This change adds request and response payloads for the Recover
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
This change adds request and response payloads for the
GetUsageAllocation operation. Unit test suites are included for
both payloads and both payloads can be imported directly from the
payloads package.
This change adds request and response payloads for the Cancel
operation. Unit test suites are included for both payloads. Both
payloads can be imported directly from the payloads package.
This change removes unused exceptions defined in core/errors.py,
along with the errors.py module itself. The few used items from
this file are migrated over to core/exceptions.py. Any dependent
code is updated, dropping the use of errors.py and adding in the
use of exceptions.py.
This change adds request and response payloads for the Archive
operation. Unit test suites are included for both payloads and
both payloads can be imported directly from the payloads package.
This update includes new operations and features for the client
and server, in addition to other minor updates and bug fixes:
* Add support for Python 3.6
* Add support for the InitialDate attribute
* Add server support for the GetAttributeList operation
* Add server support for the Locate operation
* Add client and server support for the MAC operation
* Add client and server support for the Revoke operation
* Add client and server support for the Encrypt operation
* Add client and server support for the Decrypt operation
* Add client and server support for the DeriveKey operation
* Add client and server support for the Sign operation
* Add client and server support for the SignatureVerify operation
* Add client and server support for retrieving wrapped keys
* Add client and server support for storing wrapped keys
* Add KMIP 1.4 enumerations
* Add server config option enabling certificate extension checks
* Add server config option defining set of usable TLS ciphers
* Add server config option setting the server log level
* Update server to enforce checking object state and usage masks
* Update server Locate support to allow object name filtering
* Remove support for Python 2.6
* Fix bug with multithreading support with the SQLite backend
* Fix bug with how open() is mocked in the server test suite
* Fix bug with mismapped polymorphic identity for certificates
* Fix bug with socket interrupt handling under Python 3.5
* Fix bug with detached instance errors in the server test suite
This change fixes a bug with the KmipSession logging shared
ciphers used by the TLS connection. The SSLSocket only supports
shared cipher information starting with Python 3.5. Any use of
the server with older versions of Python will fail when any
connection attempts are made. This fix adds a conditional check
that skips logging shared cipher information if the SSLSocket
does not support that information.
Fixes#361
This change fixes violations of E722, the use of except without
specifying an exception type. For now the high-level Exception
class is used as a generic catchall. In the future these cases
will be updated to handle the specific exceptions expected.
This change removes the redundant KmipClient API class from the
pie package. The ProxyKmipClient is the main client going forward
and there is no need for a generic API against which to develop
new clients. If this is needed in the future, it is trivial to
restore.
This change updates the root-level kmip package, allowing users
to now import the client directly from the kmip package:
from kmip import KmipClient
The KmipClient is an alias for the ProxyKmipClient located in
kmip.pie.client. This will simplify usage and help obfuscate
internal package details that may change in the future.
This change renames the CertificateTypeEnum enumeration to
CertificateType, matching the naming schemes of all other
enumerations. This is a backwards incompatible change and
will break any scripts or programs that use the current
CertificateTypeEnum name.
This change updates the root-level kmip package, allowing users
to now import enums directly from the kmip package:
from kmip import enums
Enumerations are used throughout the codebase and user applications
and this will simplify usage and help obfuscate internal package
details that may change in the future.
This change adds a ProxyKmipClient integration test that verifies
that a wrapped key can be registered with the server and can then
be retrieved, along with all of its key wrapping metadata. Minor
updates to the underlying metadata handling are included.
This change makes several minor updates to different structs
pertaining to key wrapping, allowing these structs to accept and
process dict arguments. Unit tests have been updated to reflect
this change.
This change adds an integration test for the ProxyKmipClient that
verifies that Get can be used with a key wrapping specification
to retrieve a key cryptographically wrapped with another key.
This change updates the KMIP object model to support explicitly
storing key wrapping data attributes. Key wrapping data is treated
externally as a dictionary and is stored as individual fields in
the back end. Various unit tests have been updated and added to
support these additions.
This change updates the ProxyKmipClient, allowing Get operation
calls to retrieve wrapped keys by providing key wrapping
specification information with the request. Unit tests have been
added and updated to reflect this change.
This change adds a logging level configuration option for the
server, allowing the admin to control what server activity gets
collected for logging. Unit tests have been added and updated to
cover this new configuration setting.
