def cms_verify(formatted,
               signing_cert_file_name,
               ca_file_name,
               inform=PKI_ASN1_FORM):
    """Verify the signature of the contents IAW CMS syntax.

    The message is piped to ``openssl cms -verify`` on stdin. The signer
    certificate file goes to ``-certfile`` and the trust-anchor file to
    ``-CAfile``; ``-noverify`` is deliberately *not* passed, so openssl
    checks the signer's chain against ``ca_file_name`` rather than only
    the raw signature. Only the verified payload (the first value the
    communicate helper returns, presumably openssl's stdout) is returned.

    :param formatted: the CMS message; text is encoded according to
        *inform* via ``_encoding_for_form``, anything else is sent as-is.
    :param signing_cert_file_name: path handed to ``-certfile``.
    :param ca_file_name: path handed to ``-CAfile``.
    :param inform: selects only the encoding used for text input; the
        ``-inform`` option given to openssl is always ``PEM``.
        NOTE(review): confirm that mismatch is intended.
    :raises subprocess.CalledProcessError: openssl failed for a reason
        other than an unreadable certificate file.
    :raises keystoneclient.exceptions.CMSError: openssl could not parse
        the S/MIME message itself.
    :raises keystoneclient.exceptions.CertificateConfigError: if certificate
                                                              is not configured
                                                              properly.
    """
    _ensure_subprocess()
    payload = (bytearray(formatted, _encoding_for_form(inform))
               if isinstance(formatted, six.string_types)
               else formatted)
    # Argument vector, no shell: the file names are never shell-interpreted.
    command = ['openssl', 'cms', '-verify',
               '-certfile', signing_cert_file_name,
               '-CAfile', ca_file_name,
               '-inform', 'PEM',
               '-nosmimecap', '-nodetach', '-nocerts', '-noattr']
    process = subprocess.Popen(command,
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               close_fds=True)
    output, err, retcode = _process_communicate_handle_oserror(
        process, payload, (signing_cert_file_name, ca_file_name))

    # Errors are intentionally not logged here: some of them occur on the
    # expected path, so the caller decides what to log.
    if retcode == OpensslCmsExitStatus.SUCCESS:
        return output

    # Exit code meaning differs between OpenSSL releases (see
    # https://www.openssl.org/docs/man1.1.0/apps/cms.html#EXIT-CODES).
    # For a missing certificate file:
    #   openssl < 1.1.0  -> INPUT_FILE_READ_ERROR,
    #                       "Error opening certificate file <name>"
    #   openssl >= 1.1.0 -> COMMAND_OPTIONS_PARSING_ERROR,
    #                       "cms: Cannot open input file <name>, ..."
    # so both codes are inspected together with the stderr prefix.
    if retcode == OpensslCmsExitStatus.INPUT_FILE_READ_ERROR:
        if err.startswith('Error reading S/MIME message'):
            raise exceptions.CMSError(err)
        raise exceptions.CertificateConfigError(err)
    if (retcode == OpensslCmsExitStatus.COMMAND_OPTIONS_PARSING_ERROR
            and err.startswith('cms: Cannot open input file')):
        raise exceptions.CertificateConfigError(err)
    raise subprocess.CalledProcessError(retcode, 'openssl', output=err)
 def _fetch_cert_file(self, cert_type):
     """Fetch a certificate file of *cert_type* through the request strategy.

     :param cert_type: passed unchanged to
         ``self._request_strategy.fetch_cert_file``.
     :returns: the response body text when the server answered 200.
     :raises exceptions.CertificateConfigError: on an HTTP error (carrying
         ``e.details``) or on any non-200 status (carrying the body).
     """
     try:
         response = self._request_strategy.fetch_cert_file(cert_type)
     except exceptions.HTTPError as e:
         raise exceptions.CertificateConfigError(e.details)
     else:
         # Anything but a plain 200 is treated as a configuration problem,
         # not as a transport failure.
         if response.status_code == 200:
             return response.text
         raise exceptions.CertificateConfigError(response.text)
def cms_verify(formatted,
               signing_cert_file_name,
               ca_file_name,
               inform=PKI_ASN1_FORM):
    """Verifies the signature of the contents IAW CMS syntax.

    Runs ``openssl cms -verify`` with the message on stdin, the signer
    certificate file as ``-certfile`` and the trust anchors as ``-CAfile``.
    Because ``-noverify`` is not passed, openssl validates the signer's
    chain against ``ca_file_name``, not just the signature bytes. The
    verified payload (first value from the communicate helper, presumably
    openssl's stdout) is returned.

