From bb2e7708ab80d13faf7b36a1f05999ce8496e6ef Mon Sep 17 00:00:00 2001 From: Danny Hermes Date: Wed, 14 Jan 2015 17:02:21 -0800 Subject: [PATCH] Adding protected method to convert PKCS12 key to PEM. --- oauth2client/crypt.py | 34 +++++++++++++++++++++++++++- tests/test_jwt.py | 52 ++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 84 insertions(+), 2 deletions(-) diff --git a/oauth2client/crypt.py b/oauth2client/crypt.py index 1c5748e..f877de1 100644 --- a/oauth2client/crypt.py +++ b/oauth2client/crypt.py @@ -137,7 +137,6 @@ try: password = password.encode('utf-8') pkey = crypto.load_pkcs12(key, password).get_privatekey() return OpenSSLSigner(pkey) - except ImportError: OpenSSLVerifier = None OpenSSLSigner = None @@ -287,6 +286,39 @@ def _parse_pem_key(raw_key_input): return raw_key_input[offset:] +def private_key_as_pem(private_key_text, private_key_password=None): + """Convert the contents of a key to PEM. + + First tries to determine if the current key is PEM, then tries to + use OpenSSL to convert from PKCS12 to PEM. + + Args: + private_key_text: String. Private key. + private_key_password: Optional string. Password for PKCS12. + + Returns: + String. PEM contents of ``private_key_text``. + + Raises: + ImportError: If key is PKCS12 and OpenSSL is not installed. + """ + decoded_body = base64.b64decode(private_key_text) + pem_contents = _parse_pem_key(decoded_body) + if pem_contents is None: + if OpenSSLVerifier is None or OpenSSLSigner is None: + raise ImportError('OpenSSL not installed. Required to convert ' + 'PKCS12 key to PEM.') + + if isinstance(private_key_password, six.string_types): + private_key_password = private_key_password.encode('ascii') + + pkcs12 = crypto.load_pkcs12(decoded_body, private_key_password) + pem_contents = crypto.dump_privatekey(crypto.FILETYPE_PEM, + pkcs12.get_privatekey()) + + return pem_contents + + def _urlsafe_b64encode(raw_bytes): if isinstance(raw_bytes, six.text_type): raw_bytes = raw_bytes.encode('utf-8') diff --git a/tests/test_jwt.py b/tests/test_jwt.py index a2cd37d..7d09b6d 100644 --- a/tests/test_jwt.py +++ b/tests/test_jwt.py @@ -23,19 +23,21 @@ Unit tests for oauth2client. __author__ = 'jcgregorio@google.com (Joe Gregorio)' import os +import mock import sys import tempfile import time import unittest from .http_mock import HttpMockSequence -from oauth2client import crypt +from oauth2client import client from oauth2client.client import Credentials from oauth2client.client import SignedJwtAssertionCredentials from oauth2client.client import VerifyJwtTokenError from oauth2client.client import verify_id_token from oauth2client.client import HAS_OPENSSL from oauth2client.client import HAS_CRYPTO +from oauth2client import crypt from oauth2client.file import Storage @@ -47,6 +49,7 @@ def datafile(filename): class CryptTests(unittest.TestCase): + def setUp(self): self.format = 'p12' self.signer = crypt.OpenSSLSigner @@ -185,6 +188,51 @@ class CryptTests(unittest.TestCase): self._check_jwt_failure(jwt, 'Wrong recipient') +class Test_crypt_private_key_as_pem(unittest.TestCase): + + def _make_signed_jwt_creds(self, private_key_file='privatekey.p12', + private_key=None): + private_key = private_key or datafile(private_key_file) + return SignedJwtAssertionCredentials( + 'some_account@example.com', + private_key, + scope='read+write', + sub='joe@example.org') + + def test_succeeds(self): + self.assertEqual(True, HAS_OPENSSL) + + credentials = self._make_signed_jwt_creds() + pem_contents = crypt.private_key_as_pem( + credentials.private_key, + private_key_password=credentials.private_key_password) + + private_key_as_pem = datafile('pem_from_pkcs12.pem') + private_key_as_pem = crypt._parse_pem_key(private_key_as_pem) + self.assertEqual(pem_contents, private_key_as_pem) + + def test_without_openssl(self): + credentials = self._make_signed_jwt_creds() + with mock.patch('oauth2client.crypt.OpenSSLSigner', None): + self.assertRaises(ImportError, crypt.private_key_as_pem, + credentials.private_key, + private_key_password=credentials.private_key_password) + + def test_with_pem_key(self): + credentials = self._make_signed_jwt_creds(private_key_file='privatekey.pem') + pem_contents = crypt.private_key_as_pem( + credentials.private_key, + private_key_password=credentials.private_key_password) + expected_pem_key = datafile('privatekey.pem') + self.assertEqual(pem_contents, expected_pem_key) + + def test_with_nonsense_key(self): + credentials = self._make_signed_jwt_creds(private_key=b'NOT_A_KEY') + self.assertRaises(crypt.crypto.Error, crypt.private_key_as_pem, + credentials.private_key, + private_key_password=credentials.private_key_password) + + class PEMCryptTestsPyCrypto(CryptTests): def setUp(self): self.format = 'pem' @@ -291,6 +339,7 @@ class PEMSignedJwtAssertionCredentialsPyCryptoTests( class PKCSSignedJwtAssertionCredentialsPyCryptoTests(unittest.TestCase): + def test_for_failure(self): crypt.Signer = crypt.PyCryptoSigner private_key = datafile('privatekey.p12') @@ -311,5 +360,6 @@ class TestHasOpenSSLFlag(unittest.TestCase): self.assertEqual(True, HAS_OPENSSL) self.assertEqual(True, HAS_CRYPTO) + if __name__ == '__main__': unittest.main()