diff --git a/python/README.md b/python/README.md new file mode 100644 index 0000000..6851032 --- /dev/null +++ b/python/README.md @@ -0,0 +1,78 @@ +# Overview + +1. Install the following two python packages: `asn1` and `grpcio-tools` + +``` +$ pip3 install asn1 grpcio-tools +``` + +2. Update the following information in the [examples/server.py](examples/server.py#L14) file. + + *NOTE: This information can obtained by logging in to your IBM Cloud account and viewing your Hyper Protect Crypto Serverices (HPCS) instance and IAM information. See the [GREP11 API documentation](https://cloud.ibm.com/docs/services/hs-crypto?topic=hs-crypto-grep11-api-ref) for more information about GREP11*. + + ```Python + # The following IBM Cloud items need to be changed prior to running the sample program + address = ":" + + credentials = { + 'APIKey': "", + 'Endpoint': "", + 'Instance': "" + } + ``` +3. Go to `ibm-cloud-hyperprotectcrypto/python/examples` + +4. Execute the following command to generate python bindings to access a grep11 server. + +``` +$ python3 -m grpc_tools.protoc ../grpc/common/protos/*.proto \ + ../grpc/generated/protos/*.proto \ + ../grpc/vendor/github.com/gogo/protobuf/gogoproto/*.proto \ + ../grpc/vendor/github.com/gogo/googleapis/google/api/*.proto \ + -I../grpc/common/protos -I../grpc/generated/protos \ + -I../grpc/vendor/github.com/gogo/protobuf/gogoproto \ + -I../grpc/vendor/github.com/gogo/googleapis \ + --python_out=. --grpc_python_out=. +``` + +5. Execute the examples by issuing the command: `python3 -m unittest -b -v` +6. The sample program produces output similar to the following: + +``` +$ python3 -m unittest -b -v +test_0_getMechanismInfo (test_server.ServerTestCase) ... ok +test_1_encryptAndDecrypt (test_server.ServerTestCase) ... ok +test_2_digest (test_server.ServerTestCase) ... ok +test_3_signAndVerifyUsingRSAKeyPair (test_server.ServerTestCase) ... ok +test_4_signAndVerifyUsingECDSAKeyPair (test_server.ServerTestCase) ... ok +test_5_signAndVerifyToTestErrorHandling (test_server.ServerTestCase) ... expected failure +test_6_wrapAndUnwrapKey (test_server.ServerTestCase) ... ok +test_7_deriveKey (test_server.ServerTestCase) ... ok + +---------------------------------------------------------------------- +Ran 8 tests in 14.944s + +OK (expected failures=1) +``` + +## General Function Call Workflow + +GREP11 can perform encrypt, decrypt, digest, sign and verify operations. For each operation, there are a series of sub-operations or functions. + +For example, the *Encrypt* operation consists of *EncryptInit()*, *Encrypt()*, *EncryptUpdate()*, *EncryptFinal()* and *EncryptSingle()* sub-operations. + +#### GREP11 sub-operations for Encrypt: + +- *Encrypt***Init()** is used to initialize an operation + +- *Encrypt()* is used to encrypt data without the need to perform *EncryptUpdate()* or *EncryptFinal()* sub-operations. *EncryptInit()* must be run prior to the *Encrypt()* call + +- *Encrypt***Update()** is used to perform update operations as part of a multi-part operation + +- *Encrypt***Final()** is used to perform final operations as part of a multi-part operation + +- *Encrypt***Single()** is an IBM EP11 extension to the standard PKCS#11 specification and used to perform a single call without the need to use the **Init**, **Update**, and **Final** sub-operations + +The following diagram shows the three calling sequence flows that can be used for *Encrypt*, *Decrypt*, *Digest*, *Sign* and *Verify* operations: + +![function work flow](../golang/func_workflow.svg) \ No newline at end of file diff --git a/python/ep11/grep11consts.py b/python/ep11/grep11consts.py new file mode 100644 index 0000000..e8244cc --- /dev/null +++ b/python/ep11/grep11consts.py @@ -0,0 +1,873 @@ +# Code generated by constgen. DO NOT EDIT. + +# Copyright IBM Corp. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 + +XCP_ADM_ADMIN_LOGIN = 0x00000001 +XCP_ADM_DOM_ADMIN_LOGIN = 0x00000002 +XCP_ADM_ADMIN_LOGOUT = 0x00000003 +XCP_ADM_DOM_ADMIN_LOGOUT = 0x00000004 +XCP_ADM_ADMIN_REPLACE = 0x00000005 +XCP_ADM_DOM_ADMIN_REPLACE = 0x00000006 +XCP_ADM_SET_ATTR = 0x00000007 +XCP_ADM_DOM_SET_ATTR = 0x00000008 +XCP_ADM_GEN_DOM_IMPORTER = 0x00000009 +XCP_ADM_GEN_WK = 0x0000000a +XCP_ADM_EXPORT_WK = 0x0000000b +XCP_ADM_IMPORT_WK = 0x0000000c +XCP_ADM_COMMIT_WK = 0x0000000d +XCP_ADM_FINALIZE_WK = 0x0000000e +XCP_ADM_ZEROIZE = 0x0000000f +XCP_ADM_DOM_ZEROIZE = 0x00000010 +XCP_ADM_DOM_CTRLPOINT_SET = 0x00000011 +XCP_ADM_DOM_CTRLPOINT_ADD = 0x00000012 +XCP_ADM_DOM_CTRLPOINT_DEL = 0x00000013 +XCP_ADM_SET_CLOCK = 0x00000014 +XCP_ADM_SET_FCV = 0x00000015 +XCP_ADM_CTRLPOINT_SET = 0x00000016 +XCP_ADM_CTRLPOINT_ADD = 0x00000017 +XCP_ADM_CTRLPOINT_DEL = 0x00000018 +XCP_ADM_REENCRYPT = 0x00000019 +XCP_ADM_RK_REMOVE = 0x0000001a +XCP_ADM_CLEAR_WK = 0x0000001b +XCP_ADM_CLEAR_NEXT_WK = 0x0000001c +XCP_ADM_SYSTEM_ZEROIZE = 0x0000001d +XCP_ADM_EXPORT_STATE = 0x0000001e +XCP_ADM_IMPORT_STATE = 0x0000001f +XCP_ADM_COMMIT_STATE = 0x00000020 +XCP_ADM_REMOVE_STATE = 0x00000021 +XCP_ADM_GEN_MODULE_IMPORTER = 0x00000022 +XCP_ADM_SET_TRUSTED = 0x00000023 +XCP_ADM_DOMAINS_ZEROIZE = 0x00000024 +XCP_ADMQ_ADMIN = 0x00010001 +XCP_ADMQ_DOMADMIN = 0x00010002 +XCP_ADMQ_DEVICE_CERT = 0x00010003 +XCP_ADMQ_DOM_IMPORTER_CERT = 0x00010004 +XCP_ADMQ_CTRLPOINTS = 0x00010005 +XCP_ADMQ_DOM_CTRLPOINTS = 0x00010006 +XCP_ADMQ_WK = 0x00010007 +XCP_ADMQ_NEXT_WK = 0x00010008 +XCP_ADMQ_ATTRS = 0x00010009 +XCP_ADMQ_DOM_ATTRS = 0x0001000a +XCP_ADMQ_FCV = 0x0001000b +XCP_ADMQ_WK_ORIGINS = 0x0001000c +XCP_ADMQ_RKLIST = 0x0001000d +XCP_ADMQ_INTERNAL_STATE = 0x0001000e +XCP_ADMQ_IMPORTER_CERT = 0x0001000f +XCP_ADMQ_AUDIT_STATE = 0x00010010 + + +CKA_CLASS = 0x00000000 +CKA_TOKEN = 0x00000001 +CKA_PRIVATE = 0x00000002 +CKA_LABEL = 0x00000003 +CKA_APPLICATION = 0x00000010 +CKA_VALUE = 0x00000011 +CKA_OBJECT_ID = 0x00000012 +CKA_CERTIFICATE_TYPE = 0x00000080 +CKA_ISSUER = 0x00000081 +CKA_SERIAL_NUMBER = 0x00000082 +CKA_AC_ISSUER = 0x00000083 +CKA_OWNER = 0x00000084 +CKA_ATTR_TYPES = 0x00000085 +CKA_TRUSTED = 0x00000086 +CKA_CERTIFICATE_CATEGORY = 0x00000087 +CKA_JAVA_MIDP_SECURITY_DOMAIN = 0x00000088 +CKA_URL = 0x00000089 +CKA_HASH_OF_SUBJECT_PUBLIC_KEY = 0x0000008a +CKA_HASH_OF_ISSUER_PUBLIC_KEY = 0x0000008b +CKA_NAME_HASH_ALGORITHM = 0x0000008c +CKA_CHECK_VALUE = 0x00000090 +CKA_KEY_TYPE = 0x00000100 +CKA_SUBJECT = 0x00000101 +CKA_ID = 0x00000102 +CKA_SENSITIVE = 0x00000103 +CKA_ENCRYPT = 0x00000104 +CKA_DECRYPT = 0x00000105 +CKA_WRAP = 0x00000106 +CKA_UNWRAP = 0x00000107 +CKA_SIGN = 0x00000108 +CKA_SIGN_RECOVER = 0x00000109 +CKA_VERIFY = 0x0000010a +CKA_VERIFY_RECOVER = 0x0000010b +CKA_DERIVE = 0x0000010c +CKA_START_DATE = 0x00000110 +CKA_END_DATE = 0x00000111 +CKA_MODULUS = 0x00000120 +CKA_MODULUS_BITS = 0x00000121 +CKA_PUBLIC_EXPONENT = 0x00000122 +CKA_PRIVATE_EXPONENT = 0x00000123 +CKA_PRIME_1 = 0x00000124 +CKA_PRIME_2 = 0x00000125 +CKA_EXPONENT_1 = 0x00000126 +CKA_EXPONENT_2 = 0x00000127 +CKA_COEFFICIENT = 0x00000128 +CKA_PUBLIC_KEY_INFO = 0x00000129 +CKA_PRIME = 0x00000130 +CKA_SUBPRIME = 0x00000131 +CKA_BASE = 0x00000132 +CKA_PRIME_BITS = 0x00000133 +CKA_SUBPRIME_BITS = 0x00000134 +CKA_SUB_PRIME_BITS = 0x00000134 +CKA_VALUE_BITS = 0x00000160 +CKA_VALUE_LEN = 0x00000161 +CKA_EXTRACTABLE = 0x00000162 +CKA_LOCAL = 0x00000163 +CKA_NEVER_EXTRACTABLE = 0x00000164 +CKA_ALWAYS_SENSITIVE = 0x00000165 +CKA_KEY_GEN_MECHANISM = 0x00000166 +CKA_MODIFIABLE = 0x00000170 +CKA_COPYABLE = 0x00000171 +CKA_DESTROYABLE = 0x00000172 +CKA_ECDSA_PARAMS = 0x00000180 +CKA_EC_PARAMS = 0x00000180 +CKA_EC_POINT = 0x00000181 +CKA_SECONDARY_AUTH = 0x00000200 +CKA_AUTH_PIN_FLAGS = 0x00000201 +CKA_ALWAYS_AUTHENTICATE = 0x00000202 +CKA_WRAP_WITH_TRUSTED = 0x00000210 +CKA_OTP_FORMAT = 0x00000220 +CKA_OTP_LENGTH = 0x00000221 +CKA_OTP_TIME_INTERVAL = 0x00000222 +CKA_OTP_USER_FRIENDLY_MODE = 0x00000223 +CKA_OTP_CHALLENGE_REQUIREMENT = 0x00000224 +CKA_OTP_TIME_REQUIREMENT = 0x00000225 +CKA_OTP_COUNTER_REQUIREMENT = 0x00000226 +CKA_OTP_PIN_REQUIREMENT = 0x00000227 +CKA_OTP_USER_IDENTIFIER = 0x0000022a +CKA_OTP_SERVICE_IDENTIFIER = 0x0000022b +CKA_OTP_SERVICE_LOGO = 0x0000022c +CKA_OTP_SERVICE_LOGO_TYPE = 0x0000022d +CKA_OTP_COUNTER = 0x0000022e +CKA_OTP_TIME = 0x0000022f +CKA_GOSTR3410_PARAMS = 0x00000250 +CKA_GOSTR3411_PARAMS = 0x00000251 +CKA_GOST28147_PARAMS = 0x00000252 +CKA_HW_FEATURE_TYPE = 0x00000300 +CKA_RESET_ON_INIT = 0x00000301 +CKA_HAS_RESET = 0x00000302 +CKA_PIXEL_X = 0x00000400 +CKA_PIXEL_Y = 0x00000401 +CKA_RESOLUTION = 0x00000402 +CKA_CHAR_ROWS = 0x00000403 +CKA_CHAR_COLUMNS = 0x00000404 +CKA_COLOR = 0x00000405 +CKA_BITS_PER_PIXEL = 0x00000406 +CKA_CHAR_SETS = 0x00000480 +CKA_ENCODING_METHODS = 0x00000481 +CKA_MIME_TYPES = 0x00000482 +CKA_MECHANISM_TYPE = 0x00000500 +CKA_REQUIRED_CMS_ATTRIBUTES = 0x00000501 +CKA_DEFAULT_CMS_ATTRIBUTES = 0x00000502 +CKA_SUPPORTED_CMS_ATTRIBUTES = 0x00000503 +CKA_WRAP_TEMPLATE = 0x40000211 +CKA_UNWRAP_TEMPLATE = 0x40000212 +CKA_ALLOWED_MECHANISMS = 0x40000600 +CKA_VENDOR_DEFINED = 0x80000000 +CKA_IBM_RESTRICTABLE = CKA_VENDOR_DEFINED+0x10001 +CKA_IBM_NEVER_MODIFIABLE = CKA_VENDOR_DEFINED+0x10002 +CKA_IBM_RETAINKEY = CKA_VENDOR_DEFINED+0x10003 +CKA_IBM_ATTRBOUND = CKA_VENDOR_DEFINED+0x10004 +CKA_IBM_KEYTYPE = CKA_VENDOR_DEFINED+0x10005 +CKA_IBM_CV = CKA_VENDOR_DEFINED+0x10006 +CKA_IBM_MACKEY = CKA_VENDOR_DEFINED+0x10007 +CKA_IBM_USE_AS_DATA = CKA_VENDOR_DEFINED+0x10008 +CKA_IBM_STRUCT_PARAMS = CKA_VENDOR_DEFINED+0x10009 +CKA_IBM_STD_COMPLIANCE1 = CKA_VENDOR_DEFINED+0x1000a +CKA_IBM_PROTKEY_EXTRACTABLE = CKA_VENDOR_DEFINED+0x1000c +CKA_IBM_PROTKEY_NEVER_EXTRACTABLE = CKA_VENDOR_DEFINED+0x1000d +CKA_IBM_WIRETEST = CKA_VENDOR_DEFINED+0x20001 +CKA_VENDOR_DEFINED_GREP11 = CKA_VENDOR_DEFINED+0x40000 +CKA_GREP11_RAW_KEYBLOB = CKA_VENDOR_DEFINED_GREP11+0x1 + + +XCP_ADMP_WK_IMPORT = 0x00000001 +XCP_ADMP_WK_EXPORT = 0x00000002 +XCP_ADMP_WK_1PART = 0x00000004 +XCP_ADMP_WK_RANDOM = 0x00000008 +XCP_ADMP_1SIGN = 0x00000010 +XCP_ADMP_CP_1SIGN = 0x00000020 +XCP_ADMP_ZERO_1SIGN = 0x00000040 +XCP_ADMP_NO_DOMAIN_IMPRINT = 0x00000080 +XCP_ADMP_STATE_IMPORT = 0x00000100 +XCP_ADMP_STATE_EXPORT = 0x00000200 +XCP_ADMP_STATE_1PART = 0x00000400 +XCP_ADMP_CHG_WK_IMPORT = 0x00010000 +XCP_ADMP_CHG_WK_EXPORT = 0x00020000 +XCP_ADMP_CHG_WK_1PART = 0x00040000 +XCP_ADMP_CHG_WK_RANDOM = 0x00080000 +XCP_ADMP_CHG_SIGN_THR = 0x00100000 +XCP_ADMP_CHG_REVOKE_THR = 0x00200000 +XCP_ADMP_CHG_1SIGN = 0x00400000 +XCP_ADMP_CHG_CP_1SIGN = 0x00800000 +XCP_ADMP_CHG_ZERO_1SIGN = 0x01000000 +XCP_ADMP_CHG_ST_IMPORT = 0x02000000 +XCP_ADMP_CHG_ST_EXPORT = 0x04000000 +XCP_ADMP_CHG_ST_1PART = 0x08000000 +XCP_ADMP__CHGBITS = 0x0fff0000 +XCP_ADMP__DEFAULT = 0x0fff0011 + + +XCP_ADMINT_SIGN_THR = 0x00000001 +XCP_ADMINT_REVOKE_THR = 0x00000002 +XCP_ADMINT_PERMS = 0x00000003 +XCP_ADMINT_MODE = 0x00000004 +XCP_ADMINT_STD = 0x00000005 + + +FNID_Login = 0x00000001 +FNID_Logout = 0x00000002 +FNID_SeedRandom = 0x00000003 +FNID_GenerateRandom = 0x00000004 +FNID_DigestInit = 0x00000005 +FNID_DigestUpdate = 0x00000006 +FNID_DigestKey = 0x00000007 +FNID_DigestFinal = 0x00000008 +FNID_Digest = 0x00000009 +FNID_DigestSingle = 0x0000000a +FNID_EncryptInit = 0x0000000b +FNID_DecryptInit = 0x0000000c +FNID_EncryptUpdate = 0x0000000d +FNID_DecryptUpdate = 0x0000000e +FNID_EncryptFinal = 0x0000000f +FNID_DecryptFinal = 0x00000010 +FNID_Encrypt = 0x00000011 +FNID_Decrypt = 0x00000012 +FNID_EncryptSingle = 0x00000013 +FNID_DecryptSingle = 0x00000014 +FNID_GenerateKey = 0x00000015 +FNID_GenerateKeyPair = 0x00000016 +FNID_SignInit = 0x00000017 +FNID_SignUpdate = 0x00000018 +FNID_SignFinal = 0x00000019 +FNID_Sign = 0x0000001a +FNID_VerifyInit = 0x0000001b +FNID_VerifyUpdate = 0x0000001c +FNID_VerifyFinal = 0x0000001d +FNID_Verify = 0x0000001e +FNID_SignSingle = 0x0000001f +FNID_VerifySingle = 0x00000020 +FNID_WrapKey = 0x00000021 +FNID_UnwrapKey = 0x00000022 +FNID_DeriveKey = 0x00000023 +FNID_GetMechanismList = 0x00000024 +FNID_GetMechanismInfo = 0x00000025 +FNID_get_xcp_info = 0x00000026 +FNID_GetAttributeValue = 0x00000027 +FNID_SetAttributeValue = 0x00000028 +FNID_admin = 0x00000029 +FNID_ReencryptSingle = 0x0000002a +FNID_NEXT_AVAILABLE = 0x0000002b + + +XCP_IMPRKEY_RSA_2048 = 0x00000000 +XCP_IMPRKEY_RSA_4096 = 0x00000001 +XCP_IMPRKEY_EC_P256 = 0x00000002 +XCP_IMPRKEY_EC_P521 = 0x00000003 +XCP_IMPRKEY_RSA_3072 = 0x00000007 + + +CKK_RSA = 0x00000000 +CKK_DSA = 0x00000001 +CKK_DH = 0x00000002 +CKK_EC = 0x00000003 +CKK_ECDSA = 0x00000003 +CKK_X9_42_DH = 0x00000004 +CKK_KEA = 0x00000005 +CKK_GENERIC_SECRET = 0x00000010 +CKK_RC2 = 0x00000011 +CKK_RC4 = 0x00000012 +CKK_DES = 0x00000013 +CKK_DES2 = 0x00000014 +CKK_DES3 = 0x00000015 +CKK_CAST = 0x00000016 +CKK_CAST3 = 0x00000017 +CKK_CAST128 = 0x00000018 +CKK_CAST5 = 0x00000018 +CKK_RC5 = 0x00000019 +CKK_IDEA = 0x0000001a +CKK_SKIPJACK = 0x0000001b +CKK_BATON = 0x0000001c +CKK_JUNIPER = 0x0000001d +CKK_CDMF = 0x0000001e +CKK_AES = 0x0000001f +CKK_BLOWFISH = 0x00000020 +CKK_TWOFISH = 0x00000021 +CKK_SECURID = 0x00000022 +CKK_HOTP = 0x00000023 +CKK_ACTI = 0x00000024 +CKK_CAMELLIA = 0x00000025 +CKK_ARIA = 0x00000026 +CKK_SHA512_224_HMAC = 0x00000027 +CKK_SHA512_256_HMAC = 0x00000028 +CKK_SHA512_T_HMAC = 0x00000029 +CKK_SHA_1_HMAC = 0x00000040 +CKK_SHA224_HMAC = 0x00000041 +CKK_SHA256_HMAC = 0x00000042 +CKK_SHA384_HMAC = 0x00000043 +CKK_SHA512_HMAC = 0x00000044 +CKK_SEED = 0x00000050 +CKK_GOSTR3410 = 0x00000060 +CKK_GOSTR3411 = 0x00000061 +CKK_GOST28147 = 0x00000062 +CKK_VENDOR_DEFINED = 0x80000000 + + +CKM_RSA_PKCS_KEY_PAIR_GEN = 0x00000000 +CKM_RSA_PKCS = 0x00000001 +CKM_RSA_9796 = 0x00000002 +CKM_RSA_X_509 = 0x00000003 +CKM_MD2_RSA_PKCS = 0x00000004 +CKM_MD5_RSA_PKCS = 0x00000005 +CKM_SHA1_RSA_PKCS = 0x00000006 +CKM_RIPEMD128_RSA_PKCS = 0x00000007 +CKM_RIPEMD160_RSA_PKCS = 0x00000008 +CKM_RSA_PKCS_OAEP = 0x00000009 +CKM_RSA_X9_31_KEY_PAIR_GEN = 0x0000000a +CKM_RSA_X9_31 = 0x0000000b +CKM_SHA1_RSA_X9_31 = 0x0000000c +CKM_RSA_PKCS_PSS = 0x0000000d +CKM_SHA1_RSA_PKCS_PSS = 0x0000000e +CKM_DSA_KEY_PAIR_GEN = 0x00000010 +CKM_DSA = 0x00000011 +CKM_DSA_SHA1 = 0x00000012 +CKM_DSA_FIPS_G_GEN = 0x00000013 +CKM_DSA_SHA224 = 0x00000014 +CKM_DSA_SHA256 = 0x00000015 +CKM_DSA_SHA384 = 0x00000016 +CKM_DSA_SHA512 = 0x00000017 +CKM_DH_PKCS_KEY_PAIR_GEN = 0x00000020 +CKM_DH_PKCS_DERIVE = 0x00000021 +CKM_X9_42_DH_KEY_PAIR_GEN = 0x00000030 +CKM_X9_42_DH_DERIVE = 0x00000031 +CKM_X9_42_DH_HYBRID_DERIVE = 0x00000032 +CKM_X9_42_MQV_DERIVE = 0x00000033 +CKM_SHA256_RSA_PKCS = 0x00000040 +CKM_SHA384_RSA_PKCS = 0x00000041 +CKM_SHA512_RSA_PKCS = 0x00000042 +CKM_SHA256_RSA_PKCS_PSS = 0x00000043 +CKM_SHA384_RSA_PKCS_PSS = 0x00000044 +CKM_SHA512_RSA_PKCS_PSS = 0x00000045 +CKM_SHA224_RSA_PKCS = 0x00000046 +CKM_SHA224_RSA_PKCS_PSS = 0x00000047 +CKM_SHA512_224 = 0x00000048 +CKM_SHA512_224_HMAC = 0x00000049 +CKM_SHA512_224_HMAC_GENERAL = 0x0000004a +CKM_SHA512_224_KEY_DERIVATION = 0x0000004b +CKM_SHA512_256 = 0x0000004c +CKM_SHA512_256_HMAC = 0x0000004d +CKM_SHA512_256_HMAC_GENERAL = 0x0000004e +CKM_SHA512_256_KEY_DERIVATION = 0x0000004f +CKM_SHA512_T = 0x00000050 +CKM_SHA512_T_HMAC = 0x00000051 +CKM_SHA512_T_HMAC_GENERAL = 0x00000052 +CKM_SHA512_T_KEY_DERIVATION = 0x00000053 +CKM_RC2_KEY_GEN = 0x00000100 +CKM_RC2_ECB = 0x00000101 +CKM_RC2_CBC = 0x00000102 +CKM_RC2_MAC = 0x00000103 +CKM_RC2_MAC_GENERAL = 0x00000104 +CKM_RC2_CBC_PAD = 0x00000105 +CKM_RC4_KEY_GEN = 0x00000110 +CKM_RC4 = 0x00000111 +CKM_DES_KEY_GEN = 0x00000120 +CKM_DES_ECB = 0x00000121 +CKM_DES_CBC = 0x00000122 +CKM_DES_MAC = 0x00000123 +CKM_DES_MAC_GENERAL = 0x00000124 +CKM_DES_CBC_PAD = 0x00000125 +CKM_DES2_KEY_GEN = 0x00000130 +CKM_DES3_KEY_GEN = 0x00000131 +CKM_DES3_ECB = 0x00000132 +CKM_DES3_CBC = 0x00000133 +CKM_DES3_MAC = 0x00000134 +CKM_DES3_MAC_GENERAL = 0x00000135 +CKM_DES3_CBC_PAD = 0x00000136 +CKM_DES3_CMAC_GENERAL = 0x00000137 +CKM_DES3_CMAC = 0x00000138 +CKM_CDMF_KEY_GEN = 0x00000140 +CKM_CDMF_ECB = 0x00000141 +CKM_CDMF_CBC = 0x00000142 +CKM_CDMF_MAC = 0x00000143 +CKM_CDMF_MAC_GENERAL = 0x00000144 +CKM_CDMF_CBC_PAD = 0x00000145 +CKM_DES_OFB64 = 0x00000150 +CKM_DES_OFB8 = 0x00000151 +CKM_DES_CFB64 = 0x00000152 +CKM_DES_CFB8 = 0x00000153 +CKM_MD2 = 0x00000200 +CKM_MD2_HMAC = 0x00000201 +CKM_MD2_HMAC_GENERAL = 0x00000202 +CKM_MD5 = 0x00000210 +CKM_MD5_HMAC = 0x00000211 +CKM_MD5_HMAC_GENERAL = 0x00000212 +CKM_SHA_1 = 0x00000220 +CKM_SHA_1_HMAC = 0x00000221 +CKM_SHA_1_HMAC_GENERAL = 0x00000222 +CKM_RIPEMD128 = 0x00000230 +CKM_RIPEMD128_HMAC = 0x00000231 +CKM_RIPEMD128_HMAC_GENERAL = 0x00000232 +CKM_RIPEMD160 = 0x00000240 +CKM_RIPEMD160_HMAC = 0x00000241 +CKM_RIPEMD160_HMAC_GENERAL = 0x00000242 +CKM_SHA256 = 0x00000250 +CKM_SHA256_HMAC = 0x00000251 +CKM_SHA256_HMAC_GENERAL = 0x00000252 +CKM_SHA224 = 0x00000255 +CKM_SHA224_HMAC = 0x00000256 +CKM_SHA224_HMAC_GENERAL = 0x00000257 +CKM_SHA384 = 0x00000260 +CKM_SHA384_HMAC = 0x00000261 +CKM_SHA384_HMAC_GENERAL = 0x00000262 +CKM_SHA512 = 0x00000270 +CKM_SHA512_HMAC = 0x00000271 +CKM_SHA512_HMAC_GENERAL = 0x00000272 +CKM_SECURID_KEY_GEN = 0x00000280 +CKM_SECURID = 0x00000282 +CKM_HOTP_KEY_GEN = 0x00000290 +CKM_HOTP = 0x00000291 +CKM_ACTI = 0x000002a0 +CKM_ACTI_KEY_GEN = 0x000002a1 +CKM_CAST_KEY_GEN = 0x00000300 +CKM_CAST_ECB = 0x00000301 +CKM_CAST_CBC = 0x00000302 +CKM_CAST_MAC = 0x00000303 +CKM_CAST_MAC_GENERAL = 0x00000304 +CKM_CAST_CBC_PAD = 0x00000305 +CKM_CAST3_KEY_GEN = 0x00000310 +CKM_CAST3_ECB = 0x00000311 +CKM_CAST3_CBC = 0x00000312 +CKM_CAST3_MAC = 0x00000313 +CKM_CAST3_MAC_GENERAL = 0x00000314 +CKM_CAST3_CBC_PAD = 0x00000315 +CKM_CAST128_KEY_GEN = 0x00000320 +CKM_CAST5_KEY_GEN = 0x00000320 +CKM_CAST128_ECB = 0x00000321 +CKM_CAST5_ECB = 0x00000321 +CKM_CAST128_CBC = 0x00000322 +CKM_CAST5_CBC = 0x00000322 +CKM_CAST128_MAC = 0x00000323 +CKM_CAST5_MAC = 0x00000323 +CKM_CAST128_MAC_GENERAL = 0x00000324 +CKM_CAST5_MAC_GENERAL = 0x00000324 +CKM_CAST128_CBC_PAD = 0x00000325 +CKM_CAST5_CBC_PAD = 0x00000325 +CKM_RC5_KEY_GEN = 0x00000330 +CKM_RC5_ECB = 0x00000331 +CKM_RC5_CBC = 0x00000332 +CKM_RC5_MAC = 0x00000333 +CKM_RC5_MAC_GENERAL = 0x00000334 +CKM_RC5_CBC_PAD = 0x00000335 +CKM_IDEA_KEY_GEN = 0x00000340 +CKM_IDEA_ECB = 0x00000341 +CKM_IDEA_CBC = 0x00000342 +CKM_IDEA_MAC = 0x00000343 +CKM_IDEA_MAC_GENERAL = 0x00000344 +CKM_IDEA_CBC_PAD = 0x00000345 +CKM_GENERIC_SECRET_KEY_GEN = 0x00000350 +CKM_CONCATENATE_BASE_AND_KEY = 0x00000360 +CKM_CONCATENATE_BASE_AND_DATA = 0x00000362 +CKM_CONCATENATE_DATA_AND_BASE = 0x00000363 +CKM_XOR_BASE_AND_DATA = 0x00000364 +CKM_EXTRACT_KEY_FROM_KEY = 0x00000365 +CKM_SSL3_PRE_MASTER_KEY_GEN = 0x00000370 +CKM_SSL3_MASTER_KEY_DERIVE = 0x00000371 +CKM_SSL3_KEY_AND_MAC_DERIVE = 0x00000372 +CKM_SSL3_MASTER_KEY_DERIVE_DH = 0x00000373 +CKM_TLS_PRE_MASTER_KEY_GEN = 0x00000374 +CKM_TLS_MASTER_KEY_DERIVE = 0x00000375 +CKM_TLS_KEY_AND_MAC_DERIVE = 0x00000376 +CKM_TLS_MASTER_KEY_DERIVE_DH = 0x00000377 +CKM_TLS_PRF = 0x00000378 +CKM_SSL3_MD5_MAC = 0x00000380 +CKM_SSL3_SHA1_MAC = 0x00000381 +CKM_MD5_KEY_DERIVATION = 0x00000390 +CKM_MD2_KEY_DERIVATION = 0x00000391 +CKM_SHA1_KEY_DERIVATION = 0x00000392 +CKM_SHA256_KEY_DERIVATION = 0x00000393 +CKM_SHA384_KEY_DERIVATION = 0x00000394 +CKM_SHA512_KEY_DERIVATION = 0x00000395 +CKM_SHA224_KEY_DERIVATION = 0x00000396 +CKM_PBE_MD2_DES_CBC = 0x000003a0 +CKM_PBE_MD5_DES_CBC = 0x000003a1 +CKM_PBE_MD5_CAST_CBC = 0x000003a2 +CKM_PBE_MD5_CAST3_CBC = 0x000003a3 +CKM_PBE_MD5_CAST128_CBC = 0x000003a4 +CKM_PBE_MD5_CAST5_CBC = 0x000003a4 +CKM_PBE_SHA1_CAST128_CBC = 0x000003a5 +CKM_PBE_SHA1_CAST5_CBC = 0x000003a5 +CKM_PBE_SHA1_RC4_128 = 0x000003a6 +CKM_PBE_SHA1_RC4_40 = 0x000003a7 +CKM_PBE_SHA1_DES3_EDE_CBC = 0x000003a8 +CKM_PBE_SHA1_DES2_EDE_CBC = 0x000003a9 +CKM_PBE_SHA1_RC2_128_CBC = 0x000003aa +CKM_PBE_SHA1_RC2_40_CBC = 0x000003ab +CKM_PKCS5_PBKD2 = 0x000003b0 +CKM_PBA_SHA1_WITH_SHA1_HMAC = 0x000003c0 +CKM_WTLS_PRE_MASTER_KEY_GEN = 0x000003d0 +CKM_WTLS_MASTER_KEY_DERIVE = 0x000003d1 +CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC = 0x000003d2 +CKM_WTLS_PRF = 0x000003d3 +CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE = 0x000003d4 +CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE = 0x000003d5 +CKM_TLS10_MAC_SERVER = 0x000003d6 +CKM_TLS10_MAC_CLIENT = 0x000003d7 +CKM_TLS12_MAC = 0x000003d8 +CKM_TLS12_KDF = 0x000003d9 +CKM_TLS12_MASTER_KEY_DERIVE = 0x000003e0 +CKM_TLS12_KEY_AND_MAC_DERIVE = 0x000003e1 +CKM_TLS12_MASTER_KEY_DERIVE_DH = 0x000003e2 +CKM_TLS12_KEY_SAFE_DERIVE = 0x000003e3 +CKM_TLS_MAC = 0x000003e4 +CKM_TLS_KDF = 0x000003e5 +CKM_KEY_WRAP_LYNKS = 0x00000400 +CKM_KEY_WRAP_SET_OAEP = 0x00000401 +CKM_CMS_SIG = 0x00000500 +CKM_KIP_DERIVE = 0x00000510 +CKM_KIP_WRAP = 0x00000511 +CKM_KIP_MAC = 0x00000512 +CKM_CAMELLIA_KEY_GEN = 0x00000550 +CKM_CAMELLIA_ECB = 0x00000551 +CKM_CAMELLIA_CBC = 0x00000552 +CKM_CAMELLIA_MAC = 0x00000553 +CKM_CAMELLIA_MAC_GENERAL = 0x00000554 +CKM_CAMELLIA_CBC_PAD = 0x00000555 +CKM_CAMELLIA_ECB_ENCRYPT_DATA = 0x00000556 +CKM_CAMELLIA_CBC_ENCRYPT_DATA = 0x00000557 +CKM_CAMELLIA_CTR = 0x00000558 +CKM_ARIA_KEY_GEN = 0x00000560 +CKM_ARIA_ECB = 0x00000561 +CKM_ARIA_CBC = 0x00000562 +CKM_ARIA_MAC = 0x00000563 +CKM_ARIA_MAC_GENERAL = 0x00000564 +CKM_ARIA_CBC_PAD = 0x00000565 +CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566 +CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567 +CKM_SEED_KEY_GEN = 0x00000650 +CKM_SEED_ECB = 0x00000651 +CKM_SEED_CBC = 0x00000652 +CKM_SEED_MAC = 0x00000653 +CKM_SEED_MAC_GENERAL = 0x00000654 +CKM_SEED_CBC_PAD = 0x00000655 +CKM_SEED_ECB_ENCRYPT_DATA = 0x00000656 +CKM_SEED_CBC_ENCRYPT_DATA = 0x00000657 +CKM_SKIPJACK_KEY_GEN = 0x00001000 +CKM_SKIPJACK_ECB64 = 0x00001001 +CKM_SKIPJACK_CBC64 = 0x00001002 +CKM_SKIPJACK_OFB64 = 0x00001003 +CKM_SKIPJACK_CFB64 = 0x00001004 +CKM_SKIPJACK_CFB32 = 0x00001005 +CKM_SKIPJACK_CFB16 = 0x00001006 +CKM_SKIPJACK_CFB8 = 0x00001007 +CKM_SKIPJACK_WRAP = 0x00001008 +CKM_SKIPJACK_PRIVATE_WRAP = 0x00001009 +CKM_SKIPJACK_RELAYX = 0x0000100a +CKM_KEA_KEY_PAIR_GEN = 0x00001010 +CKM_KEA_KEY_DERIVE = 0x00001011 +CKM_KEA_DERIVE = 0x00001012 +CKM_FORTEZZA_TIMESTAMP = 0x00001020 +CKM_BATON_KEY_GEN = 0x00001030 +CKM_BATON_ECB128 = 0x00001031 +CKM_BATON_ECB96 = 0x00001032 +CKM_BATON_CBC128 = 0x00001033 +CKM_BATON_COUNTER = 0x00001034 +CKM_BATON_SHUFFLE = 0x00001035 +CKM_BATON_WRAP = 0x00001036 +CKM_ECDSA_KEY_PAIR_GEN = 0x00001040 +CKM_EC_KEY_PAIR_GEN = 0x00001040 +CKM_ECDSA = 0x00001041 +CKM_ECDSA_SHA1 = 0x00001042 +CKM_ECDH1_DERIVE = 0x00001050 +CKM_ECDH1_COFACTOR_DERIVE = 0x00001051 +CKM_ECMQV_DERIVE = 0x00001052 +CKM_ECDH_AES_KEY_WRAP = 0x00001053 +CKM_RSA_AES_KEY_WRAP = 0x00001054 +CKM_JUNIPER_KEY_GEN = 0x00001060 +CKM_JUNIPER_ECB128 = 0x00001061 +CKM_JUNIPER_CBC128 = 0x00001062 +CKM_JUNIPER_COUNTER = 0x00001063 +CKM_JUNIPER_SHUFFLE = 0x00001064 +CKM_JUNIPER_WRAP = 0x00001065 +CKM_FASTHASH = 0x00001070 +CKM_AES_KEY_GEN = 0x00001080 +CKM_AES_ECB = 0x00001081 +CKM_AES_CBC = 0x00001082 +CKM_AES_MAC = 0x00001083 +CKM_AES_MAC_GENERAL = 0x00001084 +CKM_AES_CBC_PAD = 0x00001085 +CKM_AES_CTR = 0x00001086 +CKM_AES_GCM = 0x00001087 +CKM_AES_CCM = 0x00001088 +CKM_AES_CMAC_GENERAL = 0x00001089 +CKM_AES_CMAC = 0x0000108a +CKM_AES_CTS = 0x0000108b +CKM_AES_XCBC_MAC = 0x0000108c +CKM_AES_XCBC_MAC_96 = 0x0000108d +CKM_AES_GMAC = 0x0000108e +CKM_BLOWFISH_KEY_GEN = 0x00001090 +CKM_BLOWFISH_CBC = 0x00001091 +CKM_TWOFISH_KEY_GEN = 0x00001092 +CKM_TWOFISH_CBC = 0x00001093 +CKM_BLOWFISH_CBC_PAD = 0x00001094 +CKM_TWOFISH_CBC_PAD = 0x00001095 +CKM_DES_ECB_ENCRYPT_DATA = 0x00001100 +CKM_DES_CBC_ENCRYPT_DATA = 0x00001101 +CKM_DES3_ECB_ENCRYPT_DATA = 0x00001102 +CKM_DES3_CBC_ENCRYPT_DATA = 0x00001103 +CKM_AES_ECB_ENCRYPT_DATA = 0x00001104 +CKM_AES_CBC_ENCRYPT_DATA = 0x00001105 +CKM_GOSTR3410_KEY_PAIR_GEN = 0x00001200 +CKM_GOSTR3410 = 0x00001201 +CKM_GOSTR3410_WITH_GOSTR3411 = 0x00001202 +CKM_GOSTR3410_KEY_WRAP = 0x00001203 +CKM_GOSTR3410_DERIVE = 0x00001204 +CKM_GOSTR3411 = 0x00001210 +CKM_GOSTR3411_HMAC = 0x00001211 +CKM_GOST28147_KEY_GEN = 0x00001220 +CKM_GOST28147_ECB = 0x00001221 +CKM_GOST28147 = 0x00001222 +CKM_GOST28147_MAC = 0x00001223 +CKM_GOST28147_KEY_WRAP = 0x00001224 +CKM_DSA_PARAMETER_GEN = 0x00002000 +CKM_DH_PKCS_PARAMETER_GEN = 0x00002001 +CKM_X9_42_DH_PARAMETER_GEN = 0x00002002 +CKM_DSA_PROBABLISTIC_PARAMETER_GEN = 0x00002003 +CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN = 0x00002004 +CKM_AES_OFB = 0x00002104 +CKM_AES_CFB64 = 0x00002105 +CKM_AES_CFB8 = 0x00002106 +CKM_AES_CFB128 = 0x00002107 +CKM_AES_CFB1 = 0x00002108 +CKM_AES_KEY_WRAP = 0x00002109 +CKM_AES_KEY_WRAP_PAD = 0x0000210a +CKM_RSA_PKCS_TPM_1_1 = 0x00004001 +CKM_RSA_PKCS_OAEP_TPM_1_1 = 0x00004002 +CKM_VENDOR_DEFINED = 0x80000000 +CKM_IBM_CMAC = CKM_VENDOR_DEFINED+0x10007 +CKM_IBM_ECDSA_SHA224 = CKM_VENDOR_DEFINED+0x10008 +CKM_IBM_ECDSA_SHA256 = CKM_VENDOR_DEFINED+0x10009 +CKM_IBM_ECDSA_SHA384 = CKM_VENDOR_DEFINED+0x1000a +CKM_IBM_ECDSA_SHA512 = CKM_VENDOR_DEFINED+0x1000b +CKM_IBM_EC_MULTIPLY = CKM_VENDOR_DEFINED+0x1000c +CKM_IBM_EAC = CKM_VENDOR_DEFINED+0x1000d +CKM_IBM_TESTCODE = CKM_VENDOR_DEFINED+0x1000e +CKM_IBM_SHA512_256 = CKM_VENDOR_DEFINED+0x10012 +CKM_IBM_SHA512_224 = CKM_VENDOR_DEFINED+0x10013 +CKM_IBM_SHA512_256_HMAC = CKM_VENDOR_DEFINED+0x10014 +CKM_IBM_SHA512_224_HMAC = CKM_VENDOR_DEFINED+0x10015 +CKM_IBM_SIPHASH = CKM_VENDOR_DEFINED+0x10021 +CKM_IBM_CLEARKEY_TRANSPORT = CKM_VENDOR_DEFINED+0x20001 +CKM_IBM_ATTRIBUTEBOUND_WRAP = CKM_VENDOR_DEFINED+0x20004 +CKM_IBM_TRANSPORTKEY = CKM_VENDOR_DEFINED+0x20005 +CKM_IBM_DH_PKCS_DERIVE_RAW = CKM_VENDOR_DEFINED+0x20006 +CKM_IBM_ECDH1_DERIVE_RAW = CKM_VENDOR_DEFINED+0x20007 +CKM_IBM_WIRETEST = CKM_VENDOR_DEFINED+0x30004 +CKM_IBM_RETAINKEY = CKM_VENDOR_DEFINED+0x40001 + + +CKF_DONT_BLOCK = 0x00000001 +CKF_HW = 0x00000001 +CKF_LIBRARY_CANT_CREATE_OS_THREADS = 0x00000001 +CKF_NEXT_OTP = 0x00000001 +CKF_RNG = 0x00000001 +CKF_TOKEN_PRESENT = 0x00000001 +CKF_EXCLUDE_TIME = 0x00000002 +CKF_OS_LOCKING_OK = 0x00000002 +CKF_REMOVABLE_DEVICE = 0x00000002 +CKF_RW_SESSION = 0x00000002 +CKF_WRITE_PROTECTED = 0x00000002 +CKF_EXCLUDE_COUNTER = 0x00000004 +CKF_HW_SLOT = 0x00000004 +CKF_LOGIN_REQUIRED = 0x00000004 +CKF_SERIAL_SESSION = 0x00000004 +CKF_EXCLUDE_CHALLENGE = 0x00000008 +CKF_USER_PIN_INITIALIZED = 0x00000008 +CKF_EXCLUDE_PIN = 0x00000010 +CKF_RESTORE_KEY_NOT_NEEDED = 0x00000020 +CKF_USER_FRIENDLY_OTP = 0x00000020 +CKF_CLOCK_ON_TOKEN = 0x00000040 +CKF_ENCRYPT = 0x00000100 +CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100 +CKF_DECRYPT = 0x00000200 +CKF_DUAL_CRYPTO_OPERATIONS = 0x00000200 +CKF_DIGEST = 0x00000400 +CKF_TOKEN_INITIALIZED = 0x00000400 +CKF_SECONDARY_AUTHENTICATION = 0x00000800 +CKF_SIGN = 0x00000800 +CKF_SIGN_RECOVER = 0x00001000 +CKF_VERIFY = 0x00002000 +CKF_VERIFY_RECOVER = 0x00004000 +CKF_GENERATE = 0x00008000 +CKF_GENERATE_KEY_PAIR = 0x00010000 +CKF_USER_PIN_COUNT_LOW = 0x00010000 +CKF_USER_PIN_FINAL_TRY = 0x00020000 +CKF_WRAP = 0x00020000 +CKF_UNWRAP = 0x00040000 +CKF_USER_PIN_LOCKED = 0x00040000 +CKF_DERIVE = 0x00080000 +CKF_USER_PIN_TO_BE_CHANGED = 0x00080000 +CKF_EC_F_P = 0x00100000 +CKF_SO_PIN_COUNT_LOW = 0x00100000 +CKF_EC_F_2M = 0x00200000 +CKF_SO_PIN_FINAL_TRY = 0x00200000 +CKF_EC_ECPARAMETERS = 0x00400000 +CKF_SO_PIN_LOCKED = 0x00400000 +CKF_EC_NAMEDCURVE = 0x00800000 +CKF_SO_PIN_TO_BE_CHANGED = 0x00800000 +CKF_EC_UNCOMPRESS = 0x01000000 +CKF_ERROR_STATE = 0x01000000 +CKF_EC_COMPRESS = 0x02000000 +CKF_ARRAY_ATTRIBUTE = 0x40000000 +CKF_EXTENSION = 0x80000000 + + +CKO_DATA = 0x00000000 +CKO_CERTIFICATE = 0x00000001 +CKO_PUBLIC_KEY = 0x00000002 +CKO_PRIVATE_KEY = 0x00000003 +CKO_SECRET_KEY = 0x00000004 +CKO_HW_FEATURE = 0x00000005 +CKO_DOMAIN_PARAMETERS = 0x00000006 +CKO_MECHANISM = 0x00000007 +CKO_OTP_KEY = 0x00000008 +CKO_VENDOR_DEFINED = 0x80000000 + + +CKR_OK = 0x00000000 +CKR_CANCEL = 0x00000001 +CKR_HOST_MEMORY = 0x00000002 +CKR_SLOT_ID_INVALID = 0x00000003 +CKR_GENERAL_ERROR = 0x00000005 +CKR_FUNCTION_FAILED = 0x00000006 +CKR_ARGUMENTS_BAD = 0x00000007 +CKR_NO_EVENT = 0x00000008 +CKR_NEED_TO_CREATE_THREADS = 0x00000009 +CKR_CANT_LOCK = 0x0000000a +CKR_ATTRIBUTE_READ_ONLY = 0x00000010 +CKR_ATTRIBUTE_SENSITIVE = 0x00000011 +CKR_ATTRIBUTE_TYPE_INVALID = 0x00000012 +CKR_ATTRIBUTE_VALUE_INVALID = 0x00000013 +CKR_ACTION_PROHIBITED = 0x0000001b +CKR_DATA_INVALID = 0x00000020 +CKR_DATA_LEN_RANGE = 0x00000021 +CKR_DEVICE_ERROR = 0x00000030 +CKR_DEVICE_MEMORY = 0x00000031 +CKR_DEVICE_REMOVED = 0x00000032 +CKR_ENCRYPTED_DATA_INVALID = 0x00000040 +CKR_ENCRYPTED_DATA_LEN_RANGE = 0x00000041 +CKR_FUNCTION_CANCELED = 0x00000050 +CKR_FUNCTION_NOT_PARALLEL = 0x00000051 +CKR_FUNCTION_NOT_SUPPORTED = 0x00000054 +CKR_KEY_HANDLE_INVALID = 0x00000060 +CKR_KEY_SIZE_RANGE = 0x00000062 +CKR_KEY_TYPE_INCONSISTENT = 0x00000063 +CKR_KEY_NOT_NEEDED = 0x00000064 +CKR_KEY_CHANGED = 0x00000065 +CKR_KEY_NEEDED = 0x00000066 +CKR_KEY_INDIGESTIBLE = 0x00000067 +CKR_KEY_FUNCTION_NOT_PERMITTED = 0x00000068 +CKR_KEY_NOT_WRAPPABLE = 0x00000069 +CKR_KEY_UNEXTRACTABLE = 0x0000006a +CKR_MECHANISM_INVALID = 0x00000070 +CKR_MECHANISM_PARAM_INVALID = 0x00000071 +CKR_OBJECT_HANDLE_INVALID = 0x00000082 +CKR_OPERATION_ACTIVE = 0x00000090 +CKR_OPERATION_NOT_INITIALIZED = 0x00000091 +CKR_PIN_INCORRECT = 0x000000a0 +CKR_PIN_INVALID = 0x000000a1 +CKR_PIN_LEN_RANGE = 0x000000a2 +CKR_PIN_EXPIRED = 0x000000a3 +CKR_PIN_LOCKED = 0x000000a4 +CKR_SESSION_CLOSED = 0x000000b0 +CKR_SESSION_COUNT = 0x000000b1 +CKR_SESSION_HANDLE_INVALID = 0x000000b3 +CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x000000b4 +CKR_SESSION_READ_ONLY = 0x000000b5 +CKR_SESSION_EXISTS = 0x000000b6 +CKR_SESSION_READ_ONLY_EXISTS = 0x000000b7 +CKR_SESSION_READ_WRITE_SO_EXISTS = 0x000000b8 +CKR_SIGNATURE_INVALID = 0x000000c0 +CKR_SIGNATURE_LEN_RANGE = 0x000000c1 +CKR_TEMPLATE_INCOMPLETE = 0x000000d0 +CKR_TEMPLATE_INCONSISTENT = 0x000000d1 +CKR_TOKEN_NOT_PRESENT = 0x000000e0 +CKR_TOKEN_NOT_RECOGNIZED = 0x000000e1 +CKR_TOKEN_WRITE_PROTECTED = 0x000000e2 +CKR_UNWRAPPING_KEY_HANDLE_INVALID = 0x000000f0 +CKR_UNWRAPPING_KEY_SIZE_RANGE = 0x000000f1 +CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT = 0x000000f2 +CKR_USER_ALREADY_LOGGED_IN = 0x00000100 +CKR_USER_NOT_LOGGED_IN = 0x00000101 +CKR_USER_PIN_NOT_INITIALIZED = 0x00000102 +CKR_USER_TYPE_INVALID = 0x00000103 +CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x00000104 +CKR_USER_TOO_MANY_TYPES = 0x00000105 +CKR_WRAPPED_KEY_INVALID = 0x00000110 +CKR_WRAPPED_KEY_LEN_RANGE = 0x00000112 +CKR_WRAPPING_KEY_HANDLE_INVALID = 0x00000113 +CKR_WRAPPING_KEY_SIZE_RANGE = 0x00000114 +CKR_WRAPPING_KEY_TYPE_INCONSISTENT = 0x00000115 +CKR_RANDOM_SEED_NOT_SUPPORTED = 0x00000120 +CKR_RANDOM_NO_RNG = 0x00000121 +CKR_DOMAIN_PARAMS_INVALID = 0x00000130 +CKR_CURVE_NOT_SUPPORTED = 0x00000140 +CKR_BUFFER_TOO_SMALL = 0x00000150 +CKR_SAVED_STATE_INVALID = 0x00000160 +CKR_INFORMATION_SENSITIVE = 0x00000170 +CKR_STATE_UNSAVEABLE = 0x00000180 +CKR_CRYPTOKI_NOT_INITIALIZED = 0x00000190 +CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x00000191 +CKR_MUTEX_BAD = 0x000001a0 +CKR_MUTEX_NOT_LOCKED = 0x000001a1 +CKR_NEW_PIN_MODE = 0x000001b0 +CKR_NEXT_OTP = 0x000001b1 +CKR_EXCEEDED_MAX_ITERATIONS = 0x000001c0 +CKR_FIPS_SELF_TEST_FAILED = 0x000001c1 +CKR_LIBRARY_LOAD_FAILED = 0x000001c2 +CKR_PIN_TOO_WEAK = 0x000001c3 +CKR_PUBLIC_KEY_INVALID = 0x000001c4 +CKR_FUNCTION_REJECTED = 0x00000200 +CKR_VENDOR_DEFINED = 0x80000000 +CKR_IBM_TARGET_INVALID = CKR_VENDOR_DEFINED+0x1003 +CKR_IBM_WKID_MISMATCH = CKR_VENDOR_DEFINED+0x10001 +CKR_IBM_INTERNAL_ERROR = CKR_VENDOR_DEFINED+0x10002 +CKR_IBM_TRANSPORT_ERROR = CKR_VENDOR_DEFINED+0x10003 +CKR_IBM_BLOB_ERROR = CKR_VENDOR_DEFINED+0x10004 +CKR_IBM_BLOBKEY_CONFLICT = CKR_VENDOR_DEFINED+0x10005 +CKR_IBM_MODE_CONFLICT = CKR_VENDOR_DEFINED+0x10006 +CKR_IBM_NONCRT_KEY_SIZE = CKR_VENDOR_DEFINED+0x10008 +CKR_IBM_WK_NOT_INITIALIZED = CKR_VENDOR_DEFINED+0x10009 +CKR_IBM_OA_API_ERROR = CKR_VENDOR_DEFINED+0x1000a +CKR_IBM_REQ_TIMEOUT = CKR_VENDOR_DEFINED+0x1000b +CKR_IBM_READONLY = CKR_VENDOR_DEFINED+0x1000c +CKR_IBM_STATIC_POLICY = CKR_VENDOR_DEFINED+0x1000d +CKR_IBM_TRANSPORT_LIMIT = CKR_VENDOR_DEFINED+0x10010 +CKR_IBM_FCV_NOT_SET = CKR_VENDOR_DEFINED+0x10011 +CKR_IBM_PERF_CATEGORY_INVALID = CKR_VENDOR_DEFINED+0x10012 +CKR_VENDOR_DEFINED_GREP11 = CKR_VENDOR_DEFINED+0x40000 +CKR_IBM_GREP11_NOT_AUTHENTICATED = CKR_VENDOR_DEFINED_GREP11+0x1 +CKR_IBM_GREP11_CANNOT_UNMARSHAL = CKR_VENDOR_DEFINED_GREP11+0x2 +CKR_IBM_GREP11_CANNOT_MARSHAL = CKR_VENDOR_DEFINED_GREP11+0x3 +CKR_IBM_GREP11_CONFLICT = CKR_VENDOR_DEFINED_GREP11+0x4 +CKR_IBM_GREP11_DBINTERNAL = CKR_VENDOR_DEFINED_GREP11+0x5 +CKR_IBM_GREP11_SERVER_INTERNAL = CKR_VENDOR_DEFINED_GREP11+0x6 + + +# Maximum Key Size +MAX_BLOB_SIZE = 8192 +MAX_CSUMSIZE = 64 + +# Max block size of block ciphers +MAX_BLOCK_SIZE = 256 / 8 +AES_BLOCK_SIZE = 16 +DES_BLOCK_SIZE = 8 + +# Max digest output bytes +MAX_DIGEST_BYTES = 512 / 8 + +# MAX_DIGEST_STATE_BYTES is the maximum size of wrapped digest state blobs +# -- Section 10.1 Function descriptions, EP11 design Document +MAX_DIGEST_STATE_BYTES = 1024 +MAX_CRYPT_STATE_BYTES = 8192 + +CK_UNAVAILABLE_INFORMATION = 0xFFFFFFFFFFFFFFFF diff --git a/python/examples/server.py b/python/examples/server.py new file mode 100755 index 0000000..a0b1e4e --- /dev/null +++ b/python/examples/server.py @@ -0,0 +1,687 @@ +#!