def connection(self):
connection = PKIConnection(protocol=self.protocol,
hostname=self.hostname,
port=self.port)
connection.set_authentication_cert(self.cert)
client = CertClient(connection)
return client
def __init__(self, conf=CONF):
"""Constructor - create the keyclient"""
pem_path = conf.dogtag_crypto_plugin.pem_path
if pem_path is None:
raise ValueError(_("pem_path is required"))
pem_password = conf.dogtag_crypto_plugin.pem_password
if pem_password is None:
raise ValueError(_("pem_password is required"))
crypto = None
create_nss_db = False
nss_db_path = conf.dogtag_crypto_plugin.nss_db_path
if nss_db_path is not None:
nss_password = conf.dogtag_crypto_plugin.nss_password
if nss_password is None:
raise ValueError(_("nss_password is required"))
if not os.path.exists(nss_db_path):
create_nss_db = True
cryptoutil.NSSCryptoUtil.setup_database(
nss_db_path, nss_password, over_write=True)
crypto = cryptoutil.NSSCryptoUtil(nss_db_path, nss_password)
# set up connection
connection = PKIConnection('https',
conf.dogtag_crypto_plugin.drm_host,
conf.dogtag_crypto_plugin.drm_port,
'kra')
connection.set_authentication_cert(pem_path)
# what happened to the password?
# until we figure out how to pass the password to requests, we'll
# just use -nodes to create the admin cert pem file. Any required
# code will end up being in the DRM python client
#create kraclient
kraclient = KRAClient(connection, crypto)
self.keyclient = kraclient.keys
self.systemcert_client = kraclient.system_certs
if crypto is not None:
if create_nss_db:
# Get transport cert and insert in the certdb
transport_cert = self.systemcert_client.get_transport_cert()
tcert = transport_cert[
len(pki.CERT_HEADER):
len(transport_cert) - len(pki.CERT_FOOTER)]
crypto.import_cert(DogtagCryptoPlugin.TRANSPORT_NICK,
base64.decodestring(tcert), "u,u,u")
crypto.initialize()
self.keyclient.set_transport_cert(
DogtagCryptoPlugin.TRANSPORT_NICK)
def __init__(self, conf=CONF):
"""Constructor - create the keyclient."""
pem_path = conf.dogtag_crypto_plugin.pem_path
if pem_path is None:
raise ValueError(u._("pem_path is required"))
pem_password = conf.dogtag_crypto_plugin.pem_password
if pem_password is None:
raise ValueError(u._("pem_password is required"))
crypto = None
create_nss_db = False
nss_db_path = conf.dogtag_crypto_plugin.nss_db_path
if nss_db_path is not None:
nss_password = conf.dogtag_crypto_plugin.nss_password
if nss_password is None:
raise ValueError(u._("nss_password is required"))
if not os.path.exists(nss_db_path):
create_nss_db = True
cryptoutil.NSSCryptoUtil.setup_database(nss_db_path,
nss_password,
over_write=True)
crypto = cryptoutil.NSSCryptoUtil(nss_db_path, nss_password)
# set up connection
connection = PKIConnection('https', conf.dogtag_crypto_plugin.drm_host,
conf.dogtag_crypto_plugin.drm_port, 'kra')
connection.set_authentication_cert(pem_path)
