def verify_certificate_chain(certificate_chain):
""" Verify the certificate chain to be valid
input:
certificate_chain: [cert1,cert2,cert3]
List of certificates (*in PEM FORMAT*) in the certificate chain. It assumes that the last certificate is the Root CA certificate.
output:
[True|False]
Boolean value
"""
CAfile_contents = _create_CAfile_contents_from_cert_chain(certificate_chain)
CAfile_tempfile_name=utility_functions.store_data_to_temp_file(CAfile_contents)
level1_cert_to_verify_contents = certificate_chain[0]
level1_cert_to_verify_tempfile_name=utility_functions.store_data_to_temp_file(level1_cert_to_verify_contents)
try:
verify_level1_cert_command_out = utility_functions.system_command_logged([openssl_binary_path, 'verify', '-CAfile', CAfile_tempfile_name, level1_cert_to_verify_tempfile_name])
except:
logger.critical("verify_certificate_chain: OPENSSL could not verify cert chain")
logger.debug("OpenSSL verify command output: " + verify_level1_cert_command_out)
logger.debug("Deleting temporary files: " + CAfile_tempfile_name +", " + level1_cert_to_verify_tempfile_name)
os.unlink(CAfile_tempfile_name)
os.unlink(level1_cert_to_verify_tempfile_name)
if verify_level1_cert_command_out.rstrip() == level1_cert_to_verify_tempfile_name + ": OK":
logger.debug("The certificate chain is verified")
return True
else:
logger.debug("The certificate chain is not verified")
return False
def _get_hmacparams_from_certificate_subject_dictionary(certificate_subject_dictionary):
""" Return a dictionary of the HMAC params from the certificate subject dictionary
input:
certificate_subject_dictionary = dictionary of subject params from certificate
output:
hmac_params = Dictionary of HMAC parameters from certificate subject
"""
sw_id_re=re.compile(r'01 ([0-9A-F]{16}) SW_ID')
hw_id_re=re.compile(r'02 ([0-9A-F]{16}) HW_ID')
if 'OU' in certificate_subject_dictionary.keys() and type(certificate_subject_dictionary['OU'])==list:
certificate_subject_dictionary['OU'].sort()
sw_id_element = sw_id_re.match(certificate_subject_dictionary['OU'][0])
hw_id_element = hw_id_re.match(certificate_subject_dictionary['OU'][1])
if sw_id_element == None:
logger.critical("Error in certificate subject. SW_ID field not found. Not a valid certificate. Exiting")
raise RuntimeError("Error in certificate subject. SW_ID field not found. Not a valid certificate. Exiting")
elif hw_id_element == None:
logger.critical("Error in certificate subject. HW_ID field not found. Not a valid certificate. Exiting")
raise RuntimeError("Error in certificate subject. HW_ID field not found. Not a valid certificate. Exiting")
else:
logger.debug("Valid certificate: Found SW_ID and HW_ID")
sw_id_text = sw_id_element.group(1)
hw_id_text = hw_id_element.group(1)
logger.debug('SW_ID = ' + sw_id_text)
logger.debug('HW_ID = ' + hw_id_text)
hw_id_int = int(hw_id_text, 16)
sw_id_int = int(sw_id_text, 16)
hmac_params = HmacParams(hw_id_int, sw_id_int)
return hmac_params
def discover_openSSL_implementation(self):
logger.debug("Beginning discovery of openssl implementation")
logger.debug("Looking for openssl binary")
openssl_binaries = self.which_cmd('openssl')
if len(openssl_binaries)>0:
logger.debug("Found OpenSSL binary at {0}".format(openssl_binaries[0]))
import openssl_binary_implementation as openssl_impl
if sys.platform!='linux2':
openssl_impl.openssl_binary_path=self.relative_path_to_packaged_openssl_binary
else:
openssl_impl.openssl_binary_path=openssl_binaries[0]
if 'OPENSSL_DIR' in os.environ:
if sys.platform!='linux2':
openssl_impl.openssl_binary_path=os.path.join(os.environ['OPENSSL_DIR'],'openssl.exe')
else:
openssl_impl.openssl_binary_path=os.path.join(os.environ['OPENSSL_DIR'],'openssl')
openssl_impl.ccm_crypto_path=self.relative_path_to_packaged_ccm_binary
openssl_impl.cbc_crypto_path=self.relative_path_to_packaged_cbc_binary
else:
try:
logger.debug("Looking for M2Crypto")
import M2Crypto as openssl_impl
except ImportError:
logger.debug("Could not find M2Crypto module")
logger.critical("Could not find OpenSSL Implementation")
