tem_ruby 0.13.0 → 0.14.0

data/CHANGELOG

@@ -1,3 +1,5 @@
+v0.14.0. Finalized symmetric encryption (fw 1.14).
+
 v0.13.0. Public bits in TEM buffer stats (fw 1.13).
 
 v0.12.0. Direct version checking in the TEM (fw 1.12) and firmware upload files.

data/Manifest

@@ -48,7 +48,6 @@ lib/tem/secpack.rb
 lib/tem/tem.rb
 lib/tem/toolkit.rb
 lib/tem_ruby.rb
-tem_ruby.gemspec
 test/_test_cert.rb
 test/builders/test_abi_builder.rb
 test/firmware/test_uploader.rb
@@ -56,8 +55,8 @@ test/tem_test_case.rb
 test/tem_unit/test_tem_alu.rb
 test/tem_unit/test_tem_bound_secpack.rb
 test/tem_unit/test_tem_branching.rb
-test/tem_unit/test_tem_crypto_asymmetric.rb
 test/tem_unit/test_tem_crypto_hash.rb
+test/tem_unit/test_tem_crypto_keys.rb
 test/tem_unit/test_tem_crypto_pstore.rb
 test/tem_unit/test_tem_crypto_random.rb
 test/tem_unit/test_tem_emit.rb
@@ -66,5 +65,6 @@ test/tem_unit/test_tem_memory_compare.rb
 test/tem_unit/test_tem_output.rb
 test/tem_unit/test_tem_yaml_secpack.rb
 test/test_auto_conf.rb
+test/test_crypto_engine.rb
 test/test_driver.rb
 test/test_exceptions.rb

data/lib/tem/apdus/keys.rb

@@ -8,8 +8,9 @@
 module Tem::Apdus
   
 module Keys
-  def devchip_generate_key_pair
-    response = @transport.iso_apdu! :ins => 0x40
+  def devchip_generate_key_pair(symmetric_key = false)
+    response = @transport.iso_apdu! :ins => 0x40,
+                                    :p1 => (symmetric_key ? 0x80 : 0x00)
     return { :privkey_id => read_tem_byte(response, 0),
              :pubkey_id => read_tem_byte(response, 1) }    
   end

data/lib/tem/builders/crypto.rb

@@ -67,12 +67,12 @@ class Crypto < Abi
         :read => lambda { |k| Tem::Keys::Symmetric.new k },
         :to => lambda { |k| k.ssl_key },
         :new => lambda { |klass|
-      k = cipher_class cipher_name
+      k = cipher_class.new cipher_name
       
       unless k.respond_to? :key
         # Some ciphers don't give back the key that they receive.
         # We need to synthesize that.
-        class << k
+        class <<k
           def key=(new_key)
             super
             @_key = new_key
@@ -82,6 +82,7 @@ class Crypto < Abi
           end
         end
       end
+      k
     }
   end
   

data/lib/tem/definitions/abi.rb

@@ -27,7 +27,7 @@ module Tem::Abi
         [:p, :q, :dmp1, :dmq1, :iqmp], :signed => false, :big_endian => true
     abi.packed_variable_length_numbers :tem_pubrsa_numbers, :tem_ushort,
         [:e, :n], :signed => false, :big_endian => true
-    abi.fixed_length_string :tem_aes_key_string, 16    
+    abi.fixed_length_string :tem_3des_key_string, 16    
   end
   
   Tem::Builders::Crypto.define_crypto self do |crypto|
@@ -52,11 +52,11 @@ module Tem::Abi
       Tem::Keys::Asymmetric.new key
     }
     
-    crypto.symmetric_key :tem_aes_key, OpenSSL::Cipher::AES, 'ECB',
-                         :tem_aes_key_string
+    crypto.symmetric_key :tem_3des_key, OpenSSL::Cipher::DES, 'EDE-CBC',
+                         :tem_3des_key_string
     
     crypto.conditional_wrapper :tem_key, 1,
-        [{:tag => [0x99], :type => :tem_key,
+        [{:tag => [0x99], :type => :tem_3des_key,
           :class => Tem::Keys::Symmetric },
          {:tag => [0xAA], :type => :public_tem_rsa,
           :class => Tem::Keys::Asymmetric,

data/lib/tem/keys/asymmetric.rb

@@ -1,6 +1,13 @@
+# Ruby implementation of the TEM's asymmetric key operations.
+#
+# Author:: Victor Costan
+# Copyright:: Copyright (C) 2007 Massachusetts Institute of Technology
+# License:: MIT
+
 # :nodoc: namespace
 module Tem::Keys
 
+
 # Wraps a TEM asymmetric key, e.g. an RSA key.
 class Asymmetric < Tem::Key  
   def self.new_from_array(array)
@@ -95,22 +102,22 @@ class Asymmetric < Tem::Key
     i = 0
     while i < data.length do
       block_size = (data.length - i < in_size) ? data.length - i : in_size
-      if data.kind_of? String
-        block = data[i...(i+block_size)]
-      else 
+      if data.respond_to? :pack
         block = data[i...(i+block_size)].pack('C*')
+      else 
+        block = data[i...(i+block_size)]
       end
       o_block = yield block
-      if data.kind_of? String
-        output += o_block
-      else
+      if data.respond_to? :pack
         output += o_block.unpack('C*')
+      else
+        output += o_block
       end
       i += block_size
     end
     return output
   end
   private :chug_data
-end
+end  # class Tem::Keys::Asymmetric
 
-end  # namespace Tem::Keys
+end  # namespace Tem::Keys

data/lib/tem/keys/key.rb

@@ -1,3 +1,10 @@
+# Superclass for Ruby implementations of the TEM's key operations.
+#
+# Author:: Victor Costan
+# Copyright:: Copyright (C) 2009 Massachusetts Institute of Technology
+# License:: MIT
+
+
 # Base class for the TEM keys.
 #
 # This class consists of stubs describing the interface implemented by
@@ -39,10 +46,10 @@ class Tem::Key
   def self.new_from_ssl_key(ssl_key)
     if ssl_key.kind_of? OpenSSL::PKey::PKey
       Tem::Keys::Asymmetric.new ssl_key
-    elsif ssl_key.kind_of? OpenSSL::Cipher::Cipher
+    elsif ssl_key.kind_of? OpenSSL::Cipher or ssl_key.kind_of? String
       Tem::Keys::Symmetric.new ssl_key
     else
       raise "Can't handle keys of class #{ssl_key.class}"
     end
   end
-end
+end  # class Tem::Key

data/lib/tem/keys/symmetric.rb

@@ -1,23 +1,55 @@
+# Ruby implementation of the TEM's symmetric key operations.
+#
+# Author:: Victor Costan
+# Copyright:: Copyright (C) 2009 Massachusetts Institute of Technology
+# License:: MIT
+
 # :nodoc: namespace
 module Tem::Keys
 
