def test_store_asymmetric_key_secret_assert_called(self, barbican_type,
barbican_key, kmip_type,
kmip_key, pkcs1_only):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048)
secret_value = base64.b64encode(barbican_key)
secret_dto = secret_store.SecretDTO(barbican_type, secret_value,
key_spec, 'content_type')
self.secret_store.pkcs1_only = pkcs1_only
self.secret_store.store_secret(secret_dto)
secret_value = base64.b64decode(secret_value)
if not pkcs1_only:
secret_value = translations.convert_pem_to_der(
secret_value, barbican_type)
if kmip_type == enums.ObjectType.PUBLIC_KEY:
if pkcs1_only:
secret_value = kss.get_public_key_der_pkcs1(secret_value)
secret = objects.PublicKey(enums.CryptographicAlgorithm.RSA, 2048,
secret_value, enums.KeyFormatType.X_509)
else:
if pkcs1_only:
secret_value = kss.get_private_key_der_pkcs1(secret_value)
secret = objects.PrivateKey(enums.CryptographicAlgorithm.RSA, 2048,
secret_value,
enums.KeyFormatType.PKCS_8)
self.secret_store.client.register.assert_called_once_with(secret)
def get_sample_public_key(pkcs1=False):
if pkcs1:
public_key_value = kss.get_public_key_der_pkcs1(
keys.get_public_key_pem())
key_format_type = enums.KeyFormatType.PKCS_1
else:
public_key_value = keys.get_public_key_der()
key_format_type = enums.KeyFormatType.X_509
return objects.PublicKey(enums.CryptographicAlgorithm.RSA, 2048,
public_key_value, key_format_type)
def test_convert_public_key_pie_to_core(self):
"""
Test that a Pie public key can be converted into a core public key.
"""
pie_key = pobjects.PublicKey(enums.CryptographicAlgorithm.RSA, 2048,
self.public_bytes,
enums.KeyFormatType.PKCS_1)
core_key = self.factory.convert(pie_key)
self.assertIsInstance(core_key, secrets.PublicKey)
self._test_core_key(core_key, enums.CryptographicAlgorithm.RSA, 2048,
self.public_bytes, enums.KeyFormatType.PKCS_1)
def _get_kmip_secret(self, secret_dto):
"""Builds a KMIP object from a SecretDTO
This is needed for register calls. The Barbican object needs to be
converted to KMIP object before it can be stored
:param secret_dto: SecretDTO of secret to be stored
:returns: KMIP object
"""
secret_type = secret_dto.type
key_spec = secret_dto.key_spec
object_type, key_format_type = (
self._map_type_ss_to_kmip(secret_type))
normalized_secret = self._normalize_secret(secret_dto.secret,
secret_type)
kmip_object = None
if object_type == enums.ObjectType.CERTIFICATE:
kmip_object = objects.X509Certificate(normalized_secret)
elif object_type == enums.ObjectType.OPAQUE_DATA:
opaque_type = enums.OpaqueDataType.NONE
kmip_object = objects.OpaqueObject(normalized_secret,
opaque_type)
elif object_type == enums.ObjectType.PRIVATE_KEY:
algorithm = self._get_kmip_algorithm(key_spec.alg)
length = key_spec.bit_length
format_type = enums.KeyFormatType.PKCS_8
kmip_object = objects.PrivateKey(
algorithm, length, normalized_secret, format_type)
elif object_type == enums.ObjectType.PUBLIC_KEY:
algorithm = self._get_kmip_algorithm(key_spec.alg)
length = key_spec.bit_length
format_type = enums.KeyFormatType.X_509
kmip_object = objects.PublicKey(
algorithm, length, normalized_secret, format_type)
elif object_type == enums.ObjectType.SYMMETRIC_KEY:
algorithm = self._get_kmip_algorithm(key_spec.alg)
length = key_spec.bit_length
kmip_object = objects.SymmetricKey(algorithm, length,
normalized_secret)
elif object_type == enums.ObjectType.SECRET_DATA:
data_type = enums.SecretDataType.PASSWORD
kmip_object = objects.SecretData(normalized_secret, data_type)
return kmip_object
def test_public_key_register_get_destroy(self):
"""
Test that the ProxyKmipClient can register, retrieve, and destroy a
public key.
