#
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
#
import logging
from ipaserver import p11helper as _ipap11helper
# Module logger; sync_pkcs11_metadata() reports attribute updates through it.
logger = logging.getLogger(__name__)
# PKCS#11 attribute type (CKA_*) -> LDAP attribute name (ipk11*) for every
# attribute this module can read from or write to an LDAP key entry.
# The commented-out lines list attribute types that have no mapping here.
attrs_id2name = {
    # _ipap11helper.CKA_ALLOWED_MECHANISMS: 'ipk11allowedmechanisms',
    _ipap11helper.CKA_ALWAYS_AUTHENTICATE: 'ipk11alwaysauthenticate',
    _ipap11helper.CKA_ALWAYS_SENSITIVE: 'ipk11alwayssensitive',
    # _ipap11helper.CKA_CHECK_VALUE: 'ipk11checkvalue',
    _ipap11helper.CKA_COPYABLE: 'ipk11copyable',
    _ipap11helper.CKA_DECRYPT: 'ipk11decrypt',
    _ipap11helper.CKA_DERIVE: 'ipk11derive',
    # _ipap11helper.CKA_DESTROYABLE: 'ipk11destroyable',
    _ipap11helper.CKA_ENCRYPT: 'ipk11encrypt',
    # _ipap11helper.CKA_END_DATE: 'ipk11enddate',
    _ipap11helper.CKA_EXTRACTABLE: 'ipk11extractable',
    _ipap11helper.CKA_ID: 'ipk11id',
    # _ipap11helper.CKA_KEY_GEN_MECHANISM: 'ipk11keygenmechanism',
    _ipap11helper.CKA_KEY_TYPE: 'ipk11keytype',
    _ipap11helper.CKA_LABEL: 'ipk11label',
    _ipap11helper.CKA_LOCAL: 'ipk11local',
    _ipap11helper.CKA_MODIFIABLE: 'ipk11modifiable',
    _ipap11helper.CKA_NEVER_EXTRACTABLE: 'ipk11neverextractable',
    _ipap11helper.CKA_PRIVATE: 'ipk11private',
    # _ipap11helper.CKA_PUBLIC_KEY_INFO: 'ipapublickey',
    # _ipap11helper.CKA_PUBLIC_KEY_INFO: 'ipk11publickeyinfo',
    _ipap11helper.CKA_SENSITIVE: 'ipk11sensitive',
    _ipap11helper.CKA_SIGN: 'ipk11sign',
    _ipap11helper.CKA_SIGN_RECOVER: 'ipk11signrecover',
    # _ipap11helper.CKA_START_DATE: 'ipk11startdate',
    # _ipap11helper.CKA_SUBJECT: 'ipk11subject',
    _ipap11helper.CKA_TRUSTED: 'ipk11trusted',
    _ipap11helper.CKA_UNWRAP: 'ipk11unwrap',
    # _ipap11helper.CKA_UNWRAP_TEMPLATE: 'ipk11unwraptemplate',
    _ipap11helper.CKA_VERIFY: 'ipk11verify',
    _ipap11helper.CKA_VERIFY_RECOVER: 'ipk11verifyrecover',
    _ipap11helper.CKA_WRAP: 'ipk11wrap',
    # _ipap11helper.CKA_WRAP_TEMPLATE: 'ipk11wraptemplate',
    _ipap11helper.CKA_WRAP_WITH_TRUSTED: 'ipk11wrapwithtrusted',
}

# Reverse lookup: LDAP attribute name (ipk11*) -> PKCS#11 attribute type.
attrs_name2id = {
    ldap_name: attr_type for attr_type, ldap_name in attrs_id2name.items()
}
# attribute:
# http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#ipk11KeyType
#
# mapping table:
# http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#CK_MECHANISM_TYPE
#
# ipk11keytype string as stored in LDAP -> p11helper KEY_TYPE_* constant.
keytype_name2id = {
    "rsa": _ipap11helper.KEY_TYPE_RSA,
    "aes": _ipap11helper.KEY_TYPE_AES,
}

# Reverse lookup: p11helper KEY_TYPE_* constant -> ipk11keytype string.
keytype_id2name = {
    type_id: type_name for type_name, type_id in keytype_name2id.items()
}
# ipawrappingmech string as stored in LDAP -> p11helper MECH_* constant used
# to wrap/unwrap key material.
# NOTE(review): by name, MECH_RSA_PKCS appears to be the PKCS#1 v1.5 padding
# mechanism and MECH_RSA_PKCS_OAEP the OAEP one; OAEP is the generally
# preferred choice for wrapping new keys -- confirm which one callers select.
wrappingmech_name2id = {
    "rsaPkcs": _ipap11helper.MECH_RSA_PKCS,
    "rsaPkcsOaep": _ipap11helper.MECH_RSA_PKCS_OAEP,
    "aesKeyWrap": _ipap11helper.MECH_AES_KEY_WRAP,
    "aesKeyWrapPad": _ipap11helper.MECH_AES_KEY_WRAP_PAD,
}

# Reverse lookup: p11helper MECH_* constant -> ipawrappingmech string.
wrappingmech_id2name = {
    mech_id: mech_name for mech_name, mech_id in wrappingmech_name2id.items()
}
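# ipk11* attribute names whose values are booleans (the CKA_* flags), as
# opposed to the string/binary valued ipk11id, ipk11label and ipk11keytype.
# Presumably used by callers to decide which LDAP values need bool
# conversion -- confirm against the call sites, none are in this module.
bool_attr_names = {
    'ipk11alwaysauthenticate',
    'ipk11alwayssensitive',
    'ipk11copyable',
    'ipk11decrypt',
    'ipk11derive',
    'ipk11encrypt',
    'ipk11extractable',
    'ipk11local',
    'ipk11modifiable',
    'ipk11neverextractable',
    'ipk11private',
    'ipk11sensitive',
    'ipk11sign',
    'ipk11signrecover',
    'ipk11trusted',
    'ipk11unwrap',
    'ipk11verify',
    'ipk11verifyrecover',
    'ipk11wrap',
    'ipk11wrapwithtrusted',
}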
# Subset of attrs_id2name covering only the PKCS#11 attributes that may be
# changed on an existing object.  sync_pkcs11_metadata() iterates over the
# reverse map so that read-only attributes such as CKA_LOCAL are never
# written back to a token.
modifiable_attrs_id2name = {
    _ipap11helper.CKA_DECRYPT: 'ipk11decrypt',
    _ipap11helper.CKA_DERIVE: 'ipk11derive',
    _ipap11helper.CKA_ENCRYPT: 'ipk11encrypt',
    _ipap11helper.CKA_EXTRACTABLE: 'ipk11extractable',
    _ipap11helper.CKA_ID: 'ipk11id',
    _ipap11helper.CKA_LABEL: 'ipk11label',
    _ipap11helper.CKA_SENSITIVE: 'ipk11sensitive',
    _ipap11helper.CKA_SIGN: 'ipk11sign',
    _ipap11helper.CKA_SIGN_RECOVER: 'ipk11signrecover',
    _ipap11helper.CKA_UNWRAP: 'ipk11unwrap',
    _ipap11helper.CKA_VERIFY: 'ipk11verify',
    _ipap11helper.CKA_VERIFY_RECOVER: 'ipk11verifyrecover',
    _ipap11helper.CKA_WRAP: 'ipk11wrap',
}

# Reverse lookup: modifiable LDAP attribute name -> PKCS#11 attribute type.
modifiable_attrs_name2id = {
    ldap_name: attr_type
    for attr_type, ldap_name in modifiable_attrs_id2name.items()
}
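def sync_pkcs11_metadata(name, source, target):
    """Sync ipk11 metadata from ``source`` object to ``target`` object.

    Only the attributes listed in ``modifiable_attrs_name2id`` are copied,
    so read-only PKCS#11 attributes such as CKA_LOCAL are never written.
    Attributes missing from ``source`` leave ``target`` untouched; values
    that already match are skipped without logging.

    :param name: human-readable object name, used only in the debug log line
    :param source: mapping of ipk11* attribute names to the desired values
    :param target: mapping updated in place; it must already hold every
        modifiable attribute that ``source`` provides
    :raises KeyError: if ``target`` lacks an attribute present in ``source``
    """
    # iterate over list of modifiable PKCS#11 attributes - this prevents us
    # from attempting to set read-only attributes like CKA_LOCAL
    for attr in modifiable_attrs_name2id:
        if attr not in source:
            continue
        new_value = source[attr]
        old_value = target[attr]
        if new_value != old_value:
            # The value moves from what the target holds now to what the
            # source provides; log it in that order so the audit trail
            # reads correctly (the arguments used to be swapped).
            logger.debug('%s: Updating attribute %s from "%s" to "%s"',
                         name,
                         attr,
                         repr(old_value),
                         repr(new_value))
            target[attr] = new_value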
def populate_pkcs11_metadata(source, target):
    """Populate all ipk11 metadata attributes in ``target`` from ``source``.

    Every attribute known to ``attrs_name2id`` that ``source`` provides is
    copied into ``target``; attributes ``source`` lacks are not touched.
    Unlike sync_pkcs11_metadata(), read-only attributes are included and
    nothing is logged.

    :param source: mapping of ipk11* attribute names to values
    :param target: mapping updated in place
    """
    present = (attr for attr in attrs_name2id if attr in source)
    for attr in present:
        target[attr] = source[attr]
def ldap2p11helper_api_params(ldap_key):
    """Prepare dict with metadata parameters suitable for key unwrapping.

    Translates the ipk11*/ipawrappingmech attributes of an LDAP key entry
    into the keyword arguments the p11helper API expects.  Attributes
    absent from ``ldap_key`` are simply omitted from the result.

    :param ldap_key: mapping of LDAP attribute names to values
    :returns: new dict of p11helper keyword arguments
    :raises KeyError: if an ``ipk11keytype`` or ``ipawrappingmech`` value
        has no entry in ``keytype_name2id`` / ``wrappingmech_name2id``
    """
    # attributes that only need renaming: LDAP name -> p11helper keyword
    renamed = {
        "ipk11label": "label",
        "ipk11id": "id",
        "ipk11copyable": "cka_copyable",
        "ipk11decrypt": "cka_decrypt",
        "ipk11derive": "cka_derive",
        "ipk11encrypt": "cka_encrypt",
        "ipk11extractable": "cka_extractable",
        "ipk11modifiable": "cka_modifiable",
        "ipk11private": "cka_private",
        "ipk11sensitive": "cka_sensitive",
        "ipk11sign": "cka_sign",
        "ipk11unwrap": "cka_unwrap",
        "ipk11verify": "cka_verify",
        "ipk11wrap": "cka_wrap",
        "ipk11wrapwithtrusted": "cka_wrap_with_trusted",
    }

    # attributes whose LDAP string value must go through a lookup table
    # before p11helper accepts it: LDAP name -> (p11helper keyword, table)
    translated = {
        "ipk11keytype": ("key_type", keytype_name2id),
        "ipawrappingmech": ("wrapping_mech", wrappingmech_name2id),
    }

    params = {}
    for ldap_name, p11h_name in renamed.items():
        if ldap_name in ldap_key:
            params[p11h_name] = ldap_key[ldap_name]
    for ldap_name, (p11h_name, table) in translated.items():
        if ldap_name in ldap_key:
            params[p11h_name] = table[ldap_key[ldap_name]]
    return params
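class AbstractHSM:
    """Base class providing label-based DNSSEC key filtering helpers.

    Keys are classified by their ``ipk11label``: ``dnssec-master`` is the
    master key, labels starting with ``dnssec-replica:`` are replica keys,
    and every other label is treated as a zone key.
    """

    # Label of the DNSSEC master key.
    MASTER_KEY_LABEL = 'dnssec-master'
    # Prefix shared by every replica key label.
    REPLICA_KEY_LABEL_PREFIX = 'dnssec-replica:'

    def _filter_replica_keys(self, all_keys):
        """Return the entries of ``all_keys`` that are replica keys.

        :param all_keys: mapping of key id -> key object; each key object
            must be indexable by ``'ipk11label'`` and yield a string
        :returns: new dict holding only the replica keys, same id -> key pairs
        :raises KeyError: if a key object has no ``ipk11label``
        """
        return {
            key_id: key
            for key_id, key in all_keys.items()
            if key['ipk11label'].startswith(self.REPLICA_KEY_LABEL_PREFIX)
        }

    def _filter_zone_keys(self, all_keys):
        """Return the entries of ``all_keys`` that are neither master nor replica keys.

        :param all_keys: mapping of key id -> key object; each key object
            must be indexable by ``'ipk11label'`` and yield a string
        :returns: new dict holding only the zone keys, same id -> key pairs
        :raises KeyError: if a key object has no ``ipk11label``
        """
        return {
            key_id: key
            for key_id, key in all_keys.items()
            if not (
                key['ipk11label'] == self.MASTER_KEY_LABEL
                or key['ipk11label'].startswith(self.REPLICA_KEY_LABEL_PREFIX)
            )
        }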