+
 # Wraps a TEM symmetric key, e.g. an AES key.
 class Symmetric < Tem::Key
-  @@cipher_mode = 'ECB'
+  @@cipher_mode = 'EDE-CBC'
+  @@signature_mode = 'CBC'
   
   # Generates a new symmetric key.
   def self.generate
-    cipher = OpenSSL::Cipher::AES128.new @@cipher_mode
+    cipher = OpenSSL::Cipher::DES.new @@cipher_mode
     key = cipher.random_key
     self.new key
   end
   
   # Creates a new symmetric key based on an OpenSSL Cipher instance, augmented
   # with a key accessor.
-  def initialize(ssl_key)
-    super ssl_key
-    @key = ssl_key.key
-    @cipher_class = ssl_key.class
+  #
+  # Args:
+  #   ssl_key:: the OpenSSL key, or a string containing the raw key
+  #   raw_key:: if the OpenSSL key does not support calls to +key+, the raw key
+  def initialize(ssl_key, raw_key = nil)
+    if ssl_key.kind_of? OpenSSL::Cipher
+      @key = raw_key || ssl_key.key
+      @cipher_class = ssl_key.class
+    else
+      @key = ssl_key
+      @cipher_class = OpenSSL::Cipher::DES
+    end
+    
+    # Create an OpenSSL wrapper for the key we received.
+    cipher = @cipher_class.new @@cipher_mode
+    class <<cipher
+      def key=(new_key)
+        super
+        @_key = new_key
+      end
+      def key
+        @_key
+      end
+    end
+    cipher.key = @key
+    cipher.iv = "\0" * 16
+
+    super cipher
   end
   public_class_method :new
 
@@ -26,22 +58,88 @@ class Symmetric < Tem::Key
     do_encrypt ? cipher.encrypt : cipher.decrypt
     cipher.key = @key
     cipher.iv = "\0" * 16
+    cipher.padding = 0
+
+    pdata = data.respond_to?(:pack) ? data.pack('C*') : data
+    if do_encrypt
+      pdata << "\x80"
+      if pdata.length % cipher.block_size != 0
+        pdata << "\0" * (cipher.block_size - pdata.length % cipher.block_size)
+      end
+    end
+    
+    result = cipher.update pdata
+    result += cipher.final
     
+    unless do_encrypt
+      result_length = result.length
+      loop do
+        result_length -= 1
+        next if result[result_length].ord == 0
+        raise "Invalid padding" unless result[result_length].ord == 0x80
+        break
+      end
+      result = result[0, result_length]
+    end        
+    data.respond_to?(:pack) ? result.unpack('C*') : result
   end
   
   def encrypt(data)
-    cipher.encrypt_or_decrypt data, true
+    encrypt_or_decrypt data, true
   end
 
   def decrypt(data)
-    cipher.encrypt_or_decrypt data, false
+    encrypt_or_decrypt data, false
   end
 
-  def sign(data)
+  def sign(data)    
+    cipher = @cipher_class.new @@cipher_mode
+    cipher.encrypt
+    cipher.key = @key
+    cipher.iv = "\0" * 16
+    cipher.padding = 0
+    
+    pdata = data.respond_to?(:pack) ? data.pack('C*') : data
+    pdata << "\x80"
+    if pdata.length % cipher.block_size != 0
+      pdata << "\0" * (cipher.block_size - pdata.length % cipher.block_size)
+    end
+    
+    result = cipher.update pdata
+    result += cipher.final
+    result = result[-cipher.block_size, cipher.block_size]
+    data.respond_to?(:pack) ? result.unpack('C*') : result
+  end
+
+  def verify(data, signature)
+    hmac = sign(data)
+    hmac = hmac.pack('C*') if hmac.respond_to?(:pack)
+    signature = signature.pack('C*') if signature.respond_to?(:pack)
+    hmac == signature
   end
 
-  def verify(data)
+  def self.new_from_array(array)    
+    cipher_class = array[0].split('::').inject(Kernel) do |scope, name|
+      scope.const_get name
+    end
+    
+    # Cipher instance used solely to point to the right class.
+    cipher = cipher_class.new @@cipher_mode
+    self.new cipher, array[1]      
+  end
+  
+  def self.new_from_yaml_str(yaml_str)
+    array = YAML.load yaml_str
+    new_from_array array
+  end
+
+  def to_array
+    [@cipher_class.name, @key]
+  end
+  
+  def to_yaml_str
+    self.to_array.to_yaml.to_s
   end
-end
+end  # class Tem::Keys::Symmetric
 
 end  # namespace Tem::Keys

data/lib/tem/secpack.rb

@@ -109,6 +109,7 @@ class Tem::SecPack
     @labels.to_a.reverse_each do |info|
       return info.reverse if addr >= info[1]
     end
+    return [0, :__start]
   end
   
   # Methods for interacting with the plaintext content of a SECpack.

data/lib/tem/toolkit.rb

@@ -4,7 +4,7 @@ module Tem::Toolkit
       s.ldbc authz.nil? ? 24 : 4
       s.outnew
       if authz.nil?
-        # no authorization given, must generate one
+        # No authorization given, must generate one.
         s.ldbc 20
         s.ldwc :key_auth
         s.dupn :n => 2
@@ -12,10 +12,12 @@ module Tem::Toolkit
         s.outvb
       end
       s.genkp :type => (type == :asymmetric) ? 0x00 : 0x80
-      s.authk :auth => :key_auth 
-      s.outw
-      s.authk :auth => :key_auth 
+      s.authk :auth => :key_auth
       s.outw
+      if type == :asymmetric
+        s.authk :auth => :key_auth 
+        s.outw
+      end
       s.halt
       s.label :key_auth
       if authz.nil?
@@ -28,14 +30,14 @@ module Tem::Toolkit
     
