# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Work.
#
-# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
+# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
# IN THE WORK.
#----------------------------------------------------------------------
#
# The callback should return a string containing the passphrase.
+
def set_passphrase_callback(callback_func):
global glo_passphrase_callback
##
# Sets a fixed passphrase.
+
def set_passphrase(passphrase):
- set_passphrase_callback( lambda k,s,x: passphrase )
+ set_passphrase_callback(lambda k, s, x: passphrase)
##
# Check to see if a passphrase works for a particular private key string.
# Intended to be used by passphrase callbacks for input validation.
+
def test_passphrase(string, passphrase):
try:
- OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, string, (lambda x: passphrase))
+ OpenSSL.crypto.load_privatekey(
+ OpenSSL.crypto.FILETYPE_PEM, string, (lambda x: passphrase))
return True
except:
return False
+
def convert_public_key(key):
keyconvert_path = "/usr/bin/keyconvert.py"
if not os.path.isfile(keyconvert_path):
- raise IOError("Could not find keyconvert in {}".format(keyconvert_path))
+ raise IOError(
+ "Could not find keyconvert in {}".format(keyconvert_path))
# we can only convert rsa keys
if "ssh-dss" in key:
# that it can be expected to see why it failed.
# TODO: for production, cleanup the temporary files
if not os.path.exists(ssl_fn):
- raise Exception("keyconvert: generated certificate not found. keyconvert may have failed.")
+ raise Exception(
+ "keyconvert: generated certificate not found. keyconvert may have failed.")
k = Keypair()
try:
# A Keypair object may represent both a public and private key pair, or it
# may represent only a public key (this usage is consistent with OpenSSL).
+
class Keypair:
key = None # public/private keypair
m2key = None # public key (m2crypto format)
self.load_from_file(filename)
##
- # Create a RSA public/private key pair and store it inside the keypair object
+ # Create a RSA public/private key pair and store it inside the keypair
+ # object
def create(self):
self.key = OpenSSL.crypto.PKey()
self.filename = filename
##
- # Load the private key from a file. Implicity the private key includes the public key.
+ # Load the private key from a file. Implicity the private key includes the
+ # public key.
def load_from_file(self, filename):
self.filename = filename
self.load_from_string(buffer)
##
- # Load the private key from a string. Implicitly the private key includes the public key.
+ # Load the private key from a string. Implicitly the private key includes
+ # the public key.
def load_from_string(self, string):
import M2Crypto
self.m2key = M2Crypto.EVP.load_key_string(
string, functools.partial(glo_passphrase_callback, self, string))
else:
- self.key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, string)
+ self.key = OpenSSL.crypto.load_privatekey(
+ OpenSSL.crypto.FILETYPE_PEM, string)
self.m2key = M2Crypto.EVP.load_key_string(string)
##
# create an m2 x509 cert
m2name = M2Crypto.X509.X509_Name()
- m2name.add_entry_by_txt(field="CN", type=0x1001, entry="junk", len=-1, loc=-1, set=0)
+ m2name.add_entry_by_txt(field="CN", type=0x1001,
+ entry="junk", len=-1, loc=-1, set=0)
m2x509 = M2Crypto.X509.X509()
m2x509.set_pubkey(self.m2key)
m2x509.set_serial_number(0)
# convert the m2 x509 cert to a pyopenssl x509
m2pem = m2x509.as_pem()
- pyx509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, m2pem)
+ pyx509 = OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, m2pem)
# get the pyopenssl pkey from the pyopenssl x509
self.key = pyx509.get_pubkey()
# only informative
def get_filename(self):
- return getattr(self,'filename',None)
+ return getattr(self, 'filename', None)
def dump(self, *args, **kwargs):
print(self.dump_string(*args, **kwargs))
def dump_string(self):
- result = ""
+ result = ""
result += "KEYPAIR: pubkey={:>40}...".format(self.get_pubkey_string())
filename = self.get_filename()
- if filename: result += "Filename {}\n".format(filename)
+ if filename:
+ result += "Filename {}\n".format(filename)
