Developer's Guide
 All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
ex-kmip-3.cpp
#if defined( P6_LINUX ) || defined( P6_SOLARIS )
#include <unistd.h>
#else
#include <windows.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <memory> // nothrow
#include "p6com.h"
#include "p6loader.h" // Standalone Component Loader definitions
#include "p6regex.h" // Narrow string regular expression interfaces
#include "p6wregex.h" // Wide string regular expression interfaces
#include "p6split.h" // Narrow split and and explode using regex
#include "p6wsplit.h" // Wide split and and explode using wregex
#include "p6jsonreader.h" // Streaming JSON parser interfaces
#include "p6loader.h" // Standalone Component Loader definitions
#include "p6sax2contenthandler.h" // SAX2 content handler definitions
#include "p6sax2xmlreader.h" // Definitions for the main SAX2 interface
#include "p6sax2errorhandler.h" // SAX2 error handler definitions
#include "p6domxml.h" // DOM Parser interface definitions
#include "p6xmlnode.h" // XML and JSON node definitions
#include "p6xpathexpression.h" // XPATH 2.0 expression compilation interface definitions
#include "p6domnodeset.h" // DOM node enumeration interface definitions
#include "p6domnodesetsort.h" // DOM Node sorting interface definitions
#include "p6keystore.h"
#include "p6kmip.h"
#include "p6kmipclient.h"
#include "p6file.h"
#include "p6dir.h"
#include "p6gencerts.h"
#include "p6genkeys.h"
#include "cconsolestream.h"
using namespace P6R;
P6DECLARE_IID( p6ICom );
P6DECLARE_IID( p6IKMIPRequest );
P6DECLARE_CID( p6KMIPClient );
P6DECLARE_IID( p6IKMIPClient );
P6DECLARE_CID( p6Time );
P6DECLARE_IID( p6ITime );
P6DECLARE_IID( p6ISafeString );
P6DECLARE_CID( p6EntropySource );
P6DECLARE_IID( p6IEntropySource );
P6DECLARE_CID( p6Random );
P6DECLARE_IID( p6IRandomInit );
P6DECLARE_IID( p6IRandom );
P6DECLARE_IID( p6IRunningIface );
P6DECLARE_CID( p6Cert );
P6DECLARE_IID( p6ICert );
P6DECLARE_IID( p6ICertInit );
P6DECLARE_CID( p6GenCerts );
P6DECLARE_IID( p6IGenCerts );
P6DECLARE_CID( p6GenKeys );
P6DECLARE_IID( p6IGenKeys );
P6DECLARE_CID( p6Sign );
P6DECLARE_IID( p6ISign );
P6DECLARE_CID( p6SymmetricCrypto );
P6DECLARE_IID( p6ISymmetricCrypto );
P6DECLARE_CID( p6CryptoKey );
P6DECLARE_IID( p6ICryptoKey );
P6DECLARE_IID( p6ICryptoKeyInit );
P6DECLARE_IID( p6ICryptoKeySetMeta );
P6DECLARE_CID( p6Dir );
P6DECLARE_IID( p6IDir );
P6DECLARE_CID( p6UnbufferedFile );
P6DECLARE_IID( p6IUnbufferedFile );
P6DECLARE_IID( p6IKeystoreInit );
P6DECLARE_IID( p6IKeystore );
P6DECLARE_CID( p6Keystore );
P6DECLARE_IID( p6IKeystoreSSL );
P6DECLARE_IID( p6IDataStream );
namespace {
class CKmipExample3
{
public:
P6CLASSMETHOD initialize();
P6CLASSMETHOD run( p6IDataStream *pStreamDebug );
CKmipExample3()
: m_port(0), m_compatMask(0), m_pHostName(NULL)
{ }
~CKmipExample3()
{
if (NULL != m_pHostName) m_cpStr->wstrfree( m_pHostName );
if (NULL != m_cpStoreInit) m_cpStoreInit->close();
}
protected:
P6CLASSMETHOD createSession( p6IKMIPClient* pClient, P6BOOL bWithCredentials );
P6CLASSMETHOD setPreferences( P6KMIP_PREF* pPrefs, const P6WCHAR* pLogDir, P6UINT16 asynchronous, P6UINT32 privateKeyEncoding, P6UINT32 publicKeyEncoding,
P6UINT32 symmetricKeyEncoding, P6UINT32 maxBufferSize, P6UINT32 connectTimeout, P6UINT32 sendTimeout, P6UINT32 receiveTimeout,
P6UINT32 initialBufCount, P6UINT32 growBufsBy );
// -> common actions moved into functions
P6CLASSMETHOD extractUniqueId( p6IKMIPStr* pEnum, P6NCSTR* pUniqueId );
P6R::P6BOOL isEqualId( p6IKMIPStr* pUniqueId, P6NCSTR id );
P6R::P6BOOL isIdContainedIn( p6IKMIPStr* pUniqueId, P6NCSTR id );
// -> key object related
P6CLASSMETHOD getSymmetricKey( p6IKMIPClient* pClient, P6NCSTR keyId, P6UINT32 cipher, P6UINT32 keyLength, p6ICryptoKey** pKey );
P6CLASSMETHODIMPL getWrappedSymmetricKey( p6IKMIPClient* pClient, P6NCSTR keyId, P6NCSTR kekId, P6NCSTR attribName, P6UINT32 cipher, P6UINT32 keyLength );
P6CLASSMETHOD verifyKeyProperties( P6KMIP_MANAGED managedObj, P6NCSTR keyId, P6UINT32 cipher, P6UINT32 keyLength, p6ICryptoKey** pKey );
// -> supports crypto
P6CLASSMETHOD getRNG(P6R::p6IRandom **ppRandom);
P6CLASSMETHOD getIGenKeys( p6IGenKeys** ppGenKeys );
// -> keystore related
P6CLASSMETHOD keystoreAddRootCertFromFile( p6IKeystore* pKeystore, const P6WCHAR* pszCertificateFile );
