def get_status(self, host, port, path): self.instance.export_ca_cert() connection = PKIConnection(protocol='https', hostname=host, port=port, cert_paths=self.instance.ca_cert) response = connection.get(path) content_type = response.headers['Content-Type'] content = response.text logger.info('Content:\n%s', content) # https://github.com/dogtagpki/pki/wiki/GetStatus-Service if content_type == 'application/json': json_response = json.loads(content) status = json_response['Response']['Status'] elif content_type == 'application/xml': root = ET.fromstring(content) status = root.findtext('Status') else: raise Exception('Unsupported content-type: %s' % content_type) logger.info('Status: %s', status) return status
def connection(self): connection = PKIConnection(protocol=self.protocol, hostname=self.hostname, port=self.port) connection.set_authentication_cert(self.cert) client = CertClient(connection) return client
def __init__(self, conf=CONF): """Constructor - create the keyclient""" pem_path = conf.dogtag_crypto_plugin.pem_path if pem_path is None: raise ValueError(_("pem_path is required")) pem_password = conf.dogtag_crypto_plugin.pem_password if pem_password is None: raise ValueError(_("pem_password is required")) crypto = None create_nss_db = False nss_db_path = conf.dogtag_crypto_plugin.nss_db_path if nss_db_path is not None: nss_password = conf.dogtag_crypto_plugin.nss_password if nss_password is None: raise ValueError(_("nss_password is required")) if not os.path.exists(nss_db_path): create_nss_db = True cryptoutil.NSSCryptoUtil.setup_database( nss_db_path, nss_password, over_write=True) crypto = cryptoutil.NSSCryptoUtil(nss_db_path, nss_password) # set up connection connection = PKIConnection('https', conf.dogtag_crypto_plugin.drm_host, conf.dogtag_crypto_plugin.drm_port, 'kra') connection.set_authentication_cert(pem_path) # what happened to the password? # until we figure out how to pass the password to requests, we'll # just use -nodes to create the admin cert pem file. Any required # code will end up being in the DRM python client #create kraclient kraclient = KRAClient(connection, crypto) self.keyclient = kraclient.keys self.systemcert_client = kraclient.system_certs if crypto is not None: if create_nss_db: # Get transport cert and insert in the certdb transport_cert = self.systemcert_client.get_transport_cert() tcert = transport_cert[ len(pki.CERT_HEADER): len(transport_cert) - len(pki.CERT_FOOTER)] crypto.import_cert(DogtagCryptoPlugin.TRANSPORT_NICK, base64.decodestring(tcert), "u,u,u") crypto.initialize() self.keyclient.set_transport_cert( DogtagCryptoPlugin.TRANSPORT_NICK)
def __init__(self, conf=CONF): """Constructor - create the keyclient.""" pem_path = conf.dogtag_crypto_plugin.pem_path if pem_path is None: raise ValueError(u._("pem_path is required")) pem_password = conf.dogtag_crypto_plugin.pem_password if pem_password is None: raise ValueError(u._("pem_password is required")) crypto = None create_nss_db = False nss_db_path = conf.dogtag_crypto_plugin.nss_db_path if nss_db_path is not None: nss_password = conf.dogtag_crypto_plugin.nss_password if nss_password is None: raise ValueError(u._("nss_password is required")) if not os.path.exists(nss_db_path): create_nss_db = True cryptoutil.NSSCryptoUtil.setup_database(nss_db_path, nss_password, over_write=True) crypto = cryptoutil.NSSCryptoUtil(nss_db_path, nss_password) # set up connection connection = PKIConnection('https', conf.dogtag_crypto_plugin.drm_host, conf.dogtag_crypto_plugin.drm_port, 'kra') connection.set_authentication_cert(pem_path) # what happened to the password? # until we figure out how to pass the password to requests, we'll # just use -nodes to create the admin cert pem file. Any required # code will end up being in the DRM python client #create kraclient kraclient = KRAClient(connection, crypto) self.keyclient = kraclient.keys self.systemcert_client = kraclient.system_certs if crypto is not None: if create_nss_db: # Get transport cert and insert in the certdb transport_cert = self.systemcert_client.get_transport_cert() tcert = transport_cert[len(pki.CERT_HEADER ):len(transport_cert) - len(pki.CERT_FOOTER)] crypto.import_cert(DogtagCryptoPlugin.TRANSPORT_NICK, base64.decodestring(tcert), "u,u,u") crypto.initialize() self.keyclient.set_transport_cert( DogtagCryptoPlugin.TRANSPORT_NICK)
