Merge pull request #30 from ThalesGroup/merge_2022_05

Merge 2022 05
ThalesGroup · May 19, 2022 · fbc0048 · fbc0048
2 parents a5eee10 + b8762df
commit fbc0048
Show file tree

Hide file tree

Showing 34 changed files with 845 additions and 108 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 # Created by https://www.gitignore.io
 .gitreview
+.hypothesis
 .pytest_cache
 .venv
 _docs

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1,9 +1,10 @@
-image: otaaplvlp05.gemalto.com:5443/py_tox_tester:latest
+image: aa1569.lab.hsm:5443/py_tox_tester:latest
 
 # Change pip's cache directory to be inside the project directory since we can
 # only cache local items.
 variables:
   PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
+  PYTHON_VERSIONS: "2.7.15 3.6.12 3.7.9 3.8.5 3.9.13 3.10.4"
 
 # Pip's cache doesn't store the python packages
 # https://pip.pypa.io/en/stable/reference/pip_install/#caching
@@ -23,7 +24,7 @@ stages:
 before_script:
   - export PATH="$HOME/.pyenv/bin/:$PATH"
   - eval "$(pyenv init -)"
-  - pyenv global 3.8.5 3.6.12 3.7.9 2.7.15
+  - pyenv global ${PYTHON_VERSIONS[@]}
   - python -V
   - source /.venv/bin/activate
 
@@ -32,6 +33,7 @@ lint:
   stage: lint
   interruptible: true
   script:
+    - pip install black==19.10b0 click==8.0.2
     - black --version
     - black -l 100 . --check --diff
 
@@ -40,7 +42,7 @@ test:
   stage: test
   script:
     - tox -e clean
-    - tox -p -e py27,py36,py37,py38
+    - tox -p -e py27,py36,py37,py38,py39,py310
     - tox -e report
   interruptible: true
   artifacts:
@@ -56,8 +58,12 @@ build:
   stage: build
   interruptible: true
   script:
-    - python2.7 setup.py bdist_wheel
-    - python3.8 setup.py bdist_wheel
+    - |
+      for py in ${PYTHON_VERSIONS}; do
+        bin="python$( echo $py | cut -d'.' -f1-2 )"
+        $bin -m pip install wheel
+        $bin setup.py bdist_wheel
+      done
     
   artifacts:
     paths:
@@ -71,5 +77,8 @@ deploy:
     - build
   only:
     - release
+  before_script:
+    - cp $DEPLOYMENT_PRIVKEY ~/.ssh/id_ecdsa
+    - chmod 600 ~/.ssh/id_ecdsa
   script: /root/deploy.sh
 
diff --git a/docs/conf.py b/docs/conf.py
@@ -52,16 +52,16 @@
 
 # General information about the project.
 project = u"Pycryptoki"
-copyright = u"2020-2021, Gemalto"
+copyright = u"2020-2022, Gemalto"
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
 # built documents.
 #
 # The short X.Y version.
-version = "2.5"
+version = "2.6"
 # The full version, including alpha/beta/rc tags.
-release = "2.5.23"
+release = "2.6.5"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

diff --git a/docs/getting_started.rst b/docs/getting_started.rst
@@ -10,7 +10,7 @@ Installation
 Pycryptoki can be installed on any machine that has Python installed. Python versions >= 2.7
 are supported.::
 
-    pip install git+https://github.com/gemalto/pycryptoki
+    pip install git+https://github.com/ThalesGroup/pycryptoki
 
 
 Pycryptoki will attempt to auto-locate the SafeNet Cryptoki shared library when pycryptoki

diff --git a/pycryptoki/attributes.py b/pycryptoki/attributes.py
@@ -7,7 +7,6 @@
 import collections
 import datetime
 import logging
-from collections import defaultdict
 from ctypes import (
     cast,
     c_void_p,
@@ -23,7 +22,7 @@
 )
 from functools import wraps
 
