ipapython/dnssec/abshsm.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187

#!/usr/bin/python
#
# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
#

import _ipap11helper

attrs_id2name = {
    #_ipap11helper.CKA_ALLOWED_MECHANISMS: 'ipk11allowedmechanisms',
    _ipap11helper.CKA_ALWAYS_AUTHENTICATE: 'ipk11alwaysauthenticate',
    _ipap11helper.CKA_ALWAYS_SENSITIVE: 'ipk11alwayssensitive',
    #_ipap11helper.CKA_CHECK_VALUE: 'ipk11checkvalue',
    _ipap11helper.CKA_COPYABLE: 'ipk11copyable',
    _ipap11helper.CKA_DECRYPT: 'ipk11decrypt',
    _ipap11helper.CKA_DERIVE: 'ipk11derive',
    #_ipap11helper.CKA_DESTROYABLE: 'ipk11destroyable',
    _ipap11helper.CKA_ENCRYPT: 'ipk11encrypt',
    #_ipap11helper.CKA_END_DATE: 'ipk11enddate',
    _ipap11helper.CKA_EXTRACTABLE: 'ipk11extractable',
    _ipap11helper.CKA_ID: 'ipk11id',
    #_ipap11helper.CKA_KEY_GEN_MECHANISM: 'ipk11keygenmechanism',
    _ipap11helper.CKA_KEY_TYPE: 'ipk11keytype',
    _ipap11helper.CKA_LABEL: 'ipk11label',
    _ipap11helper.CKA_LOCAL: 'ipk11local',
    _ipap11helper.CKA_MODIFIABLE: 'ipk11modifiable',
    _ipap11helper.CKA_NEVER_EXTRACTABLE: 'ipk11neverextractable',
    _ipap11helper.CKA_PRIVATE: 'ipk11private',
    #_ipap11helper.CKA_PUBLIC_KEY_INFO: 'ipapublickey',
    #_ipap11helper.CKA_PUBLIC_KEY_INFO: 'ipk11publickeyinfo',
    _ipap11helper.CKA_SENSITIVE: 'ipk11sensitive',
    _ipap11helper.CKA_SIGN: 'ipk11sign',
    _ipap11helper.CKA_SIGN_RECOVER: 'ipk11signrecover',
    #_ipap11helper.CKA_START_DATE: 'ipk11startdate',
    #_ipap11helper.CKA_SUBJECT: 'ipk11subject',
    _ipap11helper.CKA_TRUSTED: 'ipk11trusted',
    _ipap11helper.CKA_UNWRAP: 'ipk11unwrap',
    #_ipap11helper.CKA_UNWRAP_TEMPLATE: 'ipk11unwraptemplate',
    _ipap11helper.CKA_VERIFY: 'ipk11verify',
    _ipap11helper.CKA_VERIFY_RECOVER: 'ipk11verifyrecover',
    _ipap11helper.CKA_WRAP: 'ipk11wrap',
    #_ipap11helper.CKA_WRAP_TEMPLATE: 'ipk11wraptemplate',
    _ipap11helper.CKA_WRAP_WITH_TRUSTED: 'ipk11wrapwithtrusted',
}

attrs_name2id = dict(zip(attrs_id2name.values(), attrs_id2name.keys()))

# attribute:
# http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#ipk11KeyType
#
# mapping table:
# http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema#CK_MECHANISM_TYPE
keytype_name2id = {
        "rsa": _ipap11helper.KEY_TYPE_RSA,
        "aes": _ipap11helper.KEY_TYPE_AES,
        }

keytype_id2name = dict(zip(keytype_name2id.values(), keytype_name2id.keys()))

wrappingmech_name2id = {
        "rsaPkcs": _ipap11helper.MECH_RSA_PKCS,
        "rsaPkcsOaep": _ipap11helper.MECH_RSA_PKCS_OAEP,
        "aesKeyWrap": _ipap11helper.MECH_AES_KEY_WRAP,
        "aesKeyWrapPad": _ipap11helper.MECH_AES_KEY_WRAP_PAD
        }

wrappingmech_id2name = dict(zip(wrappingmech_name2id.values(),
    wrappingmech_name2id.keys()))


