_obj( + self, source_session, target_session, migration_flags, hundred_objects + ): + """ + Test migrating keys + """ + ret, mig_data = ca_migrate_keys( + source_session, target_session, migration_flags, len(hundred_objects), hundred_objects + ) + assert ret == CKR_OK + verify_migrated_objects(source_session, target_session, hundred_objects, mig_data) + + def test_migrate_mix_obj(self, source_session, target_session, migration_flags, mix_objects): + """ + Test migrating keys + """ + ret, mig_data = ca_migrate_keys( + source_session, target_session, migration_flags, len(mix_objects), mix_objects + ) + assert ret == CKR_OK + verify_migrated_objects(source_session, target_session, mix_objects, mig_data) diff --git a/tests/unittests/test_str_helpers.py b/tests/unittests/test_str_helpers.py index 44c15b6..62c13e1 100644 --- a/tests/unittests/test_str_helpers.py +++ b/tests/unittests/test_str_helpers.py @@ -1,26 +1,46 @@ +# coding=utf-8 """ Testcases for string helpers """ + import pytest -from pycryptoki.mechanism import Mechanism +from hypothesis import given, strategies, example + +from pycryptoki.default_templates import dh_prime +from pycryptoki.mechanism import Mechanism, IvMechanism -from pycryptoki.defines import CKM_DES_ECB, CKM_AES_CBC -from pycryptoki.string_helpers import _decode, _coerce_mech_to_str +from pycryptoki.defines import ( + CKM_DES_ECB, + CKM_AES_CBC, + CKA_DECRYPT, + CKA_OUID, + CKA_PRIME, + CKA_KEY_TYPE, +) +from pycryptoki.string_helpers import _decode, _coerce_mech_to_str, pformat_pyc_args @pytest.mark.parametrize( "value,ret", [ - (b"this is a test string", u"this is a test string"), - (b"\x01\x23\x82\x20\x01\xb6\x09\xd2\xb6|gN\xcc", u"0123822001b609d2b67c674ecc"), + (b"this is a test string", b"this is a test string"), + (b"\x01\x23\x82\x20\x01\xb6\x09\xd2\xb6|gN\xcc", "0123822001b609d2b67c674ecc"), (None, None), - (b"", u""), + (b"", ""), ], ) def test_decode(value, ret): assert _decode(value) == ret +@given(strategies.binary()) +# Explicit example from a failing test in live -- has a unicode character that will fail on a str() call in python2 +@example(u" SxҎTmi".encode("utf-8")) +def test_fuzzed_decoding(bdata): + # raises if we couldn't call str() on the results + pformat_pyc_args({"data": bdata}) + + CBC_OUT = """Iv16Mechanism(mech_type: CKM_AES_CBC, iv: [0, 1, 2, 3, 4, 5, 6, 7])""" @@ -34,3 +54,44 @@ def test_decode(value, ret): ) def test_mech_printing(mech, output): assert _coerce_mech_to_str(mech) == output + + +@pytest.mark.parametrize( + "testargs,expected_result", + [ + ( + {"mechanism": IvMechanism(mech_type=CKM_AES_CBC)}, + "mechanism: \n\tIvMechanism(mech_type: CKM_AES_CBC)", + ), + ( + { + "wrapped_key": b"\n\xd7\x04R\xd5OufU\x15\x19\xf4\x93\x94\x05\xec\xf9b\x92\xb5,\xa75NM\x93\x14\xeb\xdd\x97\xe0\x8a\xe6\x15w\x86\xe9\x12mu\xb5l\x80QG\x852$X!\xf3H\x05+\xff\xc6j\xa7\x14\xf9\xdb\x1b\n\xd3", + }, + "wrapped_key: 0ad70452d54f75665515[...]ffc66aa714f9db1b0ad3", + ), + ( + {"template": {CKA_DECRYPT: True, 0x80000111: True, CKA_KEY_TYPE: 0}}, + "\n\tCKA_DECRYPT: True\n\t0x80000111: True", + ), + ({"password": "badpassword"}, "password: *"), + ( + {"template": {CKA_OUID: b"005211001100000128230900"}}, + "template: \n\tCKA_OUID: 005211001100000128230900", + ), + ( + {"public_template": {CKA_PRIME: dh_prime}}, + "public_template: \n\tCKA_PRIME: [244, 136, 253, 88, [...], 233, 47, 120, 199]", + ), + ], + ids=[ + "Mechanism", + "Invalid UTF8 (binary data)", + "Template", + "password", + "ouid template", + "long template value", + ], +) +def test_arg_formatting(testargs, expected_result): + result = pformat_pyc_args(testargs) + assert expected_result in "\n".join(result)