# what happened to the password?
# until we figure out how to pass the password to requests, we'll
# just use -nodes to create the admin cert pem file. Any required
# code will end up being in the DRM python client
#create kraclient
kraclient = KRAClient(connection, crypto)
self.keyclient = kraclient.keys
self.systemcert_client = kraclient.system_certs
if crypto is not None:
if create_nss_db:
# Get transport cert and insert in the certdb
transport_cert = self.systemcert_client.get_transport_cert()
tcert = transport_cert[len(pki.CERT_HEADER
):len(transport_cert) -
len(pki.CERT_FOOTER)]
crypto.import_cert(DogtagCryptoPlugin.TRANSPORT_NICK,
base64.decodestring(tcert), "u,u,u")
crypto.initialize()
self.keyclient.set_transport_cert(
DogtagCryptoPlugin.TRANSPORT_NICK)
def run_test(protocol, hostname, port, client_cert, certdb_dir,
certdb_password):
""" test code execution """
# set up the connection to the DRM, including authentication credentials
connection = PKIConnection(protocol, hostname, port, 'kra')
connection.set_authentication_cert(client_cert)
# create kraclient
crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password)
kraclient = KRAClient(connection, crypto)
keyclient = kraclient.keys
# Get transport cert and insert in the certdb
transport_nick = "kra transport cert"
transport_cert = kraclient.system_certs.get_transport_cert()
print("Subject DN: " + transport_cert.subject_dn)
print(transport_cert.encoded)
crypto.import_cert(transport_nick, transport_cert)
# initialize the certdb for crypto operations
# for NSS db, this must be done after importing the transport cert
crypto.initialize()
# set transport cert into keyclient
keyclient.set_transport_cert(transport_nick)
# Test 2: Get key request info
print("Now getting key request")
try:
key_request = keyclient.get_request_info('2')
print_key_request(key_request)
except pki.RequestNotFoundException:
pass
# Test 3: List requests
print("Now listing some requests")
keyrequests = keyclient.list_requests('complete', 'securityDataRecovery')
print(keyrequests.key_requests)
for request in keyrequests.key_requests:
print_key_request(request)
# Test 4: generate symkey -- same as barbican_encode()
print("Now generating symkey on KRA")
client_key_id = "Vek #1" + time.strftime('%c')
algorithm = "AES"
key_size = 128
usages = [
key.SymKeyGenerationRequest.DECRYPT_USAGE,
key.SymKeyGenerationRequest.ENCRYPT_USAGE
]
response = keyclient.generate_symmetric_key(client_key_id,
algorithm=algorithm,
size=key_size,
usages=usages)
print_key_request(response.request_info)
print("Request ID is " + response.request_info.get_request_id())
key_id = response.get_key_id()
# Test 5: Confirm the key_id matches
print("Now getting key ID for clientKeyID=\"" + client_key_id + "\"")
key_infos = keyclient.list_keys(client_key_id=client_key_id,
status=keyclient.KEY_STATUS_ACTIVE)
key_id2 = None
for key_info in key_infos.key_infos:
print_key_info(key_info)
key_id2 = key_info.get_key_id()
if key_id == key_id2:
print("Success! The keys from generation and search match.")
else:
print("Failure - key_ids for generation do not match!")
# Test 6: Barbican_decode() - Retrieve while providing
# trans_wrapped_session_key
session_key = crypto.generate_session_key()
wrapped_session_key = crypto.asymmetric_wrap(session_key,
keyclient.transport_cert)
print("My key id is " + str(key_id))
key_data = keyclient.retrieve_key(
key_id, trans_wrapped_session_key=wrapped_session_key)
print_key_data(key_data)
unwrapped_key = crypto.symmetric_unwrap(key_data.encrypted_data,
session_key,
nonce_iv=key_data.nonce_data)
key1 = b64encode(unwrapped_key)
# Test 7: Recover key without providing trans_wrapped_session_key
key_data = keyclient.retrieve_key(key_id)
print_key_data(key_data)
key2 = b64encode(key_data.data)
# Test 8 - Confirm that keys returned are the same
if key1 == key2:
print("Success: The keys returned match! Key = " + str(key1))
else:
print("Failure: The returned keys do not match!")
print("key1: " + key1)
print("key2: " + key2)
# Test 10 = test BadRequestException on create()
print("Trying to generate a new symkey with the same client ID")
try:
keyclient.generate_symmetric_key(client_key_id,
algorithm=algorithm,
size=key_size,
usages=usages)
except pki.BadRequestException as exc:
print("BadRequestException thrown - Code:" + exc.code + " Message: " +
exc.message)
# Test 11 - Test RequestNotFoundException on get_request_info
print("Try to list a nonexistent request")
try:
keyclient.get_request_info('200000034')
except pki.RequestNotFoundException as exc:
print("RequestNotFoundException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 12 - Test exception on retrieve_key.
