Пример #1
0
def build_key(logger, object_type, key_format_type):

    key_value = build_secret_value(logger, object_type)
    cryptographic_algorithm = build_cryptographic_algorithm(
        logger, object_type)
    cryptographic_length = build_cryptographic_length(logger, object_type)

    key_block = build_key_block(
        key_format_type,
        key_value,
        cryptographic_algorithm,
        cryptographic_length)

    if object_type == ObjectType.SYMMETRIC_KEY:
        return SymmetricKey(key_block)
    elif object_type == ObjectType.PUBLIC_KEY:
        return PublicKey(key_block)
    elif object_type == ObjectType.PRIVATE_KEY:
        return PrivateKey(key_block)
    elif object_type == ObjectType.SECRET_DATA:
        kind = SecretData.SecretDataType(SecretDataType.PASSWORD)
        return SecretData(secret_data_type=kind,
                          key_block=key_block)
    else:
        logger.error("Unrecognized object type, could not build key")
        sys.exit()
Пример #2
0
    def _get_kmip_secret(self, secret_dto):
        """Builds a KMIP object from a SecretDTO

        This is needed for register calls. The Barbican object needs to be
        converted to KMIP object before it can be stored

        :param secret_dto: SecretDTO of secret to be stored
        :returns: KMIP object
        """
        secret_type = secret_dto.type
        object_type, key_format_type = (self._map_type_ss_to_kmip(secret_type))

        normalized_secret = self._normalize_secret(secret_dto.secret,
                                                   secret_type)
        kmip_object = None
        if object_type == enums.ObjectType.CERTIFICATE:
            kmip_object = Certificate(
                certificate_type=enums.CertificateTypeEnum.X_509,
                certificate_value=normalized_secret)
        elif object_type == enums.ObjectType.OPAQUE_DATA:
            opaque_type = Opaque.OpaqueDataType(enums.OpaqueDataType.NONE)
            opaque_value = Opaque.OpaqueDataValue(normalized_secret)
            kmip_object = Opaque(opaque_type, opaque_value)
        elif (object_type == enums.ObjectType.SYMMETRIC_KEY
              or object_type == enums.ObjectType.SECRET_DATA
              or object_type == enums.ObjectType.PRIVATE_KEY
              or object_type == enums.ObjectType.PUBLIC_KEY):
            key_material = KeyMaterial(normalized_secret)
            key_value = KeyValue(key_material)

            key_spec = secret_dto.key_spec
            algorithm = None
            if key_spec.alg is not None:
                algorithm_name = self._map_algorithm_ss_to_kmip(
                    key_spec.alg.lower())
                algorithm = CryptographicAlgorithm(algorithm_name)
            bit_length = None
            if key_spec.bit_length is not None:
                bit_length = CryptographicLength(key_spec.bit_length)

            key_block = KeyBlock(
                key_format_type=misc.KeyFormatType(key_format_type),
                key_compression_type=None,
                key_value=key_value,
                cryptographic_algorithm=algorithm,
                cryptographic_length=bit_length,
                key_wrapping_data=None)

            if object_type == enums.ObjectType.SYMMETRIC_KEY:
                kmip_object = SymmetricKey(key_block)
            elif object_type == enums.ObjectType.PRIVATE_KEY:
                kmip_object = PrivateKey(key_block)
            elif object_type == enums.ObjectType.PUBLIC_KEY:
                kmip_object = PublicKey(key_block)
            elif object_type == enums.ObjectType.SECRET_DATA:
                kind = SecretData.SecretDataType(enums.SecretDataType.PASSWORD)
                return SecretData(secret_data_type=kind, key_block=key_block)

        return kmip_object
Пример #3
0
    def test_passphrase_register_get_destroy(self):
        """
        Tests that passphrases can be properly registered, retrieved,
        and destroyed
        """

        # properties copied from test case example :
        # http://docs.oasis-open.org/kmip/testcases/v1.1/cn01/kmip-testcases-v1.1-cn01.html#_Toc333488777

        pass_obj_type = ObjectType.SECRET_DATA

        mask_flags = [CryptographicUsageMask.VERIFY]
        attribute_type = AttributeType.CRYPTOGRAPHIC_USAGE_MASK
        usage_mask = self.attr_factory.create_attribute(
            attribute_type, mask_flags)

        name = Attribute.AttributeName('Name')
        pass_name = 'Integration Test - Register-Get-Destroy Passphrase'

        pass_name_value = Name.NameValue(pass_name)

        name_type = Name.NameType(NameType.UNINTERPRETED_TEXT_STRING)
        pass_value = Name(name_value=pass_name_value, name_type=name_type)

        pass_name_attr = Attribute(attribute_name=name,
                                   attribute_value=pass_value)

        pass_attributes = [usage_mask, pass_name_attr]

        pass_template_attribute = TemplateAttribute(attributes=pass_attributes)

        pass_format_type = SecretData.SecretDataType(SecretDataType.PASSWORD)

        key_format_type = KeyFormatType(KeyFormatTypeEnum.OPAQUE)
        key_data = b'\x70\x65\x65\x6b\x2d\x61\x2d\x62\x6f\x6f\x21\x21'

        key_material = KeyMaterial(key_data)
        key_value = KeyValue(key_material)

        key_block = KeyBlock(key_format_type=key_format_type,
                             key_compression_type=None,
                             key_value=key_value,
                             key_wrapping_data=None)

        pass_obj = SecretData(secret_data_type=pass_format_type,
                              key_block=key_block)

        pass_result = self.client.register(pass_obj_type,
                                           pass_template_attribute,
                                           pass_obj,
                                           credential=None)

        self._check_result_status(pass_result, ResultStatus,
                                  ResultStatus.SUCCESS)

        self._check_uuid(pass_result.uuid.value, str)

        # Check that the returned key bytes match what was provided
        pass_uuid = pass_result.uuid.value

        pass_result = self.client.get(uuid=pass_uuid, credential=None)

        self._check_result_status(pass_result, ResultStatus,
                                  ResultStatus.SUCCESS)

        self._check_object_type(pass_result.object_type.value, ObjectType,
                                ObjectType.SECRET_DATA)

        self._check_uuid(pass_result.uuid.value, str)

        # Check the secret type
        pass_secret = pass_result.secret

        pass_secret_expected = SecretData

        self.assertIsInstance(pass_secret, pass_secret_expected)

        pass_material = pass_result.secret.key_block.key_value.key_material\
            .value

        expected = key_data

        self.assertEqual(expected, pass_material)

        self.logger.debug('Destroying cert: ' + pass_name +
                          '\nWith " "UUID: ' + pass_result.uuid.value)

        pass_result = self.client.destroy(pass_result.uuid.value)

        self._check_result_status(pass_result, ResultStatus,
                                  ResultStatus.SUCCESS)

        self._check_uuid(pass_result.uuid.value, str)

        # Verify the secret was destroyed
        pass_result_destroyed_result = self.client.get(uuid=pass_uuid,
                                                       credential=None)

        self._check_result_status(pass_result_destroyed_result, ResultStatus,
                                  ResultStatus.OPERATION_FAILED)

        expected = ResultReason
        pass_observed = type(pass_result_destroyed_result.result_reason.value)

        self.assertEqual(expected, pass_observed)
Пример #4
0
 def _create_secret_data(self, value):
     if value:
         kind = SecretData.SecretDataType(value.get("secret_data_type"))
         key_block = self._build_key_block(value)
         return SecretData(kind, key_block)
     return SecretData()