authorTomas Krizek <tkrizek@redhat.com>2017-08-25 15:45:24 +0200
committerChristian Heimes <cheimes@redhat.com>2018-02-07 17:27:11 +0100
commitefded2264f79c740ac7dbe4aca24705e734c19b8 (patch)
treeb76926a42313f20958b92e141b70336162258004
parent005d85ff688ad97d0b785f3cc906c142eea4d7cd (diff)
py3 dnssec: convert hexlify to str
hexlify returns bytes and needs to be cast to a string before printing it out. Related: https://pagure.io/freeipa/issue/4985 Signed-off-by: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-rwxr-xr-xdaemons/dnssec/ipa-dnskeysync-replica21
-rwxr-xr-xdaemons/dnssec/ipa-ods-exporter17
-rw-r--r--ipaserver/dnssec/ldapkeydb.py30
-rwxr-xr-xipaserver/dnssec/localhsm.py19
4 files changed, 50 insertions, 37 deletions
diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 5a64b84cb..ee641ae50 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -8,7 +8,6 @@ Download keys from LDAP to local HSM.
This program should be run only on replicas, not on DNSSEC masters.
"""
-from binascii import hexlify
from gssapi.exceptions import GSSError
import logging
import os
@@ -24,7 +23,7 @@ from ipaplatform.paths import paths
from ipaserver.dnssec.abshsm import (sync_pkcs11_metadata,
ldap2p11helper_api_params,
wrappingmech_name2id)
-from ipaserver.dnssec.ldapkeydb import LdapKeyDB
+from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify
from ipaserver.dnssec.localhsm import LocalHSM
logger = logging.getLogger(os.path.basename(__file__))
@@ -36,7 +35,7 @@ WORKDIR = '/tmp'
def hex_set(s):
out = set()
for i in s:
- out.add("0x%s" % hexlify(i))
+ out.add("0x%s" % str_hexlify(i))
return out
def update_metadata_set(source_set, target_set):
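Review bot: hex_set is now the same three-line loop in two daemons, here and again in the last hunk of daemons/dnssec/ipa-ods-exporter, and both already import str_hexlify from ipaserver.dnssec.ldapkeydb, so the helper could be defined once next to str_hexlify and imported instead of being copied. Wherever it lives, the body reads more directly as a set comprehension: `return {"0x%s" % str_hexlify(i) for i in s}`.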
@@ -72,7 +71,9 @@ def ldap2replica_master_keys_sync(ldapkeydb, localhsm):
hex_set(new_keys))
for mkey_id in new_keys:
mkey_ldap = ldapkeydb.master_keys[mkey_id]
- assert mkey_ldap.wrapped_entries, "Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute" % hexlify(mkey_id)
+ assert mkey_ldap.wrapped_entries, ("Master key 0x%s in LDAP is " \
+ "missing key material referenced by ipaSecretKeyRefObject " \
+ "attribute") % str_hexlify(mkey_id)
for wrapped_ldap in mkey_ldap.wrapped_entries:
unwrapping_key = find_unwrapping_key(
localhsm, wrapped_ldap.single_value['ipaWrappingKey'])
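Review bot: The backslashes ending the first two new lines of the assert message are redundant, because the literals are already inside parentheses where Python joins adjacent string literals across lines on its own; `("Master key 0x%s in LDAP is "` / `"missing key material referenced by ipaSecretKeyRefObject "` / `"attribute") % str_hexlify(mkey_id)` is equivalent. The same redundant backslash appears on the first new line of the next hunk (`("Local HSM does not contain " \`), while the `% \` that follows its closing parenthesis there is genuinely needed. ldap2replica_master_keys_sync starts before this hunk and continues past it.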
@@ -80,14 +81,16 @@ def ldap2replica_master_keys_sync(ldapkeydb, localhsm):
break
# TODO: Could it happen in normal cases?
- assert unwrapping_key is not None, "Local HSM does not contain suitable unwrapping key for master key 0x%s" % hexlify(mkey_id)
+ assert unwrapping_key is not None, ("Local HSM does not contain " \
+ "suitable unwrapping key for master key 0x%s") % \
+ str_hexlify(mkey_id)
params = ldap2p11helper_api_params(mkey_ldap)
params['data'] = wrapped_ldap.single_value['ipaSecretKey']
params['unwrapping_key'] = unwrapping_key.handle
params['wrapping_mech'] = wrappingmech_name2id[wrapped_ldap.single_value['ipaWrappingMech']]
logger.debug('Importing new master key: 0x%s %s',
- hexlify(mkey_id), params)
+ str_hexlify(mkey_id), params)
localhsm.p11.import_wrapped_secret_key(**params)
# synchronize metadata about master keys in LDAP
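Review bot: The rewritten check for a missing unwrapping key is still an assert, so under `python -O` it is stripped and a master key with no suitable unwrapping key reaches `unwrapping_key.handle` a few lines later as an AttributeError on None, without the key id that the message here carries. This predates the commit, but since the statement is being rewritten anyway, a plain check keeps the diagnostic in all modes: `if unwrapping_key is None:` / `raise RuntimeError("Local HSM does not contain suitable unwrapping key for master key 0x%s" % str_hexlify(mkey_id))`. The wrapped_entries assert in the previous hunk has the same property. The enclosing function continues outside this hunk.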
@@ -108,14 +111,14 @@ def ldap2replica_zone_keys_sync(ldapkeydb, localhsm):
for zkey_id in new_keys:
zkey_ldap = ldapkeydb.zone_keypairs[zkey_id]
logger.debug('Looking for unwrapping key "%s" for zone key 0x%s',
- zkey_ldap['ipaWrappingKey'], hexlify(zkey_id))
+ zkey_ldap['ipaWrappingKey'], str_hexlify(zkey_id))
unwrapping_key = find_unwrapping_key(
localhsm, zkey_ldap['ipaWrappingKey'])
assert unwrapping_key is not None, \
"Local HSM does not contain suitable unwrapping key for ' \
- 'zone key 0x%s" % hexlify(zkey_id)
+ 'zone key 0x%s" % str_hexlify(zkey_id)
- logger.debug('Importing zone key pair 0x%s', hexlify(zkey_id))
+ logger.debug('Importing zone key pair 0x%s', str_hexlify(zkey_id))
localhsm.import_private_key(zkey_ldap, zkey_ldap['ipaPrivateKey'],
unwrapping_key)
localhsm.import_public_key(zkey_ldap, zkey_ldap['ipaPublicKey'])
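Review bot: The assert message on the two lines above the changed one mixes quote characters: `"Local HSM does not contain suitable unwrapping key for '` opens with a double quote that is never closed on that line, so the trailing backslash acts as a line continuation inside the string literal and the resulting message contains two stray apostrophes plus the indentation of the following line. Since the commit already touches that statement, fixing the quoting along with it is cheap: `'Local HSM does not contain suitable unwrapping key for ' \` / `'zone key 0x%s' % str_hexlify(zkey_id)`. ldap2replica_zone_keys_sync starts before this hunk and continues past it.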
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 261a2ae3d..748bce40d 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -16,7 +16,6 @@ Purpose of this replacement is to upload keys generated by OpenDNSSEC to LDAP.
"""
from __future__ import print_function
-from binascii import hexlify
from datetime import datetime
import dateutil.tz
import dns.dnssec
@@ -38,7 +37,7 @@ from ipapython.dn import DN
from ipapython import ipaldap
from ipaplatform.paths import paths
from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
-from ipaserver.dnssec.ldapkeydb import LdapKeyDB
+from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify
from ipaserver.dnssec.localhsm import LocalHSM
logger = logging.getLogger(os.path.basename(__file__))
@@ -299,8 +298,8 @@ def ldap2master_replica_keys_sync(ldapkeydb, localhsm):
new_key_ldap = ldapkeydb.replica_pubkeys_wrap[key_id]
logger.debug('label=%s, id=%s, data=%s',
new_key_ldap['ipk11label'],
- hexlify(new_key_ldap['ipk11id']),
- hexlify(new_key_ldap['ipapublickey']))
+ str_hexlify(new_key_ldap['ipk11id']),
+ str_hexlify(new_key_ldap['ipapublickey']))
localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
# set CKA_WRAP = FALSE for all replica keys removed from LDAP
@@ -339,7 +338,7 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm):
# synchronize master key metadata to LDAP
for mkey_id, mkey_local in localhsm.master_keys.items():
logger.debug('synchronizing master key metadata: 0x%s',
- hexlify(mkey_id))
+ str_hexlify(mkey_id))
sync_pkcs11_metadata('master2ldap_master', mkey_local, ldapkeydb.master_keys[mkey_id])
# re-wrap all master keys in LDAP with new replica keys (as necessary)
@@ -349,7 +348,7 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm):
for mkey_id, mkey_ldap in ldapkeydb.master_keys.items():
logger.debug('processing master key data: 0x%s',
- hexlify(mkey_id))
+ str_hexlify(mkey_id))
# check that all active replicas have own copy of master key
used_replica_keys = set()
@@ -367,13 +366,13 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm):
new_replica_keys = enabled_replica_key_ids - used_replica_keys
logger.debug('master key 0x%s is not wrapped with replica keys %s',
- hexlify(mkey_id), hex_set(new_replica_keys))
+ str_hexlify(mkey_id), hex_set(new_replica_keys))
# wrap master key with new replica keys
mkey_local = localhsm.find_keys(id=mkey_id).popitem()[1]
for replica_key_id in new_replica_keys:
logger.info('adding master key 0x%s wrapped with replica key 0x%s',
- hexlify(mkey_id), hexlify(replica_key_id))
+ str_hexlify(mkey_id), str_hexlify(replica_key_id))
replica_key = localhsm.replica_pubkeys_wrap[replica_key_id]
keydata = localhsm.p11.export_wrapped_key(mkey_local.handle,
replica_key.handle,
@@ -446,7 +445,7 @@ def master2ldap_zone_keys_purge(ldapkeydb, localhsm):
def hex_set(s):
out = set()
for i in s:
- out.add("0x%s" % hexlify(i))
+ out.add("0x%s" % str_hexlify(i))
return out
diff --git a/ipaserver/dnssec/ldapkeydb.py b/ipaserver/dnssec/ldapkeydb.py
index 30c21ab5c..99e8a403b 100644
--- a/ipaserver/dnssec/ldapkeydb.py
+++ b/ipaserver/dnssec/ldapkeydb.py
@@ -29,7 +29,7 @@ logger = logging.getLogger(__name__)
def uri_escape(val):
"""convert val to %-notation suitable for ID component in URI"""
assert len(val) > 0, "zero-length URI component detected"
- hexval = hexlify(val)
+ hexval = str_hexlify(val)
out = '%'
# pylint: disable=E1127
out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
@@ -112,6 +112,13 @@ def get_default_attrs(object_classes):
return result
+def str_hexlify(data):
+ out = hexlify(data)
+ if isinstance(out, bytes):
+ out = out.decode('utf-8')
+ return out
+
+
class Key(collections.MutableMapping):
"""abstraction to hide LDAP entry weirdnesses:
- non-normalized attribute names
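Review bot: str_hexlify does not return a native str on Python 2, which the `from __future__ import print_function` lines in the other files suggest is still supported: there `bytes` is `str`, so the isinstance test is true and `.decode('utf-8')` yields unicode, whereas on Python 3 the bytes-to-str conversion is correct. Testing for the target type instead makes the function do what its name says on both interpreters, and hexlify output is ASCII so the narrower codec is accurate: `if not isinstance(out, str):` / `out = out.decode('ascii')`. A docstring would also help now that two daemons and localhsm import it: `"""Return hexlify(data) as a native str on both Python 2 and 3."""`.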
@@ -197,7 +204,7 @@ class Key(collections.MutableMapping):
"Key._delete_key() called before Key.schedule_deletion()")
assert self._delentry, "Key._delete_key() called more than once"
logger.debug('deleting key id 0x%s DN %s from LDAP',
- hexlify(self._delentry.single_value['ipk11id']),
+ str_hexlify(self._delentry.single_value['ipk11id']),
self._delentry.dn)
self.ldap.delete_entry(self._delentry)
self._delentry = None
@@ -260,8 +267,8 @@ class MasterKey(Key):
logger.info('adding master key 0x%s wrapped with replica key 0x%s to '
'%s',
- hexlify(self['ipk11id']),
- hexlify(replica_key_id),
+ str_hexlify(self['ipk11id']),
+ str_hexlify(replica_key_id),
entry_dn)
self.ldap.add_entry(entry)
if 'ipaSecretKeyRef' not in self.entry:
@@ -294,7 +301,9 @@ class LdapKeyDB(AbstractHSM):
assert 'ipk11id' in key, 'key is missing ipk11Id in %s' % key.entry.dn
key_id = key['ipk11id']
- assert key_id not in keys, 'duplicate ipk11Id=0x%s in "%s" and "%s"' % (hexlify(key_id), key.entry.dn, keys[key_id].entry.dn)
+ assert key_id not in keys, \
+ 'duplicate ipk11Id=0x%s in "%s" and "%s"' % \
+ (str_hexlify(key_id), key.entry.dn, keys[key_id].entry.dn)
assert 'ipk11label' in key, 'key "%s" is missing ipk11Label' % key.entry.dn
assert 'objectclass' in key.entry, 'key "%s" is missing objectClass attribute' % key.entry.dn
@@ -365,7 +374,8 @@ class LdapKeyDB(AbstractHSM):
new_key.entry['ipaPublicKey'] = pubkey_data
self.ldap.add_entry(new_key.entry)
- logger.debug('imported zone key id: 0x%s', hexlify(new_key['ipk11id']))
+ logger.debug('imported zone key id: 0x%s',
+ str_hexlify(new_key['ipk11id']))
@property
def replica_pubkeys_wrap(self):
@@ -392,7 +402,7 @@ class LdapKeyDB(AbstractHSM):
'secret key dn="%s" ipk11id=0x%s ipk11label="%s" with ipk11UnWrap = TRUE does not have '\
'"%s" key label' % (
key.entry.dn,
- hexlify(key['ipk11id']),
+ str_hexlify(key['ipk11id']),
str(key['ipk11label']),
prefix)
@@ -437,19 +447,19 @@ if __name__ == '__main__':
print('replica public keys: CKA_WRAP = TRUE')
print('====================================')
for pubkey_id, pubkey in ldapkeydb.replica_pubkeys_wrap.items():
- print(hexlify(pubkey_id))
+ print(str_hexlify(pubkey_id))
pprint(pubkey)
print('')
print('master keys')
print('===========')
for mkey_id, mkey in ldapkeydb.master_keys.items():
- print(hexlify(mkey_id))
+ print(str_hexlify(mkey_id))
pprint(mkey)
print('')
print('zone key pairs')
print('==============')
for key_id, key in ldapkeydb.zone_keypairs.items():
- print(hexlify(key_id))
+ print(str_hexlify(key_id))
pprint(key)
diff --git a/ipaserver/dnssec/localhsm.py b/ipaserver/dnssec/localhsm.py
index ab5b965e9..67a4ed2bb 100755
--- a/ipaserver/dnssec/localhsm.py
+++ b/ipaserver/dnssec/localhsm.py
@@ -5,7 +5,6 @@
from __future__ import print_function
-from binascii import hexlify
import collections
import os
from pprint import pprint
@@ -16,6 +15,8 @@ from ipaserver import p11helper as _ipap11helper
from ipaserver.dnssec.abshsm import (attrs_name2id, attrs_id2name, AbstractHSM,
keytype_id2name, keytype_name2id,
ldap2p11helper_api_params)
+from ipaserver.dnssec.ldapkeydb import str_hexlify
+
private_key_api_params = set(["label", "id", "data", "unwrapping_key",
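Review bot: The new import makes localhsm depend on ipaserver.dnssec.ldapkeydb, the LDAP key database module, for a two-line string helper; both modules already import from ipaserver.dnssec.abshsm, so defining str_hexlify there and importing it from abshsm in ldapkeydb, localhsm and the two daemons keeps the dependency pointing one way. If ldapkeydb.py imports localhsm anywhere (not visible in this diff), the import added here would also form a cycle.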
@@ -45,7 +46,7 @@ class Key(collections.MutableMapping):
except _ipap11helper.NotFound:
raise _ipap11helper.NotFound('key without ipk11label: id 0x%s'
- % hexlify(cka_id))
+ % str_hexlify(cka_id))
def __getitem__(self, key):
key = key.lower()
@@ -114,7 +115,7 @@ class LocalHSM(AbstractHSM):
key = Key(self.p11, h)
o_id = key['ipk11id']
assert o_id not in keys, 'duplicate ipk11Id = 0x%s; keys = %s' % (
- hexlify(o_id), keys)
+ str_hexlify(o_id), keys)
keys[o_id] = key
return keys
@@ -139,7 +140,7 @@ class LocalHSM(AbstractHSM):
prefix = 'dnssec-master'
assert key['ipk11label'] == prefix, \
'secret key ipk11id=0x%s ipk11label="%s" with ipk11UnWrap = TRUE does not have '\
- '"%s" key label' % (hexlify(key['ipk11id']),
+ '"%s" key label' % (str_hexlify(key['ipk11id']),
str(key['ipk11label']), prefix)
return keys
@@ -195,33 +196,33 @@ if __name__ == '__main__':
print('replica public keys: CKA_WRAP = TRUE')
print('====================================')
for pubkey_id, pubkey in localhsm.replica_pubkeys_wrap.items():
- print(hexlify(pubkey_id))
+ print(str_hexlify(pubkey_id))
pprint(pubkey)
print('')
print('replica public keys: all')
print('========================')
for pubkey_id, pubkey in localhsm.replica_pubkeys.items():
- print(hexlify(pubkey_id))
+ print(str_hexlify(pubkey_id))
pprint(pubkey)
print('')
print('master keys')
print('===========')
for mkey_id, mkey in localhsm.master_keys.items():
- print(hexlify(mkey_id))
+ print(str_hexlify(mkey_id))
pprint(mkey)
print('')
print('zone public keys')
print('================')
for key_id, key in localhsm.zone_pubkeys.items():
- print(hexlify(key_id))
+ print(str_hexlify(key_id))
pprint(key)
print('')
print('zone private keys')
print('=================')
for key_id, key in localhsm.zone_privkeys.items():
- print(hexlify(key_id))
+ print(str_hexlify(key_id))
pprint(key)