def dropSecurityModule(self, hsm_id=None, sessionId=None): found = None if hsm_id is None: hsm_id = self.activeOne if sessionId is None: sessionId = str(_thread.get_ident()) if hsm_id not in self.config: error = ('[SecurityProvider:dropSecurityModule] no config found ' 'for hsm with id %r ' % hsm_id) log.error(error) raise HSMException(error, id=707) return None # find session try: pool = self._getHsmPool_(hsm_id) self.rwLock.acquire_write() found = self._findHSM4Session(pool, sessionId) if found is None: log.info( '[SecurityProvider:dropSecurityModule] could not bind ' 'hsm to session %r ' % hsm_id) else: self._freeHSMSession(pool, sessionId) finally: self.rwLock.release() return True
def load_config(self, config): ''' load the security modules configuration ''' try: ## load backward compatible defaults self. __createDefault__(config) for key in config: ## lookup, which is the active security module if key == 'linotpActiveSecurityModule': self.activeOne = config.get(key) log.debug("[SecurityProvider:load_config] setting active security module: %s" % self.activeOne) if key.startswith('linotpSecurity'): entry = key.replace('linotpSecurity.', '') try: (id, val) = entry.split('.') except Exception as e: error = ('[SecurityProvider:load_config] failed to ' 'identify config entry: %s ' % (unicode(key))) log.exception(error) raise HSMException(error, id=707) if self.config.has_key(id): id_config = self.config.get(id) id_config[val] = config.get(key) else: self.config[id] = {val:config.get(key) } except Exception as e: log.exception("[load_config] failed to identify module: %r " % e) error = "failed to identify module: %s " % unicode(e) raise HSMException(error, id=707) ## now create for each module a pool of hsm objects self.rwLock.acquire_write() try: for id in self.config: self.createHSMPool(id) finally: self.rwLock.release() return
def hmac_digest(bkey, data_input, hsm=None, hash_algo=None): if hsm: hsm_obj = hsm.get('obj') else: if hasattr(c, 'hsm') is False or isinstance(c.hsm, dict) is False: raise HSMException('no hsm defined in execution context!') hsm_obj = c.hsm.get('obj') if hsm_obj is None or hsm_obj.isReady() is False: raise HSMException('hsm not ready!') if hash_algo is None: hash_algo = get_hashalgo_from_description('sha1') h = hsm_obj.hmac_digest(bkey, data_input, hash_algo) return h
def hash_digest(val, seed, algo=None, hsm=None): if hsm: hsm_obj = hsm.get('obj') else: if hasattr(c, 'hsm') is False or isinstance(c.hsm, dict) is False: raise HSMException('no hsm defined in execution context!') hsm_obj = c.hsm.get('obj') if hsm_obj is None or hsm_obj.isReady() is False: raise HSMException('hsm not ready!') if algo is None: algo = get_hashalgo_from_description('sha256') h = hsm_obj.hash_digest(val.encode('utf-8'), seed, algo) return h
def _get_hsm_obj_from_context(hsm=None): """Get the hsm from LinOTP request context If no hsm parameter is given, we get the hsm from the LinOTP request context (var context) which was extended some time ago. :param hsm: hsm security object instance :return: return the hsm object :rtype: """ if hsm: hsm_obj = hsm.get('obj') else: hsm_obj = context.get('hsm', {}).get('obj') if not hsm_obj: raise HSMException('no hsm defined in execution context!') if hsm_obj.isReady() is False: raise HSMException('hsm not ready!') return hsm_obj
def decrypt(input, iv, id=0): ''' decrypt a variable from the given input with an initialiation vector :param input: buffer, which contains the crypted value :type input: buffer of bytes :param iv: initilaitation vector :type iv: buffer (20 bytes random) :param id: contains the id of which key of the keyset should be used :type id: int :return: decryted buffer ''' log.debug('decrypt()') if hasattr(c, 'hsm') == False or isinstance(c.hsm, dict) == False: raise HSMException('no hsm defined in execution context!') hsm = c.hsm.get('obj') if hsm is None or hsm.isReady() == False: raise HSMException('hsm not ready!') ret = hsm.decrypt(input, iv, id) return ret
