Merge "Update unwrap key to accept specific variables"

barbican/plugin/crypto/p11_crypto.py

@@ -71,7 +71,11 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
     def encrypt(self, encrypt_dto, kek_meta_dto, project_id):
         session = self.pkcs11.create_working_session()
 
-        key = self.pkcs11.unwrap_key(kek_meta_dto.plugin_meta, session)
+        meta = json.loads(kek_meta_dto.plugin_meta)
+        key = self.pkcs11.unwrap_key(
+            meta['iv'], meta['hmac'], meta['wrapped_key'],
+            meta['mkek_label'], meta['hmac_label'], session
+        )
         iv = self.pkcs11.generate_random(16, session)
         ck_mechanism = self.pkcs11.build_gcm_mech(iv)
 
@@ -102,7 +106,11 @@ class P11CryptoPlugin(plugin.CryptoPluginBase):
                 project_id):
         session = self.pkcs11.create_working_session()
 
-        key = self.pkcs11.unwrap_key(kek_meta_dto.plugin_meta, session)
+        meta = json.loads(kek_meta_dto.plugin_meta)
+        key = self.pkcs11.unwrap_key(
+            meta['iv'], meta['hmac'], meta['wrapped_key'],
+            meta['mkek_label'], meta['hmac_label'], session
+        )
         meta_extended = json.loads(kek_meta_extended)
         iv = base64.b64decode(meta_extended['iv'])
         iv = self.pkcs11.ffi.new("CK_BYTE[]", iv)

barbican/plugin/crypto/pkcs11.py

@@ -16,7 +16,6 @@ import textwrap
 
 import cffi
 from cryptography.hazmat.primitives import padding
-from oslo_serialization import jsonutils as json
 
 from barbican.common import exception
 from barbican.common import utils
@@ -612,21 +611,27 @@ class PKCS11(object):
         )
         self.check_error(rv)
 
-    def unwrap_key(self, plugin_meta, session):
+    def unwrap_key(self, iv, hmac, wrapped_key, mkek_label, hmac_label,
+                   session):
         """Unwraps byte string to key handle in HSM.
 
-        :param plugin_meta: kek_meta_dto plugin meta (json string)
+        :param iv: the initialization vector used for wrapped key
+        :param hmac: the hmac for used for wrapped key
+        :param wrapped_key: the key to be unwrapped
+        :param mkek_label: label of mkek for used for wrapped key
+        :param hmac_label: label of hmac for used for wrapped key
+        :param session: active HSM session
+
         :returns: Key handle from HSM. No unencrypted bytes.
         """
-        meta = json.loads(plugin_meta)
+        iv = base64.b64decode(iv)
-        iv = base64.b64decode(meta['iv'])
+        hmac = base64.b64decode(hmac)
-        hmac = base64.b64decode(meta['hmac'])
+        wrapped_key = base64.b64decode(wrapped_key)
-        wrapped_key = base64.b64decode(meta['wrapped_key'])
+        mkek = self.get_key_handle(mkek_label, session)
-        mkek = self.get_key_handle(meta['mkek_label'], session)
+        hmac_key = self.get_key_handle(hmac_label, session)
-        hmac_key = self.get_key_handle(meta['hmac_label'], session)
+        LOG.debug("Unwrapping key with %s mkek label", mkek_label)
-        LOG.debug("Unwrapping key with %s mkek label", meta['mkek_label'])
 
-        LOG.debug("Verifying key with %s hmac label", meta['hmac_label'])
+        LOG.debug("Verifying key with %s hmac label", hmac_label)
         self.verify_hmac(hmac_key, hmac, wrapped_key, session)
 
         unwrapped = self.ffi.new("CK_OBJECT_HANDLE *")

barbican/tests/plugin/crypto/test_p11_crypto.py

@@ -14,7 +14,6 @@
 # limitations under the License.
 
 import base64
-import json
 
 import mock
 
@@ -133,10 +132,16 @@ class WhenTestingP11CryptoPlugin(utils.BaseTestCase):
         self.lib.C_EncryptInit.return_value = pkcs11.CKR_OK
         self.lib.C_Encrypt.return_value = pkcs11.CKR_OK
         encrypt_dto = plugin_import.EncryptDTO(payload)
+        kek_meta = mock.MagicMock()
+        kek_meta.plugin_meta = ('{"iv":123,'
+                                '"hmac": "hmac",'
+                                '"wrapped_key": "wrapped_key",'
+                                '"mkek_label": "mkek_label",'
+                                '"hmac_label": "hmac_label"}')
         with mock.patch.object(self.plugin.pkcs11, 'unwrap_key') as key_mock:
             key_mock.return_value = 'unwrapped_key'
             response_dto = self.plugin.encrypt(encrypt_dto,
-                                               mock.MagicMock(),
+                                               kek_meta,
                                                mock.MagicMock())
 
             self.assertEqual(self.lib.C_Encrypt.call_count, 1)
@@ -153,10 +158,16 @@ class WhenTestingP11CryptoPlugin(utils.BaseTestCase):
         kek_meta_extended = '{"iv": "AQIDBAUGBwgJCgsMDQ4PEA=="}'
         decrypt_dto = plugin_import.DecryptDTO(ct)
 
+        kek_meta = mock.MagicMock()
+        kek_meta.plugin_meta = ('{"iv":123,'
+                                '"hmac": "hmac",'
+                                '"wrapped_key": "wrapped_key",'
+                                '"mkek_label": "mkek_label",'
+                                '"hmac_label": "hmac_label"}')
         with mock.patch.object(self.plugin.pkcs11, 'unwrap_key') as key_mock:
             key_mock.return_value = 'unwrapped_key'
             self.plugin.decrypt(decrypt_dto,
-                                mock.MagicMock(),
+                                kek_meta,
                                 kek_meta_extended,
                                 mock.MagicMock())
             self.assertEqual(self.lib.C_Decrypt.call_count, 1)
@@ -213,9 +224,10 @@ class WhenTestingP11CryptoPlugin(utils.BaseTestCase):
         self.lib.C_UnwrapKey.return_value = pkcs11.CKR_OK
         self.lib.C_VerifyInit.return_value = pkcs11.CKR_OK
         self.lib.C_Verify.return_value = pkcs11.CKR_OK
+
         self.plugin.pkcs11.unwrap_key(
-            json.dumps(plugin_meta),
+            plugin_meta['iv'], plugin_meta['hmac'], plugin_meta['wrapped_key'],
-            self.test_session
+            plugin_meta['mkek_label'], plugin_meta['hmac'], self.test_session
         )
         self.assertEqual(self.lib.C_UnwrapKey.call_count, 1)
         self.assertEqual(self.lib.C_Verify.call_count, 1)