P6CLASSMETHOD keystoreAddClientCertFromFile( p6IKeystore* pKeystore, const P6WCHAR* pszHostname, const P6WCHAR* pszPrivateKeyFile, const P6WCHAR* pszCertificateFile );
P6CLASSMETHOD createKeystore( const P6WCHAR* pKeystoreName, const P6WCHAR* rootPEM, const P6WCHAR* certPEM, const P6WCHAR* privPEM, p6IKeystoreInit** pInit, p6IKeystore** pKeystore );
P6CLASSMETHOD createPKCS8Key( P6BSTR keyBuffer, P6SIZE keySize, p6ICryptoKey** ppNewKey );
p6ComPtr<p6ISafeString> m_cpStr; // -> generic string library
p6ComPtr<p6ISymmetricCrypto> m_cpCrypto; // -> used to encrypt the contents of the keystore
p6ComPtr<p6ICryptoKey> m_cpSignKey; // -> keystore related
p6ComPtr<p6IRandom> m_cpRandom; // -> used to support key generation
p6ComPtr<p6IKeystore> m_cpKeystore; // -> the KMIP client requires that a properly initialzed keystore is setup
p6ComPtr<p6IKeystoreInit> m_cpStoreInit; // -> keystore related
P6UINT32 m_port; // -> KMIP server port to connect to
P6UINT32 m_compatMask; // -> compatibility mask: 0 use TTLV message encoding, 2 use XML message encoding, 4 use JSON message encoding
P6WCHAR* m_pHostName; // -> IP address or FQDN of KMIP server to connect to
};
// create the key file (supplied by the server vendor) into a p6ICryptoKey object for SSL
//
P6CLASSMETHODIMPL CKmipExample3::createPKCS8Key( P6BSTR keyBuffer, P6SIZE keySize, p6ICryptoKey** ppNewKey )
{
p6ComPtr<p6ICryptoKeyInit> cpKeyInit;
P6ERR err = eOk;
if (P6SUCCEEDED( err = p6CreateCryptoInstance( CID_p6CryptoKey, VALIDATECOMPTR( p6ICryptoKeyInit, cpKeyInit ))))
{
if (P6SUCCEEDED( err = cpKeyInit->initialize( P6CKF_NONE, m_cpRandom )))
{
if (P6SUCCEEDED( err = cpKeyInit->loadPKCS8Key( keyBuffer.pString, (P6UINT32) keyBuffer.length, (P6UINT32) keySize )))
{
err = cpKeyInit->queryInterface( VALIDATEIF( p6ICryptoKey, ppNewKey ));
}
}
}
return err;
}
// The contents of the keystore is protected by a key
P6CLASSMETHODIMPL CKmipExample3::getIGenKeys( p6IGenKeys** ppGenKeys )
{
P6ERR err = eOk;
*ppGenKeys = NULL;
// Create an instance of the p6IGenKeys interface and then initilize it for use
err = p6CreateCryptoInstance( CID_p6GenKeys, VALIDATEIF( p6IGenKeys, ppGenKeys ));
if (P6SUCCEEDED(err))
{
err = (*ppGenKeys)->initialize( P6GENKEY_NOFLAGS, m_cpRandom );
if (P6FAILED( err ))
{
(*ppGenKeys)->release();
*ppGenKeys = NULL;
}
}
return err;
}
P6CLASSMETHODIMPL CKmipExample3::keystoreAddRootCertFromFile( p6IKeystore* pKeystore, const P6WCHAR* pszCertificateFile )
{
P6WCHAR certPath[P6MAXPATH+2] = {0};
P6ERR err = eOk;
if (!pKeystore || !pszCertificateFile) return eInvalidArg;
if (P6FAILED( err = p6GetDirectory( P6D_CONF, certPath, P6MAXPATH, NULL ))) return err;
if (P6FAILED( err = m_cpStr->wstrlcat( certPath, P6CNTOF(certPath), P6TEXT("/"), NULL ))) return err;
if (P6FAILED( err = m_cpStr->wstrlcat( certPath, P6CNTOF(certPath), pszCertificateFile, NULL ))) return err;
p6ComPtr<p6IKeystoreSSL> cpSSLHelp( pKeystore, IID_p6IKeystoreSSL, &err );
if (P6SUCCEEDED( err )) {
err = cpSSLHelp->importTrustedRootCertFromPEMFile( certPath, NULL );
}
return err;
}
P6CLASSMETHODIMPL CKmipExample3::keystoreAddClientCertFromFile( p6IKeystore* pKeystore, const P6WCHAR* pszHostname, const P6WCHAR* pszPrivateKeyFile, const P6WCHAR* pszCertificateFile )
{
P6WCHAR certPath[P6MAXPATH+2] = {0};
P6WCHAR keyPath[P6MAXPATH+2] = {0};
P6ERR err = eOk;
if (!pKeystore || !pszHostname || !pszPrivateKeyFile || !pszCertificateFile ) return eInvalidArg;
if (P6FAILED( err = p6GetDirectory( P6D_CONF, keyPath, P6MAXPATH, NULL ))) return err;
if (P6FAILED( err = m_cpStr->wstrlcat( keyPath, P6CNTOF(keyPath), P6TEXT("/"), NULL ))) return err;
if (P6FAILED( err = m_cpStr->wstrlcat( keyPath, P6CNTOF(keyPath), pszPrivateKeyFile, NULL ))) return err;
if (P6FAILED( err = p6GetDirectory( P6D_CONF, certPath, P6MAXPATH, NULL ))) return err;
if (P6FAILED( err = m_cpStr->wstrlcat( certPath, P6CNTOF(certPath), P6TEXT("/"), NULL ))) return err;
if (P6FAILED( err = m_cpStr->wstrlcat( certPath, P6CNTOF(certPath), pszCertificateFile, NULL ))) return err;
p6ComPtr<p6IKeystoreSSL> cpSSLHelp( pKeystore, IID_p6IKeystoreSSL, &err );
if (P6SUCCEEDED( err )) {
err = cpSSLHelp->importCredentialsPEM( P6TRUE, pszHostname, keyPath, certPath, NULL, NULL );
}
return err;
}
// Create a keystore and then load it with the information we need to connect to the KMIP server.
