def do_cert(self, line):
if SSL.check_cert_exist(line):
cert = SSL.get_cert(line)
keyusage = ["digitalSignature", "nonRepudiation", "keyEncipherment"]
extendedkeys = ["1.3.6.1.5.5.7.3.9"]
if SSL.cert_equal_to_key_and_extended_key(cert, keyusage, extendedkeys, strict=False):
Config().config.set("ocsp", "cert", line)
else:
print "Certificate is not valid to use with OCSP Responder"
else:
profile = Render.select_profile()
certid = Render.select_cert(profile=profile)
Config().config.set("ocsp", "cert", certid)
if Config().config.getboolean("ocsp", "enable") and len(Config().config.get("ocsp", "cert")) > 0:
Daemons.start_daemon("ocsp")
else:
print "OCSP must be enable and valid certificate for responder must be present"
def show_cert(self, certid=None):
list = []
if certid:
rawmode = False
if "_" in certid and certid.split("_")[1] == "raw":
rawmode = True
certid = certid.split("_")[0]
i=0
for cert in SSL.get_all_certificates():
if certid == cert['id']:
i = 1
SSL.display_cert(cert['cert'])
if rawmode:
print crypto.dump_certificate(crypto.FILETYPE_PEM, cert['cert'])
if i == 0:
print "*** Certificate not found"
else:
for cert in SSL.get_all_certificates():
state = SSL.get_state_cert(cert['cert'])
list.append((cert['id'], SSL.get_x509_name(cert['cert'].get_subject()), state))
Render.print_table(('ID', 'Subject', 'State'), list)
def do_profile(self, line):
if line:
profile = line.split(' ')[0]
else:
profile = raw_input("Profile name : ")
keys_usage = []
extended_keys = []
if Config().config.has_section("profile_" + profile):
keys_usage = str(Config().config.get("profile_" + profile, "keyusage")).split('|')
extended_keys = str(Config().config.get("profile_" + profile, "extended")).split('|')
else:
Config().config.add_section("profile_"+profile)
keys_usage = Render.print_selector(SSL.get_key_usage(), keys_usage)
extended_keys = Render.print_selector(SSL.get_extended_key_usage(), extended_keys)
Config().config.set("profile_" + profile, "keyusage", '|'.join(keys_usage))
Config().config.set("profile_" + profile, "extended", '|'.join(extended_keys))
rep = raw_input("Use LDAP if enable to search subject (y/n) : ")
if "y" in rep:
filter = raw_input("LDAP Filter : ")
Config().config.set("profile_" + profile, "ldap", filter)
else:
Config().config.set("profile_" + profile, "ldap", "false")
def do_create(self, line):
profile = Render.select_profile()
if profile:
self.create_cert(profile)
def create_cert(self, profile):
before = datetime.utcnow()
after = before + timedelta(days=Config().config.getint("cert", "validity"))
pkey = SSL.create_key(Config().config.getint("cert", "key_size"))
ca = SSL.get_ca()
cert = SSL.create_cert(pkey)
if Config().config.get("ldap", "enable") and "false" not in Config().config.get("profile_" + profile, "ldap"):
print "Search in LDAP"
l = LDAP()
filter = Config().config.get("profile_" + profile, "ldap")
res = l.get_dn(l.get_basedn(), filter, ['cn', 'mail', 'uid'])
listSearch = {}
users = {}
for elt in res:
key = elt[0]
val = elt[1]['cn'][0]
mail = None
if 'mail' in elt[1].keys():
mail = elt[1]['mail'][0]
val = val + " (mail : " + elt[1]['mail'][0] + ")"
listSearch.update({key: val})
users.update({key: {'mail': mail, 'cn': elt[1]['cn'][0]}})
nbr_select = 0
while nbr_select != 1:
userList = Render.print_selector(listSearch)
nbr_select = len(userList)
email = users[userList[0]]['mail']
cn = users[userList[0]]['cn']
subject_array = userList[0].split(',')
subject_array.reverse()
subject_array.pop()
subject = '/'.join(subject_array) + "/CN=" + cn
else:
cn = raw_input("Common Name : ")
email = raw_input("Mail address : ")
subject = Config().config.get("ca", "base_cn") + "/CN=" + cn
subject_x509 = SSL.parse_str_to_x509Name(subject, cert.get_subject())
issuer_x509 = ca.get_subject()
if email:
subject_x509.emailAddress = email
cert.set_subject(subject_x509)
cert.set_issuer(issuer_x509)
cert.set_notBefore(before.strftime("%Y%m%d%H%M%S%Z")+"Z")
cert.set_notAfter(after.strftime("%Y%m%d%H%M%S%Z")+"Z")
cert.set_serial_number(int(time() * 1000000))
cert.set_version(2)
bsConst = "CA:FALSE"
cert.add_extensions([
crypto.X509Extension("basicConstraints", True, bsConst),
crypto.X509Extension("keyUsage", True, SSL.get_key_usage_from_profile(profile)),
crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=cert),
])
cert.add_extensions([
crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca)
])
cert.add_extensions([
crypto.X509Extension("extendedKeyUsage", False, SSL.get_extended_key_usage_from_profile(profile))
])
if Config().config.getboolean("crl", "enable"):
crlUri = "URI:" + Config().config.get("crl", "uri")
cert.add_extensions([
crypto.X509Extension("crlDistributionPoints", False, crlUri)
])
if Config().config.getboolean("ocsp", "enable"):
ocspUri = "OCSP;URI:" + Config().config.get("ocsp", "uri")
cert.add_extensions([
crypto.X509Extension("authorityInfoAccess", False, ocspUri)
])
cert_signed = SSL.sign(cert, SSL.get_ca_privatekey(), Config().config.get("cert", "digest"))
SSL.set_cert(cert_signed)
SSL.set_cert_privatekey(cert_signed, pkey)
if Config().config.getboolean("ldap", "enable"):
LDAP.add_queue(cert_signed)
