def _checkCertificate(self, txn, certPem): if type(certPem) not in [str, unicode]: raise Exception(URI_ERROR + "illegal-argument", "Expected type str/unicode for agument certPem, but got %s" % str(type(certPem))) try: (cert, cert_text) = unpack_certificate(str(certPem)) except Exception, e: raise Exception(URI_ERROR + "invalid-certificate", "Could not analyze X509 certificate (%s)" % str(e), str(e))
def _setServiceKeyCertificate(self, txn, serviceKeyUri, certPem): if type(serviceKeyUri) not in [str, unicode]: raise Exception(URI_ERROR + "illegal-argument", "Expected type str/unicode for agument serviceKeyUri, but got %s" % str(type(serviceKeyUri))) uri = self.proto.resolveOrPass(serviceKeyUri) id = self.proto.uriToId(uri) txn.execute("SELECT key_fingerprint, cert_fingerprint FROM servicekey WHERE id = ?", [id]) res = txn.fetchone() if res is not None: try: (cert, cert_text) = unpack_certificate(str(certPem)) except Exception, e: raise Exception(URI_ERROR + "invalid-certificate", "Could analyze X509 certificate (%s)" % str(e), str(e)) else: ## check that certificate matches service key ## fp = cert["public-key"]["fingerprint"] if res[0] != fp: raise Exception(URI_ERROR + "certificate-does-not-match", "Certificate subject public key does not match service key.") ## certificate unchanged ## if res[1] == cert["fingerprint"]: return {} ## determine changed/effected services ## (etls, ctls) = self._getAffectedServices(id) restartRequired = True if len(etls) > 0 else False now = utcnow() txn.execute("UPDATE servicekey SET modified = ?, cert = ?, cert_text = ?, cert_fingerprint = ?, is_cert_selfsigned = ? WHERE id = ?", [now, certPem, cert["text"], cert["fingerprint"], cert["is-selfsigned"], id]) if restartRequired: reactor.callLater(1, self.proto.restartHub) delta = {} delta["modified"] = now delta["uri"] = uri delta["certificate"] = cert self.proto.dispatch(URI_EVENT + "on-servicekey-modified", delta, [self.proto]) delta["uri"] = self.proto.shrink(uri) return delta
def _checkCertificate(self, txn, certPem): if type(certPem) not in [str, unicode]: raise Exception( URI_ERROR + "illegal-argument", "Expected type str/unicode for agument certPem, but got %s" % str(type(certPem))) try: (cert, cert_text) = unpack_certificate(str(certPem)) except Exception, e: raise Exception(URI_ERROR + "invalid-certificate", "Could not analyze X509 certificate (%s)" % str(e), str(e))
def _getServiceKeys(self, txn): txn.execute("SELECT id, created, modified, label, key_pub, key_length, key_fingerprint, cert FROM servicekey ORDER BY label ASC, key_fingerprint ASC") sks = [] res = txn.fetchall() for r in res: try: (cert, cert_text) = unpack_certificate(str(r[7])) except: (cert, cert_text) = (None, "") sk = {"uri": self.proto.shrink(URI_SERVICEKEY + r[0]), "created": r[1], "modified": r[2], "label": r[3], "public": r[4], "length": r[5], "fingerprint": r[6], "certificate": cert, "certificate-text": cert_text} sks.append(sk) return sks
def _getServiceKeys(self, txn): txn.execute( "SELECT id, created, modified, label, key_pub, key_length, key_fingerprint, cert FROM servicekey ORDER BY label ASC, key_fingerprint ASC" ) sks = [] res = txn.fetchall() for r in res: try: (cert, cert_text) = unpack_certificate(str(r[7])) except: (cert, cert_text) = (None, "") sk = { "uri": self.proto.shrink(URI_SERVICEKEY + r[0]), "created": r[1], "modified": r[2], "label": r[3], "public": r[4], "length": r[5], "fingerprint": r[6], "certificate": cert, "certificate-text": cert_text } sks.append(sk) return sks
def _setServiceKeyCertificate(self, txn, serviceKeyUri, certPem): if type(serviceKeyUri) not in [str, unicode]: raise Exception( URI_ERROR + "illegal-argument", "Expected type str/unicode for agument serviceKeyUri, but got %s" % str(type(serviceKeyUri))) uri = self.proto.resolveOrPass(serviceKeyUri) id = self.proto.uriToId(uri) txn.execute( "SELECT key_fingerprint, cert_fingerprint FROM servicekey WHERE id = ?", [id]) res = txn.fetchone() if res is not None: try: (cert, cert_text) = unpack_certificate(str(certPem)) except Exception, e: raise Exception(URI_ERROR + "invalid-certificate", "Could analyze X509 certificate (%s)" % str(e), str(e)) else: ## check that certificate matches service key ## fp = cert["public-key"]["fingerprint"] if res[0] != fp: raise Exception( URI_ERROR + "certificate-does-not-match", "Certificate subject public key does not match service key." ) ## certificate unchanged ## if res[1] == cert["fingerprint"]: return {} ## determine changed/effected services ## (etls, ctls) = self._getAffectedServices(id) restartRequired = True if len(etls) > 0 else False now = utcnow() txn.execute( "UPDATE servicekey SET modified = ?, cert = ?, cert_text = ?, cert_fingerprint = ?, is_cert_selfsigned = ? WHERE id = ?", [ now, certPem, cert["text"], cert["fingerprint"], cert["is-selfsigned"], id ]) if restartRequired: reactor.callLater(1, self.proto.restartHub) delta = {} delta["modified"] = now delta["uri"] = uri delta["certificate"] = cert self.proto.dispatch(URI_EVENT + "on-servicekey-modified", delta, [self.proto]) delta["uri"] = self.proto.shrink(uri) return delta
