def loadObject(self, obj):
# expect object to be a Sequence containing a certificate,
# but will accept a plain certificate too (for now)
issuer, subject = getIssuerAndSubject(obj, 1)
if issuer is None or subject is None:
print "Warning: Unexpected SPKI object. Skipping."
print sexp.pprint(obj.sexp())
return
sexp = obj.sexp().encode_canonical()
if self.identity.has_key(sexp):
print "Warning: Duplicate certificate ignored."
return
issuer = issuer.getPrincipal()
subject = subject.getPrincipal()
l = self.byIssuer.get(issuer, [])
l.append(obj)
self.byIssuer[issuer] = l
# if the issuer is a name, then we will enter the certificate
# in multiple slots. one for the full name, and one for the
# base issuer.
if isinstance(issuer, spki.FullyQualifiedName):
prin = issuer.principal
l = self.byIssuer.get(prin, [])
l.append(obj)
self.byIssuer[prin] = l
l = self.bySubject.get(subject, [])
l.append(obj)
self.bySubject[subject] = l
self.identity[sexp] = sexp
def loadObject(self, obj):
if not spki.isa(obj, spki.Entry):
print "Warning: Not an acl entry. Skipping."
print sexp.pprint(obj.sexp())
return
l = self.entries.get(obj.subject, [])
l.append(obj)
self.entries[obj.subject] = l
def loadPrivate(self, obj):
if spki.isa(obj, 'default'):
self._default = 1
elif spki.isa(obj, spki.PasswordEncrypted):
self._priv = obj
self.loadState = self.LOAD_DONE
else:
print "Warning: Unexpected SPKI object. Skipping."
print obj.__class__
print sexp.pprint(obj.sexp())
def loadPublic(self, obj):
if not spki.isa(obj, spki.Hash):
print "Warning: Unexpected SPKI object. Skipping."
print obj.__class__
print sexp.pprint(obj.sexp())
return
self._prin = obj
self._default = 0
self._priv = None
self.loadState = self.LOAD_PRIV
def loadObject(self, obj):
if not spki.isa(obj, spki.PublicKey):
print "Warning: Unexpected SPKI object. Skipping."
print obj.__class__
print sexp.pprint(obj.sexp())
return
p = obj.getPrincipal()
if self.principals.has_key(p):
print "Warning: Duplicate definition of %s" % str(p)
print "Old definition:"
print sexp.pprint(self.principals[p].sexp())
print "New definition:"
print sexp.pprint(obj.sexp())
self.principals[p] = obj
def verify(self, prin, perm, delegate=0):
"""Find a valid certificate chain from ACL to prin for reqPerm.
prin is the principal making the request. perm is the
permission request.
If verify finds a valid certificate chain from the principal
making the request to the ACL, it will return a list
containing the certificates in the chain. The first element
in the list will be the ACL entry. Each subsequent element
will be a certificate delegating some permissions from the
previous element to the next element. The last element will
delegate permissions to the principal.
There is a delegate argument because there can't be more than
one certificate between a valid delegate-able certificate and
the principal requesting permission. That one certificate is
the one that grants permissions to the principal, but doesn't
allow the principal to delegate further. The delegate flag
should always be true when called recursively.
"""
if self.VERBOSE:
print "verify", prin, perm
if not perm:
if self.VERBOSE:
print "cert", "permissions did not delegate"
return None
# A valid chain is always created here and modified as
# recursive calls to verify return and add the current
# certificate to the list.
entry = self.checkACL(prin, perm)
if entry:
return [entry]
certs = self.keys.lookupCertBySubject(prin)
if self.VERBOSE:
print "%d certs authorize %s" % (len(certs), prin)
for certobj in certs:
cert = spki.extractSignedCert(certobj)
if self.VERBOSE:
print sexp.pprint(cert.cert.sexp())
# next method call with recurse
if cert.kind == 'name-cert':
chain = self.verifyNameCert(cert, perm, delegate)
else:
chain = self.verifyCert(cert, perm, delegate)
# defer signature verification until we actually have a
# potential chain from ACL to requested permissions
if not chain:
continue
if not cert.verifySignature(self.keys):
if self.VERBOSE:
print "invalid signature on", cert.cert
continue
# Everythin looks good, so add the current certificate to
# the chain and return
chain.append(cert)
return chain
return None
#! /usr/bin/env python
from pisces.spkilib import sexp
from pisces.spkilib.database import DebugDatabase
import sys
if __name__ == "__main__":
for file in sys.argv[1:]:
print file
db = DebugDatabase(file)
for obj in db.objects:
print sexp.pprint(obj.sexp())
print
