thalesgroup.ciphertrust.vault_keys2_op (1.0.0) — module

Perform operations on keys

Added in version 1.0.0 of thalesgroup.ciphertrust

Authors: Anurag Jain, Developer Advocate Thales Group

Install collection

Install with ansible-galaxy collection install thalesgroup.ciphertrust:==1.0.0


Add to requirements.yml

  collections:
    - name: thalesgroup.ciphertrust
      version: 1.0.0

Description

This is a Thales CipherTrust Manager module for working with the CipherTrust Manager APIs, specifically the key operations API (destroy, archive, recover, revoke, reactivate, export and clone of an existing key)

Usage examples

- name: "Revoke Key"
  thalesgroup.ciphertrust.vault_keys2_op:
    localNode:
      server_ip: "IP/FQDN of CipherTrust Manager"
      server_private_ip: "Private IP in case that is different from above"
      server_port: 5432
      user: "CipherTrust Manager Username"
      password: "CipherTrust Manager Password"
      verify: false
    op_type: revoke
    cm_key_id: "CM ID of the key"
    reason: KeyCompromise
    message: "Reason for the revocation"
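A fuller playbook for the non-export operations, added here as an example; it is not part of the collection's own documentation. It clones a key by name at a pinned version, revokes the original as Superseded, records a compromise date on a second key, and only destroys behind an explicit guard variable. It assumes the connection values come from Ansible Vault-encrypted variables (cm_host, cm_user, cm_password), that the controller trusts the CM certificate chain so verify can stay true, that key versions start at 0, and that compromiseOccurrenceDate accepts an RFC 3339 timestamp; key names, ticket references and the compromised_key_id variable are placeholders.

```yaml
---
# Added example, not from the thalesgroup.ciphertrust collection docs.
# Assumed vaulted variables: cm_host, cm_user, cm_password.
- name: Rotate an AES key in CipherTrust Manager via vault_keys2_op
  hosts: localhost
  gather_facts: false
  vars:
    # Connection block shared by every task. verify stays true so the CM
    # credentials are never sent to an unverified endpoint.
    cm_node:
      server_ip: "{{ cm_host }}"
      server_private_ip: "{{ cm_host }}"   # assumed identical to server_ip
      server_port: 5432
      user: "{{ cm_user }}"
      password: "{{ cm_password }}"
      verify: true
    old_key_name: "app-db-aes"      # placeholder key name
    new_key_name: "app-db-aes-v2"   # placeholder clone name
    confirm_destroy: false          # flip deliberately; destroy is irreversible

  tasks:
    - name: Clone version 0 of the key under a new name, without returning material
      thalesgroup.ciphertrust.vault_keys2_op:
        localNode: "{{ cm_node }}"
        op_type: clone
        cm_key_id: "{{ old_key_name }}"
        id_type: name             # cm_key_id is a name, so key_version is honoured
        key_version: 0            # omit to clone the latest version
        newKeyName: "{{ new_key_name }}"
        includeMaterial: false    # keep the material inside CM
        meta:
          rotated_from: "{{ old_key_name }}"
          ticket: "CHG-0000"      # placeholder change reference
      register: clone_result
      no_log: true

    - name: Revoke the superseded key
      thalesgroup.ciphertrust.vault_keys2_op:
        localNode: "{{ cm_node }}"
        op_type: revoke
        cm_key_id: "{{ old_key_name }}"
        id_type: name
        reason: Superseded
        message: "Replaced by {{ new_key_name }}"
      no_log: true

    - name: Revoke a key known to be compromised, recording when it happened
      thalesgroup.ciphertrust.vault_keys2_op:
        localNode: "{{ cm_node }}"
        op_type: revoke
        cm_key_id: "{{ compromised_key_id }}"   # CM ID supplied by the caller
        reason: KeyCompromise
        compromiseOccurrenceDate: "2024-01-15T08:30:00Z"   # constructed value
        message: "See incident IR-0000"       # placeholder reference
      when: compromised_key_id is defined
      no_log: true

    - name: Destroy the old key only when explicitly confirmed
      thalesgroup.ciphertrust.vault_keys2_op:
        localNode: "{{ cm_node }}"
        op_type: destroy
        cm_key_id: "{{ old_key_name }}"
        id_type: name
      when: confirm_destroy | bool
      no_log: true
```

Run it as `ansible-playbook rotate.yml --ask-vault-pass -e confirm_destroy=true` once the clone has been verified; without the extra variable the destroy task is skipped. `no_log: true` keeps the registered results, which can carry key metadata, out of the job output.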

Inputs

meta:
    default: null
    description:
    - Optional end-user or service data stored with the key
    - Only applicable for op_type "clone"
    required: false
    type: dict

idSize:
    default: null
    description:
    - Size of the ID for the key
    - Only applicable for op_type "clone"
    required: false
    type: int

padded:
    default: false
    description:
    - This parameter determines the padding for the wrap algorithm while exporting a symmetric
      key
    - If true, the RFC 5649(AES Key Wrap with Padding) is followed and if false, RFC 3394(AES
      Key Wrap) is followed for wrapping the material for the symmetric key.
    - If a certificate is being exported with the "wrappingMethod" set to "encrypt", the
      "padded" parameter must be set to true.
    - This parameter defaults to false.
    - Only applicable for op_type "export"
    required: false
    type: bool

reason:
    default: null
    description:
    - For op_type "revoke", the reason the key is being revoked. Choices are Unspecified, KeyCompromise,
      CACompromise, AffiliationChanged, Superseded, CessationOfOperation or PrivilegeWithdrawn
    - For op_type "reactivate", the reason the key is being reactivated. Choices are DeactivatedToActive,
      ActiveProtectStopToActive or DeactivatedToActiveProtectStop
    - Required if op_type is either revoke or reactivate
    type: str

id_type:
    choices:
    - name
    - id
    - uri
    - alias
    description:
    - Query Parameter
    - Type of identifier for the key
    required: false
    type: str

message:
    default: null
    description:
    - Free-text message explaining the revocation (op_type "revoke") or reactivation (op_type "reactivate").
    required: false
    type: str

op_type:
    choices:
    - destroy
    - archive
    - recover
    - revoke
    - reactivate
    - export
    - clone
    description: Operation to be performed
    required: true
    type: str

pemWrap:
    default: false
    description:
    - If the parameter is set to true, it wraps the PEM encoding of the private key (asymmetric)
      otherwise, the DER encoding of the key is wrapped.
    - Only valid when private keys (asymmetric) and certificates are to be wrapped for
      "mac/sign" and "encrypt" values for "wrappingMethod" parameter.
    - This parameter defaults to false.
    - Only applicable for op_type "export"
    required: false
    type: bool

wrapJWE:
    default: null
    description:
    - Information which is used to wrap a Key using JWE. (JWT ID (JTI) provides a unique
      identifier for the JWT. JTI will be automatically included in JWE if it is available
      in JWT identity token.)
    - Only applicable for op_type "export"
    required: false
    suboptions:
      contentEncryptionAlgorithm:
        choices:
        - AES_128_CBC_HMAC_SHA_256
        - AES_192_CBC_HMAC_SHA_384
        - AES_256_CBC_HMAC_SHA_512
        - AES_128_GCM
        - AES_192_GCM
        - AES_256_GCM
        default: AES_256_GCM
        description: Content Encryption Algorithm is the symmetric algorithm used to
          encrypt the data; default is AES_256_GCM.
        required: false
        type: str
      jwtIdentifier:
        default: null
        description: JWT identifier (JTI) is unique identifier for the JWT used by SFDC
          for cache key replay detection.
        required: false
        type: str
      keyEncryptionAlgorithm:
        choices:
        - RSA1_5
        - RSA_OAEP_SHA1
        - RSA_OAEP_SHA256
        - ECDH_ES
        - ECDH_ES_AES_128_KEY_WRAP
        - ECDH_ES_AES_192_KEY_WRAP
        - ECDH_ES_AES_256_KEY_WRAP
        default: RSA_OAEP_SHA1
        description: Key Encryption Algorithm used to encrypt the Content Encryption
          Key (CEK); default is RSA_OAEP_SHA1. The algorithm must match the type of
          public key provided for wrapping (RSA_* for RSA keys, ECDH_ES* for EC keys).
          RSA1_5 is PKCS#1 v1.5 padding and is exposed to padding-oracle attacks;
          prefer RSA_OAEP_SHA256 or an ECDH_ES variant unless the consumer requires RSA1_5.
        required: false
        type: str
      keyIdentifier:
        default: null
        description: Key identifier to be used as "kid" parameter in JWE material and
          JWE header. Defaults to key id.
        required: false
        type: str
    type: dict

wrapPBE:
    default: null
    description:
    - WrapPBE produces a derived key from a password and other parameters like salt, iteration
      count, hashing algorithm and derived key length. PBE is currently only supported
      to wrap symmetric keys (AES), private Keys and certificates.
    - Only applicable for op_type "export"
    required: false
    suboptions:
      dklen:
        default: null
        description: Intended length in octets of the derived key. dklen must be in range
          of 14 bytes to 512 bytes.
        required: false
        type: int
      hashAlgorithm:
        choices:
        - hmac-sha1
        - hmac-sha224
        - hmac-sha256
        - hmac-sha384
        - hmac-sha512
        - hmac-sha512/224
        - hmac-sha512/256
        - hmac-sha3-224
        - hmac-sha3-256
        - hmac-sha3-384
        - hmac-sha3-512
        default: null
        description: Underlying hashing algorithm that acts as the pseudorandom function
          used to generate the derived key.
        required: false
        type: str
      iteration:
        default: null
        description: Iteration count; a higher count increases the cost of deriving the key
          from a password for an attacker as well as for CM. Must be in the range 1 to 10,000,000.
        required: false
        type: int
      password:
        default: null
        description: Base password from which the key is derived. It cannot be used in
          conjunction with passwordIdentifier. The password must be between 8 and 128 bytes.
        required: false
        type: str
      passwordIdentifier:
        default: null
        description: Secret password identifier for password. It cannot be used in conjunction
          with password.
        required: false
        type: str
      passwordIdentifierType:
        choices:
        - id
        - name
        - slug
        default: null
        description: Type of the passwordIdentifier. If not set, the default value is
          name.
        required: false
        type: str
      purpose:
        default: null
        description: User defined purpose. If specified will be prefixed to pbeSalt. pbePurpose
          must not be greater than 128 bytes.
        required: false
        type: str
      salt:
        default: null
        description: A Hex encoded string. pbeSalt must be in range of 16 bytes to 512
          bytes.
        required: false
        type: str
    type: dict

encoding:
    default: null
    description:
    - Specifies the encoding used for the material field.
    - For wrapping scenarios and the pkcs12 format, the only valid option is base64. For
      symmetric keys the options are hex or base64; if 'keyFormat' (the API's 'format'
      field) is 'base64' and 'encoding' is also set, 'encoding' takes priority.
    - Only applicable for op_type "export"
    required: false
    type: str

password:
    default: null
    description:
    - For pkcs12 format, if the pkcs12passwordLink is not present in the Key (RSA keys),
      specify either password or secretDataLink. This should be the base64 encoded value
      of the password.
    - Only applicable for op_type "export"
    required: false
    type: str

wrapHKDF:
    default: null
    description:
    - Information which is used to wrap a Key using HKDF.
    - Only applicable for op_type "export"
    required: false
    suboptions:
      hashAlgorithm:
        choices:
        - hmac-sha1
        - hmac-sha224
        - hmac-sha256
        - hmac-sha384
        - hmac-sha512
        default: null
        description: Hash Algorithm is used for HKDF Wrapping.
        required: false
        type: str
      info:
        default: null
        description: Info is an optional hex value for HKDF based derivation.
        required: false
        type: str
      okmLen:
        default: null
        description: The desired output key material length, given as an integer.
        required: false
        type: str
      salt:
        default: null
        description: Salt is an optional hex value for HKDF based derivation.
        required: false
        type: str
    type: dict

cm_key_id:
    default: null
    description:
    - CM ID of the key on which the operation is performed (or its name, URI or alias when
      id_type is set accordingly).
    required: true
    type: str

keyFormat:
    choices:
    - pkcs1
    - pkcs8
    - pkcs12
    - jwe
    default: null
    description:
    - The format of the returned key material. If the algorithm is 'rsa' or 'ec', the
      value can be one of 'pkcs1', 'pkcs8', 'pkcs12' or 'jwe'; the default value is
      'pkcs8'. If the algorithm is 'rsa' and the format is 'pkcs12', the key material
      will contain the base64-encoded value of the PFX file.
    - The value 'base64' is used for symmetric keys, for which the returned key material
      is base64-encoded if wrapping is applied (i.e., either 'wrapKeyName' or
      'wrapPublicKey' is specified); otherwise it is hex-encoded unless 'base64' is given.
    - If the format is 'jwe', the "material" for the symmetric key, asymmetric key or
      certificate will be wrapped in JWE format. "wrapKeyName" (which must be a public
      key) or "wrapPublicKey", together with "wrapJWE", is required for the 'jwe' format.
    - The value 'opaque' is supported only for symmetric keys with 'opaque' format.
    - Only applicable for op_type "export"
    required: false
    type: str

localNode:
    description:
    - this holds the connection parameters required to communicate with an instance of
      CipherTrust Manager (CM)
    - holds IP/FQDN of the server, username, password, and port
    required: true
    suboptions:
      password:
        description: admin password of CM; supply it from an Ansible Vault-encrypted
          variable rather than in clear text in the playbook
        required: true
        type: str
      server_ip:
        description: CM Server IP or FQDN
        required: true
        type: str
      server_port:
        default: 5432
        description: Port on which CM server is listening
        required: true
        type: int
      server_private_ip:
        description: internal or private IP of the CM Server, if different from the server_ip
        required: true
        type: str
      user:
        description: admin username of CM
        required: true
        type: str
      verify:
        default: false
        description: whether to verify the TLS certificate presented by CM. With false,
          the certificate is not checked and the admin credentials sent on every request
          can be read by anyone able to interpose on the path to CM; keep it true outside
          isolated lab setups and trust the CM CA on the controller instead.
        required: true
        type: bool
    type: dict

combineXts:
    default: false
    description:
    - If set to true, then full material of XTS/CBC-CS1 key will be exported.
    - Only applicable for op_type "export"
    required: false
    type: bool

newKeyName:
    default: null
    description:
    - Key name for the new cloned key.
    - Only applicable for op_type "clone"
    required: false
    type: str

wrapRSAAES:
    default: null
    description:
    - Information which is used to wrap/unwrap asymmetric keys using RSA AES KWP method.
      This method internally requires AES key size to generate a temporary AES key and
      RSA padding. To use WrapRSAAES, algorithm "RSA/RSAAESKEYWRAPPADDING" must be specified
      in WrappingEncryptionAlgo.
    - Only applicable for op_type "export"
    required: false
    suboptions:
      aesKeySize:
        choices:
        - 128
        - 192
        - 256
        default: 256
        description: Size of AES key for RSA AES KWP.
        required: false
        type: int
      padding:
        choices:
        - oaep
        - oaep256
        - oaep384
        - oaep512
        default: oaep256
        description: Padding specifies the type of padding scheme that needs to be set
          when exporting the Key using RSA AES wrap
        required: false
        type: str
    type: dict

key_version:
    description:
    - Query Parameter
    - Key version
    - Defaults to the latest version
    - Valid only if id_type is "name"
    required: false
    type: int

signingAlgo:
    choices:
    - RSA
    - RSA-PSS
    default: null
    description:
    - This parameter specifies the algorithm used to generate the signature ("macSignBytes")
      over the exported key material ("material"), so that the signature can be verified when
      the material is later imported. The "wrappingMethod" must be "mac/sign" for a signature
      to be generated.
    - Only applicable for op_type "export"
    required: false
    type: str

wrapKeyName:
    default: null
    description:
    - The key material will be wrapped with material of the specified key name. The "material"
      property in the response will be base64 encoded ciphertext. If the "wrappingMethod"
      field is set to "encrypt", then the wrapping key must be an AES key, RSA private
      key or RSA public key. For the export of symmetric keys with the "encrypt" method,
      the three key types are allowed but for the export of a private key if the "wrapRSAAES"
      parameters are not set, the wrapping key has to be an AES key with a size of 256
      bits. If "wrapRSAAES" parameters are set, then the wrapping key has to either be
      an RSA private or public key. You can set either "wrapKeyName" parameter or "wrapPublicKey"
      at a time. The wrapping key should be active with a protect stop date that is not
      expired.
    - Only applicable for op_type "export"
    required: false
    type: str

wrapKeyIDType:
    choices:
    - name
    - id
    - alias
    default: null
    description:
    - IDType specifies how the wrapKeyName should be interpreted.
    - Only applicable for op_type "export"
    required: false
    type: str

wrapPublicKey:
    default: null
    description:
    - If the algorithm is 'aes', 'tdes', 'hmac-*', 'seed' or 'aria', this value will be
      used to encrypt the returned key material. This value is ignored for other algorithms.
      The value must be an RSA public key, either a PEM-encoded public key in PKCS1 or PKCS8
      format or a PEM-encoded X.509 certificate. If set, the returned 'material' value
      will be a base64-encoded key encrypted with PKCS#1 v1.5 padding unless
      'wrapPublicKeyPadding' selects an OAEP variant. Only applicable if 'includeMaterial' is true.
    - Only applicable for op_type "export"
    required: false
    type: str

secretDataLink:
    default: null
    description:
    - For pkcs12 format, either secretDataLink or password should be specified. The value
      can be either ID or name of Secret Data.
    - Only applicable for op_type "export"
    required: false
    type: str

wrappingMethod:
    choices:
    - encrypt
    - mac/sign
    - pbe
    default: null
    description:
    - This parameter specifies the wrapping method used to wrap/mac/sign the key material.
    - Only applicable for op_type "export"
    required: false
    type: str

includeMaterial:
    default: false
    description:
    - Query Parameter
    - Whether to include the key material in the response when op_type is clone
    - Applicable only if op_type is clone
    required: false
    type: bool

wrappingHashAlgo:
    default: null
    description:
    - This parameter specifies the hashing algorithm used if "wrappingMethod" corresponds
      to "mac/sign". In case of MAC operation, the hashing algorithm used will be inferred
      from the type of HMAC key("macSignKeyIdentifier").
    - In case of SIGN operation, the possible values are sha1, sha224, sha256, sha384
      or sha512
    - Only applicable for op_type "export"
    required: false
    type: str

secretDataEncoding:
    default: null
    description:
    - For pkcs12 format, this field specifies the encoding method used for the secretDataLink
      material. Ignore this field if secretData is created from REST and is in plain format.
      Specify the value of this field as HEX format if secretData is created from KMIP.
    - Only applicable for op_type "export"
    required: false
    type: str

macSignKeyIdentifier:
    default: null
    description:
    - This parameter specifies the identifier of the key used for generating the MAC or
      signature("macSignBytes") of the key whose key material is to be exported
    - The "wrappingMethod" should be "mac/sign" to generate the MAC/signature.
    - To generate a MAC, the key should be a HMAC key.
    - To generate a signature, the key should be an RSA private key.
    - Only applicable for op_type "export"
    required: false
    type: str

wrapPublicKeyPadding:
    choices:
    - pkcs1
    - oaep
    - oaep256
    - oaep384
    - oaep512
    default: null
    description:
    - wrapPublicKeyPadding specifies the padding scheme used when the exported key material
      is wrapped with the specified 'wrapPublicKey'. Accepted values are "pkcs1", "oaep",
      "oaep256", "oaep384" and "oaep512"; it defaults to "pkcs1" when 'wrapPublicKeyPadding'
      is not set and 'wrapPublicKey' is set. "pkcs1" (PKCS#1 v1.5) is the default for
      compatibility only; prefer an OAEP variant where the receiving side supports it.
    - While creating a new key, wrapPublicKeyPadding parameter should be specified only
      if 'includeMaterial' is true. In this case, key will get created and in response
      wrapped material using specified wrapPublicKeyPadding and other wrap parameters
      will be returned.
    - Only applicable for op_type "export"
    required: false
    type: str

wrappingEncryptionAlgo:
    choices:
    - AES/AESKEYWRAP
    - AES/AESKEYWRAPPADDING
    - RSA/RSAAESKEYWRAPPADDING
    default: null
    description:
    - It indicates the Encryption Algorithm information for wrapping the key. Format is
      Algorithm/Mode/Padding. For example AES/AESKEYWRAP. Here AES is Algorithm, AESKEYWRAP
      is Mode & Padding is not specified. AES/AESKEYWRAP is RFC-3394 & AES/AESKEYWRAPPADDING
      is RFC-5649. For wrapping private key, only AES/AESKEYWRAPPADDING is allowed. RSA/RSAAESKEYWRAPPADDING
      is used to wrap/unwrap asymmetric keys using RSA AES KWP method. Refer "WrapRSAAES"
      to provide optional parameters.
    - Only applicable for op_type "export"
    required: false
    type: str

compromiseOccurrenceDate:
    default: null
    description:
    - Date/time when the object was first believed to be compromised, if known.
    - Only valid if the revocation reason is CACompromise or KeyCompromise, otherwise
      ignored.
    - Defaults to the key's creation time.
    - Only applicable for op_type "revoke"
    required: false
    type: str

macSignKeyIdentifierType:
    choices:
    - name
    - id
    - alias
    default: null
    description:
    - Specifies how "macSignKeyIdentifier" (the key used to generate the MAC or signature
      of the exported key material) is interpreted: as a name, id or alias.
    - The "wrappingMethod" should be "mac/sign" for the MAC/signature ("macSignBytes") of
      the key material ("material") to be generated.
    - Only applicable for op_type "export"
    required: false
    type: str
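The export parameters above (wrapKeyName, wrappingMethod, wrappingEncryptionAlgo, padded, wrapRSAAES, wrapPBE and keyFormat) combine in a few fixed patterns that the individual option descriptions do not show side by side. The playbook below is an added example, not part of the collection's documentation: it exports the same material three ways, always wrapped, never in clear. It assumes vaulted variables cm_host, cm_user and cm_password, a controller that trusts the CM certificate chain, an active AES-256 key named kek-aes-256, an RSA key named kek-rsa-4096 and a secret-data object named export-pbe-secret already present in CM, and that padded must agree with the RFC 5649 choice made in wrappingEncryptionAlgo; all key, secret and file names are placeholders and the salt is a constructed value.

```yaml
---
# Added example, not from the thalesgroup.ciphertrust collection docs.
# Assumed vaulted variables: cm_host, cm_user, cm_password.
- name: Export key material from CipherTrust Manager, wrapped three ways
  hosts: localhost
  gather_facts: false
  vars:
    cm_node:
      server_ip: "{{ cm_host }}"
      server_private_ip: "{{ cm_host }}"   # assumed identical to server_ip
      server_port: 5432
      user: "{{ cm_user }}"
      password: "{{ cm_password }}"
      verify: true                         # never send admin creds unverified

  tasks:
    # 1. Symmetric key under an AES-256 KEK that already lives in CM.
    #    AES/AESKEYWRAPPADDING is RFC 5649, so padded is set to true to match.
    - name: Export an AES key wrapped with AES Key Wrap with Padding
      thalesgroup.ciphertrust.vault_keys2_op:
        localNode: "{{ cm_node }}"
        op_type: export
        cm_key_id: "app-db-aes"            # placeholder key name
        id_type: name
        wrappingMethod: encrypt
        wrappingEncryptionAlgo: AES/AESKEYWRAPPADDING
        padded: true
        wrapKeyName: "kek-aes-256"         # placeholder: active AES-256 key in CM
        wrapKeyIDType: name
        encoding: base64
      register: aes_export
      no_log: true

    # 2. RSA private key under an RSA KEK via RSA-AES KWP. The page requires
    #    wrapRSAAES together with RSA/RSAAESKEYWRAPPADDING; OAEP-SHA256 is
    #    chosen over the PKCS#1 v1.5 padding CM defaults to elsewhere.
    - name: Export an RSA private key wrapped with RSA-AES KWP
      thalesgroup.ciphertrust.vault_keys2_op:
        localNode: "{{ cm_node }}"
        op_type: export
        cm_key_id: "svc-signing-rsa"       # placeholder key name
        id_type: name
        keyFormat: pkcs8
        wrappingMethod: encrypt
        wrappingEncryptionAlgo: RSA/RSAAESKEYWRAPPADDING
        wrapKeyName: "kek-rsa-4096"        # placeholder: RSA key in CM
        wrapKeyIDType: name
        wrapRSAAES:
          aesKeySize: 256
          padding: oaep256
      register: rsa_export
      no_log: true

    # 3. Password-based wrapping. The password is stored in CM as secret data
    #    and referenced by name, so it never appears in the playbook or logs.
    #    Values respect the documented ranges: salt 16 bytes of hex, dklen 32,
    #    iteration well below 10,000,000, purpose under 128 bytes.
    - name: Export an AES key under a password-derived key
      thalesgroup.ciphertrust.vault_keys2_op:
        localNode: "{{ cm_node }}"
        op_type: export
        cm_key_id: "app-db-aes"
        id_type: name
        wrappingMethod: pbe
        wrapPBE:
          passwordIdentifier: "export-pbe-secret"   # placeholder secret name
          passwordIdentifierType: name
          hashAlgorithm: hmac-sha256
          iteration: 600000
          dklen: 32
          salt: "9f3c1b7a5e2d4c6b8a1f0e9d7c5b3a21"   # constructed, 16 bytes hex
          purpose: "offsite-escrow"
      register: pbe_export
      no_log: true

    # Only wrapped blobs reach disk; the files are still restricted to the owner.
    - name: Persist the wrapped exports for the receiving party
      ansible.builtin.copy:
        content: "{{ item.value | to_nice_json }}"
        dest: "./export-{{ item.key }}.json"
        mode: "0600"
      loop: "{{ {'aes': aes_export, 'rsa': rsa_export, 'pbe': pbe_export} | dict2items }}"
      no_log: true
```

The three tasks differ only in the wrapping block, which makes the required pairings visible: encrypt with an AES KEK needs wrappingEncryptionAlgo and padded to agree, encrypt with an RSA KEK needs wrapRSAAES, and pbe needs wrapPBE with exactly one of password or passwordIdentifier. The module's return structure is not documented on this page, so the registered results are written out whole rather than indexed into.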