def connection(self): connection = PKIConnection(protocol=self.protocol, hostname=self.hostname, port=self.port) connection.set_authentication_cert(self.cert) client = CertClient(connection) return client
def __init__(self, conf=CONF): """Constructor - create the keyclient""" pem_path = conf.dogtag_crypto_plugin.pem_path if pem_path is None: raise ValueError(_("pem_path is required")) pem_password = conf.dogtag_crypto_plugin.pem_password if pem_password is None: raise ValueError(_("pem_password is required")) crypto = None create_nss_db = False nss_db_path = conf.dogtag_crypto_plugin.nss_db_path if nss_db_path is not None: nss_password = conf.dogtag_crypto_plugin.nss_password if nss_password is None: raise ValueError(_("nss_password is required")) if not os.path.exists(nss_db_path): create_nss_db = True cryptoutil.NSSCryptoUtil.setup_database( nss_db_path, nss_password, over_write=True) crypto = cryptoutil.NSSCryptoUtil(nss_db_path, nss_password) # set up connection connection = PKIConnection('https', conf.dogtag_crypto_plugin.drm_host, conf.dogtag_crypto_plugin.drm_port, 'kra') connection.set_authentication_cert(pem_path) # what happened to the password? # until we figure out how to pass the password to requests, we'll # just use -nodes to create the admin cert pem file. Any required # code will end up being in the DRM python client #create kraclient kraclient = KRAClient(connection, crypto) self.keyclient = kraclient.keys self.systemcert_client = kraclient.system_certs if crypto is not None: if create_nss_db: # Get transport cert and insert in the certdb transport_cert = self.systemcert_client.get_transport_cert() tcert = transport_cert[ len(pki.CERT_HEADER): len(transport_cert) - len(pki.CERT_FOOTER)] crypto.import_cert(DogtagCryptoPlugin.TRANSPORT_NICK, base64.decodestring(tcert), "u,u,u") crypto.initialize() self.keyclient.set_transport_cert( DogtagCryptoPlugin.TRANSPORT_NICK)
def __init__(self, conf=CONF): """Constructor - create the keyclient.""" pem_path = conf.dogtag_crypto_plugin.pem_path if pem_path is None: raise ValueError(u._("pem_path is required")) pem_password = conf.dogtag_crypto_plugin.pem_password if pem_password is None: raise ValueError(u._("pem_password is required")) crypto = None create_nss_db = False nss_db_path = conf.dogtag_crypto_plugin.nss_db_path if nss_db_path is not None: nss_password = conf.dogtag_crypto_plugin.nss_password if nss_password is None: raise ValueError(u._("nss_password is required")) if not os.path.exists(nss_db_path): create_nss_db = True cryptoutil.NSSCryptoUtil.setup_database(nss_db_path, nss_password, over_write=True) crypto = cryptoutil.NSSCryptoUtil(nss_db_path, nss_password) # set up connection connection = PKIConnection('https', conf.dogtag_crypto_plugin.drm_host, conf.dogtag_crypto_plugin.drm_port, 'kra') connection.set_authentication_cert(pem_path) # what happened to the password? # until we figure out how to pass the password to requests, we'll # just use -nodes to create the admin cert pem file. Any required # code will end up being in the DRM python client #create kraclient kraclient = KRAClient(connection, crypto) self.keyclient = kraclient.keys self.systemcert_client = kraclient.system_certs if crypto is not None: if create_nss_db: # Get transport cert and insert in the certdb transport_cert = self.systemcert_client.get_transport_cert() tcert = transport_cert[len(pki.CERT_HEADER ):len(transport_cert) - len(pki.CERT_FOOTER)] crypto.import_cert(DogtagCryptoPlugin.TRANSPORT_NICK, base64.decodestring(tcert), "u,u,u") crypto.initialize() self.keyclient.set_transport_cert( DogtagCryptoPlugin.TRANSPORT_NICK)
def run_test(protocol, hostname, port, client_cert, certdb_dir, certdb_password): """ test code execution """ # set up the connection to the DRM, including authentication credentials connection = PKIConnection(protocol, hostname, port, 'kra') connection.set_authentication_cert(client_cert) # create kraclient crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password) kraclient = KRAClient(connection, crypto) keyclient = kraclient.keys # Get transport cert and insert in the certdb transport_nick = "kra transport cert" transport_cert = kraclient.system_certs.get_transport_cert() print("Subject DN: " + transport_cert.subject_dn) print(transport_cert.encoded) crypto.import_cert(transport_nick, transport_cert) # initialize the certdb