Simplified device selection of yhsm.

setup.cfg

@@ -0,0 +1,2 @@
+[nosetests]
+attr=!hsm

setup.py

@@ -33,7 +33,7 @@
 import os
 
 #Don't load custom settings when running tests
-if 'test' in sys.argv:
+if 'test' in sys.argv or 'nosetests' in sys.argv:
     os.environ['YUBIAUTH_SETTINGS'] = '/dev/null'
 
 setup(
@@ -46,7 +46,8 @@
     url='https://github.com/Yubico/yubiauth',
     license='BSD 2 clause',
     packages=['yubiauth'],
-    install_requires=['sqlalchemy', 'webob', 'passlib', 'yubico', 'pyhsm'],
+    setup_requires=['nose>=1.0'],
+    install_requires=['sqlalchemy', 'webob', 'passlib', 'yubico'],
     test_suite="nose.collector",
-    tests_require=['Nose', 'WebTest'],
+    tests_require=['WebTest', 'pyhsm'],
 )

tests/test_yhsm.py

@@ -0,0 +1,46 @@
+from passlib.context import CryptContext
+from passlib.registry import register_crypt_handler_path
+
+register_crypt_handler_path('yhsm_pbkdf2_sha1', 'yubiauth.yhsm')
+register_crypt_handler_path('yhsm_pbkdf2_sha256', 'yubiauth.yhsm')
+register_crypt_handler_path('yhsm_pbkdf2_sha512', 'yubiauth.yhsm')
+
+from nose.plugins.attrib import attr
+
+PASSWORDS = [
+    'foobar',
+    '',
+    '1234567890',
+    '!"#%&/()=?',
+    chr(150) + chr(200) + chr(255)
+]
+
+context = CryptContext(
+    schemes=['yhsm_pbkdf2_sha1', 'yhsm_pbkdf2_sha256', 'yhsm_pbkdf2_sha512'],
+    default='yhsm_pbkdf2_sha1',
+    all__key_handle=1,
+    all__rounds=10
+)
+
+
+def _algorithm_test(scheme):
+    for pwd in PASSWORDS:
+        res = context.encrypt(pwd, scheme=scheme)
+        assert context.identify(res) == scheme
+        assert context.verify(pwd, res)
+        assert res != context.encrypt(pwd, scheme=scheme)
+
+
+@attr(hsm=True)
+def test_yhsm_pbkdf2_sha1():
+    _algorithm_test('yhsm_pbkdf2_sha1')
+
+
+@attr(hsm=True)
+def test_yhsm_pbkdf2_sha256():
+    _algorithm_test('yhsm_pbkdf2_sha256')
+
+
+@attr(hsm=True)
+def test_yhsm_pbkdf2_sha512():
+    _algorithm_test('yhsm_pbkdf2_sha512')

yubiauth/config.py

@@ -45,7 +45,7 @@
 VALUES = {
     'DATABASE_CONFIGURATION': 'db',
     'YKVAL_SERVERS': 'ykval',
-    'YHSM_DEVICES': 'yhsm_devices',
+    'YHSM_DEVICE': 'yhsm_device',
     'CRYPT_CONTEXT': 'crypt_context',
 }
 
@@ -70,5 +70,5 @@ def parse(conf, settings={}):
 
 #TODO: Parse dbconfig-common generated database configuration
 
-if isinstance(settings['yhsm_devices'], basestring):
-    settings['yhsm_devices'] = {'main': settings['yhsm_devices']}
+if not 'YHSM_DEVICE' in os.environ and 'yhsm_device' in settings:
+    os.environ['YHSM_DEVICE'] = settings['yhsm_device']

yubiauth/default_settings.py

@@ -16,7 +16,6 @@
     #'default': 'yhsm_pbkdf2_sha1',
     'schemes': ['sha512_crypt', 'sha256_crypt'],
     'default': 'sha256_crypt',
-    'yhsm_pbkdf2_sha1__hsm': 'main',
     'yhsm_pbkdf2_sha1__key_handle': 1,
     'all__vary_rounds': 0.1,
     'sha512_crypt__min_rounds': 60000,
@@ -25,5 +24,6 @@
     'admin__sha256_crypt__min_rounds': 160000
 }
 
