Remove pycrypto from dogtag plugin

Change-Id: Ib9771f9d8ab5f49968d6ca328c28c94bba49066d
Ade Lee 2018-04-27 16:39:40 +00:00
parent e708ff3413
commit 452d827074
2 changed files with 59 additions and 52 deletions


@ -15,13 +15,13 @@
import base64
import copy
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import datetime
import os
from oslo_utils import uuidutils
import time
from Crypto.PublicKey import RSA # nosec
from Crypto.Util import asn1 # nosec
import pki
subcas_available = True
@ -316,51 +316,32 @@ class DogtagKRAPlugin(sstore.SecretStoreBase):
# as it is treated as an attribute of the asymmetric key pair
# stored in the KRA database.
if key_spec.alg is None:
raise sstore.SecretAlgorithmNotSupportedException('None')
key_info = self.keyclient.get_key_info(key_id)
if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM:
recovered_key = (RSA.importKey(key_info.public_key)
.publickey()
.exportKey('PEM')).encode('utf-8')
elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM:
pub_seq = asn1.DerSequence()
pub_seq[:] = key_info.public_key
recovered_key = (
("%s\n%s%s" %
(DogtagKRAPlugin.DSA_PUBLIC_KEY_HEADER,
pub_seq.encode().encode("base64"),
DogtagKRAPlugin.DSA_PUBLIC_KEY_FOOTER)
).encode('utf-8')
)
else:
raise sstore.SecretAlgorithmNotSupportedException(
key_spec.alg.upper()
)
recovered_key = serialization.load_der_public_key(
key_info.public_key,
backend=default_backend()
).public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.PKCS1)
elif secret_type == sstore.SecretType.PRIVATE:
key_data = self.keyclient.retrieve_key(key_id)
if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM:
recovered_key = (
(RSA.importKey(key_data.data)
.exportKey('PEM', passphrase, 8))
.encode('utf-8')
)
elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM:
pub_seq = asn1.DerSequence()
pub_seq[:] = key_data.data
recovered_key = (
("%s\n%s%s" %
(DogtagKRAPlugin.DSA_PRIVATE_KEY_HEADER,
pub_seq.encode().encode("base64"),
DogtagKRAPlugin.DSA_PRIVATE_KEY_FOOTER)
).encode('utf-8')
)
private_key = serialization.load_der_private_key(
key_data.data,
password=None,
backend=default_backend()
)
if passphrase is not None:
e_alg = serialization.BestAvailableEncryption(passphrase)
else:
raise sstore.SecretAlgorithmNotSupportedException(
key_spec.alg.upper()
)
e_alg = serialization.NoEncryption()
recovered_key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=e_alg
)
else:
# TODO(alee-3) send transport key as well when dogtag client API
# changes in case the transport key has changed.
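Review bot: The new public-key path (the `serialization.load_der_public_key(...).public_bytes(...)` call ending at the `serialization.PublicFormat.PKCS1)` line) no longer branches on `key_spec.alg`, yet `PublicFormat.PKCS1` is an RSA-only encoding in cryptography; if the KRA returns a DSA key, which the removed `asn1.DerSequence` branch used to handle, `public_bytes` raises `ValueError` instead of the plugin's `SecretAlgorithmNotSupportedException`, so callers catching the plugin exception no longer see it. The surviving `if key_spec.alg is None` guard now validates a value that, as far as this hunk shows, is never used afterwards. Restoring an explicit check before the load, `if key_spec.alg.upper() != key.KeyClient.RSA_ALGORITHM:` / `raise sstore.SecretAlgorithmNotSupportedException(key_spec.alg.upper())`, keeps the error contract (or switch both the plugin and its test to `PublicFormat.SubjectPublicKeyInfo` if non-RSA keys are meant to be supported). Separately, `serialization.BestAvailableEncryption(passphrase)` requires `bytes`; where `passphrase` originates is outside this hunk, so confirm it is encoded before that call rather than relying on a `TypeError` at retrieval time. The enclosing method starts and ends outside the hunk.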


@ -18,7 +18,10 @@ import datetime
import os
import tempfile
from Crypto.PublicKey import RSA # nosec
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
import mock
from requests import exceptions as request_exceptions
import testtools
@ -55,7 +58,9 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
self.plugin_name = "Test Dogtag KRA plugin"
self.cfg_mock = mock.MagicMock(name='config mock')
self.cfg_mock.dogtag_plugin = mock.MagicMock(
nss_db_path=self.nss_dir, plugin_name=self.plugin_name)
nss_db_path=self.nss_dir,
plugin_name=self.plugin_name,
retries=3)
self.plugin = dogtag_import.DogtagKRAPlugin(self.cfg_mock)
self.plugin.keyclient = self.keyclient_mock
@ -163,9 +168,16 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
self.keyclient_mock.retrieve_key.assert_called_once_with('key1', twsk)
def test_get_private_key(self):
test_key = RSA.generate(2048)
test_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
key_data = dogtag_key.KeyData()
key_data.data = test_key.exportKey('DER')
key_data.data = test_key.private_bytes(
serialization.Encoding.DER,
serialization.PrivateFormat.PKCS8,
serialization.NoEncryption())
self.keyclient_mock.retrieve_key.return_value = key_data
secret_metadata = {
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
@ -176,13 +188,23 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
result = self.plugin.get_secret(sstore.SecretType.PRIVATE,
secret_metadata)
self.assertEqual(test_key.exportKey('PEM').encode('utf-8'),
result.secret)
self.assertEqual(
test_key.private_bytes(
serialization.Encoding.PEM,
serialization.PrivateFormat.PKCS8,
serialization.NoEncryption()),
result.secret
)
def test_get_public_key(self):
test_public_key = RSA.generate(2048).publickey()
test_public_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()).public_key()
key_info = dogtag_key.KeyInfo()
key_info.public_key = test_public_key.exportKey('DER')
key_info.public_key = test_public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.PKCS1)
self.keyclient_mock.get_key_info.return_value = key_info
secret_metadata = {
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
@ -193,8 +215,12 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
result = self.plugin.get_secret(sstore.SecretType.PUBLIC,
secret_metadata)
self.assertEqual(test_public_key.exportKey('PEM').encode('utf-8'),
result.secret)
self.assertEqual(
test_public_key.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.PKCS1),
result.secret
)
def test_store_passphrase_for_using_in_private_key_retrieval(self):
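Review bot: Both rewritten tests generate a fresh 2048-bit RSA key inline (the `rsa.generate_private_key(` blocks in `test_get_private_key` and `test_get_public_key`), which is the dominant cost of these tests and is paid on every run; generating the key once at module level, e.g. `_TEST_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())`, and reusing it in both tests keeps the suite fast without changing what is asserted. The new `serialization.PublicFormat.PKCS1` assertion pins the plugin to an RSA-only public-key encoding, so a companion test feeding a non-RSA `KeyInfo` and asserting `sstore.SecretAlgorithmNotSupportedException` would document the intended behaviour now that the per-algorithm branches are gone; whether the plugin still checks the algorithm is not visible from this section. The `retries=3` added to the config mock suggests the plugin reads that option, but nothing in this diff shows where, so a one-line comment on that mock naming the consumer would help the next reader.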