roostify_pkcs11_luna 0.2.5

data/lib/pkcs11_luna.rb

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+
+# Extend the search path for Windows binary gem, depending of the current ruby version
+major_minor = RUBY_VERSION[ /^(\d+\.\d+)/ ] or
+  raise "Oops, can't extract the major/minor version from #{RUBY_VERSION.dump}"
+$: << File.join(File.dirname(__FILE__), major_minor)
+
+require 'rubygems'
+require 'pkcs11'
+require 'pkcs11_luna_ext'
+require 'pkcs11_luna/extensions'

data/lib/pkcs11_luna/extensions.rb

@@ -0,0 +1,131 @@
+#!/usr/bin/env ruby
+
+module PKCS11
+module Luna
+  # Derive CK_ATTRIBUTE to get converted attributes.
+  class CK_ATTRIBUTE < PKCS11::CK_ATTRIBUTE
+    
+    ATTRIBUTES = {
+      CKA_CCM_PRIVATE => :bool,
+      CKA_X9_31_GENERATED => :bool,
+      CKA_USAGE_COUNT => :ulong,
+      CKA_USAGE_LIMIT => :ulong
+    }
+
+    def value
+      case ATTRIBUTES[type]
+        when :bool
+          super != "\0"
+        when :ulong
+          super.unpack("L!")[0]
+        else
+          super
+      end
+    end
+  end
+
+  # A Luna::Library instance holds a handle to the opened +cryptoki.dll+ or +cryptoki.so+ file.
+  #
+  # This class is derived from
+  # PKCS11::Library[http://pkcs11.rubyforge.org/pkcs11/PKCS11/Library.html] of pkcs11.gem.
+  class Library < PKCS11::Library
+    MechanismParameters = {
+      CKM_AES_GCM => CK_AES_GCM_PARAMS,
+      CKM_ECIES => CK_ECIES_PARAMS,
+      CKM_XOR_BASE_AND_DATA_W_KDF => CK_XOR_BASE_DATA_KDF_PARAMS,
+      CKM_PRF_KDF => CK_PRF_KDF_PARAMS,
+      CKM_NIST_PRF_KDF => CK_PRF_KDF_PARAMS,
+      CKM_SEED_CTR => CK_AES_CTR_PARAMS,
+      CKM_AES_CTR => CK_AES_CTR_PARAMS,
+      CKM_DES3_CTR => CK_DES_CTR_PARAMS,
+      CKM_AES_GMAC => CK_AES_GCM_PARAMS,
+      CKM_AES_CBC_PAD_EXTRACT => CK_AES_CBC_PAD_EXTRACT_PARAMS,
+      CKM_AES_CBC_PAD_INSERT => CK_AES_CBC_PAD_INSERT_PARAMS,
+      CKM_AES_CBC_PAD_EXTRACT_FLATTENED => CK_AES_CBC_PAD_EXTRACT_PARAMS,
+      CKM_AES_CBC_PAD_INSERT_FLATTENED => CK_AES_CBC_PAD_INSERT_PARAMS,
+      CKM_PKCS5_PBKD2 => Luna::CK_PKCS5_PBKD2_PARAMS
+    }
+
+    # Path and file name of the loaded cryptoki library.
+    attr_reader :so_path
+
+    # Load and initialize a pkcs11 dynamic library with Safenet Luna extensions.
+    #
+    # Set +so_path+ to +:config+, in order to autodetect the .dll or .so or
