Merge pull request #24 from ThalesGroup/merge_21_06

Merge 21 06

.gitlab-ci.yml

@@ -32,7 +32,8 @@ lint:
   stage: lint
   interruptible: true
   script:
-    - black -l 100 . --check
+    - black --version
+    - black -l 100 . --check --diff
 
 test:
   needs: []

docs/conf.py

@@ -52,7 +52,7 @@
 
 # General information about the project.
 project = u"Pycryptoki"
-copyright = u"2020, Gemalto"
+copyright = u"2020-2021, Gemalto"
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
@@ -61,7 +61,7 @@
 # The short X.Y version.
 version = "2.5"
 # The full version, including alpha/beta/rc tags.
-release = "2.5.18"
+release = "2.5.23"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

pycryptoki/ca_extensions/cpv4.py

@@ -0,0 +1,59 @@
+"""
+cpv4 ca extensions
+"""
+import logging
+from collections import namedtuple
+from copy import deepcopy
+
+from pycryptoki.defines import CKR_OK
+from pycryptoki.cryptoki import (
+    CA_MigrateKeys,
+    CK_ULONG,
+    CK_SESSION_HANDLE,
+    CK_OBJECT_MIGRATION_DATA,
+)
+from pycryptoki.exceptions import make_error_handle_function
+
+
+LOG = logging.getLogger(__name__)
+MIGRATION_KEYS = ["object_type", "source_handle"]
+MIGRATION_DATA = namedtuple("MIGRATION_DATA", deepcopy(MIGRATION_KEYS))
+
+
+def get_mig_data_c_struct(mig_data_list):
+    """
+    Build an array of :class:`~pycryptoki.cryptoki.CK_OBJECT_MIGRATION_DATA` Structs & return it.
+
+    :return: :class:`~pycryptoki.cryptoki.CK_OBJECT_MIGRATION_DATA` array
+    """
+    ret_struct = (CK_OBJECT_MIGRATION_DATA * len(mig_data_list))()
+    for index, mig_data in enumerate(mig_data_list):
+        object_type, source_handle = mig_data
+        ret_struct[index] = CK_OBJECT_MIGRATION_DATA(
+            objectType=object_type, sourceHandle=source_handle
+        )
+    return ret_struct
+
+
+def ca_migrate_keys(
+    source_session, target_session, migration_flags, num_objects, objects_to_migrate
+):
+    """
+    Runs CA_MigrateKeys command
+
+    :param objects_to_migrate: a list of tuples (objectType, sourceHandle) or list of MIGRATION_DATA
+    """
+    objects_to_migrate = (
+        objects_to_migrate if isinstance(objects_to_migrate, list) else [objects_to_migrate]
+    )
+    c_mig_data = get_mig_data_c_struct(objects_to_migrate)
+
+    ret = CA_MigrateKeys(source_session, target_session, migration_flags, num_objects, c_mig_data)
+
+    if ret != CKR_OK:
+        return ret, None
+
+    return ret, [(data.rv, data.targetHandle) for data in c_mig_data]
+
+
+ca_migrate_keys_ex = make_error_handle_function(ca_migrate_keys)

pycryptoki/cryptoki/__init__.py

@@ -138,6 +138,8 @@
     "CA_InitSlotRolePIN",
     "CA_InitializeRemotePEDVector",
     "CA_Insert",
+    "CA_MigrateKeys",
+    "CA_MigrationStartSessionNegotiation",
     "CA_InsertMaskedObject",
     "CA_InvokeService",
     "CA_InvokeServiceAsynch",
@@ -472,6 +474,12 @@
     "CK_X9_42_MQV_DERIVE_PARAMS_PTR",
     "CK_XOR_BASE_DATA_KDF_PARAMS",
     "CK_XOR_BASE_DATA_KDF_PARAMS_PTR",
+    "CK_CPV4_EXTRACT_PARAMS",
+    "CK_CPV4_EXTRACT_PARAMS_PTR",
+    "CK_CPV4_INSERT_PARAMS",
+    "CK_CPV4_INSERT_PARAMS_PTR",
+    "CK_OBJECT_MIGRATION_DATA",
+    "CK_OBJECT_MIGRATION_DATA_PTR",
     "C_CancelFunction",
     "C_CloseAllSessions",
     "C_CloseSession",

pycryptoki/cryptoki/ck_defs.py

@@ -1126,6 +1126,69 @@ def __init__(self, aid=None):
 struct_def(CK_APPLICATION_ID, [("id", CK_BYTE * 16)])
 
