Hi all,
Attached is a patch with some initial work for the Python client
library, specifically focused on the interactions between the DRM and
the python client, and the functionality exposed in the
KeyRequestResource and KeyResource REST APIs.
The easiest way to see this code in action is to run the main function
in the KRAClient module. I usually run this in Eclipse.
You will need to set up a few things first though:
1. Install a CA/KRA. It this is not on the default ports, you will
need to modify the connection information in KRAClient.__main__
2. The python code uses python-requests to talk to the server, and
requests uses openssl. That means you need to export your DRM admin
cert to a PEM file, so that it can be used for client auth. I did this
as follows:
openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out temp4.pem -nodes
Without any changes, the code in KRAClient.__main__ assumes this file
will be in /tmp/temp4.pem.
3. We do some crypto functions using NSS commands (like generating a
symmetric key or wrapping using the transport cert). Therefore, we need
to create an NSS database and populate it with the transport cert. The
code expects it to be at /tmp/drmtest/certdb
I did this as follows:
mkdir /tmp/drmtest/certdb
certutil -N -d /tmp/drmtest/certdb
chmod +r /tmp/drmtest/certdb/*
certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "transportCert cert-pki-tomcat
KRA" -a > transport_cert.txt
certutil -A -d /tmp/drmtest/certdb/ -n "kra transport cert" -i
./transport_cert.txt -a -t "u,u,u"
4. Then just run kraclient.__main__ with no arguments.
The story is still somewhat incomplete, but its a lot of code - so I
want to start getting some eyes on this.
Here is what I plan to add in subsequent patches:
1. Extract the NSS functionality into a separate module nssutil.py, and
import that module only if python-nss is actually installed. Similarly,
only define those functions that need nss if python-nss is installed.
The idea here is that the client library does not necessarily require
NSS. If NSS (and python-nss) is not installed, then the client needs to
provide things like symmetric keys and wrapping etc.
This will almost certainly be the case for Barbican, where they will
generate their own keys, and do their own wrapping.
2. Complete the generate_pki_archive_options() function, and then test
archival.
3. Add logic to handle exceptions. This will almost certainly take the
form of decorator classes that handle the various exceptions and return
codes expected.
4. The new modules pass most of the PEP8 conventions as detected by
pylint. One thing that pylint does not like is having attribute names
that are camelCased. The reason those are there is because they
represent the actual names/attributes as passed over in JSON by the
server. We populate the relevant objects by doing something like this:
def from_dict(self, attr_list):
''' Return KeyInfo from JSON dict '''
for key in attr_list:
setattr(self, key, attr_list[key])
return self
I plan to add a small conversion function that convert camelCased
attribute names to camel_cased to conform with PEP8.
Please review,
Ade