def read(self, istream):
super(KeyBlock, self).read(istream)
tstream = BytearrayStream(istream.read(self.length))
self.key_format_type = KeyFormatType()
self.key_format_type.read(tstream)
if self.is_tag_next(Tags.KEY_COMPRESSION_TYPE, tstream):
self.key_compression_type = KeyBlock.KeyCompressionType()
self.key_compression_type.read(tstream)
self.key_value = KeyValue()
self.key_value.read(tstream)
if self.is_tag_next(Tags.CRYPTOGRAPHIC_ALGORITHM, tstream):
self.cryptographic_algorithm = attributes.CryptographicAlgorithm()
self.cryptographic_algorithm.read(tstream)
if self.is_tag_next(Tags.CRYPTOGRAPHIC_LENGTH, tstream):
self.cryptographic_length = attributes.CryptographicLength()
self.cryptographic_length.read(tstream)
if self.is_tag_next(Tags.KEY_WRAPPING_DATA, tstream):
self.key_wrapping_data = KeyWrappingData()
self.key_wrapping_data.read(tstream)
self.is_oversized(tstream)
self.validate()
def test_build_pie_asymmetric_key(self):
"""
Test that a core asymmetric key object can be converted into a Pie
asymmetric object.
"""
format_type = misc.KeyFormatType(enums.KeyFormatType.PKCS_1)
algorithm = attributes.CryptographicAlgorithm(
enums.CryptographicAlgorithm.RSA)
length = attributes.CryptographicLength(2048)
key_material = cobjects.KeyMaterial(self.public_bytes)
key_value = cobjects.KeyValue(key_material)
key_block = cobjects.KeyBlock(
key_format_type=format_type,
key_compression_type=None,
key_value=key_value,
cryptographic_algorithm=algorithm,
cryptographic_length=length,
key_wrapping_data=None)
core_key = secrets.PublicKey(key_block)
pie_key = self.factory._build_pie_key(core_key, pobjects.PublicKey)
self.assertIsInstance(pie_key, pobjects.PublicKey)
self._test_pie_key(
pie_key, algorithm.value, length.value, self.public_bytes,
format_type.value)
def test_store_asymmetric_key_secret_assert_called(self,
barbican_type,
barbican_key,
kmip_type,
kmip_key,
pkcs1_only):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048)
secret_dto = secret_store.SecretDTO(barbican_type,
base64.b64encode(barbican_key),
key_spec,
'content_type')
self.secret_store.pkcs1_only = pkcs1_only
self.secret_store.store_secret(secret_dto)
self.secret_store.client.proxy.register.assert_called_once_with(
kmip_type,
mock.ANY,
mock.ANY)
proxy = self.secret_store.client.proxy
register_call_args, _ = proxy.register.call_args
actual_secret = register_call_args[2]
self.assertEqual(
2048,
actual_secret.key_block.cryptographic_length.value)
self.assertEqual(
attr.CryptographicAlgorithm(enums.CryptographicAlgorithm.RSA),
actual_secret.key_block.cryptographic_algorithm)
self.assertEqual(
kmip_key,
actual_secret.key_block.key_value.key_material.value)
def test_store_symmetric_secret_assert_called(self):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.AES,
128, 'mode')
sym_key = utils.get_symmetric_key()
secret_dto = secret_store.SecretDTO(secret_store.SecretType.SYMMETRIC,
sym_key,
key_spec,
'content_type',
transport_key=None)
self.secret_store.store_secret(secret_dto)
self.secret_store.client.proxy.register.assert_called_once_with(
enums.ObjectType.SYMMETRIC_KEY,
mock.ANY,
mock.ANY)
register_mock = self.secret_store.client.proxy.register
register_call_args, _ = register_mock.call_args
actual_secret = register_call_args[2]
self.assertEqual(
128,
actual_secret.key_block.cryptographic_length.value)
self.assertEqual(
attr.CryptographicAlgorithm(enums.CryptographicAlgorithm.AES),
actual_secret.key_block.cryptographic_algorithm)
self.assertEqual(
base64.b64decode(sym_key),
actual_secret.key_block.key_value.key_material.value)
def test_convert_symmetric_key_core_to_pie(self):
"""
Test that a core symmetric key can be converted into a Pie symmetric
key.