 
+class CK_OBJECT_MIGRATION_DATA(Structure):
+    pass
+
+
+struct_def(
+    CK_OBJECT_MIGRATION_DATA,
+    [
+        ("objectType", CK_ULONG),
+        ("sourceHandle", CK_OBJECT_HANDLE),
+        ("targetHandle", CK_OBJECT_HANDLE),
+        ("rv", CK_RV),
+    ],
+)
+CK_OBJECT_MIGRATION_DATA_PTR = POINTER(CK_OBJECT_MIGRATION_DATA)
+
+
+class CK_CPV4_EXTRACT_PARAMS(Structure):
+    pass
+
+
+struct_def(
+    CK_CPV4_EXTRACT_PARAMS,
+    [
+        ("inputLength", CK_ULONG),
+        ("input", CK_BYTE_PTR),
+        ("sessionOuidLen", CK_ULONG),
+        ("sessionOuid", CK_BYTE_PTR),
+        ("extractionFlags", CK_ULONG),
+        ("numberOfObjects", CK_ULONG),
+        ("objectType", CK_ULONG_PTR),
+        ("objectHandle", CK_ULONG_PTR),
+        ("result", CK_ULONG_PTR),
+        ("keyBlobLen", CK_ULONG_PTR),
+        ("keyBlob", POINTER(CK_BYTE_PTR)),
+    ],
+)
+CK_CPV4_EXTRACT_PARAMS_PTR = POINTER(CK_CPV4_EXTRACT_PARAMS)
+
+
+class CK_CPV4_INSERT_PARAMS(Structure):
+    pass
+
+
+struct_def(
+    CK_CPV4_INSERT_PARAMS,
+    [
+        ("inputLength", CK_ULONG),
+        ("input", CK_BYTE_PTR),
+        ("sessionOuidLen", CK_ULONG),
+        ("sessionOuid", CK_BYTE_PTR),
+        ("insertionFlags", CK_ULONG),
+        ("numberOfObjects", CK_ULONG),
+        ("objectType", CK_ULONG_PTR),
+        ("storageType", CK_ULONG_PTR),
+        ("keyBlobLen", CK_ULONG_PTR),
+        ("keyBlob", POINTER(CK_BYTE_PTR)),
+        ("result", CK_ULONG_PTR),
+        ("objectHandle", CK_ULONG_PTR),
+    ],
+)
+CK_CPV4_INSERT_PTR = POINTER(CK_CPV4_INSERT_PARAMS)
+
+
 class CK_EDDSA_PARAMS(Structure):
     pass
 
@@ -1183,3 +1246,11 @@ class CK_SHAKE_PARAMS(Structure):
 
 struct_def(CK_SHAKE_PARAMS, [("ulOutputLen", CK_ULONG)])
 CK_SHAKE_PARAMS_PTR = POINTER(CK_SHAKE_PARAMS)
+
+
+class CK_SHA_HMAC_GENERAL_PARAMS(Structure):
+    pass
+
+
+struct_def(CK_SHA_HMAC_GENERAL_PARAMS, [("ulOutputLen", CK_ULONG)])
+CK_SHA_HMAC_GENERAL_PARAMS_PTR = POINTER(CK_SHA_HMAC_GENERAL_PARAMS)

pycryptoki/cryptoki/func_defs.py

@@ -578,6 +578,14 @@
 )
 CA_Extract = make_late_binding_function("CA_Extract", [CK_SESSION_HANDLE, CK_MECHANISM_PTR])
 CA_Insert = make_late_binding_function("CA_Insert", [CK_SESSION_HANDLE, CK_MECHANISM_PTR])
+CA_MigrateKeys = make_late_binding_function(
+    "CA_MigrateKeys",
+    [CK_SESSION_HANDLE, CK_SESSION_HANDLE, CK_ULONG, CK_ULONG, CK_OBJECT_MIGRATION_DATA_PTR],
+)
+CA_MigrationStartSessionNegotiation = make_late_binding_function(
+    "CA_MigrationStartSessionNegotiation",
+    [CK_SESSION_HANDLE, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR, CK_ULONG_PTR, CK_BYTE_PTR],
+)
 CA_GetTokenObjectUID = make_late_binding_function(
     "CA_GetTokenObjectUID", [CK_SLOT_ID, CK_ULONG, CK_ULONG, POINTER(CK_BYTE)]
 )

pycryptoki/cryptoki/helpers.py

@@ -10,7 +10,7 @@
 
 from six.moves import configparser
 
-from pycryptoki.cryptoki.ck_defs import CK_RV
+from pycryptoki.cryptoki.c_defs import CK_RV
 from pycryptoki.defaults import CHRYSTOKI_DLL_FILE, CHRYSTOKI_CONFIG_FILE
 from pycryptoki.exceptions import LunaException
 
@@ -80,9 +80,13 @@ def parse_chrystoki_conf():
         )
 
