Remove pycrypto from dogtag plugin

Change-Id: Ib9771f9d8ab5f49968d6ca328c28c94bba49066d
Ade Lee 2018-04-27 16:39:40 +00:00
parent e708ff3413
commit 452d827074
2 changed files with 59 additions and 52 deletions


@ -15,13 +15,13 @@
import base64 import base64
import copy import copy
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
import datetime import datetime
import os import os
from oslo_utils import uuidutils from oslo_utils import uuidutils
import time import time
from Crypto.PublicKey import RSA # nosec
from Crypto.Util import asn1 # nosec
import pki import pki
subcas_available = True subcas_available = True
@ -316,51 +316,32 @@ class DogtagKRAPlugin(sstore.SecretStoreBase):
# as it is treated as an attribute of the asymmetric key pair # as it is treated as an attribute of the asymmetric key pair
# stored in the KRA database. # stored in the KRA database.
if key_spec.alg is None:
raise sstore.SecretAlgorithmNotSupportedException('None')
key_info = self.keyclient.get_key_info(key_id) key_info = self.keyclient.get_key_info(key_id)
if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM: recovered_key = serialization.load_der_public_key(
recovered_key = (RSA.importKey(key_info.public_key) key_info.public_key,
.publickey() backend=default_backend()
.exportKey('PEM')).encode('utf-8') ).public_bytes(
elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM: serialization.Encoding.PEM,
pub_seq = asn1.DerSequence() serialization.PublicFormat.PKCS1)
pub_seq[:] = key_info.public_key
recovered_key = (
("%s\n%s%s" %
(DogtagKRAPlugin.DSA_PUBLIC_KEY_HEADER,
pub_seq.encode().encode("base64"),
DogtagKRAPlugin.DSA_PUBLIC_KEY_FOOTER)
).encode('utf-8')
)
else:
raise sstore.SecretAlgorithmNotSupportedException(
key_spec.alg.upper()
)
elif secret_type == sstore.SecretType.PRIVATE: elif secret_type == sstore.SecretType.PRIVATE:
key_data = self.keyclient.retrieve_key(key_id) key_data = self.keyclient.retrieve_key(key_id)
if key_spec.alg.upper() == key.KeyClient.RSA_ALGORITHM: private_key = serialization.load_der_private_key(
recovered_key = ( key_data.data,
(RSA.importKey(key_data.data) password=None,
.exportKey('PEM', passphrase, 8)) backend=default_backend()
.encode('utf-8') )
)
elif key_spec.alg.upper() == key.KeyClient.DSA_ALGORITHM: if passphrase is not None:
pub_seq = asn1.DerSequence() e_alg = serialization.BestAvailableEncryption(passphrase)
pub_seq[:] = key_data.data
recovered_key = (
("%s\n%s%s" %
(DogtagKRAPlugin.DSA_PRIVATE_KEY_HEADER,
pub_seq.encode().encode("base64"),
DogtagKRAPlugin.DSA_PRIVATE_KEY_FOOTER)
).encode('utf-8')
)
else: else:
raise sstore.SecretAlgorithmNotSupportedException( e_alg = serialization.NoEncryption()
key_spec.alg.upper()
) recovered_key = private_key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=e_alg
)
else: else:
# TODO(alee-3) send transport key as well when dogtag client API # TODO(alee-3) send transport key as well when dogtag client API
# changes in case the transport key has changed. # changes in case the transport key has changed.
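Review bot: The PUBLIC branch no longer dispatches on key_spec.alg, so a stored DSA key now fails inside cryptography (PublicFormat.PKCS1 is RSA-only, raising ValueError) instead of the SecretAlgorithmNotSupportedException the old code raised, and the DSA_PUBLIC_KEY_HEADER/FOOTER constants appear to be left unused. Either restore the guard before the load, `if key_spec.alg.upper() != key.KeyClient.RSA_ALGORITHM: raise sstore.SecretAlgorithmNotSupportedException(key_spec.alg.upper())`, or export with `serialization.PublicFormat.SubjectPublicKeyInfo`, which is algorithm-agnostic and, I believe, matches the `-----BEGIN PUBLIC KEY-----` form pycrypto's exportKey('PEM') produced for public keys — the PKCS1 output changes the PEM header callers receive. In the PRIVATE branch, `BestAvailableEncryption(passphrase)` requires a non-empty bytes value; if passphrase can arrive as text (pycrypto accepted a str), it should be encoded before this call, but where passphrase is built is outside the hunk. The enclosing get_secret method starts and ends outside this hunk.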


@ -18,7 +18,10 @@ import datetime
import os import os
import tempfile import tempfile
from Crypto.PublicKey import RSA # nosec from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
import mock import mock
from requests import exceptions as request_exceptions from requests import exceptions as request_exceptions
import testtools import testtools
@ -55,7 +58,9 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
self.plugin_name = "Test Dogtag KRA plugin" self.plugin_name = "Test Dogtag KRA plugin"
self.cfg_mock = mock.MagicMock(name='config mock') self.cfg_mock = mock.MagicMock(name='config mock')
self.cfg_mock.dogtag_plugin = mock.MagicMock( self.cfg_mock.dogtag_plugin = mock.MagicMock(
nss_db_path=self.nss_dir, plugin_name=self.plugin_name) nss_db_path=self.nss_dir,
plugin_name=self.plugin_name,
retries=3)
self.plugin = dogtag_import.DogtagKRAPlugin(self.cfg_mock) self.plugin = dogtag_import.DogtagKRAPlugin(self.cfg_mock)
self.plugin.keyclient = self.keyclient_mock self.plugin.keyclient = self.keyclient_mock
@ -163,9 +168,16 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
self.keyclient_mock.retrieve_key.assert_called_once_with('key1', twsk) self.keyclient_mock.retrieve_key.assert_called_once_with('key1', twsk)
def test_get_private_key(self): def test_get_private_key(self):
test_key = RSA.generate(2048) test_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()
)
key_data = dogtag_key.KeyData() key_data = dogtag_key.KeyData()
key_data.data = test_key.exportKey('DER') key_data.data = test_key.private_bytes(
serialization.Encoding.DER,
serialization.PrivateFormat.PKCS8,
serialization.NoEncryption())
self.keyclient_mock.retrieve_key.return_value = key_data self.keyclient_mock.retrieve_key.return_value = key_data
secret_metadata = { secret_metadata = {
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA, dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
@ -176,13 +188,23 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
result = self.plugin.get_secret(sstore.SecretType.PRIVATE, result = self.plugin.get_secret(sstore.SecretType.PRIVATE,
secret_metadata) secret_metadata)
self.assertEqual(test_key.exportKey('PEM').encode('utf-8'), self.assertEqual(
result.secret) test_key.private_bytes(
serialization.Encoding.PEM,
serialization.PrivateFormat.PKCS8,
serialization.NoEncryption()),
result.secret
)
def test_get_public_key(self): def test_get_public_key(self):
test_public_key = RSA.generate(2048).publickey() test_public_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048,
backend=default_backend()).public_key()
key_info = dogtag_key.KeyInfo() key_info = dogtag_key.KeyInfo()
key_info.public_key = test_public_key.exportKey('DER') key_info.public_key = test_public_key.public_bytes(
serialization.Encoding.DER,
serialization.PublicFormat.PKCS1)
self.keyclient_mock.get_key_info.return_value = key_info self.keyclient_mock.get_key_info.return_value = key_info
secret_metadata = { secret_metadata = {
dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA, dogtag_import.DogtagKRAPlugin.ALG: sstore.KeyAlgorithm.RSA,
@ -193,8 +215,12 @@ class WhenTestingDogtagKRAPlugin(utils.BaseTestCase):
result = self.plugin.get_secret(sstore.SecretType.PUBLIC, result = self.plugin.get_secret(sstore.SecretType.PUBLIC,
secret_metadata) secret_metadata)
self.assertEqual(test_public_key.exportKey('PEM').encode('utf-8'), self.assertEqual(
result.secret) test_public_key.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.PKCS1),
result.secret
)
def test_store_passphrase_for_using_in_private_key_retrieval(self): def test_store_passphrase_for_using_in_private_key_retrieval(self):
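Review bot: test_get_private_key and test_get_public_key exercise only the unencrypted RSA path, so neither the new `if key_spec.alg is None` guard nor the `BestAvailableEncryption(passphrase)` branch of the plugin is covered; a test that sets passphrase in the metadata and asserts the returned PEM starts with `b'-----BEGIN ENCRYPTED PRIVATE KEY-----'`, plus one asserting SecretAlgorithmNotSupportedException for a missing alg, would pin both. Generating a fresh 2048-bit key with rsa.generate_private_key in every test is also noticeably slow; generating it once in setUp or as a class attribute keeps the suite fast without changing what is asserted. test_store_passphrase_for_using_in_private_key_retrieval continues outside this section.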