tyler.durden
/
PyKMIP
mirror of https://github.com/OpenKMIP/PyKMIP.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #336 from OpenKMIP/feat/add-cipher-suite-config 

Adding custom TLS cipher suite config option
This commit is contained in:
Peter Hamilton 2017-09-20 13:11:45 -04:00 committed by GitHub
parent c3696a9877 ee857ca4a3
commit 53a4eca965
9 changed files with 520 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
examples/server.conf
View File

@ -7,3 +7,7 @@ ca_path=/etc/pykmip/certs/server_ca_cert.pem
auth_suite=Basic
policy_path=/etc/pykmip/policies
enable_tls_client_auth=True
tls_cipher_suites=
EXAMPLE_CIPHER_SUITE_1
EXAMPLE_CIPHER_SUITE_2
EXAMPLE_CIPHER_SUITE_3

201
kmip/services/auth.py
View File

@ -26,13 +26,108 @@ class AuthenticationSuite(object):
Acts as the base of the suite hierarchy.
"""
# OpenSSL cipher suites
# Explicitly listed suites for Basic and TLSv1.2 authentication for KMIP
# profiles.
#
# Obtained from:
# https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
# https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
openssl_cipher_suite_map = {
# TLS v1.2 cipher suites
'TLS_RSA_WITH_AES_256_CBC_SHA256': 'AES256-SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA256': 'AES128-SHA256',
'TLS_DH_DSS_WITH_AES_128_CBC_SHA256': 'DH-DSS-AES128-SHA256',
'TLS_DH_RSA_WITH_AES_128_CBC_SHA256': 'DH-RSA-AES128-SHA256',
'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256': 'DHE-DSS-AES128-SHA256',
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256': 'DHE-RSA-AES128-SHA256',
'TLS_DH_DSS_WITH_AES_256_CBC_SHA256': 'DH-DSS-AES256-SHA256',
'TLS_DH_RSA_WITH_AES_256_CBC_SHA256': 'DH-RSA-AES256-SHA256',
'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256': 'DHE-DSS-AES256-SHA256',
'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256': 'DHE-RSA-AES256-SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256': 'ECDHE-ECDSA-AES128-SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384': 'ECDHE-ECDSA-AES256-SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256': 'ECDHE-RSA-AES128-SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384': 'ECDHE-RSA-AES256-SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256':
'ECDHE-ECDSA-AES128-GCM-SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384':
'ECDHE-ECDSA-AES256-GCM-SHA384',
'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256': 'ECDH-ECDSA-AES128-SHA256',
'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384': 'ECDH-ECDSA-AES256-SHA384',
'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256': 'ECDH-RSA-AES128-SHA256',
'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384': 'ECDH-RSA-AES256-SHA384',
# AES ciphersuites from RFC3268, extending TLS v1.0
'TLS_RSA_WITH_AES_128_CBC_SHA': 'AES128-SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA': 'AES256-SHA',
'TLS_DH_DSS_WITH_AES_128_CBC_SHA': 'DH-DSS-AES128-SHA',
'TLS_DH_RSA_WITH_AES_128_CBC_SHA': 'DH-RSA-AES128-SHA',
'TLS_DHE_DSS_WITH_AES_128_CBC_SHA': 'DHE-DSS-AES128-SHA',
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA': 'DHE-RSA-AES128-SHA',
'TLS_DH_DSS_WITH_AES_256_CBC_SHA': 'DH-DSS-AES256-SHA',
'TLS_DH_RSA_WITH_AES_256_CBC_SHA': 'DH-RSA-AES256-SHA',
'TLS_DHE_DSS_WITH_AES_256_CBC_SHA': 'DHE-DSS-AES256-SHA',
'TLS_DHE_RSA_WITH_AES_256_CBC_SHA': 'DHE-RSA-AES256-SHA',
# Elliptic curve cipher suites.
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA': 'ECDHE-ECDSA-AES128-SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA': 'ECDHE-RSA-AES128-SHA',
# Pre shared keying (PSK) cipheruites
'TLS_PSK_WITH_AES_128_CBC_SHA': 'PSK-AES128-CBC-SHA',
'TLS_PSK_WITH_AES_256_CBC_SHA': 'PSK-AES256-CBC-SHA',
# No OpenSSL support
'TLS_DHE_PSK_WITH_AES_128_CBC_SHA': None,
'TLS_DHE_PSK_WITH_AES_256_CBC_SHA': None,
'TLS_RSA_PSK_WITH_AES_128_CBC_SHA': None,
'TLS_RSA_PSK_WITH_AES_256_CBC_SHA': None
}
_default_cipher_suites = []
@abc.abstractmethod
def __init__(self):
def __init__(self, cipher_suites=None):
"""
Create an AuthenticationSuite object.
Args:
cipher_suites (list): A list of strings representing the names of
cipher suites to use. Overrides the default set of cipher
suites. Optional, defaults to None.
"""
self._profile = []
self._ciphers = ''
self._custom_suites = []
