Commit 92a7318e authored by Łukasz Nowak's avatar Łukasz Nowak

Simplify signature certificate check.

Expect a list of PEM-encoded certificate strings. Do not try to read them from
a file nor download them from the network.

Also fix a few naming errors.
parent 29ece754
...@@ -55,7 +55,7 @@ class NetworkcacheClient(object): ...@@ -55,7 +55,7 @@ class NetworkcacheClient(object):
def __init__(self, shacache, shadir, def __init__(self, shacache, shadir,
signature_private_key_file=None, signature_private_key_file=None,
signature_certificate_file_list=None): signature_certificate_list=None):
''' Set the initial values. ''' ''' Set the initial values. '''
# ShaCache Properties # ShaCache Properties
for k, v in self.parseUrl(shacache).iteritems(): for k, v in self.parseUrl(shacache).iteritems():
...@@ -68,16 +68,7 @@ class NetworkcacheClient(object): ...@@ -68,16 +68,7 @@ class NetworkcacheClient(object):
setattr(self, 'shadir_%s' % k, v) setattr(self, 'shadir_%s' % k, v)
self.signature_private_key_file = signature_private_key_file self.signature_private_key_file = signature_private_key_file
self.signature_certificate_list = signature_certificate_list
self.signature_certificate_file_list = []
self.signature_certificate_url_list = []
if signature_certificate_file_list is not None:
# Split the path and urls
for value in signature_certificate_file_list:
if os.path.exists(value):
self.signature_certificate_file_list.append(value)
elif value.startswith('http'):
self.signature_certificate_url_list.append(value)
def upload(self, file_descriptor, key=None, urlmd5=None, file_name=None, def upload(self, file_descriptor, key=None, urlmd5=None, file_name=None,
valid_until=None, architecture=None): valid_until=None, architecture=None):
...@@ -154,11 +145,11 @@ class NetworkcacheClient(object): ...@@ -154,11 +145,11 @@ class NetworkcacheClient(object):
headers=self.shadir_header_dict) headers=self.shadir_header_dict)
return urllib2.urlopen(request) return urllib2.urlopen(request)
def select(self, urlmd5): def select(self, key):
''' Download a file from shacache by selecting the entry in shadir ''' Download a file from shacache by selecting the entry in shadir
Raise DirectoryNotFound if multiple files are found. Raise DirectoryNotFound if multiple files are found.
''' '''
url = os.path.join(self.shadir_url, urlmd5) url = os.path.join(self.shadir_url, key)
file_descriptor = tempfile.NamedTemporaryFile() file_descriptor = tempfile.NamedTemporaryFile()
request = urllib2.Request(url=url, data=None, request = urllib2.Request(url=url, data=None,
headers=self.shadir_header_dict) headers=self.shadir_header_dict)
...@@ -166,16 +157,15 @@ class NetworkcacheClient(object): ...@@ -166,16 +157,15 @@ class NetworkcacheClient(object):
# Filtering... # Filtering...
data_list = json.loads(data) data_list = json.loads(data)
if self.signature_certificate_file_list or \ if self.signature_certificate_list is not None:
self.signature_certificate_url_list: data_list = filter(lambda x: self._verifySignatureInCertificateList(
method = self._verifySignatureInCertificateList x[1]), data_list)
data_list = filter(lambda x: method(x[1]), data_list)
if not data_list: if not data_list:
raise DirectoryNotFound('Could not find a trustable entry.') raise DirectoryNotFound('Could not find a trustable entry.')
if len(data_list) > 1: if len(data_list) > 1:
raise DirectoryNotFound('Too many entries for a given key. ' \ raise DirectoryNotFound('Too many entries for a given key %r. ' \
'Directory: %s. Entries: %s.' % (urlmd5, str(data_list))) 'Entries: %s.' % (key, str(data_list)))
information_dict, signature = data_list[0] information_dict, signature = data_list[0]
sha512 = information_dict.get('sha512') sha512 = information_dict.get('sha512')
...@@ -185,7 +175,7 @@ class NetworkcacheClient(object): ...@@ -185,7 +175,7 @@ class NetworkcacheClient(object):
""" """
Return the signature based on certification file. Return the signature based on certification file.
""" """
if not self.signature_private_key_file: if self.signature_private_key_file is None:
return '' return ''
SignEVP = M2Crypto.EVP.load_key(self.signature_private_key_file) SignEVP = M2Crypto.EVP.load_key(self.signature_private_key_file)
...@@ -198,38 +188,27 @@ class NetworkcacheClient(object): ...@@ -198,38 +188,27 @@ class NetworkcacheClient(object):
""" """
Returns true if it can find any valid certificate or false if it does not Returns true if it can find any valid certificate or false if it does not
find any. find any.
It must check the local certificate files first before checking the files
which are available under HTTP.
""" """
for certificate_path in self.signature_certificate_file_list: for certificate in self.signature_certificate_list:
if self._verifySignatureCertificate(signature_string, certificate_path): if self._verifySignatureCertificate(signature_string, certificate):
return True return True
for certificate_url in self.signature_certificate_url_list:
file_descriptor = self._fetchCertificateFileFromUrl(certificate_url)
try:
file_name = file_descriptor.name
if self._verifySignatureCertificate(signature_string, file_name):
return True
finally:
file_descriptor.close()
return False return False
def _verifySignatureCertificate(self, signature_string, certificate_path): def _verifySignatureCertificate(self, signature_string, certificate):
""" verify if the signature is valid for a given certificate. """ """ verify if the signature is valid for a given certificate. """
PubKey = M2Crypto.X509.load_cert(certificate_path) certificate_file = tempfile.NamedTemporaryFile()
VerifyEVP = M2Crypto.EVP.PKey() certificate_file.write(certificate)
VerifyEVP.assign_rsa(PubKey.get_pubkey().get_rsa()) certificate_file.flush()
VerifyEVP.verify_init() certificate_file.seek(0)
VerifyEVP.verify_update('') try:
return VerifyEVP.verify_final(signature_string.decode('base64')) PubKey = M2Crypto.X509.load_cert(certificate_file.name)
VerifyEVP = M2Crypto.EVP.PKey()
def _fetchCertificateFileFromUrl(self, certification_file_url): VerifyEVP.assign_rsa(PubKey.get_pubkey().get_rsa())
""" Download the certification files from the url. """ VerifyEVP.verify_init()
return urllib2.urlopen(certification_file_url) VerifyEVP.verify_update('')
return VerifyEVP.verify_final(signature_string.decode('base64'))
finally:
certificate_file.close()
class DirectoryNotFound(Exception): class DirectoryNotFound(Exception):
pass pass
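Review bot: `_verifySignatureCertificate` returns the raw result of `verify_final`, and M2Crypto documents that call as returning -1 on an OpenSSL error in addition to 0 for a bad signature, so the truthiness test in `_verifySignatureInCertificateList` accepts the error case as a valid match; compare explicitly, `return VerifyEVP.verify_final(signature_string.decode('base64')) == 1`. The temporary-file round trip is unnecessary: `PubKey = M2Crypto.X509.load_cert_string(certificate)` loads a PEM string directly, so the `NamedTemporaryFile`/`flush`/`seek`/`try`/`finally` block can go. `signature_string` comes from the shadir response and each `certificate` from caller configuration, so a non-base64 signature (`binascii.Error`) or an unparsable PEM (`M2Crypto.X509.X509Error`) currently propagates out of `select()` instead of counting as an untrusted entry; the loop in `_verifySignatureInCertificateList` should catch those and `continue`, letting the existing `DirectoryNotFound` fire. Separately, `verify_update('')` means the signature is checked over the empty string and is therefore not bound to the entry's `information_dict`; whether `_getSignatureString` (its body runs past its hunk) signs anything more cannot be seen here, but if not, the signed data should be passed through and fed to `verify_update`. Also note that `is not None` in `select` now makes an empty `signature_certificate_list` reject every entry where the old `or` test skipped filtering — reasonable fail-closed behaviour, but it should be stated in `__init__`'s docstring.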