def generate_symmetric_encryption_key(self, secret, content_type, tenant,
kek_repo):
"""Delegates generating a key to the first supported plugin.
Note that this key can be used by clients for their encryption
processes. This generated key is then be encrypted via
the plug-in key encryption process, and that encrypted datum
is then returned from this method.
"""
encrypting_plugin = \
self._determine_crypto_plugin(secret.algorithm,
secret.bit_length,
secret.mode)
kek_datum, kek_meta_dto = self._find_or_create_kek_objects(
encrypting_plugin, tenant, kek_repo)
# Create an encrypted datum instance and add the created cypher text.
datum = models.EncryptedDatum(secret, kek_datum)
datum.content_type = content_type
generate_dto = plugin_mod.GenerateDTO(secret.algorithm,
secret.bit_length, secret.mode,
None)
# Create the encrypted meta.
response_dto = encrypting_plugin.generate_symmetric(
generate_dto, kek_meta_dto, tenant.keystone_id)
# Convert binary data into a text-based format.
# TODO(jwood) Figure out by storing binary (BYTEA) data in Postgres
# isn't working.
datum.cypher_text = base64.b64encode(response_dto.cypher_text)
datum.kek_meta_extended = response_dto.kek_meta_extended
return datum
def test_generate_errors_when_rand_length_is_not_as_requested(self):
self.session.generateRandom.return_value = [1, 2, 3, 4, 5, 6, 7]
secret = models.Secret()
secret.bit_length = 192
secret.algorithm = "AES"
generate_dto = plugin_import.GenerateDTO(secret.algorithm,
secret.bit_length, None, None)
self.assertRaises(p11_crypto.P11CryptoPluginException,
self.plugin.generate_symmetric, generate_dto,
mock.MagicMock(), mock.MagicMock())
def test_generate_non_supported_algorithm(self):
if not imports_ok:
self.skipTest("Dogtag imports not available")
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "hmacsha256"
generate_dto = plugin_import.GenerateDTO(
plugin_import.PluginSupportTypes.SYMMETRIC_KEY_GENERATION,
secret.algorithm, secret.bit_length, None)
self.assertRaises(DogtagPluginAlgorithmException,
self.plugin.generate_symmetric, generate_dto,
mock.MagicMock(), mock.MagicMock())
def test_generate_calls_generate_random(self):
self.session.generateRandom.return_value = [
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
]
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "AES"
generate_dto = plugin_import.GenerateDTO(secret.algorithm,
secret.bit_length, None, None)
self.plugin.generate_symmetric(generate_dto, mock.MagicMock(),
mock.MagicMock())
self.session.generateRandom.assert_called_twice_with(16)
def test_generate(self):
if not imports_ok:
self.skipTest("Dogtag imports not available")
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "AES"
generate_dto = plugin_import.GenerateDTO(secret.algorithm,
secret.bit_length, None, None)
self.plugin.generate_symmetric(generate_dto, mock.MagicMock(),
mock.MagicMock())
self.keyclient_mock.generate_symmetric_key.assert_called_once_with(
mock.ANY, secret.algorithm.upper(), secret.bit_length, mock.ANY)
def generate_asymmetric_encryption_keys(self, meta, content_type, tenant,
kek_repo):
"""Delegates generating a asymmteric keys to the first
supported plugin based on `meta`. meta will provide extra
information to help key generation.
Based on passpharse in meta this method will return a tuple
with two/three objects.
Note that this key can be used by clients for their encryption
processes. This generated key is then be encrypted via
the plug-in key encryption process, and that encrypted datum
is then returned from this method.
