Adding script for rewrapping p11 KEKs

This script pulls all project available KEKs and rewraps them with a MKEK specified in the barbican config file. Change-Id: I5f130b8f6d744195e3ed6c708e96b23b200eea2b
2015-06-26 11:59:02 -05:00 · 2015-06-26 11:59:02 -05:00 · 9d5b06ba7e
commit 9d5b06ba7e
parent a2003a9c10
4 changed files with 211 additions and 1 deletions
--- a/barbican/cmd/pkcs11_kek_rewrap.py
+++ b/barbican/cmd/pkcs11_kek_rewrap.py
@ -0,0 +1,143 @@
 #!/usr/bin/env python
 # Licensed under the Apache License, Version 2.0 (the "License"); you may
 # not use this file except in compliance with the License. You may obtain
 # a copy of the License at
 #
 # http://www.apache.org/licenses/LICENSE-2.0
 #
 #  Unless required by applicable law or agreed to in writing, software
 #  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #  License for the specific language governing permissions and limitations
 #  under the License.
 import argparse
 import json
 import traceback
 import sqlalchemy
 from sqlalchemy import orm
 from sqlalchemy.orm import scoping
 from barbican.common import utils
 from barbican.model import models
 from barbican.plugin.crypto import p11_crypto
 # Use config values from p11_crypto
 CONF = p11_crypto.CONF
 class KekRewrap(object):
    def __init__(self, db_connection, library_path, login, slot_id,
                 new_mkek_label):
        self.dry_run = False
        self.new_label = new_mkek_label
        self.db_engine = sqlalchemy.create_engine(db_connection)
        self._session_creator = scoping.scoped_session(
            orm.sessionmaker(
                bind=self.db_engine,
                autocommit=True
            )
        )
        self.crypto_plugin = p11_crypto.P11CryptoPlugin(CONF)
        self.pkcs11 = self.crypto_plugin.pkcs11
        self.plugin_name = utils.generate_fullname_for(self.crypto_plugin)
    def rewrap_kek(self, project, kek):
        with self.db_session.begin():
            meta_dict = json.loads(kek.plugin_meta)
            if self.dry_run:
                msg = 'Would have unwrapped key with {} and rewrapped with {}'
                print(msg.format(meta_dict['mkek_label'], self.new_label))
                print('Would have updated KEKDatum in db {}'.format(kek.id))
            else:
                hsm_session = self.pkcs11.create_working_session()
                print('Rewrapping KEK {}'.format(kek.id))
                print('Pre-change IV: {}, Wrapped Key: {}'.format(
                    meta_dict['iv'], meta_dict['wrapped_key']))
                updated_meta = self.pkcs11.rewrap_kek(
                    iv=meta_dict['iv'],
                    wrapped_key=meta_dict['wrapped_key'],
                    hmac=meta_dict['hmac'],
                    mkek_label=meta_dict['mkek_label'],
                    hmac_label=meta_dict['hmac_label'],
                    key_length=32,
                    session=hsm_session
                )
                self.pkcs11.close_session(hsm_session)
                print('Post-change IV: {}, Wrapped Key: {}'.format(
                    updated_meta['iv'], updated_meta['wrapped_key']))
                # Update KEK metadata in DB
                kek.plugin_meta = json.dumps(updated_meta)
    def get_keks_for_project(self, project):
        keks = []
        with self.db_session.begin() as transaction:
            print('Retrieving KEKs for Project {}'.format(project.id))
            query = transaction.session.query(models.KEKDatum)
            query = query.filter_by(project_id=project.id)
            query = query.filter_by(plugin_name=self.plugin_name)
            keks = query.all()
        return keks
    def get_projects(self):
        print('Retrieving all available projects')
        projects = []
        with self.db_session.begin() as transaction:
            projects = transaction.session.query(models.Project).all()
        return projects
    @property
    def db_session(self):
        return self._session_creator()
    def execute(self, dry_run=True):
        self.dry_run = dry_run
        if self.dry_run:
            print('-- Running in dry-run mode --')
        projects = self.get_projects()
        for project in projects:
            keks = self.get_keks_for_project(project)
            for kek in keks:
                try:
                    self.rewrap_kek(project, kek)
                except Exception:
                    print('Error occurred! SQLAlchemy automatically rolled-'
                          'back the transaction')
                    traceback.print_exc()
 def main():
    script_desc = ('Utility to re-wrap project KEKs after rotating an MKEK.')
