def dropSecurityModule(self, hsm_id=None, sessionId=None):
found = None
if hsm_id is None:
hsm_id = self.activeOne
if sessionId is None:
sessionId = str(_thread.get_ident())
if hsm_id not in self.config:
error = ('[SecurityProvider:dropSecurityModule] no config found '
'for hsm with id %r ' % hsm_id)
log.error(error)
raise HSMException(error, id=707)
return None
# find session
try:
pool = self._getHsmPool_(hsm_id)
self.rwLock.acquire_write()
found = self._findHSM4Session(pool, sessionId)
if found is None:
log.info(
'[SecurityProvider:dropSecurityModule] could not bind '
'hsm to session %r ' % hsm_id)
else:
self._freeHSMSession(pool, sessionId)
finally:
self.rwLock.release()
return True
def load_config(self, config):
'''
load the security modules configuration
'''
try:
## load backward compatible defaults
self. __createDefault__(config)
for key in config:
## lookup, which is the active security module
if key == 'linotpActiveSecurityModule':
self.activeOne = config.get(key)
log.debug("[SecurityProvider:load_config] setting active security module: %s" % self.activeOne)
if key.startswith('linotpSecurity'):
entry = key.replace('linotpSecurity.', '')
try:
(id, val) = entry.split('.')
except Exception as e:
error = ('[SecurityProvider:load_config] failed to '
'identify config entry: %s ' % (unicode(key)))
log.exception(error)
raise HSMException(error, id=707)
if self.config.has_key(id):
id_config = self.config.get(id)
id_config[val] = config.get(key)
else:
self.config[id] = {val:config.get(key) }
except Exception as e:
log.exception("[load_config] failed to identify module: %r " % e)
error = "failed to identify module: %s " % unicode(e)
raise HSMException(error, id=707)
## now create for each module a pool of hsm objects
self.rwLock.acquire_write()
try:
for id in self.config:
self.createHSMPool(id)
finally:
self.rwLock.release()
return
def hmac_digest(bkey, data_input, hsm=None, hash_algo=None):
if hsm:
hsm_obj = hsm.get('obj')
else:
if hasattr(c, 'hsm') is False or isinstance(c.hsm, dict) is False:
raise HSMException('no hsm defined in execution context!')
hsm_obj = c.hsm.get('obj')
if hsm_obj is None or hsm_obj.isReady() is False:
raise HSMException('hsm not ready!')
if hash_algo is None:
hash_algo = get_hashalgo_from_description('sha1')
h = hsm_obj.hmac_digest(bkey, data_input, hash_algo)
return h
def hash_digest(val, seed, algo=None, hsm=None):
if hsm:
hsm_obj = hsm.get('obj')
else:
if hasattr(c, 'hsm') is False or isinstance(c.hsm, dict) is False:
raise HSMException('no hsm defined in execution context!')
hsm_obj = c.hsm.get('obj')
if hsm_obj is None or hsm_obj.isReady() is False:
raise HSMException('hsm not ready!')
if algo is None:
algo = get_hashalgo_from_description('sha256')
h = hsm_obj.hash_digest(val.encode('utf-8'), seed, algo)
return h
def _get_hsm_obj_from_context(hsm=None):
"""Get the hsm from LinOTP request context
If no hsm parameter is given, we get the hsm from the LinOTP request context
(var context) which was extended some time ago.
:param hsm: hsm security object instance
:return: return the hsm object
:rtype:
"""
if hsm:
hsm_obj = hsm.get('obj')
else:
hsm_obj = context.get('hsm', {}).get('obj')
if not hsm_obj:
raise HSMException('no hsm defined in execution context!')
if hsm_obj.isReady() is False:
raise HSMException('hsm not ready!')
return hsm_obj
def decrypt(input, iv, id=0):
'''
decrypt a variable from the given input with an initialiation vector
:param input: buffer, which contains the crypted value
:type input: buffer of bytes
:param iv: initilaitation vector
:type iv: buffer (20 bytes random)
:param id: contains the id of which key of the keyset should be used
:type id: int
:return: decryted buffer
'''
log.debug('decrypt()')
if hasattr(c, 'hsm') == False or isinstance(c.hsm, dict) == False:
raise HSMException('no hsm defined in execution context!')
hsm = c.hsm.get('obj')
if hsm is None or hsm.isReady() == False:
raise HSMException('hsm not ready!')
