First draft for key loading

cryptography_keys_tests/test_base.py

@@ -13,8 +13,8 @@ def test_labels(self):
 
     def test_change_pin(self):
         from pkcs11_cryptography_keys import (
-            list_token_labels,
             PKCS11SlotAdminSession,
+            list_token_labels,
         )
 
         for label in list_token_labels(_pkcs11lib):
@@ -34,8 +34,8 @@ def test_change_pin(self):
 
     def test_rsa_key_creation(self):
         from pkcs11_cryptography_keys import (
-            PKCS11KeyUsageAllNoDerive,
             KeyTypes,
+            PKCS11KeyUsageAllNoDerive,
             list_token_admins,
         )
 
@@ -53,12 +53,13 @@ def test_rsa_key_creation(self):
                 assert r
 
     def test_ec_key_creation(self):
+        from cryptography.hazmat.primitives.asymmetric.ec import SECP384R1
+
         from pkcs11_cryptography_keys import (
-            PKCS11KeyUsageAll,
             KeyTypes,
+            PKCS11KeyUsageAll,
             list_token_admins,
         )
-        from cryptography.hazmat.primitives.asymmetric.ec import SECP384R1
 
         for admin in list_token_admins(_pkcs11lib, "1234", True):
             with admin as current_admin:
@@ -74,14 +75,15 @@ def test_ec_key_creation(self):
                 assert r
 
     def test_rsa_encryption_PKCS1v15(self):
+        from cryptography.hazmat.primitives.asymmetric import padding
+
         from pkcs11_cryptography_keys import (
-            list_token_labels,
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAllNoDerive,
-            KeyTypes,
+            list_token_labels,
         )
-        from cryptography.hazmat.primitives.asymmetric import padding
 
         data = b"How to encode this sentence"
         for label in list_token_labels(_pkcs11lib):
@@ -147,15 +149,16 @@ def test_rsa_encryption_PKCS1v15(self):
     #             assert r
 
     def test_rsa_encryption_OAEP(self):
+        from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.asymmetric import padding
+
         from pkcs11_cryptography_keys import (
-            list_token_labels,
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAllNoDerive,
-            KeyTypes,
+            list_token_labels,
         )
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import padding
 
         message = b"encrypted data"
         for label in list_token_labels(_pkcs11lib):
@@ -189,15 +192,16 @@ def test_rsa_encryption_OAEP(self):
                 assert r
 
     def test_rsa_sign_verify_PKCS1(self):
+        from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.asymmetric import padding
+
         from pkcs11_cryptography_keys import (
-            list_token_labels,
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAllNoDerive,
-            KeyTypes,
+            list_token_labels,
         )
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import padding
 
         data = b"How to encode this sentence"
         for label in list_token_labels(_pkcs11lib):
@@ -221,15 +225,16 @@ def test_rsa_sign_verify_PKCS1(self):
                 assert r
 
     def test_rsa_sign_verify_PSS_digest_length(self):
+        from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.asymmetric import padding
+
         from pkcs11_cryptography_keys import (
-            list_token_labels,
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAllNoDerive,
-            KeyTypes,
+            list_token_labels,
         )
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import padding
 
         message = b"A message I want to sign"
         for label in list_token_labels(_pkcs11lib):
@@ -266,15 +271,16 @@ def test_rsa_sign_verify_PSS_digest_length(self):
                 assert r
 
     def test_rsa_sign_verify_PSS_max_length(self):
+        from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.asymmetric import padding
+
         from pkcs11_cryptography_keys import (
-            list_token_labels,
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAllNoDerive,
-            KeyTypes,
+            list_token_labels,
         )
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import padding
 
         message = b"A message I want to sign"
         for label in list_token_labels(_pkcs11lib):
@@ -311,15 +317,16 @@ def test_rsa_sign_verify_PSS_max_length(self):
                 assert r
 
     def test_rsa_sign_verify_PSS_message_length(self):
+        from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.asymmetric import padding
+
         from pkcs11_cryptography_keys import (
-            list_token_labels,
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAllNoDerive,
-            KeyTypes,
+            list_token_labels,
         )
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import padding
 
         message = b"A message I want to sign"
         for label in list_token_labels(_pkcs11lib):
@@ -356,17 +363,18 @@ def test_rsa_sign_verify_PSS_message_length(self):
                 assert r
 
