def _encrypt(self):
"""Use your key thing to encrypt things."""
from M2Crypto import BIO, SMIME, X509
CERT = self.settings.private_cert
PUB_CERT = self.settings.public_cert
PAYPAL_CERT = self.settings.paypal_cert
CERT_ID = self.settings.cert_id
# Iterate through the fields and pull out the ones that have a value.
plaintext = 'cert_id=%s' % CERT_ID
for name, value in self.items.iteritems():
plaintext += '\n%s=%s' % (name, value)
#plaintext = plaintext.encode('utf-8')
# Begin crypto weirdness.
s = SMIME.SMIME()
s.load_key_bio(BIO.openfile(CERT), BIO.openfile(PUB_CERT))
p7 = s.sign(BIO.MemoryBuffer(plaintext), flags=SMIME.PKCS7_BINARY)
x509 = X509.load_cert_bio(BIO.openfile(PAYPAL_CERT))
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
tmp = BIO.MemoryBuffer()
p7.write_der(tmp)
p7 = s.encrypt(tmp, flags=SMIME.PKCS7_BINARY)
out = BIO.MemoryBuffer()
p7.write(out)
return out.read()
def _encrypt(self):
"""Use your key thing to encrypt things."""
from M2Crypto import BIO, SMIME, X509
# Iterate through the fields and pull out the ones that have a value.
plaintext = 'cert_id=%s\n' % self.cert_id
for name, field in self.fields.items():
value = None
if name in self.initial:
value = self.initial[name]
elif field.initial is not None:
value = field.initial
if value is not None:
# @@@ Make this less hackish and put it in the widget.
if name == "return_url":
name = "return"
plaintext += u'%s=%s\n' % (name, value)
plaintext = plaintext.encode('utf-8')
# Begin crypto weirdness.
s = SMIME.SMIME()
s.load_key_bio(BIO.openfile(self.private_cert), BIO.openfile(self.public_cert))
p7 = s.sign(BIO.MemoryBuffer(plaintext), flags=SMIME.PKCS7_BINARY)
x509 = X509.load_cert_bio(BIO.openfile(self.paypal_cert))
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
tmp = BIO.MemoryBuffer()
p7.write_der(tmp)
p7 = s.encrypt(tmp, flags=SMIME.PKCS7_BINARY)
out = BIO.MemoryBuffer()
p7.write(out)
return out.read()
def create_signature_block(openssl_digest, certificate, private_key, data):
"""Produces a signature block for the data.
Reference
---------
http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
Note: Oracle does not specify the content of the "signature
file block", friendly saying that "These are binary files
not intended to be interpreted by humans".
:param openssl_digest: alrogithm known to OpenSSL used to digest the data
:type openssl_digest: str
TODO: it is not used. M2Crypto cannot pass the signing digest.
:param certificate: filename of the certificate file (PEM format)
:type certificate: str
:param private_key:filename of private key used to sign (PEM format)
:type private_key: str
:param data: the content to be signed
:type data: str
:returns: content of the signature block file as produced by jarsigner
:rtype: str
"""
smime = SMIME.SMIME()
smime.load_key_bio(BIO.openfile(private_key), BIO.openfile(certificate))
pkcs7 = smime.sign(BIO.MemoryBuffer(data), flags=SMIME.PKCS7_BINARY)
tmp = BIO.MemoryBuffer()
pkcs7.write_der(tmp)
return tmp.read()
def test_load_bio(self):
bio = BIO.openfile('tests/x509.pem')
bio2 = BIO.openfile('tests/x509.der')
x509 = X509.load_cert_bio(bio)
x5092 = X509.load_cert_bio(bio2, format=X509.FORMAT_DER)
assert x509.as_text() == x5092.as_text()
assert x509.as_pem() == x5092.as_pem()
assert x509.as_der() == x5092.as_der()
return
def test_load_bio(self):
with BIO.openfile('tests/x509.pem') as bio:
with BIO.openfile('tests/x509.der') as bio2:
x509 = X509.load_cert_bio(bio)
x5092 = X509.load_cert_bio(bio2, format=X509.FORMAT_DER)
with self.assertRaises(ValueError):
X509.load_cert_bio(bio2, format=45678)
self.assertEqual(x509.as_text(), x5092.as_text())
self.assertEqual(x509.as_pem(), x5092.as_pem())
self.assertEqual(x509.as_der(), x5092.as_der())
def test_load_bio(self):
bio = BIO.openfile('tests/x509.pem')
bio2 = BIO.openfile('tests/x509.der')
x509 = X509.load_cert_bio(bio)
x5092 = X509.load_cert_bio(bio2, format=X509.FORMAT_DER)
self.assertRaises(ValueError, X509.load_cert_bio, bio2, format=45678)
assert x509.as_text() == x5092.as_text()
assert x509.as_pem() == x5092.as_pem()
assert x509.as_der() == x5092.as_der()
return
def form_encrypted(self, data):
"""Return an s/mime encrypted form. Refer to
http://sandbox.rulemaker.net/ngps/m2/howto.smime.html for instructions."""