"""
# Key encoding obtained from Section 13.4 of the KMIP 1.1 test
# documentation.
key = objects.PublicKey(
enums.CryptographicAlgorithm.RSA,
2048,
(b'\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\x7F\x16\x1C\x00\x42'
b'\x49\x6C\xCD\x6C\x6D\x4D\xAD\xB9\x19\x97\x34\x35\x35\x77\x76'
b'\x00\x3A\xCF\x54\xB7\xAF\x1E\x44\x0A\xFB\x80\xB6\x4A\x87\x55'
b'\xF8\x00\x2C\xFE\xBA\x6B\x18\x45\x40\xA2\xD6\x60\x86\xD7\x46'
b'\x48\x34\x6D\x75\xB8\xD7\x18\x12\xB2\x05\x38\x7C\x0F\x65\x83'
b'\xBC\x4D\x7D\xC7\xEC\x11\x4F\x3B\x17\x6B\x79\x57\xC4\x22\xE7'
b'\xD0\x3F\xC6\x26\x7F\xA2\xA6\xF8\x9B\x9B\xEE\x9E\x60\xA1\xD7'
b'\xC2\xD8\x33\xE5\xA5\xF4\xBB\x0B\x14\x34\xF4\xE7\x95\xA4\x11'
b'\x00\xF8\xAA\x21\x49\x00\xDF\x8B\x65\x08\x9F\x98\x13\x5B\x1C'
b'\x67\xB7\x01\x67\x5A\xBD\xBC\x7D\x57\x21\xAA\xC9\xD1\x4A\x7F'
b'\x08\x1F\xCE\xC8\x0B\x64\xE8\xA0\xEC\xC8\x29\x53\x53\xC7\x95'
b'\x32\x8A\xBF\x70\xE1\xB4\x2E\x7B\xB8\xB7\xF4\xE8\xAC\x8C\x81'
b'\x0C\xDB\x66\xE3\xD2\x11\x26\xEB\xA8\xDA\x7D\x0C\xA3\x41\x42'
b'\xCB\x76\xF9\x1F\x01\x3D\xA8\x09\xE9\xC1\xB7\xAE\x64\xC5\x41'
b'\x30\xFB\xC2\x1D\x80\xE9\xC2\xCB\x06\xC5\xC8\xD7\xCC\xE8\x94'
b'\x6A\x9A\xC9\x9B\x1C\x28\x15\xC3\x61\x2A\x29\xA8\x2D\x73\xA1'
b'\xF9\x93\x74\xFE\x30\xE5\x49\x51\x66\x2A\x6E\xDA\x29\xC6\xFC'
b'\x41\x13\x35\xD5\xDC\x74\x26\xB0\xF6\x05\x02\x03\x01\x00\x01'),
enums.KeyFormatType.PKCS_1)
uid = self.client.register(key)
self.assertIsInstance(uid, six.string_types)
try:
result = self.client.get(uid)
self.assertIsInstance(result, objects.PublicKey)
self.assertEqual(
result, key, "expected {0}\nobserved {1}".format(result, key))
finally:
self.client.destroy(uid)
self.assertRaises(
exceptions.KmipOperationFailure, self.client.get, uid)
self.assertRaises(
exceptions.KmipOperationFailure, self.client.destroy, uid)
b'\xB8\xD7\x18\x12\xB2\x05\x38\x7C\x0F\x65\x83\xBC\x4D\x7D\xC7\xEC'
b'\x11\x4F\x3B\x17\x6B\x79\x57\xC4\x22\xE7\xD0\x3F\xC6\x26\x7F\xA2'
b'\xA6\xF8\x9B\x9B\xEE\x9E\x60\xA1\xD7\xC2\xD8\x33\xE5\xA5\xF4\xBB'
b'\x0B\x14\x34\xF4\xE7\x95\xA4\x11\x00\xF8\xAA\x21\x49\x00\xDF\x8B'
