[PATCH] pki-common key fixes
by Kent Lamb
Hi,
In working for the NIST SP800-108 and GP key sanity check patches, some additional items were found with ComputeSessionKey error reporting and DiversifyKey mkmappings
-kent
10 years, 1 month
[PATCH] GP Key Sanity Checks
by Kent Lamb
Hi,
The attached TPS patch is for GP Key checks as will be required by an upcoming DoD spec doc. Doc is currently in early draft stages.
-kent
10 years, 1 month
[PATCH] NIST SP800-108 KDF
by Kent Lamb
Hi all,
The attached patches allow for newer NIST approved stronger algorithms for KDF. See NIST Special Publication 800-108. Most of the impact is in symkey. Additional mods were required for some backwards compatibility for existing card stocks that are in use under the current RHCS8.x diversification scheme.
Thanks
Kent
10 years, 1 month
[PATCH] 194 - Initial work for python client API
by Ade Lee
Hi all,
Attached is a patch with some initial work for the Python client
library, specifically focused on the interactions between the DRM and
the python client, and the functionality exposed in the
KeyRequestResource and KeyResource REST APIs.
The easiest way to see this code in action is to run the main function
in the KRAClient module. I usually run this in Eclipse.
You will need to set up a few things first though:
1. Install a CA/KRA. It this is not on the default ports, you will
need to modify the connection information in KRAClient.__main__
2. The python code uses python-requests to talk to the server, and
requests uses openssl. That means you need to export your DRM admin
cert to a PEM file, so that it can be used for client auth. I did this
as follows:
openssl pkcs12 -in ~/.dogtag/pki-tomcat/ca_admin_cert.p12 -out temp4.pem -nodes
Without any changes, the code in KRAClient.__main__ assumes this file
will be in /tmp/temp4.pem.
3. We do some crypto functions using NSS commands (like generating a
symmetric key or wrapping using the transport cert). Therefore, we need
to create an NSS database and populate it with the transport cert. The
code expects it to be at /tmp/drmtest/certdb
I did this as follows:
mkdir /tmp/drmtest/certdb
certutil -N -d /tmp/drmtest/certdb
chmod +r /tmp/drmtest/certdb/*
certutil -L -d /var/lib/pki/pki-tomcat/alias/ -n "transportCert cert-pki-tomcat KRA" -a > transport_cert.txt
certutil -A -d /tmp/drmtest/certdb/ -n "kra transport cert" -i ./transport_cert.txt -a -t "u,u,u"
4. Then just run kraclient.__main__ with no arguments.
The story is still somewhat incomplete, but its a lot of code - so I
want to start getting some eyes on this.
Here is what I plan to add in subsequent patches:
1. Extract the NSS functionality into a separate module nssutil.py, and
import that module only if python-nss is actually installed. Similarly,
only define those functions that need nss if python-nss is installed.
The idea here is that the client library does not necessarily require
NSS. If NSS (and python-nss) is not installed, then the client needs to
provide things like symmetric keys and wrapping etc.
This will almost certainly be the case for Barbican, where they will
generate their own keys, and do their own wrapping.
2. Complete the generate_pki_archive_options() function, and then test
archival.
3. Add logic to handle exceptions. This will almost certainly take the
form of decorator classes that handle the various exceptions and return
codes expected.
4. The new modules pass most of the PEP8 conventions as detected by
pylint. One thing that pylint does not like is having attribute names
that are camelCased. The reason those are there is because they
represent the actual names/attributes as passed over in JSON by the
server. We populate the relevant objects by doing something like this:
def from_dict(self, attr_list):
''' Return KeyInfo from JSON dict '''
for key in attr_list:
setattr(self, key, attr_list[key])
return self
I plan to add a small conversion function that convert camelCased
attribute names to camel_cased to conform with PEP8.
Please review,
Ade
10 years, 2 months
[PATCH] 405-407 Remaining REST changes
by Endi Sukma Dewata
The REST client/interface for CA profiles, system certificates, and keys
have been modified to return Response objects to allow better handling
of server responses.
Ticket #554
--
Endi S. Dewata
10 years, 2 months
[PATCH] 389 Updated REST interface for users.
by Endi Sukma Dewata
The REST interface for users has been modified to return Response
objects to allow better handling of server responses. Other REST
interfaces will be modified in subsequent patches. Once all interfaces
are updated, the client library can be updated to use RESTEasy 3.0 API.
Clients using the client library or XML/JSON directly are not affected
by these changes.
Ticket #554
--
Endi S. Dewata
10 years, 2 months
