def _checkCertificate(self, txn, certPem):
if type(certPem) not in [str, unicode]:
raise Exception(URI_ERROR + "illegal-argument", "Expected type str/unicode for agument certPem, but got %s" % str(type(certPem)))
try:
(cert, cert_text) = unpack_certificate(str(certPem))
except Exception, e:
raise Exception(URI_ERROR + "invalid-certificate", "Could not analyze X509 certificate (%s)" % str(e), str(e))
def _setServiceKeyCertificate(self, txn, serviceKeyUri, certPem):
if type(serviceKeyUri) not in [str, unicode]:
raise Exception(URI_ERROR + "illegal-argument", "Expected type str/unicode for agument serviceKeyUri, but got %s" % str(type(serviceKeyUri)))
uri = self.proto.resolveOrPass(serviceKeyUri)
id = self.proto.uriToId(uri)
txn.execute("SELECT key_fingerprint, cert_fingerprint FROM servicekey WHERE id = ?", [id])
res = txn.fetchone()
if res is not None:
try:
(cert, cert_text) = unpack_certificate(str(certPem))
except Exception, e:
raise Exception(URI_ERROR + "invalid-certificate", "Could analyze X509 certificate (%s)" % str(e), str(e))
else:
## check that certificate matches service key
##
fp = cert["public-key"]["fingerprint"]
if res[0] != fp:
raise Exception(URI_ERROR + "certificate-does-not-match", "Certificate subject public key does not match service key.")
## certificate unchanged
##
if res[1] == cert["fingerprint"]:
return {}
## determine changed/effected services
##
(etls, ctls) = self._getAffectedServices(id)
restartRequired = True if len(etls) > 0 else False
now = utcnow()
txn.execute("UPDATE servicekey SET modified = ?, cert = ?, cert_text = ?, cert_fingerprint = ?, is_cert_selfsigned = ? WHERE id = ?",
[now,
certPem,
cert["text"],
cert["fingerprint"],
cert["is-selfsigned"],
id])
if restartRequired:
reactor.callLater(1, self.proto.restartHub)
delta = {}
delta["modified"] = now
delta["uri"] = uri
delta["certificate"] = cert
self.proto.dispatch(URI_EVENT + "on-servicekey-modified", delta, [self.proto])
delta["uri"] = self.proto.shrink(uri)
return delta
def _checkCertificate(self, txn, certPem):
if type(certPem) not in [str, unicode]:
raise Exception(
URI_ERROR + "illegal-argument",
"Expected type str/unicode for agument certPem, but got %s" %
str(type(certPem)))
try:
(cert, cert_text) = unpack_certificate(str(certPem))
except Exception, e:
raise Exception(URI_ERROR + "invalid-certificate",
"Could not analyze X509 certificate (%s)" % str(e),
str(e))
def _getServiceKeys(self, txn):
txn.execute("SELECT id, created, modified, label, key_pub, key_length, key_fingerprint, cert FROM servicekey ORDER BY label ASC, key_fingerprint ASC")
sks = []
res = txn.fetchall()
for r in res:
try:
(cert, cert_text) = unpack_certificate(str(r[7]))
except:
(cert, cert_text) = (None, "")
sk = {"uri": self.proto.shrink(URI_SERVICEKEY + r[0]),
"created": r[1],
"modified": r[2],
"label": r[3],
"public": r[4],
"length": r[5],
"fingerprint": r[6],
"certificate": cert,
"certificate-text": cert_text}
sks.append(sk)
return sks
def _getServiceKeys(self, txn):
txn.execute(
"SELECT id, created, modified, label, key_pub, key_length, key_fingerprint, cert FROM servicekey ORDER BY label ASC, key_fingerprint ASC"
)
sks = []
res = txn.fetchall()
for r in res:
try:
(cert, cert_text) = unpack_certificate(str(r[7]))
except:
(cert, cert_text) = (None, "")
sk = {
"uri": self.proto.shrink(URI_SERVICEKEY + r[0]),
"created": r[1],
"modified": r[2],
"label": r[3],
"public": r[4],
"length": r[5],
"fingerprint": r[6],
"certificate": cert,
