Пример #1
0
def process_revocation(revocation, callback, cert_path):
    global cert_key

    if cert_key is None:
        # load up the CV signing public key
        if cert_path is not None and os.path.exists(cert_path):
            logger.info("Lazy loading the revocation certificate from %s",
                        cert_path)
            with open(cert_path, "rb") as f:
                certpem = f.read()
            cert_key = crypto.x509_import_pubkey(certpem)

    if cert_key is None:
        logger.warning(
            "Unable to check signature of revocation message: %s not available",
            cert_path)
    elif "signature" not in revocation or revocation["signature"] == "none":
        logger.warning("No signature on revocation message from server")
    elif not crypto.rsa_verify(cert_key, revocation["msg"].encode("utf-8"),
                               revocation["signature"].encode("utf-8")):
        logger.error("Invalid revocation message siganture %s", revocation)
    else:
        message = json.loads(revocation["msg"])
        logger.debug("Revocation signature validated for revocation: %s",
                     message)
        callback(message)
Пример #2
0
def await_notifications(callback, revocation_cert_path):
    # keep old typo "listen_notfications" around for a few versions
    assert config.getboolean(
        "cloud_agent", "listen_notifications",
        fallback=False) or config.getboolean(
            "cloud_agent", "listen_notfications", fallback=False)
    try:
        import zmq  # pylint: disable=import-outside-toplevel
    except ImportError as error:
        raise Exception(
            "install PyZMQ for 'listen_notifications' option") from error

    global cert_key

    if revocation_cert_path is None:
        raise Exception("must specify revocation_cert_path")

    context = zmq.Context()
    mysock = context.socket(zmq.SUB)
    mysock.setsockopt(zmq.SUBSCRIBE, b"")
    mysock.connect(f"tcp://{config.get('general', 'receive_revocation_ip')}:"
                   f"{config.getint('general', 'receive_revocation_port')}")

    logger.info(
        "Waiting for revocation messages on 0mq %s:%s",
        config.get("general", "receive_revocation_ip"),
        config.getint("general", "receive_revocation_port"),
    )

    while True:
        rawbody = mysock.recv()
        body = json.loads(rawbody)

        if cert_key is None:
            # load up the CV signing public key
            if revocation_cert_path is not None and os.path.exists(
                    revocation_cert_path):
                logger.info("Lazy loading the revocation certificate from %s",
                            revocation_cert_path)
                with open(revocation_cert_path, "rb") as f:
                    certpem = f.read()
                cert_key = crypto.x509_import_pubkey(certpem)

        if cert_key is None:
            logger.warning(
                "Unable to check signature of revocation message: %s not available",
                revocation_cert_path)
        elif "signature" not in body or body["signature"] == "none":
            logger.warning("No signature on revocation message from server")
        elif not crypto.rsa_verify(cert_key, body["msg"].encode("utf-8"),
                                   body["signature"].encode("utf-8")):
            logger.error("Invalid revocation message siganture %s", body)
        else:
            message = json.loads(body["msg"])
            logger.debug("Revocation signature validated for revocation: %s",
                         message)
            callback(message)
Пример #3
0
def await_notifications(callback, revocation_cert_path):
    global cert_key

    if revocation_cert_path is None:
        raise Exception("must specify revocation_cert_path")

    context = zmq.Context()
    mysock = context.socket(zmq.SUB)
    mysock.setsockopt(zmq.SUBSCRIBE, b'')
    mysock.connect(
        "tcp://%s:%s" %
        (config.get('cloud_verifier', 'revocation_notifier_ip'),
         config.getint('cloud_verifier', 'revocation_notifier_port')))

    logger.info('Waiting for revocation messages on 0mq %s:%s' %
                (config.get('cloud_verifier', 'revocation_notifier_ip'),
                 config.getint('cloud_verifier', 'revocation_notifier_port')))

    while True:
        rawbody = mysock.recv()
        body = json.loads(rawbody)

        if cert_key is None:
            # load up the CV signing public key
            if revocation_cert_path is not None and os.path.exists(
                    revocation_cert_path):
                logger.info("Lazy loading the revocation certificate from %s" %
                            revocation_cert_path)
                with open(revocation_cert_path, 'r') as f:
                    certpem = f.read()
                cert_key = crypto.x509_import_pubkey(certpem)

        if cert_key is None:
            logger.warning(
                "Unable to check signature of revocation message: %s not available"
                % revocation_cert_path)
        elif 'signature' not in body or body['signature'] == 'none':
            logger.warning("No signature on revocation message from server")
        elif not crypto.rsa_verify(cert_key, body['msg'].encode('utf-8'),
                                   body['signature'].encode('utf-8')):
            logger.error("Invalid revocation message siganture %s" % body)
        else:
            message = json.loads(body['msg'])
            logger.debug("Revocation signature validated for revocation: %s" %
                         message)
            callback(message)