     LOG.debug("Searching %s for Chrystoki DLL path...", conf_path)
-
-    dll_path = _search_for_dll_in_chrystoki_conf(conf_path)
-
+    try:
+        dll_path = _search_for_dll_in_chrystoki_conf(conf_path)
+    except FileNotFoundError as e:
+        LOG.exception(
+            "Luna /etc/Chrystoki.conf not be found, pycryptoki switched to point to the library of different product"
+        )
+        return None
     LOG.info("Using DLL at location: %s", dll_path)
 
     return dll_path
@@ -181,7 +185,8 @@ def __new__(cls, *args, **kwargs):
         if not cls._instance_map.get(CRYSTOKI_CONF_DLL):
             new_instance = super(CryptokiDLLSingleton, cls).__new__(cls, *args, **kwargs)
 
-            dll_path = parse_chrystoki_conf()
+            #  depends on different product, lib path could be configured by pointing to path, or stored in a file
+            dll_path = os.environ.get(CRYSTOKI_CONF_DLL, parse_chrystoki_conf())
             new_instance.dll_path = dll_path
             if "win" in sys.platform and IS_64B:
                 import ctypes

pycryptoki/daemon/rpyc_pycryptoki.py

@@ -187,6 +187,7 @@
     ca_get_cv_firmware_version,
     ca_get_cv_firmware_version_ex,
 )
+from pycryptoki.ca_extensions.cpv4 import ca_migrate_keys, ca_migrate_keys_ex
 from pycryptoki.cryptoki import CK_ULONG
 from pycryptoki.encryption import (
     c_encrypt,
@@ -754,6 +755,8 @@ def test_attrs(attributes):
     ca_stc_get_digest_ids_ex = staticmethod(ca_stc_get_digest_ids_ex)
     ca_stc_get_digest_name_by_id = staticmethod(ca_stc_get_digest_name_by_id)
     ca_stc_get_digest_name_by_id_ex = staticmethod(ca_stc_get_digest_name_by_id_ex)
+    ca_migrate_keys = staticmethod(ca_migrate_keys)
+    ca_migrate_keys_ex = staticmethod(ca_migrate_keys_ex)
 
 
 def server_launch(service, ip, port, config):

pycryptoki/default_templates.py

@@ -21,7 +21,6 @@
     CKA_PRIME,
     CKA_PRIME_BITS,
     CKA_PRIVATE,
-    CKA_PUBLIC_EXPONENT,
     CKA_SENSITIVE,
     CKA_SIGN,
     CKA_SUBJECT,
@@ -209,6 +208,14 @@
     CKM_SHA256_EDDSA,
     CKM_SHA384_EDDSA,
     CKM_SHA512_EDDSA,
+    CKM_SHA3_224_RSA_PKCS_PSS,
+    CKM_SHA3_256_RSA_PKCS_PSS,
+    CKM_SHA3_384_RSA_PKCS_PSS,
+    CKM_SHA3_512_RSA_PKCS_PSS,
+    CKM_SHA3_224_RSA_PKCS,
+    CKM_SHA3_256_RSA_PKCS,
+    CKM_SHA3_384_RSA_PKCS,
+    CKM_SHA3_512_RSA_PKCS,
     CKM_EXTRACT_KEY_FROM_KEY,
     CKM_FASTHASH,
     CKM_FORTEZZA_TIMESTAMP,
@@ -406,6 +413,7 @@
     CKO_CERTIFICATE,
     CKO_DATA,
     CKO_SECRET_KEY,
+    CKA_PUBLIC_EXPONENT,
 )
 
 
@@ -519,7 +527,7 @@
     CKA_VERIFY: True,
     CKA_WRAP: True,
     CKA_MODULUS_BITS: 1024,  # long 0 - MAX_RSA_KEY_NBITS
-    CKA_PUBLIC_EXPONENT: 3,  # byte
+    CKA_PUBLIC_EXPONENT: 0,
     CKA_LABEL: b"RSA Public Key",
 }
 CKM_RSA_PKCS_KEY_PAIR_GEN_PRIVTEMP = {
@@ -3375,7 +3383,7 @@
     "microsoftPlayReadP160": [
         0x30,
         0x81,
-        0x95,
+        0x98,
         0x02,
         0x01,
         0x01,
@@ -3525,6 +3533,9 @@
         0xC2,
         0xA6,
         0x75,
+        0x02,
+        0x01,
+        0x01,
     ],
 }
 