raise RuntimeError("Could not find OpenSSL Implementation")
return openssl_impl
def privkey_pem_to_der(pem_privkey):
""" Convert PEM format PRIVATE key into DER format
input:
pem_privkey: String containing base64 PEM Private key
output
der_privkey: String containing binary Private key
"""
der_privkey = ''
pem_tempfile_name = utility_functions.store_data_to_temp_file(pem_privkey)
try:
der_privkey = utility_functions.system_command_logged(
[
openssl_binary_path, 'rsa', '-in', pem_tempfile_name,
'-inform', 'PEM', '-outform', 'DER'
],
stderr_to_temp=True)
logger.debug2("PEM Format private key: " + hexdump(der_privkey))
except:
logger.critical(
"privkey_pem_to_der: OPENSSL Could not convert PEM key to DER key")
finally:
os.unlink(pem_tempfile_name)
logger.debug("Deleting temporary file: " + pem_tempfile_name)
return der_privkey
def privkey_der_to_pem(der_privkey):
""" Convert binary DER format PRIVATE key into base64 coded ASCII PEM format
input:
der_privkey: String containing binary PRIVATE KEY
output
pem_privkey: String containing base64 PEM PRIVATE KEY
"""
pem_privkey = ''
der_tempfile_name = utility_functions.store_data_to_temp_file(der_privkey)
try:
pem_privkey = utility_functions.system_command_logged(
[
openssl_binary_path, 'rsa', '-in', der_tempfile_name,
'-inform', 'DER', '-outform', 'PEM'
],
stderr_to_temp=True)
logger.debug2("PEM Format Private Key: " + pem_privkey)
except:
logger.critical(
"privkey_der_to_pem: OPENSSL Could not convert DER key to PEM")
finally:
os.unlink(der_tempfile_name)
logger.debug("Deleting temporary file: " + der_tempfile_name)
return pem_privkey
def cert_der_to_pem(der_certificate):
""" Convert binary DER format certificate into base64 coded ASCII PEM format
input:
der_certificate: String containing binary certificate
output
pem_certificate: String containing base64 PEM certificate
"""
der_tempfile_name = utility_functions.store_data_to_temp_file(
der_certificate)
try:
pem_certificate = utility_functions.system_command_logged(
[
openssl_binary_path, 'x509', '-in', der_tempfile_name,
'-inform', 'DER', '-outform', 'PEM'
],
stderr_to_temp=True)
except:
logger.critical(
"cert_der_to_pem: OPENSSL could not convert DER cert to PEM")
logger.debug2("PEM Format certificate: " + pem_certificate)
logger.debug("Deleting temporary file: " + der_tempfile_name)
os.unlink(der_tempfile_name)
return pem_certificate
def discover_openSSL_implementation(self):
logger.debug("Beginning discovery of openssl implementation")
logger.debug("Looking for openssl binary")
openssl_binaries = self.which_cmd('openssl')
if len(openssl_binaries)>0:
logger.debug("Found OpenSSL binary at {0}".format(openssl_binaries[0]))
import openssl_binary_implementation as openssl_impl
if sys.platform!='linux2':
openssl_impl.openssl_binary_path=self.relative_path_to_packaged_openssl_binary
else:
openssl_impl.openssl_binary_path=openssl_binaries[0]
if 'OPENSSL_DIR' in os.environ:
if sys.platform!='linux2':
openssl_impl.openssl_binary_path=os.path.join(os.environ['OPENSSL_DIR'],'openssl.exe')
else:
openssl_impl.openssl_binary_path=os.path.join(os.environ['OPENSSL_DIR'],'openssl')
openssl_impl.ccm_crypto_path=self.relative_path_to_packaged_ccm_binary
openssl_impl.cbc_crypto_path=self.relative_path_to_packaged_cbc_binary
else:
try:
logger.debug("Looking for M2Crypto")
import M2Crypto as openssl_impl
except ImportError:
logger.debug("Could not find M2Crypto module")
logger.critical("Could not find OpenSSL Implementation")
raise RuntimeError("Could not find OpenSSL Implementation")
return openssl_impl
def cert_pem_to_der(pem_certificate):
""" Convert PEM format certificate into DER format
input:
pem_certificate: String containing base64 PEM certificate
output
der_certificate: String containing binary certificate
"""
pem_tempfile_name = utility_functions.store_data_to_temp_file(
pem_certificate)
try:
der_certificate = utility_functions.system_command_logged(
[
openssl_binary_path, 'x509', '-in', pem_tempfile_name,
'-inform', 'PEM', '-outform', 'DER'
],
stderr_to_temp=True)
except:
logger.critical(
