def generate_symmetric(self, generate_dto, kek_meta_dto, keystone_id):
"""Generate a symmetric key
This calls generate_symmetric_key() on the DRM passing in the
algorithm, bit_length and id (used as the client_key_id) from
the secret. The remaining parameters are not used.
Returns a keyId which will be stored in an EncryptedDatum
table for later retrieval.
"""
usages = [
key.SymKeyGenerationRequest.DECRYPT_USAGE,
key.SymKeyGenerationRequest.ENCRYPT_USAGE
]
client_key_id = uuid.uuid4().hex
algorithm = self._map_algorithm(generate_dto.algorithm.lower())
if algorithm is None:
raise DogtagPluginAlgorithmException
response = self.keyclient.generate_symmetric_key(
client_key_id, algorithm, generate_dto.bit_length, usages)
return plugin.ResponseDTO(response.get_key_id(), None)
def encrypt(self, encrypt_dto, kek_meta_dto, keystone_id):
key = self._get_key_by_label(kek_meta_dto.kek_label)
iv = self._generate_iv()
gcm = self._build_gcm_params(iv)
mech = PyKCS11.Mechanism(self.algorithm, gcm)
encrypted = self.session.encrypt(key, encrypt_dto.unencrypted, mech)
cyphertext = b''.join(chr(i) for i in encrypted)
kek_meta_extended = json.dumps({
'iv': base64.b64encode(iv)
})
return plugin.ResponseDTO(cyphertext, kek_meta_extended)
def encrypt(self, encrypt_dto, kek_meta_dto, keystone_id):
"""Store a secret in the DRM
This will likely require another parameter which includes the wrapped
session key to be passed. Until that is added, we will call
archive_key() which relies on the DRM python client to create the
session keys.
We may also be able to be more specific in terms of the data_type
if we know that the data being stored is a symmetric key. Until
then, we need to assume that the secret is pass_phrase_type.
"""
data_type = key.KeyClient.PASS_PHRASE_TYPE
client_key_id = uuid.uuid4().hex
response = self.keyclient.archive_key(client_key_id,
data_type,
encrypt_dto.unencrypted,
key_algorithm=None,
key_size=None)
return plugin.ResponseDTO(response.get_key_id(), None)
def generate_asymmetric(self, generate_dto, kek_meta_dto, keystone_id):
return (plugin.ResponseDTO('insecure_private_key', None),
plugin.ResponseDTO('insecure_public_key', None), None)
def generate_symmetric(self, generate_dto, kek_meta_dto, keystone_id):
return plugin.ResponseDTO("encrypted insecure key", None)
def encrypt(self, encrypt_dto, kek_meta_dto, keystone_id):
cypher_text = b'cypher_text'
return plugin.ResponseDTO(cypher_text, None)