     kp_buffer = execute gen_sec
     keys_offset = authz.nil? ? 20 : 0
-    k1id = read_tem_ushort kp_buffer, keys_offset
-    k2id = read_tem_ushort kp_buffer, keys_offset + 2
+    k1id = read_tem_ushort kp_buffer, keys_offset    
+    k2id = read_tem_ushort kp_buffer, keys_offset + 2 if type == :asymmetric
     if type == :asymmetric 
       return_val = { :pubk_id => k1id, :privk_id => k2id }
     else
       return_val = { :key_id => k1id }
     end
-    return { :authz => authz.nil? ? kp_buffer[0...20] : authz }.merge!(return_val)
+    return { :authz => authz || kp_buffer[0...20] }.merge!(return_val)
   end
   
   def tk_read_key(key_id, authz)

data/tem_ruby.gemspec

@@ -2,23 +2,23 @@
 
 Gem::Specification.new do |s|
   s.name = %q{tem_ruby}
-  s.version = "0.13.0"
+  s.version = "0.14.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Victor Costan"]
-  s.date = %q{2009-11-11}
+  s.date = %q{2009-11-12}
   s.description = %q{TEM (Trusted Execution Module) driver, written in and for ruby.}
   s.email = %q{victor@costan.us}
   s.executables = ["tem_bench", "tem_ca", "tem_irb", "tem_proxy", "tem_stat", "tem_upload_fw"]
   s.extra_rdoc_files = ["CHANGELOG", "LICENSE", "README", "bin/tem_bench", "bin/tem_ca", "bin/tem_irb", "bin/tem_proxy", "bin/tem_stat", "bin/tem_upload_fw", "lib/tem/_cert.rb", "lib/tem/apdus/buffers.rb", "lib/tem/apdus/keys.rb", "lib/tem/apdus/lifecycle.rb", "lib/tem/apdus/tag.rb", "lib/tem/auto_conf.rb", "lib/tem/benchmarks/benchmarks.rb", "lib/tem/benchmarks/blank_bound_secpack.rb", "lib/tem/benchmarks/blank_sec.rb", "lib/tem/benchmarks/devchip_decrypt.rb", "lib/tem/benchmarks/post_buffer.rb", "lib/tem/benchmarks/simple_apdu.rb", "lib/tem/benchmarks/vm_perf.rb", "lib/tem/benchmarks/vm_perf_bound.rb", "lib/tem/builders/abi.rb", "lib/tem/builders/assembler.rb", "lib/tem/builders/crypto.rb", "lib/tem/builders/isa.rb", "lib/tem/ca.rb", "lib/tem/definitions/abi.rb", "lib/tem/definitions/assembler.rb", "lib/tem/definitions/isa.rb", "lib/tem/ecert.rb", "lib/tem/firmware/tc.cap", "lib/tem/firmware/uploader.rb", "lib/tem/hive.rb", "lib/tem/keys/asymmetric.rb", "lib/tem/keys/key.rb", "lib/tem/keys/symmetric.rb", "lib/tem/sec_exec_error.rb", "lib/tem/seclosures.rb", "lib/tem/secpack.rb", "lib/tem/tem.rb", "lib/tem/toolkit.rb", "lib/tem_ruby.rb"]
-  s.files = ["CHANGELOG", "LICENSE", "Manifest", "README", "Rakefile", "bin/tem_bench", "bin/tem_ca", "bin/tem_irb", "bin/tem_proxy", "bin/tem_stat", "bin/tem_upload_fw", "dev_ca/ca_cert.cer", "dev_ca/ca_cert.pem", "dev_ca/ca_key.pem", "dev_ca/config.yml", "lib/tem/_cert.rb", "lib/tem/apdus/buffers.rb", "lib/tem/apdus/keys.rb", "lib/tem/apdus/lifecycle.rb", "lib/tem/apdus/tag.rb", "lib/tem/auto_conf.rb", "lib/tem/benchmarks/benchmarks.rb", "lib/tem/benchmarks/blank_bound_secpack.rb", "lib/tem/benchmarks/blank_sec.rb", "lib/tem/benchmarks/devchip_decrypt.rb", "lib/tem/benchmarks/post_buffer.rb", "lib/tem/benchmarks/simple_apdu.rb", "lib/tem/benchmarks/vm_perf.rb", "lib/tem/benchmarks/vm_perf_bound.rb", "lib/tem/builders/abi.rb", "lib/tem/builders/assembler.rb", "lib/tem/builders/crypto.rb", "lib/tem/builders/isa.rb", "lib/tem/ca.rb", "lib/tem/definitions/abi.rb", "lib/tem/definitions/assembler.rb", "lib/tem/definitions/isa.rb", "lib/tem/ecert.rb", "lib/tem/firmware/tc.cap", "lib/tem/firmware/uploader.rb", "lib/tem/hive.rb", "lib/tem/keys/asymmetric.rb", "lib/tem/keys/key.rb", "lib/tem/keys/symmetric.rb", "lib/tem/sec_exec_error.rb", "lib/tem/seclosures.rb", "lib/tem/secpack.rb", "lib/tem/tem.rb", "lib/tem/toolkit.rb", "lib/tem_ruby.rb", "tem_ruby.gemspec", "test/_test_cert.rb", "test/builders/test_abi_builder.rb", "test/firmware/test_uploader.rb", "test/tem_test_case.rb", "test/tem_unit/test_tem_alu.rb", "test/tem_unit/test_tem_bound_secpack.rb", "test/tem_unit/test_tem_branching.rb", "test/tem_unit/test_tem_crypto_asymmetric.rb", "test/tem_unit/test_tem_crypto_hash.rb", "test/tem_unit/test_tem_crypto_pstore.rb", "test/tem_unit/test_tem_crypto_random.rb", "test/tem_unit/test_tem_emit.rb", "test/tem_unit/test_tem_memory.rb", "test/tem_unit/test_tem_memory_compare.rb", "test/tem_unit/test_tem_output.rb", "test/tem_unit/test_tem_yaml_secpack.rb", "test/test_auto_conf.rb", "test/test_driver.rb", "test/test_exceptions.rb"]