"cert_pem_to_der: OPENSSL could not convert PEM cert to DER")
logger.debug2("PEM Format certificate: " + hexdump(der_certificate))
logger.debug("Deleting temporary file: " + pem_tempfile_name)
os.unlink(pem_tempfile_name)
return der_certificate
def encrypt_with_private_key(message, private_key):
""" Encrypt a message with a private key
input:
message: String representing message
private_key: String representing the private key
output:
signature: String representing encrypted message
"""
private_key_tempfile_name = utility_functions.store_data_to_temp_file(
private_key)
message_tempfile_name = utility_functions.store_data_to_temp_file(message)
command_list = [
openssl_binary_path, "rsautl", "-sign", "-pkcs", "-inkey",
private_key_tempfile_name, '-in', message_tempfile_name
]
try:
encrypted_message = utility_functions.system_command_logged(
command_list, stderr_to_temp=True)
except:
logger.critical(
"encrypt_with_private_key: OPENSSL could not perform RSA sign operation"
)
return encrypted_message
def decrypt_with_public_key(encrypted_message, public_key):
""" Decrypt an encrypted message with a public key
input:
encrypted_message = String representation of encrypted message
public_key = String representation of public key
output:
message = String representing decrypted message
"""
public_key_tempfile_name = utility_functions.store_data_to_temp_file(
public_key)
encrypted_message_tempfile_name = utility_functions.store_data_to_temp_file(
encrypted_message)
command_list = [
openssl_binary_path, 'rsautl', '-inkey', public_key_tempfile_name,
'-pubin', '-in', encrypted_message_tempfile_name
]
try:
message = utility_functions.system_command_logged(command_list,
stderr_to_temp=True)
except:
logger.critical(
"decrypt_with_public_key: OPENSSL could not decrypt with public key"
)
return message
def _validate_certificate_params_dict(self, certificate_params_dict):
certificate_params_is_valid = False
generate_new_certificate = False
for key in certificate_params_dict:
if key not in ['C', 'CN', 'L', 'O', 'ST', 'OU', 'emailAddress']:
if key not in ['private_key_path', 'certificate_path']:
logger.error("Invalid Key is being passed in configuration!" + repr(key))
raise RuntimeError("Invalid Key is being passed in configuration!")
else:
# pre-generated cert/key, check if exist
if os.path.exists(certificate_params_dict['private_key_path']) is False:
err_str = "private_key_path does not exist: {0}!".format(certificate_params_dict['private_key_path'])
logger.error(err_str)
certificate_params_is_valid = False
raise RuntimeError(err_str)
if os.path.exists(certificate_params_dict['certificate_path']) is False:
err_str = "certificate_path does not exist: {0}!".format(certificate_params_dict['certificate_path'])
logger.error(err_str)
certificate_params_is_valid = False
raise RuntimeError(err_str)
cert_version = crypto.cert.get_version(crypto.cert.get_text(c_path.load_data_from_file(certificate_params_dict['certificate_path'])))
if cert_version == crypto.cert.CERT_V3:
generate_new_certificate = False
certificate_params_is_valid = True
else:
logger.critical('Certificate version is incorrect: ' + str(cert_version))
raise RuntimeError('Invalid certificate: ' + certificate_params_dict['certificate_path'])
else: # generate new cert/key
certificate_params_is_valid = True
generate_new_certificate = True
return certificate_params_is_valid, generate_new_certificate
def _execute_openssl_certificate_command(command_list, key_pair, key_tempfile_name, shell=False):
try:
certificate_request = utility_functions.system_command_logged(command_list, stderr_to_temp=True, shell=shell)
except subprocess.CalledProcessError, e:
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) +
" \nCommand = " + ' '.join(e.cmd))
def get_public_key_from_cert_chain(certificate_chain_list):
""" Verify certificate chain and extract public key from chain list
"""
if verify_certificate_chain(certificate_chain_list):
return _extract_public_key_from_certificate(certificate_chain_list[0])
else:
logger.critical("The certificate chain could not be verified!")
