from OpenSSL import crypto
import M2Crypto
from M2Crypto import X509
-from M2Crypto import EVP
+from tempfile import mkstemp
+from sfa.util.sfalogging import logger
from sfa.util.faults import *
def load_from_string(self, string):
# if it is a chain of multiple certs, then split off the first one and
- # load it (support for the ---parent--- tag as well as normal chained certs)
-
- string = string.strip()
+ # load it (support for the ---parent--- tag as well as normal chained certs)
+ string = string.strip()
+
+
+ if not string.startswith('-----'):
+ string = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' % string
+
parts = []
+
if string.count('-----BEGIN CERTIFICATE-----') > 1 and \
string.count(Certificate.separator) == 0:
parts = string.split('-----END CERTIFICATE-----',1)
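Review bot: The new branch on L17–L18 treats any input that does not begin with `-----` as a bare base64 certificate body and wraps it in PEM armor, but nothing says so; a caller passing something else will only see an opaque parse failure later. A comment above the `if` such as `# no PEM armor present: assume a bare base64-encoded certificate body and wrap it` would make the assumption visible, and the method itself still has no docstring describing the accepted formats (single PEM, chained PEMs, the separator form, and now bare base64). The two blank lines added at L15–L16 are also unusual for this file. load_from_string continues past the end of the hunk.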
##
# Load the certificate from a file
- def load_from_file(self, filename):
+ def load_from_file(self, filename):
file = open(filename)
string = file.read()
self.load_from_string(string)
# Save the certificate to a file.
# @param save_parents If save_parents==True, then also save the parent certificates.
- def save_to_file(self, filename, save_parents=False):
+ def save_to_file(self, filename, save_parents=True, filep=None):
string = self.save_to_string(save_parents=save_parents)
- open(filename, 'w').write(string)
+ if filep:
+ f = filep
+ else:
+ f = open(filename, 'w')
+ f.write(string)
+ f.close()
+
+ ##
+ # Save the certificate to a random file in /tmp/
+ # @param save_parents If save_parents==True, then also save the parent certificates.
+ def save_to_random_tmp_file(self, save_parents=True):
+ fp, filename = mkstemp(suffix='cert', text=True)
+ fp = os.fdopen(fp, "w")
+ self.save_to_file(filename, save_parents=True, filep=fp)
+ return filename
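Review bot: save_to_random_tmp_file passes the literal `save_parents=True` on L51, so its own `save_parents` parameter is ignored; it should read `self.save_to_file(filename, save_parents=save_parents, filep=fp)`. L50 calls `os.fdopen`, yet the import hunk at L5–L6 adds only `mkstemp` and `logger` — unless `os` is imported elsewhere in the file this is a NameError at first use. save_to_file now closes a caller-supplied `filep` on L43, which is surprising for an object the caller owns, and the comment at L32–L33 should document that (`# @param filep if given, write to this open file object instead of filename; it is closed on return`) along with the fact that the caller is responsible for removing the returned temp file. Note also that L35 flips the default of `save_parents` from False to True, which changes what existing callers of save_to_file write out.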
##
# Sets the issuer private key and name
#print "TRUSTED CERT", trusted_cert.dump()
#print "Client is signed by Trusted?", self.is_signed_by_cert(trusted_cert)
if self.is_signed_by_cert(trusted_cert):
+ # make sure sure the trusted cert's hrn is a prefix of the
+ # signed cert's hrn
+ if not self.get_subject().startswith(trusted_cert.get_subject()):
+ raise GidParentHrn(trusted_cert.get_subject())
#print self.get_subject(), "is signed by a root"
return
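Review bot: The prefix test on L60 is a raw string comparison, so if subjects are dot-separated HRNs (as the GidParentHrn fault suggests) a trusted cert with subject `a.b` would also be accepted as the parent of `a.bc`, which is presumably not intended. Comparing on a name-component boundary avoids that: `parent = trusted_cert.get_subject()` / `if not (self.get_subject() == parent or self.get_subject().startswith(parent + '.')):` / `raise GidParentHrn(parent)`. The separator should be confirmed against how HRNs are built elsewhere in the project. The enclosing method starts before this hunk.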