+    # set it to the full path of the .dll or .so file.
+    #
+    # @param [String, Symbol] so_path  Shortcut-Symbol or path to the *.so or *.dll file to load.
+    # @param [Hash, CK_C_INITIALIZE_ARGS] args  A Hash or CK_C_INITIALIZE_ARGS instance with load params.
+    #
+    # See also PKCS11::Library#initialize[http://pkcs11.rubyforge.org/pkcs11/PKCS11/Library.html#initialize-instance_method] of pkcs11.gem
+    alias unwrapped_initialize initialize 
+    def initialize(so_path = :config, args = {})
+      unwrapped_initialize(so_path, args)
+    end
+
+    def load_library(so_path)
+      @so_path = resolve_so_path(so_path)
+      super(@so_path)
+    end
+    
+    def resolve_so_path(so_path)
+      if so_path == :config
+        if RUBY_PLATFORM =~ /mswin|mingw/
+          config_file = File.join(ENV['ChrystokiConfigurationPath'], 'crystoki.ini')
+          config_content = File.read(config_file)
+          config_content.scan(/\[Chrystoki2\](.*?)\[/m) do |crystoki2|
+            section = $1
+            lib = 'LibNT'
+            section.scan(/#{lib}\s*=\s*(.*)/) do |lib_path|
+              return $1
+            end 
+          end
+          so_path = "C:\\Program Files\\SafeNet\\LunaClient\\win32\\cryptoki.dll"
+        else
+          config_content = File.read('/etc/Chrystoki.conf')
+          config_content.scan(/Chrystoki2.*?\{(.*?)\}/m) do |crystoki2|
+            section = $1
+            lib = if ['a'].pack("p").size == 8 then 'LibUNIX64' else 'LibUNIX' end
+            section.scan(/#{lib}\s*=\s*(.*);/) do |lib_path|
+              return $1
+            end
+          end
+          so_path = '/usr/lib/libCryptoki2_64.so'
+        end
+      end
+      so_path
+    end
+      
+    private :resolve_so_path
+
+   
+    def vendor_const_get(name)
+      return Luna.const_get(name) if Luna.const_defined?(name)
+      super
+    end
+
+    def vendor_all_attribute_names
+      return Luna::ATTRIBUTES.values + super
+    end
+
+    def vendor_mechanism_parameter_struct(mech)
+      MechanismParameters[mech] || super
+    end
+
+    def vendor_raise_on_return_value(rv)
+      if ex=PKCS11::RETURN_VALUES[rv]
+        raise(ex, rv.to_s)
+      end
+      if ex=Luna::RETURN_VALUES[rv]
+        raise(ex, rv.to_s)
+      end
+      super
+    end
+
+    def vendor_class_CK_ATTRIBUTE
+      Luna::CK_ATTRIBUTE
+    end
+  end
+  
+end
+end

