Merge branch 'master' into dependabot/pip/database/bigquery/src/main/…

…python/requests-2.31.0 Signed-off-by: ANURAG JAIN <111074839+anugram@users.noreply.github.com>
ThalesGroup · Nov 19, 2024 · 4f64cf9 · 4f64cf9
2 parents 32ff7f3 + 8b648c9
commit 4f64cf9
Show file tree

Hide file tree

Showing 140 changed files with 23,437 additions and 5,694 deletions.
diff --git a/cakm/ekm/README.md b/cakm/ekm/README.md
@@ -0,0 +1,62 @@
+README.md
+
+This SQL script (cakm_ekm_db_restoration.sql) and a C executable (cakm_ekm_config_change.exe) will be used to automatically restore the encrypted VKM/CAKM  databases to CAKM without any customer environment downtime.
+This is a sample script and you can update the same as per your requirement.
+
+Perform the following steps to run SQL script (`cakm_ekm_db_restoration.sql`):
+
+1. Copy `cakm_ekm_db_restoration.sql` and `cakm_ekm_config_change.exe` from github.
+
+2. Place these files on the location where CAKM is installed.<br>For example, `C:\Program Files\CipherTrust\CAKM For SQLServerEKM`
+
+3. Open the command prompt and navigate to the path where CAKM is installed.
+
+4. Below is the sample command to restore the encrypted backup file:
+
+	**Sample**
+
+		#!yaml
+		sqlcmd -S <Hostname> -d <master> -U <sa> -P <password> -i <cakm_ekm_db_restoration.sql> -v keyname=<"DSM_VKM_Migration_Key_2_2"> provider=<"thales_provider"> dbname=<"VKM_DB"> backup=<"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Backup\VKM_Migration_Testing.bak"> cm_user=<"cm_username"> cm_passwd=<"cm_password"> prop_path=""
+
+	Where, 
+
+	* (-S): SQL Server name
+
+	* (-d): Database name 
+
+	* (-U): SQL Login ID 
+
+	* (-P): SQL Login ID password 
+
+	* (-i): SQL script
+
+	* (-v): provide custom arguments as key="value" pair as specified in above command example:
+
+	* keyname: Keyname present on CipherTrust Manager
+
+	* provider: Crytographic provider
+
+	* backup: DB backup file with complete path
+
+	* dbname: database name with which backup will be restored
+
+	* cm_user: CipherTrust login user name
+
+	* cm_passwd: CipherTrust login password
+
+	* prop_path=""
+		* If you want to provide a path to this parameter, the path should be the location where the **CAKM for MSSQL EKM** is installed. For example, prop_path=`"C:\Program Files\CipherTrust\CAKM For SQLServerEKM\"`.
+		
+		* If an empty value is provided in `prop_path`, then script will use the default path to find the property file and executable file(`cakm_ekm_config_change.exe`).<br>Default path: `C:\Program Files\CipherTrust\CAKM For SQLServerEKM\`.
+		
+	!!! note
+		
+		In the above sample command, the SQL script (cakm_ekm_db_restoration.sql) is provided with `-i` option as an input to run  `sqlcmd` utility.
+
+At the end of script execution, 
+
+* If the encrypted database backup is successfully restored, a **"Restore successful"** message is displayed.
+
+* If the encrypted database backup restore fails, **"Restore failed. Error:`<Detailed Error Message>`"** is displayed.
+
+Please refer to [Thalesdoc](https://thalesdocs.com/ctp/con/cakm/cakm-mssql-ekm/alpha-8.6.1/admin/cakm_mssql_ekm_advanced_topics/cakm_vkm_db_restore/index.html) for more information.
diff --git a/cakm/ekm/cakm_ekm_config_change.exe b/cakm/ekm/cakm_ekm_config_change.exe
diff --git a/cakm/ekm/cakm_ekm_db_restoration.sql b/cakm/ekm/cakm_ekm_db_restoration.sql
@@ -0,0 +1,217 @@
+--cakm_ekm_db_restoration.sql is a sample script designed for db restoration from VKM to CAKM and CAKM to CAKM.
