• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Copyright 2015 Google Inc. All rights reserved.
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7#      http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14"""OpenSSL Crypto-related routines for oauth2client."""
15
16import base64
17
18from OpenSSL import crypto
19
20from oauth2client._helpers import _parse_pem_key
21from oauth2client._helpers import _to_bytes
22
23
24class OpenSSLVerifier(object):
25    """Verifies the signature on a message."""
26
27    def __init__(self, pubkey):
28        """Constructor.
29
30        Args:
31            pubkey: OpenSSL.crypto.PKey, The public key to verify with.
32        """
33        self._pubkey = pubkey
34
35    def verify(self, message, signature):
36        """Verifies a message against a signature.
37
38        Args:
39        message: string or bytes, The message to verify. If string, will be
40                 encoded to bytes as utf-8.
41        signature: string or bytes, The signature on the message. If string,
42                   will be encoded to bytes as utf-8.
43
44        Returns:
45            True if message was signed by the private key associated with the
46            public key that this object was constructed with.
47        """
48        message = _to_bytes(message, encoding='utf-8')
49        signature = _to_bytes(signature, encoding='utf-8')
50        try:
51            crypto.verify(self._pubkey, signature, message, 'sha256')
52            return True
53        except crypto.Error:
54            return False
55
56    @staticmethod
57    def from_string(key_pem, is_x509_cert):
58        """Construct a Verified instance from a string.
59
60        Args:
61            key_pem: string, public key in PEM format.
62            is_x509_cert: bool, True if key_pem is an X509 cert, otherwise it
63                          is expected to be an RSA key in PEM format.
64
65        Returns:
66            Verifier instance.
67
68        Raises:
69            OpenSSL.crypto.Error: if the key_pem can't be parsed.
70        """
71        if is_x509_cert:
72            pubkey = crypto.load_certificate(crypto.FILETYPE_PEM, key_pem)
73        else:
74            pubkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
75        return OpenSSLVerifier(pubkey)
76
77
78class OpenSSLSigner(object):
79    """Signs messages with a private key."""
80
81    def __init__(self, pkey):
82        """Constructor.
83
84        Args:
85            pkey: OpenSSL.crypto.PKey (or equiv), The private key to sign with.
86        """
87        self._key = pkey
88
89    def sign(self, message):
90        """Signs a message.
91
92        Args:
93            message: bytes, Message to be signed.
94
95        Returns:
96            string, The signature of the message for the given key.
97        """
98        message = _to_bytes(message, encoding='utf-8')
99        return crypto.sign(self._key, message, 'sha256')
100
101    @staticmethod
102    def from_string(key, password=b'notasecret'):
103        """Construct a Signer instance from a string.
104
105        Args:
106            key: string, private key in PKCS12 or PEM format.
107            password: string, password for the private key file.
108
109        Returns:
110            Signer instance.
111
112        Raises:
113            OpenSSL.crypto.Error if the key can't be parsed.
114        """
115        parsed_pem_key = _parse_pem_key(key)
116        if parsed_pem_key:
117            pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, parsed_pem_key)
118        else:
119            password = _to_bytes(password, encoding='utf-8')
120            pkey = crypto.load_pkcs12(key, password).get_privatekey()
121        return OpenSSLSigner(pkey)
122
123
124def pkcs12_key_as_pem(private_key_text, private_key_password):
125    """Convert the contents of a PKCS12 key to PEM using OpenSSL.
126
127    Args:
128        private_key_text: String. Private key.
129        private_key_password: String. Password for PKCS12.
130
131    Returns:
132        String. PEM contents of ``private_key_text``.
133    """
134    decoded_body = base64.b64decode(private_key_text)
135    private_key_password = _to_bytes(private_key_password)
136
137    pkcs12 = crypto.load_pkcs12(decoded_body, private_key_password)
138    return crypto.dump_privatekey(crypto.FILETYPE_PEM,
139                                  pkcs12.get_privatekey())
140