for crypto operations # for NSS db, this must be done after importing the transport cert crypto.initialize() # set transport cert into keyclient keyclient.set_transport_cert(transport_nick) # Test 2: Get key request info print("Now getting key request") try: key_request = keyclient.get_request_info('2') print_key_request(key_request) except pki.RequestNotFoundException: pass # Test 3: List requests print("Now listing some requests") keyrequests = keyclient.list_requests('complete', 'securityDataRecovery') print(keyrequests.key_requests) for request in keyrequests.key_requests: print_key_request(request) # Test 4: generate symkey -- same as barbican_encode() print("Now generating symkey on KRA") client_key_id = "Vek #1" + time.strftime('%c') algorithm = "AES" key_size = 128 usages = [ key.SymKeyGenerationRequest.DECRYPT_USAGE, key.SymKeyGenerationRequest.ENCRYPT_USAGE ] response = keyclient.generate_symmetric_key(client_key_id, algorithm=algorithm, size=key_size, usages=usages) print_key_request(response.request_info) print("Request ID is " + response.request_info.get_request_id()) key_id = response.get_key_id() # Test 5: Confirm the key_id matches print("Now getting key ID for clientKeyID=\"" + client_key_id + "\"") key_infos = keyclient.list_keys(client_key_id=client_key_id, status=keyclient.KEY_STATUS_ACTIVE) key_id2 = None for key_info in key_infos.key_infos: print_key_info(key_info) key_id2 = key_info.get_key_id() if key_id == key_id2: print("Success! The keys from generation and search match.") else: print("Failure - key_ids for generation do not match!") # Test 6: Barbican_decode() - Retrieve while providing # trans_wrapped_session_key session_key = crypto.generate_session_key() wrapped_session_key = crypto.asymmetric_wrap(session_key, keyclient.transport_cert) print("My key id is " + str(key_id)) key_data = keyclient.retrieve_key( key_id, trans_wrapped_session_key=wrapped_session_key) print_key_data(key_data) unwrapped_key = crypto.symmetric_unwrap(key_data.encrypted_data, session_key, nonce_iv=key_data.nonce_data) key1 = b64encode(unwrapped_key) # Test 7: Recover key without providing trans_wrapped_session_key key_data = keyclient.retrieve_key(key_id) print_key_data(key_data) key2 = b64encode(key_data.data) # Test 8 - Confirm that keys returned are the same if key1 == key2: print("Success: The keys returned match! Key = " + str(key1)) else: print("Failure: The returned keys do not match!") print("key1: " + key1) print("key2: " + key2) # Test 10 = test BadRequestException on create() print("Trying to generate a new symkey with the same client ID") try: keyclient.generate_symmetric_key(client_key_id, algorithm=algorithm, size=key_size, usages=usages) except pki.BadRequestException as exc: print("BadRequestException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 11 - Test RequestNotFoundException on get_request_info print("Try to list a nonexistent request") try: keyclient.get_request_info('200000034') except pki.RequestNotFoundException as exc: print("RequestNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 12 - Test exception on retrieve_key. print("Try to retrieve an invalid key") try: keyclient.retrieve_key('2000003434') except pki.KeyNotFoundException as exc: print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 13 = getKeyInfo print("Get key info for existing key") key_info = keyclient.get_key_info(key_id) print_key_info(key_info) # Test 14: get the active key print("Get the active key for client id: " + client_key_id) key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) # Test 15: change the key status print("Change the key status") keyclient.modify_key_status(key_id, keyclient.KEY_STATUS_INACTIVE) print_key_info(keyclient.get_key_info(key_id)) # Test 16: Get key info for non-existent key print("Get key info for non-existent key") try: keyclient.get_key_info('200004556') except pki.KeyNotFoundException as exc: print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 17: Get key info for non-existent active key print("Get non-existent active key") try: key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) except pki.ResourceNotFoundException as exc: print("ResourceNotFoundException thrown - Code: " + exc.code + "Message: " + exc.message) # Test 18: Generate a symmetric key with default parameters client_key_id = "Vek #3" + time.strftime('%c') response = keyclient.generate_symmetric_key(client_key_id) print_key_request(response.request_info) # Test 19: Try to archive key print("try to archive key") print("key to archive: " + key1) client_key_id = "Vek #4" + time.strftime('%c') response = keyclient.archive_key(client_key_id, keyclient.SYMMETRIC_KEY_TYPE, b64decode(key1), key_algorithm=keyclient.AES_ALGORITHM, key_size=128) print_key_request(response.request_info) # Test 20: Lets get it back key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) key_data = keyclient.retrieve_key(key_info.get_key_id()) print_key_data(key_data) key2 = b64encode(key_data.data) if key1 == key2: print("Success: archived and recovered keys match") else: print("Error: archived and recovered keys do not match") print() # Test 20: Generating asymmetric keys print("Generating asymmetric keys") try: response = keyclient.generate_asymmetric_key("Vek #5" + time.strftime('%c'), algorithm="RSA", key_size=1024, usages=None) print_key_request(response.request_info) except pki.BadRequestException as exc: print("BadRequestException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 21: Get key information of the newly generated asymmetric keys print("Retrieving key information") key_info = keyclient.get_key_info(response.request_info.get_key_id()) print_key_info(key_info)
parser.add_argument("--number-of-clients", help="Number of thread", type=int) parser.add_argument("--number-of-tests-per-client", help="Number of test per thread", type=int) parser.add_argument("--ca-cert-path", help="path for CA signing certifcate") log = logging.getLogger() logging.basicConfig(stream=sys.stdout, level=logging.INFO) args = parser.parse_args() # Create a PKIConnection object that stores the details of the CA. connection = PKIConnection('https', args.hostname, args.port, cert_paths=args.ca_cert_path) # The pem file used for authentication. Created from a p12 file using the # command - # openssl pkcs12 -in <p12_file_path> -out /tmp/auth.pem -nodes connection.set_authentication_cert(args.client_cert) # Instantiate the CertClient cert_client = CertClient(connection) class cert_enroll(object): """ #This class will enroll the certificate. """ def __init__(self, sn_uid): """ Constructor """ # Enrolling an user certificate
def run_test(protocol, hostname, port, client_cert, certdb_dir, certdb_password): """ test code execution """ # set up the connection to the DRM, including authentication credentials connection = PKIConnection(protocol, hostname, port, 'kra') connection.set_authentication_cert(client_cert) # create kraclient crypto = pki.crypto.NSSCryptoProvider(certdb_dir, certdb_password) kraclient = KRAClient(connection, crypto) keyclient = kraclient.keys # Get transport cert and insert in the certdb transport_nick = "kra transport cert" transport_cert = kraclient.system_certs.get_transport_cert() print("Subject DN: " + transport_cert.subject_dn) print(transport_cert.encoded) crypto.import_cert(transport_nick, transport_cert) # initialize the certdb for crypto operations # for NSS db, this must be done after importing the transport cert crypto.initialize() # set transport cert into keyclient keyclient.set_transport_cert(transport_nick) # Test 2: Get key request info print("Now getting key request") try: key_request = keyclient.get_request_info('2') print_key_request(key_request) except pki.RequestNotFoundException: pass # Test 3: List requests print("Now listing some requests") keyrequests = keyclient.list_requests('complete', 'securityDataRecovery') print(keyrequests.key_requests) for request in keyrequests.key_requests: print_key_request(request) # Test 4: generate symkey -- same as barbican_encode() print("Now generating symkey on KRA") client_key_id = "Vek #1" + time.strftime('%c') algorithm = "AES" key_size = 128 usages = [key.SymKeyGenerationRequest.DECRYPT_USAGE, key.SymKeyGenerationRequest.ENCRYPT_USAGE] response = keyclient.generate_symmetric_key(client_key_id, algorithm=algorithm, size=key_size, usages=usages) print_key_request(response.request_info) print("Request ID is " + response.request_info.get_request_id()) key_id = response.get_key_id() # Test 5: Confirm the key_id matches print("Now getting key ID for clientKeyID=\"" + client_key_id + "\"") key_infos = keyclient.list_keys(client_key_id=client_key_id, status=keyclient.KEY_STATUS_ACTIVE) key_id2 = None for key_info in