-from six import b, string_types, integer_types, binary_type
+from six import b, string_types, integer_types, binary_type, moves
 from pycryptoki.conversions import from_bytestring, from_hex, to_bytestring
 from .cryptoki import (
     CK_ATTRIBUTE,
@@ -286,7 +285,7 @@ def to_byte_array(val, reverse=False):
         LOG.debug("Final hex data: %s", fin)
         return fin
 
-    if not isinstance(val, (binary_type, collections.Iterable, integer_types)):
+    if not isinstance(val, (binary_type, moves.collections_abc.Iterable, integer_types)):
         raise TypeError("Unknown conversion to byte array for type {}".format(type(val)))
 
     if isinstance(val, binary_type):
@@ -304,7 +303,7 @@ def to_byte_array(val, reverse=False):
         # Hex string: '01af'
         else:
             val = int(val, 16)
-    elif isinstance(val, collections.Iterable):
+    elif isinstance(val, moves.collections_abc.Iterable):
         py_bytes = bytearray(val)
         byte_array = (CK_BYTE * len(py_bytes))(*py_bytes)
 
@@ -340,11 +339,11 @@ def to_sub_attributes(val, reverse=False):
 
     attrs = Attributes(val).get_c_struct()
 
-    return cast(pointer(attrs), c_void_p), CK_ULONG(len(attrs))
+    return cast(pointer(attrs), c_void_p), CK_ULONG(len(attrs) * sizeof(CK_ATTRIBUTE))
 
 
 # Default any unset transform to :func:`to_byte_array`
-KEY_TRANSFORMS = defaultdict(lambda: to_byte_array)
+KEY_TRANSFORMS = collections.defaultdict(lambda: to_byte_array)
 
 KEY_TRANSFORMS.update(
     {

diff --git a/pycryptoki/ca_extensions/cpv4.py b/pycryptoki/ca_extensions/cpv4.py
@@ -4,20 +4,31 @@
 import logging
 from collections import namedtuple
 from copy import deepcopy
+from ctypes import c_uint32, byref, create_string_buffer, c_ubyte, pointer, c_uint, cast, string_at
+from _ctypes import POINTER
 
+from pycryptoki.conversions import from_bytestring
 from pycryptoki.defines import CKR_OK
 from pycryptoki.cryptoki import (
     CA_MigrateKeys,
+    CA_MigrationStartSessionNegotiation,
+    CA_MigrationContinueSessionNegotiation,
+    CA_MigrationCloseSession,
     CK_ULONG,
+    CK_BYTE_PTR,
     CK_SESSION_HANDLE,
     CK_OBJECT_MIGRATION_DATA,
 )
+
+from pycryptoki.attributes import to_byte_array
+
 from pycryptoki.exceptions import make_error_handle_function
 
 
 LOG = logging.getLogger(__name__)
 MIGRATION_KEYS = ["object_type", "source_handle"]
 MIGRATION_DATA = namedtuple("MIGRATION_DATA", deepcopy(MIGRATION_KEYS))
+PCPROT_MAX_BUFFER_SIZE = 64000
 
 
 def get_mig_data_c_struct(mig_data_list):
@@ -41,7 +52,12 @@ def ca_migrate_keys(
     """
     Runs CA_MigrateKeys command
 
-    :param objects_to_migrate: a list of tuples (objectType, sourceHandle) or list of MIGRATION_DATA
+    :param int source_session: session opened on Source partition
+    :param int target_session: session opened on Target partition
+    :param int migration_flags: Flags
+    :param int num_objects: Number of objects to migrate.
+    :param objects_to_migrate: a list of tuples (objectType, sourceHandle) or list of
+    `~pycryptoki.ca_extensions.cpv4.MIGRATION_DATA` namedtuples
     """
     objects_to_migrate = (
         objects_to_migrate if isinstance(objects_to_migrate, list) else [objects_to_migrate]
@@ -50,10 +66,130 @@ def ca_migrate_keys(
 
     ret = CA_MigrateKeys(source_session, target_session, migration_flags, num_objects, c_mig_data)
 
