diff options
Diffstat (limited to 'rpkid/rpki/cms.py')
| -rw-r--r-- | rpkid/rpki/cms.py | 120 |
1 files changed, 0 insertions, 120 deletions
diff --git a/rpkid/rpki/cms.py b/rpkid/rpki/cms.py deleted file mode 100644 index 35d08e8a..00000000 --- a/rpkid/rpki/cms.py +++ /dev/null @@ -1,120 +0,0 @@ -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -"""CMS routines. I should write a pretty DER_object wrapper around -the POW code and include it in x509.py, haven't gotten to that yet. -""" - -import os, rpki.x509, rpki.exceptions, lxml.etree, rpki.log, POW - -debug = 1 - -id_data = (1, 2, 840, 113549, 1, 7, 1) - -# openssl smime -sign -nodetach -outform DER -signer biz-certs/Alice-EE.cer -# -certfile biz-certs/Alice-CA.cer -inkey biz-certs/Alice-EE.key -# -in THING -out THING.der - -def sign(plaintext, keypair, certs, oid = id_data, no_certs = False): - """Sign plaintext as CMS with specified key and bag of certificates.""" - - cms = POW.CMS() - cms.sign(certs[0].get_POW(), - keypair.get_POW(), - [x.get_POW() for x in certs[1:]], - plaintext, - ".".join(str(i) for i in oid), - no_certs) - der = cms.derWrite() - - if debug >= 2: - print - print "Signed CMS:" - dumpasn1(der) - - return der - -# openssl smime -verify -inform DER -in THING.der -CAfile biz-certs/Alice-Root.cer - -def verify(der, ta): - """Verify the signature of a chunk of CMS. - - Returns the plaintext on success, otherwise raise an exception. - """ - - if debug >= 2: - print - print "Verifying CMS:" - dumpasn1(der) - - cms = POW.derRead(POW.CMS_MESSAGE, der) - - store = POW.X509Store() - - if isinstance(ta, (tuple, list)): - for x in ta: - store.addTrust(x.get_POW()) - else: - store.addTrust(ta.get_POW()) - - try: - return cms.verify(store) - - except: - if debug >= 1: - print "CMS verification failed, dumping inputs:" - print - if isinstance(ta, (tuple, list)): - for x in ta: - print "TA:" - dumpasn1(x.get_DER()) - else: - print "TA:" - dumpasn1(ta.get_DER()) - print - print "CMS:" - dumpasn1(der) - raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed" - -def xml_verify(der, ta): - """Composite routine to verify CMS-wrapped XML.""" - - val = lxml.etree.fromstring(verify(der, ta)) - return val - -def xml_sign(elt, key, certs, encoding = "us-ascii"): - """Composite routine to sign CMS-wrapped XML.""" - - val = sign(lxml.etree.tostring(elt, pretty_print = True, encoding = encoding, xml_declaration = True), - key, certs) - return val - -def dumpasn1(thing): - """Prettyprint an ASN.1 DER object using cryptlib dumpasn1 tool. - Use a temporary file rather than popen4() because dumpasn1 uses - seek() when decoding ASN.1 content nested in OCTET STRING values. - """ - - fn = "dumpasn1.tmp" - try: - f = open(fn, "w") - f.write(thing) - f.close() - f = os.popen("dumpasn1 2>&1 -a " + fn) - print "\n".join(x for x in f.read().splitlines() if x.startswith(" ")) - f.close() - finally: - os.unlink(fn) |