ó
Éec@@sodZd
dl
mZ
d
dlZd
dlZd
dlZd
dlmZ
d
dlm	Z	
d
dl
mZ
d
dlm
Z

d
dlmZ
d
d	lmZ
d
d
lmZ
d
dlmZ
d
dlmZ
d
d
lmZ
d
dlZd
dlZd
dlZd
dlmZ
d
dlmZ
d
dlmZ
d
dlm Z m!Z!
d
dlm"Z"
ej#e$ƒ
Z%ej&j'Z'dd„
Z)dd„
Z*dd„
Z+dd„
Z,dd„
Z-d„Z.d„Z/d„Z0dd„
Z1d„Z2d„Z3d„Z4d „Z5d!„Z6d"„Z7d#„Z8d$„Z9d%„Z:dd&„
Z;dd'„
Z<d(„Z=d)„Z>d*„Z?dd+„
Z@d,„ZAdS(-szWrappers around standard crypto data elements.

Includes root and intermediate CAs, SSH key_pairs and x509 certificates.

i(
tabsolute_importN(
t
exceptions(
tbackends(
tpadding(
thashes(
t
serialization(
tx509(
tprocessutils(
tlog(
texcutils(
t	fileutils(
tcontext(
tdb(
t	exception(t
_t_LE(
tutilsc

C@s8tj
jr.|r.tjjtj
jd
|ƒStj
jS(Ntprojects(tCONFtcryptotuse_project_catostpathtjointca_path(
t
project_id((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyt	ca_folder*s


c

C@stj
jt|ƒ
tjjƒS(
N(RRRRRRtca_file(
R((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyR0s
c

C@stj
jt|ƒ
tjjƒS(
N(RRRRRRtkey_file(
R((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytkey_path4s
c

C@stj
jt|ƒ
tjjƒS(
N(RRRRRRtcrl_file(
R((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytcrl_path8s
c
C@sntj
jsd}nt|ƒ
}
tjj|
ƒ
sHtj	d
|ƒ
‚
nt
|
dƒ}|jƒSWdQXdS(Ntprojectt
r(RRRtNoneRRRtexistsR
tCryptoCAFileNotFoundtopentread(Rtca_file_pathtcafile((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytfetch_ca<s

	




cC@sxtƒ}t
jjtƒƒ
stt
jjt
jjt
jjtƒ
d
dƒƒ
}
t	j
|ƒ

tjd|
d|ƒ

ndS(s Ensure the CA filesystem exists.tCAsgenrootca.shtshtcwdN(
RRRR#RtabspathRtdirnamet__file__R
tensure_treeRtexecute(tca_dirtgenrootca_sh_path((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytensure_ca_filesystemFs	

	
'

c
C@s
yà|jd
ƒ
}
t
j|
tjƒƒ
tj|jdƒ
dƒ
}tj	tj
ƒtjƒƒ}|j|ƒ

|jƒ}t
j|ƒ
}tjr¥|jdƒ
}ndjd„t|ddd…|ddd…ƒDƒ
ƒ
SWn)tk
r



tjdtd	ƒ
ƒ
‚
n
XdS(
Nsutf-8t
 i
tasciit
:c
s@s|]\}
}|
|V
qdS(
N((t.0t
at
b((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pys	<genexpr>`sitreasonsfailed to generate fingerprint(tencodeRtload_ssh_public_keyRtdefault_backendtbase64t	b64decodetsplitRtHashtMD5tupdatetfinalizetbinasciithexlifytsixtPY3tdecodeRtzipt	ExceptionR
tInvalidKeypairR(t
public_keyt	pub_bytestpub_datatdigesttmd5hashtraw_fp((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytgenerate_fingerprintQs









	

>


	
c
C@sõy³t|t
jƒr'|jd
ƒ
}ntj|tjƒƒ}
tj	|
j
tjƒƒ
ƒ
}t
j
rx|jdƒ
}ndjd„t|ddd…|ddd…ƒDƒ
ƒ
SWn;tttjfk
rð
}
tjdtdƒ
|ƒ
‚
n
XdS(	Nsutf-8R6R7c
s@s|]\}
}|
|V
qdS(
N((R8R9R:((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pys	<genexpr>osii
R;s6failed to generate X509 fingerprint. Error message: %s(t
isinstanceRHt	text_typeR<Rtload_pem_x509_certificateRR>RFRGtfingerprintRtSHA1RIRJRRKt
ValueErrort	TypeErrortErrorR
RMR(tpem_keytcertRStex((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytgenerate_x509_fingerprintfs