def createHSMPool(self, hsm_id=None, *args, **kw): """ setup a pool of security providers """ pool = None # amount has to be taken from the hsm-id config if hsm_id is None: provider_ids = self.config else: if hsm_id in self.config: provider_ids = [] provider_ids.append(hsm_id) else: error = "[createHSMPool] failed to find hsm_id: %r" % hsm_id log.error(error) raise HSMException(error, id=707) for provider_id in provider_ids: pool = self._getHsmPool_(provider_id) log.debug("[createHSMPool] already got this pool: %r", pool) if pool is None: # get the number of entries from the hsd (id) config conf = self.config.get(provider_id) poolsize = int(conf.get("poolsize", 10)) log.debug( "[createHSMPool] creating pool for %r with size %r", provider_id, poolsize, ) pool = [] for _i in range(0, poolsize): error = "" hsm = None try: hsm = self.loadSecurityModule(provider_id) except FatalHSMException as exx: log.error("[createHSMPool] %r %r ", provider_id, exx) if provider_id == self.activeOne: raise exx error = "%r: %r" % (provider_id, exx) except Exception as exx: log.error("[createHSMPool] %r ", exx) error = "%r: %r" % (provider_id, exx) pool.append({"obj": hsm, "session": 0, "error": error}) self.hsmpool[provider_id] = pool return pool
def geturandom(len=20): ''' get random - from the security module :param len: len of the returned bytes - defalt is 20 bytes :tyrpe len: int :return: buffer of bytes ''' if hasattr(c, 'hsm') is False: ret = os.urandom(len) return ret if isinstance(c.hsm, dict) is False: raise HSMException('hsm not found!') hsm = c.hsm.get('obj') if hsm is None or hsm.isReady() is False: raise HSMException('hsm not ready!') ret = hsm.random(len) return ret
def load_config(self, config): """ load the security modules configuration """ try: security_provider = config.get("ACTIVE_SECURITY_MODULE", "default") # self.active one is legacy.. therefore we set it here self.activeOne = security_provider log.debug( "[SecurityProvider:load_config] setting active" " security module: %s", self.activeOne, ) # add active provider config to self.config with the active # provider as key and the config dict as value if self.activeOne == "default": default_security_provider_config = config.get( "HSM_DEFAULT_CONFIG") keyFile = config["SECRET_FILE"] default_security_provider_config["file"] = keyFile security_provider_config = { "default": default_security_provider_config } self.config.update(security_provider_config) if self.activeOne == "pkcs11": security_provider_config = { "pkcs11": config.get("HSM_PKCS11_CONFIG") } self.config.update(security_provider_config) except Exception as e: log.error("[load_config] failed to identify module") error = "failed to identify module: %r " % e raise HSMException(error, id=707) # now create a pool of hsm objects for each module self.rwLock.acquire_write() try: for id in self.config: self.createHSMPool(id) finally: self.rwLock.release() return
def load_config(self, config): ''' load the security modules configuration ''' try: security_provider = config.get('ACTIVE_SECURITY_MODULE', 'default') self.activeOne = security_provider # self.active one is legacy.. therefore we set it here log.debug( "[SecurityProvider:load_config] setting active" " security module: %s", self.activeOne) # add active provider config to self.config with the active # provider as key and the config dict as value if self.activeOne == 'default': default_security_provider_config = config.get( 'HSM_DEFAULT_CONFIG') keyFile = config['SECRET_FILE'] default_security_provider_config['file'] = keyFile security_provider_config = { 'default': default_security_provider_config } self.config.update(security_provider_config) if self.activeOne == 'pkcs11': security_provider_config = { 'pkcs11': config.get('HSM_PKCS11_CONFIG') } self.config.update(security_provider_config) except Exception as e: log.exception("[load_config] failed to identify module") error = "failed to identify module: %r " % e raise HSMException(error, id=707) # now create a pool of hsm objects for each module self.rwLock.acquire_write() try: for id in self.config: self.createHSMPool(id) finally: self.rwLock.release() return
