From 9101cfa60f715d03bcb4b0c88a69899b102a16bc Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 16 Oct 2014 16:03:46 +0200
Subject: DNSSEC: opendnssec services
Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417
Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta
Reviewed-By: David Kupka
---
ipapython/p11helper.py | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 ipapython/p11helper.py
(limited to 'ipapython')
diff --git a/ipapython/p11helper.py b/ipapython/p11helper.py
new file mode 100644
index 000000000..f084855f4
--- /dev/null
+++ b/ipapython/p11helper.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
+#
+
+import _ipap11helper
+import random
+
+def generate_master_key(p11, keylabel=u"dnssec-master", key_length=16,
+ disable_old_keys=True):
+ assert isinstance(p11, _ipap11helper.P11_Helper)
+
+ key_id = None
+ while True:
+ # check if key with this ID exist in LDAP or softHSM
+ # id is 16 Bytes long
+ key_id = "".join(chr(random.randint(0, 255)) for _ in xrange(0, 16))
+ keys = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY,
+ label=keylabel,
+ id=key_id)
+ if not keys:
+ break # we found unique id
+
+ p11.generate_master_key(keylabel,
+ key_id,
+ key_length=key_length,
+ cka_wrap=True,
+ cka_unwrap=True)
+
+ if disable_old_keys:
+ # set CKA_WRAP=False for old master keys
+ master_keys = p11.find_keys(_ipap11helper.KEY_CLASS_SECRET_KEY,
+ label=keylabel,
+ cka_wrap=True)
+
+ for handle in master_keys:
+ # don't disable wrapping for new key
+ # compare IDs not handle
+ if key_id != p11.get_attribute(handle, _ipap11helper.CKA_ID):
+ p11.set_attribute(handle, _ipap11helper.CKA_WRAP, False)
-- cgit
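Review bot: The type guard at the top of generate_master_key is an `assert`, which is stripped under `python -O`, so the isinstance check on `p11` silently disappears in optimized runs; prefer `if not isinstance(p11, _ipap11helper.P11_Helper): raise TypeError("p11 must be a P11_Helper instance")`. The comment `# check if key with this ID exist in LDAP or softHSM` overstates what the loop does, since only `p11.find_keys` on the token is consulted and LDAP is never queried here, so it should read `# check that no key with this ID already exists in the token`. The 16-byte CKA_ID assembled from `random.randint` could be written more directly as `os.urandom(16)` (a str on Python 2, which the `xrange` use implies); the ID is only a uniqueness handle and the key material comes from the token, so this is a readability point rather than a strength-of-randomness one. Between `p11.generate_master_key(...)` and the loop that clears CKA_WRAP on the older keys there is a window in which two wrap-capable master keys coexist; if the caller can be interrupted there, the non-atomic nature of the operation deserves a comment so an operator knows to re-run it. The function also lacks a docstring; something like `"""Generate a new master key on the token and, when disable_old_keys is set, clear CKA_WRAP on every other secret key carrying the same label."""` would state the contract.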