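def parse_cmsg(self, cmsg):
    """Unwrap, authenticate and validate an incoming message.

    Depending on how this context is configured the message is either
    decrypted and signature-verified (``self.decrypt_name`` set), only
    signature-verified (``self.ca_name`` set), or taken as plain JSON with
    no cryptographic protection at all.  The decoded payload is then checked
    for destination, freshness and attached-blob integrity.

    Args:
        cmsg: incoming message object; ``get_dest()``, ``get_part1()``,
            ``get_part2()`` and ``get_part3()`` are read from it.

    Returns:
        ``(msg, sgn)`` on success -- ``msg`` is the decoded ``Struct`` and
        ``sgn`` is whatever ``self.cms`` returned as signer info (``None``
        when no crypto is configured).  ``(None, None)`` after logging an
        error when any check fails.

    Raises:
        Whatever ``self.cms.decrypt_and_verify`` / ``self.cms.verify`` or
        ``Struct.from_json`` raise on malformed input; those are not caught
        here, so a caller feeding in data from an untrusted transport should
        be prepared for them.

    Security notes:
        * Freshness is enforced only by ``self.time_window`` (when set).
          There is no nonce, so a captured message can be replayed within
          that window.
        * Only ``SHA-1`` blob hashes are understood.  The hash travels inside
          the signed payload, so it is authenticated by the signature; its
          strength matters only against collisions crafted by the signer.
        * In the no-crypto configuration nothing is authenticated; the
          ``req``, time and blob checks are then sanity checks, not security.
    """
    req = cmsg.get_dest()
    part1 = cmsg.get_part1()
    part2 = cmsg.get_part2()
    blob = cmsg.get_part3()

    # 1. Strip the crypto envelope and obtain the JSON payload.
    if self.decrypt_name:
        # Encrypted mode: refuse anything that is not an ENC1 envelope so a
        # downgrade to signed-only or plain cannot slip through.
        if part1 != 'ENC1':
            self.log.error('Expect encrypted message')
            return (None, None)
        # decrypt_and_verify() also verifies the inner signature, which
        # needs a CA; decrypt_name is already known to be set here.
        if not self.ca_name:
            self.log.error('Cannot decrypt message')
            return (None, None)
        self.log.trace("decrypt: %s", req)
        js, sgn = self.cms.decrypt_and_verify(part2, self.decrypt_name, self.ca_name)
    elif part1 == 'ENC1':
        self.log.error('Got encrypted msg but cannot decrypt it')
        return (None, None)
    elif self.ca_name:
        # Signed-only mode: part1 is the JSON, part2 the detached signature.
        if not part2:
            self.log.error('Expect signed message: %r', part1)
            return (None, None)
        self.log.trace("verify: %s", req)
        js, sgn = self.cms.verify(part1, part2, self.ca_name)
    else:
        self.log.trace("no crypto: %s", req)
        js, sgn = part1, None

    msg = Struct.from_json(js)

    # 2. The destination inside the (possibly signed) payload must match the
    #    unauthenticated routing header; a missing field counts as a
    #    mismatch instead of raising.
    if getattr(msg, 'req', None) != req:
        self.log.error('hijacked message')
        return (None, None)

    # 3. Freshness window (replay limitation, see docstring).
    if self.time_window:
        msg_time = getattr(msg, 'time', None)
        # Reject explicitly instead of letting the subtraction raise on a
        # message that carries no usable timestamp.
        if not isinstance(msg_time, (int, float)):
            self.log.error('time field missing or invalid')
            return (None, None)
        age = time.time() - msg_time
        if abs(age) > self.time_window:
            self.log.error('time diff bigger than %d s', self.time_window)
            return (None, None)

    # 4. Attached blob vs. the blob_hash carried in the payload.
    blob_hash = getattr(msg, 'blob_hash', None)
    if blob is not None:
        if not self.ca_name and not part2:
            # Unsigned message: the hash is unauthenticated, so checking it
            # would prove nothing.  Note and move on.
            if blob_hash:
                self.log.debug('blob hash ignored')
        elif blob_hash:
            ht, _, hv = blob_hash.partition(':')
            if ht == 'SHA-1':
                bh = sha1(blob).hexdigest()
            else:
                self.log.error('unsupported hash type: %s', ht)
                return (None, None)
            if bh != hv:
                self.log.error('blob hash does not match: %s <> %s', bh, hv)
                return (None, None)
        else:
            self.log.error('blob hash missing')
            return (None, None)
    elif blob_hash:
        # A hash without a blob means the parts were stripped or reordered.
        self.log.error('blob hash exists without blob')
        return (None, None)

    return msg, sgn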
def parse_json(js):
    """Decode a JSON document into a ``Struct``.

    Thin convenience wrapper around ``Struct.from_json``; no validation or
    authentication happens here, and decoder errors propagate to the caller.
    """
    decoded = Struct.from_json(js)
    return decoded