2014-10-19 10:04:40 -05:00
|
|
|
#
|
|
|
|
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
|
|
|
|
#
|
|
|
|
|
2018-04-05 02:21:16 -05:00
|
|
|
from __future__ import print_function, absolute_import
|
2015-08-12 06:44:11 -05:00
|
|
|
|
2014-10-19 10:04:40 -05:00
|
|
|
import os
|
|
|
|
from pprint import pprint
|
|
|
|
|
2018-07-04 03:07:49 -05:00
|
|
|
import six
|
|
|
|
|
2017-08-23 09:53:31 -05:00
|
|
|
from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
|
2014-10-19 10:04:40 -05:00
|
|
|
from ipaplatform.paths import paths
|
2016-11-22 10:55:10 -06:00
|
|
|
from ipaserver import p11helper as _ipap11helper
|
|
|
|
from ipaserver.dnssec.abshsm import (attrs_name2id, attrs_id2name, AbstractHSM,
|
2015-07-31 03:15:01 -05:00
|
|
|
keytype_id2name, keytype_name2id,
|
|
|
|
ldap2p11helper_api_params)
|
2017-08-25 08:45:24 -05:00
|
|
|
from ipaserver.dnssec.ldapkeydb import str_hexlify
|
|
|
|
|
2018-07-04 03:07:49 -05:00
|
|
|
# pylint: disable=no-name-in-module, import-error
|
|
|
|
if six.PY3:
|
|
|
|
from collections.abc import MutableMapping
|
|
|
|
else:
|
|
|
|
from collections import MutableMapping
|
|
|
|
# pylint: enable=no-name-in-module, import-error
|
|
|
|
|
2014-10-19 10:04:40 -05:00
|
|
|
|
|
|
|
private_key_api_params = set(["label", "id", "data", "unwrapping_key",
|
|
|
|
"wrapping_mech", "key_type", "cka_always_authenticate", "cka_copyable",
|
|
|
|
"cka_decrypt", "cka_derive", "cka_extractable", "cka_modifiable",
|
|
|
|
"cka_private", "cka_sensitive", "cka_sign", "cka_sign_recover",
|
|
|
|
"cka_unwrap", "cka_wrap_with_trusted"])
|
|
|
|
|
|
|
|
public_key_api_params = set(["label", "id", "data", "cka_copyable",
|
|
|
|
"cka_derive", "cka_encrypt", "cka_modifiable", "cka_private",
|
|
|
|
"cka_trusted", "cka_verify", "cka_verify_recover", "cka_wrap"])
|
|
|
|
|
2018-07-04 03:07:49 -05:00
|
|
|
|
|
|
|
class Key(MutableMapping):
|
2014-10-19 10:04:40 -05:00
|
|
|
def __init__(self, p11, handle):
|
|
|
|
self.p11 = p11
|
|
|
|
self.handle = handle
|
|
|
|
# sanity check CKA_ID and CKA_LABEL
|
|
|
|
try:
|
|
|
|
cka_id = self.p11.get_attribute(handle, _ipap11helper.CKA_ID)
|
|
|
|
assert len(cka_id) != 0, 'ipk11id length should not be 0'
|
|
|
|
except _ipap11helper.NotFound:
|
|
|
|
raise _ipap11helper.NotFound('key without ipk11id: handle %s' % handle)
|
|
|
|
|
|
|
|
try:
|
|
|
|
cka_label = self.p11.get_attribute(handle, _ipap11helper.CKA_LABEL)
|
|
|
|
assert len(cka_label) != 0, 'ipk11label length should not be 0'
|
|
|
|
|
|
|
|
except _ipap11helper.NotFound:
|
2017-11-15 08:46:33 -06:00
|
|
|
raise _ipap11helper.NotFound(
|
|
|
|
'key without ipk11label: id 0x%s' % str_hexlify(cka_id))
|
2014-10-19 10:04:40 -05:00
|
|
|
|
|
|
|
def __getitem__(self, key):
|
|
|
|
key = key.lower()
|
|
|
|
try:
|
|
|
|
value = self.p11.get_attribute(self.handle, attrs_name2id[key])
|
|
|
|
if key == 'ipk11keytype':
|
|
|
|
value = keytype_id2name[value]
|
|
|
|
return value
|
|
|
|
except _ipap11helper.NotFound:
|
|
|
|
raise KeyError()
|
|
|
|
|
|
|
|
def __setitem__(self, key, value):
|
|
|
|
key = key.lower()
|
|
|
|
if key == 'ipk11keytype':
|
|
|
|
value = keytype_name2id[value]
|
|
|
|
|
|
|
|
return self.p11.set_attribute(self.handle, attrs_name2id[key], value)
|
|
|
|
|
|
|
|
def __delitem__(self, key):
|
2016-01-06 06:10:11 -06:00
|
|
|
raise _ipap11helper.P11HelperException('__delitem__ is not supported')
|
2014-10-19 10:04:40 -05:00
