ganeti.utils.x509

module documentation

Utility functions for X509.

Function	`CheckNodeCertificate`	Checks the local node daemon certificate against given certificate.
Function	`ExtractX509Certificate`	Extracts the certificate from a PEM-formatted string.
Function	`GenerateSelfSignedSslCert`	Legacy function to generate self-signed X509 certificate.
Function	`GenerateSelfSignedX509Cert`	Generates a self-signed X509 certificate.
Function	`GenerateSignedSslCert`	Undocumented
Function	`GenerateSignedX509Cert`	Generates a signed (but not self-signed) X509 certificate.
Function	`GetX509CertValidity`	Returns the validity period of the certificate.
Function	`LoadSignedX509Certificate`	Verifies a signed X509 certificate.
Function	`SignX509Certificate`	Sign a X509 certificate.
Function	`VerifyX509Certificate`	Verifies a certificate for LUClusterVerify.
Function	`X509CertKeyCheck`	Function for verifying certificate with a certain private key.
Constant	`CERT_ERROR`	Undocumented
Constant	`CERT_WARNING`	Undocumented
Constant	`HEX_CHAR_RE`	Undocumented
Constant	`VALID_X509_SIGNATURE_SALT`	Undocumented
Constant	`X509_SIGNATURE`	Undocumented
Function	`_ExtractX509CertificateSignature`	Helper function to extract signature from X509 certificate.
Function	`_ParseAsn1Generalizedtime`	Parses an ASN1 GENERALIZEDTIME timestamp as used by pyOpenSSL.
Function	`_VerifyCertificateInner`	Verifies certificate validity.
Constant	`_ASN1_TIME_REGEX`	Undocumented

def CheckNodeCertificate(cert, _noded_cert_file=pathutils.NODED_CERT_FILE): ¶

Checks the local node daemon certificate against given certificate.

Both certificates must be signed with the same key (as stored in the local pathutils.NODED_CERT_FILE file). No error is raised if no local certificate can be found.

Parameters
cert:OpenSSL.crypto.X509	X509 certificate object
_noded_cert_file	Undocumented
Raises
`errors.X509CertError`	When an error related to X509 occurred
`errors.GenericError`	When the verification failed

def ExtractX509Certificate(pem): ¶

Extracts the certificate from a PEM-formatted string.

Parameters
pem:string	Undocumented
Returns
tuple; (OpenSSL.X509 object, string)	Certificate object and PEM-formatted certificate

def GenerateSelfSignedSslCert(filename, serial_no, common_name=constants.X509_CERT_CN, validity=constants.X509_CERT_DEFAULT_VALIDITY, uid=-1, gid=-1): ¶

Legacy function to generate self-signed X509 certificate.

Parameters
filename:str	path to write certificate to
serial_no	Undocumented
common_name:string	commonName value
validity:int	validity of certificate in number of days
uid:int	the user ID of the user who will be owner of the certificate file
gid:int	the group ID of the group who will own the certificate file
Returns
a tuple of strings containing the PEM-encoded private key and certificate

def GenerateSelfSignedX509Cert(common_name, validity, serial_no): ¶

Generates a self-signed X509 certificate.

Parameters
common_name:string	commonName value
validity:int	Validity for certificate in seconds
serial_no	Undocumented
Returns
a tuple of strings containing the PEM-encoded private key and certificate

def GenerateSignedSslCert(filename_cert, serial_no, filename_signing_cert, common_name=constants.X509_CERT_CN, validity=constants.X509_CERT_DEFAULT_VALIDITY, uid=-1, gid=-1): ¶

Undocumented

def GenerateSignedX509Cert(common_name, validity, serial_no, signing_cert_pem): ¶

Generates a signed (but not self-signed) X509 certificate.

Parameters
common_name:string	commonName value, should be hostname of the machine
validity:int	Validity for certificate in seconds
serial_no	Undocumented
signing_cert_pem:X509 key	PEM-encoded private key of the signing certificate
Returns
a tuple of strings containing the PEM-encoded private key and certificate

def GetX509CertValidity(cert): ¶

Returns the validity period of the certificate.

Parameters
cert:OpenSSL.crypto.X509	X509 certificate object

def LoadSignedX509Certificate(cert_pem, key): ¶

Verifies a signed X509 certificate.

Parameters
cert_pem:string	Certificate in PEM format and with signature header
key:string	Key for HMAC
Returns
tuple; (OpenSSL.crypto.X509, string)	X509 certificate object and salt

def SignX509Certificate(cert, key, salt): ¶

Sign a X509 certificate.

An RFC822-like signature header is added in front of the certificate.

Parameters
cert:OpenSSL.crypto.X509	X509 certificate object
key:string	Key for HMAC
salt:string	Salt for HMAC
Returns
string	Serialized and signed certificate in PEM format

def VerifyX509Certificate(cert, warn_days, error_days): ¶

Verifies a certificate for LUClusterVerify.

Parameters
cert:OpenSSL.crypto.X509	X509 certificate object
warn_days:number or None	How many days before expiration a warning should be reported
error_days:number or None	How many days before expiration an error should be reported

def X509CertKeyCheck(cert, key): ¶

Function for verifying certificate with a certain private key.

Parameters
cert:OpenSSL.crypto.X509	X509 certificate object
key:OpenSSL.crypto.PKey	Private key object
Returns
callable	Callable doing the actual check; will raise `OpenSSL.SSL.Error` if certificate is not signed by given private key

CERT_ERROR = ¶

Undocumented

CERT_WARNING = ¶

Undocumented

HEX_CHAR_RE: str = ¶

Undocumented

Value

'[a-zA-Z0-9]'

VALID_X509_SIGNATURE_SALT = ¶

Undocumented

Value

re.compile('^%s+$'%HEX_CHAR_RE, re.S)

X509_SIGNATURE = ¶

Undocumented

Value

re.compile('^%s:\\s*(?P<salt>%s+)/(?P<sign>%s+)$'%(re.escape(constants.X509_CERT_SIGNATURE_HEADER↵
),
                                                   HEX_CHAR_RE,
                                                   HEX_CHAR_RE),
           re.S|re.I)

def _ExtractX509CertificateSignature(cert_pem): ¶

Helper function to extract signature from X509 certificate.

def _ParseAsn1Generalizedtime(value): ¶

Parses an ASN1 GENERALIZEDTIME timestamp as used by pyOpenSSL.

Parameters
value:string or bytes	ASN1 GENERALIZEDTIME timestamp
Returns
Seconds since the Epoch (1970-01-01 00:00:00 UTC)

def _VerifyCertificateInner(expired, not_before, not_after, now, warn_days, error_days): ¶

Verifies certificate validity.

Parameters
expired:bool	Whether pyOpenSSL considers the certificate as expired
not_before:number or None	Unix timestamp before which certificate is not valid
not_after:number or None	Unix timestamp after which certificate is invalid
now:number	Current time as Unix timestamp
warn_days:number or None	How many days before expiration a warning should be reported
error_days:number or None	How many days before expiration an error should be reported

_ASN1_TIME_REGEX = ¶

Undocumented

Value

re.compile(r'^(\d+)([-\+]\d\d)(\d\d)$')