// P6R's SSL looks into the keystore for certificates and the private key when it starts a connection to the KMIP server.
P6CLASSMETHODIMPL CKmipExample3::createKeystore( const P6WCHAR* pKeystoreName, const P6WCHAR* rootPEM, const P6WCHAR* certPEM, const P6WCHAR* privPEM, p6IKeystoreInit** pInit, p6IKeystore** pKeystore )
{
P6ERR err = eOk;
*pInit = NULL;
*pKeystore = NULL;
// Create the keystore and fill it with vendor provided SSL certificates
if (P6FAILED( err = p6CreateInstance( NULL, CID_p6Keystore, VALIDATEIF( p6IKeystoreInit, pInit )))) return err;
err = (*pInit)->queryInterface( VALIDATEIF( p6IKeystore, pKeystore ));
if (P6FAILED( err = (*pInit)->initialize( P6KEYSTORE_NOFLAGS, m_cpCrypto, SH_SHA256, m_cpSignKey )))
{
if (NULL != (*pKeystore)) (*pKeystore)->release();
(*pKeystore) = NULL;
(*pInit)->release();
(*pInit) = NULL;
return err;
}
/*
* The first parameter of openSigned() is the file path where to create and access keystore databases.
* If NULL, then the keystore location will default to the P6R database directory.
* If the SKC is installed in a read-only directory then the first parameter will need to be set to
* an existing read/write directory.
*/
if (P6FAILED( err = (*pInit)->openSigned( NULL, pKeystoreName )))
{
if (NULL != (*pKeystore)) (*pKeystore)->release();
(*pKeystore) = NULL;
(*pInit)->release();
(*pInit) = NULL;
return err;
}
if (P6FAILED( err = keystoreAddRootCertFromFile( (*pKeystore), rootPEM ))) return err;
if (P6FAILED( err = keystoreAddClientCertFromFile( (*pKeystore), m_pHostName, privPEM, certPEM ))) return err;
return eOk;
}
// Key generation requires an entropy source
P6CLASSMETHODIMPL CKmipExample3::getRNG(P6R::p6IRandom **ppRandom)
{
P6ERR err = eOk;
p6ComPtr<p6IRunningIface> cpRIT(IID_p6IRunningIface,&err);
p6ComPtr<p6IEntropySource> cpSource;
if (P6SUCCEEDED( err = p6CreateCryptoInstance( CID_p6EntropySource, VALIDATECOMPTR( p6IEntropySource, cpSource ))))
{
if (P6SUCCEEDED( err = cpSource->initialize( P6ENTROPY_HIGH )))
{
p6ComPtr<p6IRandomInit> cpInit;
if (P6SUCCEEDED( err = p6CreateCryptoInstance( CID_p6Random, VALIDATECOMPTR( p6IRandomInit, cpInit ))))
{
if (P6SUCCEEDED( err = cpInit->initialize( P6RAND_NOFLAGS, cpSource ))) {
err = cpInit.queryInterface(VALIDATEIF(p6IRandom,ppRandom));
}
}
}
}
return err;
}
// Replace the host name of "fqdn.com" to the fully qualified domain name of the server you wish to connect to.