data/test/app_id_helper.rb

@@ -0,0 +1,29 @@
+require "rubygems"
+require "pkcs11_luna"
+
+include PKCS11
+
+slot_id = ARGV[0]
+
+pkcs11 = Luna::Library.new
+slot = Luna::Slot.new(pkcs11, slot_id.to_i)
+session = slot.open(PKCS11::CKF_RW_SESSION | PKCS11::CKF_SERIAL_SESSION)
+
+if session.info.state == CKS_RW_USER_FUNCTIONS
+  raise "Session info state had CKS_RW_USER_FUNCTIONS when not logged in!"
+end
+
+session.close
+pkcs11.close
+
+pkcs11 = Luna::Library.new
+pkcs11.set_application_id(10, 10)
+slot = Luna::Slot.new(pkcs11, slot_id.to_i)
+session = slot.open(PKCS11::CKF_RW_SESSION | PKCS11::CKF_SERIAL_SESSION)
+if session.info.state != CKS_RW_USER_FUNCTIONS
+  raise "Session info state was not CKS_RW_USER_FUNCTIONS when application id set."
+end
+session.close
+pkcs11.close
+
+exit(true)

data/test/luna_helper.rb

@@ -0,0 +1,57 @@
+begin
+  require 'io/console'
+rescue LoadError
+end
+
+class LunaHelper
+    
+  @@slot = nil  
+  @@password = nil
+  
+  def self.get_password(prompt)
+    password = ""
+    if STDIN.respond_to?(:echo=) and STDIN.respond_to?(:getch)
+      print prompt
+      STDIN.echo = false
+      while true       
+        c = STDIN.getch 
+        if c.ord == 3
+          STDIN.echo = true
+          exit!
+        end
+        if [10, 13].include?(c.ord)
+          print "\n"
+          break
+        end       
+        if [8, 127].include?(c.ord)
+          if password.length >= 1
+            print 8.chr          
+            print 32.chr
+            print 8.chr
+            password = password[0..-2]
+          end
+        else
+          password << c
+          print '*'
+        end 
+      end
+      STDIN.echo = true 
+    else      
+      password = `read -s -p "#{prompt}" password; echo $password`.chomp
+    end     
+    password
+  end
+  
+  
+  def self.get_slot_password()
+    if @@slot.nil?
+      print "Enter slot id: "
+      @@slot = gets
+    end
+    if @@password.nil?
+      @@password = get_password("Enter user PIN : ")
+    end
+    return @@slot.to_i, @@password
+  end
+  
+end

data/test/test_pkcs11_luna.rb

@@ -0,0 +1,112 @@
+require "minitest/autorun"
+require "pkcs11_luna"
+require "test/luna_helper"
+
+class TestPkcs11Luna < Minitest::Test
+  include PKCS11
+  
+  RUBY = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
+  FILE = File.dirname(__FILE__)
+  
+  @slot = LunaHelper.get_slot_password()
+  
+  def get_password
+    STDIN.echo = false
+    while ((c = STDIN.getch) != '\n')
+      print c
+    end
+    STDIN.echo = true
+  end
+  
+  def setup
+    @pk = Luna::Library.new
+    @slot, @password = LunaHelper.get_slot_password()
+  end
+  
+  def teardown
+    @pk.close
+  end
+
+=begin 
+  def test_slots_are_luna
+    pkcs11 = @pk
+    pkcs11.slots.each do |slot|
+      assert_equal(slot.class.to_s, "PKCS11::Luna::Slot")
+    end
+  end
+
+
+  MAJOR = 10
+  MINOR = 10
+  def test_application_id 
+    pkcs11 = @pk
+    pkcs11.set_application_id(MAJOR, MINOR)
+    slot = Luna::Slot.new(pkcs11, @slot)
+    begin
+      slot.open_application_id(MAJOR, MINOR)
+    rescue CKR_DATA_INVALID
+      slot.close_application_id(MAJOR, MINOR)
+    end
+    session = slot.open(CKF_RW_SESSION | CKF_SERIAL_SESSION)
+    session.login(:USER, @password)
+    file = File.join(FILE, 'app_id_helper.rb')
+    cmd = "#{RUBY} #{file} #{@slot}"  
+    IO.popen(cmd, 'r') do |p|
+       p.read
+    end
+    assert $?.success?, "The subprocess did not return successfully."
+    
+    
+    session.logout
+    session.close
+    slot.close_application_id(MAJOR, MINOR)
+  end
+=end
+  
+  def test_mechanisms_list
+    pkcs11 = @pk
+    slot = Slot.new(pkcs11, @slot)
+    mechanisms = slot.mechanisms
+    mechanisms.each do |mech_id|
+      assert(Luna::MECHANISMS.key?(mech_id))
+    end
+  end
+  
+  def test_init_token
+    pkcs11 = @pk
+    slot = Slot.new(pkcs11, @slot)
+    
+    assert_raises(Luna::CKR_OPERATION_NOT_ALLOWED, CKR_USER_TYPE_INVALID) {
+      slot.init_token("anypin", "new_label")
+    }   
+  end
+  
+  def test_init_pin
+    pkcs11 = @pk
+    slot = Slot.new(pkcs11, @slot)
+    session = slot.open(CKF_RW_SESSION | CKF_SERIAL_SESSION)
+    session.login(:USER, @password)
+    assert_raises(Luna::CKR_OPERATION_NOT_ALLOWED, CKR_FUNCTION_NOT_SUPPORTED) {
+      session.init_pin("anypin")
+    }
+    session.logout
+    session.close
+  end
+  
+  def test_set_pin
+    pkcs11 = @pk
+    slot = Slot.new(pkcs11, @slot)
+    session = slot.open(CKF_RW_SESSION | CKF_SERIAL_SESSION)
+    session.login(:USER, @password)
+    session.set_pin(@password, @password)
+    session.logout
+    session.close
+  end
+  
+  def test_wait_for_slot_event
+    assert_raises(Luna::CKR_OPERATION_NOT_ALLOWED, CKR_FUNCTION_NOT_SUPPORTED) {
+      @pk.wait_for_slot_event
+    }
+  end
+  
+end

