def cms_verify(formatted,
signing_cert_file_name,
ca_file_name,
inform=PKI_ASN1_FORM):
"""Verify the signature of the contents IAW CMS syntax.
:raises subprocess.CalledProcessError:
:raises keystoneclient.exceptions.CertificateConfigError: if certificate
is not configured
properly.
"""
_ensure_subprocess()
if isinstance(formatted, six.string_types):
data = bytearray(formatted, _encoding_for_form(inform))
else:
data = formatted
process = subprocess.Popen([
'openssl', 'cms', '-verify', '-certfile', signing_cert_file_name,
'-CAfile', ca_file_name, '-inform', 'PEM', '-nosmimecap', '-nodetach',
'-nocerts', '-noattr'
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
close_fds=True)
output, err, retcode = _process_communicate_handle_oserror(
process, data, (signing_cert_file_name, ca_file_name))
# Do not log errors, as some happen in the positive thread
# instead, catch them in the calling code and log them there.
# When invoke the openssl >= 1.1.0 with not exist file, return code should
# be 2 instead of 1 and error msg will be returned.
# You can get more from
# https://www.openssl.org/docs/man1.1.0/apps/cms.html#EXIT-CODES
#
# $ openssl cms -verify -certfile not_exist_file -CAfile
# not_exist_file -inform PEM -nosmimecap -nodetach
# -nocerts -noattr
# openssl < 1.1.0 returns
# Error opening certificate file not_exist_file
# openssl >= 1.1.0 returns
# cms: Cannot open input file not_exist_file, No such file or directory
#
if retcode == OpensslCmsExitStatus.INPUT_FILE_READ_ERROR:
if err.startswith('Error reading S/MIME message'):
raise exceptions.CMSError(err)
else:
raise exceptions.CertificateConfigError(err)
# workaround for OpenSSL >= 1.1.0,
# should return OpensslCmsExitStatus.INPUT_FILE_READ_ERROR
elif retcode == OpensslCmsExitStatus.COMMAND_OPTIONS_PARSING_ERROR:
if err.startswith('cms: Cannot open input file'):
raise exceptions.CertificateConfigError(err)
else:
raise subprocess.CalledProcessError(retcode, 'openssl', output=err)
elif retcode != OpensslCmsExitStatus.SUCCESS:
raise subprocess.CalledProcessError(retcode, 'openssl', output=err)
return output
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
"""Verifies the signature of the contents IAW CMS syntax.
:raises: subprocess.CalledProcessError
"""
_ensure_subprocess()
process = subprocess.Popen([
"openssl", "cms", "-verify", "-certfile", signing_cert_file_name,
"-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap", "-nodetach",
"-nocerts", "-noattr"
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
output, err = process.communicate(formatted)
retcode = process.poll()
if retcode:
# Do not log errors, as some happen in the positive thread
# instead, catch them in the calling code and log them there.
# NOTE(dmllr): Python 2.6 compatibility:
# CalledProcessError did not have output keyword argument
e = subprocess.CalledProcessError(retcode, "openssl")
e.output = err
raise e
return output
def cms_sign_text(text, signing_cert_file_name, signing_key_file_name):
""" Uses OpenSSL to sign a document
Produces a Base64 encoding of a DER formatted CMS Document
http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
"""
_ensure_subprocess()
process = subprocess.Popen([
"openssl", "cms", "-sign", "-signer", signing_cert_file_name, "-inkey",
signing_key_file_name, "-outform", "PEM", "-nosmimecap", "-nodetach",
"-nocerts", "-noattr"
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
output, err = process.communicate(text)
retcode = process.poll()
if retcode or "Error" in err:
if retcode == 3:
LOG.error(
_("Signing error: Unable to load certificate - "
"ensure you've configured PKI with "
"'keystone-manage pki_setup'"))
else:
LOG.error(_('Signing error: %s') % err)
raise subprocess.CalledProcessError(retcode, "openssl")
return output
def cms_verify(formatted,
signing_cert_file_name,
ca_file_name,
inform=PKI_ASN1_FORM):
"""Verifies the signature of the contents IAW CMS syntax.
:raises subprocess.CalledProcessError:
:raises keystoneclient.exceptions.CertificateConfigError: if certificate
is not configured
properly.
