def _get_verifier(self, context, image_id, trusted_certs):
verifier = None
# Use the default certs if the user didn't provide any (and there are
# default certs configured).
if (not trusted_certs and CONF.glance.enable_certificate_validation
and CONF.glance.default_trusted_certificate_ids):
trusted_certs = objects.TrustedCerts(
ids=CONF.glance.default_trusted_certificate_ids)
# Verify image signature if feature is enabled or trusted
# certificates were provided
if trusted_certs or CONF.glance.verify_glance_signatures:
image_meta_dict = self.show(context,
image_id,
include_locations=False)
image_meta = objects.ImageMeta.from_dict(image_meta_dict)
img_signature = image_meta.properties.get('img_signature')
img_sig_hash_method = image_meta.properties.get(
'img_signature_hash_method')
img_sig_cert_uuid = image_meta.properties.get(
'img_signature_certificate_uuid')
img_sig_key_type = image_meta.properties.get(
'img_signature_key_type')
try:
verifier = signature_utils.get_verifier(
context=context,
img_signature_certificate_uuid=img_sig_cert_uuid,
img_signature_hash_method=img_sig_hash_method,
img_signature=img_signature,
img_signature_key_type=img_sig_key_type,
)
except cursive_exception.SignatureVerificationError:
with excutils.save_and_reraise_exception():
LOG.error(
'Image signature verification failed '
'for image: %s', image_id)
# Validate image signature certificate if trusted certificates
# were provided
# NOTE(jackie-truong): Certificate validation will occur if
# trusted_certs are provided, even if the certificate validation
# feature is disabled. This is to provide safety for the user.
# We may want to consider making this a "soft" check in the future.
if trusted_certs:
_verify_certs(context, img_sig_cert_uuid, trusted_certs)
elif CONF.glance.enable_certificate_validation:
msg = ('Image signature certificate validation enabled, '
'but no trusted certificate IDs were provided. '
'Unable to validate the certificate used to '
'verify the image signature.')
LOG.warning(msg)
raise exception.CertificateValidationFailed(msg)
else:
LOG.debug('Certificate validation was not performed. A list '
'of trusted image certificate IDs must be provided '
'in order to validate an image certificate.')
return verifier
def _verify_certs(context, img_sig_cert_uuid, trusted_certs):
try:
certificate_utils.verify_certificate(
context=context,
certificate_uuid=img_sig_cert_uuid,
trusted_certificate_uuids=trusted_certs.ids)
LOG.debug(
'Image signature certificate validation '
'succeeded for certificate: %s', img_sig_cert_uuid)
except cursive_exception.SignatureVerificationError as e:
LOG.warning(
'Image signature certificate validation '
'failed for certificate: %s', img_sig_cert_uuid)
raise exception.CertificateValidationFailed(
cert_uuid=img_sig_cert_uuid, reason=six.text_type(e))