import os\r
import tempfile\r
import base64\r
-import traceback\r
from tempfile import mkstemp\r
\r
from OpenSSL import crypto\r
import M2Crypto\r
from M2Crypto import X509\r
\r
-from sfa.util.sfalogging import logger\r
-from sfa.util.xrn import urn_to_hrn\r
-from sfa.util.faults import *\r
+from sfa.util.faults import CertExpired, CertMissingParent, CertNotSignedByParent\r
from sfa.util.sfalogging import logger\r
\r
glo_passphrase_callback = None\r
\r
##\r
-# A global callback msy be implemented for requesting passphrases from the\r
+# A global callback may be implemented for requesting passphrases from the\r
# user. The function will be called with three arguments:\r
#\r
# keypair_obj: the keypair object that is calling the passphrase\r
\r
# we can only convert rsa keys\r
if "ssh-dss" in key:\r
- return None\r
+ raise Exception, "keyconvert: dss keys are not supported"\r
\r
(ssh_f, ssh_fn) = tempfile.mkstemp()\r
ssl_fn = tempfile.mktemp()\r
# that it can be expected to see why it failed.\r
# TODO: for production, cleanup the temporary files\r
if not os.path.exists(ssl_fn):\r
- return None\r
+ raise Exception, "keyconvert: generated certificate not found. keyconvert may have failed."\r
\r
k = Keypair()\r
try:\r
k.load_pubkey_from_file(ssl_fn)\r
+ return k\r
except:\r
logger.log_exc("convert_public_key caught exception")\r
- k = None\r
-\r
- # remove the temporary files\r
- os.remove(ssh_fn)\r
- os.remove(ssl_fn)\r
-\r
- return k\r
+ raise\r
+ finally:\r
+ # remove the temporary files\r
+ if os.path.exists(ssh_fn):\r
+ os.remove(ssh_fn)\r
+ if os.path.exists(ssl_fn):\r
+ os.remove(ssl_fn)\r
\r
##\r
# Public-private key pairs are implemented by the Keypair class.\r
\r
if self.isCA != None:\r
# Can't double set properties\r
- raise "Cannot set basicConstraints CA:?? more than once. Was %s, trying to set as %s" % (self.isCA, val)\r
+ raise Exception, "Cannot set basicConstraints CA:?? more than once. Was %s, trying to set as %s" % (self.isCA, val)\r
\r
self.isCA = val\r
if val:\r
\r
# verify expiration time\r
if self.cert.has_expired():\r
- logger.debug("verify_chain: NO our certificate %s has expired" % self.get_printable_subject())\r
+ logger.debug("verify_chain: NO, Certificate %s has expired" % self.get_printable_subject())\r
raise CertExpired(self.get_printable_subject(), "client cert")\r
\r
# if this cert is signed by a trusted_cert, then we are set\r
if self.is_signed_by_cert(trusted_cert):\r
# verify expiration of trusted_cert ?\r
if not trusted_cert.cert.has_expired():\r
- logger.debug("verify_chain: YES cert %s signed by trusted cert %s"%(\r
+ logger.debug("verify_chain: YES. Cert %s signed by trusted cert %s"%(\r
self.get_printable_subject(), trusted_cert.get_printable_subject()))\r
return trusted_cert\r
else:\r
- logger.debug("verify_chain: NO cert %s is signed by trusted_cert %s, but this is expired..."%(\r
+ logger.debug("verify_chain: NO. Cert %s is signed by trusted_cert %s, but that signer is expired..."%(\r
self.get_printable_subject(),trusted_cert.get_printable_subject()))\r
raise CertExpired(self.get_printable_subject()," signer trusted_cert %s"%trusted_cert.get_printable_subject())\r
\r
# if there is no parent, then no way to verify the chain\r
if not self.parent:\r
- logger.debug("verify_chain: NO %s has no parent and issuer %s is not in %d trusted roots"%self.get_printable_subject(), self.get_issuer(), len(trusted_certs))\r
- raise CertMissingParent(self.get_printable_subject(), "Non trusted issuer: %s out of %d trusted roots" % (self.get_issuer(), len(trusted_certs)))\r
+ logger.debug("verify_chain: NO. %s has no parent and issuer %s is not in %d trusted roots"%(self.get_printable_subject(), self.get_issuer(), len(trusted_certs)))\r
+ raise CertMissingParent(self.get_printable_subject() + ": Issuer %s is not one of the %d trusted roots, and cert has no parent." % (self.get_issuer(), len(trusted_certs)))\r
\r
# if it wasn't signed by the parent...\r
if not self.is_signed_by_cert(self.parent):\r
- logger.debug("verify_chain: NO %s is not signed by parent %s, but by %s"%self.get_printable_subject(), self.parent.get_printable_subject(), self.get_issuer())\r
- return CertNotSignedByParent(self.get_printable_subject(), "parent %s, issuer %s" % (selr.parent.get_printable_subject(), self.get_issuer()))\r
+ logger.debug("verify_chain: NO. %s is not signed by parent %s, but by %s"%\\r
+ (self.get_printable_subject(), \r
+ self.parent.get_printable_subject(), \r
+ self.get_issuer()))\r
+ raise CertNotSignedByParent("%s: Parent %s, issuer %s"\\r
+ % (self.get_printable_subject(), \r
+ self.parent.get_printable_subject(),\r
+ self.get_issuer()))\r
\r
# Confirm that the parent is a CA. Only CAs can be trusted as\r
# signers.\r
# Ugly - cert objects aren't parsed so we need to read the\r
# extension and hope there are no other basicConstraints\r
if not self.parent.isCA and not (self.parent.get_extension('basicConstraints') == 'CA:TRUE'):\r
- logger.warn("verify_chain: cert %s's parent %s is not a CA" % (self.get_printable_subject(), self.parent.get_printable_subject()))\r
- return CertNotSignedByParent(self.get_printable_subject(), "Parent %s not a CA" % self.parent.get_printable_subject())\r
+ logger.warn("verify_chain: cert %s's parent %s is not a CA" % \\r
+ (self.get_printable_subject(), self.parent.get_printable_subject()))\r
+ raise CertNotSignedByParent("%s: Parent %s not a CA" % (self.get_printable_subject(),\r
+ self.parent.get_printable_subject()))\r
\r
# if the parent isn't verified...\r
- logger.debug("verify_chain: .. %s, -> verifying parent %s"%(self.get_printable_subject(),self.parent.get_printable_subject()))\r
+ logger.debug("verify_chain: .. %s, -> verifying parent %s"%\\r
+ (self.get_printable_subject(),self.parent.get_printable_subject()))\r
self.parent.verify_chain(trusted_certs)\r
\r
return\r
git://git.onelab.eu / sfa.git / blobdiff