def getIssuerCert(self):
    """Return the issuer certificate of the loaded chain.

    For a proxy chain the entry directly after the first proxy step
    (index ``__firstProxyStep + 1`` of ``__certList``) is returned; for a
    plain chain it is the last entry. Returns S_OK(X509Certificate) on
    success, or S_ERROR(DErrno.ENOCHAIN) when no chain has been loaded.
    """
    if not self.__loadedChain:
        return S_ERROR(DErrno.ENOCHAIN)
    # Pick the list position of the issuer; -1 is the tail of the chain.
    issuerPos = self.__firstProxyStep + 1 if self.__isProxy else -1
    issuerData = self.__certList[issuerPos]
    return S_OK(X509Certificate(issuerData))
def getIssuerCert( self ):
    """Return the issuer certificate of the loaded chain.

    Proxy chains yield the certificate stored right after the first proxy
    step; any other chain yields its last certificate. The result is
    wrapped in S_OK; S_ERROR("No chain loaded") is returned when nothing
    has been loaded yet.
    """
    if not self.__loadedChain:
        return S_ERROR( "No chain loaded" )
    if self.__isProxy:
        issuerData = self.__certList[ self.__firstProxyStep + 1 ]
        return S_OK( X509Certificate( issuerData ) )
    # Non-proxy chain: the issuer is the final element.
    return S_OK( X509Certificate( self.__certList[ -1 ] ) )
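def getCertInChain(self, certPos=0):
    """Return the certificate at position ``certPos`` of the loaded chain.

    ``certPos`` indexes ``__certList`` directly (0 is the first entry;
    negative values count from the end as for any Python list).

    Returns S_OK(X509Certificate) on success, S_ERROR("No chain loaded")
    when no chain has been loaded, or an S_ERROR when ``certPos`` lies
    outside the chain (instead of letting IndexError escape, so callers
    can rely on the usual S_OK/S_ERROR convention).
    """
    if not self.__loadedChain:
        return S_ERROR("No chain loaded")
    try:
        certData = self.__certList[certPos]
    except IndexError:
        return S_ERROR(
            "Certificate position %s is out of range for a chain of length %s"
            % (certPos, len(self.__certList))
        )
    return S_OK(X509Certificate(certData))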
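def _locateCredentialFile(kwargs):
    """Work out which local credential checkSanity has to inspect.

    Returns S_OK((useCerts, certFile)):
      useCerts -- True when the host certificate/key pair is selected
                  (kwargs["useCertificates"] is truthy).
      certFile -- path of the certificate or proxy file to load; "" when
                  the proxy is passed in memory via kwargs["proxyString"].
    Returns S_ERROR when no usable credential can be found or when
    kwargs["proxyString"] has the wrong type.
    """
    if kwargs.get("useCertificates"):
        certTuple = Locations.getHostCertificateAndKeyLocation()
        if not certTuple:
            gLogger.error("No cert/key found! ")
            return S_ERROR("No cert/key found! ")
        return S_OK((True, certTuple[0]))

    if "proxyString" in kwargs:
        # The in-memory proxy is PEM data: str on Python 2, bytes on Python 3.
        expectedType = six.string_types if six.PY2 else bytes
        if not isinstance(kwargs["proxyString"], expectedType):
            gLogger.error("proxyString parameter is not a valid type", str(type(kwargs["proxyString"])))
            return S_ERROR("proxyString parameter is not a valid type")
        return S_OK((False, ""))

    # An explicit proxyLocation wins over the discovered default, even if empty.
    if "proxyLocation" in kwargs:
        certFile = kwargs["proxyLocation"]
    else:
        certFile = Locations.getProxyLocation()
    if not certFile:
        gLogger.error("No proxy found")
        return S_ERROR("No proxy found")
    if not os.path.isfile(certFile):
        gLogger.error("Proxy file does not exist", certFile)
        return S_ERROR("%s proxy file does not exist" % certFile)
    return S_OK((False, certFile))


def checkSanity(urlTuple, kwargs):
    """Check that the local SSL environment is usable for a connection.

    Selects the credential (host certificate, in-memory proxy string or
    proxy file), optionally checks that a CA location exists, loads the
    credential and rejects it if it has expired.

    Args:
      urlTuple: accepted for interface compatibility; not used here.
      kwargs: connection options. Keys read: "useCertificates",
        "proxyString", "proxyLocation", "skipCACheck".

    Returns:
      S_OK({"DN": <subject DN>, "group": <DIRAC group>}) -- "group" is only
      present when the credential carries a non-default group. For a host
      certificate "DN" is its subject; for a proxy it is the subject of the
      chain's issuer certificate.
      S_ERROR with a descriptive message on any failure.

    Note: only the *presence* of a CA location is checked here; the chain is
    not verified against the CAs by this function.
    """
    retVal = _locateCredentialFile(kwargs)
    if not retVal["OK"]:
        return retVal
    useCerts, certFile = retVal["Value"]

    # For certs always check CA's. For clients skipServerIdentityCheck
    if not kwargs.get("skipCACheck"):
        if not Locations.getCAsLocation():
            gLogger.error("No CAs found!")
            return S_ERROR("No CAs found!")

    # An in-memory proxy string takes precedence over any file-based credential.
    if "proxyString" in kwargs:
        certObj = X509Chain()
        retVal = certObj.loadChainFromString(kwargs["proxyString"])
        if not retVal["OK"]:
            gLogger.error("Can't load proxy string")
            return S_ERROR("Can't load proxy string")
    elif useCerts:
        certObj = X509Certificate()
        # Previously the load result was ignored; a failed load then only
        # surfaced indirectly through hasExpired(). Report it explicitly.
        retVal = certObj.loadFromFile(certFile)
        if not retVal["OK"]:
            gLogger.error("Can't load certificate file", "%s:%s" % (certFile, retVal["Message"]))
            return S_ERROR("Can't load certificate file %s:%s" % (certFile, retVal["Message"]))
    else:
        certObj = X509Chain()
        retVal = certObj.loadChainFromFile(certFile)
        if not retVal["OK"]:
            gLogger.error("Can't load proxy file", "%s:%s" % (certFile, retVal["Message"]))
            return S_ERROR("Can't load proxy file %s:%s" % (certFile, retVal["Message"]))

    retVal = certObj.hasExpired()
    if not retVal["OK"]:
        gLogger.error("Can't verify proxy or certificate file", "%s:%s" % (certFile, retVal["Message"]))
        return S_ERROR("Can't verify file %s:%s" % (certFile, retVal["Message"]))
    if retVal["Value"]:
        notAfter = certObj.getNotAfterDate()
        notAfter = notAfter["Value"] if notAfter["OK"] else "unknown"
        gLogger.error("PEM file has expired", "%s is not valid after %s" % (certFile, notAfter))
        return S_ERROR("PEM file %s has expired, not valid after %s" % (certFile, notAfter))

    idDict = {}
    retVal = certObj.getDIRACGroup(ignoreDefault=True)
    if retVal["OK"] and retVal["Value"] is not False:
        idDict["group"] = retVal["Value"]

    if useCerts:
        retVal = certObj.getSubjectDN()
    else:
        retVal = certObj.getIssuerCert()
        if retVal["OK"]:
            retVal = retVal["Value"].getSubjectDN()
    # Propagate a DN extraction failure instead of raising KeyError on ["Value"].
    if not retVal["OK"]:
        gLogger.error("Can't extract DN from credential", "%s:%s" % (certFile, retVal["Message"]))
        return retVal
    idDict["DN"] = retVal["Value"]
    return S_OK(idDict)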
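def checkSanity(urlTuple, kwargs):
    """Check that the local SSL environment is usable for a connection.

    Selects the credential (host certificate, in-memory proxy string or
    proxy file), optionally checks that a CA location exists, loads the
    credential and rejects it if it has expired.

    Args:
      urlTuple: accepted for interface compatibility; not used here.
      kwargs: connection options. Keys read: "useCertificates",
        "proxyString", "proxyLocation", "skipCACheck".

    Returns:
      S_OK({"DN": <subject DN>, "group": <DIRAC group>}) -- "group" is only
      present when the credential carries a non-default group. For a host
      certificate "DN" is its subject; for a proxy it is the subject of the
      chain's issuer certificate.
      S_ERROR with a descriptive message on any failure.

    Note: only the *presence* of a CA location is checked here; the chain is
    not verified against the CAs by this function.
    """
    useCerts = False
    certFile = ""
    if kwargs.get('useCertificates'):
        certTuple = Locations.getHostCertificateAndKeyLocation()
        if not certTuple:
            gLogger.error("No cert/key found! ")
            return S_ERROR("No cert/key found! ")
        certFile = certTuple[0]
        useCerts = True
    elif "proxyString" in kwargs:
        if not isinstance(kwargs['proxyString'], types.StringType):
            gLogger.error("proxyString parameter is not a valid type")
            return S_ERROR("proxyString parameter is not a valid type")
    else:
        # An explicit proxyLocation wins over the discovered default, even if empty.
        if "proxyLocation" in kwargs:
            certFile = kwargs["proxyLocation"]
        else:
            certFile = Locations.getProxyLocation()
        if not certFile:
            gLogger.error("No proxy found")
            return S_ERROR("No proxy found")
        if not os.path.isfile(certFile):
            gLogger.error("%s proxy file does not exist" % certFile)
            return S_ERROR("%s proxy file does not exist" % certFile)

    # For certs always check CA's. For clients skipServerIdentityCheck
    if not kwargs.get('skipCACheck'):
        if not Locations.getCAsLocation():
            gLogger.error("No CAs found!")
            return S_ERROR("No CAs found!")

    # An in-memory proxy string takes precedence over any file-based credential.
    if "proxyString" in kwargs:
        certObj = X509Chain()
        retVal = certObj.loadChainFromString(kwargs['proxyString'])
        if not retVal['OK']:
            gLogger.error("Can't load proxy string")
            return S_ERROR("Can't load proxy string")
    elif useCerts:
        certObj = X509Certificate()
        # Previously the load result was ignored; a failed load then only
        # surfaced indirectly through hasExpired(). Report it explicitly.
        retVal = certObj.loadFromFile(certFile)
        if not retVal['OK']:
            gLogger.error("Can't load certificate file %s:%s" % (certFile, retVal['Message']))
            return S_ERROR("Can't load certificate file %s:%s" % (certFile, retVal['Message']))
    else:
        certObj = X509Chain()
        retVal = certObj.loadChainFromFile(certFile)
        if not retVal['OK']:
            gLogger.error("Can't load proxy file %s:%s" % (certFile, retVal['Message']))
            return S_ERROR("Can't load proxy file %s:%s" % (certFile, retVal['Message']))

    retVal = certObj.hasExpired()
    if not retVal['OK']:
        gLogger.error("Can't verify file %s:%s" % (certFile, retVal['Message']))
        return S_ERROR("Can't verify file %s:%s" % (certFile, retVal['Message']))
    if retVal['Value']:
        notAfter = certObj.getNotAfterDate()
        notAfter = notAfter['Value'] if notAfter['OK'] else "unknown"
        gLogger.error("PEM file has expired", "%s is not valid after %s" % (certFile, notAfter))
        return S_ERROR("PEM file %s has expired, not valid after %s" % (certFile, notAfter))

    idDict = {}
    retVal = certObj.getDIRACGroup(ignoreDefault=True)
    if retVal['OK'] and retVal['Value'] is not False:
        idDict['group'] = retVal['Value']

    if useCerts:
        retVal = certObj.getSubjectDN()
    else:
        retVal = certObj.getIssuerCert()
        if retVal['OK']:
            retVal = retVal['Value'].getSubjectDN()
    # Propagate a DN extraction failure instead of raising KeyError on ['Value'].
    if not retVal['OK']:
        gLogger.error("Can't extract DN from %s: %s" % (certFile, retVal['Message']))
        return retVal
    idDict['DN'] = retVal['Value']
    return S_OK(idDict)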