def check_ca_clones(self): for host in self.clone_cas: cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort # Reach out and get some certs, to serve as a data and connectivity check try: connection = PKIConnection(protocol='https', hostname=host.Hostname, port=host.SecurePort, verify=False) cert_client = CertClient(connection) # get the first 3 in case we cant to make a sanity check of replicated data certs = cert_client.list_certs(size=3) if certs is not None and len(certs.cert_data_info_list) == 3: logger.info('Cert data successfully obtained from clone.') else: raise BaseException('CA clone problem reading data.' + cur_clone_msg) except BaseException as e: logger.error("Internal server error %s", e) raise BaseException('Internal error testing CA clone.' + cur_clone_msg) return
def get_security_domain(): """ Get the security domain from the REST interface on the local Dogtag CA This function will succeed if the local dogtag CA is up. """ connection = PKIConnection() domain_client = pki.system.SecurityDomainClient(connection) info = domain_client.get_security_domain_info() return info
def get_security_domain(): """ Get the security domain from the REST interface on the local Dogtag CA This function will succeed if the local dogtag CA is up. """ connection = PKIConnection(protocol='https', hostname=api.env.ca_host, port='8443') domain_client = pki.system.SecurityDomainClient(connection) info = domain_client.get_security_domain_info() return info
def get_security_domain_data(self, host, port): domain_data = None try: connection = PKIConnection(protocol='http', hostname=host, port=port, verify=False) securityDomainClient = SecurityDomainClient(connection) domain_data = securityDomainClient.get_domain_info() except BaseException as e: logger.error("Internal server error %s", e) return domain_data systems = domain_data.subsystems for s in systems.values(): for h in s.hosts.values(): if s.id == 'CA': if h.Clone == 'TRUE': self.clone_cas.append(h) else: self.master_cas.append(h) elif s.id == 'KRA': if h.Clone == 'TRUE': self.clone_kras.append(h) else: self.master_kras.append(h) elif s.id == 'OCSP': if h.Clone == 'TRUE': self.clone_ocsps.append(h) else: self.master_ocsps.append(h) elif s.id == 'TPS': if h.Clone == 'TRUE': self.clone_tpss.append(h) else: self.master_tpss.append(h) elif s.id == 'TKS': if h.Clone == 'TRUE': self.clone_tkss.append(h) else: self.master_tkss.append(h) return domain_data
def run_test(protocol, hostname, port, client_cert, certdb_dir, certdb_password): """ test code execution """ # set up the connection to the DRM, including authentication credentials connection = PKIConnection(protocol, hostname, port, 'kra') connection.set_authentication_cert(client_cert) # create kraclient crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password) kraclient = KRAClient(connection, crypto) keyclient = kraclient.keys # Get transport cert and insert in the certdb transport_nick = "kra transport cert" transport_cert = kraclient.system_certs.get_transport_cert() print("Subject DN: " + transport_cert.subject_dn) print(transport_cert.encoded) crypto.import_cert(transport_nick, transport_cert) # initialize the certdb for crypto operations # for NSS db, this must be done after importing the transport cert crypto.initialize() # set transport cert into keyclient keyclient.set_transport_cert(transport_nick) # Test 2: Get key request info print("Now getting key request") try: key_request = keyclient.get_request_info('2') print_key_request(key_request) except pki.RequestNotFoundException: pass # Test 3: List requests print("Now listing some requests") keyrequests = keyclient.list_requests('complete', 'securityDataRecovery') print(keyrequests.key_requests) for request in keyrequests.key_requests: print_key_request(request) # Test 4: generate symkey -- same as barbican_encode() print("Now generating symkey on KRA") client_key_id = "Vek #1" + time.strftime('%c') algorithm = "AES" key_size = 128 usages = [ key.SymKeyGenerationRequest.DECRYPT_USAGE, key.SymKeyGenerationRequest.ENCRYPT_USAGE ] response = keyclient.generate_symmetric_key(client_key_id, algorithm=algorithm, size=key_size, usages=usages) print_key_request(response.request_info) print("Request ID is " + response.request_info.get_request_id()) key_id = response.get_key_id() # Test 5: Confirm the key_id matches print("Now getting key ID for clientKeyID=\"" + client_key_id + "\"") key_infos = keyclient.list_keys(client_key_id=client_key_id, status=keyclient.KEY_STATUS_ACTIVE) key_id2 = None for key_info in key_infos.key_infos: print_key_info(key_info) key_id2 = key_info.get_key_id() if key_id == key_id2: print("Success! The keys from generation and search match.") else: print("Failure - key_ids for generation do not match!") # Test 6: Barbican_decode() - Retrieve while providing # trans_wrapped_session_key session_key = crypto.generate_session_key() wrapped_session_key = crypto.asymmetric_wrap(session_key, keyclient.transport_cert) print("My key id is " + str(key_id)) key_data = keyclient.retrieve_key( key_id, trans_wrapped_session_key=wrapped_session_key) print_key_data(key_data) unwrapped_key = crypto.symmetric_unwrap(key_data.encrypted_data, session_key, nonce_iv=key_data.nonce_data) key1 = b64encode(unwrapped_key) # Test 7: Recover key without providing trans_wrapped_session_key key_data = keyclient.retrieve_key(key_id) print_key_data(key_data) key2 = b64encode(key_data.data) # Test 8 - Confirm that keys returned are the same if key1 == key2: print("Success: The keys returned match! Key = " + str(key1)) else: print("Failure: The returned keys do not match!") print("key1: " + key1) print("key2: " + key2) # Test 10 = test BadRequestException on create() print("Trying to generate a new symkey with the same client ID") try: keyclient.generate_symmetric_key(client_key_id, algorithm=algorithm, size=key_size, usages=usages) except pki.BadRequestException as exc: print("BadRequestException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 11 - Test RequestNotFoundException on get_request_info print("Try to list a nonexistent request") try: keyclient.get_request_info('200000034') except pki.RequestNotFoundException as exc: print("RequestNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 12 - Test exception on retrieve_key. print("Try to retrieve an invalid key") try: keyclient.retrieve_key('2000003434') except pki.KeyNotFoundException as exc: print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 13 = getKeyInfo print("Get key info for existing key") key_info = keyclient.get_key_info(key_id) print_key_info(key_info) # Test 14: get the active key print("Get the active key for client id: " + client_key_id) key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) # Test 15: change the key status print("Change the key status") keyclient.modify_key_status(key_id, keyclient.KEY_STATUS_INACTIVE) print_key_info(keyclient.get_key_info(key_id)) # Test 16: Get key info for non-existent key print("Get key info for non-existent key") try: keyclient.get_key_info('200004556') except pki.KeyNotFoundException as exc: print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 17: Get key info for non-existent active key print("Get non-existent active key") try: key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) except pki.ResourceNotFoundException as exc: print("ResourceNotFoundException thrown - Code: " + exc.code + "Message: " + exc.message) # Test 18: Generate a symmetric key with default parameters client_key_id = "Vek #3" + time.strftime('%c') response = keyclient.generate_symmetric_key(client_key_id) print_key_request(response.request_info) # Test 19: Try to archive key print("try to archive key") print("key to archive: " + key1) client_key_id = "Vek #4" + time.strftime('%c') response = keyclient.archive_key(client_key_id, keyclient.SYMMETRIC_KEY_TYPE, b64decode(key1), key_algorithm=keyclient.AES_ALGORITHM, key_size=128) print_key_request(response.request_info) # Test 20: Lets get it back key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) key_data = keyclient.retrieve_key(key_info.get_key_id()) print_key_data(key_data) key2 = b64encode(key_data.data) if key1 == key2: print("Success: archived and recovered keys match") else: print("Error: archived and recovered keys do not match") print() # Test 20: Generating asymmetric keys print("Generating asymmetric keys") try: response = keyclient.generate_asymmetric_key("Vek #5" + time.strftime('%c'), algorithm="RSA", key_size=1024, usages=None) print_key_request(response.request_info) except pki.BadRequestException as exc: print("BadRequestException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 21: Get key information of the newly generated asymmetric keys print("Retrieving key information") key_info = keyclient.get_key_info(response.request_info.get_key_id()) print_key_info(key_info)
parser = argparse.ArgumentParser() parser.add_argument("--hostname", help="<CA hostname>") parser.add_argument("--port", help="<CA Port Number>") parser.add_argument("--client-cert", help="path for admin.pem certificate") parser.add_argument("--number-of-clients", help="Number of thread", type=int) parser.add_argument("--number-of-tests-per-client", help="Number of test per thread", type=int) parser.add_argument("--ca-cert-path", help="path for CA signing certifcate") log = logging.getLogger() logging.basicConfig(stream=sys.stdout, level=logging.INFO) args = parser.parse_args() # Create a PKIConnection object that stores the details of the CA. connection = PKIConnection('https', args.hostname, args.port, cert_paths=args.ca_cert_path) # The pem file used for authentication. Created from a p12 file using the # command - # openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes connection.set_authentication_cert(args.client_cert) # Instantiate the CertClient cert_client = CertClient(connection) class cert_enroll(object): """ #This class will enroll the certificate. """
def run_test(protocol, hostname, port, client_cert, certdb_dir, certdb_password): """ test code execution """ # set up the connection to the DRM, including authentication credentials connection = PKIConnection(protocol, hostname, port, 'kra') connection.set_authentication_cert(client_cert) # create kraclient crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password) kraclient = KRAClient(connection, crypto) keyclient = kraclient.keys # Get transport cert and insert in the certdb transport_nick = "kra transport cert" transport_cert = kraclient.system_certs.get_transport_cert() print("Subject DN: " + transport_cert.subject_dn) print(transport_cert.encoded) crypto.import_cert(transport_nick, transport_cert) # initialize the certdb for crypto operations # for NSS db, this must be done after importing the transport cert crypto.initialize() # set transport cert into keyclient keyclient.set_transport_cert(transport_nick) # Test 2: Get key request info print("Now getting key request") try: key_request = keyclient.get_request_info('2') print_key_request(key_request) except pki.RequestNotFoundException: pass # Test 3: List requests print("Now listing some requests") keyrequests = keyclient.list_requests('complete', 'securityDataRecovery') print(keyrequests.key_requests) for request in keyrequests.key_requests: print_key_request(request) # Test 4: generate symkey -- same as barbican_encode() print("Now generating symkey on KRA") client_key_id = "Vek #1" + time.strftime('%c') algorithm = "AES" key_size = 128 usages = [key.SymKeyGenerationRequest.DECRYPT_USAGE, key.SymKeyGenerationRequest.ENCRYPT_USAGE] response = keyclient.generate_symmetric_key(client_key_id, algorithm=algorithm, size=key_size, usages=usages) print_key_request(response.request_info) print("Request ID is " + response.request_info.get_request_id()) key_id = response.get_key_id() # Test 5: Confirm the key_id matches print("Now getting key ID for clientKeyID=\"" + client_key_id + "\"") key_infos = keyclient.list_keys(client_key_id=client_key_id, status=keyclient.KEY_STATUS_ACTIVE) key_id2 = None for key_info in key_infos.key_infos: print_key_info(key_info) key_id2 = key_info.get_key_id() if key_id == key_id2: print("Success! The keys from generation and