-    if ret != CKR_OK:
-        return ret, None
-
     return ret, [(data.rv, data.targetHandle) for data in c_mig_data]
 
 
 ca_migrate_keys_ex = make_error_handle_function(ca_migrate_keys)
+
+
+def ca_migration_start_session_negotiation(target_session, input_data=None):
+    """
+    Runs CA_MigrationStartSessionNegotiation command
+
+    :param int target_session: target slot session
+    :param bytes input_data: Input data for negotiating Migration
+    """
+    output_data = (c_ubyte * PCPROT_MAX_BUFFER_SIZE)()
+    output_data_len = CK_ULONG(PCPROT_MAX_BUFFER_SIZE)
+    out_step = CK_ULONG()
+
+    if input_data is None:
+        input_data_len = 0
+    else:
+        input_data, input_data_len = to_byte_array(from_bytestring(input_data))
+        input_data = cast(input_data, POINTER(c_ubyte))
+
+    ret = CA_MigrationStartSessionNegotiation(
+        target_session,
+        input_data_len,
+        input_data,
+        byref(out_step),
+        byref(output_data_len),
+        output_data,
+    )
+
+    if ret != CKR_OK:
+        return ret, {}
+
+    return ret, {"output": string_at(output_data, output_data_len.value), "step": out_step.value}
+
+
+ca_migration_start_session_negotiation_ex = make_error_handle_function(
+    ca_migration_start_session_negotiation
+)
+
+
+def ca_migration_continue_session_negotiation(
+    target_session, input_step, input_data, input_session_ouid=None
+):
+    """
+    Runs CA_MigrationContinueSessionNegotiation
+
+    :param int target_session: Session handle
+    :param int input_step: TBD
+    :param bytes input_data: TBD
+    :param bytes session_ouid: Session OUID.
+    :return: Retcode, Dictionary.
+    """
+    output_step = CK_ULONG()
+    output_data = (c_ubyte * PCPROT_MAX_BUFFER_SIZE)()
+    output_data_len = CK_ULONG(PCPROT_MAX_BUFFER_SIZE)
+    status = CK_ULONG()
+    output_session_ouid = None
+    output_session_ouid_len = None
+    input_session_ouid_len = CK_ULONG()
+
+    if input_session_ouid is None:
+        output_session_ouid = (c_ubyte * PCPROT_MAX_BUFFER_SIZE)()
+        output_session_ouid_len = CK_ULONG(PCPROT_MAX_BUFFER_SIZE)
+        output_session_ouid_len = pointer(output_session_ouid_len)
+    else:
+        input_session_ouid, input_session_ouid_len = to_byte_array(
+            from_bytestring(input_session_ouid)
+        )
+        input_session_ouid = cast(input_session_ouid, POINTER(c_ubyte))
+
+    input_data, input_len = to_byte_array(from_bytestring(input_data))
+    input_data = cast(input_data, POINTER(c_ubyte))
+
+    ret = CA_MigrationContinueSessionNegotiation(
+        target_session,
+        input_step,
+        input_len,
+        input_data,
+        input_session_ouid_len,
+        input_session_ouid,
+        byref(output_step),
+        byref(output_data_len),
+        output_data,
+        byref(status),
+        output_session_ouid_len,
+        output_session_ouid,
+    )
+    if ret != CKR_OK:
+        return ret, {}
+
+    ret_dict = {
+        "output": string_at(output_data, output_data_len.value),
+        "step": output_step.value,
+        "status": status.value,
+    }
+
+    if input_session_ouid is None:
+        ret_dict["session_ouid"] = string_at(
+            output_session_ouid, output_session_ouid_len.contents.value
+        )
+
+    return (ret, ret_dict)
+
+
+ca_migration_continue_session_negotiation_ex = make_error_handle_function(
+    ca_migration_continue_session_negotiation
+)
+
+
+def ca_migration_close_session(target_session, session_ouid):
+    """
+    Runs CA_MigrationCloseSession
+
+    :param int target_session: Session handle
+    :param bytes session_ouid: Session OUID (in bytestring, not hex).
+    :return: Retcode
+    """
+    session_ouid, session_ouid_len = to_byte_array(from_bytestring(session_ouid))
+    session_ouid = cast(session_ouid, POINTER(c_ubyte))
+
+    return CA_MigrationCloseSession(target_session, session_ouid_len, session_ouid)
+
+
+ca_migration_close_session_ex = make_error_handle_function(ca_migration_close_session)
diff --git a/pycryptoki/ca_extensions/per_key_auth.py b/pycryptoki/ca_extensions/per_key_auth.py
@@ -10,6 +10,7 @@
     CA_AuthorizeKey,
     CA_AssignKey,
     CA_IncrementFailedAuthCount,
+    CK_ULONG,
 )
 from pycryptoki.cryptoki import CK_SESSION_HANDLE, CK_OBJECT_HANDLE, CK_UTF8CHAR
 from pycryptoki.exceptions import make_error_handle_function
@@ -94,8 +95,12 @@ def ca_authorize_key(h_session, h_object, auth_data):
     :param auth_data: authorization byte list, e.g. [11, 12, 13, ..]
     :return: Ret code
     """
-    auth_data_ptr, auth_data_length = to_byte_array(auth_data)
-    auth_data_ptr = cast(auth_data_ptr, POINTER(CK_UTF8CHAR))
+    if auth_data is not None:
+        auth_data_ptr, auth_data_length = to_byte_array(auth_data)
+        auth_data_ptr = cast(auth_data_ptr, POINTER(CK_UTF8CHAR))
+    else:
+        auth_data_ptr = None
+        auth_data_length = CK_ULONG(0)
 
