This change moves the KMIPProtocol class from the server module
to the services module. Because the client uses KMIPProtocol, and
KMIPProtocol lived in the server module, the client would end up
importing server libraries whenever it was used. If there are any
issues with server dependencies, this would cause the client to
fail for no good reason. This change now insulates the client from
the server code base and prevents this case from happening.
See #509
This change updates the CreateKeyPair payloads to support KMIP 2.0
features, including swapping out TemplateAttributes for the new
Attributes structure in the request payload and removing all
attribute-related encodings from the response payload. Unit tests
have been added to cover these changes.
This change updates the TemplateAttribute conversion utilities to
remove use of various TemplateAttribute subclasses. This reflects
the usage updates added for CreateKeyPair support. All related
unit tests have been updated to reflect this change.
This change updates the CreateKeyPair payloads to the current
payload format, adding properties for different payload attributes
and adding comparison and string operators. Changes are also made
to the PyKMIP clients and the surrounding testing infrastructure
to reflect the payload changes. The official unit test suite for
the CreateKeyPair payloads has been updated to also reflect these
changes.
This change prepares the CreateKeyPair payloads for future
updates to support KMIP 2.0.
This change updates the Locate payloads to support KMIP 2.0
features, including swapping out individual Attribute structures
for the new Attributes structure in the request payload. Unit
tests have been added to cover these changes.
This change updates the Locate payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Locate payloads has also been included, which will eventually
replace the existing Locate message tests elsewhere in the test
suite.
This change prepares the Locate payloads for future updates to
support KMIP 2.0.
This changes adds several utilities for working with bit mask
enumerations, including functions to compute bit masks from lists
of enumeration values and vice versa. Unit tests have been added
to cover these new utilities.
This change updates the Register payloads to support KMIP 2.0
features, including swapping out TemplateAttributes for the new
Attributes structure in the request payload and removing all
attribute-related encodings from the response payload. Unit tests
have been added to cover these changes.
This change updates the Register payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Register payloads has also been included, which will eventually
replace the existing Register message tests elsewhere in the test
suite.
This change prepares the Register payloads for future updates to
support KMIP 2.0.
When TLS handshake is performed while in `accept()` call, main thread
might blocked up to network timeout effectively locking out other
clients from being able to establish connection with PyKMIP server.
Easy way to reproduce the problem:
1. Start PyKMIP server
2. Establish TCP connection with `nc -v 127.0.0.1 5696`
3. Attempt to connect (concurrently):
`openssl s_client -host 127.0.0.1 -port 5696`
Without the fix, `openssl` would be blocked (won't even do initial TLS
handshake) until `nc` connection times out.
This change updates the Create payloads to support KMIP 2.0
features, including swapping out TemplateAttributes for the new
Attributes structure in the request payload and removing all
attribute-related encodings from the response payload. Unit tests
have been added to cover these changes.
This change adds several attribute-related utilities that support
converting TemplateAttribute structures to the new Attributes
structure and back. These utilities will be used in the updated
operation payloads to support seamless KMIP 2.0 encodings without
requiring broad payload internal and external usage changes.
Unit tests have been included to cover the new utility functions.
This change updates the Create payloads to the current payload
format, adding properties for different payload attributes and
adding comparison and string operators. Changes are also made to
the PyKMIP clients and the surrounding testing infrastructure to
reflect the payload changes. An official unit test suite for the
Create payloads has also been included, which will eventually
replace the existing Create message tests elsewhere in the test
suite.
This change prepares the Create payloads for future updates to
support KMIP 2.0.
This change adds a check to the read and write methods of the new
Attributes object that raises a new VersionNotSupported exception
if KMIP 2.0 is not the version used for encoding and decoding.
The Attributes object is not defined for older versions of KMIP
and therefore cannot be correctly encoded or decoded in those use
cases.
This change adds a new Enum subclass, OrderedEnum, that provides
comparison operators allowing for comparisons between enum values.
This will be used going forward with the KMIPVersion enum enabling
version checking on supported or unsupported object types.
This change adds a new Attributes object to the object hierarchy,
which replaces TemplateAttributes in KMIP 2.0. The old attribute
components, like the AttributeName and AttributeIndex, are no
longer used and are instead replaced with the KMIP TTLV tag for
the attributes in question. This brings the attribute encoding
process in line with the rest of the KMIP specification.
