This file is indexed.

/usr/share/arc/ssm/crypto.py is in nordugrid-arc-arex 4.0.0-1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
'''
   Copyright (C) 2012 STFC.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
   
   @author: Kevin Haines, Will Rogers
   
   The crypto module calls openssl command line directly, using subprocess.
   We investigated python's crypto libraries (all openssl bindings) and 
   found that none were mature enough to implement the SMIME crypto we had 
   decided on.
'''

from subprocess import Popen, PIPE
import quopri
import base64
import logging

# logging configuration
log = logging.getLogger(__name__)
# Valid ciphers
CIPHERS = ['aes128', 'aes192', 'aes256']


class CryptoException(Exception):
    '''
    Exception for use by the crypto module.
    '''
    pass


def _from_file(filename):
    '''
    Convenience function to read entire file into string.
    '''
    f = open(filename, 'r')
    s = f.read()
    f.close()
    return s


def check_cert_key(certpath, keypath):
    '''
    Check that a certificate and a key match, using openssl directly to fetch
    the modulus of each, which must be the same.
    '''
    try:
        cert = _from_file(certpath)
        key = _from_file(keypath)
    except IOError, e:
        log.error('Could not find cert or key file: %s' % e)
        return False
    
    # Two things the same have the same modulus.
    if cert == key:
        return False

    p1 = Popen(['openssl', 'x509', '-noout', '-modulus'],
               stdin=PIPE, stdout=PIPE, stderr=PIPE)
    modulus1, error = p1.communicate(cert)

    if error != '':
        log.error(error)
        return False

    p2 = Popen(['openssl', 'rsa', '-noout', '-modulus'],
               stdin=PIPE, stdout=PIPE, stderr=PIPE)
    modulus2, error = p2.communicate(key)

    if error != '':
        log.error(error)
        return False
    
    return modulus1.strip() == modulus2.strip()


def sign(text, certpath, keypath):
    '''
    Sign the specified message using the certificate and key in the files specified.
    
    Returns the signed message as an SMIME string, suitable for transmission.
    '''
    try:
        p1 = Popen(['openssl', 'smime', '-sign', '-inkey', keypath, '-signer', certpath, '-text'],
                   stdin=PIPE, stdout=PIPE, stderr=PIPE)
        
        signed_msg, error = p1.communicate(text)
        
        if (error != ''):
            log.error(error)

        return signed_msg
    
    except OSError, e:
        log.error('Failed to sign message: %s' % e)
        raise CryptoException('Message signing failed.  Check cert and key permissions.')


def encrypt(text, certpath, cipher='aes128'):
    '''
    Encrypt the specified message using the certificate string.
    
    Returns the encrypted SMIME text suitable for transmission
    '''
    if cipher not in CIPHERS:
        raise CryptoException('Invalid cipher %s.' % cipher)
    
    cipher = '-' + cipher
    # encrypt
    p1 = Popen(['openssl', 'smime', '-encrypt', cipher, certpath], 
               stdin=PIPE, stdout=PIPE, stderr=PIPE)
    
    enc_txt, error = p1.communicate(text)
    
    if (error != ''):
        log.error(error)

    return enc_txt


def verify(signed_text, capath, check_crl):
    '''
    Verify the signed message has been signed by the certificate (attached to the
    supplied SMIME message) it claims to have, by one of the accepted CAs in
    capath.

    Returns a tuple including the signer's certificate and the plain-text of the
    message if it has been verified.  If the content transfer encoding is specified
    as 'quoted-printable' or 'base64', decode the message body accordingly.
    ''' 
    if signed_text is None or capath is None:
        raise CryptoException('Invalid None argument to verify().')
    # This ensures that openssl knows that the string is finished.
    # It makes no difference if the signed message is correct, but 
    # prevents it from hanging in the case of an empty string.
    signed_text += '\n\n'
    
    signer = get_signer_cert(signed_text)
    
    if not verify_cert(signer, capath, check_crl):
        raise CryptoException('Unverified signer')
    
    # The -noverify flag removes the certificate verification.  The certificate 
    # is verified above; this check would also check that the certificate
    # is allowed to sign with SMIME, which host certificates sometimes aren't.
    p1 = Popen(['openssl', 'smime', '-verify', '-CApath', capath, '-noverify'], 
               stdin=PIPE, stdout=PIPE, stderr=PIPE)
    
    message, error = p1.communicate(signed_text)
    
