Merge "token signing support alternative message digest"

This commit is contained in:
Jenkins
2015-03-10 19:05:01 +00:00
committed by Gerrit Code Review


@@ -38,6 +38,7 @@ PKI_ASN1_PREFIX = 'MII'
PKIZ_PREFIX = 'PKIZ_' PKIZ_PREFIX = 'PKIZ_'
PKIZ_CMS_FORM = 'DER' PKIZ_CMS_FORM = 'DER'
PKI_ASN1_FORM = 'PEM' PKI_ASN1_FORM = 'PEM'
DEFAULT_TOKEN_DIGEST_ALGORITHM = 'sha256'
# The openssl cms command exits with these status codes. # The openssl cms command exits with these status codes.
@@ -198,11 +199,13 @@ def is_pkiz(token_text):
def pkiz_sign(text, def pkiz_sign(text,
signing_cert_file_name, signing_cert_file_name,
signing_key_file_name, signing_key_file_name,
compression_level=6): compression_level=6,
message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
signed = cms_sign_data(text, signed = cms_sign_data(text,
signing_cert_file_name, signing_cert_file_name,
signing_key_file_name, signing_key_file_name,
PKIZ_CMS_FORM) PKIZ_CMS_FORM,
message_digest=message_digest)
compressed = zlib.compress(signed, compression_level) compressed = zlib.compress(signed, compression_level)
encoded = PKIZ_PREFIX + base64.urlsafe_b64encode( encoded = PKIZ_PREFIX + base64.urlsafe_b64encode(
@@ -297,13 +300,15 @@ def is_ans1_token(token):
return is_asn1_token(token) return is_asn1_token(token)
def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name): def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name,
message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
return cms_sign_data(data_to_sign, signing_cert_file_name, return cms_sign_data(data_to_sign, signing_cert_file_name,
signing_key_file_name) signing_key_file_name, message_digest=message_digest)
def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name, def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
outform=PKI_ASN1_FORM): outform=PKI_ASN1_FORM,
message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
"""Uses OpenSSL to sign a document. """Uses OpenSSL to sign a document.
Produces a Base64 encoding of a DER formatted CMS Document Produces a Base64 encoding of a DER formatted CMS Document
@@ -316,7 +321,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
the data the data
:param outform: Format for the signed document PKIZ_CMS_FORM or :param outform: Format for the signed document PKIZ_CMS_FORM or
PKI_ASN1_FORM PKI_ASN1_FORM
:param message_digest: Digest algorithm to use when signing or resigning
""" """
_ensure_subprocess() _ensure_subprocess()
@@ -330,7 +335,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
'-outform', 'PEM', '-outform', 'PEM',
'-nosmimecap', '-nodetach', '-nosmimecap', '-nodetach',
'-nocerts', '-noattr', '-nocerts', '-noattr',
'-md', 'sha256', ], '-md', message_digest, ],
stdin=subprocess.PIPE, stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, stderr=subprocess.PIPE,
@@ -353,8 +358,10 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
return output return output
def cms_sign_token(text, signing_cert_file_name, signing_key_file_name): def cms_sign_token(text, signing_cert_file_name, signing_key_file_name,
output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name) message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name,
message_digest=message_digest)
return cms_to_token(output) return cms_to_token(output)
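Review bot: The new `message_digest` parameter reaches the openssl argv unvalidated at `'-md', message_digest` in cms_sign_data (hunk @@ -330,7 +335,7 @@), so a caller can select any digest OpenSSL knows, including weak ones, and nothing in this change rejects it. The list-form subprocess invocation keeps this from being a shell-injection issue, but since the digest decides the strength of every token signature it should be checked against an explicit allowlist before `_ensure_subprocess()`, e.g. `if message_digest not in ACCEPTED_TOKEN_DIGESTS: raise ValueError('unsupported message digest: %s' % message_digest)` where `ACCEPTED_TOKEN_DIGESTS` is a constructed name for a module-level set that at least holds the existing `'sha256'` default. The same unchecked value is threaded through pkiz_sign, cms_sign_text and cms_sign_token, so the check belongs in cms_sign_data where all of them converge. Only cms_sign_data's docstring gains a `:param message_digest:` line; the three wrappers that also grow the parameter carry no visible docstring update, and the trailing context of the last hunk is not shown here.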