Add Encrypt support to the clients

PeterHamilton · PeterHamilton · commit a5e960153c6c · 2017-06-20T11:11:50.000-04:00
This change adds Encrypt operation support to the KMIPProxy and
ProxyKmipClient clients, including unit tests to cover the new
functionality.

Extensive documentation has been added to the header comments for
the new client methods detailing the expected input parameters and
return values. This approach should be followed for all new client
additions going forward.
diff --git a/kmip/pie/api.py b/kmip/pie/api.py
@@ -139,6 +139,25 @@ def destroy(self, uid):
         """
         pass
 
+    @abc.abstractmethod
+    def encrypt(self, data, uid=None, cryptographic_parameters=None,
+                iv_counter_nonce=None):
+        """
+        Encrypt data using the specified encryption key and parameters.
+
+        Args:
+            data (bytes): The bytes to encrypt. Required.
+            uid (string): The unique ID of the encryption key to use.
+                Optional, defaults to None.
+            cryptographic_parameters (dict): A dictionary containing various
+                cryptographic settings to be used for the encryption.
+                Optional, defaults to None.
+            iv_counter_nonce (bytes): The bytes to use for the IV/counter/
+                nonce, if needed by the encryption algorithm and/or cipher
+                mode. Optional, defaults to None.
+        """
+        pass
+
     @abc.abstractmethod
     def mac(self, data, uid, algorithm):
         """
diff --git a/kmip/pie/client.py b/kmip/pie/client.py
@@ -649,6 +649,142 @@ def destroy(self, uid=None):
             message = result.result_message.value
             raise exceptions.KmipOperationFailure(status, reason, message)
 
