Beispiel #1
0
    def save(self, **kwargs):

        if not self.sha256_digest and self.revoke == False:
            """I'm a new certificate"""

            today = datetime.date.today()
            self.expiration_date = today + datetime.timedelta(
                days=self.expire_days)
            result = create_trust_anchor_certificate(
                common_name=self.common_name,
                email=self.email,
                dns=self.dns,
                expires=self.expire_days,
                organization=self.organization,
                city=self.city,
                state=self.state,
                country=self.country,
                rsakey=self.rsa_keysize,
                user=self.owner.username)

            self.sha256_digest = result['sha256_digest']
            self.serial_number = result['serial_number']
            self.sha1_fingerprint = result['sha1_fingerprint']
            self.notes = result['notes']
            self.private_zip_name = result['anchor_zip_download_file_name']
            self.status = result['status']
            self.private_key_path = result['private_key_path']
            self.public_key_path = result['public_key_path']
            self.completed_dir_path = result['completed_dir_path']

            #send the verifier an email notification
            msg = """
            <html>
            <head>
            </head>
            <body>
            A new Direct Trust Anchor was created by %s and requires your review.
            Here is a link for the domain %s:
            <ul>
            <li><a href="/admin/certificates/trustanchorcertificate/%s">%s</a></li>
            </ul>
            </body>
            </html>
            """ % (self.organization, self.domain, self.id, self.domain)
            if settings.SEND_CA_EMAIL:
                msg = EmailMessage(
                    '[DirectCA]A new Trust Anchor certificate requires verification',
                    msg, settings.EMAIL_HOST_USER, [
                        settings.CA_VERIFIER_EMAIL,
                    ])
                msg.content_subtype = "html"  # Main content is now text/html
                msg.send()

            # Create the CRL config file
            crl_result = create_crl_conf(
                common_name=self.common_name,
                email=self.email,
                dns=self.dns,
                anchor_dns=self.dns,
                expires=self.expire_days,
                organization=self.organization,
                city=self.city,
                state=self.state,
                country=self.country,
                rsakey=self.rsa_keysize,
                user=self.owner.username,
                public_key_path=result['public_key_path'],
                private_key_path=result['private_key_path'],
                completed_anchor_dir=result['completed_dir_path'])

            return super(TrustAnchorCertificate, self).save(**kwargs)




        if self.verified and not self.verified_message_sent and \
           self.status in  ('unverified', 'good'):
            """This is the verify routine"""

            self.status = "good"
            # Get the response
            rcsp_result = write_verification_message(
                self.serial_number,
                self.common_name,
                "good",
                self.sha1_fingerprint,
            )
            #Write it to db
            self.rcsp_response = rcsp_result
            fn = "%s.json" % (self.serial_number)
            #Write it to file
            fp = os.path.join(self.completed_dir_path, fn)

            f = open(fp, "w")
            f.write(str(rcsp_result))
            f.close()

            #Upload the RCSP file to S3
            if settings.USE_S3:
                s = SimpleS3()
                self.public_cert_status_url = s.store_in_s3(
                    fn, fp, bucket=settings.RCSP_BUCKET, public=True)
                self.public_cert_status_url = s.build_pretty_url(
                    self.public_cert_status_url, settings.RCSP_BUCKET)

            #"JOSE -------------------------------------------------------------"
            #get all the files
            certfilelist = [settings.CA_PUBLIC_CERT, self.public_key_path]

            fn = "%s-chain.pem" % (self.dns)
            chained_cert_path = os.path.join(self.completed_dir_path, fn)
            certlist = chain_keys_in_list(chained_cert_path, certfilelist)
            #write the json

            x5c_json = write_x5c_message(self.email, certlist)

            # set the filename ------------------------------------------------
            fn = "%s-x5c.json" % (self.serial_number)

            # Write it to file ------------------------------------------------
            fp = os.path.join(self.completed_dir_path, fn)

            f = open(fp, "w")
            f.write(str(x5c_json))
            f.close()

            #Upload the x5c file to S3
            s = SimpleS3()
            if settings.USE_S3:
                key = "x5c/" + fn
                self.public_cert_x5c_url = s.store_in_s3(
                    key, fp, bucket=settings.X5C_BUCKET, public=True)
                self.public_cert_x5c_url = s.build_pretty_url(
                    self.public_cert_x5c_url, settings.X5C_BUCKET)

            #Calculate the SHA1 fingerprint & write it to a file
            digestsha1 = json.dumps(sha.sha1_from_filepath(fp), indent=4)
            fn = "%s-sha1.json" % (self.serial_number)
            fp = os.path.join(self.completed_dir_path, fn)
            f = open(fp, "w")
            f.write(str(digestsha1))
            f.close()

            #Upload the RCSP SHA! Digest to S3
            if settings.USE_S3:
                self.public_cert_status_sha1_url = s.store_in_s3(
                    fn, fp, bucket=settings.RCSPSHA1_BUCKET, public=True)
                self.public_cert_status_sha1_url = s.build_pretty_url(
                    self.public_cert_status_sha1_url, settings.RCSPSHA1_BUCKET)

