本文整理汇总了Python中sfa.trust.certificate.Certificate类的典型用法代码示例。如果您正苦于以下问题:Python Certificate类的具体用法?Python Certificate怎么用?Python Certificate使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。
在下文中一共展示了Certificate类的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: GetSelfCredential
def GetSelfCredential(certificate, xnr, type):
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
origin_hrn = Certificate(string=cert).get_subject()
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord (dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
if hasattr (obj,'filename'):
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)示例2: do_POST
def do_POST(self):
"""Handles the HTTPS POST request.
It was copied out from SimpleXMLRPCServer.py and modified to shutdown
the socket cleanly.
"""
try:
peer_cert = Certificate()
peer_cert.load_from_pyopenssl_x509(self.connection.get_peer_certificate())
generic=Generic.the_flavour()
self.api = generic.make_api (peer_cert = peer_cert,
interface = self.server.interface,
key_file = self.server.key_file,
cert_file = self.server.cert_file,
cache = self.cache)
#logger.info("SecureXMLRpcRequestHandler.do_POST:")
#logger.info("interface=%s"%self.server.interface)
#logger.info("key_file=%s"%self.server.key_file)
#logger.info("api=%s"%self.api)
#logger.info("server=%s"%self.server)
#logger.info("handler=%s"%self)
# get arguments
request = self.rfile.read(int(self.headers["content-length"]))
remote_addr = (remote_ip, remote_port) = self.connection.getpeername()
self.api.remote_addr = remote_addr
response = self.api.handle(remote_addr, request, self.server.method_map)
except Exception, fault:
# This should only happen if the module is buggy
# internal error, report as HTTP server error
logger.log_exc("server.do_POST")
response = self.api.prepare_response(fault)示例3: testSign
def testSign(self):
cert = Certificate(subject="test")
# create an issuer and sign the certificate
issuerKey = Keypair(create=True)
issuerSubject = "testissuer"
cert.set_issuer(issuerKey, issuerSubject)
cert.sign()示例4: call
def call(self, cert, xrn, type):
"""
GetSelfCredential a degenerate version of GetCredential used by a client
to get his initial credential when de doesnt have one. This is the same as
GetCredential(..., cred = None, ...)
The registry ensures that the client is the principal that is named by
(type, name) by comparing the public key in the record's GID to the
private key used to encrypt the client side of the HTTPS connection. Thus
it is impossible for one principal to retrieve another principal's
credential without having the appropriate private key.
@param type type of object (user | slice | sa | ma | node)
@param hrn human readable name of authority to list
@return string representation of a credential object
"""
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
self.api.auth.verify_object_belongs_to_me(hrn)
origin_hrn = Certificate(string=cert).get_subject()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
### authenticate the gid
# import here so we can load this module at build-time for sfa2wsdl
#from sfa.storage.alchemy import dbsession
from sfa.storage.model import RegRecord
# xxx-local - the current code runs Resolve, which would forward to
# another registry if needed
# I wonder if this is truly the intention, or shouldn't we instead
# only look in the local db ?
records = self.api.manager.Resolve(self.api, xrn, type, details=False)
if not records:
raise RecordNotFound(hrn)
record_obj = RegRecord (dict=records[0])
# xxx-local the local-only version would read
#record_obj = dbsession.query(RegRecord).filter_by(hrn=hrn).first()
#if not record_obj: raise RecordNotFound(hrn)
gid = record_obj.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
self.api.logger.debug("ConnectionKeyGIDMismatch, %s pubkey: %s"%(name,obj.get_pubkey().get_pubkey_string()))
self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s"%(name,obj.dump_string()))
if hasattr (obj,'filename'):
self.api.logger.debug("ConnectionKeyGIDMismatch, %s filename: %s"%(name,obj.filename))
raise ConnectionKeyGIDMismatch(gid.get_subject())
return self.api.manager.GetCredential(self.api, xrn, type)示例5: get_cert_file
def get_cert_file(self, key_file):
cert_file = os.path.join(self.options.sfi_dir, self.user.replace(self.authority + '.', '') + ".cert")
if (os.path.isfile(cert_file)):
