def generate_symmetric(self, generate_dto, kek_meta_dto, keystone_id): """Generate a symmetric key This calls generate_symmetric_key() on the DRM passing in the algorithm, bit_length and id (used as the client_key_id) from the secret. The remaining parameters are not used. Returns a keyId which will be stored in an EncryptedDatum table for later retrieval. """ usages = [ key.SymKeyGenerationRequest.DECRYPT_USAGE, key.SymKeyGenerationRequest.ENCRYPT_USAGE ] client_key_id = uuid.uuid4().hex algorithm = self._map_algorithm(generate_dto.algorithm.lower()) if algorithm is None: raise DogtagPluginAlgorithmException response = self.keyclient.generate_symmetric_key( client_key_id, algorithm, generate_dto.bit_length, usages) return plugin.ResponseDTO(response.get_key_id(), None)
def encrypt(self, encrypt_dto, kek_meta_dto, keystone_id): key = self._get_key_by_label(kek_meta_dto.kek_label) iv = self._generate_iv() gcm = self._build_gcm_params(iv) mech = PyKCS11.Mechanism(self.algorithm, gcm) encrypted = self.session.encrypt(key, encrypt_dto.unencrypted, mech) cyphertext = b''.join(chr(i) for i in encrypted) kek_meta_extended = json.dumps({ 'iv': base64.b64encode(iv) }) return plugin.ResponseDTO(cyphertext, kek_meta_extended)
def encrypt(self, encrypt_dto, kek_meta_dto, keystone_id): """Store a secret in the DRM This will likely require another parameter which includes the wrapped session key to be passed. Until that is added, we will call archive_key() which relies on the DRM python client to create the session keys. We may also be able to be more specific in terms of the data_type if we know that the data being stored is a symmetric key. Until then, we need to assume that the secret is pass_phrase_type. """ data_type = key.KeyClient.PASS_PHRASE_TYPE client_key_id = uuid.uuid4().hex response = self.keyclient.archive_key(client_key_id, data_type, encrypt_dto.unencrypted, key_algorithm=None, key_size=None) return plugin.ResponseDTO(response.get_key_id(), None)
def generate_asymmetric(self, generate_dto, kek_meta_dto, keystone_id): return (plugin.ResponseDTO('insecure_private_key', None), plugin.ResponseDTO('insecure_public_key', None), None)
def generate_symmetric(self, generate_dto, kek_meta_dto, keystone_id): return plugin.ResponseDTO("encrypted insecure key", None)
def encrypt(self, encrypt_dto, kek_meta_dto, keystone_id): cypher_text = b'cypher_text' return plugin.ResponseDTO(cypher_text, None)