
Add KMIP to test suite, containerized PyKMIP tests#28

Draft
cipherboy wants to merge 2 commits into openbao:main from cipherboy:add-kmip-testing

Conversation

@cipherboy
Member

Currently this fails with:

$ podman build -f wrappers/kmip/Dockerfile  .
[ ... snip ... ]
FINISHED --2025-03-22 14:18:24--
Total wall clock time: 0.7s
Downloaded: 2 files, 3.7M in 0.09s (40.8 MB/s)
checksums.txt: OK
okms-cli-linux-x86_64.tar.gz: OK
here
+ pid=5062
+ sleep 10
+ echo 'starting server...'
starting server...
+ /root/.local/bin/pykmip-server --config_path=/go-kms-wrapping/wrappers/kmip/pykmip-server.conf
+ okms --config /go-kms-wrapping/wrappers/kmip/okms.yml kmip create symmetric --alg AES --size 256 --usage encrypt,decrypt --name bao_seal_key
Error: EOF
+ sleep 10
killing server...
+ echo 'killing server...'
+ kill 5062
COMMIT
--> 71f3314b017f
71f3314b017f365a4f3ffca563a39444a8ab9233972b7308025db75a11708b24

In particular, it looks like something is wrong with the OVH KMIP CLI config... perhaps?

cc: @phsym

Signed-off-by: Alexander Scheel <ascheel@gitlab.com>
PyKMIP only supports AES keys at the moment.

Signed-off-by: Alexander Scheel <ascheel@gitlab.com>
@phsym
Contributor

phsym commented Mar 23, 2025

Hum, EOF can have many reasons. Most of the time it's the server rejecting the client TLS certs.
When testing with PyKMIP I usually have a client certificate different from the server one.

How did you generate the certificates? Do you have some PyKMIP logs?

@phsym
Contributor

phsym commented Mar 23, 2025

Could also be a TLS cipher mismatch. I don't recall exactly if you should get a specific error message or just EOF in that case, but PyKMIP logs would have more details. I'll give it a try.

@phsym
Contributor

phsym commented Mar 23, 2025

@cipherboy I've been playing with it, here's what I did to make it work:

  • Set pykmip config auth_suite=TLS1.2
  • Generated certificates using the script provided by pykmip (https://github.com/OpenKMIP/PyKMIP/blob/6cd44b572b0ca55adf01a8a12078b2284602e64c/bin/create_certificates.py)
  • Updated server.conf and okms.yaml to use the generated certificates
  • Removed tls_cipher_suites from pykmip config
  • Set endpoint to localhost:5696 instead of 127.0.0.1:5696 in okms.yaml (to match the subject of server's cert)
  • Updated okms-cli to v0.3.4 (I made some pykmip compatibility changes, see next point)
  • Added flags --tls12-ciphers TLS_RSA_WITH_AES_128_CBC_SHA256 --no-ccv to okms kmip command (flags added in v0.3.4)
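An added preflight check, not code from this PR, okms-cli or PyKMIP, for the two TLS setup mistakes phsym describes above (a client cert that is just the server cert reused, and an endpoint of 127.0.0.1 while the server cert only names localhost), run before any KMIP connection is opened. The function name and the self-signed test certificate are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PreflightKMIPTLS (hypothetical helper, not okms-cli or go-kms-wrapping code) reports
// the two setup mistakes the thread points at before any KMIP connection is attempted:
// an endpoint host the server cert does not cover (127.0.0.1 vs localhost) and a client
// cert that is merely the server cert reused. Load real certs with pem.Decode + x509.ParseCertificate.
func PreflightKMIPTLS(endpoint string, server, client *x509.Certificate) []string {
	var problems []string
	host, _, err := net.SplitHostPort(endpoint)
	if err != nil {
		return []string{"endpoint must be host:port: " + err.Error()}
	}
	if err := server.VerifyHostname(host); err != nil {
		problems = append(problems, fmt.Sprintf("server cert does not cover %q: DNS SANs %v, IP SANs %v",
			host, server.DNSNames, server.IPAddresses))
	}
	if bytes.Equal(client.Raw, server.Raw) {
		problems = append(problems, "client cert is the server cert; issue a separate client cert")
	}
	return problems
}

// selfSignedCert makes a throwaway cert with one DNS SAN: constructed test input only,
// standing in for what PyKMIP's create_certificates.py would produce.
func selfSignedCert(dnsName string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: dnsName},
		DNSNames: []string{dnsName}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	serverCert := selfSignedCert("localhost")
	fmt.Println(PreflightKMIPTLS("127.0.0.1:5696", serverCert, serverCert)) // two findings
}
```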

@phsym
Contributor

phsym commented Mar 23, 2025

FYI, you can save the created key id in a var easily by appending to your command --output json | jq -r '.UniqueIdentifier'

Then you'll need to activate the key with okms kmip <global args> activate ${KEY_ID}

@phsym
Contributor

phsym commented Mar 24, 2025

Alternatively, you can easily script the key creation with the following snippet:

	// Imports assumed for this snippet: the root package of github.com/ovh/kmip-go (kmip.CryptographicUsage*)
	// and its kmipclient subpackage (Dial and the With* options); the body uses t.Fatalf, so it sits in a Go test.
	import (
		"os"
		"strings"
		"testing"

		"github.com/ovh/kmip-go"
		"github.com/ovh/kmip-go/kmipclient"
	)

	func TestCreateSealKey(t *testing.T) { // test name chosen here, not taken from the PR
		kmipClient, err := kmipclient.Dial(
			os.Getenv("BAO_KMIP_ENDPOINT"),
			kmipclient.WithClientCertFiles(os.Getenv("BAO_KMIP_CLIENT_CERT"), os.Getenv("BAO_KMIP_CLIENT_KEY")),
			kmipclient.WithServerName(os.Getenv("BAO_KMIP_SERVER_NAME")),
			kmipclient.WithRootCAFile(os.Getenv("BAO_KMIP_CA_CERT")),
			// os.Getenv takes a single argument; the "," separator belongs to strings.Split.
			kmipclient.WithTlsCipherSuiteNames(strings.Split(os.Getenv("BAO_KMIP_TLS12_CIPHERS"), ",")),
		)
		if err != nil {
			t.Fatalf("err : %s", err)
		}
		defer kmipClient.Close()

		// Create a 256-bit AES key for encrypt/decrypt, then activate it: the same
		// two steps the okms CLI flow above performs as separate commands.
		keyID := kmipClient.Create().
			AES(256, kmip.CryptographicUsageEncrypt|kmip.CryptographicUsageDecrypt).
			WithName("bao_seal_key").MustExec().UniqueIdentifier
		kmipClient.Activate(keyID).MustExec()
	}
