##
-# Geniwrapper uses two crypto libraries: pyOpenSSL and M2Crypto to implement
+# SFA uses two crypto libraries: pyOpenSSL and M2Crypto to implement
# the necessary crypto functionality. Ideally just one of these libraries
# would be used, but unfortunately each of these libraries is independently
# lacking. The pyOpenSSL library is missing many necessary functions, and
import os
import tempfile
import base64
+import traceback
from OpenSSL import crypto
import M2Crypto
from M2Crypto import X509
from sfa.util.faults import *
def convert_public_key(key):
- # find the keyconvert program
- from sfa.util.config import Config
- config = Config()
- keyconvert = 'keyconvert'
- loaded = False
- default_path = "/usr/share/keyconvert/" + keyconvert
- cwd = os.path.dirname(os.path.abspath(__file__))
- alt_path = os.sep.join(cwd.split(os.sep)[:-1] + ['keyconvert', 'keyconvert'])
- geni_path = config.basepath + os.sep + "keyconvert/keyconvert"
- files = [default_path, alt_path, geni_path]
- for path in files:
- if os.path.isfile(path):
- keyconvert_fn = path
- loaded = True
- break
-
- if not loaded:
- raise Exception, "Could not find keyconvert in " + ", ".join(files)
+ keyconvert_path = "/usr/bin/keyconvert"
+ if not os.path.isfile(keyconvert_path):
+ raise IOError, "Could not find keyconvert in %s" % keyconvert_path
# we can only convert rsa keys
if "ssh-dss" in key:
- print "XXX: DSA key encountered, ignoring"
return None
(ssh_f, ssh_fn) = tempfile.mkstemp()
os.write(ssh_f, key)
os.close(ssh_f)
- if not os.path.exists(keyconvert_fn):
- report.trace(" keyconvet utility " + str(keyconvert_fn) + "does not exist")
- sys.exit(-1)
-
- cmd = keyconvert_fn + " " + ssh_fn + " " + ssl_fn
+ cmd = keyconvert_path + " " + ssh_fn + " " + ssl_fn
os.system(cmd)
-
+
# this check leaves the temporary file containing the public key so
# that it can be expected to see why it failed.
# TODO: for production, cleanup the temporary files
if not os.path.exists(ssl_fn):
- report.trace(" failed to convert key from " + ssh_fn + " to " + ssl_fn)
return None
-
+
k = Keypair()
try:
k.load_pubkey_from_file(ssl_fn)
except:
- print "XXX: Error while converting key: ", key_str
+ traceback.print_exc()
k = None
# remove the temporary files
def as_pem(self):
return crypto.dump_privatekey(crypto.FILETYPE_PEM, self.key)
+ ##
+ # Return an M2Crypto key object
+
def get_m2_pkey(self):
if not self.m2key:
self.m2key = M2Crypto.EVP.load_key_string(self.as_pem())
return self.m2key
+ ##
+ # Returns a string containing the public key represented by this object.
+
+ def get_pubkey_string(self):
+ m2pkey = self.get_m2_pkey()
+ return base64.b64encode(m2pkey.as_der())
+
##
# Return an OpenSSL pkey object
k.verify_update(data)
return M2Crypto.m2.verify_final(k.ctx, base64.b64decode(sig), k.pkey)
+ def compute_hash(self, value):
+ return self.sign_string(str(value))
+
##
# The certificate class implements a general purpose X509 certificate, making
# use of the appropriate pyOpenSSL or M2Crypto abstractions. It also adds
# until a certificate is found that is signed by a trusted root.
# TODO: verify expiration time
-
+ #print "====Verify Chain====="
# if this cert is signed by a trusted_cert, then we are set
for trusted_cert in trusted_certs:
+ #print "***************"
# TODO: verify expiration of trusted_cert ?
+ #print "CLIENT CERT", self.dump()
+ #print "TRUSTED CERT", trusted_cert.dump()
+ #print "Client is signed by Trusted?", self.is_signed_by_cert(trusted_cert)
if self.is_signed_by_cert(trusted_cert):
#print self.get_subject(), "is signed by a root"
return
git://git.onelab.eu / sfa.git / blobdiff