Comments (3)
Hi @vbnmmnbv, thanks for working on this. It's not a trivial feature to support. I have a couple of questions and comments:

- Which version of the KMIP spec are you looking to support? The MAC operation accepts different inputs if you're using KMIP 1.2 or 1.3.
- Where in the spec do you see the requirement for the MAC_GENERATE flag to be set in the CryptographicUsageMask? I don't disagree with you, that seems like it should be required, but I can't find that requirement in the spec.
- Just so you're aware, if you want to add MAC operation support to the pie client you will have to add it to the KMIPProxy client as well (the pie client, ProxyKmipClient, just wraps the KMIPProxy one).
- You are correct, the CryptographicUsageMask should be an input to the Create and CreateKeyPair operations in the pie client. However, there should really be two masks passed to CreateKeyPair, one for the public key and one for the private key. They aren't supposed to be the same, even though right now the pie client acts like they are. That should be pulled out of _build_key_attributes and done somewhere else.

Hope that helps. Definitely let me know if you need me for anything.
from pykmip.
Hi,

- Er... I have never read 1.3. I am implementing 1.2. PyKMIP currently also doesn't support 1.3, right?
- I also hadn't found that until I read the words in 3.22 State (in Active): "The object SHALL only be used for all cryptographic purposes that are allowed by its Cryptographic Usage Mask attribute". Maybe you didn't find that because currently PyKMIP doesn't support state~
- Right. I know. Thanks for reminding me~
- Considering our understanding of the Cryptographic Usage Mask is correct, it should be made an argument given by the client. For me, right now, I can just skip the mask check in the MAC operation on the server side, as currently the mask doesn't have any effect in other operations anyway~

Probably I will upload the code this week for your review~
- 1.3 was only just "officially" accepted by OASIS I believe, so it's relatively new. I was mainly curious.
- Ah, I should've looked in the State docs. We do track state on the server side but we don't do much with it right now.
- I think I'm ok with that. It will be relatively easy to add in MAC mask enforcement after the fact. The main work will be adding in the CryptographicEngine support for computing MACs using pyca/cryptography. I haven't spent any time looking into what that entails.
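The enforcement the thread settles on, written out as an added example rather than PyKMIP's own code: a server-side MAC operation that checks the managed object's State and its CryptographicUsageMask (the section 3.22 rule quoted above) before computing a tag, plus the matching MAC Verify check. It uses the standard-library `hmac` module so it runs stand-alone; the thread's plan is to compute MACs through the CryptographicEngine with pyca/cryptography. The usage-mask bit values, the `ManagedSymmetricKey` class, the algorithm labels, and the `usage_allowed`, `mac_generate` and `mac_verify` names are assumptions made for this example, not PyKMIP's API.

```python
"""Server-side MAC_GENERATE / MAC_VERIFY handling with usage-mask and state
enforcement, following the discussion above.

Added example, not PyKMIP code. The standard-library hmac module stands in
for pyca/cryptography so the block runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum, IntFlag


class CryptographicUsageMask(IntFlag):
    """Subset of the KMIP Cryptographic Usage Mask bits (values assumed from
    the KMIP 1.2 enumeration; check them against your copy of the spec)."""
    SIGN = 0x00000001
    VERIFY = 0x00000002
    ENCRYPT = 0x00000004
    DECRYPT = 0x00000008
    MAC_GENERATE = 0x00000080
    MAC_VERIFY = 0x00000100


class State(Enum):
    """Managed-object lifecycle states from KMIP section 3.22."""
    PRE_ACTIVE = "Pre-Active"
    ACTIVE = "Active"
    DEACTIVATED = "Deactivated"
    COMPROMISED = "Compromised"
    DESTROYED = "Destroyed"


class UsageError(Exception):
    """Raised when an operation is not permitted by the key's mask or state."""


@dataclass
class ManagedSymmetricKey:
    """Minimal stand-in for a server-side managed object (constructed here)."""
    key_material: bytes
    usage_mask: CryptographicUsageMask
    state: State


# Algorithm labels are hypothetical names chosen for this example; KMIP itself
# carries separate algorithm and hashing-algorithm enumerations.
_DIGESTS = {
    "HMAC_SHA256": hashlib.sha256,
    "HMAC_SHA384": hashlib.sha384,
    "HMAC_SHA512": hashlib.sha512,
}


def usage_allowed(key: ManagedSymmetricKey, purpose: CryptographicUsageMask) -> bool:
    """Apply the rule quoted from section 3.22: an Active object SHALL only be
    used for purposes allowed by its Cryptographic Usage Mask. Any state other
    than Active refuses cryptographic use outright."""
    if key.state is not State.ACTIVE:
        return False
    return bool(key.usage_mask & purpose)


def _require(key: ManagedSymmetricKey, purpose: CryptographicUsageMask) -> None:
    """Turn a failed usage check into the error the operation handler returns."""
    if not usage_allowed(key, purpose):
        raise UsageError(
            f"{purpose.name} not permitted: state={key.state.value}, "
            f"mask={key.usage_mask!r}"
        )


def _digest(algorithm: str):
    try:
        return _DIGESTS[algorithm]
    except KeyError:
        raise ValueError(f"unsupported MAC algorithm {algorithm!r}") from None


def mac_generate(key: ManagedSymmetricKey, data: bytes,
                 algorithm: str = "HMAC_SHA256") -> bytes:
    """MAC operation: enforce MAC_GENERATE, then compute the tag."""
    _require(key, CryptographicUsageMask.MAC_GENERATE)
    return hmac.new(key.key_material, data, _digest(algorithm)).digest()


def mac_verify(key: ManagedSymmetricKey, data: bytes, tag: bytes,
               algorithm: str = "HMAC_SHA256") -> bool:
    """MAC Verify operation: enforce MAC_VERIFY, then compare in constant time."""
    _require(key, CryptographicUsageMask.MAC_VERIFY)
    expected = hmac.new(key.key_material, data, _digest(algorithm)).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample: the RFC 4231 test case 1 key and message.
    both = CryptographicUsageMask.MAC_GENERATE | CryptographicUsageMask.MAC_VERIFY
    key = ManagedSymmetricKey(b"\x0b" * 20, both, State.ACTIVE)
    tag = mac_generate(key, b"Hi There")
    print(tag.hex())
    print(mac_verify(key, b"Hi There", tag))
```

Keeping the state test inside `usage_allowed` means the MAC handler refuses Deactivated and Compromised keys for free once the server starts consulting state, which is the "add enforcement after the fact" step the thread defers.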