authorVishvananda Ishaya <vishvananda@gmail.com>2013-01-15 12:19:53 -0800
committerVishvananda Ishaya <vishvananda@gmail.com>2013-01-16 09:54:46 -0800
commitdaa5db3f4e990185522f38d1011cfe37141298fe (patch)
treeb3ab8fc5218d3ea28c355a2ce16df889b31917e2 /nova/crypto.py
parent34ffd41831ee6b6e629a5f5c2e52c2729f00029d (diff)
Add encryption method using an ssh public key.
This is a prerequisite for adding support to xenapi with a guest agent to support the get-password command. Related to blueprint get-password Change-Id: I226ea5ee4fd6e326ccbb39cdf9098925d3f45312
Diffstat (limited to 'nova/crypto.py')
-rw-r--r--nova/crypto.py43
1 files changed, 37 insertions, 6 deletions
diff --git a/nova/crypto.py b/nova/crypto.py
index ff76a54d0..68d25e650 100644
--- a/nova/crypto.py
+++ b/nova/crypto.py
@@ -171,13 +171,44 @@ def decrypt_text(project_id, text):
raise exception.ProjectNotFound(project_id=project_id)
try:
dec, _err = utils.execute('openssl',
- 'rsautl',
- '-decrypt',
- '-inkey', '%s' % private_key,
- process_input=text)
+ 'rsautl',
+ '-decrypt',
+ '-inkey', '%s' % private_key,
+ process_input=text)
return dec
- except exception.ProcessExecutionError:
- raise exception.DecryptionFailure()
+ except exception.ProcessExecutionError as exc:
+ raise exception.DecryptionFailure(reason=exc.stderr)
+
+
+def ssh_encrypt_text(ssh_public_key, text):
+ """Encrypt text with an ssh public key.
+
+ Requires recent ssh-keygen binary in addition to openssl binary.
+ """
+ with utils.tempdir() as tmpdir:
+ sshkey = os.path.abspath(os.path.join(tmpdir, 'ssh.key'))
+ with open(sshkey, 'w') as f:
+ f.write(ssh_public_key)
+ sslkey = os.path.abspath(os.path.join(tmpdir, 'ssl.key'))
+ try:
+ # NOTE(vish): -P is to skip prompt on bad keys
+ out, _err = utils.execute('ssh-keygen',
+ '-P', '',
+ '-e',
+ '-f', sshkey,
+ '-m', 'PKCS8')
+ with open(sslkey, 'w') as f:
+ f.write(out)
+ enc, _err = utils.execute('openssl',
+ 'rsautl',
+ '-encrypt',
+ '-pubin',
+ '-inkey', sslkey,
+ '-keyform', 'PEM',
+ process_input=text)
+ return enc
+ except exception.ProcessExecutionError as exc:
+ raise exception.EncryptionFailure(reason=exc.stderr)
def revoke_cert(project_id, file_name):
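Review bot: The new `ssh_encrypt_text` calls `openssl rsautl -encrypt` with no padding option, so it gets rsautl's default PKCS#1 v1.5 padding, works only for RSA keys, and fails on any text too long for a single RSA block; the docstring states none of this. I would add to the docstring `Only RSA keys are supported; text must fit in one RSA block (key size minus padding overhead).`, and pass `'-oaep',` to rsautl if the component that decrypts can handle OAEP. Both `except` branches now copy `exc.stderr` into the exception `reason`; if that string can reach an API caller, it exposes openssl's error text and the temp-file path. On the `decrypt_text` side, distinguishable failure reasons may also act as a padding-validity signal, so logging stderr and raising with a fixed reason looks safer. The body of `decrypt_text` starts above this hunk, so how `reason` is surfaced cannot be confirmed from here.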