Add state/crypto usage mask checks for MAC operation

2025-12-15 07:43:26 +00:00 · 2017-03-31 17:08:20 -07:00
parent 2aabad714a
commit a0673dc111
2 changed files with 120 additions and 7 deletions
--- a/kmip/services/server/engine.py
+++ b/kmip/services/server/engine.py
@@ -1634,7 +1634,7 @@ class KmipEngine(object):
              managed_object.cryptographic_algorithm):
            algorithm = managed_object.cryptographic_algorithm
        else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                "The cryptographic algorithm must be specified "
                "for the MAC operation"
            )
@@ -1643,7 +1643,7 @@ class KmipEngine(object):
        if managed_object.value:
            key = managed_object.value
        else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                "A secret key value must be specified "
                "for the MAC operation"
            )
@@ -1652,10 +1652,22 @@ class KmipEngine(object):
        if payload.data:
            data = payload.data.value
        else:
-            raise exceptions.InvalidField(
+            raise exceptions.PermissionDenied(
                "No data to be MACed"
            )

+        if managed_object.state != enums.State.ACTIVE:
+            raise exceptions.PermissionDenied(
+                "Object is not in a state that can be used for MACing."
+            )
+
+        if enums.CryptographicUsageMask.MAC_GENERATE not in \
+           managed_object.cryptographic_usage_masks:
+                raise exceptions.PermissionDenied(
+                    "MAC Generate must be set in the object's cryptographic "
+                    "usage mask"
+                )
+
        result = self._cryptography_engine.mac(
            algorithm,
            key,