Package ganeti :: Package utils :: Module security

Module security

Utility functions for security features of Ganeti.

Functions
 
UuidToInt(uuid)
 
GetCertificateDigest(cert_filename=pathutils.NODED_CLIENT_CERT_FILE)
Reads the SSL certificate and returns the SHA-1 digest.
 
GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg, uid=-1, gid=-1)
Creates a new server SSL certificate and backs up the old one.
 
GenerateNewClientSslCert(cert_filename, signing_cert_filename, hostname)
Creates a new server SSL certificate and backs up the old one.
 
VerifyCertificate(filename)
Verifies an SSL certificate.
 
IsCertificateSelfSigned(cert_filename)
Checks whether the certificate issuer is the same as the owner.

Imports: logging, OpenSSL, os, uuid_module, time, io, x509, constants, errors, pathutils


Function Details

GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg, uid=-1, gid=-1)

Creates a new server SSL certificate and backs up the old one.

Parameters:
  • new_cert (boolean) - whether a new certificate should be created
  • cert_filename (string) - filename of the certificate file
  • serial_no (int) - serial number of the certificate
  • log_msg (string) - log message to be written on certificate creation
  • uid (int) - the user ID of the user who will be owner of the certificate file
  • gid (int) - the group ID of the group who will own the certificate file

GenerateNewClientSslCert(cert_filename, signing_cert_filename, hostname)

Creates a new server SSL certificate and backs up the old one.

Parameters:
  • cert_filename (string) - filename of the certificate file
  • signing_cert_filename (string) - name of the certificate to be used for signing
  • hostname (string) - name of the machine whose cert is created

VerifyCertificate(filename)

Verifies an SSL certificate.

Parameters:
  • filename (string) - Path to PEM file

IsCertificateSelfSigned(cert_filename)

Checks whether the certificate issuer is the same as the owner.

Note that this does not actually verify the signature; it simply compares the certificate's common name with the issuer's common name. This is sufficient because, now that Ganeti creates non-self-signed client certificates, it uses their hostnames as common names, which makes them distinguishable by common name from the server certificates.

Parameters:
  • cert_filename (string) - filename of the certificate to examine
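
The following is an added example, not Ganeti's own code: it contrasts the common-name comparison described for IsCertificateSelfSigned with a cryptographic signature check, using the `cryptography` package. The host names, helper functions and certificates are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(subject_cn, issuer_cn, subject_key, signing_key):
    """Build a short-lived test certificate (constructed sample data)."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(signing_key, hashes.SHA256()))

def common_name(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def names_match(cert):
    """The comparison described above: subject CN equals issuer CN."""
    return common_name(cert.subject) == common_name(cert.issuer)

def signed_by_own_key(cert):
    """Cryptographic check: the signature verifies under the cert's own key."""
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def classify():
    """Return (names_match, signed_by_own_key) for three constructed certs."""
    server_key = ec.generate_private_key(ec.SECP256R1())
    node_key = ec.generate_private_key(ec.SECP256R1())
    cluster, node = "cluster.example.com", "node1.example.com"  # assumed names
    certs = {
        "server": make_cert(cluster, cluster, server_key, server_key),
        "client": make_cert(node, cluster, node_key, server_key),
        # Names are equal, but the signature comes from a different key.
        "names_only": make_cert(cluster, cluster, node_key, server_key),
    }
    return {k: (names_match(c), signed_by_own_key(c)) for k, c in certs.items()}

if __name__ == "__main__":
    for label, result in classify().items():
        print(label, result)
```

The name comparison separates the server certificate from the hostname-named client certificate, while only the signature check distinguishes the third case.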