Revize 76648193
Přidáno uživatelem Michal Seják před téměř 4 roky(ů)
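--- a/src/services/cryptography.py
+++ b/src/services/cryptography.py
@@ -10,6 +10,12 @@
 from src.utils.logger import Logger
 from src.utils.temporary_file import TemporaryFile
 
+# the prefix of an rsa key
+KEY_PREFIX = b"-----BEGIN RSA PRIVATE KEY-----"
+
+# what every encrypted key contains
+GUARANTEED_SUBSTRING_OF_ENCRYPTED_KEYS = "ENCRYPTED"
+
 # encryption method to be used when generating private keys
 PRIVATE_KEY_ENCRYPTION_METHOD = "-aes256"
 
@@ -411,10 +417,9 @@
 
 # openssl ca requires the .srl file to exists, therefore a dummy, unused file is created
 with TemporaryFile("serial.srl", "0") as serial_file, \
-TemporaryFile("crl.conf", CRL_CONFIG % (index_file_path, serial_file)) as config_file, \
-TemporaryFile("certificate.pem", cert.pem_data) as cert_file, \
-TemporaryFile("private_key.pem", key.private_key) as key_file:
-
+TemporaryFile("crl.conf", CRL_CONFIG % (index_file_path, serial_file)) as config_file, \
+TemporaryFile("certificate.pem", cert.pem_data) as cert_file, \
+TemporaryFile("private_key.pem", key.private_key) as key_file:
 args = ["ca", "-config", config_file, "-gencrl", "-keyfile", key_file, "-cert", cert_file, "-outdir", "."]
 
 if key.password is not None and key.password != "":
@@ -437,9 +442,8 @@
 Logger.debug("Function launched.")
 
 with TemporaryFile("certificate.pem", cert.pem_data) as ca_certificate, \
-TemporaryFile("private_key.pem", key.private_key) as key_file, \
-TemporaryFile("request.der", der_ocsp_request) as request_file:
-
+TemporaryFile("private_key.pem", key.private_key) as key_file, \
+TemporaryFile("request.der", der_ocsp_request) as request_file:
 args = ["ocsp", "-index", index_path, "-CA", ca_certificate, "-rsigner", ca_certificate, "-rkey", key_file,
 "-reqin", request_file, "-respout", "-"]
 
@@ -448,6 +452,27 @@
 
 return self.__run_for_output(args)
 
+def verify_key(self, key, passphrase):
+"""
+Verifies whether the provided key is encrypted by the provided passphrase. If passphrase is none, verifies
+that the provided key is unencrypted.
+:param key: target key
+:param passphrase: target passphrase or None
+:return: True if the condition is fulfilled, else False
+"""
+if passphrase is None:
+return re.search(GUARANTEED_SUBSTRING_OF_ENCRYPTED_KEYS, key) is None
+else:
+if re.search(GUARANTEED_SUBSTRING_OF_ENCRYPTED_KEYS, key) is None:
+return False
+else:
+try:
+with TemporaryFile("tested_key.pem", key) as f:
+ret = self.__run_for_output(["rsa", "-in", f, "-passin", f"pass:{passphrase}"])
+return ret.startswith(KEY_PREFIX)
+except CryptographyException:
+return False
+
 
 class CryptographyException(Exception):
 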
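Review bot: In `verify_key`, the passphrase is placed on the openssl command line (`f"pass:{passphrase}"`), where it is readable by any local process that can inspect the child's argument list while openssl runs; passing it via `-passin stdin` (written to the subprocess's stdin) or an `fd:` descriptor keeps it out of argv, though whether `__run_for_output` can feed stdin is not visible in this diff. The empty-passphrase case also diverges from the CRL branch earlier in the file, which treats `""` like None (`if key.password is not None and key.password != "":`), while `verify_key` would take the encrypted branch for `""` and report an unencrypted key as a mismatch; `if not passphrase:` in place of `if passphrase is None:` would align the two, if that is the intended contract. Both `re.search` calls match a fixed substring, so `GUARANTEED_SUBSTRING_OF_ENCRYPTED_KEYS in key` is the clearer form, and the nested `else:` blocks would read better as early returns. The str pattern implies `key` is `str`, while `KEY_PREFIX` is `bytes` and is compared against `__run_for_output`'s result — worth confirming both types line up with what callers pass.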
Re #8705 - Added the `verify_key` method to CryptoService.