+--users can modify it as needed to accommodate their specific environment restrictions.
+--it is committed at github https://github.com/ThalesGroup/CipherTrust_Application_Protection/cakm/ekm
+
+sp_configure 'xp_cmdshell', 1;
+GO
+RECONFIGURE;
+GO
+
+DECLARE @keyname NVARCHAR(128);
+DECLARE @provider NVARCHAR(128);
+DECLARE @sql NVARCHAR(MAX);
+DECLARE @login_cmd NVARCHAR(MAX);
+DECLARE @cred_cmd NVARCHAR(MAX);
+DECLARE @alter_login NVARCHAR(MAX);
+DECLARE @drop_alter_login NVARCHAR(MAX);
+DECLARE @drop_cred NVARCHAR(MAX);
+DECLARE @drop_login NVARCHAR(MAX);
+DECLARE @dbname NVARCHAR(100);
+DECLARE @backup VARCHAR(200);
+DECLARE @drop_sql NVARCHAR(MAX);
+DECLARE @cm_user NVARCHAR(128);
+DECLARE @cm_passwd NVARCHAR(128);
+DECLARE @login NVARCHAR(128);
+DECLARE @cred NVARCHAR(128);
+DECLARE @prop_file NVARCHAR(MAX);
+DECLARE @prop_file_bkp NVARCHAR(MAX);
+DECLARE @prop_path NVARCHAR(MAX);
+DECLARE @cakm_prop_change NVARCHAR(MAX);
+DECLARE @exec_prop_bkp_cmd NVARCHAR(MAX);
+DECLARE @exec_prop_cmd NVARCHAR(MAX);
+DECLARE @exec_exec_uuid_cmd NVARCHAR(MAX);
+DECLARE @exec_exec_fp_cmd NVARCHAR(MAX);
+DECLARE @exec_rm_prop_bkp_cmd NVARCHAR(MAX);
+
+SET @keyname = N'$(keyname)';
+SET @provider = N'$(provider)';
+SET @dbname = N'$(dbname)';
+SET @backup = N'$(backup)';
+SET @cm_user = N'$(cm_user)';
+SET @cm_passwd = N'$(cm_passwd)';
+SET @login = N'login_' + @keyname;
+SET @cred = N'cred_' + @keyname;
+SET @prop_path =N'$(prop_path)';
+
+IF '$(prop_path)' = ''
+BEGIN
+    SET @prop_file =N'C:\Program Files\CipherTrust\CAKM For SQLServerEKM\cakm_mssql_ekm.properties';
+	SET @prop_file_bkp =N'C:\Program Files\CipherTrust\CAKM For SQLServerEKM\cakm_mssql_ekm.properties_bkp';
+	SET @cakm_prop_change =N'C:\Program Files\CipherTrust\CAKM For SQLServerEKM\cakm_ekm_config_change.exe';
+	PRINT 'Property file path not provided, So using default path';
+END
+ELSE
+BEGIN
+	SET @prop_file = @prop_path + N'\cakm_mssql_ekm.properties';
+	SET @prop_file_bkp = @prop_path + N'\cakm_mssql_ekm.properties_bkp';
+	SET @cakm_prop_change = @prop_path + N'\cakm_ekm_config_change.exe';
+END
+
+SET @exec_prop_bkp_cmd = 'EXEC xp_cmdshell ''copy "' + @prop_file + '" "' + @prop_file_bkp + '"''';
+SET @exec_prop_cmd = 'EXEC xp_cmdshell ''copy "' + @prop_file_bkp + '" "' + @prop_file + '"''';
+SET @exec_rm_prop_bkp_cmd = 'EXEC xp_cmdshell ''del "' + @prop_file_bkp + '"''';
+SET @exec_exec_uuid_cmd = 'EXEC xp_cmdshell ''"' + @cakm_prop_change + '" UUID'';';
+SET @exec_exec_fp_cmd = 'EXEC xp_cmdshell ''"' + @cakm_prop_change + '" FP'';';
+
+-- Execute the command