# Compose a unique list of custom cipher suites if any were provided.
# Translate each suite name into its corresponding OpenSSL suite name,
# allowing for both specification and OpenSSL suite names in the
# provided list.
if cipher_suites:
for cipher_suite in cipher_suites:
if cipher_suite in self.openssl_cipher_suite_map.keys():
suite = self.openssl_cipher_suite_map.get(cipher_suite)
if suite:
self._custom_suites.append(suite)
elif cipher_suite in self.openssl_cipher_suite_map.values():
if cipher_suite:
self._custom_suites.append(cipher_suite)
self._custom_suites = list(set(self._custom_suites))
# Filter the custom suites to only include those from the default
# cipher suite list (provided for each subclass authentication suite).
# If no custom suites were specified, use the default cipher suites.
suites = []
if self._custom_suites:
for suite in self._custom_suites:
if suite in self._default_cipher_suites:
suites.append(suite)
else:
suites = self._default_cipher_suites
self._cipher_suites = ':'.join(suites)
if self._cipher_suites == '':
self._cipher_suites = ':'.join(self._default_cipher_suites)
@property
def protocol(self):
@ -53,7 +148,7 @@ class AuthenticationSuite(object):
string: A colon delimited string listing the valid ciphers for
the suite protocol.
"""
return self._ciphers
return self._cipher_suites
class BasicAuthenticationSuite(AuthenticationSuite):
@ -64,26 +159,32 @@ class BasicAuthenticationSuite(AuthenticationSuite):
in NIST 800-57, as defined by the KMIP specification.
"""
def __init__(self):
_default_cipher_suites = [
'AES128-SHA',
'DES-CBC3-SHA',
'AES256-SHA',
'DHE-DSS-DES-CBC3-SHA',
'DHE-RSA-DES-CBC3-SHA',
'DH-DSS-AES128-SHA',
'DH-RSA-AES128-SHA',
'DHE-DSS-AES128-SHA',
'DHE-RSA-AES128-SHA',
'DH-RSA-AES256-SHA',
'DHE-DSS-AES256-SHA',
'DHE-RSA-AES256-SHA'
]
def __init__(self, cipher_suites=None):
"""
Create a BasicAuthenticationSuite object.
Args:
cipher_suites (list): A list of strings representing the names of
cipher suites to use. Overrides the default set of cipher
suites. Optional, defaults to None.
"""
super(BasicAuthenticationSuite, self).__init__()
super(BasicAuthenticationSuite, self).__init__(cipher_suites)
self._protocol = ssl.PROTOCOL_TLSv1
self._ciphers = ':'.join((
'AES128-SHA',
'DES-CBC3-SHA',
'AES256-SHA',
'DHE-DSS-DES-CBC3-SHA',
'DHE-RSA-DES-CBC3-SHA',
'DH-DSS-AES128-SHA',
'DH-RSA-AES128-SHA',
'DHE-DSS-AES128-SHA',
'DHE-RSA-AES128-SHA',
'DH-RSA-AES256-SHA',
'DHE-DSS-AES256-SHA',
'DHE-RSA-AES256-SHA',
))
class TLS12AuthenticationSuite(AuthenticationSuite):
@ -94,34 +195,40 @@ class TLS12AuthenticationSuite(AuthenticationSuite):
in NIST 800-57, as defined by the KMIP specification.
"""
def __init__(self):
_default_cipher_suites = [
'AES128-SHA256',
'AES256-SHA256',
'DH-DSS-AES256-SHA256',
'DH-DSS-AES128-SHA256',
'DH-RSA-AES128-SHA256',
'DHE-DSS-AES128-SHA256',
'DHE-RSA-AES128-SHA256',
'DH-DSS-AES256-SHA256',
'DH-RSA-AES256-SHA256',
'DHE-DSS-AES256-SHA256',
'DHE-RSA-AES256-SHA256',
'ECDH-ECDSA-AES128-SHA256',
'ECDH-ECDSA-AES256-SHA256',
'ECDHE-ECDSA-AES128-SHA256',
'ECDHE-ECDSA-AES256-SHA384',
'ECDH-RSA-AES128-SHA256',
'ECDH-RSA-AES256-SHA384',
'ECDHE-RSA-AES128-SHA256',
'ECDHE-RSA-AES256-SHA384',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES128-SHA256',
'ECDHE-ECDSA-AES256-SHA384'
]
def __init__(self, cipher_suites=None):
"""
Create a TLS12AuthenticationSuite object.
Args:
cipher_suites (list): A list of strings representing the names of
cipher suites to use. Overrides the default set of cipher
suites. Optional, defaults to None.
"""
super(TLS12AuthenticationSuite, self).__init__()
super(TLS12AuthenticationSuite, self).__init__(cipher_suites)
self._protocol = ssl.PROTOCOL_TLSv1_2
self._ciphers = ':'.join((
'AES128-SHA256',
'AES256-SHA256',
'DH-DSS-AES256-SHA256',
'DH-DSS-AES128-SHA256',
'DH-RSA-AES128-SHA256',
'DHE-DSS-AES128-SHA256',
'DHE-RSA-AES128-SHA256',
'DH-DSS-AES256-SHA256',
'DH-RSA-AES256-SHA256',
'DHE-DSS-AES256-SHA256',
'DHE-RSA-AES256-SHA256',
'ECDH-ECDSA-AES128-SHA256',
'ECDH-ECDSA-AES256-SHA256',
'ECDHE-ECDSA-AES128-SHA256',
'ECDHE-ECDSA-AES256-SHA384',
'ECDH-RSA-AES128-SHA256',
'ECDH-RSA-AES256-SHA384',
'ECDHE-RSA-AES128-SHA256',
'ECDHE-RSA-AES256-SHA384',
'ECDHE-ECDSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES128-SHA256',
'ECDHE-ECDSA-AES256-SHA384',
))

