Module x509 (ganeti.utils.x509)

Utility functions for X509.

Functions

_ParseAsn1Generalizedtime(value)
    Parses an ASN1 GENERALIZEDTIME timestamp as used by pyOpenSSL.

GetX509CertValidity(cert)
    Returns the validity period of the certificate.

_VerifyCertificateInner(expired, not_before, not_after, now, warn_days, error_days)
    Verifies certificate validity.

VerifyX509Certificate(cert, warn_days, error_days)
    Verifies a certificate for LUClusterVerify.

SignX509Certificate(cert, key, salt)
    Sign an X509 certificate.
    Returns: string

_ExtractX509CertificateSignature(cert_pem)
    Helper function to extract the signature header from a signed X509 certificate.

LoadSignedX509Certificate(cert_pem, key)
    Verifies a signed X509 certificate.
    Returns: tuple; (OpenSSL.crypto.X509, string)

GenerateSelfSignedX509Cert(common_name, validity, serial_no)
    Generates a self-signed X509 certificate.

GenerateSelfSignedSslCert(filename, serial_no, common_name=constants.X509_CERT_CN, validity=constants.X509_CERT_DEFAULT_VALIDITY, uid=-1, gid=-1)
    Legacy function to generate self-signed X509 certificate.

GenerateSignedX509Cert(common_name, validity, serial_no, signing_cert_pem)
    Generates a signed (but not self-signed) X509 certificate.

GenerateSignedSslCert(filename_cert, serial_no, filename_signing_cert, common_name=constants.X509_CERT_CN, validity=constants.X509_CERT_DEFAULT_VALIDITY, uid=-1, gid=-1)

ExtractX509Certificate(pem)
    Extracts the certificate from a PEM-formatted string.
    Returns: tuple; (OpenSSL.crypto.X509, string)

X509CertKeyCheck(cert, key)
    Returns a callable that verifies that a certificate belongs to a given private key.
    Returns: callable

CheckNodeCertificate(cert, _noded_cert_file=pathutils.NODED_CERT_FILE)
    Checks the local node daemon certificate against given certificate.
Variables

HEX_CHAR_RE = r"[a-zA-Z0-9]"
    Despite the name, this character class admits any ASCII letter or digit, not only hexadecimal digits; it bounds both the salt and the signature field of a signature header.
VALID_X509_SIGNATURE_SALT = re.compile("^%s+$" % HEX_CHAR_RE, re.S)
X509_SIGNATURE = re.compile(r"^%s:\s*(?P<salt>%s+)/(?P<sign>%s+)$" % (re.escape(constants.X509_CERT_SIGNATURE_HEADER), HEX_CHAR_RE, HEX_CHAR_RE), re.S | re.I)
X509_CERT_SIGN_DIGEST = "SHA1"
    Digest used when signing generated certificates. OpenSSL 3.0 no longer accepts SHA-1 certificate signatures at its default security level, so certificates produced with this digest may be rejected by peers running a current OpenSSL.
_ASN1_TIME_REGEX = re.compile(r"^(\d+)([-+]\d\d)(\d\d)$")
    ASN1 time regexp

Imports: time, OpenSSL, re, datetime, calendar, errno, logging, errors, constants, pathutils, utils_text, utils_io, utils_hash


Function Details

_ParseAsn1Generalizedtime(value)

Parses an ASN1 GENERALIZEDTIME timestamp as used by pyOpenSSL. GENERALIZEDTIME values have the form YYYYMMDDhhmmss followed either by Z (UTC) or by a +hhmm/-hhmm offset; the offset form is what _ASN1_TIME_REGEX matches.

Parameters:
  • value (string) - ASN1 GENERALIZEDTIME timestamp
Returns:
Seconds since the Epoch (1970-01-01 00:00:00 UTC)
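The following added example (written for this page, not taken from the ganeti source; the function name parse_asn1_generalizedtime and the sample timestamps are this example's own) shows what such a parser has to do with the two timestamp forms, including refusing a timestamp that carries no zone designator and one whose fields are out of range:

```python
import calendar
import datetime
import re

# Same expression as the module's _ASN1_TIME_REGEX: digits followed by a
# signed "hhmm" UTC offset, e.g. "20240131120000+0100".
_ASN1_TIME_REGEX = re.compile(r"^(\d+)([-+]\d\d)(\d\d)$")


def parse_asn1_generalizedtime(value):
    """Parse an ASN.1 GENERALIZEDTIME string into seconds since the Epoch.

    Accepts the two forms without fractional seconds:
      YYYYMMDDhhmmssZ        -- UTC
      YYYYMMDDhhmmss+hhmm    -- local reading plus an offset (also -hhmm)
    Anything else raises ValueError.  A missing zone designator is refused
    rather than guessed: a certificate lifetime silently shifted by a
    local-time assumption would undermine the expiry check built on it.
    """
    if isinstance(value, bytes):        # pyOpenSSL returns bytes on Python 3
        value = value.decode("ascii")

    m = _ASN1_TIME_REGEX.match(value)
    if m:
        digits, hours, minutes = m.groups()
        # "-0530" means five hours *and* thirty minutes behind UTC, so the
        # sign of the hours field must be applied to the minutes as well.
        sign = -1 if hours.startswith("-") else 1
        offset = sign * (abs(int(hours)) * 3600 + int(minutes) * 60)
    elif value.endswith("Z"):
        digits = value[:-1]
        offset = 0
    else:
        raise ValueError("missing timezone designator in %r" % (value,))

    if not re.match(r"^[0-9]{14}$", digits):
        raise ValueError("unexpected GENERALIZEDTIME layout in %r" % (value,))

    # datetime() validates field ranges (month 13, February 31, ...) that
    # calendar.timegm on its own would silently normalise.
    local = datetime.datetime(int(digits[0:4]), int(digits[4:6]),
                              int(digits[6:8]), int(digits[8:10]),
                              int(digits[10:12]), int(digits[12:14]))
    # timegm treats the tuple as UTC; subtracting the offset turns the
    # local reading into UTC (12:00+0100 is 11:00Z).
    return calendar.timegm(local.timetuple()) - offset
```

Constructed inputs such as "20240131120000Z", "20240131120000+0100" and "20240131120000-0530" resolve to 11:00Z, 12:00Z and 17:30Z readings of the same day respectively; "20240131120000" (no zone) and "20240231120000Z" (31 February) are rejected.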

GetX509CertValidity(cert)

Returns the validity period of the certificate.

Parameters:
  • cert (OpenSSL.crypto.X509) - X509 certificate object

_VerifyCertificateInner(expired, not_before, not_after, now, warn_days, error_days)

Verifies certificate validity.

Parameters:
  • expired (bool) - Whether pyOpenSSL considers the certificate as expired
  • not_before (number or None) - Unix timestamp before which certificate is not valid
  • not_after (number or None) - Unix timestamp after which certificate is invalid
  • now (number) - Current time as Unix timestamp
  • warn_days (number or None) - How many days before expiration a warning should be reported
  • error_days (number or None) - How many days before expiration an error should be reported
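An added example of the warn/error policy these parameters describe, written for this page rather than taken from the ganeti code; the severity names CV_ERROR and CV_WARNING, the function name verify_certificate_validity and the sample timestamps are this example's own. Thresholds are compared in whole days remaining, and a None threshold disables that level:

```python
import time

# Severity labels for this example (the project's own constants are not
# shown on this page).
CV_ERROR = "ERROR"
CV_WARNING = "WARNING"

_DAY = 24 * 60 * 60


def _fmt(ts):
    """Render an epoch timestamp as UTC for messages."""
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(ts))


def verify_certificate_validity(expired, not_before, not_after, now,
                                warn_days, error_days):
    """Classify a certificate's validity window.

    Returns (severity, message): CV_ERROR, CV_WARNING or None when the
    certificate needs no attention.  `expired` is the library's own verdict
    (pyOpenSSL's has_expired()); the timestamps may be None when they could
    not be parsed, which must not turn an expired certificate into a pass.
    """
    if expired:
        if not_before is not None and not_after is not None:
            detail = " (valid from %s to %s)" % (_fmt(not_before), _fmt(not_after))
        elif not_before is not None:
            detail = " (valid from %s)" % _fmt(not_before)
        elif not_after is not None:
            detail = " (valid until %s)" % _fmt(not_after)
        else:
            detail = ""
        return (CV_ERROR, "Certificate is expired" + detail)

    if not_before is not None and not_before > now:
        # Usually clock skew between nodes rather than a bad certificate,
        # hence a warning rather than an error.
        return (CV_WARNING,
                "Certificate not yet valid (valid from %s)" % _fmt(not_before))

    if not_after is not None:
        remaining_days = int((not_after - now) / _DAY)
        msg = "Certificate expires in about %d days" % remaining_days
        # Check the error threshold first: with error_days <= warn_days the
        # more severe verdict must win.
        if error_days is not None and remaining_days <= error_days:
            return (CV_ERROR, msg)
        if warn_days is not None and remaining_days <= warn_days:
            return (CV_WARNING, msg)

    return (None, None)
```

With warn_days=30 and error_days=7, a certificate with 100 days left passes, one with 10 days left yields a warning, and one with 7 or fewer yields an error; pass None for both thresholds and only the expired and not-yet-valid cases are reported.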

VerifyX509Certificate(cert, warn_days, error_days)

Verifies a certificate for LUClusterVerify.

Parameters:
  • cert (OpenSSL.crypto.X509) - X509 certificate object
  • warn_days (number or None) - How many days before expiration a warning should be reported
  • error_days (number or None) - How many days before expiration an error should be reported

SignX509Certificate(cert, key, salt)

Sign an X509 certificate.

An RFC822-like signature header carrying the salt and the HMAC (in the form matched by X509_SIGNATURE) is added in front of the PEM-encoded certificate.

Parameters:
  • cert (OpenSSL.crypto.X509) - X509 certificate object
  • key (string) - Key for HMAC
  • salt (string) - Salt for HMAC
Returns: string
Serialized and signed certificate in PEM format

LoadSignedX509Certificate(cert_pem, key)

Verifies the signature header of a certificate signed with SignX509Certificate and loads the certificate.

Parameters:
  • cert_pem (string) - Certificate in PEM format and with signature header
  • key (string) - Key for HMAC
Returns: tuple; (OpenSSL.crypto.X509, string)
X509 certificate object and salt
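An added example, written for this page and not taken from the ganeti code, of the sign-then-verify round trip that SignX509Certificate and LoadSignedX509Certificate describe, using only the Python standard library. It assumes a header name (X-Ganeti-Signature), a PEM-shaped sample body constructed for the example, and a salted HMAC-SHA1 construction (keyed with key, over salt + certificate); the page names the header only as constants.X509_CERT_SIGNATURE_HEADER and does not show the utils_hash construction. Re-loading and re-dumping the certificate through pyOpenSSL is replaced here by extracting the PEM block:

```python
import hashlib
import hmac
import re

# Header name assumed for this example; the page refers to it only as
# constants.X509_CERT_SIGNATURE_HEADER.
SIGNATURE_HEADER = "X-Ganeti-Signature"

# Same patterns as the module's HEX_CHAR_RE / VALID_X509_SIGNATURE_SALT /
# X509_SIGNATURE.  The class admits any ASCII letter or digit, so the salt
# is alphanumeric rather than strictly hexadecimal.
HEX_CHAR_RE = r"[a-zA-Z0-9]"
VALID_SALT = re.compile("^%s+$" % HEX_CHAR_RE, re.S)
SIGNATURE_LINE = re.compile(r"^%s:\s*(?P<salt>%s+)/(?P<sign>%s+)$" %
                            (re.escape(SIGNATURE_HEADER), HEX_CHAR_RE, HEX_CHAR_RE),
                            re.S | re.I)

# PEM-shaped body constructed for this example; the envelope code never
# parses it, so it need not be a real certificate.
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBsampleCertificateBodyForTheSignatureHeaderExample\n"
    "-----END CERTIFICATE-----\n"
)


def canonical_cert_pem(text):
    """Return only the first CERTIFICATE block, with normalised line ends.

    Stands in for loading and re-dumping the certificate through pyOpenSSL.
    The HMAC is computed over this form, so header lines or whitespace in
    front of the block cannot influence it.
    """
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----")
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        raise ValueError("no PEM certificate block found")
    return "\n".join(lines[start:end + 1]) + "\n"


def _mac(key, cert_pem, salt):
    """Assumed construction: HMAC-SHA1 keyed with `key` over salt + PEM."""
    return hmac.new(key.encode("utf-8"), (salt + cert_pem).encode("utf-8"),
                    hashlib.sha1).hexdigest()


def sign_certificate(cert_pem, key, salt):
    """Prepend the RFC822-like signature header to the certificate."""
    if not VALID_SALT.match(salt):
        raise ValueError("invalid salt: %r" % (salt,))
    cert_pem = canonical_cert_pem(cert_pem)
    return "%s: %s/%s\n\n%s" % (SIGNATURE_HEADER, salt,
                                _mac(key, cert_pem, salt), cert_pem)


def extract_signature(signed_pem):
    """Find exactly one signature header in the lines before the PEM block."""
    found = None
    for line in signed_pem.splitlines():
        if line.startswith("---"):
            break                       # headers end where the PEM block starts
        m = SIGNATURE_LINE.match(line.strip())
        if m:
            if found is not None:
                raise ValueError("more than one signature header")
            found = (m.group("salt"), m.group("sign"))
    if found is None:
        raise ValueError("no signature header")
    return found


def load_signed_certificate(signed_pem, key):
    """Verify the header; return (canonical certificate PEM, salt)."""
    salt, signature = extract_signature(signed_pem)
    cert_pem = canonical_cert_pem(signed_pem)
    # Constant-time comparison: a plain == on the hex digest lets an attacker
    # learn, byte by byte, how much of a forged signature is correct.
    if not hmac.compare_digest(_mac(key, cert_pem, salt), signature):
        raise ValueError("X509 certificate signature is invalid")
    return (cert_pem, salt)
```

The salt is transmitted in clear in the header, so it provides domain separation only; the strength of the header rests entirely on the secrecy of the HMAC key, on the HMAC being computed over the canonical certificate bytes, and on the comparison being constant-time. A second header line, a tampered body, a wrong key or a salt outside VALID_SALT all make load_signed_certificate raise.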

GenerateSelfSignedX509Cert(common_name, validity, serial_no)

Generates a self-signed X509 certificate.

Parameters:
  • common_name (string) - commonName value
  • validity (int) - Validity for certificate in seconds
  • serial_no - certificate serial number
Returns:
a tuple of strings containing the PEM-encoded private key and certificate

GenerateSelfSignedSslCert(filename, serial_no, common_name=constants.X509_CERT_CN, validity=constants.X509_CERT_DEFAULT_VALIDITY, uid=-1, gid=-1)

Legacy function to generate self-signed X509 certificate.

Parameters:
  • filename (str) - path to write certificate to
  • serial_no - certificate serial number
  • common_name (string) - commonName value
  • validity (int) - validity of certificate in number of days (days here, whereas GenerateSelfSignedX509Cert takes seconds)
  • uid (int) - the user ID of the user who will be owner of the certificate file
  • gid (int) - the group ID of the group who will own the certificate file
Returns:
a tuple of strings containing the PEM-encoded private key and certificate

GenerateSignedX509Cert(common_name, validity, serial_no, signing_cert_pem)

Generates a signed (but not self-signed) X509 certificate.

Parameters:
  • common_name (string) - commonName value, should be hostname of the machine
  • validity (int) - Validity for certificate in seconds
  • serial_no - certificate serial number
  • signing_cert_pem (string) - PEM-encoded private key of the signing certificate
Returns:
a tuple of strings containing the PEM-encoded private key and certificate

ExtractX509Certificate(pem)

Extracts the certificate from a PEM-formatted string.

Parameters:
  • pem (string)
Returns: tuple; (OpenSSL.crypto.X509, string)
Certificate object and PEM-formatted certificate

X509CertKeyCheck(cert, key)

Returns a callable that verifies that a certificate belongs to a given private key.

Parameters:
  • key (OpenSSL.crypto.PKey) - Private key object
  • cert (OpenSSL.crypto.X509) - X509 certificate object
Returns: callable
Callable doing the actual check; it raises OpenSSL.SSL.Error if the certificate's public key does not correspond to the given private key

CheckNodeCertificate(cert, _noded_cert_file=pathutils.NODED_CERT_FILE)

Checks the local node daemon certificate against given certificate.

Both certificates must be signed with the same key (as stored in the local pathutils.NODED_CERT_FILE file). No error is raised if no local certificate can be found.

Parameters:
  • cert (OpenSSL.crypto.X509) - X509 certificate object
Raises:

Variables Details

VALID_X509_SIGNATURE_SALT

Value:
re.compile("^%s+$" % HEX_CHAR_RE, re.S)

X509_SIGNATURE

Value:
re.compile(r"^%s:\s*(?P<salt>%s+)/(?P<sign>%s+)$" % (re.escape(constants.X509_CERT_SIGNATURE_HEADER), HEX_CHAR_RE, HEX_CHAR_RE), re.S | re.I)

The header name is matched case-insensitively (re.I); the salt and signature fields are each limited to HEX_CHAR_RE and separated by a single slash.