print("Try to retrieve an invalid key")
try:
keyclient.retrieve_key('2000003434')
except pki.KeyNotFoundException as exc:
print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " +
exc.message)
# Test 13 = getKeyInfo
print("Get key info for existing key")
key_info = keyclient.get_key_info(key_id)
print_key_info(key_info)
# Test 14: get the active key
print("Get the active key for client id: " + client_key_id)
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
# Test 15: change the key status
print("Change the key status")
keyclient.modify_key_status(key_id, keyclient.KEY_STATUS_INACTIVE)
print_key_info(keyclient.get_key_info(key_id))
# Test 16: Get key info for non-existent key
print("Get key info for non-existent key")
try:
keyclient.get_key_info('200004556')
except pki.KeyNotFoundException as exc:
print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " +
exc.message)
# Test 17: Get key info for non-existent active key
print("Get non-existent active key")
try:
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
except pki.ResourceNotFoundException as exc:
print("ResourceNotFoundException thrown - Code: " + exc.code +
"Message: " + exc.message)
# Test 18: Generate a symmetric key with default parameters
client_key_id = "Vek #3" + time.strftime('%c')
response = keyclient.generate_symmetric_key(client_key_id)
print_key_request(response.request_info)
# Test 19: Try to archive key
print("try to archive key")
print("key to archive: " + key1)
client_key_id = "Vek #4" + time.strftime('%c')
response = keyclient.archive_key(client_key_id,
keyclient.SYMMETRIC_KEY_TYPE,
b64decode(key1),
key_algorithm=keyclient.AES_ALGORITHM,
key_size=128)
print_key_request(response.request_info)
# Test 20: Lets get it back
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
key_data = keyclient.retrieve_key(key_info.get_key_id())
print_key_data(key_data)
key2 = b64encode(key_data.data)
if key1 == key2:
print("Success: archived and recovered keys match")
else:
print("Error: archived and recovered keys do not match")
print()
# Test 20: Generating asymmetric keys
print("Generating asymmetric keys")
try:
response = keyclient.generate_asymmetric_key("Vek #5" +
time.strftime('%c'),
algorithm="RSA",
key_size=1024,
usages=None)
print_key_request(response.request_info)
except pki.BadRequestException as exc:
print("BadRequestException thrown - Code:" + exc.code + " Message: " +
exc.message)
# Test 21: Get key information of the newly generated asymmetric keys
print("Retrieving key information")
key_info = keyclient.get_key_info(response.request_info.get_key_id())
print_key_info(key_info)
parser.add_argument("--number-of-clients", help="Number of thread", type=int)
parser.add_argument("--number-of-tests-per-client", help="Number of test per thread", type=int)
parser.add_argument("--ca-cert-path", help="path for CA signing certifcate")
log = logging.getLogger()
logging.basicConfig(stream=sys.stdout, level=logging.INFO)
args = parser.parse_args()
# Create a PKIConnection object that stores the details of the CA.
connection = PKIConnection('https', args.hostname, args.port, cert_paths=args.ca_cert_path)
# The pem file used for authentication. Created from a p12 file using the
# command -
# openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes
connection.set_authentication_cert(args.client_cert)
# Instantiate the CertClient
cert_client = CertClient(connection)
class cert_enroll(object):
"""
#This class will enroll the certificate.
"""
def __init__(self, sn_uid):
"""
Constructor
"""
# Enrolling an user certificate
def run_test(protocol, hostname, port, client_cert, certdb_dir,
certdb_password):
""" test code execution """
# set up the connection to the DRM, including authentication credentials
connection = PKIConnection(protocol, hostname, port, 'kra')
connection.set_authentication_cert(client_cert)
# create kraclient
crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password)
kraclient = KRAClient(connection, crypto)
keyclient = kraclient.keys
# Get transport cert and insert in the certdb
transport_nick = "kra transport cert"
transport_cert = kraclient.system_certs.get_transport_cert()
print("Subject DN: " + transport_cert.subject_dn)
print(transport_cert.encoded)
crypto.import_cert(transport_nick, transport_cert)
# initialize the certdb for crypto operations
# for NSS db, this must be done after importing the transport cert
crypto.initialize()
# set transport cert into keyclient
keyclient.set_transport_cert(transport_nick)
# Test 2: Get key request info
print("Now getting key request")
try:
key_request = keyclient.get_request_info('2')
print_key_request(key_request)
except pki.RequestNotFoundException:
pass
# Test 3: List requests
print("Now listing some requests")
keyrequests = keyclient.list_requests('complete', 'securityDataRecovery')
print(keyrequests.key_requests)
for request in keyrequests.key_requests:
print_key_request(request)
# Test 4: generate symkey -- same as barbican_encode()
print("Now generating symkey on KRA")
client_key_id = "Vek #1" + time.strftime('%c')
algorithm = "AES"
key_size = 128
usages = [key.SymKeyGenerationRequest.DECRYPT_USAGE,
key.SymKeyGenerationRequest.ENCRYPT_USAGE]
response = keyclient.generate_symmetric_key(client_key_id,
algorithm=algorithm,
size=key_size,
usages=usages)
print_key_request(response.request_info)
print("Request ID is " + response.request_info.get_request_id())
key_id = response.get_key_id()
# Test 5: Confirm the key_id matches
print("Now getting key ID for clientKeyID=\"" + client_key_id + "\"")
key_infos = keyclient.list_keys(client_key_id=client_key_id,
status=keyclient.KEY_STATUS_ACTIVE)
key_id2 = None
for key_info in key_infos.key_infos:
print_key_info(key_info)
key_id2 = key_info.get_key_id()
if key_id == key_id2:
print("Success! The keys from generation and search match.")
else:
print("Failure - key_ids for generation do not match!")