raise RuntimeError("The certificate chain could not be verified!")
def get_public_key_from_cert_chain(certificate_chain_list):
""" Verify certificate chain and extract public key from chain list
"""
if verify_certificate_chain(certificate_chain_list):
return _extract_public_key_from_certificate(certificate_chain_list[0])
else:
logger.critical("The certificate chain could not be verified!")
raise RuntimeError("The certificate chain could not be verified!")
def gen_rsa_key_pair(key_size_in_bits, key_exponent, priv_key_output_file,
pub_key_output_file):
""" Generate RSA Key pair
input:
key_size_in_bits: Size of the key in bits.
key_exponent: [3, 65537]
Exponent used in key calculation.
priv_key_output_file: File name for storing private key
pub_key_output_file: File name for storing public key
output:
returned value: {"public_key": [Generated public key],
"private_key": [Generated private key] }
Dictionary holding the values of public and private keys
"""
logger.debug("the openssl_binary is:{0}".format(openssl_binary_path))
if key_exponent == 3:
exponent_str = "-3"
elif key_exponent == 65537:
exponent_str = "-f4"
else:
logger.warning(
"Exponent value supplied is INVALID! going with default exponent of 65537."
)
exponent_str = "-f4"
key_size_str = str(key_size_in_bits)
if priv_key_output_file is not None:
pk_file = open(priv_key_output_file, "wb")
else:
pk_file = tempfile.NamedTemporaryFile(delete=False)
logger.debug(
"No output file specified for private key storage, so creating temp file: "
+ pk_file.name)
try:
private_key = utility_functions.system_command_logged(
[openssl_binary_path, "genrsa", exponent_str, key_size_str],
stderr_to_temp=True)
except subprocess.CalledProcessError, e:
os.unlink(pk_file.name)
logger.critical(
"gen_rsa_key_pair: OPENSSL Errored out on generation of RSA key.")
logger.critical(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
def init_from_cert(self, cert):
# Extract the params from the cert
cert_text = cert_functions.get_text(cert)
params = cert_functions.get_subject_params(
cert_functions.get_subject(cert_text))
# Patterns to look for
sw_id_re = re.compile(r'01 ([0-9A-F]{16}) SW_ID')
hw_id_re = re.compile(r'02 ([0-9A-F]{16}) HW_ID')
hash_algo_re = re.compile(r'07 ([0-9]{4}) SHA([0-9]+)')
# Extract the fields
if 'OU' in params.keys() and type(params['OU']) == list:
params['OU'].sort()
sw_id_element, hw_id_element, hash_algo_element = None, None, None
for p in params['OU']:
if sw_id_element is None:
sw_id_element = sw_id_re.match(p)
if hw_id_element is None:
hw_id_element = hw_id_re.match(p)
if hash_algo_element is None:
hash_algo_element = hash_algo_re.match(p)
# Check if fields are missing
if sw_id_element is None:
logger.critical(
"Error in certificate subject. SW_ID field not found. Not a valid certificate. Exiting"
)
raise RuntimeError(
"Error in certificate subject. SW_ID field not found. Not a valid certificate. Exiting"
)
elif hw_id_element is None:
logger.critical(
"Error in certificate subject. HW_ID field not found. Not a valid certificate. Exiting"
)
raise RuntimeError(
"Error in certificate subject. HW_ID field not found. Not a valid certificate. Exiting"
)
# Update the fields
logger.debug("Valid certificate: Found SW_ID and HW_ID")
sw_id_text = sw_id_element.group(1)
hw_id_text = hw_id_element.group(1)
hash_algo_text = hash_algo_element.group(
2) if hash_algo_element is not None else '256'
logger.debug('SW_ID = ' + sw_id_text)
logger.debug('HW_ID = ' + hw_id_text)
self.msm_id = int(hw_id_text, 16)
self.sw_id = int(sw_id_text, 16)
self.hash_algo = 'sha' + hash_algo_text
def get_public_key_from_private_key(private_key):
""" Extracts public key from provided private key
input:
private_key: String representation of private key
output:
public key: String representation of public key
"""
privkey_tempfile = utility_functions.store_data_to_temp_file(private_key)
try:
public_key = utility_functions.system_command_logged([openssl_binary_path, "rsa", "-in", privkey_tempfile, "-pubout"], stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
def privkey_der_to_pem(der_privkey):
""" Convert binary DER format PRIVATE key into base64 coded ASCII PEM format
input:
der_privkey: String containing binary PRIVATE KEY
output
pem_privkey: String containing base64 PEM PRIVATE KEY
"""
der_tempfile_name = utility_functions.store_data_to_temp_file(der_privkey)
try:
pem_privkey = utility_functions.system_command_logged([openssl_binary_path, 'rsa', '-in', der_tempfile_name, '-inform', 'DER', '-outform', 'PEM'], stderr_to_temp=True)
except:
logger.critical("privkey_der_to_pem: OPENSSL Could not convert DER key to PEM")
logger.debug2("PEM Format Private Key: " + pem_privkey)
logger.debug("Deleting temporary file: " + der_tempfile_name)
os.unlink(der_tempfile_name)
return pem_privkey
def privkey_pem_to_der(pem_privkey):
""" Convert PEM format PRIVATE key into DER format
input:
pem_privkey: String containing base64 PEM Private key
output
der_privkey: String containing binary Private key
"""
pem_tempfile_name = utility_functions.store_data_to_temp_file(pem_privkey)
try:
der_privkey = utility_functions.system_command_logged([openssl_binary_path, 'rsa', '-in', pem_tempfile_name, '-inform', 'PEM', '-outform', 'DER'], stderr_to_temp=True)
except:
logger.critical("privkey_pem_to_der: OPENSSL Could not convert PEM key to DER key")
logger.debug2("PEM Format private key: " + hexdump(der_privkey))
logger.debug("Deleting temporary file: " + pem_tempfile_name)
os.unlink(pem_tempfile_name)
return der_privkey
def _extract_public_key_from_certificate(certificate):
""" Pulls out public key stored in certificate.
input:
certificate = String representation of PEM certificate
output:
public_key = String representation of public key in certificate
"""
certificate_tempfile_name=utility_functions.store_data_to_temp_file(certificate)
command_list = [openssl_binary_path, 'x509', '-in', certificate_tempfile_name, '-pubkey', '-noout', '-inform', 'PEM']
try:
public_key = utility_functions.system_command_logged(command_list)
except:
logger.critical("_extract_public_key_from_certificate: OPENSSL could not extract public key from cert")
return public_key
def cert_der_to_pem(der_certificate):
""" Convert binary DER format certificate into base64 coded ASCII PEM format
input:
der_certificate: String containing binary certificate
output
pem_certificate: String containing base64 PEM certificate
"""
der_tempfile_name = utility_functions.store_data_to_temp_file(der_certificate)
try:
pem_certificate = utility_functions.system_command_logged([openssl_binary_path, 'x509', '-in', der_tempfile_name, '-inform', 'DER', '-outform', 'PEM'], stderr_to_temp=True)
except:
logger.critical("cert_der_to_pem: OPENSSL could not convert DER cert to PEM")
logger.debug2("PEM Format certificate: " + pem_certificate)
logger.debug("Deleting temporary file: " + der_tempfile_name)
os.unlink(der_tempfile_name)
return pem_certificate
def cert_pem_to_der(pem_certificate):
""" Convert PEM format certificate into DER format
input:
pem_certificate: String containing base64 PEM certificate
output
der_certificate: String containing binary certificate
"""
pem_tempfile_name = utility_functions.store_data_to_temp_file(pem_certificate)
try:
der_certificate = utility_functions.system_command_logged([openssl_binary_path, 'x509', '-in', pem_tempfile_name, '-inform', 'PEM', '-outform', 'DER'], stderr_to_temp=True)
except:
logger.critical("cert_pem_to_der: OPENSSL could not convert PEM cert to DER")
