def encrypt_data( sender_privkey_pem, receiver_pubkey_pem, data ): rc, enc_data = c_syndicate.encrypt_data( sender_privkey_pem, receiver_pubkey_pem, data ) if rc != 0: log.error("encrypt_data rc = %s" % rc) return None return enc_data
""" Encrypt and serialize the slice secret with the Observer private key """ # get the public key try: observer_pubkey_pem = CryptoKey.importKey( observer_pkey_pem).publickey().exportKey() except Exception, e: logger.exception(e) logger.error("Failed to derive public key from private key") return None # encrypt the data rc, sealed_slice_secret = c_syndicate.encrypt_data(observer_pkey_pem, observer_pubkey_pem, slice_secret) if rc != 0: logger.error("Failed to encrypt slice secret") return None sealed_slice_secret_b64 = base64.b64encode(sealed_slice_secret) return sealed_slice_secret_b64 #------------------------------- def decrypt_slice_secret(observer_pkey_pem, sealed_slice_secret_b64): """ Unserialize and decrypt a slice secret
def make_host_provision_plan( config, sender_privkey_pem, host_pubkey_pem, hostname, volumes, gateway_pkey_generator=default_gateway_pkey_generator): """ Generate a signed host-specific volume and gateway listing. @config: client configuration @sender_privkey_pem: sender's private key, to sign the listing @host_pubkey_pem: recipient's public key, to encrypt initial gateway keys and user private keys @hostname: name of host on which the gateways run @volumes: list of volume names @gateway_pkey_generator: a callback that takes (config, volume name) and returns the gateway's initial public key Return a dict with the structure: { "volume_name": { "gateways": { "__pkey__": "encrypted pkey", "gateway_name": "gateway_cert_b64", "gateway_name": "gateway_cert_b64", ... }, "users": { user_id: { "pkey": "encrypted pkey", "cert": "user_cert_b64" } ... } } ... } where each volume named has only the gateway certificates on this particular host. Because we create one initial gateway private key per volume, we only need to give that singular private key back. The automounter will change the public key once it gets the private key. """ ret = {} for volume_name in volumes: # get the volume ID volume_cert = object_stub.load_volume_cert(config, volume_name) if volume_cert is None: log.error("No such volume '%s'" % volume_name) return {} volume_id = volume_cert.volume_id # find all gateways in this volume, on this host gateway_certs = list_volume_gateways_by_host(config, volume_id, hostname) if gateway_certs is None: log.error("Failed to load gateway certs for '%s'" % volume_name) return {} if len(gateway_certs) == 0: # no relevant gateways continue # find all associated user certs and their private keys, and serialize them user_certs = {} serialized_gateway_certs = {} for gateway_cert in gateway_certs: # user cert user_cert = object_stub.load_user_cert(config, gateway_cert.owner_id) if user_cert is None: log.error("No such user '%s'" % gateway_cert.owner_id) return {} log.debug("User '%s' owns gateway '%s'" % (user_cert.email, gateway_cert.name)) # user private key user_pkey = storage.load_private_key(config, "user", user_cert.email) if user_pkey is None: log.error("No such user private key '%s'" % user_cert.email) return {} user_pkey_pem = user_pkey.exportKey() rc, user_pkey_pem_enc = libsyndicate.encrypt_data( sender_privkey_pem, host_pubkey_pem, user_pkey_pem) if rc != 0: log.error("Failed to encrypt key for '%s', rc = %s" % (user_cert.email, rc)) return {} user_certs[str(gateway_cert.owner_id)] = { "cert": base64.b64encode(user_cert.SerializeToString()), "pkey": base64.b64encode(user_pkey_pem_enc) } serialized_gateway_certs[gateway_cert.name] = base64.b64encode( gateway_cert.SerializeToString()) # encrypt the private key for this volume's gateways... pkey_pem = gateway_pkey_generator(config, volume_name) if pkey_pem is None: log.debug("Failed to generate gateway key for '%s'" % volume_name) continue rc, pkey_pem_enc = libsyndicate.encrypt_data(sender_privkey_pem, host_pubkey_pem, pkey_pem) if rc != 0: log.error("Failed to encrypt response; rc = %d\n", rc) return {} serialized_gateway_certs["__pkey__"] = base64.b64encode(pkey_pem_enc) # done with this volume ret[volume_name] = { "gateways": serialized_gateway_certs, "users": user_certs } return ret