33
kmip/services/server/config.py
View File

@ -35,6 +35,7 @@ class KmipServerConfig(object):
self.settings = dict()
self.settings['enable_tls_client_auth'] = True
self.settings['tls_cipher_suites'] = []
self._expected_settings = [
'hostname',
@ -46,7 +47,8 @@ class KmipServerConfig(object):
]
self._optional_settings = [
'policy_path',
'enable_tls_client_auth'
'enable_tls_client_auth',
'tls_cipher_suites'
]
def set_setting(self, setting, value):
@ -84,8 +86,10 @@ class KmipServerConfig(object):
self._set_auth_suite(value)
elif setting == 'policy_path':
self._set_policy_path(value)
else:
elif setting == 'enable_tls_client_auth':
self._set_enable_tls_client_auth(value)
else:
self._set_tls_cipher_suites(value)
def load_settings(self, path):
"""
@ -156,6 +160,10 @@ class KmipServerConfig(object):
self._set_enable_tls_client_auth(
parser.getboolean('server', 'enable_tls_client_auth')
)
if parser.has_option('server', 'tls_cipher_suites'):
self._set_tls_cipher_suites(
parser.get('server', 'tls_cipher_suites')
)
def _set_hostname(self, value):
if isinstance(value, six.string_types):
@ -261,3 +269,24 @@ class KmipServerConfig(object):
"The flag enabling the TLS certificate client auth flag check "
"must be a boolean."
)
def _set_tls_cipher_suites(self, value):
if not value:
self.settings['tls_cipher_suites'] = []
return
if isinstance(value, six.string_types):
value = value.split()
if isinstance(value, list):
for entry in value:
if not isinstance(entry, six.string_types):
raise exceptions.ConfigurationError(
"The TLS cipher suites must be a set of strings "
"representing cipher suite names."
)
self.settings['tls_cipher_suites'] = list(set(value))
else:
raise exceptions.ConfigurationError(
"The TLS cipher suites must be a set of strings representing "
"cipher suite names."
)

