Merge pull request #273 from vbnmmnbv/mac_state_permission_server

Add state/crypto usage mask checks for MAC operation
Peter Hamilton 2017-04-19 18:02:46 -04:00 committed by GitHub
commit 5678c21903
2 changed files with 120 additions and 7 deletions


@ -1639,7 +1639,7 @@ class KmipEngine(object):
managed_object.cryptographic_algorithm): managed_object.cryptographic_algorithm):
algorithm = managed_object.cryptographic_algorithm algorithm = managed_object.cryptographic_algorithm
else: else:
raise exceptions.InvalidField( raise exceptions.PermissionDenied(
"The cryptographic algorithm must be specified " "The cryptographic algorithm must be specified "
"for the MAC operation" "for the MAC operation"
) )
@ -1648,7 +1648,7 @@ class KmipEngine(object):
if managed_object.value: if managed_object.value:
key = managed_object.value key = managed_object.value
else: else:
raise exceptions.InvalidField( raise exceptions.PermissionDenied(
"A secret key value must be specified " "A secret key value must be specified "
"for the MAC operation" "for the MAC operation"
) )
@ -1657,10 +1657,22 @@ class KmipEngine(object):
if payload.data: if payload.data:
data = payload.data.value data = payload.data.value
else: else:
raise exceptions.InvalidField( raise exceptions.PermissionDenied(
"No data to be MACed" "No data to be MACed"
) )
if managed_object.state != enums.State.ACTIVE:
raise exceptions.PermissionDenied(
"Object is not in a state that can be used for MACing."
)
if enums.CryptographicUsageMask.MAC_GENERATE not in \
managed_object.cryptographic_usage_masks:
raise exceptions.PermissionDenied(
"MAC Generate must be set in the object's cryptographic "
"usage mask"
)
result = self._cryptography_engine.mac( result = self._cryptography_engine.mac(
algorithm, algorithm,
key, key,
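Review bot: The new `managed_object.state != enums.State.ACTIVE` and `MAC_GENERATE not in ...` checks sit at the end of the validation chain, after `key = managed_object.value` has already been read and after the payload data check. A request against a non-Active key, or a key without the MAC usage bit, is therefore refused only if the payload is otherwise well-formed, and the error a caller sees depends on which input is missing first. Moving both checks to directly after the managed object is retrieved would make the policy decision independent of request contents and would avoid touching key material for an object that may not be used. Separately, `"No data to be MACed"` now raises `PermissionDenied` although it describes a malformed request; unless the KMIP profile requires that reason, keeping `InvalidField` there would keep real denials distinguishable in audit logs. The `not in managed_object.cryptographic_usage_masks` test presumably assumes the attribute is always a list, so it is worth confirming it cannot be `None` for the object types that reach this point; `_process_mac` begins and ends outside the visible hunks.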


@ -4797,7 +4797,9 @@ class TestKmipEngine(testtools.TestCase):
b'\x0B\x0C\x0D\x0E\x0F') b'\x0B\x0C\x0D\x0E\x0F')
algorithm_a = enums.CryptographicAlgorithm.AES algorithm_a = enums.CryptographicAlgorithm.AES
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512 algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
obj = pie_objects.SymmetricKey(algorithm_a, 128, key) obj = pie_objects.SymmetricKey(
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE])
obj.state = enums.State.ACTIVE
e._data_session.add(obj) e._data_session.add(obj)
e._data_session.commit() e._data_session.commit()
@ -4887,7 +4889,7 @@ class TestKmipEngine(testtools.TestCase):
args = (payload_no_key, ) args = (payload_no_key, )
regex = "A secret key value must be specified" regex = "A secret key value must be specified"
self.assertRaisesRegexp( self.assertRaisesRegexp(
exceptions.InvalidField, exceptions.PermissionDenied,
regex, regex,
e._process_mac, e._process_mac,
*args *args
@ -4902,7 +4904,7 @@ class TestKmipEngine(testtools.TestCase):
args = (payload_no_algorithm, ) args = (payload_no_algorithm, )
regex = "The cryptographic algorithm must be specified" regex = "The cryptographic algorithm must be specified"
self.assertRaisesRegexp( self.assertRaisesRegexp(
exceptions.InvalidField, exceptions.PermissionDenied,
regex, regex,
e._process_mac, e._process_mac,
*args *args
@ -4917,7 +4919,106 @@ class TestKmipEngine(testtools.TestCase):
args = (payload_no_data, ) args = (payload_no_data, )
regex = "No data to be MACed" regex = "No data to be MACed"
self.assertRaisesRegexp( self.assertRaisesRegexp(
exceptions.InvalidField, exceptions.PermissionDenied,
regex,
e._process_mac,
*args
)
def test_mac_not_active_state(self):
"""
Test that the right error is generated when an MAC request is
received for an object that is not in 'active' state.
"""
e = engine.KmipEngine()
e._data_store = self.engine
e._data_store_session_factory = self.session_factory
e._data_session = e._data_store_session_factory()
e._logger = mock.MagicMock()
e._cryptography_engine.logger = mock.MagicMock()
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
b'\x00\x00\x00\x00\x00')
data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
b'\x0B\x0C\x0D\x0E\x0F')
algorithm_a = enums.CryptographicAlgorithm.AES
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
obj = pie_objects.SymmetricKey(
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE])
obj.state = enums.State.PRE_ACTIVE
e._data_session.add(obj)
e._data_session.commit()
e._data_session = e._data_store_session_factory()
uuid = str(obj.unique_identifier)
cryptographic_parameters = attributes.CryptographicParameters(
cryptographic_algorithm=attributes.
CryptographicAlgorithm(algorithm_b)
)
# Verify when cryptographic_parameters is specified in request
payload = mac.MACRequestPayload(
unique_identifier=attributes.UniqueIdentifier(uuid),
cryptographic_parameters=cryptographic_parameters,
data=objects.Data(data)
)
args = (payload,)
regex = "Object is not in a state that can be used for MACing."
self.assertRaisesRegexp(
exceptions.PermissionDenied,
regex,
e._process_mac,
*args
)
def test_mac_crypto_usage_mask_not_set(self):
"""
Test that the right error is generated when an MAC request is
received for an object without proper crypto usage mask set.
"""
e = engine.KmipEngine()
e._data_store = self.engine
e._data_store_session_factory = self.session_factory
e._data_session = e._data_store_session_factory()
e._logger = mock.MagicMock()
e._cryptography_engine.logger = mock.MagicMock()
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
b'\x00\x00\x00\x00\x00')
data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
b'\x0B\x0C\x0D\x0E\x0F')
algorithm_a = enums.CryptographicAlgorithm.AES
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
obj = pie_objects.SymmetricKey(
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_VERIFY])
obj.state = enums.State.ACTIVE
e._data_session.add(obj)
e._data_session.commit()
e._data_session = e._data_store_session_factory()
uuid = str(obj.unique_identifier)
cryptographic_parameters = attributes.CryptographicParameters(
cryptographic_algorithm=attributes.
CryptographicAlgorithm(algorithm_b)
)
# Verify when cryptographic_parameters is specified in request
payload = mac.MACRequestPayload(
unique_identifier=attributes.UniqueIdentifier(uuid),
cryptographic_parameters=cryptographic_parameters,
data=objects.Data(data)
)
args = (payload,)
regex = "MAC Generate must be set in the object's cryptographic " \
"usage mask"
self.assertRaisesRegexp(
exceptions.PermissionDenied,
regex, regex,
e._process_mac, e._process_mac,
*args *args
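Review bot: `test_mac_not_active_state` exercises only `enums.State.PRE_ACTIVE`, so the states where refusing a MAC matters most, such as `enums.State.DEACTIVATED` and `enums.State.COMPROMISED`, are not pinned by any test. Iterating the same assertion over every non-Active state would guard against a later change that narrows the `!= enums.State.ACTIVE` comparison. Likewise `test_mac_crypto_usage_mask_not_set` covers a key carrying `MAC_VERIFY` but not a key with an empty mask list, which is the other boundary of the `not in` check. The two new tests also repeat the same engine, key and payload setup nearly line for line; a small private helper that returns the engine and payload for a given state and mask list would make the differing inputs obvious.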