/usr/share/arc/ssm/crypto.py is in nordugrid-arc-arex 5.0.5-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 | '''
Copyright (C) 2012 STFC.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
@author: Kevin Haines, Will Rogers
The crypto module calls openssl command line directly, using subprocess.
We investigated python's crypto libraries (all openssl bindings) and
found that none were mature enough to implement the SMIME crypto we had
decided on.
'''
from subprocess import Popen, PIPE
import quopri
import base64
import logging
# logging configuration
log = logging.getLogger(__name__)
# Valid ciphers
CIPHERS = ['aes128', 'aes192', 'aes256']
class CryptoException(Exception):
'''
Exception for use by the crypto module.
'''
pass
def _from_file(filename):
'''
Convenience function to read entire file into string.
'''
f = open(filename, 'r')
s = f.read()
f.close()
return s
def check_cert_key(certpath, keypath):
'''
Check that a certificate and a key match, using openssl directly to fetch
the modulus of each, which must be the same.
'''
try:
cert = _from_file(certpath)
key = _from_file(keypath)
except IOError, e:
log.error('Could not find cert or key file: %s', e)
return False
# Two things the same have the same modulus.
if cert == key:
return False
p1 = Popen(['openssl', 'x509', '-noout', '-modulus'],
stdin=PIPE, stdout=PIPE, stderr=PIPE)
modulus1, error = p1.communicate(cert)
if error != '':
log.error(error)
return False
p2 = Popen(['openssl', 'rsa', '-noout', '-modulus'],
stdin=PIPE, stdout=PIPE, stderr=PIPE)
modulus2, error = p2.communicate(key)
if error != '':
log.error(error)
return False
return modulus1.strip() == modulus2.strip()
def sign(text, certpath, keypath):
'''
Sign the specified message using the certificate and key in the files specified.
Returns the signed message as an SMIME string, suitable for transmission.
'''
try:
p1 = Popen(['openssl', 'smime', '-sign', '-inkey', keypath, '-signer', certpath, '-text'],
stdin=PIPE, stdout=PIPE, stderr=PIPE)
signed_msg, error = p1.communicate(text)
if (error != ''):
log.error(error)
return signed_msg
except OSError, e:
log.error('Failed to sign message: %s', e)
raise CryptoException('Message signing failed. Check cert and key permissions.')
def encrypt(text, certpath, cipher='aes128'):
'''
Encrypt the specified message using the certificate string.
Returns the encrypted SMIME text suitable for transmission
'''
if cipher not in CIPHERS:
raise CryptoException('Invalid cipher %s.' % cipher)
cipher = '-' + cipher
# encrypt
p1 = Popen(['openssl', 'smime', '-encrypt', cipher, certpath],
stdin=PIPE, stdout=PIPE, stderr=PIPE)
enc_txt, error = p1.communicate(text)
if (error != ''):
log.error(error)
return enc_txt
def verify(signed_text, capath, check_crl):
'''
Verify the signed message has been signed by the certificate (attached to the
supplied SMIME message) it claims to have, by one of the accepted CAs in
capath.
Returns a tuple including the signer's certificate and the plain-text of the
message if it has been verified. If the content transfer encoding is specified
as 'quoted-printable' or 'base64', decode the message body accordingly.
'''
if signed_text is None or capath is None:
raise CryptoException('Invalid None argument to verify().')