+  s.files = ["CHANGELOG", "LICENSE", "Manifest", "README", "Rakefile", "bin/tem_bench", "bin/tem_ca", "bin/tem_irb", "bin/tem_proxy", "bin/tem_stat", "bin/tem_upload_fw", "dev_ca/ca_cert.cer", "dev_ca/ca_cert.pem", "dev_ca/ca_key.pem", "dev_ca/config.yml", "lib/tem/_cert.rb", "lib/tem/apdus/buffers.rb", "lib/tem/apdus/keys.rb", "lib/tem/apdus/lifecycle.rb", "lib/tem/apdus/tag.rb", "lib/tem/auto_conf.rb", "lib/tem/benchmarks/benchmarks.rb", "lib/tem/benchmarks/blank_bound_secpack.rb", "lib/tem/benchmarks/blank_sec.rb", "lib/tem/benchmarks/devchip_decrypt.rb", "lib/tem/benchmarks/post_buffer.rb", "lib/tem/benchmarks/simple_apdu.rb", "lib/tem/benchmarks/vm_perf.rb", "lib/tem/benchmarks/vm_perf_bound.rb", "lib/tem/builders/abi.rb", "lib/tem/builders/assembler.rb", "lib/tem/builders/crypto.rb", "lib/tem/builders/isa.rb", "lib/tem/ca.rb", "lib/tem/definitions/abi.rb", "lib/tem/definitions/assembler.rb", "lib/tem/definitions/isa.rb", "lib/tem/ecert.rb", "lib/tem/firmware/tc.cap", "lib/tem/firmware/uploader.rb", "lib/tem/hive.rb", "lib/tem/keys/asymmetric.rb", "lib/tem/keys/key.rb", "lib/tem/keys/symmetric.rb", "lib/tem/sec_exec_error.rb", "lib/tem/seclosures.rb", "lib/tem/secpack.rb", "lib/tem/tem.rb", "lib/tem/toolkit.rb", "lib/tem_ruby.rb", "test/_test_cert.rb", "test/builders/test_abi_builder.rb", "test/firmware/test_uploader.rb", "test/tem_test_case.rb", "test/tem_unit/test_tem_alu.rb", "test/tem_unit/test_tem_bound_secpack.rb", "test/tem_unit/test_tem_branching.rb", "test/tem_unit/test_tem_crypto_hash.rb", "test/tem_unit/test_tem_crypto_keys.rb", "test/tem_unit/test_tem_crypto_pstore.rb", "test/tem_unit/test_tem_crypto_random.rb", "test/tem_unit/test_tem_emit.rb", "test/tem_unit/test_tem_memory.rb", "test/tem_unit/test_tem_memory_compare.rb", "test/tem_unit/test_tem_output.rb", "test/tem_unit/test_tem_yaml_secpack.rb", "test/test_auto_conf.rb", "test/test_crypto_engine.rb", "test/test_driver.rb", "test/test_exceptions.rb", "tem_ruby.gemspec"]
   s.homepage = %q{http://tem.rubyforge.org}
   s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Tem_ruby", "--main", "README"]
   s.require_paths = ["lib"]
   s.rubyforge_project = %q{tem}
   s.rubygems_version = %q{1.3.5}
   s.summary = %q{TEM (Trusted Execution Module) driver, written in and for ruby.}
-  s.test_files = ["test/test_driver.rb", "test/firmware/test_uploader.rb", "test/test_auto_conf.rb", "test/builders/test_abi_builder.rb", "test/tem_unit/test_tem_emit.rb", "test/tem_unit/test_tem_crypto_asymmetric.rb", "test/tem_unit/test_tem_yaml_secpack.rb", "test/tem_unit/test_tem_alu.rb", "test/tem_unit/test_tem_crypto_hash.rb", "test/tem_unit/test_tem_bound_secpack.rb", "test/tem_unit/test_tem_memory_compare.rb", "test/tem_unit/test_tem_output.rb", "test/tem_unit/test_tem_crypto_random.rb", "test/tem_unit/test_tem_memory.rb", "test/tem_unit/test_tem_branching.rb", "test/tem_unit/test_tem_crypto_pstore.rb", "test/test_exceptions.rb"]
+  s.test_files = ["test/builders/test_abi_builder.rb", "test/firmware/test_uploader.rb", "test/tem_unit/test_tem_alu.rb", "test/tem_unit/test_tem_bound_secpack.rb", "test/tem_unit/test_tem_branching.rb", "test/tem_unit/test_tem_crypto_hash.rb", "test/tem_unit/test_tem_crypto_keys.rb", "test/tem_unit/test_tem_crypto_pstore.rb", "test/tem_unit/test_tem_crypto_random.rb", "test/tem_unit/test_tem_emit.rb", "test/tem_unit/test_tem_memory.rb", "test/tem_unit/test_tem_memory_compare.rb", "test/tem_unit/test_tem_output.rb", "test/tem_unit/test_tem_yaml_secpack.rb", "test/test_auto_conf.rb", "test/test_crypto_engine.rb", "test/test_driver.rb", "test/test_exceptions.rb"]
 
