Merge "Generate IV on HSM device for encrypt operations"
This commit is contained in:
commit
306b2ac592
@ -391,20 +391,20 @@ class PKCS11(object):
|
||||
return key
|
||||
|
||||
def encrypt(self, key, pt_data, session):
|
||||
iv = self._generate_random(self.noncesize, session)
|
||||
ck_mechanism = self._build_gcm_mechanism(iv)
|
||||
ck_mechanism = self._build_gcm_mechanism()
|
||||
rv = self.lib.C_EncryptInit(session, ck_mechanism.mech, key)
|
||||
self._check_error(rv)
|
||||
|
||||
pt_len = len(pt_data)
|
||||
ct_len = self.ffi.new("CK_ULONG *", pt_len + self.gcmtagsize)
|
||||
ct_len = self.ffi.new("CK_ULONG *", pt_len + self.gcmtagsize * 2)
|
||||
ct = self.ffi.new("CK_BYTE[{0}]".format(ct_len[0]))
|
||||
rv = self.lib.C_Encrypt(session, pt_data, pt_len, ct, ct_len)
|
||||
self._check_error(rv)
|
||||
|
||||
# HSM-generated IVs are appended to the end of the ciphertext
|
||||
return {
|
||||
"iv": self.ffi.buffer(iv)[:],
|
||||
"ct": self.ffi.buffer(ct, ct_len[0])[:]
|
||||
"iv": self.ffi.buffer(ct, ct_len[0])[-self.gcmtagsize:],
|
||||
"ct": self.ffi.buffer(ct, ct_len[0])[:-self.gcmtagsize]
|
||||
}
|
||||
|
||||
def decrypt(self, key, iv, ct_data, session):
|
||||
@ -644,14 +644,17 @@ class PKCS11(object):
|
||||
raise exception.P11CryptoPluginException(
|
||||
u._("Apparent RNG self-test failure."))
|
||||
|
||||
def _build_gcm_mechanism(self, iv):
|
||||
iv_len = len(iv)
|
||||
def _build_gcm_mechanism(self, iv=None):
|
||||
mech = self.ffi.new("CK_MECHANISM *")
|
||||
mech.mechanism = self.algorithm
|
||||
gcm = self.ffi.new("CK_AES_GCM_PARAMS *")
|
||||
gcm.pIv = iv
|
||||
gcm.ulIvLen = iv_len
|
||||
gcm.ulIvBits = iv_len * 8
|
||||
|
||||
if iv:
|
||||
iv_len = len(iv)
|
||||
gcm.pIv = iv
|
||||
gcm.ulIvLen = iv_len
|
||||
gcm.ulIvBits = iv_len * 8
|
||||
|
||||
gcm.ulTagBits = self.gcmtagsize * 8
|
||||
mech.parameter = gcm
|
||||
mech.parameter_len = 48
|
||||
|
@ -108,7 +108,7 @@ class WhenTestingPKCS11(utils.BaseTestCase):
|
||||
return pkcs11.CKR_OK
|
||||
|
||||
def _encrypt(self, session, pt, pt_len, ct, ct_len):
|
||||
self.ffi.buffer(ct)[:] = pt[::-1] + b'0' * self.pkcs11.gcmtagsize
|
||||
self.ffi.buffer(ct)[:] = pt[::-1] + b'0' * (self.pkcs11.gcmtagsize * 2)
|
||||
return pkcs11.CKR_OK
|
||||
|
||||
def _decrypt(self, session, ct, ct_len, pt, pt_len):
|
||||
@ -239,7 +239,7 @@ class WhenTestingPKCS11(utils.BaseTestCase):
|
||||
self.assertEqual(ct['ct'][:len(pt)], pt[::-1])
|
||||
self.assertGreater(len(ct['iv']), 0)
|
||||
|
||||
self.assertEqual(self.lib.C_GenerateRandom.call_count, 2)
|
||||
self.assertEqual(self.lib.C_GenerateRandom.call_count, 1)
|
||||
self.assertEqual(self.lib.C_EncryptInit.call_count, 1)
|
||||
self.assertEqual(self.lib.C_Encrypt.call_count, 1)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user