def decrypt(self, content_type, secret, tenant):
"""Delegates decryption to active plugins."""
if not secret or not secret.encrypted_data:
raise CryptoNoSecretOrDataFoundException(secret.id)
analyze_before_decryption(content_type)
for ext in self.extensions:
decrypting_plugin = ext.obj
for datum in secret.encrypted_data:
if self._plugin_supports(decrypting_plugin,
datum.kek_meta_tenant):
# wrap the KEKDatum instance in our DTO
kek_meta_dto = plugin_mod.KEKMetaDTO(datum.kek_meta_tenant)
# Convert from text-based storage format to binary.
#TODO(jwood) Figure out by storing binary (BYTEA) data in
# Postgres isn't working.
encrypted = base64.b64decode(datum.cypher_text)
decrypt_dto = plugin_mod.DecryptDTO(encrypted)
# Decrypt the secret.
unencrypted = decrypting_plugin \
.decrypt(decrypt_dto,
kek_meta_dto,
datum.kek_meta_extended,
tenant.keystone_id)
# Denormalize the decrypted info per request.
return denormalize_after_decryption(
unencrypted, content_type)
else:
raise CryptoPluginNotFound()
def test_decrypt(self):
if not imports_ok:
self.skipTest("Dogtag imports not available")
key_id = 'key1'
decrypt_dto = plugin_import.DecryptDTO(key_id)
self.plugin.decrypt(decrypt_dto, mock.MagicMock(), mock.MagicMock(),
mock.MagicMock())
self.keyclient_mock.retrieve_key.assert_called_once_with(key_id)
def test_byte_string_encryption(self):
unencrypted = b'some_secret'
encrypt_dto = plugin.EncryptDTO(unencrypted)
response_dto = self.plugin.encrypt(encrypt_dto, mock.MagicMock(),
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text)
decrypted = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
response_dto.kek_meta_extended,
mock.MagicMock())
self.assertEqual(unencrypted, decrypted)
def test_random_bytes_encryption(self):
unencrypted = os.urandom(10)
encrypt_dto = plugin.EncryptDTO(unencrypted)
response_dto = self.plugin.encrypt(encrypt_dto, mock.MagicMock(),
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text)
decrypted = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
response_dto.kek_meta_extended,
mock.MagicMock())
self.assertEqual(unencrypted, decrypted)
def test_generate_asymmetric_1024_bit_key(self):
generate_dto = plugin.GenerateDTO('rsa', 1024, None, None)
private_dto, public_dto, passwd_dto = self.plugin.generate_asymmetric(
generate_dto, mock.MagicMock(), mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
private_dto.kek_meta_extended,
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(public_dto.cypher_text)
public_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
public_dto.kek_meta_extended,
mock.MagicMock())
public_dto = RSA.importKey(public_dto)
private_dto = RSA.importKey(private_dto)
self.assertEqual(public_dto.size(), 1023)
self.assertEqual(private_dto.size(), 1023)
self.assertTrue(private_dto.has_private)
def test_generate_128_bit_hmac_key(self):
secret = models.Secret()
secret.bit_length = 128
secret.algorithm = "hmacsha256"
generate_dto = plugin.GenerateDTO(secret.algorithm, secret.bit_length,
None, None)
response_dto = self.plugin.generate_symmetric(generate_dto,
mock.MagicMock(),
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(response_dto.cypher_text)
key = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
response_dto.kek_meta_extended,
mock.MagicMock())
self.assertEqual(len(key), 16)
def test_generate_1024_bit_RSA_key_in_pem(self):
generate_dto = plugin.GenerateDTO('rsa', 1024, None, 'changeme')
private_dto, public_dto, passwd_dto = \
self.plugin.generate_asymmetric(generate_dto,
mock.MagicMock(),
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
private_dto.kek_meta_extended,
mock.MagicMock())
private_dto = RSA.importKey(private_dto, 'changeme')
self.assertTrue(private_dto.has_private())
def test_decrypt(self):
key = 'key1'
ct = mock.MagicMock()
self.session.findObjects.return_value = [key]
self.session.decrypt.return_value = [100, 101, 102, 103]
mech = mock.MagicMock()
self.p11_mock.Mechanism.return_value = mech
kek_meta_extended = '{"iv": "AQIDBAUGBwgJCgsMDQ4PEA=="}'
decrypt_dto = plugin_import.DecryptDTO(ct)
payload = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
kek_meta_extended, mock.MagicMock())
self.assertTrue(self.p11_mock.Mechanism.called)
self.session.decrypt.assert_called_once_with(key, ct, mech)
self.assertEqual(b'defg', payload)
def test_generate_1024_DSA_key_in_pem_and_reconstruct_key_der(self):
generate_dto = plugin.GenerateDTO('dsa', 1024, None, None)
private_dto, public_dto, passwd_dto = \
self.plugin.generate_asymmetric(generate_dto,
mock.MagicMock(),
mock.MagicMock())
decrypt_dto = plugin.DecryptDTO(private_dto.cypher_text)
private_dto = self.plugin.decrypt(decrypt_dto, mock.MagicMock(),
private_dto.kek_meta_extended,
mock.MagicMock())
prv_seq = asn1.DerSequence()
data = "\n".join(
private_dto.strip().split("\n")[1:-1]).decode("base64")
prv_seq.decode(data)
p, q, g, y, x = prv_seq[1:]
private_dto = DSA.construct((y, g, p, q, x))
self.assertTrue(private_dto.has_private())