/usr/bin/env python3 + +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +import sys +sys.path.extend(['../ep11', '../util']) + +import uuid, grep11consts as ep11, server_pb2 as pb, server_pb2_grpc, pkcs11_pb2, grpc +import hashlib, asn1, util + +# The following IBM Cloud items need to be changed prior to running the sample program +address = ":" + +credentials = { + 'APIKey': "", + 'Endpoint': "", + 'Instance': "" +} + +# Example_getMechanismInfo retrieves a mechanism list and retrieves detailed information for the CKM_RSA_PKCS mechanism +# Flow: connect, get mechanism list, get mechanism info +def Example_getMechanismInfo(): + with util.Channel(credentials).get_channel(address) as channel: + try: + cryptoClient = server_pb2_grpc.CryptoStub(channel) + + mechanismListRequest = pb.GetMechanismListRequest() + mechanismListResponse = cryptoClient.GetMechanismList(mechanismListRequest) + + print("Got mechanism list:\n{} ...\n".format(mechanismListResponse.Mechs[:1])) + + mechanismInfoRequest = pb.GetMechanismInfoRequest(Mech=ep11.CKM_RSA_PKCS) + mechanismInfoResponse = cryptoClient.GetMechanismInfo(mechanismInfoRequest) + + except grpc.RpcError as rpc_error: + print('grpc error details=' + str(rpc_error.details())) + raise Exception(rpc_error) + + except Exception as e: + print(e) + import traceback + traceback.print_exc() + raise Exception(e) + + # Output: + # Got mechanism list: + # [CKM_RSA_PKCS] ... + +# Example_encryptAndDecrypt encrypts and decrypts plain text +# Flow: connect, generate AES key, generate IV, encrypt multi-part data, decrypt multi-part data +def Example_encryptAndDecrypt(): + with util.Channel(credentials).get_channel(address) as channel: + try: + cryptoClient = server_pb2_grpc.CryptoStub(channel) + + keyLen = 128 + template = util.ep11attributes({ + ep11.CKA_VALUE_LEN: int(keyLen/8), + ep11.CKA_WRAP: False, + ep11.CKA_UNWRAP: False, + ep11.CKA_ENCRYPT: True, + ep11.CKA_DECRYPT: True, + ep11.CKA_EXTRACTABLE: False, # set to false! + ep11.CKA_TOKEN: False # ignored by EP11 + }) + + r = pb.GenerateKeyRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_AES_KEY_GEN), + Template=template, + # KeyId=str(uuid.uuid4()) # optional + ) + + generateKeyStatus = cryptoClient.GenerateKey(r) + + print("Generated AES Key") + + rngTemplate = pb.GenerateRandomRequest( + Len=(ep11.AES_BLOCK_SIZE) + ) + + rng = cryptoClient.GenerateRandom(rngTemplate) + + iv = rng.Rnd[:ep11.AES_BLOCK_SIZE] + + print("Generated IV") + + encipherInitInfo = pb.EncryptInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_AES_CBC_PAD, Parameter=iv), + Key=generateKeyStatus.Key # you may want to store this + ) + cipherStateInit = cryptoClient.EncryptInit(encipherInitInfo) + + plain = b'Hello, this is a very long and creative message without any imagination' + + encipherDataUpdate = pb.EncryptUpdateRequest( + State=cipherStateInit.State, + Plain=plain[:20] + ) + encipherStateUpdate = cryptoClient.EncryptUpdate(encipherDataUpdate) + + ciphertext = encipherStateUpdate.Ciphered + encipherDataUpdate = pb.EncryptUpdateRequest( + State=encipherStateUpdate.State, + Plain=plain[20:] + ) + encipherStateUpdate = cryptoClient.EncryptUpdate(encipherDataUpdate) + + ciphertext = ciphertext + encipherStateUpdate.Ciphered + encipherDataFinal = pb.EncryptFinalRequest( + State=encipherStateUpdate.State + ) + encipherStateFinal = cryptoClient.EncryptFinal(encipherDataFinal) + + ciphertext = ciphertext + encipherStateFinal.Ciphered + print("Encrypted message") + + decipherInitInfo = pb.DecryptInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_AES_CBC_PAD, Parameter=iv), + Key=generateKeyStatus.Key # you may want to store this + ) + decipherStateInit = cryptoClient.DecryptInit(decipherInitInfo) + + decipherDataUpdate = pb.DecryptUpdateRequest( + State=decipherStateInit.State, + Ciphered=ciphertext[:16] + ) + decipherStateUpdate = cryptoClient.DecryptUpdate(decipherDataUpdate) + + plaintext = decipherStateUpdate.Plain[:] + decipherDataUpdate = pb.DecryptUpdateRequest( + State=decipherStateUpdate.State, + Ciphered=ciphertext[16:] + ) + decipherStateUpdate = cryptoClient.DecryptUpdate(decipherDataUpdate) + + plaintext = plaintext + decipherStateUpdate.Plain + + decipherDataFinal = pb.DecryptFinalRequest( + State=decipherStateUpdate.State + ) + decipherStateFinal = cryptoClient.DecryptFinal(decipherDataFinal) + + plaintext = plaintext + decipherStateFinal.Plain + + if plain != plaintext: + print("Failed comparing plain text of cipher single") + + print("Decrypted message\n{}\n".format(plaintext)) + + except grpc.RpcError as rpc_error: + print('grpc error details=' + str(rpc_error.details())) + raise Exception(rpc_error) + + except Exception as e: + print(e) + import traceback + traceback.print_exc() + raise Exception(e) + + # Output: + # Generated AES Key + # Generated IV + # Encrypted message + # Decrypted message + # Hello, this is a very long and creative message without any imagination + +# Example_digest calculates the digest of some plain text +# Flow: connect, digest single-part data, digest multi-part data +def Example_digest(): + with util.Channel(credentials).get_channel(address) as channel: + try: + cryptoClient = server_pb2_grpc.CryptoStub(channel) + + digestData = b'This is the data longer than 64 bytes This is the data longer than 64 bytes' + digestInitRequest = pb.DigestInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_SHA256) + ) + digestInitResponse = cryptoClient.DigestInit(digestInitRequest) + + digestRequest = pb.DigestRequest( + State=digestInitResponse.State, + Data=digestData + ) + digestResponse = cryptoClient.Digest(digestRequest) + + print("Digest data using a single digest operation: {}\n".format(digestResponse.Digest.hex())) + + # Digest using mutiple operations + digestInitResponse = cryptoClient.DigestInit(digestInitRequest) + + digestUpdateRequest = pb.DigestUpdateRequest( + State=digestInitResponse.State, + Data=digestData[:64] + ) + digestUpdateResponse = cryptoClient.DigestUpdate(digestUpdateRequest) + + digestUpdateRequest = pb.DigestUpdateRequest( + State=digestUpdateResponse.State, + Data=digestData[64:] + ) + digestUpdateResponse = cryptoClient.DigestUpdate(digestUpdateRequest) + + digestFinalRequestInfo = pb.DigestFinalRequest( + State=digestUpdateResponse.State + ) + digestFinalResponse = cryptoClient.DigestFinal(digestFinalRequestInfo) + + print("Digest data using multiple operations: {}\n".format(digestFinalResponse.Digest.hex())) + + except grpc.RpcError as rpc_error: + print('grpc error details=' + str(rpc_error.details())) + raise Exception(rpc_error) + + except Exception as e: + print(e) + import traceback + traceback.print_exc() + raise Exception(e) + + # Output: + # Digest data using a single digest operation: ad4e0b6e309d192862ec6db692d17072ddd3a98ccd37afe642a04f7ca554c94c + # Digest data using multiple operations: ad4e0b6e309d192862ec6db692d17072ddd3a98ccd37afe642a04f7ca554c94c + + +# Example_signAndVerifyUsingRSAKeyPair signs some data and verifies it +# Flow: connect, generate RSA key pair, sign single-part data, verify single-part data +def Example_signAndVerifyUsingRSAKeyPair(): + with util.Channel(credentials).get_channel(address) as channel: + try: + cryptoClient = server_pb2_grpc.CryptoStub(channel) + + # Generate RSA key pairs + publicExponent = b'\x11' + publicKeyTemplate=util.ep11attributes({ + ep11.CKA_ENCRYPT: True, + ep11.CKA_VERIFY: True, # to verify a signature + ep11.CKA_MODULUS_BITS: 2048, + ep11.CKA_PUBLIC_EXPONENT: publicExponent, + ep11.CKA_EXTRACTABLE: False + }) + privateKeyTemplate=util.ep11attributes({ + ep11.CKA_PRIVATE: True, + ep11.CKA_SENSITIVE: True, + ep11.CKA_DECRYPT: True, + ep11.CKA_SIGN: True, # to generate a signature + ep11.CKA_EXTRACTABLE: False + }) + generateKeypairRequest = pb.GenerateKeyPairRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_RSA_PKCS_KEY_PAIR_GEN), + PubKeyTemplate=publicKeyTemplate, + PrivKeyTemplate=privateKeyTemplate, + #PrivKeyId=str(uuid.uuid4()), + #PubKeyId=str(uuid.uuid4()) + ) + generateKeyPairStatus = cryptoClient.GenerateKeyPair(generateKeypairRequest) + + print("Generated RSA PKCS key pair") + + # Sign data + signInitRequest = pb.SignInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_SHA1_RSA_PKCS), + PrivKey=generateKeyPairStatus.PrivKey + ) + signInitResponse = cryptoClient.SignInit(signInitRequest) + + signData = hashlib.sha256(b'This data needs to be signed').digest() + signRequest = pb.SignRequest( + State=signInitResponse.State, + Data=signData + ) + SignResponse = cryptoClient.Sign(signRequest) + + print("Data signed") + + verifyInitRequest = pb.VerifyInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_SHA1_RSA_PKCS), + PubKey=generateKeyPairStatus.PubKey + ) + verifyInitResponse = cryptoClient.VerifyInit(verifyInitRequest) + + verifyRequest = pb.VerifyRequest( + State=verifyInitResponse.State, + Data=signData, + Signature=SignResponse.Signature + ) + cryptoClient.Verify(verifyRequest) + print("Verified") + + except grpc.RpcError as rpc_error: + print('grpc error details=' + str(rpc_error.details())) + raise Exception(rpc_error) + + except Exception as e: + print(e) + import traceback + traceback.print_exc() + raise Exception(e) + + # Output: + # Generated RSA PKCS key pair + # Data signed + # Verified + + +# Example_signAndVerifyUsingECDSAKeyPair generates an ECDSA key pair and uses the key pair to sign and verify data +# Flow: connect, generate ECDSA key pair, sign single-part data, verify single-part data +def Example_signAndVerifyUsingECDSAKeyPair(): + with util.Channel(credentials).get_channel(address) as channel: + try: + cryptoClient = server_pb2_grpc.CryptoStub(channel) + + encoder = asn1.Encoder() + encoder.start() + encoder.write('1.2.840.10045.3.1.7', asn1.Numbers.ObjectIdentifier) + ecParameters = encoder.output() + + if not ecParameters: + raise Exception("Unable to encode parameter OID") + + publicKeyECTemplate = util.ep11attributes({ + ep11.CKA_EC_PARAMS: ecParameters, + ep11.CKA_VERIFY: True, + ep11.CKA_EXTRACTABLE: False + }) + privateKeyECTemplate = util.ep11attributes({ + ep11.CKA_SIGN: True, + ep11.CKA_EXTRACTABLE: False + }) + generateECKeypairRequest = pb.GenerateKeyPairRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_EC_KEY_PAIR_GEN), + PubKeyTemplate=publicKeyECTemplate, + PrivKeyTemplate=privateKeyECTemplate + ) + generateKeyPairStatus = cryptoClient.GenerateKeyPair(generateECKeypairRequest) + + print("Generated ECDSA PKCS key pair") + + # Sign data + signInitRequest = pb.SignInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_ECDSA), + PrivKey=generateKeyPairStatus.PrivKey + ) + signInitResponse = cryptoClient.SignInit(signInitRequest) + + signData = hashlib.sha256(b'This data needs to be signed').digest() + signRequest = pb.SignRequest( + State=signInitResponse.State, + Data=signData + ) + SignResponse = cryptoClient.Sign(signRequest) + + print("Data signed") + + verifyInitRequest = pb.VerifyInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_ECDSA), + PubKey=generateKeyPairStatus.PubKey + ) + verifyInitResponse = cryptoClient.VerifyInit(verifyInitRequest) + + verifyRequest = pb.VerifyRequest( + State=verifyInitResponse.State, + Data=signData, + Signature=SignResponse.Signature + ) + cryptoClient.Verify(verifyRequest) + print("Verified") + + except grpc.RpcError as rpc_error: + print('grpc error details=' + str(rpc_error.details())) + raise Exception(rpc_error) + + except Exception as e: + print(e) + import traceback + traceback.print_exc() + raise Exception(e) + + # Output: + # Generated ECDSA PKCS key pair + # Data signed + # Verified + +# Example_signAndVerifyToTestErrorHandling signs some data, modifies the signature and verifies the expected returned error code +# Flow: connect, generate ECDSA key pair, sign single-part data, modify signature to force verify error, +# verify single-part data, ensure proper error is returned +def Example_signAndVerifyToTestErrorHandling(): + with util.Channel(credentials).get_channel(address) as channel: + try: + cryptoClient = server_pb2_grpc.CryptoStub(channel) + + encoder = asn1.Encoder() + encoder.start() + encoder.write('1.2.840.10045.3.1.7', asn1.Numbers.ObjectIdentifier) + ecParameters = encoder.output() + + if not ecParameters: + raise Exception("Unable to encode parameter OID") + + publicKeyECTemplate = util.ep11attributes({ + ep11.CKA_EC_PARAMS: ecParameters, + ep11.CKA_VERIFY: True, + ep11.CKA_EXTRACTABLE: False + }) + privateKeyECTemplate = util.ep11attributes({ + ep11.CKA_SIGN: True, + ep11.CKA_EXTRACTABLE: False + }) + generateECKeypairRequest = pb.GenerateKeyPairRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_EC_KEY_PAIR_GEN), + PubKeyTemplate=publicKeyECTemplate, + PrivKeyTemplate=privateKeyECTemplate + ) + generateKeyPairStatus = cryptoClient.GenerateKeyPair(generateECKeypairRequest) + + print("Generated ECDSA PKCS key pair") + + # Sign data + signInitRequest = pb.SignInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_ECDSA), + PrivKey=generateKeyPairStatus.PrivKey + ) + signInitResponse = cryptoClient.SignInit(signInitRequest) + + signData = hashlib.sha256(b'This data needs to be signed').digest() + signRequest = pb.SignRequest( + State=signInitResponse.State, + Data=signData + ) + SignResponse = cryptoClient.Sign(signRequest) + + print("Data signed") + + # Modify signature to force returned error code + signature = SignResponse.Signature + badsig = bytearray(signature) + badsig[0] = 255 + badsig = bytes(badsig) + signature = badsig + + verifyInitRequest = pb.VerifyInitRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_ECDSA), + PubKey=generateKeyPairStatus.PubKey + ) + verifyInitResponse = cryptoClient.VerifyInit(verifyInitRequest) + + verifyRequest = pb.VerifyRequest( + State=verifyInitResponse.State, + Data=signData, + Signature=signature + ) + cryptoClient.Verify(verifyRequest) + print("Verified") + + except grpc.RpcError as rpc_error: + if rpc_error.details() == 'CKR_SIGNATURE_INVALID': + print('Successfully detected an invalid signature.') + print('grpc error details=' + str(rpc_error.details())) + raise Exception(rpc_error) + + except Exception as e: + print(e) + import traceback + traceback.print_exc() + raise Exception(e) + + # Output: + # Generated ECDSA PKCS key pair + # Data signed + # Invalid signature + +# Example_wrapAndUnWrapKey wraps an AES key with a RSA