"""
_ensure_subprocess()
if isinstance(formatted, six.string_types):
data = bytearray(formatted, _encoding_for_form(inform))
else:
data = formatted
process = subprocess.Popen([
'openssl', 'cms', '-verify', '-certfile', signing_cert_file_name,
'-CAfile', ca_file_name, '-inform', 'PEM', '-nosmimecap', '-nodetach',
'-nocerts', '-noattr'
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
close_fds=True)
output, err, retcode = _process_communicate_handle_oserror(
process, data, (signing_cert_file_name, ca_file_name))
# Do not log errors, as some happen in the positive thread
# instead, catch them in the calling code and log them there.
# When invoke the openssl with not exist file, return code 2
# and error msg will be returned.
# You can get more from
# http://www.openssl.org/docs/apps/cms.html#EXIT_CODES
#
# $ openssl cms -verify -certfile not_exist_file -CAfile
# not_exist_file -inform PEM -nosmimecap -nodetach
# -nocerts -noattr
# Error opening certificate file not_exist_file
#
if retcode == OpensslCmsExitStatus.INPUT_FILE_READ_ERROR:
if err.startswith('Error reading S/MIME message'):
raise exceptions.CMSError(err)
else:
raise exceptions.CertificateConfigError(err)
elif retcode != OpensslCmsExitStatus.SUCCESS:
# NOTE(dmllr): Python 2.6 compatibility:
# CalledProcessError did not have output keyword argument
e = subprocess.CalledProcessError(retcode, 'openssl')
e.output = err
raise e
return output
def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
outform=PKI_ASN1_FORM,
message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
"""Uses OpenSSL to sign a document.
Produces a Base64 encoding of a DER formatted CMS Document
http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
:param data_to_sign: data to sign
:param signing_cert_file_name: path to the X509 certificate containing
the public key associated with the private key used to sign the data
:param signing_key_file_name: path to the private key used to sign
the data
:param outform: Format for the signed document PKIZ_CMS_FORM or
PKI_ASN1_FORM
:param message_digest: Digest algorithm to use when signing or resigning
"""
_ensure_subprocess()
if isinstance(data_to_sign, six.string_types):
data = bytearray(data_to_sign, encoding='utf-8')
else:
data = data_to_sign
process = subprocess.Popen(['openssl', 'cms', '-sign',
'-signer', signing_cert_file_name,
'-inkey', signing_key_file_name,
'-outform', 'PEM',
'-nosmimecap', '-nodetach',
'-nocerts', '-noattr',
'-md', message_digest, ],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
close_fds=True)
output, err, retcode = _process_communicate_handle_oserror(
process, data, (signing_cert_file_name, signing_key_file_name))
if retcode != OpensslCmsExitStatus.SUCCESS or ('Error' in err):
if retcode == OpensslCmsExitStatus.CREATE_CMS_READ_MIME_ERROR:
LOG.error(_LE('Signing error: Unable to load certificate - '
'ensure you have configured PKI with '
'"keystone-manage pki_setup"'))
else:
LOG.error(_LE('Signing error: %s'), err)
raise subprocess.CalledProcessError(retcode, 'openssl')
if outform == PKI_ASN1_FORM:
return output.decode('utf-8')
else:
return output
def cms_sign_data(data_to_sign,
signing_cert_file_name,
signing_key_file_name,
outform=PKI_ASN1_FORM):
"""Uses OpenSSL to sign a document.
Produces a Base64 encoding of a DER formatted CMS Document
http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
:param data_to_sign: data to sign
:param signing_cert_file_name: path to the X509 certificate containing
the public key associated with the private key used to sign the data
:param signing_key_file_name: path to the private key used to sign
the data
:param outform: Format for the signed document PKIZ_CMS_FORM or
PKI_ASN1_FORM
"""
_ensure_subprocess()
if isinstance(data_to_sign, six.string_types):
data = bytearray(data_to_sign, encoding='utf-8')
else:
data = data_to_sign
process = subprocess.Popen([
'openssl', 'cms', '-sign', '-signer', signing_cert_file_name, '-inkey',
signing_key_file_name, '-outform', 'PEM', '-nosmimecap', '-nodetach',
'-nocerts', '-noattr'
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
output, err, retcode = _process_communicate_handle_oserror(
process, data, (signing_cert_file_name, signing_key_file_name))
if retcode or ('Error' in err):
LOG.error('Signing error: %s', err)
if retcode == 3:
LOG.error('Signing error: Unable to load certificate - '
'ensure you have configured PKI with '
'"keystone-manage pki_setup"')
else:
LOG.error('Signing error: %s', err)
raise subprocess.CalledProcessError(retcode, 'openssl')
if outform == PKI_ASN1_FORM:
return output.decode('utf-8')
else:
return output
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
"""Verifies the signature of the contents IAW CMS syntax."""
