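    def verify_chain(self, trusted_certs=None):
        """Verify this certificate's chain up to a trusted root.

        Each certificate must be signed by the public key in its parent; the
        chain is walked recursively through ``self.parent`` until a
        certificate is found that is signed by one of ``trusted_certs``.

        Args:
            trusted_certs: iterable of trusted root certificate objects (same
                class as ``self``).  ``None`` is treated as an empty trust
                store -- nothing is trusted implicitly, so such a call can
                only end in ``CertMissingParent`` or a raised error.

        Returns:
            The trusted cert that anchors the chain when this certificate is
            directly signed by a non-expired trusted cert; otherwise ``None``
            once the parent chain has verified without raising.

        Raises:
            CertExpired: this certificate is past its expiry.
            CertMissingParent: no trusted signer and no parent to recurse to.
            CertNotSignedByParent: the parent does not sign this certificate.
            Anything the recursive ``verify_chain`` on the parent raises.

        NOTE(review): ``has_expired()`` only covers the end of the validity
        period; a not-yet-valid certificate is not rejected here, and no
        CA/basicConstraints check is made on the parent -- confirm whether
        ``is_signed_by_cert`` covers that.
        """
        # Expired leaf certs are rejected before any signature work.
        if self.cert.has_expired():
            raise CertExpired(self.get_subject(), "client cert")

        # An absent trust store must neither crash (iterating None) nor be
        # read as "trust everything": it is simply empty.
        if trusted_certs is None:
            trusted_certs = []

        # Direct signature by a non-expired trusted cert anchors the chain.
        for trusted_cert in trusted_certs:
            if not self.is_signed_by_cert(trusted_cert):
                continue
            logger.debug("Cert %s signed by trusted cert %s",
                         self.get_subject(), trusted_cert.get_subject())
            if trusted_cert.cert.has_expired():
                # An expired root is not a valid anchor; keep looking.
                logger.debug("Trusted cert %s is expired",
                             trusted_cert.get_subject())
                continue
            return trusted_cert

        # No trusted signer and nowhere left to recurse: chain is broken.
        if not self.parent:
            raise CertMissingParent(self.get_subject())

        # This must *raise*, not return: returning the exception object would
        # make the call complete normally, i.e. a cert that is not signed by
        # its parent would pass verification.
        if not self.is_signed_by_cert(self.parent):
            raise CertNotSignedByParent(self.get_subject())

        # Walk up: the parent must itself chain to a trusted root (it raises
        # on failure, so reaching the return below means success).
        self.parent.verify_chain(trusted_certs)

        return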
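    def verify_chain(self, trusted_certs = None):
        """Verify this certificate's chain up to a trusted root.

        Each certificate must be signed by the public key in its parent; the
        chain is walked recursively through ``self.parent`` until a
        certificate is found that is signed by one of ``trusted_certs``.

        Args:
            trusted_certs: iterable of trusted root certificate objects (same
                class as ``self``).  ``None`` is treated as an empty trust
                store -- nothing is trusted implicitly, so such a call can
                only end in ``CertMissingParent`` or a raised error.

        Returns:
            The trusted cert that anchors the chain when this certificate is
            directly signed by a non-expired trusted cert; otherwise ``None``
            once the parent chain has verified without raising.

        Raises:
            CertExpired: this certificate is past its expiry.
            CertMissingParent: no trusted signer and no parent to recurse to.
            CertNotSignedByParent: the parent does not sign this certificate.
            Anything the recursive ``verify_chain`` on the parent raises.

        NOTE(review): ``has_expired()`` only covers the end of the validity
        period; a not-yet-valid certificate is not rejected here, and no
        CA/basicConstraints check is made on the parent -- confirm whether
        ``is_signed_by_cert`` covers that.
        """
        # Expired leaf certs are rejected before any signature work.
        if self.cert.has_expired():
            raise CertExpired(self.get_subject(), "client cert")

        # An absent trust store must neither crash (iterating None) nor be
        # read as "trust everything": it is simply empty.
        if trusted_certs is None:
            trusted_certs = []

        # Direct signature by a non-expired trusted cert anchors the chain.
        for trusted_cert in trusted_certs:
            if not self.is_signed_by_cert(trusted_cert):
                continue
            logger.debug("Cert %s signed by trusted cert %s", self.get_subject(), trusted_cert.get_subject())
            if trusted_cert.cert.has_expired():
                # An expired root is not a valid anchor; keep looking.
                logger.debug("Trusted cert %s is expired", trusted_cert.get_subject())
                continue
            return trusted_cert

        # No trusted signer and nowhere left to recurse: chain is broken.
        if not self.parent:
            raise CertMissingParent(self.get_subject())

        # This must *raise*, not return: returning the exception object would
        # make the call complete normally, i.e. a cert that is not signed by
        # its parent would pass verification.
        if not self.is_signed_by_cert(self.parent):
            raise CertNotSignedByParent(self.get_subject())

        # Walk up: the parent must itself chain to a trusted root (it raises
        # on failure, so reaching the return below means success).
        self.parent.verify_chain(trusted_certs)

        return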
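 def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None):
     """Build a GID: a ``Certificate`` plus the identity fields it carries.

     Args:
         create, subject, string, filename: passed straight through to
             ``Certificate.__init__``.
         uuid: optional identifier, coerced with ``int()`` (a non-numeric
             value raises ``ValueError``).
         hrn: human-readable name; when given, ``self.urn`` is derived from
             it with the ``'unknown'`` type.
         urn: when given it is stored as ``self.urn`` and ``self.hrn`` is
             recovered from it, overriding anything set from ``hrn`` above.

     Only truthy values are applied: ``0``, ``''`` or ``None`` leave the
     corresponding attribute untouched.
     """
     Certificate.__init__(self, create, subject, string, filename)
     if subject:
         logger.debug("Creating GID for subject: %s" % subject)
     if uuid:
         self.uuid = int(uuid)
     if hrn:
         self.hrn = hrn
         self.urn = hrn_to_urn(hrn, 'unknown')
     if urn:
         self.urn = urn
         # The type returned alongside the HRN is discarded; the local is
         # named so that it no longer shadows the builtin ``type``.
         self.hrn, _urn_type = urn_to_hrn(urn)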
    def verify(self, trusted_certs):
        """Verify this credential against a set of trusted root cert files.

        ``trusted_certs`` is an iterable of file paths; each one is loaded as
        a ``GID``.  A file that fails to load (unreadable, not PEM, ...) is
        logged at error level and skipped rather than aborting, so one bad
        file in the trust store shrinks the set of anchors instead of
        breaking verification outright.

        NOTE(review): the listing appears to stop right after the trust
        store is loaded -- ``trusted_cert_objects`` and ``ok_trusted_certs``
        are built but not used in the lines shown, so the actual signature
        verification presumably follows in the original file.
        """
        # Decode lazily; the rest of the method presumably works on self.xml.
        if not self.xml:
            self.decode()

#        trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
        trusted_cert_objects = []
        ok_trusted_certs = []
        for f in trusted_certs:
            try:
                # Failures here include unreadable files
                # or non PEM files
                trusted_cert_objects.append(GID(filename=f))
                ok_trusted_certs.append(f)
            except Exception, exc:
                # Broad catch is deliberate (best-effort load of the trust
                # store), but it is logged loudly.
                # NOTE(review): format_exc's argument is a frame *limit*, not
                # an exception; passing exc here is probably unintended --
                # logger.exception(...) would be the idiom.
                import traceback
                logger.error("Failed to load trusted cert from %s: %r", f, exc)
                logger.debug(traceback.format_exc(exc))
    def verify(self, trusted_certs):
        """Verify this credential against a set of trusted root cert files.

        ``trusted_certs`` is an iterable of file paths; each one is loaded as
        a ``GID``.  A file that fails to load (unreadable, not PEM, ...) is
        logged at error level and skipped rather than aborting, so one bad
        file in the trust store shrinks the set of anchors instead of
        breaking verification outright.

        NOTE(review): the listing appears to stop right after the trust
        store is loaded -- ``trusted_cert_objects`` and ``ok_trusted_certs``
        are built but not used in the lines shown, so the actual signature
        verification presumably follows in the original file.
        """
        # Decode lazily; the rest of the method presumably works on self.xml.
        if not self.xml:
            self.decode()        

#        trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
        trusted_cert_objects = []
        ok_trusted_certs = []
        for f in trusted_certs:
            try:
                # Failures here include unreadable files
                # or non PEM files
                trusted_cert_objects.append(GID(filename=f))
                ok_trusted_certs.append(f)
            except Exception, exc:
                # Broad catch is deliberate (best-effort load of the trust
                # store), but it is logged loudly.
                # NOTE(review): format_exc's argument is a frame *limit*, not
                # an exception; passing exc here is probably unintended --
                # logger.exception(...) would be the idiom.
                import traceback
                logger.error("Failed to load trusted cert from %s: %r", f, exc)
                logger.debug(traceback.format_exc(exc))
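    def __init__(self,
                 create=False,
                 subject=None,
                 string=None,
                 filename=None,
                 uuid=None,
                 hrn=None,
                 urn=None):
        """Build a GID: a ``Certificate`` plus the identity fields it carries.

        Args:
            create, subject, string, filename: passed straight through to
                ``Certificate.__init__``.
            uuid: optional identifier, coerced with ``int()`` (a non-numeric
                value raises ``ValueError``).
            hrn: human-readable name; when given, ``self.urn`` is derived
                from it with the ``'unknown'`` type.
            urn: when given it is stored as ``self.urn`` and ``self.hrn`` is
                recovered from it, overriding anything set from ``hrn``.

        Only truthy values are applied: ``0``, ``''`` or ``None`` leave the
        corresponding attribute untouched.
        """
        Certificate.__init__(self, create, subject, string, filename)
        if subject:
            logger.debug("Creating GID for subject: %s" % subject)
        if uuid:
            self.uuid = int(uuid)
        if hrn:
            self.hrn = hrn
            self.urn = hrn_to_urn(hrn, 'unknown')
        if urn:
            self.urn = urn
            # The type returned alongside the HRN is discarded; the local is
            # named so that it no longer shadows the builtin ``type``.
            self.hrn, _urn_type = urn_to_hrn(urn)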
    def load_from_string(self, string):
        """Load this certificate, and any chained parents, from a PEM string.

        The first PEM block in ``string`` becomes ``self.cert``.  Whatever
        follows it -- after ``Certificate.separator`` (the ``---parent---``
        convention) or, for a plain concatenated chain, after the first
        ``-----END CERTIFICATE-----`` -- is handed to a freshly created
        object of the same class, stored as ``self.parent``, which loads
        itself the same way.  A bare base64 body with no BEGIN marker is
        wrapped in BEGIN/END first; leading junk before the first BEGIN is
        discarded.

        This only *parses*; no signature or validity check happens here.
        Raises whatever ``crypto.load_certificate`` raises on malformed PEM.

        NOTE(review): recursion depth equals the number of certificates in
        the chain, so an attacker-supplied chain of thousands of certs will
        hit the interpreter recursion limit rather than a clean error.
        """
        string = string.strip()

        begin_marker = '-----BEGIN CERTIFICATE'
        end_marker = '-----END CERTIFICATE-----'

        # No BEGIN marker anywhere: treat the whole thing as a bare body.
        if begin_marker not in string:
            string = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' % string
            logger.debug("Wrapping string for cert in BEGIN/END")

        # Drop anything that precedes the first BEGIN marker.
        start = string.find(begin_marker)
        if start > 0:
            logger.debug(
                "Skipping non PEM start of cert from string ('%s ...\n... %s'). Skipping to char #%d",
                string[:25], string[start - 15:start], start)
            string = string[start:]

        # Split the head certificate from the remainder of the chain.
        plain_chain = (string.count('-----BEGIN CERTIFICATE-----') > 1
                       and Certificate.separator not in string)
        if plain_chain:
            parts = string.split(end_marker, 1)
            parts[0] += end_marker
        else:
            parts = string.split(Certificate.separator, 1)

        self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, parts[0])

        # Remaining text, if any, is the parent's (and its ancestors') PEM.
        remainder = parts[1] if len(parts) > 1 else ''
        if remainder != '':
            self.parent = self.__class__()
            self.parent.load_from_string(remainder)
    def load_from_string(self, string):
        """Load this certificate, and any chained parents, from a PEM string.

        The first PEM block in ``string`` becomes ``self.cert``.  Whatever
        follows it -- after ``Certificate.separator`` (the ``---parent---``
        convention) or, for a plain concatenated chain, after the first
        ``-----END CERTIFICATE-----`` -- is handed to a freshly created
        object of the same class, stored as ``self.parent``, which loads
        itself the same way.  A bare base64 body with no BEGIN marker is
        wrapped in BEGIN/END first; leading junk before the first BEGIN is
        discarded.

        This only *parses*; no signature or validity check happens here.
        Raises whatever ``crypto.load_certificate`` raises on malformed PEM.

        NOTE(review): recursion depth equals the number of certificates in
        the chain, so an attacker-supplied chain of thousands of certs will
        hit the interpreter recursion limit rather than a clean error.
        """
        string = string.strip()

        begin_marker = '-----BEGIN CERTIFICATE'
        end_marker = '-----END CERTIFICATE-----'

        # No BEGIN marker anywhere: treat the whole thing as a bare body.
        if begin_marker not in string:
            string = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' % string
            logger.debug("Wrapping string for cert in BEGIN/END")

        # Drop anything that precedes the first BEGIN marker.
        start = string.find(begin_marker)
        if start > 0:
            logger.debug("Skipping non PEM start of cert from string ('%s ...\n... %s'). Skipping to char #%d", string[:25], string[start-15:start], start)
            string = string[start:]

        # Split the head certificate from the remainder of the chain.
        plain_chain = (string.count('-----BEGIN CERTIFICATE-----') > 1
                       and Certificate.separator not in string)
        if plain_chain:
            parts = string.split(end_marker, 1)
            parts[0] += end_marker
        else:
            parts = string.split(Certificate.separator, 1)

        self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, parts[0])

        # Remaining text, if any, is the parent's (and its ancestors') PEM.
        remainder = parts[1] if len(parts) > 1 else ''
        if remainder != '':
            self.parent = self.__class__()
            self.parent.load_from_string(remainder)