Add AES Key Derivation Support (ECB,CBC Encrypt)

Akshitij Malik · Akshitij Malik · commit 84d28f26748f · 2020-10-26T11:05:42.000Z
Additional Information:

1. Added AES Key Derivation mechanisms described in
   PKCS11 v2.4.0 Section 2.15:
  - CKM_AES_ECB_ENCRYPT_DATA
  - CKM_AES_CBC_ENCRYPT_DATA

2. Incorporated code-review comments:
  - directly sliced the IV data to extract mechanism_params for CBC_ENCRYPT,
  - added Unit Tests for ECB_ENCRYPT
    - test_derive_ecb_encrypt
  - added Unit Tests for CBC_ENCRYPT
    - test_derive_cbc_encrypt
  - updated dev-requirements
  - split the Unit Tests into 2 phases:
    - key-derivation tests
    - data encrypyion/decryption tests

Sanity Testing:

1. Build Validation:
python setup.py build_ext --inplace

2. AES Testing:
export PKCS11_MODULE=XXX
export PKCS11_TOKEN_LABEL=XXX
export PKCS11_TOKEN_PIN=XXX
export PKCS11_TOKEN_SO_PIN=XXX
pytest ./tests/test_aes.py

Signed-off-by: Akshitij Malik
diff --git a/dev-requirements.in b/dev-requirements.in
@@ -4,6 +4,7 @@ setuptools_scm
 # Used for tests
 oscrypto
 cryptography
+parameterized
 
 sphinx
 sphinx-rtd-theme
diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -22,6 +22,7 @@ markupsafe==1.1.1         # via jinja2
 mccabe==0.6.1             # via flake8
 oscrypto==1.2.0           # via -r dev-requirements.in
 packaging==20.1           # via sphinx
+parameterized==0.7.4      # via -r dev-requirements.in
 pycodestyle==2.5.0        # via flake8
 pycparser==2.19           # via cffi
 pyflakes==2.1.1           # via flake8
diff --git a/tests/test_aes.py b/tests/test_aes.py
@@ -135,9 +135,8 @@ def test_wrap(self):
     ])
     @requires(Mechanism.AES_ECB_ENCRYPT_DATA)
     @FIXME.opencryptoki  # can't set key attributes
-    def test_derive_ecb_encrypt(self, test_type, test_key_length, iv_length):
-        """
-        Function to test AES Key Derivation using the ECB_ENCRYPT Mechanism.
+    def test_derive_using_ecb_encrypt(self, test_type, test_key_length, iv_length):
+        """Function to test AES Key Derivation using the ECB_ENCRYPT Mechanism.
 
         Refer to Section 2.15 of http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/errata01/os/pkcs11-curr-v2.40-errata01-os-complete.html#_Toc441850521
         """
@@ -175,14 +174,59 @@ def test_derive_ecb_encrypt(self, test_type, test_key_length, iv_length):
         else:
             self.assertTrue(derived_key is not None, f"Failed to derive {test_key_length}-bit Derived Key")
 
-            # Test capability of Key to Encrypt/Decrypt data
-            data = b'HELLO WORLD' * 1024
+    @parameterized.expand([
+        ("POSITIVE_128_BIT",            128, 16),
+        ("POSITIVE_256_BIT_LONG_IV",    256, 32),
+    ])
+    @requires(Mechanism.AES_ECB_ENCRYPT_DATA)
+    @FIXME.opencryptoki  # can't set key attributes
+    def test_encrypt_with_key_derived_using_ecb_encrypt(self, test_type, test_key_length, iv_length):
+        """Function to test Data Encryption/Decryption using a Derived AES Key.
+
+        Function to test Data Encryption/Decryption using an AES Key
+        Derived by the ECB_ENCRYPT Mechanism.
+
+        Refer to Section 2.15 of http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/errata01/os/pkcs11-curr-v2.40-errata01-os-complete.html#_Toc441850521
+        """
 
-            iv = self.session.generate_random(128)
-            crypttext = self.key.encrypt(data, mechanism_param=iv)
-            text = self.key.decrypt(crypttext, mechanism_param=iv)
+        # Create the Master Key
+        capabilities = pkcs11.defaults.DEFAULT_KEY_CAPABILITIES[pkcs11.KeyType.AES]
+        capabilities |= pkcs11.MechanismFlag.DERIVE
+        key = self.session.generate_key(pkcs11.KeyType.AES, key_length=test_key_length,
+                                        capabilities=capabilities,
+                                        template={
+                                            pkcs11.Attribute.EXTRACTABLE: True,
+                                            pkcs11.Attribute.DERIVE: True,
+                                            pkcs11.Attribute.SENSITIVE: False,
+                                        })
 
