diff options
Diffstat (limited to 'examples/pki/gen_cmsz.py')
| -rw-r--r-- | examples/pki/gen_cmsz.py | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/examples/pki/gen_cmsz.py b/examples/pki/gen_cmsz.py new file mode 100644 index 0000000..6840c08 --- /dev/null +++ b/examples/pki/gen_cmsz.py @@ -0,0 +1,117 @@ +#!/usr/bin/python + +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +import json +import os + +from keystoneclient.common import cms +from keystoneclient import utils + +CURRENT_DIR = os.path.abspath(os.path.dirname(__file__)) + + +def make_filename(*args): + return os.path.join(CURRENT_DIR, *args) + + +def generate_revocation_list(): + REVOKED_TOKENS = ['auth_token_revoked', 'auth_v3_token_revoked'] + revoked_list = [] + for token in REVOKED_TOKENS: + with open(make_filename('cms', '%s.pkiz' % name), 'r') as f: + token_data = f.read() + id = utils.hash_signed_token(token_data.encode('utf-8')) + revoked_list.append({ + 'id': id, + "expires": "2112-08-14T17:58:48Z" + }) + with open(make_filename('cms', '%s.pem' % name), 'r') as f: + pem_data = f.read() + token_data = cms.cms_to_token(pem_data).encode('utf-8') + id = utils.hash_signed_token(token_data) + revoked_list.append({ + 'id': id, + "expires": "2112-08-14T17:58:48Z" + }) + revoked_json = json.dumps({"revoked": revoked_list}) + with open(make_filename('cms', 'revocation_list.json'), 'w') as f: + f.write(revoked_json) + encoded = cms.pkiz_sign(revoked_json, + SIGNING_CERT_FILE_NAME, + SIGNING_KEY_FILE_NAME) + with open(make_filename('cms', 'revocation_list.pkiz'), 'w') as f: + f.write(encoded) + + encoded = cms.cms_sign_data(revoked_json, + SIGNING_CERT_FILE_NAME, + SIGNING_KEY_FILE_NAME) + with open(make_filename('cms', 'revocation_list.pem'), 'w') as f: + f.write(encoded) + + +CA_CERT_FILE_NAME = make_filename('certs', 'cacert.pem') +SIGNING_CERT_FILE_NAME = make_filename('certs', 'signing_cert.pem') +SIGNING_KEY_FILE_NAME = make_filename('private', 'signing_key.pem') +EXAMPLE_TOKENS = ['auth_token_revoked', + 'auth_token_unscoped', + 'auth_token_scoped', + 'auth_token_scoped_expired', + 'auth_v3_token_scoped', + 'auth_v3_token_revoked'] + + +# Helper script to generate the sample data for testing +# the signed tokens using the existing JSON data for the +# MII-prefixed tokens. Uses the keys and certificates +# generated in gen_pki.sh. +def generate_der_form(name): + derfile = make_filename('cms', '%s.der' % name) + with open(derfile, 'w') as f: + derform = cms.cms_sign_data(text, + SIGNING_CERT_FILE_NAME, + SIGNING_KEY_FILE_NAME, cms.PKIZ_CMS_FORM) + f.write(derform) + +for name in EXAMPLE_TOKENS: + json_file = make_filename('cms', name + '.json') + pkiz_file = make_filename('cms', name + '.pkiz') + with open(json_file, 'r') as f: + string_data = f.read() + + # validate the JSON + try: + token_data = json.loads(string_data) + except ValueError as v: + raise SystemExit('%s while processing token data from %s: %s' % + (v, json_file, string_data)) + + text = json.dumps(token_data).encode('utf-8') + + # Uncomment to record the token uncompressed, + # useful for debugging + # generate_der_form(name) + + encoded = cms.pkiz_sign(text, + SIGNING_CERT_FILE_NAME, + SIGNING_KEY_FILE_NAME) + + # verify before writing + cms.pkiz_verify(encoded, + SIGNING_CERT_FILE_NAME, + CA_CERT_FILE_NAME) + + with open(pkiz_file, 'w') as f: + f.write(encoded) + + generate_revocation_list() |