This change updates ProxyKmipClient support for the CreateKeyPair
operation, adding in optional arguments allowing the user to
specify the cryptographic usage masks for the public and private
keys that will be created. Unit tests have been added to cover
this change.
This change updates how private key bytes are loaded when signing
data. The prior approach required binascii to unhexlify the byte
string. The current approach removes this requirement, matching
the rest of the library. All unit tests have been updated to
reflect this change.
This change updates payload management, streamlining the import
process for kmip.core.messages.payloads. Now any request or
response payload is accessible by importing payloads. All code
importing and using individual payload modules has been updated
to use this new approach.
This change updates the ProxyKmipClient close method, allowing
it to be called without error even when the client connection is
not open. The client unit tests have been updated to reflect this.
This change simplifies how the ProxyKmipClient enforces the open
connection check on operation method calls. Each operation method
is now wrapped with an is_connected decorator which handles the
connection check. All old in-method connection checks have been
removed.
This change adds a server configuration option, tls_cipher_suites,
allowing the server admin to specify a list of cipher suites to be
used when establishing TLS connections with clients. The custom
list supports both cipher suite specification and OpenSSL suite
naming conventions. The list is filtered through a KMIP-approved
set of cipher suites, and then through a set of cipher suites
suitable for the configured authentication suite. Additional debug
logging has been added to the server to provide transparency on
this process.
This change adds a server configuration option to control the
enforcement of TLS certificate client authentication. Before,
client TLS certificates had to include the extended key usage
extension with the clientAuth bit set to be used as sources of
client identity. The new configuration option,
enable_tls_client_auth, allows server admins to enable/disable
this requirement. The configuration setting is optional and the
server defaults to the original enforcing behavior if it is not
set. Admins must explicitly set the option to False to disable
enforcement.
This change adds a demo for the ProxyKmipClient, demonstrating
how to verify a message signature using a public key. Only RSA
keys and signatures are supported for now.
This change adds the SignatureVerify operation to the server. Unit
tests covering the additions are included. The Query operation has
been updated to reflect this addition.
This change adds signature verification support to the server
cryptography engine. Only RSA-based signatures are currently
supported. Unit tests have been added to verify the new
functionality.
This change adds request and response payloads for the
SignatureVerify operation. Payload factories have been updated to
support SignatureVerify and new unit test suites have been added
to cover the new payload code.
This change adds demos for the ProxyKmipClient, demonstrating how
to encrypt and decrypt messages. Demo utilities have been updated
to support the new demo scripts and the KMIPProxy client has been
updated to correctly return operation results.
This change updates the encrypt/decrypt support in the cryptography
engine to support asymmetric key algorithms, specifically RSA. Unit
tests have been added to validate the new functionality.
This change updates DeriveKey support in the software server to
enforce key truncation. If the derived key is longer than the
requested cryptographic length, the derived key is truncated to
fit the requested length. A unit test has been added to cover
this update.
This change adds several integration tests that exercise the
DeriveKey functionality supported by the ProxyKmipClient. These
tests pass when run against the PyKMIP software server.
This change fixes a series of bugs in the integration test suite
introduced by the previous Get payload update. The integration
test suite now runs successfully against the PyKMIP software
server.
This change adds a demo for the ProxyKmipClient, demonstrating how
to derive keys in a variety of ways, including via encryption,
hashing, HMAC, PBKDF2, and NIST 800 108-C.
This change adds the Decrypt operation to the server. Support is
currently limited to symmetric decryption only. The decryption key
used with the operation must be in the Active state and it must
have the Decrypt bit set in its cryptographic usage mask.
This patch fixes a bug that generates intermittent sqlalchemy
DetachedInstanceErrors during the KMIP server engine unit test
execution. Specifically, this fix disables instance expiration on
commit for the sqlalchemy sessions used throughout the unit tests,
allowing access to instance attributes even if the instance is
detached from a session.
Fixes#312
This change adds the DeriveKey operation to the server. Unit tests
covering the new additions are included. The Query operation has
also been updated to reflect this addition.
This change adds support for retrieving wrapped keys from the KMIP
server. The only supported key wrapping algorithm currently is
the AES-based NIST Key Wrap algorithm (RFC 3394). MAC/signing is
not supported for key wrapping. Attribute-bundling with the wrapped
key value is not supported. Wrapping of the entire key block TTLV
encoding is not supported. Various additional error cases are
included and checked for.