from M2Crypto import BIO, SMIME, X509
certid = self.settings["PUBLIC_CERT_ID"]
ret = ['CERT_ID=%s' % certid]
ret.extend([u'%s=%s' % (key, val) for key, val in data.items() if val])
raw = "\n".join(ret)
raw = raw.encode('utf-8')
self.log_extra('Plaintext form: %s', raw)
# encrypt the plaintext
# make an smime object
s = SMIME.SMIME()
# load our public and private keys
s.load_key_bio(BIO.openfile(self.localprikey), BIO.openfile(self.localpubkey))
# put the data in the buffer
buf = BIO.MemoryBuffer(raw)
# sign the text
p7 = s.sign(buf, flags=SMIME.PKCS7_BINARY)
# Load target cert to encrypt to.
x509 = X509.load_cert_bio(BIO.openfile(self.paypalpubkey))
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
# Set cipher: 3-key triple-DES in CBC mode.
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
# save data to buffer
tmp = BIO.MemoryBuffer()
p7.write_der(tmp)
# encrypt
p7 = s.encrypt(tmp, flags=SMIME.PKCS7_BINARY)
out = BIO.MemoryBuffer()
# write into a new buffer
p7.write(out)
# read the result
form = out.read()
self.log_extra('Encrypted form: %s', form)
return mark_safe(u"""<input type="hidden" name="cmd" value="_s-xclick" />
<input type="hidden" name="encrypted" value="%s" />
""" % form)
def setUp(self):
s = SMIME.SMIME()
s.load_key('tests/signer_key.pem', 'tests/signer.pem')
p7 = s.sign(BIO.MemoryBuffer('some text'))
self.filename = 'tests/sig.p7'
f = BIO.openfile(self.filename, 'wb')
assert p7.write(f) == 1
f.close()
self.filenameSmime = 'tests/sig.p7s'
f = BIO.openfile(self.filenameSmime, 'wb')
assert s.write(f, p7, BIO.MemoryBuffer('some text')) == 1
f.close()
def setUp(self):
s = SMIME.SMIME()
s.load_key('tests/signer_key.pem', 'tests/signer.pem')
p7 = s.sign(BIO.MemoryBuffer('some text'))
self.filename = 'tests/sig.p7'
f = BIO.openfile(self.filename, 'wb')
self.assertEqual(p7.write(f), 1)
f.close()
p7 = s.sign(BIO.MemoryBuffer('some text'), SMIME.PKCS7_DETACHED)
self.filenameSmime = 'tests/sig.p7s'
f = BIO.openfile(self.filenameSmime, 'wb')
self.assertEqual(s.write(f, p7, BIO.MemoryBuffer('some text')), 1)
f.close()
def setUp(self):
s = SMIME.SMIME()
s.load_key("tests/signer_key.pem", "tests/signer.pem")
p7 = s.sign(BIO.MemoryBuffer("some text"))
self.filename = "tests/sig.p7"
f = BIO.openfile(self.filename, "wb")
assert p7.write(f) == 1
f.close()
p7 = s.sign(BIO.MemoryBuffer("some text"), SMIME.PKCS7_DETACHED)
self.filenameSmime = "tests/sig.p7s"
f = BIO.openfile(self.filenameSmime, "wb")
assert s.write(f, p7, BIO.MemoryBuffer("some text")) == 1
f.close()
def setUp(self):
s = SMIME.SMIME()
s.load_key('tests/signer_key.pem', 'tests/signer.pem')
p7 = s.sign(BIO.MemoryBuffer(b'some text'))
self.filename = 'tests/sig.p7'
with BIO.openfile(self.filename, 'wb') as f:
self.assertEqual(p7.write(f), 1)
self.filename_der = 'tests/sig.p7.der'
with BIO.openfile(self.filename_der, 'wb') as f:
self.assertEqual(p7.write_der(f), 1)
p7 = s.sign(BIO.MemoryBuffer(b'some text'), SMIME.PKCS7_DETACHED)
self.filenameSmime = 'tests/sig.p7s'
with BIO.openfile(self.filenameSmime, 'wb') as f:
self.assertEqual(s.write(f, p7, BIO.MemoryBuffer(b'some text')), 1)
def load_session(pemfile):
f = BIO.openfile(pemfile)
cptr = m2.ssl_session_read_pem(f.bio_ptr())
f.close()
if cptr is None:
raise Err.get_error()
return Session(cptr, 1)
def load_session(pemfile):
# type: (AnyStr) -> Session
with BIO.openfile(pemfile) as f:
cptr = m2.ssl_session_read_pem(f.bio_ptr())
if cptr is None:
raise SSLError(Err.get_error())
return Session(cptr, 1)
def load_cert(file, format=FORMAT_PEM):
"""
Load certificate from file.