            #Upload the PEM and DER public certificates
            fn = "%s.pem" % (self.dns)
            key = "%s/%s/%s" % (self.owner.username, self.dns, fn)
            fp = os.path.join(self.completed_dir_path, fn)
            if settings.USE_S3:
                self.public_cert_pem_url = s.store_in_s3(
                    key, fp, bucket=settings.PUBCERT_BUCKET, public=True)
                self.public_cert_pem_url = s.build_pretty_url(
                    self.public_cert_pem_url, settings.PUBCERT_BUCKET)

                self.public_cert_pem_s3 = json.dumps({
                    "bucket": settings.PUBCERT_BUCKET,
                    "key": key
                })

            fn = "%s.der" % (self.dns)
            key = "%s/%s/%s" % (self.owner.username, self.dns, fn)
            fp = os.path.join(self.completed_dir_path, fn)
            if settings.USE_S3:
                self.public_cert_der_url = s.store_in_s3(
                    key, fp, bucket=settings.PUBCERT_BUCKET, public=True)
                self.public_cert_der_url = s.build_pretty_url(
                    self.public_cert_der_url, settings.PUBCERT_BUCKET)
                self.public_cert_der_s3 = json.dumps({
                    "bucket": settings.PUBCERT_BUCKET,
                    "key": key
                })

            #Send the zip file and expire in one week
            fn = self.private_zip_name
            fp = os.path.join(self.completed_dir_path, self.private_zip_name)
            key = "%s/%s/%s" % (self.owner.username, self.dns, fn)
            if settings.USE_S3:
                self.presigned_zip_url = s.store_in_s3(
                    key, fp, bucket=settings.PUBCERT_BUCKET, public=True)

                self.presigned_zip_url = s.build_pretty_url(
                    self.presigned_zip_url, settings.PUBCERT_BUCKET)

                #We dont need this for trust anchos since there is no private key give.
                #self.presigned_zip_url = s.get_presignedurl(key, bucket = settings.PRIVCERT_BUCKET)

                self.presigned_zip_s3 = json.dumps({
                    "bucket": settings.PUBCERT_BUCKET,
                    "key": key
                })
            """ Mark th certificate as verified """
            self.verified = True

            #send the verification email.
            msg = """
            <html>
            <head>
            </head>
            <body>
            Congratulations. Your trust anchor has for %s been verified.
            Here are some links to your public certificates and related status
            information.
            
            <ul>
            <li><a href="%s">PEM File                             - %s</a></li>
            <li><a href="%s">DER File                             - %s</a></li>
            <li><a href="%s">Status                               - %s</a></li>
            <li><a href="%s">Status SHA1 Digest                   - %s</a></li>
            <li><a href="%s">Certificate Chain in JOSE x5c Format - %s</a></li>
            </ul>
            </body>
            </html>
            """ % (self.domain, self.public_cert_pem_url,
                   self.public_cert_pem_url, self.public_cert_der_url,
                   self.public_cert_der_url, self.public_cert_status_url,
                   self.public_cert_status_url,
                   self.public_cert_status_sha1_url,
                   self.public_cert_status_sha1_url, self.public_cert_x5c_url,
                   self.public_cert_x5c_url)
            if settings.SEND_CA_EMAIL:
                msg = EmailMessage(
                    '[DirectCA]Your Trust Anchor Certificate has been verified',
                    msg, settings.EMAIL_HOST_USER,
                    [self.owner.email, self.contact_email])
                msg.content_subtype = "html"  # Main content is now text/html
                msg.send()

            self.verified_message_sent = True

        if self.revoke and self.status != "revoked":
            self.status = "revoked"

            # Build the  RCSP response
            # Get the status
            self.rcsp_response = write_verification_message(
                self.serial_number,
                self.common_name,
                "revoked",
                self.sha1_fingerprint,
            )
            fn = "%s.json" % (self.serial_number)

            #Write it to file
            fp = os.path.join(self.completed_dir_path, fn)

            f = open(fp, "w")
            f.write(str(self.rcsp_response))
            f.close()

            #Upload the RCSP file to S3
            if settings.USE_S3:
                s = SimpleS3()
                url = s.store_in_s3(fn,
                                    fp,
                                    bucket=settings.RCSP_BUCKET,
                                    public=True)

            #Calculate the SHA1 fingerprint & write it to a file
            digestsha1 = json.dumps(sha.sha1_from_filepath(fp), indent=4)
            fn = "%s-sha1.json" % (self.serial_number)
            fp = os.path.join(self.completed_dir_path, fn)
            f = open(fp, "w")
            f.write(str(digestsha1))
            f.close()
            if settings.USE_S3:
                #Upload the RCSP SHA! Digest to S3
                url = s.store_in_s3(fn,
                                    fp,
                                    bucket=settings.RCSPSHA1_BUCKET,
                                    public=True)

                #Delete all the old files:
                #PEM, DIR, ZIP
                if self.presigned_zip_s3:
                    s3info = json.loads(self.presigned_zip_s3)
                    self.presigned_zip_url = s.delete_in_s3(
                        s3info['bucket'],
                        s3info['key'],
                    )

                if self.public_cert_der_s3:
                    s3info = json.loads(self.public_cert_der_s3)
                    self.public_cert_der_url = s.delete_in_s3(
                        s3info['bucket'],
                        s3info['key'],
                    )

                if self.public_cert_pem_s3:
                    s3info = json.loads(self.public_cert_pem_s3)
                    self.public_cert_pem_url = s.delete_in_s3(
                        s3info['bucket'],
                        s3info['key'],
                    )

            #revoke the cert
            revoke(self)

        super(TrustAnchorCertificate, self).save(**kwargs)