+PRINT "Creating the Backup of Property file";
+
+SET NOCOUNT ON;
+IF NOT EXISTS (
+    SELECT * 
+    FROM sys.tables 
+    WHERE name = 'TempOutput' AND type = 'U'
+)
+BEGIN
+    CREATE TABLE TempOutput (Column1 NVARCHAR(MAX));
+END
+ELSE
+BEGIN
+	delete from TempOutput;
+END
+
+DECLARE @exec_table_cmd NVARCHAR(MAX);
+
+SET @exec_table_cmd = 'INSERT INTO TempOutput (Column1)' + @exec_prop_bkp_cmd + ';';
+EXEC sp_executesql @exec_table_cmd;
+SELECT TOP 1 ISNULL(Column1, 'Success') AS output FROM TempOutput;
+delete from TempOutput;
+
+PRINT "Setting the VKM_mode to 'yes' in Property file"
+
+SET @exec_table_cmd = 'INSERT INTO TempOutput (Column1)' + @exec_exec_uuid_cmd + ';';
+EXEC sp_executesql @exec_table_cmd;
+SELECT TOP 1 ISNULL(Column1, 'Successfully set the VKM_mode as ''yes''') AS output FROM TempOutput;
+delete from TempOutput;
+
+--PRINT @prop_file;
+--PRINT @prop_file_bkp;
+--PRINT @cakm_prop_change;
+
+PRINT "Getting Asymmetric Key from Key Manager"
+
+SET @sql = '
+CREATE ASYMMETRIC KEY ' + QUOTENAME(@keyname) + '
+FROM PROVIDER ' + QUOTENAME(@provider) + '
+WITH 
+PROVIDER_KEY_NAME = ''' + @keyname + ''',
+CREATION_DISPOSITION = OPEN_EXISTING;';
+
+--PRINT @sql;
+EXEC sp_executesql @sql;
+--SELECT name,thumbprint FROM SYS.ASYMMETRIC_KEYS where name = @keyname;
+
+PRINT "Setting login and cred for the key"
+
+SET @login_cmd = '
+CREATE LOGIN ' + QUOTENAME(@login) + '
+FROM ASYMMETRIC KEY ' + QUOTENAME(@keyname)+ ';';
+
+--PRINT @login_cmd;
+EXEC sp_executesql @login_cmd;
+
+SET @cred_cmd = '
+CREATE CREDENTIAL ' + QUOTENAME(@cred) + '
+WITH IDENTITY = ''' + @cm_user + ''' ,
+SECRET = ''' + @cm_passwd + '''
+FOR CRYPTOGRAPHIC PROVIDER ' + QUOTENAME(@provider) + ';';
+
+--PRINT @cred_cmd;
+EXEC sp_executesql @cred_cmd;
+
+SET @alter_login = '
+ALTER LOGIN' + QUOTENAME(@login) + '
+ADD CREDENTIAL' + QUOTENAME(@cred) + ';';
+
+--PRINT @alter_login;
+EXEC sp_executesql @alter_login;
+
+SET @drop_alter_login = '
+ALTER LOGIN' + QUOTENAME(@login) + '
+DROP CREDENTIAL' + QUOTENAME(@cred) + ';';
+
+SET @drop_cred = '
+DROP CREDENTIAL' + QUOTENAME(@cred) + ';';
+
+SET @drop_login = '
+DROP LOGIN' + QUOTENAME(@login) + ';';
+
+
+SET @drop_sql = '
+drop ASYMMETRIC KEY ' + QUOTENAME(@keyname) + ';';
+
+PRINT 'Restoring DB';
+	RESTORE DATABASE @dbname FROM DISK = @backup WITH REPLACE;
+
+IF @@ERROR <> 0
+    BEGIN
+		PRINT 'Restore Failure';
+		PRINT "Dropping Asymmetric Key"
+		--PRINT @drop_sql;
+		EXEC sp_executesql @drop_sql;
+		--SELECT  name,thumbprint FROM SYS.ASYMMETRIC_KEYS where name = @keyname;
