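def test_verify_signature_ECC(self, mock_get_pub_key):
    """Round-trip an ECDSA signature through get_verifier for every curve.

    For each curve in ``signature_utils.ECC_CURVES`` whose key type name
    (``ECC_<CURVE>``) is accepted by ``SignatureKeyType.lookup``, a fresh
    private key signs the fixed payload with every hash in
    ``signature_utils.HASH_METHODS``; the verifier built from the matching
    hash name and key type must accept the base64-encoded signature.

    Curves that ``lookup`` rejects with ``SignatureVerificationError`` are
    skipped with a warning instead of failing the test.  That is a
    deliberate best-effort choice, but it means the test passes without
    verifying anything on a backend that supports no curve -- watch the
    warnings when moving to a new crypto backend.

    :param mock_get_pub_key: mock injected by the test's patch decorator
        (outside this listing); the verifier's public-key lookup is
        expected to go through it, so its return value is set to the
        public half of each generated key.
    """
    # Import once at the top, not inside the loop's except branch.
    import warnings

    data = b'224626ae19824466f2a7f39ab7b80f7f'
    img_sig_cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'

    # test every ECC curve
    for curve in signature_utils.ECC_CURVES:
        key_type_name = 'ECC_' + curve.name.upper()
        try:
            signature_utils.SignatureKeyType.lookup(key_type_name)
        except exception.SignatureVerificationError:
            warnings.warn("ECC curve '%s' not supported" % curve.name)
            continue

        # Fresh key per curve; the verifier obtains its public half via
        # the patched lookup.
        private_key = ec.generate_private_key(curve, default_backend())
        mock_get_pub_key.return_value = private_key.public_key()

        for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
            signer = private_key.signer(ec.ECDSA(hash_alg))
            signer.update(data)
            # get_verifier is handed the base64 form, as stored in image
            # metadata, not the raw DER signature.
            signature = base64.b64encode(signer.finalize())

            verifier = signature_utils.get_verifier(None,
                                                    img_sig_cert_uuid,
                                                    hash_name,
                                                    signature,
                                                    key_type_name)
            verifier.update(data)
            # Raises cryptography's InvalidSignature on mismatch.
            verifier.verify()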
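def test_verify_signature_ECC(self, mock_get_pub_key):
    """Sign with every supported ECC curve and every hash; verify each.

    A curve is "supported" when ``SignatureKeyType.lookup`` accepts the
    ``ECC_<CURVE>`` key type name; unsupported curves are reported with a
    warning and skipped, so this test can pass vacuously on a backend
    with no usable curve (check the warnings in that case).  For each
    supported curve a new private key signs the payload once per
    ``signature_utils.HASH_METHODS`` entry and ``get_verifier`` must
    accept the base64-encoded signature.

    :param mock_get_pub_key: mock supplied by the patch decorator outside
        this listing; its return value is set to the public key the
        verifier is expected to look up.
    """
    # Hoisted out of the loop's except branch where the original put it.
    import warnings

    data = b'224626ae19824466f2a7f39ab7b80f7f'
    cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'

    # test every ECC curve
    for curve in signature_utils.ECC_CURVES:
        key_type_name = 'ECC_' + curve.name.upper()
        try:
            signature_utils.SignatureKeyType.lookup(key_type_name)
        except exception.SignatureVerificationError:
            warnings.warn("ECC curve '%s' not supported" % curve.name)
            continue

        # Create a private key to use
        private_key = ec.generate_private_key(curve, default_backend())
        mock_get_pub_key.return_value = private_key.public_key()

        for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
            signer = private_key.signer(ec.ECDSA(hash_alg))
            signer.update(data)
            raw_signature = signer.finalize()

            # Base64, matching how the signature is carried in image
            # properties.
            verifier = signature_utils.get_verifier(
                None, cert_uuid, hash_name, base64.b64encode(raw_signature),
                key_type_name)
            verifier.update(data)
            verifier.verify()  # InvalidSignature on mismatch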
def test_verify_signature_bad_signature(self, mock_get_pub_key):
    """A signature that does not match the data must be rejected.

    The verifier is built with the test RSA public key (served by the
    patched key lookup), SHA-256, RSA-PSS and the base64 string ``'BLAH'``
    as the signature.  Building the verifier is expected to succeed; the
    rejection must surface from ``verify()`` as
    ``cryptography.exceptions.InvalidSignature`` -- the fail-closed
    behaviour the download path relies on.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing; set to return the RSA public key.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'
    cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
    mock_get_pub_key.return_value = TEST_RSA_PRIVATE_KEY.public_key()

    verifier = signature_utils.get_verifier(
        None, cert_uuid, 'SHA-256', 'BLAH', signature_utils.RSA_PSS)
    verifier.update(payload)

    # The mismatch must be reported, never swallowed.
    self.assertRaises(crypto_exceptions.InvalidSignature, verifier.verify)
def test_verify_signature_bad_signature(self, mock_get_pub_key):
    """Verification of a bogus signature must raise InvalidSignature.

    Uses the dict form of ``get_verifier``: image properties keyed by the
    module constants ``CERT_UUID``, ``HASH_METHOD``, ``KEY_TYPE`` and
    ``SIGNATURE``, with ``'BLAH'`` as the (syntactically valid base64,
    semantically wrong) signature.  Construction succeeds; ``verify()``
    must fail with ``cryptography.exceptions.InvalidSignature``.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing; returns the RSA public key matching ``TEST_RSA_PRIVATE_KEY``.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'
    mock_get_pub_key.return_value = TEST_RSA_PRIVATE_KEY.public_key()

    props = {}
    props[CERT_UUID] = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
    props[HASH_METHOD] = 'SHA-256'
    props[KEY_TYPE] = 'RSA-PSS'
    props[SIGNATURE] = 'BLAH'

    verifier = signature_utils.get_verifier(None, props)
    verifier.update(payload)
    # Fail closed: the bad signature has to be reported by verify().
    self.assertRaises(crypto_exceptions.InvalidSignature, verifier.verify)
def test_verify_signature_bad_signature(self, mock_get_pub_key):
    """get_verifier built from image properties rejects a bad signature.

    The properties dict names SHA-256 / RSA-PSS and carries ``'BLAH'`` as
    the signature; with the RSA public key served by the patched lookup,
    ``verify()`` must raise ``cryptography.exceptions.InvalidSignature``.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'
    mock_get_pub_key.return_value = TEST_RSA_PRIVATE_KEY.public_key()

    image_properties = dict([
        (CERT_UUID, 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'),
        (HASH_METHOD, 'SHA-256'),
        (KEY_TYPE, 'RSA-PSS'),
        (SIGNATURE, 'BLAH'),
    ])
    verifier = signature_utils.get_verifier(None, image_properties)
    verifier.update(payload)

    # A wrong signature must never verify silently.
    self.assertRaises(crypto_exceptions.InvalidSignature, verifier.verify)
def test_verify_signature_DSA(self, mock_get_pub_key):
    """Round-trip a DSA signature through get_verifier for each hash.

    ``TEST_DSA_PRIVATE_KEY`` signs the fixed payload once per entry of
    ``signature_utils.HASH_METHODS``; the verifier built from the matching
    hash name and the ``signature_utils.DSA`` key type, with the public
    half served by the patched lookup, must accept the base64-encoded
    signature.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing; set to return the DSA public key.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'
    cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
    mock_get_pub_key.return_value = TEST_DSA_PRIVATE_KEY.public_key()

    for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
        signer = TEST_DSA_PRIVATE_KEY.signer(hash_alg)
        signer.update(payload)
        encoded_sig = base64.b64encode(signer.finalize())

        verifier = signature_utils.get_verifier(
            None, cert_uuid, hash_name, encoded_sig, signature_utils.DSA)
        verifier.update(payload)
        # Raises InvalidSignature if the round trip does not hold.
        verifier.verify()
def test_verify_signature_DSA(self, mock_get_pub_key):
    """Every supported hash must verify a DSA signature it produced.

    Iterates ``signature_utils.HASH_METHODS``: sign the payload with
    ``TEST_DSA_PRIVATE_KEY`` and the hash, base64-encode the signature and
    check that ``get_verifier`` (positional form, key type
    ``signature_utils.DSA``) accepts it.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing; its return value is the DSA public key.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'
    mock_get_pub_key.return_value = TEST_DSA_PRIVATE_KEY.public_key()
    cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'

    for hash_name in signature_utils.HASH_METHODS:
        hash_alg = signature_utils.HASH_METHODS[hash_name]
        signer = TEST_DSA_PRIVATE_KEY.signer(hash_alg)
        signer.update(payload)

        verifier = signature_utils.get_verifier(
            None,
            cert_uuid,
            hash_name,
            base64.b64encode(signer.finalize()),
            signature_utils.DSA)
        verifier.update(payload)
        verifier.verify()  # InvalidSignature on mismatch
def test_verify_signature_DSA(self, mock_get_pub_key):
    """DSA round trip through the image-properties form of get_verifier.

    For each hash in ``signature_utils.HASH_METHODS`` the test DSA key
    signs the payload; a properties dict with ``KEY_TYPE`` ``'DSA'``, the
    hash name and the base64 signature is passed to ``get_verifier`` and
    ``verify()`` must accept the data.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing; returns the DSA public key.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'
    mock_get_pub_key.return_value = TEST_DSA_PRIVATE_KEY.public_key()

    for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
        signer = TEST_DSA_PRIVATE_KEY.signer(hash_alg)
        signer.update(payload)

        props = {
            CERT_UUID: 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
            HASH_METHOD: hash_name,
            KEY_TYPE: 'DSA',
            SIGNATURE: base64.b64encode(signer.finalize()),
        }
        verifier = signature_utils.get_verifier(None, props)
        verifier.update(payload)
        # Raises InvalidSignature on mismatch.
        verifier.verify()
def test_verify_signature_DSA(self, mock_get_pub_key):
    """Each hash method must verify a DSA signature made with it.

    Builds the verifier from an image-properties dict (``CERT_UUID``,
    ``HASH_METHOD``, ``KEY_TYPE`` ``'DSA'``, ``SIGNATURE``) for every
    ``signature_utils.HASH_METHODS`` entry and checks the signature that
    ``TEST_DSA_PRIVATE_KEY`` produced over the payload.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing; set to return the DSA public key.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'
    cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
    mock_get_pub_key.return_value = TEST_DSA_PRIVATE_KEY.public_key()

    for hash_name in signature_utils.HASH_METHODS:
        signer = TEST_DSA_PRIVATE_KEY.signer(
            signature_utils.HASH_METHODS[hash_name])
        signer.update(payload)
        encoded_sig = base64.b64encode(signer.finalize())

        image_props = {}
        image_props[CERT_UUID] = cert_uuid
        image_props[HASH_METHOD] = hash_name
        image_props[KEY_TYPE] = 'DSA'
        image_props[SIGNATURE] = encoded_sig

        verifier = signature_utils.get_verifier(None, image_props)
        verifier.update(payload)
        verifier.verify()  # InvalidSignature if the round trip fails
def test_verify_signature_ECC(self, mock_get_pub_key):
    """ECDSA round trip for every curve in ECC_CURVES and every hash.

    Unlike the positional-API variant there is no support probe: every
    curve in ``signature_utils.ECC_CURVES`` is exercised.  A fresh key is
    generated per curve, its public half is served by the patched lookup,
    and ``get_verifier`` is driven with a properties dict whose
    ``KEY_TYPE`` is ``'ECC_<CURVE>'``.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'
    cert_uuid = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'

    # test every ECC curve
    for curve in signature_utils.ECC_CURVES:
        # Create a private key to use
        private_key = ec.generate_private_key(curve, default_backend())
        mock_get_pub_key.return_value = private_key.public_key()
        key_type = 'ECC_' + curve.name.upper()

        for hash_name, hash_alg in signature_utils.HASH_METHODS.items():
            signer = private_key.signer(ec.ECDSA(hash_alg))
            signer.update(payload)
            encoded_sig = base64.b64encode(signer.finalize())

            props = {
                CERT_UUID: cert_uuid,
                HASH_METHOD: hash_name,
                KEY_TYPE: key_type,
                SIGNATURE: encoded_sig,
            }
            verifier = signature_utils.get_verifier(None, props)
            verifier.update(payload)
            # Raises InvalidSignature on mismatch.
            verifier.verify()
def test_verify_signature_ECC(self, mock_get_pub_key):
    """Sign and verify with every ECC curve / hash combination.

    For each curve in ``signature_utils.ECC_CURVES`` a new private key is
    generated and its public key handed to the patched lookup; for each
    ``signature_utils.HASH_METHODS`` entry the key signs the payload and
    ``get_verifier`` (properties-dict form, ``KEY_TYPE`` ``'ECC_<CURVE>'``)
    must accept the base64-encoded signature.

    :param mock_get_pub_key: mock from the patch decorator outside this
        listing.
    """
    payload = b'224626ae19824466f2a7f39ab7b80f7f'

    # test every ECC curve
    for curve in signature_utils.ECC_CURVES:
        # Create a private key to use
        private_key = ec.generate_private_key(curve, default_backend())
        mock_get_pub_key.return_value = private_key.public_key()

        for hash_name in signature_utils.HASH_METHODS:
            hash_alg = signature_utils.HASH_METHODS[hash_name]
            signer = private_key.signer(ec.ECDSA(hash_alg))
            signer.update(payload)

            image_props = {}
            image_props[CERT_UUID] = 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693'
            image_props[HASH_METHOD] = hash_name
            image_props[KEY_TYPE] = 'ECC_' + curve.name.upper()
            image_props[SIGNATURE] = base64.b64encode(signer.finalize())

            verifier = signature_utils.get_verifier(None, image_props)
            verifier.update(payload)
            verifier.verify()  # InvalidSignature on mismatch
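def download(self, context, image_id, data=None, dst_path=None):
    """Fetch image ``image_id`` from Glance and return or write its bytes.

    Delivery mode is chosen by the arguments:

    * ``dst_path`` given and ``[glance]allowed_direct_url_schemes`` set:
      each of the image's ``locations`` is tried with a registered
      transfer module; the first success returns immediately, failures
      are logged and the Glance API path below is used as fallback.
    * no ``data`` and no ``dst_path``: the chunk iterable from the Glance
      ``data`` call is returned to the caller.
    * otherwise the chunks are written to ``data`` (opened from
      ``dst_path`` here, and closed here, when the caller passed no file
      object).

    When ``[glance]verify_glance_signatures`` is enabled the image's
    ``img_signature*`` properties are fed to ``signature_utils.get_verifier``
    and every chunk goes through the verifier; ``verify()`` runs after the
    last chunk and a mismatch raises ``cryptography.exceptions.InvalidSignature``
    (when writing to a file, the file is truncated to zero length first).
    A transfer module writes ``dst_path`` itself and this method used to
    return before any verifier existed, so a direct download silently
    bypassed verification; with verification enabled the direct path is
    now skipped (fail closed) and the verified Glance API path is used.
    Re-enabling the combination would require verifying ``dst_path``
    after the transfer.

    :param context: request context for the Glance client and for
        ``get_verifier`` (presumably used to fetch the certificate named
        by ``img_signature_certificate_uuid``)
    :param image_id: Glance image UUID
    :param data: optional writable object that receives the image bytes
    :param dst_path: optional path to write to when ``data`` is not given
    :returns: the chunk iterable when nothing is written, else ``None``
    :raises exception.SignatureVerificationError: the signature properties
        do not yield a usable verifier
    :raises cryptography.exceptions.InvalidSignature: the image bytes do
        not match the signature
    """
    verify_signatures = CONF.glance.verify_glance_signatures
    direct_allowed = (CONF.glance.allowed_direct_url_schemes
                      and dst_path is not None)

    if direct_allowed and verify_signatures:
        # Fail closed: the transfer modules write dst_path outside the
        # chunk loop, so the verifier would never see those bytes.
        LOG.info(_LI("Image signature verification is enabled; not using "
                     "direct URL download for image: %s"), image_id)
    elif direct_allowed:
        image = self.show(context, image_id, include_locations=True)
        for entry in image.get('locations', []):
            loc_url = entry['url']
            loc_meta = entry['metadata']
            o = urlparse.urlparse(loc_url)
            xfer_mod = self._get_transfer_module(o.scheme)
            if xfer_mod:
                try:
                    xfer_mod.download(context, o, dst_path, loc_meta)
                    LOG.info(_LI("Successfully transferred "
                                 "using %s"), o.scheme)
                    return
                except Exception:
                    # Best effort: log, try the next location, and
                    # finally fall back to the Glance API download.
                    LOG.exception(_LE("Download image error"))

    try:
        image_chunks = self._client.call(context, 1, 'data', image_id)
    except Exception:
        _reraise_translated_image_exception(image_id)

    # Retrieve properties for verification of Glance image signature
    verifier = None
    if verify_signatures:
        image_meta_dict = self.show(context, image_id,
                                    include_locations=False)
        image_meta = objects.ImageMeta.from_dict(image_meta_dict)
        img_signature = image_meta.properties.get('img_signature')
        img_sig_hash_method = image_meta.properties.get(
            'img_signature_hash_method')
        img_sig_cert_uuid = image_meta.properties.get(
            'img_signature_certificate_uuid')
        img_sig_key_type = image_meta.properties.get(
            'img_signature_key_type')
        try:
            # Any of the properties may be None here; get_verifier owns
            # their validation and signals problems with
            # SignatureVerificationError.
            verifier = signature_utils.get_verifier(
                context, img_sig_cert_uuid, img_sig_hash_method,
                img_signature, img_sig_key_type)
        except exception.SignatureVerificationError:
            with excutils.save_and_reraise_exception():
                LOG.error(_LE('Image signature verification failed '
                              'for image: %s'), image_id)

    close_file = False
    if data is None and dst_path:
        data = open(dst_path, 'wb')
        close_file = True

    if data is None:
        # Nothing to write: verify (if required) and hand back the chunks.
        if verifier:
            try:
                for chunk in image_chunks:
                    verifier.update(chunk)
                verifier.verify()
                LOG.info(_LI('Image signature verification succeeded '
                             'for image: %s'), image_id)
            except cryptography.exceptions.InvalidSignature:
                with excutils.save_and_reraise_exception():
                    LOG.error(_LE('Image signature verification failed '
                                  'for image: %s'), image_id)
        # NOTE(review): when a verifier ran, the loop above has already
        # iterated image_chunks; if the object returned by the 'data'
        # call is a one-shot iterator the caller receives an exhausted
        # stream.  Confirm against the Glance client before relying on
        # this path with verification enabled.
        return image_chunks

    try:
        for chunk in image_chunks:
            if verifier:
                verifier.update(chunk)
            data.write(chunk)
        if verifier:
            verifier.verify()
            LOG.info(_LI('Image signature verification succeeded '
                         'for image %s'), image_id)
    except cryptography.exceptions.InvalidSignature:
        # The whole (unverified) image is on disk by now; empty the file
        # so nothing downstream can use it, then re-raise.
        data.truncate(0)
        with excutils.save_and_reraise_exception():
            LOG.error(_LE('Image signature verification failed '
                          'for image: %s'), image_id)
    except Exception as ex:
        with excutils.save_and_reraise_exception():
            LOG.error(_LE("Error writing to %(path)s: %(exception)s"),
                      {'path': dst_path, 'exception': ex})
    finally:
        # Only close what this method opened; a caller-supplied object
        # stays open for the caller.
        if close_file:
            data.close()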
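def download(self, context, image_id, data=None, dst_path=None):
    """Calls out to Glance for data and writes data.

    Modes, by argument:

    * ``dst_path`` set and ``[glance]allowed_direct_url_schemes``
      configured: the image's ``locations`` are tried with the registered
      transfer modules; the first success returns, failures are logged
      and the Glance API download below is the fallback.
    * neither ``data`` nor ``dst_path``: the chunk iterable returned by
      the Glance ``data`` call is handed back.
    * otherwise the chunks are written to ``data``, which is opened from
      ``dst_path`` (and closed) here if the caller passed no object.

    With ``[glance]verify_glance_signatures`` on, a verifier is built by
    ``signature_utils.get_verifier`` from the image's ``img_signature*``
    properties and every chunk is fed through it; ``verify()`` runs after
    the last chunk and raises ``cryptography.exceptions.InvalidSignature``
    on mismatch (a file target is truncated to zero length first).  The
    transfer modules write ``dst_path`` themselves and this method returned
    before a verifier existed, so the direct path bypassed verification;
    it is now skipped while verification is enabled (fail closed).

    :param context: request context for the Glance client and for
        ``get_verifier`` (presumably used to fetch the certificate behind
        ``img_signature_certificate_uuid``)
    :param image_id: Glance image UUID
    :param data: optional writable object receiving the image bytes
    :param dst_path: optional path written when ``data`` is not given
    :returns: the chunk iterable when nothing is written, else ``None``
    :raises exception.SignatureVerificationError: no usable verifier could
        be built from the signature properties
    :raises cryptography.exceptions.InvalidSignature: the image bytes do
        not match the signature
    """
    if CONF.glance.allowed_direct_url_schemes and dst_path is not None:
        if CONF.glance.verify_glance_signatures:
            # Fail closed: a transfer module writes dst_path outside the
            # chunk loop and this method would return before the verifier
            # is built, so the direct path cannot be verified.
            LOG.info(_LI("Image signature verification is enabled; not "
                         "using direct URL download for image: %s"),
                     image_id)
        else:
            image = self.show(context, image_id, include_locations=True)
            for entry in image.get('locations', []):
                loc_url = entry['url']
                loc_meta = entry['metadata']
                o = urlparse.urlparse(loc_url)
                xfer_mod = self._get_transfer_module(o.scheme)
                if xfer_mod:
                    try:
                        xfer_mod.download(context, o, dst_path, loc_meta)
                        LOG.info(_LI("Successfully transferred "
                                     "using %s"), o.scheme)
                        return
                    except Exception:
                        # Best effort: try the next location, then the
                        # Glance API download.
                        LOG.exception(_LE("Download image error"))

    try:
        image_chunks = self._client.call(context, 1, 'data', image_id)
    except Exception:
        _reraise_translated_image_exception(image_id)

    # Retrieve properties for verification of Glance image signature
    verifier = None
    if CONF.glance.verify_glance_signatures:
        image_meta_dict = self.show(context, image_id,
                                    include_locations=False)
        image_meta = objects.ImageMeta.from_dict(image_meta_dict)
        img_signature = image_meta.properties.get('img_signature')
        img_sig_hash_method = image_meta.properties.get(
            'img_signature_hash_method')
        img_sig_cert_uuid = image_meta.properties.get(
            'img_signature_certificate_uuid')
        img_sig_key_type = image_meta.properties.get(
            'img_signature_key_type')
        try:
            # Properties may be missing (None); get_verifier validates
            # them and raises SignatureVerificationError when unusable.
            verifier = signature_utils.get_verifier(context,
                                                    img_sig_cert_uuid,
                                                    img_sig_hash_method,
                                                    img_signature,
                                                    img_sig_key_type)
        except exception.SignatureVerificationError:
            with excutils.save_and_reraise_exception():
                LOG.error(_LE('Image signature verification failed '
                              'for image: %s'), image_id)

    close_file = False
    if data is None and dst_path:
        data = open(dst_path, 'wb')
        close_file = True

    if data is None:
        # Perform image signature verification
        if verifier:
            try:
                for chunk in image_chunks:
                    verifier.update(chunk)
                verifier.verify()
                LOG.info(_LI('Image signature verification succeeded '
                             'for image: %s'), image_id)
            except cryptography.exceptions.InvalidSignature:
                with excutils.save_and_reraise_exception():
                    LOG.error(_LE('Image signature verification failed '
                                  'for image: %s'), image_id)
        # NOTE(review): if a verifier ran, image_chunks has already been
        # iterated above; should the 'data' call return a one-shot
        # iterator, the caller gets an exhausted stream.  Verify against
        # the Glance client before using this path with verification on.
        return image_chunks

    try:
        for chunk in image_chunks:
            if verifier:
                verifier.update(chunk)
            data.write(chunk)
        if verifier:
            verifier.verify()
            LOG.info(_LI('Image signature verification succeeded '
                         'for image %s'), image_id)
    except cryptography.exceptions.InvalidSignature:
        # The complete, unverified image has been written; empty the
        # file before re-raising so it cannot be consumed.
        data.truncate(0)
        with excutils.save_and_reraise_exception():
            LOG.error(_LE('Image signature verification failed '
                          'for image: %s'), image_id)
    except Exception as ex:
        with excutils.save_and_reraise_exception():
            LOG.error(_LE("Error writing to %(path)s: %(exception)s"),
                      {'path': dst_path, 'exception': ex})
    finally:
        # Close only a file this method opened itself.
        if close_file:
            data.close()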