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION

data/test/firmware/test_uploader.rb

@@ -18,7 +18,7 @@ class UploaderTest < Test::Unit::TestCase
   end
   
   def test_fw_version
-    assert_equal({:major => 1, :minor => 12}, Uploader.fw_version)
+    assert_equal({:major => 1, :minor => 14}, Uploader.fw_version)
   end
   
   def test_upload

data/test/tem_unit/test_tem_crypto_keys.rb

@@ -0,0 +1,189 @@
+require 'test/tem_test_case.rb'
+
+class TemCryptoKeysTest < TemTestCase
+  def i_crypt(data, key_id, authz, mode = :encrypt, direct_io = true,
+              symmetric = false)
+    if symmetric
+      max_output = case mode
+      when :encrypt
+        ((data.length + 8) / 8) * 8
+      when :decrypt
+        data.length
+      when :sign
+        8
+      end
+    else
+      max_output = case mode
+      when :encrypt
+        ((data.length + 239) / 240) * 256
+      when :decrypt
+        data.length
+      when :sign
+        256
+      end
+    end
+    
+    crypt_opcode =
+        {:encrypt => :kefxb, :decrypt => :kdfxb, :sign => :ksfxb}[mode]
+    ex_sec = @tem.assemble { |s|
+      s.ldwc :const => max_output
+      s.outnew
+      s.ldbc :const => key_id
+      s.authk :auth => :key_auth
+      s.send crypt_opcode, :from => :data, :size => data.length,
+                           :to => (direct_io ? 0xFFFF : :outdata) 
+      s.outvlb :from => :outdata unless direct_io
+      s.halt
+      
+      s.label :key_auth
+      s.data :tem_ubyte, authz
+      s.label :data
+      s.data :tem_ubyte, data
+      unless direct_io
+        s.label :outdata
+        s.zeros :tem_ubyte, max_output
+      end
+      s.stack 5
+    }
+    return @tem.execute(ex_sec)
+  end
+  
+  def i_verify(data, signature, key_id, authz)
+    sign_sec = @tem.assemble { |s|
+      s.ldbc :const => 1
+      s.outnew
+      s.ldbc :const => key_id
+      s.authk :auth => :key_auth
+      s.kvsfxb :from => :data, :size => data.length, :signature => :signature 
+      s.outb
+      s.halt
+      
+      s.label :key_auth
+      s.data :tem_ubyte, authz
+      s.label :data
+      s.data :tem_ubyte, data
+      s.label :signature
+      s.data :tem_ubyte, signature
+      s.stack 5
+    }
+    return @tem.execute(sign_sec)[0] == 1
+  end
+  
+  def i_test_crypto_pks_ops(pubk_id, privk_id, pubk, privk, authz)
+    garbage = (0...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
+
+    # SEC/priv-sign + CPU/pub-verify, direct IO.
+    signed_garbage = i_crypt garbage, privk_id, authz, :sign, true
+    assert privk.verify(garbage, signed_garbage),
+           'SEC priv-signing + CPU pub-verify failed on good data'
+
+    # SEC/priv-sign + CPU/pub-verify, indirect IO.
+    signed_garbage = i_crypt garbage, privk_id, authz, :sign, false
+    assert privk.verify(garbage, signed_garbage),
+           'SEC priv-signing + CPU pub-verify failed on good data'
+
+    # CPU/priv-sign + SEC/pub-verify.
+    signed_garbage = privk.sign garbage 
+    assert i_verify(garbage, signed_garbage, pubk_id, authz),
+           'CPU priv-signing + SEC pub-verify failed on good data'
+
+    # CPU/priv-encrypt + SEC/pub-decrypt, indirect IO.
+    encrypted_garbage = privk.encrypt garbage 
+    decrypted_garbage = i_crypt encrypted_garbage, pubk_id, authz, :decrypt,
+                                false
+    assert_equal garbage, decrypted_garbage,
+                 'CPU priv-encryption + SEC pub-decryption/i messed up the data'  
+
+    # SEC/pub-encrypt + CPU/priv-decrypt, indirect IO.
+    encrypted_garbage = i_crypt garbage, pubk_id, authz, :encrypt, false
+    decrypted_garbage = privk.decrypt encrypted_garbage
+    assert_equal garbage, decrypted_garbage,
+                 'SEC pub-encryption/i + CPU priv-decryption messed up the data'  
+    
+    # CPU/pub-encrypt + SEC/priv-decrypt, direct-IO.
+    encrypted_garbage = pubk.encrypt garbage 
+    decrypted_garbage = i_crypt encrypted_garbage, privk_id, authz, :decrypt,
+                                true
+    assert_equal garbage, decrypted_garbage,
+                 'CPU pub-encryption + SEC priv-decryption messed up the data' 
+
+    # SEC/priv-encrypt + CPU/pub-decrypt, direct-IO.
+    encrypted_garbage = i_crypt garbage, privk_id, authz, :encrypt, true
+    decrypted_garbage = pubk.decrypt encrypted_garbage
+    assert_equal garbage, decrypted_garbage,
+                 'SEC priv-encryption + CPU pub-decryption messed up the data'    
+  end
+  
+  def test_crypto_asymmetric
+    # Crypto run with an internally generated key.
+    keyd = @tem.tk_gen_key :asymmetric
+    pubk = @tem.tk_read_key keyd[:pubk_id], keyd[:authz]
+    privk = @tem.tk_read_key keyd[:privk_id], keyd[:authz]
+    i_test_crypto_pks_ops keyd[:pubk_id], keyd[:privk_id], pubk, privk,
+                          keyd[:authz]
+    
+    # Crypto run with an externally generated key.
+    ekey = OpenSSL::PKey::RSA.generate(2048, 65537)
+    pubk = Tem::Key.new_from_ssl_key ekey.public_key
+    privk = Tem::Key.new_from_ssl_key ekey
+    pubk_id = @tem.tk_post_key pubk, keyd[:authz] 
+    privk_id = @tem.tk_post_key privk, keyd[:authz]
+    i_test_crypto_pks_ops pubk_id, privk_id, pubk, privk, keyd[:authz]
+  end
+  
+  def i_test_crypto_sks_ops(skey_id, skey, authz)
+    garbage = (0...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
+
+    # SEC/sign + CPU/verify, direct IO.
+    signed_garbage = i_crypt garbage, skey_id, authz, :sign, true, true
+    assert skey.verify(garbage, signed_garbage),
+           'SEC signing + CPU verify failed on good data'
+
+    # SEC/sign + CPU/verify, indirect IO.
+    signed_garbage = i_crypt garbage, skey_id, authz, :sign, false, true
+    assert skey.verify(garbage, signed_garbage),
+           'SEC signing + CPU verify failed on good data'
+
+    # CPU/sign + SEC/verify.
+    signed_garbage = skey.sign garbage 
+    assert i_verify(garbage, signed_garbage, skey_id, authz),
+           'CPU signing + SEC verify failed on good data'
+
+    # CPU/encrypt + SEC/decrypt, indirect IO.
+    encrypted_garbage = skey.encrypt garbage
+    decrypted_garbage = i_crypt encrypted_garbage, skey_id, authz, :decrypt,
+                                false, true
+    assert_equal garbage, decrypted_garbage,
+                 'CPU encryption + SEC decryption/i messed up the data'  
+
+    # SEC/encrypt + CPU/decrypt, indirect IO.
+    encrypted_garbage = i_crypt garbage, skey_id, authz, :encrypt, false, true
+    decrypted_garbage = skey.decrypt encrypted_garbage
+    assert_equal garbage, decrypted_garbage,
+                 'SEC encryption/i + CPU decryption messed up the data'  
+    
+    # CPU/encrypt + SEC/decrypt, direct IO.
+    encrypted_garbage = skey.encrypt garbage
+    decrypted_garbage = i_crypt encrypted_garbage, skey_id, authz, :decrypt,
+                                true, true
+    assert_equal garbage, decrypted_garbage,
+                 'CPU encryption + SEC decryption messed up the data'  
+
+    # SEC/encrypt + CPU/decrypt, direct IO.
+    encrypted_garbage = i_crypt garbage, skey_id, authz, :encrypt, true, true
+    decrypted_garbage = skey.decrypt encrypted_garbage
+    assert_equal garbage, decrypted_garbage,
+                 'SEC encryption + CPU decryption messed up the data'  
+  end
+  
+  def test_crypto_symmetric
+    keyd = @tem.tk_gen_key :symmetric
+    skey = @tem.tk_read_key keyd[:key_id], keyd[:authz]
+    i_test_crypto_sks_ops keyd[:key_id], skey, keyd[:authz]
+
+    ekey = OpenSSL::Cipher::Cipher.new('DES-EDE-CBC').random_key
+    skey = Tem::Key.new_from_ssl_key ekey
+    skey_id = @tem.tk_post_key skey, keyd[:authz]
+    i_test_crypto_sks_ops skey_id, skey, keyd[:authz]
+  end
+end

