Revision 3718bf6d
b/lib/serializer.py | ||
---|---|---|
112 | 112 |
signed_dict = { |
113 | 113 |
'msg': txt, |
114 | 114 |
'salt': salt, |
115 |
} |
|
115 |
} |
|
116 |
|
|
116 | 117 |
if key_selector: |
117 | 118 |
signed_dict["key_selector"] = key_selector |
118 |
message = salt + key_selector + txt |
|
119 | 119 |
else: |
120 |
message = salt + txt |
|
121 |
signed_dict["hmac"] = utils.Sha1Hmac(key, message) |
|
120 |
key_selector = "" |
|
121 |
|
|
122 |
signed_dict["hmac"] = utils.Sha1Hmac(key, txt, salt=salt + key_selector) |
|
122 | 123 |
|
123 | 124 |
return DumpJson(signed_dict, indent=False) |
124 | 125 |
|
... | ... | |
156 | 157 |
key_selector = "" |
157 | 158 |
hmac_key = key |
158 | 159 |
|
159 |
if not utils.VerifySha1Hmac(hmac_key, salt + key_selector + msg, hmac_sign): |
|
160 |
if not utils.VerifySha1Hmac(hmac_key, msg, hmac_sign, |
|
161 |
salt=salt + key_selector): |
|
160 | 162 |
raise errors.SignatureError('Invalid Signature') |
161 | 163 |
|
162 | 164 |
return LoadJson(msg), salt |
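Review bot: The MAC input built by the new `signed_dict["hmac"] = utils.Sha1Hmac(key, txt, salt=salt + key_selector)` line is still the bare concatenation salt + key_selector + txt, so the boundaries between the three fields are not authenticated. Different splits of the same byte string into (salt, key_selector, msg) produce the same HMAC, and the verification side (new lines 160-161) rebuilds the same concatenation. If `salt` and `key_selector` there are taken from the received message (their origin is outside the visible lines), the signature does not bind which bytes belong to which field. Consider framing the fields identically on both sides before they are MACed, e.g. `salt="%d:%s%d:%s" % (len(salt), salt, len(key_selector), key_selector)`. That changes the digest, so it needs a compatibility plan for already-signed data. Both function bodies start outside the section shown.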
b/lib/utils.py | ||
---|---|---|
2608 | 2608 |
|
2609 | 2609 |
return ("%s: %s/%s\n\n%s" % |
2610 | 2610 |
(constants.X509_CERT_SIGNATURE_HEADER, salt, |
2611 |
Sha1Hmac(key, salt + cert_pem),
|
|
2611 |
Sha1Hmac(key, cert_pem, salt=salt),
|
|
2612 | 2612 |
cert_pem)) |
2613 | 2613 |
|
2614 | 2614 |
|
... | ... | |
2647 | 2647 |
# Dump again to ensure it's in a sane format |
2648 | 2648 |
sane_pem = OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, cert) |
2649 | 2649 |
|
2650 |
if not VerifySha1Hmac(key, salt + sane_pem, signature):
|
|
2650 |
if not VerifySha1Hmac(key, sane_pem, signature, salt=salt):
|
|
2651 | 2651 |
raise errors.GenericError("X509 certificate signature is invalid") |
2652 | 2652 |
|
2653 | 2653 |
return (cert, salt) |
2654 | 2654 |
|
2655 | 2655 |
|
2656 |
def Sha1Hmac(key, text): |
|
2656 |
def Sha1Hmac(key, text, salt=None):
|
|
2657 | 2657 |
"""Calculates the HMAC-SHA1 digest of a text. |
2658 | 2658 |
|
2659 | 2659 |
HMAC is defined in RFC2104. |
... | ... | |
2663 | 2663 |
@type text: string |
2664 | 2664 |
|
2665 | 2665 |
""" |
2666 |
return hmac.new(key, text, sha1).hexdigest() |
|
2666 |
if salt: |
|
2667 |
salted_text = salt + text |
|
2668 |
else: |
|
2669 |
salted_text = text |
|
2670 |
|
|
2671 |
return hmac.new(key, salted_text, sha1).hexdigest() |
|
2667 | 2672 |
|
2668 | 2673 |
|
2669 |
def VerifySha1Hmac(key, text, digest): |
|
2674 |
def VerifySha1Hmac(key, text, digest, salt=None):
|
|
2670 | 2675 |
"""Verifies the HMAC-SHA1 digest of a text. |
2671 | 2676 |
|
2672 | 2677 |
HMAC is defined in RFC2104. |
... | ... | |
2680 | 2685 |
@return: Whether HMAC-SHA1 digest matches |
2681 | 2686 |
|
2682 | 2687 |
""" |
2683 |
return digest.lower() == Sha1Hmac(key, text).lower() |
|
2688 |
return digest.lower() == Sha1Hmac(key, text, salt=salt).lower()
|
|
2684 | 2689 |
|
2685 | 2690 |
|
2686 | 2691 |
def SafeEncode(text): |
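Review bot: `VerifySha1Hmac` (new line 2688) still compares the digests with `==`, which stops at the first differing character, so the time taken can reveal how much of a supplied digest is correct. Where the supported Python versions provide it (2.7.7+ or 3.3+), use `return hmac.compare_digest(digest.lower(), Sha1Hmac(key, text, salt=salt).lower())`; the module already uses `hmac`. The visible docstring lines of `Sha1Hmac` and `VerifySha1Hmac` show no entry for the new `salt` parameter; if the elided part has none either, add `@type salt: string` and `@param salt: optional salt prepended to the text before the HMAC is computed`. Note also that `if salt:` treats `salt=""` the same as `salt=None`, which is worth stating in that docstring.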
b/test/ganeti.utils_unittest.py | ||
---|---|---|
2013 | 2013 |
self.assertEqual(utils.Sha1Hmac("3YzMxZWE", longtext), |
2014 | 2014 |
"35901b9a3001a7cdcf8e0e9d7c2e79df2223af54") |
2015 | 2015 |
|
2016 |
def testSha1HmacSalt(self): |
|
2017 |
self.assertEqual(utils.Sha1Hmac("TguMTA2K", "", salt="abc0"), |
|
2018 |
"4999bf342470eadb11dfcd24ca5680cf9fd7cdce") |
|
2019 |
self.assertEqual(utils.Sha1Hmac("TguMTA2K", "", salt="abc9"), |
|
2020 |
"17a4adc34d69c0d367d4ffbef96fd41d4df7a6e8") |
|
2021 |
self.assertEqual(utils.Sha1Hmac("3YzMxZWE", "Hello World", salt="xyz0"), |
|
2022 |
"7f264f8114c9066afc9bb7636e1786d996d3cc0d") |
|
2023 |
|
|
2016 | 2024 |
def testVerifySha1Hmac(self): |
2017 | 2025 |
self.assert_(utils.VerifySha1Hmac("", "", ("fbdb1d1b18aa6c08324b" |
2018 | 2026 |
"7d64b71fb76370690e1d"))) |
... | ... | |
2029 | 2037 |
self.assert_(utils.VerifySha1Hmac("3YzMxZWE", "Hello World", |
2030 | 2038 |
digest.title())) |
2031 | 2039 |
|
2040 |
def testVerifySha1HmacSalt(self): |
|
2041 |
self.assert_(utils.VerifySha1Hmac("TguMTA2K", "", |
|
2042 |
("17a4adc34d69c0d367d4" |
|
2043 |
"ffbef96fd41d4df7a6e8"), |
|
2044 |
salt="abc9")) |
|
2045 |
self.assert_(utils.VerifySha1Hmac("3YzMxZWE", "Hello World", |
|
2046 |
("7f264f8114c9066afc9b" |
|
2047 |
"b7636e1786d996d3cc0d"), |
|
2048 |
salt="xyz0")) |
|
2049 |
|
|
2032 | 2050 |
|
2033 | 2051 |
if __name__ == '__main__': |
2034 | 2052 |
testutils.GanetiTestProgram() |
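Review bot: `testVerifySha1HmacSalt` (new lines 2040-2048) only asserts that a correct salt verifies; nothing checks that a wrong or missing salt is rejected, so a regression that ignored `salt` in `VerifySha1Hmac` would still pass this test. Add negative cases such as `self.assertFalse(utils.VerifySha1Hmac("3YzMxZWE", "Hello World", "7f264f8114c9066afc9bb7636e1786d996d3cc0d", salt="xyz1"))` and the same digest with no `salt` argument. A case pinning that `salt=""` and `salt=None` give the same digest would also document the `if salt:` behaviour in `Sha1Hmac`.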