summaryrefslogtreecommitdiff
path: root/examples/pki/gen_cmsz.py
blob: 6840c08e5e458e07c86368edcb74dd7d34ff6923 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
#!/usr/bin/python

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import json
import os

from keystoneclient.common import cms
from keystoneclient import utils

CURRENT_DIR = os.path.abspath(os.path.dirname(__file__))


def make_filename(*args):
    return os.path.join(CURRENT_DIR, *args)


def generate_revocation_list():
    REVOKED_TOKENS = ['auth_token_revoked', 'auth_v3_token_revoked']
    revoked_list = []
    for token in REVOKED_TOKENS:
        with open(make_filename('cms', '%s.pkiz' % name), 'r') as f:
            token_data = f.read()
            id = utils.hash_signed_token(token_data.encode('utf-8'))
            revoked_list.append({
                'id': id,
                "expires": "2112-08-14T17:58:48Z"
            })
        with open(make_filename('cms', '%s.pem' % name), 'r') as f:
            pem_data = f.read()
            token_data = cms.cms_to_token(pem_data).encode('utf-8')
            id = utils.hash_signed_token(token_data)
            revoked_list.append({
                'id': id,
                "expires": "2112-08-14T17:58:48Z"
            })
    revoked_json = json.dumps({"revoked": revoked_list})
    with open(make_filename('cms', 'revocation_list.json'), 'w') as f:
        f.write(revoked_json)
    encoded = cms.pkiz_sign(revoked_json,
                            SIGNING_CERT_FILE_NAME,
                            SIGNING_KEY_FILE_NAME)
    with open(make_filename('cms', 'revocation_list.pkiz'), 'w') as f:
        f.write(encoded)

    encoded = cms.cms_sign_data(revoked_json,
                                SIGNING_CERT_FILE_NAME,
                                SIGNING_KEY_FILE_NAME)
    with open(make_filename('cms', 'revocation_list.pem'), 'w') as f:
        f.write(encoded)


CA_CERT_FILE_NAME = make_filename('certs', 'cacert.pem')
SIGNING_CERT_FILE_NAME = make_filename('certs', 'signing_cert.pem')
SIGNING_KEY_FILE_NAME = make_filename('private', 'signing_key.pem')
EXAMPLE_TOKENS = ['auth_token_revoked',
                  'auth_token_unscoped',
                  'auth_token_scoped',
                  'auth_token_scoped_expired',
                  'auth_v3_token_scoped',
                  'auth_v3_token_revoked']


# Helper script to generate the sample data for testing
# the signed tokens using the existing JSON data for the
# MII-prefixed tokens.  Uses the keys and certificates
# generated in gen_pki.sh.
def generate_der_form(name):
    derfile = make_filename('cms', '%s.der' % name)
    with open(derfile, 'w') as f:
        derform = cms.cms_sign_data(text,
                                    SIGNING_CERT_FILE_NAME,
                                    SIGNING_KEY_FILE_NAME, cms.PKIZ_CMS_FORM)
        f.write(derform)

for name in EXAMPLE_TOKENS:
    json_file = make_filename('cms', name + '.json')
    pkiz_file = make_filename('cms', name + '.pkiz')
    with open(json_file, 'r') as f:
        string_data = f.read()

    # validate the JSON
    try:
        token_data = json.loads(string_data)
    except ValueError as v:
        raise SystemExit('%s while processing token data from %s: %s' %
                         (v, json_file, string_data))

    text = json.dumps(token_data).encode('utf-8')

    # Uncomment to record the token uncompressed,
    # useful for debugging
    # generate_der_form(name)

    encoded = cms.pkiz_sign(text,
                            SIGNING_CERT_FILE_NAME,
                            SIGNING_KEY_FILE_NAME)

    # verify before writing
    cms.pkiz_verify(encoded,
                    SIGNING_CERT_FILE_NAME,
                    CA_CERT_FILE_NAME)

    with open(pkiz_file, 'w') as f:
        f.write(encoded)

    generate_revocation_list()