def decode(self):
data = self.get_data().lstrip('URI:http://')
if data:
dict = xmlrpclib.loads(data)[0][0]
else:
dict = {}
self.lifeTime = dict.get("lifeTime", None)
self.delegate = dict.get("delegate", None)
privStr = dict.get("privileges", None)
if privStr:
self.privileges = Rights(string=privStr)
else:
self.privileges = None
gidCallerStr = dict.get("gidCaller", None)
if gidCallerStr:
self.gidCaller = GID(string=gidCallerStr)
else:
self.gidCaller = None
gidObjectStr = dict.get("gidObject", None)
if gidObjectStr:
self.gidObject = GID(string=gidObjectStr)
else:
self.gidObject = None
def create_credential(owner_cert, target_cert, issuer_key, issuer_cert, typ, expiration, delegatable=False):
"""
{expiration} can be a datetime.datetime or a int/float (see http://docs.python.org/2/library/datetime.html#datetime.date.fromtimestamp) or a string with a UTC timestamp in it
{typ} is used to determine the rights (via ext/sfa/truse/rights.py) can either of the following: "user", "sa", "ma", "cm", "sm", "authority", "slice", "component" also you may specify "admin" for all privileges.
Returns the credential as String
"""
ucred = sfa_cred.Credential()
ucred.set_gid_caller(GID(string=owner_cert))
ucred.set_gid_object(GID(string=target_cert))
ucred.set_expiration(expiration)
if typ == "admin":
if delegatable:
raise ValueError("Admin credentials can not be delegatable")
privileges = sfa_rights.Rights("*")
else:
privileges = sfa_rights.determine_rights(typ, None)
privileges.delegate_all_privileges(delegatable)
ucred.set_privileges(privileges)
ucred.encode()
issuer_key_file, issuer_key_filename = tempfile.mkstemp(); os.write(issuer_key_file, issuer_key); os.close(issuer_key_file)
issuer_cert_file, issuer_cert_filename = tempfile.mkstemp(); os.write(issuer_cert_file, issuer_cert); os.close(issuer_cert_file)
ucred.set_issuer_keys(issuer_key_filename, issuer_cert_filename) # priv, gid
ucred.sign()
os.remove(issuer_key_filename)
os.remove(issuer_cert_filename)
return ucred.save_to_string()
def verify_certificate(certificate, trusted_cert_path=None, crl_path=None):
"""
Taken from ext...gid
Verifies the chain of authenticity of the GID. First performs the checks of the certificate class (verifying that each parent signs the child, etc).
In addition, GIDs also confirm that the parent's HRN is a prefix of the child's HRN, and the parent is of type 'authority'.
Raises a ValueError if bad certificate.
Does not return anything if successful.
"""
try:
trusted_certs = None
if trusted_cert_path:
trusted_certs_paths = [
os.path.join(os.path.expanduser(trusted_cert_path), name)
for name in os.listdir(os.path.expanduser(trusted_cert_path))
if (name != gcf_cred_util.CredentialVerifier.CATEDCERTSFNAME)
and (name[0] != '.')
]
trusted_certs = [
GID(filename=name) for name in trusted_certs_paths
]
gid = GID(string=certificate)
gid.verify_chain(trusted_certs, crl_path)
except SfaFault as e:
raise ValueError("Error verifying certificate: %s" % (str(e), ))
return None
def extract_certificate_info(certificate):
"""Returns the urn, uuid and email of the given certificate."""
user_gid = GID(string=certificate)
user_urn = user_gid.get_urn()
user_uuid = user_gid.get_uuid()
user_email = user_gid.get_email()
return user_urn, user_uuid, user_email
def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile):
"""
Return a delegated copy of this credential, delegated to the
specified gid's user.
