1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
#!/usr/bin/python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import json
import os
from keystoneclient.common import cms
from keystoneclient import utils
CURRENT_DIR = os.path.abspath(os.path.dirname(__file__))
def make_filename(*args):
return os.path.join(CURRENT_DIR, *args)
def generate_revocation_list():
REVOKED_TOKENS = ['auth_token_revoked', 'auth_v3_token_revoked']
revoked_list = []
for token in REVOKED_TOKENS:
with open(make_filename('cms', '%s.pkiz' % name), 'r') as f:
token_data = f.read()
id = utils.hash_signed_token(token_data.encode('utf-8'))
revoked_list.append({
'id': id,
"expires": "2112-08-14T17:58:48Z"
})
with open(make_filename('cms', '%s.pem' % name), 'r') as f:
pem_data = f.read()
token_data = cms.cms_to_token(pem_data).encode('utf-8')
id = utils.hash_signed_token(token_data)
revoked_list.append({
'id': id,
"expires": "2112-08-14T17:58:48Z"
})
revoked_json = json.dumps({"revoked": revoked_list})
with open(make_filename('cms', 'revocation_list.json'), 'w') as f:
f.write(revoked_json)
encoded = cms.pkiz_sign(revoked_json,
SIGNING_CERT_FILE_NAME,
SIGNING_KEY_FILE_NAME)
with open(make_filename('cms', 'revocation_list.pkiz'), 'w') as f:
f.write(encoded)
encoded = cms.cms_sign_data(revoked_json,
SIGNING_CERT_FILE_NAME,
SIGNING_KEY_FILE_NAME)
with open(make_filename('cms', 'revocation_list.pem'), 'w') as f:
f.write(encoded)
CA_CERT_FILE_NAME = make_filename('certs', 'cacert.pem')
SIGNING_CERT_FILE_NAME = make_filename('certs', 'signing_cert.pem')
SIGNING_KEY_FILE_NAME = make_filename('private', 'signing_key.pem')
EXAMPLE_TOKENS = ['auth_token_revoked',
'auth_token_unscoped',
'auth_token_scoped',
'auth_token_scoped_expired',
'auth_v3_token_scoped',
'auth_v3_token_revoked']
# Helper script to generate the sample data for testing
# the signed tokens using the existing JSON data for the
# MII-prefixed tokens. Uses the keys and certificates
# generated in gen_pki.sh.
def generate_der_form(name):
derfile = make_filename('cms', '%s.der' % name)
with open(derfile, 'w') as f:
derform = cms.cms_sign_data(text,
SIGNING_CERT_FILE_NAME,
SIGNING_KEY_FILE_NAME, cms.PKIZ_CMS_FORM)
f.write(derform)
for name in EXAMPLE_TOKENS:
json_file = make_filename('cms', name + '.json')
pkiz_file = make_filename('cms', name + '.pkiz')
with open(json_file, 'r') as f:
string_data = f.read()
# validate the JSON
try:
token_data = json.loads(string_data)
except ValueError as v:
raise SystemExit('%s while processing token data from %s: %s' %
(v, json_file, string_data))
text = json.dumps(token_data).encode('utf-8')
# Uncomment to record the token uncompressed,
# useful for debugging
# generate_der_form(name)
encoded = cms.pkiz_sign(text,
SIGNING_CERT_FILE_NAME,
SIGNING_KEY_FILE_NAME)
# verify before writing
cms.pkiz_verify(encoded,
SIGNING_CERT_FILE_NAME,
CA_CERT_FILE_NAME)
with open(pkiz_file, 'w') as f:
f.write(encoded)
generate_revocation_list()
|