Exemplo n.º 1
0
def cms_verify(formatted,
               signing_cert_file_name,
               ca_file_name,
               inform=PKI_ASN1_FORM):
    """Verify the signature of the contents IAW CMS syntax.

    :raises subprocess.CalledProcessError:
    :raises keystoneclient.exceptions.CertificateConfigError: if certificate
                                                              is not configured
                                                              properly.
    """
    _ensure_subprocess()
    if isinstance(formatted, six.string_types):
        data = bytearray(formatted, _encoding_for_form(inform))
    else:
        data = formatted
    process = subprocess.Popen([
        'openssl', 'cms', '-verify', '-certfile', signing_cert_file_name,
        '-CAfile', ca_file_name, '-inform', 'PEM', '-nosmimecap', '-nodetach',
        '-nocerts', '-noattr'
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               close_fds=True)
    output, err, retcode = _process_communicate_handle_oserror(
        process, data, (signing_cert_file_name, ca_file_name))

    # Do not log errors, as some happen in the positive thread
    # instead, catch them in the calling code and log them there.

    # When invoke the openssl >= 1.1.0 with not exist file, return code should
    # be 2 instead of 1 and error msg will be returned.
    # You can get more from
    # https://www.openssl.org/docs/man1.1.0/apps/cms.html#EXIT-CODES
    #
    # $ openssl cms -verify -certfile not_exist_file -CAfile
    #       not_exist_file -inform PEM -nosmimecap -nodetach
    #       -nocerts -noattr
    # openssl < 1.1.0 returns
    # Error opening certificate file not_exist_file
    # openssl >= 1.1.0 returns
    # cms: Cannot open input file not_exist_file, No such file or directory
    #
    if retcode == OpensslCmsExitStatus.INPUT_FILE_READ_ERROR:
        if err.startswith('Error reading S/MIME message'):
            raise exceptions.CMSError(err)
        else:
            raise exceptions.CertificateConfigError(err)
    # workaround for OpenSSL >= 1.1.0,
    # should return OpensslCmsExitStatus.INPUT_FILE_READ_ERROR
    elif retcode == OpensslCmsExitStatus.COMMAND_OPTIONS_PARSING_ERROR:
        if err.startswith('cms: Cannot open input file'):
            raise exceptions.CertificateConfigError(err)
        else:
            raise subprocess.CalledProcessError(retcode, 'openssl', output=err)
    elif retcode != OpensslCmsExitStatus.SUCCESS:
        raise subprocess.CalledProcessError(retcode, 'openssl', output=err)
    return output
Exemplo n.º 2
0
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
    """Verifies the signature of the contents IAW CMS syntax.

    :raises: subprocess.CalledProcessError
    """
    _ensure_subprocess()
    process = subprocess.Popen([
        "openssl", "cms", "-verify", "-certfile", signing_cert_file_name,
        "-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap", "-nodetach",
        "-nocerts", "-noattr"
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
    output, err = process.communicate(formatted)
    retcode = process.poll()
    if retcode:
        # Do not log errors, as some happen in the positive thread
        # instead, catch them in the calling code and log them there.
        # NOTE(dmllr): Python 2.6 compatibility:
        # CalledProcessError did not have output keyword argument
        e = subprocess.CalledProcessError(retcode, "openssl")
        e.output = err
        raise e
    return output
Exemplo n.º 3
0
def cms_sign_text(text, signing_cert_file_name, signing_key_file_name):
    """ Uses OpenSSL to sign a document
    Produces a Base64 encoding of a DER formatted CMS Document
    http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
    """
    _ensure_subprocess()
    process = subprocess.Popen([
        "openssl", "cms", "-sign", "-signer", signing_cert_file_name, "-inkey",
        signing_key_file_name, "-outform", "PEM", "-nosmimecap", "-nodetach",
        "-nocerts", "-noattr"
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
    output, err = process.communicate(text)
    retcode = process.poll()
    if retcode or "Error" in err:
        if retcode == 3:
            LOG.error(
                _("Signing error: Unable to load certificate - "
                  "ensure you've configured PKI with "
                  "'keystone-manage pki_setup'"))
        else:
            LOG.error(_('Signing error: %s') % err)
        raise subprocess.CalledProcessError(retcode, "openssl")
    return output
Exemplo n.º 4
0
def cms_verify(formatted,
               signing_cert_file_name,
               ca_file_name,
               inform=PKI_ASN1_FORM):
    """Verifies the signature of the contents IAW CMS syntax.