"""
# get the gid of the object we are delegating
object_gid = self.get_gid_object()
object_hrn = object_gid.get_hrn()
# the hrn of the user who will be delegated to
delegee_gid = GID(filename=delegee_gidfile)
delegee_hrn = delegee_gid.get_hrn()
#user_key = Keypair(filename=keyfile)
#user_hrn = self.get_gid_caller().get_hrn()
subject_string = "%s delegated to %s" % (object_hrn, delegee_hrn)
dcred = Credential(subject=subject_string)
dcred.set_gid_caller(delegee_gid)
dcred.set_gid_object(object_gid)
dcred.set_parent(self)
dcred.set_expiration(self.get_expiration())
dcred.set_privileges(self.get_privileges())
dcred.get_privileges().delegate_all_privileges(True)
#dcred.set_issuer_keys(keyfile, delegee_gidfile)
dcred.set_issuer_keys(caller_keyfile, caller_gidfile)
dcred.encode()
dcred.sign()
return dcred
def verify(self, trusted_certs=None, schema=None, trusted_certs_required=True):
if not self.xml:
self.decode()
# validate against RelaxNG schema
if HAVELXML and not self.legacy:
if schema and os.path.exists(schema):
tree = etree.parse(StringIO(self.xml))
schema_doc = etree.parse(schema)
xmlschema = etree.XMLSchema(schema_doc)
if not xmlschema.validate(tree):
error = xmlschema.error_log.last_error
message = "%s: %s (line %s)" % (self.get_summary_tostring(), error.message, error.line)
raise CredentialNotVerifiable(message)
if trusted_certs_required and trusted_certs is None:
trusted_certs = []
# trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
trusted_cert_objects = []
ok_trusted_certs = []
# If caller explicitly passed in None that means skip cert chain validation.
# Strange and not typical
if trusted_certs is not None:
for f in trusted_certs:
try:
# Failures here include unreadable files
# or non PEM files
trusted_cert_objects.append(GID(filename=f))
ok_trusted_certs.append(f)
except Exception, exc:
logger.error("Failed to load trusted cert from %s: %r" % (f, exc))
trusted_certs = ok_trusted_certs
def create_credential_ex(owner_cert,
target_cert,
issuer_key,
issuer_cert,
privileges_list,
expiration,
delegatable=True,
parent_creds=None):
"""
{expiration} can be a datetime.datetime or a int/float (see http://docs.python.org/2/library/datetime.html#datetime.date.fromtimestamp) or a string with a UTC timestamp in it
{privileges_list} list of privileges as list
Returns the credential as String
"""
ucred = sfa_cred.Credential()
ucred.set_gid_caller(GID(string=owner_cert))
ucred.set_gid_object(GID(string=target_cert))
ucred.set_expiration(expiration)
#Check if delegated credentials have been requested
if parent_creds:
cred_obj = sfa_cred.Credential(string=parent_creds[0]['SFA'])
ucred.set_parent(cred_obj)
privileges_str = ','.join(privileges_list)
privileges = sfa_rights.Rights(privileges_str)
privileges.delegate_all_privileges(delegatable)
ucred.set_privileges(privileges)
ucred.encode()
issuer_key_file, issuer_key_filename = tempfile.mkstemp()
os.write(issuer_key_file, issuer_key)
os.close(issuer_key_file)
issuer_cert_file, issuer_cert_filename = tempfile.mkstemp()
os.write(issuer_cert_file, issuer_cert)
os.close(issuer_cert_file)
ucred.set_issuer_keys(issuer_key_filename,
issuer_cert_filename) # priv, gid
ucred.sign()
os.remove(issuer_key_filename)
os.remove(issuer_cert_filename)
return ucred.save_to_string()
def sign(self):
if not self.issuer_privkey:
logger.warn("Cannot sign credential (no private key)")
return
if not self.issuer_gid:
logger.warn("Cannot sign credential (no issuer gid)")
return
doc = parseString(self.get_xml())
sigs = doc.getElementsByTagName("signatures")[0]
# Create the signature template to be signed
signature = Signature()
signature.set_refid(self.get_refid())
sdoc = parseString(signature.get_xml())
sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
sigs.appendChild(sig_ele)
self.xml = doc.toxml()
# Split the issuer GID into multiple certificates if it's a chain
chain = GID(filename=self.issuer_gid)
gid_files = []
while chain:
gid_files.append(chain.save_to_random_tmp_file(False))
if chain.get_parent():
chain = chain.get_parent()
else:
chain = None
# Call out to xmlsec1 to sign it
ref = 'Sig_%s' % self.get_refid()
filename = self.save_to_random_tmp_file()
command='%s --sign --node-id "%s" --privkey-pem %s,%s %s' \
% (self.xmlsec_path, ref, self.issuer_privkey, ",".join(gid_files), filename)
# print 'command',command
signed = os.popen(command).read()
os.remove(filename)
for gid_file in gid_files:
os.remove(gid_file)
self.xml = signed
# This is no longer a legacy credential
if self.legacy:
self.legacy = None
# Update signatures
self.decode()
class Signature(object):
def __init__(self, string=None):
self.refid = None
self.issuer_gid = None
self.xml = None
if string:
self.xml = string
self.decode()
def get_refid(self):
if not self.refid:
self.decode()
return self.refid
def get_xml(self):
if not self.xml:
self.encode()
return self.xml
def set_refid(self, id):
self.refid = id
def get_issuer_gid(self):
if not self.gid:
self.decode()
return self.gid
def set_issuer_gid(self, gid):
self.gid = gid
def decode(self):
try:
doc = parseString(self.xml)
except ExpatError,e:
logger.log_exc ("Failed to parse credential, %s"%self.xml)
raise
sig = doc.getElementsByTagName("Signature")[0]
self.set_refid(sig.getAttribute("xml:id").strip("Sig_"))
keyinfo = sig.getElementsByTagName("X509Data")[0]
szgid = getTextNode(keyinfo, "X509Certificate")
szgid = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % szgid
self.set_issuer_gid(GID(string=szgid))
def decode(self):
if not self.xml:
return
doc = parseString(self.xml)
sigs = []
signed_cred = doc.getElementsByTagName("signed-credential")
