çáþ\«0ã@sºdZd
dl
mZ
d
dlZd
dlZd
dlZd
dlmZ
d
dlm	Z	
d
dl
mZ
d
dlm
Z

d
dlmZ
d
d	lmZ
d
d
lmZ
d
dlmZ
d
dlmZ
d
d
lmZ
d
dlZd
dlZd
dlZd
dlmZ
d
dlmZ
d
dlmZ
d
dlm Z m!Z!
d
dlm"Z"
ej#e$ƒ
Z%ej&j'Z'ddd„
Z(ddd„
Z)ddd„
Z*ddd„
Z+ddd„
Z,dd„Z-dd „Z.d!d"„Z/d#d$d%„
Z0d&d'„Z1d(d)„Z2d*d+„Z3d,d-„Z4d.d/„Z5d0d1„Z6d2d3„Z7d4d5„Z8d6d7„Z9d#d8d9„
Z:d#d:d;„
Z;d<d=„Z<d>d?„Z=d@dA„Z>ddBdC„
Z?dDdE„Z@dS)FzzWrappers around standard crypto data elements.

Includes root and intermediate CAs, SSH key_pairs and x509 certificates.

é)
Úabsolute_importN)
Ú
exceptions)
Úbackends)
Úpadding)
Úhashes)
Ú
serialization)
Úx509)
Úprocessutils)
Úlog)
Úexcutils)
Ú	fileutils)
Úcontext)
Údb)
Ú	exception)Ú
_Ú_LE)
Úutilsc

Cs8tj
jr.|r.tjjtj
jd
|ƒStj
jS)NZprojects)ÚCONFÚcryptoÚuse_project_caÚosÚpathÚjoinÚca_path)
Ú
project_id©rú./usr/lib/python3/dist-packages/dmapi/crypto.pyÚ	ca_folder*s


rc

Cstj
jt|ƒ
tjjƒS)
N)rrrrrrZca_file)
rrrrr0s
rc

Cstj
jt|ƒ
tjjƒS)
N)rrrrrrÚkey_file)
rrrrÚkey_path4s
rc

Cstj
jt|ƒ
tjjƒS)
N)rrrrrrÚcrl_file)
rrrrÚcrl_path8s
r!c
	Csitj
jsd}t|ƒ
}
tjj|
ƒ
sBtjd
|ƒ
‚
t	|
dƒ}|j
ƒSWdQRXdS)NÚprojectÚ
r)rrrrrrÚexistsrZCryptoCAFileNotFoundÚopenÚread)rZca_file_pathÚcafilerrrÚfetch_ca<s






r(cCsutƒ}t
jjtƒƒ
sqt
jjt
jjt
jjtƒ
d
dƒƒ
}
t	j
|ƒ

tjd|
d|ƒ

dS)z Ensure the CA filesystem exists.ÚCAzgenrootca.shÚshÚcwdN)
rrrr$rÚabspathrÚdirnameÚ__file__rÚensure_treerÚexecute)Zca_dirZgenrootca_sh_pathrrrÚensure_ca_filesystemFs	

	
'

r1c
Cs
yà|jd
ƒ
}
t
j|
tjƒƒ
tj|jdƒ
dƒ
}tj	tj
ƒtjƒƒ}|j|ƒ

|jƒ}t
j|ƒ
}tjr¢|jdƒ
}djdd„t|ddd…|ddd…ƒDƒ
ƒ
SWn*tk
r



tjd	td
ƒ
ƒ
‚
Yn
XdS)Nzutf-8ú
 é
Úasciiú
:c
ss|]\}
}|
|V
qdS)
Nr)Ú.0Ú
aÚ
brrrú	<genexpr>`sz'generate_fingerprint.<locals>.<genexpr>éÚreasonzfailed to generate fingerprint)ÚencoderÚload_ssh_public_keyrÚdefault_backendÚbase64Ú	b64decodeÚsplitrZHashÚMD5ÚupdateÚfinalizeÚbinasciiÚhexlifyÚsixÚPY3ÚdecoderÚzipÚ	ExceptionrÚInvalidKeypairr)Ú
public_keyÚ	pub_bytesZpub_dataÚdigestZmd5hashÚraw_fprrrÚgenerate_fingerprintQs









	

A


	
rQc
Cs
y°t|t
jƒr$|jd
ƒ
}tj|tjƒƒ}
tj	|
j
tjƒƒ
ƒ
}t
j
rr|jdƒ
}djdd„t|ddd…|ddd…ƒDƒ
ƒ
SWnMtttjfk
rÿ
}
z!tjdtd	ƒ
|ƒ
‚
WYdd}~Xn
XdS)
Nzutf-8r4r5c
ss|]\}
}|
|V
qdS)
Nr)r6r7r8rrrr9osz,generate_x509_fingerprint.<locals>.<genexpr>r:r3r;z6failed to generate X509 fingerprint. Error message: %s)Ú
isinstancerGÚ	text_typer<rZload_pem_x509_certificaterr>rErFÚfingerprintrÚSHA1rHrIrrJÚ
ValueErrorÚ	TypeErrorÚErrorrrLr)Zpem_keyÚcertrPÚexrrrÚgenerate_x509_fingerprintfs






