openkmip / libkmip
A C implementation of the KMIP specification.
License: Other
The following line in the tests setup script dumps a ton of output in the Travis CI console (over 6,000 lines worth):
Line 18 in eadb6f7
Redirect this command to a log file to condense the build output during testing.
As per the libkmip documentation, supported operations include create, get and destroy keys, and supported object types include symmetric and asymmetric encryption keys.
I have a requirement for registering a key to KMIP server. My understanding is I can do that only with Register operation. I want to understand if there is a plan to add support for Register operation in libkmip.
I've been trying to use libkmip with a commercial KMIP server. The same program works correctly with PyKMIP. Has anyone else gotten the library to work with another server?
Also, how does one go about debugging an issue like this? The vendor will not provide a hex dump of the encoded packet; with it I could probably figure out the problem in a short amount of time.
The error the server is generating:
WARN ... Failed to get ikm type for key (null) rc = -7
WARN ... Failed to get key details for key (null):(null) rc=-7
ERROR ... request.keys.kmip.UnknownOp ClientIP=xx.xx.xx.xx; ServerPort=5696; CN=KMIPtest; Username=KMIPtest;
RequestCount=5812; Operation=1.0_Undefined Operation [0];
info=Exception: ...; ResultReason=GeneralFailure;
errmsg=Unknown key name or insufficient permissions
Add another set of tests (that mirror existing ones) but run through Valgrind, like this:
valgrind -v --leak-check=full ./tests
The expected output should ultimately be something like:
==12384== HEAP SUMMARY:
==12384== in use at exit: 0 bytes in 0 blocks
==12384== total heap usage: 516 allocs, 516 frees, 13,873 bytes allocated
==12384==
==12384== All heap blocks were freed -- no leaks are possible
==12384==
==12384== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
==12384== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
The test should verify that no leaks are possible.
Current implementation does not support Cryptographic Parameters attribute such as cipher mode, padding mode, digest algorithm etc. These parameters are needed to describe the object that needs to be created. As an example, I would like to create a symmetric key with key algorithm AES, key length 256 and cipher mode GCM. I cannot do that today.
All of the kmip_print_* functions currently leverage printf to display libkmip structures and values. This makes it hard to test these functions and limits their utility to a single use case: printing to stdout. Migrate all of these utilities to leverage fprintf instead, updating the function signatures to also require a FILE * argument that will be used by fprintf to send output to any desired buffer.
Once these updates are in place, update the demo applications and documentation to reflect these changes.
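An added illustration of the testability point made in this issue (example code written for this page, not libkmip's own): a hypothetical print helper, demo_print_result_status, takes a FILE * instead of writing to stdout, so a test can send its output to a temporary file and assert on the exact text. The status names and the indentation style are modelled on the response dumps elsewhere on this page; the function and enum names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example, loosely modelled on the
   "Result Status" values shown in the response dumps; not libkmip's own. */
enum demo_status { DEMO_STATUS_SUCCESS = 0, DEMO_STATUS_OPERATION_FAILED = 1 };

/* Hypothetical print helper in the style the issue asks for: the caller
   supplies the stream, so the same function serves stdout, a log file, or a
   test buffer. */
void demo_print_result_status(FILE *out, int indent, enum demo_status status)
{
    const char *name = "Unknown";
    switch (status) {
    case DEMO_STATUS_SUCCESS:          name = "Success"; break;
    case DEMO_STATUS_OPERATION_FAILED: name = "Operation Failed"; break;
    }
    /* "%*s" with an empty string emits exactly `indent` spaces. */
    fprintf(out, "%*sResult Status: %s\n", indent, "", name);
}

/* Test helper: run the printer against a temporary file (plain ISO C, no
   POSIX memory streams needed), then copy what it wrote into buf so the
   output can be compared byte for byte. Returns the number of bytes captured
   or -1 if no temporary file could be created. */
int demo_capture_result_status(enum demo_status status, char *buf, size_t buflen)
{
    FILE *tmp = tmpfile();
    if (tmp == NULL)
        return -1;
    demo_print_result_status(tmp, 4, status);
    rewind(tmp);
    size_t n = fread(buf, 1, buflen - 1, tmp);
    buf[n] = '\0';
    fclose(tmp);
    return (int)n;
}

int main(void)
{
    char buf[64];
    if (demo_capture_result_status(DEMO_STATUS_OPERATION_FAILED, buf, sizeof buf) > 0)
        fputs(buf, stdout);   /* the only place this program touches stdout */
    return 0;
}
```

With the FILE * in the signature, the demo applications keep passing stdout while the unit tests pass a scratch stream; nothing in the printer itself changes between the two uses.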
The current libkmip unit test suite focuses primarily on verifying the functionality of the encoding and decoding library. The OpenSSL BIO client library is not covered.
The PyKMIP client and server are tested together via Travis CI. Add integration tests to libkmip that use the OpenSSL BIO client API to run basic Create/Get/Destroy commands against the PyKMIP server to verify client functionality.
The addition of the new error code KMIP_ERROR_BUFFER_UNDERFULL is not reflected in kmip_print_error_string, the utility function to print the error code string. Update it to match the current set of error codes.
I have already implemented this on an older branch.
From 1.2 spec:
4.25 Query
This operation is used by the client to interrogate the server to determine its capabilities and/or protocol mechanisms.
4.9 Locate
This operation requests that the server search for one or more Managed Objects, depending on the attributes specified in the request. All attributes are allowed to be used.
I'm using version 0.2.0 of libkmip based off commit 5b4e67, with my custom application in which I connect to a pyKMIP server using the libkmip library. When the pyKMIP server time is not synchronized with my server, that is, my server time is in the future relative to the pyKMIP server time, the pyKMIP server rejects requests from my server with the following error:
2019-12-16 10:05:37,450 - kmip.server.engine - WARNING - Received request with future timestamp. Received timestamp: 1576515938, Current timestamp: 1576515937
I believe that it is fine for the pyKMIP server to reject such a request, but when my server receives the response with an indication of that error, the app crashes. I have investigated that problem a little bit and found out that there is a likely problem in the libkmip library code:
#0 0x0000000000424e5b in kmip_bio_create_symmetric_key (bio=0x6649e0, template_attribute=0x7fffffffcf50, id=0x7fffffffd010,
id_size=0x7fffffffcff4) at kmip_bio.c:200
200 TextString *unique_identifier = pld->unique_identifier;
(gdb) list
195
196 ResponseBatchItem resp_item = resp_m.batch_items[0];
197 result = resp_item.result_status;
198
199 CreateResponsePayload *pld = (CreateResponsePayload *)resp_item.response_payload;
200 TextString *unique_identifier = pld->unique_identifier;
201
202 /* KMIP text strings are not null-terminated by default. Add an extra */
203 /* character to the end of the UUID copy to make space for the null */
204 /* terminator. */
(gdb) p pld
$5 = (CreateResponsePayload *) 0x0
(gdb) p resp_item.response_payload
$6 = (void *) 0x0
(gdb) p resp_item
$7 = {operation = (unknown: 0), unique_batch_item_id = 0x0, result_status = KMIP_STATUS_OPERATION_FAILED,
result_reason = KMIP_REASON_INVALID_MESSAGE, result_message = 0x6648d0, asynchronous_correlation_value = 0x0,
response_payload = 0x0}
(gdb) c
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
The actual crash happens in line 200 of kmip_bio.c, while unique_identifier is being dereferenced. I think it should be conditionally dereferenced only when the response result_status is success. In my scenario the response result is INVALID_MESSAGE (I believe due to the time synchronization problem that I described earlier):
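The check this report asks for, as an added example written for this page rather than libkmip's own code: a failed batch item carries result_status = OPERATION_FAILED and response_payload = NULL, exactly as in the gdb dump above, so the payload must not be dereferenced until the status has been checked. The struct definitions below are simplified stand-ins for ResponseBatchItem, CreateResponsePayload and TextString that keep only the fields needed here, the enum values are placeholders rather than KMIP's wire encodings, and the function extract_unique_identifier, its return codes and the two sample items are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the structures seen in the gdb dump above.
   Hypothetical for this example: only the fields used here are kept, and the
   enum values are placeholders, not KMIP's wire encodings. */
typedef struct { const char *value; size_t size; } TextString;   /* not NUL-terminated */
typedef struct { TextString *unique_identifier; } CreateResponsePayload;

enum result_status { KMIP_STATUS_SUCCESS, KMIP_STATUS_OPERATION_FAILED };
enum result_reason { KMIP_REASON_NONE, KMIP_REASON_INVALID_MESSAGE };

typedef struct {
    enum result_status result_status;
    enum result_reason result_reason;
    TextString *result_message;
    void *response_payload;   /* CreateResponsePayload * on success, NULL on failure */
} ResponseBatchItem;

/* Return codes for the guarded extraction (hypothetical, chosen for this example). */
enum { EXTRACT_ERR_SERVER = -1, EXTRACT_ERR_NO_PAYLOAD = -2, EXTRACT_ERR_TOO_LONG = -3 };

/* Copy the unique identifier out of a Create response into out, NUL-terminated.
   The checks before the dereference are what the crash above is missing: a
   failed batch item has no payload, so response_payload is NULL.
   Returns the identifier length on success, or a negative code. */
int extract_unique_identifier(const ResponseBatchItem *item, char *out, size_t out_size)
{
    if (item->result_status != KMIP_STATUS_SUCCESS) {
        /* Surface the server's verdict to the caller instead of dereferencing NULL. */
        fprintf(stderr, "create failed: status=%d reason=%d message=%.*s\n",
                item->result_status, item->result_reason,
                item->result_message ? (int)item->result_message->size : 6,
                item->result_message ? item->result_message->value : "(none)");
        return EXTRACT_ERR_SERVER;
    }
    const CreateResponsePayload *pld = item->response_payload;
    if (pld == NULL || pld->unique_identifier == NULL || pld->unique_identifier->value == NULL)
        return EXTRACT_ERR_NO_PAYLOAD;   /* success status but nothing to read: still an error */

    const TextString *uid = pld->unique_identifier;
    /* KMIP text strings are not NUL-terminated: copy exactly size bytes, then terminate. */
    if (uid->size + 1 > out_size)
        return EXTRACT_ERR_TOO_LONG;
    memcpy(out, uid->value, uid->size);
    out[uid->size] = '\0';
    return (int)uid->size;
}

/* Constructed sample: a failed batch item shaped like the one in the gdb dump. */
ResponseBatchItem sample_failed_item(void)
{
    static TextString msg = { "constructed server error message", 0 };
    msg.size = strlen(msg.value);
    ResponseBatchItem item = { KMIP_STATUS_OPERATION_FAILED, KMIP_REASON_INVALID_MESSAGE, &msg, NULL };
    return item;
}

/* Constructed sample: a successful Create response carrying a made-up identifier. */
ResponseBatchItem sample_success_item(void)
{
    static TextString uid = { "constructed-uuid-0001", 0 };
    static CreateResponsePayload pld = { &uid };
    uid.size = strlen(uid.value);
    ResponseBatchItem item = { KMIP_STATUS_SUCCESS, KMIP_REASON_NONE, NULL, &pld };
    return item;
}

int main(void)
{
    char id[64];
    ResponseBatchItem failed = sample_failed_item();
    ResponseBatchItem ok = sample_success_item();
    printf("failed item -> rc %d\n", extract_unique_identifier(&failed, id, sizeof id));
    if (extract_unique_identifier(&ok, id, sizeof id) > 0)
        printf("success item -> id %s\n", id);
    return 0;
}
```

The same pattern applies to the other kmip_bio_* helpers: treat a non-success result_status as an error return, and treat a NULL payload under a success status as an error as well, since a server (or a decoder bug) can produce that combination too.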
Here is the output of the git status -sbu command after running the compilation:
$ git status -sbu
## master...origin/master
?? bin/demo_create
?? bin/demo_destroy
?? bin/demo_get
?? bin/demo_query
?? bin/tests
Compiled binaries, being a derived product of source code, need to be ignored. Otherwise, there is a risk of accidentally committing them into Git.
As per the libkmip documentation, supported operations include create, get and destroy keys, and supported object types include symmetric and asymmetric encryption keys. So, I should be able to create an RSA keypair.
There is no demo code for creating keypair, so I changed demo_create.c file as follows:
I then built the demo_create binary and tried creating a key. I am using the PyKMIP server as KMS. However, on running demo_create, I am getting the following error in the response:
Response Batch Item @ 0xf7f5c0
Operation: Create
Unique Batch Item ID @ (nil)
Result Status: Operation Failed
Result Reason: Invalid Field
Result Message @ 0xfa16c0
Value: Cannot create a PublicKey object with the Create operation.
Asynchronous Correlation Value @ (nil)
Create Response Payload @ (nil)
On looking at the KMIP specs, I found that Public/Private keypair can only be created with CreateKeyPair operation. Is my understanding correct? If so, then does libkmip support creating Public/Private keypairs?