def make_host_provision_plan(config, sender_privkey_pem, host_pubkey_pem, hostname, volumes, gateway_pkey_generator=default_gateway_pkey_generator): """ Generate a signed host-specific volume and gateway listing. @config: client configuration @sender_privkey_pem: sender's private key, to sign the listing @host_pubkey_pem: recipient's public key, to encrypt initial gateway keys and user private keys @hostname: name of host on which the gateways run @volumes: list of volume names @gateway_pkey_generator: a callback that takes (config, volume name) and returns the gateway's initial public key Return a dict with the structure: { "volume_name": { "gateways": { "__pkey__": "encrypted pkey", "gateway_name": "gateway_cert_b64", "gateway_name": "gateway_cert_b64", ... }, "users": { user_id: { "pkey": "encrypted pkey", "cert": "user_cert_b64" } ... } } ... } where each volume named has only the gateway certificates on this particular host. Because we create one initial gateway private key per volume, we only need to give that singular private key back. The automounter will change the public key once it gets the private key. """ ret = {} for volume_name in volumes: # get the volume ID volume_cert = object_stub.load_volume_cert(config, volume_name) if volume_cert is None: log.error("No such volume '%s'" % volume_name) return {} volume_id = volume_cert.volume_id # find all gateways in this volume, on this host gateway_certs = list_volume_gateways_by_host(config, volume_id, hostname) if gateway_certs is None: log.error("Failed to load gateway certs for '%s'" % volume_name) return {} if len(gateway_certs) == 0: # no relevant gateways continue # find all associated user certs and their private keys, and serialize them user_certs = {} serialized_gateway_certs = {} for gateway_cert in gateway_certs: # user cert user_cert = object_stub.load_user_cert(config, gateway_cert.owner_id) if user_cert is None: log.error("No such user '%s'" % gateway_cert.owner_id) return {} log.debug("User '%s' owns gateway '%s'" % (user_cert.email, gateway_cert.name)) # user private key user_pkey = storage.load_private_key(config, "user", user_cert.email) if user_pkey is None: log.error("No such user private key '%s'" % user_cert.email) return {} user_pkey_pem = user_pkey.exportKey() rc, user_pkey_pem_enc = libsyndicate.encrypt_data(sender_privkey_pem, host_pubkey_pem, user_pkey_pem) if rc != 0: log.error("Failed to encrypt key for '%s', rc = %s" % (user_cert.email, rc)) return {} user_certs[ str(gateway_cert.owner_id) ] = { "cert": base64.b64encode(user_cert.SerializeToString()), "pkey": base64.b64encode(user_pkey_pem_enc) } serialized_gateway_certs[gateway_cert.name] = base64.b64encode(gateway_cert.SerializeToString()) # encrypt the private key for this volume's gateways... pkey_pem = gateway_pkey_generator(config, volume_name) if pkey_pem is None: log.debug("Failed to generate gateway key for '%s'" % volume_name) continue rc, pkey_pem_enc = libsyndicate.encrypt_data(sender_privkey_pem, host_pubkey_pem, pkey_pem) if rc != 0: log.error("Failed to encrypt response; rc = %d\n", rc) return {} serialized_gateway_certs["__pkey__"] = base64.b64encode(pkey_pem_enc) # done with this volume ret[volume_name] = { "gateways": serialized_gateway_certs, "users": user_certs } return ret
#------------------------------- def encrypt_slice_secret( observer_pkey_pem, slice_secret ): """ Encrypt and serialize the slice secret with the Observer private key """ # get the public key try: observer_pubkey_pem = CryptoKey.importKey( observer_pkey_pem ).publickey().exportKey() except Exception, e: logger.exception(e) logger.error("Failed to derive public key from private key") return None # encrypt the data rc, sealed_slice_secret = c_syndicate.encrypt_data( observer_pkey_pem, observer_pubkey_pem, slice_secret ) if rc != 0: logger.error("Failed to encrypt slice secret") return None sealed_slice_secret_b64 = base64.b64encode( sealed_slice_secret ) return sealed_slice_secret_b64 #------------------------------- def decrypt_slice_secret( observer_pkey_pem, sealed_slice_secret_b64 ): """ Unserialize and decrypt a slice secret """