tyler.durden
/
PyKMIP
mirror of https://github.com/OpenKMIP/PyKMIP.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add state/crypto usage mask checks for MAC operation

This commit is contained in:
Hao Shen 2017-03-31 17:08:20 -07:00
parent 2aabad714a
commit a0673dc111
2 changed files with 120 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
kmip/services/server/engine.py
View File

@ -1634,7 +1634,7 @@ class KmipEngine(object):
managed_object.cryptographic_algorithm): managed_object.cryptographic_algorithm):
algorithm = managed_object.cryptographic_algorithm algorithm = managed_object.cryptographic_algorithm
else: else:
raise exceptions.InvalidField( raise exceptions.PermissionDenied(
"The cryptographic algorithm must be specified " "The cryptographic algorithm must be specified "
"for the MAC operation" "for the MAC operation"
) )
@ -1643,7 +1643,7 @@ class KmipEngine(object):
if managed_object.value: if managed_object.value:
key = managed_object.value key = managed_object.value
else: else:
raise exceptions.InvalidField( raise exceptions.PermissionDenied(
"A secret key value must be specified " "A secret key value must be specified "
"for the MAC operation" "for the MAC operation"
) )
@ -1652,10 +1652,22 @@ class KmipEngine(object):
if payload.data: if payload.data:
data = payload.data.value data = payload.data.value
else: else:
raise exceptions.InvalidField( raise exceptions.PermissionDenied(
"No data to be MACed" "No data to be MACed"
) )
if managed_object.state != enums.State.ACTIVE:
raise exceptions.PermissionDenied(
"Object is not in a state that can be used for MACing."
)
if enums.CryptographicUsageMask.MAC_GENERATE not in \
managed_object.cryptographic_usage_masks:
raise exceptions.PermissionDenied(
"MAC Generate must be set in the object's cryptographic "
"usage mask"
)
result = self._cryptography_engine.mac( result = self._cryptography_engine.mac(
algorithm, algorithm,
key, key,

109
kmip/tests/unit/services/server/test_engine.py
View File

@ -4641,7 +4641,9 @@ class TestKmipEngine(testtools.TestCase):
b'\x0B\x0C\x0D\x0E\x0F') b'\x0B\x0C\x0D\x0E\x0F')
algorithm_a = enums.CryptographicAlgorithm.AES algorithm_a = enums.CryptographicAlgorithm.AES
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512 algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
obj = pie_objects.SymmetricKey(algorithm_a, 128, key) obj = pie_objects.SymmetricKey(
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE])
obj.state = enums.State.ACTIVE
e._data_session.add(obj) e._data_session.add(obj)
e._data_session.commit() e._data_session.commit()
@ -4731,7 +4733,7 @@ class TestKmipEngine(testtools.TestCase):
args = (payload_no_key, ) args = (payload_no_key, )
regex = "A secret key value must be specified" regex = "A secret key value must be specified"
self.assertRaisesRegexp( self.assertRaisesRegexp(
exceptions.InvalidField, exceptions.PermissionDenied,
regex, regex,
e._process_mac, e._process_mac,
*args *args
@ -4746,7 +4748,7 @@ class TestKmipEngine(testtools.TestCase):
args = (payload_no_algorithm, ) args = (payload_no_algorithm, )
regex = "The cryptographic algorithm must be specified" regex = "The cryptographic algorithm must be specified"
self.assertRaisesRegexp( self.assertRaisesRegexp(
exceptions.InvalidField, exceptions.PermissionDenied,
regex, regex,
e._process_mac, e._process_mac,
*args *args
@ -4761,7 +4763,106 @@ class TestKmipEngine(testtools.TestCase):
args = (payload_no_data, ) args = (payload_no_data, )
regex = "No data to be MACed" regex = "No data to be MACed"
self.assertRaisesRegexp( self.assertRaisesRegexp(
exceptions.InvalidField, exceptions.PermissionDenied,
regex,
e._process_mac,
*args
)
def test_mac_not_active_state(self):
"""
Test that the right error is generated when an MAC request is
received for an object that is not in 'active' state.
"""
e = engine.KmipEngine()
e._data_store = self.engine
e._data_store_session_factory = self.session_factory
e._data_session = e._data_store_session_factory()
e._logger = mock.MagicMock()
e._cryptography_engine.logger = mock.MagicMock()
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
b'\x00\x00\x00\x00\x00')
data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
b'\x0B\x0C\x0D\x0E\x0F')
algorithm_a = enums.CryptographicAlgorithm.AES
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
obj = pie_objects.SymmetricKey(
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_GENERATE])
obj.state = enums.State.PRE_ACTIVE
e._data_session.add(obj)
e._data_session.commit()
e._data_session = e._data_store_session_factory()
uuid = str(obj.unique_identifier)
cryptographic_parameters = attributes.CryptographicParameters(
cryptographic_algorithm=attributes.
CryptographicAlgorithm(algorithm_b)
)
# Verify when cryptographic_parameters is specified in request
payload = mac.MACRequestPayload(
unique_identifier=attributes.UniqueIdentifier(uuid),
cryptographic_parameters=cryptographic_parameters,
data=objects.Data(data)
)
args = (payload,)
regex = "Object is not in a state that can be used for MACing."
self.assertRaisesRegexp(
exceptions.PermissionDenied,
regex,
e._process_mac,
*args
)
def test_mac_crypto_usage_mask_not_set(self):
"""
Test that the right error is generated when an MAC request is
received for an object without proper crypto usage mask set.
"""
e = engine.KmipEngine()
e._data_store = self.engine
e._data_store_session_factory = self.session_factory
e._data_session = e._data_store_session_factory()
e._logger = mock.MagicMock()
e._cryptography_engine.logger = mock.MagicMock()
key = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
b'\x00\x00\x00\x00\x00')
data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A'
b'\x0B\x0C\x0D\x0E\x0F')
algorithm_a = enums.CryptographicAlgorithm.AES
algorithm_b = enums.CryptographicAlgorithm.HMAC_SHA512
obj = pie_objects.SymmetricKey(
algorithm_a, 128, key, [enums.CryptographicUsageMask.MAC_VERIFY])
obj.state = enums.State.ACTIVE
e._data_session.add(obj)
e._data_session.commit()
e._data_session = e._data_store_session_factory()
uuid = str(obj.unique_identifier)
cryptographic_parameters = attributes.CryptographicParameters(
cryptographic_algorithm=attributes.
CryptographicAlgorithm(algorithm_b)
)
# Verify when cryptographic_parameters is specified in request
payload = mac.MACRequestPayload(
unique_identifier=attributes.UniqueIdentifier(uuid),
cryptographic_parameters=cryptographic_parameters,
data=objects.Data(data)
)
args = (payload,)
regex = "MAC Generate must be set in the object's cryptographic " \
"usage mask"
self.assertRaisesRegexp(
exceptions.PermissionDenied,
regex, regex,
e._process_mac, e._process_mac,
*args *args