py3 dnssec: convert hexlify to str

hexlify returns bytes and needs to be cast to a string before
printing it out.

Related: https://pagure.io/freeipa/issue/4985

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Tomas Krizek
2017-08-25 15:45:24 +02:00
committed by Christian Heimes
parent 005d85ff68
commit efded2264f
4 changed files with 50 additions and 37 deletions


@@ -8,7 +8,6 @@ Download keys from LDAP to local HSM.
This program should be run only on replicas, not on DNSSEC masters.
"""
from binascii import hexlify
from gssapi.exceptions import GSSError
import logging
import os
@@ -24,7 +23,7 @@ from ipaplatform.paths import paths
from ipaserver.dnssec.abshsm import (sync_pkcs11_metadata,
ldap2p11helper_api_params,
wrappingmech_name2id)
from ipaserver.dnssec.ldapkeydb import LdapKeyDB
from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify
from ipaserver.dnssec.localhsm import LocalHSM
logger = logging.getLogger(os.path.basename(__file__))
@@ -36,7 +35,7 @@ WORKDIR = '/tmp'
def hex_set(s):
out = set()
for i in s:
out.add("0x%s" % hexlify(i))
out.add("0x%s" % str_hexlify(i))
return out
def update_metadata_set(source_set, target_set):
@@ -72,7 +71,9 @@ def ldap2replica_master_keys_sync(ldapkeydb, localhsm):
hex_set(new_keys))
for mkey_id in new_keys:
mkey_ldap = ldapkeydb.master_keys[mkey_id]
assert mkey_ldap.wrapped_entries, "Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute" % hexlify(mkey_id)
assert mkey_ldap.wrapped_entries, ("Master key 0x%s in LDAP is " \
"missing key material referenced by ipaSecretKeyRefObject " \
"attribute") % str_hexlify(mkey_id)
for wrapped_ldap in mkey_ldap.wrapped_entries:
unwrapping_key = find_unwrapping_key(
localhsm, wrapped_ldap.single_value['ipaWrappingKey'])
@@ -80,14 +81,16 @@ def ldap2replica_master_keys_sync(ldapkeydb, localhsm):
break
# TODO: Could it happen in normal cases?
assert unwrapping_key is not None, "Local HSM does not contain suitable unwrapping key for master key 0x%s" % hexlify(mkey_id)
assert unwrapping_key is not None, ("Local HSM does not contain " \
"suitable unwrapping key for master key 0x%s") % \
str_hexlify(mkey_id)
params = ldap2p11helper_api_params(mkey_ldap)
params['data'] = wrapped_ldap.single_value['ipaSecretKey']
params['unwrapping_key'] = unwrapping_key.handle
params['wrapping_mech'] = wrappingmech_name2id[wrapped_ldap.single_value['ipaWrappingMech']]
logger.debug('Importing new master key: 0x%s %s',
hexlify(mkey_id), params)
str_hexlify(mkey_id), params)
localhsm.p11.import_wrapped_secret_key(**params)
# synchronize metadata about master keys in LDAP
@@ -108,14 +111,14 @@ def ldap2replica_zone_keys_sync(ldapkeydb, localhsm):
for zkey_id in new_keys:
zkey_ldap = ldapkeydb.zone_keypairs[zkey_id]
logger.debug('Looking for unwrapping key "%s" for zone key 0x%s',
zkey_ldap['ipaWrappingKey'], hexlify(zkey_id))
zkey_ldap['ipaWrappingKey'], str_hexlify(zkey_id))
unwrapping_key = find_unwrapping_key(
localhsm, zkey_ldap['ipaWrappingKey'])
assert unwrapping_key is not None, \
"Local HSM does not contain suitable unwrapping key for ' \
'zone key 0x%s" % hexlify(zkey_id)
'zone key 0x%s" % str_hexlify(zkey_id)
logger.debug('Importing zone key pair 0x%s', hexlify(zkey_id))
logger.debug('Importing zone key pair 0x%s', str_hexlify(zkey_id))
localhsm.import_private_key(zkey_ldap, zkey_ldap['ipaPrivateKey'],
unwrapping_key)
localhsm.import_public_key(zkey_ldap, zkey_ldap['ipaPublicKey'])
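Review bot: The backslash continuations inside the parenthesised assertion messages at `assert mkey_ldap.wrapped_entries, ("Master key 0x%s in LDAP is " \` and `assert unwrapping_key is not None, ("Local HSM does not contain " \` are redundant, because adjacent string literals inside parentheses already continue across lines; `("Master key 0x%s in LDAP is " "missing key material referenced by ipaSecretKeyRefObject " "attribute") % str_hexlify(mkey_id)` reads the same without them. The `duplicate ipk11Id` assertion in ldapkeydb.py later in this commit has the same pattern. Since these two assertions are what stops a master key with missing or unwrappable material from being imported into the local HSM, and `assert` is stripped under `python -O`, a `raise` with the same message would keep that guard in every build. The enclosing ldap2replica_master_keys_sync starts and ends outside these hunks.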


@@ -16,7 +16,6 @@ Purpose of this replacement is to upload keys generated by OpenDNSSEC to LDAP.
"""
from __future__ import print_function
from binascii import hexlify
from datetime import datetime
import dateutil.tz
import dns.dnssec
@@ -38,7 +37,7 @@ from ipapython.dn import DN
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
from ipaserver.dnssec.ldapkeydb import LdapKeyDB
from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify
from ipaserver.dnssec.localhsm import LocalHSM
logger = logging.getLogger(os.path.basename(__file__))
@@ -299,8 +298,8 @@ def ldap2master_replica_keys_sync(ldapkeydb, localhsm):
new_key_ldap = ldapkeydb.replica_pubkeys_wrap[key_id]
logger.debug('label=%s, id=%s, data=%s',
new_key_ldap['ipk11label'],
hexlify(new_key_ldap['ipk11id']),
hexlify(new_key_ldap['ipapublickey']))
str_hexlify(new_key_ldap['ipk11id']),
str_hexlify(new_key_ldap['ipapublickey']))
localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
# set CKA_WRAP = FALSE for all replica keys removed from LDAP
@@ -339,7 +338,7 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm):
# synchronize master key metadata to LDAP
for mkey_id, mkey_local in localhsm.master_keys.items():
logger.debug('synchronizing master key metadata: 0x%s',
hexlify(mkey_id))
str_hexlify(mkey_id))
sync_pkcs11_metadata('master2ldap_master', mkey_local, ldapkeydb.master_keys[mkey_id])
# re-wrap all master keys in LDAP with new replica keys (as necessary)
@@ -349,7 +348,7 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm):
for mkey_id, mkey_ldap in ldapkeydb.master_keys.items():
logger.debug('processing master key data: 0x%s',
hexlify(mkey_id))
str_hexlify(mkey_id))
# check that all active replicas have own copy of master key
used_replica_keys = set()
@@ -367,13 +366,13 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm):
new_replica_keys = enabled_replica_key_ids - used_replica_keys
logger.debug('master key 0x%s is not wrapped with replica keys %s',
hexlify(mkey_id), hex_set(new_replica_keys))
str_hexlify(mkey_id), hex_set(new_replica_keys))
# wrap master key with new replica keys
mkey_local = localhsm.find_keys(id=mkey_id).popitem()[1]
for replica_key_id in new_replica_keys:
logger.info('adding master key 0x%s wrapped with replica key 0x%s',
hexlify(mkey_id), hexlify(replica_key_id))
str_hexlify(mkey_id), str_hexlify(replica_key_id))
replica_key = localhsm.replica_pubkeys_wrap[replica_key_id]
keydata = localhsm.p11.export_wrapped_key(mkey_local.handle,
replica_key.handle,
@@ -446,7 +445,7 @@ def master2ldap_zone_keys_purge(ldapkeydb, localhsm):
def hex_set(s):
out = set()
for i in s:
out.add("0x%s" % hexlify(i))
out.add("0x%s" % str_hexlify(i))
return out
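Review bot: `hex_set` in the last hunk of this section is a line-for-line copy of the `hex_set` in the first file of this commit, and both now depend on `str_hexlify`; defining it once next to `str_hexlify` in ldapkeydb and importing it would keep the two from drifting apart. Either way the body is a set comprehension, `return {"0x%s" % str_hexlify(i) for i in s}`. hex_set is complete within the hunk.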


@@ -29,7 +29,7 @@ logger = logging.getLogger(__name__)
def uri_escape(val):
"""convert val to %-notation suitable for ID component in URI"""
assert len(val) > 0, "zero-length URI component detected"
hexval = hexlify(val)
hexval = str_hexlify(val)
out = '%'
# pylint: disable=E1127
out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
@@ -112,6 +112,13 @@ def get_default_attrs(object_classes):
return result
def str_hexlify(data):
out = hexlify(data)
if isinstance(out, bytes):
out = out.decode('utf-8')
return out
class Key(collections.MutableMapping):
"""abstraction to hide LDAP entry weirdnesses:
- non-normalized attribute names
@@ -197,7 +204,7 @@ class Key(collections.MutableMapping):
"Key._delete_key() called before Key.schedule_deletion()")
assert self._delentry, "Key._delete_key() called more than once"
logger.debug('deleting key id 0x%s DN %s from LDAP',
hexlify(self._delentry.single_value['ipk11id']),
str_hexlify(self._delentry.single_value['ipk11id']),
self._delentry.dn)
self.ldap.delete_entry(self._delentry)
self._delentry = None
@@ -260,8 +267,8 @@ class MasterKey(Key):
logger.info('adding master key 0x%s wrapped with replica key 0x%s to '
'%s',
hexlify(self['ipk11id']),
hexlify(replica_key_id),
str_hexlify(self['ipk11id']),
str_hexlify(replica_key_id),
entry_dn)
self.ldap.add_entry(entry)
if 'ipaSecretKeyRef' not in self.entry:
@@ -294,7 +301,9 @@ class LdapKeyDB(AbstractHSM):
assert 'ipk11id' in key, 'key is missing ipk11Id in %s' % key.entry.dn
key_id = key['ipk11id']
assert key_id not in keys, 'duplicate ipk11Id=0x%s in "%s" and "%s"' % (hexlify(key_id), key.entry.dn, keys[key_id].entry.dn)
assert key_id not in keys, \
'duplicate ipk11Id=0x%s in "%s" and "%s"' % \
(str_hexlify(key_id), key.entry.dn, keys[key_id].entry.dn)
assert 'ipk11label' in key, 'key "%s" is missing ipk11Label' % key.entry.dn
assert 'objectclass' in key.entry, 'key "%s" is missing objectClass attribute' % key.entry.dn
@@ -365,7 +374,8 @@ class LdapKeyDB(AbstractHSM):
new_key.entry['ipaPublicKey'] = pubkey_data
self.ldap.add_entry(new_key.entry)
logger.debug('imported zone key id: 0x%s', hexlify(new_key['ipk11id']))
logger.debug('imported zone key id: 0x%s',
str_hexlify(new_key['ipk11id']))
@property
def replica_pubkeys_wrap(self):
@@ -392,7 +402,7 @@ class LdapKeyDB(AbstractHSM):
'secret key dn="%s" ipk11id=0x%s ipk11label="%s" with ipk11UnWrap = TRUE does not have '\
'"%s" key label' % (
key.entry.dn,
hexlify(key['ipk11id']),
str_hexlify(key['ipk11id']),
str(key['ipk11label']),
prefix)
@@ -437,19 +447,19 @@ if __name__ == '__main__':
print('replica public keys: CKA_WRAP = TRUE')
print('====================================')
for pubkey_id, pubkey in ldapkeydb.replica_pubkeys_wrap.items():
print(hexlify(pubkey_id))
print(str_hexlify(pubkey_id))
pprint(pubkey)
print('')
print('master keys')
print('===========')
for mkey_id, mkey in ldapkeydb.master_keys.items():
print(hexlify(mkey_id))
print(str_hexlify(mkey_id))
pprint(mkey)
print('')
print('zone key pairs')
print('==============')
for key_id, key in ldapkeydb.zone_keypairs.items():
print(hexlify(key_id))
print(str_hexlify(key_id))
pprint(key)
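Review bot: `str_hexlify` is added without a docstring, and as the helper every other file in this commit now imports it should state its contract: `"""Return hexlify(data) as a native str; binascii.hexlify returns bytes on Python 3."""`. Because hexlify only emits ASCII hex digits, decoding with `'ascii'` would express that invariant more precisely than `'utf-8'`, though both accept the output. On Python 2, where `bytes` is `str`, the `isinstance(out, bytes)` branch also fires and the result becomes `unicode`; presumably harmless for the `%s` formatting here, but worth confirming against any caller that concatenates the result with byte strings.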


@@ -5,7 +5,6 @@
from __future__ import print_function
from binascii import hexlify
import collections
import os
from pprint import pprint
@@ -16,6 +15,8 @@ from ipaserver import p11helper as _ipap11helper
from ipaserver.dnssec.abshsm import (attrs_name2id, attrs_id2name, AbstractHSM,
keytype_id2name, keytype_name2id,
ldap2p11helper_api_params)
from ipaserver.dnssec.ldapkeydb import str_hexlify
private_key_api_params = set(["label", "id", "data", "unwrapping_key",
@@ -45,7 +46,7 @@ class Key(collections.MutableMapping):
except _ipap11helper.NotFound:
raise _ipap11helper.NotFound('key without ipk11label: id 0x%s'
% hexlify(cka_id))
% str_hexlify(cka_id))
def __getitem__(self, key):
key = key.lower()
@@ -114,7 +115,7 @@ class LocalHSM(AbstractHSM):
key = Key(self.p11, h)
o_id = key['ipk11id']
assert o_id not in keys, 'duplicate ipk11Id = 0x%s; keys = %s' % (
hexlify(o_id), keys)
str_hexlify(o_id), keys)
keys[o_id] = key
return keys
@@ -139,7 +140,7 @@ class LocalHSM(AbstractHSM):
prefix = 'dnssec-master'
assert key['ipk11label'] == prefix, \
'secret key ipk11id=0x%s ipk11label="%s" with ipk11UnWrap = TRUE does not have '\
'"%s" key label' % (hexlify(key['ipk11id']),
'"%s" key label' % (str_hexlify(key['ipk11id']),
str(key['ipk11label']), prefix)
return keys
@@ -195,33 +196,33 @@ if __name__ == '__main__':
print('replica public keys: CKA_WRAP = TRUE')
print('====================================')
for pubkey_id, pubkey in localhsm.replica_pubkeys_wrap.items():
print(hexlify(pubkey_id))
print(str_hexlify(pubkey_id))
pprint(pubkey)
print('')
print('replica public keys: all')
print('========================')
for pubkey_id, pubkey in localhsm.replica_pubkeys.items():
print(hexlify(pubkey_id))
print(str_hexlify(pubkey_id))
pprint(pubkey)
print('')
print('master keys')
print('===========')
for mkey_id, mkey in localhsm.master_keys.items():
print(hexlify(mkey_id))
print(str_hexlify(mkey_id))
pprint(mkey)
print('')
print('zone public keys')
print('================')
for key_id, key in localhsm.zone_pubkeys.items():
print(hexlify(key_id))
print(str_hexlify(key_id))
pprint(key)
print('')
print('zone private keys')
print('=================')
for key_id, key in localhsm.zone_privkeys.items():
print(hexlify(key_id))
print(str_hexlify(key_id))
pprint(key)
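Review bot: The new `from ipaserver.dnssec.ldapkeydb import str_hexlify` makes localhsm depend on ldapkeydb for a helper that only wraps binascii; both modules already import from ipaserver.dnssec.abshsm, so defining `str_hexlify` there would keep the dependency direction flat. I cannot see from this hunk whether ldapkeydb in turn imports localhsm, so whether this introduces an import cycle is unverified and worth checking before merging.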