Unit tests covering the additions to Get are included.
This change fixes key wrapping support in the cryptography engine.
The original implementation used a CryptographicAlgorithm enum to
determine what key wrapping algorithm to use for key wrapping.
Closer inspection of the KMIP spec indicates that a BlockCipherMode
enum should be used instead. The engine has been updated to reflect
this change, as have the corresponding key wrapping unit tests.
This change adds key wrapping support to the CryptographyEngine,
supporting RFC 3394, AES Key Wrap, only. Numerous unit tests from
using test vectors from RFC 3394 are included.
This change updates the Get payloads to reflect current coding
styles. It streamlines payload usage and makes it easier to create
and access payload fields. A new unit test suite dedicated to the
Get payloads is added. Surrounding code in the client/server and
associated utilities and unit tests are updated to reflect these
changes.
This change updates the KeyWrappingData struct to conform with
current library styles. This struct is used with key data to
represent a wrapped key and will be used by future patches to
support key wrapping functionality. Updated unit tests matching
the new additions are included.
This change updates the KeyWrappingSpecification struct to conform
with current library styles. This struct is used for key wrapping
functionality and will be used in future patches. Updated unit
tests matching the new additions are included.
This change updates the MACSignatureKeyInformation struct to
conform with current library styles. This struct is used for key
wrapping functionality and will be leveraged by future patches.
Updated unit tests matching the new additions are included.
This change updates the EncryptionKeyInformation struct to conform
with current library styles. This struct is used for key wrapping
functionality and will be leveraged by future patches. Updated
unit tests matching the new additions are included.
This change adds key derivation functionality to the cryptographic
engine, adding support for multiple key derivation methods,
including encrypting, hashing, HMACing, and specific algorithms
like PBKDF2 and NIST 800-108. Numerous unit tests are included
from established cryptographic testing sources to verify the
added functionality.
This change adds decryption functionality to the cryptographic
engine used by the server. It supports a variety of symmetric
decryption algorithms and block cipher modes. Asymmetric
decryption support will be added in a future patch.
Unit tests and minor updates to surrounding code are included.
This change adds request/response payloads for the DeriveKey
operation, updating the payload factories to support DeriveKey.
Unit tests for the payloads and payload factories are included.
The inequality operator was also added to the TemplateAttribute
struct to support the DeriveKey payload unit tests; differences
in Python2.7 and 3+ led to comparison failures.
This change adds support for the DerivationParameters struct,
which is needed for DeriveKey support. Unit tests are included to
cover all newly added code.
This change adds request and response payloads for Decrypt
operation, updating the payload factories to support Decrypt
payloads. Unit tests for all new code are included.
This change adds Encrypt operation support to the KMIPProxy and
ProxyKmipClient clients, including unit tests to cover the new
functionality.
Extensive documentation has been added to the header comments for
the new client methods detailing the expected input parameters and
return values. This approach should be followed for all new client
additions going forward.
This change adds the Encrypt operation to the server. Support is
currently limited to symmetric encryption only. The encryption key
used with the operation must be in the Active state and it must
have the Encrypt bit set in its cryptographic usage mask.
This change adds encryption functionality to the cryptographic
engine used by the server. It supports a variety of symmetric
encryption algorithms and block cipher modes. Asymmetric encryption
support will be added in a future patch.
Unit tests and minor updates to surrounding core code are included.
This change adds request and response payloads for the Encrypt
operation, updating the payload factories to support Encrypt
payloads. Unit tests for all new code are included.
This change updates the CryptographicParameters struct, removing the
primitive class wrappers that it used to use for attribute values
and replacing them with struct properties that internally manage the
primitive objects directly. This gutting and regutting necessitates
cascading changes to every part of the library that used these
internal primitive class wrappers, including unit tests, client and
client tests, and attribute factory handlers. All of these have been
updated to reflect the correct usage of the CryptographicParameters
struct.
This change also adds in additional attribute members for the
CryptographicParameters struct to bring it up to spec with KMIP 1.2.
This change loosens the input requirements for ProxyKmipClient
operations that accept a secret UID. Operations like Get and
Destroy used to require a string value but are allowed in the
KMIP specification to take no value at all. This change updates
the ProxyKmipClient to properly reflect the specification. The
underlying KMIPProxy client is mostly unchanged.