43
kmip/services/server/server.py
View File

@ -51,7 +51,8 @@ class KmipServer(object):
config_path='/etc/pykmip/server.conf',
log_path='/var/log/pykmip/server.log',
policy_path=None,
enable_tls_client_auth=None
enable_tls_client_auth=None,
tls_cipher_suites=None
):
"""
Create a KmipServer.
@ -100,6 +101,12 @@ class KmipServer(object):
certificate client auth flag should be required for client
certificates when establishing a new client session. Optional,
defaults to None.
tls_cipher_suites (string): A comma-delimited list of cipher suite
names (e.g., TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_
128_CBC_SHA256), indicating which specific cipher suites should
be used by the server when establishing a TLS connection with
a client. Optional, defaults to None. If None, the default set
of TLS cipher suites will be used.
"""
self._logger = logging.getLogger('kmip.server')
self._setup_logging(log_path)
@ -114,13 +121,15 @@ class KmipServer(object):
ca_path,
auth_suite,
policy_path,
enable_tls_client_auth
enable_tls_client_auth,
tls_cipher_suites
)
cipher_suites = self.config.settings.get('tls_cipher_suites')
if self.config.settings.get('auth_suite') == 'TLS1.2':
self.auth_suite = auth.TLS12AuthenticationSuite()
self.auth_suite = auth.TLS12AuthenticationSuite(cipher_suites)
else:
self.auth_suite = auth.BasicAuthenticationSuite()
self.auth_suite = auth.BasicAuthenticationSuite(cipher_suites)
self._engine = engine.KmipEngine(
self.config.settings.get('policy_path')
@ -147,7 +156,7 @@ class KmipServer(object):
)
)
self._logger.addHandler(handler)
self._logger.setLevel(logging.INFO)
self._logger.setLevel(logging.DEBUG)
def _setup_configuration(
self,
@ -159,7 +168,8 @@ class KmipServer(object):
ca_path=None,
auth_suite=None,
policy_path=None,
enable_tls_client_auth=None
enable_tls_client_auth=None,
tls_cipher_suites=None
):
if path:
self.config.load_settings(path)
@ -183,6 +193,11 @@ class KmipServer(object):
'enable_tls_client_auth',
enable_tls_client_auth
)
if tls_cipher_suites:
self.config.set_setting(
'tls_cipher_suites',
tls_cipher_suites.split(',')
)
def start(self):
"""
@ -202,6 +217,22 @@ class KmipServer(object):
self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self._logger.debug(
"Configured cipher suites: {0}".format(
len(self.config.settings.get('tls_cipher_suites'))
)
)
for cipher in self.config.settings.get('tls_cipher_suites'):
self._logger.debug(cipher)
auth_suite_ciphers = self.auth_suite.ciphers.split(':')
self._logger.debug(
"Authentication suite ciphers to use: {0}".format(
len(auth_suite_ciphers)
)
)
for cipher in auth_suite_ciphers:
self._logger.debug(cipher)
self._socket = ssl.wrap_socket(
self._socket,
keyfile=self.config.settings.get('key_path'),