@type file: string
@param file: Name of file containing certificate in either DER or
PEM format.
@type format: int, either FORMAT_PEM or FORMAT_DER
@param format: Describes the format of the file to be loaded,
either PEM or DER.
@rtype: M2Crypto.X509.X509
@return: M2Crypto.X509.X509 object.
"""
bio = BIO.openfile(file)
if format == FORMAT_PEM:
return load_cert_bio(bio)
elif format == FORMAT_DER:
cptr = m2.d2i_x509(bio._ptr())
if cptr is None:
raise X509Error(Err.get_error())
return X509(cptr, _pyfree=1)
else:
raise ValueError(
"Unknown format. Must be either FORMAT_DER or FORMAT_PEM")
def verify_signature_block(certificate_file, content_file, signature):
"""Verifies the 'signature' over the 'content', trusting the 'certificate'.
:param certificate_file: the trusted certificate (PEM format)
:type certificate_file: str
:param content_file: The signature should match this content
:type content_file: str
:param signature: data (DER format) subject to check
:type signature: str
:return: Error message, or None if the signature validates.
:rtype: str
"""
sig_bio = BIO.MemoryBuffer(signature)
pkcs7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(sig_bio._ptr()), 1)
signers_cert_stack = pkcs7.get0_signers(X509.X509_Stack())
trusted_cert_store = X509.X509_Store()
trusted_cert_store.load_info(certificate_file)
smime = SMIME.SMIME()
smime.set_x509_stack(signers_cert_stack)
smime.set_x509_store(trusted_cert_store)
data_bio = BIO.openfile(content_file)
try:
smime.verify(pkcs7, data_bio)
except SMIME.PKCS7_Error, message:
return "Signature verification error: %s" % message
def load_request(file, format=FORMAT_PEM):
"""
Load certificate request from file.
@type file: string
@param file: Name of file containing certificate request in
either PEM or DER format.
@type format: int, either FORMAT_PEM or FORMAT_DER
@param format: Describes the format of the file to be loaded,
either PEM or DER.
@rtype: M2Crypto.X509.Request
@return: M2Crypto.X509.Request object.
"""
f = BIO.openfile(file)
if format == FORMAT_PEM:
cptr = m2.x509_req_read_pem(f.bio_ptr())
elif format == FORMAT_DER:
cptr = m2.d2i_x509_req(f.bio_ptr())
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_PEM or FORMAT_DER")
f.close()
if cptr is None:
raise X509Error(Err.get_error())
return Request(cptr, 1)
def create_signature_block(openssl_digest, certificate, private_key,
extra_certs, data):
"""
Produces a signature block for the data.
Reference
---------
http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
Note: Oracle does not specify the content of the "signature
file block", friendly saying that "These are binary files
not intended to be interpreted by humans".
:param openssl_digest: alrogithm known to OpenSSL used to digest the data
:type openssl_digest: str
:param certificate: filename of the certificate file (PEM format)
:type certificate: str
:param private_key:filename of private key used to sign (PEM format)
:type private_key: str
:param extra_certs: additional certificates to embed into the signature (PEM format)
:type extra_certs: array of filenames
:param data: the content to be signed
:type data: bytes
:returns: content of the signature block file as produced by jarsigner
:rtype: bytes
""" # noqa
smime = SMIME.SMIME()
with BIO.openfile(private_key) as k, BIO.openfile(certificate) as c:
smime.load_key_bio(k, c)
if extra_certs is not None:
# Could we use just X509.new_stack_from_der() instead?
stack = X509.X509_Stack()
for cert in extra_certs:
stack.push(X509.load_cert(cert))
smime.set_x509_stack(stack)
pkcs7 = smime.sign(BIO.MemoryBuffer(data),
algo=openssl_digest,
flags=(SMIME.PKCS7_BINARY |
SMIME.PKCS7_DETACHED |
SMIME.PKCS7_NOATTR))
tmp = BIO.MemoryBuffer()
pkcs7.write_der(tmp)
return tmp.read()
def save_pem(self, filename):
# type: (AnyStr) -> int
"""
:param filename: name of the file to be loaded
:return: 1 for success or 0 for failure
"""
with BIO.openfile(filename, 'wb') as bio:
return m2.x509_write_pem(bio.bio_ptr(), self.x509)
def load_session(pemfile):
f = BIO.openfile(pemfile)
cptr = m2.ssl_session_read_pem(f.bio_ptr())
f.close()
if cptr is None:
from M2Crypto.SSL import SSLError
raise SSLError(Err.get_error())
return Session(cptr, 1)
def save_key_der(self, file):
# type: (AnyStr) -> int
"""
Save the key pair to a file in DER format.
:param file: Filename to save key to
"""
with BIO.openfile(file, 'wb') as bio:
return self.save_key_der_bio(bio)
def save_pub_key(self, file):
# type: (AnyStr) -> int
"""
Save the public key to a filename in PEM format.
:param file: Name of filename to save key to.
"""
with BIO.openfile(file, 'wb') as bio:
return m2.ec_key_write_pubkey(self.ec, bio._ptr())
def save_key_der(self, file):
"""
Save the key pair to a file in DER format.
@type file: str
@param file: Filename to save key to
"""
bio = BIO.openfile(file, 'wb')
return self.save_key_der_bio(bio)
def save_pub_key(self, file):
"""
Save the public key to a file in PEM format.
@type file: string
@param file: Name of file to save key to.
"""
bio = BIO.openfile(file, 'wb')
return m2.ec_key_write_pubkey(self.ec, bio._ptr())
def set_tmp_dh(self, dhpfile):
# type: (AnyStr) -> int
"""Load ephemeral DH parameters into the context.
@param dhpfile: Filename of the file containing the PEM-encoded
DH parameters.
"""
f = BIO.openfile(dhpfile)
dhp = m2.dh_read_parameters(f.bio_ptr())
return m2.ssl_ctx_set_tmp_dh(self.ctx, dhp)
def set_tmp_dh(self, dhpfile):
"""Load ephemeral DH parameters into the context.
@param dhpfile: File object containing the PEM-encoded DH
parameters.
@type dhpfile: str
"""
f = BIO.openfile(dhpfile)
dhp = m2.dh_read_parameters(f.bio_ptr())
return m2.ssl_ctx_set_tmp_dh(self.ctx, dhp)
def load_pub_key(file):
# type: (AnyStr) -> RSA_pub
"""
Load an RSA public key from file.
:param file: Name of file containing RSA public key in PEM format.
:return: M2Crypto.RSA.RSA_pub object.
"""
with BIO.openfile(file) as bio:
return load_pub_key_bio(bio)
def load_pub_key(file):
# type: (AnyStr) -> EC_pub
"""
Load an EC public key from filename.
@param file: Name of filename containing EC public key in PEM format.
@return: M2Crypto.EC.EC_pub object.
"""
with BIO.openfile(file) as bio:
return load_pub_key_bio(bio)
def _sign_RS(self, alg, header, sbs):
priv_key_u = self._config.get('jws.rsa_key_path', None)
if priv_key_u is None:
raise(JWSException("No private key found for RSA signature"))
bio = BIO.openfile(priv_key_u)
rsa = RSA.load_key_bio(bio)
if not rsa.check_key():
raise(JWSException("Invalid key specified"))
digest = self._get_sha(alg[2:])(sbs).digest()
signature = rsa.sign_rsassa_pss(digest)
return '%s.%s' % (sbs, base64.urlsafe_b64encode(signature))
def from_pem_data(cls, data=None, filename=None):
"""Alternative constructor for loading from PEM format data."""
self = cls.__new__(cls)
if data is not None:
bio = BIO.MemoryBuffer(str(data))
elif filename is not None:
bio = BIO.openfile(filename)
else:
msg = "Please specify either 'data' or 'filename' argument."
raise ValueError(msg)
self.keyobj = self.KEY_MODULE.load_pub_key_bio(bio)
return self
def load_pub_key(file):
"""
Load an EC public key from file.