Closes#261
This change updates the server results returned by the Query
operation to match the current set of supported features. The tests
for Query have been updated to better reflect testing across KMIP
versions.
This change removes the original KMIPServer implementation, along
with all supporting classes. The KmipServer implementation is the
only supported server implementation going forward.
This change fixes a bug with the CreateKeyPair demo script for the
KMIPProxy client. The key pair name was never included with the
create request due to variable name overuse. This change fixes the
variable names thereby fixing the demo script.
Fixes#249
This change removes PyKMIP support for Python2.6. The last release
of Python2.6 occurred in October 2013, over 3 years ago. It also
does not support security features needed to use PyKMIP according
to best practices. This change drops tox and TravisCI settings for
Python2.6 and updates setup to no longer categorize the library as
Python2.6 compliant. The README has been updated accordingly.
Closes#116
This change restructures how access controls are enforced for
different server operations, pulling common code into a shared
method for reuse. The server unit tests have been updated to
reflect this change.
This change updates the server and managed object set to support
the InitialDate attribute. The InitialDate is set when the Create,
CreateKeyPair, and Register operations are invoked and can be
listed and retrieved with the GetAttributeList and GetAttributes
operations respectively. The server unit tests have been updated
to reflect these changes.
This change adds support for the GetAttributeList operation. The
user can specify the ID of a managed object and get back a list
containing the names of all attributes currently set on the object.
The user can also omit the ID and the server will default to using
the ID placeholder for the object ID. New server tests have been
added to cover this feature. The GetAttributeList payloads have
also been updated for consistency with other payloads, requiring
minor updates in other clients and unit tests.
This change fixes a bug introduced with the addition of Python3.5
support. In Python3.5, SIGINT is silently ignored for system calls
(e.g., socket.accept) if the SIGINT signal handler does not raise
an exception. This causes the server to delay shutdown when
receiving SIGINT until after a new connection has been made. This
change updates the server's SIGINT signal handler to raise the
correct exception and updates the error handling code while serving
connections to account for this change in SIGINT processing. This
allows the server to shutdown immediately upon receiving SIGINT.
The server unit tests are updated to account for this change.
This change updates the polymorphic identity used by
X509Certificate objects. The original identity was already used by
the base Certificate object, causing sqlalchemy to raise a warning
when used. This change resolves the identity reassignment and
prevents the warning from being displayed.
This change updates how the built-in open function is mocked in
the PyKMIP server test suite. On some platforms the old approach
was insufficient. This change explicitly references the builtins
module for Python3+, removing the old module-based mock.
This change fixes a bug that could occur when accessing the server
with multiple threads or processes. The SQLite backend by default
does not support multithreading. This change updates how the
SQLite backend is instantiated, preventing error generation when
using multiple clients simultaenously. The server unit test suite
has been updated to cover the change.
This update includes new operations and features for the clients
and server, in addition to other minor updates and bug fixes:
* Add support for Python 3.5
* Add support for the State and OperationPolicyName attributes
* Add server support for the Activate and GetAttributes operations
* Add server support for certificate-based client authentication
* Add server support for object access control via operation policy
* Add server support for loading of user-defined operation policies
* Add client support for the GetAttributes operation
* Update clients to support operation policy names with objects
* Update ProxyKmipClient to support names when creating new objects
* Remove coveralls integration
* Fix bug with server termination on missing request credential
* Fix bug with closing the client while unconnected to a server
* Fix bug with default values overriding server conf file settings
* Fix bug with early server termination on bad client certificates
* Fix bug with deprecated usage of the bandit config file
* Fix bug with ProxyKmipClient registering unset object attributes
This change fixes a bug in the ProxyKmipClient, specifically in
the register method. The client would create attributes for the
object to register, regardless if those attributes were set on
the object. This could cause attribute value overwrites, deleting
valid default values with empty values. This change adds checks
to ensure these attributes are not created with the request if
they are not set on the object. The client unit tests have been
updated to reflect this change.
This change updates the server to better handle exceptions thrown
while looking up the value of different attributes on managed
objects. Some managed objects in PyKMIP don't currently support
attributes they are supposed to. This can cause lookup errors
when using GetAttributes. This change suppresses any exceptions
and simply returns None for the missing attribute value. The
server unit tests have been updated to account for this change.
Peter Hamilton
Peter Hamilton
Dane
alishamayor
Edward Betts
Hao Shen
Peter Hamilton
Charles Stephens