def loadObject(self, obj): # expect object to be a Sequence containing a certificate, # but will accept a plain certificate too (for now) issuer, subject = getIssuerAndSubject(obj, 1) if issuer is None or subject is None: print "Warning: Unexpected SPKI object. Skipping." print sexp.pprint(obj.sexp()) return sexp = obj.sexp().encode_canonical() if self.identity.has_key(sexp): print "Warning: Duplicate certificate ignored." return issuer = issuer.getPrincipal() subject = subject.getPrincipal() l = self.byIssuer.get(issuer, []) l.append(obj) self.byIssuer[issuer] = l # if the issuer is a name, then we will enter the certificate # in multiple slots. one for the full name, and one for the # base issuer. if isinstance(issuer, spki.FullyQualifiedName): prin = issuer.principal l = self.byIssuer.get(prin, []) l.append(obj) self.byIssuer[prin] = l l = self.bySubject.get(subject, []) l.append(obj) self.bySubject[subject] = l self.identity[sexp] = sexp
def loadObject(self, obj): if not spki.isa(obj, spki.Entry): print "Warning: Not an acl entry. Skipping." print sexp.pprint(obj.sexp()) return l = self.entries.get(obj.subject, []) l.append(obj) self.entries[obj.subject] = l
def loadPrivate(self, obj): if spki.isa(obj, 'default'): self._default = 1 elif spki.isa(obj, spki.PasswordEncrypted): self._priv = obj self.loadState = self.LOAD_DONE else: print "Warning: Unexpected SPKI object. Skipping." print obj.__class__ print sexp.pprint(obj.sexp())
def loadPublic(self, obj): if not spki.isa(obj, spki.Hash): print "Warning: Unexpected SPKI object. Skipping." print obj.__class__ print sexp.pprint(obj.sexp()) return self._prin = obj self._default = 0 self._priv = None self.loadState = self.LOAD_PRIV
def loadObject(self, obj): if not spki.isa(obj, spki.PublicKey): print "Warning: Unexpected SPKI object. Skipping." print obj.__class__ print sexp.pprint(obj.sexp()) return p = obj.getPrincipal() if self.principals.has_key(p): print "Warning: Duplicate definition of %s" % str(p) print "Old definition:" print sexp.pprint(self.principals[p].sexp()) print "New definition:" print sexp.pprint(obj.sexp()) self.principals[p] = obj
def verify(self, prin, perm, delegate=0): """Find a valid certificate chain from ACL to prin for reqPerm. prin is the principal making the request. perm is the permission request. If verify finds a valid certificate chain from the principal making the request to the ACL, it will return a list containing the certificates in the chain. The first element in the list will be the ACL entry. Each subsequent element will be a certificate delegating some permissions from the previous element to the next element. The last element will delegate permissions to the principal. There is a delegate argument because there can't be more than one certificate between a valid delegate-able certificate and the principal requesting permission. That one certificate is the one that grants permissions to the principal, but doesn't allow the principal to delegate further. The delegate flag should always be true when called recursively. """ if self.VERBOSE: print "verify", prin, perm if not perm: if self.VERBOSE: print "cert", "permissions did not delegate" return None # A valid chain is always created here and modified as # recursive calls to verify return and add the current # certificate to the list. entry = self.checkACL(prin, perm) if entry: return [entry] certs = self.keys.lookupCertBySubject(prin) if self.VERBOSE: print "%d certs authorize %s" % (len(certs), prin) for certobj in certs: cert = spki.extractSignedCert(certobj) if self.VERBOSE: print sexp.pprint(cert.cert.sexp()) # next method call with recurse if cert.kind == 'name-cert': chain = self.verifyNameCert(cert, perm, delegate) else: chain = self.verifyCert(cert, perm, delegate) # defer signature verification until we actually have a # potential chain from ACL to requested permissions if not chain: continue if not cert.verifySignature(self.keys): if self.VERBOSE: print "invalid signature on", cert.cert continue # Everythin looks good, so add the current certificate to # the chain and return chain.append(cert) return chain return None
#! /usr/bin/env python from pisces.spkilib import sexp from pisces.spkilib.database import DebugDatabase import sys if __name__ == "__main__": for file in sys.argv[1:]: print file db = DebugDatabase(file) for obj in db.objects: print sexp.pprint(obj.sexp()) print