def createHSMPool(self, hsm_id=None, *args, **kw): ''' setup a pool of secutity provider ''' pool = None ## amount has to be taken from the hsm-id config if hsm_id == None: ids = self.config else: if self.config.has_key(hsm_id): ids = [] ids.append(hsm_id) else: error = "[createHSMPool] failed to find hsm_id: %s" % ( unicode(hsm_id)) log.error(error) raise HSMException(error, id=707) for id in ids: pool = self._getHsmPool_(id) log.debug("[createHSMPool] already got this pool: %r" % pool) if pool is None: ## get the number of entries from the hsd (id) config conf = self.config.get(id) amount = int(conf.get('poolsize', 10)) log.debug("[createHSMPool] creating pool for %r with size %r" % (id, amount)) pool = [] for i in range(0, amount): error = '' hsm = None try: hsm = self.loadSecurityModule(id) except Exception as e: error = u"%r" % e log.error("[createHSMPool] %r " % (e)) log.error("[createHSMPool] %s" % traceback.format_exc()) pool.append({'obj': hsm, 'session': 0, 'error': error}) self.hsmpool[id] = pool return pool
def getSecurityModule(self, hsm_id=None, sessionId=None): found = None if hsm_id is None: hsm_id = self.activeOne if sessionId is None: sessionId = unicode(thread.get_ident()) if hsm_id not in self.config: error = ( '[SecurityProvider:getSecurityModule] no config found for ' 'hsm with id %s ' % (unicode(hsm_id))) log.error(error) raise HSMException(error, id=707) retry = True tries = 0 locked = False while retry is True: try: pool = self._getHsmPool_(hsm_id) self.rwLock.acquire_write() locked = True ## find session found = self._findHSM4Session(pool, sessionId) if found is not None: ## if session is ok - return self.rwLock.release() locked = False retry = False log.debug( "[getSecurityModule] using existing pool session %s" % found) return found.get('obj') else: ## create new entry log.debug("[getSecurityModule] getting new Session (%s) " "from pool %s" % (sessionId, pool)) found = self._createHSM4Session(pool, sessionId) self.rwLock.release() locked = False if found is None: tries += 1 log.warning('try %d: could not bind hsm to session - ' 'going to sleep for %r' % (tries, 10 * tries)) time.sleep(10 * tries) if tries >= self.max_retry: error = ('[SecurityProvider:getSecurityModule] ' 'max_retry %d: could not bind hsm to ' 'session - going to sleep for %r' % (tries, 10 * tries)) log.error(error) raise Exception(error) retry = True else: retry = False finally: if locked is True: self.rwLock.release() return found
def getSecurityModule(self, hsm_id=None, sessionId=None): found = None if hsm_id is None: hsm_id = self.activeOne if sessionId is None: sessionId = str(_thread.get_ident()) if hsm_id not in self.config: error = ( "[SecurityProvider:getSecurityModule] no config found for " "hsm with id %r " % hsm_id) log.error(error) raise HSMException(error, id=707) retry = True tries = 0 locked = False while retry is True: try: pool = self._getHsmPool_(hsm_id) self.rwLock.acquire_write() locked = True # find session found = self._findHSM4Session(pool, sessionId) if found is not None: # if session is ok - return self.rwLock.release() locked = False retry = False log.debug( "[getSecurityModule] using existing pool session %s", found, ) return found else: # create new entry log.debug( "[getSecurityModule] getting new Session (%s) " "from pool %s", sessionId, pool, ) found = self._createHSM4Session(pool, sessionId) self.rwLock.release() locked = False if found is None: tries += 1 delay = 1 + int(0.2 * tries) log.warning( "try %d: could not bind hsm to session - " "going to sleep for %r", tries, delay, ) time.sleep(delay) if tries >= self.max_retry: error = ("[SecurityProvider:getSecurityModule] " "%d retries: could not bind hsm to " "session for %d seconds" % (tries, delay)) log.error(error) raise Exception(error) retry = True else: retry = False finally: if locked is True: self.rwLock.release() return found