return result
##
# When saving a certificate to a file or a string, the caller can choose
# whether to save the parent certificates as well.
+
class Certificate:
digest = "sha256"
# issuerKey = None
# issuerSubject = None
# parent = None
- isCA = None # will be a boolean once set
+ isCA = None # will be a boolean once set
separator = "-----parent-----"
self.x509 = OpenSSL.crypto.X509()
# FIXME: Use different serial #s
self.x509.set_serial_number(3)
- self.x509.gmtime_adj_notBefore(0) # 0 means now
- self.x509.gmtime_adj_notAfter(lifeDays*60*60*24) # five years is default
- self.x509.set_version(2) # x509v3 so it can have extensions
-
+ self.x509.gmtime_adj_notBefore(0) # 0 means now
+ self.x509.gmtime_adj_notAfter(
+ lifeDays * 60 * 60 * 24) # five years is default
+ self.x509.set_version(2) # x509v3 so it can have extensions
##
# Given a pyOpenSSL X509 object, store that object inside of this
def load_from_string(self, string):
# if it is a chain of multiple certs, then split off the first one and
- # load it (support for the ---parent--- tag as well as normal chained certs)
+ # load it (support for the ---parent--- tag as well as normal chained
+ # certs)
if string is None or string.strip() == "":
logger.warn("Empty string in load_from_string")
return
string = string.strip()
-
+
# If it's not in proper PEM format, wrap it
if string.count('-----BEGIN CERTIFICATE') == 0:
string = '-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----'\
# such as the text of the certificate, skip the text
beg = string.find('-----BEGIN CERTIFICATE')
if beg > 0:
- # skipping over non cert beginning
+ # skipping over non cert beginning
string = string[beg:]
parts = []
if string.count('-----BEGIN CERTIFICATE-----') > 1 and \
- string.count(Certificate.separator) == 0:
- parts = string.split('-----END CERTIFICATE-----',1)
+ string.count(Certificate.separator) == 0:
+ parts = string.split('-----END CERTIFICATE-----', 1)
parts[0] += '-----END CERTIFICATE-----'
else:
parts = string.split(Certificate.separator, 1)
- self.x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, parts[0])
+ self.x509 = OpenSSL.crypto.load_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, parts[0])
if self.x509 is None:
- logger.warn("Loaded from string but cert is None: {}".format(string))
+ logger.warn(
+ "Loaded from string but cert is None: {}".format(string))
# if there are more certs, then create a parent and let the parent load
# itself from the remainder of the string
if self.x509 is None:
logger.warn("None cert in certificate.save_to_string")
return ""
- string = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, self.x509)
+ string = OpenSSL.crypto.dump_certificate(
+ OpenSSL.crypto.FILETYPE_PEM, self.x509)
if PY3 and isinstance(string, bytes):
string = string.decode()
if save_parents and self.parent:
# let's try to make this a little more usable as is makes logs hairy
# FIXME: Consider adding 'urn:publicid' and 'uuid' back for GENI?
pretty_fields = ['email']
+
def filter_chunk(self, chunk):
for field in self.pretty_fields:
if field in chunk:
- return " "+chunk
+ return " " + chunk
def pretty_cert(self):
message = "[Cert."
x = self.x509.get_subject()
ou = getattr(x, "OU")
- if ou: message += " OU: {}".format(ou)
+ if ou:
+ message += " OU: {}".format(ou)
cn = getattr(x, "CN")
- if cn: message += " CN: {}".format(cn)
+ if cn:
+ message += " CN: {}".format(cn)
data = self.get_data(field='subjectAltName')
if data:
message += " SubjectAltName:"
counter = 0
filtered = [self.filter_chunk(chunk) for chunk in data.split()]
- message += " ".join( [f for f in filtered if f])
+ message += " ".join([f for f in filtered if f])
omitted = len([f for f in filtered if not f])
if omitted:
message += "..+{} omitted".format(omitted)
else:
self.add_extension('basicConstraints', 1, 'CA:FALSE')
-
-
##
# Add an X509 extension to the certificate. Add_extension can only be called
# once for a particular extension name, due to limitations in the underlying
return self.data[field]
##
- # Sign the certificate using the issuer private key and issuer subject previous set with set_issuer().
+ # Sign the certificate using the issuer private key and issuer subject
+ # previous set with set_issuer().
def sign(self):
logger.debug('certificate.sign')
# @param Trusted_certs is a list of certificates that are trusted.
#
- def verify_chain(self, trusted_certs = None):
+ def verify_chain(self, trusted_certs=None):
# Verify a chain of certificates. Each certificate must be signed by
# the public key contained in it's parent. The chain is recursed
# until a certificate is found that is signed by a trusted root.
if debug_verify_chain:
logger.debug("verify_chain: NO. Cert {} is signed by trusted_cert {}, "
"but that signer is expired..."
- .format(self.pretty_name(),trusted_cert.pretty_name()))
+ .format(self.pretty_cert(), trusted_cert.pretty_cert()))
raise CertExpired("{} signer trusted_cert {}"
.format(self.pretty_name(), trusted_cert.pretty_name()))
else:
return
- ### more introspection
+ # more introspection
def get_extensions(self):
import M2Crypto
# pyOpenSSL does not have a way to get extensions
logger.debug("X509 had {} extensions".format(nb_extensions))
for i in range(nb_extensions):
ext = m2x509.get_ext_at(i)
- triples.append( (ext.get_name(), ext.get_value(), ext.get_critical(),) )
+ triples.append(
+ (ext.get_name(), ext.get_value(), ext.get_critical(),))
return triples
def get_data_names(self):
def get_all_datas(self):
triples = self.get_extensions()
for name in self.get_data_names():
- triples.append( (name,self.get_data(name),'data',) )
+ triples.append((name, self.get_data(name), 'data',))
return triples
# only informative
def get_filename(self):
- return getattr(self,'filename',None)
+ return getattr(self, 'filename', None)
def dump(self, *args, **kwargs):
print(self.dump_string(*args, **kwargs))
git://git.onelab.eu / sfa.git / blobdiff