-#YubiHSM, only needed if you have a YubiHSM
-YHSM_DEVICES = {'main': '/dev/ttyACM0'}
+#YubiHSM, only needed if you have a YubiHSM.
+#Setting the 'YHSM_DEVICE' environment variable will override this.
+YHSM_DEVICE = '/dev/ttyACM0'

yubiauth/yhsm.py

@@ -33,27 +33,23 @@
     'yhsm_pbkdf2_sha512'
 ]
 
+import os
 from passlib.utils import (to_hash_str, to_unicode, adapted_b64_decode,
                            adapted_b64_encode)
 from passlib.hash import pbkdf2_sha1, pbkdf2_sha256, pbkdf2_sha512
 
 from pyhsm.base import YHSM
 from pyhsm.util import key_handle_to_int
 
-from config import settings
-
 _UDOLLAR = u'$'
-_UHSM = u'hsm='
 _UKH = u'kh='
-_UDEFAULT_HSM = u'main'
 _UDEFAULT_KH = u'1'
-_UDEFAULT_DEVICE = u'/dev/ttyACM0'
+
+DEFAULT_DEVICE = '/dev/ttyACM0'
 
 
-def _yhsm__init__(base, self, hsm=_UDEFAULT_HSM,
-                  key_handle=_UDEFAULT_KH, **kwds):
+def _yhsm__init__(base, self, key_handle=_UDEFAULT_KH, **kwds):
     super(base, self).__init__(**kwds)
-    self.hsm = hsm
     self.key_handle = key_handle
 
 
@@ -67,12 +63,6 @@ def _yhsmfrom_string(base, cls, hash):
 
     hash = hash[len(cls.ident):]
 
-    if hash.startswith(_UHSM):
-        part, hash = hash.split(_UDOLLAR, 1)
-        hsm = part[len(_UHSM):]
-    else:
-        hsm = _UDEFAULT_HSM
-
     if hash.startswith(_UKH):
         part, hash = hash.split(_UDOLLAR, 1)
         key_handle = part[len(_UKH):]
@@ -88,7 +78,6 @@ def _yhsmfrom_string(base, cls, hash):
             params[kwd] = inner.__getattribute__(kwd)
         except AttributeError:
             pass
-    params['hsm'] = hsm
     params['key_handle'] = key_handle
     params['checksum'] = adapted_b64_decode(chk.encode('ascii'))
 
@@ -98,12 +87,7 @@ def _yhsmfrom_string(base, cls, hash):
 def _yhsmto_string(base, self):
     hash = self.ident
 
-    if self.hsm != _UDEFAULT_HSM:
-        hash += "%s%s$" % (_UHSM, self.hsm)
-
     inner_str = super(base, self).to_string()
-    print inner_str
-
     inner_str = inner_str[len(self.ident):].rsplit('$', 1)[0]
 
     chk = adapted_b64_encode(self.checksum).decode('ascii')
@@ -120,7 +104,12 @@ def _yhsmto_string(base, self):
 
 def _yhsmcalc_checksum(base, self, secret):
     base_chk = super(base, self).calc_checksum(secret)
-    hsm = YHSM(device=settings['yhsm_devices'][self.hsm])
+
+    device = DEFAULT_DEVICE
+    if 'YHSM_DEVICE' in os.environ:
+        device = os.environ['YHSM_DEVICE']
+
+    hsm = YHSM(device=device)
     result = hsm.hmac_sha1(key_handle_to_int(self.key_handle), base_chk)
 
     return result.result.hash_result
@@ -132,7 +121,7 @@ def _make_yhsm_handler(base, base_name):
     return type(name, (base,), dict(
         name=name,
         ident=ident,
-        setting_kwds=('hsm', 'key_handle') + base.setting_kwds,
+        setting_kwds=('key_handle',) + base.setting_kwds,
         checksum_size=20,
         __init__=lambda *args, **kwargs: _yhsm__init__(base, *args, **kwargs),
         from_string=classmethod(lambda *args, **kwargs: _yhsmfrom_string(