data/test/test_pkcs11_luna_crypt.rb

@@ -0,0 +1,260 @@
+require "minitest/autorun"
+require "pkcs11_luna"
+require "test/luna_helper"
+
+class TestPkcs11LunaCrypt < Minitest::Test
+  include PKCS11
+  
+  def setup
+    @pk = Luna::Library.new
+    slot_id, password = LunaHelper.get_slot_password()
+    @slot = Slot.new(@pk, slot_id)    
+    @session = @slot.open(PKCS11::CKF_RW_SESSION | PKCS11::CKF_SERIAL_SESSION)
+    @session.login(:USER, password)
+  end
+  
+  def teardown
+    @session.logout
+    @session.close
+    @pk.close
+  end
+  
+  def destroy_object(session, label)
+    session.find_objects(:LABEL=>label) do |obj|
+      obj.destroy
+    end
+  end
+
+  
+  def test_ec_pair_gen_derive_aes
+    pub_label = "EC Public Key"
+    priv_label = "EC Private Key"
+    derived_label = "EC Derived Key "
+    destroy_object(@session, pub_label)
+    destroy_object(@session, priv_label)
+    destroy_object(@session, derived_label + '1')
+    destroy_object(@session, derived_label + '2')
+        
+    #DER encoding of OID 1.3.132.0.10 secp256k1
+    curve_oid_der = [0x06, 0x05, 0x2B, 0x81, 0x04, 0x00, 0x0A].pack("C*")
+        
+    attributes_public = {:TOKEN=>true, :ENCRYPT=>true, :VERIFY=>true, :WRAP=>true,
+      :EC_PARAMS=>curve_oid_der, :LABEL=>pub_label}
+    attributes_private = {:TOKEN=>true, :DECRYPT=>true, :SIGN=>true, 
+      :DERIVE=>true, :UNWRAP=>true, :SENSITIVE=>true, :LABEL=>priv_label}
+                             
+    pub_key1, priv_key1 = @session.generate_key_pair(:EC_KEY_PAIR_GEN, attributes_public, attributes_private)    
+    pub_key2, priv_key2 = @session.generate_key_pair(:EC_KEY_PAIR_GEN, attributes_public, attributes_private)
+    
+    shared_data = "SHARED DATA"
+    
+    ec_point1 = pub_key1.attributes(:EC_POINT)[0].value
+    ec_point2 = pub_key2.attributes(:EC_POINT)[0].value
+    mechanism = {:ECDH1_DERIVE=>{:kdf=>Luna::CKD_SHA512_KDF, :pSharedData=>shared_data}}
+      
+    derive_attributes = {:CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_AES, :TOKEN=>true, :SENSITIVE=>true, :PRIVATE=>true,
+    :ENCRYPT=>true, :DECRYPT=>true, :SIGN=>true, :VERIFY=>true, :VALUE_LEN=>32, :LABEL=>derived_label+'1'}
+    
+    assert_raises(Luna::CKR_ECC_POINT_INVALID) do
+      @session.derive_key(mechanism, priv_key1, derive_attributes)
+    end
+    
+    mechanism[:ECDH1_DERIVE][:pPublicData] = ec_point2     
+    derived_key1 = @session.derive_key(mechanism, priv_key1, derive_attributes)
+    mechanism[:ECDH1_DERIVE][:pPublicData] = ec_point1
+    derive_attributes[:LABEL] = derived_label + '2'
+    derived_key2 = @session.derive_key(mechanism, priv_key2, derive_attributes)
+    
+    iv = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16].pack('C*')
+    message = "Text to encrypt"
+    cipher_text = @session.encrypt({:AES_CBC_PAD=>iv}, derived_key1, message)
+    decrypted = @session.decrypt({:AES_CBC_PAD=>iv}, derived_key2, cipher_text)
+    assert_equal(decrypted, message)    
+  end
+  
+  def test_encrypt_decrypt_aes
+    label = "Test AES Key"
+    destroy_object(@session, label)
+    key = @session.generate_key(:AES_KEY_GEN,