"""
format_type = misc.KeyFormatType(enums.KeyFormatType.RAW)
algorithm = attributes.CryptographicAlgorithm(
enums.CryptographicAlgorithm.AES)
length = attributes.CryptographicLength(128)
key_material = cobjects.KeyMaterial(self.symmetric_bytes)
key_value = cobjects.KeyValue(key_material)
key_block = cobjects.KeyBlock(
key_format_type=format_type,
key_compression_type=None,
key_value=key_value,
cryptographic_algorithm=algorithm,
cryptographic_length=length,
key_wrapping_data=None)
core_key = secrets.SymmetricKey(key_block)
pie_key = self.factory.convert(core_key)
self.assertIsInstance(pie_key, pobjects.SymmetricKey)
self._test_pie_key(
pie_key, algorithm.value, length.value, self.symmetric_bytes,
format_type.value)
def get_sample_symmetric_key(key_b64=utils.get_symmetric_key(),
key_length=128,
algorithm=enums.CryptographicAlgorithm.AES):
key_material = objects.KeyMaterial(base64.b64decode(key_b64))
key_value = objects.KeyValue(key_material)
key_block = objects.KeyBlock(
key_format_type=misc.KeyFormatType(enums.KeyFormatType.RAW),
key_compression_type=None,
key_value=key_value,
cryptographic_algorithm=attr.CryptographicAlgorithm(algorithm),
cryptographic_length=attr.CryptographicLength(key_length),
key_wrapping_data=None)
return secrets.SymmetricKey(key_block)
def _create_cryptographic_parameters(self, params):
bcm = None
padding_method = None
hashing_algorithm = None
key_role_type = None
digital_signature_algorithm = None
cryptographic_algorithm = None
# TODO: Need to implement other fields of CryptographicParameters (3.6)
if params is not None:
if 'block_cipher_mode' in params:
bcm = attributes.CryptographicParameters.BlockCipherMode(
params.get('block_cipher_mode'))
padding_method = None
if 'padding_method' in params:
padding_method = attributes.CryptographicParameters. \
PaddingMethod(params.get('padding_method'))
key_role_type = None
if 'key_role_type' in params:
key_role_type = attributes.CryptographicParameters.KeyRoleType(
params.get('key_role_type'))
hashing_algorithm = None
if 'hashing_algorithm' in params:
hashing_algorithm = attributes.HashingAlgorithm(
params.get("hashing_algorithm"))
if 'digital_signature_algorithm' in params:
digital_signature_algorithm = \
attributes.CryptographicParameters. \
DigitalSignatureAlgorithm(
params.get("digital_signature_algorithm"))
if 'cryptographic_algorithm' in params:
cryptographic_algorithm = attributes.CryptographicAlgorithm(
params.get("cryptographic_algorithm"))
return attributes.CryptographicParameters(
block_cipher_mode=bcm,
padding_method=padding_method,
hashing_algorithm=hashing_algorithm,
key_role_type=key_role_type,
digital_signature_algorithm=digital_signature_algorithm,
cryptographic_algorithm=cryptographic_algorithm)
def get_sample_private_key(pkcs1=False):
if pkcs1:
private_key = kss.get_private_key_der_pkcs1(keys.get_private_key_pem())
key_format_type = misc.KeyFormatType(enums.KeyFormatType.PKCS_1)
else:
private_key = keys.get_private_key_der()
key_format_type = misc.KeyFormatType(enums.KeyFormatType.PKCS_8)
key_material = objects.KeyMaterial(private_key)
key_value = objects.KeyValue(key_material)
key_block = objects.KeyBlock(
key_format_type=key_format_type,
key_compression_type=None,
key_value=key_value,
cryptographic_algorithm=attr.CryptographicAlgorithm(
enums.CryptographicAlgorithm.RSA),
cryptographic_length=attr.CryptographicLength(2048),
key_wrapping_data=None)
return secrets.PrivateKey(key_block)
def _build_core_key(self, key, cls):
algorithm = key.cryptographic_algorithm
length = key.cryptographic_length
value = key.value
format_type = key.key_format_type
key_material = cobjects.KeyMaterial(value)
key_value = cobjects.KeyValue(key_material)
key_block = cobjects.KeyBlock(
key_format_type=misc.KeyFormatType(format_type),
key_compression_type=None,
key_value=key_value,
cryptographic_algorithm=attributes.CryptographicAlgorithm(
algorithm),
cryptographic_length=attributes.CryptographicLength(length),
key_wrapping_data=None)
return cls(key_block)
def test_build_pie_split_key(self):
"""
Test that a core split key object can be converted into a Pie split
key object.
