def test_derive_key_using_hmac(self): """ Test that the ProxyKmipClient can derive a new key using HMAC. """ base_id = self.client.register( objects.SecretData( (b'\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c' b'\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c' b'\x0c\x0c\x0c\x0c\x0c\x0c'), enums.SecretDataType.SEED, masks=[enums.CryptographicUsageMask.DERIVE_KEY])) secret_id = self.client.derive_key( enums.ObjectType.SECRET_DATA, [base_id], enums.DerivationMethod.HMAC, { 'cryptographic_parameters': { 'hashing_algorithm': enums.HashingAlgorithm.SHA_1 }, 'derivation_data': b'', 'salt': b'' }, cryptographic_length=336) secret = self.client.get(secret_id) self.assertEqual((b'\x2c\x91\x11\x72\x04\xd7\x45\xf3' b'\x50\x0d\x63\x6a\x62\xf6\x4f\x0a' b'\xb3\xba\xe5\x48\xaa\x53\xd4\x23' b'\xb0\xd1\xf2\x7e\xbb\xa6\xf5\xe5' b'\x67\x3a\x08\x1d\x70\xcc\xe7\xac' b'\xfc\x48'), secret.value)
def test_secret_data_register_get_destroy(self): """ Test that the ProxyKmipClient can register, retrieve, and destroy a secret. """ # Secret encoding obtained from Section 3.1.5 of the KMIP 1.1 test # documentation. secret = objects.SecretData( (b'\x53\x65\x63\x72\x65\x74\x50\x61\x73\x73\x77\x6F\x72\x64'), enums.SecretDataType.PASSWORD) uid = self.client.register(secret) self.assertIsInstance(uid, six.string_types) try: result = self.client.get(uid) self.assertIsInstance(result, objects.SecretData) self.assertEqual( result, secret, "expected {0}\nobserved {1}".format(result, secret)) finally: self.client.destroy(uid) self.assertRaises(exceptions.KmipOperationFailure, self.client.get, uid) self.assertRaises(exceptions.KmipOperationFailure, self.client.destroy, uid)
def test_store_passphrase_secret_assert_called(self): key_spec = secret_store.KeySpec(None, None, None) passphrase = base64.b64encode(b"supersecretpassphrase") secret_dto = secret_store.SecretDTO(secret_store.SecretType.PASSPHRASE, passphrase, key_spec, 'content_type', transport_key=None) self.secret_store.store_secret(secret_dto) self.secret_store.client.register.assert_called_once_with( objects.SecretData(base64.b64decode(passphrase), enums.SecretDataType.PASSWORD))
def test_derive_key_using_pbkdf2(self): """ Test that the ProxyKmipClient can derive a new key using PBKDF2. """ password_id = self.client.register( objects.SecretData(b'password', enums.SecretDataType.PASSWORD, masks=[enums.CryptographicUsageMask.DERIVE_KEY ])) key_id = self.client.derive_key( enums.ObjectType.SYMMETRIC_KEY, [password_id], enums.DerivationMethod.PBKDF2, { 'cryptographic_parameters': { 'hashing_algorithm': enums.HashingAlgorithm.SHA_1 }, 'salt': b'salt', 'iteration_count': 4096 }, cryptographic_length=160, cryptographic_algorithm=enums.CryptographicAlgorithm.AES) key = self.client.get(key_id) self.assertEqual((b'\x4b\x00\x79\x01\xb7\x65\x48\x9a' b'\xbe\xad\x49\xd9\x26\xf7\x21\xd0' b'\x65\xa4\x29\xc1'), key.value) attribute_list = self.client.get_attribute_list(key_id) self.assertIn('Cryptographic Algorithm', attribute_list) self.assertIn('Cryptographic Length', attribute_list) result_id, attribute_list = self.client.get_attributes( uid=key_id, attribute_names=[ 'Cryptographic Algorithm', 'Cryptographic Length' ]) self.assertEqual(key_id, result_id) self.assertEqual(2, len(attribute_list)) attribute = attribute_list[0] self.assertEqual('Cryptographic Algorithm', attribute.attribute_name.value) self.assertEqual(enums.CryptographicAlgorithm.AES, attribute.attribute_value.value) attribute = attribute_list[1] self.assertEqual('Cryptographic Length', attribute.attribute_name.value) self.assertEqual(160, attribute.attribute_value.value)
