コード例 #1
 def _maybe_create_challenge_key(self):
     """Create the challenge key file on first run.

     Nothing happens when ``self._challenge_key_file`` already exists; the
     key found there is kept as-is.  Otherwise a fresh SECP384R1 private key
     is generated and handed to ``cert_utils.write_key`` for persistence.

     NOTE(review): the on-disk permissions of the written key are decided
     inside ``cert_utils.write_key``, which is not visible here — confirm the
     private key is not created world-readable.
     """
     key_path = self._challenge_key_file
     if os.path.exists(key_path):
         return
     logging.info('Generating challenge key and written into %s', key_path)
     new_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
     cert_utils.write_key(new_key, key_path)
コード例 #2
ファイル: cert_utils_tests.py プロジェクト: markjen/magma
 def load_public_key_to_base64der(self):
     """Round-trip a public key through ``cu.load_public_key_to_base64der``.

     A fresh SECP384R1 key is written to a temporary directory, cert_utils
     is asked for the base64-DER form of its public half, and the decoded
     DER is loaded back and compared with ``key.public_key()``.

     NOTE(review): the method name lacks the ``test_`` prefix, so the
     default unittest loader will not collect it — confirm it actually runs.
     """
     with TemporaryDirectory(prefix='/tmp/test_cert_utils') as temp_dir:
         key_path = os.path.join(temp_dir, 'test.key')
         key = ec.generate_private_key(ec.SECP384R1(), default_backend())
         cu.write_key(key, key_path)
         encoded = cu.load_public_key_to_base64der(key_path)
         raw_der = base64.b64decode(encoded)
         loaded_pub = serialization.load_der_public_key(raw_der,
                                                        default_backend())
         self.assertEqual(loaded_pub, key.public_key())
コード例 #3
    def test_key(self):
        """Write a key with ``cu.write_key`` and read it back with ``cu.load_key``.

        Equality is asserted on the unencrypted PEM (TraditionalOpenSSL)
        serialization of both keys rather than on the key objects themselves.
        """
        with TemporaryDirectory(prefix='/tmp/test_cert_utils') as temp_dir:
            key_path = os.path.join(temp_dir, 'test.key')
            original = ec.generate_private_key(ec.SECP384R1(), default_backend())
            cu.write_key(original, key_path)
            reloaded = cu.load_key(key_path)

        def _pem(private_key):
            # Canonical, comparable form: unencrypted traditional-OpenSSL PEM.
            return private_key.private_bytes(
                serialization.Encoding.PEM,
                serialization.PrivateFormat.TraditionalOpenSSL,
                serialization.NoEncryption())

        self.assertEqual(_pem(original), _pem(reloaded))
コード例 #4
    async def _request_sign_done_success(self, cert):
        """Persist the signed gateway certificate and finish the bootstrap.

        ``cert`` is first checked with ``self._is_valid_certificate``; an
        invalid cert bumps the ``RequestSignDoneInvalidCert`` counter,
        schedules the next bootstrap as a hard failure and returns.
        Otherwise the in-memory gateway key and the DER cert are written to
        their files, the success callback is awaited, the key is dropped
        from memory and the next bootstrap check is scheduled.

        NOTE(review): a failed write is counted and logged but does not stop
        the success path — the callback still runs, "Bootstrapped
        Successfully!" is logged and ``self._gateway_key`` is cleared even
        though the key may never have reached disk.  Confirm this
        fall-through is intended.
        """
        if not self._is_valid_certificate(cert):
            BOOTSTRAP_EXCEPTION.labels(cause='RequestSignDoneInvalidCert').inc()
            self._schedule_next_bootstrap(hard_failure=True)
            return

        try:
            cert_utils.write_key(self._gateway_key, self._gateway_key_file)
            cert_utils.write_cert(cert.cert_der, self._gateway_cert_file)
        except Exception as exp:
            cause = 'RequestSignDoneWriteCert:%s' % type(exp).__name__
            BOOTSTRAP_EXCEPTION.labels(cause=cause).inc()
            logging.error('Failed to write cert: %s', exp)

        # need to restart control_proxy
        await self._bootstrap_success_cb(True)
        self._gateway_key = None
        self._schedule_next_bootstrap_check()
        logging.info("Bootstrapped Successfully!")
コード例 #5
    def _request_sign_done(self, future):
        """Callback for RequestSign.future

        Steps, in order:
          1. ``future.exception()`` is set -> count ``RequestSignDoneResp``,
             log the gRPC code/details and call
             ``_retry_bootstrap(hard_failure=False)``.
          2. ``future.result()`` fails ``_is_valid_certificate`` -> count
             ``RequestSignDoneInvalidCert`` and call
             ``_retry_bootstrap(hard_failure=True)``.
          3. Write the gateway key and DER cert to their files, fire the
             success callback, reset ``self._gateway_key`` to None and
             schedule the periodic bootstrap check.

        NOTE(review): a write error in step 3 is counted and logged, but the
        method still logs success, fires the success callback and discards
        the in-memory key.  If the intent is "any failing step retries", the
        except branch needs a ``_retry_bootstrap`` call and an early return.

        Args:
            future: Future object returned by async RequestSign gRPC call
        """
        rpc_error = future.exception()
        if rpc_error:
            message = 'RequestSign error! [%s], %s' % (rpc_error.code(),
                                                       rpc_error.details())
            BOOTSTRAP_EXCEPTION.labels(cause='RequestSignDoneResp').inc()
            logging.error(message)
            self._retry_bootstrap(hard_failure=False)
            return

        cert = future.result()
        if not self._is_valid_certificate(cert):
            BOOTSTRAP_EXCEPTION.labels(cause='RequestSignDoneInvalidCert').inc()
            self._retry_bootstrap(hard_failure=True)
            return

        try:
            cert_utils.write_key(self._gateway_key, self._gateway_key_file)
            cert_utils.write_cert(cert.cert_der, self._gateway_cert_file)
        except Exception as exp:
            cause = 'RequestSignDoneWriteCert:%s' % type(exp).__name__
            BOOTSTRAP_EXCEPTION.labels(cause=cause).inc()
            logging.error('Failed to write cert: %s', exp)

        logging.info('Bootstrap succeeds')
        # need to restart control_proxy
        self._bootstrap_success_cb(True)
        self._gateway_key = None
        self._schedule_periodic_bootstrap_check()