To support this change, additional attribute and enumeration
utility functions have been added to simply attribute building
and attribute/enumeration validity checking. New test cases
covering this new functionality are also included.
This change updates the PyKMIP object hierarchy's read/write
method signatures to support propagation of the KMIP version. The
introduction of KMIP 2.0 introduces future KMIP message encodings
that break backwards compatibility; to support this, PyKMIP must
know what KMIP version is being used when encoding or decoding an
object; the KMIP version residing in the client or server alone
is now insufficient. Prior versions of KMIP, namely 1.0 - 1.4,
have been backwards compatible, obviating the need for the KMIP
version at encode/decode time. Going forward, this is no longer
true.
The PyKMIP client and server have been updated to include the
KMIP version when making calls to read/write, as have the
associated test cases covering this functionality.
This change fixes a bug in the KMIPProxy client's support for the
Rekey operation. Specifically, if the operation fails and does not
return a payload, the client will still try to reference the
payload object when checking for TemplateAttribute data. This
causes an AttributeError since the payload is None. This change
fixes this and adds a unit test that covers this specific case.
Fixes#474
This change updates the PyKMIP clients, adding support for getting
and setting the KMIP version they use when making KMIP requests.
You can now do:
>>> client.kmip_version
to get the KMIP version enumeration the client is using. Use:
>>> client.kmip_version = enums.KMIPVersion.KMIP_1_1
to set the KMIP version the client uses.
The client unit tests have been updated to check and cover these
changes.
Fixes#470
This change updates the list of KMIP versions supported by the
server. While the server does not support any specific KMIP 1.3
or 1.4 features, the protocol formats are compatible across KMIP
1.0 to 1.4. Without this change, KMIP 1.3 and 1.4 requests for
older operations, like Create, Get, and Destroy, would fail.
This change also updates the server unit tests impacted by this
change.
Closes#451
This change fixes various pending deprecation warnings throughout
the library caused by recent updates to different dependencies.
While PyKMIP no longer directly triggers these warnings, some
dependencies still do when run through the test suite.
A recent style update to Python 3.6 adds deprecation W605, which
tightens the usage of invalid escape sequences. This patch removes
any instances of invalid escape sequences from the PyKMIP code
base, bringing the library back up to compliance with Python style.
As an application developer, you might expect to be able to turn on
debug logging at the root logger with something like
logging.basicConfig(level=logging.DEBUG)
However, if the application needed to fetch any secrets from a KMIP
server, these previously would be logged as part of the wire protocol.
Further, any passwords in configs would also get logged at DEBUG.
Applications would need to proactively silence such logging, as in
https://github.com/openstack/swift/commit/12b6d46
Now, we will default the logger level to INFO to suppress the debug
logging. However, seeing the on-wire data may still be useful, for
example when developing a new KMIP server. So, allow developers to
consciously set the logger level to DEBUG.
The old text made perfect sense when in a server context, trying to
read requests from clients, but KMIPProtocol is also used by *clients*
to read *responses*. Let's change it to something a little more
request/response agnostic.
Otherwise, you don't get much insight into why you had to settle for
your third configured host. Now, you can get information like
An error occurred while connecting to appliance foo.bar:
[Errno -5] No address associated with hostname
An error occurred while connecting to appliance localhost:
[Errno 111] Connection refused
even when we ultimately succeed in creating a client.
At that point, it's up to the caller to decide whether a stack trace is
appropriate; if the caller decides the connection error is recoverable,
us logging a traceback will only confuse things.
Also, prevent a TypeError during log interpolation by actually using the
argument we were providing.
Otherwise, you can hit errors with tracebacks like
Traceback (most recent call last):
...
File ".../kmip/pie/client.py", line 1573, in __enter__
self.open()
File ".../kmip/pie/client.py", line 135, in open
raise e
IOError: [Errno 2] No such file or directory
... which isn't terribly useful; it doesn't give you any information
about *what* file wasn't found. By using a bare `raise`, you preserve
the rest of the stack and get
Traceback (most recent call last):
...
