def generate_asymmetric_key(self, key_spec): if not self.generate_supports(key_spec): raise ss.SecretAlgorithmNotSupportedException( key_spec.alg) if key_spec.passphrase: raise ss.GeneratePassphraseNotSupportedException() try: private_id, public_id = self.key_manager.create_key_pair( self.context, key_spec.alg, key_spec.bit_length ) private_key_metadata = self._meta_dict( private_id, key_spec.bit_length, key_spec.alg ) public_key_metadata = self._meta_dict( public_id, key_spec.bit_length, key_spec.alg ) return ss.AsymmetricKeyMetadataDTO( private_key_metadata, public_key_metadata, None ) except Exception as e: LOG.exception("Error generating asymmetric key: {}".format( six.text_type(e))) raise ss.SecretGeneralException(e)
def generate_asymmetric_key(self, key_spec): """Generate an asymmetric key.""" usages = [ key.AsymKeyGenerationRequest.DECRYPT_USAGE, key.AsymKeyGenerationRequest.ENCRYPT_USAGE ] client_key_id = uuid.uuid4().hex algorithm = self._map_algorithm(key_spec.alg.lower()) passphrase = key_spec.passphrase if algorithm is None: raise DogtagPluginAlgorithmException passphrase_key_id = None passphrase_metadata = None if passphrase: if algorithm == key.KeyClient.DSA_ALGORITHM: raise DogtagPluginNotSupportedException( u._("Passphrase encryption is not " "supported for DSA algorithm")) stored_passphrase_info = self.keyclient.archive_key( uuid.uuid4().hex, self.keyclient.PASS_PHRASE_TYPE, passphrase) passphrase_key_id = stored_passphrase_info.get_key_id() passphrase_metadata = {DogtagKRAPlugin.KEY_ID: passphrase_key_id} response = self.keyclient.generate_asymmetric_key( client_key_id, algorithm, key_spec.bit_length, usages) public_key_metadata = { DogtagKRAPlugin.ALG: key_spec.alg, DogtagKRAPlugin.BIT_LENGTH: key_spec.bit_length, DogtagKRAPlugin.SECRET_TYPE: sstore.SecretType.PUBLIC, DogtagKRAPlugin.KEY_ID: response.get_key_id(), DogtagKRAPlugin.CONVERT_TO_PEM: "true" } private_key_metadata = { DogtagKRAPlugin.ALG: key_spec.alg, DogtagKRAPlugin.BIT_LENGTH: key_spec.bit_length, DogtagKRAPlugin.SECRET_TYPE: sstore.SecretType.PRIVATE, DogtagKRAPlugin.KEY_ID: response.get_key_id(), DogtagKRAPlugin.CONVERT_TO_PEM: "true" } if passphrase_key_id: private_key_metadata[DogtagKRAPlugin.PASSPHRASE_KEY_ID] = ( passphrase_key_id) return sstore.AsymmetricKeyMetadataDTO(private_key_metadata, public_key_metadata, passphrase_metadata)
def setUp(self): super(WhenTestingPluginResource, self).setUp() self.plugin_resource = resources self.spec = {'algorithm': 'RSA', 'bit_length': 1024, 'passphrase': 'changeit' } self.content_type = 'application/octet-stream' self.project_model = mock.MagicMock() asymmetric_meta_dto = secret_store.AsymmetricKeyMetadataDTO() # Mock plug-in self.moc_plugin = mock.MagicMock() self.moc_plugin.generate_asymmetric_key.return_value = ( asymmetric_meta_dto) self.moc_plugin.store_secret.return_value = {} moc_plugin_config = { 'return_value.get_plugin_generate.return_value': self.moc_plugin, 'return_value.get_plugin_store.return_value': self.moc_plugin, 'return_value.get_plugin_retrieve_delete.return_value': self.moc_plugin } self.moc_plugin_patcher = mock.patch( 'barbican.plugin.interface.secret_store' '.SecretStorePluginManager', **moc_plugin_config ) self.moc_plugin_patcher.start() self.addCleanup(self.moc_plugin_patcher.stop) project_repo = mock.MagicMock() secret_repo = mock.MagicMock() secret_repo.create_from.return_value = None container_repo = mock.MagicMock() container_repo.create_from.return_value = None container_secret_repo = mock.MagicMock() container_secret_repo.create_from.return_value = None project_secret_repo = mock.MagicMock() project_secret_repo.create_from.return_value = None secret_meta_repo = mock.MagicMock() secret_meta_repo.create_from.return_value = None self.repos = repo.Repositories( container_repo=container_repo, container_secret_repo=container_secret_repo, project_repo=project_repo, secret_repo=secret_repo, project_secret_repo=project_secret_repo, secret_meta_repo=secret_meta_repo )
