author | Martin Basti <mbasti@redhat.com> | 2014-10-16 16:03:46 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-10-21 12:23:03 +0200 |
commit | 9101cfa60f715d03bcb4b0c88a69899b102a16bc (patch) | |
tree | c5a19a2598769ada5e24d8630e8012249d691886 /ipapython | |
parent | eb548147413d63ca368bb92aaca126fd59fc0bee (diff) | |
DNSSEC: opendnssec services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r-- | ipapython/p11helper.py | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/ipapython/p11helper.py b/ipapython/p11helper.py
new file mode 100644
index 000000000..f084855f4
--- /dev/null
+++ b/ipapython/p11helper.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
+#
+
+import _ipap11helper
+import random
+
+def generate_master_key(p11, keylabel=u"dnssec-master", key_length=16,
+                        disable_old_keys=True):
+    assert isinstance(p11, _ipap11helper.P11_Helper)
+
+    key_id = None
+    while True:
+        # check if key with this ID exist in LDAP or softHSM
+        # id is 16 Bytes long
+        key_id = "".join(chr(random.randint(0, 255)) for _ in xrange(0, 16))
+        keys = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY,
+                             label=keylabel,
+                             id=key_id)
+        if not keys:
+            break  # we found unique id
+
+    p11.generate_master_key(keylabel,
+                            key_id,
+                            key_length=key_length,
+                            cka_wrap=True,
+                            cka_unwrap=True)
+
+    if disable_old_keys:
+        # set CKA_WRAP=False for old master keys
+        master_keys = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY,
+                                    label=keylabel,
+                                    cka_wrap=True)
+
+        for handle in master_keys:
+            # don't disable wrapping for new key
+            # compare IDs not handle
+            if key_id != p11.get_attribute(handle, _ipap11helper.CKA_ID):
+                p11.set_attribute(handle, _ipap11helper.CKA_WRAP, False)
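Review bot: The 16-byte CKA_ID in generate_master_key is assembled from `random.randint`, the non-cryptographic Mersenne Twister; because the ID is only an identifier whose uniqueness is verified on the token, this does not weaken the key itself, but `key_id = os.urandom(16)` (with `import os`) is the conventional source for such identifiers, needs no seeding caveats and replaces the whole `"".join(chr(...))` expression. The comment above it claims the ID is checked "in LDAP or softHSM", yet the only check is the `p11.find_keys(...)` call against the token, so either add the LDAP lookup or reword the comment to `# make sure no key on the token already carries this CKA_ID`. Note also that the find-then-generate sequence is not atomic, so two concurrent callers could still pick the same ID; if that matters the unique-ID loop should be documented as best-effort. Separately, `assert isinstance(p11, _ipap11helper.P11_Helper)` is stripped under `python -O`; `if not isinstance(p11, _ipap11helper.P11_Helper): raise TypeError("p11 must be a P11_Helper")` keeps the type check in production.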