def test_derive_key_using_hmac(self):
"""
Test that the ProxyKmipClient can derive a new key using HMAC.
"""
base_id = self.client.register(
objects.SecretData(
(b'\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
b'\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c'
b'\x0c\x0c\x0c\x0c\x0c\x0c'),
enums.SecretDataType.SEED,
masks=[enums.CryptographicUsageMask.DERIVE_KEY]))
secret_id = self.client.derive_key(
enums.ObjectType.SECRET_DATA, [base_id],
enums.DerivationMethod.HMAC, {
'cryptographic_parameters': {
'hashing_algorithm': enums.HashingAlgorithm.SHA_1
},
'derivation_data': b'',
'salt': b''
},
cryptographic_length=336)
secret = self.client.get(secret_id)
self.assertEqual((b'\x2c\x91\x11\x72\x04\xd7\x45\xf3'
b'\x50\x0d\x63\x6a\x62\xf6\x4f\x0a'
b'\xb3\xba\xe5\x48\xaa\x53\xd4\x23'
b'\xb0\xd1\xf2\x7e\xbb\xa6\xf5\xe5'
b'\x67\x3a\x08\x1d\x70\xcc\xe7\xac'
b'\xfc\x48'), secret.value)
def test_secret_data_register_get_destroy(self):
"""
Test that the ProxyKmipClient can register, retrieve, and destroy a
secret.
"""
# Secret encoding obtained from Section 3.1.5 of the KMIP 1.1 test
# documentation.
secret = objects.SecretData(
(b'\x53\x65\x63\x72\x65\x74\x50\x61\x73\x73\x77\x6F\x72\x64'),
enums.SecretDataType.PASSWORD)
uid = self.client.register(secret)
self.assertIsInstance(uid, six.string_types)
try:
result = self.client.get(uid)
self.assertIsInstance(result, objects.SecretData)
self.assertEqual(
result, secret,
"expected {0}\nobserved {1}".format(result, secret))
finally:
self.client.destroy(uid)
self.assertRaises(exceptions.KmipOperationFailure, self.client.get,
uid)
self.assertRaises(exceptions.KmipOperationFailure,
self.client.destroy, uid)
def test_store_passphrase_secret_assert_called(self):
key_spec = secret_store.KeySpec(None, None, None)
passphrase = base64.b64encode(b"supersecretpassphrase")
secret_dto = secret_store.SecretDTO(secret_store.SecretType.PASSPHRASE,
passphrase,
key_spec,
'content_type',
transport_key=None)
self.secret_store.store_secret(secret_dto)
self.secret_store.client.register.assert_called_once_with(
objects.SecretData(base64.b64decode(passphrase),
enums.SecretDataType.PASSWORD))
def test_derive_key_using_pbkdf2(self):
"""
Test that the ProxyKmipClient can derive a new key using PBKDF2.
"""
password_id = self.client.register(
objects.SecretData(b'password',
enums.SecretDataType.PASSWORD,
masks=[enums.CryptographicUsageMask.DERIVE_KEY
]))
key_id = self.client.derive_key(
enums.ObjectType.SYMMETRIC_KEY, [password_id],
enums.DerivationMethod.PBKDF2, {
'cryptographic_parameters': {
'hashing_algorithm': enums.HashingAlgorithm.SHA_1
},
'salt': b'salt',
'iteration_count': 4096
},
cryptographic_length=160,
cryptographic_algorithm=enums.CryptographicAlgorithm.AES)
key = self.client.get(key_id)
self.assertEqual((b'\x4b\x00\x79\x01\xb7\x65\x48\x9a'
b'\xbe\xad\x49\xd9\x26\xf7\x21\xd0'
b'\x65\xa4\x29\xc1'), key.value)
attribute_list = self.client.get_attribute_list(key_id)
self.assertIn('Cryptographic Algorithm', attribute_list)
self.assertIn('Cryptographic Length', attribute_list)
result_id, attribute_list = self.client.get_attributes(
uid=key_id,
attribute_names=[
'Cryptographic Algorithm', 'Cryptographic Length'
])
self.assertEqual(key_id, result_id)
self.assertEqual(2, len(attribute_list))
attribute = attribute_list[0]
self.assertEqual('Cryptographic Algorithm',
attribute.attribute_name.value)
self.assertEqual(enums.CryptographicAlgorithm.AES,
attribute.attribute_value.value)
attribute = attribute_list[1]