P6R::P6ERR CKmipExample3::initialize()
{
P6ERR err = eOk;
P6WCHAR dbPath[P6MAXPATH+200] = {0};
p6ComPtr<p6IGenKeys> cpGenKey;
p6ComPtr<p6ICryptoKey> cpKey;
p6ComPtr<p6IDir> cpDir;
if (P6FAILED( err = p6GetRuntimeIface( VALIDATECOMPTR( p6ISafeString, m_cpStr )))) return err;
if (P6FAILED( err = p6CreateInstance(NULL, CID_p6Dir, VALIDATECOMPTR( p6IDir, cpDir )))) return err;
if (P6FAILED( err = cpDir->initialize())) return err;
if (P6FAILED( err = getRNG( m_cpRandom.addressof()))) return err;
// -> right now configuration is hard coded, but could read out of a config file later
// m_compatMask is set to zero for TTLV message encoding, set to 2 for XML message encoding, and set to 4 for JSON message encoding
//
m_port = 5696;
m_compatMask = 0;
if (P6FAILED( err = m_cpStr->wstrdup( P6TEXT("fqdn.com"), &m_pHostName ))) return err;
// -> create the keys required to encrypt the contents of the keystore
if (P6SUCCEEDED( err = getIGenKeys( cpGenKey.addressof() )))
{
err = cpGenKey->genSymmetricKey( m_cpSignKey.addressof(), 256, P6FALSE );
if (P6SUCCEEDED( err )) {
err = cpGenKey->genSymmetricKey( cpKey.addressof(), 256, P6FALSE );
}
}
if (P6SUCCEEDED( err )) err = p6CreateCryptoInstance( CID_p6SymmetricCrypto, VALIDATECOMPTR( p6ISymmetricCrypto, m_cpCrypto ));
if (P6SUCCEEDED( err )) err = m_cpCrypto->initialize( P6SYM_NOPADDING, CIPHER_AES_CFB );
if (P6SUCCEEDED( err )) err = m_cpCrypto->setKey( cpKey );
// -> initialize the keystore with keys provided to us by the server vendor
dbPath[0] = P6CHAR('\0');
if (P6FAILED( err = p6GetDirectory( P6D_DATA, dbPath, P6MAXPATH, NULL ))) return err;
if (P6FAILED( err = m_cpStr->wstrlcat( dbPath, P6CNTOF(dbPath), P6TEXT("/db/KMIP12_keystore"), NULL ))) return err;
cpDir->unlink( dbPath );
dbPath[0] = P6CHAR('\0');
if (P6FAILED( err = p6GetDirectory( P6D_DATA, dbPath, P6MAXPATH, NULL ))) return err;
if (P6FAILED( err = m_cpStr->wstrlcat( dbPath, P6CNTOF(dbPath), P6TEXT("/db/KMIP12_keystore.sig"), NULL ))) return err;
cpDir->unlink( dbPath );
return createKeystore( P6TEXT("KMIP12_keystore"), P6TEXT("RootCert.pem"), P6TEXT("ClientCert.pem"), P6TEXT("ClientPrivate.pem"), m_cpStoreInit.addressof(), m_cpKeystore.addressof() );
}
// The client creates an SSL connection to the KMIP server and then makes its requests
// Configure the client on how it is supposed to behave (e.g., protocol version, use TTLV or XML or JSON, how to encode keys PKCSXXX).
//
P6CLASSMETHODIMPL CKmipExample3::setPreferences( P6KMIP_PREF* pPrefs, const P6WCHAR* pLogDir, P6UINT16 asynchronous, P6UINT32 privateKeyEncoding, P6UINT32 publicKeyEncoding,
P6UINT32 symmetricKeyEncoding, P6UINT32 maxBufferSize, P6UINT32 connectTimeout, P6UINT32 sendTimeout, P6UINT32 receiveTimeout,
P6UINT32 initialBufCount, P6UINT32 growBufsBy )
{
m_cpStr->setMem( pPrefs, 0, sizeof( P6KMIP_PREF ));
pPrefs->pVersion = "1.2"; pPrefs->pSubdirectory = pLogDir;
pPrefs->asynchronous = asynchronous; pPrefs->maxBufferSize = maxBufferSize;
pPrefs->connectTimeout = connectTimeout; pPrefs->sendTimeout = sendTimeout;
pPrefs->receiveTimeout = receiveTimeout; pPrefs->initialBufCount = initialBufCount;
pPrefs->growBufsBy = growBufsBy; pPrefs->privateKeyEncoding = privateKeyEncoding;
pPrefs->publicKeyEncoding = publicKeyEncoding; pPrefs->symmetricKeyEncoding = symmetricKeyEncoding;
pPrefs->compatibility1 = m_compatMask;
return eOk;
}
// We just hard code the credentials (i.e., name and password) for a test if needed
P6CLASSMETHODIMPL CKmipExample3::createSession( p6IKMIPClient* pClient, P6BOOL bWithCredentials )
{
P6KMIP_CREDENTIAL credential;
P6ERR err = eOk;
// -> integration testing setups are often not production quality, some use IP addresses instead of FQDN and thus a non-secure setup
if (P6FAILED( err = pClient->setSSLOptions( NULL, (P6SSF_METHOD_TLS1 | P6SSF_SECURE_CLIENT | P6SSF_SECURE_CLIENT_AUTH | P6SSF_LOG_X509SUBJECTLOOKUPS | P6SSF_VRFY_DISABLEHOSTMATCH)))) return err;