	

>

	
	
ic
C@sltj
j|ƒ
}
tjƒ}|
j|ƒ

|jƒ}d
|
jƒ|
jƒf}t	|ƒ
}|||fS(Ns%s %s Generated-by-Nova(
tparamikotRSAKeytgenerateRHtStringIOtwrite_private_keytgetvaluetget_namet
get_base64RT(tbitstkeytkeyouttprivate_keyRNRX((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytgenerate_key_pairvs







c
C@sntj
jsd}nt|ƒ
}
tjj|
ƒ
sHtj	d
|ƒ
‚
nt
|
dƒ}|jƒSWdQXdS(sGet crl file for project.R R!N(RRRR"RRRR#R
tCryptoCRLFileNotFoundR%R&(Rt
crl_file_pathtcrlfile((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyt	fetch_crl€s
	




cC@sÍt|ƒ
}t
jj|ƒ
s3tjd
|ƒ
‚
nt|dƒ}|jƒ}WdQXy5tj	|dtjƒƒ}|j
|
tjƒƒSWn:tttjfk
rÈ
}
tjdtj|ƒ
ƒ
‚
n
XdS(NRtrbR;(RRRR#R
tProjectNotFoundR%R&Rtload_pem_private_keyR"RR>tdecryptRtPKCS1v15RZR[R
tUnsupportedAlgorithmtDecryptionFailureRHRV(Rttexttprivate_key_filet
ftdatatpriv_keytexc((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytdecrypt_text‹s










cC@sšt|
t
jƒr$|
jd
ƒ
}
nyA|jd
ƒ
}tj|tjƒƒ}|j|
t	j
ƒƒSWn.tk
r•
}
tj
dt
j|ƒ
ƒ
‚
n
XdS(s_Encrypt text with an ssh public key.

    If text is a Unicode string, encode it to UTF-8.
    sutf-8R;N(RURHRVR<RR=RR>tencryptRRvRLR
tEncryptionFailure(tssh_public_keyRyROtpub_keyR~((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytssh_encrypt_text™s







cC@s¬y]tj
d
dddd|
dt|ƒ
ƒ

tj
d
dddddtjjdt|ƒ
ƒ

WnHtk
r‚


tjd	|ƒ
‚
n&t	j
k
r§


tjd	|ƒ
‚
n
Xd
S(sRevoke a cert by file name.topenssltcas-configs
./openssl.cnfs-revokeR,s-gencrls-outRN(RR1RRRRtOSErrorR
RsRtProcessExecutionErrortRevokeCertFailure(Rt	file_name((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytrevoke_cert©s


 




c
C@sBtj
ƒ}
x/tj|
|ƒD]}t|d
|dƒ
qWdS(sRevoke all user certs.RRŠN(Rtget_admin_contextRtcertificate_get_all_by_userR‹(tuser_idtadminR^((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytrevoke_certs_by_user·s

c
C@sBtj
ƒ}
x/tj|
|ƒD]}t|d
|dƒ
qWdS(sRevoke all project certs.RRŠN(RRŒRtcertificate_get_all_by_projectR‹(RRR^((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytrevoke_certs_by_project¾s

cC@sEtj
ƒ}x2tj|||
ƒD]}t|d
|dƒ
q"WdS(s!Revoke certs for user in project.RRŠN(RRŒRt'certificate_get_all_by_user_and_projectR‹(RŽRRR^((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyt revoke_certs_by_user_and_projectÇs


c

C@stj
j|tjƒfS(
s%Helper to generate user cert subject.(RRtproject_cert_subjectRtisotime(
R((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyt_project_cert_subjectÏscC@stj
j|
|tjƒfS(
s%Helper to generate user cert subject.(RRtuser_cert_subjectRR–(RŽR((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyt_user_cert_subjectÔs
cC@s^
t||
ƒ}t
jƒÒ}tjjtjj|d
ƒƒ
}tjjtjj|dƒƒ
}t
jddd|t|ƒ
ƒ
t
jdddd|d|d	d
|ƒ

t	|ƒ
}|j
ƒ}WdQXt	|ƒ
}|j
ƒ}	WdQXWdQXt|	|
ƒ\}
}tjjt|
ƒ
d|
ƒ}i|d
6|
d6|d6}
t
jtjƒ|
ƒ
||fS(s-Generate and sign a cert for user in project.stemp.keystemp.csrR…tgenrsas-outtreqs-news-keys-batchs-subjNsnewcerts/%s.pemRŽRRŠ(R™RttempdirRRR-RR1tstrR%R&tsign_csrRRtcertificate_createRRŒ(RŽRRitsubjectttmpdirtkeyfiletcsrfileR{Rltcsrtserialt
signed_csrtfnameR^((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytgenerate_x509_certÚs$
!
!