@type file: string
@param file: Name of file containing EC public key in PEM format.
@rtype: M2Crypto.EC.EC_pub
@return: M2Crypto.EC.EC_pub object.
"""
bio = BIO.openfile(file)
return load_pub_key_bio(bio)
def load_crl(file):
# type: (AnyStr) -> CRL
"""
Load CRL from file.
:param file: Name of file containing CRL in PEM format.
:return: M2Crypto.X509.CRL object.
"""
with BIO.openfile(file) as f:
cptr = m2.x509_crl_read_pem(f.bio_ptr())
return CRL(cptr, 1)
def save_pub_key(self, filename):
# type: (AnyStr) -> int
"""
Save the DSA public key (with parameters) to a file.
@param filename: Save DSA public key (with parameters)
to this file.
@return: 1 (true) if successful
"""
with BIO.openfile(filename, 'wb') as bio:
ret = self.save_pub_key_bio(bio)
return ret
def _encrypt(self):
"""Use your key thing to encrypt things."""
from M2Crypto import BIO, SMIME, X509
# @@@ Could we move this to conf.py?
CERT = settings.PAYPAL_PRIVATE_CERT
PUB_CERT = settings.PAYPAL_PUBLIC_CERT
PAYPAL_CERT = settings.PAYPAL_CERT
CERT_ID = settings.PAYPAL_CERT_ID
# Iterate through the fields and pull out the ones that have a value.
plaintext = 'cert_id=%s\n' % CERT_ID
for name, field in self.fields.iteritems():
value = None
if name in self.initial:
value = self.initial[name]
elif field.initial is not None:
value = field.initial
if value is not None:
# @@@ Make this less hackish and put it in the widget.
if name == "return_url":
name = "return"
plaintext += u'%s=%s\n' % (name, value)
plaintext = plaintext.encode('utf-8')
# Begin crypto weirdness.
s = SMIME.SMIME()
s.load_key_bio(BIO.openfile(CERT), BIO.openfile(PUB_CERT))
p7 = s.sign(BIO.MemoryBuffer(plaintext), flags=SMIME.PKCS7_BINARY)
x509 = X509.load_cert_bio(BIO.openfile(settings.PAYPAL_CERT))
sk = X509.X509_Stack()
sk.push(x509)
s.set_x509_stack(sk)
s.set_cipher(SMIME.Cipher('des_ede3_cbc'))
tmp = BIO.MemoryBuffer()
p7.write_der(tmp)
p7 = s.encrypt(tmp, flags=SMIME.PKCS7_BINARY)
out = BIO.MemoryBuffer()
p7.write(out)
return out.read()
def load_key(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> EC
"""
Factory function that instantiates a EC object.
:param file: Names the filename that contains the PEM representation
of the EC key pair.
:param callback: Python callback object that will be invoked
if the EC key pair is passphrase-protected.
"""
with BIO.openfile(file) as bio:
return load_key_bio(bio, callback)
def sign():
print 'test sign & save...',
buf = makebuf()
s = SMIME.SMIME()
s.load_key('client.pem')
p7 = s.sign(buf, SMIME.PKCS7_DETACHED)
out = BIO.openfile('clear.p7', 'w')
out.write('To: [email protected]\n')
out.write('From: [email protected]\n')
out.write('Subject: testing\n')
buf = makebuf() # Recreate buf, because sign() has consumed it.
s.write(out, p7, buf)
out.close()
buf = makebuf()
p7 = s.sign(buf)
out = BIO.openfile('opaque.p7', 'w')
out.write('To: [email protected]\n')
out.write('From: [email protected]\n')
out.write('Subject: testing\n')
s.write(out, p7)
out.close()
print 'ok'
def load_key(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> RSA
"""
Load an RSA key pair from file.
:param file: Name of file containing RSA public key in PEM format.
:param callback: A Python callable object that is invoked
to acquire a passphrase with which to unlock the
key. The default is util.passphrase_callback.
:return: M2Crypto.RSA.RSA object.
"""
with BIO.openfile(file) as bio:
return load_key_bio(bio, callback)
def load_crl(file):
# type: (AnyStr) -> CRL
"""
Load CRL from file.
@param file: Name of file containing CRL in PEM format.
@return: M2Crypto.X509.CRL object.
"""
with BIO.openfile(file) as f:
cptr = m2.x509_crl_read_pem(f.bio_ptr())
if cptr is None:
raise X509Error(Err.get_error())
return CRL(cptr, 1)
def load_request(file):
"""
Load certificate request from file.