+      :CLASS=>CKO_SECRET_KEY, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>true, 
+      :TOKEN=>true, :VALUE_LEN=>32, :LABEL=>label)
+      
+    assert key[Luna::CKA_FINGERPRINT_SHA256].size == 32
+      
+    message = "Text to encrypt"
+    iv = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16].pack('C*')
+    cipher_text = @session.encrypt({:AES_CBC_PAD=>iv}, key, message)
+    decrypted_text = @session.decrypt({:AES_CBC_PAD=>iv}, key, cipher_text)
+    assert_equal(message, decrypted_text)
+  end
+  
+  def test_generate_rsa_key_pair
+    pub_label = "Test RSA public key"
+    priv_label = "Test RSA private key"
+    destroy_object(@session, pub_label)
+    destroy_object(@session, priv_label)
+    
+    pub_attr = {:ENCRYPT=>true, :VERIFY=>true, 
+      :MODULUS_BITS=>2048, :TOKEN=>true, :WRAP=>true, :LABEL=>pub_label}
+    priv_attr = {:DECRYPT=>true, :SIGN=>true, :SENSITIVE=>true, :PRIVATE=>true, 
+          :TOKEN=>true, :UNWRAP=>true, :LABEL=>priv_label}
+    
+    pub_key, priv_key = @session.generate_key_pair(:RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN, pub_attr, priv_attr)    
+  end
+  
+  def test_encrypt_decrypt_rsa
+    pub_key, priv_key = test_generate_rsa_key_pair
+    message = "Text to encrypt using RSA keys"
+    encrypted = @session.encrypt(:RSA_PKCS, pub_key, message)
+    decrypted = @session.decrypt(:RSA_PKCS, priv_key, encrypted)
+    assert_equal(message, decrypted)    
+  end
+  
+  def test_sign_verify_rsa
+    pub_key, priv_key = test_generate_rsa_key_pair
+    data = "Text to sign/verify using RSA keys"
+    signature = @session.sign(:SHA512_RSA_PKCS, priv_key, data)
+    @session.verify(:SHA512_RSA_PKCS, pub_key, signature, data)
+  end
+  
+  def generate_aes_key(label)
+    label = "Ruby AES Key"
+    destroy_object(@session, label)
+    key = @session.generate_key(:AES_KEY_GEN,
+      :CLASS=>CKO_SECRET_KEY, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>true, 
+      :TOKEN=>true, :EXTRACTABLE=>true, :VALUE_LEN=>32, :LABEL=>label)
+    
+    return key
+  end
+  
+  def test_wrap_unwrap
+    pub_key, priv_key = test_generate_rsa_key_pair
+        
+    aes_key = generate_aes_key("Wrapped AES Key")
+        
+    wrapped = @session.wrap_key(:RSA_PKCS, pub_key, aes_key)
+    
+    label = "Unwrapped AES Key"
+    destroy_object(@session, label)
+    
+    attributes = {:CLASS=>CKO_SECRET_KEY, :KEY_TYPE=>CKK_AES, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>true, 
+    :TOKEN=>true, :VALUE_LEN=>32, :LABEL=>label}
+    
+    unwrapped_key = @session.unwrap_key(:RSA_PKCS, priv_key, wrapped, attributes)
+    
+    message = "Encrypt/Decrypt with a wrapped and unwrapped key"
+    iv = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16].pack('C*')
+    cipher_text = @session.encrypt({:AES_CBC_PAD=>iv}, aes_key, message)
+    decrypted_text = @session.decrypt({:AES_CBC_PAD=>iv}, unwrapped_key, cipher_text)
+    assert_equal(message, decrypted_text)
+  end
+  
+  def test_digest
+    data = "Data to digest."
+    digest = @session.digest(:SHA512, data)
+    hex = digest.bytes.map { |b| sprintf("%02X",b) }.join
