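def build_key(logger, object_type, key_format_type):
    """Build a KMIP managed object of ``object_type`` around a freshly built key block.

    The secret value, cryptographic algorithm and cryptographic length are
    obtained from the sibling ``build_*`` helpers (each given ``logger`` and
    ``object_type``) and assembled into a key block, which is then wrapped in
    the object class matching ``object_type``.

    :param logger: logger used by the helpers and for the error message below
    :param object_type: ObjectType selecting the class of the returned object
    :param key_format_type: key format type passed through to build_key_block
    :returns: SymmetricKey, PublicKey, PrivateKey or SecretData
    """
    key_value = build_secret_value(logger, object_type)
    cryptographic_algorithm = build_cryptographic_algorithm(logger, object_type)
    cryptographic_length = build_cryptographic_length(logger, object_type)
    key_block = build_key_block(
        key_format_type, key_value, cryptographic_algorithm,
        cryptographic_length)

    if object_type == ObjectType.SYMMETRIC_KEY:
        return SymmetricKey(key_block)
    if object_type == ObjectType.PUBLIC_KEY:
        return PublicKey(key_block)
    if object_type == ObjectType.PRIVATE_KEY:
        return PrivateKey(key_block)
    if object_type == ObjectType.SECRET_DATA:
        # Secret data is always tagged as a PASSWORD here; no other
        # SecretDataType is supported by this builder.
        kind = SecretData.SecretDataType(SecretDataType.PASSWORD)
        return SecretData(secret_data_type=kind, key_block=key_block)

    logger.error("Unrecognized object type, could not build key")
    # Exit with a non-zero status so a calling shell or script sees the
    # failure; a bare sys.exit() after logging an error reports success.
    sys.exit(1)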
def _get_kmip_secret(self, secret_dto):
    """Convert a Barbican SecretDTO into the KMIP object to register.

    Register calls send a KMIP managed object, so the DTO's secret type is
    mapped to a KMIP object type and key format type, and the secret bytes
    are normalized before being wrapped in the matching KMIP class.

    :param secret_dto: SecretDTO of the secret to be stored
    :returns: the KMIP object, or None when the mapped object type is not
              one of Certificate, OpaqueData, SymmetricKey, SecretData,
              PrivateKey or PublicKey
    """
    secret_type = secret_dto.type
    object_type, key_format_type = self._map_type_ss_to_kmip(secret_type)
    normalized_secret = self._normalize_secret(secret_dto.secret, secret_type)

    if object_type == enums.ObjectType.CERTIFICATE:
        return Certificate(
            certificate_type=enums.CertificateTypeEnum.X_509,
            certificate_value=normalized_secret)

    if object_type == enums.ObjectType.OPAQUE_DATA:
        return Opaque(
            Opaque.OpaqueDataType(enums.OpaqueDataType.NONE),
            Opaque.OpaqueDataValue(normalized_secret))

    key_object_types = (
        enums.ObjectType.SYMMETRIC_KEY,
        enums.ObjectType.SECRET_DATA,
        enums.ObjectType.PRIVATE_KEY,
        enums.ObjectType.PUBLIC_KEY,
    )
    if object_type not in key_object_types:
        return None

    # Algorithm and bit length are optional on the key spec; each is only
    # recorded in the key block when the DTO provides it.
    key_spec = secret_dto.key_spec
    algorithm = None
    if key_spec.alg is not None:
        algorithm = CryptographicAlgorithm(
            self._map_algorithm_ss_to_kmip(key_spec.alg.lower()))
    bit_length = None
    if key_spec.bit_length is not None:
        bit_length = CryptographicLength(key_spec.bit_length)

    key_block = KeyBlock(
        key_format_type=misc.KeyFormatType(key_format_type),
        key_compression_type=None,
        key_value=KeyValue(KeyMaterial(normalized_secret)),
        cryptographic_algorithm=algorithm,
        cryptographic_length=bit_length,
        key_wrapping_data=None)

    if object_type == enums.ObjectType.SECRET_DATA:
        # Secret data is always tagged as a PASSWORD by this store.
        kind = SecretData.SecretDataType(enums.SecretDataType.PASSWORD)
        return SecretData(secret_data_type=kind, key_block=key_block)

    key_classes = {
        enums.ObjectType.SYMMETRIC_KEY: SymmetricKey,
        enums.ObjectType.PRIVATE_KEY: PrivateKey,
        enums.ObjectType.PUBLIC_KEY: PublicKey,
    }
    return key_classes[object_type](key_block)
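def _gen_symmetric_key(self, bit_length, crypto_alg):
    """Generate a random symmetric key of ``bit_length`` bits.

    The key material is drawn from ``os.urandom`` (the OS CSPRNG) and wrapped
    in a RAW-format KeyBlock that records ``crypto_alg`` and the declared
    length.

    :param bit_length: key length in bits; must be a positive multiple of 8
    :param crypto_alg: CryptographicAlgorithm stored in the key block
    :returns: SymmetricKey
    :raises ValueError: if ``bit_length`` is not a positive multiple of 8.
        Truncating to whole bytes would otherwise yield key material
        shorter than the CryptographicLength recorded alongside it.
    """
    if bit_length <= 0 or bit_length % 8:
        raise ValueError(
            'bit_length must be a positive multiple of 8, got %r'
            % (bit_length,))
    key_format_type = KeyFormatType(KeyFormatTypeEnum.RAW)
    key_material = KeyMaterial(os.urandom(int(bit_length // 8)))
    key_value = KeyValue(key_material)
    crypto_length = CryptographicLength(bit_length)
    # Positional KeyBlock arguments: format, compression (none), value,
    # algorithm, length, wrapping data (none).
    key_block = KeyBlock(key_format_type, None, key_value, crypto_alg,
                         crypto_length, None)
    return SymmetricKey(key_block)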
def _get_symmetric_key(self):
    """Build a SymmetricKey from this object's key, algorithm, length and usage mask.

    Only the usage attribute (the second entry of ``self._get_attrs()``) is
    attached to the KeyValue.
    """
    usage_attrs = [self._get_attrs()[1]]
    key_value = KeyValue(KeyMaterial(self.key), usage_attrs)
    raw_format = KeyFormatType(KeyFormatTypeEnum.RAW)
    algorithm = CryptographicAlgorithm(self.algorithm_name)
    length = CryptographicLength(self.key_length)
    usage = CryptographicUsageMask(self.usage_mask)
    # NOTE(review): the usage mask is passed as KeyBlock's sixth positional
    # argument; the keyword-based KeyBlock calls in this file use that slot
    # for key_wrapping_data. Confirm this is intended.
    block = KeyBlock(raw_format, None, key_value, algorithm, length, usage)
    return SymmetricKey(block)
def test_symmetric_key_register_get_destroy(self):
    """
    Tests that symmetric keys are properly registered, retrieved, and
    destroyed.
    """
    object_type = ObjectType.SYMMETRIC_KEY
    algorithm_value = CryptoAlgorithmEnum.AES

    # Usage mask attribute: the key may both encrypt and decrypt.
    usage_mask = self.attr_factory.create_attribute(
        AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
        [CryptographicUsageMask.ENCRYPT, CryptographicUsageMask.DECRYPT])

    # Name attribute identifying the key for this test.
    key_name = 'Integration Test - Register-Get-Destroy Key'
    name_attribute = Attribute(
        attribute_name=Attribute.AttributeName('Name'),
        attribute_value=Name(
            name_value=Name.NameValue(key_name),
            name_type=Name.NameType(NameType.UNINTERPRETED_TEXT_STRING)))

    template_attribute = TemplateAttribute(
        attributes=[usage_mask, name_attribute])

    # 16 zero bytes: a fixed 128-bit test vector, not a real key.
    key_data = b'\x00' * 16
    key_block = KeyBlock(
        key_format_type=KeyFormatType(KeyFormatTypeEnum.RAW),
        key_compression_type=None,
        key_value=KeyValue(KeyMaterial(key_data)),
        cryptographic_algorithm=CryptographicAlgorithm(algorithm_value),
        cryptographic_length=CryptographicLength(128),
        key_wrapping_data=None)
    secret = SymmetricKey(key_block)

    # Register the key.
    result = self.client.register(
        object_type, template_attribute, secret, credential=None)
    self._check_result_status(result, ResultStatus, ResultStatus.SUCCESS)
    self._check_uuid(result.uuid.value, str)
    uuid = result.uuid.value

    # Retrieve it and check that the returned key bytes match what was
    # provided.
    result = self.client.get(uuid=uuid, credential=None)
    self._check_result_status(result, ResultStatus, ResultStatus.SUCCESS)
    self._check_object_type(
        result.object_type.value, ObjectType, ObjectType.SYMMETRIC_KEY)
    self._check_uuid(result.uuid.value, str)
    self.assertIsInstance(result.secret, SymmetricKey)
    observed = result.secret.key_block.key_value.key_material.value
    self.assertEqual(key_data, observed)

    # Destroy the key.
    self.logger.debug('Destroying key: ' + key_name + '\nWith UUID: ' +
                      result.uuid.value)
    result = self.client.destroy(result.uuid.value)
    self._check_result_status(result, ResultStatus, ResultStatus.SUCCESS)
    self._check_uuid(result.uuid.value, str)

    # A subsequent get must fail with ITEM_NOT_FOUND.
    result = self.client.get(uuid=uuid, credential=None)
    self._check_result_status(
        result, ResultStatus, ResultStatus.OPERATION_FAILED)
    self.assertEqual(ResultReason, type(result.result_reason.value))
    self.assertEqual(ResultReason.ITEM_NOT_FOUND, result.result_reason.value)
def _create_symmetric_key(self, value):
    """Return a SymmetricKey for ``value``, or an empty SymmetricKey when it is None.

    A non-None value is first turned into a key block by
    ``self._build_key_block``.
    """
    if value is None:
        return SymmetricKey()
    return SymmetricKey(self._build_key_block(value))
def test_register(self):
    """Register a 128-bit AES key, then get it back and compare the key bytes."""
    # Placeholder credential values; the test does not use real secrets.
    credential = self.cred_factory.create_credential(
        CredentialType.USERNAME_AND_PASSWORD,
        {'Username': '******', 'Password': '******'})

    object_type = ObjectType.SYMMETRIC_KEY
    algorithm_value = CryptoAlgorithmEnum.AES
    usage_mask = self.attr_factory.create_attribute(
        AttributeType.CRYPTOGRAPHIC_USAGE_MASK,
        [CryptographicUsageMask.ENCRYPT, CryptographicUsageMask.DECRYPT])
    template_attribute = TemplateAttribute(attributes=[usage_mask])

    # 16 zero bytes: a fixed 128-bit test vector, not a real key.
    key_data = b'\x00' * 16
    key_block = KeyBlock(
        key_format_type=KeyFormatType(KeyFormatTypeEnum.RAW),
        key_compression_type=None,
        key_value=KeyValue(KeyMaterial(key_data)),
        cryptographic_algorithm=CryptographicAlgorithm(algorithm_value),
        cryptographic_length=CryptographicLength(128),
        key_wrapping_data=None)
    secret = SymmetricKey(key_block)

    result = self.client.register(
        object_type, template_attribute, secret, credential)
    self._check_result_status(
        result.result_status.value, ResultStatus, ResultStatus.SUCCESS)
    self._check_uuid(result.uuid.value, str)

    # Exactly one 'Unique Identifier' attribute is expected back.
    self._check_template_attribute(
        result.template_attribute, TemplateAttribute, 1,
        [[str, 'Unique Identifier', str, None]])

    # Get the key back and check that the returned bytes match what was
    # provided.
    uuid = result.uuid.value
    result = self.client.get(uuid=uuid, credential=credential)
    self._check_result_status(
        result.result_status.value, ResultStatus, ResultStatus.SUCCESS)
    self._check_object_type(
        result.object_type.value, ObjectType, ObjectType.SYMMETRIC_KEY)
    self._check_uuid(result.uuid.value, str)

    secret = result.secret
    message = utils.build_er_error(
        result.__class__, 'type', SymmetricKey, secret, 'secret')
    self.assertIsInstance(secret, SymmetricKey, message)

    key_material = result.secret.key_block.key_value.key_material
    observed = key_material.value
    message = utils.build_er_error(
        key_material.__class__, 'value', key_data, observed, 'value')
    self.assertEqual(key_data, observed, message)