ret = hsm.decrypt(input, iv, id)
return ret
def createHSMPool(self, hsm_id=None, *args, **kw):
"""
setup a pool of security providers
"""
pool = None
# amount has to be taken from the hsm-id config
if hsm_id is None:
provider_ids = self.config
else:
if hsm_id in self.config:
provider_ids = []
provider_ids.append(hsm_id)
else:
error = "[createHSMPool] failed to find hsm_id: %r" % hsm_id
log.error(error)
raise HSMException(error, id=707)
for provider_id in provider_ids:
pool = self._getHsmPool_(provider_id)
log.debug("[createHSMPool] already got this pool: %r", pool)
if pool is None:
# get the number of entries from the hsd (id) config
conf = self.config.get(provider_id)
poolsize = int(conf.get("poolsize", 10))
log.debug(
"[createHSMPool] creating pool for %r with size %r",
provider_id,
poolsize,
)
pool = []
for _i in range(0, poolsize):
error = ""
hsm = None
try:
hsm = self.loadSecurityModule(provider_id)
except FatalHSMException as exx:
log.error("[createHSMPool] %r %r ", provider_id, exx)
if provider_id == self.activeOne:
raise exx
error = "%r: %r" % (provider_id, exx)
except Exception as exx:
log.error("[createHSMPool] %r ", exx)
error = "%r: %r" % (provider_id, exx)
pool.append({"obj": hsm, "session": 0, "error": error})
self.hsmpool[provider_id] = pool
return pool
def geturandom(len=20):
'''
get random - from the security module
:param len: len of the returned bytes - defalt is 20 bytes
:tyrpe len: int
:return: buffer of bytes
'''
if hasattr(c, 'hsm') is False:
ret = os.urandom(len)
return ret
if isinstance(c.hsm, dict) is False:
raise HSMException('hsm not found!')
hsm = c.hsm.get('obj')
if hsm is None or hsm.isReady() is False:
raise HSMException('hsm not ready!')
ret = hsm.random(len)
return ret
def load_config(self, config):
"""
load the security modules configuration
"""
try:
security_provider = config.get("ACTIVE_SECURITY_MODULE", "default")
# self.active one is legacy.. therefore we set it here
self.activeOne = security_provider
log.debug(
"[SecurityProvider:load_config] setting active"
" security module: %s",
self.activeOne,
)
# add active provider config to self.config with the active
# provider as key and the config dict as value
if self.activeOne == "default":
default_security_provider_config = config.get(
"HSM_DEFAULT_CONFIG")
keyFile = config["SECRET_FILE"]
default_security_provider_config["file"] = keyFile
security_provider_config = {
"default": default_security_provider_config
}
self.config.update(security_provider_config)
if self.activeOne == "pkcs11":
security_provider_config = {
"pkcs11": config.get("HSM_PKCS11_CONFIG")
}
self.config.update(security_provider_config)
except Exception as e:
log.error("[load_config] failed to identify module")
error = "failed to identify module: %r " % e
raise HSMException(error, id=707)
# now create a pool of hsm objects for each module
self.rwLock.acquire_write()
try:
for id in self.config:
self.createHSMPool(id)
finally:
self.rwLock.release()
return
def load_config(self, config):
'''
load the security modules configuration
'''
try:
security_provider = config.get('ACTIVE_SECURITY_MODULE', 'default')
self.activeOne = security_provider # self.active one is legacy.. therefore we set it here
log.debug(
"[SecurityProvider:load_config] setting active"
" security module: %s", self.activeOne)
# add active provider config to self.config with the active
# provider as key and the config dict as value
if self.activeOne == 'default':
default_security_provider_config = config.get(
'HSM_DEFAULT_CONFIG')
keyFile = config['SECRET_FILE']
default_security_provider_config['file'] = keyFile
security_provider_config = {
'default': default_security_provider_config
}
self.config.update(security_provider_config)
if self.activeOne == 'pkcs11':
security_provider_config = {
'pkcs11': config.get('HSM_PKCS11_CONFIG')
}
self.config.update(security_provider_config)
except Exception as e:
log.exception("[load_config] failed to identify module")
error = "failed to identify module: %r " % e
raise HSMException(error, id=707)
