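def get_own_cert(self, security_dir=None):
    """Return the signed runtime certificate stored in the "mine" folder.

    Only the leaf certificate is returned: the text from the first
    ``BEGIN_CRT_LINE`` up to the next one, even when the file also holds
    the rest of the chain.

    Args:
        security_dir: accepted for interface compatibility; not used here.

    Returns:
        ``(certpath, cert, certstr)`` where ``cert`` is the object loaded by
        ``OpenSSL.crypto.load_certificate`` and ``certstr`` the PEM text of
        the leaf certificate, or ``(None, None, None)`` when the folder is
        empty, the file cannot be parsed, or the certificate's O / CN /
        dnQualifier fields do not match this runtime's domain, node name
        and node id.  A mismatch is logged at error level before the
        ``None`` triple is returned, so callers cannot tell "absent" from
        "wrong identity" by the return value alone.
    """
    cert_dir = os.path.join(self.runtime_dir, "mine")
    try:
        # os.listdir order is arbitrary; sort so that a folder holding
        # more than one file always yields the same choice.
        filenames = sorted(os.listdir(cert_dir))
        certpath = os.path.join(cert_dir, filenames[0])
        with open(certpath, 'rt') as cert_file:
            st_cert = cert_file.read()
        # Drop anything before the first BEGIN line and everything from
        # the second BEGIN line onwards (the remainder of a chain).
        cert_part = st_cert.split(BEGIN_CRT_LINE)
        certstr = "{}{}".format(BEGIN_CRT_LINE, cert_part[1])
        cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, certstr)
        _log.debug("get_own_cert" "\n\tcertpath={}".format(certpath))
        # The subject fields must agree with this runtime's own identity.
        # This is a consistency check only; it does not verify the
        # certificate's signature or chain.
        if certificate.cert_O(certstring=certstr) != self.domain:
            _log.error("Domain does not match certificate")
            raise Exception("Domain does not match certificate")
        if certificate.cert_CN(certstring=certstr) != self.node_name:
            _log.error("Node name does not match certificate")
            raise Exception("Node name does not match certificate")
        if certificate.cert_DN_Qualifier(certstring=certstr) != self.node_id:
            _log.error("Node ID does not match certificate")
            raise Exception("Node ID does not match certificate")
        return certpath, cert, certstr
    except Exception as err:
        # Certificate not available (or inconsistent): callers get the
        # None triple rather than an exception.
        _log.debug("No runtime certificate can be found, err={}".format(err))
        return None, None, None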
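def _store_cert(self, type, certstring=None, certpath=None, force=False):
    """Store a signed certificate as ``<runtime_dir>/<type>/<dnQualifier>.pem``.

    Args:
        type: "mine" for this runtime's own certificate, "others" for a
            peer's certificate; any other value is rejected.
        certstring: PEM text of the certificate.  Ignored when ``certpath``
            is given.
        certpath: path of a PEM file to read the certificate from.
        force: overwrite an existing file; by default a file that already
            exists under that name is left untouched.

    Raises:
        Exception: neither source supplied, unsupported ``type``, a
            dnQualifier that is not a plain file name, or a failed write.
            A failed read of ``certpath`` is logged and re-raised as is.
    """
    if certpath:
        try:
            with open(certpath, 'rb') as f:
                certstring = f.read()
        except Exception as exc:
            _log.exception(
                "cert path supplied, but failed to read cert at certpath={}, exc={}"
                .format(certpath, exc))
            raise
    elif not certstring:
        raise Exception("Neither certstring nor certpath supplied")
    dnQualifier = certificate.cert_DN_Qualifier(certstring)
    if type not in ["mine", "others"]:
        _log.error("type not supported")
        raise Exception("type not supported")
    # The file name is taken straight from a certificate field; for
    # "others" that field was chosen by the peer.  Refuse anything that is
    # not a single path component so a crafted dnQualifier (e.g. one
    # containing "../") cannot place the file outside the store folder.
    if not dnQualifier or os.path.basename(dnQualifier) != dnQualifier:
        _log.error("dnQualifier is not a valid certificate file name")
        raise Exception("dnQualifier is not a valid certificate file name")
    filename = "{}.pem".format(dnQualifier)
    storepath = os.path.join(self.runtime_dir, type, filename)
    _log.debug("Path to store signed cert as %s" % storepath)
    if force or not os.path.isfile(storepath):
        _log.debug("Store signed cert as %s" % storepath)
        try:
            with open(storepath, 'w') as cert_fd:
                cert_fd.write(certstring)
        except Exception:
            # `except (Exception), err:` is Python-2-only syntax; the
            # `as` form works on every supported interpreter.
            _log.exception("Storing signed cert failed")
            raise Exception("Storing signed cert failed")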
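def _store_cert(self, type, certstring=None, certpath=None, force=False):
    """Store a signed certificate as ``<runtime_dir>/<type>/<dnQualifier>.pem``.

    Args:
        type: "mine" for this runtime's own certificate, "others" for a
            peer's certificate; any other value is rejected.
        certstring: PEM text of the certificate.  Ignored when ``certpath``
            is given.
        certpath: path of a PEM file to read the certificate from; symlinks
            are resolved before reading.
        force: overwrite an existing file; by default a file that already
            exists under that name is left untouched.

    Raises:
        Exception: neither source supplied, unsupported ``type``, a
            dnQualifier that is not a plain file name, or a failed write.
            A failed read of ``certpath`` is logged and re-raised as is.
    """
    if certpath:
        try:
            # realpath resolves every link level and makes a relative link
            # target absolute; os.readlink() alone returns the raw target,
            # which for a relative link is relative to the link's own
            # directory and would fail to open from elsewhere.
            certpath = os.path.realpath(certpath)
            with open(certpath, 'rb') as f:
                certstring = f.read()
        except Exception as exc:
            _log.exception(
                "cert path supplied, but failed to read cert at certpath={}, exc={}"
                .format(certpath, exc))
            raise
    elif not certstring:
        raise Exception("Neither certstring nor certpath supplied")
    dnQualifier = certificate.cert_DN_Qualifier(certstring)
    if type not in ["mine", "others"]:
        _log.error("type not supported")
        raise Exception("type not supported")
    # The file name is taken straight from a certificate field; for
    # "others" that field was chosen by the peer.  Refuse anything that is
    # not a single path component so a crafted dnQualifier (e.g. one
    # containing "../") cannot place the file outside the store folder.
    if not dnQualifier or os.path.basename(dnQualifier) != dnQualifier:
        _log.error("dnQualifier is not a valid certificate file name")
        raise Exception("dnQualifier is not a valid certificate file name")
    filename = "{}.pem".format(dnQualifier)
    storepath = os.path.join(self.runtime_dir, type, filename)
    _log.debug("Path to store signed cert as %s" % storepath)
    if force or not os.path.isfile(storepath):
        _log.debug("Store signed cert as %s" % storepath)
        try:
            with open(storepath, 'w') as cert_fd:
                cert_fd.write(certstring)
        except Exception:
            # `except (Exception), err:` is Python-2-only syntax; the
            # `as` form works on every supported interpreter.
            _log.exception("Storing signed cert failed")
            raise Exception("Storing signed cert failed")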
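def get_own_cert(self):
    """Return the signed runtime certificate stored in the "mine" folder.

    Only the leaf certificate is returned: the text from the first
    ``BEGIN_CRT_LINE`` up to the next one, even when the file also holds
    the rest of the chain.  The file is located via
    ``self.get_own_cert_path()``.

    Returns:
        ``(certpath, cert, certstr)`` where ``cert`` is the object loaded by
        ``OpenSSL.crypto.load_certificate`` and ``certstr`` the PEM text of
        the leaf certificate, or ``(None, None, None)`` when no file is
        found, it cannot be parsed, or the certificate's O / CN /
        dnQualifier fields do not match this runtime's domain, node name
        and node id.  A mismatch is logged at error level before the
        ``None`` triple is returned, so callers cannot tell "absent" from
        "wrong identity" by the return value alone.
    """
    try:
        certpath = self.get_own_cert_path()
        with open(certpath, 'rt') as cert_file:
            st_cert = cert_file.read()
        # Drop anything before the first BEGIN line and everything from
        # the second BEGIN line onwards (the remainder of a chain).
        cert_part = st_cert.split(BEGIN_CRT_LINE)
        certstr = "{}{}".format(BEGIN_CRT_LINE, cert_part[1])
        cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, certstr)
        _log.debug("get_own_cert" "\n\tcertpath={}".format(certpath))
        # The subject fields must agree with this runtime's own identity.
        # This is a consistency check only; it does not verify the
        # certificate's signature or chain.
        if certificate.cert_O(certstring=certstr) != self.domain:
            _log.error("Domain does not match certificate")
            raise Exception("Domain does not match certificate")
        if certificate.cert_CN(certstring=certstr) != self.node_name:
            _log.error("Node name does not match certificate")
            raise Exception("Node name does not match certificate")
        if certificate.cert_DN_Qualifier(certstring=certstr) != self.node_id:
            _log.error("Node ID does not match certificate")
            raise Exception("Node ID does not match certificate")
        return certpath, cert, certstr
    except Exception as err:
        # Certificate not available (or inconsistent): callers get the
        # None triple rather than an exception.
        _log.debug("No runtime certificate can be found, err={}".format(err))
        return None, None, None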
def others_cert_stored(self, certstring):
    """Tell whether the certificate in ``certstring`` is already in the "others" folder.

    The lookup is by file name only: the expected path is
    ``<runtime_dir>/others/<dnQualifier>.pem`` and the stored file's
    contents are not compared with ``certstring``.

    Returns:
        True when a regular file exists at that path, False otherwise.
    """
    dn_qualifier = certificate.cert_DN_Qualifier(certstring)
    expected = os.path.join(self.runtime_dir, "others",
                            "{}.pem".format(dn_qualifier))
    return os.path.isfile(expected)
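def _decode_jwt_cb(certstring, token, node, actor_id=None, callback=None):
    """Verify and decode a JSON Web Token signed by the holder of ``certstring``.

    ``jwt.decode`` checks the ES256 signature with the public key taken
    from ``certstring``, the issuer against the sender's dnQualifier and
    the audience against ``node.id``, and raises when any of them fails.

    Args:
        certstring: PEM certificate of the sender.  It is used only as the
            source of the public key and of the expected issuer; nothing
            here checks that it chains to a trusted CA, so the caller must
            have established trust in it before relying on the token.
        token: the encoded JWT.
        node: the local node; ``node.id`` is the expected audience.
        actor_id: when given and the token carries a ``sub`` claim, the
            claim must equal it.  NOTE(review): a token with no ``sub``
            claim passes this check; callers that need the subject bound
            to ``actor_id`` must also require the claim to be present.
        callback: called as ``callback(decoded=decoded)`` on success.

    Raises:
        Exception: the ``sub`` claim is present but differs from
            ``actor_id``.
        Whatever ``jwt.decode`` raises for a bad signature, issuer or
            audience.
    """
    sender_public_key = certificate.get_public_key_from_certstr(certstring)
    sender_node_id = certificate.cert_DN_Qualifier(certstring=certstring)
    # The explicit algorithm list is what prevents algorithm-confusion
    # attacks ("none", or an HMAC keyed with the public key); keep it.
    decoded = jwt.decode(token, sender_public_key, algorithms=['ES256'],
                         issuer=sender_node_id, audience=node.id)
    if actor_id and ('sub' in decoded) and (decoded["sub"] != actor_id):
        # A bare `raise` here has no active exception to re-raise and
        # fails with an unrelated interpreter error; raise a real one.
        raise Exception("Subject does not match actor_id")
    if callback:
        callback(decoded=decoded)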