This change adds request and response payloads for the
SignatureVerify operation. Payload factories have been updated to
support SignatureVerify and new unit test suites have been added
to cover the new payload code.
This change adds demos for the ProxyKmipClient, demonstrating how
to encrypt and decrypt messages. Demo utilities have been updated
to support the new demo scripts and the KMIPProxy client has been
updated to correctly return operation results.
This change updates the encrypt/decrypt support in the cryptography
engine to support asymmetric key algorithms, specifically RSA. Unit
tests have been added to validate the new functionality.
This change updates DeriveKey support in the software server to
enforce key truncation. If the derived key is longer than the
requested cryptographic length, the derived key is truncated to
fit the requested length. A unit test has been added to cover
this update.
This change adds several integration tests that exercise the
DeriveKey functionality supported by the ProxyKmipClient. These
tests pass when run against the PyKMIP software server.
This change fixes a series of bugs in the integration test suite
introduced by the previous Get payload update. The integration
test suite now runs successfully against the PyKMIP software
server.
This change adds a demo for the ProxyKmipClient, demonstrating how
to derive keys in a variety of ways, including via encryption,
hashing, HMAC, PBKDF2, and NIST 800 108-C.
This change adds the Decrypt operation to the server. Support is
currently limited to symmetric decryption only. The decryption key
used with the operation must be in the Active state and it must
have the Decrypt bit set in its cryptographic usage mask.
This patch fixes a bug that generates intermittent sqlalchemy
DetachedInstanceErrors during the KMIP server engine unit test
execution. Specifically, this fix disables instance expiration on
commit for the sqlalchemy sessions used throughout the unit tests,
allowing access to instance attributes even if the instance is
detached from a session.
Fixes#312
This change adds the DeriveKey operation to the server. Unit tests
covering the new additions are included. The Query operation has
also been updated to reflect this addition.
This change adds support for retrieving wrapped keys from the KMIP
server. The only supported key wrapping algorithm currently is
the AES-based NIST Key Wrap algorithm (RFC 3394). MAC/signing is
not supported for key wrapping. Attribute-bundling with the wrapped
key value is not supported. Wrapping of the entire key block TTLV
encoding is not supported. Various additional error cases are
included and checked for.
Unit tests covering the additions to Get are included.
This change fixes key wrapping support in the cryptography engine.
The original implementation used a CryptographicAlgorithm enum to
determine what key wrapping algorithm to use for key wrapping.
Closer inspection of the KMIP spec indicates that a BlockCipherMode
enum should be used instead. The engine has been updated to reflect
this change, as have the corresponding key wrapping unit tests.
This change adds key wrapping support to the CryptographyEngine,
supporting RFC 3394, AES Key Wrap, only. Numerous unit tests from
using test vectors from RFC 3394 are included.
This change updates the Get payloads to reflect current coding
styles. It streamlines payload usage and makes it easier to create
and access payload fields. A new unit test suite dedicated to the
Get payloads is added. Surrounding code in the client/server and
associated utilities and unit tests are updated to reflect these
changes.
This change updates the KeyWrappingData struct to conform with
current library styles. This struct is used with key data to
represent a wrapped key and will be used by future patches to
support key wrapping functionality. Updated unit tests matching
the new additions are included.
This change updates the KeyWrappingSpecification struct to conform
with current library styles. This struct is used for key wrapping
functionality and will be used in future patches. Updated unit
tests matching the new additions are included.
This change updates the MACSignatureKeyInformation struct to
conform with current library styles. This struct is used for key
wrapping functionality and will be leveraged by future patches.
Updated unit tests matching the new additions are included.
This change updates the EncryptionKeyInformation struct to conform
with current library styles. This struct is used for key wrapping
functionality and will be leveraged by future patches. Updated
unit tests matching the new additions are included.
This change adds key derivation functionality to the cryptographic
engine, adding support for multiple key derivation methods,
including encrypting, hashing, HMACing, and specific algorithms
like PBKDF2 and NIST 800-108. Numerous unit tests are included
from established cryptographic testing sources to verify the
added functionality.
This change adds decryption functionality to the cryptographic
engine used by the server. It supports a variety of symmetric
decryption algorithms and block cipher modes. Asymmetric
decryption support will be added in a future patch.
Unit tests and minor updates to surrounding code are included.
This change adds request/response payloads for the DeriveKey
operation, updating the payload factories to support DeriveKey.
Unit tests for the payloads and payload factories are included.
The inequality operator was also added to the TemplateAttribute
struct to support the DeriveKey payload unit tests; differences
in Python2.7 and 3+ led to comparison failures.
This change adds support for the DerivationParameters struct,
which is needed for DeriveKey support. Unit tests are included to
cover all newly added code.
This change adds request and response payloads for Decrypt
operation, updating the payload factories to support Decrypt
payloads. Unit tests for all new code are included.
This change adds Encrypt operation support to the KMIPProxy and
ProxyKmipClient clients, including unit tests to cover the new
functionality.
Extensive documentation has been added to the header comments for
the new client methods detailing the expected input parameters and
return values. This approach should be followed for all new client
additions going forward.