# now create a pool of hsm objects for each module
self.rwLock.acquire_write()
try:
for id in self.config:
self.createHSMPool(id)
finally:
self.rwLock.release()
return
def createHSMPool(self, hsm_id=None, *args, **kw):
'''
setup a pool of secutity provider
'''
pool = None
## amount has to be taken from the hsm-id config
if hsm_id == None:
ids = self.config
else:
if self.config.has_key(hsm_id):
ids = []
ids.append(hsm_id)
else:
error = "[createHSMPool] failed to find hsm_id: %s" % (
unicode(hsm_id))
log.error(error)
raise HSMException(error, id=707)
for id in ids:
pool = self._getHsmPool_(id)
log.debug("[createHSMPool] already got this pool: %r" % pool)
if pool is None:
## get the number of entries from the hsd (id) config
conf = self.config.get(id)
amount = int(conf.get('poolsize', 10))
log.debug("[createHSMPool] creating pool for %r with size %r" %
(id, amount))
pool = []
for i in range(0, amount):
error = ''
hsm = None
try:
hsm = self.loadSecurityModule(id)
except Exception as e:
error = u"%r" % e
log.error("[createHSMPool] %r " % (e))
log.error("[createHSMPool] %s" %
traceback.format_exc())
pool.append({'obj': hsm, 'session': 0, 'error': error})
self.hsmpool[id] = pool
return pool
def getSecurityModule(self, hsm_id=None, sessionId=None):
found = None
if hsm_id is None:
hsm_id = self.activeOne
if sessionId is None:
sessionId = unicode(thread.get_ident())
if hsm_id not in self.config:
error = (
'[SecurityProvider:getSecurityModule] no config found for '
'hsm with id %s ' % (unicode(hsm_id)))
log.error(error)
raise HSMException(error, id=707)
retry = True
tries = 0
locked = False
while retry is True:
try:
pool = self._getHsmPool_(hsm_id)
self.rwLock.acquire_write()
locked = True
## find session
found = self._findHSM4Session(pool, sessionId)
if found is not None:
## if session is ok - return
self.rwLock.release()
locked = False
retry = False
log.debug(
"[getSecurityModule] using existing pool session %s" %
found)
return found.get('obj')
else:
## create new entry
log.debug("[getSecurityModule] getting new Session (%s) "
"from pool %s" % (sessionId, pool))
found = self._createHSM4Session(pool, sessionId)
self.rwLock.release()
locked = False
if found is None:
tries += 1
log.warning('try %d: could not bind hsm to session - '
'going to sleep for %r' %
(tries, 10 * tries))
time.sleep(10 * tries)
if tries >= self.max_retry:
error = ('[SecurityProvider:getSecurityModule] '
'max_retry %d: could not bind hsm to '
'session - going to sleep for %r' %
(tries, 10 * tries))
log.error(error)
raise Exception(error)
retry = True
else:
retry = False
finally:
if locked is True:
self.rwLock.release()
return found
def getSecurityModule(self, hsm_id=None, sessionId=None):
found = None
if hsm_id is None:
hsm_id = self.activeOne
if sessionId is None:
sessionId = str(_thread.get_ident())
if hsm_id not in self.config:
error = (
"[SecurityProvider:getSecurityModule] no config found for "
"hsm with id %r " % hsm_id)
log.error(error)
raise HSMException(error, id=707)
retry = True
tries = 0
locked = False
while retry is True:
try:
pool = self._getHsmPool_(hsm_id)
self.rwLock.acquire_write()
locked = True
# find session
found = self._findHSM4Session(pool, sessionId)
if found is not None:
# if session is ok - return
self.rwLock.release()
locked = False
retry = False
log.debug(
"[getSecurityModule] using existing pool session %s",
found,
)
return found
else:
# create new entry
log.debug(
"[getSecurityModule] getting new Session (%s) "
"from pool %s",
sessionId,
pool,
)
found = self._createHSM4Session(pool, sessionId)
self.rwLock.release()
locked = False
if found is None:
tries += 1
delay = 1 + int(0.2 * tries)
log.warning(
"try %d: could not bind hsm to session - "
"going to sleep for %r",
tries,
delay,
)
time.sleep(delay)
if tries >= self.max_retry:
error = ("[SecurityProvider:getSecurityModule] "
"%d retries: could not bind hsm to "
"session for %d seconds" % (tries, delay))
log.error(error)
raise Exception(error)
retry = True
else:
retry = False
finally:
if locked is True:
self.rwLock.release()
return found