# Is this a signed-cred or just a cred?
if len(signed_cred) > 0:
creds = signed_cred[0].getElementsByTagName("credential")
signatures = signed_cred[0].getElementsByTagName("signatures")
if len(signatures) > 0:
sigs = signatures[0].getElementsByTagName("Signature")
else:
creds = doc.getElementsByTagName("credential")
if creds is None or len(creds) == 0:
# malformed cred file
raise CredentialNotVerifiable(
"Malformed XML: No credential tag found")
# Just take the first cred if there are more than one
cred = creds[0]
self.set_refid(cred.getAttribute("xml:id"))
self.set_expiration(utcparse(getTextNode(cred, "expires")))
self.gidCaller = GID(string=getTextNode(cred, "owner_gid"))
self.gidObject = GID(string=getTextNode(cred, "target_gid"))
# Process privileges
privs = cred.getElementsByTagName("privileges")[0]
rlist = Rights()
for priv in privs.getElementsByTagName("privilege"):
kind = getTextNode(priv, "name")
deleg = str2bool(getTextNode(priv, "can_delegate"))
if kind == '*':
# Convert * into the default privileges for the credential's type
# Each inherits the delegatability from the * above
_, type = urn_to_hrn(self.gidObject.get_urn())
rl = determine_rights(type, self.gidObject.get_urn())
for r in rl.rights:
r.delegate = deleg
rlist.add(r)
else:
rlist.add(Right(kind.strip(), deleg))
self.set_privileges(rlist)
# Is there a parent?
parent = cred.getElementsByTagName("parent")
if len(parent) > 0:
parent_doc = parent[0].getElementsByTagName("credential")[0]
parent_xml = parent_doc.toxml()
self.parent = Credential(string=parent_xml)
self.updateRefID()
# Assign the signatures to the credentials
for sig in sigs:
Sig = Signature(string=sig.toxml())
for cur_cred in self.get_credential_list():
if cur_cred.get_refid() == Sig.get_refid():
cur_cred.set_signature(Sig)
def get_serial_number(certificate):
"Returns the serial number of given certificate"
user_gid = GID(string=certificate)
return user_gid.get_serial_number()
uuidO = uuid.UUID(int=int(uuidarg))
except Exception, e:
try:
uuidO = uuid.UUID(fields=uuidarg)
except:
try:
uuidO = uuid.UUID(bytes=uuidarg)
except:
try:
uuidO = uuid.UUID(bytes_le=uuidarg)
except:
pass
if uuidO is not None:
uuidI = uuidO.int
newgid = GID(create=True, subject=subject, uuid=uuidI, urn=urn, lifeDays=lifeDays, serial_number=serial_number)
if email:
newgid.set_email(email)
if public_key is None:
# create a new key pair
keys = Keypair(create=True)
else:
# use the specified public key file
keys = Keypair()
keys.load_pubkey_from_file(public_key)
newgid.set_pubkey(keys)
newgid.set_is_ca(ca)
if issuer_key and issuer_cert:
# the given issuer will issue this cert
try:
uuidO = uuid.UUID(fields=uuidarg)
except:
try:
uuidO = uuid.UUID(bytes=uuidarg)
except:
try:
uuidO = uuid.UUID(bytes_le=uuidarg)
except:
pass
if uuidO is not None:
uuidI = uuidO.int
newgid = GID(create=True,
subject=subject,
uuid=uuidI,
urn=urn,
lifeDays=lifeDays)
if email:
newgid.set_email(email)
if public_key is None:
# create a new key pair
keys = Keypair(create=True)
else:
# use the specified public key file
keys = Keypair()
keys.load_pubkey_from_file(public_key)
newgid.set_pubkey(keys)
newgid.set_is_ca(ca)
