    def set_signature(self,
                      acts,
                      key_path=None,
                      chain_paths=misc.EmptyI,
                      chash_dir=None):
        """Compute and store this action's 'value' attribute.

                'acts' is the iterable of actions covered by this
                signature.

                'key_path' is the path of the file holding the RSA private
                key used to sign.  When it is None the stored value is only
                a digest of the actions, not a signature.

                'chain_paths' is an iterable of paths to the certificates
                that link the certificate paired with 'key_path' to one of
                the publisher's CAs.

                'chash_dir' is the temporary directory used while the
                compressed hashes of the chain certificates are computed.

                Raises apx.BadFileFormat when 'key_path' cannot be loaded
                as an RSA key."""

        # Materialise the iterable once so it can be inspected in a
        # debugger and iterated more than once.
        act_list = list(acts)

        if key_path is None:
            # Digest-only mode: a signature without a key must not
            # carry a certificate either.
            assert self.data is None
            digest = m2.EVP.MessageDigest(self.hash_alg)
            status = digest.update(
                self.actions_to_str(act_list, generic.Action.sig_version))
            assert status == 1, \
                "Res was expected to be 1, it was {0}".format(status)
            self.attrs["value"] = misc.binary_to_hex(digest.final())
            return

        # Signing mode: the certificate that pairs with the private
        # key is mandatory.
        assert self.data is not None
        self.__set_chain_certs_data(chain_paths, chash_dir)

        try:
            rsa_key = m2.RSA.load_key(key_path)
        except m2.RSA.RSAError:
            raise apx.BadFileFormat(
                _("{0} was expected to "
                  "be a RSA key but could not be read "
                  "correctly.").format(key_path))

        pkey = m2.EVP.PKey(md=self.hash_alg)
        # The trailing 1 is presumably M2Crypto's 'capture' flag, i.e.
        # the PKey takes over the RSA object -- which is why the local
        # reference is dropped right away.  Confirm against the
        # M2Crypto API if this is ever changed.
        pkey.assign_rsa(rsa_key, 1)
        del rsa_key
        pkey.sign_init()
        pkey.sign_update(
            self.actions_to_str(act_list, generic.Action.sig_version))
        self.attrs["value"] = misc.binary_to_hex(pkey.sign_final())
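    def set_signature(self,
                      acts,
                      key_path=None,
                      chain_paths=misc.EmptyI,
                      chash_dir=None):
        """Sets the signature value for this action.

                The 'acts' parameter is the iterable of actions this action
                should sign.

                The 'key_path' parameter is the path to the PEM file
                containing the private RSA key which is used to sign the
                actions.  If it is None, the value stored is a plain digest
                of the actions rather than a signature.

                The 'chain_paths' parameter is an iterable of paths to
                certificates which are needed to form the chain of trust from
                the certificate associated with the key in 'key_path' to one of
                the CAs for the publisher of the actions.

                The 'chash_dir' parameter is the temporary directory to use
                while calculating the compressed hashes for chain certs.

                Raises apx.BadFileFormat if 'key_path' cannot be opened or
                does not hold a readable, unencrypted PEM private key."""

        # Turning this into a list makes debugging vastly more
        # tractable.
        acts = list(acts)

        if key_path is None:
            # If no private key is set, then no certificate should
            # have been given.
            assert self.data is None
            h = hashlib.new(self.hash_alg)
            h.update(
                misc.force_bytes(
                    self.actions_to_str(acts, generic.Action.sig_version)))
            self.attrs["value"] = h.hexdigest()
            return

        # If a private key is used, then the certificate it's
        # paired with must be provided.
        assert self.data is not None
        self.__set_chain_certs_data(chain_paths, chash_dir)

        try:
            with open(key_path, "rb") as f:
                priv_key = serialization.load_pem_private_key(
                    f.read(), password=None, backend=default_backend())
        except (IOError, OSError, ValueError, TypeError):
            # IOError/OSError: the key file is missing or unreadable.
            # ValueError: the bytes are not a parseable PEM private key.
            # TypeError: the key is encrypted but no password is
            # supplied here.  Each means the caller handed over an
            # unusable key file, so report them uniformly instead of
            # leaking a library-specific exception.
            raise apx.BadFileFormat(
                _("{0} was expected to "
                  "be a RSA key but could not be read "
                  "correctly.").format(key_path))

        # NOTE(review): load_pem_private_key accepts any PEM key type;
        # a non-RSA key is not rejected here and most likely surfaces
        # later as a TypeError from signer() rather than as
        # BadFileFormat.  An explicit key-type check would need an
        # import that is not visible in this excerpt.
        hhash = self.__get_hash_by_name(self.hash_alg)
        # key.signer() is deprecated in newer 'cryptography' releases in
        # favour of key.sign(data, padding, algorithm); it is kept here
        # so the minimum supported library version is unchanged.
        signer = priv_key.signer(padding.PKCS1v15(), hhash())
        signer.update(
            misc.force_bytes(
                self.actions_to_str(acts, generic.Action.sig_version)))
        self.attrs["value"] = \
            misc.binary_to_hex(signer.finalize())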
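def __make_tmp_cert(d, pth):
    """Copy the PEM certificate at 'pth' into a fresh temporary file.

    'd' is the directory in which the temporary file is created and
    'pth' is the path of the certificate to load.  The certificate is
    parsed and re-serialised, so the temporary file holds only the
    certificate in PEM form, whatever else the source file contained.

    Returns the path of the temporary file.  Nothing here removes it;
    the caller is expected to clean it up.

    Raises api_errors.BadFileFormat if 'pth' cannot be parsed as a PEM
    certificate.  A missing or unreadable file may instead raise the
    underlying I/O error from M2Crypto -- not mapped here; confirm
    whether callers need that."""
    try:
        cert = m2.X509.load_cert(pth)
    except m2.X509.X509Error:
        raise api_errors.BadFileFormat(
            _("The file {0} was expected to "
              "be a PEM certificate but it could not be read.").format(pth))
    # mkstemp creates the file with a unique name, readable and writable
    # only by the creating user, so nobody else can pre-create or read
    # it; wrapping the descriptor guarantees it is closed even if the
    # write fails.
    fd, fp = tempfile.mkstemp(dir=d)
    with os.fdopen(fd, "wb") as fh:
        fh.write(cert.as_pem())
    return fp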
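def __make_tmp_cert(d, pth):
    """Copy the PEM certificate at 'pth' into a fresh temporary file.

    'd' is the directory in which the temporary file is created and
    'pth' is the path of the certificate to load.  The certificate is
    parsed and re-serialised with 'cryptography', so the temporary file
    holds only the certificate in PEM form, whatever else the source
    file contained.

    Returns the path of the temporary file.  Nothing here removes it;
    the caller is expected to clean it up.

    Raises api_errors.BadFileFormat if 'pth' cannot be opened or cannot
    be parsed as a PEM certificate."""
    try:
        with open(pth, "rb") as f:
            cert = x509.load_pem_x509_certificate(f.read(), default_backend())
    except (ValueError, IOError):
        # IOError: the file is missing or unreadable.  ValueError: the
        # bytes are not a parseable PEM certificate.  Both are reported
        # as the same user-facing format error.
        raise api_errors.BadFileFormat(
            _("The file {0} was expected to "
              "be a PEM certificate but it could not be read.").format(pth))
    # mkstemp creates the file with a unique name, readable and writable
    # only by the creating user, so nobody else can pre-create or read
    # it; wrapping the descriptor guarantees it is closed even if the
    # write fails.
    fd, fp = tempfile.mkstemp(dir=d)
    with os.fdopen(fd, "wb") as fh:
        fh.write(cert.public_bytes(serialization.Encoding.PEM))
    return fp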