Update macsec CAK keys in profile for tests to change to type7 encode…
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

These are the changes needed in the various macsec unit tests and the config plugin when we move to accepting the type 7 encoded key format for macsec. This goes along with PR sonic-net/sonic-swss#2892, raised earlier.
judyjoseph authored and mssonicbld committed Sep 8, 2023
1 parent 3310592 commit 527a412
Showing 7 changed files with 29 additions and 33 deletions.
2 changes: 1 addition & 1 deletion dockers/docker-macsec/cli-plugin-tests/config_db.json
Expand Up @@ -2,7 +2,7 @@
"MACSEC_PROFILE|macsec_profile": {
"cipher_suite": "GCM-AES-XPN-256",
"policy": "security",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
"primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
"priority": "0",
"rekey_period": "900",
10 changes: 5 additions & 5 deletions dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
Expand Up @@ -8,7 +8,7 @@


profile_name = "test"
primary_cak = "01234567890123456789012345678912"
primary_cak = "2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541"
primary_ckn = "01234567890123456789012345678912"


Expand Down Expand Up @@ -48,7 +48,7 @@ def test_macsec_valid_profile(self, mock_cfgdb):

profile_name = "test"
profile_map = {
"primary_cak": "0123456789012345678901234567891201234567890123456789012345678912",
"primary_cak": "3946080a0407070303530256560a04504650530352565e731f1a5c4f524f4b5a5e547b79777c6663754b5e465253050d0d0503565a48470b0b030604020c520a54",
"primary_ckn": "01234567890123456789012345678912",
"priority": 64,
"cipher_suite": "GCM-AES-XPN-256",
Expand Down Expand Up @@ -109,7 +109,7 @@ def test_macsec_port(self, mock_cfgdb):
runner = CliRunner()

result = runner.invoke(macsec.macsec, ["profile", "add", "test",
"--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"],
"--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"],
obj=cfgdb)
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
result = runner.invoke(macsec.macsec, ["port", "add", "Ethernet0", "test"], obj=cfgdb)
Expand Down Expand Up @@ -141,8 +141,8 @@ def test_macsec_invalid_operation(self, mock_cfgdb):
result = runner.invoke(macsec.macsec, ["profile", "del", "test"], obj=cfgdb)
assert result.exit_code != 0

result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
# Repeat add profile
result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
assert result.exit_code != 0
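Review bot: None of the updated cases exercises the rejection path this commit changes: every `profile add` call was switched to a 66- or 130-character value, so within the visible hunks nothing asserts that a raw 32-character CAK is now refused. A case placed before the first valid add in test_macsec_invalid_operation, such as `result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=" + "0" * 32, "--primary_ckn=" + primary_ckn], obj=cfgdb)` followed by `assert result.exit_code != 0`, would pin the new length check. The encoded literal is also repeated inline in three calls although the module already defines `primary_cak`; reusing that variable keeps the fixtures in step. The test functions start and end outside the hunks.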
8 changes: 4 additions & 4 deletions dockers/docker-macsec/cli/config/plugins/macsec.py
Expand Up @@ -137,11 +137,11 @@ def add_profile(profile, priority, cipher_suite, primary_cak, primary_ckn, polic
profile_table["cipher_suite"] = cipher_suite

if "128" in cipher_suite:
if len(primary_cak) != 32:
ctx.fail("Expect the length of CAK is 32, but got {}".format(len(primary_cak)))
if len(primary_cak) != 66:
ctx.fail("Expect the length of CAK is 66, but got {}".format(len(primary_cak)))
elif "256" in cipher_suite:
if len(primary_cak) != 64:
ctx.fail("Expect the length of CAK is 64, but got {}".format(len(primary_cak)))
if len(primary_cak) != 130:
ctx.fail("Expect the length of CAK is 130, but got {}".format(len(primary_cak)))
if not is_hexstring(primary_cak):
ctx.fail("Expect the primary_cak is valid hex string")
if not is_hexstring(primary_ckn):
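Review bot: The new checks `len(primary_cak) != 66` and `!= 130` together with `is_hexstring` accept any hex string of the right length, so a value that is not a well-formed type 7 encoding passes here and would presumably fail only later, wherever the key is decoded. The messages also do not say that the encoded form is now expected, so an operator who pastes a raw 32- or 64-digit CAK sees only a length mismatch; `ctx.fail("Expect a type 7 encoded CAK of length 66, but got {}".format(len(primary_cak)))` (and likewise for 130) would make that clear. A comment above the branch such as `# type 7 encoded CAK: 66 chars for a 128-bit key, 130 for a 256-bit key` would record where the constants come from. Type 7 is an encoding rather than encryption, so the stored value should still be treated as a secret in logs and config dumps. add_profile starts and ends outside the hunk.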
8 changes: 4 additions & 4 deletions src/sonic-config-engine/tests/macsec_profile.json
Expand Up @@ -2,18 +2,18 @@
"MACSEC_PROFILE":{
"macsec-profile": {
"cipher_suite": "GCM-AES-XPN-256",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
"primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
"priority": "0",
"rekey_period": "60"
},
"macsec-profile2": {
"cipher_suite": "GCM-AES-XPN-256",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
"primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
"priority": "0",
"rekey_period": "60"
4 changes: 2 additions & 2 deletions src/sonic-yang-models/tests/files/sample_config_db.json
Expand Up @@ -2030,9 +2030,9 @@
"test": {
"priority": "64",
"cipher_suite": "GCM-AES-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "00000000000000000000000000000000",
"fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "11111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
Expand Up @@ -7,9 +7,9 @@
"name": "test32",
"priority": 64,
"cipher_suite": "GCM-AES-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "00000000000000000000000000000000",
"fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "11111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
Expand All @@ -21,9 +21,9 @@
"name": "test64",
"priority": 64,
"cipher_suite": "GCM-AES-XPN-256",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
"primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
"policy": "security",
"enable_replay_protect": "true",
Expand Down Expand Up @@ -61,7 +61,7 @@
{
"name": "test",
"cipher_suite": "gcm-aes-128",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70"
}
]
Expand All @@ -74,9 +74,9 @@
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
"fallback_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
}
]
Expand All @@ -89,7 +89,7 @@
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d7",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
}
]
Expand All @@ -115,9 +115,9 @@
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
"fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
}
]
Expand All @@ -130,7 +130,7 @@
"MACSEC_PROFILE_LIST": [
{
"name": "test",
"primary_cak": "0123456789ABCDEF0123456789ABCDEF",
"primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
"primary_ckn": "6162636465666768696A6B6C6D6E6F70",
"replay_window": 64
}
Expand Down
8 changes: 2 additions & 6 deletions src/sonic-yang-models/yang-models/sonic-macsec.yang
Expand Up @@ -46,7 +46,7 @@ module sonic-macsec {

leaf primary_cak {
type string {
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
}
mandatory true;
}
Expand All @@ -60,7 +60,7 @@ module sonic-macsec {

leaf fallback_cak {
type string {
pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
}
}

Expand All @@ -70,10 +70,6 @@ module sonic-macsec {
}
}

must "string-length(primary_cak) = string-length(primary_ckn)";

must "string-length(fallback_cak) = string-length(fallback_ckn)";

must "string-length(fallback_cak) = string-length(primary_cak)";

must "primary_ckn != fallback_ckn";
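Review bot: The `primary_cak` and `fallback_cak` patterns now admit only 66 or 130 hex characters, but the leaves carry no `description`, so a reader of the schema cannot tell that the value is the type 7 encoded form rather than the raw key. Adding `description "Type 7 encoded CAK: 66 characters for a 128-bit key, 130 for a 256-bit key.";` to both leaves would record that. No constraint in the visible hunks ties the CAK length to `cipher_suite` the way the CLI plugin does, so a 66-character CAK paired with a 256-bit suite may pass YANG validation and fail only later; if no such `must` exists outside the hunks, one is worth adding. The module body continues outside the hunks.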