m_cpStr->setMem( &credential, 0, sizeof( P6KMIP_CREDENTIAL ));
credential.type = 1;
credential.value.password.userName.pString = "Fred";
credential.value.password.userName.length = 4;
credential.value.password.password.pString = "password1";
credential.value.password.password.length = 9;
return pClient->open( m_pHostName, m_port, (bWithCredentials ? &credential : NULL));
}
// Just return the very first unique identifier from the enumerator
// Some calls can result in multiple unique identifiers returned at the same time (e.g., locate object)
P6CLASSMETHODIMPL CKmipExample3::extractUniqueId( p6IKMIPStr* pEnum, P6NCSTR* pUniqueId )
{
P6CHAR* pGUID = NULL;
P6NCSTR buffer = { NULL, 0 };
P6ERR err = eOk;
pUniqueId->pString = NULL;
pUniqueId->length = 0;
err = pEnum->reset();
err = pEnum->next( &buffer );
if ( 0 < buffer.length )
{
if (NULL == (pGUID = new(std::nothrow) P6CHAR[buffer.length + 2])) return eNoMemory;
pGUID[0] = 0;
buffer.pString = pGUID;
buffer.length += 2;
if (P6FAILED( err = pEnum->next( &buffer ))) return err;
pUniqueId->pString = buffer.pString;
pUniqueId->length = buffer.length;
}
else err = eFail;
return err;
}
// Verify the string returned in pUniqueId matches that in the id parameter
P6R::P6BOOL CKmipExample3::isEqualId( p6IKMIPStr* pUniqueId, P6NCSTR id )
{
P6NCSTR enumStr = {NULL, 0};
P6INT32 match = -1;
P6ERR err = eOk;
if (NULL != pUniqueId)
{
if (P6FAILED( err = extractUniqueId( pUniqueId, &enumStr ))) return P6FALSE;
if (enumStr.length == id.length)
{
err = m_cpStr->strcmp( enumStr.pString, id.pString, id.length, &match );
delete [] enumStr.pString;
}
}
return (0 == match);
}
// What if multiple unique Ids are returned, we want to see if the id parameter is one of them
P6R::P6BOOL CKmipExample3::isIdContainedIn( p6IKMIPStr* pUniqueId, P6NCSTR id )
{
P6CHAR tempName[300];
P6NCSTR buffer = { tempName, 300 };
P6INT32 match = -1;
P6ERR err = eOk;
if (NULL != pUniqueId)
{
err = pUniqueId->reset();
while( P6SUCCEEDED( err = pUniqueId->next( &buffer )))
{
match = -1;
if (buffer.length == id.length)
{
if (P6SUCCEEDED( err = m_cpStr->strcmp( buffer.pString, id.pString, id.length, &match ))) {
if (0 == match) { pUniqueId->release(); return P6TRUE; }
}
}
buffer.length = 300;
}
pUniqueId->release();
}
return P6FALSE;
}
// Ask the KMIP server to return the key matching the unique Key identifier
P6CLASSMETHODIMPL CKmipExample3::getSymmetricKey( p6IKMIPClient* pClient, P6NCSTR keyId, P6UINT32 cipher, P6UINT32 keyLength, p6ICryptoKey** pKey )
{
P6KMIP_RESULT resultCodes;
P6KMIP_GETPARAMS getParams;
P6KMIP_MANAGED managedObj;
m_cpStr->setMem( &resultCodes, 0, sizeof( P6KMIP_RESULT ));
m_cpStr->setMem( &getParams, 0, sizeof( P6KMIP_GETPARAMS ));
m_cpStr->setMem( &managedObj, 0, sizeof( P6KMIP_MANAGED ));
*pKey = NULL;
getParams.uniqueId.pString = keyId.pString;
getParams.uniqueId.length = keyId.length;
pClient->getObject( getParams, &managedObj, &resultCodes );
return verifyKeyProperties( managedObj, keyId, cipher, keyLength, pKey );
}
// Verify that the returned key is as we expected
P6CLASSMETHODIMPL CKmipExample3::verifyKeyProperties( P6KMIP_MANAGED managedObj, P6NCSTR keyId, P6UINT32 cipher, P6UINT32 keyLength, p6ICryptoKey** pKey )
{
P6ERR err = eOk;
if (NULL != managedObj.pUniqueId)
{
if (KMIP_OBJECT_SYMMETRICKEY == managedObj.type)
{
if (cipher != managedObj.value.symmetricKey.cryptoAlgorithm) {
printf("\nunexpected key type returned\n");
}
if (keyLength != managedObj.value.symmetricKey.cryptoLength) {
printf("\nunexpected key length returned\n");
}
(*pKey) = managedObj.value.symmetricKey.value.pKey;
if (NULL != (*pKey))
{
P6CRYPTOKEYCLASS keyClass;
P6CRYPTOKEYTYPE keyType;
P6UUID Guid;
P6INT32 keySize = 0;
P6INT32 version = 0;
err = (*pKey)->getInfo( &keyClass, &keyType, &Guid, &keySize, &version );
if (keyClass != CKC_SYMMETRIC) {
printf("\nkey meta-data class not as expected\n");
}
if (keyType != CKT_SYM) {
