def set_signature(self, acts, key_path=None, chain_paths=misc.EmptyI,
                  chash_dir=None):
    """Record the signature (or plain digest) of 'acts' in self.attrs["value"].

    'acts' is the iterable of actions this action covers; it is turned
    into a list before use.  When 'key_path' is None no signing key is
    involved: the stored value is only the self.hash_alg digest of the
    serialized actions and self.data (the certificate) must be unset.
    Otherwise 'key_path' is the path of the file holding the RSA private
    key used to sign, 'chain_paths' is an iterable of certificate paths
    needed to link the key's certificate to one of the publisher's CAs,
    and 'chash_dir' is the temporary directory used while computing the
    compressed hashes of those chain certificates.

    Raises apx.BadFileFormat when the key file cannot be loaded as an
    RSA key.
    """
    # A concrete list is far easier to inspect while debugging than a
    # one-shot iterator.
    act_list = list(acts)
    sig_version = generic.Action.sig_version

    if key_path is None:
        # Digest-only mode: a certificate must not have been supplied,
        # since nothing would vouch for it.
        assert self.data is None
        digest = m2.EVP.MessageDigest(self.hash_alg)
        rc = digest.update(self.actions_to_str(act_list, sig_version))
        assert rc == 1, \
            "Res was expected to be 1, it was {0}".format(rc)
        self.attrs["value"] = misc.binary_to_hex(digest.final())
        return

    # Signing mode: the certificate paired with the key must be present.
    assert self.data is not None
    self.__set_chain_certs_data(chain_paths, chash_dir)
    try:
        rsa_key = m2.RSA.load_key(key_path)
    except m2.RSA.RSAError:
        raise apx.BadFileFormat(
            _("{0} was expected to "
            "be a RSA key but could not be read "
            "correctly.").format(key_path))
    pkey = m2.EVP.PKey(md=self.hash_alg)
    # The second argument appears to be M2Crypto's 'capture' flag, which
    # hands the RSA object over to the PKey; the local reference is
    # dropped right after so only one owner remains.
    pkey.assign_rsa(rsa_key, 1)
    del rsa_key
    pkey.sign_init()
    pkey.sign_update(self.actions_to_str(act_list, sig_version))
    self.attrs["value"] = misc.binary_to_hex(pkey.sign_final())
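def set_signature(self, acts, key_path=None, chain_paths=misc.EmptyI,
                  chash_dir=None):
    """Record the signature (or plain digest) of 'acts' in self.attrs["value"].

    'acts' is the iterable of actions this action covers; it is turned
    into a list before use.  When 'key_path' is None no signing key is
    involved: the stored value is only the self.hash_alg hex digest of
    the serialized actions and self.data (the certificate) must be
    unset.  Otherwise 'key_path' is the path of the PEM file holding the
    RSA private key used to sign, 'chain_paths' is an iterable of
    certificate paths needed to link the key's certificate to one of the
    publisher's CAs, and 'chash_dir' is the temporary directory used
    while computing the compressed hashes of those chain certificates.

    Raises apx.BadFileFormat when the key file cannot be loaded as an
    unencrypted PEM private key.
    """
    # A concrete list is far easier to inspect while debugging than a
    # one-shot iterator.
    acts = list(acts)

    if key_path is None:
        # Digest-only mode: a certificate must not have been supplied,
        # since nothing would vouch for it.
        assert self.data is None
        h = hashlib.new(self.hash_alg)
        h.update(
            misc.force_bytes(
                self.actions_to_str(acts, generic.Action.sig_version)))
        self.attrs["value"] = h.hexdigest()
        return

    # Signing mode: the certificate paired with the key must be present.
    assert self.data is not None
    self.__set_chain_certs_data(chain_paths, chash_dir)
    try:
        with open(key_path, "rb") as f:
            priv_key = serialization.load_pem_private_key(
                f.read(), password=None, backend=default_backend())
    except (ValueError, TypeError):
        # ValueError: the file is not a parseable PEM private key.
        # TypeError: the key is passphrase-protected and password=None
        # cannot unlock it; report it as unreadable like any other bad
        # key instead of leaking a bare TypeError to the caller.
        raise apx.BadFileFormat(
            _("{0} was expected to "
            "be a RSA key but could not be read "
            "correctly.").format(key_path))
    # NOTE(review): load_pem_private_key also accepts non-RSA keys; such
    # a key would only fail below in sign() with PKCS1v15 padding.  An
    # explicit isinstance check against rsa.RSAPrivateKey would give a
    # clearer error if that module is available in this file.
    hhash = self.__get_hash_by_name(self.hash_alg)
    data = misc.force_bytes(
        self.actions_to_str(acts, generic.Action.sig_version))
    # One-shot sign() replaces the deprecated signer()/update()/finalize()
    # streaming API, which later cryptography releases no longer provide.
    signature = priv_key.sign(data, padding.PKCS1v15(), hhash())
    self.attrs["value"] = misc.binary_to_hex(signature)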
def __make_tmp_cert(d, pth):
    """Copy the PEM certificate at 'pth' into a fresh temp file under 'd'.

    The certificate is parsed with M2Crypto first, so an unreadable file
    is rejected with api_errors.BadFileFormat rather than being copied
    blindly.  The re-serialized PEM is written to a mkstemp() file in
    'd' and that file's path is returned.
    """
    try:
        parsed = m2.X509.load_cert(pth)
    except m2.X509.X509Error:
        raise api_errors.BadFileFormat(
            _("The file {0} was expected to "
            "be a PEM certificate but it could not be read.").format(pth))
    handle, tmp_path = tempfile.mkstemp(dir=d)
    out = os.fdopen(handle, "wb")
    try:
        out.write(parsed.as_pem())
    finally:
        out.close()
    return tmp_path
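def __make_tmp_cert(d, pth):
    """Copy the PEM certificate at 'pth' into a fresh temp file under 'd'.

    The certificate is parsed first, so a missing or malformed file is
    rejected with api_errors.BadFileFormat rather than being copied
    blindly.  The re-serialized PEM is written to a mkstemp() file in
    'd' (created by the stdlib with owner-only permissions) and that
    file's path is returned.  If writing fails, the temp file is removed
    on a best-effort basis before the error propagates.
    """
    try:
        with open(pth, "rb") as f:
            cert = x509.load_pem_x509_certificate(f.read(), default_backend())
    except (ValueError, IOError):
        # ValueError: not a parseable PEM certificate; IOError: the file
        # could not be opened or read at all.
        raise api_errors.BadFileFormat(
            _("The file {0} was expected to "
            "be a PEM certificate but it could not be read.").format(pth))
    fd, fp = tempfile.mkstemp(dir=d)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(cert.public_bytes(serialization.Encoding.PEM))
    except Exception:
        # Don't leave a partial temp file behind when the write fails;
        # the cleanup itself is best-effort so the original error wins.
        try:
            os.unlink(fp)
        except OSError:
            pass
        raise
    return fp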