def generate_symmetric_encryption_key(self, secret, content_type, tenant, kek_repo): """Delegates generating a key to the first supported plugin. Note that this key can be used by clients for their encryption processes. This generated key is then be encrypted via the plug-in key encryption process, and that encrypted datum is then returned from this method. """ encrypting_plugin = \ self._determine_crypto_plugin(secret.algorithm, secret.bit_length, secret.mode) kek_datum, kek_meta_dto = self._find_or_create_kek_objects( encrypting_plugin, tenant, kek_repo) # Create an encrypted datum instance and add the created cypher text. datum = models.EncryptedDatum(secret, kek_datum) datum.content_type = content_type generate_dto = plugin_mod.GenerateDTO(secret.algorithm, secret.bit_length, secret.mode, None) # Create the encrypted meta. response_dto = encrypting_plugin.generate_symmetric( generate_dto, kek_meta_dto, tenant.keystone_id) # Convert binary data into a text-based format. # TODO(jwood) Figure out by storing binary (BYTEA) data in Postgres # isn't working. datum.cypher_text = base64.b64encode(response_dto.cypher_text) datum.kek_meta_extended = response_dto.kek_meta_extended return datum
def test_generate_errors_when_rand_length_is_not_as_requested(self): self.session.generateRandom.return_value = [1, 2, 3, 4, 5, 6, 7] secret = models.Secret() secret.bit_length = 192 secret.algorithm = "AES" generate_dto = plugin_import.GenerateDTO(secret.algorithm, secret.bit_length, None, None) self.assertRaises(p11_crypto.P11CryptoPluginException, self.plugin.generate_symmetric, generate_dto, mock.MagicMock(), mock.MagicMock())
def test_generate_non_supported_algorithm(self): if not imports_ok: self.skipTest("Dogtag imports not available") secret = models.Secret() secret.bit_length = 128 secret.algorithm = "hmacsha256" generate_dto = plugin_import.GenerateDTO( plugin_import.PluginSupportTypes.SYMMETRIC_KEY_GENERATION, secret.algorithm, secret.bit_length, None) self.assertRaises(DogtagPluginAlgorithmException, self.plugin.generate_symmetric, generate_dto, mock.MagicMock(), mock.MagicMock())
def test_generate_calls_generate_random(self): self.session.generateRandom.return_value = [ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 ] secret = models.Secret() secret.bit_length = 128 secret.algorithm = "AES" generate_dto = plugin_import.GenerateDTO(secret.algorithm, secret.bit_length, None, None) self.plugin.generate_symmetric(generate_dto, mock.MagicMock(), mock.MagicMock()) self.session.generateRandom.assert_called_twice_with(16)
def test_generate(self): if not imports_ok: self.skipTest("Dogtag imports not available") secret = models.Secret() secret.bit_length = 128 secret.algorithm = "AES" generate_dto = plugin_import.GenerateDTO(secret.algorithm, secret.bit_length, None, None) self.plugin.generate_symmetric(generate_dto, mock.MagicMock(), mock.MagicMock()) self.keyclient_mock.generate_symmetric_key.assert_called_once_with( mock.ANY, secret.algorithm.upper(), secret.bit_length, mock.ANY)
def generate_asymmetric_encryption_keys(self, meta, content_type, tenant, kek_repo): """Delegates generating a asymmteric keys to the first supported plugin based on `meta`. meta will provide extra information to help key generation. Based on passpharse in meta this method will return a tuple with two/three objects. Note that this key can be used by clients for their encryption processes. This generated key is then be encrypted via the plug-in key encryption process, and that encrypted datum is then returned from this method. """ encrypting_plugin = \ self._determine_crypto_plugin(meta.algorithm, meta.bit_length, meta.passphrase) kek_datum, kek_meta_dto = self._find_or_create_kek_objects( encrypting_plugin, tenant, kek_repo) generate_dto = plugin_mod.GenerateDTO(meta.algorithm, meta.bit_length, None, meta.passphrase) # generate