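def sign_file(self, file):
    """
    Sign an actor, component or application.

    Store the signature in <file>.sign.<hash-cert>, where <hash-cert> is
    the value certificate.cert_hash() returns for the CA certificate.

    The private directory, certificate and private key paths are read from
    the "CA_default" section of self.configuration.
    File is the file to be signed.

    Returns the path of the signature file.
    Raises Exception if the certificate hash cannot be obtained, and
    IOError (carrying openssl's stderr) if openssl exits with a non-zero
    status.

    Equivalent of:
    openssl dgst -sha256 -sign "$private_key"
                 -out "$file.sign.<cert-hash>"
                 -passin file:$private_dir/ca_password
                 "$file"
    """
    _log.debug("sign_file: file={}".format(file))
    ca_section = self.configuration["CA_default"]
    private = ca_section["private_dir"]
    cert_file = ca_section["certificate"]
    private_key = ca_section["private_key"]
    password_file = os.path.join(private, "ca_password")

    try:
        certificate_hash = certificate.cert_hash(certpath=cert_file)
    except Exception:
        # Narrowed from a bare "except:" so KeyboardInterrupt/SystemExit
        # are no longer rewritten into a generic failure.
        _log.exception("Failed to get certificate hash")
        raise Exception("Failed to get certificate hash")

    sign_file = file + ".sign." + certificate_hash
    # The command is an argument list (no shell), and the key password is
    # handed over as a file reference rather than as a literal argument.
    # NOTE(review): `file` is a bare positional argument; confirm callers
    # never pass a name beginning with '-', which openssl would parse as
    # an option.
    proc = subprocess.Popen(["openssl", "dgst", "-sha256",
                             "-sign", private_key,
                             "-passin", "file:" + password_file,
                             "-out", sign_file,
                             file],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    _, stderr = proc.communicate()
    if proc.returncode != 0:
        raise IOError(stderr)
    return sign_file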
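def sign_file(self, file, dir=None):
    """
    Sign an actor, component or application.

    Store the signature in <file>.sign.<hash-cert>, where <hash-cert> is
    the value certificate.cert_hash() returns for self.certificate.

    File is the file to be signed.
    Dir is optional; when given, the signature path is
    os.path.join(dir, <file>.sign.<hash-cert>).

    Returns the path of the signature file.
    Raises Exception if the certificate hash cannot be obtained, and
    IOError (carrying openssl's stderr) if openssl exits with a non-zero
    status.

    Equivalent of:
    openssl dgst -sha256 -sign "$private_key"
                 -out "$file.sign.<cert-hash>"
                 -passin file:$password_file
                 "$file"
    """
    try:
        certificate_hash = certificate.cert_hash(certpath=self.certificate)
    except Exception:
        # Narrowed from a bare "except:" so KeyboardInterrupt/SystemExit
        # are no longer rewritten into a generic failure.
        _log.exception("Failed to get certificate hash")
        raise Exception("Failed to get certificate hash")

    sign_file_name = file + ".sign." + certificate_hash
    # NOTE(review): os.path.join discards `dir` when `file` is an absolute
    # path and keeps any directory part of a relative `file`; confirm
    # whether only the basename was meant to land in `dir`.
    if dir:
        sign_file = os.path.join(dir, sign_file_name)
    else:
        sign_file = sign_file_name
    # Was a Python 2 print statement writing to stdout; routed through the
    # module logger like the other diagnostics in this method.
    _log.debug("signed file name=%s", sign_file)

    # The command is an argument list (no shell), and the key password is
    # handed over as a file reference rather than as a literal argument.
    # NOTE(review): `file` is a bare positional argument; confirm callers
    # never pass a name beginning with '-', which openssl would parse as
    # an option.
    proc = subprocess.Popen(["openssl", "dgst", "-sha256",
                             "-sign", self.private_key,
                             "-passin", "file:" + self.password_file,
                             "-out", sign_file,
                             file],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    _, stderr = proc.communicate()
    if proc.returncode != 0:
        raise IOError(stderr)
    return sign_file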
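def sign_file(self, file):
    """
    Sign an actor, component or application.

    Store the signature in <file>.sign.<hash-cert>, where <hash-cert> is
    the value certificate.cert_hash() returns for the CA certificate.

    The "CA_default" section of self.configuration supplies private_dir,
    certificate and private_key.
    File is the file to be signed.

    Returns the path of the signature file.
    Raises Exception if the certificate hash cannot be obtained, and
    IOError (carrying openssl's stderr) if openssl exits with a non-zero
    status.

    Equivalent of:
    openssl dgst -sha256 -sign "$private_key"
                 -out "$file.sign.<cert-hash>"
                 -passin file:$private_dir/ca_password
                 "$file"
    """
    private = self.configuration["CA_default"]["private_dir"]
    cert_file = self.configuration["CA_default"]["certificate"]
    private_key = self.configuration["CA_default"]["private_key"]
    password_file = os.path.join(private, "ca_password")

    try:
        certificate_hash = certificate.cert_hash(certpath=cert_file)
    except Exception:
        # A bare "except:" here also trapped KeyboardInterrupt and
        # SystemExit; only ordinary errors are converted now.
        _log.exception("Failed to get certificate hash")
        raise Exception("Failed to get certificate hash")

    sign_file = file + ".sign." + certificate_hash
    # Argument-list form: nothing is interpreted by a shell, and the
    # password reaches openssl as "file:<path>", not as a literal value.
    # NOTE(review): `file` is the last, positional argument; verify that
    # callers cannot supply a name starting with '-', which openssl would
    # treat as an option.
    command = [
        "openssl", "dgst", "-sha256",
        "-sign", private_key,
        "-passin", "file:" + password_file,
        "-out", sign_file,
        file,
    ]
    signer = subprocess.Popen(command,
                              stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE)
    _, stderr = signer.communicate()
    if signer.returncode != 0:
        raise IOError(stderr)
    return sign_file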
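def sign_file(self, file, dir=None):
    """
    Sign an actor, component or application.

    Store the signature in <file>.sign.<hash-cert>, where <hash-cert> is
    the value certificate.cert_hash() returns for self.certificate.

    File is the file to be signed.
    Dir, when truthy, is joined in front of the signature file name with
    os.path.join.

    Returns the path of the signature file.
    Raises Exception if the certificate hash cannot be obtained, and
    IOError (carrying openssl's stderr) if openssl exits with a non-zero
    status.

    Equivalent of:
    openssl dgst -sha256 -sign "$private_key"
                 -out "$file.sign.<cert-hash>"
                 -passin file:$password_file
                 "$file"
    """
    try:
        certificate_hash = certificate.cert_hash(certpath=self.certificate)
    except Exception:
        # A bare "except:" here also trapped KeyboardInterrupt and
        # SystemExit; only ordinary errors are converted now.
        _log.exception("Failed to get certificate hash")
        raise Exception("Failed to get certificate hash")

    sign_file_name = file + ".sign." + certificate_hash
    # NOTE(review): with an absolute `file`, os.path.join returns
    # sign_file_name unchanged and `dir` has no effect; confirm that is
    # the intended behaviour.
    sign_file = os.path.join(dir, sign_file_name) if dir else sign_file_name
    # Replaces a Python 2 print statement: library code should not write
    # diagnostics to stdout.
    _log.debug("signed file name=%s", sign_file)

    # Argument-list form: nothing is interpreted by a shell, and the
    # password reaches openssl as "file:<path>", not as a literal value.
    # NOTE(review): `file` is the last, positional argument; verify that
    # callers cannot supply a name starting with '-', which openssl would
    # treat as an option.
    command = [
        "openssl", "dgst", "-sha256",
        "-sign", self.private_key,
        "-passin", "file:" + self.password_file,
        "-out", sign_file,
        file,
    ]
    signer = subprocess.Popen(command,
                              stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE)
    _, stderr = signer.communicate()
    if signer.returncode != 0:
        raise IOError(stderr)
    return sign_file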
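def sign_file(self, file, dir=None):
    """
    Sign an actor, component or application.

    Store the signature in <file>.sign.<hash-cert>, where <hash-cert> is
    the value certificate.cert_hash() returns for self.certificate.
    After signing, the signature is verified against self.certificate.

    File is the file to be signed.
    Dir is optional; when given, the signature path is
    os.path.join(dir, <file>.sign.<hash-cert>).

    Returns the path of the signature file.
    Raises Exception if the certificate hash cannot be obtained, and
    IOError if openssl exits with a non-zero status (carrying its stderr)
    or if the fresh signature does not verify.

    Equivalent of:
    openssl dgst -sha256 -sign "$private_key"
                 -out "$file.sign.<cert-hash>"
                 -passin file:$password_file
                 "$file"
    """
    _log.debug("sign_file: file={}".format(file))
    try:
        certificate_hash = certificate.cert_hash(certpath=self.certificate)
    except Exception:
        # Narrowed from a bare "except:" so KeyboardInterrupt/SystemExit
        # are no longer rewritten into a generic failure.
        _log.exception("Failed to get certificate hash")
        raise Exception("Failed to get certificate hash")

    sign_file_name = file + ".sign." + certificate_hash
    # NOTE(review): os.path.join discards `dir` when `file` is an absolute
    # path and keeps any directory part of a relative `file`; confirm
    # whether only the basename was meant to land in `dir`.
    if dir:
        sign_file = os.path.join(dir, sign_file_name)
    else:
        sign_file = sign_file_name
    # Was a Python 2 print statement writing to stdout.
    _log.debug("signed file name=%s", sign_file)

    # The command is an argument list (no shell), and the key password is
    # handed over as a file reference rather than as a literal argument.
    # NOTE(review): `file` is a bare positional argument; confirm callers
    # never pass a name beginning with '-', which openssl would parse as
    # an option.
    proc = subprocess.Popen(["openssl", "dgst", "-sha256",
                             "-sign", self.private_key,
                             "-passin", "file:" + self.password_file,
                             "-out", sign_file,
                             file],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    _, stderr = proc.communicate()
    if proc.returncode != 0:
        raise IOError(stderr)

    # Self-check of the signature just written. Signature and content are
    # read as raw bytes: openssl signed the file's bytes, and text mode
    # could alter them (newline translation, decoding).
    with open(sign_file, 'rb') as f:
        signature = f.read()
    with open(file, 'rb') as f:
        content = f.read()
    with open(self.certificate, 'rt') as f:
        trusted_cert = OpenSSL.crypto.load_certificate(
            OpenSSL.crypto.FILETYPE_PEM, f.read())
    try:
        OpenSSL.crypto.verify(trusted_cert, signature, content, 'sha256')
    except Exception:
        # Previously only logged, so a signature that the configured
        # certificate cannot verify was still returned as a success.
        _log.error("OpenSSL verification error", exc_info=True)
        raise IOError(
            "Signature in {} does not verify against {}".format(
                sign_file, self.certificate))
    _log.debug("verify_signature_content: signature correct")
    return sign_file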
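def sign_file(self, file, dir=None):
    """
    Sign an actor, component or application.

    Store the signature in <file>.sign.<hash-cert>, where <hash-cert> is
    the value certificate.cert_hash() returns for self.certificate.
    The new signature is then checked against self.certificate.

    File is the file to be signed.
    Dir, when truthy, is joined in front of the signature file name with
    os.path.join.

    Returns the path of the signature file.
    Raises Exception if the certificate hash cannot be obtained, and
    IOError if openssl exits with a non-zero status (carrying its stderr)
    or if the new signature fails verification.

    Equivalent of:
    openssl dgst -sha256 -sign "$private_key"
                 -out "$file.sign.<cert-hash>"
                 -passin file:$password_file
                 "$file"
    """
    _log.debug("sign_file: file={}".format(file))
    try:
        certificate_hash = certificate.cert_hash(certpath=self.certificate)
    except Exception:
        # A bare "except:" here also trapped KeyboardInterrupt and
        # SystemExit; only ordinary errors are converted now.
        _log.exception("Failed to get certificate hash")
        raise Exception("Failed to get certificate hash")

    sign_file_name = file + ".sign." + certificate_hash
    # NOTE(review): with an absolute `file`, os.path.join returns
    # sign_file_name unchanged and `dir` has no effect; confirm that is
    # the intended behaviour.
    sign_file = os.path.join(dir, sign_file_name) if dir else sign_file_name
    # Replaces a Python 2 print statement: library code should not write
    # diagnostics to stdout.
    _log.debug("signed file name=%s", sign_file)

    # Argument-list form: nothing is interpreted by a shell, and the
    # password reaches openssl as "file:<path>", not as a literal value.
    # NOTE(review): `file` is the last, positional argument; verify that
    # callers cannot supply a name starting with '-', which openssl would
    # treat as an option.
    command = [
        "openssl", "dgst", "-sha256",
        "-sign", self.private_key,
        "-passin", "file:" + self.password_file,
        "-out", sign_file,
        file,
    ]
    signer = subprocess.Popen(command,
                              stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE)
    _, stderr = signer.communicate()
    if signer.returncode != 0:
        raise IOError(stderr)

    # Read back what was signed and what was produced, as bytes: the
    # signature is binary and openssl hashed the file's raw bytes.
    with open(sign_file, 'rb') as sig_fh:
        signature = sig_fh.read()
    with open(file, 'rb') as content_fh:
        content = content_fh.read()
    with open(self.certificate, 'rt') as cert_fh:
        trusted_cert = OpenSSL.crypto.load_certificate(
            OpenSSL.crypto.FILETYPE_PEM, cert_fh.read())

    try:
        OpenSSL.crypto.verify(trusted_cert, signature, content, 'sha256')
    except Exception:
        # The original logged this and still returned the path, reporting
        # success for a signature the certificate cannot verify.
        _log.error("OpenSSL verification error", exc_info=True)
        raise IOError(
            "Signature in {} does not verify against {}".format(
                sign_file, self.certificate))
    _log.debug("verify_signature_content: signature correct")
    return sign_file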