def get_intermediates(self):
if self._cert_container.intermediates:
intermediates = self._cert_container.intermediates.payload
return [
imd
for imd in cert_parser.get_intermediates_pems(intermediates)
]
def get_intermediates(self):
if self._cert_container.intermediates:
intermediates = encodeutils.to_utf8(
self._cert_container.intermediates.payload)
return [
imd
for imd in cert_parser.get_intermediates_pems(intermediates)
]
def get_cert(context, cert_ref, **kwargs):
"""Retrieves the specified cert.
:param context: Ignored in this implementation
:param cert_ref: the UUID of the cert to retrieve
:return: octavia.certificates.common.Cert representation of the
certificate data
:raises CertificateStorageException: if certificate retrieval fails
"""
LOG.info("Loading certificate %s from the local filesystem.", cert_ref)
filename_base = os.path.join(CONF.certificates.storage_path, cert_ref)
filename_certificate = "{0}.crt".format(filename_base)
filename_private_key = "{0}.key".format(filename_base)
filename_intermediates = "{0}.int".format(filename_base)
filename_pkp = "{0}.pass".format(filename_base)
cert_data = dict()
flags = os.O_RDONLY
try:
with os.fdopen(os.open(filename_certificate, flags)) as cert_file:
cert_data['certificate'] = cert_file.read()
except IOError:
LOG.error("Failed to read certificate for %s.", cert_ref)
raise exceptions.CertificateStorageException(
msg="Certificate could not be read.")
try:
with os.fdopen(os.open(filename_private_key, flags)) as key_file:
cert_data['private_key'] = key_file.read()
except IOError:
LOG.error("Failed to read private key for %s", cert_ref)
raise exceptions.CertificateStorageException(
msg="Private Key could not be read.")
try:
with os.fdopen(os.open(filename_intermediates, flags)) as int_file:
cert_data['intermediates'] = int_file.read()
cert_data['intermediates'] = list(
cert_parser.get_intermediates_pems(cert_data['intermediates']))
except IOError:
pass
try:
with os.fdopen(os.open(filename_pkp, flags)) as pass_file:
cert_data['private_key_passphrase'] = pass_file.read()
except IOError:
pass
return local_common.LocalCert(**cert_data)
def store_cert(self,
context,
certificate,
private_key,
intermediates=None,
private_key_passphrase=None,
expiration=None,
name="PKCS12 Certificate Bundle"):
"""Stores a certificate in the certificate manager.
:param context: Oslo context of the request
:param certificate: PEM encoded TLS certificate
:param private_key: private key for the supplied certificate
:param intermediates: ordered and concatenated intermediate certs
:param private_key_passphrase: optional passphrase for the supplied key
:param expiration: the expiration time of the cert in ISO 8601 format
:param name: a friendly name for the cert
:returns: the container_ref of the stored cert
:raises Exception: if certificate storage fails
"""
connection = self.auth.get_barbican_client(context.project_id)
LOG.info("Storing certificate secret '%s' in Barbican.", name)
p12 = crypto.PKCS12()
p12.set_friendlyname(encodeutils.to_utf8(name))
x509_cert = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
p12.set_certificate(x509_cert)
x509_pk = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
p12.set_privatekey(x509_pk)
if intermediates:
cert_ints = list(cert_parser.get_intermediates_pems(intermediates))
x509_ints = [
crypto.load_certificate(crypto.FILETYPE_PEM, ci)
for ci in cert_ints
]
p12.set_ca_certificates(x509_ints)
if private_key_passphrase:
raise exceptions.CertificateStorageException(
"Passphrase protected PKCS12 certificates are not supported.")
try:
certificate_secret = connection.secrets.create(
payload=p12.export(), expiration=expiration, name=name)
certificate_secret.store()
return certificate_secret.secret_ref
except Exception as e:
with excutils.save_and_reraise_exception():
LOG.error('Error storing certificate data: %s', str(e))
return None
def store_cert(self, context, certificate, private_key, intermediates=None,
private_key_passphrase=None, expiration=None,
name="PKCS12 Certificate Bundle"):
"""Stores a certificate in the certificate manager.