     def test_rsa_sign_verify_PSS_auto(self):
+        import pytest
+        from cryptography.exceptions import UnsupportedAlgorithm
+        from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.asymmetric import padding
+
         from pkcs11_cryptography_keys import (
-            list_token_labels,
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAllNoDerive,
-            KeyTypes,
+            list_token_labels,
         )
-        from cryptography.hazmat.primitives import hashes
-        from cryptography.hazmat.primitives.asymmetric import padding
-        from cryptography.exceptions import UnsupportedAlgorithm
-        import pytest
 
         message = b"A message I want to sign"
         for label in list_token_labels(_pkcs11lib):
@@ -398,20 +406,21 @@ def test_rsa_sign_verify_PSS_auto(self):
 
     # only prehashed supported for EC in softhsm2
     def test_ec_sign_verify(self):
-        from pkcs11_cryptography_keys import (
-            list_token_labels,
-            PKCS11AdminSession,
-            PKCS11KeySession,
-        )
         from cryptography.hazmat.primitives import hashes
+        from cryptography.hazmat.primitives.asymmetric import utils
         from cryptography.hazmat.primitives.asymmetric.ec import (
             ECDSA,
             SECP384R1,
         )
-        from cryptography.hazmat.primitives.asymmetric import utils
+
+        from pkcs11_cryptography_keys import (
+            PKCS11AdminSession,
+            PKCS11KeySession,
+            list_token_labels,
+        )
         from pkcs11_cryptography_keys.card_token.PKCS11_key_definition import (
-            PKCS11KeyUsageAll,
             KeyTypes,
+            PKCS11KeyUsageAll,
         )
 
         data = b"How to encode this sentence"

cryptography_keys_tests/test_certs.py

@@ -6,19 +6,21 @@ class TestCertificates:
     def test_create_cert(self):
 
         import datetime
+
         from cryptography import x509
+        from cryptography.hazmat.backends import default_backend
         from cryptography.hazmat.primitives import hashes
-        from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
         from cryptography.hazmat.primitives.asymmetric.rsa import (
             RSAPublicNumbers,
         )
-        from cryptography.hazmat.backends import default_backend
+        from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
+
         from pkcs11_cryptography_keys import (
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
-            PKCS11SlotSession,
             PKCS11KeyUsageAllNoDerive,
-            KeyTypes,
+            PKCS11SlotSession,
             list_token_labels,
         )
 

cryptography_keys_tests/test_ec_key_exchange.py

@@ -4,15 +4,15 @@
 class TestECKeyExchange:
 
     def test_ec_key_exchange(self):
-        from cryptography.hazmat.primitives.asymmetric.ec import ECDH
-        from cryptography.hazmat.primitives.asymmetric.ec import SECP384R1
+        from cryptography.hazmat.primitives.asymmetric.ec import ECDH, SECP384R1
+
         from pkcs11_cryptography_keys import (
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAll,
-            KeyTypes,
+            list_token_labels,
         )
-        from pkcs11_cryptography_keys import list_token_labels
 
         # pkcs11-tool --modul /usr/lib/softhsm/libsofthsm2.so --login -p "123456" --login-type user --keypairgen --id 1 --label "bob" --key-type EC:prime256v1
         # pkcs11-tool --modul /usr/lib/softhsm/libsofthsm2.so --login -p "123456" --login-type user --keypairgen --id 2 --label "alice" --key-type EC:prime256v1
@@ -72,20 +72,21 @@ def test_ec_key_exchange(self):
                 assert r
 
     def test_simple_exchange(self):
+        from cryptography.hazmat.primitives import hashes
         from cryptography.hazmat.primitives.asymmetric.ec import (
             ECDH,
-            generate_private_key,
             SECP384R1,
+            generate_private_key,
         )
         from cryptography.hazmat.primitives.kdf.hkdf import HKDF
-        from cryptography.hazmat.primitives import hashes
+
         from pkcs11_cryptography_keys import (
+            KeyTypes,
             PKCS11AdminSession,
             PKCS11KeySession,
             PKCS11KeyUsageAll,
-            KeyTypes,
+            list_token_labels,
         )
-        from pkcs11_cryptography_keys import list_token_labels
 