    parser = argparse.ArgumentParser(description=script_desc)
    parser.add_argument(
        '--dry-run',
        action='store_true',
        help='Displays changes that will be made (Non-destructive)'
    )
    args = parser.parse_args()
    rewrapper = KekRewrap(
        db_connection=CONF.sql_connection,
        library_path=CONF.p11_crypto_plugin.library_path,
        login=CONF.p11_crypto_plugin.login,
        slot_id=CONF.p11_crypto_plugin.slot_id,
        new_mkek_label=CONF.p11_crypto_plugin.mkek_label
    )
    rewrapper.execute(args.dry_run)
 if __name__ == '__main__':
    main()
--- a/barbican/plugin/crypto/pkcs11.py
+++ b/barbican/plugin/crypto/pkcs11.py
@ -485,7 +485,7 @@ class PKCS11(object):
        ck_attributes = self.build_attributes([
            Attribute(CKA_CLASS, CKO_SECRET_KEY),
            Attribute(CKA_KEY_TYPE, CKK_AES),
-            Attribute(CKA_LABEL, mkek_label)
+            Attribute(CKA_LABEL, str(mkek_label))
        ])
        rv = self.lib.C_FindObjectsInit(
            session, ck_attributes.template, len(ck_attributes.template)
@ -542,6 +542,44 @@ class PKCS11(object):
        self.check_error(rv)
        return object_handle_ptr[0]
    def rewrap_kek(self, iv, wrapped_key, hmac, mkek_label, hmac_label,
                   key_length, session):
        unwrapped_kek = self.unwrap_key(iv, hmac, wrapped_key, mkek_label,
                                        hmac_label, session)
        mkek = self.key_handles[self.current_mkek_label]
        iv = self.generate_random(16, session)
        mech = self.ffi.new("CK_MECHANISM *")
        mech.mechanism = CKM_AES_CBC_PAD
        mech.parameter = iv
        mech.parameter_len = 16
        padded_length = key_length + self.block_size
        buf = self.ffi.new("CK_BYTE[{0}]".format(padded_length))
        buf_len = self.ffi.new("CK_ULONG *", padded_length)
        rv = self.lib.C_WrapKey(
            session,
            mech,
            mkek,
            unwrapped_kek,
            buf,
            buf_len
        )
        self.check_error(rv)
        wrapped_kek = self.ffi.buffer(buf, buf_len[0])[:]
        hmac = self.compute_hmac(wrapped_kek, session)
        return {
            'iv': base64.b64encode(self.ffi.buffer(iv)[:]),
            'wrapped_key': base64.b64encode(wrapped_kek),
            'hmac': base64.b64encode(hmac),
            'mkek_label': self.current_mkek_label,
            'hmac_label': self.current_hmac_label
        }
    def generate_wrapped_kek(self, kek_label, key_length, session):
        # generate a non-persistent key that is extractable
        ck_attributes = self.build_attributes([
--- a/barbican/tests/plugin/crypto/test_p11_crypto.py
+++ b/barbican/tests/plugin/crypto/test_p11_crypto.py
@ -232,6 +232,34 @@ class WhenTestingP11CryptoPlugin(utils.BaseTestCase):
        self.assertEqual(self.lib.C_UnwrapKey.call_count, 1)
        self.assertEqual(self.lib.C_Verify.call_count, 1)
    def test_rewrap_kek(self):
        plugin_meta = {
            'iv': base64.b64encode(b"\x00" * 16),
            'hmac': base64.b64encode(b"\x00" * 32),
            'wrapped_key': base64.b64encode(b"\x00" * 48),
            'mkek_label': 'mkek',
            'hmac_label': 'hmac',
        }
        self.lib.C_WrapKey.return_value = pkcs11.CKR_OK
        self.lib.C_UnwrapKey.return_value = pkcs11.CKR_OK
        self.lib.C_VerifyInit.return_value = pkcs11.CKR_OK
        self.lib.C_Verify.return_value = pkcs11.CKR_OK
        self.lib.C_SignInit.return_value = pkcs11.CKR_OK
        self.lib.C_Sign.return_value = pkcs11.CKR_OK
        self.plugin.pkcs11.rewrap_kek(
            plugin_meta['iv'],
            plugin_meta['wrapped_key'],
            plugin_meta['hmac'],
            plugin_meta['mkek_label'],
            plugin_meta['hmac'],
            32,
            self.test_session
        )
        self.assertEqual(self.lib.C_UnwrapKey.call_count, 1)
        self.assertEqual(self.lib.C_WrapKey.call_count, 1)
        self.assertEqual(self.lib.C_Verify.call_count, 1)
    def test_generate_asymmetric_raises_error(self):
        self.assertRaises(NotImplementedError,
                          self.plugin.generate_asymmetric,
--- a/setup.cfg
+++ b/setup.cfg
@ -27,6 +27,7 @@ console_scripts =
    barbican-keystone-listener = barbican.cmd.keystone_listener:main
    barbican-worker = barbican.cmd.worker:main
    barbican-worker-retry-scheduler = barbican.cmd.worker_retry_scheduler:main
    pkcs11-kek-rewrap = barbican.cmd.pkcs11_kek_rewrap:main
 barbican.secretstore.plugin =
    store_crypto = barbican.plugin.store_crypto:StoreCryptoAdapterPlugin