def rewrap_kek(self, project, kek):
with self.db_session.begin():
meta_dict = json.loads(kek.plugin_meta)
if self.dry_run:
msg = 'Would have unwrapped key with {} and rewrapped with {}'
print(msg.format(meta_dict['mkek_label'], self.new_label))
print('Would have updated KEKDatum in db {}'.format(kek.id))
print('Rewrapping KEK {}'.format(kek.id))
print('Pre-change IV: {}, Wrapped Key: {}'.format(
meta_dict['iv'], meta_dict['wrapped_key']))
return
session = self.hsm_session
# Get KEK's master keys
kek_mkek = self.pkcs11._get_key_handle(
meta_dict['mkek_label'], session
)
kek_mkhk = self.pkcs11._get_key_handle(
meta_dict['hmac_label'], session
)
# Decode data
iv = base64.b64decode(meta_dict['iv'])
wrapped_key = base64.b64decode(meta_dict['wrapped_key'])
hmac = base64.b64decode(meta_dict['hmac'])
# Verify HMAC
kek_data = iv + wrapped_key
self.pkcs11.verify_hmac(kek_mkhk, hmac, kek_data, session)
# Unwrap KEK
kek = self.pkcs11.unwrap_key(kek_mkek, iv, wrapped_key, session)
# Wrap KEK with new master keys
new_kek = self.pkcs11.wrap_key(self.new_mkek, kek, session)
# Compute HMAC for rewrapped KEK
new_kek_data = new_kek['iv'] + new_kek['wrapped_key']
new_hmac = self.pkcs11.compute_hmac(self.new_mkhk, new_kek_data,
session)
# Destroy unwrapped KEK
self.pkcs11.destroy_object(kek, session)
# Build updated meta dict
updated_meta = meta_dict.copy()
updated_meta['mkek_label'] = self.new_mkek_label
updated_meta['hmac_label'] = self.new_hmac_label
updated_meta['iv'] = base64.b64encode(new_kek['iv'])
updated_meta['wrapped_key'] = base64.b64encode(
new_kek['wrapped_key'])
updated_meta['hmac'] = base64.b64encode(new_hmac)
print('Post-change IV: {}, Wrapped Key: {}'.format(
updated_meta['iv'], updated_meta['wrapped_key']))
# Update KEK metadata in DB
kek.plugin_meta = p11_crypto.json_dumps_compact(updated_meta)
def recalc_kek_hmac(self, project, kek):
with self.db_session.begin():
meta_dict = json.loads(kek.plugin_meta)
iv = base64.b64decode(meta_dict['iv'])
wrapped_key = base64.b64decode(meta_dict['wrapped_key'])
hmac = base64.b64decode(meta_dict['hmac'])
kek_data = iv + wrapped_key
hmac_key = self.pkcs11.get_key_handle(
meta_dict['hmac_label'], self.session)
# Verify if hmac signature validates with new method
try:
self.pkcs11.verify_hmac(hmac_key, hmac, kek_data, self.session)
sig_good = True
except P11CryptoPluginException as e:
if 'CKR_SIGNATURE_INVALID' in six.text_type(e):
sig_good = False
else:
raise
if sig_good:
msg = 'Skipping KEK {}, good signature'
print(msg.format(kek.kek_label))
return
# Previous method failed.
# Verify if hmac signature validates with old method
try:
self.pkcs11.verify_hmac(
hmac_key, hmac, wrapped_key, self.session
)
sig_bad = True
except P11CryptoPluginException as e:
if 'CKR_SIGNATURE_INVALID' in six.text_type(e):
sig_bad = False
else:
raise
if not sig_bad:
msg = "Skipping KEK {}, can not validate with either method!"
print(msg.format(kek.kek_label))
return
if self.dry_run:
msg = 'KEK {} needs recalculation'
print(msg.format(kek.kek_label))
return
# Calculate new HMAC
new_hmac = self.pkcs11.compute_hmac(
hmac_key, kek_data, self.session
)
# Update KEK plugin_meta with new hmac signature
meta_dict['hmac'] = base64.b64encode(new_hmac)
kek.plugin_meta = p11_crypto.json_dumps_compact(meta_dict)
def recalc_kek_hmac(self, project, kek):
with self.db_session.begin():
meta_dict = json.loads(kek.plugin_meta)
iv = base64.b64decode(meta_dict['iv'])
wrapped_key = base64.b64decode(meta_dict['wrapped_key'])
hmac = base64.b64decode(meta_dict['hmac'])
kek_data = iv + wrapped_key
hmac_key = self.pkcs11.get_key_handle(
meta_dict['hmac_label'], self.session)
# Verify if hmac signature validates with new method
try:
self.pkcs11.verify_hmac(hmac_key, hmac, kek_data, self.session)
sig_good = True
except P11CryptoPluginException as e:
if 'CKR_SIGNATURE_INVALID' in six.text_type(e):
sig_good = False
else:
raise
if sig_good:
msg = 'Skipping KEK {}, good signature'
print(msg.format(kek.kek_label))