_ensure_subprocess()
process = subprocess.Popen([
"openssl", "cms", "-verify", "-certfile", signing_cert_file_name,
"-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap", "-nodetach",
"-nocerts", "-noattr"
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
output, err = process.communicate(formatted)
retcode = process.poll()
if retcode:
LOG.error(_('Verify error: %s') % err)
raise subprocess.CalledProcessError(retcode, "openssl", output=err)
return output
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
"""Verifies the signature of the contents IAW CMS syntax.
:raises: subprocess.CalledProcessError
:raises: CertificateConfigError if certificate is not configured properly.
"""
_ensure_subprocess()
process = subprocess.Popen([
"openssl", "cms", "-verify", "-certfile", signing_cert_file_name,
"-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap", "-nodetach",
"-nocerts", "-noattr"
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
universal_newlines=True)
output, err, retcode = _process_communicate_handle_oserror(
process, formatted, (signing_cert_file_name, ca_file_name))
# Do not log errors, as some happen in the positive thread
# instead, catch them in the calling code and log them there.
# When invoke the openssl with not exist file, return code 2
# and error msg will be returned.
# You can get more from
# http://www.openssl.org/docs/apps/cms.html#EXIT_CODES
#
# $ openssl cms -verify -certfile not_exist_file -CAfile \
# not_exist_file -inform PEM -nosmimecap -nodetach \
# -nocerts -noattr
# Error opening certificate file not_exist_file
#
if retcode == 2:
raise exceptions.CertificateConfigError(err)
elif retcode:
# NOTE(dmllr): Python 2.6 compatibility:
# CalledProcessError did not have output keyword argument
e = subprocess.CalledProcessError(retcode, "openssl")
e.output = err
raise e
return output
def cms_sign_text(text, signing_cert_file_name, signing_key_file_name):
"""Uses OpenSSL to sign a document.
Produces a Base64 encoding of a DER formatted CMS Document
http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
"""
_ensure_subprocess()
process = subprocess.Popen([
"openssl", "cms", "-sign", "-signer", signing_cert_file_name, "-inkey",
signing_key_file_name, "-outform", "PEM", "-nosmimecap", "-nodetach",
"-nocerts", "-noattr"
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
output, err = process.communicate(text)
retcode = process.poll()
if retcode or "Error" in err:
LOG.error('Signing error: %s' % err)
raise subprocess.CalledProcessError(retcode, "openssl")
return output
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
"""
verifies the signature of the contents IAW CMS syntax
"""
_ensure_subprocess()
process = subprocess.Popen([
"openssl", "cms", "-verify", "-certfile", signing_cert_file_name,
"-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap", "-nodetach",
"-nocerts", "-noattr"
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
output, err = process.communicate(formatted)
retcode = process.poll()
if retcode:
LOG.error('Verify error: %s' % err)
# NOTE(dmllr): Python 2.6 compatibility:
# CalledProcessError did not have output keyword argument
e = subprocess.CalledProcessError(retcode, "openssl")
e.output = err
raise e
return output
def cms_sign_text(text, signing_cert_file_name, signing_key_file_name):
"""Uses OpenSSL to sign a document.
Produces a Base64 encoding of a DER formatted CMS Document
http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
"""
_ensure_subprocess()
data = bytearray(text, encoding='utf-8')
process = subprocess.Popen([
'openssl', 'cms', '-sign', '-signer', signing_cert_file_name, '-inkey',
signing_key_file_name, '-outform', 'PEM', '-nosmimecap', '-nodetach',
'-nocerts', '-noattr'
],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
output, err, retcode = _process_communicate_handle_oserror(
process, data, (signing_cert_file_name, signing_key_file_name))
if retcode or ('Error' in err):
LOG.error('Signing error: %s' % err)
raise subprocess.CalledProcessError(retcode, 'openssl')
return output.decode('utf-8')