From ac2b6a4104cb2dd383f5c43e04d491ff5bfcb11d Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Feb 07 2018 19:10:58 +0000 Subject: py3 dnssec: convert hexlify to str hexlify returns bytes and needs to be casted to string before printing it out. Related: https://pagure.io/freeipa/issue/4985 Signed-off-by: Tomas Krizek Reviewed-By: Stanislav Laznicka --- diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica index 5a64b84..ee641ae 100755 --- a/daemons/dnssec/ipa-dnskeysync-replica +++ b/daemons/dnssec/ipa-dnskeysync-replica @@ -8,7 +8,6 @@ Download keys from LDAP to local HSM. This program should be run only on replicas, not on DNSSEC masters. """ -from binascii import hexlify from gssapi.exceptions import GSSError import logging import os @@ -24,7 +23,7 @@ from ipaplatform.paths import paths from ipaserver.dnssec.abshsm import (sync_pkcs11_metadata, ldap2p11helper_api_params, wrappingmech_name2id) -from ipaserver.dnssec.ldapkeydb import LdapKeyDB +from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify from ipaserver.dnssec.localhsm import LocalHSM logger = logging.getLogger(os.path.basename(__file__)) @@ -36,7 +35,7 @@ WORKDIR = '/tmp' def hex_set(s): out = set() for i in s: - out.add("0x%s" % hexlify(i)) + out.add("0x%s" % str_hexlify(i)) return out def update_metadata_set(source_set, target_set): @@ -72,7 +71,9 @@ def ldap2replica_master_keys_sync(ldapkeydb, localhsm): hex_set(new_keys)) for mkey_id in new_keys: mkey_ldap = ldapkeydb.master_keys[mkey_id] - assert mkey_ldap.wrapped_entries, "Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute" % hexlify(mkey_id) + assert mkey_ldap.wrapped_entries, ("Master key 0x%s in LDAP is " \ + "missing key material referenced by ipaSecretKeyRefObject " \ + "attribute") % str_hexlify(mkey_id) for wrapped_ldap in mkey_ldap.wrapped_entries: unwrapping_key = find_unwrapping_key( localhsm, wrapped_ldap.single_value['ipaWrappingKey']) 
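Review bot: The backslashes inside the parenthesised message of the rewritten `assert mkey_ldap.wrapped_entries, (...)` are redundant — the open parenthesis already continues the expression and adjacent literals concatenate on their own — so the three lines can read `assert mkey_ldap.wrapped_entries, ("Master key 0x%s in LDAP is " "missing key material referenced by ipaSecretKeyRefObject " "attribute") % str_hexlify(mkey_id)`. More importantly, this check validates an entry read from LDAP and `assert` is stripped under `python -O`, so a master key with no wrapped material would then fall through to the `for wrapped_ldap in mkey_ldap.wrapped_entries` loop unreported; raising `ValueError` with the same message keeps the validation unconditional. `ldap2replica_master_keys_sync` begins before this hunk.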
@@ -80,14 +81,16 @@ def ldap2replica_master_keys_sync(ldapkeydb, localhsm): break # TODO: Could it happen in normal cases? - assert unwrapping_key is not None, "Local HSM does not contain suitable unwrapping key for master key 0x%s" % hexlify(mkey_id) + assert unwrapping_key is not None, ("Local HSM does not contain " \ + "suitable unwrapping key for master key 0x%s") % \ + str_hexlify(mkey_id) params = ldap2p11helper_api_params(mkey_ldap) params['data'] = wrapped_ldap.single_value['ipaSecretKey'] params['unwrapping_key'] = unwrapping_key.handle params['wrapping_mech'] = wrappingmech_name2id[wrapped_ldap.single_value['ipaWrappingMech']] logger.debug('Importing new master key: 0x%s %s', - hexlify(mkey_id), params) + str_hexlify(mkey_id), params) localhsm.p11.import_wrapped_secret_key(**params) # synchronize metadata about master keys in LDAP @@ -108,14 +111,14 @@ def ldap2replica_zone_keys_sync(ldapkeydb, localhsm): for zkey_id in new_keys: zkey_ldap = ldapkeydb.zone_keypairs[zkey_id] logger.debug('Looking for unwrapping key "%s" for zone key 0x%s', - zkey_ldap['ipaWrappingKey'], hexlify(zkey_id)) + zkey_ldap['ipaWrappingKey'], str_hexlify(zkey_id)) unwrapping_key = find_unwrapping_key( localhsm, zkey_ldap['ipaWrappingKey']) assert unwrapping_key is not None, \ "Local HSM does not contain suitable unwrapping key for ' \ - 'zone key 0x%s" % hexlify(zkey_id) + 'zone key 0x%s" % str_hexlify(zkey_id) - logger.debug('Importing zone key pair 0x%s', hexlify(zkey_id)) + logger.debug('Importing zone key pair 0x%s', str_hexlify(zkey_id)) localhsm.import_private_key(zkey_ldap, zkey_ldap['ipaPrivateKey'], unwrapping_key) localhsm.import_public_key(zkey_ldap, zkey_ldap['ipaPublicKey']) diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter index 261a2ae..748bce4 100755 --- a/daemons/dnssec/ipa-ods-exporter +++ b/daemons/dnssec/ipa-ods-exporter 
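Review bot: `logger.debug('Importing new master key: 0x%s %s', str_hexlify(mkey_id), params)` writes the entire `params` dict to the log, and the lines just above store `wrapped_ldap.single_value['ipaSecretKey']` — the wrapped master-key blob — in `params['data']` together with the unwrapping-key handle. The blob is wrapped under the replica key, so what reaches the log is ciphertext rather than a bare secret, but key material in any form is usually kept out of debug logs that get collected or shipped; logging the identifying fields is enough: `logger.debug('Importing new master key: 0x%s mech=%s', str_hexlify(mkey_id), wrapped_ldap.single_value['ipaWrappingMech'])`. On py3 the bytes inside `params` would also print as `b'...'` reprs, which is exactly the output this commit is otherwise cleaning up. `ldap2replica_master_keys_sync` begins before this hunk.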
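Review bot: The message under `assert unwrapping_key is not None, \` is, as rendered here, one double-quoted literal: it opens with `"Local HSM does not contain suitable unwrapping key for '` and the trailing backslash escapes the newline inside the string, so the closing `"` is the one after `0x%s` on the changed line and the emitted text contains a stray `'`, the next line's indentation and a second `'` ahead of `zone key`. Since the line is being touched anyway, make the two pieces proper adjacent literals: `"Local HSM does not contain suitable unwrapping key for " \` followed by `"zone key 0x%s" % str_hexlify(zkey_id)`. The master-key counterpart earlier in this file uses the parenthesised form, which would be the more readable choice here as well. `ldap2replica_zone_keys_sync` begins before this hunk.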
@@ -16,7 +16,6 @@ Purpose of this replacement is to upload keys generated by OpenDNSSEC to LDAP. """ from __future__ import print_function -from binascii import hexlify from datetime import datetime import dateutil.tz import dns.dnssec @@ -38,7 +37,7 @@ from ipapython.dn import DN from ipapython import ipaldap from ipaplatform.paths import paths from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id -from ipaserver.dnssec.ldapkeydb import LdapKeyDB +from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify from ipaserver.dnssec.localhsm import LocalHSM logger = logging.getLogger(os.path.basename(__file__)) @@ -299,8 +298,8 @@ def ldap2master_replica_keys_sync(ldapkeydb, localhsm): new_key_ldap = ldapkeydb.replica_pubkeys_wrap[key_id] logger.debug('label=%s, id=%s, data=%s', new_key_ldap['ipk11label'], - hexlify(new_key_ldap['ipk11id']), - hexlify(new_key_ldap['ipapublickey'])) + str_hexlify(new_key_ldap['ipk11id']), + str_hexlify(new_key_ldap['ipapublickey'])) localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey']) # set CKA_WRAP = FALSE for all replica keys removed from LDAP @@ -339,7 +338,7 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm): # synchronize master key metadata to LDAP for mkey_id, mkey_local in localhsm.master_keys.items(): logger.debug('synchronizing master key metadata: 0x%s', - hexlify(mkey_id)) + str_hexlify(mkey_id)) sync_pkcs11_metadata('master2ldap_master', mkey_local, ldapkeydb.master_keys[mkey_id]) # re-wrap all master keys in LDAP with new replica keys (as necessary) @@ -349,7 +348,7 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm): for mkey_id, mkey_ldap in ldapkeydb.master_keys.items(): logger.debug('processing master key data: 0x%s', - hexlify(mkey_id)) + str_hexlify(mkey_id)) # check that all active replicas have own copy of master key used_replica_keys = set() 
@@ -367,13 +366,13 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm): new_replica_keys = enabled_replica_key_ids - used_replica_keys logger.debug('master key 0x%s is not wrapped with replica keys %s', - hexlify(mkey_id), hex_set(new_replica_keys)) + str_hexlify(mkey_id), hex_set(new_replica_keys)) # wrap master key with new replica keys mkey_local = localhsm.find_keys(id=mkey_id).popitem()[1] for replica_key_id in new_replica_keys: logger.info('adding master key 0x%s wrapped with replica key 0x%s', - hexlify(mkey_id), hexlify(replica_key_id)) + str_hexlify(mkey_id), str_hexlify(replica_key_id)) replica_key = localhsm.replica_pubkeys_wrap[replica_key_id] keydata = localhsm.p11.export_wrapped_key(mkey_local.handle, replica_key.handle, @@ -446,7 +445,7 @@ def master2ldap_zone_keys_purge(ldapkeydb, localhsm): def hex_set(s): out = set() for i in s: - out.add("0x%s" % hexlify(i)) + out.add("0x%s" % str_hexlify(i)) return out diff --git a/ipaserver/dnssec/ldapkeydb.py b/ipaserver/dnssec/ldapkeydb.py index 30c21ab..99e8a40 100644 --- a/ipaserver/dnssec/ldapkeydb.py +++ b/ipaserver/dnssec/ldapkeydb.py @@ -29,7 +29,7 @@ logger = logging.getLogger(__name__) def uri_escape(val): """convert val to %-notation suitable for ID component in URI""" assert len(val) > 0, "zero-length URI component detected" - hexval = hexlify(val) + hexval = str_hexlify(val) out = '%' # pylint: disable=E1127 out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) @@ -112,6 +112,13 @@ def get_default_attrs(object_classes): return result +def str_hexlify(data): + out = hexlify(data) + if isinstance(out, bytes): + out = out.decode('utf-8') + return out + + class Key(collections.MutableMapping): """abstraction to hide LDAP entry weirdnesses: - non-normalized attribute names 
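Review bot: `hex_set` is now defined identically in both daemons (here and in ipa-dnskeysync-replica) and each copy only wraps `str_hexlify`; one definition next to `str_hexlify` in a shared module would stop the two from drifting. Either way the loop is a set comprehension: `return {"0x%s" % str_hexlify(i) for i in s}`.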
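Review bot: `str_hexlify` has no docstring and decodes with `'utf-8'`, although `hexlify` output is always ASCII hex digits; `'ascii'` states that invariant and makes anything else fail loudly rather than pass through. A one-line docstring such as `"""Return the hex encoding of *data* as text (hexlify yields bytes on py3)."""` would also record why the helper exists. Note that `isinstance(out, bytes)` is true for a py2 `str` as well, so the function returns a text type on both interpreters rather than passing py2 `str` through untouched — harmless for the `%s` callers, but worth a sentence in the docstring so nobody relies on the apparent passthrough.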
@@ -197,7 +204,7 @@ class Key(collections.MutableMapping): "Key._delete_key() called before Key.schedule_deletion()") assert self._delentry, "Key._delete_key() called more than once" logger.debug('deleting key id 0x%s DN %s from LDAP', - hexlify(self._delentry.single_value['ipk11id']), + str_hexlify(self._delentry.single_value['ipk11id']), self._delentry.dn) self.ldap.delete_entry(self._delentry) self._delentry = None @@ -260,8 +267,8 @@ class MasterKey(Key): logger.info('adding master key 0x%s wrapped with replica key 0x%s to ' '%s', - hexlify(self['ipk11id']), - hexlify(replica_key_id), + str_hexlify(self['ipk11id']), + str_hexlify(replica_key_id), entry_dn) self.ldap.add_entry(entry) if 'ipaSecretKeyRef' not in self.entry: @@ -294,7 +301,9 @@ class LdapKeyDB(AbstractHSM): assert 'ipk11id' in key, 'key is missing ipk11Id in %s' % key.entry.dn key_id = key['ipk11id'] - assert key_id not in keys, 'duplicate ipk11Id=0x%s in "%s" and "%s"' % (hexlify(key_id), key.entry.dn, keys[key_id].entry.dn) + assert key_id not in keys, \ + 'duplicate ipk11Id=0x%s in "%s" and "%s"' % \ + (str_hexlify(key_id), key.entry.dn, keys[key_id].entry.dn) assert 'ipk11label' in key, 'key "%s" is missing ipk11Label' % key.entry.dn assert 'objectclass' in key.entry, 'key "%s" is missing objectClass attribute' % key.entry.dn @@ -365,7 +374,8 @@ class LdapKeyDB(AbstractHSM): new_key.entry['ipaPublicKey'] = pubkey_data self.ldap.add_entry(new_key.entry) - logger.debug('imported zone key id: 0x%s', hexlify(new_key['ipk11id'])) + logger.debug('imported zone key id: 0x%s', + str_hexlify(new_key['ipk11id'])) @property def replica_pubkeys_wrap(self): @@ -392,7 +402,7 @@ class LdapKeyDB(AbstractHSM): 'secret key dn="%s" ipk11id=0x%s ipk11label="%s" with ipk11UnWrap = TRUE does not have '\ '"%s" key label' % ( key.entry.dn, - hexlify(key['ipk11id']), + str_hexlify(key['ipk11id']), str(key['ipk11label']), prefix) 
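Review bot: The duplicate-`ipk11Id` check reworked here is still an `assert`, as are the `ipk11Id`, `ipk11Label` and `objectClass` checks around it; all of them validate entries read from LDAP, and `assert` statements are dropped under `python -O`, at which point a duplicate id or a key without a label would pass silently into whatever this method builds from `keys`. Raising an explicit exception keeps the validation unconditional, e.g. `if key_id in keys: raise ValueError('duplicate ipk11Id=0x%s in "%s" and "%s"' % (str_hexlify(key_id), key.entry.dn, keys[key_id].entry.dn))`. The enclosing LdapKeyDB method starts before this hunk.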
@@ -437,19 +447,19 @@ if __name__ == '__main__': print('replica public keys: CKA_WRAP = TRUE') print('====================================') for pubkey_id, pubkey in ldapkeydb.replica_pubkeys_wrap.items(): - print(hexlify(pubkey_id)) + print(str_hexlify(pubkey_id)) pprint(pubkey) print('') print('master keys') print('===========') for mkey_id, mkey in ldapkeydb.master_keys.items(): - print(hexlify(mkey_id)) + print(str_hexlify(mkey_id)) pprint(mkey) print('') print('zone key pairs') print('==============') for key_id, key in ldapkeydb.zone_keypairs.items(): - print(hexlify(key_id)) + print(str_hexlify(key_id)) pprint(key) diff --git a/ipaserver/dnssec/localhsm.py b/ipaserver/dnssec/localhsm.py index ab5b965..67a4ed2 100755 --- a/ipaserver/dnssec/localhsm.py +++ b/ipaserver/dnssec/localhsm.py @@ -5,7 +5,6 @@ from __future__ import print_function -from binascii import hexlify import collections import os from pprint import pprint @@ -16,6 +15,8 @@ from ipaserver import p11helper as _ipap11helper from ipaserver.dnssec.abshsm import (attrs_name2id, attrs_id2name, AbstractHSM, keytype_id2name, keytype_name2id, ldap2p11helper_api_params) +from ipaserver.dnssec.ldapkeydb import str_hexlify + private_key_api_params = set(["label", "id", "data", "unwrapping_key", @@ -45,7 +46,7 @@ class Key(collections.MutableMapping): except _ipap11helper.NotFound: raise _ipap11helper.NotFound('key without ipk11label: id 0x%s' - % hexlify(cka_id)) + % str_hexlify(cka_id)) def __getitem__(self, key): key = key.lower() @@ -114,7 +115,7 @@ class LocalHSM(AbstractHSM): key = Key(self.p11, h) o_id = key['ipk11id'] assert o_id not in keys, 'duplicate ipk11Id = 0x%s; keys = %s' % ( - hexlify(o_id), keys) + str_hexlify(o_id), keys) keys[o_id] = key return keys 
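Review bot: `from ipaserver.dnssec.ldapkeydb import str_hexlify` makes localhsm depend on ldapkeydb for a helper that has nothing to do with LDAP; both modules already import from `ipaserver.dnssec.abshsm`, so that is the natural home for `str_hexlify`, with the daemons importing it from there as well. Whether the new import creates a cycle cannot be seen from here — it would only if ldapkeydb or abshsm imports localhsm — but keeping the dependency pointing from the concrete backends toward abshsm avoids the question entirely.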
@@ -139,7 +140,7 @@ class LocalHSM(AbstractHSM): prefix = 'dnssec-master' assert key['ipk11label'] == prefix, \ 'secret key ipk11id=0x%s ipk11label="%s" with ipk11UnWrap = TRUE does not have '\ - '"%s" key label' % (hexlify(key['ipk11id']), + '"%s" key label' % (str_hexlify(key['ipk11id']), str(key['ipk11label']), prefix) return keys @@ -195,33 +196,33 @@ if __name__ == '__main__': print('replica public keys: CKA_WRAP = TRUE') print('====================================') for pubkey_id, pubkey in localhsm.replica_pubkeys_wrap.items(): - print(hexlify(pubkey_id)) + print(str_hexlify(pubkey_id)) pprint(pubkey) print('') print('replica public keys: all') print('========================') for pubkey_id, pubkey in localhsm.replica_pubkeys.items(): - print(hexlify(pubkey_id)) + print(str_hexlify(pubkey_id)) pprint(pubkey) print('') print('master keys') print('===========') for mkey_id, mkey in localhsm.master_keys.items(): - print(hexlify(mkey_id)) + print(str_hexlify(mkey_id)) pprint(mkey) print('') print('zone public keys') print('================') for key_id, key in localhsm.zone_pubkeys.items(): - print(hexlify(key_id)) + print(str_hexlify(key_id)) pprint(key) print('') print('zone private keys') print('=================') for key_id, key in localhsm.zone_privkeys.items(): - print(hexlify(key_id)) + print(str_hexlify(key_id)) pprint(key)