:param context: Oslo context of the request
:param certificate: PEM encoded TLS certificate
:param private_key: private key for the supplied certificate
:param intermediates: ordered and concatenated intermediate certs
:param private_key_passphrase: optional passphrase for the supplied key
:param expiration: the expiration time of the cert in ISO 8601 format
:param name: a friendly name for the cert
:returns: the container_ref of the stored cert
:raises Exception: if certificate storage fails
"""
connection = self.auth.get_barbican_client(context.project_id)
LOG.info("Storing certificate secret '%s' in Barbican.", name)
p12 = crypto.PKCS12()
p12.set_friendlyname(encodeutils.to_utf8(name))
x509_cert = crypto.load_certificate(crypto.FILETYPE_PEM, certificate)
p12.set_certificate(x509_cert)
x509_pk = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
p12.set_privatekey(x509_pk)
if intermediates:
cert_ints = list(cert_parser.get_intermediates_pems(intermediates))
x509_ints = [
crypto.load_certificate(crypto.FILETYPE_PEM, ci)
for ci in cert_ints]
p12.set_ca_certificates(x509_ints)
if private_key_passphrase:
raise exceptions.CertificateStorageException(
"Passphrase protected PKCS12 certificates are not supported.")
try:
certificate_secret = connection.secrets.create(
payload=p12.export(),
expiration=expiration,
name=name
)
certificate_secret.store()
return certificate_secret.secret_ref
except Exception as e:
with excutils.save_and_reraise_exception():
LOG.error('Error storing certificate data: %s', e)
def test_get_intermediates_pkcs7_der_bad(self):
self.assertRaises(
exceptions.UnreadableCert, lambda: list(
cert_parser.get_intermediates_pems(b'\xfe\xfe\xff\xff')))
def test_get_intermediates_pkcs7_der(self):
self.assertEqual(
sample_certs.X509_IMDS_LIST,
list(cert_parser.get_intermediates_pems(sample_certs.PKCS7_DER)))
def test_get_intermediates_pkcs7_pem_bad(self):
self.assertRaises(
exceptions.UnreadableCert, lambda: list(
cert_parser.get_intermediates_pems(
b'-----BEGIN PKCS7-----\nbad data\n-----END PKCS7-----')))
def test_get_intermediates_pem_chain(self):
self.assertEqual(
sample_certs.X509_IMDS_LIST,
list(cert_parser.get_intermediates_pems(sample_certs.X509_IMDS)))
def test_get_intermediates_pem_chain(self):
self.assertEqual(
sample_certs.X509_IMDS_LIST,
[c for c in
cert_parser.get_intermediates_pems(sample_certs.X509_IMDS)])
def test_get_intermediates_pkcs7_der_bad(self):
self.assertRaises(
exceptions.UnreadableCert,
lambda: list(cert_parser.get_intermediates_pems(
'\xfe\xfe\xff\xff')))
def test_get_intermediates_pkcs7_der(self):
self.assertEqual(
sample_certs.X509_IMDS_LIST,
[c for c in
cert_parser.get_intermediates_pems(sample_certs.PKCS7_DER)])
def test_get_intermediates_pkcs7_pem_bad(self):
self.assertRaises(
exceptions.UnreadableCert,
lambda: list(cert_parser.get_intermediates_pems(
'-----BEGIN PKCS7-----\nbad data\n-----END PKCS7-----')))
def get_intermediates(self):
if self._cert_container.intermediates:
intermediates = encodeutils.to_utf8(
self._cert_container.intermediates.payload)
return list(cert_parser.get_intermediates_pems(intermediates))
return None
def test_get_intermediates_pkcs7_pem(self):
self.assertEqual(sample_certs.X509_IMDS_LIST, [
c
for c in cert_parser.get_intermediates_pems(sample_certs.PKCS7_PEM)
])
def get_intermediates(self):
if self._cert_container.intermediates:
intermediates = self._cert_container.intermediates.payload
return [imd for imd in cert_parser.get_intermediates_pems(
intermediates)]