This change adds the Encrypt operation to the server. Support is
currently limited to symmetric encryption only. The encryption key
used with the operation must be in the Active state and it must
have the Encrypt bit set in its cryptographic usage mask.
This change adds encryption functionality to the cryptographic
engine used by the server. It supports a variety of symmetric
encryption algorithms and block cipher modes. Asymmetric encryption
support will be added in a future patch.
Unit tests and minor updates to surrounding core code are included.
This change adds request and response payloads for the Encrypt
operation, updating the payload factories to support Encrypt
payloads. Unit tests for all new code are included.
This change updates the CryptographicParameters struct, removing the
primitive class wrappers that it used to use for attribute values
and replacing them with struct properties that internally manage the
primitive objects directly. This gutting and regutting necessitates
cascading changes to every part of the library that used these
internal primitive class wrappers, including unit tests, client and
client tests, and attribute factory handlers. All of these have been
updated to reflect the correct usage of the CryptographicParameters
struct.
This change also adds in additional attribute members for the
CryptographicParameters struct to bring it up to spec with KMIP 1.2.
This change loosens the input requirements for ProxyKmipClient
operations that accept a secret UID. Operations like Get and
Destroy used to require a string value but are allowed in the
KMIP specification to take no value at all. This change updates
the ProxyKmipClient to properly reflect the specification. The
underlying KMIPProxy client is mostly unchanged.
Closes#261
This change updates the server results returned by the Query
operation to match the current set of supported features. The tests
for Query have been updated to better reflect testing across KMIP
versions.
This change removes the original KMIPServer implementation, along
with all supporting classes. The KmipServer implementation is the
only supported server implementation going forward.
This change fixes a bug with the CreateKeyPair demo script for the
KMIPProxy client. The key pair name was never included with the
create request due to variable name overuse. This change fixes the
variable names thereby fixing the demo script.
Fixes#249
This change removes PyKMIP support for Python2.6. The last release
of Python2.6 occurred in October 2013, over 3 years ago. It also
does not support security features needed to use PyKMIP according
to best practices. This change drops tox and TravisCI settings for
Python2.6 and updates setup to no longer categorize the library as
Python2.6 compliant. The README has been updated accordingly.
Closes#116
This change restructures how access controls are enforced for
different server operations, pulling common code into a shared
method for reuse. The server unit tests have been updated to
reflect this change.
This change updates the server and managed object set to support
the InitialDate attribute. The InitialDate is set when the Create,
CreateKeyPair, and Register operations are invoked and can be
listed and retrieved with the GetAttributeList and GetAttributes
operations respectively. The server unit tests have been updated
to reflect these changes.
This change adds support for the GetAttributeList operation. The
user can specify the ID of a managed object and get back a list
containing the names of all attributes currently set on the object.
The user can also omit the ID and the server will default to using
the ID placeholder for the object ID. New server tests have been
added to cover this feature. The GetAttributeList payloads have
also been updated for consistency with other payloads, requiring
minor updates in other clients and unit tests.
This change fixes a bug introduced with the addition of Python3.5
support. In Python3.5, SIGINT is silently ignored for system calls
(e.g., socket.accept) if the SIGINT signal handler does not raise
an exception. This causes the server to delay shutdown when
receiving SIGINT until after a new connection has been made. This
change updates the server's SIGINT signal handler to raise the
correct exception and updates the error handling code while serving
connections to account for this change in SIGINT processing. This
allows the server to shutdown immediately upon receiving SIGINT.
The server unit tests are updated to account for this change.
This change updates the polymorphic identity used by
X509Certificate objects. The original identity was already used by
the base Certificate object, causing sqlalchemy to raise a warning
when used. This change resolves the identity reassignment and
prevents the warning from being displayed.
This change updates how the built-in open function is mocked in
the PyKMIP server test suite. On some platforms the old approach
was insufficient. This change explicitly references the builtins
module for Python3+, removing the old module-based mock.
This change fixes a bug that could occur when accessing the server
with multiple threads or processes. The SQLite backend by default
does not support multithreading. This change updates how the
SQLite backend is instantiated, preventing error generation when
using multiple clients simultaenously. The server unit test suite
has been updated to cover the change.
This update includes new operations and features for the clients
and server, in addition to other minor updates and bug fixes:
* Add support for Python 3.5
* Add support for the State and OperationPolicyName attributes
* Add server support for the Activate and GetAttributes operations
* Add server support for certificate-based client authentication
* Add server support for object access control via operation policy
* Add server support for loading of user-defined operation policies
* Add client support for the GetAttributes operation
* Update clients to support operation policy names with objects
* Update ProxyKmipClient to support names when creating new objects
* Remove coveralls integration
* Fix bug with server termination on missing request credential
* Fix bug with closing the client while unconnected to a server
* Fix bug with default values overriding server conf file settings
* Fix bug with early server termination on bad client certificates
* Fix bug with deprecated usage of the bandit config file
* Fix bug with ProxyKmipClient registering unset object attributes
Dane Fichter
Peter Hamilton
Peter Hamilton
Hao Shen
Peter Hamilton
Charles Stephens