public key and then unwraps it with the private key +# Flow: connect, generate AES key, generate RSA key pair, wrap/unwrap AES key with RSA key pair +def Example_wrapAndUnwrapKey(): + with util.Channel(credentials).get_channel(address) as channel: + try: + cryptoClient = server_pb2_grpc.CryptoStub(channel) + + # Generate a AES key + destKeyTemplate = util.ep11attributes({ + ep11.CKA_VALUE_LEN: 16, # 128 bits + ep11.CKA_ENCRYPT: True, + ep11.CKA_DECRYPT: True, + ep11.CKA_EXTRACTABLE: True # must be true to be wrapped + }) + generateKeyRequest = pb.GenerateKeyRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_AES_KEY_GEN), + Template=destKeyTemplate, + # KeyId=str(uuid.uuid4()) # optional + ) + generateNewKeyStatus = cryptoClient.GenerateKey(generateKeyRequest) + + print("Generated AES key") + + # Generate RSA key pairs + publicExponent = b'\x11' + publicKeyTemplate = util.ep11attributes({ + ep11.CKA_ENCRYPT: True, + ep11.CKA_WRAP: True, # to wrap a key + ep11.CKA_MODULUS_BITS: 2048, + ep11.CKA_PUBLIC_EXPONENT: publicExponent, + ep11.CKA_EXTRACTABLE: False + }) + privateKeyTemplate = util.ep11attributes({ + ep11.CKA_PRIVATE: True, + ep11.CKA_SENSITIVE: True, + ep11.CKA_DECRYPT: True, + ep11.CKA_UNWRAP: True, # to unwrap a key + ep11.CKA_EXTRACTABLE: False + }) + generateKeypairRequest = pb.GenerateKeyPairRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_RSA_PKCS_KEY_PAIR_GEN), + PubKeyTemplate=publicKeyTemplate, + PrivKeyTemplate=privateKeyTemplate, + # PrivKeyId=str(uuid.uuid4()), + # PubKeyId=str(uuid.uuid4()) + ) + generateKeyPairStatus = cryptoClient.GenerateKeyPair(generateKeypairRequest) + + print("Generated PKCS key pair") + + wrapKeyRequest = pb.WrapKeyRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_RSA_PKCS), + KeK=generateKeyPairStatus.PubKey, + Key=generateNewKeyStatus.Key + ) + wrapKeyResponse = cryptoClient.WrapKey(wrapKeyRequest) + + print("Wraped AES key") + + desUnwrapKeyTemplate = util.ep11attributes({ + ep11.CKA_CLASS: ep11.CKO_SECRET_KEY, + ep11.CKA_KEY_TYPE: ep11.CKK_AES, + ep11.CKA_VALUE_LEN: int(128/8), + ep11.CKA_ENCRYPT: True, + ep11.CKA_DECRYPT: True, + ep11.CKA_EXTRACTABLE: True # must be true to be wrapped + }) + unwrapRequest = pb.UnwrapKeyRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_RSA_PKCS), + KeK=generateKeyPairStatus.PrivKey, + Wrapped=wrapKeyResponse.Wrapped, + Template=desUnwrapKeyTemplate + ) + unWrappedResponse = cryptoClient.UnwrapKey(unwrapRequest) + + if generateNewKeyStatus.CheckSum[:3] != unWrappedResponse.CheckSum[:3]: + raise Exception("Unwrap AES key has a different checksum than the original key") + else: + print("Unwraped AES key") + + except grpc.RpcError as rpc_error: + print('grpc error details=' + str(rpc_error.details())) + raise Exception(rpc_error) + + except Exception as e: + print(e) + import traceback + traceback.print_exc() + raise Exception(e) + + # Output: + # Generated AES key + # Generated PKCS key pair + # Wraped AES key + # Unwraped AES key + +# Example_deriveKey generates ECDHE key pairs for Bob and Alice and then generates AES keys for both of them. +# The names Alice and Bob are described in https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange. +# Flow: connect, generate key pairs, derive AES key for Bob, derive AES key for Alice, encrypt with Alice's AES key and decrypt with Bob's AES key +def Example_deriveKey(): + with util.Channel(credentials).get_channel(address) as channel: + try: + cryptoClient = server_pb2_grpc.CryptoStub(channel) + + # Generate ECDH key pairs for Alice and Bob + encoder = asn1.Encoder() + encoder.start() + encoder.write('1.2.840.10045.3.1.7', asn1.Numbers.ObjectIdentifier) + ecParameters = encoder.output() + + if not ecParameters: + raise Exception("Unable to encode parameter OID") + + publicKeyECTemplate = util.ep11attributes({ + ep11.CKA_EC_PARAMS: ecParameters, + ep11.CKA_EXTRACTABLE: False + }) + privateKeyECTemplate = util.ep11attributes({ + ep11.CKA_DERIVE: True, + ep11.CKA_EXTRACTABLE: False + }) + generateECKeypairRequest = pb.GenerateKeyPairRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_EC_KEY_PAIR_GEN), + PubKeyTemplate=publicKeyECTemplate, + PrivKeyTemplate=privateKeyECTemplate + ) + aliceECKeypairResponse = cryptoClient.GenerateKeyPair(generateECKeypairRequest) + + print("Generated Alice EC key pair") + + bobECKeypairResponse = cryptoClient.GenerateKeyPair(generateECKeypairRequest) + + print("Generated Bob EC key pair") + + # Derive AES key for Alice + deriveKeyTemplate = util.ep11attributes({ + ep11.CKA_CLASS: ep11.CKO_SECRET_KEY, + ep11.CKA_KEY_TYPE: ep11.CKK_AES, + ep11.CKA_VALUE_LEN: int(128/8), + ep11.CKA_ENCRYPT: True, + ep11.CKA_DECRYPT: True, + }) + combinedCoordinates = util.GetPubkeyBytesFromSPKI(bobECKeypairResponse.PubKey) + if not combinedCoordinates: + raise Exception("Bob's EC key cannot obtain coordinates") + aliceDerivekeyRequest = pb.DeriveKeyRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_ECDH1_DERIVE, Parameter=combinedCoordinates), + Template=deriveKeyTemplate, + BaseKey=aliceECKeypairResponse.PrivKey + ) + aliceDerivekeyResponse = cryptoClient.DeriveKey(aliceDerivekeyRequest) + + # Derive AES key for Bob + combinedCoordinates = util.GetPubkeyBytesFromSPKI(aliceECKeypairResponse.PubKey) + if not combinedCoordinates: + raise Exception("Alice's EC key cannot obtain coordinates") + bobDerivekeyRequest = pb.DeriveKeyRequest( + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_ECDH1_DERIVE, Parameter=combinedCoordinates), + Template=deriveKeyTemplate, + BaseKey=bobECKeypairResponse.PrivKey + ) + bobDerivekeyResponse = cryptoClient.DeriveKey(bobDerivekeyRequest) + + # Encrypt with Alice's key and decrypt with Bob's key + msg = b'hello world!' + rngTemplate = pb.GenerateRandomRequest( + Len=int(ep11.AES_BLOCK_SIZE) + ) + rng = cryptoClient.GenerateRandom(rngTemplate) + + iv = rng.Rnd[:ep11.AES_BLOCK_SIZE] + + encryptRequest = pb.EncryptSingleRequest( + Key=aliceDerivekeyResponse.NewKey, + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_AES_CBC_PAD, Parameter=iv), + Plain=msg + ) + encryptResponse = cryptoClient.EncryptSingle(encryptRequest) + + decryptRequest = pb.DecryptSingleRequest( + Key=bobDerivekeyResponse.NewKey, + Mech=pkcs11_pb2.Mechanism(Mechanism=ep11.CKM_AES_CBC_PAD, Parameter=iv), + Ciphered=encryptResponse.Ciphered + ) + decryptResponse = cryptoClient.DecryptSingle(decryptRequest) + + if decryptResponse.Plain != msg: + raise Exception("Decrypted message{} is different from the original message: {}".format(decryptResponse.Plain, msg)) + else: + print("Alice and Bob get the same derived key") + + except grpc.RpcError as rpc_error: + print('grpc error details=' + str(rpc_error.details())) + raise Exception(rpc_error) + + except Exception as e: + print(e) + import traceback + traceback.print_exc() + raise Exception(e) + + # Output: + # Generated Alice EC key pair + # Generated Bob EC key pair + # Alice and Bob get the same derived key + +if __name__ == '__main__': + Example_getMechanismInfo() + Example_encryptAndDecrypt() + Example_digest() + Example_signAndVerifyUsingRSAKeyPair() + Example_signAndVerifyUsingECDSAKeyPair() + Example_signAndVerifyToTestErrorHandling() + Example_wrapAndUnwrapKey() + Example_deriveKey() diff --git a/python/examples/test_server.py b/python/examples/test_server.py new file mode 100644 index 0000000..1cf561c --- /dev/null +++ b/python/examples/test_server.py @@ -0,0 +1,34 @@ +#!/usr/bin/env python3 + +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +import unittest +import server + +class ServerTestCase(unittest.TestCase): + def test_0_getMechanismInfo(self): + server.Example_getMechanismInfo() + + def test_1_encryptAndDecrypt(self): + server.Example_encryptAndDecrypt() + + def test_2_digest(self): + server.Example_digest() + + def test_3_signAndVerifyUsingRSAKeyPair(self): + server.Example_signAndVerifyUsingRSAKeyPair() + + def test_4_signAndVerifyUsingECDSAKeyPair(self): + server.Example_signAndVerifyUsingECDSAKeyPair() + + @unittest.expectedFailure + def test_5_signAndVerifyToTestErrorHandling(self): + server.Example_signAndVerifyToTestErrorHandling() + + def test_6_wrapAndUnwrapKey(self): + server.Example_wrapAndUnwrapKey() + + def test_7_deriveKey(self): + server.Example_deriveKey() diff --git a/python/grpc/common/protos/annotations.proto b/python/grpc/common/protos/annotations.proto new file mode 100644 index 0000000..22cca04 --- /dev/null +++ b/python/grpc/common/protos/annotations.proto @@ -0,0 +1,50 @@ +/* +Copyright IBM Corp. 2016 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +syntax = "proto3"; + +package grep11; +import "google/protobuf/descriptor.proto"; + +extend google.protobuf.MethodOptions { + EP11MethodOption ep11 = 11001; + PKCS11MethodOption pkcs11 = 11002; +} + +extend google.protobuf.FieldOptions { + EP11FieldOption ep111 = 11011; + PKCS11FieldOption pkcs111 = 11012; +} + +message EP11MethodOption { + string call = 1; + string postcall = 2; +} + +message PKCS11MethodOption { + +} + +message EP11FieldOption { + string init = 1; // For output byte arrays, specify the array initialization length + string stream = 2; // For arrays that get updated (i.e. streamed) like DigestUpdate.state + string create = 3; // For keyblobs + bool rewrite = 4; // For keyblobs + bool allownil = 5; // For byte array parameters that are allowed be nil, so no nil-check required +} + +message PKCS11FieldOption { + +} diff --git a/python/grpc/common/protos/discovery.proto b/python/grpc/common/protos/discovery.proto new file mode 100644 index 0000000..c423153 --- /dev/null +++ b/python/grpc/common/protos/discovery.proto @@ -0,0 +1,23 @@ +/* +Copyright IBM Corp. 2016 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +syntax = "proto3"; + +package grep11; + +message GetServerListRequest{} +message GetServerListResponse{ + repeated string Address = 1; +} diff --git a/python/grpc/common/protos/grep11.proto b/python/grpc/common/protos/grep11.proto new file mode 100644 index 0000000..db5164b --- /dev/null +++ b/python/grpc/common/protos/grep11.proto @@ -0,0 +1,95 @@ +/* +Copyright IBM Corp. 2018 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +syntax = "proto3"; + +package grep11; + +import "manager.proto"; +import "discovery.proto"; +import "keystore.proto"; +import "user.proto"; +import "annotations.proto"; +import "google/api/annotations.proto"; + +service KeyStore { + // Get keystore info (PKCS11 token label) + rpc GetStoreInfo(GetStoreInfoRequest) returns (GetStoreResponse) {} + + rpc GetObjects(GetObjectsRequest) returns (GetObjectsResponse) {} + rpc DeleteObject(DeleteObjectRequest) returns (DeleteObjectResponse) {} + rpc StoreObject(StoreObjectRequest) returns (StoreObjectResponse) {} +} + +service UserManagement { + rpc ChangeUser(ChangeUserRequest) returns (ChangeUserResponse) {} + + rpc GetToken(GetTokenRequest) returns (GetTokenResponse) { + option (google.api.http) = { + get: "/v1/keystore/gettoken" + }; + } + rpc ReturnToken(ReturnTokenRequest) returns (ReturnTokenResponse) {} +} + +// TODO: Should this be replaced? +// By service LoadBalancer from "google.golang.org/grpc/grpclb/grpc_lb_v1/service" +service Discovery { + rpc GetServerList(GetServerListRequest) returns (GetServerListResponse) {} +} + +/*** DEPRECATED ***/ +/******* Deprecated ***********/ +// Original GREP11, just for ECC p256 +message GenerateInfo { + bytes oid = 1; +} + +message GenerateStatus { + bytes privKey = 1; + bytes pubKey = 2; + string error = 3; +} + +message SignInfo { + bytes privKey = 1; + bytes data = 2; +} + +message SignStatus { + bytes sig = 1; + string error = 2; +} + +message VerifyInfo { + bytes pubKey = 1; + bytes data = 2; + bytes sig = 3; +} + +message VerifyStatus { + bool valid = 1; + string error = 2; +} + +service Grep11Manager { + rpc Load(LoadInfo) returns (LoadStatus) {} +} + +service Grep11 { + rpc GenerateECKey(GenerateInfo) returns (GenerateStatus) {} + rpc SignP11ECDSA(SignInfo) returns (SignStatus) {} + rpc VerifyP11ECDSA(VerifyInfo) returns (VerifyStatus) {} +} diff --git a/python/grpc/common/protos/keystore.proto b/python/grpc/common/protos/keystore.proto new file mode 100644 index 0000000..1f09ec4 --- /dev/null +++ b/python/grpc/common/protos/keystore.proto @@ -0,0 +1,65 @@ +/* +Copyright IBM Corp. 2016 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +syntax = "proto3"; + +import "pkcs11.proto"; +import "gogo.proto"; + +package grep11; + +message CreateStoreRequest { + string Name = 2; +} + +message CreateStoreResponse {} + +message ChangeStoreRequest { + string StoreName = 1; + string WriterName = 2; +} +message ChangeStoreResponse {} + +message DeleteStoreRequest { + string Name = 1; +} + +message DeleteStoreResponse {} + +message GetStoreInfoRequest {} +message GetStoreResponse {} + +message GetObjectsRequest { + map Template = 1 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; + uint64 Count = 2; + uint64 From = 3; +} + +message GetObjectsResponse { + repeated bytes Handle = 1; +} + +message DeleteObjectRequest { + repeated bytes Handle = 1; +} + +message DeleteObjectResponse {} + +message StoreObjectRequest { + bytes blob = 1; + map Template = 2 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; +} + +message StoreObjectResponse {} diff --git a/python/grpc/common/protos/manager.proto b/python/grpc/common/protos/manager.proto new file mode 100644 index 0000000..bbcb64a --- /dev/null +++ b/python/grpc/common/protos/manager.proto @@ -0,0 +1,29 @@ +/* +Copyright IBM Corp. 2016 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +syntax = "proto3"; + +package grep11; + +message LoadInfo { + bytes pin = 1; + bytes nonce = 2; +} + +message LoadStatus { + string address = 1; + bool session = 2; + string error = 3; +} diff --git a/python/grpc/common/protos/pkcs11.proto b/python/grpc/common/protos/pkcs11.proto new file mode 100644 index 0000000..94ce4be --- /dev/null +++ b/python/grpc/common/protos/pkcs11.proto @@ -0,0 +1,31 @@ +/* +Copyright IBM Corp. 2016 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +syntax = "proto3"; + +package grep11; + +import "gogo.proto"; + +message Mechanism { + uint64 Mechanism = 1 [(gogoproto.casttype) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Mechanism"]; + bytes Parameter = 2; //optional +} + +message MechanismInfo { + uint64 MinKeySize = 1; + uint64 MaxKeySize = 2; + uint64 Flags = 3; +} diff --git a/python/grpc/common/protos/user.proto b/python/grpc/common/protos/user.proto new file mode 100644 index 0000000..73dae16 --- /dev/null +++ b/python/grpc/common/protos/user.proto @@ -0,0 +1,71 @@ +/* +Copyright IBM Corp. 2016 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +syntax = "proto3"; + +package grep11; + +// Authentication: TLS (TODO: Add/Check limits on creating Admin users i.e. one per LDAP dn) +message AddAdminRequest { + string Name = 1; + string Password = 2; + string BootstrapAuth = 3; +} + +message AddAdminResponse {} + +// Authentication: TLS (use EP11server user to 'bind' search. No different then linux login propmt) +message CheckUserRequest { + string Name = 1; + string Password = 2; +} + +message CheckUserResponse {} + +message AddUserRequest { + string BindName = 1; + string BindPassword = 2; + string NewName = 3; + string NewPassword = 4; +} +message AddUserResponse {} + +message ChangeUserRequest { + string Name = 1; + string OldPassword = 2; + string NewPassword = 4; +} +message ChangeUserResponse {} + +message DeleteUserRequest { + string BindName = 1; + string BindPassword = 2; + string Name = 3; +} +message DeleteUserResponse {} + +message GetTokenRequest { + string Name = 1; + string Password = 2; +} + +message GetTokenResponse { + string Token = 1; +} + +message ReturnTokenRequest { + string Token = 1; +} +message ReturnTokenResponse {} diff --git a/python/grpc/generated/protos/server.proto