@type file: string
@param file: Name of file containing certificate request in PEM format.
@rtype: M2Crypto.X509.Request
@return: M2Crypto.X509.Request object.
"""
f = BIO.openfile(file)
cptr = m2.x509_req_read_pem(f.bio_ptr())
f.close()
if cptr is None:
raise Err.get_error()
return Request(cptr, 1)
def load_crl(file):
"""
Load CRL from file.
@type file: string
@param file: Name of file containing CRL in PEM format.
@rtype: M2Crypto.X509.CRL
@return: M2Crypto.X509.CRL object.
"""
f = BIO.openfile(file)
cptr = m2.x509_crl_read_pem(f.bio_ptr())
f.close()
if cptr is None:
raise X509Error(Err.get_error())
return CRL(cptr, 1)
def load_params(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> DSA
"""
Factory function that instantiates a DSA object with DSA
parameters from a file.
@param file: Names the file (a path) that contains the PEM
representation of the DSA parameters.
@param callback: A Python callback object that will be
invoked if the DSA parameters file is
passphrase-protected.
@return: instance of DSA.
"""
with BIO.openfile(file) as bio:
ret = load_params_bio(bio, callback)
return ret
def load_key(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> PKey
"""
Load an M2Crypto.EVP.PKey from file.
:param file: Name of file containing the key in PEM format.
:param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the
key.
:return: M2Crypto.EVP.PKey object.
"""
with BIO.openfile(file, 'r') as bio:
cptr = m2.pkey_read_pem(bio.bio, callback)
return PKey(cptr, 1)
def load_key(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> DSA
"""
Factory function that instantiates a DSA object from a
PEM encoded DSA key pair.
:param file: Names the file (a path) that contains the PEM
representation of the DSA key pair.
:param callback: A Python callback object that will be
invoked if the DSA key pair is
passphrase-protected.
:return: instance of DSA.
"""
with BIO.openfile(file) as bio:
ret = load_key_bio(bio, callback)
return ret
def save_key(self,
filename,
cipher='aes_128_cbc',
callback=util.passphrase_callback):
# type: (AnyStr, str, Callable) -> int
"""
Save the DSA key pair to a file.
:param filename: Save the DSA key pair to this file.
:param cipher: name of symmetric key algorithm and mode
to encrypt the private key.
:return: 1 (true) if successful
"""
with BIO.openfile(filename, 'wb') as bio:
ret = self.save_key_bio(bio, cipher, callback)
return ret
def load_key(file, callback=util.passphrase_callback):
"""
Load an RSA key pair from file.
@type file: string
@param file: Name of file containing RSA public key in PEM format.
@type callback: Python callable
@param callback: A Python callable object that is invoked
to acquire a passphrase with which to unlock the key.
The default is util.passphrase_callback.
@rtype: M2Crypto.RSA.RSA
@return: M2Crypto.RSA.RSA object.
"""
bio = BIO.openfile(file)
return load_key_bio(bio, callback)
def save_key(self, file, cipher='aes_128_cbc',
callback=util.passphrase_callback):
# type: (AnyStr, Optional[str], Callable) -> int
"""
Save the key pair to a file in PEM format.
@param file: Name of file to save key to.
@param cipher: Symmetric cipher to protect the key. The default
cipher is 'aes_128_cbc'. If cipher is None, then the key is saved
in the clear.
@param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the key.
The default is util.passphrase_callback.
"""
with BIO.openfile(file, 'wb') as bio:
return self.save_key_bio(bio, cipher, callback)
def load_pub_key(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> DSA_pub
"""
Factory function that instantiates a DSA_pub object using
a DSA public key contained in PEM file. The PEM file
must contain the parameters in addition to the public key.
:param file: Names the file (a path) that contains the PEM
representation of the DSA public key.
:param callback: A Python callback object that will be
invoked should the DSA public key be
passphrase-protected.
:return: instance of DSA_pub.
"""
with BIO.openfile(file) as bio:
ret = load_pub_key_bio(bio, callback)
return ret
def save_key(self,
filename,
cipher='aes_128_cbc',
callback=util.passphrase_callback):
"""
Save the DSA key pair to a file.
@type filename: str
@param filename: Save the DSA key pair to this file.
@type cipher: str
@param cipher: name of symmetric key algorithm and mode
to encrypt the private key.