    :raises subprocess.CalledProcessError:
    :raises keystoneclient.exceptions.CertificateConfigError: if certificate
                                                              is not configured
                                                              properly.
    """
    _ensure_subprocess()
    if isinstance(formatted, six.string_types):
        data = bytearray(formatted, _encoding_for_form(inform))
    else:
        data = formatted
    process = subprocess.Popen([
        'openssl', 'cms', '-verify', '-certfile', signing_cert_file_name,
        '-CAfile', ca_file_name, '-inform', 'PEM', '-nosmimecap', '-nodetach',
        '-nocerts', '-noattr'
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               close_fds=True)
    output, err, retcode = _process_communicate_handle_oserror(
        process, data, (signing_cert_file_name, ca_file_name))

    # Do not log errors, as some happen in the positive thread
    # instead, catch them in the calling code and log them there.

    # When invoke the openssl with not exist file, return code 2
    # and error msg will be returned.
    # You can get more from
    # http://www.openssl.org/docs/apps/cms.html#EXIT_CODES
    #
    # $ openssl cms -verify -certfile not_exist_file -CAfile
    #       not_exist_file -inform PEM -nosmimecap -nodetach
    #       -nocerts -noattr
    # Error opening certificate file not_exist_file
    #
    if retcode == OpensslCmsExitStatus.INPUT_FILE_READ_ERROR:
        if err.startswith('Error reading S/MIME message'):
            raise exceptions.CMSError(err)
        else:
            raise exceptions.CertificateConfigError(err)
    elif retcode != OpensslCmsExitStatus.SUCCESS:
        # NOTE(dmllr): Python 2.6 compatibility:
        # CalledProcessError did not have output keyword argument
        e = subprocess.CalledProcessError(retcode, 'openssl')
        e.output = err
        raise e
    return output
Exemplo n.º 5
0
def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
                  outform=PKI_ASN1_FORM,
                  message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
    """Uses OpenSSL to sign a document.

    Produces a Base64 encoding of a DER formatted CMS Document
    http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax

    :param data_to_sign: data to sign
    :param signing_cert_file_name:  path to the X509 certificate containing
        the public key associated with the private key used to sign the data
    :param signing_key_file_name: path to the private key used to sign
        the data
    :param outform: Format for the signed document PKIZ_CMS_FORM or
        PKI_ASN1_FORM
    :param message_digest: Digest algorithm to use when signing or resigning

    """
    _ensure_subprocess()
    if isinstance(data_to_sign, six.string_types):
        data = bytearray(data_to_sign, encoding='utf-8')
    else:
        data = data_to_sign
    process = subprocess.Popen(['openssl', 'cms', '-sign',
                                '-signer', signing_cert_file_name,
                                '-inkey', signing_key_file_name,
                                '-outform', 'PEM',
                                '-nosmimecap', '-nodetach',
                                '-nocerts', '-noattr',
                                '-md', message_digest, ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               close_fds=True)

    output, err, retcode = _process_communicate_handle_oserror(
        process, data, (signing_cert_file_name, signing_key_file_name))

    if retcode != OpensslCmsExitStatus.SUCCESS or ('Error' in err):
        if retcode == OpensslCmsExitStatus.CREATE_CMS_READ_MIME_ERROR:
            LOG.error(_LE('Signing error: Unable to load certificate - '
                          'ensure you have configured PKI with '
                          '"keystone-manage pki_setup"'))
        else:
            LOG.error(_LE('Signing error: %s'), err)
        raise subprocess.CalledProcessError(retcode, 'openssl')
    if outform == PKI_ASN1_FORM:
        return output.decode('utf-8')
    else:
        return output
Exemplo n.º 6
0
def cms_sign_data(data_to_sign,
                  signing_cert_file_name,
                  signing_key_file_name,
                  outform=PKI_ASN1_FORM):
    """Uses OpenSSL to sign a document.

    Produces a Base64 encoding of a DER formatted CMS Document
    http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax

    :param data_to_sign: data to sign
    :param signing_cert_file_name:  path to the X509 certificate containing
        the public key associated with the private key used to sign the data
    :param signing_key_file_name: path to the private key used to sign
        the data
    :param outform: Format for the signed document PKIZ_CMS_FORM or
        PKI_ASN1_FORM


    """
    _ensure_subprocess()
    if isinstance(data_to_sign, six.string_types):
        data = bytearray(data_to_sign, encoding='utf-8')
    else:
        data = data_to_sign
    process = subprocess.Popen([
        'openssl', 'cms', '-sign', '-signer', signing_cert_file_name, '-inkey',
        signing_key_file_name, '-outform', 'PEM', '-nosmimecap', '-nodetach',
        '-nocerts', '-noattr'
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)

    output, err, retcode = _process_communicate_handle_oserror(
        process, data, (signing_cert_file_name, signing_key_file_name))

