-
Notifications
You must be signed in to change notification settings - Fork 139
PKI KRA Python API
This client provides API to perform operations such as storing secure data, key retrieval,key request approval/denial etc.
It uses the methods provided in the resources to perform operations on the data stored in the KRA.
See also:
class KeyId(object): def __init__(self, key_id=None): self.value = key_id
Class representing a key ID.
class RequestId(object): def __init__(self, req_id): self.value = req_id
Class representing a Request ID.
class KeyData(object): def __init__(self): self.algorithm = None self.nonceData = None self.size = None self.wrappedPrivateData = None def from_dict(self, attr_list): " Return a KeyData object from a JSON dict " for key in attr_list: setattr(self, key, attr_list[key]) return self
This is the object that contains the wrapped secret when that secret is retrieved.
class KeyInfo(object): def __init__(self): self.clientID = None self.keyURL = None self.algorithm = None self.status = None self.ownerName = None self.size = None def from_dict(self, attr_list): " Return KeyInfo from JSON dict " for key in attr_list: setattr(self, key, attr_list[key]) return self def get_key_id(self): " Return the key ID as parsed from key URL " if self.keyURL != None: indx = str(self.keyURL).rfind("/") + 1 return str(self.keyURL)[indx:] return None
This is the object that contains information stored in the databse record for an archived secret. It does not contain the secret itself.
class KeyInfoCollection(object): def __init__(self): self.key_infos = [] self.links = [] def decode_from_json(self, json_value): " Populate the object from its JSON representation " infos = json_value['entries'] if not isinstance(infos, types.ListType): info = KeyInfo() self.key_infos.append(info.from_dict(infos)) else: for info in infos: key_info = KeyInfo() key_info.from_dict(info) self.key_infos.append(key_info)
This class represents data returned when searching the KRA archived secrets. Essentially, its a list of KeyInfo objects.
class KeyRequestInfo(object): def __init__(self): self.requestURL = None self.requestType = None self.keyURL = None self.requestStatus = None def from_dict(self, attr_list): " Return a KeyRequestInfo object from a JSON dict. " for key in attr_list: setattr(self, key, attr_list[key]) return self def get_request_id(self): " Return the request ID by parsing the request URL. " if self.requestURL != None: indx = str(self.requestURL).rfind("/") + 1 return str(self.requestURL)[indx:] return None def get_key_id(self): " Return the ID of the secret referred to by this request. " if self.keyURL != None: indx = str(self.keyURL).rfind("/") + 1 return str(self.keyURL)[indx:] return None
This class represents data about key requests (archival, recovery, key generation etc.) in the KRA.
class KeyRequestInfoCollection(object): def __init__(self): self.key_requests = [] self.links = [] def decode_from_json(self, json_value): " Populate the object from its JSON representation. " infos = json_value['entries'] if not isinstance(infos, types.ListType): info = KeyRequestInfo() self.key_requests.append(info.from_dict(infos)) else: for info in infos: key_request_info = KeyRequestInfo() key_request_info.from_dict(info) self.key_requests.append(key_request_info)
This class represents the data returned when searching the key requests in the KRA. Essentially, its a list of KeyRequestInfo objects.
class KeyRequestResponse(object): def __init__(self): self.requestInfo = None self.keyData = None def decode_from_json(self, json_value): " Populate the object from its JSON representation. " self.requestInfo = KeyRequestInfo() self.requestInfo.from_dict(json_value['RequestInfo'])
This class is returned when an archival, recovery or key generation request is created. It includes a KeyRequestInfo object with information about the created request, and a KeyData structure which contains the wrapped secret (if that operation is supported).
class Attribute(object): def __init__(self, name, value): self.name = name self.value = value
Class representing a key/value pair. This object is the basis of the representation of a ResourceMessage.
class AttributeList(object): def __init__(self): self.Attribute = []
Class representing a list of attributes. This class is needed because of a JavaMapper used in the REST API.
class ResourceMessage(object): def __init__(self, class_name): self.Attributes = AttributeList() self.ClassName = class_name def add_attribute(self, name, value): " Add an attribute to the list. " attr = Attribute(name, value) self.Attributes.Attribute.append(attr) def get_attribute_value(self, name): " Get the value of a given attribute " for attr in self.Attributes.Attribute: if attr.name == name: return attr.value return None
This class is the basis for the various types of key requests. It is essentially a list of attributes.