# we'd perfer to use Registry issued certs instead of self signed certs.
# if this is a Registry cert (GID) then we are done
gid = GID(filename=cert_file)
if gid.get_urn():
return cert_file
# generate self signed certificate
k = Keypair(filename=key_file)
cert = Certificate(subject=self.user)
cert.set_pubkey(k)
cert.set_issuer(k, self.user)
cert.sign()
self.logger.info("Writing self-signed certificate to %s"%cert_file)
cert.save_to_file(cert_file)
self.cert = cert
# try to get registry issued cert
try:
self.logger.info("Getting Registry issued cert")
self.read_config()
# *hack. need to set registyr before _get_gid() is called
self.registry = xmlrpcprotocol.get_server(self.reg_url, key_file, cert_file, timeout=self.options.timeout, verbose=self.options.debug)
gid = self._get_gid(type='user')
self.registry = None
self.logger.info("Writing certificate to %s"%cert_file)
gid.save_to_file(cert_file)
except:
self.logger.info("Failed to download Registry issued cert")
return cert_file示例6: get_trusted_certs
def get_trusted_certs(self, opts, args):
"""
return uhe trusted certs at this interface
"""
trusted_certs = self.registry.get_trusted_certs()
for trusted_cert in trusted_certs:
gid = GID(string=trusted_cert)
gid.dump()
cert = Certificate(string=trusted_cert)
self.logger.debug('Sfi.get_trusted_certs -> %r'%cert.get_subject())
return 示例7: CreateGid
def CreateGid(self, api, xrn, cert):
# get the authority
authority = Xrn(xrn=xrn).get_authority_hrn()
auth_info = api.auth.get_auth_info(authority)
if not cert:
pkey = Keypair(create=True)
else:
certificate = Certificate(string=cert)
pkey = certificate.get_pubkey()
gid = api.auth.hierarchy.create_gid(xrn, create_uuid(), pkey)
return gid.save_to_string(save_parents=True)示例8: init_self_signed_cert
def init_self_signed_cert(hrn, key, server_cert_file):
logger.debug("generating self signed cert")
# generate self signed certificate
cert = Certificate(subject=hrn)
cert.set_issuer(key=key, subject=hrn)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(server_cert_file)示例9: __init__
def __init__(self, create=False, subject=None, string=None, filename=None, uuid=None, hrn=None, urn=None):
Certificate.__init__(self, create, subject, string, filename)
if subject:
logger.debug("Creating GID for subject: %s" % subject)
if uuid:
self.uuid = int(uuid)
if hrn:
self.hrn = hrn
self.urn = hrn_to_urn(hrn, 'unknown')
if urn:
self.urn = urn
self.hrn, type = urn_to_hrn(urn)示例10: create_server_keypair
def create_server_keypair(keyfile=None, certfile=None, hrn="component", verbose=False):
"""
create the server key/cert pair in the right place
"""
key = Keypair(filename=keyfile)
key.save_to_file(keyfile)
cert = Certificate(subject=hrn)
cert.set_issuer(key=key, subject=hrn)
cert.set_pubkey(key)
cert.sign()
cert.save_to_file(certfile, save_parents=True) 示例11: self_signed_cert_produce
def self_signed_cert_produce (self,output):
self.assert_private_key()
private_key_filename = self.private_key_filename()
keypair=Keypair(filename=private_key_filename)
self_signed = Certificate (subject = self.hrn)
self_signed.set_pubkey (keypair)
self_signed.set_issuer (keypair, self.hrn)
self_signed.sign ()
self_signed.save_to_file (output)
self.logger.debug("SfaClientBootstrap: Created self-signed certificate for %s in %s"%\
(self.hrn,output))
return output示例12: __init__
def __init__(self, config = "/etc/sfa/sfa_config.py", encoding = "utf-8",
methods='sfa.methods', peer_cert = None, interface = None,
key_file = None, cert_file = None, cache = None):
BaseAPI.__init__(self, config=config, encoding=encoding, methods=methods, \
peer_cert=peer_cert, interface=interface, key_file=key_file, \
cert_file=cert_file, cache=cache)
self.encoding = encoding
from sfa.util.table import SfaTable
self.SfaTable = SfaTable
# Better just be documenting the API
if config is None:
return
# Load configuration
self.config = Config(config)
self.auth = Auth(peer_cert)
self.interface = interface
self.key_file = key_file
self.key = Keypair(filename=self.key_file)
self.cert_file = cert_file
self.cert = Certificate(filename=self.cert_file)
self.credential = None
# Initialize the PLC shell only if SFA wraps a myPLC
rspec_type = self.config.get_aggregate_type()
if (rspec_type == 'pl' or rspec_type == 'vini' or \
rspec_type == 'eucalyptus' or rspec_type == 'max'):
self.plshell = self.getPLCShell()
self.plshell_version = "4.3"
self.hrn = self.config.SFA_INTERFACE_HRN
self.time_format = "%Y-%m-%d %H:%M:%S"示例13: verify_chain
def verify_chain(self, trusted_certs = None):
# do the normal certificate verification stuff
trusted_root = Certificate.verify_chain(self, trusted_certs)
if self.parent:
# make sure the parent's hrn is a prefix of the child's hrn
if not hrn_authfor_hrn(self.parent.get_hrn(), self.get_hrn()):
raise GidParentHrn("This cert HRN %s isn't in the namespace for parent HRN %s" % (self.get_hrn(), self.parent.get_hrn()))
# Parent must also be an authority (of some type) to sign a GID
# There are multiple types of authority - accept them all here
if not self.parent.get_type().find('authority') == 0:
raise GidInvalidParentHrn("This cert %s's parent %s is not an authority (is a %s)" % (self.get_hrn(), self.parent.get_hrn(), self.parent.get_type()))
# Then recurse up the chain - ensure the parent is a trusted
# root or is in the namespace of a trusted root
self.parent.verify_chain(trusted_certs)
else:
# make sure that the trusted root's hrn is a prefix of the child's
trusted_gid = GID(string=trusted_root.save_to_string())
trusted_type = trusted_gid.get_type()
trusted_hrn = trusted_gid.get_hrn()
#if trusted_type == 'authority':
