Update macsec CAK keys in profile for tests to change to type7 encoded format (#16388) (#16626)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.

Co-authored-by: judyjoseph <[email protected]>

Author: mssonicbld

dockers/docker-macsec/cli-plugin-tests/config_db.json

@@ -2,7 +2,7 @@
     "MACSEC_PROFILE|macsec_profile": {
             "cipher_suite": "GCM-AES-XPN-256",
             "policy": "security",
-            "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+            "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
             "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
             "priority": "0",
             "rekey_period": "900",

dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py

@@ -8,7 +8,7 @@
 
 
 profile_name = "test"
-primary_cak = "01234567890123456789012345678912"
+primary_cak = "2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541"
 primary_ckn = "01234567890123456789012345678912"
 
 
@@ -48,7 +48,7 @@ def test_macsec_valid_profile(self, mock_cfgdb):
 
         profile_name = "test"
         profile_map = {
-            "primary_cak": "0123456789012345678901234567891201234567890123456789012345678912",
+            "primary_cak": "3946080a0407070303530256560a04504650530352565e731f1a5c4f524f4b5a5e547b79777c6663754b5e465253050d0d0503565a48470b0b030604020c520a54",
             "primary_ckn": "01234567890123456789012345678912",
             "priority": 64,
             "cipher_suite": "GCM-AES-XPN-256",
@@ -109,7 +109,7 @@ def test_macsec_port(self, mock_cfgdb):
         runner = CliRunner()
 
         result = runner.invoke(macsec.macsec, ["profile", "add", "test",
-                "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"],
+                "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"],
                 obj=cfgdb)
         assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
         result = runner.invoke(macsec.macsec, ["port", "add", "Ethernet0", "test"], obj=cfgdb)
@@ -141,8 +141,8 @@ def test_macsec_invalid_operation(self, mock_cfgdb):
         result = runner.invoke(macsec.macsec, ["profile", "del", "test"], obj=cfgdb)
         assert result.exit_code != 0
 
-        result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
+        result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
         assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
         # Repeat add profile
-        result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
+        result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
         assert result.exit_code != 0

dockers/docker-macsec/cli/config/plugins/macsec.py

@@ -137,11 +137,11 @@ def add_profile(profile, priority, cipher_suite, primary_cak, primary_ckn, polic
     profile_table["cipher_suite"] = cipher_suite
 
     if "128" in cipher_suite:
-        if len(primary_cak) != 32:
-            ctx.fail("Expect the length of CAK is 32, but got {}".format(len(primary_cak)))
+        if len(primary_cak) != 66:
+            ctx.fail("Expect the length of CAK is 66, but got {}".format(len(primary_cak)))
     elif "256" in cipher_suite:
-        if len(primary_cak) != 64:
-            ctx.fail("Expect the length of CAK is 64, but got {}".format(len(primary_cak)))
+        if len(primary_cak) != 130:
+            ctx.fail("Expect the length of CAK is 130, but got {}".format(len(primary_cak)))
     if not is_hexstring(primary_cak):
         ctx.fail("Expect the primary_cak is valid hex string")
     if not is_hexstring(primary_ckn):

src/sonic-config-engine/tests/macsec_profile.json

@@ -2,18 +2,18 @@
     "MACSEC_PROFILE":{
         "macsec-profile": {
             "cipher_suite": "GCM-AES-XPN-256",
-            "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+            "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
             "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
-            "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+            "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
             "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
             "priority": "0",
             "rekey_period": "60"
         },
         "macsec-profile2": {
             "cipher_suite": "GCM-AES-XPN-256",
-            "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+            "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
             "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
-            "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+            "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
             "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
             "priority": "0",
             "rekey_period": "60"

src/sonic-yang-models/tests/files/sample_config_db.json

@@ -2258,9 +2258,9 @@
             "test": {
                 "priority": "64",
                 "cipher_suite": "GCM-AES-128",
-                "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+                "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
                 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
-                "fallback_cak": "00000000000000000000000000000000",
+                "fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
                 "fallback_ckn": "11111111111111111111111111111111",
                 "policy": "security",
                 "enable_replay_protect": "true",

src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json

@@ -7,9 +7,9 @@
                         "name": "test32",
                         "priority": 64,
                         "cipher_suite": "GCM-AES-128",
-                        "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+                        "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
                         "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
-                        "fallback_cak": "00000000000000000000000000000000",
+                        "fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
                         "fallback_ckn": "11111111111111111111111111111111",
                         "policy": "security",
                         "enable_replay_protect": "true",
@@ -21,9 +21,9 @@
                         "name": "test64",
                         "priority": 64,
                         "cipher_suite": "GCM-AES-XPN-256",
-                        "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+                        "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
                         "primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
-                        "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+                        "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
                         "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
                         "policy": "security",
                         "enable_replay_protect": "true",
@@ -61,7 +61,7 @@
                     {
                         "name": "test",
                         "cipher_suite": "gcm-aes-128",
-                        "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+                        "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
                         "primary_ckn": "6162636465666768696A6B6C6D6E6F70"
                     }
                 ]
@@ -74,9 +74,9 @@
                 "MACSEC_PROFILE_LIST": [
                     {
                         "name": "test",
-                        "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+                        "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
                         "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
-                        "fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
+                        "fallback_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
                         "fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
                     }
                 ]
@@ -89,7 +89,7 @@
                 "MACSEC_PROFILE_LIST": [
                     {
                         "name": "test",
-                        "primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
+                        "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d7",
                         "primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
                     }
                 ]
@@ -115,9 +115,9 @@
                 "MACSEC_PROFILE_LIST": [
                     {
                         "name": "test",
-                        "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+                        "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
                         "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
-                        "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+                        "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
                         "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
                     }
                 ]
@@ -130,7 +130,7 @@
                 "MACSEC_PROFILE_LIST": [
                     {
                         "name": "test",
-                        "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+                        "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
                         "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
                         "replay_window": 64
                     }

src/sonic-yang-models/yang-models/sonic-macsec.yang

@@ -46,7 +46,7 @@ module sonic-macsec {
 
                 leaf primary_cak {
                     type string {
-                        pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+                        pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
                     }
                     mandatory true;
                 }
@@ -60,7 +60,7 @@ module sonic-macsec {
 
                 leaf fallback_cak {
                     type string {
-                        pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+                        pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
                     }
                 }
 
@@ -70,10 +70,6 @@ module sonic-macsec {
                     }
                 }
 
-                must "string-length(primary_cak) = string-length(primary_ckn)";
-
-                must "string-length(fallback_cak) = string-length(fallback_ckn)";
-
                 must "string-length(fallback_cak) = string-length(primary_cak)";
 
                 must "primary_ckn != fallback_ckn";