def generateProxyToString(self, lifeTime, diracGroup=False, strength=1024, limited=False, rfc=False, proxyKey=False): """ Generate a proxy and get it as a string Args: lifeTime (int): expected lifetime in seconds of proxy diracGroup (str): diracGroup to add to the certificate strength (int): length in bits of the pair limited (bool): Create a limited proxy """ if not self.__loadedChain: return S_ERROR(DErrno.ENOCHAIN) if not self.__loadedPKey: return S_ERROR(DErrno.ENOPKEY) if self.__isProxy: rfc = self.isRFC().get('Value', False) issuerCert = self.__certList[0] if not proxyKey: proxyKey = crypto.PKey() proxyKey.generate_key(crypto.TYPE_RSA, strength) proxyCert = crypto.X509() if rfc: proxyCert.set_serial_number(str(int(random.random() * 10 ** 10))) cloneSubject = issuerCert.get_subject().clone() cloneSubject.insert_entry("CN", str(int(random.random() * 10 ** 10))) proxyCert.set_subject(cloneSubject) proxyCert.add_extensions(self.__getProxyExtensionList(diracGroup, rfc and not limited, rfc and limited)) else: proxyCert.set_serial_number(issuerCert.get_serial_number()) cloneSubject = issuerCert.get_subject().clone() if limited: cloneSubject.insert_entry("CN", "limited proxy") else: cloneSubject.insert_entry("CN", "proxy") proxyCert.set_subject(cloneSubject) proxyCert.add_extensions(self.__getProxyExtensionList(diracGroup)) proxyCert.set_issuer(issuerCert.get_subject()) proxyCert.set_version(issuerCert.get_version()) proxyCert.set_pubkey(proxyKey) proxyCert.gmtime_adj_notBefore(-900) proxyCert.gmtime_adj_notAfter(int(lifeTime)) proxyCert.sign(self.__keyObj, 'sha256') proxyString = "%s%s" % (crypto.dump_certificate(crypto.FILETYPE_PEM, proxyCert), crypto.dump_privatekey(crypto.FILETYPE_PEM, proxyKey)) for i in range(len(self.__certList)): proxyString += crypto.dump_certificate(crypto.FILETYPE_PEM, self.__certList[i]) return S_OK(proxyString)
def generateProxyToString(self, lifeTime, diracGroup=False, strength=1024, limited=False): """ Generate a proxy and get it as a string Args: - lifeTime : expected lifetime in seconds of proxy - diracGroup : diracGroup to add to the certificate - strength : length in bits of the pair - limited : Create a limited proxy """ if not self.__loadedChain: return S_ERROR("No chain loaded") if not self.__loadedPKey: return S_ERROR("No pkey loaded") issuerCert = self.__certList[0] proxyKey = crypto.PKey() proxyKey.generate_key(crypto.TYPE_RSA, strength) proxyCert = crypto.X509() cloneSubject = issuerCert.get_subject().clone() if limited: cloneSubject.insert_entry("CN", "limited proxy") else: cloneSubject.insert_entry("CN", "proxy") proxyCert.set_subject(cloneSubject) proxyCert.set_serial_number(issuerCert.get_serial_number()) proxyCert.set_issuer(issuerCert.get_subject()) proxyCert.set_version(issuerCert.get_version()) proxyCert.set_pubkey(proxyKey) proxyCert.add_extensions(self.__getProxyExtensionList(diracGroup)) proxyCert.gmtime_adj_notBefore(-900) proxyCert.gmtime_adj_notAfter(lifeTime) proxyCert.sign(self.__keyObj, 'sha1') proxyString = "%s%s" % (crypto.dump_certificate( crypto.FILETYPE_PEM, proxyCert), crypto.dump_privatekey(crypto.FILETYPE_PEM, proxyKey)) for i in range(len(self.__certList)): proxyString += crypto.dump_certificate(crypto.FILETYPE_PEM, self.__certList[i]) return S_OK(proxyString)
if lastEntry[0] == "CN" and lastEntry[1] == "limited proxy": isLimited = True for entryTuple in reqSubj.get_components(): if isLimited and entryTuple[0] == "CN" and entryTuple[1] == "proxy": return S_ERROR( "Request is for a full proxy and chain is a limited one") if entryTuple[0] == "CN" and entryTuple[1] == "limited proxy": isLimited = True newSubj.insert_entry(entryTuple[0], entryTuple[1]) if requireLimited and not isLimited: return S_ERROR( "Only limited proxies are allowed to be delegated but request was for a full one" ) childCert = crypto.X509() childCert.set_subject(newSubj) childCert.set_issuer(issuerCert.get_subject()) childCert.set_serial_number(issuerCert.get_serial_number()) childCert.set_version(issuerCert.get_version()) childCert.set_pubkey(req.get_pubkey()) childCert.add_extensions(self.__getProxyExtensionList(diracGroup)) childCert.gmtime_adj_notBefore(-900) childCert.gmtime_adj_notAfter(lifetime) childCert.sign(self.__keyObj, 'md5') childString = crypto.dump_certificate(crypto.FILETYPE_PEM, childCert) for i in range(len(self.__certList)): childString += crypto.dump_certificate(crypto.FILETYPE_PEM, self.__certList[i])