         # Generate a private key for use in the exchange.
         for label in list_token_labels(_pkcs11lib):

pkcs11_cryptography_keys/card_token/EC_key_definition.py

@@ -1,5 +1,11 @@
 import PyKCS11
 from asn1crypto.keys import ECDomainParameters, NamedCurve
+from cryptography.hazmat.primitives.serialization import (
+    Encoding,
+    NoEncryption,
+    PrivateFormat,
+    PublicFormat,
+)
 
 from pkcs11_cryptography_keys.card_token.PKCS11_key_definition import (
     KeyObjectTypes,
@@ -13,27 +19,77 @@
 
 def get_params(**kwargs) -> dict:
     params = {}
+    if "EC_curve" in kwargs and "EC_private_key" in kwargs:
+        raise Exception(
+            "Only one parameter is allowed. EC_private_key for loading or EC_curve for generating"
+        )
     params.update(kwargs)
     return params
 
 
 def prep_key(template: list, tag: KeyObjectTypes, **kwargs) -> None:
-    if "EC_curve" in kwargs:
-        curve = kwargs["EC_curve"]
-        # Setup the domain parameters, unicode conversion needed for the curve string
-        domain_params = ECDomainParameters(
-            name="named", value=NamedCurve(curve.name)
-        )
-        ec_params = domain_params.dump()
+    if "EC_curve" in kwargs or "EC_private_key" in kwargs:
         if tag in [KeyObjectTypes.private, KeyObjectTypes.public]:
             template.extend(
                 [
                     (PyKCS11.CKA_KEY_TYPE, PyKCS11.CKK_ECDSA),
                 ]
             )
-            if tag == KeyObjectTypes.public:
+            if tag == KeyObjectTypes.public and "EC_curve" in kwargs:
+                curve = kwargs["EC_curve"]
+                # Setup the domain parameters, unicode conversion needed for the curve string
+                domain_params = ECDomainParameters(
+                    name="named", value=NamedCurve(curve.name)
+                )
+                ec_params = domain_params.dump()
                 template.extend(
                     [
                         (PyKCS11.CKA_EC_PARAMS, ec_params),
                     ]
                 )
+
+
+def load_key(template: list, tag: KeyObjectTypes, **kwargs) -> bool:
+    ret = False
+    if "EC_private_key" in kwargs:
+        private = kwargs["EC_private_key"]
+        key_val = private.private_bytes(
+            Encoding.DER, PrivateFormat.PKCS8, NoEncryption()
+        )
+        point = private.public_key().public_bytes(
+            Encoding.DER, PublicFormat.UncompressedPoint
+        )
+        if tag in [KeyObjectTypes.private, KeyObjectTypes.public]:
+            domain_params = ECDomainParameters(
+                name="named", value=NamedCurve(private.curve.name)
+            )
+            ec_params = domain_params.dump()
+            template.extend(
+                [
+                    (PyKCS11.CKA_EC_PARAMS, ec_params),
+                ]
+            )
+            if tag == KeyObjectTypes.private:
+                template.extend(
+                    [
+                        (PyKCS11.CKA_VALUE, key_val),
+                    ]
+                )
+            if tag == KeyObjectTypes.public:
+                template.extend(
+                    [
+                        (PyKCS11.CKA_EC_POINT, point),
+                    ]
+                )
+    return ret
+
+
+# PRIVATE
+# CKA_EC_PARAMS Byte array DER-encoding of an ANSI X9.62
+# Parameters value
+# CKA_VALUE Big integer ANSI X9.62 private value d
+
+# PUBLIC
+# CKA_EC_PARAMS Byte array DER-encoding of an ANSI X9.62 Parameters
+# value
+# CKA_EC_POINT Byte array DER-encoding of ANSI X9.62 ECPoint value Q

pkcs11_cryptography_keys/card_token/PKCS11_key_definition.py

@@ -60,6 +60,12 @@ class OperationTypes(Enum):
 }
 
 
+def to_biginteger_bytes(value: int) -> bytes:
+    value = int(value)
+    bit_length = value.bit_length() + 7
+    return value.to_bytes(bit_length // 8, byteorder="big")
+
+
 class PKCS11KeyUsage(object):
     def __init__(
         self,