+    def encrypt(self, data, uid=None, cryptographic_parameters=None,
+                iv_counter_nonce=None):
+        """
+        Encrypt data using the specified encryption key and parameters.
+
+        Args:
+            data (bytes): The bytes to encrypt. Required.
+            uid (string): The unique ID of the encryption key to use.
+                Optional, defaults to None.
+            cryptographic_parameters (dict): A dictionary containing various
+                cryptographic settings to be used for the encryption.
+                Optional, defaults to None.
+            iv_counter_nonce (bytes): The bytes to use for the IV/counter/
+                nonce, if needed by the encryption algorithm and/or cipher
+                mode. Optional, defaults to None.
+
+        Returns:
+            bytes: The encrypted data.
+            bytes: The IV/counter/nonce used with the encryption algorithm,
+                only if it was autogenerated by the server.
+
+        Raises:
+            ClientConnectionNotOpen: if the client connection is unusable
+            KmipOperationFailure: if the operation result is a failure
+            TypeError: if the input arguments are invalid
+
+        Notes:
+            The cryptographic_parameters argument is a dictionary that can
+            contain the following key/value pairs:
+
+            Keys                          | Value
+            ------------------------------|-----------------------------------
+            'block_cipher_mode'           | A BlockCipherMode enumeration
+                                          | indicating the cipher mode to use
+                                          | with the encryption algorithm.
+            'padding_method'              | A PaddingMethod enumeration
+                                          | indicating which padding method to
+                                          | use with the encryption algorithm.
+            'hashing_algorithm'           | A HashingAlgorithm enumeration
+                                          | indicating which hashing algorithm
+                                          | to use.
+            'key_role_type'               | A KeyRoleType enumeration
+                                          | indicating the intended use of the
+                                          | associated cryptographic key.
+            'digital_signature_algorithm' | A DigitalSignatureAlgorithm
+                                          | enumeration indicating which
+                                          | digital signature algorithm to
+                                          | use.
+            'cryptographic_algorithm'     | A CryptographicAlgorithm
+                                          | enumeration indicating which
+                                          | encryption algorithm to use.
+            'random_iv'                   | A boolean indicating whether the
+                                          | server should autogenerate an IV.
+            'iv_length'                   | An integer representing the length
+                                          | of the initialization vector (IV)
+                                          | in bits.
+            'tag_length'                  | An integer representing the length
+                                          | of the authenticator tag in bytes.
+            'fixed_field_length'          | An integer representing the length
+                                          | of the fixed field portion of the
+                                          | IV in bits.
+            'invocation_field_length'     | An integer representing the length
+                                          | of the invocation field portion of
+                                          | the IV in bits.
+            'counter_length'              | An integer representing the length
+                                          | of the coutner portion of the IV
+                                          | in bits.
+            'initial_counter_value'       | An integer representing the
+                                          | starting counter value for CTR
+                                          | mode (typically 1).
+        """
+        # Check input
+        if not isinstance(data, six.binary_type):
+            raise TypeError("data must be bytes")
+        if uid is not None:
+            if not isinstance(uid, six.string_types):
+                raise TypeError("uid must be a string")
+        if cryptographic_parameters is not None:
+            if not isinstance(cryptographic_parameters, dict):
+                raise TypeError("cryptographic_parameters must be a dict")
+        if iv_counter_nonce is not None:
+            if not isinstance(iv_counter_nonce, six.binary_type):
+                raise TypeError("iv_counter_nonce must be bytes")
+
+        # Verify that operations can be given at this time
+        if not self._is_open:
+            raise exceptions.ClientConnectionNotOpen()
+
+        cryptographic_parameters = CryptographicParameters(
+            block_cipher_mode=cryptographic_parameters.get(
+                'block_cipher_mode'
+            ),
+            padding_method=cryptographic_parameters.get('padding_method'),
+            hashing_algorithm=cryptographic_parameters.get(
+                'hashing_algorithm'
+            ),
+            key_role_type=cryptographic_parameters.get('key_role_type'),
+            digital_signature_algorithm=cryptographic_parameters.get(
+                'digital_signature_algorithm'
+            ),
+            cryptographic_algorithm=cryptographic_parameters.get(
+                'cryptographic_algorithm'
+            ),
+            random_iv=cryptographic_parameters.get('random_iv'),
+            iv_length=cryptographic_parameters.get('iv_length'),
+            tag_length=cryptographic_parameters.get('tag_length'),
+            fixed_field_length=cryptographic_parameters.get(
+                'fixed_field_length'
+            ),
+            invocation_field_length=cryptographic_parameters.get(
+                'invocation_field_length'
+            ),
+            counter_length=cryptographic_parameters.get('counter_length'),
+            initial_counter_value=cryptographic_parameters.get(
+                'initial_counter_value'
+            )
+        )
+
+        # Encrypt the provided data and handle the results
+        result = self.proxy.encrypt(
+            data,
+            uid,
+            cryptographic_parameters,
+            iv_counter_nonce
+        )
+
+        status = result.get('result_status')
+        if status == enums.ResultStatus.SUCCESS:
+            return result.get('data'), result.get('iv_counter_nonce')
+        else:
+            raise exceptions.KmipOperationFailure(
+                status,
+                result.get('result_reason'),
+                result.get('result_message')
+            )
+
     def mac(self, data, uid=None, algorithm=None):
         """
         Get the message authentication code for data.
diff --git a/kmip/services/kmip_client.py b/kmip/services/kmip_client.py
@@ -53,6 +53,7 @@
 from kmip.core.messages.payloads import create_key_pair
 from kmip.core.messages.payloads import destroy
 from kmip.core.messages.payloads import discover_versions
+from kmip.core.messages.payloads import encrypt
 from kmip.core.messages.payloads import get
 from kmip.core.messages.payloads import get_attributes
 from kmip.core.messages.payloads import get_attribute_list
@@ -433,6 +434,78 @@ def discover_versions(self, batch=False, protocol_versions=None,
             results = self._process_batch_items(response)
             return results[0]
 