printf("\nkey meta-data type not as expected\n");
}
if (((P6UINT32)keySize) != keyLength) {
printf("\nkey meta-data length not as exoected\n");
}
}
}
}
return err;
}
// When we receive the wrapped key it looks like a binary blob to us since it is encrypted using another key
//
P6CLASSMETHODIMPL CKmipExample3::getWrappedSymmetricKey( p6IKMIPClient* pClient, P6NCSTR keyId, P6NCSTR kekId, P6NCSTR attribName, P6UINT32 cipher, P6UINT32 keyLength )
{
P6KMIP_RESULT resultCodes;
P6KMIP_GETPARAMS getParams;
P6KMIP_MANAGED managedObj;
P6KMIP_WRAPPINGSPEC wrapSpec;
P6UCHAR* pHandle = NULL;
P6BSTR buffer = { NULL, 0 };
P6BOOL bMatch = P6FALSE;
P6ERR err = eOk;
m_cpStr->setMem( &resultCodes, 0, sizeof( P6KMIP_RESULT ));
m_cpStr->setMem( &getParams, 0, sizeof( P6KMIP_GETPARAMS ));
m_cpStr->setMem( &managedObj, 0, sizeof( P6KMIP_MANAGED ));
m_cpStr->setMem( &wrapSpec, 0, sizeof( P6KMIP_WRAPPINGSPEC ));
// -> the wrapping specification tells the server how to wrap (key and method) the managed object we want to get
// -> other managed objects, other than keys, can also be wrapped
wrapSpec.method = KMIP_WRAP_ENCRYPT;
wrapSpec.encryptKey.uniqueId = kekId;
wrapSpec.encryptKey.params.blockCipherMode = KMIP_NISTKEYWRAP;
if ( NULL != attribName.pString ) {
wrapSpec.attribcount = 1;
wrapSpec.pAttributeNames = &attribName;
}
else wrapSpec.encodingOption = KMIP_ENCODING_NO;
getParams.uniqueId.pString = keyId.pString;
getParams.uniqueId.length = keyId.length;
getParams.pSpec = &wrapSpec;
if ( P6FAILED( err = pClient->getObject( getParams, &managedObj, &resultCodes ))) {
printf("\ncall to getObject has failed %x\n", err );
}
else if (KMIP_RESULT_SUCCESS != resultCodes.resultStatus) {
printf("\nKMIP server returned an error for getObect\n");
}
if (NULL != managedObj.pUniqueId)
{
if (!(bMatch = isEqualId( managedObj.pUniqueId, keyId ))) {
printf("\nKMIP server returned an unexpected object\n");
}
// -> "type" indicates which union element is used {1..}, 0 means no value set (Section 9.1.3.2.12 in p6kmip.h, Object Type Enumeration)
// wrappedSymmetricKey - item 25, key Value structure in a Key Block is encrypted and or signed for a symmetric key
if (25 == managedObj.type)
{
if (cipher != managedObj.value.wrappedSymmetricKey.cryptoAlgorithm) {
printf("\nKMIP server returned a wrapped key with the wrong cipher\n");
}
if (keyLength != managedObj.value.wrappedSymmetricKey.cryptoLength) {
printf("\nKMIP server returned a wrapped key with the wrong length\n");
}
// -> extract the wrapped binary key (blob) from the binary enumerator
if (NULL != managedObj.value.wrappedSymmetricKey.pKeyValue)
{
err = managedObj.value.wrappedSymmetricKey.pKeyValue->reset();
err = managedObj.value.wrappedSymmetricKey.pKeyValue->next( &buffer );
if (0 < buffer.length)
{
if (NULL == (pHandle = new(std::nothrow) P6UCHAR[buffer.length + 2])) return eNoMemory;
pHandle[0] = 0;
buffer.pString = pHandle;
buffer.length += 2;
if (P6FAILED( err = managedObj.value.pgpKey.pBlob->next( &buffer ))) return err;
P6UINT32 i=0;
printf("\n\n\n"); for ( i=0; i < buffer.length; i++) printf( "%x", pHandle[i] ); printf("\n size is %d\n", i );
delete [] pHandle;
}
managedObj.value.wrappedSymmetricKey.pKeyValue->release();
}
if (KMIP_WRAP_ENCRYPT != managedObj.value.wrappedSymmetricKey.wrapData.method) {
printf("\nKMIP server returned a wrapped key with the wrong wrap method\n");
}
if (KMIP_NISTKEYWRAP != managedObj.value.wrappedSymmetricKey.wrapData.encryptParams.blockCipherMode) {
printf("\nKMIP server returned a wrapped key with the wrong wrap cipher mode\n");
}
if (NULL == attribName.pString )
{
if (KMIP_ENCODING_NO != managedObj.value.wrappedSymmetricKey.wrapData.encodingOption) {
printf("\nKMIP server returned a wrapped key with the wrong encoding option\n");
}
}
}
}
return err;
}
// Key Wrapping with attributes
// Main client function
// Identical to the KMIP TC_142_12 interop test case.