class KeyArchivalRequest(ResourceMessage): def __init__(self, client_id=None, data_type=None, wrapped_private_data=None, key_algorithm=None, key_size=None): ResourceMessage.__init__(self, "com.netscape.certsrv.key.KeyArchivalRequest") self.add_attribute("clientID", client_id) self.add_attribute("dataType", data_type) self.add_attribute("wrappedPrivateData", wrapped_private_data) self.add_attribute("keyAlgorithm", key_algorithm) self.add_attribute("keySize", key_size)
Class representing the object sent to the KRA when archiving a secret
class KeyRecoveryRequest(ResourceMessage): def __init__(self, key_id=None, request_id=None, trans_wrapped_session_key=None, session_wrapped_passphrase=None, nonce_data=None, certificate=None, passphrase=None): ResourceMessage.__init__(self, "com.netscape.certsrv.key.KeyRecoveryRequest") self.add_attribute("requestId", request_id) self.add_attribute("transWrappedSessionKey", trans_wrapped_session_key) self.add_attribute("sessionWrappedPassphrase", session_wrapped_passphrase) self.add_attribute("nonceData", nonce_data) self.add_attribute("certificate", certificate) self.add_attribute("passphrase", passphrase) self.add_attribute("keyId", key_id)
Class representing the data sent to the KRA when either creating a request for the recovery of a secret, or, once the request is approved, retrieving the secret.
class SymKeyGenerationRequest(ResourceMessage): UWRAP_USAGE = "unwrap" WRAP_USAGE = "wrap" VERIFY_USAGE = "verify" SIGN_USAGE = "sign" DECRYPT_USAGE = "decrypt" ENCRYPT_USAGE = "encrypt" def __init__(self, client_id=None, key_size=None, key_algorithm=None, key_usage=None): ResourceMessage.__init__(self, "com.netscape.certsrv.key.SymKeyGenerationRequest") self.add_attribute("clientID", client_id) self.add_attribute("keySize", key_size) self.add_attribute("keyAlgorithm", key_algorithm) self.add_attribute("keyUsage", key_usage)
Class representing the data sent to the KRA when generating and archiving a symmetric key on the KRA.
The initialize method of the KRAClient
__init__(self, connection): self.connection = connection self.key_resource = key.KeyResource(connection) self.key_request_resource = key.KeyRequestResource(connection) self.cert_resource = cert.CertResource(connection)
get_transport_cert(self)
Gets the transport cert of the kra - whose details are passed in the connection object.
list_requests(self, request_state=None, request_type=None, client_id=None, start=None, page_size=None, max_results=None, max_time=None)
Search for a list of key requests of a specified type and state.
archive_security_data(self, trans_wrapped_session_key, session_key_wrapped_data, client_id, data_type)
Creates a KeyArchivalRequest using the data provided. The trans_wrapped_session_key and the session_key_wrapped_data are encoded together and set in the KeyArchivalRequest object and passed to the server along with the clientId and the dataType. Returns the KeyRequestInfo object.
get_key_data(self, client_id, status)
Returns the KeyDataInfo object of the key with the given clientId and status.
request_recovery(self, key_id, trans_wrapped_session_key, nonce_data)
Create a request to recover a secret.
To retrieve a symmetric key or passphrase, the only parameter that is required is the key_id. It is possible (but not required) to pass in the session keys/passphrase and nonce_data for the retrieval at this time.
To retrieve an asymmetric key, the keyId and the the base-64 encoded certificate is required.
approve_recovery(self, recovery_id)
Approves the key recovery request with the given recovery_id (Request Id)
retrieve_key(self, keyId, request_id, session_wrapped_passphrase, trans_wrapped_session_key, nonce_data)
Returns the KeyData object of the key using a KeyRecoveryRequest generated using the given values.
get_request(self, request_id)
Returns the KeyRequestInfo object for the given RequestId object.
request_key_recovery(self, key_id, b64Certificate)
Returns the RequestId object of the key request with the given Key Id object and the certificate.
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |