PKI KRA Python API - dogtagpki/pki GitHub Wiki
This client provides API to perform operations such as storing secure data, key retrieval,key request approval/denial etc.
It uses the methods provided in the resources to perform operations on the data stored in the KRA.
See also:
class KeyId(object):
def __init__(self, key_id=None):
self.value = key_id
Class representing a key ID.
class RequestId(object):
def __init__(self, req_id):
self.value = req_id
Class representing a Request ID.
class KeyData(object):
def __init__(self):
self.algorithm = None
self.nonceData = None
self.size = None
self.wrappedPrivateData = None
def from_dict(self, attr_list):
" Return a KeyData object from a JSON dict "
for key in attr_list:
setattr(self, key, attr_list[key])
return self
This is the object that contains the wrapped secret when that secret is retrieved.
class KeyInfo(object):
def __init__(self):
self.clientID = None
self.keyURL = None
self.algorithm = None
self.status = None
self.ownerName = None
self.size = None
def from_dict(self, attr_list):
" Return KeyInfo from JSON dict "
for key in attr_list:
setattr(self, key, attr_list[key])
return self
def get_key_id(self):
" Return the key ID as parsed from key URL "
if self.keyURL != None:
indx = str(self.keyURL).rfind("/") + 1
return str(self.keyURL)[indx:]
return None
This is the object that contains information stored in the databse record for an archived secret. It does not contain the secret itself.
class KeyInfoCollection(object):
def __init__(self):
self.key_infos = []
self.links = []
def decode_from_json(self, json_value):
" Populate the object from its JSON representation "
infos = json_value['entries']
if not isinstance(infos, types.ListType):
info = KeyInfo()
self.key_infos.append(info.from_dict(infos))
else:
for info in infos:
key_info = KeyInfo()
key_info.from_dict(info)
self.key_infos.append(key_info)
This class represents data returned when searching the KRA archived secrets. Essentially, its a list of KeyInfo objects.
class KeyRequestInfo(object):
def __init__(self):
self.requestURL = None
self.requestType = None
self.keyURL = None
self.requestStatus = None
def from_dict(self, attr_list):
" Return a KeyRequestInfo object from a JSON dict. "
for key in attr_list:
setattr(self, key, attr_list[key])
return self
def get_request_id(self):
" Return the request ID by parsing the request URL. "
if self.requestURL != None:
indx = str(self.requestURL).rfind("/") + 1
return str(self.requestURL)[indx:]
return None
def get_key_id(self):
" Return the ID of the secret referred to by this request. "
if self.keyURL != None:
indx = str(self.keyURL).rfind("/") + 1
return str(self.keyURL)[indx:]
return None
This class represents data about key requests (archival, recovery, key generation etc.) in the KRA.
class KeyRequestInfoCollection(object):
def __init__(self):
self.key_requests = []
self.links = []
def decode_from_json(self, json_value):
" Populate the object from its JSON representation. "
infos = json_value['entries']
if not isinstance(infos, types.ListType):
info = KeyRequestInfo()
self.key_requests.append(info.from_dict(infos))
else:
for info in infos:
key_request_info = KeyRequestInfo()
key_request_info.from_dict(info)
self.key_requests.append(key_request_info)
This class represents the data returned when searching the key requests in the KRA. Essentially, its a list of KeyRequestInfo objects.
class KeyRequestResponse(object):
def __init__(self):
self.requestInfo = None
self.keyData = None
def decode_from_json(self, json_value):
" Populate the object from its JSON representation. "
self.requestInfo = KeyRequestInfo()
self.requestInfo.from_dict(json_value['RequestInfo'])
This class is returned when an archival, recovery or key generation request is created. It includes a KeyRequestInfo object with information about the created request, and a KeyData structure which contains the wrapped secret (if that operation is supported).
class Attribute(object):
def __init__(self, name, value):
self.name = name
self.value = value
Class representing a key/value pair. This object is the basis of the representation of a ResourceMessage.
class AttributeList(object):
def __init__(self):
self.Attribute = []
Class representing a list of attributes. This class is needed because of a JavaMapper used in the REST API.
