From: Scott Baker

The cert Module

Geniwrapper uses two crypto libraries, pyOpenSSL and M2Crypto, to implement
the necessary crypto functionality. Ideally just one of these libraries
would be used, but unfortunately each of these libraries is independently
lacking. The pyOpenSSL library is missing many necessary functions, and
the M2Crypto library has crashed inside of some of the functions. The
design decision is to use pyOpenSSL whenever possible, as it seems more
stable, and only use M2Crypto for those functions that are not possible
in pyOpenSSL.

This module exports two classes: Keypair and Certificate. The Certificate
class implements a general purpose X509 certificate, making use of the
appropriate pyOpenSSL or M2Crypto abstractions. For more information about
this class, see The Certificate Class. Public-private key pairs are
implemented by the Keypair class. For more information about this class,
see The Keypair Class.

The Certificate Class

The Certificate class implements a general purpose X509 certificate, making
use of the appropriate pyOpenSSL or M2Crypto abstractions. It also adds
several additional features, such as the ability to maintain a chain of
parent certificates, and storage of application-specific data.

Certificates include the ability to maintain a chain of parents. Each
certificate includes a pointer to its parent certificate. When loaded
from a file or a string, the parent chain will be automatically loaded.
When saving a certificate to a file or a string, the caller can choose
whether to save the parent certificates as well.

Methods of the Certificate class:

- Create a certificate object.
- Add an X509 extension to the certificate. add_extension can only be called
  once for a particular extension name, due to limitations in the underlying
  library.
- Create a blank X509 certificate and store it in this object.
- Return the data string that was previously set with set_data.
- Get an X509 extension from the certificate.
- Get the issuer name.
- Return the certificate object of the parent of this certificate.
- Get the public key of the certificate. It is returned in the form of a
  Keypair object.
- Get the subject name of the certificate.
- Return True if pkey is identical to the public key that is contained in the
  certificate.
- Given a certificate cert, verify that this certificate was signed by the
  public key contained in cert. Throw an exception otherwise.
- Load the certificate from a file.
- Given a pyOpenSSL X509 object, store that object inside of this certificate
  object.
- Load the certificate from a string.
- Save the certificate to a file.
- Save the certificate to a string.
- set_data is a wrapper around add_extension. It stores the parameter str in
  the X509 subjectAltName extension. set_data can only be called once, due
  to limitations in the underlying library.
- Set the issuer private key and name.
- Set the parent certificate.
- Get the public key of the certificate.
- Set the subject name of the certificate.
- Sign the certificate using the issuer private key and issuer subject
  previously set with set_issuer().
- Verify the authenticity of a certificate. Verification examines a chain of
  certificates to ensure that each parent signs the child, and that some
  certificate in the chain is signed by a trusted certificate.

Verification is a basic recursion:

    if this_certificate was signed by trusted_certs:
        return
    else:
        return verify_chain(parent, trusted_certs)

At each recursion, the parent is tested to ensure that it did sign the
child. If a parent did not sign a child, then an exception is thrown. If
the bottom of the recursion is reached and the certificate does not match
a trusted root, then an exception is thrown.
The Keypair Class

Public-private key pairs are implemented by the Keypair class. A Keypair
object may represent both a public and private key pair, or it may
represent only a public key (this usage is consistent with OpenSSL).

Methods of the Keypair class:

- Create a Keypair object.
- Return the private key in PEM format.
- Create an RSA public/private key pair and store it inside the Keypair
  object.
- Return an OpenSSL pkey object.
- Given another Keypair object, return True if the two keys are the same.
- Load the private key from a file. Implicitly, the private key includes the
  public key.
- Load the private key from a string. Implicitly, the private key includes
  the public key.
- Load the public key from a string. No private key is loaded.
- Load the public key from a string. No private key is loaded.
- Save the private key to a file.
The Credential Module

Implements Geni Credentials.

Credentials are layered on top of certificates, and are essentially a
certificate that stores a tuple of parameters. For more information about
this class, see The Credential Class.

The Credential Class

Credential is a tuple:

    (GIDCaller, GIDObject, LifeTime, Privileges, Delegate)

These fields are encoded using xmlrpc into the subjectAltName field of the
x509 certificate. Note: Call encode() once the fields have been filled in
to perform this encoding.

Methods of the Credential class:

- Create a Credential object.
- Determine whether the credential allows a particular operation to be
  performed.
- Retrieve the attributes of the credential from the subjectAltName field
  of the X509 certificate. This is automatically done by the various
  get_* methods of this class and should not need to be called explicitly.
- Dump the contents of a credential to stdout in human-readable format.
- Encode the attributes of the credential into a string and store that
  string in the subjectAltName field of the X509 object. This should be
  done immediately before signing the credential.
- Get the delegate bit.
- Get the GID of the object.
- Get the GID of the object.
- Get the lifetime of the credential.
- Return the privileges as a RightList object.
- Set the delegate bit.
- Set the GID of the caller.
- Set the GID of the object.
- Set the lifetime of this credential.
- Set the privileges.
- Verify that a chain of credentials is valid (see cert.py:verify). In
  addition to the checks for ordinary certificates, verification also
  ensures that the delegate bit was set by each parent in the chain. If
  a delegate bit was not set, then an exception is thrown.
The GID Module

Implements GENI GID. GIDs are based on certificates, and the GID class is a
descendant of the Certificate class. For more information about this class,
see The GID Class.

The module also provides a utility function, create_uuid(), which creates a
new uuid and returns it as a string.

The GID Class

GID is a tuple:

    (uuid, hrn, public_key)

UUID is a unique identifier and is created by the python uuid module
(or the utility function create_uuid() in gid.py).

HRN is a human readable name. It is a dotted form similar to a backward
domain name. For example, planetlab.us.arizona.bakers.

PUBLIC_KEY is the public key of the principal identified by the UUID/HRN.
It is a Keypair object as defined in the cert.py module.

It is expected that there is a one-to-one pairing between UUIDs and HRNs,
but it is uncertain how this would be enforced or if it needs to be enforced.

These fields are encoded using xmlrpc into the subjectAltName field of the
x509 certificate. Note: Call encode() once the fields have been filled in
to perform this encoding.

Methods of the GID class:

- Create a new GID object.
- Decode the subjectAltName field of the X509 certificate into the fields of
  the GID. This is automatically called by the various get_*() functions in
  this class.
- Dump the credential to stdout.
- Encode the GID fields and package them into the subjectAltName field of
  the X509 certificate. This must be called prior to signing the
  certificate. It may only be called once per certificate.
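The encode/decode scheme shared by the Credential and GID classes, as an added example that is not Geniwrapper's own credential.py or gid.py: a base class packs the declared tuple fields with xmlrpc marshalling into a plain string that stands in for the certificate's subjectAltName extension, enforces the encode-once rule, and decodes lazily on the first get(). The EncodedCert base class, its set/get methods and the string stand-in for the extension are assumptions of this example.

```python
import uuid
import xmlrpc.client


class EncodedCert:
    """Subclasses name their tuple fields, in order, in FIELDS. subject_alt_name
    is a plain string standing in for the certificate's subjectAltName extension."""
    FIELDS = ()

    def __init__(self, subject_alt_name=None):
        self.subject_alt_name = subject_alt_name
        self.values = dict.fromkeys(self.FIELDS)
        self.decoded = subject_alt_name is None  # a fresh object needs no decode

    def set(self, field, value):
        self.values[field] = value

    def get(self, field):
        # Like the get_*() methods: decode on first read, not on construction.
        if not self.decoded:
            self.decode()
        return self.values[field]

    def encode(self):
        # Done once, immediately before signing: the extension can be set once.
        if self.subject_alt_name is not None:
            raise RuntimeError("encode() may only be called once per certificate")
        params = tuple(self.values[f] for f in self.FIELDS)
        self.subject_alt_name = xmlrpc.client.dumps(params, allow_none=True)

    def decode(self):
        params, _method = xmlrpc.client.loads(self.subject_alt_name)
        self.values = dict(zip(self.FIELDS, params))
        self.decoded = True


class Credential(EncodedCert):
    # (GIDCaller, GIDObject, LifeTime, Privileges, Delegate); privileges travel
    # as the comma-separated string a RightList saves to.
    FIELDS = ("gid_caller", "gid_object", "lifetime", "privileges", "delegate")


class GID(EncodedCert):
    # (uuid, hrn, public_key); the Keypair is carried as its PEM text here.
    FIELDS = ("uuid", "hrn", "public_key")


def create_uuid():
    """Same role as the gid.py helper described above: a new UUID as a string."""
    return str(uuid.uuid4())
```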
Verifying a GID checks its chain of authenticity. First the checks of the
Certificate class are performed (verifying that each parent signs the child,
etc.). In addition, GIDs also confirm that the parent's HRN is a prefix of
the child's HRN.

Verifying these prefixes prevents a rogue authority from signing a GID for a
principal that is not a member of that authority. For example,
planetlab.us.arizona cannot sign a GID for planetlab.us.princeton.foo.
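The chain walk used by all three classes, as an added example that is not Geniwrapper's cert.py, credential.py or gid.py: verify_chain implements the cert module recursion described above, with the credential delegate-bit rule and the GID HRN-prefix rule plugged in as extra per-link checks. The Node class and its HMAC-based signed_by are constructed stand-ins for pyOpenSSL X509 objects and real signature verification.

```python
import hashlib
import hmac


class Node:
    """A certificate in a chain: HRN, signing secret, delegate bit, parent, signature."""

    def __init__(self, hrn, secret, parent=None, delegate=True):
        self.hrn, self.secret, self.parent, self.delegate = hrn, secret, parent, delegate
        self.sig = b""  # unsigned until sign() is called

    def _payload(self):
        return ("%s|%d" % (self.hrn, self.delegate)).encode()

    def sign(self, issuer_secret):
        self.sig = hmac.new(issuer_secret, self._payload(), hashlib.sha256).digest()

    def signed_by(self, issuer):
        # Constructed stand-in for checking an X509 signature with the issuer's key.
        expected = hmac.new(issuer.secret, self._payload(), hashlib.sha256).digest()
        return hmac.compare_digest(self.sig, expected)


def verify_chain(cert, trusted_certs, extra_check=None):
    """The cert module recursion: done once a trusted cert signed this one;
    otherwise the parent must have signed it and the walk moves to the parent."""
    if any(cert.signed_by(t) for t in trusted_certs):
        return True
    parent = cert.parent
    if parent is None:
        raise ValueError("%s: chain ended without reaching a trusted root" % cert.hrn)
    if not cert.signed_by(parent):
        raise ValueError("%s was not signed by its parent %s" % (cert.hrn, parent.hrn))
    if extra_check is not None:
        extra_check(cert, parent)  # class-specific rule for this link
    return verify_chain(parent, trusted_certs, extra_check)


def credential_check(child, parent):
    # Credential rule: each parent in the chain must have set the delegate bit.
    if not parent.delegate:
        raise ValueError("%s did not set the delegate bit" % parent.hrn)


def gid_check(child, parent):
    # GID rule: parent HRN is a prefix of the child HRN, compared per dotted component.
    parent_parts = parent.hrn.split(".")
    if child.hrn.split(".")[: len(parent_parts)] != parent_parts:
        raise ValueError("%s is not under authority %s" % (child.hrn, parent.hrn))
```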
The Rights Module

This module implements rights and lists of rights for the Geni wrapper.
Rights are implemented by two classes:

    Right - represents a single right
    RightList - represents a list of rights

A right may allow several different operations. For example, the "info"
right allows "listslices", "listcomponentresources", etc.

privilege_table is a list of privileges and what operations are allowed
per privilege.

The Right class represents a single privilege. For more information about
this class, see The Right Class. A RightList object represents a list of
privileges. For more information about this class, see The RightList Class.

The Right Class

The Right class represents a single privilege.

Methods of the Right class:

- Test to see if this Right object is allowed to perform an operation.
  Returns True if the operation is allowed, False otherwise.
- Test to see if this right is a superset of a child right. A right is a
  superset if every operation that is allowed by the child is also allowed
  by this object.

The RightList Class

A RightList object represents a list of privileges.

Methods of the RightList class:

- Add a right to this list.
- Check to see if some right in this list allows an operation. This is
  done by evaluating the can_perform function of each right in the list.
- Check to see if all of the rights in this RightList are a superset of all
  the rights in a child RightList. A RightList is a superset if there is no
  operation in the child RightList that cannot be performed in the parent
  RightList.
- Load the RightList object from a string.
- Save the RightList object to a string. It is saved in the format of a
  comma-separated list.
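The Right and RightList semantics described above in working code, as an added example that is not Geniwrapper's own rights.py. The privilege_table here is constructed for the example; only the "info" entry's operations come from this page, and the method names are assumptions.

```python
# privilege_table maps a privilege name to the operations it allows.
# CONSTRUCTED for this example; only the "info" entry comes from the page.
privilege_table = {
    "info": ["listslices", "listcomponentresources"],
    "resolve": ["resolve", "list"],
    "control": ["start", "stop", "reset"],
}


class Right:
    """A single privilege, which may allow several operations."""

    def __init__(self, kind):
        self.kind = kind

    def can_perform(self, op_name):
        # A privilege name missing from the table allows nothing.
        return op_name in privilege_table.get(self.kind, [])

    def is_superset(self, child):
        # Every operation the child allows must also be allowed here.
        return all(self.can_perform(op) for op in privilege_table.get(child.kind, []))


class RightList:
    """A list of Right objects; saved and loaded as a comma-separated string."""

    def __init__(self):
        self.rights = []

    def add(self, right):
        self.rights.append(right if isinstance(right, Right) else Right(right))

    def can_perform(self, op_name):
        # Some right in the list must allow the operation.
        return any(r.can_perform(op_name) for r in self.rights)

    def is_superset(self, child):
        # No operation of the child list may be one this list cannot perform.
        for child_right in child.rights:
            for op in privilege_table.get(child_right.kind, []):
                if not self.can_perform(op):
                    return False
        return True

    def save_to_string(self):
        return ",".join(r.kind for r in self.rights)

    def load_from_string(self, s):
        self.rights = [Right(name.strip()) for name in s.split(",") if name.strip()]
```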