def get_keypair(config = None):
if not config:
config = SfaConfig()
hierarchy = Hierarchy()
key_dir= hierarchy.basedir
data_dir = config.data_path
keyfile =data_dir + os.sep + "server.key"
certfile = data_dir + os.sep + "server.cert"
# check if files already exist
if os.path.exists(keyfile) and os.path.exists(certfile):
return (keyfile, certfile)
# create temp keypair server key and certificate
(_, tmp_keyfile) = tempfile.mkstemp(suffix='.pkey', prefix='tmpkey', dir='/tmp')
(_, tmp_certfile) = tempfile.mkstemp(suffix='.cert', prefix='tmpcert', dir='/tmp')
tmp_key = Keypair(create=True)
tmp_key.save_to_file(tmp_keyfile)
tmp_cert = Certificate(subject='subject')
tmp_cert.set_issuer(key=tmp_key, subject='subject')
tmp_cert.set_pubkey(tmp_key)
tmp_cert.save_to_file(tmp_certfile, save_parents=True)
# request real pkey from registry
api = ComponentAPI(key_file=tmp_keyfile, cert_file=tmp_certfile)
registry = api.get_registry()
registry.get_key()
key = Keypair(filename=keyfile)
cert = Certificate(subject=hrn)
cert.set_issuer(key=key, subject=hrn)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(certfile, save_parents=True)
return (keyfile, certfile)
def get_cert_file(self, key_file):
cert_file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cert")
if (os.path.isfile(cert_file)):
# we'd perfer to use Registry issued certs instead of self signed certs.
# if this is a Registry cert (GID) then we are done
gid = GID(filename=cert_file)
if gid.get_urn():
return cert_file
# generate self signed certificate
k = Keypair(filename=key_file)
cert = Certificate(subject=self.user)
cert.set_pubkey(k)
cert.set_issuer(k, self.user)
cert.sign()
self.logger.info("Writing self-signed certificate to %s"%cert_file)
cert.save_to_file(cert_file)
self.cert = cert
# try to get registry issued cert
try:
self.logger.info("Getting Registry issued cert")
self.read_config()
# *hack. need to set registyr before _get_gid() is called
self.registry = xmlrpcprotocol.get_server(self.reg_url, key_file, cert_file, timeout=self.options.timeout, verbose=self.options.debug)
gid = self._get_gid(type='user')
self.registry = None
self.logger.info("Writing certificate to %s"%cert_file)
gid.save_to_file(cert_file)
except:
self.logger.info("Failed to download Registry issued cert")
return cert_file
def init_self_signed_cert(hrn, key, server_cert_file):
logger.debug("generating self signed cert")
# generate self signed certificate
cert = Certificate(subject=hrn)
cert.set_issuer(key=key, subject=hrn)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(server_cert_file)
def create_server_keypair(keyfile=None, certfile=None, hrn="component", verbose=False):
"""
create the server key/cert pair in the right place
"""
key = Keypair(filename=keyfile)
key.save_to_file(keyfile)
cert = Certificate(subject=hrn)
cert.set_issuer(key=key, subject=hrn)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(certfile, save_parents=True)
def self_signed_cert_produce(self, output):
self.assert_private_key()
private_key_filename = self.private_key_filename()
keypair = Keypair(filename=private_key_filename)
self_signed = Certificate(subject=self.hrn)
self_signed.set_pubkey(keypair)
self_signed.set_issuer(keypair, self.hrn)
self_signed.sign()
self_signed.save_to_file(output)
#self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
#(self.hrn,output))
return output
def self_signed_cert_produce (self,output):
self.assert_private_key()
private_key_filename = self.private_key_filename()
keypair=Keypair(filename=private_key_filename)
self_signed = Certificate (subject = self.hrn)
self_signed.set_pubkey (keypair)
self_signed.set_issuer (keypair, self.hrn)
self_signed.sign ()
self_signed.save_to_file (output)
self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
(self.hrn,output))
return output
def create_server_keypair(keyfile=None,
certfile=None,
hrn="component",
verbose=False):
"""
create the server key/cert pair in the right place
"""
key = Keypair(filename=keyfile)