"certificate-text": cert_text
}
sks.append(sk)
return sks
def _setServiceKeyCertificate(self, txn, serviceKeyUri, certPem):
if type(serviceKeyUri) not in [str, unicode]:
raise Exception(
URI_ERROR + "illegal-argument",
"Expected type str/unicode for agument serviceKeyUri, but got %s"
% str(type(serviceKeyUri)))
uri = self.proto.resolveOrPass(serviceKeyUri)
id = self.proto.uriToId(uri)
txn.execute(
"SELECT key_fingerprint, cert_fingerprint FROM servicekey WHERE id = ?",
[id])
res = txn.fetchone()
if res is not None:
try:
(cert, cert_text) = unpack_certificate(str(certPem))
except Exception, e:
raise Exception(URI_ERROR + "invalid-certificate",
"Could analyze X509 certificate (%s)" % str(e),
str(e))
else:
## check that certificate matches service key
##
fp = cert["public-key"]["fingerprint"]
if res[0] != fp:
raise Exception(
URI_ERROR + "certificate-does-not-match",
"Certificate subject public key does not match service key."
)
## certificate unchanged
##
if res[1] == cert["fingerprint"]:
return {}
## determine changed/effected services
##
(etls, ctls) = self._getAffectedServices(id)
restartRequired = True if len(etls) > 0 else False
now = utcnow()
txn.execute(
"UPDATE servicekey SET modified = ?, cert = ?, cert_text = ?, cert_fingerprint = ?, is_cert_selfsigned = ? WHERE id = ?",
[
now, certPem, cert["text"], cert["fingerprint"],
cert["is-selfsigned"], id
])
if restartRequired:
reactor.callLater(1, self.proto.restartHub)
delta = {}
delta["modified"] = now
delta["uri"] = uri
delta["certificate"] = cert
self.proto.dispatch(URI_EVENT + "on-servicekey-modified",
delta, [self.proto])
delta["uri"] = self.proto.shrink(uri)
return delta
def _importServiceKeys(self, txn, removeImported):
## filled with imported keys
##
svckeys = []
## look in keys/certs import directory
##
import_dir = str(
self.proto.factory.services["config"].get("import-dir"))
if os.path.isdir(import_dir):
log.msg("service key/cert import: walking import directory %s" %
import_dir)
for root, dirs, files in os.walk(import_dir):
for f in files:
filename = os.path.join(root, f)
ext = os.path.splitext(filename)[1][1:]
basename = os.path.splitext(os.path.basename(filename))[0]
if ext == 'key':
keyFile = filename
log.msg(
"service key/cert import: considering key file %s"
% keyFile)
## verify file actually is a RSA key
##
try:
key_pem = open(keyFile).read()
(key_pub_pem, key_length,
key_fingerprint) = check_rsa_key(key_pem)
except Exception, e:
log.msg(
"skipping key from file %s - invalid RSA key (%s)"
% (keyFile, e))
else:
## skip keys we already have
##
txn.execute(
"SELECT id FROM servicekey WHERE key_fingerprint = ?",
[key_fingerprint])
res = txn.fetchone()
if res is not None:
log.msg(
"skipping key from file %s already imported (fingerprint %s)"
% (keyFile, key_fingerprint))
else:
## check if we have a corresponding cert file
##
certFile = os.path.join(
os.path.dirname(filename),
basename + '.crt')
if not os.path.isfile(certFile):
log.msg(
"skipping key from file %s because cert file %s does not exist"
% (keyFile, certFile))
else:
try:
certPem = open(certFile).read()
(cert, cert_text
) = unpack_certificate(certPem)
except Exception, e:
log.msg(
"skipping cert from file %s - invalid RSA cert (%s)"
% (certFile, e))
else:
log.msg(
"importing key from file %s (fingerprint %s) and cert from file %s"
% (keyFile, key_fingerprint,
certFile))
id = newid()
svckey_uri = URI_SERVICEKEY + id
now = utcnow()
## Auto-generate label
##
key_label = basename + datetime.datetime.utcnow(
