def _setup_nss_db_services(conf): """Sets up NSS Crypto functions This sets up the NSSCryptoProvider and the database it needs for it to store certificates. If the path specified in the configuration is already existent, it will assume that the database is already setup. This will also import the transport cert needed by the KRA if the NSS DB was created. """ nss_db_path, nss_password = (conf.dogtag_plugin.nss_db_path, conf.dogtag_plugin.nss_password) if nss_db_path is None: LOG.warning(u._LW("nss_db_path was not provided so the crypto " "provider functions were not initialized.")) return None if nss_password is None: raise ValueError(u._("nss_password is required")) nss_db_created = _create_nss_db_if_needed(nss_db_path, nss_password) crypto = cryptoutil.NSSCryptoProvider(nss_db_path, nss_password) if nss_db_created: _import_kra_transport_cert_to_nss_db(conf, crypto) return crypto
def _call_pkcs11(self, func, *args, **kwargs): # Wrap pkcs11 calls to enable a single retry when exceptions are raised # that can be fixed by reinitializing the pkcs11 library try: return func(*args, **kwargs) except (exception.PKCS11Exception) as pe: LOG.warning(u._LW("Reinitializing PKCS#11 library: %s"), pe) self._reinitialize_pkcs11() return func(*args, **kwargs)
def on_get(self, external_project_id, **kwargs): if controllers.is_json_request_accept(pecan.request): resp = self._on_get_secret_metadata(self.secret, **kwargs) LOG.info(u._LI('Retrieved secret metadata for project: %s'), external_project_id) return resp else: LOG.warning( u._LW('Decrypted secret %s requested using deprecated ' 'API call.'), self.secret.id) return self._on_get_secret_payload(self.secret, external_project_id, **kwargs)
def on_get(self, external_project_id, **kwargs): if controllers.is_json_request_accept(pecan.request): resp = self._on_get_secret_metadata(self.secret, **kwargs) LOG.info(u._LI('Retrieved secret metadata for project: %s'), external_project_id) return resp else: LOG.warning(u._LW('Decrypted secret %s requested using deprecated ' 'API call.'), self.secret.id) return self._on_get_secret_payload(self.secret, external_project_id, **kwargs)
def _wrap(*args, **kwargs): try: return f(*args, **kwargs) except sqlalchemy.exc.OperationalError as e: if not is_db_connection_error(e.args[0]): raise remaining_attempts = CONF.sql_max_retries while True: LOG.warning(u._LW('SQL connection failed. %d attempts left.'), remaining_attempts) remaining_attempts -= 1 time.sleep(CONF.sql_retry_interval) try: return f(*args, **kwargs) except sqlalchemy.exc.OperationalError as e: if (remaining_attempts <= 0 or not is_db_connection_error(e.args[0])): raise except sqlalchemy.exc.DBAPIError: raise except sqlalchemy.exc.DBAPIError: raise
