def test_store_asymmetric_key_secret_assert_called(self, barbican_type, barbican_key, kmip_type, kmip_key, pkcs1_only): key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048) secret_value = base64.b64encode(barbican_key) secret_dto = secret_store.SecretDTO(barbican_type, secret_value, key_spec, 'content_type') self.secret_store.pkcs1_only = pkcs1_only self.secret_store.store_secret(secret_dto) secret_value = base64.b64decode(secret_value) if not pkcs1_only: secret_value = translations.convert_pem_to_der( secret_value, barbican_type) if kmip_type == enums.ObjectType.PUBLIC_KEY: if pkcs1_only: secret_value = kss.get_public_key_der_pkcs1(secret_value) secret = objects.PublicKey(enums.CryptographicAlgorithm.RSA, 2048, secret_value, enums.KeyFormatType.X_509) else: if pkcs1_only: secret_value = kss.get_private_key_der_pkcs1(secret_value) secret = objects.PrivateKey(enums.CryptographicAlgorithm.RSA, 2048, secret_value, enums.KeyFormatType.PKCS_8) self.secret_store.client.register.assert_called_once_with(secret)
def get_sample_public_key(pkcs1=False): if pkcs1: public_key_value = kss.get_public_key_der_pkcs1( keys.get_public_key_pem()) key_format_type = enums.KeyFormatType.PKCS_1 else: public_key_value = keys.get_public_key_der() key_format_type = enums.KeyFormatType.X_509 return objects.PublicKey(enums.CryptographicAlgorithm.RSA, 2048, public_key_value, key_format_type)
def test_convert_public_key_pie_to_core(self): """ Test that a Pie public key can be converted into a core public key. """ pie_key = pobjects.PublicKey(enums.CryptographicAlgorithm.RSA, 2048, self.public_bytes, enums.KeyFormatType.PKCS_1) core_key = self.factory.convert(pie_key) self.assertIsInstance(core_key, secrets.PublicKey) self._test_core_key(core_key, enums.CryptographicAlgorithm.RSA, 2048, self.public_bytes, enums.KeyFormatType.PKCS_1)
def _get_kmip_secret(self, secret_dto): """Builds a KMIP object from a SecretDTO This is needed for register calls. The Barbican object needs to be converted to KMIP object before it can be stored :param secret_dto: SecretDTO of secret to be stored :returns: KMIP object """ secret_type = secret_dto.type key_spec = secret_dto.key_spec object_type, key_format_type = ( self._map_type_ss_to_kmip(secret_type)) normalized_secret = self._normalize_secret(secret_dto.secret, secret_type) kmip_object = None if object_type == enums.ObjectType.CERTIFICATE: kmip_object = objects.X509Certificate(normalized_secret) elif object_type == enums.ObjectType.OPAQUE_DATA: opaque_type = enums.OpaqueDataType.NONE kmip_object = objects.OpaqueObject(normalized_secret, opaque_type) elif object_type == enums.ObjectType.PRIVATE_KEY: algorithm = self._get_kmip_algorithm(key_spec.alg) length = key_spec.bit_length format_type = enums.KeyFormatType.PKCS_8 kmip_object = objects.PrivateKey( algorithm, length, normalized_secret, format_type) elif object_type == enums.ObjectType.PUBLIC_KEY: algorithm = self._get_kmip_algorithm(key_spec.alg) length = key_spec.bit_length format_type = enums.KeyFormatType.X_509 kmip_object = objects.PublicKey( algorithm, length, normalized_secret, format_type) elif object_type == enums.ObjectType.SYMMETRIC_KEY: algorithm = self._get_kmip_algorithm(key_spec.alg) length = key_spec.bit_length kmip_object = objects.SymmetricKey(algorithm, length, normalized_secret) elif object_type == enums.ObjectType.SECRET_DATA: data_type = enums.SecretDataType.PASSWORD kmip_object = objects.SecretData(normalized_secret, data_type) return kmip_object
