This change adds a server configuration option to control the
enforcement of TLS certificate client authentication. Before,
client TLS certificates had to include the extended key usage
extension with the clientAuth bit set to be used as sources of
client identity. The new configuration option,
enable_tls_client_auth, allows server admins to enable/disable
this requirement. The configuration setting is optional and the
server defaults to the original enforcing behavior if it is not
set. Admins must explicitly set the option to False to disable
enforcement.
This change adds a demo for the ProxyKmipClient, demonstrating
how to verify a message signature using a public key. Only RSA
keys and signatures are supported for now.
This change adds the SignatureVerify operation to the server. Unit
tests covering the additions are included. The Query operation has
been updated to reflect this addition.
This change adds signature verification support to the server
cryptography engine. Only RSA-based signatures are currently
supported. Unit tests have been added to verify the new
functionality.
This change adds request and response payloads for the
SignatureVerify operation. Payload factories have been updated to
support SignatureVerify and new unit test suites have been added
to cover the new payload code.
This change adds demos for the ProxyKmipClient, demonstrating how
to encrypt and decrypt messages. Demo utilities have been updated
to support the new demo scripts and the KMIPProxy client has been
updated to correctly return operation results.
This change updates the encrypt/decrypt support in the cryptography
engine to support asymmetric key algorithms, specifically RSA. Unit
tests have been added to validate the new functionality.
This change updates DeriveKey support in the software server to
enforce key truncation. If the derived key is longer than the
requested cryptographic length, the derived key is truncated to
fit the requested length. A unit test has been added to cover
this update.
This change adds several integration tests that exercise the
DeriveKey functionality supported by the ProxyKmipClient. These
tests pass when run against the PyKMIP software server.
This change fixes a series of bugs in the integration test suite
introduced by the previous Get payload update. The integration
test suite now runs successfully against the PyKMIP software
server.
This change adds a demo for the ProxyKmipClient, demonstrating how
to derive keys in a variety of ways, including via encryption,
hashing, HMAC, PBKDF2, and NIST 800 108-C.
This change adds the Decrypt operation to the server. Support is
currently limited to symmetric decryption only. The decryption key
used with the operation must be in the Active state and it must
have the Decrypt bit set in its cryptographic usage mask.
This patch fixes a bug that generates intermittent sqlalchemy
DetachedInstanceErrors during the KMIP server engine unit test
execution. Specifically, this fix disables instance expiration on
commit for the sqlalchemy sessions used throughout the unit tests,
allowing access to instance attributes even if the instance is
detached from a session.
Fixes#312
This change adds the DeriveKey operation to the server. Unit tests
covering the new additions are included. The Query operation has
also been updated to reflect this addition.
This change adds support for retrieving wrapped keys from the KMIP
server. The only supported key wrapping algorithm currently is
the AES-based NIST Key Wrap algorithm (RFC 3394). MAC/signing is
not supported for key wrapping. Attribute-bundling with the wrapped
key value is not supported. Wrapping of the entire key block TTLV
encoding is not supported. Various additional error cases are
included and checked for.
Unit tests covering the additions to Get are included.
Peter Hamilton
Peter Hamilton
Dane
alishamayor
Edward Betts