def __init__(self, conf=CONF): """Initializes KMIPSecretStore Creates a dictionary of mappings between SecretStore enum values and pyKMIP enum values. Initializes the KMIP client with credentials needed to connect to the KMIP server. """ super(KMIPSecretStore, self).__init__() self.valid_alg_dict = { ss.KeyAlgorithm.AES: { KMIPSecretStore.VALID_BIT_LENGTHS: [128, 192, 256], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.AES }, ss.KeyAlgorithm.DES: { KMIPSecretStore.VALID_BIT_LENGTHS: [56], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.DES }, ss.KeyAlgorithm.DESEDE: { KMIPSecretStore.VALID_BIT_LENGTHS: [56, 64, 112, 128, 168, 192], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.TRIPLE_DES }, ss.KeyAlgorithm.DSA: { KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.DSA }, ss.KeyAlgorithm.HMACSHA1: { KMIPSecretStore.VALID_BIT_LENGTHS: [], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.HMAC_SHA1 }, ss.KeyAlgorithm.HMACSHA256: { KMIPSecretStore.VALID_BIT_LENGTHS: [], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.HMAC_SHA256 }, ss.KeyAlgorithm.HMACSHA384: { KMIPSecretStore.VALID_BIT_LENGTHS: [], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.HMAC_SHA384 }, ss.KeyAlgorithm.HMACSHA512: { KMIPSecretStore.VALID_BIT_LENGTHS: [], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.HMAC_SHA512 }, ss.KeyAlgorithm.RSA: { KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072, 4096], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.RSA }, } self.pkcs1_only = conf.kmip_plugin.pkcs1_only if self.pkcs1_only: LOG.debug("KMIP secret store only supports PKCS#1") del self.valid_alg_dict[ss.KeyAlgorithm.DSA] self.kmip_barbican_alg_map = { enums.CryptographicAlgorithm.AES: ss.KeyAlgorithm.AES, enums.CryptographicAlgorithm.DES: ss.KeyAlgorithm.DES, enums.CryptographicAlgorithm.TRIPLE_DES: ss.KeyAlgorithm.DESEDE, enums.CryptographicAlgorithm.DSA: ss.KeyAlgorithm.DSA, enums.CryptographicAlgorithm.HMAC_SHA1: ss.KeyAlgorithm.HMACSHA1, enums.CryptographicAlgorithm.HMAC_SHA256: ss.KeyAlgorithm.HMACSHA256, enums.CryptographicAlgorithm.HMAC_SHA384: ss.KeyAlgorithm.HMACSHA384, enums.CryptographicAlgorithm.HMAC_SHA512: ss.KeyAlgorithm.HMACSHA512, enums.CryptographicAlgorithm.RSA: ss.KeyAlgorithm.RSA } self.plugin_name = conf.kmip_plugin.plugin_name if conf.kmip_plugin.keyfile is not None: self._validate_keyfile_permissions(conf.kmip_plugin.keyfile) if (conf.kmip_plugin.username is None) and (conf.kmip_plugin.password is None): self.credential = None else: credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD credential_value = { 'Username': conf.kmip_plugin.username, 'Password': conf.kmip_plugin.password } self.credential = ( credentials.CredentialFactory().create_credential( credential_type, credential_value)) config = conf.kmip_plugin # Use TLSv1_2, if present tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None) if tlsv12: config.ssl_version = 'PROTOCOL_TLSv1_2' LOG.info(u._LI('Going to use TLS1.2...')) else: LOG.warning(u._LW('TLSv1_2 is not present on the System')) self.client = client.ProxyKmipClient(hostname=config.host, port=config.port, cert=config.certfile, key=config.keyfile, ca=config.ca_certs, ssl_version=config.ssl_version, username=config.username, password=config.password)
def __init__(self, conf=CONF): self.master_kek = conf.simple_crypto_plugin.kek LOG.warning(u._LW("This plugin is NOT meant for a production " "environment. This is meant just for development " "and testing purposes. Please use another plugin " "for production."))