+		--EXEC xp_cmdshell 'whoami';
+		--EXEC xp_cmdshell 'C:\EKM\a.exe';
+
+		PRINT "Setting the VKM_mode to 'no' in Property file"
+		--PRINT @exec_exec_fp_cmd;
+		SET @exec_table_cmd = 'INSERT INTO TempOutput (Column1)' + @exec_exec_fp_cmd + ';';
+		EXEC sp_executesql @exec_table_cmd;
+		SELECT TOP 1 ISNULL(Column1, 'Successfully set the VKM_mode as ''no''') AS output FROM TempOutput;
+		delete from TempOutput;
+
+		PRINT "Getting Asymmetric Key from Key Manager"
+		--PRINT @sql;
+		EXEC sp_executesql @sql;
+		--SELECT  name,thumbprint FROM SYS.ASYMMETRIC_KEYS where name = @keyname;
+
+		PRINT 'Restoring DB';		
+		RESTORE DATABASE @dbname FROM DISK = @backup WITH REPLACE;
+		IF @@ERROR <> 0
+    		BEGIN
+				PRINT 'Restore Failure';
+				PRINT "dropping login and cred for the key"
+				--PRINT @drop_alter_login;
+				EXEC sp_executesql @drop_alter_login;
+				--PRINT @drop_cred;
+				EXEC sp_executesql @drop_cred;
+				--PRINT @drop_login;
+				EXEC sp_executesql @drop_login;
+				PRINT "Dropping Asymmetric Key"
+				--PRINT @drop_sql;
+				EXEC sp_executesql @drop_sql;
+		END
+		ELSE
+		BEGIN
+			PRINT 'Restore Successful.';
+		END
+    END
+    ELSE
+    BEGIN
+        PRINT 'Restore Successful.';
+    END
+
+PRINT "Restoring the Backup of Property file";
+--PRINT @exec_prop_cmd;
+
+SET @exec_table_cmd = 'INSERT INTO TempOutput (Column1)' + @exec_prop_cmd + ';';
+EXEC sp_executesql @exec_table_cmd;
+SELECT TOP 1 ISNULL(Column1, 'Success') AS output FROM TempOutput;
+delete from TempOutput;
+
+PRINT "Removing the Backup of Property file";
+--PRINT @exec_rm_prop_bkp_cmd;
+SET @exec_table_cmd = 'INSERT INTO TempOutput (Column1)' + @exec_rm_prop_bkp_cmd + ';';
+EXEC sp_executesql @exec_table_cmd;
+SELECT TOP 1 ISNULL(Column1, 'Removed Successfully') AS output FROM TempOutput;
+drop table TempOutput;
diff --git a/crypto/csharp/CryptoOpAesGcm.cs b/crypto/csharp/CryptoOpAesGcm.cs
@@ -103,7 +103,9 @@ 1. latest version is not required to be picked.
 
                 //The nonce sizes supported by this instance: 12 bytes (96 bits).
                 //which should be a unique value for every operation with the same key.
-                byte[] nonce = { 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x30, 0x31 };
+                byte[] nonce = new byte[12];
+                Random random = new Random();
+                random.NextBytes(nonce);
 
                 try
                 {
@@ -180,4 +182,4 @@ private static NaeAesGcm GetOrGenerateKey(NaeKeyManagement naeKeyManagement, Nae
             return naeAesGcm;
         }
     }
-}
+}