    # SMIME header and message body are separated by a blank line
    lines = message.strip().splitlines()
    blankline = lines.index('')
    headers = '\n'.join(lines[:blankline])
    body = '\n'.join(lines[blankline + 1:])
    # two possible encodings
    if 'quoted-printable' in headers:
        body = quopri.decodestring(body)
    elif 'base64' in headers:
        body = base64.decodestring(body)
    # otherwise, plain text
    
    # Interesting problem here - we get a message 'Verification successful'
    # to standard error.  We don't want to log this as an error each time,
    # but we do want to see if there's a genuine error...
    log.info(str(error).strip())

    subj = get_certificate_subject(signer)
    return body, subj


def decrypt(encrypted_text, certpath, keypath):
    '''
    Decrypt the specified message using the certificate and key contained in the
    named PEM files. The capath should point to a directory holding all the
    CAs that we accept

    This decryption function can be used whether or not OpenSSL is used to
    encrypt the data
    '''
    # This ensures that openssl knows that the string is finished.
    # It makes no difference if the signed message is correct, but 
    # prevents it from hanging in the case of an empty string.
    encrypted_text += '\n\n'
    
    log.info('Decrypting message.')
    
    p1 = Popen(['openssl', 'smime', '-decrypt',  
                '-recip', certpath, '-inkey', keypath], 
               stdin=PIPE, stdout=PIPE, stderr=PIPE)
    
    enc_txt, error = p1.communicate(encrypted_text)
    
    if (error != ''):
        log.error(error)

    return enc_txt


def verify_cert(certstring, capath, check_crls=True):
    '''
    Verify that the certificate is signed by a CA whose certificate is stored in
    capath.      

    Note that I've had to compare strings in the output of openssl to check
    for verification, which may make this brittle.

    Returns True if the certificate is verified
    '''
    if certstring is None or capath is None:
        raise CryptoException('Invalid None argument to verify_cert().')
    
    args = ['openssl', 'verify', '-CApath', capath]
    
    if check_crls:
        args.append('-crl_check_all')

    p1 = Popen(args, stdin=PIPE, stdout=PIPE, stderr=PIPE)
         
    message, error = p1.communicate(certstring)
    
    # I think this is unlikely ever to happen
    if (error != ''):
        log.error(error)
        
    # There was a tricky problem here.  
    # 'openssl verify' returns 0 whatever happens, so we can't 
    # use the return code to determine whether the verification was 
    # successful.  
    # If it is successful, openssl prints 'OK'
    # If it fails, openssl prints 'error'
    # So:
    log.info('Certificate verification: ' + str(message).strip())
      
    return ('OK' in message and not 'error' in message)


def verify_cert_path(certpath, capath, check_crls=True):
    '''
    Verify certificate, but using the certificate filepath rather than
    the certificate string as in verify_cert.
    '''
    certstring = _from_file(certpath)
    return verify_cert(certstring, capath, check_crls)


def get_certificate_subject(certstring):
    '''
    Return the certificate subject's DN, in legacy openssl format.
    '''
    p1 = Popen(['openssl', 'x509', '-noout', '-subject'],
               stdin=PIPE, stdout=PIPE, stderr=PIPE)
    
    subject, error = p1.communicate(certstring)

    if (error != ''):
        log.error(error)
        raise CryptoException('Failed to get subject: %s' % error)
    
    subject = subject.strip()[9:] # remove 'subject= ' from the front
    return subject


def get_signer_cert(signed_text):
    '''
    Read the signer's certificate from the signed specified message, and return the
    certificate string.
    '''
    # This ensures that openssl knows that the string is finished.
    # It makes no difference if the signed message is correct, but 
    # prevents it from hanging in the case of an empty string.
    signed_text += '\n\n'
    
    p1 = Popen(['openssl', 'smime', '-pk7out'], 
               stdin=PIPE, stdout=PIPE, stderr=PIPE)
    p2 = Popen(['openssl', 'pkcs7', '-print_certs'], 
               stdin=p1.stdout, stdout=PIPE, stderr=PIPE)
    
    p1.stdin.write(signed_text)
    certstring, error = p2.communicate()
    
    if (error != ''):
        log.error(error)
        
    return certstring