File ".../kmip/pie/client.py", line 1573, in __enter__
self.open()
File ".../kmip/pie/client.py", line 131, in open
self.proxy.open()
File ".../kmip/services/kmip_client.py", line 221, in open
self._create_socket(sock)
File ".../kmip/services/kmip_client.py", line 246, in _create_socket
suppress_ragged_eofs=self.suppress_ragged_eofs)
File ".../eventlet/green/ssl.py", line 379, in wrap_socket
return GreenSSLSocket(sock, *a, **kw)
File ".../eventlet/green/ssl.py", line 68, in __init__
ca_certs, do_handshake_on_connect and six.PY2, *args, **kw)
File ".../ssl.py", line 558, in __init__
self._context.load_verify_locations(ca_certs)
IOError: [Errno 2] No such file or directory
... which makes it clear that it was a problem with the CA certificate
bundle.
This update includes new operations and features for the client
and server, in addition to other minor updates and bug fixes:
* Add Sphinx-based client and server library documentation
* Add server support for third-party authentication systems
* Add client support for the Check operation
* Add client support for the Rekey operation
* Add client support for attestation credentials
* Add functional tests for server auth. and access control
* Add payloads for the Archive and Cancel operations
* Add payloads for the GetUsageAllocation and Poll operations
* Add payloads for the ObtainLease and Recover operations
* Update the server to support group-based operation policies
* Update the server to support live loading of policy files
* Update the server to support custom database file paths
* Update the server to raise PermissionDenied on violations
* Update the client to support custom configuration file paths
* Update the ProxyKmipClient to support Registering names
* Update the ProxyKmipClient to set usage masks for Derived keys
* Update the README to reference the new documentation
* Update the Travis CI config to test building the docs
* Update the Travis CI config to run integration tests
* Remove support for Python 3.3
* Fix a DOS bug by setting the server socket timeout
* Fix a ProxyKmipClient bug with cryptographic parameter handling
* Fix a ProxyKmipClient bug with usage mask processing
This change changes the error the server uses when access control
violations occur, specifically swapping from the more agnostic
ItemNotFound to the more explicit PermissionDenied. This change
better conforms with the expected behavior of a KMIP server.
This change tweaks the format of operation policy files, renaming
the 'default' section of each policy to 'preset'. This reinforces
the idea that this section of the policy is used only when group-
based access control is disabled. It also removes any ambiguity
between this section of the policy and the actual 'default'
policy built into the server.
This change adds a basic error message that gets raised when
attempting to read an unparseable attribute (i.e., an attribute
that is not supported by the library).
Fixes#429
This change adds a new integration test suite, named 'functional',
that is specifically intended to test third-party authentication
and group-based access control with the PyKMIP server. A new tox
environment is added to handle running these tests separately from
the existing 'integration' test suite. New Travis CI configuration
and setup files have also been added to facilitate running these
tests automatically.
This change fixes a potential denial-of-service bug with the
server, setting a default timeout for all server sockets. This
allows the server to drop hung connections without blocking
forever. The interrupt triggered during accept calls is expected
and is now handled appropriately. Server unit tests have been
updated to reflect this change.
Closes#430
This change adds client support for setting custom configuration
file paths, allowing users and developers to place their settings
file wherever they want. All client demo scripts have been updated
to support a '-s' flag that can be used to set the configuration
file for the demo. Client unit tests have also been updated to
include this change.
This change updates the server, adding in support for customizing
the backend storage file used to store all server data. The server
currently uses a simple SQLite database for storage. Prior versions
of the server kept this database file in /tmp, to emphasize the
testing focus of the server. This change loosens that restriction,
now allowing users to customize where the database file lives. A
new configuration option, 'database_path', has been added that will
override the default /tmp location for the database file. This
value can also be passed in if invoking the server via script using
the '-d' flag.
This change adds Rekey operation support to the KMIPProxy client.
The client unit test suite has been updated to cover the new
additions.
Partially addresses #405
This change adds the request/response payloads for the Rekey
operation. Unit tests are included to cover the new payloads. The
payloads package is also updated to allow direct import of the
Rekey payloads going forward.
Partially addresses #405
This change fixes how the ProxyKmipClient handles cryptographic
usage mask values for the CreateKeyPair operation. Originally,
both Encrypt and Decrypt were set by default for both public and
private keys. This is incorrect behavior for certain algorithms.
Now, only the masks specified by the caller are set on the key
pair.
Fixes#412
This change updates the ProxyKmipClient support for the DeriveKey
operation, now allowing the caller to specify a list of
CryptographicUsageMask enumerations to set on the newly derived
key.