b/python/grpc/generated/protos/server.proto new file mode 100644 index 0000000..4edf08a --- /dev/null +++ b/python/grpc/generated/protos/server.proto @@ -0,0 +1,870 @@ +/* +Copyright IBM Corp. 2018 All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +syntax = "proto3"; + +package grep11; + +import "gogo.proto"; +import "annotations.proto"; +import "google/api/annotations.proto"; +import "pkcs11.proto"; + +message GenerateRandomRequest { + uint64 Len = 1; +} + +message GenerateRandomResponse { + bytes Rnd = 1 [(grep11.ep111) = {init : "in.Len"}]; +} + +message DigestInitRequest { + Mechanism Mech = 2; +} + +message DigestInitResponse { + bytes State = 1 [(grep11.ep111) = {init : "ep11.MAX_DIGEST_STATE_BYTES"}]; +} + +message DigestRequest { + bytes State = 1; + bytes Data = 2; +} + +message DigestResponse { + bytes Digest = 3 [(grep11.ep111) = {init : "ep11.MAX_DIGEST_BYTES"}]; +} + +message DigestUpdateRequest { + bytes State = 1; + bytes Data = 2; +} + +message DigestUpdateResponse { + bytes State = 1 [(grep11.ep111) = {stream : "State"}]; +} + +message DigestKeyRequest { + bytes State = 1; + bytes Key = 2 [(grep11.ep111) = {rewrite: true}]; +} + +message DigestKeyResponse { + bytes State = 1 [(grep11.ep111) = {stream : "State"}]; +} + +message DigestFinalRequest { + bytes State = 1; +} + +message DigestFinalResponse { + bytes Digest = 2 [(grep11.ep111) = {init : "ep11.MAX_DIGEST_BYTES"}]; +} + +message DigestSingleRequest { + Mechanism Mech = 1; + bytes Data = 2; +} + +message DigestSingleResponse { + bytes Digest = 3 [(grep11.ep111) = {init : "ep11.MAX_DIGEST_BYTES"}]; +} + +message EncryptInitRequest { + Mechanism Mech = 2; + bytes Key = 3 [(grep11.ep111) = {rewrite: true}]; +} + +message EncryptInitResponse { + bytes State = 1 [(grep11.ep111) = {init : "ep11.MAX_CRYPT_STATE_BYTES"}]; +} + +message DecryptInitRequest { + Mechanism Mech = 2; + bytes Key = 3 [(grep11.ep111) = {rewrite: true}]; +} + +message DecryptInitResponse { + bytes State = 1 [(grep11.ep111) = {init : "ep11.MAX_CRYPT_STATE_BYTES"}]; +} + +message EncryptUpdateRequest { + bytes State = 1; + bytes Plain = 2; +} + +message EncryptUpdateResponse { + bytes State = 1 [(grep11.ep111) = {stream : "State"}]; + bytes Ciphered = 3 [(grep11.ep111) = {init : "len(in.Plain) + ep11.MAX_BLOCK_SIZE"}]; +} + +message DecryptUpdateRequest { + bytes State = 1; + bytes Ciphered = 2; +} + +message DecryptUpdateResponse { + bytes State = 1 [(grep11.ep111) = {stream : "State"}]; + bytes Plain = 3 [(grep11.ep111) = {init : "len(in.Ciphered) + ep11.MAX_BLOCK_SIZE"}]; +} + +message EncryptRequest { + bytes State = 1; + bytes Plain = 2; +} + +message EncryptResponse { + bytes Ciphered = 3 [(grep11.ep111) = {init : "len(in.Plain) + ep11.MAX_BLOCK_SIZE"}]; +} + +message DecryptRequest { + bytes State = 1; + bytes Ciphered = 2; +} + +message DecryptResponse { + bytes Plain = 3 [(grep11.ep111) = {init : "len(in.Ciphered) + ep11.MAX_BLOCK_SIZE"}]; +} + +message EncryptFinalRequest { + bytes State = 1; +} + +message EncryptFinalResponse { + bytes Ciphered = 2 [(grep11.ep111) = {init : "ep11.MAX_BLOCK_SIZE"}]; +} + +message DecryptFinalRequest { + bytes State = 1; +} + +message DecryptFinalResponse { + bytes Plain = 2 [(grep11.ep111) = {init : "ep11.MAX_BLOCK_SIZE"}]; +} + +message EncryptSingleRequest { + bytes Key = 1 [(grep11.ep111) = {rewrite: true}]; + Mechanism Mech = 2; + bytes Plain = 3; +} + +message EncryptSingleResponse { + bytes Ciphered = 4 [(grep11.ep111) = {init : "len(in.Plain) + ep11.MAX_BLOCK_SIZE"}]; +} + +message DecryptSingleRequest { + bytes Key = 1 [(grep11.ep111) = {rewrite: true}]; + Mechanism Mech = 2; + bytes Ciphered = 3; +} + +message DecryptSingleResponse { + bytes Plain = 4 [(grep11.ep111) = {init : "len(in.Ciphered) + ep11.MAX_BLOCK_SIZE"}]; +} + +message SignInitRequest { + Mechanism Mech = 2; + bytes PrivKey = 3 [(grep11.ep111) = {rewrite: true}]; +} + +message SignInitResponse { + bytes State = 1 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message VerifyInitRequest { + Mechanism Mech = 2; + bytes PubKey = 3 [(grep11.ep111) = {rewrite: true}]; +} + +message VerifyInitResponse { + bytes State = 1 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message SignUpdateRequest { + bytes State = 1; + bytes Data = 2; +} + +message SignUpdateResponse { + bytes State = 1 [(grep11.ep111) = {stream : "State"}]; +} + +message VerifyUpdateRequest { + bytes State = 1; + bytes Data = 2; +} + +message VerifyUpdateResponse { + bytes State = 1 [(grep11.ep111) = {stream : "State"}]; +} + +message SignFinalRequest { + bytes State = 1; +} + +message SignFinalResponse { + bytes Signature = 2 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message VerifyFinalRequest { + bytes State = 1; + bytes Signature = 2; +} + +message VerifyFinalResponse { +} + +message SignRequest { + bytes State = 1; + bytes Data = 2; +} + +message SignResponse { + bytes Signature = 3 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message VerifyRequest { + bytes State = 1; + bytes Data = 2; + bytes Signature = 3; +} + +message VerifyResponse { +} + +message SignSingleRequest { + bytes PrivKey = 1 [(grep11.ep111) = {rewrite: true}]; + Mechanism Mech = 2; + bytes Data = 3; +} + +message SignSingleResponse { + bytes Signature = 4 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message VerifySingleRequest { + bytes PubKey = 1 [(grep11.ep111) = {rewrite: true}]; + Mechanism Mech = 2; + bytes Data = 3; + bytes Signature = 4; +} + +message VerifySingleResponse { +} + +message GenerateKeyRequest { + Mechanism Mech = 1; + map Template = 2 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; +} + +message GenerateKeyResponse { + bytes Key = 4 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE", rewrite: true}]; + bytes CheckSum = 5 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message GenerateKeyPairRequest { + Mechanism Mech = 1; + map PubKeyTemplate = 2 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; + map PrivKeyTemplate = 3 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; +} + +message GenerateKeyPairResponse { + bytes PrivKey = 5 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE", create: "in.PrivKeyTemplate"}]; + bytes PubKey = 6 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE", create: "in.PubKeyTemplate"}]; +} + +message WrapKeyRequest { + bytes Key = 1 [(grep11.ep111) = {rewrite: true}]; + bytes KeK = 2 [(grep11.ep111) = {rewrite: true}]; + bytes MacKey = 3 [(grep11.ep111) = {rewrite: true, allownil: true}]; + Mechanism Mech = 4; +} + +message WrapKeyResponse { + bytes Wrapped = 5 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message UnwrapKeyRequest { + bytes Wrapped = 1; + bytes KeK = 2 [(grep11.ep111) = {rewrite: true}]; + bytes MacKey = 3 [(grep11.ep111) = {rewrite: true, allownil: true}]; + Mechanism Mech = 5; + map Template = 6 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; +} + +message UnwrapKeyResponse { + bytes Unwrapped = 7 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE", rewrite: true}]; + bytes CheckSum = 8 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message DeriveKeyRequest { + Mechanism Mech = 1; + map Template = 2 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; + bytes BaseKey = 3 [(grep11.ep111) = {rewrite: true}]; + bytes Data = 4 [(grep11.ep111) = {allownil: true}]; +} + +message DeriveKeyResponse { + bytes NewKey = 6 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE", rewrite: true}]; + bytes CheckSum = 7 [(grep11.ep111) = {init : "ep11.MAX_BLOB_SIZE"}]; +} + +message GetMechanismListRequest { +} + +message GetMechanismListResponse { + repeated uint64 Mechs = 2 [(gogoproto.casttype) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Mechanism", (grep11.ep111) = {init : "ep11.MAX_MECHANISM_COUNT"}]; +} + +message GetMechanismInfoRequest { + uint64 Mech = 1 [(gogoproto.casttype) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Mechanism"]; +} + +message GetMechanismInfoResponse { + MechanismInfo MechInfo = 3; +} + +message GetAttributeValueRequest { + bytes Object = 1; + map Attributes = 2 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; +} + +message GetAttributeValueResponse { + map Attributes = 2 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute", (grep11.ep111) = {stream : "Attributes"}]; +} + +message SetAttributeValueRequest { + bytes Object = 1; + map Attributes = 2 [(gogoproto.castkey) = "github.ibm.com/IBM-Blockchain/grep11/generated/ep11.Attribute"]; +} + +message SetAttributeValueResponse { + bytes Object = 1 [(grep11.ep111) = {stream : "Object"}]; +} + +service Crypto { +// See https://www-03.ibm.com/security/cryptocards/pciecc/pdf/ep11-structure.pdf for +// further documentation + // CK_RV m_GenerateRandom ( + // CK_BYTE_PTR rnd, CK_ULONG rndlen, + // target_t target) ; + rpc GenerateRandom(GenerateRandomRequest) returns (GenerateRandomResponse) { + option (google.api.http) = { + post: "/v1/crypto/GenerateRandom" + }; + option (grep11.ep11) = { + call: "m_GenerateRandom(rndC, rndLenC, s.targetC)" + }; + } + + // CK_RV m_DigestInit ( + // unsigned char *state, size_t *statelen, + // const CK_MECHANISM_PTR mech, + // target_t target) ; + rpc DigestInit(DigestInitRequest) returns (DigestInitResponse) { + option (google.api.http) = { + post: "/v1/crypto/DigestInit" + }; + option (grep11.ep11) = { + call: "m_DigestInit(stateC, &stateLenC, mechC, s.targetC)" + }; + } + + // CK_RV m_Digest ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR data, CK_ULONG datalen, + // CK_BYTE_PTR digest, CK_ULONG_PTR digestlen, + // target_t target) ; + rpc Digest(DigestRequest) returns (DigestResponse) { + option (google.api.http) = { + post: "/v1/crypto/Digest" + }; + option (grep11.ep11) = { + call: "m_Digest(stateC, stateLenC, dataC, dataLenC, digestC, &digestLenC, s.targetC)" + }; + } + + // CK_RV m_DigestUpdate ( + // unsigned char *state, size_t statelen, + // CK_BYTE_PTR data, CK_ULONG datalen, + // target_t target) ; + rpc DigestUpdate(DigestUpdateRequest) returns (DigestUpdateResponse) { + option (google.api.http) = { + post: "/v1/crypto/DigestUpdate" + }; + option (grep11.ep11) = { + call: "m_DigestUpdate(stateC, stateLenC, dataC, dataLenC, s.targetC)" + }; + } + + // CK_RV m_DigestKey ( + // unsigned char *state, size_t statelen, + // const unsigned char *key, size_t keylen, + // target_t target) ; + rpc DigestKey(DigestKeyRequest) returns (DigestKeyResponse) { + option (google.api.http) = { + post: "/v1/crypto/DigestKey" + }; + option (grep11.ep11) = { + call: "m_DigestKey(stateC, stateLenC, keyC, keyLenC, s.targetC)" + }; + } + + // CK_RV m_DigestFinal ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR digest, CK_ULONG_PTR digestlen, + // target_t target) ; + rpc DigestFinal(DigestFinalRequest) returns (DigestFinalResponse) { + option (google.api.http) = { + post: "/v1/crypto/DigestFinal" + }; + option (grep11.ep11) = { + call: "m_DigestFinal(stateC, stateLenC, digestC, &digestLenC, s.targetC)" + }; + } + + // CK_RV m_DigestSingle ( + // CK_MECHANISM_PTR mech, + // CK_BYTE_PTR data, CK_ULONG datalen, + // CK_BYTE_PTR digest, CK_ULONG_PTR digestlen, + // target_t target) ; + rpc DigestSingle(DigestSingleRequest) returns (DigestSingleResponse) { + option (google.api.http) = { + post: "/v1/crypto/DigestSingle" + }; + option (grep11.ep11) = { + call: "m_DigestSingle(mechC, dataC, dataLenC, digestC, &digestLenC, s.targetC)" + }; + } + + // CK_RV m_EncryptInit ( + // unsigned char *state, size_t *statelen, + // CK_MECHANISM_PTR mech, + // const unsigned char *key, size_t keylen, + // target_t target) ; + rpc EncryptInit(EncryptInitRequest) returns (EncryptInitResponse) { + option (google.api.http) = { + post: "/v1/crypto/EncryptInit" + }; + option (grep11.ep11) = { + call: "m_EncryptInit(stateC, &stateLenC, mechC, keyC, keyLenC, s.targetC)" + }; + } + + // CK_RV m_DecryptInit ( + // unsigned char *state, size_t *statelen, + // CK_MECHANISM_PTR mech, + // const unsigned char *key, size_t keylen, + // target_t target) ; + rpc DecryptInit(DecryptInitRequest) returns (DecryptInitResponse) { + option (google.api.http) = { + post: "/v1/crypto/DecryptInit" + }; + option (grep11.ep11) = { + call: "m_DecryptInit(stateC, &stateLenC, mechC, keyC, keyLenC, s.targetC)" + }; + } + + // CK_RV m_EncryptUpdate ( + // unsigned char *state, size_t statelen, + // CK_BYTE_PTR plain, CK_ULONG plainlen, + // CK_BYTE_PTR ciphered, CK_ULONG_PTR cipheredlen, + // target_t target) ; + rpc EncryptUpdate(EncryptUpdateRequest) returns (EncryptUpdateResponse) { + option (google.api.http) = { + post: "/v1/crypto/EncryptUpdate" + }; + option (grep11.ep11) = { + call: "m_EncryptUpdate(stateC, stateLenC, plainC, plainLenC, cipheredC, &cipheredLenC, s.targetC)" + }; + } + + // CK_RV m_DecryptUpdate ( + // unsigned char *state, size_t statelen, + // CK_BYTE_PTR ciphered, CK_ULONG cipheredlen, + // CK_BYTE_PTR plain, CK_ULONG_PTR plainlen, + // target_t target) ; + rpc DecryptUpdate(DecryptUpdateRequest) returns (DecryptUpdateResponse) { + option (google.api.http) = { + post: "/v1/crypto/DecryptUpdate" + }; + option (grep11.ep11) = { + call: "m_DecryptUpdate(stateC, stateLenC, cipheredC, cipheredLenC, plainC, &plainLenC, s.targetC)" + }; + } + + // CK_RV m_Encrypt ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR plain, CK_ULONG plainlen, + // CK_BYTE_PTR ciphered, CK_ULONG_PTR cipheredlen, + // target_t target) ; + rpc Encrypt(EncryptRequest) returns (EncryptResponse) { + option (google.api.http) = { + post: "/v1/crypto/Encrypt" + }; + option (grep11.ep11) = { + call: "m_Encrypt(stateC, stateLenC, plainC, plainLenC, cipheredC, &cipheredLenC, s.targetC)" + }; + } + + // CK_RV m_Decrypt ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR ciphered, CK_ULONG cipheredlen, + // CK_BYTE_PTR plain, CK_ULONG_PTR plainlen, + // target_t target) ; + rpc Decrypt(DecryptRequest) returns (DecryptResponse) { + option (google.api.http) = { + post: "/v1/crypto/Decrypt" + }; + option (grep11.ep11) = { + call: "m_Decrypt(stateC, stateLenC, cipheredC, cipheredLenC, plainC, &plainLenC, s.targetC)" + }; + } + + // CK_RV m_EncryptFinal ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR ciphered, CK_ULONG_PTR cipheredlen, + // target_t target) ; + rpc EncryptFinal(EncryptFinalRequest) returns (EncryptFinalResponse) { + option (google.api.http) = { + post: "/v1/crypto/EncryptFinal" + }; + option (grep11.ep11) = { + call: "m_EncryptFinal(stateC, stateLenC, cipheredC, &cipheredLenC, s.targetC)" + }; + } + + // CK_RV m_DecryptFinal ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR plain, CK_ULONG_PTR plainlen, + // target_t target) ; + rpc DecryptFinal(DecryptFinalRequest) returns (DecryptFinalResponse) { + option (google.api.http) = { + post: "/v1/crypto/DecryptFinal" + }; + option (grep11.ep11) = { + call: "m_DecryptFinal(stateC, stateLenC, plainC, &plainLenC, s.targetC)" + }; + } + + // CK_RV m_EncryptSingle ( + // const unsigned char *key, size_t keylen, + // CK_MECHANISM_PTR mech, + // CK_BYTE_PTR plain, CK_ULONG plainlen, + // CK_BYTE_PTR ciphered, CK_ULONG_PTR cipheredlen, + // target_t target) ; + rpc EncryptSingle(EncryptSingleRequest) returns (EncryptSingleResponse) { + option (google.api.http) = { + post: "/v1/crypto/EncryptSingle" + }; + option (grep11.ep11) = { + call: "m_EncryptSingle(keyC, keyLenC, mechC, plainC, plainLenC, cipheredC, &cipheredLenC, s.targetC)" + }; + } + + // CK_RV m_DecryptSingle ( + // const unsigned char *key, size_t keylen, + // CK_MECHANISM_PTR mech, + // CK_BYTE_PTR ciphered, CK_ULONG cipheredlen, + // CK_BYTE_PTR plain, CK_ULONG_PTR plainlen, + // target_t target) ; + rpc DecryptSingle(DecryptSingleRequest) returns (DecryptSingleResponse) { + option (google.api.http) = { + post: "/v1/crypto/DecryptSingle" + }; + option (grep11.ep11) = { + call: "m_DecryptSingle(keyC, keyLenC, mechC, cipheredC, cipheredLenC, plainC, &plainLenC, s.targetC)" + }; + } + + // CK_RV m_SignInit ( + // unsigned char *state, size_t *statelen, + // CK_MECHANISM_PTR mech, + // const unsigned char *privKey, size_t privKeylen, + // target_t target) ; + rpc SignInit(SignInitRequest) returns (SignInitResponse) { + option (google.api.http) = { + post: "/v1/crypto/SignInit" + }; + option (grep11.ep11) = { + call: "m_SignInit(stateC, &stateLenC, mechC, privKeyC, privKeyLenC, s.targetC)" + }; + } + + // CK_RV m_VerifyInit ( + // unsigned char *state, size_t *statelen, + // CK_MECHANISM_PTR mech, + // const unsigned char *pubKey, size_t pubKeylen, + // target_t target) ; + rpc VerifyInit(VerifyInitRequest) returns (VerifyInitResponse) { + option (google.api.http) = { + post: "/v1/crypto/VerifyInit" + }; + option (grep11.ep11) = { + call: "m_VerifyInit(stateC, &stateLenC, mechC, pubKeyC, pubKeyLenC, s.targetC)" + }; + } + + // CK_RV m_SignUpdate ( + // unsigned char *state, size_t statelen, + // CK_BYTE_PTR data, CK_ULONG datalen, + // target_t target) ; + rpc SignUpdate(SignUpdateRequest) returns (SignUpdateResponse) { + option (google.api.http) = { + post: "/v1/crypto/SignUpdate" + }; + option (grep11.ep11) = { + call: "m_SignUpdate(stateC, stateLenC, dataC, dataLenC, s.targetC)" + }; + } + + // CK_RV m_VerifyUpdate ( + // unsigned char *state, size_t statelen, + // CK_BYTE_PTR data, CK_ULONG datalen, + // target_t target) ; + rpc VerifyUpdate(VerifyUpdateRequest) returns (VerifyUpdateResponse) { + option (google.api.http) = { + post: "/v1/crypto/VerifyUpdate" + }; + option (grep11.ep11) = { + call: "m_VerifyUpdate(stateC, stateLenC, dataC, dataLenC, s.targetC)" + }; + } + + // CK_RV m_SignFinal ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR signature, CK_ULONG_PTR signaturelen, + // target_t target) ; + rpc SignFinal(SignFinalRequest) returns (SignFinalResponse) { + option (google.api.http) = { + post: "/v1/crypto/SignFinal" + }; + option (grep11.ep11) = { + call: "m_SignFinal(stateC, stateLenC, signatureC, &signatureLenC, s.targetC)" + }; + } + + // CK_RV m_VerifyFinal ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR signature, CK_ULONG signaturelen, + // target_t target) ; + rpc VerifyFinal(VerifyFinalRequest) returns (VerifyFinalResponse) { + option (google.api.http) = { + post: "/v1/crypto/VerifyFinal" + }; + option (grep11.ep11) = { + call: "m_VerifyFinal(stateC, stateLenC, signatureC, signatureLenC, s.targetC)" + }; + } + + // CK_RV m_Sign ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR data, CK_ULONG datalen, + // CK_BYTE_PTR signature, CK_ULONG_PTR signaturelen, + // target_t target) ; + rpc Sign(SignRequest) returns (SignResponse) { + option (google.api.http) = { + post: "/v1/crypto/Sign" + }; + option (grep11.ep11) = { + call: "m_Sign(stateC, stateLenC, dataC, dataLenC, signatureC, &signatureLenC, s.targetC)" + }; + } + + // CK_RV m_Verify ( + // const unsigned char *state, size_t statelen, + // CK_BYTE_PTR data, CK_ULONG datalen, + // CK_BYTE_PTR signature, CK_ULONG signaturelen, + // target_t target) ; + rpc Verify(VerifyRequest) returns (VerifyResponse) { + option (google.api.http) = { + post: "/v1/crypto/Verify" + }; + option (grep11.ep11) = { + call: "m_Verify(stateC, stateLenC, dataC, dataLenC, signatureC, signatureLenC, s.targetC)" + }; + } + + // CK_RV m_SignSingle ( + // const unsigned char *privKey, size_t privKeylen, + // CK_MECHANISM_PTR mech, + // CK_BYTE_PTR data, CK_ULONG datalen, + // CK_BYTE_PTR signature, CK_ULONG_PTR signaturelen, + // target_t target) ; + rpc SignSingle(SignSingleRequest) returns (SignSingleResponse) { + option (google.api.http) = { + post: "/v1/crypto/SignSingle" + }; + option (grep11.ep11) = { + call: "m_SignSingle(privKeyC, privKeyLenC, mechC, dataC, dataLenC, signatureC, &signatureLenC, s.targetC)" + }; + } + + // CK_RV m_VerifySingle ( + // const unsigned char *pubKey, size_t pubKeylen, + // CK_MECHANISM_PTR mech, + // CK_BYTE_PTR data, CK_ULONG datalen, + // CK_BYTE_PTR signature, CK_ULONG signaturelen, + // target_t target) ; + rpc VerifySingle(VerifySingleRequest) returns (VerifySingleResponse) { + option (google.api.http) = { + post: "/v1/crypto/VerifySingle" + }; + option (grep11.ep11) = { + call: "m_VerifySingle(pubKeyC, pubKeyLenC, mechC, dataC, dataLenC, signatureC, signatureLenC, s.targetC)" + }; + } + + // CK_RV m_GenerateKey ( + // CK_MECHANISM_PTR mech, + // CK_ATTRIBUTE_PTR template, CK_ULONG templatelen, + // const unsigned char *pin, size_t pinlen, + // unsigned char *key, size_t *keylen, + // unsigned char *checkSum, size_t *checkSumlen, + // target_t target) ; + rpc GenerateKey(GenerateKeyRequest) returns (GenerateKeyResponse) { + option (google.api.http) = { + post: "/v1/crypto/GenerateKey" + }; + option (grep11.ep11) = { + call: "m_GenerateKey(mechC, templateC, templateLenC, s.pinblobC, s.pinbloblen, keyC, &keyLenC, checkSumC, &checkSumLenC, s.targetC)" + }; + } + + // CK_RV m_GenerateKeyPair ( + // CK_MECHANISM_PTR mech, + // CK_ATTRIBUTE_PTR pubKeyTemplate, CK_ULONG pubKeyTemplatelen, + // CK_ATTRIBUTE_PTR privKeyTemplate, CK_ULONG privKeyTemplatelen, + // const unsigned char *pin, size_t pinlen, + // unsigned char *privKey, size_t *privKeylen, + // unsigned char *pubKey, size_t *pubKeylen, + // target_t target) ; + rpc GenerateKeyPair(GenerateKeyPairRequest) returns (GenerateKeyPairResponse) { + option (google.api.http) = { + post: "/v1/crypto/GenerateKeyPair" + }; + option (grep11.ep11) = { + call: "m_GenerateKeyPair(mechC, pubKeyTemplateC, pubKeyTemplateLenC, privKeyTemplateC, privKeyTemplateLenC, s.pinblobC, s.pinbloblen, privKeyC, &privKeyLenC, pubKeyC, &pubKeyLenC, s.targetC)" + postcall: "rc.PrivKey, rc.PubKey, err = s.Rewriter.FixupPair(c, in.Mech.Mechanism, in.PrivKeyTemplate, rc.PrivKey, in.PubKeyTemplate, rc.PubKey)" + }; + } + + // CK_RV m_WrapKey ( + // const unsigned char *key, size_t keylen, + // const unsigned char *keK, size_t keKlen, + // const unsigned char *macKey, size_t macKeylen, + // const CK_MECHANISM_PTR mech, + // CK_BYTE_PTR wrapped, CK_ULONG_PTR wrappedlen, + // target_t target) ; + rpc WrapKey(WrapKeyRequest) returns (WrapKeyResponse) { + option (google.api.http) = { + post: "/v1/crypto/WrapKey" + }; + option (grep11.ep11) = { + call: "m_WrapKey(keyC, keyLenC, keKC, keKLenC, macKeyC, macKeyLenC, mechC, wrappedC, &wrappedLenC, s.targetC)" + }; + } + + // CK_RV m_UnwrapKey ( + // const CK_BYTE_PTR wrapped, CK_ULONG wrappedlen, + // const unsigned char *keK, size_t keKlen, + // const unsigned char *macKey, size_t macKeylen, + // const unsigned char *pin, size_t pinlen, + // const CK_MECHANISM_PTR mech, + // const CK_ATTRIBUTE_PTR template, CK_ULONG templatelen, + // unsigned char *unwrapped, size_t *unwrappedlen, + // CK_BYTE_PTR checkSum, CK_ULONG *checkSumlen, + // target_t target) ; + rpc UnwrapKey(UnwrapKeyRequest) returns (UnwrapKeyResponse) { + option (google.api.http) = { + post: "/v1/crypto/UnwrapKey" + }; + option (grep11.ep11) = { + call: "m_UnwrapKey(wrappedC, wrappedLenC, keKC, keKLenC, macKeyC, macKeyLenC, s.pinblobC, s.pinbloblen, mechC, templateC, templateLenC, unwrappedC, &unwrappedLenC, checkSumC, &checkSumLenC, s.targetC)" + }; + } + + // CK_RV m_DeriveKey ( + // CK_MECHANISM_PTR mech, + // CK_ATTRIBUTE_PTR template, CK_ULONG templatelen, + // const unsigned char *baseKey, size_t baseKeylen, + // const unsigned char *data, size_t datalen, + // const unsigned char *pin, size_t pinlen, + // unsigned char *newKey, size_t *newKeylen, + // unsigned char *checkSum, size_t *checkSumlen, + // target_t target) ; + rpc DeriveKey(DeriveKeyRequest) returns (DeriveKeyResponse) { + option (google.api.http) = { + post: "/v1/crypto/DeriveKey" + }; + option (grep11.ep11) = { + call: "m_DeriveKey(mechC, templateC, templateLenC, baseKeyC, baseKeyLenC, dataC, dataLenC, s.pinblobC, s.pinbloblen, newKeyC, &newKeyLenC, checkSumC, &checkSumLenC, s.targetC)" + }; + } + + // CK_RV m_GetMechanismList ( + // CK_SLOT_ID slot, + // CK_MECHANISM_TYPE_PTR mechs, CK_ULONG_PTR mechslen, + // target_t target) ; + rpc GetMechanismList(GetMechanismListRequest) returns (GetMechanismListResponse) { + option (google.api.http) = { + post: "/v1/crypto/GetMechanismList" + }; + option (grep11.ep11) = { + call: "m_GetMechanismList(C.CK_SLOT_ID(0), mechsC, &mechsLenC, s.targetC)" + }; + } + + // CK_RV m_GetMechanismInfo ( + // CK_SLOT_ID slot, + // CK_MECHANISM_TYPE mech, + // CK_MECHANISM_INFO_PTR mechInfo, + // target_t target) ; + rpc GetMechanismInfo(GetMechanismInfoRequest) returns (GetMechanismInfoResponse) { + option (google.api.http) = { + post: "/v1/crypto/GetMechanismInfo" + }; + option (grep11.ep11) = { + call: "m_GetMechanismInfo(C.CK_SLOT_ID(0), mechC, mechInfoC, s.targetC)" + }; + } + + // CK_RV m_GetAttributeValue ( + // const unsigned char *object, size_t objectlen, + // CK_ATTRIBUTE_PTR attributes, CK_ULONG attributeslen, + // target_t target) ; + rpc GetAttributeValue(GetAttributeValueRequest) returns (GetAttributeValueResponse) { + option (google.api.http) = { + post: "/v1/crypto/GetAttributeValue" + }; + option (grep11.ep11) = { + call: "m_GetAttributeValue(objectC, objectLenC, attributesC, attributesLenC, s.targetC)" + }; + } + + // CK_RV m_SetAttributeValue ( + // unsigned char *object, size_t objectlen, + // CK_ATTRIBUTE_PTR attributes, CK_ULONG attributeslen, + // target_t target) ; + rpc SetAttributeValue(SetAttributeValueRequest) returns (SetAttributeValueResponse) { + option (google.api.http) = { + post: "/v1/crypto/SetAttributeValue" + }; + option (grep11.ep11) = { + call: "m_SetAttributeValue(objectC, objectLenC, attributesC, attributesLenC, s.targetC)" + }; + } + +} diff --git a/python/grpc/generated/python_grpc/.keep b/python/grpc/generated/python_grpc/.keep new file mode 100644 index 0000000..e69de29 diff --git a/python/grpc/vendor/github.com/gogo/googleapis/LICENSE b/python/grpc/vendor/github.com/gogo/googleapis/LICENSE new file mode 100644 index 0000000..d6f85b1 --- /dev/null +++ b/python/grpc/vendor/github.com/gogo/googleapis/LICENSE @@ -0,0 +1,203 @@ +Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2015, Google Inc + Copyright 2018, GoGo Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/python/grpc/vendor/github.com/gogo/googleapis/google/api/annotations.proto b/python/grpc/vendor/github.com/gogo/googleapis/google/api/annotations.proto new file mode 100644 index 0000000..9daedc9 --- /dev/null +++ b/python/grpc/vendor/github.com/gogo/googleapis/google/api/annotations.proto @@ -0,0 +1,31 @@ +// Copyright (c) 2015, Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.api; + +import "google/api/http.proto"; +import "google/protobuf/descriptor.proto"; + +option go_package = "api"; +option java_multiple_files = true; +option java_outer_classname = "AnnotationsProto"; +option java_package = "com.google.api"; +option objc_class_prefix = "GAPI"; + +extend google.protobuf.MethodOptions { + // See `HttpRule`. + HttpRule http = 72295728; +} diff --git a/python/grpc/vendor/github.com/gogo/googleapis/google/api/http.proto b/python/grpc/vendor/github.com/gogo/googleapis/google/api/http.proto new file mode 100644 index 0000000..7c7d01a --- /dev/null +++ b/python/grpc/vendor/github.com/gogo/googleapis/google/api/http.proto @@ -0,0 +1,313 @@ +// Copyright 2018 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.api; + +option cc_enable_arenas = true; +option go_package = "api"; +option java_multiple_files = true; +option java_outer_classname = "HttpProto"; +option java_package = "com.google.api"; +option objc_class_prefix = "GAPI"; + + +// Defines the HTTP configuration for an API service. It contains a list of +// [HttpRule][google.api.HttpRule], each specifying the mapping of an RPC method +// to one or more HTTP REST API methods. +message Http { + // A list of HTTP configuration rules that apply to individual API methods. + // + // **NOTE:** All service configuration rules follow "last one wins" order. + repeated HttpRule rules = 1; + + // When set to true, URL path parmeters will be fully URI-decoded except in + // cases of single segment matches in reserved expansion, where "%2F" will be + // left encoded. + // + // The default behavior is to not decode RFC 6570 reserved characters in multi + // segment matches. + bool fully_decode_reserved_expansion = 2; +} + +// `HttpRule` defines the mapping of an RPC method to one or more HTTP +// REST API methods. The mapping specifies how different portions of the RPC +// request message are mapped to URL path, URL query parameters, and +// HTTP request body. The mapping is typically specified as an +// `google.api.http` annotation on the RPC method, +// see "google/api/annotations.proto" for details. +// +// The mapping consists of a field specifying the path template and +// method kind. The path template can refer to fields in the request +// message, as in the example below which describes a REST GET +// operation on a resource collection of messages: +// +// +// service Messaging { +// rpc GetMessage(GetMessageRequest) returns (Message) { +// option (google.api.http).get = "/v1/messages/{message_id}/{sub.subfield}"; +// } +// } +// message GetMessageRequest { +// message SubMessage { +// string subfield = 1; +// } +// string message_id = 1; // mapped to the URL +// SubMessage sub = 2; // `sub.subfield` is url-mapped +// } +// message Message { +// string text = 1; // content of the resource +// } +// +// The same http annotation can alternatively be expressed inside the +// `GRPC API Configuration` YAML file. +// +// http: +// rules: +// - selector: .Messaging.GetMessage +// get: /v1/messages/{message_id}/{sub.subfield} +// +// This definition enables an automatic, bidrectional mapping of HTTP +// JSON to RPC. Example: +// +// HTTP | RPC +// -----|----- +// `GET /v1/messages/123456/foo` | `GetMessage(message_id: "123456" sub: SubMessage(subfield: "foo"))` +// +// In general, not only fields but also field paths can be referenced +// from a path pattern. Fields mapped to the path pattern cannot be +// repeated and must have a primitive (non-message) type. +// +// Any fields in the request message which are not bound by the path +// pattern automatically become (optional) HTTP query +// parameters. Assume the following definition of the request message: +// +// +// service Messaging { +// rpc GetMessage(GetMessageRequest) returns (Message) { +// option (google.api.http).get = "/v1/messages/{message_id}"; +// } +// } +// message GetMessageRequest { +// message SubMessage { +// string subfield = 1; +// } +// string message_id = 1; // mapped to the URL +// int64 revision = 2; // becomes a parameter +// SubMessage sub = 3; // `sub.subfield` becomes a parameter +// } +// +// +// This enables a HTTP JSON to RPC mapping as below: +// +// HTTP | RPC +// -----|----- +// `GET /v1/messages/123456?revision=2&sub.subfield=foo` | `GetMessage(message_id: "123456" revision: 2 sub: SubMessage(subfield: "foo"))` +// +// Note that fields which are mapped to HTTP parameters must have a +// primitive type or a repeated primitive type. Message types are not +// allowed. In the case of a repeated type, the parameter can be +// repeated in the URL, as in `...?param=A¶m=B`. +// +// For HTTP method kinds which allow a request body, the `body` field +// specifies the mapping. Consider a REST update method on the +// message resource collection: +// +// +// service Messaging { +// rpc UpdateMessage(UpdateMessageRequest) returns (Message) { +// option (google.api.http) = { +// put: "/v1/messages/{message_id}" +// body: "message" +// }; +// } +// } +// message UpdateMessageRequest { +// string message_id = 1; // mapped to the URL +// Message message = 2; // mapped to the body +// } +// +// +// The following HTTP JSON to RPC mapping is enabled, where the +// representation of the JSON in the request body is determined by +// protos JSON encoding: +// +// HTTP | RPC +// -----|----- +// `PUT /v1/messages/123456 { "text": "Hi!" }` | `UpdateMessage(message_id: "123456" message { text: "Hi!" })` +// +// The special name `*` can be used in the body mapping to define that +// every field not bound by the path template should be mapped to the +// request body. This enables the following alternative definition of +// the update method: +// +// service Messaging { +// rpc UpdateMessage(Message) returns (Message) { +// option (google.api.http) = { +// put: "/v1/messages/{message_id}" +// body: "*" +// }; +// } +// } +// message Message { +// string message_id = 1; +// string text = 2; +// } +// +// +// The following HTTP JSON to RPC mapping is enabled: +// +// HTTP | RPC +// -----|----- +// `PUT /v1/messages/123456 { "text": "Hi!" }` | `UpdateMessage(message_id: "123456" text: "Hi!")