logger.debug2("PEM Format certificate: " + hexdump(der_certificate))
logger.debug("Deleting temporary file: " + pem_tempfile_name)
os.unlink(pem_tempfile_name)
return der_certificate
def decrypt_with_public_key(encrypted_message, public_key):
""" Decrypt an encrypted message with a public key
input:
encrypted_message = String representation of encrypted message
public_key = String representation of public key
output:
message = String representing decrypted message
"""
public_key_tempfile_name =utility_functions.store_data_to_temp_file(public_key)
encrypted_message_tempfile_name = utility_functions.store_data_to_temp_file(encrypted_message)
command_list=[openssl_binary_path, 'rsautl', '-inkey', public_key_tempfile_name, '-pubin', '-in', encrypted_message_tempfile_name]
try:
message = utility_functions.system_command_logged(command_list, stderr_to_temp=True)
except:
logger.critical("decrypt_with_public_key: OPENSSL could not decrypt with public key")
return message
def encrypt_with_private_key(message, private_key):
""" Encrypt a message with a private key
input:
message: String representing message
private_key: String representing the private key
output:
signature: String representing encrypted message
"""
private_key_tempfile_name =utility_functions.store_data_to_temp_file(private_key)
message_tempfile_name = utility_functions.store_data_to_temp_file(message)
command_list = [openssl_binary_path, "rsautl", "-sign", "-pkcs", "-inkey", private_key_tempfile_name, '-in', message_tempfile_name]
try:
encrypted_message = utility_functions.system_command_logged(command_list, stderr_to_temp=True)
except:
logger.critical("encrypt_with_private_key: OPENSSL could not perform RSA sign operation")
return encrypted_message
def generate_hash(hashing_algorithm, file_to_hash):
""" Function to generate hashes of input file using the standard hashing algoritm specified
input: hashing_algorithm: ["SHA1"|"SHA256"]
file_to_hash: The file to calculate the hash of.
output: string representing hash of file_to_hash
"""
if hashing_algorithm.lower() not in ["sha1", "sha256"]:
logger.warning("The algorithm specified is invalid! Using SHA256 as default.")
hashing_algorithm="-sha256"
else:
hashing_algorithm = "-" + hashing_algorithm
try:
generated_hash = utility_functions.system_command_logged([openssl_binary_path, "dgst", hashing_algorithm, file_to_hash]).rstrip().split("= ")[1]
except:
logger.critical("generate_hash: OPENSSL Hash generation failed")
return generated_hash
def gen_rsa_key_pair(key_size_in_bits, key_exponent, priv_key_output_file, pub_key_output_file):
""" Generate RSA Key pair
input:
key_size_in_bits: Size of the key in bits.
key_exponent: [3, 65537]
Exponent used in key calculation.
priv_key_output_file: File name for storing private key
pub_key_output_file: File name for storing public key
output:
returned value: {"public_key": [Generated public key],
"private_key": [Generated private key] }
Dictionary holding the values of public and private keys
"""
logger.debug("the openssl_binary is:{0}".format(openssl_binary_path))
if key_exponent==3:
exponent_str="-3"
elif key_exponent == 65537:
exponent_str="-f4"
else:
logger.warning("Exponent value supplied is INVALID! going with default exponent of 65537.")
exponent_str="-f4"
key_size_str=str(key_size_in_bits)
if priv_key_output_file is not None:
pk_file=open(priv_key_output_file,"wb")
else:
pk_file=tempfile.NamedTemporaryFile(delete=False)
logger.debug("No output file specified for private key storage, so creating temp file: " + pk_file.name)
try:
private_key = utility_functions.system_command_logged([openssl_binary_path, "genrsa", exponent_str, key_size_str], stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("gen_rsa_key_pair: OPENSSL Errored out on generation of RSA key.")
