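 def get_own_cert(self, security_dir=None):
     """
     Return the signed runtime certificate stored in the "mine" folder.

     Only the first PEM certificate block of the file is returned, not
     the whole chain, even when the chain is kept in the same file.
     The certificate's O, CN and dnQualifier fields must equal
     self.domain, self.node_name and self.node_id respectively.

     Args:
         security_dir: accepted for interface compatibility; not used here.

     Returns:
         (certpath, cert, certstr) on success, where cert is the loaded
         OpenSSL certificate object and certstr its PEM text.
         (None, None, None) when the folder is empty or unreadable, the
         file does not parse, or any attribute check fails; the cause is
         logged at debug level (mismatches additionally at error level).
     """
     cert_dir = os.path.join(self.runtime_dir, "mine")
     try:
         # Sorted so the pick is deterministic if more than one file exists;
         # an empty folder raises IndexError, handled below.
         entries = sorted(os.listdir(cert_dir))
         certpath = os.path.join(cert_dir, entries[0])
         # Use a context manager so the file handle is always closed.
         with open(certpath, 'rt') as cert_fd:
             st_cert = cert_fd.read()
         # Keep only the first certificate block after the BEGIN line.
         cert_part = st_cert.split(BEGIN_CRT_LINE)
         certstr = "{}{}".format(BEGIN_CRT_LINE, cert_part[1])
         cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                                certstr)
         _log.debug("get_own_cert" "\n\tcertpath={}".format(certpath))
         # Check that the certificate parameters are the same as our attributes
         if certificate.cert_O(certstring=certstr) != self.domain:
             _log.error("Domain does not match certificate")
             raise Exception("Domain does not match certificate")
         if certificate.cert_CN(certstring=certstr) != self.node_name:
             _log.error("Node name does not match certificate")
             raise Exception("Node name does not match certificate")
         if certificate.cert_DN_Qualifier(
                 certstring=certstr) != self.node_id:
             _log.error("Node ID does not match certificate")
             raise Exception("Node ID does not match certificate")
         return certpath, cert, certstr
     except Exception as err:
         # Certificate not available or rejected by the checks above.
         # Deliberately best-effort: callers get the None triple.
         _log.debug(
             "No runtime certificate can be found, err={}".format(err))
         return None, None, None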
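 def _store_cert(self, type, certstring=None, certpath=None, force=False):
     """
     Store a signed certificate as <runtime_dir>/<type>/<dnQualifier>.pem.

     Args:
         type: "mine" for this runtime's own certificate, "others" for
             certificates of other runtimes; anything else is rejected.
         certstring: PEM text of the certificate. Ignored when certpath
             is given.
         certpath: path of a PEM file to read the certificate from.
         force: overwrite an existing file at the target path.

     Returns:
         The path the certificate is stored at (also when the file already
         exists and force is False, in which case nothing is written).

     Raises:
         Exception: neither certstring nor certpath supplied, unsupported
             type, a dnQualifier that is not a plain file name, or the
             write failed.
         Errors from reading certpath are logged and re-raised unchanged.
     """
     if certpath:
         try:
             # Read as bytes; under Python 2 that is still str, which is why
             # the text-mode write below works. Revisit for Python 3.
             with open(certpath, 'rb') as cert_in:
                 certstring = cert_in.read()
         except Exception as exc:
             _log.exception(
                 "cert path supplied, but failed to read cert at certpath={}, exc={}"
                 .format(certpath, exc))
             raise
     elif not certstring:
         raise Exception("Neither certstring nor certpath supplied")
     if type not in ["mine", "others"]:
         _log.error("type not supported")
         raise Exception("type not supported")
     # The file name comes from the certificate itself; for "others" that is
     # peer-supplied data, so make sure it cannot escape the store directory.
     dnQualifier = certificate.cert_DN_Qualifier(certstring)
     if (not dnQualifier or dnQualifier in (".", "..")
             or os.path.basename(dnQualifier) != dnQualifier):
         _log.error("dnQualifier is not a valid file name")
         raise Exception("dnQualifier is not a valid file name")
     filename = "{}.pem".format(dnQualifier)
     storepath = os.path.join(self.runtime_dir, type, filename)
     _log.debug("Path to store signed cert as %s" % storepath)
     if force or not os.path.isfile(storepath):
         _log.debug("Store signed cert as %s" % storepath)
         try:
             with open(storepath, 'w') as cert_fd:
                 cert_fd.write(certstring)
         except Exception:
             # Full traceback goes to the log; callers get a uniform error.
             _log.exception("Storing signed cert failed")
             raise Exception("Storing signed cert failed")
     return storepath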
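    def _store_cert(self, type, certstring=None, certpath=None, force=False):
        """
        Store a signed certificate as <runtime_dir>/<type>/<dnQualifier>.pem.

        Args:
            type: "mine" for this runtime's own certificate, "others" for
                certificates of other runtimes; anything else is rejected.
            certstring: PEM text of the certificate. Ignored when certpath
                is given.
            certpath: path of a PEM file to read the certificate from;
                symbolic links are resolved before reading.
            force: overwrite an existing file at the target path.

        Returns:
            The path the certificate is stored at (also when the file already
            exists and force is False, in which case nothing is written).

        Raises:
            Exception: neither certstring nor certpath supplied, unsupported
                type, a dnQualifier that is not a plain file name, or the
                write failed.
            Errors from reading certpath are logged and re-raised unchanged.
        """
        if certpath:
            try:
                # realpath resolves link chains and relative link targets;
                # os.readlink would return a target relative to the link's
                # own directory, which open() cannot resolve from here.
                if os.path.islink(certpath):
                    certpath = os.path.realpath(certpath)
                # Read as bytes; under Python 2 that is still str, which is
                # why the text-mode write below works. Revisit for Python 3.
                with open(certpath, 'rb') as cert_in:
                    certstring = cert_in.read()
            except Exception as exc:
                _log.exception("cert path supplied, but failed to read cert at certpath={}, exc={}".format(certpath, exc))
                raise
        elif not certstring:
            raise Exception("Neither certstring nor certpath supplied")
        if type not in ["mine", "others"]:
            _log.error("type not supported")
            raise Exception("type not supported")
        # The file name comes from the certificate itself; for "others" that
        # is peer-supplied data, so make sure it cannot escape the store dir.
        dnQualifier = certificate.cert_DN_Qualifier(certstring)
        if (not dnQualifier or dnQualifier in (".", "..")
                or os.path.basename(dnQualifier) != dnQualifier):
            _log.error("dnQualifier is not a valid file name")
            raise Exception("dnQualifier is not a valid file name")
        filename = "{}.pem".format(dnQualifier)
        storepath = os.path.join(self.runtime_dir, type, filename)
        _log.debug("Path to store signed cert as %s" % storepath)
        if force or not os.path.isfile(storepath):
            _log.debug("Store signed cert as %s" % storepath)
            try:
                with open(storepath, 'w') as cert_fd:
                    cert_fd.write(certstring)
            except Exception:
                # Full traceback goes to the log; callers get a uniform error.
                _log.exception("Storing signed cert failed")
                raise Exception("Storing signed cert failed")
        return storepath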
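    def get_own_cert(self):
        """
        Return the signed runtime certificate stored in the "mine" folder.

        Only the first PEM certificate block of the file is returned, not
        the whole chain, even when the chain is kept in the same file.
        The certificate's O, CN and dnQualifier fields must equal
        self.domain, self.node_name and self.node_id respectively.

        Returns:
            (certpath, cert, certstr) on success, where certpath comes from
            self.get_own_cert_path(), cert is the loaded OpenSSL certificate
            object and certstr its PEM text.
            (None, None, None) when the path cannot be resolved or read, the
            file does not parse, or any attribute check fails; the cause is
            logged at debug level (mismatches additionally at error level).
        """
        try:
            certpath = self.get_own_cert_path()
            # Use a context manager so the file handle is always closed.
            with open(certpath, 'rt') as cert_fd:
                st_cert = cert_fd.read()
            # Keep only the first certificate block after the BEGIN line.
            cert_part = st_cert.split(BEGIN_CRT_LINE)
            certstr = "{}{}".format(BEGIN_CRT_LINE, cert_part[1])
            cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
                                                   certstr)
            _log.debug("get_own_cert"
                       "\n\tcertpath={}".format(certpath))
            # Check that the certificate parameters are the same as our attributes
            if certificate.cert_O(certstring=certstr) != self.domain:
                _log.error("Domain does not match certificate")
                raise Exception("Domain does not match certificate")
            if certificate.cert_CN(certstring=certstr) != self.node_name:
                _log.error("Node name does not match certificate")
                raise Exception("Node name does not match certificate")
            if certificate.cert_DN_Qualifier(certstring=certstr) != self.node_id:
                _log.error("Node ID does not match certificate")
                raise Exception("Node ID does not match certificate")
            return certpath, cert, certstr
        except Exception as err:
            # Certificate not available or rejected by the checks above.
            # Deliberately best-effort: callers get the None triple.
            _log.debug("No runtime certificate can be found, err={}".format(err))
            return None, None, None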
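 def others_cert_stored(self, certstring):
     """
     Return True if a certificate with the dnQualifier of *certstring* is
     already stored in the "others" folder, False otherwise.

     Only the existence of <runtime_dir>/others/<dnQualifier>.pem is
     checked; the stored file is not compared with certstring, so a
     different certificate with the same dnQualifier also counts as stored.
     """
     dnQualifier = certificate.cert_DN_Qualifier(certstring)
     filename = "{}.pem".format(dnQualifier)
     path = os.path.join(self.runtime_dir, "others", filename)
     # isfile already yields the boolean; no need for an if/else.
     return os.path.isfile(path)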
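    def others_cert_stored(self, certstring):
        """
        Return True if a certificate with the dnQualifier of *certstring* is
        already stored in the "others" folder, False otherwise.

        Only the existence of <runtime_dir>/others/<dnQualifier>.pem is
        checked; the stored file is not compared with certstring, so a
        different certificate with the same dnQualifier also counts as stored.
        """
        dnQualifier = certificate.cert_DN_Qualifier(certstring)
        filename = "{}.pem".format(dnQualifier)
        path = os.path.join(self.runtime_dir, "others", filename)
        # isfile already yields the boolean; no need for an if/else.
        return os.path.isfile(path)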
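def _decode_jwt_cb(certstring, token, node, actor_id=None, callback=None):
    """Verify and decode a JSON Web Token sent by the owner of *certstring*.

    The token must be signed with ES256 by the key in the sender's
    certificate, name the sender's dnQualifier as issuer and this node's
    id as audience. When actor_id is given and the token carries a "sub"
    claim, that claim must equal actor_id.

    Args:
        certstring: PEM certificate of the sender.
        token: the encoded JWT.
        node: the local node; node.id is the expected audience.
        actor_id: expected subject, checked only if the token has "sub".
        callback: if given, called as callback(decoded=...) with the
            verified claims.

    Raises:
        Exception: the "sub" claim is present and differs from actor_id.
        Errors from jwt.decode propagate for a bad signature, issuer or
        audience.
    """
    sender_public_key = certificate.get_public_key_from_certstr(certstring)
    sender_node_id = certificate.cert_DN_Qualifier(certstring=certstring)
    # The signature is verified using the Elliptic Curve public key of the sender.
    # algorithms is pinned so the token header cannot choose another one.
    # Exception raised if signature verification fails or if issuer and/or audience are incorrect.
    decoded = jwt.decode(token, sender_public_key, algorithms=['ES256'],
                         issuer=sender_node_id, audience=node.id)
    # A bare `raise` here has no active exception to re-raise and would fail
    # with an unrelated error, so raise an explicit one.
    # NOTE: a token without a "sub" claim passes this check even when
    # actor_id is given; that is the original contract, kept as is.
    if actor_id and 'sub' in decoded and decoded["sub"] != actor_id:
        raise Exception("Subject does not match actor_id")
    if callback:
        callback(decoded=decoded)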
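def _decode_jwt_cb(certstring, token, node, actor_id=None, callback=None):
    """Verify and decode a JSON Web Token sent by the owner of *certstring*.

    The token must be signed with ES256 by the key in the sender's
    certificate, name the sender's dnQualifier as issuer and this node's
    id as audience. When actor_id is given and the token carries a "sub"
    claim, that claim must equal actor_id.

    Args:
        certstring: PEM certificate of the sender.
        token: the encoded JWT.
        node: the local node; node.id is the expected audience.
        actor_id: expected subject, checked only if the token has "sub".
        callback: if given, called as callback(decoded=...) with the
            verified claims.

    Raises:
        Exception: the "sub" claim is present and differs from actor_id.
        Errors from jwt.decode propagate for a bad signature, issuer or
        audience.
    """
    sender_public_key = certificate.get_public_key_from_certstr(certstring)
    sender_node_id = certificate.cert_DN_Qualifier(certstring=certstring)
    # The signature is verified using the Elliptic Curve public key of the sender.
    # algorithms is pinned so the token header cannot choose another one.
    # Exception raised if signature verification fails or if issuer and/or audience are incorrect.
    decoded = jwt.decode(token,
                         sender_public_key,
                         algorithms=['ES256'],
                         issuer=sender_node_id,
                         audience=node.id)
    # A bare `raise` here has no active exception to re-raise and would fail
    # with an unrelated error, so raise an explicit one.
    # NOTE: a token without a "sub" claim passes this check even when
    # actor_id is given; that is the original contract, kept as is.
    if actor_id and 'sub' in decoded and decoded["sub"] != actor_id:
        raise Exception("Subject does not match actor_id")
    if callback:
        callback(decoded=decoded)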