Fix symkey retrieval in python client

Keys (like symmetric keys and asymmetric keys) are returned from the KRA either encrypted or key wrapped. Because the AES keywrapping algorithm cannot be decrypted using AES CBC, we need special logic to unwrap the keys. The flow here is as follows: 1. When a key retrieval request is sent to the server, the client sends the encryption and key wrapping algorithms it requires the key to be wrapped along with the wrapping key. 2. If no encryption algorithm or key wrap algorithm is recieved, the server assumes its talking to an old client and uses DES3. 3. The key is retrieved and (on server's choice) is wrapped or encrypted. The return package will have either encryption or key wrap algorithm set (depending on how the key was encrypted/wrapped.) 4. client uses that to determine how to unwrap key. This patch: 1. Makes sure the key wrap algorithm requested by client is passed through and used to wrap the retrieved key. 2. Adds logic in the python client to unwrap/decrypt. 3. As python-cryptography does not yet support AES KeyWrap with padding, the python client is configured to request AES-CBC by default. Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
author: Ade Lee <alee@redhat.com> 2017-04-06 17:09:39 -0400
committer: Ade Lee <alee@redhat.com> 2017-04-13 17:20:51 -0400
commit: 716dca464943a22eb6588187fba9fad85e1c1345 (patch)
tree: 0bcdb9ed7892fb6c4e0d4c05c10fc3e0d70c18d4 /base/common/python/pki/crypto.py
parent: c381566ddf1f4f05330063bb012d59e5c1753b13 (diff)
1 files changed, 50 insertions, 1 deletions
diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index b767abd2e..0891acd68 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -34,10 +34,21 @@ from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.ciphers import (
     Cipher, algorithms, modes
 )
+from cryptography.hazmat.primitives import keywrap
 from cryptography.hazmat.primitives import padding
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
 import cryptography.x509
 
+# encryption algorithms OIDs
+DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}"
+AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}"
+
+# Wrap Algorithm names as defined by JSS.
+WRAP_AES_CBC_PAD = "AES/CBC/PKCS5Padding"
+WRAP_AES_KEY_WRAP = "AES KeyWrap"
+WRAP_AES_KEY_WRAP_PAD = "AES KeyWrap/Padding"
+WRAP_DES3_CBC_PAD = "DES3/CBC/Pad"
+
 
 class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
     """
@@ -96,7 +107,11 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
         DES3 key.
         """
 
-    # abc.abstractmethod
+    @abc.abstractmethod
+    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
+        """ Unwrap data that has been key wrapped using AES KeyWrap """
+
+    @abc.abstractmethod
     def get_cert(self, cert_nick):
         """ Get the certificate for the specified cert_nick. """
 
@@ -302,6 +317,18 @@ class NSSCryptoProvider(CryptoProvider):
         public_key = wrapping_cert.subject_public_key_info.public_key
         return nss.pub_wrap_sym_key(mechanism, public_key, data)
 
+    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
+        """
+        :param mechanism        Key wrapping mechanism
+        :param data:            Data to be unwrapped
+        :param wrapping_key:    Wrapping Key
+        :param nonce_iv         Nonce data
+        :return:                Unwrapped data
+
+        Return unwrapped data for data wrapped using AES KeyWrap
+        """
+        raise NotImplementedError()
+
     def get_cert(self, cert_nick):
         """
         :param cert_nick       Nickname for the certificate to be returned
@@ -461,6 +488,28 @@ class CryptographyCryptoProvider(CryptoProvider):
             PKCS1v15()
         )
 
+    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
+        """
+        :param mechanism        key wrapping mechanism
+        :param data:            data to unwrap
+        :param wrapping_key:    AES key used to wrap data
+        :param nonce_iv         Nonce data
+        :return:                unwrapped data
+
+        Unwrap the encrypted data which has been wrapped using a
+        KeyWrap mechanism.
+        """
+        if mechanism == WRAP_AES_CBC_PAD or mechanism == WRAP_DES3_CBC_PAD:
+            return self.symmetric_unwrap(
+                data,
+                wrapping_key,
+                nonce_iv=nonce_iv)
+
+        if mechanism == WRAP_AES_KEY_WRAP:
+            return keywrap.aes_key_unwrap(wrapping_key, data, self.backend)
+
+        raise ValueError("Unsupported key wrap algorithm: " + mechanism)
+
     def get_cert(self, cert_nick):
         """
         :param cert_nick  Nickname for the certificate to be returned.
author	Ade Lee <alee@redhat.com>	2017-04-06 17:09:39 -0400
committer	Ade Lee <alee@redhat.com>	2017-04-13 17:20:51 -0400
commit	716dca464943a22eb6588187fba9fad85e1c1345 (patch)
tree	0bcdb9ed7892fb6c4e0d4c05c10fc3e0d70c18d4 /base/common/python/pki/crypto.py
parent	c381566ddf1f4f05330063bb012d59e5c1753b13 (diff)