# Test 6: Barbican_decode() - Retrieve while providing
# trans_wrapped_session_key
session_key = crypto.generate_session_key()
wrapped_session_key = crypto.asymmetric_wrap(session_key,
keyclient.transport_cert)
print("My key id is " + str(key_id))
key_data = keyclient.retrieve_key(
key_id, trans_wrapped_session_key=wrapped_session_key)
print_key_data(key_data)
unwrapped_key = crypto.symmetric_unwrap(key_data.encrypted_data,
session_key,
nonce_iv=key_data.nonce_data)
key1 = b64encode(unwrapped_key)
# Test 7: Recover key without providing trans_wrapped_session_key
key_data = keyclient.retrieve_key(key_id)
print_key_data(key_data)
key2 = b64encode(key_data.data)
# Test 8 - Confirm that keys returned are the same
if key1 == key2:
print("Success: The keys returned match! Key = " + str(key1))
else:
print("Failure: The returned keys do not match!")
print("key1: " + key1)
print("key2: " + key2)
# Test 10 = test BadRequestException on create()
print("Trying to generate a new symkey with the same client ID")
try:
keyclient.generate_symmetric_key(client_key_id,
algorithm=algorithm,
size=key_size,
usages=usages)
except pki.BadRequestException as exc:
print("BadRequestException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 11 - Test RequestNotFoundException on get_request_info
print("Try to list a nonexistent request")
try:
keyclient.get_request_info('200000034')
except pki.RequestNotFoundException as exc:
print("RequestNotFoundException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 12 - Test exception on retrieve_key.
print("Try to retrieve an invalid key")
try:
keyclient.retrieve_key('2000003434')
except pki.KeyNotFoundException as exc:
print("KeyNotFoundException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 13 = getKeyInfo
print("Get key info for existing key")
key_info = keyclient.get_key_info(key_id)
print_key_info(key_info)
# Test 14: get the active key
print("Get the active key for client id: " + client_key_id)
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
# Test 15: change the key status
print("Change the key status")
keyclient.modify_key_status(key_id, keyclient.KEY_STATUS_INACTIVE)
print_key_info(keyclient.get_key_info(key_id))
# Test 16: Get key info for non-existent key
print("Get key info for non-existent key")
try:
keyclient.get_key_info('200004556')
except pki.KeyNotFoundException as exc:
print("KeyNotFoundException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 17: Get key info for non-existent active key
print("Get non-existent active key")
try:
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
except pki.ResourceNotFoundException as exc:
print("ResourceNotFoundException thrown - Code: " + exc.code +
"Message: " + exc.message)
# Test 18: Generate a symmetric key with default parameters
client_key_id = "Vek #3" + time.strftime('%c')
response = keyclient.generate_symmetric_key(client_key_id)
print_key_request(response.request_info)
# Test 19: Try to archive key
print("try to archive key")
print("key to archive: " + key1)
client_key_id = "Vek #4" + time.strftime('%c')
response = keyclient.archive_key(client_key_id,
keyclient.SYMMETRIC_KEY_TYPE,
b64decode(key1),
key_algorithm=keyclient.AES_ALGORITHM,
key_size=128)
print_key_request(response.request_info)
# Test 20: Lets get it back
key_info = keyclient.get_active_key_info(client_key_id)
print_key_info(key_info)
key_data = keyclient.retrieve_key(key_info.get_key_id())
print_key_data(key_data)
key2 = b64encode(key_data.data)
if key1 == key2:
print("Success: archived and recovered keys match")
else:
print("Error: archived and recovered keys do not match")
print()
# Test 20: Generating asymmetric keys
print("Generating asymmetric keys")
try:
response = keyclient.generate_asymmetric_key(
"Vek #5" + time.strftime('%c'),
algorithm="RSA",
key_size=1024,
usages=None
)
print_key_request(response.request_info)
except pki.BadRequestException as exc:
print("BadRequestException thrown - Code:" + exc.code +
" Message: " + exc.message)
# Test 21: Get key information of the newly generated asymmetric keys
print("Retrieving key information")
key_info = keyclient.get_key_info(response.request_info.get_key_id())
print_key_info(key_info)