def _get_kmip_secret(self, secret_dto): """Builds a KMIP object from a SecretDTO This is needed for register calls. The Barbican object needs to be converted to KMIP object before it can be stored :param secret_dto: SecretDTO of secret to be stored :returns: KMIP object """ secret_type = secret_dto.type key_spec = secret_dto.key_spec object_type, key_format_type = ( self._map_type_ss_to_kmip(secret_type)) normalized_secret = self._normalize_secret(secret_dto.secret, secret_type) kmip_object = None if object_type == enums.ObjectType.CERTIFICATE: kmip_object = objects.X509Certificate(normalized_secret) elif object_type == enums.ObjectType.OPAQUE_DATA: opaque_type = enums.OpaqueDataType.NONE kmip_object = objects.OpaqueObject(normalized_secret, opaque_type) elif object_type == enums.ObjectType.PRIVATE_KEY: algorithm = self._get_kmip_algorithm(key_spec.alg) length = key_spec.bit_length format_type = enums.KeyFormatType.PKCS_8 kmip_object = objects.PrivateKey( algorithm, length, normalized_secret, format_type) elif object_type == enums.ObjectType.PUBLIC_KEY: algorithm = self._get_kmip_algorithm(key_spec.alg) length = key_spec.bit_length format_type = enums.KeyFormatType.X_509 kmip_object = objects.PublicKey( algorithm, length, normalized_secret, format_type) elif object_type == enums.ObjectType.SYMMETRIC_KEY: algorithm = self._get_kmip_algorithm(key_spec.alg) length = key_spec.bit_length kmip_object = objects.SymmetricKey(algorithm, length, normalized_secret) elif object_type == enums.ObjectType.SECRET_DATA: data_type = enums.SecretDataType.PASSWORD kmip_object = objects.SecretData(normalized_secret, data_type) return kmip_object
def test_convert_secret_data_pie_to_core(self): """ Test that a Pie secret data object can be converted into a core secret data object. """ pie_secret = pobjects.SecretData(self.secret_bytes, enums.SecretDataType.PASSWORD) core_secret = self.factory.convert(pie_secret) self.assertIsInstance(core_secret, secrets.SecretData) data_type = core_secret.secret_data_type.value self.assertEqual(enums.SecretDataType.PASSWORD, data_type) key_block = core_secret.key_block self.assertIsInstance(key_block, cobjects.KeyBlock) key_value = key_block.key_value self.assertIsInstance(key_value, cobjects.KeyValue) key_material = key_value.key_material self.assertIsInstance(key_material, cobjects.KeyMaterial) self.assertEqual(self.secret_bytes, key_material.value)
def _build_pie_secret_data(self, secret): secret_data_type = secret.secret_data_type.value value = secret.key_block.key_value.key_material.value return pobjects.SecretData(value, secret_data_type)
from kmip.core import enums from kmip.demos import utils from kmip.pie import client from kmip.pie import objects if __name__ == '__main__': logger = utils.build_console_logger(logging.INFO) parser = utils.build_cli_parser() opts, args = parser.parse_args(sys.argv[1:]) config = opts.config value = (b'\x53\x65\x63\x72\x65\x74\x50\x61\x73\x73\x77\x6F\x72\x64') data_type = enums.SecretDataType.PASSWORD usage_mask = [enums.CryptographicUsageMask.VERIFY] name = 'Demo Secret Data' secret = objects.SecretData(value, data_type, usage_mask, name) # Build the client and connect to the server with client.ProxyKmipClient(config=config) as client: try: uid = client.register(secret) logger.info( "Successfully registered secret data with ID: {0}".format(uid)) except Exception as e: logger.error(e)