def generate_asymmetric(self, generate_dto, kek_meta_dto, project_id):
"""Generate asymmetric keys based on below rules:
- RSA, with passphrase (supported)
- RSA, without passphrase (supported)
- DSA, without passphrase (supported)
- DSA, with passphrase (supported)
"""
if (generate_dto.algorithm is None
or generate_dto.algorithm.lower() == 'rsa'):
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=generate_dto.bit_length,
backend=default_backend())
elif generate_dto.algorithm.lower() == 'dsa':
private_key = dsa.generate_private_key(
key_size=generate_dto.bit_length, backend=default_backend())
else:
raise c.CryptoPrivateKeyFailureException()
public_key = private_key.public_key()
if generate_dto.algorithm.lower() == 'rsa':
private_key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=self._get_encryption_algorithm(
generate_dto.passphrase))
public_key = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
if generate_dto.algorithm.lower() == 'dsa':
private_key = private_key.private_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=self._get_encryption_algorithm(
generate_dto.passphrase))
public_key = public_key.public_bytes(
encoding=serialization.Encoding.DER,
format=serialization.PublicFormat.SubjectPublicKeyInfo)
private_dto = self.encrypt(c.EncryptDTO(private_key), kek_meta_dto,
project_id)
public_dto = self.encrypt(c.EncryptDTO(public_key), kek_meta_dto,
project_id)
passphrase_dto = None
if generate_dto.passphrase:
if isinstance(generate_dto.passphrase, six.text_type):
generate_dto.passphrase = generate_dto.passphrase.encode(
'utf-8')
passphrase_dto = self.encrypt(
c.EncryptDTO(generate_dto.passphrase), kek_meta_dto,
project_id)
return private_dto, public_dto, passphrase_dto
def generate_asymmetric(self, generate_dto, kek_meta_dto, project_id):
"""Generate asymmetric keys based on below rules:
- RSA, with passphrase (supported)
- RSA, without passphrase (supported)
- DSA, without passphrase (supported)
- DSA, with passphrase (not supported)
Note: PyCrypto is not capable of serializing DSA
keys and DER formatted keys. Such keys will be
serialized to Base64 PEM to store in DB.
TODO (atiwari/reaperhulk): PyCrypto is not capable to serialize
DSA keys and DER formatted keys, later we need to pick better
crypto lib.
"""
if (generate_dto.algorithm is None
or generate_dto.algorithm.lower() == 'rsa'):
private_key = RSA.generate(generate_dto.bit_length, None, None,
65537)
elif generate_dto.algorithm.lower() == 'dsa':
private_key = DSA.generate(generate_dto.bit_length, None, None)
else:
raise c.CryptoPrivateKeyFailureException()
public_key = private_key.publickey()
# Note (atiwari): key wrapping format PEM only supported
if generate_dto.algorithm.lower() == 'rsa':
public_key, private_key = self._wrap_key(public_key, private_key,
generate_dto.passphrase)
if generate_dto.algorithm.lower() == 'dsa':
if generate_dto.passphrase:
raise ValueError(u._('Passphrase not supported for DSA key'))
public_key, private_key = self._serialize_dsa_key(
public_key, private_key)
private_dto = self.encrypt(c.EncryptDTO(private_key), kek_meta_dto,
project_id)
public_dto = self.encrypt(c.EncryptDTO(public_key), kek_meta_dto,
project_id)
passphrase_dto = None
if generate_dto.passphrase:
if isinstance(generate_dto.passphrase, six.text_type):
generate_dto.passphrase = generate_dto.passphrase.encode(
'utf-8')
passphrase_dto = self.encrypt(
c.EncryptDTO(generate_dto.passphrase), kek_meta_dto,
project_id)
return private_dto, public_dto, passphrase_dto