|
|
|
|
|
|
|
def __iter__(self):
|
|
|
|
"""generates list of ipa names of all attributes present in the object"""
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
for pkcs11_id, ipa_name in attrs_id2name.items():
|
2014-10-19 10:04:40 -05:00
|
|
|
try:
|
|
|
|
self.p11.get_attribute(self.handle, pkcs11_id)
|
|
|
|
except _ipap11helper.NotFound:
|
|
|
|
continue
|
|
|
|
|
|
|
|
yield ipa_name
|
|
|
|
|
|
|
|
def __len__(self):
|
|
|
|
cnt = 0
|
2016-10-07 08:07:49 -05:00
|
|
|
for _attr in self:
|
2014-10-19 10:04:40 -05:00
|
|
|
cnt += 1
|
|
|
|
return cnt
|
|
|
|
|
|
|
|
def __str__(self):
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
return str(dict(self))
|
2014-10-19 10:04:40 -05:00
|
|
|
|
|
|
|
def __repr__(self):
|
|
|
|
return self.__str__()
|
|
|
|
|
2017-03-29 11:53:11 -05:00
|
|
|
|
2014-10-19 10:04:40 -05:00
|
|
|
class LocalHSM(AbstractHSM):
|
2017-03-29 11:53:11 -05:00
|
|
|
def __init__(self, library, label, pin):
|
2014-10-19 10:04:40 -05:00
|
|
|
self.cache_replica_pubkeys = None
|
2017-03-29 11:53:11 -05:00
|
|
|
self.p11 = _ipap11helper.P11_Helper(label, pin, library)
|
2014-10-19 10:04:40 -05:00
|
|
|
|
|
|
|
def __del__(self):
|
|
|
|
self.p11.finalize()
|
|
|
|
|
|
|
|
def find_keys(self, **kwargs):
|
|
|
|
"""Return dict with Key objects matching given criteria.
|
|
|
|
|
|
|
|
CKA_ID is used as key so all matching objects have to have unique ID."""
|
|
|
|
|
|
|
|
# this is a hack for old p11-kit URI parser
|
|
|
|
# see https://bugs.freedesktop.org/show_bug.cgi?id=85057
|
|
|
|
if 'uri' in kwargs:
|
|
|
|
kwargs['uri'] = kwargs['uri'].replace('type=', 'object-type=')
|
|
|
|
|
|
|
|
handles = self.p11.find_keys(**kwargs)
|
|
|
|
keys = {}
|
|
|
|
for h in handles:
|
|
|
|
key = Key(self.p11, h)
|
|
|
|
o_id = key['ipk11id']
|
|
|
|
assert o_id not in keys, 'duplicate ipk11Id = 0x%s; keys = %s' % (
|
2017-08-25 08:45:24 -05:00
|
|
|
str_hexlify(o_id), keys)
|
2014-10-19 10:04:40 -05:00
|
|
|
keys[o_id] = key
|
|
|
|
|
|
|
|
return keys
|
|
|
|
|
|
|
|
@property
|
|
|
|
def replica_pubkeys(self):
|
|
|
|
return self._filter_replica_keys(
|
|
|
|
self.find_keys(objclass=_ipap11helper.KEY_CLASS_PUBLIC_KEY))
|
|
|
|
|
|
|
|
@property
|
|
|
|
def replica_pubkeys_wrap(self):
|
|
|
|
return self._filter_replica_keys(
|
|
|
|
self.find_keys(objclass=_ipap11helper.KEY_CLASS_PUBLIC_KEY,
|
|
|
|
cka_wrap=True))
|
|
|
|
|
|
|
|
@property
|
|
|
|
def master_keys(self):
|
|
|
|
"""Get all usable DNSSEC master keys"""
|
|
|
|
keys = self.find_keys(objclass=_ipap11helper.KEY_CLASS_SECRET_KEY, label=u'dnssec-master', cka_unwrap=True)
|
|
|
|
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
for key in keys.values():
|
2014-10-19 10:04:40 -05:00
|
|
|
prefix = 'dnssec-master'
|
|
|
|
assert key['ipk11label'] == prefix, \
|
2017-12-15 09:33:50 -06:00
|
|
|
'secret key ipk11id=0x%s ipk11label="%s" with ipk11UnWrap ' \
|
|
|
|
'= TRUE does not have "%s" key label' % (
|
|
|
|
str_hexlify(key['ipk11id']),
|
|
|
|
str(key['ipk11label']), prefix
|
|
|
|
)
|
2014-10-19 10:04:40 -05:00
|
|
|
|
|
|
|
return keys
|
|
|
|
|
|
|
|
@property
|
|
|
|
def active_master_key(self):
|
|
|
|
"""Get one active DNSSEC master key suitable for key wrapping"""
|
|
|
|
keys = self.find_keys(objclass=_ipap11helper.KEY_CLASS_SECRET_KEY,
|
|
|
|
label=u'dnssec-master', cka_wrap=True, cka_unwrap=True)
|
|
|
|
assert len(keys) > 0, "DNSSEC master key with UN/WRAP = TRUE not found"
