mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-17 19:52:58 -06:00
41 lines
1.4 KiB
Python
41 lines
1.4 KiB
Python
|
#!/usr/bin/python
|
||
|
#
|
||
|
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
|
||
|
#
|
||
|
|
||
|
import _ipap11helper
|
||
|
import random
|
||
|
|
||
|
def generate_master_key(p11, keylabel=u"dnssec-master", key_length=16,
|
||
|
disable_old_keys=True):
|
||
|
assert isinstance(p11, _ipap11helper.P11_Helper)
|
||
|
|
||
|
key_id = None
|
||
|
while True:
|
||
|
# check if key with this ID exist in LDAP or softHSM
|
||
|
# id is 16 Bytes long
|
||
|
key_id = "".join(chr(random.randint(0, 255)) for _ in xrange(0, 16))
|
||
|
keys = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY,
|
||
|
label=keylabel,
|
||
|
id=key_id)
|
||
|
if not keys:
|
||
|
break # we found unique id
|
||
|
|
||
|
p11.generate_master_key(keylabel,
|
||
|
key_id,
|
||
|
key_length=key_length,
|
||
|
cka_wrap=True,
|
||
|
cka_unwrap=True)
|
||
|
|
||
|
if disable_old_keys:
|
||
|
# set CKA_WRAP=False for old master keys
|
||
|
master_keys = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY,
|
||
|
label=keylabel,
|
||
|
cka_wrap=True)
|
||
|
|
||
|
for handle in master_keys:
|
||
|
# don't disable wrapping for new key
|
||
|
# compare IDs not handle
|
||
|
if key_id != p11.get_attribute(handle, _ipap11helper.CKA_ID):
|
||
|
p11.set_attribute(handle, _ipap11helper.CKA_WRAP, False)
|