NewProvisioningSession expects pkcs8 private key and SHA race fix

------------- Fix SHA hashing to remove race condition. This change fixes the implementation by passing in the digest buffer. ------------- The input to ProvisioningEngine::NewProvisioningSession should be pkcs8 private key instead of pkcs1 private key ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=151273394 Change-Id: Ibcdff7757b2ac2878ee8b1b88365083964bfa10a
2017-03-26 15:26:46 -07:00
parent 187d13a5c3
commit 84f66d2320
33 changed files with 620 additions and 310 deletions
--- a/oem_certificate_generator/oem_certificate.py
+++ b/oem_certificate_generator/oem_certificate.py
@@ -196,8 +196,8 @@ def _random_serial_number():
  return utils.int_from_bytes(os.urandom(16), byteorder='big')


-def _build_certificate(subject_name, issuer_name, system_id, not_valid_before,
-                       valid_duration, public_key, signing_key, ca):
+def build_certificate(subject_name, issuer_name, system_id, not_valid_before,
+                      valid_duration, public_key, signing_key, ca):
  """Utility function to build certificate."""
  builder = x509.CertificateBuilder()
  builder = builder.subject_name(subject_name).issuer_name(issuer_name)
@@ -237,10 +237,10 @@ def generate_intermediate_certificate(args):
    raise ValueError('Root certificate does not match with root private key')
  csr = x509.load_pem_x509_csr(args.csr_file.read(), backends.default_backend())

-  certificate = _build_certificate(csr.subject, root_cert.subject,
-                                   args.system_id, args.not_valid_before,
-                                   args.valid_duration,
-                                   csr.public_key(), root_private_key, True)
+  certificate = build_certificate(csr.subject, root_cert.subject,
+                                  args.system_id, args.not_valid_before,
+                                  args.valid_duration,
+                                  csr.public_key(), root_private_key, True)
  args.output_certificate_file.write(
      certificate.public_bytes(serialization.Encoding.DER))

@@ -282,11 +282,11 @@ def generate_leaf_certificate(args):
          format=serialization.PrivateFormat.PKCS8,
          encryption_algorithm=_get_encryption_algorithm(args.passphrase)))

-  certificate = _build_certificate(subject_name, intermediate_cert.subject,
-                                   system_id, args.not_valid_before,
-                                   args.valid_duration,
-                                   leaf_private_key.public_key(),
-                                   intermediate_private_key, False)
+  certificate = build_certificate(subject_name, intermediate_cert.subject,
+                                  system_id, args.not_valid_before,
+                                  args.valid_duration,
+                                  leaf_private_key.public_key(),
+                                  intermediate_private_key, False)
  args.output_certificate_file.write(
      X509CertificateChain([certificate, intermediate_cert]).der_bytes())