diff options
| author | Adam Young <ayoung@redhat.com> | 2014-02-04 20:43:07 -0500 |
|---|---|---|
| committer | Morgan Fainberg <morgan.fainberg@gmail.com> | 2014-05-09 11:48:17 -0700 |
| commit | 3d6d749e6f0fef682a88758e1a2f6c9e8e7bd23c (patch) | |
| tree | b5ffa079f9bdd6214c581e872ea668217834d312 /keystoneclient/middleware | |
| parent | a95edc7f38d7c267f9efa6c4a413b4a04d2686b0 (diff) | |
| download | python-keystoneclient-3d6d749e6f0fef682a88758e1a2f6c9e8e7bd23c.tar.gz | |
Compressed Signature and Validation
Allows for a new form of document signature.
pkiz_sign will take data and encode it in a string that starts with
the substring "PKIZ_". This prefix indicates that the data has been:
1) Signed via PKI in Crypto Message Syntax (CMS) in binary (DER) format
2) Compressed using zlib (comparable to gzip)
3) urlsafe-base64 decoded
This process is reversed to validate the data.
middleware/auth_token.py will be capable of validating Keystone
tokens that are marshalled in the new format. The current existing
"PKI" tokens will continue to be identified with "MII", issued by
default, and validated as well. It will require corresponding changes
on the Keystone server to issue the new token format.
A separate script for generating the sample
data used in the unit tests,
examples/pki/gen_cmsz.py,
also serves as an example of how to
call the API from Python code.
Some of the sample data for the old tests had to be regenerated. A
stray comma in one of the JSON files made for non-parsing JSON.
Blueprint: compress-tokens
Closes-Bug: #1255321
Change-Id: Ia9a66ba3742da0bcd58c4c096b28cc8a66ad6569
Diffstat (limited to 'keystoneclient/middleware')
| -rw-r--r-- | keystoneclient/middleware/auth_token.py | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/keystoneclient/middleware/auth_token.py b/keystoneclient/middleware/auth_token.py index 637b3b2..f11a260 100644 --- a/keystoneclient/middleware/auth_token.py +++ b/keystoneclient/middleware/auth_token.py @@ -875,7 +875,9 @@ class AuthProtocol(object): 'Token is marked as having been revoked') raise InvalidUserToken( 'Token authorization failed') - + elif cms.is_pkiz(user_token): + verified = self.verify_pkiz_token(user_token) + data = jsonutils.loads(verified) elif cms.is_asn1_token(user_token): verified = self.verify_signed_token(user_token) data = jsonutils.loads(verified) @@ -1228,7 +1230,7 @@ class AuthProtocol(object): revoked_ids = (x['id'] for x in revoked_tokens) return token_id in revoked_ids - def cms_verify(self, data): + def cms_verify(self, data, inform=cms.PKI_ASN1_FORM): """Verifies the signature of the provided data's IAW CMS syntax. If either of the certificate files might be missing, fetch them and @@ -1236,9 +1238,9 @@ class AuthProtocol(object): """ def verify(): try: - return cms.cms_verify( - data, self.signing_cert_file_name, - self.signing_ca_file_name).decode('utf-8') + return cms.cms_verify(data, self.signing_cert_file_name, + self.signing_ca_file_name, + inform=inform).decode('utf-8') except cms.subprocess.CalledProcessError as err: self.LOG.warning('Verify error: %s', err) raise @@ -1265,7 +1267,19 @@ class AuthProtocol(object): raise InvalidUserToken('Token has been revoked') formatted = cms.token_to_cms(signed_text) - return self.cms_verify(formatted) + verified = self.cms_verify(formatted) + return verified + + def verify_pkiz_token(self, signed_text): + if self.is_signed_token_revoked(signed_text): + raise InvalidUserToken('Token has been revoked') + try: + uncompressed = cms.pkiz_uncompress(signed_text) + verified = self.cms_verify(uncompressed, inform=cms.PKIZ_CMS_FORM) + return verified + # TypeError If the signed_text is not zlib compressed + except TypeError: + raise InvalidUserToken(signed_text) def verify_signing_dir(self): if os.path.exists(self.signing_dirname): |