Fixes for rewrap

If the old and new MKEK and HMAC keys are the same, then no need to rewrap the pkek. Added code to skip processing in this case. Also, added deprecation message for calling pkcs11_kek_rewrap.py directly. We should be using barbican-manage instead. Also, fix incorrect calls to pkcs11 module by adding missing key type parameter. We implicitly assume here that the key type will not change. Change-Id: Ic8556072468bc27230d3ebcaf2d54167f9f2116f
2019-02-26 16:44:13 -05:00 · 2019-02-26 16:44:13 -05:00 · ec465b2e82
parent 34faa76587
commit ec465b2e82
1 changed files with 27 additions and 4 deletions
--- a/barbican/cmd/pkcs11_kek_rewrap.py
+++ b/barbican/cmd/pkcs11_kek_rewrap.py
@ -45,13 +45,25 @@ class KekRewrap(object):
        self.hsm_session = self.pkcs11.get_session()
        self.new_mkek_label = self.crypto_plugin.mkek_label
        self.new_hmac_label = self.crypto_plugin.hmac_label
-        self.new_mkek = self.crypto_plugin._get_master_key(self.new_mkek_label)
-        self.new_mkhk = self.crypto_plugin._get_master_key(self.new_hmac_label)
+        self.new_mkek_type = self.crypto_plugin.mkek_key_type
+        self.new_hmac_type = self.crypto_plugin.hmac_key_type
+        self.new_mkek = self.crypto_plugin._get_master_key(
+            self.new_mkek_type,
+            self.new_mkek_label)
+        self.new_mkhk = self.crypto_plugin._get_master_key(
+            self.new_hmac_type,
+            self.new_hmac_label)

    def rewrap_kek(self, project, kek):
        with self.db_session.begin():
            meta_dict = json.loads(kek.plugin_meta)

+            # check if old and new mkek and hmac labels are the same
+            # if so, skip this kek.
+            if (self.new_mkek_label == meta_dict['mkek_label'] and
+                    self.new_hmac_label == meta_dict['hmac_label']):
+                return
+
            if self.dry_run:
                msg = 'Would have unwrapped key with {} and rewrapped with {}'
                print(msg.format(meta_dict['mkek_label'], self.new_mkek_label))
@ -64,12 +76,20 @@ class KekRewrap(object):

            session = self.hsm_session

+            # TODO(alee) We never store the mkek and hmac key types in the db
+            # record for the KEK metadata.  Therefore, for now assume that the
+            # key types will not change.
+
            # Get KEK's master keys
            kek_mkek = self.pkcs11.get_key_handle(
-                meta_dict['mkek_label'], session
+                self.new_mkek_type,
+                meta_dict['mkek_label'],
+                session
            )
            kek_mkhk = self.pkcs11.get_key_handle(
-                meta_dict['hmac_label'], session
+                self.new_hmac_type,
+                meta_dict['hmac_label'],
+                session
            )
            # Decode data
            iv = base64.b64decode(meta_dict['iv'])
@ -160,6 +180,9 @@ def main():
    )
    args = parser.parse_args()

+    print("Warning: Calling this utility directly is deprecated.  "
+          "Please use barbican-manage instead")
+
    rewrapper = KekRewrap(CONF)
    rewrapper.execute(args.dry_run)
    rewrapper.pkcs11.return_session(rewrapper.hsm_session)