data/test/test_crypto_engine.rb

@@ -0,0 +1,116 @@
+require 'test/tem_test_case.rb'
+
+
+class CryptoEngineTest < TemTestCase
+  def test_crypto_pks
+    garbage = (0...415).map { |i| (i * i * 217 + i * 661 + 393) % 256 } 
+    key_pair = @tem.devchip_generate_key_pair
+    pubkey = @tem.devchip_save_key key_pair[:pubkey_id]
+    
+    encrypted_garbage = @tem.devchip_encrypt garbage, key_pair[:privkey_id]
+    decrypted_garbage = pubkey.decrypt encrypted_garbage
+    assert_equal garbage, decrypted_garbage,
+                 'Onchip-encryption + offchip-decryption messed up the data.' 
+  
+    encrypted_garbage = pubkey.encrypt garbage
+    decrypted_garbage = @tem.devchip_decrypt encrypted_garbage,
+                                             key_pair[:privkey_id]  
+    assert_equal garbage, decrypted_garbage,
+                 'Offchip-encryption + onchip-decryption messed up the data.'
+    
+    key_stat = @tem.stat_keys
+    assert key_stat[:keys], 'Key stat does not contain key information.'
+    assert_equal :public, key_stat[:keys][key_pair[:pubkey_id]][:type],
+                 'Key stat reports wrong type for public key.'
+    assert_equal :private, key_stat[:keys][key_pair[:privkey_id]][:type],
+                 'Key stat reports wrong type for private key.'
+    assert_in_delta 2, 2048, key_stat[:keys][key_pair[:pubkey_id]][:bits],
+                    'Key stat reports wrong size for public key.'
+    assert_in_delta 2, 2048, key_stat[:keys][key_pair[:privkey_id]][:bits],
+                    'Key stat reports wrong size for private key.'
+    
+    [:pubkey_id, :privkey_id].each do |key|
+      @tem.devchip_release_key key_pair[key]
+    end
+  end
+  
+  def test_crypto_symmetric
+    garbage = (0...415).map { |i| (i * i * 217 + i * 661 + 393) % 256 } 
+    key_pair = @tem.devchip_generate_key_pair true
+    assert_equal(-1, key_pair[:pubkey_id],
+                 'Key generation should yield INVALID_KEY for the public key')
+    key = @tem.devchip_save_key key_pair[:privkey_id]
+    
+    encrypted_garbage = @tem.devchip_encrypt garbage, key_pair[:privkey_id]
+    decrypted_garbage = key.decrypt encrypted_garbage
+    assert_equal garbage, decrypted_garbage,
+                 'Onchip-encryption + offchip-decryption messed up the data' 
+
+    encrypted_garbage = key.encrypt garbage
+    decrypted_garbage = @tem.devchip_decrypt encrypted_garbage,
+                                             key_pair[:privkey_id]
+    assert_equal garbage, decrypted_garbage,
+                 'Offchip-encryption + onchip-decryption messed up the data.'
+
+    key_stat = @tem.stat_keys
+    assert key_stat[:keys], 'Key stat does not contain key information.'
+    assert_equal :symmetric, key_stat[:keys][key_pair[:privkey_id]][:type],
+                 'Key stat reports wrong type for symmetric key.'
+    assert_equal 128, key_stat[:keys][key_pair[:privkey_id]][:bits],
+                 'Key stat reports wrong size for symmetric key.'
+    
+    @tem.devchip_release_key key_pair[:privkey_id]
+  end
+  
+  def test_crypto_abi
+    ekey = OpenSSL::PKey::RSA.generate(2048, 65537)
+    pubk = Tem::Key.new_from_ssl_key ekey.public_key
+    privk = Tem::Key.new_from_ssl_key ekey
+    
+    skey = OpenSSL::Cipher::Cipher.new('DES-EDE-CBC').random_key
+    symk = Tem::Key.new_from_ssl_key skey
+    
+    # Array and string encryption/decryption.
+    garbage = (1...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
+    [garbage, garbage.pack('C*')].each do |g|
+      encrypted_garbage = pubk.encrypt g
+      decrypted_garbage = privk.decrypt encrypted_garbage
+      assert_equal g, decrypted_garbage,
+                   'Pub-encryption + priv-decryption messed up the data'
+      encrypted_garbage = privk.encrypt g
+      decrypted_garbage = pubk.decrypt encrypted_garbage
+      assert_equal g, decrypted_garbage,
+                   'Priv-encryption + pub-decryption messed up the data'
+
+      encrypted_garbage = symk.encrypt g[0, 560]
+      decrypted_garbage = symk.decrypt encrypted_garbage
+      assert_equal g[0, 560], decrypted_garbage,
+                   'Symmetric encryption + decryption messed up the data'
+    end
+    
+    # Test key serialization/deserialization through encryption/decryption.
+    pubk_ys = pubk.to_yaml_str
+    pubk2 = Tem::Keys::Asymmetric.new_from_yaml_str pubk_ys
+    privk_ys = privk.to_yaml_str
+    privk2 = Tem::Keys::Asymmetric.new_from_yaml_str privk_ys
+    encrypted_garbage = pubk.encrypt garbage
+    decrypted_garbage = privk2.decrypt encrypted_garbage
+    assert_equal garbage, decrypted_garbage,
+                 'YAML pub-encryption + priv-decryption messed up the data.'
+    encrypted_garbage = privk.encrypt garbage
+    decrypted_garbage = pubk2.decrypt encrypted_garbage
+    assert_equal garbage, decrypted_garbage,
+                 'YAML priv-encryption + pub-decryption messed up the data.'
+
+    symk_ys = symk.to_yaml_str
+    symk2 = Tem::Keys::Symmetric.new_from_yaml_str symk_ys
+    encrypted_garbage = symk.encrypt garbage[0, 560]
+    decrypted_garbage = symk2.decrypt encrypted_garbage
+    assert_equal garbage[0, 560], decrypted_garbage,
+                 'Symmetric encryption + YAML decryption messed up the data'
+    encrypted_garbage = symk2.encrypt garbage[0, 560]
+    decrypted_garbage = symk.decrypt encrypted_garbage
+    assert_equal garbage[0, 560], decrypted_garbage,
+                 'YAML symmetric encryption + decryption messed up the data'
+  end
+end