"""
key_block = cobjects.KeyBlock(
key_format_type=misc.KeyFormatType(enums.KeyFormatType.RAW),
key_compression_type=None,
key_value=cobjects.KeyValue(
cobjects.KeyMaterial(self.symmetric_bytes)
),
cryptographic_algorithm=attributes.CryptographicAlgorithm(
enums.CryptographicAlgorithm.AES
),
cryptographic_length=attributes.CryptographicLength(128),
key_wrapping_data=None
)
core_split_key = secrets.SplitKey(
split_key_parts=3,
key_part_identifier=1,
split_key_threshold=2,
split_key_method=enums.SplitKeyMethod.XOR,
prime_field_size=None,
key_block=key_block
)
pie_split_key = self.factory._build_pie_split_key(core_split_key)
self.assertIsInstance(pie_split_key, pobjects.SplitKey)
self._test_pie_key(
pie_split_key,
enums.CryptographicAlgorithm.AES,
128,
self.symmetric_bytes,
enums.KeyFormatType.RAW
)
self.assertEqual(3, pie_split_key.split_key_parts)
self.assertEqual(1, pie_split_key.key_part_identifier)
self.assertEqual(2, pie_split_key.split_key_threshold)
self.assertEqual(
enums.SplitKeyMethod.XOR,
pie_split_key.split_key_method
)
self.assertIsNone(pie_split_key.prime_field_size)
def test_build_pie_symmetric_key_on_invalid_format(self):
"""
Test that a TypeError exception is raised when attempting to create a
Pie SymmetricKey object from a core SymmetricKey object with an
incompatible format.
"""
format_type = misc.KeyFormatType(enums.KeyFormatType.OPAQUE)
algorithm = attributes.CryptographicAlgorithm(
enums.CryptographicAlgorithm.AES)
length = attributes.CryptographicLength(128)
key_material = cobjects.KeyMaterial(self.symmetric_bytes)
key_value = cobjects.KeyValue(key_material)
key_block = cobjects.KeyBlock(key_format_type=format_type,
key_compression_type=None,
key_value=key_value,
cryptographic_algorithm=algorithm,
cryptographic_length=length,
key_wrapping_data=None)
core_key = secrets.SymmetricKey(key_block)
args = [core_key, pobjects.SymmetricKey]
self.assertRaises(TypeError, self.factory._build_pie_key, *args)
def _build_core_split_key(self, secret):
key_material = cobjects.KeyMaterial(secret.value)
key_value = cobjects.KeyValue(key_material)
key_wrapping_data = None
if secret.key_wrapping_data:
key_wrapping_data = cobjects.KeyWrappingData(
**secret.key_wrapping_data)
key_block = cobjects.KeyBlock(
key_format_type=misc.KeyFormatType(secret.key_format_type),
key_compression_type=None,
key_value=key_value,
cryptographic_algorithm=attributes.CryptographicAlgorithm(
secret.cryptographic_algorithm),
cryptographic_length=attributes.CryptographicLength(
secret.cryptographic_length),
key_wrapping_data=key_wrapping_data)
return secrets.SplitKey(split_key_parts=secret.split_key_parts,
key_part_identifier=secret.key_part_identifier,
split_key_threshold=secret.split_key_threshold,
split_key_method=secret.split_key_method,
prime_field_size=secret.prime_field_size,
key_block=key_block)
def test_create_cryptographic_parameters(self):
"""
Test that a CryptographicParameters attribute can be created.