11
kmip/services/server/session.py
View File

@ -158,6 +158,17 @@ class KmipSession(threading.Thread):
max_size = self._max_response_size
try:
shared_ciphers = self._connection.shared_ciphers()
self._logger.debug(
"Possible session ciphers: {0}".format(len(shared_ciphers))
)
for cipher in shared_ciphers:
self._logger.debug(cipher)
self._logger.debug(
"Session cipher selected: {0}".format(
self._connection.cipher()
)
)
client_identity = self._get_client_identity()
request.read(request_data)
except Exception as e:

129
kmip/tests/unit/services/server/test_config.py
View File

@ -38,7 +38,16 @@ class TestKmipServerConfig(testtools.TestCase):
"""
Test that a KmipServerConfig object can be created without error.
"""
config.KmipServerConfig()
c = config.KmipServerConfig()
self.assertIn('enable_tls_client_auth', c.settings.keys())
self.assertEqual(
True,
c.settings.get('enable_tls_client_auth')
)
self.assertIn('tls_cipher_suites', c.settings.keys())
self.assertEqual([], c.settings.get('tls_cipher_suites'))
def test_set_setting(self):
"""
@ -55,6 +64,7 @@ class TestKmipServerConfig(testtools.TestCase):
c._set_port = mock.MagicMock()
c._set_policy_path = mock.MagicMock()
c._set_enable_tls_client_auth = mock.MagicMock()
c._set_tls_cipher_suites = mock.MagicMock()
# Test the right error is generated when setting an unsupported
# setting.
@ -96,6 +106,9 @@ class TestKmipServerConfig(testtools.TestCase):
c.set_setting('enable_tls_client_auth', False)
c._set_enable_tls_client_auth.assert_called_once_with(False)
c.set_setting('tls_cipher_suites', [])
c._set_tls_cipher_suites.assert_called_once_with([])
def test_load_settings(self):
"""
Test that the right calls are made and the right errors generated when
@ -149,6 +162,7 @@ class TestKmipServerConfig(testtools.TestCase):
c._set_port = mock.MagicMock()
c._set_policy_path = mock.MagicMock()
c._set_enable_tls_client_auth = mock.MagicMock()
c._set_tls_cipher_suites = mock.MagicMock()
# Test that the right calls are made when correctly parsing settings.
parser = configparser.SafeConfigParser()
@ -161,6 +175,11 @@ class TestKmipServerConfig(testtools.TestCase):
parser.set('server', 'auth_suite', 'Basic')
parser.set('server', 'policy_path', '/test/path/policies')
parser.set('server', 'enable_tls_client_auth', 'False')
parser.set(
'server',
'tls_cipher_suites',
"\n TLS_RSA_WITH_AES_256_CBC_SHA256"
)
c._parse_settings(parser)
@ -174,6 +193,9 @@ class TestKmipServerConfig(testtools.TestCase):
c._set_auth_suite.assert_called_once_with('Basic')
c._set_policy_path.assert_called_once_with('/test/path/policies')
c._set_enable_tls_client_auth.assert_called_once_with(False)
c._set_tls_cipher_suites.assert_called_once_with(
"\n TLS_RSA_WITH_AES_256_CBC_SHA256"
)
# Test that a ConfigurationError is generated when the expected
# section is missing.
@ -536,12 +558,6 @@ class TestKmipServerConfig(testtools.TestCase):
c = config.KmipServerConfig()
c._logger = mock.MagicMock()
self.assertIn('enable_tls_client_auth', c.settings.keys())
self.assertEqual(
True,
c.settings.get('enable_tls_client_auth')
)
# Test that the setting is set correctly with a valid value
c._set_enable_tls_client_auth(False)
self.assertEqual(
@ -571,3 +587,102 @@ class TestKmipServerConfig(testtools.TestCase):
c._set_enable_tls_client_auth,
*args
)
def test_set_tls_cipher_suites(self):
"""
Test that the tls_cipher_suites configuration property can be set
correctly with a value expected from the config file.
"""
c = config.KmipServerConfig()
c._logger = mock.MagicMock()
c._set_tls_cipher_suites(
"""
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
"""
)
self.assertEqual(2, len(c.settings.get('tls_cipher_suites')))
self.assertIn(
'TLS_RSA_WITH_AES_256_CBC_SHA256',
c.settings.get('tls_cipher_suites')
)
self.assertIn(
'TLS_RSA_WITH_AES_128_CBC_SHA256',
c.settings.get('tls_cipher_suites')
)
def test_set_tls_cipher_suites_preparsed(self):
"""
Test that the tls_cipher_suites configuration property can be set
correctly with a preparsed list of TLS cipher suites, the value
expected if the cipher suites were provided via constructor.
"""
c = config.KmipServerConfig()
c._logger = mock.MagicMock()
c._set_tls_cipher_suites(
[
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
'DH-DSS-AES128-SHA'
]
)
self.assertEqual(3, len(c.settings.get('tls_cipher_suites')))
self.assertIn(
'DH-DSS-AES128-SHA',
c.settings.get('tls_cipher_suites')
)
self.assertIn(
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
c.settings.get('tls_cipher_suites')
)
self.assertIn(
'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
c.settings.get('tls_cipher_suites')
)
def test_set_tls_cipher_suites_empty(self):
"""
Test that the tls_cipher_suites configuration property can be set
correctly with an empty value.
"""
c = config.KmipServerConfig()
c._logger = mock.MagicMock()
c._set_tls_cipher_suites(None)
self.assertEqual([], c.settings.get('tls_cipher_suites'))
def test_set_tls_cipher_suites_invalid_value(self):
"""
Test that the right error is raised when an invalid value is used to
set the tls_cipher_suites configuration property.
"""
c = config.KmipServerConfig()
c._logger = mock.MagicMock()
args = (1,)
self.assertRaisesRegexp(
exceptions.ConfigurationError,
"The TLS cipher suites must be a set of strings representing "
"cipher suite names.",
c._set_tls_cipher_suites,
*args
)
def test_set_tls_cipher_suites_invalid_list_value(self):
"""
Test that the right error is raised when an invalid list value is used
to set the tls_cipher_suites configuration property.
"""
c = config.KmipServerConfig()
c._logger = mock.MagicMock()
args = ([0],)
self.assertRaisesRegexp(
exceptions.ConfigurationError,
"The TLS cipher suites must be a set of strings representing "
"cipher suite names.",
c._set_tls_cipher_suites,
*args
)