# This ensures that openssl knows that the string is finished.
# It makes no difference if the signed message is correct, but
# prevents it from hanging in the case of an empty string.
signed_text += '\n\n'
signer = get_signer_cert(signed_text)
if not verify_cert(signer, capath, check_crl):
raise CryptoException('Unverified signer')
# The -noverify flag removes the certificate verification. The certificate
# is verified above; this check would also check that the certificate
# is allowed to sign with SMIME, which host certificates sometimes aren't.
p1 = Popen(['openssl', 'smime', '-verify', '-CApath', capath, '-noverify'],
stdin=PIPE, stdout=PIPE, stderr=PIPE)
message, error = p1.communicate(signed_text)
# SMIME header and message body are separated by a blank line
lines = message.strip().splitlines()
blankline = lines.index('')
headers = '\n'.join(lines[:blankline])
body = '\n'.join(lines[blankline + 1:])
# two possible encodings
if 'quoted-printable' in headers:
body = quopri.decodestring(body)
elif 'base64' in headers:
body = base64.decodestring(body)
# otherwise, plain text
# Interesting problem here - we get a message 'Verification successful'
# to standard error. We don't want to log this as an error each time,
# but we do want to see if there's a genuine error...
log.info(str(error).strip())
subj = get_certificate_subject(signer)
return body, subj
def decrypt(encrypted_text, certpath, keypath):
'''
Decrypt the specified message using the certificate and key contained in the
named PEM files. The capath should point to a directory holding all the
CAs that we accept
This decryption function can be used whether or not OpenSSL is used to
encrypt the data
'''
# This ensures that openssl knows that the string is finished.
# It makes no difference if the signed message is correct, but
# prevents it from hanging in the case of an empty string.
encrypted_text += '\n\n'
log.info('Decrypting message.')
p1 = Popen(['openssl', 'smime', '-decrypt',
'-recip', certpath, '-inkey', keypath],
stdin=PIPE, stdout=PIPE, stderr=PIPE)
enc_txt, error = p1.communicate(encrypted_text)
if (error != ''):
log.error(error)
return enc_txt
def verify_cert(certstring, capath, check_crls=True):
'''
Verify that the certificate is signed by a CA whose certificate is stored in
capath.
Note that I've had to compare strings in the output of openssl to check
for verification, which may make this brittle.
Returns True if the certificate is verified
'''
if certstring is None or capath is None:
raise CryptoException('Invalid None argument to verify_cert().')
args = ['openssl', 'verify', '-CApath', capath]
if check_crls:
args.append('-crl_check_all')
p1 = Popen(args, stdin=PIPE, stdout=PIPE, stderr=PIPE)
message, error = p1.communicate(certstring)
# I think this is unlikely ever to happen
if (error != ''):
log.error(error)
# There was a tricky problem here.
# 'openssl verify' returns 0 whatever happens, so we can't
# use the return code to determine whether the verification was
# successful.
# If it is successful, openssl prints 'OK'
# If it fails, openssl prints 'error'
# So:
log.info('Certificate verification: ' + str(message).strip())
return ('OK' in message and 'error' not in message)
def verify_cert_path(certpath, capath, check_crls=True):
'''
Verify certificate, but using the certificate filepath rather than
the certificate string as in verify_cert.
'''
certstring = _from_file(certpath)
return verify_cert(certstring, capath, check_crls)
def get_certificate_subject(certstring):
'''
Return the certificate subject's DN, in legacy openssl format.
'''
p1 = Popen(['openssl', 'x509', '-noout', '-subject'],
stdin=PIPE, stdout=PIPE, stderr=PIPE)
subject, error = p1.communicate(certstring)
if (error != ''):
log.error(error)
raise CryptoException('Failed to get subject: %s' % error)
subject = subject.strip()[9:] # remove 'subject= ' from the front
return subject
def get_signer_cert(signed_text):
'''
Read the signer's certificate from the signed specified message, and return the
certificate string.
'''
# This ensures that openssl knows that the string is finished.
# It makes no difference if the signed message is correct, but
# prevents it from hanging in the case of an empty string.
signed_text += '\n\n'
p1 = Popen(['openssl', 'smime', '-pk7out'],
stdin=PIPE, stdout=PIPE, stderr=PIPE)
p2 = Popen(['openssl', 'pkcs7', '-print_certs'],
stdin=p1.stdout, stdout=PIPE, stderr=PIPE)
p1.stdin.write(signed_text)
certstring, error = p2.communicate()
if (error != ''):
log.error(error)
return certstring
|