//
P6CLASSMETHODIMPL CKmipExample3::run( p6IDataStream *pStreamDebug )
{
p6ComPtr<p6IKMIPClient> cpClient;
p6ComPtr<p6ITime> cpClock;
P6KMIP_PREF preferences;
P6KMIP_RESULT resultCodes;
P6KMIP_REGKEYPARAMS keyParams;
P6KMIP_NEWOBJECT newKey;
P6KMIP_REVOCATION reason;
P6KMIP_ATTRIBUTE attributeList[6];
P6NCSTR kekId = {NULL, 0};
P6NCSTR dataKeyId = {NULL, 0};
P6NCSTR attribName = {"Cryptographic Usage Mask", 24};
p6ICryptoKey* pKekKey = NULL;
p6ICryptoKey* pDataKey = NULL;
p6ICryptoKeySetMeta* pMeta = NULL;
p6IGenKeys* pGenKey = NULL;
p6IKMIPStr* pUniqueId = NULL;
P6BOOL bMatch = P6FALSE;
P6TIME tStamp = 0;
P6ERR err = eOk;
// [1] Initialize, "TC_142_12" directory created in the configured log directory to hold all logs for this example
// -> the KMIP client is just a component, the using code can create any number of them as each is independent of all others
//
if (P6FAILED( err = p6CreateInstance( NULL, CID_p6KMIPClient, VALIDATECOMPTR( p6IKMIPClient, cpClient )))) return err;
setPreferences( &preferences, P6TEXT("TC_142_12"), 0, 0, 0, 0, 60000, 30000, 30000, 120000, 2, 2 );
err = cpClient->initialize( (P6KMIPFLG_TRACE_MSGS | P6KMIPFLG_TRACE_FORMATKMIPXML), m_cpKeystore, preferences );
if (P6FAILED( err = p6CreateInstance( NULL, CID_p6Time, VALIDATECOMPTR( p6ITime, cpClock )))) return err;
err = cpClock->initialize();
// [2] Open a connection to the KMIP server via SSL
if (P6FAILED( err = createSession( cpClient, P6FALSE ))) { return err; }
// [3] Generate and register the key encrypting key (KEK) and set it's meta data
// -> this key will be used to wrap the next key that we create
if (P6SUCCEEDED( err = getIGenKeys( &pGenKey )))
{
err = pGenKey->genSymmetricKey( &pKekKey, 128, P6FALSE );
pGenKey->release();
if (P6FAILED(err)) return err;
}
if (P6SUCCEEDED( err = pKekKey->queryInterface( VALIDATEIF( p6ICryptoKeySetMeta, &pMeta ))))
{
pMeta->setCipher( CIPHER_AES_CBC );
pMeta->release();
pMeta = NULL;
}
// -> activate the key (i.e., change its state from PRE-ACTIVE) by setting its activation date into the past
err = cpClock->now( &tStamp );
err = cpClock->addHours( &tStamp, -1 );
m_cpStr->setMem( &resultCodes, 0, sizeof( P6KMIP_RESULT ));
m_cpStr->setMem( &keyParams, 0, sizeof( P6KMIP_REGKEYPARAMS ));
m_cpStr->setMem( &newKey, 0, sizeof( P6KMIP_NEWOBJECT ));
// -> the name attirbute is an alias placed on the key
attributeList[0].type = KMIP_ATTRIB_NAME;
attributeList[0].index = 0;
attributeList[0].value.name.type = KMIP_NAME_TEXTSTR;
attributeList[0].value.name.value.pString = "TC-142-12-key1";
attributeList[0].value.name.value.length = 14;
// -> tell the KMIP server that this is a KEK
attributeList[1].type = KMIP_ATTRIB_CRYPTOUSAGEMASK;
attributeList[1].index = 0;
attributeList[1].value.cryptoUsageMask = KMIP_USE_WRAPKEY;
m_cpStr->setMem( &attributeList[2], 0, sizeof( P6KMIP_ATTRIBUTE ));
attributeList[2].type = KMIP_ATTRIB_CRYPTOPARAMS;
attributeList[2].index = 0;
attributeList[2].value.cParams.blockCipherMode = KMIP_NISTKEYWRAP;
// -> time stamps are in GMT
attributeList[3].type = KMIP_ATTRIB_ACTIVATIONDATE;
attributeList[3].index = 0;
attributeList[3].value.activationDate = tStamp;
keyParams.attributes.attribCount = 4;
keyParams.attributes.pAttributeList = attributeList;
keyParams.type = 1;
keyParams.value.pKey = pKekKey;
if (P6FAILED( err = cpClient->registerKeyObject( keyParams, &newKey, &resultCodes ))) {
printf("\ncall to registerKeyObject has failed %x\n", err );
}
else if (KMIP_RESULT_SUCCESS != resultCodes.resultStatus) {
printf("\nKMIP server returned an error\n");
}
pKekKey->release();
if (NULL != newKey.pUniqueId)
{
// -> verify that the key id returned is as expected, value stored in the kekId variable while we free the enumerator
err = extractUniqueId( newKey.pUniqueId, &kekId );
newKey.pUniqueId->release();
newKey.pUniqueId = NULL;
}
// [4] Here the client generates the key and saves it (i.e., register ) the key material on the KMIP server
if (P6SUCCEEDED( err = getIGenKeys( &pGenKey )))
{
err = pGenKey->genSymmetricKey( &pDataKey, 128, P6FALSE );
pGenKey->release();
if (P6FAILED(err)) return err;
}
// -> set the meta data on the key indicating the crypto algorthm used (i.e., AES) which will be copied
// into the KMIP key block that holds the key material and its meta data
// -> key meta data is stored in attributes and in the key block
if (P6SUCCEEDED( err = pDataKey->queryInterface( VALIDATEIF( p6ICryptoKeySetMeta, &pMeta ))))
{
pMeta->setCipher( CIPHER_AES_CBC );
pMeta->release();
}
m_cpStr->setMem( &resultCodes, 0, sizeof( P6KMIP_RESULT ));
m_cpStr->setMem( &keyParams, 0, sizeof( P6KMIP_REGKEYPARAMS ));
