def dispatch_sign(ra_name, csr):
    """Sign ``csr`` with the CA configured for registration authority ``ra_name``.

    The signing backend is resolved from the ``backend`` key of the RA's CA
    configuration (default ``'anchor'``).  A backend error that is already an
    HTTP exception propagates unchanged; any other failure is logged and
    converted into an HTTP 500 via ``pecan.abort``.

    :param ra_name: name of the registration authority whose CA should sign
    :param csr: X509 certificate signing request
    :return: ``(cert_pem, fingerprint)`` -- the signed certificate in PEM
             format and its SHA-256 fingerprint
    """
    ca_conf = jsonloader.signing_ca_for_registration_authority(ra_name)
    backend = jsonloader.conf.get_signing_backend(ca_conf.get('backend', 'anchor'))

    try:
        cert_pem = backend(csr, ca_conf)
    except http_status.HTTPException:
        # Already carries an HTTP status; let the framework render it as-is.
        logger.exception("Failed to sign certificate")
        raise
    except Exception:
        logger.exception("Failed to sign the certificate")
        pecan.abort(500, "certificate signing error")

    fingerprint = certificate_fingerprint(cert_pem, 'sha256')

    # Optionally keep a copy of every issued certificate, named by its
    # fingerprint, in the configured output directory.
    output_dir = ca_conf.get('output_path')
    if output_dir is not None:
        path = os.path.join(output_dir, '%s.crt' % fingerprint)
        logger.info("Saving certificate to: %s", path)
        # NOTE(review): created with the process umask and follows symlinks;
        # the output directory is assumed to be writable only by this service.
        with open(path, "w") as cert_file:
            cert_file.write(cert_pem)

    return cert_pem, fingerprint
def _persist_certificate(output_dir, fingerprint, cert_pem):
    """Write ``cert_pem`` to ``<output_dir>/<fingerprint>.crt`` and log the path."""
    target = os.path.join(output_dir, '%s.crt' % fingerprint)
    logger.info("Saving certificate to: %s", target)
    # NOTE(review): plain open() honours the umask and follows symlinks; the
    # output directory is expected to be private to the service.
    with open(target, "w") as out:
        out.write(cert_pem)


def dispatch_sign(ra_name, csr):
    """Sign ``csr`` using the backend configured for ``ra_name``'s CA.

    The backend name comes from the CA config key ``backend`` (falling back
    to ``'anchor'``).  HTTP exceptions raised by the backend are re-raised
    untouched; every other exception is logged and mapped to HTTP 500.
    When the CA config carries an ``output_path`` the issued certificate is
    also written there, named by its fingerprint.

    :param ra_name: registration authority whose CA signs the request
    :param csr: X509 certificate signing request
    :return: tuple of the signed certificate (PEM) and its SHA-256 fingerprint
    """
    ca_conf = jsonloader.signing_ca_for_registration_authority(ra_name)
    backend_name = ca_conf.get('backend', 'anchor')
    sign = jsonloader.conf.get_signing_backend(backend_name)

    try:
        cert_pem = sign(csr, ca_conf)
    except http_status.HTTPException:
        logger.exception("Failed to sign certificate")
        raise
    except Exception:
        logger.exception("Failed to sign the certificate")
        pecan.abort(500, "certificate signing error")

    fingerprint = certificate_fingerprint(cert_pem, 'sha256')

    if ca_conf.get('output_path') is not None:
        _persist_certificate(ca_conf['output_path'], fingerprint, cert_pem)

    return cert_pem, fingerprint
def get_ca(ra_name):
    """Return the CA certificate file contents for registration authority ``ra_name``.

    :param ra_name: registration authority whose signing CA is wanted
    :return: the text of the file at the CA config's ``cert_path``
    :raises: aborts with HTTP 404 when no ``cert_path`` is configured; an
             unreadable path surfaces as the underlying file error
    """
    cert_path = jsonloader.signing_ca_for_registration_authority(ra_name).get('cert_path')
    if cert_path:
        with open(cert_path) as cert_file:
            return cert_file.read()
    pecan.abort(404, "CA certificate not available")
def get_ca(ra_name):
    """Read and return the configured CA certificate for ``ra_name``.

    Looks up the CA configuration for the registration authority and
    returns the contents of the file named by its ``cert_path``.

    :param ra_name: name of the registration authority
    :return: CA certificate file contents
    :raises: HTTP 404 (via ``pecan.abort``) if ``cert_path`` is unset or empty
    """
    ca_settings = jsonloader.signing_ca_for_registration_authority(ra_name)
    location = ca_settings.get('cert_path')

    if not location:
        pecan.abort(404, "CA certificate not available")

    with open(location) as fh:
        contents = fh.read()
    return contents
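def generate_crl():
    """Build and sign a CRL for the configured registration authority.

    Every entry of the certificate database whose status is ``"Revoked"`` is
    added to the CRL with its serial number and revocation date.  The CRL is
    signed with the CA private key using SHA-256 and returned in the encoding
    named by ``revocation_options["crl_format"]``.

    :return: the encoded bytes of the signed CRL
    :raises: re-raises any error from loading the CA certificate or its
             private key, after logging it
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    crl_builder = x509.CertificateRevocationListBuilder()

    # Iterate in sorted order so the same database always yields the same
    # CRL body.
    for req in sorted(dbdata):
        entry = dbdata[req]
        if entry is None:
            continue
        if entry.getStatus() == "Revoked":
            builder = x509.RevokedCertificateBuilder()
            builder = builder.revocation_date(entry.revocation_date)
            # TODO(dg): check this is getting valid serial numbers
            builder = builder.serial_number(entry.get_cert_serial())
            revoked_certificate = builder.build(backends.default_backend())
            crl_builder = crl_builder.add_revoked_certificate(revoked_certificate)

    # Read the clock once so thisUpdate and nextUpdate are exactly
    # crl_lifetime apart (previously two separate utcnow() calls).
    # TODO(dg): clock skew -- a relying party whose clock is behind will see
    # a thisUpdate in the future; consider backdating last_update slightly.
    now = datetime.datetime.utcnow()
    crl_lifetime = datetime.timedelta(
        int(jsonloader.conf.revocation_options["crl_lifetime_days"]), 0, 0)
    crl_builder = crl_builder.last_update(now)
    crl_builder = crl_builder.next_update(now + crl_lifetime)

    # Load the signing CA certificate.
    ca_conf = jsonloader.signing_ca_for_registration_authority(
        jsonloader.conf.ra_options["ra_name"])
    try:
        ca_cert = anchor_certificate.X509Certificate.from_file(ca_conf["cert_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA: %s", e)
        raise

    # NOTE(review): only the first subject attribute of the CA certificate is
    # copied into the issuer name, and it is labelled as CN whatever it really
    # is.  RFC 5280 expects the CRL issuer to match the CA's full subject, so a
    # CA subject with additional RDNs (or whose first RDN is not the CN) would
    # yield a CRL that relying parties cannot match to the CA -- confirm
    # against the anchor_certificate API before changing.
    crl_builder = crl_builder.issuer_name(
        x509.Name([x509.NameAttribute(
            x509.oid.NameOID.COMMON_NAME,
            ca_cert.get_subject()[0].get_value())])
    )

    # Load the CA private key used to sign the CRL.
    try:
        private_key = anchor_utils.get_private_key_from_file(ca_conf["key_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA private key: %s", e)
        raise

    # TODO: take the hash algorithm from config; SHA-256 is hard-coded for now.
    crl = crl_builder.sign(private_key, hashes.SHA256(), backends.default_backend())

    return crl.public_bytes(
        serialization.Encoding(jsonloader.conf.revocation_options["crl_format"]))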