def generate_asymmetric_key(self, key_spec, context): """Generates an asymmetric key. Returns a AsymmetricKeyMetadataDTO object containing metadata(s) for asymmetric key components. The metadata can be used to retrieve individual components of asymmetric key pair. """ plugin_type = _determine_generation_type(key_spec.alg) if crypto.PluginSupportTypes.ASYMMETRIC_KEY_GENERATION != plugin_type: raise sstore.SecretAlgorithmNotSupportedException(key_spec.alg) generating_plugin = manager.get_manager().get_plugin_store_generate( plugin_type, key_spec.alg, key_spec.bit_length, project_id=context.project_model.id) # Find or create a key encryption key metadata. kek_datum_model, kek_meta_dto = _find_or_create_kek_objects( generating_plugin, context.project_model) generate_dto = crypto.GenerateDTO(key_spec.alg, key_spec.bit_length, None, key_spec.passphrase) # Create the encrypted meta. private_key_dto, public_key_dto, passwd_dto = ( generating_plugin.generate_asymmetric( generate_dto, kek_meta_dto, context.project_model.external_id ) ) _store_secret_and_datum( context, context.private_secret_model, kek_datum_model, private_key_dto) _store_secret_and_datum( context, context.public_secret_model, kek_datum_model, public_key_dto) if key_spec.passphrase and passwd_dto: _store_secret_and_datum( context, context.passphrase_secret_model, kek_datum_model, passwd_dto) return sstore.AsymmetricKeyMetadataDTO()
def generate_asymmetric_key(self, key_spec): """Generate an asymmetric key pair. Creates KMIP attribute objects based on the given KeySpec to send to the server. The KMIP Secret Store currently does not support protecting the private key with a passphrase. :param key_spec: KeySpec with asymmetric algorithm and bit_length :returns: AsymmetricKeyMetadataDTO with the key UUIDs :raises: SecretGeneralException, SecretAlgorithmNotSupportedException """ LOG.debug("Starting asymmetric key generation with KMIP plugin") if not self.generate_supports(key_spec): raise ss.SecretAlgorithmNotSupportedException(key_spec.alg) if key_spec.alg.lower() not in ss.KeyAlgorithm.ASYMMETRIC_ALGORITHMS: raise KMIPSecretStoreError( u._("An unsupported algorithm {algorithm} was passed to " "the 'generate_asymmetric_key' method").format( algorithm=key_spec.alg)) if key_spec.passphrase: raise KMIPSecretStoreError( u._('KMIP plugin does not currently support protecting the ' 'private key with a passphrase')) algorithm = self._get_kmip_algorithm(key_spec.alg) length = key_spec.bit_length try: with self.client: LOG.debug("Opened connection to KMIP client for asymmetric " + "secret generation") public_uuid, private_uuid = self.client.create_key_pair( algorithm, length) LOG.debug( "SUCCESS: Asymmetric key pair generated with " "public key uuid: %s and private key uuid: %s", public_uuid, private_uuid) private_key_metadata = {KMIPSecretStore.KEY_UUID: private_uuid} public_key_metadata = {KMIPSecretStore.KEY_UUID: public_uuid} passphrase_metadata = None return ss.AsymmetricKeyMetadataDTO(private_key_metadata, public_key_metadata, passphrase_metadata) except Exception as e: LOG.exception(u._LE("Error opening or writing to client")) raise ss.SecretGeneralException(str(e))
def generate_asymmetric_key(self, key_spec): if not self.generate_supports(key_spec): raise ss.SecretAlgorithmNotSupportedException( key_spec.alg) if key_spec.passphrase: raise ss.GeneratePassphraseNotSupportedException() try: private_ref, public_ref = self.key_manager.create_key_pair( self.context, key_spec.alg, key_spec.bit_length ) private_key_metadata = { CastellanSecretStore.ALG: key_spec.alg, CastellanSecretStore.BIT_LENGTH: key_spec.bit_length, CastellanSecretStore.KEY_ID: private_ref } public_key_metadata = { CastellanSecretStore.ALG: key_spec.alg, CastellanSecretStore.BIT_LENGTH: key_spec.bit_length, CastellanSecretStore.KEY_ID: public_ref } return ss.AsymmetricKeyMetadataDTO( private_key_metadata, public_key_metadata, None ) except Exception as e: LOG.exception("Error generating asymmetric key: {}".format( six.text_type(e))) raise ss.SecretGeneralException(e)
