def generate_certificate(sender, instance, created, **kwargs):
if created:
keystore = KeyStore(certificate=instance)
key_size = None
if settings.KEY_ALGORITHM == "rsa":
key_size = 4096 if instance.type in [
CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
] else 2048
key = KeyGenerator().create_key(settings.KEY_ALGORITHM, key_size)
keystore.key = key.serialize(instance.passphrase_out)
certhandler = CertificateGenerator()
certhandler.create_certificate(instance, keystore.key,
instance.passphrase_out,
instance.passphrase_issuer)
keystore.crt = certhandler.serialize()
if instance.type not in [
CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
]:
root_certificate = CertificateGenerator().load(
instance.parent.keystore.crt).certificate
int_certificate = CertificateGenerator().load(
instance.parent.keystore.crt).certificate
keystore.p12 = key.serialize_pkcs12(
instance.name,
certhandler.certificate,
instance.passphrase_out,
cas=[int_certificate, root_certificate])
keystore.save()
if instance.type in [
CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
]:
crl = revocation_list_builder([], instance,
instance.passphrase_out)
crlstore = CrlStore(certificate=instance)
crlstore.crl = serialize(crl)
crlstore.save()
def test_serialize_pkcs12_nopassphrase(self):
subject = DistinguishedNameFactory(
localityName="Amsterdam",
organizationalUnitName="BounCA Root",
)
key = Key()
key.create_key("rsa", 4096)
certificate_request = CertificateFactory(dn=subject)
certhandler = Certificate()
certhandler.create_certificate(certificate_request, key.serialize())
crt = certhandler.certificate
pkcs12 = key.serialize_pkcs12("test_pkcs12", crt)
pkcs12_obj = load_pkcs12(pkcs12, None)
self.assertEqual(pkcs12_obj.key.key_size, 4096)
self.assertEqual(pkcs12_obj.cert.friendly_name.decode("utf-8"),
"test_pkcs12")
self.assertEqual(pkcs12_obj.cert.certificate.serial_number,
crt.serial_number)
def test_serialize_pkcs12_no_certificate(self):
key = Key()
key.create_key("rsa", 4096)
with self.assertRaisesMessage(ValueError, "No certificate provided"):
key.serialize_pkcs12("test_pkcs12", None)
def test_serialize_pkcs12_no_key(self):
key = Key()
with self.assertRaisesMessage(RuntimeError, "No key object"):
key.serialize_pkcs12("test_pkcs12", None)
def test_serialize_pkcs12_cas_nopassphrase(self):
root_key = Key().create_key("ed25519", None)
subject = DistinguishedNameFactory(countryName="NL",
stateOrProvinceName="Noord Holland",
organizationName="Repleo")
root_certificate = CertificateFactory(
dn=subject,
name="test_server_root_certificate",
expires_at=arrow.get(timezone.now()).shift(days=+30).date())
with mute_signals(signals.post_save):
root_certificate.save()
root_certhandler = Certificate()
root_certhandler.create_certificate(root_certificate,
root_key.serialize())
keystore = KeyStore(certificate=root_certificate)
keystore.crt = root_certhandler.serialize()
keystore.key = root_key.serialize()
keystore.save()
int_key = Key().create_key("rsa", 2048)
subject = DistinguishedNameFactory(
countryName=root_certificate.dn.countryName,
stateOrProvinceName=root_certificate.dn.stateOrProvinceName,
organizationName=root_certificate.dn.organizationName,
)
int_certificate = CertificateFactory(
expires_at=arrow.get(timezone.now()).shift(days=+5).date(),
name="test_server_intermediate_certificate",
type=CertificateTypes.INTERMEDIATE,
parent=root_certificate,
dn=subject,
crl_distribution_url="https://example.com/crl/cert.crl.pem",
ocsp_distribution_host="https://example.com/ocsp/",
)
with mute_signals(signals.post_save):
int_certificate.save()
int_certhandler = Certificate()
int_certhandler.create_certificate(int_certificate,
int_key.serialize())
keystore = KeyStore(certificate=int_certificate)
keystore.crt = int_certhandler.serialize()
keystore.key = int_key.serialize()
keystore.save()
pkcs12 = int_key.serialize_pkcs12("test_pkcs12_cas",
int_certhandler.certificate,
cas=[root_certhandler.certificate])
pkcs12_obj = load_pkcs12(pkcs12, None)
self.assertEqual(pkcs12_obj.key.key_size, 2048)
self.assertEqual(pkcs12_obj.cert.friendly_name.decode("utf-8"),
"test_pkcs12_cas")
self.assertEqual(pkcs12_obj.cert.certificate.serial_number,
int_certhandler.certificate.serial_number)
self.assertEqual(
pkcs12_obj.additional_certs[0].certificate.serial_number,
root_certhandler.certificate.serial_number)
