def _get_signing_request(self, der_blob):
""" Extracts signing request from
MyProxy response.
der_blob -- sequence with PKCS10 encoded CSR string
raise -- MyProxyError if no CSR could be extracted
"""
ind = der_blob.find(MyProxy.ASN1_START)
if ind < 0:
raise MyProxyError("CSR missing",
"Could not extract any CSR from ASN1 sequence")
_len = 256*ord(der_blob[ind+2]) + ord(der_blob[ind+3])
c = der_blob[ind:ind+_len+4] # get CSR
if version.LooseVersion(m2_version) < '0.20':
# little hack to overcome missing method in versions < 0.20
import tempfile
tmp_fd, tmp_name = tempfile.mkstemp(suffix='.csr')
f = os.fdopen(tmp_fd,'wb')
f.write(c)
f.close()
req = X509.load_request(tmp_name, X509.FORMAT_DER)
os.remove(tmp_name)
else:
req = X509.load_request_der_string(c)
return req
def test_delegation_get_pubkey_csr(self):
empty_db()
response = self.app.put(url('delegation', delegation_id='test'),
params='{ "renewable": false }')
delegation = Session.query(model.Delegation).first()
response = self.app.get(url('delegation_pubkey', delegation_id='test'))
pubkey1 = response.body
response = self.app.get(url('delegation_pubkey', delegation_id='test'))
pubkey2 = response.body
response = self.app.get(url('delegation_pubkey', delegation_id='test'),
headers={'Accept': 'application/x-pkcs1'})
pubkey3 = response.body
key1 = RSA.load_pub_key_bio(BIO.MemoryBuffer(pubkey1))
key3 = certlib.rsa_load_pub_key_der(pubkey3)
assert key1.pub() == delegation.new_key.pub()
assert pubkey1 == pubkey2
assert key1.pub() == key3.pub()
response = self.app.get(url('delegation_request', delegation_id='test'),
headers={'Accept': 'application/x-pkcs10+der'})
req = X509.load_request_der_string(response.body)
assert key1.pub() == req.get_pubkey().get_rsa().pub()
def test_malformed_data(self):
with self.assertRaises(X509.X509Error):
X509.load_cert_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_cert_der_string('Hello')
with self.assertRaises(X509.X509Error):
X509.new_stack_from_der('Hello')
with self.assertRaises(X509.X509Error):
X509.load_cert('tests/alltests.py')
with self.assertRaises(X509.X509Error):
X509.load_request('tests/alltests.py')
with self.assertRaises(X509.X509Error):
X509.load_request_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_request_der_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_crl('tests/alltests.py')
def test_malformed_data(self):
with self.assertRaises(X509.X509Error):
X509.load_cert_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_cert_der_string('Hello')
with self.assertRaises(X509.X509Error):
X509.new_stack_from_der('Hello')
with self.assertRaises(X509.X509Error):
X509.load_cert('tests/alltests.py')
with self.assertRaises(X509.X509Error):
X509.load_request('tests/alltests.py')
with self.assertRaises(X509.X509Error):
X509.load_request_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_request_der_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_crl('tests/alltests.py')
def test_load_request_bio(self):
(req, _) = self.mkreq(512)
r1 = X509.load_request_der_string(req.as_der())
r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER)
r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM)
r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()), X509.FORMAT_DER)
r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), X509.FORMAT_PEM)
for r in [r1, r2, r3, r4, r5]:
assert req.as_der() == r.as_der()
self.assertRaises(ValueError, X509.load_request_bio, BIO.MemoryBuffer(req.as_pem()), 345678)
def test_load_request_bio(self):
(req, _) = self.mkreq(512)
r1 = X509.load_request_der_string(req.as_der())
r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER)
r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM)
r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()), X509.FORMAT_DER)
r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), X509.FORMAT_PEM)
for r in [r1, r2, r3, r4, r5]:
assert req.as_der() == r.as_der()
self.assertRaises(ValueError, X509.load_request_bio, BIO.MemoryBuffer(req.as_pem()), 345678)
def test_load_request_bio(self):
(req, _) = self.mkreq(1024)
r1 = X509.load_request_der_string(req.as_der())
r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER)
r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM)
r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()),
X509.FORMAT_DER)
r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()),
X509.FORMAT_PEM)
for r in [r1, r2, r3, r4, r5]:
self.assertEqual(req.as_der(), r.as_der())
with self.assertRaises(ValueError):
X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), 345678)
def test_load_request_bio(self):
(req, _) = self.mkreq(1024)
r1 = X509.load_request_der_string(req.as_der())
r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER)
r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM)
r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()),
X509.FORMAT_DER)
r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()),
X509.FORMAT_PEM)
for r in [r1, r2, r3, r4, r5]:
self.assertEqual(req.as_der(), r.as_der())
with self.assertRaises(ValueError):
X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), 345678)
def write(self, data):
if self.context_established:
return self.sock.write(data)
if self.key is None:
self.context_established = True
self.sock.write("0"+data)
else:
# Now here goes something really weird. If there is NO
# delegation after the context establishment phase
# (previous if clause), any cipher suite works. If there
# is a delegation after context establishment, it fails
# with any cipher suite except NULL cipher.
#
# This is probably a bug in globus GSI implementation.
if not str(self.sock.get_cipher()).startswith("NULL"):
self.sock.set_cipher_list("NULL-SHA")
self.sock.renegotiate()
self.sock.write("D")
request = ""
while True:
request += self.sock.read(100*1024)
if asn1_sequence_length(request) == len(request):
break
if len(request) > 100*1024:
raise IOError("GSI context error: no cert request in delegation phase")
try:
request = X509.load_request_der_string(request)
except X509.X509Error:
return IOError("GSI context error: bad certificate request received from server")
proxy = proxylib.generate_proxycert(request.get_pubkey(),
self.chain[0], self.key,
globus_bug=False)
self.sock.write(proxy.as_der())
# Even more strange is the fact that switching back to a
# strong cipher after delegation does NOT work also. So
# these lines are commented out:
#
# self.sock.set_cipher_list("ALL:!LOW:!SSLv2")
# self.sock.renegotiate()
self.context_established = True
self.sock.write(data)
def post(self):
if not self.app.config['AUTHORITY_CERTIFICATE']:
return 'The server lacks an authority certificate. Unable to sign the certificate request.', 403
if not self.app.config['AUTHORITY_PRIVATE_KEY']:
return 'The server lacks a private key. Unable to sign the certificate request.', 403
certificate_request_der = base64.b64decode(request.json.get('certificate_request'));
certificate_request = X509.load_request_der_string(certificate_request_der);
if not (certificate_request.get_subject().CN == current_user.username):
return 'I will not a sign certificate request for a different user ! (Got "%s" while "%s" was expected)' % (certificate_request.get_subject().CN, current_user.username), 403
# Create a new certificate
certificate = X509.X509()
# Set the certificate version
certificate.set_version(2)
# Copy the certificate public key from the certificate request
certificate.set_pubkey(certificate_request.get_pubkey())
# Set the certificate issuer
certificate.set_issuer(self.app.config['AUTHORITY_CERTIFICATE'].get_subject())
# Set the certificate subject
subject_name = X509.X509_Name()
subject_name.CN = certificate_request.get_subject().CN or ''
subject_name.OU = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().OU or ''
subject_name.O = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().O or ''
subject_name.L = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().L or ''
subject_name.ST = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().ST or ''
subject_name.C = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().C or ''
certificate.set_subject(subject_name)
# Set the certificate "not before" timestamp
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.today() + timedelta(days=-1))
certificate.set_not_before(not_before)
# Set the certificate "not after" timestamp
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(datetime.today() + self.app.config['CERTIFICATE_VALIDITY_DURATION'])
certificate.set_not_after(not_after)
# The issued certificate shall not be used as a certificate authority
certificate.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE'))
# Sign the certificate
pkey = EVP.PKey()
pkey.assign_rsa(self.app.config['AUTHORITY_PRIVATE_KEY'], capture=False)
certificate.sign(pkey, 'sha1')
current_user.certificate = certificate
DATABASE.session.commit()
result = {
'certificate': current_user.certificate_string,
}
return jsonify(result)
def post(self):
if not self.app.config['AUTHORITY_CERTIFICATE']:
return 'The server lacks an authority certificate. Unable to sign the certificate request.', 403
if not self.app.config['AUTHORITY_PRIVATE_KEY']:
return 'The server lacks a private key. Unable to sign the certificate request.', 403
certificate_request_der = base64.b64decode(
request.json.get('certificate_request'))
certificate_request = X509.load_request_der_string(
certificate_request_der)
if not (certificate_request.get_subject().CN == current_user.username):
return 'I will not a sign certificate request for a different user ! (Got "%s" while "%s" was expected)' % (
