Implement signature generation functionality

Openstacksdk is extended with a signature generation functionality. This adds cryptography to the requirements and lower constraints. Change-Id: Idc15b9a12d408bd4b2e096da8402c374be56f9fa Story: 2002128 Co-Authored-By: Markus Hentsch <markus.hentsch@secustack.com>
2018-07-04 09:56:11 +02:00 · 2018-07-04 09:56:11 +02:00 · f2aeaead02
commit f2aeaead02
parent 2fa2720eeb
4 changed files with 110 additions and 0 deletions
--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@ -1,5 +1,6 @@
 appdirs==1.3.0
 coverage==4.0
+cryptography==2.1
 decorator==3.4.0
 deprecation==1.0
 dogpile.cache==0.6.2
--- a/openstack/image/image_signer.py
+++ b/openstack/image/image_signer.py
@ -0,0 +1,69 @@
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.asymmetric import utils
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+
+from openstack.image.iterable_chunked_file import IterableChunkedFile
+
+HASH_METHODS = {
+    'SHA-224': hashes.SHA224(),
+    'SHA-256': hashes.SHA256(),
+    'SHA-384': hashes.SHA384(),
+    'SHA-512': hashes.SHA512(),
+}
+
+
+class ImageSigner(object):
+    """Image file signature generator.
+
+    Generates signatures for files using a specified private key file.
+    """
+
+    def __init__(self, hash_method='SHA-256', padding_method='RSA-PSS'):
+        padding_types = {
+            'RSA-PSS': padding.PSS(
+                mgf=padding.MGF1(HASH_METHODS[hash_method]),
+                salt_length=padding.PSS.MAX_LENGTH
+            )
+        }
+        # informational attributes
+        self.hash_method = hash_method
+        self.padding_method = padding_method
+        # runtime objects
+        self.private_key = None
+        self.hash = HASH_METHODS[hash_method]
+        self.hasher = hashes.Hash(self.hash, default_backend())
+        self.padding = padding_types[padding_method]
+
+    def load_private_key(self, file_path, password=None):
+        with open(file_path, 'rb') as key_file:
+            self.private_key = serialization.load_pem_private_key(
+                key_file.read(), password=password, backend=default_backend()
+            )
+
+    def generate_signature(self, file_obj):
+        file_obj.seek(0)
+        chunked_file = IterableChunkedFile(file_obj)
+        for chunk in chunked_file:
+            self.hasher.update(chunk)
+        file_obj.seek(0)
+        digest = self.hasher.finalize()
+        signature = self.private_key.sign(
+            digest, self.padding, utils.Prehashed(self.hash)
+        )
+        return signature
--- a/openstack/image/iterable_chunked_file.py
+++ b/openstack/image/iterable_chunked_file.py
@ -0,0 +1,39 @@
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+
+class IterableChunkedFile(object):
+    """File object chunk iterator using yield.
+
+    Represents a local file as an iterable object by splitting the file
+    into chunks. Avoids the file from being completely loaded into memory.
+    """
+
+    def __init__(self, file_object, chunk_size=1024 * 1024 * 128, close=False):
+        self.close_after_read = close
+        self.file_object = file_object
+        self.chunk_size = chunk_size
+
+    def __iter__(self):
+        try:
+            while True:
+                data = self.file_object.read(self.chunk_size)
+                if not data:
+                    break
+                yield data
+        finally:
+            if self.close_after_read:
+                self.file_object.close()
+
+    def __len__(self):
+        return len(self.file_object)
--- a/requirements.txt
+++ b/requirements.txt
@ -20,3 +20,4 @@ iso8601>=0.1.11 # MIT
 netifaces>=0.10.4 # MIT

 dogpile.cache>=0.6.2 # BSD
+cryptography>=2.1 # BSD/Apache-2.0