Add support for Cryptographic Parameters attribute
The current implementation does not support the Cryptographic Parameters attribute (cipher mode, padding mode, digest algorithm, etc.). These parameters are needed to describe the object that needs to be created. As an example, I would like to create a symmetric key with key algorithm AES, key length 256 and cipher mode GCM. I cannot do that today.
Hi @arvind5, thank you for filing this issue. My apologies for the extreme delay; I've been out and unable to work on PyKMIP due to the ongoing pandemic. I should have more time to work on this going forward.
PyKMIP does support the CryptographicParameters attribute, so I'll need more information to help understand your use case here. Are you just using the Create operation to create symmetric keys with specific configuration values?
Hi @PeterHamilton, thanks for your response. I have PyKMIP server 0.9.1 installed on my machine and I am using the libkmip client to perform the Create Key operation against the PyKMIP server.
I want to pass some cryptographic parameters, such as Cipher Mode, along with other parameters (viz. Key Length, Key Algorithm) as part of the Create Key request. Since the libkmip client does not support the cryptographic parameters attribute, I modified it to add support for that attribute as per the guidelines given in the KMIP specs.
After making those changes, when I tried to perform the Create Key operation on the PyKMIP server, I got the following error from the server:
Result Status: Operation Failed Result Reason: Invalid Field Result Message @ 0x22236c0 Value: The Cryptographic Parameters attribute is unsupported.
If I comment out these lines in the PyKMIP server, then the operation succeeds. Please help if I am missing anything.
Hey @PeterHamilton -- Following up on this, as I'm experiencing the same pain point right now. I'm trying to use PyKMIP as a testing server; I have my own client written which I'm testing. In the KMIP 1.2 specs, it's specified that cryptographic parameters must EITHER be specified in the encrypt request itself, OR attached to the encryption object whose UID you specify. My understanding is that right now, ManagedObjects don't have a way to store cryptographic parameters, so they must be passed in with encrypt. But for my purposes, it would be very beneficial to be able to not have to pass these parameters via the encrypt request, and only at time of creation. I would be happy to try to take a crack at these changes myself, if you could point me to where in code you think changes would need to be made.
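Added example, not code from PyKMIP, libkmip or any participant in this thread: a minimal, dependency-free TTLV encoder/decoder that builds the Template-Attribute a KMIP 1.x Create request would carry for the AES-256 key with GCM cipher mode asked for in the original issue, then decodes it back and applies the KMIP 1.2 Encrypt rule discussed in the last comment (parameters in the request are used if present, otherwise the ones stored on the object). The tag numbers, item types and enumeration values are taken from the KMIP 1.x specification as I recall them; the Attribute Name / Attribute Value wrapper layout and the function names are my own, and the input is constructed rather than captured from a real client.

```python
import struct

# TTLV item types (KMIP 1.x "Item Type" encodings)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

# KMIP tags used in this example (3-byte values from the spec's tag table)
TAG_ATTRIBUTE = 0x420008
TAG_ATTRIBUTE_NAME = 0x42000A
TAG_ATTRIBUTE_VALUE = 0x42000B
TAG_BLOCK_CIPHER_MODE = 0x420011
TAG_CRYPTOGRAPHIC_ALGORITHM = 0x420028
TAG_CRYPTOGRAPHIC_LENGTH = 0x42002A
TAG_CRYPTOGRAPHIC_PARAMETERS = 0x42002B
TAG_PADDING_METHOD = 0x42005F
TAG_TEMPLATE_ATTRIBUTE = 0x420091

# Enumeration values
ALG_AES = 0x03    # Cryptographic Algorithm: AES
MODE_GCM = 0x09   # Block Cipher Mode: GCM
PAD_NONE = 0x01   # Padding Method: None


def ttlv(tag, item_type, value):
    """One TTLV item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8 bytes."""
    pad = (-len(value)) % 8
    return tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", len(value)) + value + b"\x00" * pad


def ttlv_integer(tag, n):
    return ttlv(tag, INTEGER, struct.pack(">i", n))


def ttlv_enum(tag, n):
    return ttlv(tag, ENUMERATION, struct.pack(">I", n))


def ttlv_text(tag, s):
    return ttlv(tag, TEXT_STRING, s.encode("utf-8"))


def ttlv_structure(tag, items):
    # Children are already 8-byte aligned, so a structure's length is just the sum of their sizes.
    return ttlv(tag, STRUCTURE, b"".join(items))


def attribute(name, value_item):
    """KMIP 1.x Attribute {Attribute Name, Attribute Value}. The encoded value keeps its own item type
    but is re-tagged as Attribute Value (wrapper layout assumed from the 1.x spec)."""
    retagged = TAG_ATTRIBUTE_VALUE.to_bytes(3, "big") + value_item[3:]
    return ttlv_structure(TAG_ATTRIBUTE, [ttlv_text(TAG_ATTRIBUTE_NAME, name), retagged])


def aes_gcm_cryptographic_parameters():
    """The Cryptographic Parameters structure the issue wants attached to the key: GCM, no padding."""
    return ttlv_structure(TAG_CRYPTOGRAPHIC_PARAMETERS, [
        ttlv_enum(TAG_BLOCK_CIPHER_MODE, MODE_GCM),
        ttlv_enum(TAG_PADDING_METHOD, PAD_NONE),
    ])


def aes256_gcm_template_attribute():
    """Template-Attribute for a Create request: AES, 256 bits, plus the Cryptographic Parameters above."""
    return ttlv_structure(TAG_TEMPLATE_ATTRIBUTE, [
        attribute("Cryptographic Algorithm", ttlv_enum(TAG_CRYPTOGRAPHIC_ALGORITHM, ALG_AES)),
        attribute("Cryptographic Length", ttlv_integer(TAG_CRYPTOGRAPHIC_LENGTH, 256)),
        attribute("Cryptographic Parameters", aes_gcm_cryptographic_parameters()),
    ])


def parse_ttlv(buf, offset=0):
    """Decode one item at offset -> ((tag, type, value), next_offset). Structures decode recursively."""
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    item_type = buf[offset + 3]
    length = struct.unpack(">I", buf[offset + 4:offset + 8])[0]
    raw = buf[offset + 8:offset + 8 + length]
    if len(raw) != length:
        raise ValueError("truncated TTLV item")
    if item_type == STRUCTURE:
        value, pos = [], 0
        while pos < len(raw):
            item, pos = parse_ttlv(raw, pos)
            value.append(item)
    elif item_type == INTEGER:
        value = struct.unpack(">i", raw)[0]
    elif item_type == ENUMERATION:
        value = struct.unpack(">I", raw)[0]
    elif item_type == TEXT_STRING:
        value = raw.decode("utf-8")
    else:
        value = bytes(raw)
    return (tag, item_type, value), offset + 8 + length + ((-length) % 8)


def attributes_by_name(template_attribute_bytes):
    """Flatten a decoded Template-Attribute into {attribute name: value}; structure values become {tag: value}."""
    (tag, _, attrs), _ = parse_ttlv(template_attribute_bytes)
    if tag != TAG_TEMPLATE_ATTRIBUTE:
        raise ValueError("not a Template-Attribute")
    out = {}
    for _, _, fields in attrs:
        name = next(v for t, _, v in fields if t == TAG_ATTRIBUTE_NAME)
        value = next(v for t, _, v in fields if t == TAG_ATTRIBUTE_VALUE)
        out[name] = {t: v for t, _, v in value} if isinstance(value, list) else value
    return out


def resolve_cipher_mode(request_params, object_params):
    """KMIP 1.2 Encrypt rule: use the request's Cryptographic Parameters if present, else the ones
    stored on the managed object; having neither is an error (params are {tag: value} dicts)."""
    params = request_params if request_params is not None else object_params
    if params is None:
        raise ValueError("no Cryptographic Parameters in the request or on the object")
    return params[TAG_BLOCK_CIPHER_MODE]
```

Decoding the output of `aes256_gcm_template_attribute()` with `attributes_by_name` shows why a server that stores the Cryptographic Parameters at creation time can later serve an Encrypt request that omits them: `resolve_cipher_mode(None, stored)` falls through to the stored GCM mode, while a request that does carry parameters still takes precedence.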