From 1726eb3eb794c03cd4cc15484fb943cc61cfe3ec Mon Sep 17 00:00:00 2001
From: mssonicbld <79238446+mssonicbld@users.noreply.github.com>
Date: Thu, 21 Sep 2023 20:39:01 +0800
Subject: [PATCH] Update macsec CAK keys in profile for tests to change to type7 encoded format (#16388) (#16626)
* Change the CAK key length check in config plugin, macsec test profile changes
* Fix the format in add_profile api
The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
Co-authored-by: judyjoseph <53951155+judyjoseph@users.noreply.github.com>
---
 .../cli-plugin-tests/config_db.json | 2 +-
 .../cli-plugin-tests/test_config_macsec.py | 10 ++++-----
 .../cli/config/plugins/macsec.py | 8 +++----
 .../tests/macsec_profile.json | 8 +++----
 .../tests/files/sample_config_db.json | 4 ++--
 .../yang_model_tests/tests_config/macsec.json | 22 +++++++++----------
 .../yang-models/sonic-macsec.yang | 8 ++-----
 7 files changed, 29 insertions(+), 33 deletions(-)
diff --git a/dockers/docker-macsec/cli-plugin-tests/config_db.json b/dockers/docker-macsec/cli-plugin-tests/config_db.json
index 8c6b6893e5..9f4c266d42 100644
--- a/dockers/docker-macsec/cli-plugin-tests/config_db.json
+++ b/dockers/docker-macsec/cli-plugin-tests/config_db.json
@@ -2,7 +2,7 @@
 "MACSEC_PROFILE|macsec_profile": {
 "cipher_suite": "GCM-AES-XPN-256",
 "policy": "security",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
 "priority": "0",
 "rekey_period": "900",
diff --git a/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py b/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
index 45ab80c7ed..3a279bd612 100644
--- a/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
+++ b/dockers/docker-macsec/cli-plugin-tests/test_config_macsec.py
@@ -8,7 +8,7 @@ import macsec
 profile_name = "test"
-primary_cak = "01234567890123456789012345678912"
+primary_cak = "2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541"
 primary_ckn = "01234567890123456789012345678912"
@@ -48,7 +48,7 @@ class TestConfigMACsec(object):
 profile_name = "test"
 profile_map = {
- "primary_cak": "0123456789012345678901234567891201234567890123456789012345678912",
+ "primary_cak": "3946080a0407070303530256560a04504650530352565e731f1a5c4f524f4b5a5e547b79777c6663754b5e465253050d0d0503565a48470b0b030604020c520a54",
 "primary_ckn": "01234567890123456789012345678912",
 "priority": 64,
 "cipher_suite": "GCM-AES-XPN-256",
@@ -109,7 +109,7 @@ class TestConfigMACsec(object):
 runner = CliRunner()
 result = runner.invoke(macsec.macsec, ["profile", "add", "test",
- "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"],
+ "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"],
 obj=cfgdb)
 assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
 result = runner.invoke(macsec.macsec, ["port", "add", "Ethernet0", "test"], obj=cfgdb)
@@ -141,8 +141,8 @@ class TestConfigMACsec(object):
 result = runner.invoke(macsec.macsec, ["profile", "del", "test"], obj=cfgdb)
 assert result.exit_code != 0
- result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
+ result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
 assert result.exit_code == 0, "exit code: {}, Exception: {}, Traceback: {}".format(result.exit_code, result.exception, result.exc_info)
 # Repeat add profile
- result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=01234567890123456789012345678912","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
+ result = runner.invoke(macsec.macsec, ["profile", "add", "test", "--primary_cak=2363647040534355560e000802065d574d400e000e030307075f0e5050000e5541","--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)
 assert result.exit_code != 0
diff --git a/dockers/docker-macsec/cli/config/plugins/macsec.py b/dockers/docker-macsec/cli/config/plugins/macsec.py
index 1b820dfd0e..9f5ac5bd7b 100644
--- a/dockers/docker-macsec/cli/config/plugins/macsec.py
+++ b/dockers/docker-macsec/cli/config/plugins/macsec.py
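Review bot: None of the updated cases in this test file asserts that a CAK in the old raw format is now refused; each changed call only swaps in a value that already has the new length. A negative case next to the "Repeat add profile" block would pin the new check, for example `result = runner.invoke(macsec.macsec, ["profile", "add", "raw", "--primary_cak=01234567890123456789012345678912", "--primary_ckn=01234567890123456789012345678912"], obj=cfgdb)` followed by `assert result.exit_code != 0`. This presumes the default cipher suite is a 128-bit one, as the existing 66-character add without a cipher option suggests. The test method starts above the hunk.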
@@ -137,11 +137,11 @@ def add_profile(profile, priority, cipher_suite, primary_cak, primary_ckn, polic
 profile_table["cipher_suite"] = cipher_suite
 if "128" in cipher_suite:
- if len(primary_cak) != 32:
- ctx.fail("Expect the length of CAK is 32, but got {}".format(len(primary_cak)))
+ if len(primary_cak) != 66:
+ ctx.fail("Expect the length of CAK is 66, but got {}".format(len(primary_cak)))
 elif "256" in cipher_suite:
- if len(primary_cak) != 64:
- ctx.fail("Expect the length of CAK is 64, but got {}".format(len(primary_cak)))
+ if len(primary_cak) != 130:
+ ctx.fail("Expect the length of CAK is 130, but got {}".format(len(primary_cak)))
 if not is_hexstring(primary_cak):
 ctx.fail("Expect the primary_cak is valid hex string")
 if not is_hexstring(primary_ckn):
diff --git a/src/sonic-config-engine/tests/macsec_profile.json b/src/sonic-config-engine/tests/macsec_profile.json
index b70f1a0521..87e633e49b 100644
--- a/src/sonic-config-engine/tests/macsec_profile.json
+++ b/src/sonic-config-engine/tests/macsec_profile.json
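Review bot: The new checks in add_profile (`len(primary_cak) != 66` and `!= 130`, then `is_hexstring`) accept any hex string of the right length, so a value that is not a well-formed type 7 encoding still passes the CLI and is presumably only rejected later by the consumer; the `[0-9a-fA-F]{66}|[0-9a-fA-F]{130}` patterns in sonic-macsec.yang have the same gap. The failure text also no longer tells an operator what is expected, since a raw 32-character key now yields only "Expect the length of CAK is 66"; something like `ctx.fail("Expect a type 7 encoded CAK of length 66, but got {}".format(len(primary_cak)))` would help. Assuming type 7 here is the usual reversible encoding, a comment such as `# primary_cak is type 7 encoded: obfuscation, not encryption; CONFIG_DB copies remain key material` above the check would keep the storage risk visible. The function body continues outside the hunk.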
@@ -2,18 +2,18 @@
 "MACSEC_PROFILE":{
 "macsec-profile": {
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "priority": "0",
 "rekey_period": "60"
 },
 "macsec-profile2": {
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "priority": "0",
 "rekey_period": "60"
diff --git a/src/sonic-yang-models/tests/files/sample_config_db.json b/src/sonic-yang-models/tests/files/sample_config_db.json
index b3f64c991b..dc4bf90e50 100644
--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -2258,9 +2258,9 @@
 "test": {
 "priority": "64",
 "cipher_suite": "GCM-AES-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "00000000000000000000000000000000",
+ "fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "11111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
index cfd7c512a6..5c748606ee 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/macsec.json
@@ -7,9 +7,9 @@
 "name": "test32",
 "priority": 64,
 "cipher_suite": "GCM-AES-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "00000000000000000000000000000000",
+ "fallback_cak": "000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "11111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
@@ -21,9 +21,9 @@
 "name": "test64",
 "priority": 64,
 "cipher_suite": "GCM-AES-XPN-256",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "5207554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c03312432262706080a00005b554f4e007975707670725b0a54540c0252445e5d7a29252b046a",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F706162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111",
 "policy": "security",
 "enable_replay_protect": "true",
@@ -61,7 +61,7 @@
 {
 "name": "test",
 "cipher_suite": "gcm-aes-128",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70"
 }
 ]
@@ -74,9 +74,9 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "fallback_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "fallback_ckn": "6162636465666768696A6B6C6D6E6F70"
 }
 ]
@@ -89,7 +89,7 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEFA",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d7",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70A"
 }
 ]
@@ -115,9 +115,9 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
- "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000",
+ "fallback_cak": "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
 "fallback_ckn": "1111111111111111111111111111111111111111111111111111111111111111"
 }
 ]
@@ -130,7 +130,7 @@
 "MACSEC_PROFILE_LIST": [
 {
 "name": "test",
- "primary_cak": "0123456789ABCDEF0123456789ABCDEF",
+ "primary_cak": "1159485744465e5a537272050a1011073557475152020c0e040c57223a357d7d71",
 "primary_ckn": "6162636465666768696A6B6C6D6E6F70",
 "replay_window": 64
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-macsec.yang b/src/sonic-yang-models/yang-models/sonic-macsec.yang
index f908589190..b3d04b725a 100644
--- a/src/sonic-yang-models/yang-models/sonic-macsec.yang
+++ b/src/sonic-yang-models/yang-models/sonic-macsec.yang
@@ -46,7 +46,7 @@ module sonic-macsec {
 leaf primary_cak {
 type string {
- pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+ pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
 }
 mandatory true;
 }
@@ -60,7 +60,7 @@ module sonic-macsec {
 leaf fallback_cak {
 type string {
- pattern "[0-9a-fA-F]{32}|[0-9a-fA-F]{64}";
+ pattern "[0-9a-fA-F]{66}|[0-9a-fA-F]{130}";
 }
 }
@@ -70,10 +70,6 @@ module sonic-macsec {
 }
 }
- must "string-length(primary_cak) = string-length(primary_ckn)";
-
- must "string-length(fallback_cak) = string-length(fallback_ckn)";
-
- must "string-length(fallback_cak) = string-length(primary_cak)";
 must "primary_ckn != fallback_ckn";
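Review bot: In the last sonic-macsec.yang hunk the `must "string-length(primary_cak) = string-length(primary_ckn)"` constraint is dropped rather than adapted, so the model no longer relates the CAK to its CKN at all. If that pairing was intentional, it can be kept for the encoded form with `must "string-length(primary_cak) = 2 * string-length(primary_ckn) + 2";`, which the 66/32 and 130/64 fixtures in tests_config/macsec.json satisfy; the fallback pair would take the same form. If the relation is being relaxed on purpose, a short `description` on the `primary_cak` leaf stating that the value is the type 7 encoded key would record why the lengths are 66 and 130.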