	

A

	
	
r[ic
Csltj
j|ƒ
}
tjƒ}|
j|ƒ

|jƒ}d
|
jƒ|
jƒf}t	|ƒ
}|||fS)Nz%s %s Generated-by-Nova)
ÚparamikoZRSAKeyZgeneraterGÚStringIOZwrite_private_keyÚgetvalueÚget_nameZ
get_base64rQ)ÚbitsÚkeyZkeyoutÚprivate_keyrMrTrrrÚgenerate_key_pairvs







rcc
	Csitj
jsd
}t|ƒ
}
tjj|
ƒ
sBtjd|ƒ
‚
t	|
dƒ}|j
ƒSWd
QRXd
S)zGet crl file for project.Nr"r#)rrrr!rrr$rZCryptoCRLFileNotFoundr%r&)rZ
crl_file_pathZcrlfilerrrÚ	fetch_crl€s





rdcCsÝt|ƒ
}t
jj|ƒ
s0tjd
|ƒ
‚
t|dƒ}|jƒ}WdQRXy5tj	|dt
jƒƒ}|j|
t
jƒƒSWnLtttjfk
rØ
}
z tjdtj|ƒ
ƒ
‚
WYdd}~Xn
XdS)NrÚrbr;)rrrr$rÚProjectNotFoundr%r&rZload_pem_private_keyrr>ZdecryptrÚPKCS1v15rVrWrZUnsupportedAlgorithmZDecryptionFailurerGrS)rÚtextZprivate_key_fileÚ
fÚdataZpriv_keyÚexcrrrÚdecrypt_text‹s










rlcCs©t|
t
jƒr!|
jd
ƒ
}
yA|jd
ƒ
}tj|tjƒƒ}|j|
t	j
ƒƒSWn@tk
r¤
}
z tj
dt
j|ƒ
ƒ
‚
WYdd}~Xn
XdS)z_Encrypt text with an ssh public key.

    If text is a Unicode string, encode it to UTF-8.
    zutf-8r;N)rRrGrSr<rr=rr>ZencryptrrgrKrZEncryptionFailure)Zssh_public_keyrhrNZpub_keyrkrrrÚssh_encrypt_text™s







rmcCs®y]tj
d
dddd|
dt|ƒ
ƒ

tj
d
dddddtjjdt|ƒ
ƒ

WnJtk
rƒ


tjd	|ƒ
‚
Yn't	j
k
r©


tjd	|ƒ
‚
Yn
Xd
S)zRevoke a cert by file name.ÚopensslÚcaz-configz
./openssl.cnfz-revoker+z-gencrlz-outrN)rr0rrrr ÚOSErrorrrfr	ZProcessExecutionErrorZRevokeCertFailure)rÚ	file_namerrrÚrevoke_cert©s


 




rrc
CsBtj
ƒ}
x/tj|
|ƒD]}t|d
|dƒ
qWdS)zRevoke all user certs.rrqN)r
Úget_admin_contextrZcertificate_get_all_by_userrr)Úuser_idÚadminrYrrrÚrevoke_certs_by_user·s

rvc
CsBtj
ƒ}
x/tj|
|ƒD]}t|d
|dƒ
qWdS)zRevoke all project certs.rrqN)r
rsrZcertificate_get_all_by_projectrr)rrurYrrrÚrevoke_certs_by_project¾s

rwcCsEtj
ƒ}x2tj|||
ƒD]}t|d
|dƒ
q"WdS)z!Revoke certs for user in project.rrqN)r
rsrZ'certificate_get_all_by_user_and_projectrr)rtrrurYrrrÚ revoke_certs_by_user_and_projectÇs


rxc

Cstj
j|tjƒfS)
z%Helper to generate user cert subject.)rrZproject_cert_subjectrÚisotime)
rrrrÚ_project_cert_subjectÏsrzcCstj
j|
|tjƒfS)
z%Helper to generate user cert subject.)rrZuser_cert_subjectrry)rtrrrrÚ_user_cert_subjectÔs
r{cCs^
t||
ƒ}t
jƒÔ}tjjtjj|d
ƒƒ
}tjjtjj|dƒƒ
}t
jddd|t|ƒ
ƒ
t
jdddd|d|d	d
|ƒ

t	|ƒ
}|j
ƒ}WdQRXt	|ƒ
}|j
ƒ}	WdQRXWdQRXt|	|
ƒ\}
}tjjt|
ƒ
d|
ƒ}d
|d|
d|i}
t
jtjƒ|
ƒ
||fS)z-Generate and sign a cert for user in project.ztemp.keyztemp.csrrnZgenrsaz-outÚreqz-newz-keyz-batchz-subjNznewcerts/%s.pemrtrrq)r{rÚtempdirrrr,rr0Ústrr%r&Úsign_csrrrZcertificate_creater
rs)rtrr`ÚsubjectÚtmpdirÚkeyfileÚcsrfilerirbÚcsrÚserialZ
signed_csrÚfnamerYrrrÚgenerate_x509_certÚs$
!
!












r‡cCsM
d
|}d|}tj
ƒ
}tjjtjj|dƒƒ
}tjjtjj|dƒƒ
}t||ƒ
tjddddd	d
d|dd
|
ddd|d|ddddƒ
\}}tjdddd|ddd|ddƒ\}	}tj	|	ƒ
}
t
|ƒ
}tjr9
|
j
dƒ
}
|j
dƒ
}WdQRX|
||fS)z:Generate a cert for passwordless auth for user in project.z/CN=%sz%s@localhostztemp.keyz	temp.confrnr|z-x509z-nodesz-daysZ3650z-configz-newkeyzrsa:%sz-outformZPEMz-keyoutz-subjz-extensionsZ
v3_req_clientÚbinaryTZpkcs12z-exportz-inkeyz	-passwordzpass:Z
process_inputr4zutf-8N)rr}rrr,rÚ_create_x509_openssl_configr0r?Ú	b64encoder[rGrHrI)rtr`r€Úupnrr‚ÚconffileZcertificateÚ_errÚoutrbrTrrrÚgenerate_winrm_x509_certòs,



!
!




	





	

rc
Cs4d
}t|dƒ}|j
||
ƒ

WdQRXdS)Nz®distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:%s
Ú
w)r%Úwrite)rŒr‹ÚcontentÚfilerrrr‰
s

r‰c
Csqtj
jt|ƒ
ƒ
smtj
jtj
jtj
jtƒ
d
dƒƒ
}
tj	d|
|t
|ƒ
dtƒƒ

dS)Nr)zgeninter.shr*r+)rrr$rr,rr-r.rr0rzr)rZgeninter_sh_pathrrrÚ_ensure_project_folder
s


	
'

r”c
Cs´t|ƒ
}
t
jj|
d
ƒ}t
jj|
dƒ}t
jj|ƒ
rLdStd|dƒ\}}t|dƒ}|j|ƒ

WdQRXt|dƒ}|j|ƒ

WdQRXdS)Nz
server.keyz
server.crtzproject-vpnir)rrrrr$r‡r%r‘)rZproject_folderZkey_fnZcrt_fnrar„r‚ÚcrtfilerrrÚgenerate_vpn_files%
s







r–cCsEtj
jsd}
|
s(t|tƒƒSt|
ƒ

t|t|
ƒ
ƒS)
N)rrrÚ	_sign_csrrr”)Úcsr_textrrrrr8
s






rc
 Cs^
tj
ƒK
}tjj|d
ƒ}tjj|dƒ}y*t|dƒ}|j|ƒ

WdQRXWn9tk
rž


tj	ƒ
t
jtdƒ
ƒ

WdQRXYn
Xt
j
d|
ƒ
tj|
ƒ

tjdddd	|d
dd|d
|
ƒ	

tjddd|ddd
|
ƒ
\}}|jdƒ
djƒ}t|dƒ}	||	jƒfSWdQRXWdQRXdS)Nzinbound.csrzoutbound.csrrzFailed to write inbound.csrzFlags path: %srnroz-batchz-outz-configz
./openssl.cnfz-infilesr+rz-inz-serialz-nooutú
=r:r#)rr}rrrr%r‘ÚIOErrorrZsave_and_reraise_exceptionÚLOGrrÚdebugrr/r0Ú
rpartitionÚstripr&)
r˜rrZinboundZoutboundrƒrŽrr…r•rrrr—A
s$
















r—)AÚ__doc__Ú
__future__rr?rErZcryptographyrZcryptography.hazmatrZ)cryptography.hazmat.primitives.asymmetricrZcryptography.hazmat.primitivesrrrZoslo_concurrencyr	Zoslo_logr
ÚloggingZ
oslo_utilsrrr\rGZ
dmapi.confÚdmapir
rrZ
dmapi.i18nrrrÚ	getLoggerÚ__name__r›Úconfrrrrr!r(r1rQr[rcrdrlrmrrrvrwrxrzr{r‡rr‰r”r–rr—rrrrÚ<module>sb