From ec465b2e827d81471f8ef7ba3895008f34369ce8 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 26 Feb 2019 16:44:13 -0500
Subject: [PATCH] Fixes for rewrap

If the old and new MKEK and HMAC keys are the same, then no need to rewrap the pkek. Added code to skip processing in this case.

Also, added deprecation message for calling pkcs11_kek_rewrap.py directly. We should be using barbican-manage instead.

Also, fix incorrect calls to pkcs11 module by adding missing key type parameter. We implicitly assume here that the key type will not change.

Change-Id: Ic8556072468bc27230d3ebcaf2d54167f9f2116f
---
 barbican/cmd/pkcs11_kek_rewrap.py | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/barbican/cmd/pkcs11_kek_rewrap.py b/barbican/cmd/pkcs11_kek_rewrap.py
index 1d99dc380..38167575c 100644
--- a/barbican/cmd/pkcs11_kek_rewrap.py
+++ b/barbican/cmd/pkcs11_kek_rewrap.py
@@ -45,13 +45,25 @@ class KekRewrap(object):
         self.hsm_session = self.pkcs11.get_session()
         self.new_mkek_label = self.crypto_plugin.mkek_label
         self.new_hmac_label = self.crypto_plugin.hmac_label
-        self.new_mkek = self.crypto_plugin._get_master_key(self.new_mkek_label)
-        self.new_mkhk = self.crypto_plugin._get_master_key(self.new_hmac_label)
+        self.new_mkek_type = self.crypto_plugin.mkek_key_type
+        self.new_hmac_type = self.crypto_plugin.hmac_key_type
+        self.new_mkek = self.crypto_plugin._get_master_key(
+            self.new_mkek_type,
+            self.new_mkek_label)
+        self.new_mkhk = self.crypto_plugin._get_master_key(
+            self.new_hmac_type,
+            self.new_hmac_label)
 
     def rewrap_kek(self, project, kek):
         with self.db_session.begin():
             meta_dict = json.loads(kek.plugin_meta)
 
+            # check if old and new mkek and hmac labels are the same
+            # if so, skip this kek.
+            if (self.new_mkek_label == meta_dict['mkek_label'] and
+                    self.new_hmac_label == meta_dict['hmac_label']):
+                return
+
             if self.dry_run:
                 msg = 'Would have unwrapped key with {} and rewrapped with {}'
                 print(msg.format(meta_dict['mkek_label'], self.new_mkek_label))
@@ -64,12 +76,20 @@ class KekRewrap(object):
 
             session = self.hsm_session
 
+            # TODO(alee) We never store the mkek and hmac key types in the db
+            # record for the KEK metadata.  Therefore, for now assume that the
+            # key types will not change.
+
             # Get KEK's master keys
             kek_mkek = self.pkcs11.get_key_handle(
-                meta_dict['mkek_label'], session
+                self.new_mkek_type,
+                meta_dict['mkek_label'],
+                session
             )
             kek_mkhk = self.pkcs11.get_key_handle(
-                meta_dict['hmac_label'], session
+                self.new_hmac_type,
+                meta_dict['hmac_label'],
+                session
             )
             # Decode data
             iv = base64.b64decode(meta_dict['iv'])
@@ -160,6 +180,9 @@ def main():
     )
     args = parser.parse_args()
 
+    print("Warning: Calling this utility directly is deprecated. "
+          "Please use barbican-manage instead")
+
     rewrapper = KekRewrap(CONF)
     rewrapper.execute(args.dry_run)
     rewrapper.pkcs11.return_session(rewrapper.hsm_session)
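Review bot: The early `return` added in `rewrap_kek` skips silently, so in dry-run mode an operator gets no line at all for KEKs whose labels already match and cannot tell a skipped KEK from one the tool never reached. It also decides on labels alone; since the key type is not recorded in plugin_meta (per the TODO elsewhere in this patch), a KEK wrapped under a same-labelled key of a different type would be skipped too. Consider reporting the skip before returning, e.g. `if self.dry_run: print('Would skip KEK already wrapped with {}'.format(meta_dict['mkek_label']))`, and stating the label-only assumption in the comment above the check. `__init__` starts before this hunk and `rewrap_kek` continues past it.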
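Review bot: `get_key_handle` is now queried with the new key types against the old labels, and nothing in this hunk checks the returned `kek_mkek`/`kek_mkhk` before they are used for the unwrap further down, so a master key created under a different key type would surface as an opaque PKCS#11 failure rather than a message naming the label. A guard such as `if kek_mkek is None or kek_mkhk is None: raise ValueError('master key not found for {} / {}'.format(meta_dict['mkek_label'], meta_dict['hmac_label']))` would make that explicit — this assumes from the name that a miss returns None rather than raising, which I cannot confirm from here. To retire the TODO, the rewritten plugin_meta (written back outside this hunk) could also record `mkek_key_type` and `hmac_key_type` alongside the labels, so the next rewrap reads the old type instead of assuming it. The enclosing `rewrap_kek` starts and ends outside this hunk.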
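Review bot: The deprecation warning goes to stdout via `print`, where it interleaves with the dry-run report this tool also prints and cannot be filtered like a real warning. Emit it on stderr, `print("Warning: Calling this utility directly is deprecated. Please use barbican-manage instead", file=sys.stderr)`, or via `warnings.warn(..., DeprecationWarning)`; whether `sys` or `warnings` is already imported is outside this view. `main()` starts before this hunk.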