diff --git a/barbican/plugin/dogtag.py b/barbican/plugin/dogtag.py
index 4dc437f21..95c983952 100644
--- a/barbican/plugin/dogtag.py
+++ b/barbican/plugin/dogtag.py
@@ -15,13 +15,13 @@
 import base64
 import copy
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
 import datetime
 import os
 from oslo_utils import uuidutils
 import time
-from Crypto.PublicKey import RSA # nosec
-from Crypto.Util import asn1 # nosec
 import pki
 subcas_available = True
@@ -316,51 +316,32 @@ class DogtagKRAPlugin(sstore.SecretStoreBase):
 # as it is treated as an attribute of the asymmetric key pair
 # stored in the KRA database.
- if key_spec.alg is None:
- raise sstore.SecretAlgorithmNotSupportedException('None')
-
 key_info = self.keyclient.get_key_info(key_id)
- if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM:
- recovered_key = (RSA.importKey(key_info.public_key)
- .publickey()
- .exportKey('PEM')).encode('utf-8')
- elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM:
- pub_seq = asn1.DerSequence()
- pub_seq[:] = key_info.public_key
- recovered_key = (
- ("%s\n%s%s" %
- (DogtagKRAPlugin.DSA_PUBLIC_KEY_HEADER,
- pub_seq.encode().encode("base64"),
- DogtagKRAPlugin.DSA_PUBLIC_KEY_FOOTER)
- ).encode('utf-8')
- )
- else:
- raise sstore.SecretAlgorithmNotSupportedException(
- key_spec.alg.upper()
- )
+ recovered_key = serialization.load_der_public_key(
+ key_info.public_key,
+ backend=default_backend()
+ ).public_bytes(
+ serialization.Encoding.PEM,
+ serialization.PublicFormat.PKCS1)
 elif secret_type == sstore.SecretType.PRIVATE:
 key_data = self.keyclient.retrieve_key(key_id)
- if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM:
- recovered_key = (
- (RSA.importKey(key_data.data)
- .exportKey('PEM', passphrase, 8))
- .encode('utf-8')
- )
- elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM:
- pub_seq = asn1.DerSequence()
- pub_seq[:] = key_data.data
- recovered_key = (
- ("%s\n%s%s" %
- (DogtagKRAPlugin.DSA_PRIVATE_KEY_HEADER,
- pub_seq.encode().encode("base64"),
- DogtagKRAPlugin.DSA_PRIVATE_KEY_FOOTER)
- ).encode('utf-8')
- )
+ private_key = serialization.load_der_private_key(
+ key_data.data,
+ password=None,
+ backend=default_backend()
+ )
+
+ if passphrase is not None:
+ e_alg = serialization.BestAvailableEncryption(passphrase)
 else:
- raise sstore.SecretAlgorithmNotSupportedException(
- key_spec.alg.upper()
- )
+ e_alg = serialization.NoEncryption()
+
+ recovered_key = private_key.private_bytes(
+
encoding=serialization.Encoding.PEM,
+ format=serialization.PrivateFormat.PKCS8,
+ encryption_algorithm=e_alg
+ )
 else:
 # TODO(alee-3) send transport key as well when dogtag client API
 # changes in case the transport key has changed.
diff --git a/barbican/tests/plugin/test_dogtag.py b/barbican/tests/plugin/test_dogtag.py
index 6f82792f3..a057413a5 100644
--- a/barbican/tests/plugin/test_dogtag.py
+++ b/barbican/tests/plugin/test_dogtag.py
@@ -18,7 +18,10 @@
 import datetime
 import os
 import tempfile
-from Crypto.PublicKey import RSA # nosec
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives import serialization
+
 import mock
 from requests import exceptions as request_exceptions
 import testtools
@@ -55,7 +58,9 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
 self.plugin_name = "Test Dogtag KRA plugin"
 self.cfg_mock = mock.MagicMock(name='config mock')
 self.cfg_mock.dogtag_plugin = mock.MagicMock(
- nss_db_path=self.nss_dir, plugin_name=self.plugin_name)
+ nss_db_path=self.nss_dir,
+ plugin_name=self.plugin_name,
+ retries=3)
 self.plugin = dogtag_import.DogtagKRAPlugin(self.cfg_mock)
 self.plugin.keyclient = self.keyclient_mock
@@ -163,9 +168,16 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
 self.keyclient_mock.retrieve_key.assert_called_once_with('key1', twsk)
 def test_get_private_key(self):
- test_key = RSA.generate(2048)
+ test_key = rsa.generate_private_key(
+ public_exponent=65537,
+ key_size=2048,
+ backend=default_backend()
+ )
 key_data = dogtag_key.KeyData()
- key_data.data = test_key.exportKey('DER')
+ key_data.data = test_key.private_bytes(
+ serialization.Encoding.DER,
+ serialization.PrivateFormat.PKCS8,
+ serialization.NoEncryption())
 self.keyclient_mock.retrieve_key.return_value = key_data
 secret_metadata = {
 dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
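Review bot: `serialization.PublicFormat.PKCS1` in the PUBLIC branch ties the new code to RSA and, as far as I recall, changes the bytes handed to consumers: PyCrypto's `exportKey('PEM')` on a public key emitted a SubjectPublicKeyInfo `BEGIN PUBLIC KEY` block, whereas PKCS1 emits `BEGIN RSA PUBLIC KEY`, so `serialization.PublicFormat.SubjectPublicKeyInfo` would keep the wire format stable and also serialize the DSA keys the removed `elif` branch used to handle (the matching expectation in test_get_public_key would move with it). The removed `SecretAlgorithmNotSupportedException` paths are not replaced: an unparseable or unsupported key now escapes from `load_der_public_key`, `load_der_private_key` or `public_bytes` as a cryptography `ValueError`, so callers catching the plugin's exception type see a different failure; wrapping both branches restores it, sketched below for the PUBLIC branch (key_spec is still in scope above the hunk as far as this diff shows). `BestAvailableEncryption(passphrase)` also rejects anything but a non-empty `bytes` password with `ValueError`, where the old `exportKey('PEM', passphrase, 8)` accepted a text passphrase, so it is worth confirming what the caller outside this hunk passes. The enclosing method (get_secret, judging by the tests) starts and ends outside the hunk.
```python
            key_info = self.keyclient.get_key_info(key_id)
            try:
                recovered_key = serialization.load_der_public_key(
                    key_info.public_key,
                    backend=default_backend()
                ).public_bytes(
                    serialization.Encoding.PEM,
                    serialization.PublicFormat.SubjectPublicKeyInfo)
            except ValueError:
                # cryptography reports a blob it cannot parse or serialize as
                # ValueError; keep the plugin's own exception type for callers.
                raise sstore.SecretAlgorithmNotSupportedException(
                    str(key_spec.alg))
        # … unchanged: the PRIVATE branch needs the same try/except around
        # load_der_private_key() / private_bytes() …
```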
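Review bot: `retries=3` is added to the config mock in setUp without any comment, and nothing in this diff reads it, so presumably `DogtagKRAPlugin.__init__` (outside the diff) now consumes `dogtag_plugin.retries` in a way a bare MagicMock attribute cannot satisfy. A one-line comment on that line naming the code path that needs a real integer here would keep the next reader from dropping it as unrelated to the cryptography switch. The setUp method starts and ends outside the hunk.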
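Review bot: test_get_private_key only exercises the unencrypted path; the plugin's new `passphrase is not None` branch (`BestAvailableEncryption`) has no test in this diff, and `test_store_passphrase_for_using_in_private_key_retrieval` further down appears to cover storage rather than retrieval. Because an encrypted PKCS#8 PEM carries a random salt an exact-bytes `assertEqual` is not possible there, but a test can load `result.secret` back with `serialization.load_pem_private_key(result.secret, password=<passphrase bytes>, backend=default_backend())` and compare its `private_numbers()` with `test_key.private_numbers()`. How the passphrase reaches `get_secret` is outside this hunk, so the fixture would follow whatever the existing passphrase test sets up; the test method itself continues past the hunk.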
@@ -176,13 +188,23 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
 result = self.plugin.get_secret(sstore.SecretType.PRIVATE, secret_metadata)
- self.assertEqual(test_key.exportKey('PEM').encode('utf-8'),
- result.secret)
+ self.assertEqual(
+ test_key.private_bytes(
+ serialization.Encoding.PEM,
+ serialization.PrivateFormat.PKCS8,
+ serialization.NoEncryption()),
+ result.secret
+ )
 def test_get_public_key(self):
- test_public_key = RSA.generate(2048).publickey()
+ test_public_key = rsa.generate_private_key(
+ public_exponent=65537,
+ key_size=2048,
+ backend=default_backend()).public_key()
 key_info = dogtag_key.KeyInfo()
- key_info.public_key = test_public_key.exportKey('DER')
+ key_info.public_key = test_public_key.public_bytes(
+ serialization.Encoding.DER,
+ serialization.PublicFormat.PKCS1)
 self.keyclient_mock.get_key_info.return_value = key_info
 secret_metadata = {
 dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
@@ -193,8 +215,12 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
 result = self.plugin.get_secret(sstore.SecretType.PUBLIC, secret_metadata)
- self.assertEqual(test_public_key.exportKey('PEM').encode('utf-8'),
- result.secret)
+ self.assertEqual(
+ test_public_key.public_bytes(
+ serialization.Encoding.PEM,
+ serialization.PublicFormat.PKCS1),
+ result.secret
+ )
 def test_store_passphrase_for_using_in_private_key_retrieval(self):
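Review bot: test_get_public_key builds the fake KRA reply as PKCS1 DER (`serialization.PublicFormat.PKCS1` on the `key_info.public_key` line), which bakes in an assumption about what Dogtag's `get_key_info` really returns that the test cannot confirm; if the KRA hands back a SubjectPublicKeyInfo blob, the production path is never exercised with the real input shape. `load_der_public_key` accepts both encodings, so the assertion would still hold, but a second case feeding `serialization.PublicFormat.SubjectPublicKeyInfo` DER, or a comment recording which format was checked against a real KRA, would pin it. The test_get_public_key body continues past this hunk into the next one.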