search match.") else: print("Failure - key_ids for generation do not match!") # Test 6: Barbican_decode() - Retrieve while providing # trans_wrapped_session_key session_key = crypto.generate_session_key() wrapped_session_key = crypto.asymmetric_wrap(session_key, keyclient.transport_cert) print("My key id is " + str(key_id)) key_data = keyclient.retrieve_key( key_id, trans_wrapped_session_key=wrapped_session_key) print_key_data(key_data) unwrapped_key = crypto.symmetric_unwrap(key_data.encrypted_data, session_key, nonce_iv=key_data.nonce_data) key1 = b64encode(unwrapped_key) # Test 7: Recover key without providing trans_wrapped_session_key key_data = keyclient.retrieve_key(key_id) print_key_data(key_data) key2 = b64encode(key_data.data) # Test 8 - Confirm that keys returned are the same if key1 == key2: print("Success: The keys returned match! Key = " + str(key1)) else: print("Failure: The returned keys do not match!") print("key1: " + key1) print("key2: " + key2) # Test 10 = test BadRequestException on create() print("Trying to generate a new symkey with the same client ID") try: keyclient.generate_symmetric_key(client_key_id, algorithm=algorithm, size=key_size, usages=usages) except pki.BadRequestException as exc: print("BadRequestException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 11 - Test RequestNotFoundException on get_request_info print("Try to list a nonexistent request") try: keyclient.get_request_info('200000034') except pki.RequestNotFoundException as exc: print("RequestNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 12 - Test exception on retrieve_key. print("Try to retrieve an invalid key") try: keyclient.retrieve_key('2000003434') except pki.KeyNotFoundException as exc: print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 13 = getKeyInfo print("Get key info for existing key") key_info = keyclient.get_key_info(key_id) print_key_info(key_info) # Test 14: get the active key print("Get the active key for client id: " + client_key_id) key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) # Test 15: change the key status print("Change the key status") keyclient.modify_key_status(key_id, keyclient.KEY_STATUS_INACTIVE) print_key_info(keyclient.get_key_info(key_id)) # Test 16: Get key info for non-existent key print("Get key info for non-existent key") try: keyclient.get_key_info('200004556') except pki.KeyNotFoundException as exc: print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 17: Get key info for non-existent active key print("Get non-existent active key") try: key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) except pki.ResourceNotFoundException as exc: print("ResourceNotFoundException thrown - Code: " + exc.code + "Message: " + exc.message) # Test 18: Generate a symmetric key with default parameters client_key_id = "Vek #3" + time.strftime('%c') response = keyclient.generate_symmetric_key(client_key_id) print_key_request(response.request_info) # Test 19: Try to archive key print("try to archive key") print("key to archive: " + key1) client_key_id = "Vek #4" + time.strftime('%c') response = keyclient.archive_key(client_key_id, keyclient.SYMMETRIC_KEY_TYPE, b64decode(key1), key_algorithm=keyclient.AES_ALGORITHM, key_size=128) print_key_request(response.request_info) # Test 20: Lets get it back key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) key_data = keyclient.retrieve_key(key_info.get_key_id()) print_key_data(key_data) key2 = b64encode(key_data.data) if key1 == key2: print("Success: archived and recovered keys match") else: print("Error: archived and recovered keys do not match") print() # Test 20: Generating asymmetric keys print("Generating asymmetric keys") try: response = keyclient.generate_asymmetric_key( "Vek #5" + time.strftime('%c'), algorithm="RSA", key_size=1024, usages=None ) print_key_request(response.request_info) except pki.BadRequestException as exc: print("BadRequestException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 21: Get key information of the newly generated asymmetric keys print("Retrieving key information") key_info = keyclient.get_key_info(response.request_info.get_key_id()) print_key_info(key_info)