    :param formatted: the CMS message; text is encoded per *inform*,
        any other object is passed through untouched.
    :param signing_cert_file_name: path handed to ``-certfile``.
    :param ca_file_name: path handed to ``-CAfile``.
    :param inform: only chooses the text encoding; ``-inform PEM`` is
        always what openssl receives. NOTE(review): confirm intended.
    :raises subprocess.CalledProcessError:
    :raises keystoneclient.exceptions.CMSError: openssl could not read
        the S/MIME message.
    :raises keystoneclient.exceptions.CertificateConfigError: if certificate
                                                              is not configured
                                                              properly.
    """
    _ensure_subprocess()
    if isinstance(formatted, six.string_types):
        payload = bytearray(formatted, _encoding_for_form(inform))
    else:
        payload = formatted
    # List form, no shell: file names are plain arguments to openssl.
    command = [
        'openssl', 'cms', '-verify',
        '-certfile', signing_cert_file_name,
        '-CAfile', ca_file_name,
        '-inform', 'PEM',
        '-nosmimecap', '-nodetach', '-nocerts', '-noattr',
    ]
    process = subprocess.Popen(command,
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               close_fds=True)
    output, err, retcode = _process_communicate_handle_oserror(
        process, payload, (signing_cert_file_name, ca_file_name))

    # No logging here on purpose: some failures are part of the expected
    # flow, so the caller catches and logs them.
    if retcode == OpensslCmsExitStatus.SUCCESS:
        return output

    # A missing certificate file makes openssl exit with code 2 and a
    # message such as "Error opening certificate file <name>"; see
    # http://www.openssl.org/docs/apps/cms.html#EXIT_CODES.
    if retcode == OpensslCmsExitStatus.INPUT_FILE_READ_ERROR:
        if err.startswith('Error reading S/MIME message'):
            raise exceptions.CMSError(err)
        raise exceptions.CertificateConfigError(err)

    # NOTE(dmllr): Python 2.6 compatibility:
    # CalledProcessError did not have output keyword argument
    failure = subprocess.CalledProcessError(retcode, 'openssl')
    failure.output = err
    raise failure
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
    """Verifies the signature of the contents IAW CMS syntax.

    The message is fed unchanged to ``openssl cms -verify`` on stdin
    (``universal_newlines=True``, so the pipes are text mode). The signer
    certificate file is passed as ``-certfile`` and the trust anchors as
    ``-CAfile``; without ``-noverify`` openssl also validates the signer's
    chain against ``ca_file_name``. The verified payload (first value from
    the communicate helper, presumably openssl's stdout) is returned.

    :param formatted: the CMS message handed to openssl as-is.
    :param signing_cert_file_name: path handed to ``-certfile``.
    :param ca_file_name: path handed to ``-CAfile``.
    :raises: subprocess.CalledProcessError
    :raises: CertificateConfigError if certificate is not configured properly.
    """
    _ensure_subprocess()
    # Argument list, no shell: the paths are never interpreted by a shell.
    command = [
        "openssl", "cms", "-verify",
        "-certfile", signing_cert_file_name,
        "-CAfile", ca_file_name,
        "-inform", "PEM",
        "-nosmimecap", "-nodetach", "-nocerts", "-noattr",
    ]
    process = subprocess.Popen(command,
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               universal_newlines=True)
    output, err, retcode = _process_communicate_handle_oserror(
        process, formatted, (signing_cert_file_name, ca_file_name))

    # Errors are not logged here: some of them happen on the expected
    # path, so the caller is responsible for catching and logging them.
    if not retcode:
        return output

    # Exit code 2 is what openssl returns for an unreadable input file,
    # e.g. "Error opening certificate file <name>"; see
    # http://www.openssl.org/docs/apps/cms.html#EXIT_CODES.
    if retcode == 2:
        raise exceptions.CertificateConfigError(err)

    # NOTE(dmllr): Python 2.6 compatibility:
    # CalledProcessError did not have output keyword argument
    failure = subprocess.CalledProcessError(retcode, "openssl")
    failure.output = err
    raise failure
 def wrapper(self):
     """Call ``fetch_cert`` for *self*, mapping HTTP failures to a config error.

     :returns: whatever ``fetch_cert(self)`` returns.
     :raises ksc_exceptions.CertificateConfigError: when ``fetch_cert``
         raises ``ksa_exceptions.HttpError``; the error's ``details`` are
         used as the message.
     """
     try:
         return fetch_cert(self)
     except ksa_exceptions.HttpError as e:
         raise ksc_exceptions.CertificateConfigError(e.details)