    if retcode or ('Error' in err):
        LOG.error('Signing error: %s', err)
        if retcode == 3:
            LOG.error('Signing error: Unable to load certificate - '
                      'ensure you have configured PKI with '
                      '"keystone-manage pki_setup"')
        else:
            LOG.error('Signing error: %s', err)
        raise subprocess.CalledProcessError(retcode, 'openssl')
    if outform == PKI_ASN1_FORM:
        return output.decode('utf-8')
    else:
        return output
Exemplo n.º 7
0
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
    """Verifies the signature of the contents IAW CMS syntax."""
    _ensure_subprocess()
    process = subprocess.Popen([
        "openssl", "cms", "-verify", "-certfile", signing_cert_file_name,
        "-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap", "-nodetach",
        "-nocerts", "-noattr"
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
    output, err = process.communicate(formatted)
    retcode = process.poll()
    if retcode:
        LOG.error(_('Verify error: %s') % err)
        raise subprocess.CalledProcessError(retcode, "openssl", output=err)
    return output
Exemplo n.º 8
0
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
    """Verifies the signature of the contents IAW CMS syntax.

    :raises: subprocess.CalledProcessError
    :raises: CertificateConfigError if certificate is not configured properly.
    """
    _ensure_subprocess()
    process = subprocess.Popen([
        "openssl", "cms", "-verify", "-certfile", signing_cert_file_name,
        "-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap", "-nodetach",
        "-nocerts", "-noattr"
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE,
                               universal_newlines=True)
    output, err, retcode = _process_communicate_handle_oserror(
        process, formatted, (signing_cert_file_name, ca_file_name))

    # Do not log errors, as some happen in the positive thread
    # instead, catch them in the calling code and log them there.

    # When invoke the openssl with not exist file, return code 2
    # and error msg will be returned.
    # You can get more from
    # http://www.openssl.org/docs/apps/cms.html#EXIT_CODES
    #
    # $ openssl cms -verify -certfile not_exist_file -CAfile \
    #       not_exist_file -inform PEM -nosmimecap -nodetach \
    #       -nocerts -noattr
    # Error opening certificate file not_exist_file
    #
    if retcode == 2:
        raise exceptions.CertificateConfigError(err)
    elif retcode:
        # NOTE(dmllr): Python 2.6 compatibility:
        # CalledProcessError did not have output keyword argument
        e = subprocess.CalledProcessError(retcode, "openssl")
        e.output = err
        raise e
    return output
Exemplo n.º 9
0
def cms_sign_text(text, signing_cert_file_name, signing_key_file_name):
    """Uses OpenSSL to sign a document.

    Produces a Base64 encoding of a DER formatted CMS Document
    http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
    """
    _ensure_subprocess()
    process = subprocess.Popen([
        "openssl", "cms", "-sign", "-signer", signing_cert_file_name, "-inkey",
        signing_key_file_name, "-outform", "PEM", "-nosmimecap", "-nodetach",
        "-nocerts", "-noattr"
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
    output, err = process.communicate(text)
    retcode = process.poll()
    if retcode or "Error" in err:
        LOG.error('Signing error: %s' % err)
        raise subprocess.CalledProcessError(retcode, "openssl")
    return output
Exemplo n.º 10
0
Arquivo: cms.py Projeto: hl10502/vsm
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
    """
        verifies the signature of the contents IAW CMS syntax
    """
    _ensure_subprocess()
    process = subprocess.Popen([
        "openssl", "cms", "-verify", "-certfile", signing_cert_file_name,
        "-CAfile", ca_file_name, "-inform", "PEM", "-nosmimecap", "-nodetach",
        "-nocerts", "-noattr"
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)
    output, err = process.communicate(formatted)
    retcode = process.poll()
    if retcode:
        LOG.error('Verify error: %s' % err)
        # NOTE(dmllr): Python 2.6 compatibility:
        # CalledProcessError did not have output keyword argument
        e = subprocess.CalledProcessError(retcode, "openssl")
        e.output = err
        raise e
    return output
Exemplo n.º 11
0
def cms_sign_text(text, signing_cert_file_name, signing_key_file_name):
    """Uses OpenSSL to sign a document.

    Produces a Base64 encoding of a DER formatted CMS Document
    http://en.wikipedia.org/wiki/Cryptographic_Message_Syntax
    """
    _ensure_subprocess()
    data = bytearray(text, encoding='utf-8')
    process = subprocess.Popen([
        'openssl', 'cms', '-sign', '-signer', signing_cert_file_name, '-inkey',
        signing_key_file_name, '-outform', 'PEM', '-nosmimecap', '-nodetach',
        '-nocerts', '-noattr'
    ],
                               stdin=subprocess.PIPE,
                               stdout=subprocess.PIPE,
                               stderr=subprocess.PIPE)

    output, err, retcode = _process_communicate_handle_oserror(
        process, data, (signing_cert_file_name, signing_key_file_name))

    if retcode or ('Error' in err):
        LOG.error('Signing error: %s' % err)
        raise subprocess.CalledProcessError(retcode, 'openssl')
    return output.decode('utf-8')