Fixes#417
This change updates the server, integrating policy file monitoring
and restructuring the engine. The top-level server entity now
handles loading policy files using the PolicyDirectoryMonitor
subprocess. A shared memory dictionary is used to share newly
modified policy data across the session threads managed by the
server and used by the engine. The legacy policy loading code in
the engine has been removed.
Unit tests have been added and modified for both the server and
engine to verify the functionality of these modifications.
This change adds a PolicyDirectoryMonitor subprocess that can be
used by the server to continuously monitor and load operation
policies from the configured operation policy directory. The
monitor tracks policy file modifications, file creation, and file
deletion, restoring legacy policies from existing policy files
should the current file backing a policy get deleted. Changes to
existing policies are detected and updated as soon as the backing
policy file is saved to disk.
An extensive unit test is included to exercise the different
operating conditions the monitor may encounter.
This change adds Check operation support to the ProxyKmipClient.
The client unit test suite has been updated to cover the new code.
Partially addresses #405
This change adds Check operation support to the KMIPProxy client.
The client unit test suite has been updated to cover the new
additions.
Partially addresses #405
This change fixes a bug with the ProxyKmipClient handling of
cryptographic parameters, specifically handling the case where
no cryptographic parameters are provided for an operation method
call. When no parameters are specified, None is now correctly
propagated through to request handling. A client unit test has
been added to cover this fix.
Fixes#406
This change adds the ability to set the operation policy name
attribute to object creation demo scripts, including demos for
the Create, CreateKeyPair, and Register operations.
This change updates how the server session handles message
processing, adding support for the new authentication plugin
framework. Session unit tests have been updated to account for
this change.
This change updates the ProxyKmipClient support for the Register
operation, adding the ability to register Name attributes with
the managed object being registered. This matches the functionality
available when using the Create operation.
Fixes#400
This change updates server configuration handling, allowing the
server to parse and store configuration settings for authentication
plugins. Unit tests have been added to cover the new functionality.
The help message for the CreateKeyPair demo shows an incorrect
algorithm (AES) but for asymmetric keys PyKMIP only supports RSA
with a minimum length of 512-bits. This change updates the PyKMIP
documentation to correct this.
Signed-off-by: Gaurav Kumar Garg <garg.gaurav52@gmail.com>
This change adds an authentication plugin framework to be used by
the PyKMIP server. This framework will allow the server to query
third-party authentication systems for user identity information,
improving the access control model for the server. The initial
plugin provided queries an instance of the new SLUGS library.
This change adds an implementation of the AttestationCredential
introduced in KMIP 1.2. The underlying Nonce struct is included.
Unit test suites for both objects are provided. Finally, the
Credential struct has also been updated to support the new
credential type.
This change removes the legacy KMIP base class that was originally
used for the KMIPProxy client. The base class simply defined the
KMIP operation methods that the client should support. It has not
been actively used to guide client development for some time and
now just clutters up the code base. The KMIPProxy class has been
updated to remove any reference to this original base class.
This change updates the Authentication object, taking into account
the recent changes made to the Credential object hierarchy. A new
comprehensive unit test suite has been added for the Authentication
object. Usage of the object in the PyKMIP server has also been
updated to reflect these changes.
This change updates the implementation of the Credential objects.
The UsernamePassword and Device credentials are now first-class
objects and, along with the base Credential, have been restructured
to match the current struct style. Comprehensive unit test suites
for each class have been added. Additionally, the credential
factory code and its usage in the KMIPProxy class and associated
test suites have been updated to reflect this change.
This change updates the implementation of the ProtocolVersion
struct, bringing it inline with the current struct style. All
uses of the struct have been updated to reflect these changes,
as have the struct unit tests.
This change updates the PyKMIP server, allowing it to process and
use group-based operation policies. The server still supports the
original operation policy file format, so no immediate difference
should be apparent to users. Future documentation changes will
explain group-based policy files and how they should be used.
This change adds the request payload for the Poll operation. A unit
test suite for the payload is included. The payload can be imported
directly from the payloads package.
This change adds request and response payloads for the ObtainLease
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
This change adds request and response payloads for the Recover
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
This change adds request and response payloads for the
GetUsageAllocation operation. Unit test suites are included for
both payloads and both payloads can be imported directly from the
payloads package.