def check(self): if not self.instance.exists(): logger.debug('Invalid instance: %s', self.instance.name) yield Result(self, constants.CRITICAL, msg='Invalid PKI instance: %s' % self.instance.name) return self.instance.load() ca = self.instance.get_subsystem('ca') if not ca: logger.info( "No CA configured, skipping dogtag CA connectivity check") return try: # Make a plain HTTP GET request to /ca/admin/ca/getStatus REST api end point # and check if the CA is ready if ca.is_ready(): logger.debug("CA instance is running") # Make a plain HTTPS GET to "find" one certificate, to test that # the server is up AND is able to respond back connection = PKIConnection(protocol='https', hostname='localhost', port='8443', verify=False) cert_client = CertClient(connection) cert = cert_client.list_certs(size=1) cert_info = cert.cert_data_info_list[0] if cert_info: # All we care is whether the serial_number is not NONE if cert_info.serial_number: logger.info("Serial number of retrieved cert: %s", cert_info.serial_number) yield Result(self, constants.SUCCESS, serial_number=cert_info.serial_number, subject_dn=cert_info.subject_dn) else: logger.info( "Serial number cannot retrieved for cert: %s", cert_info) yield Result( self, constants.ERROR, msg= "Unable to read serial number from retrieved cert", cert_info=cert_info, serverURI=connection.serverURI, cert_url=cert_client.cert_url) else: logger.info( "Request was made but none of the certs were retrieved" ) yield Result( self, constants.ERROR, msg= "PKI server is up. But, unable to retrieve any certs", serverURI=connection.serverURI, rest_path=cert_client.cert_url) else: yield Result(self, constants.CRITICAL, msg='CA subsystem is down') except BaseException as e: logger.error("Internal server error %s", e) yield Result(self, constants.CRITICAL, msg="Internal server error. Is your CA subsystem and " "LDAP database up?", instance_name=self.instance.name, exception="%s" % e)
def check(self): if not self.instance.exists(): logger.debug('Invalid instance: %s', self.instance.name) yield Result(self, constants.CRITICAL, msg='Invalid PKI instance: %s' % self.instance.name) return self.instance.load() kra = self.instance.get_subsystem('kra') if not kra: logger.info( "No KRA configured, skipping dogtag KRA connectivity check") return try: # Make a plain HTTP GET request to /kra/admin/kra/getStatus REST api end point # and check if the KRA is up if kra.is_ready(): logger.info("KRA instance is running.") # Make a plain HTTPS GET to retrieve KRA transport cert, to test that # the server is up AND is able to respond back connection = PKIConnection(protocol='https', hostname='localhost', port='8443', verify=False) system_cert_client = SystemCertClient(connection) # This gets the KRA cert from CS.cfg via REST API. In future, the system # certs will be moved into LDAP. This means that even if LDAP is down # there will be a SUCCESSFUL response if KRA is running. transport_cert = system_cert_client.get_transport_cert() if transport_cert: if transport_cert.serial_number: logger.info( "Serial number of retrieved transport cert: %s", transport_cert.serial_number) yield Result( self, constants.SUCCESS, serial_number=transport_cert.serial_number, subject_dn=transport_cert.subject_dn) else: logger.info( "Serial number cannot retrieved for transport cert: %s", transport_cert) yield Result( self, constants.ERROR, msg= "Unable to read serial number from retrieved cert", cert_info=transport_cert, serverURI=connection.serverURI, rest_path=system_cert_client.cert_url) else: logger.info( "Request was made but the transport cert cannot be retrieved" ) yield Result( self, constants.ERROR, msg= "KRA server is up. But, unable to retrieve transport cert", serverURI=connection.serverURI, rest_path=system_cert_client.cert_url) else: yield Result(self, constants.CRITICAL, msg='KRA subsystem is down') except BaseException as e: logger.error("Internal server error %s", e) yield Result( self, constants.CRITICAL, msg="Internal server error. Is your KRA subsystem and " "LDAP database up?", instance_name=self.instance.name, exception="%s" % e)