1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
# $Id$
"""CMS routines.
For the moment these just call the OpenSSL CLI tool, which is slow,
requires disk I/O, and likes PEM format. Fix this later.
"""
import os, rpki.x509, rpki.exceptions, lxml.etree, rpki.log
debug = 1
# openssl smime -sign -nodetach -outform DER -signer biz-certs/Alice-EE.cer
# -certfile biz-certs/Alice-CA.cer -inkey biz-certs/Alice-EE.key
# -in THING -out THING.der
def sign(plaintext, keypair, certs):
"""Sign plaintext as CMS with specified key and bag of certificates.
We have to sort the certificates into the correct order before the
OpenSSL CLI tool will accept them. rpki.x509 handles that for us.
"""
certs.chainsort()
mypid = str(os.getpid())
rpki.log.trace()
signer_filename = "cms.tmp." + mypid + ".signer.pem"
certfile_filename = "cms.tmp." + mypid + ".certfile.pem"
plaintext_filename = "cms.tmp." + mypid + ".plaintext"
signed_filename = "cms.tmp." + mypid + ".signed"
key_filename = "cms.tmp." + mypid + ".key.pem"
rpki.log.trace()
f = open(signer_filename, "w")
f.write(certs[0].get_PEM())
f.close()
rpki.log.trace()
f = open(certfile_filename, "w")
for cert in certs[1:]:
f.write(cert.get_PEM())
f.close()
rpki.log.trace()
f = open(plaintext_filename, "w")
f.write(plaintext)
f.close()
rpki.log.trace()
# This is evil, key should NOT be on disk, but OpenSSL CLI goes into
# a spin wait sometimes and I now suspect it's an I/O problem.
# So we whack this with chmod() to minimize the risk.
f = open(key_filename, "w")
f.close()
os.chmod(key_filename, 0600)
f = open(key_filename, "w")
f.write(keypair.get_PEM())
f.close()
os.chmod(key_filename, 0600)
cmd = ("openssl", "smime", "-sign", "-nodetach", "-outform", "DER", "-binary",
"-inkey", key_filename,
"-signer", signer_filename,
"-certfile", certfile_filename,
"-in", plaintext_filename,
"-out", signed_filename)
rpki.log.debug("CMS signing command: %s" % str(cmd))
rpki.log.trace()
pid = os.fork()
if pid == 0:
rpki.log.trace()
os.execvp(cmd[0], cmd)
raise rpki.exceptions.SubprocessError, "os.execvp() returned, which should never happen"
rpki.log.trace()
assert pid != 0
retpid, status = os.waitpid(pid, 0)
rpki.log.trace()
if status != 0:
raise rpki.exceptions.SubprocessError, "CMS signing command returned status 0x%x" % status
rpki.log.trace()
f = open(signed_filename, "r")
cms = f.read()
f.close()
rpki.log.trace()
os.unlink(key_filename)
os.unlink(signer_filename)
os.unlink(certfile_filename)
os.unlink(plaintext_filename)
os.unlink(signed_filename)
rpki.log.trace()
if debug >= 2:
print
print "Signed CMS:"
dumpasn1(cms)
return cms
# openssl smime -verify -inform DER -in THING.der -CAfile biz-certs/Alice-Root.cer
def verify(cms, ta):
"""Verify the signature of a chunk of CMS.
Returns the plaintext on success. If OpenSSL CLI tool reports
anything other than successful verification, we raise an exception.
"""
if debug >= 2:
print
print "Verifying CMS:"
dumpasn1(cms)
mypid = str(os.getpid())
ta_filename = "cms.tmp." + mypid + ".ta.pem"
f = open(ta_filename, "w")
f.write(ta.get_PEM())
f.close()
i,o,e = os.popen3(("openssl", "smime", "-verify", "-inform", "DER", "-binary", "-CAfile", ta_filename))
i.write(cms)
i.close()
plaintext = o.read()
o.close()
status = e.read()
e.close()
os.unlink(ta_filename)
if status == "Verification successful\n":
return plaintext
else:
if debug >= 1:
print "CMS verification failed, dumping inputs:"
print
print "TA:"
dumpasn1(ta.get_DER())
print
print "CMS:"
dumpasn1(cms)
raise rpki.exceptions.CMSVerificationFailed, "CMS verification failed with status %s" % status
def xml_verify(cms, ta):
"""Composite routine to verify CMS-wrapped XML."""
val = lxml.etree.fromstring(verify(cms, ta))
return val
def xml_sign(elt, key, certs, encoding = "us-ascii"):
"""Composite routine to sign CMS-wrapped XML."""
val = sign(lxml.etree.tostring(elt, pretty_print = True, encoding = encoding, xml_declaration = True),
key, certs)
return val
def dumpasn1(thing):
"""Prettyprint an ASN.1 DER object using cryptlib dumpasn1 tool.
Use a temporary file rather than popen4() because dumpasn1 uses
seek() when decoding ASN.1 content nested in OCTET STRING values.
"""
fn = "dumpasn1.tmp"
try:
f = open(fn, "w")
f.write(thing)
f.close()
f = os.popen("dumpasn1 2>&1 -a " + fn)
print "\n".join(x for x in f.read().splitlines() if x.startswith(" "))
f.close()
finally:
os.unlink(fn)
|