data/test/test_driver.rb

@@ -61,56 +61,4 @@ class DriverTest < TemTestCase
     @tem.set_tag garbage
     assert_equal garbage, @tem.get_tag, 'error in posted tag data'    
   end
-
-  def test_crypto
-    garbage = (1...415).map { |i| (i * i * 217 + i * 661 + 393) % 256 } 
-    key_pair = @tem.devchip_generate_key_pair
-    pubkey = @tem.devchip_save_key key_pair[:pubkey_id]
-    
-    encrypted_garbage = @tem.devchip_encrypt garbage, key_pair[:privkey_id]
-    decrypted_garbage = pubkey.decrypt encrypted_garbage
-    assert_equal garbage, decrypted_garbage, 'priv-encryption+pub-decryption messed up the data' 
-  
-    encrypted_garbage = pubkey.encrypt garbage
-    decrypted_garbage = @tem.devchip_decrypt encrypted_garbage, key_pair[:privkey_id]  
-    assert_equal garbage, decrypted_garbage, 'pub-encryption+priv-decryption messed up the data'
-    
-    key_stat = @tem.stat_keys
-    assert key_stat[:keys], 'key stat does not contain key information'
-    assert_equal :public, key_stat[:keys][key_pair[:pubkey_id]][:type], 'key stat reports wrong type for public key'
-    assert_equal :private, key_stat[:keys][key_pair[:privkey_id]][:type], 'key stat reports wrong type for private key'
-    assert_in_delta 2, 2048, key_stat[:keys][key_pair[:pubkey_id]][:bits], 'key stat reports wrong size for public key'
-    assert_in_delta 2, 2048, key_stat[:keys][key_pair[:privkey_id]][:bits], 'key stat reports wrong size for private key'
-    
-    [:pubkey_id, :privkey_id].each { |ki| @tem.devchip_release_key key_pair[ki] }
-  end
-  
-  def test_crypto_abi
-    ekey = OpenSSL::PKey::RSA.generate(2048, 65537)
-    pubk = Tem::Key.new_from_ssl_key ekey.public_key
-    privk = Tem::Key.new_from_ssl_key ekey
-    
-    # array and string encryption/decryption
-    garbage = (1...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
-    [garbage, garbage.pack('C*')].each do |g|
-      encrypted_garbage = pubk.encrypt g
-      decrypted_garbage = privk.decrypt encrypted_garbage
-      assert_equal g, decrypted_garbage, 'pub-encryption+priv-decryption messed up the data'
-      encrypted_garbage = privk.encrypt g
-      decrypted_garbage = pubk.decrypt encrypted_garbage
-      assert_equal g, decrypted_garbage, 'priv-encryption+pub-decryption messed up the data'
-    end
-    
-    # test key serialization/deserialization through encryption/decryption
-    pubk_ys = pubk.to_yaml_str
-    pubk2 = Tem::Keys::Asymmetric.new_from_yaml_str(pubk_ys)
-    privk_ys = privk.to_yaml_str
-    privk2 = Tem::Keys::Asymmetric.new_from_yaml_str(privk_ys)
-    encrypted_garbage = pubk.encrypt garbage
-    decrypted_garbage = privk2.decrypt encrypted_garbage
-    assert_equal garbage, decrypted_garbage, 'pub-encryption+priv-decryption messed up the data'
-    encrypted_garbage = privk.encrypt garbage
-    decrypted_garbage = pubk2.decrypt encrypted_garbage
-    assert_equal garbage, decrypted_garbage, 'priv-encryption+pub-decryption messed up the data'
-  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: tem_ruby
 version: !ruby/object:Gem::Version 
-  version: 0.13.0
+  version: 0.14.0
 platform: ruby
 authors: 
 - Victor Costan
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-11-11 00:00:00 -05:00
+date: 2009-11-12 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -149,7 +149,6 @@ files:
 - lib/tem/tem.rb
 - lib/tem/toolkit.rb
 - lib/tem_ruby.rb
-- tem_ruby.gemspec
 - test/_test_cert.rb
 - test/builders/test_abi_builder.rb
 - test/firmware/test_uploader.rb
@@ -157,8 +156,8 @@ files:
 - test/tem_unit/test_tem_alu.rb
 - test/tem_unit/test_tem_bound_secpack.rb
 - test/tem_unit/test_tem_branching.rb
-- test/tem_unit/test_tem_crypto_asymmetric.rb
 - test/tem_unit/test_tem_crypto_hash.rb
+- test/tem_unit/test_tem_crypto_keys.rb
 - test/tem_unit/test_tem_crypto_pstore.rb
 - test/tem_unit/test_tem_crypto_random.rb
 - test/tem_unit/test_tem_emit.rb
@@ -167,8 +166,10 @@ files:
 - test/tem_unit/test_tem_output.rb
 - test/tem_unit/test_tem_yaml_secpack.rb
 - test/test_auto_conf.rb
+- test/test_crypto_engine.rb
 - test/test_driver.rb
 - test/test_exceptions.rb
+- tem_ruby.gemspec
 has_rdoc: true
 homepage: http://tem.rubyforge.org
 licenses: []
@@ -203,20 +204,21 @@ signing_key:
 specification_version: 3
 summary: TEM (Trusted Execution Module) driver, written in and for ruby.
 test_files: 
-- test/test_driver.rb
-- test/firmware/test_uploader.rb
-- test/test_auto_conf.rb
 - test/builders/test_abi_builder.rb
-- test/tem_unit/test_tem_emit.rb
-- test/tem_unit/test_tem_crypto_asymmetric.rb
-- test/tem_unit/test_tem_yaml_secpack.rb
+- test/firmware/test_uploader.rb
 - test/tem_unit/test_tem_alu.rb
-- test/tem_unit/test_tem_crypto_hash.rb
 - test/tem_unit/test_tem_bound_secpack.rb
-- test/tem_unit/test_tem_memory_compare.rb
-- test/tem_unit/test_tem_output.rb
-- test/tem_unit/test_tem_crypto_random.rb
-- test/tem_unit/test_tem_memory.rb
 - test/tem_unit/test_tem_branching.rb
+- test/tem_unit/test_tem_crypto_hash.rb
+- test/tem_unit/test_tem_crypto_keys.rb
 - test/tem_unit/test_tem_crypto_pstore.rb
+- test/tem_unit/test_tem_crypto_random.rb
+- test/tem_unit/test_tem_emit.rb
+- test/tem_unit/test_tem_memory.rb
+- test/tem_unit/test_tem_memory_compare.rb
+- test/tem_unit/test_tem_output.rb
+- test/tem_unit/test_tem_yaml_secpack.rb
+- test/test_auto_conf.rb
+- test/test_crypto_engine.rb
+- test/test_driver.rb
 - test/test_exceptions.rb