class ResourceMessage(object):
def __init__(self, class_name):
self.Attributes = AttributeList()
self.ClassName = class_name
def add_attribute(self, name, value):
" Add an attribute to the list. "
attr = Attribute(name, value)
self.Attributes.Attribute.append(attr)
def get_attribute_value(self, name):
" Get the value of a given attribute "
for attr in self.Attributes.Attribute:
if attr.name == name:
return attr.value
return None
This class is the basis for the various types of key requests. It is essentially a list of attributes.
class KeyArchivalRequest(ResourceMessage):
def __init__(self, client_id=None, data_type=None, wrapped_private_data=None,
key_algorithm=None, key_size=None):
ResourceMessage.__init__(self,
"com.netscape.certsrv.key.KeyArchivalRequest")
self.add_attribute("clientID", client_id)
self.add_attribute("dataType", data_type)
self.add_attribute("wrappedPrivateData", wrapped_private_data)
self.add_attribute("keyAlgorithm", key_algorithm)
self.add_attribute("keySize", key_size)
Class representing the object sent to the KRA when archiving a secret
class KeyRecoveryRequest(ResourceMessage):
def __init__(self, key_id=None, request_id=None,
trans_wrapped_session_key=None,
session_wrapped_passphrase=None,
nonce_data=None, certificate=None,
passphrase=None):
ResourceMessage.__init__(self,
"com.netscape.certsrv.key.KeyRecoveryRequest")
self.add_attribute("requestId", request_id)
self.add_attribute("transWrappedSessionKey", trans_wrapped_session_key)
self.add_attribute("sessionWrappedPassphrase", session_wrapped_passphrase)
self.add_attribute("nonceData", nonce_data)
self.add_attribute("certificate", certificate)
self.add_attribute("passphrase", passphrase)
self.add_attribute("keyId", key_id)
Class representing the data sent to the KRA when either creating a request for the recovery of a secret, or, once the request is approved, retrieving the secret.
class SymKeyGenerationRequest(ResourceMessage):
UWRAP_USAGE = "unwrap"
WRAP_USAGE = "wrap"
VERIFY_USAGE = "verify"
SIGN_USAGE = "sign"
DECRYPT_USAGE = "decrypt"
ENCRYPT_USAGE = "encrypt"
def __init__(self, client_id=None, key_size=None, key_algorithm=None,
key_usage=None):
ResourceMessage.__init__(self,
"com.netscape.certsrv.key.SymKeyGenerationRequest")
self.add_attribute("clientID", client_id)
self.add_attribute("keySize", key_size)
self.add_attribute("keyAlgorithm", key_algorithm)
self.add_attribute("keyUsage", key_usage)
Class representing the data sent to the KRA when generating and archiving a symmetric key on the KRA.
The initialize method of the KRAClient
__init__(self, connection):
self.connection = connection
self.key_resource = key.KeyResource(connection)
self.key_request_resource = key.KeyRequestResource(connection)
self.cert_resource = cert.CertResource(connection)
get_transport_cert(self)
Gets the transport cert of the kra - whose details are passed in the connection object.
list_requests(self, request_state=None, request_type=None, client_id=None,
start=None, page_size=None, max_results=None,
max_time=None)
Search for a list of key requests of a specified type and state.
archive_security_data(self, trans_wrapped_session_key, session_key_wrapped_data, client_id, data_type)
Creates a KeyArchivalRequest using the data provided. The trans_wrapped_session_key and the session_key_wrapped_data are encoded together and set in the KeyArchivalRequest object and passed to the server along with the clientId and the dataType. Returns the KeyRequestInfo object.
get_key_data(self, client_id, status)
Returns the KeyDataInfo object of the key with the given clientId and status.
request_recovery(self, key_id, trans_wrapped_session_key, nonce_data)
Create a request to recover a secret.
To retrieve a symmetric key or passphrase, the only parameter that is required is the key_id. It is possible (but not required) to pass in the session keys/passphrase and nonce_data for the retrieval at this time.
To retrieve an asymmetric key, the keyId and the the base-64 encoded certificate is required.
approve_recovery(self, recovery_id)
Approves the key recovery request with the given recovery_id (Request Id)
retrieve_key(self, keyId, request_id, session_wrapped_passphrase, trans_wrapped_session_key, nonce_data)
Returns the KeyData object of the key using a KeyRecoveryRequest generated using the given values.
get_request(self, request_id)
Returns the KeyRequestInfo object for the given RequestId object.
request_key_recovery(self, key_id, b64Certificate)
Returns the RequestId object of the key request with the given Key Id object and the certificate.