3

ÿn‚a«0ã@sè
dZd
dl
mZ
d
dlZd
dlZd
dlZd
dlmZ
d
dlm	Z	
d
dl
mZ
d
dlm
Z

d
dlmZ
d
d	lmZ
d
d
lmZ
d
dlmZ
d
dlmZ
d
d
lmZ
d
dlZd
dlZd
dlZd
dlmZ
d
dlmZ
d
dlmZ
d
dlm Z m!Z!
d
dlm"Z"
ej#e$ƒ
Z%ej&j'Z'dFdd„
Z(dGdd„
Z)dHdd„
Z*dIdd„
Z+dJdd„
Z,dd„Z-dd „Z.d!d"„Z/dKd$d%„
Z0d&d'„Z1d(d)„Z2d*d+„Z3d,d-„Z4d.d/„Z5d0d1„Z6d2d3„Z7d4d5„Z8d6d7„Z9dLd8d9„
Z:dMd:d;„
Z;d<d=„Z<d>d?„Z=d@dA„Z>dNdBdC„
Z?dDdE„Z@dS)OzzWrappers around standard crypto data elements.

Includes root and intermediate CAs, SSH key_pairs and x509 certificates.

é)
Úabsolute_importN)
Ú
exceptions)
Úbackends)
Úpadding)
Úhashes)
Ú
serialization)
Úx509)
Úprocessutils)
Úlog)
Úexcutils)
Ú	fileutils)
Úcontext)
Údb)
Ú	exception)Ú
_Ú_LE)
Úutilsc

Cs(tj
jr |r tjjtj
jd
|ƒStj
jS)NZprojects)ÚCONFÚcryptoÚuse_project_caÚosÚpathÚjoinÚca_path)
Ú
project_id©rú/usr/lib/python3.6/crypto.pyÚ	ca_folder*s


rc

Cstj
jt|ƒ
tjjƒS)
N)rrrrrrZca_file)
rrrrr0s
rc

Cstj
jt|ƒ
tjjƒS)
N)rrrrrrZkey_file)
rrrrÚkey_path4s
rc

Cstj
jt|ƒ
tjjƒS)
N)rrrrrrÚcrl_file)
rrrrÚcrl_path8s
r c
	CsJtj
jsd}t|ƒ
}
tjj|
ƒ
s,tj|d

‚
t	|
dƒ
}|j
ƒSQRXdS)N)
ÚprojectÚ
r)rrrrrrÚexistsrZCryptoCAFileNotFoundÚopenÚread)rZca_file_pathZcafilerrrÚfetch_ca<s






r&cCsRtƒ}t
jjtƒƒ
sNt
jjt
jjt
jjtƒ
d
dƒƒ
}
t	j
|ƒ

tjd|
|d
dS)z Ensure the CA filesystem exists.ÚCAzgenrootca.shÚsh)
ÚcwdN)
rrrr#rÚabspathrÚdirnameÚ__file__rÚensure_treerÚexecute)Zca_dirZgenrootca_sh_pathrrrÚensure_ca_filesystemFs




r/c
CsÆyœ|jd
ƒ
}
t
j|
tjƒƒ
tj|jdƒ
dƒ
}tj	tj
ƒtjƒƒ}|j|ƒ

|jƒ}t
j|ƒ
}tjrp|jdƒ
}djdd„t|ddd…|ddd…ƒDƒ
ƒ
Stk
rÀ


tjtd	ƒ
d

‚
YnXdS)Nzutf-8ú
 é
Úasciiú
:c
ss|]\}
}|
|V
qdS)
Nr)Ú.0Ú
aÚ
brrrú	<genexpr>`sz'generate_fingerprint.<locals>.<genexpr>ézfailed to generate fingerprint)
Úreason)ÚencoderÚload_ssh_public_keyrÚdefault_backendÚbase64Z	b64decodeÚsplitrZHashZMD5ÚupdateÚfinalizeÚbinasciiÚhexlifyÚsixÚPY3ÚdecoderÚzipÚ	ExceptionrÚInvalidKeypairr)Ú
public_keyÚ	pub_bytesZpub_dataZdigestZmd5hashÚraw_fprrrÚgenerate_fingerprintQs














.


rLc
Cs¼yxt|t
jƒr|jd
ƒ
}tj|tjƒƒ}
tj	|
j
tjƒƒ
ƒ
}t
j
rL|jdƒ
}djdd„t|ddd…|ddd…ƒDƒ
ƒ
Stttjfk
r¶
}
ztjtdƒ
|d	
‚
WYdd}~XnXdS)
Nzutf-8r2r3c
ss|]\}
}|
|V
qdS)
Nr)r4r5r6rrrr7osz,generate_x509_fingerprint.<locals>.<genexpr>r8r1z6failed to generate X509 fingerprint. Error message: %s)
r9)Ú
isinstancerCÚ	text_typer:rZload_pem_x509_certificaterr<rArBÚfingerprintrZSHA1rDrErrFÚ
ValueErrorÚ	TypeErrorÚErrorrrHr)Zpem_keyÚcertrKZexrrrÚgenerate_x509_fingerprintfs