cC@sO
d
|}d|}tj
ƒ 
}tjjtjj|dƒƒ
}tjjtjj|dƒƒ
}t||ƒ
tjddddd	d
d|dd
|
ddd|d|dddtƒ
\}}tjdddd|ddd|dtƒ\}	}t	j
|	ƒ
}
t|ƒ
}tj
r<
|
jdƒ
}
|jdƒ
}nWdQX|
||fS(s:Generate a cert for passwordless auth for user in project.s/CN=%ss%s@localhoststemp.keys	temp.confR…R›s-x509s-nodess-dayst3650s-configs-newkeysrsa:%ss-outformtPEMs-keyouts-subjs-extensionst
v3_req_clienttbinarytpkcs12s-exports-inkeys	-passwordspass:t
process_inputR6sutf-8N(RRœRRR-Rt_create_x509_openssl_configR1tTrueR?t	b64encodeR`RHRIRJ(RŽRiR tupnR¡R¢tconffiletcertificatet_errtoutRlRX((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytgenerate_winrm_x509_certòs,



!
!




	





	

cC@s3d
}t|dƒ}|j
||
ƒ

WdQXdS(Ns®distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:%s
t
w(R%twrite(R³R²tcontenttfile((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyR¯
s

c
C@sttj
jt|ƒ
ƒ
sptj
jtj
jtj
jtƒ
d
dƒƒ
}
tj	d|
|t
|ƒ
dtƒƒ

ndS(NR*sgeninter.shR+R,(RRR#RR-RR.R/RR1R—R(Rtgeninter_sh_path((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyt_ensure_project_folder
s


	
'

c
C@s²t|ƒ
}
t
jj|
d
ƒ}t
jj|
dƒ}t
jj|ƒ
rLdStd|dƒ\}}t|dƒ}|j|ƒ

WdQXt|dƒ}|j|ƒ

WdQXdS(Ns
server.keys
server.crtsproject-vpniR¸(RRRRR#R¨R%R¹(Rtproject_foldertkey_fntcrt_fnRjR¤R¢tcrtfile((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pytgenerate_vpn_files%
s







cC@sHtj
jsd}
n|
s+t|tƒƒSt|
ƒ

t|t|
ƒ
ƒS(
N(RRRR"t	_sign_csrRR½(tcsr_textR((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyRž8
s

	




c
C@sY
tj
ƒG
}tjj|d
ƒ}tjj|dƒ}y)t|dƒ}|j|ƒ

WdQXWn7tk
r›


tj	ƒ
t
jtdƒ
ƒ

WdQXn
Xt
j
d|
ƒ
tj|
ƒ

tjdddd	|d
dd|d
|
ƒ	

tjddd|ddd
|
ƒ
\}}|jdƒ
djƒ}t|dƒ}	||	jƒfSWdQXWdQXdS(Nsinbound.csrsoutbound.csrR¸sFailed to write inbound.csrsFlags path: %sR…R†s-batchs-outs-configs
./openssl.cnfs-infilesR,Rs-ins-serials-nooutt
=iR!(RRœRRRR%R¹tIOErrorR	tsave_and_reraise_exceptiontLOGR
RtdebugR
R0R1t
rpartitiontstripR&(
RÄRR¡tinboundtoutboundR£R¶RµR¥RÁ((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyRÃA
s$
















(Bt__doc__t
__future__RR?RFRtcryptographyR
tcryptography.hazmatRt)cryptography.hazmat.primitives.asymmetricRtcryptography.hazmat.primitivesRRRtoslo_concurrencyRtoslo_logRtloggingt
oslo_utilsR	R
RaRHt
dmapi.conftdmapiRRR
t
dmapi.i18nRRRt	getLoggert__name__RÈtconfRR"RRRRR)R4RTR`RmRqRR„R‹RR’R”R—R™R¨R·R¯R½RÂRžRÃ(((s0/usr/lib/python2.7/dist-packages/dmapi/crypto.pyt<module>sb