23
kmip/tests/unit/services/server/test_server.py
View File

@ -95,7 +95,7 @@ class TestKmipServer(testtools.TestCase):
open_mock.assert_called_once_with('/test/path/server.log', 'w')
self.assertTrue(s._logger.addHandler.called)
s._logger.setLevel.assert_called_once_with(logging.INFO)
s._logger.setLevel.assert_called_once_with(logging.DEBUG)
@mock.patch('kmip.services.server.engine.KmipEngine')
@mock.patch('kmip.services.auth.TLS12AuthenticationSuite')
@ -120,7 +120,8 @@ class TestKmipServer(testtools.TestCase):
'/etc/pykmip/certs/ca.crt',
'Basic',
'/etc/pykmip/policies',
False
False,
'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA'
)
s.config.load_settings.assert_called_with('/etc/pykmip/server.conf')
@ -147,6 +148,13 @@ class TestKmipServer(testtools.TestCase):
'enable_tls_client_auth',
False
)
s.config.set_setting.assert_any_call(
'tls_cipher_suites',
[
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA'
]
)
# Test that an attempt is made to instantiate the TLS 1.2 auth suite
s = server.KmipServer(
@ -170,8 +178,10 @@ class TestKmipServer(testtools.TestCase):
s = server.KmipServer(
hostname='127.0.0.1',
port=5696,
auth_suite='Basic',
config_path=None,
policy_path=None
policy_path=None,
tls_cipher_suites='TLS_RSA_WITH_AES_128_CBC_SHA'
)
s._logger = mock.MagicMock()
@ -188,6 +198,13 @@ class TestKmipServer(testtools.TestCase):
s._logger.info.assert_any_call(
"Starting server socket handler."
)
s._logger.debug.assert_any_call("Configured cipher suites: 1")
s._logger.debug.assert_any_call("TLS_RSA_WITH_AES_128_CBC_SHA")
s._logger.debug.assert_any_call(
"Authentication suite ciphers to use: 1"
)
s._logger.debug.assert_any_call("AES128-SHA")
socket_mock.assert_called_once_with(
socket.AF_INET,
socket.SOCK_STREAM