"""
value = {
'block_cipher_mode': enums.BlockCipherMode.NIST_KEY_WRAP,
'padding_method': enums.PaddingMethod.ANSI_X9_23,
'key_role_type': enums.KeyRoleType.KEK,
'hashing_algorithm': enums.HashingAlgorithm.SHA_512,
'digital_signature_algorithm':
enums.DigitalSignatureAlgorithm.ECDSA_WITH_SHA512,
'cryptographic_algorithm': enums.CryptographicAlgorithm.HMAC_SHA512
}
params = self.factory.create_attribute_value(
enums.AttributeType.CRYPTOGRAPHIC_PARAMETERS, value)
# TODO (peter-hamilton): Update assertEquals after structure changes
self.assertIsInstance(params, attributes.CryptographicParameters)
self.assertEqual(
attributes.CryptographicParameters.BlockCipherMode(
enums.BlockCipherMode.NIST_KEY_WRAP), params.block_cipher_mode)
self.assertEqual(
attributes.CryptographicParameters.PaddingMethod(
enums.PaddingMethod.ANSI_X9_23), params.padding_method)
self.assertEqual(
attributes.CryptographicParameters.KeyRoleType(
enums.KeyRoleType.KEK), params.key_role_type)
self.assertEqual(
attributes.HashingAlgorithm(enums.HashingAlgorithm.SHA_512),
params.hashing_algorithm)
self.assertEqual(
attributes.CryptographicParameters.DigitalSignatureAlgorithm(
enums.DigitalSignatureAlgorithm.ECDSA_WITH_SHA512),
params.digital_signature_algorithm)
self.assertEqual(
attributes.CryptographicAlgorithm(
enums.CryptographicAlgorithm.HMAC_SHA512),
params.cryptographic_algorithm)
def test_store_asymmetric_key_secret_assert_called(self, barbican_type,
barbican_key, kmip_type,
kmip_key, pkcs1_only):
key_spec = secret_store.KeySpec(secret_store.KeyAlgorithm.RSA, 2048)
secret_dto = secret_store.SecretDTO(barbican_type,
base64.b64encode(barbican_key),
key_spec, 'content_type')
self.secret_store.pkcs1_only = pkcs1_only
self.secret_store.store_secret(secret_dto)
self.secret_store.client.register.assert_called_once_with(
object_type=kmip_type,
template_attribute=mock.ANY,
secret=mock.ANY,
credential=self.credential)
_, register_call_kwargs = self.secret_store.client.register.call_args
actual_secret = register_call_kwargs.get('secret')
self.assertEqual(2048,
actual_secret.key_block.cryptographic_length.value)
self.assertEqual(
attr.CryptographicAlgorithm(enums.CryptographicAlgorithm.RSA),
actual_secret.key_block.cryptographic_algorithm)
self.assertEqual(kmip_key,
actual_secret.key_block.key_value.key_material.value)
def setUp(self):
super(TestMACRequestPayload, self).setUp()
self.unique_identifier = attributes.UniqueIdentifier(value='1')
self.cryptographic_parameters = \
attributes.CryptographicParameters(
cryptographic_algorithm=attributes.CryptographicAlgorithm(
enums.CryptographicAlgorithm.HMAC_SHA512)
)
self.data = objects.Data(
value=(b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B'
b'\x0C\x0D\x0E\x0F'))
self.encoding_full = utils.BytearrayStream((
b'\x42\x00\x79\x01\x00\x00\x00\x40\x42\x00\x94\x07\x00\x00\x00\x01'
b'\x31\x00\x00\x00\x00\x00\x00\x00\x42\x00\x2b\x01\x00\x00\x00\x10'
b'\x42\x00\x28\x05\x00\x00\x00\x04\x00\x00\x00\x0b\x00\x00\x00\x00'
b'\x42\x00\xc2\x08\x00\x00\x00\x10\x00\x01\x02\x03\x04\x05\x06\x07'
b'\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f'))
self.encoding_no_data = utils.BytearrayStream((
b'\x42\x00\x79\x01\x00\x00\x00\x28\x42\x00\x94\x07\x00\x00\x00\x01'
b'\x31\x00\x00\x00\x00\x00\x00\x00\x42\x00\x2b\x01\x00\x00\x00\x10'
b'\x42\x00\x28\x05\x00\x00\x00\x04\x00\x00\x00\x0b\x00\x00\x00\x00'
))
def create_attribute_value(self, name, value):
# Switch on the name of the attribute
if name is enums.AttributeType.UNIQUE_IDENTIFIER:
return attributes.UniqueIdentifier(value)
elif name is enums.AttributeType.NAME:
return self._create_name(value)
elif name is enums.AttributeType.OBJECT_TYPE:
return attributes.ObjectType(value)
