Remove pycrypto from dogtag plugin
Change-Id: Ib9771f9d8ab5f49968d6ca328c28c94bba49066d
parent
e708ff3413
commit
452d827074
@ -15,13 +15,13 @@
|
|||
|
||||
import base64
|
||||
import copy
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
from cryptography.hazmat.primitives import serialization
|
||||
import datetime
|
||||
import os
|
||||
from oslo_utils import uuidutils
|
||||
import time
|
||||
|
||||
from Crypto.PublicKey import RSA # nosec
|
||||
from Crypto.Util import asn1 # nosec
|
||||
import pki
|
||||
|
||||
subcas_available = True
|
||||
|
@ -316,51 +316,32 @@ class DogtagKRAPlugin(sstore.SecretStoreBase):
|
|||
# as it is treated as an attribute of the asymmetric key pair
|
||||
# stored in the KRA database.
|
||||
|
||||
if key_spec.alg is None:
|
||||
raise sstore.SecretAlgorithmNotSupportedException('None')
|
||||
|
||||
key_info = self.keyclient.get_key_info(key_id)
|
||||
if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM:
|
||||
recovered_key = (RSA.importKey(key_info.public_key)
|
||||
.publickey()
|
||||
.exportKey('PEM')).encode('utf-8')
|
||||
elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM:
|
||||
pub_seq = asn1.DerSequence()
|
||||
pub_seq[:] = key_info.public_key
|
||||
recovered_key = (
|
||||
("%s\n%s%s" %
|
||||
(DogtagKRAPlugin.DSA_PUBLIC_KEY_HEADER,
|
||||
pub_seq.encode().encode("base64"),
|
||||
DogtagKRAPlugin.DSA_PUBLIC_KEY_FOOTER)
|
||||
).encode('utf-8')
|
||||
)
|
||||
else:
|
||||
raise sstore.SecretAlgorithmNotSupportedException(
|
||||
key_spec.alg.upper()
|
||||
)
|
||||
recovered_key = serialization.load_der_public_key(
|
||||
key_info.public_key,
|
||||
backend=default_backend()
|
||||
).public_bytes(
|
||||
serialization.Encoding.PEM,
|
||||
serialization.PublicFormat.PKCS1)
|
||||
|
||||
elif secret_type == sstore.SecretType.PRIVATE:
|
||||
key_data = self.keyclient.retrieve_key(key_id)
|
||||
if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM:
|
||||
recovered_key = (
|
||||
(RSA.importKey(key_data.data)
|
||||
.exportKey('PEM', passphrase, 8))
|
||||
.encode('utf-8')
|
||||
)
|
||||
elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM:
|
||||
pub_seq = asn1.DerSequence()
|
||||
pub_seq[:] = key_data.data
|
||||
recovered_key = (
|
||||
("%s\n%s%s" %
|
||||
(DogtagKRAPlugin.DSA_PRIVATE_KEY_HEADER,
|
||||
pub_seq.encode().encode("base64"),
|
||||
DogtagKRAPlugin.DSA_PRIVATE_KEY_FOOTER)
|
||||
).encode('utf-8')
|
||||
)
|
||||
private_key = serialization.load_der_private_key(
|
||||
key_data.data,
|
||||
password=None,
|
||||
backend=default_backend()
|
||||
)
|
||||
|
||||
if passphrase is not None:
|
||||
e_alg = serialization.BestAvailableEncryption(passphrase)
|
||||
else:
|
||||
raise sstore.SecretAlgorithmNotSupportedException(
|
||||
key_spec.alg.upper()
|
||||
)
|
||||
e_alg = serialization.NoEncryption()
|
||||
|
||||
recovered_key = private_key.private_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PrivateFormat.PKCS8,
|
||||
encryption_algorithm=e_alg
|
||||
)
|
||||
else:
|
||||
# TODO(alee-3) send transport key as well when dogtag client API
|
||||
# changes in case the transport key has changed.
|
||||
|
|
|
@ -18,7 +18,10 @@ import datetime
|
|||
import os
|
||||
import tempfile
|
||||
|
||||
from Crypto.PublicKey import RSA # nosec
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||
from cryptography.hazmat.primitives import serialization
|
||||
|
||||
import mock
|
||||
from requests import exceptions as request_exceptions
|
||||
import testtools
|
||||
|
@ -55,7 +58,9 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
|
|||
self.plugin_name = "Test Dogtag KRA plugin"
|
||||
self.cfg_mock = mock.MagicMock(name='config mock')
|
||||
self.cfg_mock.dogtag_plugin = mock.MagicMock(
|
||||
nss_db_path=self.nss_dir, plugin_name=self.plugin_name)
|
||||
nss_db_path=self.nss_dir,
|
||||
plugin_name=self.plugin_name,
|
||||
retries=3)
|
||||
self.plugin = dogtag_import.DogtagKRAPlugin(self.cfg_mock)
|
||||
self.plugin.keyclient = self.keyclient_mock
|
||||
|
||||
|
@ -163,9 +168,16 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
|
|||
self.keyclient_mock.retrieve_key.assert_called_once_with('key1', twsk)
|
||||
|
||||
def test_get_private_key(self):
|
||||
test_key = RSA.generate(2048)
|
||||
test_key = rsa.generate_private_key(
|
||||
public_exponent=65537,
|
||||
key_size=2048,
|
||||
backend=default_backend()
|
||||
)
|
||||
key_data = dogtag_key.KeyData()
|
||||
key_data.data = test_key.exportKey('DER')
|
||||
key_data.data = test_key.private_bytes(
|
||||
serialization.Encoding.DER,
|
||||
serialization.PrivateFormat.PKCS8,
|
||||
serialization.NoEncryption())
|
||||
self.keyclient_mock.retrieve_key.return_value = key_data
|
||||
secret_metadata = {
|
||||
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
|
||||
|
@ -176,13 +188,23 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
|
|||
result = self.plugin.get_secret(sstore.SecretType.PRIVATE,
|
||||
secret_metadata)
|
||||
|
||||
self.assertEqual(test_key.exportKey('PEM').encode('utf-8'),
|
||||
result.secret)
|
||||
self.assertEqual(
|
||||
test_key.private_bytes(
|
||||
serialization.Encoding.PEM,
|
||||
serialization.PrivateFormat.PKCS8,
|
||||
serialization.NoEncryption()),
|
||||
result.secret
|
||||
)
|
||||
|
||||
def test_get_public_key(self):
|
||||
test_public_key = RSA.generate(2048).publickey()
|
||||
test_public_key = rsa.generate_private_key(
|
||||
public_exponent=65537,
|
||||
key_size=2048,
|
||||
backend=default_backend()).public_key()
|
||||
key_info = dogtag_key.KeyInfo()
|
||||
key_info.public_key = test_public_key.exportKey('DER')
|
||||
key_info.public_key = test_public_key.public_bytes(
|
||||
serialization.Encoding.DER,
|
||||
serialization.PublicFormat.PKCS1)
|
||||
self.keyclient_mock.get_key_info.return_value = key_info
|
||||
secret_metadata = {
|
||||
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
|
||||
|
@ -193,8 +215,12 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
|
|||
result = self.plugin.get_secret(sstore.SecretType.PUBLIC,
|
||||
secret_metadata)
|
||||
|
||||
self.assertEqual(test_public_key.exportKey('PEM').encode('utf-8'),
|
||||
result.secret)
|
||||
self.assertEqual(
|
||||
test_public_key.public_bytes(
|
||||
serialization.Encoding.PEM,
|
||||
serialization.PublicFormat.PKCS1),
|
||||
result.secret
|
||||
)
|
||||
|
||||
def test_store_passphrase_for_using_in_private_key_retrieval(self):
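Review bot: Both rewritten tests (`test_get_private_key`, `test_get_public_key`) exercise only RSA keys, so nothing now asserts what `get_secret` does for a non-RSA key even though the plugin's per-algorithm dispatch was removed in the same commit. A test that sets `key_info.public_key` to a DSA or EC key's DER encoding and asserts the exception type the plugin is meant to raise would pin that behaviour instead of leaving it to cryptography's `ValueError`. The `assertEqual` checks themselves are sound, since they compare the same `serialization` output the plugin is expected to produce against `result.secret`; the class continues outside the hunk.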
|
||||
|
||||
|