@return: 1 (true) if successful
"""
bio = BIO.openfile(filename, 'wb')
ret = self.save_key_bio(bio, cipher, callback)
bio.close()
return ret
def load_key_pubkey(file, callback=util.passphrase_callback):
# type: (AnyStr, Callable) -> PKey
"""
Load an M2Crypto.EVP.PKey from a public key as a file.
:param file: Name of file containing the key in PEM format.
:param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the
key.
:return: M2Crypto.EVP.PKey object.
"""
with BIO.openfile(file, 'r') as bio:
cptr = m2.pkey_read_pem_pubkey(bio._ptr(), callback)
if cptr is None:
raise EVPError(Err.get_error())
return PKey(cptr, 1)
def load_key(file, callback=util.passphrase_callback):
"""
Factory function that instantiates a DSA object from a
PEM encoded DSA key pair.
@type file: str
@param file: Names the file (a path) that contains the PEM
representation of the DSA key pair.
@type callback: A Python callable
@param callback: A Python callback object that will be
invoked if the DSA key pair is
passphrase-protected.
@rtype: DSA
@return: instance of DSA.
"""
bio = BIO.openfile(file)
ret = load_key_bio(bio, callback)
bio.close()
return ret
def _get_x509_list(cert):
x509_list = []
fd = BIO.openfile(cert, 'rb')
cert = X509.load_cert_bio(fd)
try:
while True:
x509_list.append(cert)
log.debug("Loaded " + cert.get_subject().as_text())
cert = X509.load_cert_bio(fd)
except X509.X509Error:
# When there are no more certs, this is what we get, so it is fine
pass
except BIO.BIOError:
# When there are no more certs, this is what we get, so it is fine
# Python 2.4
pass
del fd
return x509_list
def save(self, filename, format=FORMAT_PEM):
"""
Saves X.509 certificate request to a file. Default output
format is PEM.
@type filename: string
@param filename: Name of the file the request will be saved to.
@type format: int
@param format: Controls what output format is used to save the request.
Either FORMAT_PEM or FORMAT_DER to save in PEM or DER format.
Raises ValueError if an unknown format is used.
"""
bio = BIO.openfile(filename, 'wb')
if format == FORMAT_PEM:
return m2.x509_req_write_pem(bio.bio_ptr(), self.req)
elif format == FORMAT_DER:
return m2.i2d_x509_req_bio(bio.bio_ptr(), self.req)
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_DER or FORMAT_PEM")
def save(self, filename, format=FORMAT_PEM):
# type: (AnyStr, int) -> int
"""
Saves X.509 certificate to a file. Default output
format is PEM.
@param filename: Name of the file the cert will be saved to.
@param format: Controls what output format is used to save the cert.
Either FORMAT_PEM or FORMAT_DER to save in PEM or DER format.
Raises a ValueError if an unknow format is used.
@return: 1 for success or 0 for failure
"""
with BIO.openfile(filename, 'wb') as bio:
if format == FORMAT_PEM:
return m2.x509_write_pem(bio.bio_ptr(), self.x509)
elif format == FORMAT_DER:
return m2.i2d_x509_bio(bio.bio_ptr(), self.x509)
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_PEM or FORMAT_DER")
def load_pub_key(file, callback=util.passphrase_callback):
"""
Factory function that instantiates a DSA_pub object using
a DSA public key contained in PEM file. The PEM file
must contain the parameters in addition to the public key.
@type file: str
@param file: Names the file (a path) that contains the PEM
representation of the DSA public key.
@type callback: A Python callable
@param callback: A Python callback object that will be
invoked should the DSA public key be
passphrase-protected.
@rtype: DSA_pub
@return: instance of DSA_pub.
"""
bio = BIO.openfile(file)
ret = load_pub_key_bio(bio, callback)
bio.close()
return ret
def save_key(self, file, cipher='aes_128_cbc',
callback=util.passphrase_callback):
"""
Save the key pair to a file in PEM format.
@type file: string
@param file: Name of file to save key to.
@type cipher: string
@param cipher: Symmetric cipher to protect the key. The default
cipher is 'aes_128_cbc'. If cipher is None, then the key is saved
in the clear.
@type callback: Python callable
@param callback: A Python callable object that is invoked
to acquire a passphrase with which to protect the key.
The default is util.passphrase_callback.
"""
bio = BIO.openfile(file, 'wb')
return self.save_key_bio(bio, cipher, callback)
def save(self, filename, format=FORMAT_PEM):
# type: (AnyStr, int) -> int
"""
Saves X.509 certificate request to a file. Default output
format is PEM.
@param filename: Name of the file the request will be saved to.