def _importServiceKeys(self, txn, removeImported): ## filled with imported keys ## svckeys = [] ## look in keys/certs import directory ## import_dir = str( self.proto.factory.services["config"].get("import-dir")) if os.path.isdir(import_dir): log.msg("service key/cert import: walking import directory %s" % import_dir) for root, dirs, files in os.walk(import_dir): for f in files: filename = os.path.join(root, f) ext = os.path.splitext(filename)[1][1:] basename = os.path.splitext(os.path.basename(filename))[0] if ext == 'key': keyFile = filename log.msg( "service key/cert import: considering key file %s" % keyFile) ## verify file actually is a RSA key ## try: key_pem = open(keyFile).read() (key_pub_pem, key_length, key_fingerprint) = check_rsa_key(key_pem) except Exception, e: log.msg( "skipping key from file %s - invalid RSA key (%s)" % (keyFile, e)) else: ## skip keys we already have ## txn.execute( "SELECT id FROM servicekey WHERE key_fingerprint = ?", [key_fingerprint]) res = txn.fetchone() if res is not None: log.msg( "skipping key from file %s already imported (fingerprint %s)" % (keyFile, key_fingerprint)) else: ## check if we have a corresponding cert file ## certFile = os.path.join( os.path.dirname(filename), basename + '.crt') if not os.path.isfile(certFile): log.msg( "skipping key from file %s because cert file %s does not exist" % (keyFile, certFile)) else: try: certPem = open(certFile).read() (cert, cert_text ) = unpack_certificate(certPem) except Exception, e: log.msg( "skipping cert from file %s - invalid RSA cert (%s)" % (certFile, e)) else: log.msg( "importing key from file %s (fingerprint %s) and cert from file %s" % (keyFile, key_fingerprint, certFile)) id = newid() svckey_uri = URI_SERVICEKEY + id now = utcnow() ## Auto-generate label ## key_label = basename + datetime.datetime.utcnow( ).strftime("_%Y%m%d_%H%M%S") #key_label = basename txn.execute( "INSERT INTO servicekey (id, created, label, key_priv, key_pub, key_length, key_fingerprint, cert, cert_fingerprint) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", [ id, now, key_label, key_pem, key_pub_pem, key_length, key_fingerprint, certPem, cert['fingerprint'], ]) svckey = { "uri": svckey_uri, "created": now, "label": key_label, "length": key_length, "fingerprint": key_fingerprint, "public": key_pub_pem, "certificate": cert, "certificate-text": cert_text } self.proto.dispatch( URI_EVENT + "on-servicekey-created", svckey, []) svckey["uri"] = self.proto.shrink( svckey_uri) svckeys.append(svckey) if removeImported: os.remove(keyFile) os.remove(certFile) log.msg( "removed imported key file %s and cert file %s" % (keyFile, certFile))
def _importServiceKeys(self, txn, removeImported): ## filled with imported keys ## svckeys = [] ## look in keys/certs import directory ## import_dir = str(self.proto.factory.services["config"].get("import-dir")) if os.path.isdir(import_dir): log.msg("service key/cert import: walking import directory %s" % import_dir) for root, dirs, files in os.walk(import_dir): for f in files: filename = os.path.join(root, f) ext = os.path.splitext(filename)[1][1:] basename = os.path.splitext(os.path.basename(filename))[0] if ext == 'key': keyFile = filename log.msg("service key/cert import: considering key file %s" % keyFile) ## verify file actually is a RSA key ## try: key_pem = open(keyFile).read() (key_pub_pem, key_length, key_fingerprint) = check_rsa_key(key_pem) except Exception, e: log.msg("skipping key from file %s - invalid RSA key (%s)" % (keyFile, e)) else: ## skip keys we already have ## txn.execute("SELECT id FROM servicekey WHERE key_fingerprint = ?", [key_fingerprint]) res = txn.fetchone() if res is not None: log.msg("skipping key from file %s already imported (fingerprint %s)" % (keyFile, key_fingerprint)) else: ## check if we have a corresponding cert file ## certFile = os.path.join(os.path.dirname(filename), basename + '.crt') if not os.path.isfile(certFile): log.msg("skipping key from file %s because cert file %s does not exist" % (keyFile, certFile)) else: try: certPem = open(certFile).read() (cert, cert_text) = unpack_certificate(certPem) except Exception, e: log.msg("skipping cert from file %s - invalid RSA cert (%s)" % (certFile, e)) else: log.msg("importing key from file %s (fingerprint %s) and cert from file %s" % (keyFile, key_fingerprint, certFile)) id = newid() svckey_uri = URI_SERVICEKEY + id now = utcnow() ## Auto-generate label ## key_label = basename + datetime.datetime.utcnow().strftime("_%Y%m%d_%H%M%S") #key_label = basename txn.execute("INSERT INTO servicekey (id, created, label, key_priv, key_pub, key_length, key_fingerprint, cert, cert_fingerprint) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", [id, now, key_label, key_pem, key_pub_pem, key_length, key_fingerprint, certPem, cert['fingerprint'], ]) svckey = {"uri": svckey_uri, "created": now, "label": key_label, "length": key_length, "fingerprint": key_fingerprint, "public": key_pub_pem, "certificate": cert, "certificate-text": cert_text} self.proto.dispatch(URI_EVENT + "on-servicekey-created", svckey, []) svckey["uri"] = self.proto.shrink(svckey_uri) svckeys.append(svckey) if removeImported: os.remove(keyFile) os.remove(certFile) log.msg("removed imported key file %s and cert file %s" % (keyFile, certFile))