def CheckNodeCertificate(cert, _noded_cert_file=pathutils.NODED_CERT_FILE): """Checks the local node daemon certificate against given certificate. Both certificates must be signed with the same key (as stored in the local L{pathutils.NODED_CERT_FILE} file). No error is raised if no local certificate can be found. @type cert: OpenSSL.crypto.X509 @param cert: X509 certificate object @raise errors.X509CertError: When an error related to X509 occurred @raise errors.GenericError: When the verification failed """ try: noded_pem = utils_io.ReadFile(_noded_cert_file) except EnvironmentError as err: if err.errno != errno.ENOENT: raise logging.debug("Node certificate file '%s' was not found", _noded_cert_file) return try: noded_cert = \ OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, noded_pem) except Exception as err: raise errors.X509CertError(_noded_cert_file, "Unable to load certificate: %s" % err) try: noded_key = \ OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, noded_pem) except Exception as err: raise errors.X509CertError(_noded_cert_file, "Unable to load private key: %s" % err) # Check consistency of server.pem file try: X509CertKeyCheck(noded_cert, noded_key) except OpenSSL.SSL.Error: # This should never happen as it would mean the certificate in server.pem # is out of sync with the private key stored in the same file raise errors.X509CertError( _noded_cert_file, "Certificate does not match with private key") # Check with supplied certificate with local key try: X509CertKeyCheck(cert, noded_key) except OpenSSL.SSL.Error: raise errors.GenericError("Given cluster certificate does not match" " local key")
def _VerifyCertificate(cert_pem, _check_fn=utils.CheckNodeCertificate): """Verifies a certificate against the local node daemon certificate. @type cert_pem: string @param cert_pem: Certificate and key in PEM format @rtype: string @return: Formatted key and certificate """ try: cert = \ OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_pem) except Exception, err: raise errors.X509CertError("(stdin)", "Unable to load certificate: %s" % err)
def _VerifyCertificateSoft(cert_pem, error_fn, _check_fn=utils.CheckNodeCertificate): """Verifies a certificate against the local node daemon certificate. @type cert_pem: string @param cert_pem: Certificate in PEM format (no key) """ try: OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, cert_pem) except OpenSSL.crypto.Error as err: pass else: raise error_fn("No private key may be given") try: cert = \ OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_pem) except Exception as err: raise errors.X509CertError("(stdin)", "Unable to load certificate: %s" % err) _check_fn(cert)
@type cert_pem: string @param cert_pem: Certificate in PEM format (no key) """ try: OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, cert_pem) except OpenSSL.crypto.Error, err: pass else: raise error_fn("No private key may be given") try: cert = \ OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_pem) except Exception, err: raise errors.X509CertError("(stdin)", "Unable to load certificate: %s" % err) _check_fn(cert) def VerifyCertificateSoft(data, error_fn, _verify_fn=_VerifyCertificateSoft): """Verifies cluster certificate if existing. @type data: dict @type error_fn: callable @param error_fn: function to call in case of an error @rtype: string @return: Formatted key and certificate """ cert = data.get(constants.SSHS_NODE_DAEMON_CERTIFICATE)
@rtype: string @return: Formatted key and certificate """ try: cert = \ OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_pem) except Exception, err: raise errors.X509CertError("(stdin)", "Unable to load certificate: %s" % err) try: key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, cert_pem) except OpenSSL.crypto.Error, err: raise errors.X509CertError("(stdin)", "Unable to load private key: %s" % err) # Check certificate with given key; this detects cases where the key given on # stdin doesn't match the certificate also given on stdin x509_check_fn = utils.PrepareX509CertKeyCheck(cert, key) try: x509_check_fn() except OpenSSL.SSL.Error: raise errors.X509CertError("(stdin)", "Certificate is not signed with given key") # Standard checks, including check against an existing local certificate # (no-op if that doesn't exist) _check_fn(cert) # Format for storing on disk
""" try: noded_pem = utils_io.ReadFile(_noded_cert_file) except EnvironmentError, err: if err.errno != errno.ENOENT: raise logging.debug("Node certificate file '%s' was not found", _noded_cert_file) return try: noded_cert = \ OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, noded_pem) except Exception, err: raise errors.X509CertError(_noded_cert_file, "Unable to load certificate: %s" % err) try: noded_key = \ OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, noded_pem) except Exception, err: raise errors.X509CertError(_noded_cert_file, "Unable to load private key: %s" % err) # Check consistency of server.pem file try: X509CertKeyCheck(noded_cert, noded_key) except OpenSSL.SSL.Error: # This should never happen as it would mean the certificate in server.pem # is out of sync with the private key stored in the same file raise errors.X509CertError(