def _maybe_create_challenge_key(self):
    """Create the challenge key file on first run.

    No-op when ``self._challenge_key_file`` already exists. Otherwise a
    fresh SECP384R1 private key is generated and handed to
    ``cert_utils.write_key`` for persistence (the file permissions are
    whatever that helper applies — not visible here).
    """
    key_path = self._challenge_key_file
    if os.path.exists(key_path):
        return
    logging.info('Generating challenge key and written into %s', key_path)
    new_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
    cert_utils.write_key(new_key, key_path)
def load_public_key_to_base64der(self):
    """Round-trip a public key through ``cu.load_public_key_to_base64der``.

    Writes a fresh SECP384R1 key with ``cu.write_key``, reads its public
    half back as base64-encoded DER, decodes it and checks it equals the
    original key's public key.

    NOTE(review): the name has no ``test`` prefix, so a unittest/pytest
    collector will skip it — confirm that is intended.
    """
    with TemporaryDirectory(prefix='/tmp/test_cert_utils') as temp_dir:
        key_path = os.path.join(temp_dir, 'test.key')
        private_key = ec.generate_private_key(ec.SECP384R1(), default_backend())
        cu.write_key(private_key, key_path)
        encoded = cu.load_public_key_to_base64der(key_path)
        decoded_der = base64.b64decode(encoded)
        loaded_pub = serialization.load_der_public_key(decoded_der, default_backend())
        self.assertEqual(loaded_pub, private_key.public_key())
def test_key(self):
    """Check that ``cu.write_key`` followed by ``cu.load_key`` round-trips.

    Both the generated and the reloaded key are serialized as unencrypted
    TraditionalOpenSSL PEM and compared byte-for-byte.
    """
    pem_args = (
        serialization.Encoding.PEM,
        serialization.PrivateFormat.TraditionalOpenSSL,
        serialization.NoEncryption(),
    )
    with TemporaryDirectory(prefix='/tmp/test_cert_utils') as temp_dir:
        key_path = os.path.join(temp_dir, 'test.key')
        original = ec.generate_private_key(ec.SECP384R1(), default_backend())
        cu.write_key(original, key_path)
        reloaded = cu.load_key(key_path)
        self.assertEqual(
            original.private_bytes(*pem_args),
            reloaded.private_bytes(*pem_args),
        )
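async def _request_sign_done_success(self, cert):
    """Persist the signed certificate and finish the bootstrap.

    Args:
        cert: RequestSign response; ``cert.cert_der`` is expected to hold
            the DER-encoded signed gateway certificate.

    An invalid certificate, or a failure to write the key/cert files,
    reschedules the bootstrap and returns without touching
    ``self._gateway_key``. The success callback fires and the in-memory
    key is dropped only after both files have been written.
    """
    if not self._is_valid_certificate(cert):
        BOOTSTRAP_EXCEPTION.labels(cause='RequestSignDoneInvalidCert').inc()
        self._schedule_next_bootstrap(hard_failure=True)
        return
    try:
        cert_utils.write_key(self._gateway_key, self._gateway_key_file)
        cert_utils.write_cert(cert.cert_der, self._gateway_cert_file)
    except Exception as exp:
        BOOTSTRAP_EXCEPTION.labels(
            cause='RequestSignDoneWriteCert:%s' % type(exp).__name__).inc()
        logging.error('Failed to write cert: %s', exp)
        # Without persisted credentials the gateway is not bootstrapped:
        # previously this fell through, discarded the only copy of the
        # key and reported success. Retry instead. hard_failure=True
        # mirrors the invalid-certificate branch; what interval it selects
        # is defined outside this block — confirm.
        self._schedule_next_bootstrap(hard_failure=True)
        return
    # need to restart control_proxy
    await self._bootstrap_success_cb(True)
    # Key is on disk now; drop the in-memory copy.
    self._gateway_key = None
    self._schedule_next_bootstrap_check()
    logging.info("Bootstrapped Successfully!")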
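def _request_sign_done(self, future):
    """Callback for RequestSign.future

    1. check whether future correctly returns
    2. check whether returned cert is valid
    3. write key and cert into files, reset self._gateway_key to None

    If any step fails (RPC error, invalid cert, or a failed write of the
    key/cert files), call _retry_bootstrap and leave self._gateway_key
    untouched. Otherwise call the success callback and
    _schedule_periodic_bootstrap_check.

    Args:
        future: Future object returned by async RequestSign gRPC call
    """
    err = future.exception()
    if err:
        # NOTE(review): assumes a gRPC RpcError exposing code()/details();
        # any other exception type would raise AttributeError here.
        err = 'RequestSign error! [%s], %s' % (err.code(), err.details())
        BOOTSTRAP_EXCEPTION.labels(cause='RequestSignDoneResp').inc()
        logging.error(err)
        self._retry_bootstrap(hard_failure=False)
        return
    cert = future.result()
    if not self._is_valid_certificate(cert):
        BOOTSTRAP_EXCEPTION.labels(
            cause='RequestSignDoneInvalidCert').inc()
        self._retry_bootstrap(hard_failure=True)
        return
    try:
        cert_utils.write_key(self._gateway_key, self._gateway_key_file)
        cert_utils.write_cert(cert.cert_der, self._gateway_cert_file)
    except Exception as exp:
        BOOTSTRAP_EXCEPTION.labels(
            cause='RequestSignDoneWriteCert:%s' % type(exp).__name__).inc()
        logging.error('Failed to write cert: %s', exp)
        # Previously this fell through to the success path, discarding the
        # only copy of the key and restarting control_proxy without
        # persisted credentials. Retry instead. hard_failure=True mirrors
        # the invalid-certificate branch; its retry interval is defined
        # outside this block — confirm.
        self._retry_bootstrap(hard_failure=True)
        return
    logging.info('Bootstrap succeeds')
    # need to restart control_proxy
    self._bootstrap_success_cb(True)
    # Key is on disk now; drop the in-memory copy.
    self._gateway_key = None
    self._schedule_periodic_bootstrap_check()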