.



rTéc
CsLtj
j|ƒ
}
tjƒ}|
j|ƒ

|jƒ}d
|
jƒ|
jƒf}t	|ƒ
}|||fS)Nz%s %s Generated-by-Nova)
ÚparamikoZRSAKeyZgeneraterCÚStringIOZwrite_private_keyÚgetvalueZget_nameZ
get_base64rL)ÚbitsÚkeyZkeyoutÚprivate_keyrIrOrrrÚgenerate_key_pairvs







r\c
	CsJtj
jsd
}t|ƒ
}
tjj|
ƒ
s,tj|d
‚
t	|
dƒ
}|j
ƒSQRXd
S)zGet crl file for project.N)
r!r")rrrr rrr#rZCryptoCRLFileNotFoundr$r%)rZ
crl_file_pathZcrlfilerrrÚ	fetch_crl€s





r]cCs¢t|ƒ
}t
jj|ƒ
s tj|d

‚
t|dƒ}|jƒ}WdQRXy"tj	|dt
jƒƒ}|j|
t
jƒƒStttjfk
rœ
}
ztjtj|ƒ
d
‚
WYdd}~XnXdS)N)
rÚrb)
r9)rrrr#rÚProjectNotFoundr$r%rZload_pem_private_keyrr<ZdecryptrÚPKCS1v15rPrQrZUnsupportedAlgorithmZDecryptionFailurerCrN)rÚtextZprivate_key_fileÚ
fÚdataZpriv_keyÚexcrrrÚdecrypt_text‹s










recCszt|
t
jƒr|
jd
ƒ
}
y*|jd
ƒ
}tj|tjƒƒ}|j|
t	j
ƒƒStk
rt
}
ztj
t
j|ƒ
d
‚
WYdd}~XnXdS)z_Encrypt text with an ssh public key.

    If text is a Unicode string, encode it to UTF-8.
    zutf-8)
r9N)rMrCrNr:rr;rr<Zencryptrr`rGrZEncryptionFailure)Zssh_public_keyrarJZpub_keyrdrrrÚssh_encrypt_text™s









rfcCsˆyBtj
d
dddd|
t|ƒ
d
tj
d
dddddtjjt|ƒ
d
Wn@tk
rb


tj|d	
‚
Yn"t	j
k
r‚


tj|d	
‚
YnXd
S)zRevoke a cert by file name.ÚopensslÚcaz-configz
./openssl.cnfz-revoke)
r)z-gencrlz-out)
rN)rr.rrrrÚOSErrorrr_r	ZProcessExecutionErrorZRevokeCertFailure)rÚ	file_namerrrÚrevoke_cert©s






rkc
Cs4tj
ƒ}
x&tj|
|ƒD]}t|d
|dƒ
qWdS)zRevoke all user certs.rrjN)r
Úget_admin_contextrZcertificate_get_all_by_userrk)Úuser_idÚadminrSrrrÚrevoke_certs_by_user·s

roc
Cs4tj
ƒ}
x&tj|
|ƒD]}t|d
|dƒ
qWdS)zRevoke all project certs.rrjN)r
rlrZcertificate_get_all_by_projectrk)rrnrSrrrÚrevoke_certs_by_project¾s

rpcCs6tj
ƒ}x(tj|||
ƒD]}t|d
|dƒ
qWdS)z!Revoke certs for user in project.rrjN)r
rlrZ'certificate_get_all_by_user_and_projectrk)rmrrnrSrrrÚ revoke_certs_by_user_and_projectÇs


rqc

Cstj
j|tjƒfS)
z%Helper to generate user cert subject.)rrZproject_cert_subjectrÚisotime)
rrrrÚ_project_cert_subjectÏsrscCstj
j|
|tjƒfS)
z%Helper to generate user cert subject.)rrZuser_cert_subjectrrr)rmrrrrÚ_user_cert_subjectÔs

