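    def __init__(self,
                 create=False,
                 subject=None,
                 string=None,
                 filename=None,
                 uuid=None,
                 hrn=None,
                 urn=None,
                 lifeDays=1825,
                 email=None,
                 serial_number=0):
        """Build a GID: a ``Certificate`` carrying a UUID, an HRN/URN and an email.

        Args:
            create: forwarded to ``Certificate.__init__``.
            subject: certificate subject; forwarded, and logged when given.
            string: PEM text to load the certificate from; forwarded.
            filename: file to load the certificate from; forwarded.
            uuid: identifier stored on the GID after ``int()`` conversion.
            hrn: human-readable name; also derives ``self.urn`` with type
                ``'unknown'``.
            urn: uniform resource name; overrides ``hrn``/``urn`` derived
                from the ``hrn`` argument when both are given.
            lifeDays: certificate lifetime in days; forwarded.
            email: set on the GID via ``set_email`` (used for the
                SubjectAltName).
            serial_number: forwarded to ``Certificate.__init__``.
        """
        # Default the GID-specific fields before the base constructor runs,
        # so that loading from string/filename can overwrite them.
        self.uuid = None
        self.hrn = None
        self.urn = None
        self.email = None  # for adding to the SubjectAltName
        Certificate.__init__(self, lifeDays, create, subject, string, filename,
                             None, serial_number)

        if subject:
            # lazy %-formatting: only rendered if debug logging is enabled
            logger.debug("Creating GID for subject: %s", subject)
        if uuid:
            self.uuid = int(uuid)
        if hrn:
            self.hrn = hrn
            self.urn = hrn_to_urn(hrn, 'unknown')
        if urn:
            # A URN wins over an HRN: both fields are re-derived from it.
            self.urn = urn
            # urn_to_hrn returns an (hrn, type) pair; the type is not kept here
            self.hrn, _ = urn_to_hrn(urn)
        if email:
            self.set_email(email)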
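    def verify_chain(self, trusted_certs = None):
        """Verify this GID's certificate chain and its HRN namespace.

        After the ordinary ``Certificate`` chain verification, enforce the
        GID rule that whoever signed this GID (its parent, or the trusted
        root when there is no parent) is an authority whose HRN is a
        namespace prefix of this GID's HRN.

        Args:
            trusted_certs: trusted roots, passed through unchanged to
                ``Certificate.verify_chain``.

        Raises:
            GidParentHrn: the signer's HRN is not a namespace authority
                for this GID's HRN.
            GidInvalidParentHrn: the signer's type is not an authority type.
        """
        # Signature/validity checks first. The return value is taken to be
        # the trusted root that anchored the chain; it is only consulted
        # when this GID has no in-memory parent.
        trusted_root = Certificate.verify_chain(self, trusted_certs)

        my_hrn = self.get_hrn()
        if self.parent:
            parent_hrn = self.parent.get_hrn()
            parent_type = self.parent.get_type()

            # The parent's HRN must be a namespace prefix of the child's.
            if not hrn_authfor_hrn(parent_hrn, my_hrn):
                raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (my_hrn, parent_hrn))

            # Only an authority may sign a GID. There are multiple types of
            # authority - accept them all here (type starts with 'authority').
            if not parent_type.startswith('authority'):
                raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (my_hrn, parent_hrn, parent_type))

            # Recurse up the chain so the parent is in turn checked against
            # its own signer, ending at a trusted root.
            self.parent.verify_chain(trusted_certs)
        else:
            # No parent object: the signer is the trusted root itself, so
            # the same namespace and authority-type rules apply to it.
            # NOTE(review): assumes Certificate.verify_chain returns the
            # matching trusted root (not None) - confirm in Certificate.
            trusted_gid = GID(string=trusted_root.save_to_string())
            trusted_type = trusted_gid.get_type()
            trusted_hrn = trusted_gid.get_hrn()
            if not hrn_authfor_hrn(trusted_hrn, my_hrn):
                raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert: %s" % (trusted_hrn, my_hrn))

            # There are multiple types of authority - accept them all here
            if not trusted_type.startswith('authority'):
                raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (my_hrn, trusted_hrn, trusted_type))

        return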
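    def verify_chain(self, trusted_certs=None, crl_path=None):
        """Verify this GID's chain, HRN namespace and (optionally) revocation.

        Args:
            trusted_certs: trusted roots, passed through unchanged to
                ``Certificate.verify_chain``.
            crl_path: directory of PEM CRL files, each named after the
                issuer string returned by ``get_issuer()``. ``None`` (the
                default) disables the revocation check entirely.

        Raises:
            GidRevoked: this certificate's serial is listed in its issuer's CRL.
            GidParentHrn: the signer's HRN is not a namespace authority
                for this GID's HRN.
            GidInvalidParentHrn: the signer's type is not an authority type.
        """
        if crl_path:
            self._check_not_revoked(crl_path)

        # Signature/validity checks. The return value is taken to be the
        # trusted root that anchored the chain; it is only consulted when
        # this GID has no in-memory parent.
        trusted_root = Certificate.verify_chain(self, trusted_certs)

        my_hrn = self.get_hrn()
        if self.parent:
            parent_hrn = self.parent.get_hrn()
            parent_type = self.parent.get_type()

            # The parent's HRN must be a namespace prefix of the child's.
            if not hrn_authfor_hrn(parent_hrn, my_hrn):
                raise GidParentHrn(
                    "This cert HRN %s isn't in the namespace for parent HRN %s"
                    % (my_hrn, parent_hrn))

            # Only an authority may sign a GID. There are multiple types of
            # authority - accept them all here (type starts with 'authority').
            if not parent_type.startswith('authority'):
                raise GidInvalidParentHrn(
                    "This cert %s's parent %s is not an authority (is a %s)" %
                    (my_hrn, parent_hrn, parent_type))

            # Recurse up the chain so the parent is in turn checked against
            # its own signer, ending at a trusted root.
            # NOTE(review): crl_path is not forwarded, so only the leaf is
            # checked against a CRL; intermediate authorities are never
            # checked for revocation - confirm whether that is intended.
            self.parent.verify_chain(trusted_certs)
        else:
            # No parent object: the signer is the trusted root itself, so
            # the same namespace and authority-type rules apply to it.
            # NOTE(review): assumes Certificate.verify_chain returns the
            # matching trusted root (not None) - confirm in Certificate.
            trusted_gid = GID(string=trusted_root.save_to_string())
            trusted_type = trusted_gid.get_type()
            trusted_hrn = trusted_gid.get_hrn()
            if not hrn_authfor_hrn(trusted_hrn, my_hrn):
                raise GidParentHrn(
                    "Trusted root with HRN %s isn't a namespace authority for this cert: %s"
                    % (trusted_hrn, my_hrn))

            # There are multiple types of authority - accept them all here
            if not trusted_type.startswith('authority'):
                raise GidInvalidParentHrn(
                    "This cert %s's trusted root signer %s is not an authority (is a %s)"
                    % (my_hrn, trusted_hrn, trusted_type))

        return

    def _check_not_revoked(self, crl_path):
        """Raise ``GidRevoked`` if this cert's serial is in its issuer's CRL.

        The CRL is read from ``<crl_path>/<issuer>``. A missing file means
        "no CRL published for this issuer" and is accepted without error,
        i.e. the check fails open when no CRL is present.

        NOTE(review): the CRL is parsed but not signature-verified against
        the issuer here, and the file name is built from the certificate's
        own issuer field - confirm that get_issuer() cannot contain path
        separators before relying on this for untrusted certificates.
        """
        crl_file = os.path.join(crl_path, self.get_issuer())
        if not os.path.isfile(crl_file):
            return

        with open(crl_file, 'r') as f:
            crl_obj = crypto.load_crl(crypto.FILETYPE_PEM, f.read())

        my_serial = self.get_serial_number()
        # pyOpenSSL returns None (not an empty tuple) from get_revoked()
        # when the CRL lists nothing; guard so an empty CRL is not an error.
        for rc in crl_obj.get_revoked() or ():
            # CRL serials are hex text; the local serial number is an int.
            if int(rc.get_serial(), 16) == my_serial:
                raise GidRevoked(
                    "Certificate with serial number 0x%s for %s has been revoked by %s."
                    % (rc.get_serial(), self.get_subject(),
                       self.get_issuer()))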
    def verify_chain(self, trusted_certs = None):
        """Verify the chain and that each delegation only narrows privileges.

        After the base ``Certificate`` chain check, a credential that has a
        parent is accepted only if the parent set its delegate bit and the
        parent's privilege set is a superset of this credential's.

        Args:
            trusted_certs: trusted roots, passed through unchanged to
                ``Certificate.verify_chain``.

        Raises:
            MissingDelegateBit: the parent did not permit delegation.
            ChildRightsNotSubsetOfParent: this credential claims a privilege
                its parent does not hold.
        """
        Certificate.verify_chain(self, trusted_certs)

        parent = self.parent
        if not parent:
            return

        # Delegation has to be explicitly permitted by the signer.
        if not parent.get_delegate():
            raise MissingDelegateBit(parent.get_subject())

        # A child may never hold more than its parent.
        if not parent.get_privileges().is_superset(self.get_privileges()):
            detail = " ".join((self.get_subject(),
                               parent.get_privileges().save_to_string(),
                               self.get_privileges().save_to_string()))
            raise ChildRightsNotSubsetOfParent(detail)

        return
    def verify_chain(self, trusted_certs=None):
        """Verify the chain and that each delegation only narrows privileges.

        Runs the base ``Certificate`` chain check, then - when a parent is
        present - requires the parent's delegate bit to be set and the
        parent's privileges to be a superset of this credential's.

        Args:
            trusted_certs: trusted roots, passed through unchanged to
                ``Certificate.verify_chain``.

        Raises:
            MissingDelegateBit: the parent did not permit delegation.
            ChildRightsNotSubsetOfParent: this credential claims a privilege
                its parent does not hold.
        """
        Certificate.verify_chain(self, trusted_certs)

        if self.parent:
            signer = self.parent

            # Delegation has to be explicitly permitted by the signer.
            if not signer.get_delegate():
                raise MissingDelegateBit(signer.get_subject())

            # A child may never hold more than its parent.
            allowed = signer.get_privileges().is_superset(self.get_privileges())
            if not allowed:
                parts = [self.get_subject(),
                         signer.get_privileges().save_to_string(),
                         self.get_privileges().save_to_string()]
                raise ChildRightsNotSubsetOfParent(" ".join(parts))

        return
Файл: gid.py Проект: EICT/C-BAS
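    def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None,
                 lifeDays=1825, email=None, serial_number=0):
        """Build a GID: a ``Certificate`` carrying a UUID, an HRN/URN and an email.

        Args:
            create: forwarded to ``Certificate.__init__``.
            subject: certificate subject; forwarded, and logged when given.
            string: PEM text to load the certificate from; forwarded.
            filename: file to load the certificate from; forwarded.
            uuid: identifier stored on the GID after ``int()`` conversion.
            hrn: human-readable name; also derives ``self.urn`` with type
                ``'unknown'``.
            urn: uniform resource name; overrides ``hrn``/``urn`` derived
                from the ``hrn`` argument when both are given.
            lifeDays: certificate lifetime in days; forwarded.
            email: set on the GID via ``set_email`` (used for the
                SubjectAltName).
            serial_number: forwarded to ``Certificate.__init__``.
        """
        # Default the GID-specific fields before the base constructor runs,
        # so that loading from string/filename can overwrite them.
        self.uuid = None
        self.hrn = None
        self.urn = None
        self.email = None # for adding to the SubjectAltName
        Certificate.__init__(self, lifeDays, create, subject, string, filename, None, serial_number)

        if subject:
            # lazy %-formatting: only rendered if debug logging is enabled
            logger.debug("Creating GID for subject: %s", subject)
        if uuid:
            self.uuid = int(uuid)
        if hrn:
            self.hrn = hrn
            self.urn = hrn_to_urn(hrn, 'unknown')
        if urn:
            # A URN wins over an HRN: both fields are re-derived from it.
            self.urn = urn
            # urn_to_hrn returns an (hrn, type) pair; the type is not kept here
            self.hrn, _ = urn_to_hrn(urn)
        if email:
            self.set_email(email)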
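    def __init__(self,
                 create=False,
                 subject=None,
                 string=None,
                 filename=None,
                 uuid=None,
                 hrn=None,
                 urn=None,
                 lifeDays=1825):
        """Build a GID: a ``Certificate`` carrying a UUID and an HRN/URN.

        Args:
            create: forwarded to ``Certificate.__init__``.
            subject: certificate subject; forwarded, and logged when given.
            string: PEM text to load the certificate from; forwarded.
            filename: file to load the certificate from; forwarded.
            uuid: identifier stored on the GID after ``int()`` conversion.
            hrn: human-readable name; also derives ``self.urn`` with type
                ``'unknown'``.
            urn: uniform resource name; overrides ``hrn``/``urn`` derived
                from the ``hrn`` argument when both are given.
            lifeDays: certificate lifetime in days; forwarded.
        """
        # Default the GID-specific fields so they always exist on the
        # instance, even when none of uuid/hrn/urn is supplied.
        self.uuid = None
        self.hrn = None
        self.urn = None
        Certificate.__init__(self, lifeDays, create, subject, string, filename)
        if subject:
            # lazy %-formatting: only rendered if debug logging is enabled
            logger.debug("Creating GID for subject: %s", subject)
        if uuid:
            self.uuid = int(uuid)
        if hrn:
            self.hrn = hrn
            self.urn = hrn_to_urn(hrn, 'unknown')
        if urn:
            # A URN wins over an HRN: both fields are re-derived from it.
            self.urn = urn
            # urn_to_hrn returns an (hrn, type) pair; the type is not kept here
            self.hrn, _ = urn_to_hrn(urn)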
Файл: gid.py Проект: EICT/C-BAS
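    def verify_chain(self, trusted_certs = None, crl_path=None):
        """Verify this GID's chain, HRN namespace and (optionally) revocation.

        Args:
            trusted_certs: trusted roots, passed through unchanged to
                ``Certificate.verify_chain``.
            crl_path: directory of PEM CRL files, each named after the
                issuer string returned by ``get_issuer()``. ``None`` (the
                default) disables the revocation check entirely.

        Raises:
            GidRevoked: this certificate's serial is listed in its issuer's CRL.
            GidParentHrn: the signer's HRN is not a namespace authority
                for this GID's HRN.
            GidInvalidParentHrn: the signer's type is not an authority type.
        """
        if crl_path:
            self._check_not_revoked(crl_path)

        # Signature/validity checks. The return value is taken to be the
        # trusted root that anchored the chain; it is only consulted when
        # this GID has no in-memory parent.
        trusted_root = Certificate.verify_chain(self, trusted_certs)

        my_hrn = self.get_hrn()
        if self.parent:
            parent_hrn = self.parent.get_hrn()
            parent_type = self.parent.get_type()

            # The parent's HRN must be a namespace prefix of the child's.
            if not hrn_authfor_hrn(parent_hrn, my_hrn):
                raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (my_hrn, parent_hrn))

            # Only an authority may sign a GID. There are multiple types of
            # authority - accept them all here (type starts with 'authority').
            if not parent_type.startswith('authority'):
                raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (my_hrn, parent_hrn, parent_type))

            # Recurse up the chain so the parent is in turn checked against
            # its own signer, ending at a trusted root.
            # NOTE(review): crl_path is not forwarded, so only the leaf is
            # checked against a CRL; intermediate authorities are never
            # checked for revocation - confirm whether that is intended.
            self.parent.verify_chain(trusted_certs)
        else:
            # No parent object: the signer is the trusted root itself, so
            # the same namespace and authority-type rules apply to it.
            # NOTE(review): assumes Certificate.verify_chain returns the
            # matching trusted root (not None) - confirm in Certificate.
            trusted_gid = GID(string=trusted_root.save_to_string())
            trusted_type = trusted_gid.get_type()
            trusted_hrn = trusted_gid.get_hrn()
            if not hrn_authfor_hrn(trusted_hrn, my_hrn):
                raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert: %s" % (trusted_hrn, my_hrn))

            # There are multiple types of authority - accept them all here
            if not trusted_type.startswith('authority'):
                raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (my_hrn, trusted_hrn, trusted_type))

        return

    def _check_not_revoked(self, crl_path):
        """Raise ``GidRevoked`` if this cert's serial is in its issuer's CRL.

        The CRL is read from ``<crl_path>/<issuer>``. A missing file means
        "no CRL published for this issuer" and is accepted without error,
        i.e. the check fails open when no CRL is present.

        NOTE(review): the CRL is parsed but not signature-verified against
        the issuer here, and the file name is built from the certificate's
        own issuer field - confirm that get_issuer() cannot contain path
        separators before relying on this for untrusted certificates.
        """
        crl_file = os.path.join(crl_path, self.get_issuer())
        if not os.path.isfile(crl_file):
            return

        with open(crl_file, 'r') as f:
            crl_obj = crypto.load_crl(crypto.FILETYPE_PEM, f.read())

        my_serial = self.get_serial_number()
        # pyOpenSSL returns None (not an empty tuple) from get_revoked()
        # when the CRL lists nothing; guard so an empty CRL is not an error.
        for rc in crl_obj.get_revoked() or ():
            # CRL serials are hex text; the local serial number is an int.
            if int(rc.get_serial(), 16) == my_serial:
                raise GidRevoked("Certificate with serial number 0x%s for %s has been revoked by %s." % (rc.get_serial(), self.get_subject(), self.get_issuer()))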
 def __init__(self, create=False, subject=None, string=None, filename=None):
     """Construct the certificate by delegating straight to ``Certificate``.

     All four arguments are forwarded positionally, in the same order, to
     ``Certificate.__init__``; this subclass adds no state of its own here.
     """
     Certificate.__init__(self, create, subject, string, filename)
 def __init__(self, create=False, subject=None, string=None, filename=None):
     """Construct the certificate by delegating straight to ``Certificate``.

     All four arguments are forwarded positionally, in the same order, to
     ``Certificate.__init__``; this subclass adds no state of its own here.
     """
     Certificate.__init__(self, create, subject, string, filename)