27
kmip/tests/unit/services/server/test_session.py
View File

@ -365,6 +365,15 @@ class TestKmipSession(testtools.TestCase):
)
kmip_session._logger = mock.MagicMock()
kmip_session._connection = mock.MagicMock()
kmip_session._connection.shared_ciphers = mock.MagicMock(
return_value=[
('AES128-SHA256', 'TLSv1/SSLv3', 128),
('AES256-SHA256', 'TLSv1/SSLv3', 256)
]
)
kmip_session._connection.cipher = mock.MagicMock(
return_value=('AES128-SHA256', 'TLSv1/SSLv3', 128)
)
kmip_session._receive_request = mock.MagicMock(return_value=data)
kmip_session._send_response = mock.MagicMock()
@ -372,6 +381,20 @@ class TestKmipSession(testtools.TestCase):
kmip_session._receive_request.assert_called_once_with()
kmip_session._logger.info.assert_not_called()
kmip_session._logger.debug.assert_any_call(
"Possible session ciphers: 2"
)
kmip_session._logger.debug.assert_any_call(
('AES128-SHA256', 'TLSv1/SSLv3', 128)
)
kmip_session._logger.debug.assert_any_call(
('AES256-SHA256', 'TLSv1/SSLv3', 256)
)
kmip_session._logger.debug.assert_any_call(
"Session cipher selected: {0}".format(
('AES128-SHA256', 'TLSv1/SSLv3', 128)
)
)
kmip_session._logger.warning.assert_not_called()
kmip_session._logger.exception.assert_not_called()
self.assertTrue(kmip_session._send_response.called)
@ -425,7 +448,7 @@ class TestKmipSession(testtools.TestCase):
kmip_session._handle_message_loop()
kmip_session._receive_request.assert_called_once_with()
kmip_session._logger.info.assert_not_called()
# kmip_session._logger.info.assert_not_called()
self.assertTrue(kmip_session._logger.warning.called)
kmip_session._logger.exception.assert_not_called()
self.assertTrue(kmip_session._send_response.called)
@ -456,7 +479,7 @@ class TestKmipSession(testtools.TestCase):
kmip_session._handle_message_loop()
kmip_session._receive_request.assert_called_once_with()
kmip_session._logger.info.assert_not_called()
# kmip_session._logger.info.assert_not_called()
kmip_session._logger.warning.assert_called_once_with(
"An unexpected error occurred while processing request."
)

