Remove pycrypto from dogtag plugin
Change-Id: Ib9771f9d8ab5f49968d6ca328c28c94bba49066d
This commit is contained in:
parent
e708ff3413
commit
452d827074
@ -15,13 +15,13 @@
import base64
import base64
import copy
import copy
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import datetime
import datetime
import os
import os
from oslo_utils import uuidutils
from oslo_utils import uuidutils
import time
import time
from Crypto.PublicKey import RSA # nosec
from Crypto.Util import asn1 # nosec
import pki
import pki
subcas_available = True
subcas_available = True
@ -316,51 +316,32 @@ class DogtagKRAPlugin(sstore.SecretStoreBase):
# as it is treated as an attribute of the asymmetric key pair
# as it is treated as an attribute of the asymmetric key pair
# stored in the KRA database.
# stored in the KRA database.
if key_spec.alg is None:
raise sstore.SecretAlgorithmNotSupportedException('None')
key_info = self.keyclient.get_key_info(key_id)
key_info = self.keyclient.get_key_info(key_id)
if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM:
recovered_key = serialization.load_der_public_key(
recovered_key = (RSA.importKey(key_info.public_key)
key_info.public_key,
.publickey()
backend=default_backend()
.exportKey('PEM')).encode('utf-8')
).public_bytes(
elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM:
serialization.Encoding.PEM,
pub_seq = asn1.DerSequence()
serialization.PublicFormat.PKCS1)
pub_seq[:] = key_info.public_key
recovered_key = (
("%s\n%s%s" %
(DogtagKRAPlugin.DSA_PUBLIC_KEY_HEADER,
pub_seq.encode().encode("base64"),
DogtagKRAPlugin.DSA_PUBLIC_KEY_FOOTER)
).encode('utf-8')
)
else:
raise sstore.SecretAlgorithmNotSupportedException(
key_spec.alg.upper()
)
elif secret_type == sstore.SecretType.PRIVATE:
elif secret_type == sstore.SecretType.PRIVATE:
key_data = self.keyclient.retrieve_key(key_id)
key_data = self.keyclient.retrieve_key(key_id)
if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM:
private_key = serialization.load_der_private_key(
recovered_key = (
key_data.data,
(RSA.importKey(key_data.data)
password=None,
.exportKey('PEM', passphrase, 8))
backend=default_backend()
.encode('utf-8')
)
)
elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM:
if passphrase is not None:
pub_seq = asn1.DerSequence()
e_alg = serialization.BestAvailableEncryption(passphrase)
pub_seq[:] = key_data.data
recovered_key = (
("%s\n%s%s" %
(DogtagKRAPlugin.DSA_PRIVATE_KEY_HEADER,
pub_seq.encode().encode("base64"),
DogtagKRAPlugin.DSA_PRIVATE_KEY_FOOTER)
).encode('utf-8')
)
else:
else:
raise sstore.SecretAlgorithmNotSupportedException(
e_alg = serialization.NoEncryption()
key_spec.alg.upper()
)
recovered_key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=e_alg
)
else:
else:
# TODO(alee-3) send transport key as well when dogtag client API
# TODO(alee-3) send transport key as well when dogtag client API
# changes in case the transport key has changed.
# changes in case the transport key has changed.
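Review bot: The rewritten public-key branch (load_der_public_key(...).public_bytes(PEM, PublicFormat.PKCS1)) drops the key_spec.alg checks together with the DSA branch, so unless a caller validates earlier, a stored non-RSA key or a None algorithm now fails inside cryptography with a ValueError (PublicFormat.PKCS1 is defined only for RSA keys) instead of the SecretAlgorithmNotSupportedException that get_secret raised before; the same applies to the private branch, where PKCS8 export of a non-RSA key would now succeed silently where the old code raised. Restoring the guard ahead of both branches keeps the error contract: `if key_spec.alg is None or key_spec.alg.upper() != key.KeyClient.RSA_ALGORITHM:` / `raise sstore.SecretAlgorithmNotSupportedException(str(key_spec.alg))`. Two smaller points: if the old pycrypto exportKey('PEM') on a public key produced SubjectPublicKeyInfo ("BEGIN PUBLIC KEY", as I recall), PublicFormat.PKCS1 now emits "BEGIN RSA PUBLIC KEY" and consumers of the public secret see a header change, with PublicFormat.SubjectPublicKeyInfo being the drop-in; and BestAvailableEncryption(passphrase) requires bytes, so if passphrase reaches this method as text it must be encoded first, otherwise the passphrase path raises TypeError. The enclosing method starts and ends outside this hunk.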
@ -18,7 +18,10 @@ import datetime
import os
import os
import tempfile
import tempfile
from Crypto.PublicKey import RSA # nosec
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
import mock
import mock
from requests import exceptions as request_exceptions
from requests import exceptions as request_exceptions
import testtools
import testtools
@ -55,7 +58,9 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
self.plugin_name = "Test Dogtag KRA plugin"
self.plugin_name = "Test Dogtag KRA plugin"
self.cfg_mock = mock.MagicMock(name='config mock')
self.cfg_mock = mock.MagicMock(name='config mock')
self.cfg_mock.dogtag_plugin = mock.MagicMock(
self.cfg_mock.dogtag_plugin = mock.MagicMock(
nss_db_path=self.nss_dir, plugin_name=self.plugin_name)
nss_db_path=self.nss_dir,
plugin_name=self.plugin_name,
retries=3)
self.plugin = dogtag_import.DogtagKRAPlugin(self.cfg_mock)
self.plugin = dogtag_import.DogtagKRAPlugin(self.cfg_mock)
self.plugin.keyclient = self.keyclient_mock
self.plugin.keyclient = self.keyclient_mock
@ -163,9 +168,16 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
self.keyclient_mock.retrieve_key.assert_called_once_with('key1', twsk)
self.keyclient_mock.retrieve_key.assert_called_once_with('key1', twsk)
def test_get_private_key(self):
def test_get_private_key(self):
test_key = RSA.generate(2048)
test_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
key_data = dogtag_key.KeyData()
key_data = dogtag_key.KeyData()
key_data.data = test_key.exportKey('DER')
key_data.data = test_key.private_bytes(
serialization.Encoding.DER,
serialization.PrivateFormat.PKCS8,
serialization.NoEncryption())
self.keyclient_mock.retrieve_key.return_value = key_data
self.keyclient_mock.retrieve_key.return_value = key_data
secret_metadata = {
secret_metadata = {
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
@ -176,13 +188,23 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
result = self.plugin.get_secret(sstore.SecretType.PRIVATE,
result = self.plugin.get_secret(sstore.SecretType.PRIVATE,
secret_metadata)
secret_metadata)
self.assertEqual(test_key.exportKey('PEM').encode('utf-8'),
self.assertEqual(
result.secret)
test_key.private_bytes(
serialization.Encoding.PEM,
serialization.PrivateFormat.PKCS8,
serialization.NoEncryption()),
result.secret
)
def test_get_public_key(self):
def test_get_public_key(self):
test_public_key = RSA.generate(2048).publickey()
test_public_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()).public_key()
key_info = dogtag_key.KeyInfo()
key_info = dogtag_key.KeyInfo()
key_info.public_key = test_public_key.exportKey('DER')
key_info.public_key = test_public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.PKCS1)
self.keyclient_mock.get_key_info.return_value = key_info
self.keyclient_mock.get_key_info.return_value = key_info
secret_metadata = {
secret_metadata = {
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
@ -193,8 +215,12 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
result = self.plugin.get_secret(sstore.SecretType.PUBLIC,
result = self.plugin.get_secret(sstore.SecretType.PUBLIC,
secret_metadata)
secret_metadata)
self.assertEqual(test_public_key.exportKey('PEM').encode('utf-8'),
self.assertEqual(
result.secret)
test_public_key.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.PKCS1),
result.secret
)
def test_store_passphrase_for_using_in_private_key_retrieval(self):
def test_store_passphrase_for_using_in_private_key_retrieval(self):
|
||||||
|
|
||||||
|
|
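Review bot: test_get_public_key and test_get_private_key now derive the expected value with the same serialization calls the plugin itself uses (Encoding.PEM with PublicFormat.PKCS1 and PrivateFormat.PKCS8), so they confirm only that the mock round-trips and would not notice a change in the emitted PEM header, which is the externally visible contract of the returned secret; pinning the literal header, `self.assertTrue(result.secret.startswith(b'-----BEGIN RSA PUBLIC KEY-----'))` for the public case and `b'-----BEGIN PRIVATE KEY-----'` for the private one, keeps that contract under test. Nothing in the visible hunks exercises the new BestAvailableEncryption branch or the removed algorithm check, and test_store_passphrase_for_using_in_private_key_retrieval looks like it covers the store side only, so a get_secret call with a passphrase asserting `b'-----BEGIN ENCRYPTED PRIVATE KEY-----'` plus one asserting SecretAlgorithmNotSupportedException for a non-RSA ALG would cover the branches this commit changed. Generating a fresh 2048-bit key per test is also the slowest thing here; a module-level key built once, or a smaller key for a pure format check, keeps the suite fast. The enclosing test class starts and ends outside these hunks.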