certificate_request.get_subject().CN,
current_user.username), 403
# Create a new certificate
certificate = X509.X509()
# Set the certificate version
certificate.set_version(2)
# Copy the certificate public key from the certificate request
certificate.set_pubkey(certificate_request.get_pubkey())
# Set the certificate issuer
certificate.set_issuer(
self.app.config['AUTHORITY_CERTIFICATE'].get_subject())
# Set the certificate subject
subject_name = X509.X509_Name()
subject_name.CN = certificate_request.get_subject().CN or ''
subject_name.OU = self.app.config['AUTHORITY_CERTIFICATE'].get_subject(
).OU or ''
subject_name.O = self.app.config['AUTHORITY_CERTIFICATE'].get_subject(
).O or ''
subject_name.L = self.app.config['AUTHORITY_CERTIFICATE'].get_subject(
).L or ''
subject_name.ST = self.app.config['AUTHORITY_CERTIFICATE'].get_subject(
).ST or ''
subject_name.C = self.app.config['AUTHORITY_CERTIFICATE'].get_subject(
).C or ''
certificate.set_subject(subject_name)
# Set the certificate "not before" timestamp
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.today() + timedelta(days=-1))
certificate.set_not_before(not_before)
# Set the certificate "not after" timestamp
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(
datetime.today() +
self.app.config['CERTIFICATE_VALIDITY_DURATION'])
certificate.set_not_after(not_after)
# The issued certificate shall not be used as a certificate authority
certificate.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE'))
# Sign the certificate
pkey = EVP.PKey()
pkey.assign_rsa(self.app.config['AUTHORITY_PRIVATE_KEY'],
capture=False)
certificate.sign(pkey, 'sha1')
current_user.certificate = certificate
DATABASE.session.commit()
result = {
'certificate': current_user.certificate_string,
}
return jsonify(result)
def pkioperation(data):
input_bio = BIO.MemoryBuffer(data)
signer = SMIME.SMIME()
cert_store = X509.X509_Store()
cert_store.load_info(certstore_path)
signer.set_x509_store(cert_store)
p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_bio._ptr()), 1)
signers = p7.get0_signers(X509.X509_Stack())
f = open('p7signers.pem', 'w')
f.write(signers.pop().as_pem())
f.close()
signer.set_x509_stack(signers)
data = signer.verify(p7, flags=SMIME.PKCS7_NOVERIFY)
###########################
#Decrypt
####
s = SMIME.SMIME()
# Load private key and cert.
s.load_key(key_path, certstore_path)
input_der = BIO.MemoryBuffer(data)
p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_der._ptr()), 1)
# Decrypt p7.
out = s.decrypt(p7)
#f = open('csr.der', 'w')
#f.write(out)
#f.close()
####
#Convert the certificate to pem
#####
#openssl_convert = 'openssl req -in csr.der -inform der -out csr.pem'
#call(cmd(openssl_convert))
x509_request = X509.load_request_der_string(out)
x509_request.save_pem('csr.pem')
#################################
# After decryption, we will get csr
# and generate cert. For now, we will use an existing certificate
#################################
openssl_create_cert = 'openssl x509 -req -in csr.pem \
-extensions v3_ios -CA {} -CAkey {} -CAserial {} -out device_cert.pem \
-extfile {}'.format(
certstore_path,
key_path,
serial_path,
PKI_DIR + '/openssl.cnf')
print openssl_create_cert
call(cmd(openssl_create_cert))
######
#Create degenerate pkcs7 der from the cert file
####
openssl_degenerate = 'openssl crl2pkcs7 -nocrl -certfile device_cert.pem \
-out degenerate_cert.p7b -outform der'
print openssl_degenerate
call(cmd(openssl_degenerate))
degen_der = open('degenerate_cert.p7b').read()
#####
# Encrypt
openssl_encrypt = 'openssl smime -encrypt -des3 \
-in degenerate_cert.p7b -out enc_cert.der -outform der -binary p7signers.pem'
print openssl_encrypt
call(cmd(openssl_encrypt))
###Sign
openssl_sign = 'openssl smime -sign -signer ra_cert.pem \
-in enc_cert.der -binary -out final_response_python.der -outform der -inkey ra_private.pem'
#call(cmd(openssl_sign))
sign_data = open('enc_cert.der').read()
buf = BIO.MemoryBuffer(sign_data)
s = SMIME.SMIME()
s.load_key(key_path, certstore_path)
p7 = s.sign(buf, flags=SMIME.PKCS7_BINARY)
f = BIO.File(open('final_response_python.der', 'w'))
p7.write_der(f)
f.close()
f = open('final_response_python.der')
data = f.read()
print "Goodbye"
return data
