diff options
Diffstat (limited to 'scripts/rpki/cms.py')
| -rw-r--r-- | scripts/rpki/cms.py | 120 |
1 files changed, 0 insertions, 120 deletions
diff --git a/scripts/rpki/cms.py b/scripts/rpki/cms.py deleted file mode 100644 index 7b4916dc..00000000 --- a/scripts/rpki/cms.py +++ /dev/null @@ -1,120 +0,0 @@ -# $Id$ - -# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH -# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, -# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM -# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE -# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR -# PERFORMANCE OF THIS SOFTWARE. - -"""CMS routines. - -These used to use the OpenSSL CLI too, which was slow. I've since -added minimal PKCS #7 / CMS capability to POW, so we now use that -instead. I should write a pretty DER_object wrapper around the POW -code and include it in x509.py, but I haven't gotten to that yet. -""" - -import os, rpki.x509, rpki.exceptions, lxml.etree, rpki.log, POW - -debug = 1 - -# openssl smime -sign -nodetach -outform DER -signer biz-certs/Alice-EE.cer -# -certfile biz-certs/Alice-CA.cer -inkey biz-certs/Alice-EE.key -# -in THING -out THING.der - -def sign(plaintext, keypair, certs): - """Sign plaintext as CMS with specified key and bag of certificates. - - We have to sort the certificates into the correct order before the - OpenSSL CLI tool will accept them. rpki.x509 handles that for us. - """ - - p7 = POW.PKCS7() - p7.sign(certs[0].get_POW(), keypair.get_POW(), [x.get_POW() for x in certs[1:]], plaintext) - cms = p7.derWrite() - - if debug >= 2: - print - print "Signed CMS:" - dumpasn1(cms) - - return cms - -# openssl smime -verify -inform DER -in THING.der -CAfile biz-certs/Alice-Root.cer - -def verify(cms, ta): - """Verify the signature of a chunk of CMS. - - Returns the plaintext on success, otherwise raise an exception. - """ - - if debug >= 2: - print - print "Verifying CMS:" - dumpasn1(cms) - - p7 = POW.derRead(POW.PKCS7_MESSAGE, cms) - - store = POW.X509Store() - store.addTrust(ta.get_POW()) - - try: - return p7.verify(store) - - except: - if debug >= 1: - print "CMS verification failed, dumping inputs:" - print - print "TA:" - dumpasn1(ta.get_DER()) - print - print "CMS:" - dumpasn1(cms) - raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed" - -# openssl smime -verify -noverify -inform DER -in THING.der - -def extract(cms): - """Extract the content of a signed CMS message WITHOUT verifying the - signature. Don't try this at home, kids. - """ - - return POW.derRead(POW.PKCS7_MESSAGE, cms).extract() - -def xml_verify(cms, ta): - """Composite routine to verify CMS-wrapped XML.""" - - val = lxml.etree.fromstring(verify(cms, ta)) - return val - -def xml_sign(elt, key, certs, encoding = "us-ascii"): - """Composite routine to sign CMS-wrapped XML.""" - - val = sign(lxml.etree.tostring(elt, pretty_print = True, encoding = encoding, xml_declaration = True), - key, certs) - return val - -def dumpasn1(thing): - """Prettyprint an ASN.1 DER object using cryptlib dumpasn1 tool. - Use a temporary file rather than popen4() because dumpasn1 uses - seek() when decoding ASN.1 content nested in OCTET STRING values. - """ - - fn = "dumpasn1.tmp" - try: - f = open(fn, "w") - f.write(thing) - f.close() - f = os.popen("dumpasn1 2>&1 -a " + fn) - print "\n".join(x for x in f.read().splitlines() if x.startswith(" ")) - f.close() - finally: - os.unlink(fn) |