Merge pull request #273 from vbnmmnbv/mac_state_permission_server

Add state/crypto usage mask checks for MAC operation
2025-12-15 07:43:26 +00:00 · 2017-04-19 18:02:46 -04:00
parent 19560b92b7 a0673dc111
commit 5678c21903
2 changed files with 120 additions and 7 deletions
--- a/kmip/services/server/engine.py
+++ b/kmip/services/server/engine.py
@@ -1639,7 +1639,7 @@ class KmipEngine(object):
              managed_object.cryptographic_algorithm):
            algorithm = managed_object.cryptographic_algorithm
        else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                "The cryptographic algorithm must be specified "
                "for the MAC operation"
            )
@@ -1648,7 +1648,7 @@ class KmipEngine(object):
        if managed_object.value:
            key = managed_object.value
        else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                "A secret key value must be specified "
                "for the MAC operation"
            )
@@ -1657,10 +1657,22 @@ class KmipEngine(object):
        if payload.data:
            data = payload.data.value
        else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                "No data to be MACed"
            )

+        if managed_object.state != enums.State.ACTIVE:
+            raise exceptions.PermissionDenied(
+                "Object is not in a state that can be used for MACing."
+            )
+
+        if enums.CryptographicUsageMask.MAC_GENERATE not in \
+           managed_object.cryptographic_usage_masks:
+                raise exceptions.PermissionDenied(
+                    "MAC Generate must be set in the object's cryptographic "
+                    "usage mask"
+                )
+
        result = self._cryptography_engine.mac(
            algorithm,
            key,