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
def get_hmac_params_from_cert(cls,
certificate=None,
extracted_attributes=None):
""" Return a dictionary of the HMAC params from the certificate subject dictionary
input:
certificate_subject_dictionary = dictionary of subject params from certificate
output:
hmac_params = Dictionary of HMAC parameters from certificate subject
"""
if certificate:
certificate_subject_dictionary = crypto.cert.get_subject_params(
crypto.cert.get_subject(certificate))
sw_id_re = re.compile(r'01 ([0-9A-F]{16}) SW_ID')
hw_id_re = re.compile(r'02 ([0-9A-F]{16}) HW_ID')
if 'OU' in certificate_subject_dictionary.keys() and type(
certificate_subject_dictionary['OU']) == list:
certificate_subject_dictionary['OU'].sort()
sw_id_element = sw_id_re.match(
certificate_subject_dictionary['OU'][0])
hw_id_element = hw_id_re.match(
certificate_subject_dictionary['OU'][1])
logger.debug("Valid certificate: Found SW_ID and HW_ID")
sw_id = sw_id_element.group(
1) if sw_id_element is not None else None
hw_id = hw_id_element.group(
1) if hw_id_element is not None else None
elif extracted_attributes:
if extracted_attributes.from_hash_segment:
hmac_params = cls.get_hmac_params_from_extracted_attributes(
extracted_attributes)
sw_id = hmac_params.sw_id_str
hw_id = hmac_params.msm_id_str
else:
sw_id = extracted_attributes.sw_id
hw_id = extracted_attributes.hw_id
else:
logger.critical(
"certificate and extracted_attributes cannot both be none")
raise RuntimeError(
"certificate and attribute_extractor cannot both be none")
if sw_id is None:
logger.critical("Error in image. SW_ID field not found. Exiting")
raise RuntimeError(
"Error in image. SW_ID field not found. Exiting")
elif hw_id is None:
logger.critical("Error in image. HW_ID field not found. Exiting")
raise RuntimeError(
"Error in image. HW_ID field not found. Exiting")
logger.debug('SW_ID = ' + sw_id)
logger.debug('HW_ID = ' + hw_id)
hmac_params = HmacParams(int(hw_id, 16), int(sw_id, 16))
return hmac_params
try:
private_key = utility_functions.system_command_logged([openssl_binary_path, "genrsa", exponent_str, key_size_str], stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("gen_rsa_key_pair: OPENSSL Errored out on generation of RSA key.")
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
logger.debug("Writing generated private key to PEM file:" + pk_file.name)
pk_file.write(private_key)
pk_file.close()
try:
public_key = utility_functions.system_command_logged([openssl_binary_path, "rsa", "-in", pk_file.name, "-pubout"], stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("gen_rsa_key_pair: OPENSSL could not get public key")
logger.critical("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError("call to OpenSSL binary returned an error!: retval = " + str(e.returncode) + " Command = " + str(e.cmd))
if pub_key_output_file is not None:
logger.debug("Writing public key to file: " + pub_key_output_file)
pubk_file=open(pub_key_output_file,"wb")
pubk_file.write(public_key)
pubk_file.close()
if priv_key_output_file is None:
logger.debug("Since private key file is temporary, deleting: " + pk_file.name)
os.unlink(pk_file.name)
return {'private_key': private_key, 'public_key': public_key}
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
logger.debug("Writing generated private key to PEM file:" + pk_file.name)
pk_file.write(private_key)
pk_file.close()
try:
public_key = utility_functions.system_command_logged(
[openssl_binary_path, "rsa", "-in", pk_file.name, "-pubout"],
stderr_to_temp=True)
except subprocess.CalledProcessError, e:
logger.critical("gen_rsa_key_pair: OPENSSL could not get public key")
logger.critical(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
raise RuntimeError(
"call to OpenSSL binary returned an error!: retval = " +
str(e.returncode) + " Command = " + str(e.cmd))
if pub_key_output_file is not None:
logger.debug("Writing public key to file: " + pub_key_output_file)
pubk_file = open(pub_key_output_file, "wb")
pubk_file.write(public_key)
pubk_file.close()
if priv_key_output_file is None:
logger.debug("Since private key file is temporary, deleting: " +
