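def verify_chain(self, trusted_certs=None):
    """Verify this certificate's chain against a set of trusted roots.

    Walks the chain upwards through ``self.parent``: each certificate must
    be signed by the key in its parent, until a certificate is reached that
    is signed directly by one of ``trusted_certs`` and that trusted cert is
    itself not expired.

    Args:
        trusted_certs: iterable of trusted certificate objects. ``None`` is
            treated as an empty set, in which case the walk can only end in
            ``CertMissingParent`` at the top of the chain.

    Returns:
        The trusted certificate that anchors the chain, from whichever level
        of the chain it was found at.

    Raises:
        CertExpired: this certificate has expired.
        CertMissingParent: no trusted cert signs this certificate and there
            is no parent to continue the chain with.
        CertNotSignedByParent: the parent does not sign this certificate.
    """
    if trusted_certs is None:
        trusted_certs = []

    # An expired certificate fails regardless of who signed it.
    if self.cert.has_expired():
        raise CertExpired(self.get_subject(), "client cert")

    # Signed directly by a non-expired trusted cert: the chain is anchored.
    for trusted_cert in trusted_certs:
        if not self.is_signed_by_cert(trusted_cert):
            continue
        logger.debug("Cert %s signed by trusted cert %s",
                     self.get_subject(), trusted_cert.get_subject())
        if not trusted_cert.cert.has_expired():
            return trusted_cert
        # Keep looking: another trusted cert may also sign this one.
        logger.debug("Trusted cert %s is expired",
                     trusted_cert.get_subject())

    # Without a parent there is no way to continue the chain.
    if not self.parent:
        raise CertMissingParent(self.get_subject())

    # Raise (not return) so an unsigned link can never pass verification.
    if not self.is_signed_by_cert(self.parent):
        raise CertNotSignedByParent(self.get_subject())

    # Recurse upwards and hand the anchoring trusted cert back to the caller.
    return self.parent.verify_chain(trusted_certs)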
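def verify_chain(self, trusted_certs=None):
    """Verify this certificate's chain against a set of trusted roots.

    Walks the chain upwards through ``self.parent``: each certificate must
    be signed by the key in its parent, until a certificate is reached that
    is signed directly by one of ``trusted_certs`` and that trusted cert is
    itself not expired.

    Args:
        trusted_certs: iterable of trusted certificate objects. ``None`` is
            treated as an empty set, in which case the walk can only end in
            ``CertMissingParent`` at the top of the chain.

    Returns:
        The trusted certificate that anchors the chain, from whichever level
        of the chain it was found at.

    Raises:
        CertExpired: this certificate has expired.
        CertMissingParent: no trusted cert signs this certificate and there
            is no parent to continue the chain with.
        CertNotSignedByParent: the parent does not sign this certificate.
    """
    if trusted_certs is None:
        trusted_certs = []

    # An expired certificate fails regardless of who signed it.
    if self.cert.has_expired():
        raise CertExpired(self.get_subject(), "client cert")

    # Signed directly by a non-expired trusted cert: the chain is anchored.
    for trusted_cert in trusted_certs:
        if not self.is_signed_by_cert(trusted_cert):
            continue
        logger.debug("Cert %s signed by trusted cert %s",
                     self.get_subject(), trusted_cert.get_subject())
        if not trusted_cert.cert.has_expired():
            return trusted_cert
        # Keep looking: another trusted cert may also sign this one.
        logger.debug("Trusted cert %s is expired",
                     trusted_cert.get_subject())

    # Without a parent there is no way to continue the chain.
    if not self.parent:
        raise CertMissingParent(self.get_subject())

    # Raise (not return) so an unsigned link can never pass verification.
    if not self.is_signed_by_cert(self.parent):
        raise CertNotSignedByParent(self.get_subject())

    # Recurse upwards and hand the anchoring trusted cert back to the caller.
    return self.parent.verify_chain(trusted_certs)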
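def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None):
    """Build a GID, optionally from an existing certificate.

    ``create``, ``subject``, ``string`` and ``filename`` are passed straight
    through to ``Certificate.__init__``; the remaining arguments set the
    GID-specific identity fields.

    Args:
        uuid: numeric identifier, coerced with ``int()``; skipped when falsy.
        hrn: human-readable name. When given, the URN is derived from it
            with ``hrn_to_urn(hrn, 'unknown')``.
        urn: uniform resource name. When given it takes precedence: it
            overwrites any URN derived from ``hrn`` and the HRN is derived
            from it with ``urn_to_hrn``.

    Raises:
        ValueError: ``uuid`` cannot be converted by ``int()``.
    """
    Certificate.__init__(self, create, subject, string, filename)
    if subject:
        # Lazy %-args: the message is only formatted if debug is enabled.
        logger.debug("Creating GID for subject: %s", subject)
    if uuid:
        self.uuid = int(uuid)
    if hrn:
        self.hrn = hrn
        self.urn = hrn_to_urn(hrn, 'unknown')
    if urn:
        self.urn = urn
        # urn_to_hrn returns a pair; only the HRN is kept, the second
        # element is discarded rather than bound to a name that shadows
        # the builtin ``type``.
        self.hrn, _ = urn_to_hrn(urn)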
def verify(self, trusted_certs):
    # Verify this GID against the trusted certificates named in
    # trusted_certs (a list of file paths, each loaded as a GID).
    # NOTE(review): trusted_cert_objects and ok_trusted_certs are built
    # but not consumed in the part of this method visible here -- confirm
    # the remainder of the method uses them.
    if not self.xml:
        # presumably decode() populates self.xml from the certificate;
        # confirm against its definition.
        self.decode()
    # trusted_cert_objects = [GID(filename=f) for f in trusted_certs]
    trusted_cert_objects = []
    ok_trusted_certs = []
    for f in trusted_certs:
        try:
            # Failures here include unreadable files
            # or non PEM files
            trusted_cert_objects.append(GID(filename=f))
            ok_trusted_certs.append(f)
        except Exception, exc:
            import traceback
            # A trusted cert that fails to load is logged and skipped, not
            # fatal: the remaining files still form the trust set.
            logger.error("Failed to load trusted cert from %s: %r", f, exc)
            # NOTE(review): traceback.format_exc() takes an optional line
            # limit, not the exception object; format_exc() with no
            # argument is almost certainly what is intended here.
            logger.debug(traceback.format_exc(exc))
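def load_from_string(self, string):
    """Load this certificate, and any chained parents, from PEM text.

    The text may be a single PEM certificate, a bare body without BEGIN/END
    markers (it is wrapped in them), a plain concatenation of several PEM
    certificates, or a chain joined by ``Certificate.separator``. The first
    certificate becomes ``self.cert``; whatever follows is handed to a fresh
    instance of the same class, which becomes ``self.parent`` and loads
    itself recursively from the remainder.

    Nothing beyond PEM parsing is checked here: parent links are taken from
    the input as given, and signatures are only checked by verify_chain().

    Args:
        string: PEM text, possibly with non-PEM text before the first
            ``-----BEGIN CERTIFICATE`` marker (that prefix is skipped).

    Raises:
        Whatever ``crypto.load_certificate`` raises when the first part is
        not a parseable PEM certificate.
    """
    begin_marker = '-----BEGIN CERTIFICATE'
    end_marker = '-----END CERTIFICATE-----'

    string = string.strip()

    # A bare body without any BEGIN marker is wrapped so it parses as PEM.
    if begin_marker not in string:
        string = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' % string
        logger.debug("Wrapping string for cert in BEGIN/END")

    # Drop anything before the first BEGIN marker (e.g. a textual header).
    beg = string.find(begin_marker)
    if beg > 0:
        # Clamp the preview start at 0: a negative slice index would read
        # from the end of the string when beg < 15.
        logger.debug(
            "Skipping non PEM start of cert from string ('%s ...\n... %s'). Skipping to char #%d",
            string[:25], string[max(beg - 15, 0):beg], beg)
        string = string[beg:]

    # Split off the first certificate. Plain concatenated PEMs are split at
    # the first END marker (which is put back on the first part); otherwise
    # the custom separator delimits the chain.
    if string.count('-----BEGIN CERTIFICATE-----') > 1 and \
            Certificate.separator not in string:
        parts = string.split(end_marker, 1)
        parts[0] += end_marker
    else:
        parts = string.split(Certificate.separator, 1)

    self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, parts[0])

    # The remainder, if any, is the parent chain; it loads itself recursively.
    if len(parts) > 1 and parts[1] != '':
        self.parent = self.__class__()
        self.parent.load_from_string(parts[1])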
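def load_from_string(self, string):
    """Load this certificate, and any chained parents, from PEM text.

    The text may be a single PEM certificate, a bare body without BEGIN/END
    markers (it is wrapped in them), a plain concatenation of several PEM
    certificates, or a chain joined by ``Certificate.separator``. The first
    certificate becomes ``self.cert``; whatever follows is handed to a fresh
    instance of the same class, which becomes ``self.parent`` and loads
    itself recursively from the remainder.

    Nothing beyond PEM parsing is checked here: parent links are taken from
    the input as given, and signatures are only checked by verify_chain().

    Args:
        string: PEM text, possibly with non-PEM text before the first
            ``-----BEGIN CERTIFICATE`` marker (that prefix is skipped).

    Raises:
        Whatever ``crypto.load_certificate`` raises when the first part is
        not a parseable PEM certificate.
    """
    begin_marker = '-----BEGIN CERTIFICATE'
    end_marker = '-----END CERTIFICATE-----'

    string = string.strip()

    # A bare body without any BEGIN marker is wrapped so it parses as PEM.
    if begin_marker not in string:
        string = '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' % string
        logger.debug("Wrapping string for cert in BEGIN/END")

    # Drop anything before the first BEGIN marker (e.g. a textual header).
    beg = string.find(begin_marker)
    if beg > 0:
        # Clamp the preview start at 0: a negative slice index would read
        # from the end of the string when beg < 15.
        logger.debug(
            "Skipping non PEM start of cert from string ('%s ...\n... %s'). Skipping to char #%d",
            string[:25], string[max(beg - 15, 0):beg], beg)
        string = string[beg:]

    # Split off the first certificate. Plain concatenated PEMs are split at
    # the first END marker (which is put back on the first part); otherwise
    # the custom separator delimits the chain.
    if string.count('-----BEGIN CERTIFICATE-----') > 1 and \
            Certificate.separator not in string:
        parts = string.split(end_marker, 1)
        parts[0] += end_marker
    else:
        parts = string.split(Certificate.separator, 1)

    self.cert = crypto.load_certificate(crypto.FILETYPE_PEM, parts[0])

    # The remainder, if any, is the parent chain; it loads itself recursively.
    if len(parts) > 1 and parts[1] != '':
        self.parent = self.__class__()
        self.parent.load_from_string(parts[1])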