This change adds request and response payloads for the Cancel
operation. Unit test suites are included for both payloads. Both
payloads can be imported directly from the payloads package.
This change removes unused exceptions defined in core/errors.py,
along with the errors.py module itself. The few used items from
this file are migrated over to core/exceptions.py. Any dependent
code is updated, dropping the use of errors.py and adding in the
use of exceptions.py.
This change adds request and response payloads for the Archive
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
This update includes new operations and features for the client
and server, in addition to other minor updates and bug fixes:
* Add support for Python 3.6
* Add support for the InitialDate attribute
* Add server support for the GetAttributeList operation
* Add server support for the Locate operation
* Add client and server support for the MAC operation
* Add client and server support for the Revoke operation
* Add client and server support for the Encrypt operation
* Add client and server support for the Decrypt operation
* Add client and server support for the DeriveKey operation
* Add client and server support for the Sign operation
* Add client and server support for the SignatureVerify operation
* Add client and server support for retrieving wrapped keys
* Add client and server support for storing wrapped keys
* Add KMIP 1.4 enumerations
* Add server config option enabling certificate extension checks
* Add server config option defining set of usable TLS ciphers
* Add server config option setting the server log level
* Update server to enforce checking object state and usage masks
* Update server Locate support to allow object name filtering
* Remove support for Python 2.6
* Fix bug with multithreading support with the SQLite backend
* Fix bug with how open() is mocked in the server test suite
* Fix bug with mismapped polymorphic identity for certificates
* Fix bug with socket interrupt handling under Python 3.5
* Fix bug with detached instance errors in the server test suite
This change fixes a bug with the KmipSession logging shared
ciphers used by the TLS connection. The SSLSocket only supports
shared cipher information starting with Python 3.5. Any use of
the server with older versions of Python will fail when any
connection attempts are made. This fix adds a conditional check
that skips logging shared cipher information if the SSLSocket
does not support that information.
Fixes#361
This change fixes violations of E722, the use of except without
specifying an exception type. For now the high-level Exception
class is used as a generic catchall. In the future these cases
will be updated to handle the specific exceptions expected.
This change removes the redundant KmipClient API class from the
pie package. The ProxyKmipClient is the main client going forward
and there is no need for a generic API against which to develop
new clients. If this is needed in the future, it is trivial to
restore.
This change updates the root-level kmip package, allowing users
to now import the client directly from the kmip package:
from kmip import KmipClient
The KmipClient is an alias for the ProxyKmipClient located in
kmip.pie.client. This will simplify usage and help obfuscate
internal package details that may change in the future.
This change renames the CertificateTypeEnum enumeration to
CertificateType, matching the naming schemes of all other
enumerations. This is a backwards incompatible change and
will break any scripts or programs that use the current
CertificateTypeEnum name.
This change updates the root-level kmip package, allowing users
to now import enums directly from the kmip package:
from kmip import enums
Enumerations are used throughout the codebase and user applications
and this will simplify usage and help obfuscate internal package
details that may change in the future.
This change adds a ProxyKmipClient integration test that verifies
that a wrapped key can be registered with the server and can then
be retrieved, along with all of its key wrapping metadata. Minor
updates to the underlying metadata handling are included.
This change makes several minor updates to different structs
pertaining to key wrapping, allowing these structs to accept and
process dict arguments. Unit tests have been updated to reflect
this change.
This change adds an integration test for the ProxyKmipClient that
verifies that Get can be used with a key wrapping specification
to retrieve a key cryptographically wrapped with another key.
This change updates the KMIP object model to support explicitly
storing key wrapping data attributes. Key wrapping data is treated
externally as a dictionary and is stored as individual fields in
the back end. Various unit tests have been updated and added to
support these additions.
This change updates the ProxyKmipClient, allowing Get operation
calls to retrieve wrapped keys by providing key wrapping
specification information with the request. Unit tests have been
added and updated to reflect this change.
This change adds a logging level configuration option for the
server, allowing the admin to control what server activity gets
collected for logging. Unit tests have been added and updated to
cover this new configuration setting.
This change updates ProxyKmipClient support for the CreateKeyPair
operation, adding in optional arguments allowing the user to
specify the cryptographic usage masks for the public and private
keys that will be created. Unit tests have been added to cover
this change.