self.assertEqual('Cryptographic Length',
attribute.attribute_name.value)
self.assertEqual(160, attribute.attribute_value.value)
def _get_kmip_secret(self, secret_dto):
"""Builds a KMIP object from a SecretDTO
This is needed for register calls. The Barbican object needs to be
converted to KMIP object before it can be stored
:param secret_dto: SecretDTO of secret to be stored
:returns: KMIP object
"""
secret_type = secret_dto.type
key_spec = secret_dto.key_spec
object_type, key_format_type = (
self._map_type_ss_to_kmip(secret_type))
normalized_secret = self._normalize_secret(secret_dto.secret,
secret_type)
kmip_object = None
if object_type == enums.ObjectType.CERTIFICATE:
kmip_object = objects.X509Certificate(normalized_secret)
elif object_type == enums.ObjectType.OPAQUE_DATA:
opaque_type = enums.OpaqueDataType.NONE
kmip_object = objects.OpaqueObject(normalized_secret,
opaque_type)
elif object_type == enums.ObjectType.PRIVATE_KEY:
algorithm = self._get_kmip_algorithm(key_spec.alg)
length = key_spec.bit_length
format_type = enums.KeyFormatType.PKCS_8
kmip_object = objects.PrivateKey(
algorithm, length, normalized_secret, format_type)
elif object_type == enums.ObjectType.PUBLIC_KEY:
algorithm = self._get_kmip_algorithm(key_spec.alg)
length = key_spec.bit_length
format_type = enums.KeyFormatType.X_509
kmip_object = objects.PublicKey(
algorithm, length, normalized_secret, format_type)
elif object_type == enums.ObjectType.SYMMETRIC_KEY:
algorithm = self._get_kmip_algorithm(key_spec.alg)
length = key_spec.bit_length
kmip_object = objects.SymmetricKey(algorithm, length,
normalized_secret)
elif object_type == enums.ObjectType.SECRET_DATA:
data_type = enums.SecretDataType.PASSWORD
kmip_object = objects.SecretData(normalized_secret, data_type)
return kmip_object
def test_convert_secret_data_pie_to_core(self):
"""
Test that a Pie secret data object can be converted into a core secret
data object.
"""
pie_secret = pobjects.SecretData(self.secret_bytes,
enums.SecretDataType.PASSWORD)
core_secret = self.factory.convert(pie_secret)
self.assertIsInstance(core_secret, secrets.SecretData)
data_type = core_secret.secret_data_type.value
self.assertEqual(enums.SecretDataType.PASSWORD, data_type)
key_block = core_secret.key_block
self.assertIsInstance(key_block, cobjects.KeyBlock)
key_value = key_block.key_value
self.assertIsInstance(key_value, cobjects.KeyValue)
key_material = key_value.key_material
self.assertIsInstance(key_material, cobjects.KeyMaterial)
self.assertEqual(self.secret_bytes, key_material.value)
def _build_pie_secret_data(self, secret):
secret_data_type = secret.secret_data_type.value
value = secret.key_block.key_value.key_material.value
return pobjects.SecretData(value, secret_data_type)
from kmip.core import enums
from kmip.demos import utils
from kmip.pie import client
from kmip.pie import objects
if __name__ == '__main__':
logger = utils.build_console_logger(logging.INFO)
parser = utils.build_cli_parser()
opts, args = parser.parse_args(sys.argv[1:])
config = opts.config
value = (b'\x53\x65\x63\x72\x65\x74\x50\x61\x73\x73\x77\x6F\x72\x64')
data_type = enums.SecretDataType.PASSWORD
usage_mask = [enums.CryptographicUsageMask.VERIFY]
name = 'Demo Secret Data'
secret = objects.SecretData(value, data_type, usage_mask, name)
# Build the client and connect to the server
with client.ProxyKmipClient(config=config) as client:
try:
uid = client.register(secret)
logger.info(
"Successfully registered secret data with ID: {0}".format(uid))
except Exception as e:
logger.error(e)