@@ -4501,7 +4512,7 @@
     CKA_VERIFY: True,
     CKA_WRAP: True,
     CKA_MODULUS_BITS: 1024,  # long 1-MAX_RSA_KEY_NBITS
-    CKA_PUBLIC_EXPONENT: 3,  # byte
+    CKA_PUBLIC_EXPONENT: 0,
     CKA_LABEL: b"RSA Public Key",
 }
 CKM_RSA_X9_31_KEY_PAIR_GEN_PRIVTEMP = {
@@ -5028,6 +5039,14 @@
     CKM_SHA512_RSA_PKCS_PSS: ("CKM_SHA512_RSA_PKCS_PSS",),
     CKM_SHA224_RSA_PKCS: ("CKM_SHA224_RSA_PKCS",),
     CKM_SHA224_RSA_PKCS_PSS: ("CKM_SHA224_RSA_PKCS_PSS",),
+    CKM_SHA3_224_RSA_PKCS_PSS: ("CKM_SHA3_224_RSA_PKCS_PSS",),
+    CKM_SHA3_256_RSA_PKCS_PSS: ("CKM_SHA3_256_RSA_PKCS_PSS",),
+    CKM_SHA3_384_RSA_PKCS_PSS: ("CKM_SHA3_384_RSA_PKCS_PSS",),
+    CKM_SHA3_512_RSA_PKCS_PSS: ("CKM_SHA3_512_RSA_PKCS_PSS",),
+    CKM_SHA3_224_RSA_PKCS: ("CKM_SHA3_224_RSA_PKCS",),
+    CKM_SHA3_256_RSA_PKCS: ("CKM_SHA3_256_RSA_PKCS",),
+    CKM_SHA3_384_RSA_PKCS: ("CKM_SHA3_384_RSA_PKCS",),
+    CKM_SHA3_512_RSA_PKCS: ("CKM_SHA3_512_RSA_PKCS",),
     CKM_RC2_KEY_GEN: ("CKM_RC2_KEY_GEN",),
     CKM_RC2_ECB: ("CKM_RC2_ECB",),
     CKM_RC2_CBC: ("CKM_RC2_CBC",),

pycryptoki/defines.py

@@ -274,6 +274,8 @@
 LUNA_MECH_FLAG_EC_UNCOMPRESS = 0x01000000
 LUNA_MECH_FLAG_EC_COMPRESS = 0x02000000
 LUNA_MECH_FLAG_EXTENSION = 0x80000000
+LUNA_MECH_CPV4_EXTRACT = 0x00009008
+LUNA_MECH_CPV4_INSERT = 0x00009009
 LUNA_MGF_MGF1_SHA1 = 0x00000001
 LUNA_MGF_MGF1_SHA256 = 0x00000002
 LUNA_MGF_MGF1_SHA384 = 0x00000003
@@ -1505,6 +1507,7 @@
 CKF_EC_UNCOMPRESS = 0x01000000
 CKF_EC_COMPRESS = 0x02000000
 CKF_EXTENSION = 0x80000000
+CKF_CPV4_CONTINUE_ON_ERR = 0x01
 CKR_ARGUMENTS_BAD = 0x00000007
 CKR_ATTRIBUTE_READ_ONLY = 0x00000010
 CKR_ATTRIBUTE_SENSITIVE = 0x00000011
@@ -1899,6 +1902,8 @@
 CKM_AES_CBC_PAD_INSERT_FLATTENED = CKM_VENDOR_DEFINED + 0x203
 CKM_AES_CBC_PAD_EXTRACT_DOMAIN_CTRL = CKM_VENDOR_DEFINED + 0x204
 CKM_AES_CBC_PAD_INSERT_DOMAIN_CTRL = CKM_VENDOR_DEFINED + 0x205
+CKM_CPV4_EXTRACT = CKM_VENDOR_DEFINED + 0x208
+CKM_CPV4_INSERT = CKM_VENDOR_DEFINED + 0x209
 CKM_PLACE_HOLDER_FOR_ERACOME_DEF_IN_SHIM = CKM_VENDOR_DEFINED + 0x502
 CKM_DES2_DUKPT_IPEK = CKM_VENDOR_DEFINED + 0x610
 CKM_DES2_DUKPT_PIN = CKM_VENDOR_DEFINED + 0x611
@@ -1981,6 +1986,7 @@
 CKR_SP_TIMEOUT = CKR_VENDOR_DEFINED + 0x23
 CKR_TIMEOUT = CKR_VENDOR_DEFINED + 0x24
 CKR_ECC_UNKNOWN_CURVE = CKR_VENDOR_DEFINED + 0x25
+CKR_ECC_CURVE_NOT_ALLOWED = CKR_VENDOR_DEFINED + 0x105
 CKR_MTK_ZEROIZED = CKR_VENDOR_DEFINED + 0x26
 CKR_MTK_STATE_INVALID = CKR_VENDOR_DEFINED + 0x27
 CKR_INVALID_ENTRY_TYPE = CKR_VENDOR_DEFINED + 0x28