+    assert_equal(hex, "B22A958E549B113FEC7FE2FBDE766A88D44E34FA47F3EED9DCBA9294AC46DA0CB2511F38943D1F1A533EB25C177F0FC38F2EFC87215D9043F67A103E849A2605")    
+  end
+  
+  def test_des3_cmac_general
+    label = "DES Key"
+    destroy_object(@session, label)
+    des_key = @session.generate_key(:DES3_KEY_GEN,
+          :CLASS=>CKO_SECRET_KEY, :SIGN=>true, :VERIFY=>true, :ENCRYPT=>true, :DECRYPT=>true, :SENSITIVE=>true, 
+          :TOKEN=>true, :EXTRACTABLE=>true, :LABEL=>label)
+          
+    data = "Data to be signed."
+    signature = @session.sign({:DES3_CMAC_GENERAL=>8}, des_key, data)
+    @session.verify({:DES3_CMAC_GENERAL=>8}, des_key, signature, data)      
+  end
+  
+  def get_data
+    plaintext = ""
+    (0..10000).each do |i|
+      plaintext << (i%26+65).chr
+    end
+    plaintext
+  end
+  
+  def test_encrypt_decrypt_multipart
+    key = generate_aes_key("Ruby AES Key")
+    
+    iv = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16].pack('C*')
+    mechanism = {:AES_CBC_PAD=>iv}
+    
+    chunk_size = 1024
+    plaintext = get_data
+    
+    encrypted = ""
+    index = 0
+    encrypted << @session.encrypt(mechanism, key) do |cipher|
+      while index < plaintext.size
+        s = plaintext.slice(index, chunk_size)
+        encrypted << cipher.update(s)
+        index += chunk_size
+      end
+    end
+    
+    decrypted = ""
+    index = 0
+    decrypted << @session.decrypt(mechanism, key) do |cipher|
+      while index < encrypted.size
+        s = encrypted.slice(index, chunk_size)
+        decrypted << cipher.update(s) 
+        index += chunk_size
+      end
+    end
+    assert plaintext == decrypted    
+  end
+  
+  def test_sign_verify
+    pub_key, priv_key = test_generate_rsa_key_pair
+    
+    plaintext = get_data    
+    
+    signature = @session.sign(:SHA512_RSA_PKCS, priv_key) {|c|
+      index = 0
+      while index < plaintext.size
+        c.update(plaintext.slice(index, 256))
+        index += 256
+      end
+    }
+    
+    @session.verify(:SHA512_RSA_PKCS, pub_key, signature) {|c|
+      index = 0
+      while index < plaintext.size
+        c.update(plaintext.slice(index, 256))
+        index += 256
+      end
+    }    
+  end
+  
+  def test_digest_encrypt_decrypt_update
+    assert_raises(CKR_FUNCTION_NOT_SUPPORTED) {
+      @session.C_DigestEncryptUpdate("Not supported")
+    }
+    assert_raises(CKR_FUNCTION_NOT_SUPPORTED) {
+      @session.C_DecryptDigestUpdate("Not supported")
+    }
+  end
+  
+  def test_verify_recover
+    pub_key, priv_key = test_generate_rsa_key_pair
+    assert_raises(CKR_FUNCTION_NOT_SUPPORTED) {
+      @session.C_VerifyRecoverInit(:SHA512_RSA_PKCS, pub_key)
+    }
+    assert_raises(CKR_FUNCTION_NOT_SUPPORTED) {
+      @session.C_VerifyRecover("Not supported")
+    }
+  end
+  
+  def test_sign_verify_encrypt_decrypt_update
+    assert_raises(CKR_FUNCTION_NOT_SUPPORTED) {
+      @session.C_SignEncryptUpdate("Not supported")
+    }
+    assert_raises(CKR_FUNCTION_NOT_SUPPORTED) {
+      @session.C_DecryptVerifyUpdate("Not supported")
+    }
+  end
+  
+end