    def __init__(self, conf=CONF):
        """Initializes KMIPSecretStore

        Builds ``valid_alg_dict``, which maps each supported SecretStore
        key algorithm to the bit lengths accepted for it and to the matching
        pyKMIP ``CryptographicAlgorithm`` value, then builds the credential
        and the KMIP client from the ``kmip_plugin`` config group.

        :param conf: configuration object; only its ``kmip_plugin`` group
            is read.
        """
        super(KMIPSecretStore, self).__init__()

        def algorithm_entry(bit_lengths, kmip_enum):
            # One row of valid_alg_dict: accepted key sizes plus the pyKMIP
            # enum used when talking to the server.
            return {
                KMIPSecretStore.VALID_BIT_LENGTHS: bit_lengths,
                KMIPSecretStore.KMIP_ALGORITHM_ENUM: kmip_enum,
            }

        self.valid_alg_dict = {
            ss.KeyAlgorithm.AES: algorithm_entry(
                [128, 192, 256], enums.CryptographicAlgorithm.AES),
            ss.KeyAlgorithm.DES: algorithm_entry(
                [56], enums.CryptographicAlgorithm.DES),
            ss.KeyAlgorithm.DESEDE: algorithm_entry(
                [56, 64, 112, 128, 168, 192],
                enums.CryptographicAlgorithm.TRIPLE_DES),
        }

        plugin_conf = conf.kmip_plugin

        # The keyfile check only runs when a keyfile is configured; what
        # _validate_keyfile_permissions rejects is defined elsewhere in the
        # class (presumably overly permissive modes -- confirm there).
        if plugin_conf.keyfile is not None:
            self._validate_keyfile_permissions(plugin_conf.keyfile)

        # A username/password credential is always built here, even when the
        # config leaves one or both values unset.
        self.credential = credentials.CredentialFactory().create_credential(
            credentials.CredentialType.USERNAME_AND_PASSWORD,
            {'Username': plugin_conf.username,
             'Password': plugin_conf.password},
        )

        self.client = kmip_client.KMIPProxy(
            host=plugin_conf.host,
            port=int(plugin_conf.port),
            ssl_version=plugin_conf.ssl_version,
            ca_certs=plugin_conf.ca_certs,
            certfile=plugin_conf.certfile,
            keyfile=plugin_conf.keyfile,
            username=plugin_conf.username,
            password=plugin_conf.password,
        )
    def __init__(self, conf=CONF):
        """Initializes KMIPSecretStore

        Builds two lookup tables from one algorithm list:
        ``valid_alg_dict`` (SecretStore algorithm -> accepted bit lengths and
        pyKMIP ``CryptographicAlgorithm``) and ``kmip_barbican_alg_map``
        (pyKMIP ``CryptographicAlgorithm`` -> SecretStore algorithm).  Then
        builds the optional username/password credential and the KMIP client
        from the ``kmip_plugin`` config group.

        :param conf: configuration object; only its ``kmip_plugin`` group
            is read.
        """
        super(KMIPSecretStore, self).__init__()
        plugin_conf = conf.kmip_plugin

        # (SecretStore algorithm, accepted bit lengths, pyKMIP algorithm).
        # An empty bit-length list is what the HMAC entries carry; how that
        # is interpreted is decided by the validation code elsewhere in the
        # class.  Order matters: both dicts below keep it.
        algorithm_table = (
            (ss.KeyAlgorithm.AES, [128, 192, 256],
             enums.CryptographicAlgorithm.AES),
            (ss.KeyAlgorithm.DES, [56],
             enums.CryptographicAlgorithm.DES),
            (ss.KeyAlgorithm.DESEDE, [56, 64, 112, 128, 168, 192],
             enums.CryptographicAlgorithm.TRIPLE_DES),
            (ss.KeyAlgorithm.DSA, [1024, 2048, 3072],
             enums.CryptographicAlgorithm.DSA),
            (ss.KeyAlgorithm.HMACSHA1, [],
             enums.CryptographicAlgorithm.HMAC_SHA1),
            (ss.KeyAlgorithm.HMACSHA256, [],
             enums.CryptographicAlgorithm.HMAC_SHA256),
            (ss.KeyAlgorithm.HMACSHA384, [],
             enums.CryptographicAlgorithm.HMAC_SHA384),
            (ss.KeyAlgorithm.HMACSHA512, [],
             enums.CryptographicAlgorithm.HMAC_SHA512),
            (ss.KeyAlgorithm.RSA, [1024, 2048, 3072, 4096],
             enums.CryptographicAlgorithm.RSA),
        )

        self.valid_alg_dict = {
            barbican_alg: {
                KMIPSecretStore.VALID_BIT_LENGTHS: bit_lengths,
                KMIPSecretStore.KMIP_ALGORITHM_ENUM: kmip_alg,
            }
            for barbican_alg, bit_lengths, kmip_alg in algorithm_table
        }
        # Reverse lookup is built from the full table, so it keeps DSA even
        # when the forward table drops it below (same as the original
        # behaviour).
        self.kmip_barbican_alg_map = {
            kmip_alg: barbican_alg
            for barbican_alg, _unused_lengths, kmip_alg in algorithm_table
        }

        self.pkcs1_only = plugin_conf.pkcs1_only
        if self.pkcs1_only:
            LOG.debug("KMIP secret store only supports PKCS#1")
            # DSA is not a PKCS#1 algorithm, so it is not offered for storage.
            del self.valid_alg_dict[ss.KeyAlgorithm.DSA]

        # The keyfile check only runs when a keyfile is configured; what
        # _validate_keyfile_permissions rejects is defined elsewhere in the
        # class (presumably overly permissive modes -- confirm there).
        if plugin_conf.keyfile is not None:
            self._validate_keyfile_permissions(plugin_conf.keyfile)

        # No credential only when BOTH username and password are unset; if
        # just one is configured a credential with a None field is still
        # created and handed to pyKMIP.
        if (plugin_conf.username is not None
                or plugin_conf.password is not None):
            factory = credentials.CredentialFactory()
            self.credential = factory.create_credential(
                credentials.CredentialType.USERNAME_AND_PASSWORD,
                {
                    'Username': plugin_conf.username,
                    'Password': plugin_conf.password
                },
            )
        else:
            self.credential = None

        self.client = client.ProxyKmipClient(
            hostname=plugin_conf.host,
            port=plugin_conf.port,
            cert=plugin_conf.certfile,
            key=plugin_conf.keyfile,
            ca=plugin_conf.ca_certs,
            ssl_version=plugin_conf.ssl_version,
            username=plugin_conf.username,
            password=plugin_conf.password,
        )