` +// +// Note that when using `*` in the body mapping, it is not possible to +// have HTTP parameters, as all fields not bound by the path end in +// the body. This makes this option more rarely used in practice of +// defining REST APIs. The common usage of `*` is in custom methods +// which don't use the URL at all for transferring data. +// +// It is possible to define multiple HTTP methods for one RPC by using +// the `additional_bindings` option. Example: +// +// service Messaging { +// rpc GetMessage(GetMessageRequest) returns (Message) { +// option (google.api.http) = { +// get: "/v1/messages/{message_id}" +// additional_bindings { +// get: "/v1/users/{user_id}/messages/{message_id}" +// } +// }; +// } +// } +// message GetMessageRequest { +// string message_id = 1; +// string user_id = 2; +// } +// +// +// This enables the following two alternative HTTP JSON to RPC +// mappings: +// +// HTTP | RPC +// -----|----- +// `GET /v1/messages/123456` | `GetMessage(message_id: "123456")` +// `GET /v1/users/me/messages/123456` | `GetMessage(user_id: "me" message_id: "123456")` +// +// # Rules for HTTP mapping +// +// The rules for mapping HTTP path, query parameters, and body fields +// to the request message are as follows: +// +// 1. The `body` field specifies either `*` or a field path, or is +// omitted. If omitted, it indicates there is no HTTP request body. +// 2. Leaf fields (recursive expansion of nested messages in the +// request) can be classified into three types: +// (a) Matched in the URL template. +// (b) Covered by body (if body is `*`, everything except (a) fields; +// else everything under the body field) +// (c) All other fields. +// 3. URL query parameters found in the HTTP request are mapped to (c) fields. +// 4. Any body sent with an HTTP request can contain only (b) fields. +// +// The syntax of the path template is as follows: +// +// Template = "/" Segments [ Verb ] ; +// Segments = Segment { "/" Segment } ; +// Segment = "*" | "**" | LITERAL | Variable ; +// Variable = "{" FieldPath [ "=" Segments ] "}" ; +// FieldPath = IDENT { "." IDENT } ; +// Verb = ":" LITERAL ; +// +// The syntax `*` matches a single path segment. The syntax `**` matches zero +// or more path segments, which must be the last part of the path except the +// `Verb`. The syntax `LITERAL` matches literal text in the path. +// +// The syntax `Variable` matches part of the URL path as specified by its +// template. A variable template must not contain other variables. If a variable +// matches a single path segment, its template may be omitted, e.g. `{var}` +// is equivalent to `{var=*}`. +// +// If a variable contains exactly one path segment, such as `"{var}"` or +// `"{var=*}"`, when such a variable is expanded into a URL path, all characters +// except `[-_.~0-9a-zA-Z]` are percent-encoded. Such variables show up in the +// Discovery Document as `{var}`. +// +// If a variable contains one or more path segments, such as `"{var=foo/*}"` +// or `"{var=**}"`, when such a variable is expanded into a URL path, all +// characters except `[-_.~/0-9a-zA-Z]` are percent-encoded. Such variables +// show up in the Discovery Document as `{+var}`. +// +// NOTE: While the single segment variable matches the semantics of +// [RFC 6570](https://tools.ietf.org/html/rfc6570) Section 3.2.2 +// Simple String Expansion, the multi segment variable **does not** match +// RFC 6570 Reserved Expansion. The reason is that the Reserved Expansion +// does not expand special characters like `?` and `#`, which would lead +// to invalid URLs. +// +// NOTE: the field paths in variables and in the `body` must not refer to +// repeated fields or map fields. +message HttpRule { + // Selects methods to which this rule applies. + // + // Refer to [selector][google.api.DocumentationRule.selector] for syntax details. + string selector = 1; + + // Determines the URL pattern is matched by this rules. This pattern can be + // used with any of the {get|put|post|delete|patch} methods. A custom method + // can be defined using the 'custom' field. + oneof pattern { + // Used for listing and getting information about resources. + string get = 2; + + // Used for updating a resource. + string put = 3; + + // Used for creating a resource. + string post = 4; + + // Used for deleting a resource. + string delete = 5; + + // Used for updating a resource. + string patch = 6; + + // The custom pattern is used for specifying an HTTP method that is not + // included in the `pattern` field, such as HEAD, or "*" to leave the + // HTTP method unspecified for this rule. The wild-card rule is useful + // for services that provide content to Web (HTML) clients. + CustomHttpPattern custom = 8; + } + + // The name of the request field whose value is mapped to the HTTP body, or + // `*` for mapping all fields not captured by the path pattern to the HTTP + // body. NOTE: the referred field must not be a repeated field and must be + // present at the top-level of request message type. + string body = 7; + + // Additional HTTP bindings for the selector. Nested bindings must + // not contain an `additional_bindings` field themselves (that is, + // the nesting may only be one level deep). + repeated HttpRule additional_bindings = 11; +} + +// A custom pattern is used for defining custom HTTP verb. +message CustomHttpPattern { + // The name of this custom HTTP verb. + string kind = 1; + + // The path matched by this custom verb. + string path = 2; +} diff --git a/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/code.proto b/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/code.proto new file mode 100644 index 0000000..d832de1 --- /dev/null +++ b/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/code.proto @@ -0,0 +1,186 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.rpc; + +option go_package = "rpc"; +option java_multiple_files = true; +option java_outer_classname = "CodeProto"; +option java_package = "com.google.rpc"; +option objc_class_prefix = "RPC"; + + +// The canonical error codes for Google APIs. +// +// +// Sometimes multiple error codes may apply. Services should return +// the most specific error code that applies. For example, prefer +// `OUT_OF_RANGE` over `FAILED_PRECONDITION` if both codes apply. +// Similarly prefer `NOT_FOUND` or `ALREADY_EXISTS` over `FAILED_PRECONDITION`. +enum Code { + // Not an error; returned on success + // + // HTTP Mapping: 200 OK + OK = 0; + + // The operation was cancelled, typically by the caller. + // + // HTTP Mapping: 499 Client Closed Request + CANCELLED = 1; + + // Unknown error. For example, this error may be returned when + // a `Status` value received from another address space belongs to + // an error space that is not known in this address space. Also + // errors raised by APIs that do not return enough error information + // may be converted to this error. + // + // HTTP Mapping: 500 Internal Server Error + UNKNOWN = 2; + + // The client specified an invalid argument. Note that this differs + // from `FAILED_PRECONDITION`. `INVALID_ARGUMENT` indicates arguments + // that are problematic regardless of the state of the system + // (e.g., a malformed file name). + // + // HTTP Mapping: 400 Bad Request + INVALID_ARGUMENT = 3; + + // The deadline expired before the operation could complete. For operations + // that change the state of the system, this error may be returned + // even if the operation has completed successfully. For example, a + // successful response from a server could have been delayed long + // enough for the deadline to expire. + // + // HTTP Mapping: 504 Gateway Timeout + DEADLINE_EXCEEDED = 4; + + // Some requested entity (e.g., file or directory) was not found. + // + // Note to server developers: if a request is denied for an entire class + // of users, such as gradual feature rollout or undocumented whitelist, + // `NOT_FOUND` may be used. If a request is denied for some users within + // a class of users, such as user-based access control, `PERMISSION_DENIED` + // must be used. + // + // HTTP Mapping: 404 Not Found + NOT_FOUND = 5; + + // The entity that a client attempted to create (e.g., file or directory) + // already exists. + // + // HTTP Mapping: 409 Conflict + ALREADY_EXISTS = 6; + + // The caller does not have permission to execute the specified + // operation. `PERMISSION_DENIED` must not be used for rejections + // caused by exhausting some resource (use `RESOURCE_EXHAUSTED` + // instead for those errors). `PERMISSION_DENIED` must not be + // used if the caller can not be identified (use `UNAUTHENTICATED` + // instead for those errors). This error code does not imply the + // request is valid or the requested entity exists or satisfies + // other pre-conditions. + // + // HTTP Mapping: 403 Forbidden + PERMISSION_DENIED = 7; + + // The request does not have valid authentication credentials for the + // operation. + // + // HTTP Mapping: 401 Unauthorized + UNAUTHENTICATED = 16; + + // Some resource has been exhausted, perhaps a per-user quota, or + // perhaps the entire file system is out of space. + // + // HTTP Mapping: 429 Too Many Requests + RESOURCE_EXHAUSTED = 8; + + // The operation was rejected because the system is not in a state + // required for the operation's execution. For example, the directory + // to be deleted is non-empty, an rmdir operation is applied to + // a non-directory, etc. + // + // Service implementors can use the following guidelines to decide + // between `FAILED_PRECONDITION`, `ABORTED`, and `UNAVAILABLE`: + // (a) Use `UNAVAILABLE` if the client can retry just the failing call. + // (b) Use `ABORTED` if the client should retry at a higher level + // (e.g., when a client-specified test-and-set fails, indicating the + // client should restart a read-modify-write sequence). + // (c) Use `FAILED_PRECONDITION` if the client should not retry until + // the system state has been explicitly fixed. E.g., if an "rmdir" + // fails because the directory is non-empty, `FAILED_PRECONDITION` + // should be returned since the client should not retry unless + // the files are deleted from the directory. + // + // HTTP Mapping: 400 Bad Request + FAILED_PRECONDITION = 9; + + // The operation was aborted, typically due to a concurrency issue such as + // a sequencer check failure or transaction abort. + // + // See the guidelines above for deciding between `FAILED_PRECONDITION`, + // `ABORTED`, and `UNAVAILABLE`. + // + // HTTP Mapping: 409 Conflict + ABORTED = 10; + + // The operation was attempted past the valid range. E.g., seeking or + // reading past end-of-file. + // + // Unlike `INVALID_ARGUMENT`, this error indicates a problem that may + // be fixed if the system state changes. For example, a 32-bit file + // system will generate `INVALID_ARGUMENT` if asked to read at an + // offset that is not in the range [0,2^32-1], but it will generate + // `OUT_OF_RANGE` if asked to read from an offset past the current + // file size. + // + // There is a fair bit of overlap between `FAILED_PRECONDITION` and + // `OUT_OF_RANGE`. We recommend using `OUT_OF_RANGE` (the more specific + // error) when it applies so that callers who are iterating through + // a space can easily look for an `OUT_OF_RANGE` error to detect when + // they are done. + // + // HTTP Mapping: 400 Bad Request + OUT_OF_RANGE = 11; + + // The operation is not implemented or is not supported/enabled in this + // service. + // + // HTTP Mapping: 501 Not Implemented + UNIMPLEMENTED = 12; + + // Internal errors. This means that some invariants expected by the + // underlying system have been broken. This error code is reserved + // for serious errors. + // + // HTTP Mapping: 500 Internal Server Error + INTERNAL = 13; + + // The service is currently unavailable. This is most likely a + // transient condition, which can be corrected by retrying with + // a backoff. + // + // See the guidelines above for deciding between `FAILED_PRECONDITION`, + // `ABORTED`, and `UNAVAILABLE`. + // + // HTTP Mapping: 503 Service Unavailable + UNAVAILABLE = 14; + + // Unrecoverable data loss or corruption. + // + // HTTP Mapping: 500 Internal Server Error + DATA_LOSS = 15; +} diff --git a/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/error_details.proto b/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/error_details.proto new file mode 100644 index 0000000..a62078b --- /dev/null +++ b/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/error_details.proto @@ -0,0 +1,200 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.rpc; + +import "google/protobuf/duration.proto"; + +option go_package = "rpc"; +option java_multiple_files = true; +option java_outer_classname = "ErrorDetailsProto"; +option java_package = "com.google.rpc"; +option objc_class_prefix = "RPC"; + + +// Describes when the clients can retry a failed request. Clients could ignore +// the recommendation here or retry when this information is missing from error +// responses. +// +// It's always recommended that clients should use exponential backoff when +// retrying. +// +// Clients should wait until `retry_delay` amount of time has passed since +// receiving the error response before retrying. If retrying requests also +// fail, clients should use an exponential backoff scheme to gradually increase +// the delay between retries based on `retry_delay`, until either a maximum +// number of retires have been reached or a maximum retry delay cap has been +// reached. +message RetryInfo { + // Clients should wait at least this long between retrying the same request. + google.protobuf.Duration retry_delay = 1; +} + +// Describes additional debugging info. +message DebugInfo { + // The stack trace entries indicating where the error occurred. + repeated string stack_entries = 1; + + // Additional debugging information provided by the server. + string detail = 2; +} + +// Describes how a quota check failed. +// +// For example if a daily limit was exceeded for the calling project, +// a service could respond with a QuotaFailure detail containing the project +// id and the description of the quota limit that was exceeded. If the +// calling project hasn't enabled the service in the developer console, then +// a service could respond with the project id and set `service_disabled` +// to true. +// +// Also see RetryDetail and Help types for other details about handling a +// quota failure. +message QuotaFailure { + // A message type used to describe a single quota violation. For example, a + // daily quota or a custom quota that was exceeded. + message Violation { + // The subject on which the quota check failed. + // For example, "clientip:" or "project:". + string subject = 1; + + // A description of how the quota check failed. Clients can use this + // description to find more about the quota configuration in the service's + // public documentation, or find the relevant quota limit to adjust through + // developer console. + // + // For example: "Service disabled" or "Daily Limit for read operations + // exceeded". + string description = 2; + } + + // Describes all quota violations. + repeated Violation violations = 1; +} + +// Describes what preconditions have failed. +// +// For example, if an RPC failed because it required the Terms of Service to be +// acknowledged, it could list the terms of service violation in the +// PreconditionFailure message. +message PreconditionFailure { + // A message type used to describe a single precondition failure. + message Violation { + // The type of PreconditionFailure. We recommend using a service-specific + // enum type to define the supported precondition violation types. For + // example, "TOS" for "Terms of Service violation". + string type = 1; + + // The subject, relative to the type, that failed. + // For example, "google.com/cloud" relative to the "TOS" type would + // indicate which terms of service is being referenced. + string subject = 2; + + // A description of how the precondition failed. Developers can use this + // description to understand how to fix the failure. + // + // For example: "Terms of service not accepted". + string description = 3; + } + + // Describes all precondition violations. + repeated Violation violations = 1; +} + +// Describes violations in a client request. This error type focuses on the +// syntactic aspects of the request. +message BadRequest { + // A message type used to describe a single bad request field. + message FieldViolation { + // A path leading to a field in the request body. The value will be a + // sequence of dot-separated identifiers that identify a protocol buffer + // field. E.g., "field_violations.field" would identify this field. + string field = 1; + + // A description of why the request element is bad. + string description = 2; + } + + // Describes all violations in a client request. + repeated FieldViolation field_violations = 1; +} + +// Contains metadata about the request that clients can attach when filing a bug +// or providing other forms of feedback. +message RequestInfo { + // An opaque string that should only be interpreted by the service generating + // it. For example, it can be used to identify requests in the service's logs. + string request_id = 1; + + // Any data that was used to serve this request. For example, an encrypted + // stack trace that can be sent back to the service provider for debugging. + string serving_data = 2; +} + +// Describes the resource that is being accessed. +message ResourceInfo { + // A name for the type of resource being accessed, e.g. "sql table", + // "cloud storage bucket", "file", "Google calendar"; or the type URL + // of the resource: e.g. "type.googleapis.com/google.pubsub.v1.Topic". + string resource_type = 1; + + // The name of the resource being accessed. For example, a shared calendar + // name: "example.com_4fghdhgsrgh@group.calendar.google.com", if the current + // error is [google.rpc.Code.PERMISSION_DENIED][google.rpc.Code.PERMISSION_DENIED]. + string resource_name = 2; + + // The owner of the resource (optional). + // For example, "user:" or "project:". + string owner = 3; + + // Describes what error is encountered when accessing this resource. + // For example, updating a cloud project may require the `writer` permission + // on the developer console project. + string description = 4; +} + +// Provides links to documentation or for performing an out of band action. +// +// For example, if a quota check failed with an error indicating the calling +// project hasn't enabled the accessed service, this can contain a URL pointing +// directly to the right place in the developer console to flip the bit. +message Help { + // Describes a URL link. + message Link { + // Describes what the link offers. + string description = 1; + + // The URL of the link. + string url = 2; + } + + // URL(s) pointing to additional information on handling the current error. + repeated Link links = 1; +} + +// Provides a localized error message that is safe to return to the user +// which can be attached to an RPC error. +message LocalizedMessage { + // The locale used following the specification defined at + // http://www.rfc-editor.org/rfc/bcp/bcp47.txt. + // Examples are: "en-US", "fr-CH", "es-MX" + string locale = 1; + + // The localized error message in the above locale. + string message = 2; +} diff --git a/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/status.proto b/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/status.proto new file mode 100644 index 0000000..db3226e --- /dev/null +++ b/python/grpc/vendor/github.com/gogo/googleapis/google/rpc/status.proto @@ -0,0 +1,92 @@ +// Copyright 2017 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package google.rpc; + +import "google/protobuf/any.proto"; + +option go_package = "rpc"; +option java_multiple_files = true; +option java_outer_classname = "StatusProto"; +option java_package = "com.google.rpc"; +option objc_class_prefix = "RPC"; + + +// The `Status` type defines a logical error model that is suitable for different +// programming environments, including REST APIs and RPC APIs. It is used by +// [gRPC](https://github.com/grpc). The error model is designed to be: +// +// - Simple to use and understand for most users +// - Flexible enough to meet unexpected needs +// +// # Overview +// +// The `Status` message contains three pieces of data: error code, error message, +// and error details. The error code should be an enum value of +// [google.rpc.Code][google.rpc.Code], but it may accept additional error codes if needed. The +// error message should be a developer-facing English message that helps +// developers *understand* and *resolve* the error. If a localized user-facing +// error message is needed, put the localized message in the error details or +// localize it in the client. The optional error details may contain arbitrary +// information about the error. There is a predefined set of error detail types +// in the package `google.rpc` that can be used for common error conditions. +// +// # Language mapping +// +// The `Status` message is the logical representation of the error model, but it +// is not necessarily the actual wire format. When the `Status` message is +// exposed in different client libraries and different wire protocols, it can be +// mapped differently. For example, it will likely be mapped to some exceptions +// in Java, but more likely mapped to some error codes in C. +// +// # Other uses +// +// The error model and the `Status` message can be used in a variety of +// environments, either with or without APIs, to provide a +// consistent developer experience across different environments. +// +// Example uses of this error model include: +// +// - Partial errors. If a service needs to return partial errors to the client, +// it may embed the `Status` in the normal response to indicate the partial +// errors. +// +// - Workflow errors. A typical workflow has multiple steps. Each step may +// have a `Status` message for error reporting. +// +// - Batch operations. If a client uses batch request and batch response, the +// `Status` message should be used directly inside batch response, one for +// each error sub-response. +// +// - Asynchronous operations. If an API call embeds asynchronous operation +// results in its response, the status of those operations should be +// represented directly using the `Status` message. +// +// - Logging. If some API errors are stored in logs, the message `Status` could +// be used directly after any stripping needed for security/privacy reasons. +message Status { + // The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code]. + int32 code = 1; + + // A developer-facing error message, which should be in English. Any + // user-facing error message should be localized and sent in the + // [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client. + string message = 2; + + // A list of messages that carry the error details. There is a common set of + // message types for APIs to use. + repeated google.protobuf.Any details = 3; +} diff --git a/python/grpc/vendor/github.com/gogo/protobuf/LICENSE b/python/grpc/vendor/github.com/gogo/protobuf/LICENSE new file mode 100644 index 0000000..7be0cc7 --- /dev/null +++ b/python/grpc/vendor/github.com/gogo/protobuf/LICENSE @@ -0,0 +1,36 @@ +Protocol Buffers for Go with Gadgets + +Copyright (c) 2013, The GoGo Authors. All rights reserved. +http://github.com/gogo/protobuf + +Go support for Protocol Buffers - Google's data interchange format + +Copyright 2010 The Go Authors. All rights reserved. +https://github.com/golang/protobuf + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + diff --git a/python/grpc/vendor/github.com/gogo/protobuf/gogoproto/gogo.proto b/python/grpc/vendor/github.com/gogo/protobuf/gogoproto/gogo.proto new file mode 100644 index 0000000..bc8d889 --- /dev/null +++ b/python/grpc/vendor/github.com/gogo/protobuf/gogoproto/gogo.proto @@ -0,0 +1,136 @@ +// Protocol Buffers for Go with Gadgets +// +// Copyright (c) 2013, The GoGo Authors. All rights reserved. +// http://github.com/gogo/protobuf +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +syntax = "proto2"; +package gogoproto; + +import "google/protobuf/descriptor.proto"; + +option java_package = "com.google.protobuf"; +option java_outer_classname = "GoGoProtos"; +option go_package = "github.com/gogo/protobuf/gogoproto"; + +extend google.protobuf.EnumOptions { + optional bool goproto_enum_prefix = 62001; + optional bool goproto_enum_stringer = 62021; + optional bool enum_stringer = 62022; + optional string enum_customname = 62023; + optional bool enumdecl = 62024; +} + +extend google.protobuf.EnumValueOptions { + optional string enumvalue_customname = 66001; +} + +extend google.protobuf.FileOptions { + optional bool goproto_getters_all = 63001; + optional bool goproto_enum_prefix_all = 63002; + optional bool goproto_stringer_all = 63003; + optional bool verbose_equal_all = 63004; + optional bool face_all = 63005; + optional bool gostring_all = 63006; + optional bool populate_all = 63007; + optional bool stringer_all = 63008; + optional bool onlyone_all = 63009; + + optional bool equal_all = 63013; + optional bool description_all = 63014; + optional bool testgen_all = 63015; + optional bool benchgen_all = 63016; + optional bool marshaler_all = 63017; + optional bool unmarshaler_all = 63018; + optional bool stable_marshaler_all = 63019; + + optional bool sizer_all = 63020; + + optional bool goproto_enum_stringer_all = 63021; + optional bool enum_stringer_all = 63022; + + optional bool unsafe_marshaler_all = 63023; + optional bool unsafe_unmarshaler_all = 63024; + + optional bool goproto_extensions_map_all = 63025; + optional bool goproto_unrecognized_all = 63026; + optional bool gogoproto_import = 63027; + optional bool protosizer_all = 63028; + optional bool compare_all = 63029; + optional bool typedecl_all = 63030; + optional bool enumdecl_all = 63031; + + optional bool goproto_registration = 63032; + optional bool messagename_all = 63033; +} + +extend google.protobuf.MessageOptions { + optional bool goproto_getters = 64001; + optional bool goproto_stringer = 64003; + optional bool verbose_equal = 64004; + optional bool face = 64005; + optional bool gostring = 64006; + optional bool populate = 64007; + optional bool stringer = 67008; + optional bool onlyone = 64009; + + optional bool equal = 64013; + optional bool description = 64014; + optional bool testgen = 64015; + optional bool benchgen = 64016; + optional bool marshaler = 64017; + optional bool unmarshaler = 64018; + optional bool stable_marshaler = 64019; + + optional bool sizer = 64020; + + optional bool unsafe_marshaler = 64023; + optional bool unsafe_unmarshaler = 64024; + + optional bool goproto_extensions_map = 64025; + optional bool goproto_unrecognized = 64026; + + optional bool protosizer = 64028; + optional bool compare = 64029; + + optional bool typedecl = 64030; + + optional bool messagename = 64033; +} + +extend google.protobuf.FieldOptions { + optional bool nullable = 65001; + optional bool embed = 65002; + optional string customtype = 65003; + optional string customname = 65004; + optional string jsontag = 65005; + optional string moretags = 65006; + optional string casttype = 65007; + optional string castkey = 65008; + optional string castvalue = 65009; + + optional bool stdtime = 65010; + optional bool stdduration = 65011; +} diff --git a/python/util/util.py b/python/util/util.py new file mode 100644 index 0000000..1bd40bd --- /dev/null +++ b/python/util/util.py @@ -0,0 +1,99 @@ +#!/usr/bin/env python3 + +# Copyright IBM Corp. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 + +import time, json, asn1 +import grpc +from subprocess import check_output + +def to_big_bytes(value, length=8): + if type(value) is bool: + return value.to_bytes(1, byteorder='big') + if type(value) is bytes: + return value + if type(value) is str: + return value.encode('utf-8') + return value.to_bytes(length, byteorder='big') + +def ep11attributes(kv_pairs): + attributes = {} + for k in kv_pairs.keys(): + attributes[k] = to_big_bytes(kv_pairs[k]) + return attributes + +# GetPubkeyBytesFromSPKI extracts a coordinate bit array from the public key in SPKI format +def GetPubkeyBytesFromSPKI(spki): + decoder = asn1.Decoder() + try: + decoder.start(spki) + decoder.enter() + decoder.read() # read the initial sequence + tag, pubkey = decoder.read() + pubkey_bytearray = bytearray(pubkey) + pubkey = bytes(pubkey_bytearray[1:]) # drop the first byte + return pubkey + except Exception as e: + print(e) + return None + +class Channel: + + def __init__(self, credentials): + self._authPlugin = self.AuthPlugin(credentials) + + def get_channel(self, address): + call_credentials = grpc.metadata_call_credentials(self._authPlugin) + channel_credential = grpc.ssl_channel_credentials() + composite_credentials = grpc.composite_channel_credentials(channel_credential, call_credentials) + channel = grpc.secure_channel(address, composite_credentials) + return channel + + class AuthPlugin(grpc.AuthMetadataPlugin): + + def __init__(self, credentials): + self._credentials = credentials + self._access_token = '' + self._expiration = int(time.time()) + + def __call__(self, context, callback): + #print('__call__ context=' + str(context)) + current = int(time.time()) + expiration = int(self._expiration) - 60 # set the expiration 60 sec before the actual one + if expiration < current: + self.get_access_token() + + metadata = (('authorization', 'Bearer {}'.format(self._access_token)),('bluemix-instance', '{}'.format(self._credentials['Instance'])),) + callback(metadata, None) + + def get_access_token(self): + apikey = self._credentials['APIKey'] + endpoint = self._credentials['Endpoint'] + cmd = 'curl -sS -k -X POST --header "Content-Type: application/x-www-form-urlencoded" --header "Accept: application/json" --data-urlencode "grant_type=urn:ibm:params:oauth:grant-type:apikey" --data-urlencode "apikey=' + apikey + '" "' + endpoint + '/identity/token"' + + try: + resp_str = check_output(cmd, shell=True).rstrip().decode('utf8') + except Exception as e: + print('an unexpected response from IAM_ENDPOINT=' + endpoint) + print(e) + import traceback + traceback.print_exc() + return None + + try: + resp = json.loads(resp_str) + self._expiration = resp['expiration'] + self._access_token = resp['access_token'] + return self._access_token + + except Exception as e: + print('an unexpected response from IAM_ENDPOINT=' + self._endpoint) + print('response=' + str(resp_str)) + print(e) + import traceback + traceback.print_exc() + return None + + +