b'\x65\x08\x9F\x98\x13\x5B\x1C\x67\xB7\x01\x67\x5A\xBD\xBC\x7D\x57'
b'\x21\xAA\xC9\xD1\x4A\x7F\x08\x1F\xCE\xC8\x0B\x64\xE8\xA0\xEC\xC8'
b'\x29\x53\x53\xC7\x95\x32\x8A\xBF\x70\xE1\xB4\x2E\x7B\xB8\xB7\xF4'
b'\xE8\xAC\x8C\x81\x0C\xDB\x66\xE3\xD2\x11\x26\xEB\xA8\xDA\x7D\x0C'
b'\xA3\x41\x42\xCB\x76\xF9\x1F\x01\x3D\xA8\x09\xE9\xC1\xB7\xAE\x64'
b'\xC5\x41\x30\xFB\xC2\x1D\x80\xE9\xC2\xCB\x06\xC5\xC8\xD7\xCC\xE8'
b'\x94\x6A\x9A\xC9\x9B\x1C\x28\x15\xC3\x61\x2A\x29\xA8\x2D\x73\xA1'
b'\xF9\x93\x74\xFE\x30\xE5\x49\x51\x66\x2A\x6E\xDA\x29\xC6\xFC\x41'
b'\x13\x35\xD5\xDC\x74\x26\xB0\xF6\x05\x02\x03\x01\x00\x01')
format_type = enums.KeyFormatType.X_509
usage_mask = [enums.CryptographicUsageMask.VERIFY]
name = 'Demo Public Key'
key = objects.PublicKey(algorithm, length, value, format_type, usage_mask,
name)
key.operation_policy_name = opts.operation_policy_name
# Build the client and connect to the server
with client.ProxyKmipClient(config=config,
config_file=opts.config_file) as client:
try:
uid = client.register(key)
logger.info("Successfully registered public key with ID: "
"{0}".format(uid))
except Exception as e:
logger.error(e)
config_file=opts.config_file
) as client:
# Create keys to use for derivation
try:
signing_key_id = client.register(
objects.PublicKey(
enums.CryptographicAlgorithm.RSA,
1120,
(
b'\x30\x81\x89\x02\x81\x81\x00\xac\x13\xd9\xfd\xae\x7b'
b'\x73\x35\xb6\x9c\xd9\x85\x67\xe9\x64\x7d\x99\xbf\x37'
b'\x3a\x9e\x05\xce\x34\x35\xd6\x64\x65\xf3\x28\xb7\xf7'
b'\x33\x4b\x79\x2a\xee\x7e\xfa\x04\x4e\xbc\x4c\x7a\x30'
b'\xb2\x1a\x5d\x7a\x89\xcd\xb3\xa3\x0d\xfc\xd9\xfe\xe9'
b'\x99\x5e\x09\x41\x5e\xdc\x0b\xf9\xe5\xb4\xc3\xf7\x4f'
b'\xf5\x3f\xb4\xd2\x94\x41\xbf\x1b\x7e\xd6\xcb\xdd\x4a'
b'\x47\xf9\x25\x22\x69\xe1\x64\x6f\x6c\x1a\xee\x05\x14'
b'\xe9\x3f\x6c\xb9\xdf\x71\xd0\x6c\x06\x0a\x21\x04\xb4'
b'\x7b\x72\x60\xac\x37\xc1\x06\x86\x1d\xc7\x8c\xa5\xa2'
b'\x5f\xaa\x9c\xb2\xe3\x02\x03\x01\x00\x01'
),
masks=[
enums.CryptographicUsageMask.SIGN,
enums.CryptographicUsageMask.VERIFY
]
)
)
logger.info("Successfully created a new signing key.")