m_cpStr->setMem( &newKey, 0, sizeof( P6KMIP_NEWOBJECT ));
attributeList[0].type = KMIP_ATTRIB_NAME;
attributeList[0].index = 0;
attributeList[0].value.name.type = KMIP_NAME_TEXTSTR;
attributeList[0].value.name.value.pString = "TC-142-12-key2";
attributeList[0].value.name.value.length = 14;
// -> tell the KMIP server that this key is to be used for encrypting data
attributeList[1].type = KMIP_ATTRIB_CRYPTOUSAGEMASK;
attributeList[1].index = 0;
attributeList[1].value.cryptoUsageMask = KMIP_USE_ENCRYPT | KMIP_USE_DECRYPT;
keyParams.attributes.attribCount = 2;
keyParams.attributes.pAttributeList = attributeList;
keyParams.type = 1;
keyParams.value.pKey = pDataKey;
if ( P6FAILED( err = cpClient->registerKeyObject( keyParams, &newKey, &resultCodes ))) {
printf("\ncall to registerKeyObject has failed %x\n", err );
}
else if (KMIP_RESULT_SUCCESS != resultCodes.resultStatus) {
printf("\nKMIP server returned an error\n");
}
pDataKey->release();
pDataKey = NULL;
if (NULL != newKey.pUniqueId)
{
// -> verify that the key id returned is as expected, and we need to release the enumerator returned even if we do not use it
err = extractUniqueId( newKey.pUniqueId, &dataKeyId );
newKey.pUniqueId->release();
newKey.pUniqueId = NULL;
}
// [5] Download the keys off the server in wrapped and unwrapped modes
err = getWrappedSymmetricKey( cpClient, dataKeyId, kekId, attribName, KMIP_AES, 128 ); // -> key encrypted
err = getSymmetricKey( cpClient, dataKeyId, KMIP_AES, 128, &pDataKey ); // -> key in the clear unwrapped
if (P6SUCCEEDED(err) && NULL != pDataKey) pDataKey->release();
// [6] Clean up
// -> if the imported data key was created we need to clean up and remove it from the KMIP server
// -> the data key was not activated so we can just destroy it
if (NULL != dataKeyId.pString)
{
m_cpStr->setMem( &resultCodes, 0, sizeof( P6KMIP_RESULT ));
err = cpClient->destroyObject( dataKeyId, NULL, &newKey.pUniqueId, &resultCodes );
if ( P6FAILED( err )) {
printf("\ndestroying data key call has failed\n");
}
else if (KMIP_RESULT_SUCCESS != resultCodes.resultStatus) {
printf("\nKMIP server returned an error\n");
}
// -> we could verify that the returned ID of the key that was deleted as we expected
if (NULL != newKey.pUniqueId) {
newKey.pUniqueId->release();
newKey.pUniqueId = NULL;
}
delete [] dataKeyId.pString;
}
// -> we cannot just destroy an ACTIVE key, we MUST first change its state one way is to revoke it
m_cpStr->setMem( &resultCodes, 0, sizeof( P6KMIP_RESULT ));
m_cpStr->setMem( &reason, 0, sizeof( P6KMIP_REVOCATION ));
pUniqueId = NULL;
reason.reasonCode = KMIP_REVOC_UNSPECIFIED;
if ( P6FAILED( err = cpClient->revokeObject( kekId, reason, NULL, NULL, &pUniqueId, &resultCodes ))) {
printf("\ncall to revokeObject has failed %x\n", err );
}
else if (KMIP_RESULT_SUCCESS != resultCodes.resultStatus) {
printf("\nKMIP server returned an error on revoke key\n");
}
if (NULL != pUniqueId)
{
if (!(bMatch = isEqualId( pUniqueId, kekId ))) {
printf("\nKMIP server returned unexpected uniqueId for revoked key\n");
}
}
// -> if the Key encrypting key (KEK) was created and revoked, then remove it from the server
if (NULL != kekId.pString)
{
m_cpStr->setMem( &resultCodes, 0, sizeof( P6KMIP_RESULT ));
err = cpClient->destroyObject( kekId, NULL, &newKey.pUniqueId, &resultCodes );
if ( P6FAILED( err )) {
printf("\ndestroying data key call has failed\n");
}
else if (KMIP_RESULT_SUCCESS != resultCodes.resultStatus) {
printf("\nKMIP server returned an error\n");
}
// -> we could verify that the returned ID of the key that was deleted as we expected
if (NULL != newKey.pUniqueId) {
newKey.pUniqueId->release();
newKey.pUniqueId = NULL;
}
delete [] kekId.pString;
}
return cpClient->close();
}
P6VOID KMIP_TC_142_12( p6IDataStream* pDataStream )
{
CKmipExample3 example;
P6CHAR szTmp[32];
P6ERR err = eOk;
if (P6SUCCEEDED( err = example.initialize())) {
err = example.run(pDataStream);
}
printf( "KMIP client result: [ %s ]\n", p6ErrToStr(err, &szTmp[0], P6CHARCNT(szTmp)) );
}
} // namespace
// p6InitializeLoader() must be called before anything else can run.
//
int main(int argc,char *argv[])
{
p6ComPtr<p6IDataStream> cpDataStream;
P6ERR err = eOk;
if ( P6SUCCEEDED( err = P6EXAMPLES::CConsoleStream::createInstance( NULL, VALIDATECOMPTR( p6IDataStream, cpDataStream ))))
{
if ( P6SUCCEEDED( err = p6InitializeLoader( cpDataStream, 9, P6SCLF_ALLLOG )))
{
KMIP_TC_142_12(cpDataStream);
p6CleanupLoader();
}
else printf("ERROR: Failed to initialize the loader [ %x ]\n", err );
}
else printf( "ERROR: Failed to create CConsoleStream [ %x ]\n", err );
return err;
}