return
# Previous method failed.
# Verify if hmac signature validates with old method
try:
self.pkcs11.verify_hmac(
hmac_key, hmac, wrapped_key, self.session
)
sig_bad = True
except P11CryptoPluginException as e:
if 'CKR_SIGNATURE_INVALID' in six.text_type(e):
sig_bad = False
else:
raise
if not sig_bad:
msg = "Skipping KEK {}, can not validate with either method!"
print(msg.format(kek.kek_label))
return
if self.dry_run:
msg = 'KEK {} needs recalculation'
print(msg.format(kek.kek_label))
return
# Calculate new HMAC
new_hmac = self.pkcs11.compute_hmac(
hmac_key, kek_data, self.session
)
# Update KEK plugin_meta with new hmac signature
meta_dict['hmac'] = base64.b64encode(new_hmac)
kek.plugin_meta = p11_crypto.json_dumps_compact(meta_dict)
def rewrap_kek(self, project, kek):
with self.db_session.begin():
meta_dict = json.loads(kek.plugin_meta)
if self.dry_run:
msg = 'Would have unwrapped key with {} and rewrapped with {}'
print(msg.format(meta_dict['mkek_label'], self.new_mkek_label))
print('Would have updated KEKDatum in db {}'.format(kek.id))
print('Rewrapping KEK {}'.format(kek.id))
print('Pre-change IV: {}, Wrapped Key: {}'.format(
meta_dict['iv'], meta_dict['wrapped_key']))
return
session = self.hsm_session
# Get KEK's master keys
kek_mkek = self.pkcs11.get_key_handle(meta_dict['mkek_label'],
session)
kek_mkhk = self.pkcs11.get_key_handle(meta_dict['hmac_label'],
session)
# Decode data
iv = base64.b64decode(meta_dict['iv'])
wrapped_key = base64.b64decode(meta_dict['wrapped_key'])
hmac = base64.b64decode(meta_dict['hmac'])
# Verify HMAC
kek_data = iv + wrapped_key
self.pkcs11.verify_hmac(kek_mkhk, hmac, kek_data, session)
# Unwrap KEK
current_kek = self.pkcs11.unwrap_key(kek_mkek, iv, wrapped_key,
session)
# Wrap KEK with new master keys
new_kek = self.pkcs11.wrap_key(self.new_mkek, current_kek, session)
# Compute HMAC for rewrapped KEK
new_kek_data = new_kek['iv'] + new_kek['wrapped_key']
new_hmac = self.pkcs11.compute_hmac(self.new_mkhk, new_kek_data,
session)
# Destroy unwrapped KEK
self.pkcs11.destroy_object(current_kek, session)
# Build updated meta dict
updated_meta = meta_dict.copy()
updated_meta['mkek_label'] = self.new_mkek_label
updated_meta['hmac_label'] = self.new_hmac_label
updated_meta['iv'] = base64.b64encode(new_kek['iv'])
updated_meta['wrapped_key'] = base64.b64encode(
new_kek['wrapped_key'])
updated_meta['hmac'] = base64.b64encode(new_hmac)
print('Post-change IV: {}, Wrapped Key: {}'.format(
updated_meta['iv'], updated_meta['wrapped_key']))
# Update KEK metadata in DB
kek.plugin_meta = p11_crypto.json_dumps_compact(updated_meta)
def rewrap_kek(self, project, kek):
with self.db_session.begin():
meta_dict = json.loads(kek.plugin_meta)
# check if old and new mkek and hmac labels are the same
# if so, skip this kek.
if (self.new_mkek_label == meta_dict['mkek_label'] and
self.new_hmac_label == meta_dict['hmac_label']):
return
if self.dry_run:
msg = 'Would have unwrapped key with {} and rewrapped with {}'
print(msg.format(meta_dict['mkek_label'], self.new_mkek_label))
print('Would have updated KEKDatum in db {}'.format(kek.id))
print('Rewrapping KEK {}'.format(kek.id))
print('Pre-change IV: {}, Wrapped Key: {}'.format(
meta_dict['iv'], meta_dict['wrapped_key']))
