def encrypt_data( sender_privkey_pem, receiver_pubkey_pem, data ):
rc, enc_data = c_syndicate.encrypt_data( sender_privkey_pem, receiver_pubkey_pem, data )
if rc != 0:
log.error("encrypt_data rc = %s" % rc)
return None
return enc_data
"""
Encrypt and serialize the slice secret with the Observer private key
"""
# get the public key
try:
observer_pubkey_pem = CryptoKey.importKey(
observer_pkey_pem).publickey().exportKey()
except Exception, e:
logger.exception(e)
logger.error("Failed to derive public key from private key")
return None
# encrypt the data
rc, sealed_slice_secret = c_syndicate.encrypt_data(observer_pkey_pem,
observer_pubkey_pem,
slice_secret)
if rc != 0:
logger.error("Failed to encrypt slice secret")
return None
sealed_slice_secret_b64 = base64.b64encode(sealed_slice_secret)
return sealed_slice_secret_b64
#-------------------------------
def decrypt_slice_secret(observer_pkey_pem, sealed_slice_secret_b64):
"""
Unserialize and decrypt a slice secret
def make_host_provision_plan(
config,
sender_privkey_pem,
host_pubkey_pem,
hostname,
volumes,
gateway_pkey_generator=default_gateway_pkey_generator):
"""
Generate a signed host-specific volume and gateway listing.
@config: client configuration
@sender_privkey_pem: sender's private key, to sign the listing
@host_pubkey_pem: recipient's public key, to encrypt initial gateway keys and user private keys
@hostname: name of host on which the gateways run
@volumes: list of volume names
@gateway_pkey_generator: a callback that takes (config, volume name) and returns the gateway's initial public key
Return a dict with the structure:
{
"volume_name": {
"gateways": {
"__pkey__": "encrypted pkey",
"gateway_name": "gateway_cert_b64",
"gateway_name": "gateway_cert_b64",
...
},
"users": {
user_id: {
"pkey": "encrypted pkey",
"cert": "user_cert_b64"
}
...
}
}
...
}
where each volume named has only the gateway
certificates on this particular host.
Because we create one initial gateway private key
per volume, we only need to give that singular private
key back. The automounter will change the public key
once it gets the private key.
"""
ret = {}
for volume_name in volumes:
# get the volume ID
volume_cert = object_stub.load_volume_cert(config, volume_name)
if volume_cert is None:
log.error("No such volume '%s'" % volume_name)
return {}
volume_id = volume_cert.volume_id
# find all gateways in this volume, on this host
gateway_certs = list_volume_gateways_by_host(config, volume_id,
hostname)
if gateway_certs is None:
log.error("Failed to load gateway certs for '%s'" % volume_name)
return {}
if len(gateway_certs) == 0:
# no relevant gateways
continue
# find all associated user certs and their private keys, and serialize them
user_certs = {}
serialized_gateway_certs = {}
for gateway_cert in gateway_certs:
# user cert
user_cert = object_stub.load_user_cert(config,
gateway_cert.owner_id)
if user_cert is None:
log.error("No such user '%s'" % gateway_cert.owner_id)
return {}
log.debug("User '%s' owns gateway '%s'" %
(user_cert.email, gateway_cert.name))
# user private key
user_pkey = storage.load_private_key(config, "user",
user_cert.email)
if user_pkey is None:
log.error("No such user private key '%s'" % user_cert.email)
return {}
user_pkey_pem = user_pkey.exportKey()
rc, user_pkey_pem_enc = libsyndicate.encrypt_data(
sender_privkey_pem, host_pubkey_pem, user_pkey_pem)
if rc != 0:
log.error("Failed to encrypt key for '%s', rc = %s" %
(user_cert.email, rc))
return {}
user_certs[str(gateway_cert.owner_id)] = {
"cert": base64.b64encode(user_cert.SerializeToString()),
"pkey": base64.b64encode(user_pkey_pem_enc)
}
serialized_gateway_certs[gateway_cert.name] = base64.b64encode(
gateway_cert.SerializeToString())
# encrypt the private key for this volume's gateways...
pkey_pem = gateway_pkey_generator(config, volume_name)
if pkey_pem is None:
log.debug("Failed to generate gateway key for '%s'" % volume_name)
continue
rc, pkey_pem_enc = libsyndicate.encrypt_data(sender_privkey_pem,
host_pubkey_pem, pkey_pem)
if rc != 0:
log.error("Failed to encrypt response; rc = %d\n", rc)
return {}
serialized_gateway_certs["__pkey__"] = base64.b64encode(pkey_pem_enc)
# done with this volume
ret[volume_name] = {
"gateways": serialized_gateway_certs,
"users": user_certs
}
return ret
def make_host_provision_plan(config, sender_privkey_pem, host_pubkey_pem, hostname, volumes, gateway_pkey_generator=default_gateway_pkey_generator):
"""
Generate a signed host-specific volume and gateway listing.