).strftime("_%Y%m%d_%H%M%S")
#key_label = basename
txn.execute(
"INSERT INTO servicekey (id, created, label, key_priv, key_pub, key_length, key_fingerprint, cert, cert_fingerprint) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
[
id,
now,
key_label,
key_pem,
key_pub_pem,
key_length,
key_fingerprint,
certPem,
cert['fingerprint'],
])
svckey = {
"uri": svckey_uri,
"created": now,
"label": key_label,
"length": key_length,
"fingerprint": key_fingerprint,
"public": key_pub_pem,
"certificate": cert,
"certificate-text": cert_text
}
self.proto.dispatch(
URI_EVENT +
"on-servicekey-created", svckey,
[])
svckey["uri"] = self.proto.shrink(
svckey_uri)
svckeys.append(svckey)
if removeImported:
os.remove(keyFile)
os.remove(certFile)
log.msg(
"removed imported key file %s and cert file %s"
% (keyFile, certFile))
def _importServiceKeys(self, txn, removeImported):
## filled with imported keys
##
svckeys = []
## look in keys/certs import directory
##
import_dir = str(self.proto.factory.services["config"].get("import-dir"))
if os.path.isdir(import_dir):
log.msg("service key/cert import: walking import directory %s" % import_dir)
for root, dirs, files in os.walk(import_dir):
for f in files:
filename = os.path.join(root, f)
ext = os.path.splitext(filename)[1][1:]
basename = os.path.splitext(os.path.basename(filename))[0]
if ext == 'key':
keyFile = filename
log.msg("service key/cert import: considering key file %s" % keyFile)
## verify file actually is a RSA key
##
try:
key_pem = open(keyFile).read()
(key_pub_pem, key_length, key_fingerprint) = check_rsa_key(key_pem)
except Exception, e:
log.msg("skipping key from file %s - invalid RSA key (%s)" % (keyFile, e))
else:
## skip keys we already have
##
txn.execute("SELECT id FROM servicekey WHERE key_fingerprint = ?", [key_fingerprint])
res = txn.fetchone()
if res is not None:
log.msg("skipping key from file %s already imported (fingerprint %s)" % (keyFile, key_fingerprint))
else:
## check if we have a corresponding cert file
##
certFile = os.path.join(os.path.dirname(filename), basename + '.crt')
if not os.path.isfile(certFile):
log.msg("skipping key from file %s because cert file %s does not exist" % (keyFile, certFile))
else:
try:
certPem = open(certFile).read()
(cert, cert_text) = unpack_certificate(certPem)
except Exception, e:
log.msg("skipping cert from file %s - invalid RSA cert (%s)" % (certFile, e))
else:
log.msg("importing key from file %s (fingerprint %s) and cert from file %s" % (keyFile, key_fingerprint, certFile))
id = newid()
svckey_uri = URI_SERVICEKEY + id
now = utcnow()
## Auto-generate label
##
key_label = basename + datetime.datetime.utcnow().strftime("_%Y%m%d_%H%M%S")
#key_label = basename
txn.execute("INSERT INTO servicekey (id, created, label, key_priv, key_pub, key_length, key_fingerprint, cert, cert_fingerprint) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
[id,
now,
key_label,
key_pem,
key_pub_pem,
key_length,
key_fingerprint,
certPem,
cert['fingerprint'],
])
svckey = {"uri": svckey_uri,
"created": now,
"label": key_label,
"length": key_length,
"fingerprint": key_fingerprint,
"public": key_pub_pem,
"certificate": cert,
"certificate-text": cert_text}
self.proto.dispatch(URI_EVENT + "on-servicekey-created", svckey, [])
svckey["uri"] = self.proto.shrink(svckey_uri)
svckeys.append(svckey)
if removeImported:
os.remove(keyFile)
os.remove(certFile)
log.msg("removed imported key file %s and cert file %s" % (keyFile, certFile))
