Add encryption support to the server cryptography engine

This change adds encryption functionality to the cryptographic engine used by the server. It supports a variety of symmetric encryption algorithms and block cipher modes. Asymmetric encryption support will be added in a future patch. Unit tests and minor updates to surrounding core code are included.
2025-12-25 20:53:23 +00:00 · 2017-06-16 16:03:30 -04:00
parent 66f80922f3
commit 7bc613417b
5 changed files with 657 additions and 23 deletions
--- a/kmip/services/server/crypto/api.py
+++ b/kmip/services/server/crypto/api.py
@@ -81,3 +81,43 @@ class CryptographicEngine(object):
        Returns:
            bytes: The MAC data
        """
+
+    @abstractmethod
+    def encrypt(self,
+                encryption_algorithm,
+                encryption_key,
+                plain_text,
+                cipher_mode=None,
+                padding_method=None,
+                iv_nonce=None):
+        """
+        Encrypt data using symmetric encryption.
+
+        Args:
+            encryption_algorithm (CryptographicAlgorithm): An enumeration
+                specifying the symmetric encryption algorithm to use for
+                encryption.
+            encryption_key (bytes): The bytes of the symmetric key to use for
+                encryption.
+            plain_text (bytes): The bytes to be encrypted.
+            cipher_mode (BlockCipherMode): An enumeration specifying the
+                block cipher mode to use with the encryption algorithm.
+                Required in the general case. Optional if the encryption
+                algorithm is RC4 (aka ARC4). If optional, defaults to None.
+            padding_method (PaddingMethod): An enumeration specifying the
+                padding method to use on the data before encryption. Required
+                if the cipher mode is for block ciphers (e.g., CBC, ECB).
+                Optional otherwise, defaults to None.
+            iv_nonce (bytes): The IV/nonce value to use to initialize the mode
+                of the encryption algorithm. Optional, defaults to None. If
+                required and not provided, it will be autogenerated and
+                returned with the cipher text.
+
+        Returns:
+            dict: A dictionary containing the encrypted data, with at least
+                the following key/value fields:
+                * cipher_text - the bytes of the encrypted data
+                * iv_nonce - the bytes of the IV/counter/nonce used if it
+                    was needed by the encryption scheme and if it was
+                    automatically generated for the encryption
+        """