def generate_asymmetric_key(self, key_spec): """Generate an asymmetric key. Note that barbican expects all secrets to be base64 encoded. """ usages = [ key.AsymKeyGenerationRequest.DECRYPT_USAGE, key.AsymKeyGenerationRequest.ENCRYPT_USAGE ] client_key_id = uuid.uuid4().hex algorithm = self._map_algorithm(key_spec.alg.lower()) passphrase = key_spec.passphrase if algorithm is None: raise DogtagPluginAlgorithmException passphrase_key_id = None passphrase_metadata = None if passphrase: if algorithm == key.KeyClient.DSA_ALGORITHM: raise DogtagPluginNotSupportedException( u._("Passphrase encryption is not " "supported for DSA algorithm")) stored_passphrase_info = self.keyclient.archive_key( uuid.uuid4().hex, self.keyclient.PASS_PHRASE_TYPE, base64.b64encode(passphrase)) passphrase_key_id = stored_passphrase_info.get_key_id() passphrase_metadata = {DogtagKRAPlugin.KEY_ID: passphrase_key_id} # Barbican expects stored keys to be base 64 encoded. We need to # add flag to the keyclient.generate_asymmetric_key() call above # to ensure that the key that is stored is base64 encoded. # # As a workaround until that update is available, we will store a # parameter "generated" to indicate that the response must be base64 # encoded on retrieval. Note that this will not work for transport # key encoded data. response = self.keyclient.generate_asymmetric_key( client_key_id, algorithm, key_spec.bit_length, usages) public_key_metadata = { DogtagKRAPlugin.ALG: key_spec.alg, DogtagKRAPlugin.BIT_LENGTH: key_spec.bit_length, DogtagKRAPlugin.KEY_ID: response.get_key_id(), DogtagKRAPlugin.CONVERT_TO_PEM: "true", DogtagKRAPlugin.GENERATED: True } private_key_metadata = { DogtagKRAPlugin.ALG: key_spec.alg, DogtagKRAPlugin.BIT_LENGTH: key_spec.bit_length, DogtagKRAPlugin.KEY_ID: response.get_key_id(), DogtagKRAPlugin.CONVERT_TO_PEM: "true", DogtagKRAPlugin.GENERATED: True } if passphrase_key_id: private_key_metadata[DogtagKRAPlugin.PASSPHRASE_KEY_ID] = ( passphrase_key_id) return sstore.AsymmetricKeyMetadataDTO(private_key_metadata, public_key_metadata, passphrase_metadata)
def generate_asymmetric_key(self, key_spec): """Generate an asymmetric key pair. Creates KMIP attribute objects based on the given KeySpec to send to the server. The KMIP Secret Store currently does not support protecting the private key with a passphrase. :param key_spec: KeySpec with asymmetric algorithm and bit_length :returns: AsymmetricKeyMetadataDTO with the key UUIDs :raises: SecretGeneralException, SecretAlgorithmNotSupportedException """ LOG.debug("Starting asymmetric key generation with KMIP plugin") if not self.generate_supports(key_spec): raise ss.SecretAlgorithmNotSupportedException(key_spec.alg) if key_spec.alg.lower() not in ss.KeyAlgorithm.ASYMMETRIC_ALGORITHMS: raise KMIPSecretStoreError( u._("An unsupported algorithm {algorithm} was passed to " "the 'generate_asymmetric_key' method").format( algorithm=key_spec.alg)) if key_spec.passphrase: raise KMIPSecretStoreError( u._('KMIP plugin does not currently support protecting the ' 'private key with a passphrase')) algorithm = self._create_cryptographic_algorithm_attribute( key_spec.alg) length = self._create_cryptographic_length_attribute( key_spec.bit_length) attributes = [algorithm, length] common = CommonTemplateAttribute(attributes=attributes) try: self.client.open() LOG.debug("Opened connection to KMIP client for asymmetric " + "secret generation") result = self.client.create_key_pair( common_template_attribute=common, credential=self.credential) except Exception as e: LOG.exception(u._LE("Error opening or writing to client")) raise ss.SecretGeneralException(str(e)) else: if result.result_status.enum == enums.ResultStatus.SUCCESS: LOG.debug( "SUCCESS: Asymmetric key pair generated with " "public key uuid: %s and private key uuid: %s", result.public_key_uuid.value, result.private_key_uuid.value) private_key_metadata = { KMIPSecretStore.KEY_UUID: result.private_key_uuid.value } public_key_metadata = { KMIPSecretStore.KEY_UUID: result.public_key_uuid.value } passphrase_metadata = None return ss.AsymmetricKeyMetadataDTO(private_key_metadata, public_key_metadata, passphrase_metadata) else: self._raise_secret_general_exception(result) finally: self.client.close() LOG.debug("Closed connection to KMIP client for asymmetric " "secret generation")