# trusted_hrn = trusted_hrn[:trusted_hrn.rindex('.')]
cur_hrn = self.get_hrn()
if not hrn_authfor_hrn(trusted_hrn, cur_hrn):
raise GidParentHrn("Trusted root with HRN %s isn't a namespace authority for this cert: %s" % (trusted_hrn, cur_hrn))
# There are multiple types of authority - accept them all here
if not trusted_type.find('authority') == 0:
raise GidInvalidParentHrn("This cert %s's trusted root signer %s is not an authority (is a %s)" % (self.get_hrn(), trusted_hrn, trusted_type))
return示例14: __init__
def __init__ (self, encoding="utf-8", methods='sfa.methods',
config = "/etc/sfa/sfa_config",
peer_cert = None, interface = None,
key_file = None, cert_file = None, cache = None):
XmlrpcApi.__init__ (self, encoding)
# we may be just be documenting the API
if config is None:
return
# Load configuration
self.config = Config(config)
self.credential = None
self.auth = Auth(peer_cert)
self.interface = interface
self.hrn = self.config.SFA_INTERFACE_HRN
self.key_file = key_file
self.key = Keypair(filename=self.key_file)
self.cert_file = cert_file
self.cert = Certificate(filename=self.cert_file)
self.cache = cache
if self.cache is None:
self.cache = Cache()
# load registries
from sfa.server.registry import Registries
self.registries = Registries()
# load aggregates
from sfa.server.aggregate import Aggregates
self.aggregates = Aggregates()
# filled later on by generic/Generic
self.manager=None
self._dbsession=None示例15: call
def call(self, cert, xrn, type):
"""
GetSelfCredential a degenerate version of GetCredential used by a client
to get his initial credential when de doesnt have one. This is the same as
GetCredential(..., cred = None, ...)
The registry ensures that the client is the principal that is named by
(type, name) by comparing the public key in the record's GID to the
private key used to encrypt the client side of the HTTPS connection. Thus
it is impossible for one principal to retrieve another principal's
credential without having the appropriate private key.
@param type type of object (user | slice | sa | ma | node)
@param hrn human readable name of authority to list
@return string representation of a credential object
"""
if type:
hrn = urn_to_hrn(xrn)[0]
else:
hrn, type = urn_to_hrn(xrn)
self.api.auth.verify_object_belongs_to_me(hrn)
origin_hrn = Certificate(string=cert).get_subject()
self.api.logger.info("interface: %s\tcaller-hrn: %s\ttarget-hrn: %s\tmethod-name: %s"%(self.api.interface, origin_hrn, hrn, self.name))
manager = self.api.get_interface_manager()
# authenticate the gid
records = manager.resolve(self.api, xrn, type)
if not records:
raise RecordNotFound(hrn)
record = SfaRecord(dict=records[0])
gid = record.get_gid_object()
gid_str = gid.save_to_string(save_parents=True)
self.api.auth.authenticateGid(gid_str, [cert, type, hrn])
# authenticate the certificate against the gid in the db
certificate = Certificate(string=cert)
if not certificate.is_pubkey(gid.get_pubkey()):
for (obj,name) in [ (certificate,"CERT"), (gid,"GID"), ]:
self.api.logger.debug("ConnectionKeyGIDMismatch, %s pubkey: %s"%(name,obj.get_pubkey().get_pubkey_string()))
self.api.logger.debug("ConnectionKeyGIDMismatch, %s dump: %s"%(name,obj.dump_string()))
if hasattr (obj,'filename'):
self.api.logger.debug("ConnectionKeyGIDMismatch, %s filename: %s"%(name,obj.filename))
raise ConnectionKeyGIDMismatch(gid.get_subject())
return manager.get_credential(self.api, xrn, type, is_self=True)