data/test/tem_unit/test_tem_crypto_asymmetric.rb

@@ -1,123 +0,0 @@
-require 'test/tem_test_case.rb'
-
-class TemCryptoAsymmetricTest < TemTestCase
-  def i_crypt(data, key_id, authz, mode = :encrypt, direct_io = true, max_output = nil)
-    if max_output.nil?
-      max_output = case mode
-      when :encrypt
-        ((data.length + 239) / 240) * 256
-      when :decrypt
-        data.length
-      when :sign
-        256
-      end
-    end
-    
-    crypt_opcode = {:encrypt => :kefxb, :decrypt => :kdfxb, :sign => :ksfxb}[mode]
-    ex_sec = @tem.assemble { |s|
-      # buffer
-      s.ldwc :const => max_output
-      s.outnew
-      s.ldbc :const => key_id
-      s.authk :auth => :key_auth
-      s.send crypt_opcode, :from => :data, :size => data.length, :to => (direct_io ? 0xFFFF : :outdata) 
-      s.outvlb :from => :outdata unless direct_io
-      s.halt
-      
-      s.label :key_auth
-      s.data :tem_ubyte, authz
-      s.label :data
-      s.data :tem_ubyte, data
-      unless direct_io
-        s.label :outdata
-        s.zeros :tem_ubyte, max_output
-      end
-      s.stack 5
-    }
-    return @tem.execute(ex_sec)    
-  end
-  
-  def i_verify(data, signature, key_id, authz)
-    sign_sec = @tem.assemble { |s|
-      # buffer
-      s.ldbc :const => 1
-      s.outnew
-      s.ldbc :const => key_id
-      s.authk :auth => :key_auth
-      s.kvsfxb :from => :data, :size => data.length, :signature => :signature 
-      s.outb
-      s.halt
-      
-      s.label :key_auth
-      s.data :tem_ubyte, authz
-      s.label :data
-      s.data :tem_ubyte, data
-      s.label :signature
-      s.data :tem_ubyte, signature
-      s.stack 5
-    }
-    return @tem.execute(sign_sec)[0] == 1    
-  end
-  
-  def i_test_crypto_pki_ops(pubk_id, privk_id, pubk, privk, authz)
-    garbage = (1...569).map { |i| (i * i * 217 + i * 661 + 393) % 256 }
-
-    # SEC/priv-sign + CPU/pub-verify, direct IO
-    signed_garbage = i_crypt garbage, privk_id, authz, :sign, true
-    assert privk.verify(garbage, signed_garbage),
-           'SEC priv-signing + CPU pub-verify failed on good data'
-
-    # SEC/priv-sign + CPU/pub-verify, indirect IO
-    signed_garbage = i_crypt garbage, privk_id, authz, :sign, false
-    assert privk.verify(garbage, signed_garbage),
-           'SEC priv-signing + CPU pub-verify failed on good data'
-
-    # CPU/priv-sign + SEC/pub-verify
-    signed_garbage = privk.sign garbage 
-    assert i_verify(garbage, signed_garbage, pubk_id, authz),
-           'CPU priv-signing + SEC pub-verify failed on good data'
-
-    # CPU/priv-encrypt + SEC/pub-decrypt, indirect IO
-    encrypted_garbage = privk.encrypt garbage 
-    decrypted_garbage = i_crypt encrypted_garbage, pubk_id, authz, :decrypt,
-                                false
-    assert_equal garbage, decrypted_garbage,
-                 'SEC priv-encryption + CPU pub-decryption messed up the data'  
-
-    # SEC/pub-encrypt + CPU/priv-decrypt, indirect IO
-    encrypted_garbage = i_crypt garbage, pubk_id, authz, :encrypt, false
-    decrypted_garbage = privk.decrypt encrypted_garbage
-    assert_equal garbage, decrypted_garbage,
-                 'SEC priv-encryption + CPU pub-decryption messed up the data'  
-    
-    # CPU/pub-encrypt + SEC/priv-decrypt, direct-IO
-    encrypted_garbage = pubk.encrypt garbage 
-    decrypted_garbage = i_crypt encrypted_garbage, privk_id, authz, :decrypt,
-                                true
-    assert_equal garbage, decrypted_garbage,
-                 'CPU pub-encryption + SEC priv-decryption messed up the data' 
-
-    # SEC/priv-encrypt + CPU/pub-decrypt, direct-IO
-    encrypted_garbage = i_crypt garbage, privk_id, authz, :encrypt, true
-    decrypted_garbage = pubk.decrypt encrypted_garbage
-    assert_equal garbage, decrypted_garbage,
-                 'SEC priv-encryption + CPU pub-decryption messed up the data'    
-  end
-  
-  def test_crypto_asymmetric
-    # crypto run with an internally generated key
-    keyd = @tem.tk_gen_key :asymmetric
-    pubk = @tem.tk_read_key keyd[:pubk_id], keyd[:authz]
-    privk = @tem.tk_read_key keyd[:privk_id], keyd[:authz]
-    i_test_crypto_pki_ops keyd[:pubk_id], keyd[:privk_id], pubk, privk,
-                          keyd[:authz]
-    
-    # crypto run with an externally generated key
-    ekey = OpenSSL::PKey::RSA.generate(2048, 65537)
-    pubk = Tem::Key.new_from_ssl_key ekey.public_key
-    privk = Tem::Key.new_from_ssl_key ekey
-    pubk_id = @tem.tk_post_key pubk, keyd[:authz] 
-    privk_id = @tem.tk_post_key privk, keyd[:authz]
-    i_test_crypto_pki_ops pubk_id, privk_id, pubk, privk, keyd[:authz]
-  end  
-end