author | Rob Austein <sra@hactrn.net> | 2007-10-03 00:50:46 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2007-10-03 00:50:46 +0000 |
commit | 2c5dfca16386daa00afca77b8c7edd042a0f27a8 (patch) | |
tree | 35c77b4b12dbe839f7253c363269112454696148 /scripts/rpki/cms.py | |
parent | bc34d54e960b5680deb3b601e8a9af10e1b3af7f (diff) |
Fix CMS code not to expect keys on disk
svn path=/scripts/rpki/cms.py; revision=1080
Diffstat (limited to 'scripts/rpki/cms.py')
-rw-r--r-- | scripts/rpki/cms.py | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/scripts/rpki/cms.py b/scripts/rpki/cms.py
index 86a73643..af237c31 100644
--- a/scripts/rpki/cms.py
+++ b/scripts/rpki/cms.py
@@ -10,19 +10,18 @@ import os, rpki.x509, rpki.exceptions, lxml.etree
 # openssl smime -sign -nodetach -outform DER -signer biz-certs/Alice-EE.cer -certfile biz-certs/Alice-CA.cer -inkey biz-certs/Alice-EE.key -in PLAN -out PLAN.der
-def encode(xml, key, cert_files):
+def encode(xml, keypair, certs):
 """Encode a chunk of XML as CMS signed with a specified key and bag of certificates. We have to sort the certificates into the correct order before the OpenSSL CLI tool will accept them. rpki.x509 handles that for us. """
- certs = rpki.x509.X509_chain()
- certs.load_from_PEM(cert_files)
 certs.chainsort()
 signer_filename = "cms.tmp.signer.pem"
 certfile_filename = "cms.tmp.certfile.pem"
+ plaintext_filename = "cms.tmp.plaintext"
 f = open(signer_filename, "w")
 f.write(certs[0].get_PEM())
@@ -33,14 +32,20 @@ def encode(xml, key, cert_files):
 f.write(cert.get_PEM())
 f.close()
- i,o = os.popen2(["openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-signer", signer_filename, "-certfile", certfile_filename, "-inkey", key])
- i.write(xml)
+ f = open(plaintext_filename, "w")
+ f.write(xml)
+ f.close()
+
+ i,o = os.popen2(("openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-signer", signer_filename,
+ "-certfile", certfile_filename, "-inkey", "/dev/stdin", "-in", plaintext_filename))
+ i.write(keypair.get_PEM())
 i.close()
 cms = o.read()
 o.close()
 os.unlink(signer_filename)
 os.unlink(certfile_filename)
+ os.unlink(plaintext_filename)
 return cms
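Review bot: The docstring kept at the top of `encode` still describes the old interface ("a specified key and bag of certificates") while the new signature takes an already-built chain, on which `certs.chainsort()` and `certs[0].get_PEM()` are called, and a `keypair` object whose `get_PEM()` output is fed to openssl in the following hunk. Since the old loading lines were removed, callers now have to know they must construct the chain themselves; I would extend the docstring with something like `keypair: object providing get_PEM() for the private key; certs: a certificate chain (formerly built here from rpki.x509.X509_chain), which this routine reorders with chainsort() before use`. Whether `chainsort()` sorts in place and thus mutates the caller's object cannot be seen from the hunk, so that part should be confirmed before being documented. The body of `encode` continues into the second hunk below.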
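Review bot: The new plaintext file is created at the fixed name `cms.tmp.plaintext` in the current directory and is only unlinked on the straight-line path, so an exception from `os.popen2` or `o.read()` leaves the XML behind, two concurrent `encode` calls overwrite each other's input, and `open(..., "w")` follows a symlink that already exists under that name. The same fixed-name pattern applies to `cms.tmp.signer.pem` and `cms.tmp.certfile.pem` in the hunk above and to `cms.tmp.ta.pem` in the `decode` hunk below. `os.popen2` also exposes no exit status, so a failing openssl run (unusable key, unreadable input) yields an empty string as the "signature" instead of an error, and its stderr is lost. I would create the file with `tempfile.mkstemp` (exclusive creation, mode 0600), unlink it in a `finally`, and run openssl via `subprocess.Popen` so the return code and stderr can be checked; both are stdlib modules that would need importing at the top of the file.
```python
  # … unchanged: signer and certfile written as before …
  fd, plaintext_filename = tempfile.mkstemp(prefix = "cms.tmp.plaintext.")
  try:
    f = os.fdopen(fd, "w")
    f.write(xml)
    f.close()
    p = subprocess.Popen(("openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-signer", signer_filename,
                          "-certfile", certfile_filename, "-inkey", "/dev/stdin", "-in", plaintext_filename),
                         stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE)
    cms, err = p.communicate(keypair.get_PEM())
    if p.returncode != 0:
      # Project exception class to be chosen by the maintainers; RuntimeError is a placeholder.
      raise RuntimeError, "openssl smime -sign failed (exit %d): %s" % (p.returncode, err)
  finally:
    os.unlink(plaintext_filename)
  # … unchanged: os.unlink(signer_filename), os.unlink(certfile_filename), return cms …
```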
@@ -54,18 +59,28 @@ def decode(cms, ta):
 verification, we raise an exception. """
- i,o,e = os.popen3(["openssl", "smime", "-verify", "-inform", "DER", "-CAfile", ta])
+ ta_filename = "cms.tmp.ta.pem"
+
+ f = open(ta_filename, "w")
+ f.write(ta.get_PEM())
+ f.close()
+
+ i,o,e = os.popen3(("openssl", "smime", "-verify", "-inform", "DER", "-CAfile", ta_filename))
 i.write(cms)
 i.close()
 xml = o.read()
 o.close()
 status = e.read()
 e.close()
+
+ os.unlink(ta_filename)
+
 if status == "Verification successful\n":
 return xml
 else:
 raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed with status %s" % status
+
 def xml_decode(elt, ta):
 """Composite routine to decode CMS-wrapped XML."""
 return lxml.etree.fromstring(decode(elt, ta)) |
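Review bot: The trust anchor is written to the fixed path `cms.tmp.ta.pem` in the current directory and read back by `openssl smime -verify -CAfile`, so the root of trust for this verification briefly lives at a predictable location: a second `decode` running concurrently, or any other process that can write to that directory, can replace the file between `f.close()` and the openssl read, and `open(..., "w")` will follow a symlink already planted under that name. The file is also only unlinked on the straight-line path, so an exception from `os.popen3` or the reads leaves a copy of the anchor behind. Creating it with `tempfile.mkstemp` (exclusive creation, mode 0600) and unlinking it in a `finally` closes both gaps; `tempfile` would need importing at the top of the file. The status-string comparison that decides success is unchanged by this commit and stays as fragile as before.
```python
  fd, ta_filename = tempfile.mkstemp(prefix = "cms.tmp.ta.")
  try:
    f = os.fdopen(fd, "w")
    f.write(ta.get_PEM())
    f.close()
    i,o,e = os.popen3(("openssl", "smime", "-verify", "-inform", "DER", "-CAfile", ta_filename))
    # … unchanged: write cms to i, read xml from o and status from e, close all three …
  finally:
    os.unlink(ta_filename)
  # … unchanged: status check, return xml or raise CMSVerificationFailed …
```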