examples/pki/gen_cmsz.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

#!/usr/bin/python

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import json
import os

from keystoneclient.common import cms

CURRENT_DIR = os.path.abspath(os.path.dirname(__file__))


def make_filename(*args):
    return os.path.join(CURRENT_DIR, *args)


CA_CERT_FILE_NAME = make_filename('certs', 'cacert.pem')
SIGNING_CERT_FILE_NAME = make_filename('certs', 'signing_cert.pem')
SIGNING_KEY_FILE_NAME = make_filename('private', 'signing_key.pem')
EXAMPLE_TOKENS = ['auth_token_revoked',
                  'auth_token_unscoped',
                  'auth_token_scoped',
                  'auth_token_scoped_expired',
                  'auth_v3_token_scoped',
                  'auth_v3_token_revoked']


# Helper script to generate the sample data for testing
# the signed tokens using the existing JSON data for the
# MII-prefixed tokens.  Uses the keys and certificates
# generated in gen_pki.sh.
def generate_der_form(name):
    derfile = make_filename('cms', '%s.der' % name)
    with open(derfile, 'w') as f:
        derform = cms.cms_sign_data(text,
                                    SIGNING_CERT_FILE_NAME,
                                    SIGNING_KEY_FILE_NAME, cms.PKIZ_CMS_FORM)
        f.write(derform)

for name in EXAMPLE_TOKENS:
    json_file = make_filename('cms', name + '.json')
    pkiz_file = make_filename('cms', name + '.pkiz')
    with open(json_file, 'r') as f:
        string_data = f.read()

    # validate the JSON
    try:
        token_data = json.loads(string_data)
    except ValueError as v:
        raise SystemExit('%s while processing token data from %s: %s' %
                         (v, json_file, string_data))

    text = json.dumps(token_data).encode('utf-8')

    # Uncomment to record the token uncompressed,
    # useful for debugging
    # generate_der_form(name)

    encoded = cms.pkiz_sign(text,
                            SIGNING_CERT_FILE_NAME,
                            SIGNING_KEY_FILE_NAME)

    # verify before writing
    cms.pkiz_verify(encoded,
                    SIGNING_CERT_FILE_NAME,
                    CA_CERT_FILE_NAME)

    with open(pkiz_file, 'w') as f:
        f.write(encoded)