+    def encrypt(self,
+                data,
+                unique_identifier=None,
+                cryptographic_parameters=None,
+                iv_counter_nonce=None,
+                credential=None):
+        """
+        Encrypt data using the specified encryption key and parameters.
+
+        Args:
+            data (bytes): The bytes to encrypt. Required.
+            unique_identifier (string): The unique ID of the encryption key
+                to use. Optional, defaults to None.
+            cryptographic_parameters (CryptographicParameters): A structure
+                containing various cryptographic settings to be used for the
+                encryption. Optional, defaults to None.
+            iv_counter_nonce (bytes): The bytes to use for the IV/counter/
+                nonce, if needed by the encryption algorithm and/or cipher
+                mode. Optional, defaults to None.
+            credential (Credential): A credential object containing a set of
+                authorization parameters for the operation. Optional, defaults
+                to None.
+
+        Returns:
+            dict: The results of the encrypt operation, containing the
+                following key/value pairs:
+
+                Key                 | Value
+                --------------------|-----------------------------------------
+                'unique_identifier' | (string) The unique ID of the encryption
+                                    | key used to encrypt the data.
+                'data'              | (bytes) The encrypted data.
+                'iv_counter_nonce'  | (bytes) The IV/counter/nonce used for
+                                    | the encryption, if autogenerated.
+                'result_status'     | (ResultStatus) An enumeration indicating
+                                    | the status of the operation result.
+                'result_reason'     | (ResultReason) An enumeration providing
+                                    | context for the result status.
+                'result_message'    | (string) A message providing additional
+                                    | context for the operation result.
+        """
+        operation = Operation(OperationEnum.ENCRYPT)
+
+        request_payload = encrypt.EncryptRequestPayload(
+            unique_identifier=unique_identifier,
+            data=data,
+            cryptographic_parameters=cryptographic_parameters,
+            iv_counter_nonce=iv_counter_nonce
+        )
+        batch_item = messages.RequestBatchItem(
+            operation=operation,
+            request_payload=request_payload
+        )
+
+        request = self._build_request_message(credential, [batch_item])
+        response = self._send_and_receive_message(request)
+        batch_item = response.batch_items[0]
+        payload = batch_item.response_payload
+
+        result = {}
+
+        if payload:
+            result['unique_identifier'] = payload.unique_identifier
+            result['data'] = payload.data
+            result['iv_counter_nonce'] = payload.iv_counter_nonce
+
+        result['result_status'] = batch_item.result_status
+        result['result_reason'] = batch_item.result_reason
+        result['result_message'] = batch_item.result_message
+
+        return result
+
     def mac(self, data, unique_identifier=None,
             cryptographic_parameters=None, credential=None):
         return self._mac(
diff --git a/kmip/tests/unit/pie/test_api.py b/kmip/tests/unit/pie/test_api.py
@@ -59,6 +59,18 @@ def revoke(self, revocation_reason, uid, revocation_message,
     def destroy(self, uid):
         super(DummyKmipClient, self).destroy(uid)
 
+    def encrypt(self,
+                data,
+                uid=None,
+                cryptographic_parameters=None,
+                iv_counter_nonce=None):
+        super(DummyKmipClient, self).encrypt(
+            data,
+            uid,
+            cryptographic_parameters,
+            iv_counter_nonce
+        )
+
     def mac(self, data, uid, algorithm):
         super(DummyKmipClient, self).mac(data, uid, algorithm)
 
@@ -147,6 +159,14 @@ def test_destroy(self):
         dummy = DummyKmipClient()
         dummy.destroy('uid')
 
+    def test_encrypt(self):
+        """
+        Test that the encrypt method can be called without error.
+        :return:
+        """
+        dummy = DummyKmipClient()
+        dummy.encrypt('data', 'uid', 'crypto_params', 'iv')
+
     def test_mac(self):
         """
         Test that the mac method can be called without error.
diff --git a/kmip/tests/unit/pie/test_client.py b/kmip/tests/unit/pie/test_client.py
diff --git a/kmip/tests/unit/services/test_kmip_client.py b/kmip/tests/unit/services/test_kmip_client.py