elif name is enums.AttributeType.CRYPTOGRAPHIC_ALGORITHM:
return attributes.CryptographicAlgorithm(value)
elif name is enums.AttributeType.CRYPTOGRAPHIC_LENGTH:
return self._create_cryptographic_length(value)
elif name is enums.AttributeType.CRYPTOGRAPHIC_PARAMETERS:
return self._create_cryptographic_parameters(value)
elif name is enums.AttributeType.CRYPTOGRAPHIC_DOMAIN_PARAMETERS:
raise NotImplementedError()
elif name is enums.AttributeType.CERTIFICATE_TYPE:
raise NotImplementedError()
elif name is enums.AttributeType.CERTIFICATE_LENGTH:
return primitives.Integer(value, enums.Tags.CERTIFICATE_LENGTH)
elif name is enums.AttributeType.X_509_CERTIFICATE_IDENTIFIER:
raise NotImplementedError()
elif name is enums.AttributeType.X_509_CERTIFICATE_SUBJECT:
raise NotImplementedError()
elif name is enums.AttributeType.X_509_CERTIFICATE_ISSUER:
raise NotImplementedError()
elif name is enums.AttributeType.CERTIFICATE_IDENTIFIER:
raise NotImplementedError()
elif name is enums.AttributeType.CERTIFICATE_SUBJECT:
raise NotImplementedError()
elif name is enums.AttributeType.CERTIFICATE_ISSUER:
raise NotImplementedError()
elif name is enums.AttributeType.DIGITAL_SIGNATURE_ALGORITHM:
raise NotImplementedError()
elif name is enums.AttributeType.DIGEST:
return attributes.Digest()
elif name is enums.AttributeType.OPERATION_POLICY_NAME:
return attributes.OperationPolicyName(value)
elif name is enums.AttributeType.CRYPTOGRAPHIC_USAGE_MASK:
return self._create_cryptographic_usage_mask(value)
elif name is enums.AttributeType.LEASE_TIME:
return primitives.Interval(value, enums.Tags.LEASE_TIME)
elif name is enums.AttributeType.USAGE_LIMITS:
raise NotImplementedError()
elif name is enums.AttributeType.STATE:
return attributes.State(value)
elif name is enums.AttributeType.INITIAL_DATE:
return primitives.DateTime(value, enums.Tags.INITIAL_DATE)
elif name is enums.AttributeType.ACTIVATION_DATE:
return primitives.DateTime(value, enums.Tags.ACTIVATION_DATE)
elif name is enums.AttributeType.PROCESS_START_DATE:
return primitives.DateTime(value, enums.Tags.PROCESS_START_DATE)
elif name is enums.AttributeType.PROTECT_STOP_DATE:
return primitives.DateTime(value, enums.Tags.PROTECT_STOP_DATE)
elif name is enums.AttributeType.DEACTIVATION_DATE:
return primitives.DateTime(value, enums.Tags.DEACTIVATION_DATE)
elif name is enums.AttributeType.DESTROY_DATE:
return primitives.DateTime(value, enums.Tags.DESTROY_DATE)
elif name is enums.AttributeType.COMPROMISE_OCCURRENCE_DATE:
return primitives.DateTime(value,
enums.Tags.COMPROMISE_OCCURRENCE_DATE)
elif name is enums.AttributeType.COMPROMISE_DATE:
return primitives.DateTime(value, enums.Tags.COMPROMISE_DATE)
elif name is enums.AttributeType.REVOCATION_REASON:
raise NotImplementedError()
elif name is enums.AttributeType.ARCHIVE_DATE:
return primitives.DateTime(value, enums.Tags.ARCHIVE_DATE)
elif name is enums.AttributeType.OBJECT_GROUP:
return self._create_object_group(value)
elif name is enums.AttributeType.FRESH:
return primitives.Boolean(value, enums.Tags.FRESH)
elif name is enums.AttributeType.LINK:
raise NotImplementedError()
elif name is enums.AttributeType.APPLICATION_SPECIFIC_INFORMATION:
return self._create_application_specific_information(value)
elif name is enums.AttributeType.CONTACT_INFORMATION:
return self._create_contact_information(value)
elif name is enums.AttributeType.LAST_CHANGE_DATE:
return primitives.DateTime(value, enums.Tags.LAST_CHANGE_DATE)
elif name is enums.AttributeType.CUSTOM_ATTRIBUTE:
return attributes.CustomAttribute(value)
else:
if not isinstance(name, str):
raise ValueError('Unrecognized attribute type: '
'{0}'.format(name))
elif name.startswith('x-'):
# Custom attribute indicated
return attributes.CustomAttribute(value)