return
session = self.hsm_session
# TODO(alee) We never store the mkek and hmac key types in the db
# record for the KEK metadata. Therefore, for now assume that the
# key types will not change.
# Get KEK's master keys
kek_mkek = self.pkcs11.get_key_handle(
self.new_mkek_type,
meta_dict['mkek_label'],
session
)
kek_mkhk = self.pkcs11.get_key_handle(
self.new_hmac_type,
meta_dict['hmac_label'],
session
)
# Decode data
iv = base64.b64decode(meta_dict['iv'])
wrapped_key = base64.b64decode(meta_dict['wrapped_key'])
hmac = base64.b64decode(meta_dict['hmac'])
# Verify HMAC
kek_data = iv + wrapped_key
self.pkcs11.verify_hmac(kek_mkhk, hmac, kek_data, session)
# Unwrap KEK
current_kek = self.pkcs11.unwrap_key(kek_mkek, iv, wrapped_key,
session)
# Wrap KEK with new master keys
new_kek = self.pkcs11.wrap_key(self.new_mkek, current_kek,
session)
# Compute HMAC for rewrapped KEK
new_kek_data = new_kek['iv'] + new_kek['wrapped_key']
new_hmac = self.pkcs11.compute_hmac(self.new_mkhk, new_kek_data,
session)
# Destroy unwrapped KEK
self.pkcs11.destroy_object(current_kek, session)
# Build updated meta dict
updated_meta = meta_dict.copy()
updated_meta['mkek_label'] = self.new_mkek_label
updated_meta['hmac_label'] = self.new_hmac_label
updated_meta['iv'] = base64.b64encode(new_kek['iv'])
updated_meta['wrapped_key'] = base64.b64encode(
new_kek['wrapped_key'])
updated_meta['hmac'] = base64.b64encode(new_hmac)
print('Post-change IV: {}, Wrapped Key: {}'.format(
updated_meta['iv'], updated_meta['wrapped_key']))
# Update KEK metadata in DB
kek.plugin_meta = p11_crypto.json_dumps_compact(updated_meta)
def rewrap_kek(self, project, kek):
with self.db_session.begin():
meta_dict = json.loads(kek.plugin_meta)
# check if old and new mkek and hmac labels are the same
# if so, skip this kek.
if (self.new_mkek_label == meta_dict['mkek_label']
and self.new_hmac_label == meta_dict['hmac_label']):
return
if self.dry_run:
msg = 'Would have unwrapped key with {} and rewrapped with {}'
print(msg.format(meta_dict['mkek_label'], self.new_mkek_label))
print('Would have updated KEKDatum in db {}'.format(kek.id))
print('Rewrapping KEK {}'.format(kek.id))
print('Pre-change IV: {}, Wrapped Key: {}'.format(
meta_dict['iv'], meta_dict['wrapped_key']))
return
session = self.hsm_session
# TODO(alee) We never store the mkek and hmac key types in the db
# record for the KEK metadata. Therefore, for now assume that the
# key types will not change.
# Get KEK's master keys
kek_mkek = self.pkcs11.get_key_handle(self.new_mkek_type,
meta_dict['mkek_label'],
session)
kek_mkhk = self.pkcs11.get_key_handle(self.new_hmac_type,
meta_dict['hmac_label'],
session)
# Decode data
iv = base64.b64decode(meta_dict['iv'])
wrapped_key = base64.b64decode(meta_dict['wrapped_key'])
hmac = base64.b64decode(meta_dict['hmac'])
# Verify HMAC
kek_data = iv + wrapped_key
self.pkcs11.verify_hmac(kek_mkhk, hmac, kek_data, session)
# Unwrap KEK
current_kek = self.pkcs11.unwrap_key(kek_mkek, iv, wrapped_key,
session)
# Wrap KEK with new master keys
new_kek = self.pkcs11.wrap_key(self.new_mkek, current_kek, session)
# Compute HMAC for rewrapped KEK
new_kek_data = new_kek['iv'] + new_kek['wrapped_key']
new_hmac = self.pkcs11.compute_hmac(self.new_mkhk, new_kek_data,
session)
# Destroy unwrapped KEK
self.pkcs11.destroy_object(current_kek, session)
# Build updated meta dict
updated_meta = meta_dict.copy()
updated_meta['mkek_label'] = self.new_mkek_label
updated_meta['hmac_label'] = self.new_hmac_label
updated_meta['iv'] = base64.b64encode(new_kek['iv'])
updated_meta['wrapped_key'] = base64.b64encode(
new_kek['wrapped_key'])
updated_meta['hmac'] = base64.b64encode(new_hmac)
print('Post-change IV: {}, Wrapped Key: {}'.format(
updated_meta['iv'], updated_meta['wrapped_key']))
# Update KEK metadata in DB
kek.plugin_meta = p11_crypto.json_dumps_compact(updated_meta)