the secret. private_key_dto, public_key_dto, passwd_dto = \ encrypting_plugin.generate_asymmetric( generate_dto, kek_meta_dto, tenant.keystone_id) # Create an encrypted datum instances for each secret type # and add the created cypher text. priv_datum = models.EncryptedDatum(None, kek_datum) priv_datum.content_type = content_type priv_datum.cypher_text = base64.b64encode(private_key_dto.cypher_text) priv_datum.kek_meta_extended = private_key_dto.kek_meta_extended public_datum = models.EncryptedDatum(None, kek_datum) public_datum.content_type = content_type public_datum.cypher_text = base64.b64encode(public_key_dto.cypher_text) public_datum.kek_meta_extended = public_key_dto.kek_meta_extended passwd_datum = None if passwd_dto: passwd_datum = models.EncryptedDatum(None, kek_datum) passwd_datum.content_type = content_type passwd_datum.cypher_text = base64.b64encode(passwd_dto.cypher_text) passwd_datum.kek_meta_extended = \ passwd_dto.kek_meta_extended return (priv_datum, public_datum, passwd_datum)
def test_generate_128_bit_hmac_key(self): secret = models.Secret() secret.bit_length = 128 secret.algorithm = "hmacsha256" generate_dto = plugin.GenerateDTO(secret.algorithm, secret.bit_length, None, None) response_dto = self.plugin.generate_symmetric(generate_dto, mock.MagicMock(), mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text) key = self.plugin.decrypt(decrypt_dto, mock.MagicMock(), response_dto.kek_meta_extended, mock.MagicMock()) self.assertEqual(len(key), 16)
def test_generate_1024_bit_RSA_key_in_pem(self): generate_dto = plugin.GenerateDTO('rsa', 1024, None, 'changeme') private_dto, public_dto, passwd_dto = \ self.plugin.generate_asymmetric(generate_dto, mock.MagicMock(), mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text) private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(), private_dto.kek_meta_extended, mock.MagicMock()) private_dto = RSA.importKey(private_dto, 'changeme') self.assertTrue(private_dto.has_private())
def test_generate_1024_DSA_key_in_pem_and_reconstruct_key_der(self): generate_dto = plugin.GenerateDTO('dsa', 1024, None, None) private_dto, public_dto, passwd_dto = \ self.plugin.generate_asymmetric(generate_dto, mock.MagicMock(), mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text) private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(), private_dto.kek_meta_extended, mock.MagicMock()) prv_seq = asn1.DerSequence() data = "\n".join( private_dto.strip().split("\n")[1:-1]).decode("base64") prv_seq.decode(data) p, q, g, y, x = prv_seq[1:] private_dto = DSA.construct((y, g, p, q, x)) self.assertTrue(private_dto.has_private())
def test_generate_asymmetric_1024_bit_key(self): generate_dto = plugin.GenerateDTO('rsa', 1024, None, None) private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric( generate_dto, mock.MagicMock(), mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text) private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(), private_dto.kek_meta_extended, mock.MagicMock()) decrypt_dto = plugin.DecryptDTO(public_dto.cypher_text) public_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(), public_dto.kek_meta_extended, mock.MagicMock()) public_dto = RSA.importKey(public_dto) private_dto = RSA.importKey(private_dto) self.assertEqual(public_dto.size(), 1023) self.assertEqual(private_dto.size(), 1023) self.assertTrue(private_dto.has_private)
def test_generate_2048_bit_DSA_key_with_passphrase(self): generate_dto = plugin.GenerateDTO('dsa', 2048, None, 'Passphrase') self.assertRaises(ValueError, self.plugin.generate_asymmetric, generate_dto, mock.MagicMock(), mock.MagicMock())
def test_generate_512_bit_RSA_key(self): generate_dto = plugin.GenerateDTO('rsa', 512, None, None) self.assertRaises(ValueError, self.plugin.generate_asymmetric, generate_dto, mock.MagicMock(), mock.MagicMock())