bool_attr_names = set([
    'ipk11alwaysauthenticate',
    'ipk11alwayssensitive',
    'ipk11copyable',
    'ipk11decrypt',
    'ipk11derive',
    'ipk11encrypt',
    'ipk11extractable',
    'ipk11local',
    'ipk11modifiable',
    'ipk11neverextractable',
    'ipk11private',
    'ipk11sensitive',
    'ipk11sign',
    'ipk11signrecover',
    'ipk11trusted',
    'ipk11unwrap',
    'ipk11verify',
    'ipk11verifyrecover',
    'ipk11wrap',
    'ipk11wrapwithtrusted',
])

modifiable_attrs_id2name = {
    _ipap11helper.CKA_DECRYPT: 'ipk11decrypt',
    _ipap11helper.CKA_DERIVE: 'ipk11derive',
    _ipap11helper.CKA_ENCRYPT: 'ipk11encrypt',
    _ipap11helper.CKA_EXTRACTABLE: 'ipk11extractable',
    _ipap11helper.CKA_ID: 'ipk11id',
    _ipap11helper.CKA_LABEL: 'ipk11label',
    _ipap11helper.CKA_SENSITIVE: 'ipk11sensitive',
    _ipap11helper.CKA_SIGN: 'ipk11sign',
    _ipap11helper.CKA_SIGN_RECOVER: 'ipk11signrecover',
    _ipap11helper.CKA_UNWRAP: 'ipk11unwrap',
    _ipap11helper.CKA_VERIFY: 'ipk11verify',
    _ipap11helper.CKA_VERIFY_RECOVER: 'ipk11verifyrecover',
    _ipap11helper.CKA_WRAP: 'ipk11wrap',
}

modifiable_attrs_name2id = dict(zip(modifiable_attrs_id2name.values(),
    modifiable_attrs_id2name.keys()))

def sync_pkcs11_metadata(log, source, target):
    """sync ipk11 metadata from source object to target object"""

    # iterate over list of modifiable PKCS#11 attributes - this prevents us
    # from attempting to set read-only attributes like CKA_LOCAL
    for attr in modifiable_attrs_name2id:
        if attr in source:
            if source[attr] != target[attr]:
                log.debug('Updating attribute %s from "%s" to "%s"', attr, repr(source[attr]), repr(target[attr]))
                target[attr] = source[attr]

def populate_pkcs11_metadata(source, target):
    """populate all ipk11 metadata attributes in target object from source object"""
    for attr in attrs_name2id:
        if attr in source:
            target[attr] = source[attr]

def ldap2p11helper_api_params(ldap_key):
    """prepare dict with metadata parameters suitable for key unwrapping"""
    unwrap_params = {}

    # some attributes are just renamed
    direct_param_map = {
            "ipk11label": "label",
            "ipk11id": "id",
            "ipk11copyable": "cka_copyable",
            "ipk11decrypt": "cka_decrypt",
            "ipk11derive": "cka_derive",
            "ipk11encrypt": "cka_encrypt",
            "ipk11extractable": "cka_extractable",
            "ipk11modifiable": "cka_modifiable",
            "ipk11private": "cka_private",
            "ipk11sensitive": "cka_sensitive",
            "ipk11sign": "cka_sign",
            "ipk11unwrap": "cka_unwrap",
            "ipk11verify": "cka_verify",
            "ipk11wrap": "cka_wrap",
            "ipk11wrapwithtrusted": "cka_wrap_with_trusted"
            }

    for ldap_name, p11h_name in direct_param_map.iteritems():
        if ldap_name in ldap_key:
            unwrap_params[p11h_name] = ldap_key[ldap_name]

    # and some others needs conversion

    indirect_param_map = {
            "ipk11keytype": ("key_type", keytype_name2id),
            "ipawrappingmech": ("wrapping_mech", wrappingmech_name2id),
            }

    for ldap_name, rules in indirect_param_map.iteritems():
        p11h_name, mapping = rules
        if ldap_name in ldap_key:
            unwrap_params[p11h_name] = mapping[ldap_key[ldap_name]]

    return unwrap_params


class AbstractHSM(object):
    def _filter_replica_keys(self, all_keys):
        replica_keys = {}
        for key_id, key in all_keys.iteritems():
            if not key['ipk11label'].startswith('dnssec-replica:'):
                continue
            replica_keys[key_id] = key
        return replica_keys

    def _filter_zone_keys(self, all_keys):
        zone_keys = {}
        for key_id, key in all_keys.iteritems():
            if key['ipk11label'] == u'dnssec-master' \
                or key['ipk11label'].startswith('dnssec-replica:'):
                continue
            zone_keys[key_id] = key
        return zone_keys