|
|
|
|
return keys.popitem()[1]
|
|
|
|
|
|
|
|
@property
|
|
|
|
def zone_pubkeys(self):
|
|
|
|
return self._filter_zone_keys(
|
|
|
|
self.find_keys(objclass=_ipap11helper.KEY_CLASS_PUBLIC_KEY))
|
|
|
|
|
|
|
|
@property
|
|
|
|
def zone_privkeys(self):
|
|
|
|
return self._filter_zone_keys(
|
|
|
|
self.find_keys(objclass=_ipap11helper.KEY_CLASS_PRIVATE_KEY))
|
|
|
|
|
|
|
|
|
|
|
|
def import_public_key(self, source, data):
|
|
|
|
params = ldap2p11helper_api_params(source)
|
|
|
|
# filter out params inappropriate for public keys
|
2016-10-11 10:35:01 -05:00
|
|
|
for par in set(params).difference(public_key_api_params):
|
2014-10-19 10:04:40 -05:00
|
|
|
del params[par]
|
|
|
|
params['data'] = data
|
|
|
|
|
|
|
|
h = self.p11.import_public_key(**params)
|
|
|
|
return Key(self.p11, h)
|
|
|
|
|
|
|
|
def import_private_key(self, source, data, unwrapping_key):
|
|
|
|
params = ldap2p11helper_api_params(source)
|
|
|
|
# filter out params inappropriate for private keys
|
2016-10-11 10:35:01 -05:00
|
|
|
for par in set(params).difference(private_key_api_params):
|
2014-10-19 10:04:40 -05:00
|
|
|
del params[par]
|
|
|
|
params['data'] = data
|
|
|
|
params['unwrapping_key'] = unwrapping_key.handle
|
|
|
|
|
|
|
|
h = self.p11.import_wrapped_private_key(**params)
|
|
|
|
return Key(self.p11, h)
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
if 'SOFTHSM2_CONF' not in os.environ:
|
|
|
|
os.environ['SOFTHSM2_CONF'] = paths.DNSSEC_SOFTHSM2_CONF
|
2017-08-23 09:53:31 -05:00
|
|
|
localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
|
2014-10-19 10:04:40 -05:00
|
|
|
open(paths.DNSSEC_SOFTHSM_PIN).read())
|
|
|
|
|
2015-08-12 06:44:11 -05:00
|
|
|
print('replica public keys: CKA_WRAP = TRUE')
|
|
|
|
print('====================================')
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
for pubkey_id, pubkey in localhsm.replica_pubkeys_wrap.items():
|
2017-08-25 08:45:24 -05:00
|
|
|
print(str_hexlify(pubkey_id))
|
2014-10-19 10:04:40 -05:00
|
|
|
pprint(pubkey)
|
|
|
|
|
2015-08-12 06:44:11 -05:00
|
|
|
print('')
|
|
|
|
print('replica public keys: all')
|
|
|
|
print('========================')
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
for pubkey_id, pubkey in localhsm.replica_pubkeys.items():
|
2017-08-25 08:45:24 -05:00
|
|
|
print(str_hexlify(pubkey_id))
|
2014-10-19 10:04:40 -05:00
|
|
|
pprint(pubkey)
|
|
|
|
|
2015-08-12 06:44:11 -05:00
|
|
|
print('')
|
|
|
|
print('master keys')
|
|
|
|
print('===========')
|
Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-11 06:51:14 -05:00
|
|
|
for mkey_id, mkey in localhsm.master_keys.items():
|
2017-08-25 08:45:24 -05:00
|
|
|
print(str_hexlify(mkey_id))
|
2014-10-19 10:04:40 -05:00
|
|
|
pprint(mkey)
|
|
|
|
|
2015-08-12 06:44:11 -05:00
|
|
|
print('')
|
|
|
|
print('zone public keys')
|
|
|
|
print('================')
|
2017-11-15 08:46:33 -06:00
|
|
|
for key_id, zkey in localhsm.zone_pubkeys.items():
|
2017-08-25 08:45:24 -05:00
|
|
|
print(str_hexlify(key_id))
|
2017-11-15 08:46:33 -06:00
|
|
|
pprint(zkey)
|
2014-10-19 10:04:40 -05:00
|
|
|
|
2015-08-12 06:44:11 -05:00
|
|
|
print('')
|
|
|
|
print('zone private keys')
|
|
|
|
print('=================')
|
2017-11-15 08:46:33 -06:00
|
|
|
for key_id, zkey in localhsm.zone_privkeys.items():
|
2017-08-25 08:45:24 -05:00
|
|
|
print(str_hexlify(key_id))
|
2017-11-15 08:46:33 -06:00
|
|
|
pprint(zkey)
|