AccessGrid.Security.CertificateRepository

Package AccessGrid :: Package Security :: Module CertificateRepository

[show private | hide private]

Module AccessGrid.Security.CertificateRepository

Certificate management module.

The on-disk repository looks like this:

<repo_root>/
            metadata.db
            certificates/<subject_hash>/
                               <issuer_serial_hash>/cert.pem
                                                    user_files/
                               <modulus_hash>.req.pem
            privatekeys/
                        <modulus_hash>

Classes
`Certificate`
`CertificateDescriptor`
`CertificateRepository`
`CertificateRequestDescriptor`

Exceptions
`RepoAlreadyExists`	Thrown if repository already exists, and the CertificateRepository constructor was invoked with create=1.
`RepoBadPassphrase`
`RepoDoesNotExist`	Thrown if repository does not exist, and the CertificateRepository constructor was invoked with create=0.
`RepoInvalidCertificate`	Thrown if an attempt was made to use an invalid certificate.

Function Summary
	`ClassifyCertificate(path)` Prod at the certificate given to see what it is, and if we need to ask for a private key.
	`ConstructSigningPolicy(cert)` Construct a simple signing policy based on the subject name of cert.
	`ParseSigningPolicy(policyFH)` Parse a signing policy from filehandle policyFH.
	`utc2time(t)` Convert a UTC time (as kept in the X509 notbefore/notafter fields) to seconds since the epoch.
	`utc2tuple(t)`

Variable Summary
`str`	`__revision__` = `'$Id: CertificateRepository.py,v 1.22 200...`
`Logger`	`log` = `<logging.Logger instance at 0x011B3508>`

Function Details

ClassifyCertificate(path)

Prod at the certificate given to see what it is, and if we need to ask for a private key.

A PEM-formatted cert will have a "BEGIN CERTIFICATE" line; if it has a private key included it'll include "BEGIN RSA PRIVATE KEY".

If it doesn't have those, we can try opening it up as a pkcs12 cert. If it's a pkcs12, but is encrypted, we'll get

crypto.Error: [('PKCS12 routines', 'PKCS12_parse', 'mac verify failure')]

If it's not a pkcs file, we'll get

crypto.Error: [('asn1 encoding routines', 'd2i_PKCS12', 'expecting an asn1 sequence')]

If it's unencrypted, we'll get the actual certificate, and can show the name.

We return a tuple (certType, certObj, needPkey). CertType is a string "PEM", "PKCS12". certObj is the certificate itself; it'll be an X509 for a PEM certificate, a PKCS12 object for a pkcs12 obj. needPkey is true if a separate keyfile must be loaded.

ConstructSigningPolicy(cert)

Construct a simple signing policy based on the subject name of cert.

It might not be right, but it might be.

We make it match on all parts of the cert's subject except for CN.

ParseSigningPolicy(policyFH)

Parse a signing policy from filehandle policyFH.

For now, we just return the CA name that it represents so we don't get bogged down in parsing minutiae.

utc2time(t)

Convert a UTC time (as kept in the X509 notbefore/notafter fields) to seconds since the epoch.

We need to handle conversion out of our local timezone, because time.mktime() converts to the local timezone, but the tuple returned by utc2tuple is GMT.

Variable Details

revision

Type:: str
Value:: '$Id: CertificateRepository.py,v 1.22 2004/09/10 03:58:53 judson Exp $\ '

log

Type:: Logger
Value:: <logging.Logger instance at 0x011B3508>

Generated by Epydoc 2.1 on Thu Apr 14 16:39:31 2005

http://epydoc.sf.net