@param format: Controls what output format is used to save the request.
Either FORMAT_PEM or FORMAT_DER to save in PEM or DER format.
Raises ValueError if an unknown format is used.
@return: 1 for success, 0 for failure.
The error code can be obtained by ERR_get_error.
"""
with BIO.openfile(filename, 'wb') as bio:
if format == FORMAT_PEM:
return m2.x509_req_write_pem(bio.bio_ptr(), self.req)
elif format == FORMAT_DER:
return m2.i2d_x509_req_bio(bio.bio_ptr(), self.req)
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_DER or FORMAT_PEM")
def load_request(file, format=FORMAT_PEM):
# type: (AnyStr, int) -> Request
"""
Load certificate request from file.
:param file: Name of file containing certificate request in
either PEM or DER format.
:param format: Describes the format of the file to be loaded,
either PEM or DER. (using constants FORMAT_PEM
and FORMAT_DER)
:return: Request object.
"""
with BIO.openfile(file) as f:
if format == FORMAT_PEM:
cptr = m2.x509_req_read_pem(f.bio_ptr())
elif format == FORMAT_DER:
cptr = m2.d2i_x509_req(f.bio_ptr())
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_PEM or FORMAT_DER")
return Request(cptr, 1)
def load_cert(file, format=FORMAT_PEM):
# type: (AnyStr, int) -> X509
"""
Load certificate from file.
:param file: Name of file containing certificate in either DER or
PEM format.
:param format: Describes the format of the file to be loaded,
either PEM or DER.
:return: M2Crypto.X509.X509 object.
"""
with BIO.openfile(file) as bio:
if format == FORMAT_PEM:
return load_cert_bio(bio)
elif format == FORMAT_DER:
cptr = m2.d2i_x509(bio._ptr())
return X509(cptr, _pyfree=1)
else:
raise ValueError(
"Unknown format. Must be either FORMAT_DER or FORMAT_PEM")
def load_cert(file, format=FORMAT_PEM):
"""
Load certificate from file.
@type file: string
@param file: Name of file containing certificate in either DER or PEM format.
@type format: int, either FORMAT_PEM or FORMAT_DER
@param format: Describes the format of the file to be loaded, either PEM or DER.
@rtype: M2Crypto.X509.X509
@return: M2Crypto.X509.X509 object.
"""
bio = BIO.openfile(file)
if format == FORMAT_PEM:
return load_cert_bio(bio)
elif format == FORMAT_DER:
cptr = m2.d2i_x509(bio._ptr())
if cptr is None:
raise X509Error(Err.get_error())
return X509(cptr, _pyfree=1)
else:
raise ValueError(
"Unknown format. Must be either FORMAT_DER or FORMAT_PEM")
def load_request(file, format=FORMAT_PEM):
"""
Load certificate request from file.
@type file: string
@param file: Name of file containing certificate request in either PEM or DER format.
@type format: int, either FORMAT_PEM or FORMAT_DER
@param format: Describes the format of the file to be loaded, either PEM or DER.
@rtype: M2Crypto.X509.Request
@return: M2Crypto.X509.Request object.
"""
f = BIO.openfile(file)
if format == FORMAT_PEM:
cptr = m2.x509_req_read_pem(f.bio_ptr())
elif format == FORMAT_DER:
cptr = m2.d2i_x509_req(f.bio_ptr())
else:
raise ValueError(
"Unknown filetype. Must be either FORMAT_PEM or FORMAT_DER")
f.close()
if cptr is None:
raise X509Error(Err.get_error())
return Request(cptr, 1)
def sign(private_key_path, certificate_path, request_path):
if not get_extension(certificate_path, 'keyUsage') == 'Digital Signature':
print(
'ERROR sign: key pair %s and %s could not be used for signing file because policy'
% (private_key_path, certificate_path))
exit(1)
request = None
try:
request = X509.load_request(request_path)
except (IOError, X509.X509Error):
print('ERROR sign: Could not load request from %s' % request_path)
exit(1)
text = BIO.MemoryBuffer(request.as_pem())
smime = SMIME.SMIME()
try:
smime.load_key(private_key_path, certificate_path)
except (ValueError, IOError, X509.X509Error):
print('ERROR sign: Could not load digital signature')
exit(1)
sign_request = smime.sign(text)
sign_request_file = BIO.openfile(request_path + '.sign', 'w')
smime.write(sign_request_file, sign_request)
sign_request_file.close()
print('Signing request was saved to %s' % request_path + '.sign')