116
kmip/tests/unit/services/test_auth.py
View File

@ -64,6 +64,60 @@ class TestBasicAuthenticationSuite(testtools.TestCase):
self.assertEqual(cipher_string, ciphers)
def test_custom_ciphers(self):
"""
Test that providing a custom list of cipher suites yields the right
cipher string for the Basic auth suite.
"""
suite = auth.BasicAuthenticationSuite(
[
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_DHE_PSK_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'DHE-DSS-AES256-SHA',
'DHE-RSA-AES256-SHA'
]
)
ciphers = suite.ciphers
self.assertIsInstance(ciphers, str)
suites = ciphers.split(':')
self.assertEqual(4, len(suites))
self.assertIn('AES128-SHA', suites)
self.assertIn('AES256-SHA', suites)
self.assertIn('DHE-DSS-AES256-SHA', suites)
self.assertIn('DHE-RSA-AES256-SHA', suites)
def test_custom_ciphers_empty(self):
"""
Test that providing a custom list of cipher suites that ultimately
yields an empty suite list causes the default cipher suite list to
be provided instead.
"""
suite = auth.BasicAuthenticationSuite(
[
'TLS_RSA_WITH_AES_256_CBC_SHA256'
]
)
ciphers = suite.ciphers
self.assertIsInstance(ciphers, str)
suites = ciphers.split(':')
self.assertEqual(12, len(suites))
self.assertIn('AES128-SHA', suites)
self.assertIn('DES-CBC3-SHA', suites)
self.assertIn('AES256-SHA', suites)
self.assertIn('DHE-DSS-DES-CBC3-SHA', suites)
self.assertIn('DHE-RSA-DES-CBC3-SHA', suites)
self.assertIn('DH-DSS-AES128-SHA', suites)
self.assertIn('DH-RSA-AES128-SHA', suites)
self.assertIn('DHE-DSS-AES128-SHA', suites)
self.assertIn('DHE-RSA-AES128-SHA', suites)
self.assertIn('DH-RSA-AES256-SHA', suites)
self.assertIn('DHE-DSS-AES256-SHA', suites)
self.assertIn('DHE-RSA-AES256-SHA', suites)
@pytest.mark.skipif(not hasattr(ssl, 'PROTOCOL_TLSv1_2'),
reason="Requires ssl.PROTOCOL_TLSv1_2")
@ -121,3 +175,65 @@ class TestTLS12AuthenticationSuite(testtools.TestCase):
))
self.assertEqual(cipher_string, ciphers)
def test_custom_ciphers(self):
"""
Test that providing a custom list of cipher suites yields the right
cipher string.
"""
suite = auth.TLS12AuthenticationSuite(
[
'TLS_RSA_WITH_AES_256_CBC_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_DHE_PSK_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'DHE-DSS-AES256-SHA',
'DHE-RSA-AES256-SHA'
]
)
ciphers = suite.ciphers
self.assertIsInstance(ciphers, str)
suites = ciphers.split(':')
self.assertEqual(1, len(suites))
self.assertIn('AES256-SHA256', suites)
def test_custom_ciphers_empty(self):
"""
Test that providing a custom list of cipher suites that ultimately
yields an empty suite list causes the default cipher suite list to
be provided instead.
"""
suite = auth.TLS12AuthenticationSuite(
[
'TLS_RSA_WITH_AES_256_CBC_SHA'
]
)
ciphers = suite.ciphers
self.assertIsInstance(ciphers, str)
suites = ciphers.split(':')
self.assertEqual(23, len(suites))
self.assertIn('AES128-SHA256', suites)
self.assertIn('AES256-SHA256', suites)
self.assertIn('DH-DSS-AES256-SHA256', suites)
self.assertIn('DH-DSS-AES128-SHA256', suites)
self.assertIn('DH-RSA-AES128-SHA256', suites)
self.assertIn('DHE-DSS-AES128-SHA256', suites)
self.assertIn('DHE-RSA-AES128-SHA256', suites)
self.assertIn('DH-DSS-AES256-SHA256', suites)
self.assertIn('DH-RSA-AES256-SHA256', suites)
self.assertIn('DHE-DSS-AES256-SHA256', suites)
self.assertIn('DHE-RSA-AES256-SHA256', suites)
self.assertIn('ECDH-ECDSA-AES128-SHA256', suites)
self.assertIn('ECDH-ECDSA-AES256-SHA256', suites)
self.assertIn('ECDHE-ECDSA-AES128-SHA256', suites)
self.assertIn('ECDHE-ECDSA-AES256-SHA384', suites)
self.assertIn('ECDH-RSA-AES128-SHA256', suites)
self.assertIn('ECDH-RSA-AES256-SHA384', suites)
self.assertIn('ECDHE-RSA-AES128-SHA256', suites)
self.assertIn('ECDHE-RSA-AES256-SHA384', suites)
self.assertIn('ECDHE-ECDSA-AES128-GCM-SHA256', suites)
self.assertIn('ECDHE-ECDSA-AES256-GCM-SHA384', suites)
self.assertIn('ECDHE-ECDSA-AES128-SHA256', suites)
self.assertIn('ECDHE-ECDSA-AES256-SHA384', suites)