From 8b30df22fba68b6c6257d480e8f303fc60ba5d7f Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 21 Nov 2014 18:45:08 -0500 Subject: [PATCH] Improvements for KeyClient.archive_encrypted_data(). The archive_encrypted_data() in KeyClient has been modified to have a default value for the algorithm OID and to take a nonce IV object instead of the base-64 encoded value. https://fedorahosted.org/pki/ticket/1155 https://fedorahosted.org/pki/ticket/1156 --- base/common/python/pki/key.py | 67 ++++++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 26 deletions(-) diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py index 1f449955b35b8fffe241669c54745ed9d3286729..bcc56747e48b21c8d666a25fa7023a70ca76f90d 100644 --- a/base/common/python/pki/key.py +++ b/base/common/python/pki/key.py @@ -686,28 +686,34 @@ class KeyClient(object): nonce_iv = self.crypto.generate_nonce_iv() session_key = self.crypto.generate_session_key() - trans_wrapped_session_key = \ - self.crypto.asymmetric_wrap(session_key, self.transport_cert) - wrapped_private_data = self.crypto.symmetric_wrap(private_data, - session_key, - nonce_iv=nonce_iv) - algorithm_oid = self.DES_EDE3_CBC_OID - symkey_params = base64.encodestring(nonce_iv) + wrapped_session_key = self.crypto.asymmetric_wrap(session_key, self.transport_cert) - return self.archive_encrypted_data(client_key_id, data_type, - wrapped_private_data, - trans_wrapped_session_key, - algorithm_oid, - symkey_params, - key_algorithm=key_algorithm, - key_size=key_size) + encrypted_data = self.crypto.symmetric_wrap( + private_data, + session_key, + nonce_iv=nonce_iv) + + return self.archive_encrypted_data( + client_key_id, + data_type, + encrypted_data, + wrapped_session_key, + algorithm_oid=None, + nonce_iv=nonce_iv, + key_algorithm=key_algorithm, + key_size=key_size) @pki.handle_exceptions() - def archive_encrypted_data(self, client_key_id, data_type, - encrypted_data, trans_wrapped_session_key, - algorithm_oid, symkey_params, - key_algorithm=None, key_size=None): + def archive_encrypted_data(self, + client_key_id, + data_type, + encrypted_data, + wrapped_session_key, + algorithm_oid=None, + nonce_iv=None, + key_algorithm=None, + key_size=None): """ Archive a secret (symmetric key or passphrase) on the DRM. @@ -715,12 +721,12 @@ class KeyClient(object): data_type, key_algorithm and key_size. The following parameters are also required: - - wrapped_private_data - which is the secret wrapped by a + - encrypted_data - which is the data encrypted by a session key (168 bit 3DES symmetric key) - - trans_wrapped_session_key - the above session key wrapped by + - wrapped_session_key - the above session key wrapped by the DRM transport certificate public key. - the algorithm_oid string for the symmetric key wrap - - the symkey_params for the symmetric key wrap + - the nonce_iv for the symmetric key wrap This function is useful if the caller wants to do their own wrapping of the secret, or if the secret was generated on a separate client @@ -739,13 +745,22 @@ class KeyClient(object): "For symmetric keys, key algorithm and key size " "must be specified") - if (encrypted_data is None) or (trans_wrapped_session_key is None) or \ - (algorithm_oid is None) or (symkey_params is None): - raise TypeError( - "All data and wrapping parameters must be specified") + if not encrypted_data: + raise TypeError('Missing encrypted data') + + if not wrapped_session_key: + raise TypeError('Missing wrapped session key') + + if not algorithm_oid: + algorithm_oid = KeyClient.DES_EDE3_CBC_OID + + if not nonce_iv: + raise TypeError('Missing nonce IV') - twsk = base64.encodestring(trans_wrapped_session_key) data = base64.encodestring(encrypted_data) + twsk = base64.encodestring(wrapped_session_key) + symkey_params = base64.encodestring(nonce_iv) + request = KeyArchivalRequest(client_key_id=client_key_id, data_type=data_type, wrapped_private_data=data, -- 1.8.4.2