key_infos.key_infos: print_key_info(key_info) key_id2 = key_info.get_key_id() if key_id == key_id2: print("Success! The keys from generation and search match.") else: print("Failure - key_ids for generation do not match!") # Test 6: Barbican_decode() - Retrieve while providing # trans_wrapped_session_key session_key = crypto.generate_session_key() wrapped_session_key = crypto.asymmetric_wrap(session_key, keyclient.transport_cert) print("My key id is " + str(key_id)) key_data = keyclient.retrieve_key( key_id, trans_wrapped_session_key=wrapped_session_key) print_key_data(key_data) unwrapped_key = crypto.symmetric_unwrap(key_data.encrypted_data, session_key, nonce_iv=key_data.nonce_data) key1 = b64encode(unwrapped_key) # Test 7: Recover key without providing trans_wrapped_session_key key_data = keyclient.retrieve_key(key_id) print_key_data(key_data) key2 = b64encode(key_data.data) # Test 8 - Confirm that keys returned are the same if key1 == key2: print("Success: The keys returned match! Key = " + str(key1)) else: print("Failure: The returned keys do not match!") print("key1: " + key1) print("key2: " + key2) # Test 10 = test BadRequestException on create() print("Trying to generate a new symkey with the same client ID") try: keyclient.generate_symmetric_key(client_key_id, algorithm=algorithm, size=key_size, usages=usages) except pki.BadRequestException as exc: print("BadRequestException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 11 - Test RequestNotFoundException on get_request_info print("Try to list a nonexistent request") try: keyclient.get_request_info('200000034') except pki.RequestNotFoundException as exc: print("RequestNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 12 - Test exception on retrieve_key. print("Try to retrieve an invalid key") try: keyclient.retrieve_key('2000003434') except pki.KeyNotFoundException as exc: print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 13 = getKeyInfo print("Get key info for existing key") key_info = keyclient.get_key_info(key_id) print_key_info(key_info) # Test 14: get the active key print("Get the active key for client id: " + client_key_id) key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) # Test 15: change the key status print("Change the key status") keyclient.modify_key_status(key_id, keyclient.KEY_STATUS_INACTIVE) print_key_info(keyclient.get_key_info(key_id)) # Test 16: Get key info for non-existent key print("Get key info for non-existent key") try: keyclient.get_key_info('200004556') except pki.KeyNotFoundException as exc: print("KeyNotFoundException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 17: Get key info for non-existent active key print("Get non-existent active key") try: key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) except pki.ResourceNotFoundException as exc: print("ResourceNotFoundException thrown - Code: " + exc.code + "Message: " + exc.message) # Test 18: Generate a symmetric key with default parameters client_key_id = "Vek #3" + time.strftime('%c') response = keyclient.generate_symmetric_key(client_key_id) print_key_request(response.request_info) # Test 19: Try to archive key print("try to archive key") print("key to archive: " + key1) client_key_id = "Vek #4" + time.strftime('%c') response = keyclient.archive_key(client_key_id, keyclient.SYMMETRIC_KEY_TYPE, b64decode(key1), key_algorithm=keyclient.AES_ALGORITHM, key_size=128) print_key_request(response.request_info) # Test 20: Lets get it back key_info = keyclient.get_active_key_info(client_key_id) print_key_info(key_info) key_data = keyclient.retrieve_key(key_info.get_key_id()) print_key_data(key_data) key2 = b64encode(key_data.data) if key1 == key2: print("Success: archived and recovered keys match") else: print("Error: archived and recovered keys do not match") print() # Test 20: Generating asymmetric keys print("Generating asymmetric keys") try: response = keyclient.generate_asymmetric_key( "Vek #5" + time.strftime('%c'), algorithm="RSA", key_size=1024, usages=None ) print_key_request(response.request_info) except pki.BadRequestException as exc: print("BadRequestException thrown - Code:" + exc.code + " Message: " + exc.message) # Test 21: Get key information of the newly generated asymmetric keys print("Retrieving key information") key_info = keyclient.get_key_info(response.request_info.get_key_id()) print_key_info(key_info)