def test_public_key_register_get_destroy(self): """ Test that the ProxyKmipClient can register, retrieve, and destroy a public key. """ # Key encoding obtained from Section 13.4 of the KMIP 1.1 test # documentation. key = objects.PublicKey( enums.CryptographicAlgorithm.RSA, 2048, (b'\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAB\x7F\x16\x1C\x00\x42' b'\x49\x6C\xCD\x6C\x6D\x4D\xAD\xB9\x19\x97\x34\x35\x35\x77\x76' b'\x00\x3A\xCF\x54\xB7\xAF\x1E\x44\x0A\xFB\x80\xB6\x4A\x87\x55' b'\xF8\x00\x2C\xFE\xBA\x6B\x18\x45\x40\xA2\xD6\x60\x86\xD7\x46' b'\x48\x34\x6D\x75\xB8\xD7\x18\x12\xB2\x05\x38\x7C\x0F\x65\x83' b'\xBC\x4D\x7D\xC7\xEC\x11\x4F\x3B\x17\x6B\x79\x57\xC4\x22\xE7' b'\xD0\x3F\xC6\x26\x7F\xA2\xA6\xF8\x9B\x9B\xEE\x9E\x60\xA1\xD7' b'\xC2\xD8\x33\xE5\xA5\xF4\xBB\x0B\x14\x34\xF4\xE7\x95\xA4\x11' b'\x00\xF8\xAA\x21\x49\x00\xDF\x8B\x65\x08\x9F\x98\x13\x5B\x1C' b'\x67\xB7\x01\x67\x5A\xBD\xBC\x7D\x57\x21\xAA\xC9\xD1\x4A\x7F' b'\x08\x1F\xCE\xC8\x0B\x64\xE8\xA0\xEC\xC8\x29\x53\x53\xC7\x95' b'\x32\x8A\xBF\x70\xE1\xB4\x2E\x7B\xB8\xB7\xF4\xE8\xAC\x8C\x81' b'\x0C\xDB\x66\xE3\xD2\x11\x26\xEB\xA8\xDA\x7D\x0C\xA3\x41\x42' b'\xCB\x76\xF9\x1F\x01\x3D\xA8\x09\xE9\xC1\xB7\xAE\x64\xC5\x41' b'\x30\xFB\xC2\x1D\x80\xE9\xC2\xCB\x06\xC5\xC8\xD7\xCC\xE8\x94' b'\x6A\x9A\xC9\x9B\x1C\x28\x15\xC3\x61\x2A\x29\xA8\x2D\x73\xA1' b'\xF9\x93\x74\xFE\x30\xE5\x49\x51\x66\x2A\x6E\xDA\x29\xC6\xFC' b'\x41\x13\x35\xD5\xDC\x74\x26\xB0\xF6\x05\x02\x03\x01\x00\x01'), enums.KeyFormatType.PKCS_1) uid = self.client.register(key) self.assertIsInstance(uid, six.string_types) try: result = self.client.get(uid) self.assertIsInstance(result, objects.PublicKey) self.assertEqual( result, key, "expected {0}\nobserved {1}".format(result, key)) finally: self.client.destroy(uid) self.assertRaises( exceptions.KmipOperationFailure, self.client.get, uid) self.assertRaises( exceptions.KmipOperationFailure, self.client.destroy, uid)
b'\xB8\xD7\x18\x12\xB2\x05\x38\x7C\x0F\x65\x83\xBC\x4D\x7D\xC7\xEC' b'\x11\x4F\x3B\x17\x6B\x79\x57\xC4\x22\xE7\xD0\x3F\xC6\x26\x7F\xA2' b'\xA6\xF8\x9B\x9B\xEE\x9E\x60\xA1\xD7\xC2\xD8\x33\xE5\xA5\xF4\xBB' b'\x0B\x14\x34\xF4\xE7\x95\xA4\x11\x00\xF8\xAA\x21\x49\x00\xDF\x8B' b'\x65\x08\x9F\x98\x13\x5B\x1C\x67\xB7\x01\x67\x5A\xBD\xBC\x7D\x57' b'\x21\xAA\xC9\xD1\x4A\x7F\x08\x1F\xCE\xC8\x0B\x64\xE8\xA0\xEC\xC8' b'\x29\x53\x53\xC7\x95\x32\x8A\xBF\x70\xE1\xB4\x2E\x7B\xB8\xB7\xF4' b'\xE8\xAC\x8C\x81\x0C\xDB\x66\xE3\xD2\x11\x26\xEB\xA8\xDA\x7D\x0C' b'\xA3\x41\x42\xCB\x76\xF9\x1F\x01\x3D\xA8\x09\xE9\xC1\xB7\xAE\x64' b'\xC5\x41\x30\xFB\xC2\x1D\x80\xE9\xC2\xCB\x06\xC5\xC8\xD7\xCC\xE8' b'\x94\x6A\x9A\xC9\x9B\x1C\x28\x15\xC3\x61\x2A\x29\xA8\x2D\x73\xA1' b'\xF9\x93\x74\xFE\x30\xE5\x49\x51\x66\x2A\x6E\xDA\x29\xC6\xFC\x41' b'\x13\x35\xD5\xDC\x74\x26\xB0\xF6\x05\x02\x03\x01\x00\x01') format_type = enums.KeyFormatType.X_509 usage_mask = [enums.CryptographicUsageMask.VERIFY] name = 'Demo Public Key' key = objects.PublicKey(algorithm, length, value, format_type, usage_mask, name) key.operation_policy_name = opts.operation_policy_name # Build the client and connect to the server with client.ProxyKmipClient(config=config, config_file=opts.config_file) as client: try: uid = client.register(key) logger.info("Successfully registered public key with ID: " "{0}".format(uid)) except Exception as e: logger.error(e)
config_file=opts.config_file ) as client: # Create keys to use for derivation try: signing_key_id = client.register( objects.PublicKey( enums.CryptographicAlgorithm.RSA, 1120, ( b'\x30\x81\x89\x02\x81\x81\x00\xac\x13\xd9\xfd\xae\x7b' b'\x73\x35\xb6\x9c\xd9\x85\x67\xe9\x64\x7d\x99\xbf\x37' b'\x3a\x9e\x05\xce\x34\x35\xd6\x64\x65\xf3\x28\xb7\xf7' b'\x33\x4b\x79\x2a\xee\x7e\xfa\x04\x4e\xbc\x4c\x7a\x30' b'\xb2\x1a\x5d\x7a\x89\xcd\xb3\xa3\x0d\xfc\xd9\xfe\xe9' b'\x99\x5e\x09\x41\x5e\xdc\x0b\xf9\xe5\xb4\xc3\xf7\x4f' b'\xf5\x3f\xb4\xd2\x94\x41\xbf\x1b\x7e\xd6\xcb\xdd\x4a' b'\x47\xf9\x25\x22\x69\xe1\x64\x6f\x6c\x1a\xee\x05\x14' b'\xe9\x3f\x6c\xb9\xdf\x71\xd0\x6c\x06\x0a\x21\x04\xb4' b'\x7b\x72\x60\xac\x37\xc1\x06\x86\x1d\xc7\x8c\xa5\xa2' b'\x5f\xaa\x9c\xb2\xe3\x02\x03\x01\x00\x01' ), masks=[ enums.CryptographicUsageMask.SIGN, enums.CryptographicUsageMask.VERIFY ] ) ) logger.info("Successfully created a new signing key.") logger.info("Signing Key ID: {0}".format(signing_key_id)) except Exception as e: logger.error(e)
def _process_create_key_pair(self, payload): self._logger.info("Processing operation: CreateKeyPair") algorithm = None length = None # Process attribute sets public_key_attributes = {} private_key_attributes = {} common_attributes = {} if payload.public_key_template_attribute: public_key_attributes = self._process_template_attribute( payload.public_key_template_attribute) if payload.private_key_template_attribute: private_key_attributes = self._process_template_attribute( payload.private_key_template_attribute) if payload.common_template_attribute: common_attributes = self._process_template_attribute( payload.common_template_attribute) # Propagate common attributes if not overridden by the public/private # attribute sets for key, value in six.iteritems(common_attributes): if key not in public_key_attributes.keys(): public_key_attributes.update([(key, value)]) if key not in private_key_attributes.keys(): private_key_attributes.update([(key, value)]) # Error check for required attributes. public_algorithm = public_key_attributes.get('Cryptographic Algorithm') if public_algorithm: public_algorithm = public_algorithm.value else: raise exceptions.InvalidField( "The cryptographic algorithm must be specified as an " "attribute for the public key.") public_length = public_key_attributes.get('Cryptographic Length') if public_length: public_length = public_length.value else: # TODO (peterhamilton) The cryptographic length is technically not # required per the spec. Update the CryptographyEngine to accept a # None length, allowing it to