This change updates how private key bytes are loaded when signing
data. The prior approach required binascii to unhexlify the byte
string. The current approach removes this requirement, matching
the rest of the library. All unit tests have been updated to
reflect this change.
This change updates payload management, streamlining the import
process for kmip.core.messages.payloads. Now any request or
response payload is accessible by importing payloads. All code
importing and using individual payload modules has been updated
to use this new approach.
This change updates the ProxyKmipClient close method, allowing
it to be called without error even when the client connection is
not open. The client unit tests have been updated to reflect this.
This change simplifies how the ProxyKmipClient enforces the open
connection check on operation method calls. Each operation method
is now wrapped with an is_connected decorator which handles the
connection check. All old in-method connection checks have been
removed.
This change adds a server configuration option, tls_cipher_suites,
allowing the server admin to specify a list of cipher suites to be
used when establishing TLS connections with clients. The custom
list supports both cipher suite specification and OpenSSL suite
naming conventions. The list is filtered through a KMIP-approved
set of cipher suites, and then through a set of cipher suites
suitable for the configured authentication suite. Additional debug
logging has been added to the server to provide transparency on
this process.
This change adds a server configuration option to control the
enforcement of TLS certificate client authentication. Before,
client TLS certificates had to include the extended key usage
extension with the clientAuth bit set to be used as sources of
client identity. The new configuration option,
enable_tls_client_auth, allows server admins to enable/disable
this requirement. The configuration setting is optional and the
server defaults to the original enforcing behavior if it is not
set. Admins must explicitly set the option to False to disable
enforcement.
This change adds a demo for the ProxyKmipClient, demonstrating
how to verify a message signature using a public key. Only RSA
keys and signatures are supported for now.
This change adds the SignatureVerify operation to the server. Unit
tests covering the additions are included. The Query operation has
been updated to reflect this addition.
This change adds signature verification support to the server
cryptography engine. Only RSA-based signatures are currently
supported. Unit tests have been added to verify the new
functionality.
This change adds request and response payloads for the
SignatureVerify operation. Payload factories have been updated to
support SignatureVerify and new unit test suites have been added
to cover the new payload code.
This change adds demos for the ProxyKmipClient, demonstrating how
to encrypt and decrypt messages. Demo utilities have been updated
to support the new demo scripts and the KMIPProxy client has been
updated to correctly return operation results.
This change updates the encrypt/decrypt support in the cryptography
engine to support asymmetric key algorithms, specifically RSA. Unit
tests have been added to validate the new functionality.
This change updates DeriveKey support in the software server to
enforce key truncation. If the derived key is longer than the
requested cryptographic length, the derived key is truncated to
fit the requested length. A unit test has been added to cover
this update.
This change adds several integration tests that exercise the
DeriveKey functionality supported by the ProxyKmipClient. These
tests pass when run against the PyKMIP software server.
This change fixes a series of bugs in the integration test suite
introduced by the previous Get payload update. The integration
test suite now runs successfully against the PyKMIP software
server.
This change adds a demo for the ProxyKmipClient, demonstrating how
to derive keys in a variety of ways, including via encryption,
hashing, HMAC, PBKDF2, and NIST 800 108-C.
This change adds the Decrypt operation to the server. Support is
currently limited to symmetric decryption only. The decryption key
used with the operation must be in the Active state and it must
have the Decrypt bit set in its cryptographic usage mask.
This patch fixes a bug that generates intermittent sqlalchemy
DetachedInstanceErrors during the KMIP server engine unit test
execution. Specifically, this fix disables instance expiration on
commit for the sqlalchemy sessions used throughout the unit tests,
allowing access to instance attributes even if the instance is
detached from a session.
Fixes#312
This change adds the DeriveKey operation to the server. Unit tests
covering the new additions are included. The Query operation has
also been updated to reflect this addition.
This change adds support for retrieving wrapped keys from the KMIP
server. The only supported key wrapping algorithm currently is
the AES-based NIST Key Wrap algorithm (RFC 3394). MAC/signing is
not supported for key wrapping. Attribute-bundling with the wrapped
key value is not supported. Wrapping of the entire key block TTLV
encoding is not supported. Various additional error cases are
included and checked for.
Unit tests covering the additions to Get are included.
Peter Hamilton
Andrey Smirnov
Peter Hamilton
Tim Burke
uniscon1105
Dane
alishamayor
Edward Betts