"""
encrypting_plugin = \
self._determine_crypto_plugin(meta.algorithm,
meta.bit_length,
meta.passphrase)
kek_datum, kek_meta_dto = self._find_or_create_kek_objects(
encrypting_plugin, tenant, kek_repo)
generate_dto = plugin_mod.GenerateDTO(meta.algorithm, meta.bit_length,
None, meta.passphrase)
# generate the secret.
private_key_dto, public_key_dto, passwd_dto = \
encrypting_plugin.generate_asymmetric(
generate_dto,
kek_meta_dto,
tenant.keystone_id)
# Create an encrypted datum instances for each secret type
# and add the created cypher text.
priv_datum = models.EncryptedDatum(None, kek_datum)
priv_datum.content_type = content_type
priv_datum.cypher_text = base64.b64encode(private_key_dto.cypher_text)
priv_datum.kek_meta_extended = private_key_dto.kek_meta_extended
public_datum = models.EncryptedDatum(None, kek_datum)
public_datum.content_type = content_type
public_datum.cypher_text = base64.b64encode(public_key_dto.cypher_text)
public_datum.kek_meta_extended = public_key_dto.kek_meta_extended
passwd_datum = None
if passwd_dto:
passwd_datum = models.EncryptedDatum(None, kek_datum)
passwd_datum.content_type = content_type
passwd_datum.cypher_text = base64.b64encode(passwd_dto.cypher_text)
passwd_datum.kek_meta_extended = \
passwd_dto.kek_meta_extended
return (priv_datum, public_datum, passwd_datum)
def test_generate_128_bit_hmac_key(self):
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "hmacsha256"
generate_dto = plugin.GenerateDTO(secret.algorithm, secret.bit_length,
None, None)
response_dto = self.plugin.generate_symmetric(generate_dto,
mock.MagicMock(),
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text)
key = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
response_dto.kek_meta_extended,
mock.MagicMock())
self.assertEqual(len(key), 16)
def test_generate_1024_bit_RSA_key_in_pem(self):
generate_dto = plugin.GenerateDTO('rsa', 1024, None, 'changeme')
private_dto, public_dto, passwd_dto = \
self.plugin.generate_asymmetric(generate_dto,
mock.MagicMock(),
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
private_dto.kek_meta_extended,
mock.MagicMock())
private_dto = RSA.importKey(private_dto, 'changeme')
self.assertTrue(private_dto.has_private())
def test_generate_1024_DSA_key_in_pem_and_reconstruct_key_der(self):
generate_dto = plugin.GenerateDTO('dsa', 1024, None, None)
private_dto, public_dto, passwd_dto = \
self.plugin.generate_asymmetric(generate_dto,
mock.MagicMock(),
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
private_dto.kek_meta_extended,
mock.MagicMock())
prv_seq = asn1.DerSequence()
data = "\n".join(
private_dto.strip().split("\n")[1:-1]).decode("base64")
prv_seq.decode(data)
p, q, g, y, x = prv_seq[1:]
private_dto = DSA.construct((y, g, p, q, x))
self.assertTrue(private_dto.has_private())
def test_generate_asymmetric_1024_bit_key(self):
generate_dto = plugin.GenerateDTO('rsa', 1024, None, None)
private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric(
generate_dto, mock.MagicMock(), mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
private_dto.kek_meta_extended,
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(public_dto.cypher_text)
public_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
public_dto.kek_meta_extended,
mock.MagicMock())
public_dto = RSA.importKey(public_dto)
private_dto = RSA.importKey(private_dto)
self.assertEqual(public_dto.size(), 1023)
self.assertEqual(private_dto.size(), 1023)
self.assertTrue(private_dto.has_private)
def test_generate_2048_bit_DSA_key_with_passphrase(self):
generate_dto = plugin.GenerateDTO('dsa', 2048, None, 'Passphrase')
self.assertRaises(ValueError, self.plugin.generate_asymmetric,
generate_dto, mock.MagicMock(), mock.MagicMock())
def test_generate_512_bit_RSA_key(self):
generate_dto = plugin.GenerateDTO('rsa', 512, None, None)
self.assertRaises(ValueError, self.plugin.generate_asymmetric,
generate_dto, mock.MagicMock(), mock.MagicMock())