     h_object = CK_OBJECT_HANDLE(h_object)
     h_session = CK_SESSION_HANDLE(h_session)

diff --git a/pycryptoki/cryptoki/ck_defs.py b/pycryptoki/cryptoki/ck_defs.py
@@ -315,6 +315,7 @@ class CK_AES_CBC_PAD_INSERT_PARAMS(Structure):
         ("pedId", CK_ULONG),
         ("pbFileName", CK_BYTE_PTR),
         ("ctxID", CK_ULONG),
+        ("ulContainerNumber", CK_ULONG),
     ],
 )
 CK_AES_CBC_PAD_INSERT_PARAMS_PTR = POINTER(CK_AES_CBC_PAD_INSERT_PARAMS)
@@ -1186,7 +1187,8 @@ class CK_CPV4_INSERT_PARAMS(Structure):
         ("objectHandle", CK_ULONG_PTR),
     ],
 )
-CK_CPV4_INSERT_PTR = POINTER(CK_CPV4_INSERT_PARAMS)
+
+CK_CPV4_INSERT_PARAMS_PTR = POINTER(CK_CPV4_EXTRACT_PARAMS)
 
 
 class CK_EDDSA_PARAMS(Structure):

diff --git a/pycryptoki/cryptoki/func_defs.py b/pycryptoki/cryptoki/func_defs.py
@@ -586,6 +586,29 @@
     "CA_MigrationStartSessionNegotiation",
     [CK_SESSION_HANDLE, CK_ULONG, CK_BYTE_PTR, CK_ULONG_PTR, CK_ULONG_PTR, CK_BYTE_PTR],
 )
+
+CA_MigrationContinueSessionNegotiation = make_late_binding_function(
+    "CA_MigrationContinueSessionNegotiation",
+    [
+        CK_SESSION_HANDLE,
+        CK_ULONG,
+        CK_ULONG,
+        CK_BYTE_PTR,
+        CK_ULONG,
+        CK_BYTE_PTR,
+        CK_ULONG_PTR,
+        CK_ULONG_PTR,
+        CK_BYTE_PTR,
+        CK_ULONG_PTR,
+        CK_ULONG_PTR,
+        CK_BYTE_PTR,
+    ],
+)
+
+CA_MigrationCloseSession = make_late_binding_function(
+    "CA_MigrationCloseSession", [CK_SESSION_HANDLE, CK_ULONG, CK_BYTE_PTR]
+)
+
 CA_GetTokenObjectUID = make_late_binding_function(
     "CA_GetTokenObjectUID", [CK_SLOT_ID, CK_ULONG, CK_ULONG, POINTER(CK_BYTE)]
 )