authorLei Zhang <zhang.lei.fly@gmail.com>2013-10-15 11:21:56 +0800
committerLei Zhang <zhang.lei.fly@gmail.com>2013-10-28 23:35:56 +0800
commit0c8faa3efc81ea4d2d93f64c118a965091bdf5b4 (patch)
treef9dd16a352cdfd02e6e3dfe4079c367bce0f0903 /keystoneclient/common
parentcc0e06ff87495178051d107534402dc42ad39c45 (diff)
downloadpython-keystoneclient-0c8faa3efc81ea4d2d93f64c118a965091bdf5b4.tar.gz
Migrate the keystone.common.cms to keystoneclient
- Check for openssl return code 2; related to the following review: https://review.openstack.org/#/c/22716/
- Add support for setting the subprocess module used by cms, for callers that already know which subprocess to use.

Closes-Bug: #1142574
Change-Id: I3f86e6ca8bb7738f57051ce7f0f5662b20e7a22b
Diffstat (limited to 'keystoneclient/common')
-rw-r--r--keystoneclient/common/cms.py42
1 files changed, 38 insertions, 4 deletions
diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py
index 8bc24f9..da04029 100644
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -12,10 +12,20 @@
# License for the specific language governing permissions and limitations
# under the License.
-import hashlib
+"""Certificate signing functions.
+
+Call set_subprocess() with the subprocess module. Either Python's
+subprocess or eventlet.green.subprocess can be used.
+
+If set_subprocess() is not called, this module will pick Python's subprocess
+or eventlet.green.subprocess based on if os module is patched by eventlet.
+"""
+import hashlib
import logging
+from keystoneclient import exceptions
+
subprocess = None
LOG = logging.getLogger(__name__)
@@ -38,10 +48,20 @@ def _ensure_subprocess():
import subprocess # noqa
+def set_subprocess(_subprocess=None):
+ """Set subprocess module to use.
+ The subprocess could be eventlet.green.subprocess if using eventlet,
+ or Python's subprocess otherwise.
+ """
+ global subprocess
+ subprocess = _subprocess
+
+
def cms_verify(formatted, signing_cert_file_name, ca_file_name):
"""Verifies the signature of the contents IAW CMS syntax.
:raises: subprocess.CalledProcessError
+ :raises: CertificateConfigError if certificate is not configured properly.
"""
_ensure_subprocess()
process = subprocess.Popen(["openssl", "cms", "-verify",
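Review bot: The `_subprocess=None` default on `set_subprocess` means a bare `set_subprocess()` call silently clears the module global, and the docstring does not say what happens next. Going by the module docstring, `_ensure_subprocess()` presumably falls back to its automatic choice, but its body is outside this hunk, so that is an inference. Whatever object is stored here is what `cms_verify` uses to launch `openssl` for signature checks, and it is stored without any validation. I would either drop the default or add a docstring line such as `Passing None restores the automatic choice made by _ensure_subprocess(); the argument is trusted and stored as given.`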
@@ -55,9 +75,23 @@ def cms_verify(formatted, signing_cert_file_name, ca_file_name):
stderr=subprocess.PIPE)
output, err = process.communicate(formatted)
retcode = process.poll()
- if retcode:
- # Do not log errors, as some happen in the positive thread
- # instead, catch them in the calling code and log them there.
+
+ # Do not log errors, as some happen in the positive thread
+ # instead, catch them in the calling code and log them there.
+
+ # When invoke the openssl with not exist file, return code 2
+ # and error msg will be returned.
+ # You can get more from
+ # http://www.openssl.org/docs/apps/cms.html#EXIT_CODES
+ #
+ # $ openssl cms -verify -certfile not_exist_file -CAfile \
+ # not_exist_file -inform PEM -nosmimecap -nodetach \
+ # -nocerts -noattr
+ # Error opening certificate file not_exist_file
+ #
+ if retcode == 2:
+ raise exceptions.CertificateConfigError(err)
+ elif retcode:
# NOTE(dmllr): Python 2.6 compatibility:
# CalledProcessError did not have output keyword argument
e = subprocess.CalledProcessError(retcode, "openssl")
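Review bot: The new `if retcode == 2:` branch treats every exit status 2 as a certificate misconfiguration, but the message in `formatted` is also an openssl input (fed on stdin by `communicate`) and comes from the caller, not from configuration. As I read the linked EXIT_CODES text, status 2 means an input could not be read, so a malformed message may produce the same status; this should be confirmed against the openssl build in use. If so, a bad token would surface as `CertificateConfigError` instead of the documented `CalledProcessError`, and operators would be pointed at their certificates for what is really a rejected message. Narrowing the branch on stderr keeps the two cases apart, for example `if retcode == 2 and not err.startswith('Error reading S/MIME message'):`, which lets the unreadable-message case fall through to the existing `elif retcode:`. The raw `err` placed in the exception contains local file paths, so callers should keep it in server-side logs and not return it to the requester; `cms_verify` starts in the previous hunk and continues past the end of this one.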