rtcCsüt||
ƒ}t
jƒœ}tjjtjj|d
ƒƒ
}tjjtjj|dƒƒ
}t
jddd|t|ƒ
ƒ
t
jdddd|d|d	d
|ƒ

t	|ƒ
}|j
ƒ}WdQRXt	|ƒ
}|j
ƒ}	WdQRXWdQRXt|	|
ƒ\}
}tjjt|
ƒ
d|
ƒ}||
|d
œ}
t
jtjƒ|
ƒ
||fS)z-Generate and sign a cert for user in project.ztemp.keyztemp.csrrgZgenrsaz-outÚreqz-newz-keyz-batchz-subjNznewcerts/%s.pem)rmrrj)rtrÚtempdirrrr*rr.Ústrr$r%Úsign_csrrrZcertificate_creater
rl)rmrrYÚsubjectÚtmpdirÚkeyfileÚcsrfilerbr[ÚcsrÚserialZ
signed_csrZfnamerSrrrÚgenerate_x509_certÚs$


















rcCsèd
|}d|}tj
ƒÀ}tjjtjj|dƒƒ
}tjjtjj|dƒƒ
}t||ƒ
tjddddd	d
d|dd
|
ddd|d|dddd\}}tjdddd|dd|dd	\}	}tj	|	ƒ
}
t
|ƒ
}tjrÔ|
j
dƒ
}
|j
dƒ
}WdQRX|
||fS)z:Generate a cert for passwordless auth for user in project.z/CN=%sz%s@localhostztemp.keyz	temp.confrgruz-x509z-nodesz-daysZ3650z-configz-newkeyzrsa:%sz-outformZPEMz-keyoutz-subjz-extensionsZ
v3_req_clientT)
ÚbinaryZpkcs12z-exportz-inkeyz	-passwordzpass:)Z
process_inputr€r2zutf-8N)rrvrrr*rÚ_create_x509_openssl_configr.r=Z	b64encoderTrCrDrE)rmrYryÚupnrzr{ÚconffileZcertificateÚ_errÚoutr[rOrrrÚgenerate_winrm_x509_certòs,



















r†c
Cs,d
}t|dƒ}|j
||
ƒ

WdQRXdS)Nz®distinguished_name  = req_distinguished_name
[req_distinguished_name]
[v3_req_client]
extendedKeyUsage = clientAuth
subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:%s
Ú
w)r$Úwrite)rƒr‚ZcontentÚfilerrrr
s

rc
CsNtj
jt|ƒ
ƒ
sJtj
jtj
jtj
jtƒ
d
dƒƒ
}
tj	d|
|t
|ƒ
tƒd
dS)Nr'zgeninter.shr()
r))rrr#rr*rr+r,rr.rsr)rZgeninter_sh_pathrrrÚ_ensure_project_folder
s






rŠc
Csˆt|ƒ
}
t
jj|
d
ƒ}t
jj|
dƒ}t
jj|ƒ
r4dStd|dƒ\}}t|dƒ}|j|ƒ

WdQRXt|dƒ}|j|ƒ

WdQRXdS)Nz
server.keyz
server.crtzproject-vpnir‡)rrrrr#rr$rˆ)rZproject_folderZkey_fnZcrt_fnrZr}r{ÚcrtfilerrrÚgenerate_vpn_files%
s







rŒcCs2tj
jsd}
|
st|tƒƒSt|
ƒ

t|t|
ƒ
ƒS)
N)rrrÚ	_sign_csrrrŠ)Úcsr_textrrrrrx8
s





rxc
 Cs
tj
ƒþ}tjj|d
ƒ}tjj|dƒ}y$t|dƒ}|j|ƒ

WdQRXWn6tk
r‚


tj	ƒ
t
jtdƒ
ƒ

WdQRXYnXt
j
d|
ƒ
tj|
ƒ

tjdddd	|d
dd||
d


tjddd|dd|
d
\}}|jdƒ
djƒ}t|dƒ}	||	jƒfSQRXWdQRXdS)Nzinbound.csrzoutbound.csrr‡zFailed to write inbound.csrzFlags path: %srgrhz-batchz-outz-configz
./openssl.cnfz-infiles)
r)rz-inz-serialz-nooutú
=r8r")rrvrrrr$rˆÚIOErrorrZsave_and_reraise_exceptionÚLOGrrÚdebugrr-r.Ú
rpartitionÚstripr%)
rŽrrzZinboundZoutboundr|r…r„r~r‹rrrrA
s$















r)
N)
N)
N)
N)
N)
rU)
rU)
rU)
N)AÚ__doc__Z
__future__rr=rArZcryptographyrZcryptography.hazmatrZ)cryptography.hazmat.primitives.asymmetricrZcryptography.hazmat.primitivesrrrZoslo_concurrencyr	Zoslo_logr
ZloggingZ
oslo_utilsrrrVrCZ
dmapi.confZdmapir
rrZ
dmapi.i18nrrrZ	getLoggerÚ__name__r‘Zconfrrrrr r&r/rLrTr\r]rerfrkrorprqrsrtrr†rrŠrŒrxrrrrrÚ<module>sb