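def decode(self):
    """
    Populate this legacy credential from its XML-RPC encoded data field.

    ``self.get_data()`` is expected to return the literal ``URI:http://``
    followed by an XML-RPC encoded dict; an empty payload leaves every
    decoded attribute set to None.

    Sets ``lifeTime``, ``delegate``, ``privileges`` (a Rights object or
    None), ``gidCaller`` and ``gidObject`` (GID objects or None).
    """
    prefix = 'URI:http://'
    data = self.get_data()
    # Remove the literal prefix. str.lstrip(prefix) strips *characters*
    # (any leading 'U', 'R', 'I', ':', 'h', 't', 'p', '/'), not a prefix,
    # so it could also eat the first characters of the payload itself.
    if data.startswith(prefix):
        data = data[len(prefix):]
    if data:
        # NOTE(review): xmlrpclib.loads parses XML carried inside the
        # credential; this is decoding, not verification -- whatever
        # establishes trust in the data must run before these fields are
        # relied upon. Confirm against the callers.
        fields = xmlrpclib.loads(data)[0][0]
    else:
        fields = {}
    self.lifeTime = fields.get("lifeTime", None)
    self.delegate = fields.get("delegate", None)
    privStr = fields.get("privileges", None)
    self.privileges = Rights(string=privStr) if privStr else None
    gidCallerStr = fields.get("gidCaller", None)
    self.gidCaller = GID(string=gidCallerStr) if gidCallerStr else None
    gidObjectStr = fields.get("gidObject", None)
    self.gidObject = GID(string=gidObjectStr) if gidObjectStr else None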
def verify(self, trusted_certs=None, schema=None, trusted_certs_required=True):
    """
    Verify this credential -- visible portion: optional schema validation
    and loading of the trusted root certificates.

    Parameters:
        trusted_certs: list of file names of trusted root certificates.
            Passing None together with ``trusted_certs_required=False``
            skips certificate chain validation (see the comment below).
        schema: optional path to an XML schema file to validate against.
        trusted_certs_required: when True, a missing ``trusted_certs`` is
            treated as an empty list rather than as "skip the chain check".

    Raises:
        CredentialNotVerifiable: when schema validation fails.

    NOTE(review): the body shown here ends right after the trusted roots
    are loaded, with no signature or chain verification and no return
    value; confirm the method is not truncated in this excerpt.
    """
    if not self.xml:
        # Debug output left in place: both prints write banner text to
        # stdout whenever verify() is entered without XML.
        print "\n\n\n\n\n\n\n\n\n\n\n\n\n----------------------CRED\n\n\n\n\n\n\n\n\n\n\n\n\n"
        print "not xml"
        self.decode()

    # Schema validation. Despite the historical "RelaxNG" wording this uses
    # etree.XMLSchema (XSD). It is skipped silently when lxml is missing,
    # the credential is a legacy one, no schema was given, or the schema
    # file does not exist -- none of those cases is reported to the caller.
    # validate against RelaxNG schema
    if HAVELXML and not self.legacy:
        if schema and os.path.exists(schema):
            tree = etree.parse(StringIO(self.xml))
            schema_doc = etree.parse(schema)
            xmlschema = etree.XMLSchema(schema_doc)
            if not xmlschema.validate(tree):
                error = xmlschema.error_log.last_error
                message = "%s: %s (line %s)" % (self.get_summary_tostring(), error.message, error.line)
                raise CredentialNotVerifiable(message)

    if trusted_certs_required and trusted_certs is None:
        trusted_certs = []
    # trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
    trusted_cert_objects = []
    ok_trusted_certs = []
    # If caller explicitly passed in None that means skip cert chain validation.
    # Strange and not typical
    if trusted_certs is not None:
        for f in trusted_certs:
            try:
                # Failures here include unreadable files
                # or non PEM files
                trusted_cert_objects.append(GID(filename=f))
                ok_trusted_certs.append(f)
            except Exception, exc:
                # Unloadable roots are dropped without any diagnostic, so a
                # misconfigured trust store silently shrinks the set of
                # accepted issuers. Logging the file name here would help.
                pass
        trusted_certs = ok_trusted_certs
def delegate(self, delegee_gidfile, caller_keyfile, caller_gidfile):
    """
    Build, encode and sign a copy of this credential delegated to the
    owner of *delegee_gidfile*.

    Parameters:
        delegee_gidfile: file name of the GID of the user receiving the delegation.
        caller_keyfile: file name of the private key used to sign the new credential.
        caller_gidfile: file name of the GID matching *caller_keyfile*.

    Returns:
        A new, signed Credential whose caller is the delegee, whose object
        is this credential's object, whose parent is this credential, and
        whose privileges are this credential's privileges with every right
        marked as delegatable.

    NOTE(review): nothing here checks whether this credential actually
    permits delegation; that decision has to be made when the chain is
    verified. Also, set_privileges() receives this credential's own
    Rights object -- if it is stored without copying, the subsequent
    delegate_all_privileges(True) mutates the parent's in-memory rights
    as well. Confirm against Credential.set_privileges.
    """
    target_gid = self.get_gid_object()
    recipient_gid = GID(filename=delegee_gidfile)

    subject = "%s delegated to %s" % (target_gid.get_hrn(), recipient_gid.get_hrn())

    delegated = Credential(subject=subject)
    delegated.set_gid_caller(recipient_gid)
    delegated.set_gid_object(target_gid)
    delegated.set_parent(self)
    delegated.set_expiration(self.get_expiration())
    delegated.set_privileges(self.get_privileges())
    delegated.get_privileges().delegate_all_privileges(True)
    delegated.set_issuer_keys(caller_keyfile, caller_gidfile)
    delegated.encode()
    delegated.sign()
    return delegated
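def sign(self):
    """
    Sign this credential in place with the issuer's key by calling xmlsec1.

    Requires ``self.issuer_privkey`` (path to a PEM private key) and
    ``self.issuer_gid`` (path to the issuer's GID, possibly a chain); the
    method returns silently when either is missing. A ``<Signature>``
    template carrying this credential's refid is appended under
    ``<signatures>``, the document is written to a temporary file, xmlsec1
    signs it, and the signed output replaces ``self.xml``. Finally
    ``self.decode()`` re-reads the signed XML so the in-memory Signature
    objects are refreshed.

    Raises:
        RuntimeError: if xmlsec1 exits non-zero or produces no output.
            Previously such a failure left ``self.xml`` empty and was
            silently ignored.
    """
    # Local import: the module-level import block is not part of this excerpt.
    import subprocess

    if not self.issuer_privkey:
        return
    if not self.issuer_gid:
        return

    doc = parseString(self.get_xml())
    sigs = doc.getElementsByTagName("signatures")[0]

    # Create the signature template to be signed
    signature = Signature()
    signature.set_refid(self.get_refid())
    sdoc = parseString(signature.get_xml())
    sig_ele = doc.importNode(sdoc.getElementsByTagName("Signature")[0], True)
    sigs.appendChild(sig_ele)
    self.xml = doc.toxml("utf-8")

    gid_files = []
    filename = None
    try:
        # Split the issuer GID into multiple certificates if it's a chain;
        # each link goes to its own temporary PEM file for xmlsec1.
        chain = GID(filename=self.issuer_gid)
        while chain:
            gid_files.append(chain.save_to_random_tmp_file(False))
            chain = chain.get_parent() or None

        ref = 'Sig_%s' % self.get_refid()
        filename = self.save_to_random_tmp_file()

        # Argument list instead of a shell command string: the refid (which
        # comes from the XML), the key path and the temp file names are
        # passed to xmlsec1 verbatim and never re-parsed by a shell.
        # NOTE(review): assumes self.xmlsec_path is a bare executable path;
        # if it ever carried extra options they would need splitting here.
        argv = [self.xmlsec_path, '--sign', '--node-id', ref,
                '--privkey-pem', ','.join([self.issuer_privkey] + gid_files),
                filename]
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        signed, errout = proc.communicate()
        # The former debug prints of the full command line (private key
        # path included) and of the signed output were dropped.
        if proc.returncode != 0 or not signed:
            raise RuntimeError("xmlsec1 failed to sign credential %s (exit %s): %s"
                               % (ref, proc.returncode, errout))
    finally:
        # Always remove the temp copies, also on failure: gid_files hold
        # certificates and filename holds the unsigned credential.
        if filename is not None:
            os.remove(filename)
        for gid_file in gid_files:
            os.remove(gid_file)

    self.xml = signed

    # This is no longer a legacy credential
    if self.legacy:
        self.legacy = None

    # Update signatures
    self.decode()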
def decode(self):
    """
    Populate this credential's fields from the XML held in ``self.xml``.

    Accepts either a bare ``<credential>`` document or a
    ``<signed-credential>`` wrapping one or more credentials plus a
    ``<signatures>`` block. Sets the refid, expiration, caller and object
    GIDs, privileges, the parent credential (recursively) and attaches
    each ``<Signature>`` to the credential whose refid it names.

    This only parses; it performs no signature or chain verification.

    Raises:
        CredentialNotVerifiable: no ``<credential>`` element, or a
            ``<parent>`` element with an empty credential.
    """
    if not self.xml:
        return

    # NOTE(review): self.xml is the untrusted input here. minidom/expat
    # entity-expansion protections depend on the Python/expat build;
    # consider hardening the parser if this receives network input.
    doc = parseString(self.xml)

    sigs = []
    signed_cred = doc.getElementsByTagName("signed-credential")

    # Is this a signed-cred or just a cred?
    if len(signed_cred) > 0:
        creds = signed_cred[0].getElementsByTagName("credential")
        signatures = signed_cred[0].getElementsByTagName("signatures")
        if len(signatures) > 0:
            sigs = signatures[0].getElementsByTagName("Signature")
    else:
        creds = doc.getElementsByTagName("credential")

    # getElementsByTagName() returns a list, so the None test is defensive only.
    if creds is None or len(creds) == 0:
        # malformed cred file
        raise CredentialNotVerifiable("Malformed XML: No credential tag found")

    # Just take the first cred if there are more than one
    # (any additional <credential> elements are ignored, not rejected).
    cred = creds[0]

    self.set_refid(cred.getAttribute("xml:id"))
    self.set_expiration(utcparse(getTextNode(cred, "expires")))

    # import traceback
    # stack = traceback.extract_stack()

    # og / tg may be None when the element is absent; what GID(string=None)
    # does is decided by GID, not here -- TODO confirm.
    og = getTextNode(cred, "owner_gid")
    # ABAC creds will have this be None and use this method
    # if og is None:
    #     found = False
    #     for frame in stack:
    #         if 'super(ABACCredential, self).decode()' in frame:
    #             found = True
    #             break
    #     if not found:
    #         raise CredentialNotVerifiable("Malformed XML: No owner_gid found")
    self.gidCaller = GID(string=og)

    tg = getTextNode(cred, "target_gid")
    # if tg is None:
    #     found = False
    #     for frame in stack:
    #         if 'super(ABACCredential, self).decode()' in frame:
    #             found = True
    #             break
    #     if not found:
    #         raise CredentialNotVerifiable("Malformed XML: No target_gid found")
    self.gidObject = GID(string=tg)

    # Process privileges
    rlist = Rights()
    priv_nodes = cred.getElementsByTagName("privileges")
    if len(priv_nodes) > 0:
        privs = priv_nodes[0]
        for priv in privs.getElementsByTagName("privilege"):
            kind = getTextNode(priv, "name")
            deleg = str2bool(getTextNode(priv, "can_delegate"))
            if kind == '*':
                # Convert * into the default privileges for the credential's type
                # Each inherits the delegatability from the * above
                # (the type is derived from the object GID's URN, so the
                # expansion of '*' depends on target_gid above).
                _ , type = urn_to_hrn(self.gidObject.get_urn())
                rl = determine_rights(type, self.gidObject.get_urn())
                for r in rl.rights:
                    r.delegate = deleg
                    rlist.add(r)
            else:
                rlist.add(Right(kind.strip(), deleg))
    self.set_privileges(rlist)

    # Is there a parent?
    # Parent credentials are decoded recursively with no depth limit.
    parent = cred.getElementsByTagName("parent")
    if len(parent) > 0:
        parent_doc = parent[0].getElementsByTagName("credential")[0]
        parent_xml = parent_doc.toxml("utf-8")
        if parent_xml is None or parent_xml.strip() == "":
            raise CredentialNotVerifiable("Malformed XML: Had parent tag but it is empty")
        self.parent = Credential(string=parent_xml)
        self.updateRefID()

    # Assign the signatures to the credentials
    # Matching is by refid only: a credential with no matching Signature is
    # left unsigned and a Signature naming no credential is dropped, both
    # silently -- whatever verifies the chain must detect the former.
    for sig in sigs:
        Sig = Signature(string=sig.toxml("utf-8"))
        for cur_cred in self.get_credential_list():
            if cur_cred.get_refid() == Sig.get_refid():
                cur_cred.set_signature(Sig)
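class Signature(object):
    """
    One XML-DSig ``<Signature>`` element attached to a credential.

    A Signature knows its ``refid`` (the id of the credential element it
    signs, without the ``Sig_`` prefix carried by the element's xml:id)
    and the issuer GID rebuilt from the ``<X509Certificate>`` blocks
    embedded in the signature's ``<X509Data>``.

    decode() only parses the XML. The embedded certificates are whatever
    the XML author supplied, so the issuer GID is untrusted until the
    credential's verification step chains it to a trusted root.
    """

    def __init__(self, string=None):
        self.refid = None
        self.issuer_gid = None
        # The getter/setter pair below uses self.gid; initialise it so that
        # get_issuer_gid() on an undecoded Signature cannot raise AttributeError.
        self.gid = None
        self.xml = None
        if string:
            self.xml = string
            self.decode()

    def get_refid(self):
        """Return the refid, decoding ``self.xml`` first if it is not known yet."""
        if not self.refid:
            self.decode()
        return self.refid

    def get_xml(self):
        """Return the signature XML, building it via encode() if not yet set."""
        if not self.xml:
            # encode() belongs to this class but is not part of this excerpt.
            self.encode()
        return self.xml

    def set_refid(self, id):
        """Set the refid (the credential id this signature refers to)."""
        self.refid = id

    def get_issuer_gid(self):
        """Return the issuer GID, decoding ``self.xml`` first if needed."""
        if not self.gid:
            self.decode()
        return self.gid

    def set_issuer_gid(self, gid):
        """Set the issuer GID object."""
        self.gid = gid

    @staticmethod
    def _strip_prefix(value, prefix):
        """
        Remove *prefix* from the start of *value* if present.

        str.strip(prefix) removes any leading or trailing *character* of the
        prefix ('S', 'i', 'g', '_'), which would corrupt a refid that happens
        to begin or end with one of those characters.
        """
        if value.startswith(prefix):
            return value[len(prefix):]
        return value

    def decode(self):
        """
        Populate refid and issuer GID from ``self.xml``.

        The refid is read from the Signature's xml:id (minus ``Sig_``), else
        from the Reference's xml:id, else from the Reference URI (minus '#').

        Raises:
            ExpatError: if ``self.xml`` is not well-formed XML.
            CredentialNotVerifiable: if no certificate is present under X509Data.
        """
        doc = parseString(self.xml)
        sig = doc.getElementsByTagName("Signature")[0]
        ref_id = self._strip_prefix(sig.getAttribute("xml:id").strip(), "Sig_")

        # The xml:id tag is optional, and could be in a
        # Reference xml:id or Reference UID sub element instead
        if not ref_id:
            reference = sig.getElementsByTagName('Reference')[0]
            ref_id = self._strip_prefix(reference.getAttribute('xml:id').strip(), 'Sig_')
            if not ref_id:
                ref_id = reference.getAttribute('URI').strip().strip('#')
        self.set_refid(ref_id)

        # Re-wrap every embedded certificate as PEM; several X509Data /
        # X509Certificate elements form one newline-separated chain.
        pem_blocks = []
        for keyinfo in sig.getElementsByTagName("X509Data"):
            for cert in keyinfo.getElementsByTagName("X509Certificate"):
                if len(cert.childNodes) > 0:
                    szgid = cert.childNodes[0].nodeValue.strip()
                    pem_blocks.append(
                        "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % szgid)

        if not pem_blocks:
            raise CredentialNotVerifiable("Malformed XML: No certificate found in signature")
        self.set_issuer_gid(GID(string="\n".join(pem_blocks)))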
help="filename of private key of signing user") parser.add_option('--trusted_roots_directory', help='Directory of trusted root certs') parser.add_option('--create', help="name of file of ABAC speaksfor cred to create") parser.add_option( '--useObject', action='store_true', default=False, help= 'Use the ABACCredential object to create the credential (default False)' ) options, args = parser.parse_args(sys.argv) tool_gid = GID(filename=options.tool_cert_file) if options.create: if options.user_cert_file and options.user_key_file \ and options.ma_cert_file: user_gid = GID(filename=options.user_cert_file) ma_gid = GID(filename=options.ma_cert_file) if options.useObject: create_sign_abaccred(tool_gid, user_gid, ma_gid, \ options.user_key_file, \ options.create) else: create_speaks_for(tool_gid, user_gid, ma_gid, \ options.user_key_file, \ options.create) else:
try: uuidO = uuid.UUID(fields=uuidarg) except: try: uuidO = uuid.UUID(bytes=uuidarg) except: try: uuidO = uuid.UUID(bytes_le=uuidarg) except: pass if uuidO is not None: uuidI = uuidO.int newgid = GID(create=True, subject=subject, uuid=uuidI, urn=urn, lifeDays=lifeDays) if email: newgid.set_email(email) if public_key is None: # create a new key pair keys = Keypair(create=True) else: # use the specified public key file keys = Keypair() keys.load_pubkey_from_file(public_key) newgid.set_pubkey(keys) newgid.set_is_ca(ca)