Add 'barbican-manage hsm check_[mkek|hmac].

New command to check if a label exists, so
that a script that generates the keys can use
it to determine whether gen_mkek/gen_hmac
needs to be called or not.

Change-Id: I6eb0d138fe3d3f322d94e47d21ec6ec58469995e
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
This commit is contained in:
Moisés Guimarães de Medeiros 2018-10-09 16:20:31 +02:00 committed by Douglas Mendizábal
parent 1aaf326e1d
commit 1872ea54d8
3 changed files with 74 additions and 4 deletions


@ -172,6 +172,27 @@ class HSMCommands(object):
description = "Subcommands for managing HSM/PKCS11"
check_mkek_description = "Checks if a MKEK label is available"
@args('--library-path', metavar='<library-path>', dest='libpath',
default='/usr/lib/libCryptoki2_64.so',
help='Path to vendor PKCS11 library')
@args('--slot-id', metavar='<slot-id>', dest='slotid', default=1,
help='HSM Slot id (Should correspond to a configured PKCS11 slot, \
default is 1)')
@args('--passphrase', metavar='<passphrase>', default=None, required=True,
help='Password to login to PKCS11 session')
@args('--label', '-L', metavar='<label>', default='primarymkek',
help='The label of the Master Key Encrypt Key')
def check_mkek(self, passphrase, libpath=None, slotid=None, label=None):
CKK_AES = 'CKK_AES'
self._create_pkcs11_session(str(passphrase), str(libpath), int(slotid))
handle = self.pkcs11.get_key_handle(CKK_AES, str(label), self.session)
self.pkcs11.return_session(self.session)
if not handle:
print("Label {label} is not set.".format(label=label))
sys.exit(1)
gen_mkek_description = "Generates a new MKEK"
@args('--library-path', metavar='<library-path>', dest='libpath',
@ -199,6 +220,30 @@ class HSMCommands(object):
self.pkcs11.return_session(self.session)
print("MKEK successfully generated!")
check_hmac_description = "Checks if a HMAC key label is available"
@args('--library-path', metavar='<library-path>', dest='libpath',
default='/usr/lib/libCryptoki2_64.so',
help='Path to vendor PKCS11 library')
@args('--slot-id', metavar='<slot-id>', dest='slotid', default=1,
help='HSM Slot id (Should correspond to a configured PKCS11 slot, \
default is 1)')
@args('--passphrase', metavar='<passphrase>', default=None, required=True,
help='Password to login to PKCS11 session')
@args('--label', '-L', metavar='<label>', default='primarymkek',
help='The label of the Master HMAC key')
@args('--key-type', '-t', metavar='<key type>', dest='keytype',
default='CKK_AES', help='The HMAC Key Type (e.g. CKK_AES)')
def check_hmac(self, passphrase, libpath=None, slotid=None, label=None,
keytype=None):
self._create_pkcs11_session(str(passphrase), str(libpath), int(slotid))
handle = self.pkcs11.get_key_handle(str(keytype), str(label),
self.session)
self.pkcs11.return_session(self.session)
if not handle:
print("Label {label} is not set.".format(label=label))
sys.exit(1)
gen_hmac_description = "Generates a new HMAC key"
@args('--library-path', metavar='<library-path>', dest='libpath',
@ -248,10 +293,7 @@ class HSMCommands(object):
def _verify_label_does_not_exist(self, key_type, label, session):
key_handle = self.pkcs11.get_key_handle(key_type, label, session)
if key_handle:
print(
"The label {label} already exists! "
"Please try again.".format(label=label)
)
print("The label {label} already exists!".format(label=label))
sys.exit(1)
@ -358,5 +400,6 @@ def main():
except Exception as e:
sys.exit("ERROR: %s" % e)
if __name__ == '__main__':
main()
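Review bot: In check_hmac the `--label` default is `'primarymkek'` (the value carried over from check_mkek) while its help text calls it the label of the Master HMAC key, so a script that runs `check_hmac` without `--label` tests for the MKEK label rather than the HMAC key label; presumably the default should match what gen_hmac uses for its own `--label` (gen_hmac's decorators lie outside the hunk). In both check_mkek and check_hmac the session is only returned when `get_key_handle` returns normally, so a PKCS#11 error in the lookup leaves the session checked out; wrapping it as `try: handle = self.pkcs11.get_key_handle(...)` / `finally: self.pkcs11.return_session(self.session)` keeps the session from leaking. The new commands also take the HSM passphrase on the command line via the required `--passphrase`, where it is visible to other local users through the process list and shell history; this mirrors the existing gen_mkek/gen_hmac options, so it is a follow-up rather than a blocker, but the help text could say so. A one-line docstring on each command, e.g. `"""Exit with status 1 if no key with this label exists in the configured slot."""`, would document the exit-code contract that calling scripts depend on.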


@ -156,6 +156,16 @@ class TestBarbicanManage(TestBarbicanManageBase):
['barbican.cmd.barbican_manage', 'db', 'current'], mock_current,
False, sql_url='mockdburl')
@mock.patch('barbican.plugin.crypto.pkcs11.PKCS11')
def test_hsm_check_mkek(self, mock_pkcs11):
mock_pkcs11.return_value.get_session.return_value = 1
mock_pkcs11.return_value.get_key_handle.return_value = 1
mock_getkey = mock_pkcs11.return_value.get_key_handle
self._main_test_helper(
['barbican.cmd.barbican_manage', 'hsm', 'check_mkek',
'--library-path', 'mocklib', '--passphrase', 'mockpassewd',
'--label', 'mocklabel'], mock_getkey, 'CKK_AES', 'mocklabel', 1)
@mock.patch('barbican.plugin.crypto.pkcs11.PKCS11')
def test_hsm_gen_mkek(self, mock_pkcs11):
mock_pkcs11.return_value.get_session.return_value = 1
@ -194,6 +204,16 @@ class TestBarbicanManage(TestBarbicanManageBase):
mock_genkey, 'CKK_AES', 48, 'CKM_AES_KEY_GEN', 1, 'mocklabel',
encrypt=True, wrap=True, master_key=True)
@mock.patch('barbican.plugin.crypto.pkcs11.PKCS11')
def test_hsm_check_hmac(self, mock_pkcs11):
mock_pkcs11.return_value.get_session.return_value = 1
mock_pkcs11.return_value.get_key_handle.return_value = 1
mock_getkey = mock_pkcs11.return_value.get_key_handle
self._main_test_helper(
['barbican.cmd.barbican_manage', 'hsm', 'check_hmac',
'--library-path', 'mocklib', '--passphrase', 'mockpassewd',
'--label', 'mocklabel'], mock_getkey, 'CKK_AES', 'mocklabel', 1)
@mock.patch('barbican.plugin.crypto.pkcs11.PKCS11')
def test_hsm_gen_hmac_non_default_length(self, mock_pkcs11):
mock_pkcs11.return_value.get_session.return_value = 1
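Review bot: test_hsm_check_mkek and test_hsm_check_hmac only cover the found path (`get_key_handle.return_value = 1`); the branch the calling script actually relies on — a missing label ending in `sys.exit(1)` — is not exercised, so a regression that prints the message but does not exit would still pass. A second case per command that sets `mock_pkcs11.return_value.get_key_handle.return_value = None` and asserts `SystemExit` (for example with `self.assertRaises(SystemExit)` around the same invocation, depending on how `_main_test_helper` handles a non-zero exit, which is outside the hunk) would pin that contract. test_hsm_check_hmac also exercises only the `--key-type` default; passing `--key-type` explicitly and asserting that value reaches `get_key_handle` would cover the new argument.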


@ -0,0 +1,7 @@
---
features:
- |
Added two new subcommands to `barbican-manage hsm` that can query the HSM
to check if a MKEK or HMAC key with the given label already exists. See
`barbican-manage hsm check_mkek --help` and
`barbican-manage hsm check_hmac --help` for details.