-            self.assertEqual(text, data)
+        self.assertTrue(key is not None, f"Failed to create {test_key_length}-bit Master Key")
+
+        # Derive a Key from the Master Key
+        iv = b'0' * iv_length
+        try:
+            derived_key = key.derive_key(pkcs11.KeyType.AES, key_length=test_key_length,
+                                         capabilities=capabilities,
+                                         mechanism=Mechanism.AES_ECB_ENCRYPT_DATA,
+                                         mechanism_param=iv,
+                                         template={
+                                             pkcs11.Attribute.EXTRACTABLE: True,
+                                             pkcs11.Attribute.SENSITIVE: False,
+                                         })
+        except (pkcs11.exceptions.MechanismParamInvalid,
+                pkcs11.exceptions.FunctionFailed) as e:
+            derived_key = None
+
+        self.assertTrue(derived_key is not None, f"Failed to derive {test_key_length}-bit Derived Key")
+
+        # Test capability of Key to Encrypt/Decrypt data
+        data = b'HELLO WORLD' * 1024
+
+        iv = self.session.generate_random(128)
+        crypttext = self.key.encrypt(data, mechanism_param=iv)
+        text = self.key.decrypt(crypttext, mechanism_param=iv)
+
+        self.assertEqual(text, data)
 
     @parameterized.expand([
         ("POSITIVE_128_BIT",            128, 16, 16),
@@ -197,9 +241,8 @@ def test_derive_ecb_encrypt(self, test_type, test_key_length, iv_length):
     ])
     @requires(Mechanism.AES_CBC_ENCRYPT_DATA)
     @FIXME.opencryptoki  # can't set key attributes
-    def test_derive_cbc_encrypt(self, test_type, test_key_length, iv_length, data_length):
-        """
-        Function to test AES Key Derivation using the CBC_ENCRYPT Mechanism.
+    def test_derive_using_cbc_encrypt(self, test_type, test_key_length, iv_length, data_length):
+        """Function to test AES Key Derivation using the CBC_ENCRYPT Mechanism.
 
         Refer to Section 2.15 of http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/errata01/os/pkcs11-curr-v2.40-errata01-os-complete.html#_Toc441850521
         """
@@ -239,12 +282,59 @@ def test_derive_cbc_encrypt(self, test_type, test_key_length, iv_length, data_le
         else:
             self.assertTrue(derived_key is not None, f"Failed to derive {test_key_length}-bit Derived Key")
 
-            # Test capability of Key to Encrypt/Decrypt data
-            data = b'HELLO WORLD' * 1024
+    @parameterized.expand([
+        ("POSITIVE_128_BIT",            128, 16, 16),
+        ("POSITIVE_256_BIT",            256, 16, 32),
+        ("POSITIVE_256_BIT_LONG_DATA",  256, 16, 64),
+    ])
+    @requires(Mechanism.AES_CBC_ENCRYPT_DATA)
+    @FIXME.opencryptoki  # can't set key attributes
+    def test_encrypt_with_key_derived_using_cbc_encrypt(self, test_type, test_key_length, iv_length, data_length):
+        """Function to test Data Encryption/Decryption using a Derived AES Key.
+
+        Function to test Data Encryption/Decryption using an AES Key
+        Derived by the CBC_ENCRYPT Mechanism.
+
+        Refer to Section 2.15 of http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/errata01/os/pkcs11-curr-v2.40-errata01-os-complete.html#_Toc441850521
+        """
 
-            iv = self.session.generate_random(128)
-            crypttext = self.key.encrypt(data, mechanism_param=iv)
-            text = self.key.decrypt(crypttext, mechanism_param=iv)
+        # Create the Master Key
+        capabilities = pkcs11.defaults.DEFAULT_KEY_CAPABILITIES[pkcs11.KeyType.AES]
+        capabilities |= pkcs11.MechanismFlag.DERIVE
+        key = self.session.generate_key(pkcs11.KeyType.AES, key_length=test_key_length,
+                                        capabilities=capabilities,
+                                        template={
+                                            pkcs11.Attribute.EXTRACTABLE: True,
+                                            pkcs11.Attribute.DERIVE: True,
+                                            pkcs11.Attribute.SENSITIVE: False,
+                                        })
 
-            self.assertEqual(text, data)
+        self.assertTrue(key is not None, f"Failed to create {test_key_length}-bit Master Key")
 
+        # Derive a Key from the Master Key
+        iv = b'0' * iv_length
+        data = b'1' * data_length
+        try:
+            derived_key = key.derive_key(pkcs11.KeyType.AES, key_length=test_key_length,
+                                         capabilities=capabilities,
+                                         mechanism=Mechanism.AES_CBC_ENCRYPT_DATA,
+                                         mechanism_param=(iv, data),
+                                         template={
+                                             pkcs11.Attribute.EXTRACTABLE: True,
+                                             pkcs11.Attribute.SENSITIVE: False,
+                                         })
+        except (pkcs11.exceptions.MechanismParamInvalid,
+                pkcs11.exceptions.FunctionFailed,
+                IndexError) as e:
+            derived_key = None
+
+        self.assertTrue(derived_key is not None, f"Failed to derive {test_key_length}-bit Derived Key")
+
+        # Test capability of Key to Encrypt/Decrypt data
+        data = b'HELLO WORLD' * 1024
+
+        iv = self.session.generate_random(128)
+        crypttext = self.key.encrypt(data, mechanism_param=iv)
+        text = self.key.decrypt(crypttext, mechanism_param=iv)
+
+        self.assertEqual(text, data)