from barbican import api from barbican.api import controllers from barbican.common import hrefs from barbican.common import quota from barbican.common import resources as res from barbican.common import utils from barbican.common import validators from barbican import i18n as u from barbican.model import models from barbican.model import repositories as repo from barbican.queue import client as async_client LOG = utils.getLogger(__name__) _DEPRECATION_MSG = u._LW('%s has been deprecated in the Newton release. It ' 'will be removed in the Pike release.') def _order_not_found(): """Throw exception indicating order not found.""" pecan.abort( 404, u._('Not Found. Sorry but your order is in ' 'another castle.')) def _secret_not_in_order(): """Throw exception that secret info is not available in the order.""" pecan.abort(400, u._("Secret metadata expected but not received.")) def _order_update_not_supported():
def __init__(self, conf=CONF): """Initializes KMIPSecretStore Creates a dictionary of mappings between SecretStore enum values and pyKMIP enum values. Initializes the KMIP client with credentials needed to connect to the KMIP server. """ super(KMIPSecretStore, self).__init__() self.valid_alg_dict = { ss.KeyAlgorithm.AES: { KMIPSecretStore.VALID_BIT_LENGTHS: [128, 192, 256], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.AES}, ss.KeyAlgorithm.DES: { KMIPSecretStore.VALID_BIT_LENGTHS: [56], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.DES}, ss.KeyAlgorithm.DESEDE: { KMIPSecretStore.VALID_BIT_LENGTHS: [56, 64, 112, 128, 168, 192], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.TRIPLE_DES}, ss.KeyAlgorithm.DSA: { KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.DSA}, ss.KeyAlgorithm.HMACSHA1: { KMIPSecretStore.VALID_BIT_LENGTHS: [], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.HMAC_SHA1}, ss.KeyAlgorithm.HMACSHA256: { KMIPSecretStore.VALID_BIT_LENGTHS: [], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.HMAC_SHA256}, ss.KeyAlgorithm.HMACSHA384: { KMIPSecretStore.VALID_BIT_LENGTHS: [], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.HMAC_SHA384}, ss.KeyAlgorithm.HMACSHA512: { KMIPSecretStore.VALID_BIT_LENGTHS: [], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.HMAC_SHA512}, ss.KeyAlgorithm.RSA: { KMIPSecretStore.VALID_BIT_LENGTHS: [1024, 2048, 3072, 4096], KMIPSecretStore.KMIP_ALGORITHM_ENUM: enums.CryptographicAlgorithm.RSA}, } self.pkcs1_only = conf.kmip_plugin.pkcs1_only if self.pkcs1_only: LOG.debug("KMIP secret store only supports PKCS#1") del self.valid_alg_dict[ss.KeyAlgorithm.DSA] self.kmip_barbican_alg_map = { enums.CryptographicAlgorithm.AES: ss.KeyAlgorithm.AES, enums.CryptographicAlgorithm.DES: ss.KeyAlgorithm.DES, enums.CryptographicAlgorithm.TRIPLE_DES: ss.KeyAlgorithm.DESEDE, enums.CryptographicAlgorithm.DSA: ss.KeyAlgorithm.DSA, enums.CryptographicAlgorithm.HMAC_SHA1: ss.KeyAlgorithm.HMACSHA1, enums.CryptographicAlgorithm.HMAC_SHA256: ss.KeyAlgorithm.HMACSHA256, enums.CryptographicAlgorithm.HMAC_SHA384: ss.KeyAlgorithm.HMACSHA384, enums.CryptographicAlgorithm.HMAC_SHA512: ss.KeyAlgorithm.HMACSHA512, enums.CryptographicAlgorithm.RSA: ss.KeyAlgorithm.RSA } if conf.kmip_plugin.keyfile is not None: self._validate_keyfile_permissions(conf.kmip_plugin.keyfile) if (conf.kmip_plugin.username is None) and ( conf.kmip_plugin.password is None): self.credential = None else: credential_type = credentials.CredentialType.USERNAME_AND_PASSWORD credential_value = {'Username': conf.kmip_plugin.username, 'Password': conf.kmip_plugin.password} self.credential = ( credentials.CredentialFactory().create_credential( credential_type, credential_value)) config = conf.kmip_plugin # Use TLSv1_2, if present tlsv12 = getattr(ssl, "PROTOCOL_TLSv1_2", None) if tlsv12: config.ssl_version = 'PROTOCOL_TLSv1_2' LOG.info(u._LI('Going to use TLS1.2...')) else: LOG.warning(u._LW('TLSv1_2 is not present on the System')) self.client = client.ProxyKmipClient( hostname=config.host, port=config.port, cert=config.certfile, key=config.keyfile, ca=config.ca_certs, ssl_version=config.ssl_version, username=config.username, password=config.password)