pick the length dynamically. Default # to the strongest key size allowed for the algorithm type. raise exceptions.InvalidField( "The cryptographic length must be specified as an attribute " "for the public key.") public_usage_mask = public_key_attributes.get( 'Cryptographic Usage Mask') if public_usage_mask is None: raise exceptions.InvalidField( "The cryptographic usage mask must be specified as an " "attribute for the public key.") private_algorithm = private_key_attributes.get( 'Cryptographic Algorithm') if private_algorithm: private_algorithm = private_algorithm.value else: raise exceptions.InvalidField( "The cryptographic algorithm must be specified as an " "attribute for the private key.") private_length = private_key_attributes.get('Cryptographic Length') if private_length: private_length = private_length.value else: # TODO (peterhamilton) The cryptographic length is technically not # required per the spec. Update the CryptographyEngine to accept a # None length, allowing it to pick the length dynamically. Default # to the strongest key size allowed for the algorithm type. raise exceptions.InvalidField( "The cryptographic length must be specified as an attribute " "for the private key.") private_usage_mask = private_key_attributes.get( 'Cryptographic Usage Mask') if private_usage_mask is None: raise exceptions.InvalidField( "The cryptographic usage mask must be specified as an " "attribute for the private key.") if public_algorithm == private_algorithm: algorithm = public_algorithm else: raise exceptions.InvalidField( "The public and private key algorithms must be the same.") if public_length == private_length: length = public_length else: raise exceptions.InvalidField( "The public and private key lengths must be the same.") public, private = self._cryptography_engine.create_asymmetric_key_pair( algorithm, length) public_key = objects.PublicKey(algorithm, length, public.get('value'), public.get('format')) private_key = objects.PrivateKey(algorithm, length, private.get('value'), private.get('format')) public_key.names = [] private_key.names = [] self._set_attributes_on_managed_object(public_key, public_key_attributes) self._set_attributes_on_managed_object(private_key, private_key_attributes) # TODO (peterhamilton) Set additional server-only attributes. public_key._owner = self._client_identity private_key._owner = self._client_identity self._data_session.add(public_key) self._data_session.add(private_key) # NOTE (peterhamilton) SQLAlchemy will *not* assign an ID until # commit is called. This makes future support for UNDO problematic. self._data_session.commit() self._logger.info("Created a PublicKey with ID: {0}".format( public_key.unique_identifier)) self._logger.info("Created a PrivateKey with ID: {0}".format( private_key.unique_identifier)) response_payload = create_key_pair.CreateKeyPairResponsePayload( private_key_uuid=attributes.PrivateKeyUniqueIdentifier( str(private_key.unique_identifier)), public_key_uuid=attributes.PublicKeyUniqueIdentifier( str(public_key.unique_identifier))) self._id_placeholder = str(private_key.unique_identifier) return response_payload