Exemple #1
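    def master_keys(self):
        """Get all usable DNSSEC master keys.

        Queries ``self.find_keys`` for secret-key objects labelled
        ``dnssec-master`` with ``cka_unwrap=True`` and returns that result
        unchanged after verifying the label of every returned key.

        :raises AssertionError: if a returned key has a different label.
        """
        prefix = 'dnssec-master'
        keys = self.find_keys(objclass=_ipap11helper.KEY_CLASS_SECRET_KEY,
                              label=u'dnssec-master', cka_unwrap=True)

        for key in keys.values():
            # Raised explicitly instead of via ``assert``: assert statements
            # are removed under ``python -O``, which would silently disable
            # this label check on keys that are usable for unwrapping.
            if key['ipk11label'] != prefix:
                raise AssertionError(
                    'secret key ipk11id=0x%s ipk11label="%s" with ipk11UnWrap '
                    '= TRUE does not have "%s" key label' % (
                        str_hexlify(key['ipk11id']),
                        str(key['ipk11label']), prefix
                    )
                )

        return keys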
Exemple #2
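    def master_keys(self):
        """Get all usable DNSSEC master keys.

        Asks ``self.find_keys`` for secret keys labelled ``dnssec-master``
        with ``cka_unwrap=True``, checks each returned key's label, and
        hands back the dict it received.

        :raises AssertionError: if a returned key has a different label.
        """
        prefix = 'dnssec-master'
        keys = self.find_keys(objclass=_ipap11helper.KEY_CLASS_SECRET_KEY,
                              label=u'dnssec-master', cka_unwrap=True)

        for key in keys.values():
            if key['ipk11label'] == prefix:
                continue
            # An explicit raise keeps this integrity check active under
            # ``python -O``, where a plain ``assert`` would be compiled out.
            raise AssertionError(
                'secret key ipk11id=0x%s ipk11label="%s" with ipk11UnWrap '
                '= TRUE does not have "%s" key label' % (
                    str_hexlify(key['ipk11id']),
                    str(key['ipk11label']), prefix
                )
            )

        return keys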
Exemple #3
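    def __init__(self, p11, handle):
        """Bind this object to *handle* on *p11* and sanity-check its identity.

        Reads CKA_ID and CKA_LABEL through ``p11.get_attribute`` and refuses
        objects that lack either attribute or carry an empty value.

        :param p11: helper object providing ``get_attribute``
        :param handle: object handle passed to ``get_attribute``
        :raises _ipap11helper.NotFound: if CKA_ID or CKA_LABEL is missing
        :raises AssertionError: if CKA_ID or CKA_LABEL is empty
        """
        self.p11 = p11
        self.handle = handle

        # sanity check CKA_ID and CKA_LABEL
        try:
            cka_id = self.p11.get_attribute(handle, _ipap11helper.CKA_ID)
        except _ipap11helper.NotFound:
            raise _ipap11helper.NotFound('key without ipk11id: handle %s' % handle)
        # Explicit raises rather than ``assert``: asserts are stripped under
        # ``python -O``, which would let an object with an empty ID or label
        # through unchecked.
        if len(cka_id) == 0:
            raise AssertionError('ipk11id length should not be 0')

        try:
            cka_label = self.p11.get_attribute(handle, _ipap11helper.CKA_LABEL)
        except _ipap11helper.NotFound:
            raise _ipap11helper.NotFound(
                'key without ipk11label: id 0x%s' % str_hexlify(cka_id))
        if len(cka_label) == 0:
            raise AssertionError('ipk11label length should not be 0')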
Exemple #4
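    def __init__(self, p11, handle):
        """Store *p11* and *handle*, then verify the object has an ID and label.

        CKA_ID and CKA_LABEL are fetched with ``p11.get_attribute``; a
        missing attribute is reported as ``NotFound`` and an empty one as
        ``AssertionError``.

        :param p11: helper object providing ``get_attribute``
        :param handle: object handle passed to ``get_attribute``
        :raises _ipap11helper.NotFound: if CKA_ID or CKA_LABEL is missing
        :raises AssertionError: if CKA_ID or CKA_LABEL is empty
        """
        self.p11 = p11
        self.handle = handle

        # sanity check CKA_ID and CKA_LABEL
        try:
            cka_id = self.p11.get_attribute(handle, _ipap11helper.CKA_ID)
        except _ipap11helper.NotFound:
            raise _ipap11helper.NotFound('key without ipk11id: handle %s' % handle)
        if not len(cka_id):
            # Not an ``assert``: the check must survive ``python -O``.
            raise AssertionError('ipk11id length should not be 0')

        try:
            cka_label = self.p11.get_attribute(handle, _ipap11helper.CKA_LABEL)
        except _ipap11helper.NotFound:
            raise _ipap11helper.NotFound(
                'key without ipk11label: id 0x%s' % str_hexlify(cka_id))
        if not len(cka_label):
            # Not an ``assert``: the check must survive ``python -O``.
            raise AssertionError('ipk11label length should not be 0')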
Exemple #5
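    def find_keys(self, **kwargs):
        """Return dict with Key objects matching given criteria.

        CKA_ID is used as key so all matching objects have to have unique ID.

        :param kwargs: search criteria forwarded to ``self.p11.find_keys``
        :raises AssertionError: if two matching objects share the same ID
        """

        # this is a hack for old p11-kit URI parser
        # see https://bugs.freedesktop.org/show_bug.cgi?id=85057
        # NOTE(review): str.replace rewrites every 'type=' substring, so a
        # URI that already says 'object-type=' would be rewritten again;
        # confirm callers only pass the short form.
        if 'uri' in kwargs:
            kwargs['uri'] = kwargs['uri'].replace('type=', 'object-type=')

        keys = {}
        for h in self.p11.find_keys(**kwargs):
            key = Key(self.p11, h)
            o_id = key['ipk11id']
            # Explicit raise instead of ``assert``: under ``python -O`` an
            # assert is dropped and a second object with the same ID would
            # silently replace the first one in the result.
            if o_id in keys:
                raise AssertionError(
                    'duplicate ipk11Id = 0x%s; keys = %s' % (
                        str_hexlify(o_id), keys))
            keys[o_id] = key

        return keys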
Exemple #6
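    def find_keys(self, **kwargs):
        """Return dict with Key objects matching given criteria.

        CKA_ID is used as key so all matching objects have to have unique ID.

        :param kwargs: search criteria forwarded to ``self.p11.find_keys``
        :raises AssertionError: if two matching objects share the same ID
        """

        # this is a hack for old p11-kit URI parser
        # see https://bugs.freedesktop.org/show_bug.cgi?id=85057
        # NOTE(review): every 'type=' substring is rewritten, including one
        # inside an existing 'object-type='; confirm the expected URI form.
        if 'uri' in kwargs:
            kwargs['uri'] = kwargs['uri'].replace('type=', 'object-type=')

        handles = self.p11.find_keys(**kwargs)
        keys = {}
        for h in handles:
            key = Key(self.p11, h)
            o_id = key['ipk11id']
            if o_id in keys:
                # Raised directly so the uniqueness check is not compiled
                # out by ``python -O``; without it the later object would
                # overwrite the earlier dict entry unnoticed.
                raise AssertionError(
                    'duplicate ipk11Id = 0x%s; keys = %s' % (
                        str_hexlify(o_id), keys))
            keys[o_id] = key

        return keys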
Exemple #7
        params['unwrapping_key'] = unwrapping_key.handle

        h = self.p11.import_wrapped_private_key(**params)
        return Key(self.p11, h)


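if __name__ == '__main__':
    # Debug entry point: open the local DNSSEC token and dump its keys.
    if 'SOFTHSM2_CONF' not in os.environ:
        os.environ['SOFTHSM2_CONF'] = paths.DNSSEC_SOFTHSM2_CONF

    # Read the token PIN inside a context manager so the file descriptor is
    # closed right away instead of whenever the file object gets collected.
    with open(paths.DNSSEC_SOFTHSM_PIN) as pin_file:
        pin = pin_file.read()
    localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
                        pin)

    # NOTE(review): the sections below pretty-print key objects to stdout;
    # what that reveals depends on how Key renders itself, so confirm the
    # output is acceptable wherever this is captured or logged.
    print('replica public keys: CKA_WRAP = TRUE')
    print('====================================')
    for pubkey_id, pubkey in localhsm.replica_pubkeys_wrap.items():
        print(str_hexlify(pubkey_id))
        pprint(pubkey)

    print('')
    print('replica public keys: all')
    print('========================')
    for pubkey_id, pubkey in localhsm.replica_pubkeys.items():
        print(str_hexlify(pubkey_id))
        pprint(pubkey)

    print('')
    print('master keys')
    print('===========')
    for mkey_id, mkey in localhsm.master_keys.items():
        print(str_hexlify(mkey_id))
        pprint(mkey)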
Exemple #8
        params['unwrapping_key'] = unwrapping_key.handle

        h = self.p11.import_wrapped_private_key(**params)
        return Key(self.p11, h)


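if __name__ == '__main__':
    # Debug entry point: connect to the local DNSSEC token and list its keys.
    if 'SOFTHSM2_CONF' not in os.environ:
        os.environ['SOFTHSM2_CONF'] = paths.DNSSEC_SOFTHSM2_CONF

    # The PIN file is opened with ``with`` so its handle is released as soon
    # as the PIN has been read, rather than being left to the interpreter.
    with open(paths.DNSSEC_SOFTHSM_PIN) as pin_file:
        token_pin = pin_file.read()
    localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
                        token_pin)

    # NOTE(review): key objects are pretty-printed to stdout below; the
    # detail shown depends on Key's own rendering, so check that it is fine
    # for wherever this output ends up.
    print('replica public keys: CKA_WRAP = TRUE')
    print('====================================')
    for pubkey_id, pubkey in localhsm.replica_pubkeys_wrap.items():
        print(str_hexlify(pubkey_id))
        pprint(pubkey)

    print('')
    print('replica public keys: all')
    print('========================')
    for pubkey_id, pubkey in localhsm.replica_pubkeys.items():
        print(str_hexlify(pubkey_id))
        pprint(pubkey)

    print('')
    print('master keys')
    print('===========')
    for mkey_id, mkey in localhsm.master_keys.items():
        print(str_hexlify(mkey_id))
        pprint(mkey)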