key.save_to_file(keyfile)
cert = Certificate(subject=hrn)
cert.set_issuer(key=key, subject=hrn)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(certfile, save_parents=True)
def get_node_key(registry=None, verbose=False):
# this call requires no authentication,
# so we can generate a random keypair here
subject="component"
(kfd, keyfile) = tempfile.mkstemp()
(cfd, certfile) = tempfile.mkstemp()
key = Keypair(create=True)
key.save_to_file(keyfile)
cert = Certificate(subject=subject)
cert.set_issuer(key=key, subject=subject)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(certfile)
registry = server_proxy(url = registry, keyfile=keyfile, certfile=certfile)
registry.get_key_from_incoming_ip()
def get_node_key(self):
# this call requires no authentication,
# so we can generate a random keypair here
subject="component"
(kfd, keyfile) = tempfile.mkstemp()
(cfd, certfile) = tempfile.mkstemp()
key = Keypair(create=True)
key.save_to_file(keyfile)
cert = Certificate(subject=subject)
cert.set_issuer(key=key, subject=subject)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(certfile)
registry = self.get_registry()
# the registry will scp the key onto the node
registry.get_key()
def get_node_key(registry=None, verbose=False):
# this call requires no authentication,
# so we can generate a random keypair here
subject = "component"
(kfd, keyfile) = tempfile.mkstemp()
(cfd, certfile) = tempfile.mkstemp()
key = Keypair(create=True)
key.save_to_file(keyfile)
cert = Certificate(subject=subject)
cert.set_issuer(key=key, subject=subject)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(certfile)
registry = server_proxy(url=registry, keyfile=keyfile, certfile=certfile)
registry.get_key_from_incoming_ip()
def get_node_key(self):
# this call requires no authentication,
# so we can generate a random keypair here
subject = "component"
(kfd, keyfile) = tempfile.mkstemp()
(cfd, certfile) = tempfile.mkstemp()
key = Keypair(create=True)
key.save_to_file(keyfile)
cert = Certificate(subject=subject)
cert.set_issuer(key=key, subject=subject)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(certfile)
registry = self.get_registry()
# the registry will scp the key onto the node
registry.get_key_from_incoming_ip()
def test_is_signed_by(self):
cert1 = Certificate(subject="one")
key1 = Keypair()
key1.create()
cert1.set_pubkey(key1)
# create an issuer and sign the certificate
issuerKey = Keypair(create=True)
issuerSubject = "testissuer"
cert1.set_issuer(issuerKey, issuerSubject)
cert1.sign()
cert2 = Certificate(subject="two")
key2 = Keypair(create=True)
cert2.set_pubkey(key2)
cert2.set_issuer(key1, cert=cert1)
# cert2 is signed by cert1
self.assert_(cert2.is_signed_by_cert(cert1))
# cert1 is not signed by cert2
self.assert_(not cert1.is_signed_by_cert(cert2))
def test_parents(self):
cert_root = Certificate(subject="root")
key_root = Keypair(create=True)
cert_root.set_pubkey(key_root)
cert_root.set_issuer(key_root, "root")
cert_root.sign()
cert1 = Certificate(subject="one")
key1 = Keypair(create=True)
cert1.set_pubkey(key1)
cert1.set_issuer(key_root, "root")
cert1.sign()
cert2 = Certificate(subject="two")
key2 = Keypair(create=True)
cert2.set_pubkey(key2)
cert2.set_issuer(key1, cert=cert1)
cert2.set_parent(cert1)
cert2.sign()
cert3 = Certificate(subject="three")
key3 = Keypair(create=True)
cert3.set_pubkey(key3)
cert3.set_issuer(key2, cert=cert2)
cert3.set_parent(cert2)
cert3.sign()
self.assert_(cert1.verify(key_root))
self.assert_(cert2.is_signed_by_cert(cert1))
self.assert_(cert3.is_signed_by_cert(cert2))
cert3.verify_chain([cert_root])
# now save the chain to a string and load it into a new certificate
str_chain = cert3.save_to_string(save_parents=True)
cert4 = Certificate(string = str_chain)
# verify the newly loaded chain still verifies
cert4.verify_chain([cert_root])
# verify the parentage
self.assertEqual(cert4.get_parent().get_subject(), "two")
self.assertEqual(cert4.get_parent().get_parent().get_subject(), "one")
