Hi Peter, Currently I am trying to add the MAC operation(client and

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

Hi, Er... I have never read 1.3. I am implement

1.3 was only just "officially" accepted by OASIS I believe, so it

CRYPTOGRAPHIC_USAGE_MASK for pie client about pykmip HOT 3 CLOSED

openkmip commented on June 2, 2024

CRYPTOGRAPHIC_USAGE_MASK for pie client

from pykmip.

PeterHamilton commented on June 2, 2024

Hi @vbnmmnbv, thanks for working on this. It's not a trivial feature to support. I have a couple questions and comments:

Which version of the KMIP spec are you looking to support? The MAC operation accepts different inputs if you're using KMIP 1.2 or 1.3.
Where in the spec do you see the requirement for the MAC_GENERATE flag to be set in the CryptographicUsageMask? I don't disagree with you, that seems like it should be required, but I can't find that requirement in the spec.
Just so you're aware, if you want to add MAC operation support to the pie client you will have to add it to the KMIPProxy client as well (the pie client, ProxyKmipClient, just wraps the KMIPProxy one).
You are correct, the CryptographicUsageMask should be an input to the Create and CreateKeyPair operations in the pie client. However, there should really be two masks passed to CreateKeyPair, one for the public key and one for the private key. They aren't supposed to be the same, even though right now the pie client acts like they are. That should be pulled out of _build_key_attributes and done somewhere else.

Hope that helps. Definitely let me know if you need me for anything.

from pykmip.

vbnmmnbv commented on June 2, 2024

Hi,

Er... I have never read 1.3. I am implementing 1.2. PyKMIP currently also doesn't support 1.3, right?
I also haven't found that until I read the words in 3.22 State(in Active): "The object SHALL only be used for all cryptographic purposes that are allowed by its Cryptographic Usage Mask attribute". Maybe you didn't find that because currently PyKMIP doesn't support state~
Right. I know. Thanks for reminding me~
Considering our understanding of the Cryptographic Usage Mask is correct, it should be made as an argument given by the client. For me, right now, I can just skip the mask check in MAC operation on the server side as currently the mask doesn't have any effect in other operations anyway~

Probably I will upload the code this week for your review~

from pykmip.

PeterHamilton commented on June 2, 2024

1.3 was only just "officially" accepted by OASIS I believe, so it's relatively new. I was mainly curious.
Ah, I should've looked in the State docs. We do track state on the server side but we don't do much with it right now.
I think I'm ok with that. It will be relatively easy to add in MAC mask enforcement after the fact. The main work will be adding in the CryptographicEngine support for computing MACs using pyca/cryptography. I haven't spent any time looking into what that entails.

from pykmip.