@config: client configuration
@sender_privkey_pem: sender's private key, to sign the listing
@host_pubkey_pem: recipient's public key, to encrypt initial gateway keys and user private keys
@hostname: name of host on which the gateways run
@volumes: list of volume names
@gateway_pkey_generator: a callback that takes (config, volume name) and returns the gateway's initial public key
Return a dict with the structure:
{
"volume_name": {
"gateways": {
"__pkey__": "encrypted pkey",
"gateway_name": "gateway_cert_b64",
"gateway_name": "gateway_cert_b64",
...
},
"users": {
user_id: {
"pkey": "encrypted pkey",
"cert": "user_cert_b64"
}
...
}
}
...
}
where each volume named has only the gateway
certificates on this particular host.
Because we create one initial gateway private key
per volume, we only need to give that singular private
key back. The automounter will change the public key
once it gets the private key.
"""
ret = {}
for volume_name in volumes:
# get the volume ID
volume_cert = object_stub.load_volume_cert(config, volume_name)
if volume_cert is None:
log.error("No such volume '%s'" % volume_name)
return {}
volume_id = volume_cert.volume_id
# find all gateways in this volume, on this host
gateway_certs = list_volume_gateways_by_host(config, volume_id, hostname)
if gateway_certs is None:
log.error("Failed to load gateway certs for '%s'" % volume_name)
return {}
if len(gateway_certs) == 0:
# no relevant gateways
continue
# find all associated user certs and their private keys, and serialize them
user_certs = {}
serialized_gateway_certs = {}
for gateway_cert in gateway_certs:
# user cert
user_cert = object_stub.load_user_cert(config, gateway_cert.owner_id)
if user_cert is None:
log.error("No such user '%s'" % gateway_cert.owner_id)
return {}
log.debug("User '%s' owns gateway '%s'" % (user_cert.email, gateway_cert.name))
# user private key
user_pkey = storage.load_private_key(config, "user", user_cert.email)
if user_pkey is None:
log.error("No such user private key '%s'" % user_cert.email)
return {}
user_pkey_pem = user_pkey.exportKey()
rc, user_pkey_pem_enc = libsyndicate.encrypt_data(sender_privkey_pem, host_pubkey_pem, user_pkey_pem)
if rc != 0:
log.error("Failed to encrypt key for '%s', rc = %s" % (user_cert.email, rc))
return {}
user_certs[ str(gateway_cert.owner_id) ] = {
"cert": base64.b64encode(user_cert.SerializeToString()),
"pkey": base64.b64encode(user_pkey_pem_enc)
}
serialized_gateway_certs[gateway_cert.name] = base64.b64encode(gateway_cert.SerializeToString())
# encrypt the private key for this volume's gateways...
pkey_pem = gateway_pkey_generator(config, volume_name)
if pkey_pem is None:
log.debug("Failed to generate gateway key for '%s'" % volume_name)
continue
rc, pkey_pem_enc = libsyndicate.encrypt_data(sender_privkey_pem, host_pubkey_pem, pkey_pem)
if rc != 0:
log.error("Failed to encrypt response; rc = %d\n", rc)
return {}
serialized_gateway_certs["__pkey__"] = base64.b64encode(pkey_pem_enc)
# done with this volume
ret[volume_name] = {
"gateways": serialized_gateway_certs,
"users": user_certs
}
return ret
#-------------------------------
def encrypt_slice_secret( observer_pkey_pem, slice_secret ):
"""
Encrypt and serialize the slice secret with the Observer private key
"""
# get the public key
try:
observer_pubkey_pem = CryptoKey.importKey( observer_pkey_pem ).publickey().exportKey()
except Exception, e:
logger.exception(e)
logger.error("Failed to derive public key from private key")
return None
# encrypt the data
rc, sealed_slice_secret = c_syndicate.encrypt_data( observer_pkey_pem, observer_pubkey_pem, slice_secret )
if rc != 0:
logger.error("Failed to encrypt slice secret")
return None
sealed_slice_secret_b64 = base64.b64encode( sealed_slice_secret )
return sealed_slice_secret_b64
#-------------------------------
def decrypt_slice_secret( observer_pkey_pem, sealed_slice_secret_b64 ):
"""
Unserialize and decrypt a slice secret
"""