logger.info("Signing Key ID: {0}".format(signing_key_id))
except Exception as e:
logger.error(e)
def _process_create_key_pair(self, payload):
self._logger.info("Processing operation: CreateKeyPair")
algorithm = None
length = None
# Process attribute sets
public_key_attributes = {}
private_key_attributes = {}
common_attributes = {}
if payload.public_key_template_attribute:
public_key_attributes = self._process_template_attribute(
payload.public_key_template_attribute)
if payload.private_key_template_attribute:
private_key_attributes = self._process_template_attribute(
payload.private_key_template_attribute)
if payload.common_template_attribute:
common_attributes = self._process_template_attribute(
payload.common_template_attribute)
# Propagate common attributes if not overridden by the public/private
# attribute sets
for key, value in six.iteritems(common_attributes):
if key not in public_key_attributes.keys():
public_key_attributes.update([(key, value)])
if key not in private_key_attributes.keys():
private_key_attributes.update([(key, value)])
# Error check for required attributes.
public_algorithm = public_key_attributes.get('Cryptographic Algorithm')
if public_algorithm:
public_algorithm = public_algorithm.value
else:
raise exceptions.InvalidField(
"The cryptographic algorithm must be specified as an "
"attribute for the public key.")
public_length = public_key_attributes.get('Cryptographic Length')
if public_length:
public_length = public_length.value
else:
# TODO (peterhamilton) The cryptographic length is technically not
# required per the spec. Update the CryptographyEngine to accept a
# None length, allowing it to pick the length dynamically. Default
# to the strongest key size allowed for the algorithm type.
raise exceptions.InvalidField(
"The cryptographic length must be specified as an attribute "
"for the public key.")
public_usage_mask = public_key_attributes.get(
'Cryptographic Usage Mask')
if public_usage_mask is None:
raise exceptions.InvalidField(
"The cryptographic usage mask must be specified as an "
"attribute for the public key.")
private_algorithm = private_key_attributes.get(
'Cryptographic Algorithm')
if private_algorithm:
private_algorithm = private_algorithm.value
else:
raise exceptions.InvalidField(
"The cryptographic algorithm must be specified as an "
"attribute for the private key.")
private_length = private_key_attributes.get('Cryptographic Length')
if private_length:
private_length = private_length.value
else:
# TODO (peterhamilton) The cryptographic length is technically not
# required per the spec. Update the CryptographyEngine to accept a
# None length, allowing it to pick the length dynamically. Default
# to the strongest key size allowed for the algorithm type.
raise exceptions.InvalidField(
"The cryptographic length must be specified as an attribute "
"for the private key.")
private_usage_mask = private_key_attributes.get(
'Cryptographic Usage Mask')
if private_usage_mask is None:
raise exceptions.InvalidField(
"The cryptographic usage mask must be specified as an "
"attribute for the private key.")
if public_algorithm == private_algorithm:
algorithm = public_algorithm
else:
raise exceptions.InvalidField(
"The public and private key algorithms must be the same.")
if public_length == private_length:
length = public_length
else:
raise exceptions.InvalidField(
"The public and private key lengths must be the same.")
public, private = self._cryptography_engine.create_asymmetric_key_pair(
algorithm, length)
public_key = objects.PublicKey(algorithm, length, public.get('value'),
public.get('format'))
private_key = objects.PrivateKey(algorithm, length,
private.get('value'),
private.get('format'))
public_key.names = []
private_key.names = []
self._set_attributes_on_managed_object(public_key,
public_key_attributes)
self._set_attributes_on_managed_object(private_key,
private_key_attributes)
# TODO (peterhamilton) Set additional server-only attributes.
public_key._owner = self._client_identity
private_key._owner = self._client_identity
self._data_session.add(public_key)
self._data_session.add(private_key)
# NOTE (peterhamilton) SQLAlchemy will *not* assign an ID until
# commit is called. This makes future support for UNDO problematic.
self._data_session.commit()
self._logger.info("Created a PublicKey with ID: {0}".format(
public_key.unique_identifier))
self._logger.info("Created a PrivateKey with ID: {0}".format(
private_key.unique_identifier))
response_payload = create_key_pair.CreateKeyPairResponsePayload(
private_key_uuid=attributes.PrivateKeyUniqueIdentifier(
str(private_key.unique_identifier)),
public_key_uuid=attributes.PublicKeyUniqueIdentifier(
str(public_key.unique_identifier)))
self._id_placeholder = str(private_key.unique_identifier)
return response_payload
