author | Jenkins <jenkins@review.openstack.org> | 2015-03-10 19:05:01 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2015-03-10 19:05:01 +0000 |
commit | ed43a70012424739b26b06f30d0b08c7090efce5 (patch) | |
tree | 3f0eee05fc51a8b76dd946dcb2949bd30a59b5e8 /keystoneclient/common | |
parent | d403c341323970a8d634c7379eba75c7d016a899 (diff) | |
parent | b317e312aadbdbbe8937172bc5d4a7dd2a8d68d9 (diff) | |
download | python-keystoneclient-ed43a70012424739b26b06f30d0b08c7090efce5.tar.gz |
Merge "token signing support alternative message digest"
Diffstat (limited to 'keystoneclient/common')
-rw-r--r-- | keystoneclient/common/cms.py | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/keystoneclient/common/cms.py b/keystoneclient/common/cms.py
index b206d7b..06cba73 100644
--- a/keystoneclient/common/cms.py
+++ b/keystoneclient/common/cms.py
@@ -38,6 +38,7 @@ PKI_ASN1_PREFIX = 'MII'
 PKIZ_PREFIX = 'PKIZ_'
 PKIZ_CMS_FORM = 'DER'
 PKI_ASN1_FORM = 'PEM'
+DEFAULT_TOKEN_DIGEST_ALGORITHM = 'sha256'
 # The openssl cms command exits with these status codes.
@@ -198,11 +199,13 @@ def is_pkiz(token_text):
 def pkiz_sign(text, signing_cert_file_name, signing_key_file_name,
- compression_level=6):
+ compression_level=6,
+ message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
 signed = cms_sign_data(text, signing_cert_file_name, signing_key_file_name,
- PKIZ_CMS_FORM)
+ PKIZ_CMS_FORM,
+ message_digest=message_digest)
 compressed = zlib.compress(signed, compression_level)
 encoded = PKIZ_PREFIX + base64.urlsafe_b64encode(
@@ -297,13 +300,15 @@ def is_ans1_token(token):
 return is_asn1_token(token)
-def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name):
+def cms_sign_text(data_to_sign, signing_cert_file_name, signing_key_file_name,
+ message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
 return cms_sign_data(data_to_sign, signing_cert_file_name,
- signing_key_file_name)
+ signing_key_file_name, message_digest=message_digest)
 def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
- outform=PKI_ASN1_FORM):
+ outform=PKI_ASN1_FORM,
+ message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
 """Uses OpenSSL to sign a document.
 Produces a Base64 encoding of a DER formatted CMS Document
@@ -316,7 +321,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
 the data
 :param outform: Format for the signed document PKIZ_CMS_FORM or
 PKI_ASN1_FORM
-
+ :param message_digest: Digest algorithm to use when signing or resigning
 """
 _ensure_subprocess()
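Review bot: The new DEFAULT_TOKEN_DIGEST_ALGORITHM constant in the hunk at -38 carries no comment, although it becomes the default message_digest of four public signing functions and ends up as the `-md` argument of the openssl cms command in the hunk at -330. A one-line comment above it would make that explicit: `# Digest handed to ``openssl cms -md`` when signing tokens; every signing function accepts a per-call message_digest override.`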
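Review bot: The `:param message_digest:` line added to the cms_sign_data docstring in the hunk at -316 says the digest is used "when signing or resigning", but cms_sign_data only signs, and the line does not say what values are accepted or that the name is forwarded to OpenSSL as-is. Suggest `:param message_digest: Name of the OpenSSL message digest passed to ``openssl cms -md`` (default DEFAULT_TOKEN_DIGEST_ALGORITHM). As far as these hunks show it is forwarded without validation, so callers must not pick a digest weaker than the default.` The body of cms_sign_data continues outside this hunk.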
@@ -330,7 +335,7 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
 '-outform', 'PEM',
 '-nosmimecap', '-nodetach', '-nocerts',
 '-noattr',
- '-md', 'sha256', ],
+ '-md', message_digest, ],
 stdin=subprocess.PIPE,
 stdout=subprocess.PIPE,
 stderr=subprocess.PIPE,
@@ -353,8 +358,10 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
 return output
-def cms_sign_token(text, signing_cert_file_name, signing_key_file_name):
- output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name)
+def cms_sign_token(text, signing_cert_file_name, signing_key_file_name,
+ message_digest=DEFAULT_TOKEN_DIGEST_ALGORITHM):
+ output = cms_sign_data(text, signing_cert_file_name, signing_key_file_name,
+ message_digest=message_digest)
 return cms_to_token(output)
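Review bot: The `'-md', message_digest` argument in the hunk at -330 hands the caller-supplied digest name to openssl without any check. Since Popen receives an argument list rather than a shell string this is not a command-injection path, but it does let a caller silently request a digest weaker than the sha256 default (OpenSSL accepts names such as 'md5' and 'sha1'), and a misspelled or unsupported name is only noticed when openssl exits non-zero, with whatever error the handling below the hunk produces. Consider rejecting unexpected names before the command is built, e.g. `if message_digest not in SUPPORTED_TOKEN_DIGEST_ALGORITHMS: raise ValueError('unsupported message digest: %s' % message_digest)`, where SUPPORTED_TOKEN_DIGEST_ALGORITHMS is a new allow-list tuple defined beside DEFAULT_TOKEN_DIGEST_ALGORITHM (placeholder name). The same unchecked pass-through is what cms_sign_token forwards in the hunk at -353, and the enclosing Popen call begins before this hunk.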