def test_rsa_sign(self):
message = b"a secret message!"
private = rsa_generate(2048)
public_key = get_public_key(private)
signature = rsa_sign(private, message)
self.assertTrue(rsa_verify(public_key, message, signature))
message = b"another message!"
self.assertFalse(rsa_verify(public_key, message, signature))
def process_revocation(revocation, callback, cert_path):
global cert_key
if cert_key is None:
# load up the CV signing public key
if cert_path is not None and os.path.exists(cert_path):
logger.info("Lazy loading the revocation certificate from %s",
cert_path)
with open(cert_path, "rb") as f:
certpem = f.read()
cert_key = crypto.x509_import_pubkey(certpem)
if cert_key is None:
logger.warning(
"Unable to check signature of revocation message: %s not available",
cert_path)
elif "signature" not in revocation or revocation["signature"] == "none":
logger.warning("No signature on revocation message from server")
elif not crypto.rsa_verify(cert_key, revocation["msg"].encode("utf-8"),
revocation["signature"].encode("utf-8")):
logger.error("Invalid revocation message siganture %s", revocation)
else:
message = json.loads(revocation["msg"])
logger.debug("Revocation signature validated for revocation: %s",
message)
callback(message)
def await_notifications(callback, revocation_cert_path):
# keep old typo "listen_notfications" around for a few versions
assert config.getboolean(
"cloud_agent", "listen_notifications",
fallback=False) or config.getboolean(
"cloud_agent", "listen_notfications", fallback=False)
try:
import zmq # pylint: disable=import-outside-toplevel
except ImportError as error:
raise Exception(
"install PyZMQ for 'listen_notifications' option") from error
global cert_key
if revocation_cert_path is None:
raise Exception("must specify revocation_cert_path")
context = zmq.Context()
mysock = context.socket(zmq.SUB)
mysock.setsockopt(zmq.SUBSCRIBE, b"")
mysock.connect(f"tcp://{config.get('general', 'receive_revocation_ip')}:"
f"{config.getint('general', 'receive_revocation_port')}")
logger.info(
"Waiting for revocation messages on 0mq %s:%s",
config.get("general", "receive_revocation_ip"),
config.getint("general", "receive_revocation_port"),
)
while True:
rawbody = mysock.recv()
body = json.loads(rawbody)
if cert_key is None:
# load up the CV signing public key
if revocation_cert_path is not None and os.path.exists(
revocation_cert_path):
logger.info("Lazy loading the revocation certificate from %s",
revocation_cert_path)
with open(revocation_cert_path, "rb") as f:
certpem = f.read()
cert_key = crypto.x509_import_pubkey(certpem)
if cert_key is None:
logger.warning(
"Unable to check signature of revocation message: %s not available",
revocation_cert_path)
elif "signature" not in body or body["signature"] == "none":
logger.warning("No signature on revocation message from server")
elif not crypto.rsa_verify(cert_key, body["msg"].encode("utf-8"),
body["signature"].encode("utf-8")):
logger.error("Invalid revocation message siganture %s", body)
else:
message = json.loads(body["msg"])
logger.debug("Revocation signature validated for revocation: %s",
message)
callback(message)
def await_notifications(callback, revocation_cert_path):
global cert_key
if revocation_cert_path is None:
raise Exception("must specify revocation_cert_path")
context = zmq.Context()
mysock = context.socket(zmq.SUB)
mysock.setsockopt(zmq.SUBSCRIBE, b'')
mysock.connect(
"tcp://%s:%s" %
(config.get('cloud_verifier', 'revocation_notifier_ip'),
config.getint('cloud_verifier', 'revocation_notifier_port')))
logger.info('Waiting for revocation messages on 0mq %s:%s' %
(config.get('cloud_verifier', 'revocation_notifier_ip'),
config.getint('cloud_verifier', 'revocation_notifier_port')))
while True:
rawbody = mysock.recv()
body = json.loads(rawbody)
if cert_key is None:
# load up the CV signing public key
if revocation_cert_path is not None and os.path.exists(
revocation_cert_path):
logger.info("Lazy loading the revocation certificate from %s" %
revocation_cert_path)
with open(revocation_cert_path, 'r') as f:
certpem = f.read()
cert_key = crypto.x509_import_pubkey(certpem)
if cert_key is None:
logger.warning(
"Unable to check signature of revocation message: %s not available"
% revocation_cert_path)
elif 'signature' not in body or body['signature'] == 'none':
logger.warning("No signature on revocation message from server")
elif not crypto.rsa_verify(cert_key, body['msg'].encode('utf-8'),
body['signature'].encode('utf-8')):
logger.error("Invalid revocation message siganture %s" % body)
else:
message = json.loads(body['msg'])
logger.debug("Revocation signature validated for revocation: %s" %
message)
callback(message)
