From accd9abde6eb76c594de75a0051e5367475ebe93 Mon Sep 17 00:00:00 2001 From: Vojtech Myslivec Date: Fri, 31 May 2019 16:25:03 +0200 Subject: [PATCH 1/3] cryptography: Write key with restrictive permissions --- certgen/cryptography.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/certgen/cryptography.py b/certgen/cryptography.py index 8633289..05de507 100644 --- a/certgen/cryptography.py +++ b/certgen/cryptography.py @@ -78,12 +78,16 @@ def generate_priv_key_file(key_path): curve=ELLIPTIC_CURVE, backend=default_backend() ) + + old_umask = os.umask(0o057) with open(key_path, "wb") as f: f.write(key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption() )) + os.umask(old_umask) + def key_match(obj, key): -- GitLab From d6c027418f657189f6f38407a0a0cf9d57535b40 Mon Sep 17 00:00:00 2001 From: Vojtech Myslivec Date: Fri, 31 May 2019 16:25:50 +0200 Subject: [PATCH 2/3] cryptography: Check key permisisons on load --- certgen/cryptography.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/certgen/cryptography.py b/certgen/cryptography.py index 05de507..376eae9 100644 --- a/certgen/cryptography.py +++ b/certgen/cryptography.py @@ -5,6 +5,7 @@ Cryptography-related tasks for Sentinel:Certgen import datetime import logging import os +import stat from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization 
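Review bot: The mask in `old_umask = os.umask(0o057)` clears group read and execute but leaves group write, so a newly created key file comes out as 0o620 (owner rw, group write-only), which the S_IWGRP test added to load_or_remove_key in patch 2/3 would itself flag; `0o137` (or `0o077` if no group reader is needed) matches that check. The umask only applies when the file is created, so a key_path that already exists with a looser mode keeps that mode after the truncating `open(key_path, "wb")`. An exception during the write also leaves the process-wide umask changed, because `os.umask(old_umask)` is not in a `finally`. Opening the descriptor with an explicit mode addresses all three: `fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)`, then `with os.fdopen(fd, "wb") as f:` with `os.fchmod(f.fileno(), 0o640)` as its first statement. The start of generate_priv_key_file is outside the hunk.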
@@ -99,6 +100,22 @@ def load_or_remove_key(key_path): Load the private key from a file or, if it is damaged, remove it from the filesystem. """ + # check file existence and correct permissions + try: + st = os.stat(key_path) + # private key should *not* has --x-wxrwx + if st.st_mode & (stat.S_IXUSR | stat.S_IWGRP | stat.S_IXGRP | stat.S_IRWXO): + logger.warning( + "Private key file (%s) has too benevolent permissions", + key_path + ) + except FileNotFoundError: + logger.info( + "Private key file (%s) is missing", + key_path + ) + return None + try: with open(key_path, 'rb') as f: key = serialization.load_pem_private_key( -- GitLab From ed382c8a5312d80bb050f3d3b2f0588453a00280 Mon Sep 17 00:00:00 2001 From: Vojtech Myslivec Date: Fri, 31 May 2019 16:26:35 +0200 Subject: [PATCH 3/3] Release version 6.1 --- certgen/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certgen/__init__.py b/certgen/__init__.py index c0a41a9..ab72706 100644 --- a/certgen/__init__.py +++ b/certgen/__init__.py @@ -2,7 +2,7 @@ Sentinel:Certgen python package """ -__version__ = '6.0' +__version__ = '6.1' DEFAULT_CERT_API_HOSTNAME = "sentinel.turris.cz" -- GitLab
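Review bot: The permission test in load_or_remove_key runs `os.stat(key_path)` on the path, and the key is then read through a separate `open(key_path, 'rb')`, so the file that was checked is not guaranteed to be the file that is loaded; a too-open mode is also only logged before the key is used anyway. Taking the mode from the opened descriptor closes that gap: inside the existing `with` block, `st = os.fstat(f.fileno())` followed by the same mask test. The mask says nothing about who owns the file; comparing `st.st_uid` with `os.geteuid()` would catch a key owned by another account. Only FileNotFoundError is caught around the stat, so other OSError cases (for example a permission error on a parent directory) propagate unless handled further down; the rest of the function lies outside the hunk, so this may already be covered.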