def sign_csr(csr,ca_cn,attrib,algorithm='sha512',expires=1825):
ca = CertificateAuthority.objects.get(cn=ca_cn)
# TODO: Check to see if the certificate already exists, and if so, is it the same user? Revoke the old one?
cert = Certificate(ca=ca, csr=csr)
expiry = datetime.datetime.now() + datetime.timedelta(expires)
cert.x509 = Certificate.objects.init(
ca=ca, csr=csr, algorithm=algorithm, expires=expiry, subject={'CN': attrib.get('CN'), },
subjectAltName=attrib['san'])
cert.save()
return cert.pub
def create_cert(cls, ca, csr, subject, san=None, **kwargs):
cert_kwargs = get_cert_profile_kwargs()
cert_kwargs.update(kwargs)
cert_kwargs.setdefault('subject', {})
cert_kwargs['subject'].update(subject)
x509 = Certificate.objects.init(ca=ca, csr=csr, algorithm='sha256', expires=720,
subjectAltName=san, **cert_kwargs)
expires = parse_date(x509.get_notAfter().decode('utf-8'))
cert = Certificate(ca=ca, csr=csr, expires=expires)
cert.x509 = x509
cert.save()
return cert
def create_cert(cls, ca, csr, subject, san=None, **kwargs):
cert_kwargs = get_cert_profile_kwargs()
cert_kwargs.update(kwargs)
cert_kwargs.setdefault('subject', {})
cert_kwargs['subject'].update(subject)
x509 = Certificate.objects.init(
ca=ca, csr=csr, algorithm='sha256', expires=cls.expires(720), subjectAltName=san,
**cert_kwargs)
expires = parse_date(x509.get_notAfter().decode('utf-8'))
cert = Certificate(ca=ca, csr=csr, expires=expires)
cert.x509 = x509
cert.save()
return cert
def handle(self, *args, **options):
if not options['CN'] and not options['alt']:
raise CommandError("Must give at least --CN or one or more --alt arguments.")
# construct subject
subject = OrderedDict()
for field in ['C', 'ST', 'L', 'O', 'OU', 'CN', ]:
if options.get(field):
subject[field] = options[field]
if options.get('E'):
subject['emailAddress'] = options['E']
if options['csr'] is None:
print('Please paste the CSR:')
csr = ''
while not csr.endswith('-----END CERTIFICATE REQUEST-----\n'):
csr += '%s\n' % six.moves.input()
csr = csr.strip()
else:
csr = open(options['csr']).read()
# get list of watchers
watchers = [Watcher.from_addr(addr) for addr in options['watch']]
# get keyUsage and extendedKeyUsage flags based on profiles
kwargs = get_cert_profile_kwargs(options['profile'])
if options['cn_in_san'] is not None:
kwargs['cn_in_san'] = options['cn_in_san']
if options['key_usage']:
kwargs['keyUsage'] = self.parse_extension(options['key_usage'])
if options['ext_key_usage']:
kwargs['extendedKeyUsage'] = self.parse_extension(options['ext_key_usage'])
if subject:
kwargs['subject'] = subject
expires = datetime.today() + timedelta(days=options['days'] + 1)
expires = expires.replace(hour=0, minute=0, second=0, microsecond=0)
x509 = get_cert(csr=csr, expires=expires, subjectAltName=options['alt'], **kwargs)
cert = Certificate(csr=csr, expires=expires)
cert.x509 = x509
cert.save()
cert.watchers.add(*watchers)
if options['out']:
with open(options['out'], 'w') as f:
f.write(cert.pub.decode('utf-8'))
else:
self.stdout.write(cert.pub.decode('utf-8'))
def handle(self, pub, **options):
pub_data = pub.read()
# load public key
try:
pub_loaded = x509.load_pem_x509_certificate(
pub_data, default_backend())
except:
try:
pub_loaded = x509.load_der_x509_certificate(
pub_data, default_backend())
except:
raise CommandError('Unable to load public key.')
cert = Certificate(ca=options['ca'])
cert.x509 = pub_loaded
cert.save()
cert_data["key_filename"]), "rb") as stream:
pkey = stream.read()
c = CertificateAuthority(name=name, private_key_path=path)
loaded_cas[c.name] = c
else:
if cert_data["cat"] != "generated":
continue # Imported cert
with open(
os.path.join(ca_settings.CA_DIR,
cert_data["csr_filename"]), "r") as stream:
csr = stream.read()
profile = cert_data.get("profile", ca_settings.CA_DEFAULT_PROFILE)
c = Certificate(ca=loaded_cas[cert_data["ca"]],
csr=csr,
profile=profile)
with open(os.path.join(ca_settings.CA_DIR, cert_data["pub_filename"]),
"rb") as stream:
pem = stream.read()
c.update_certificate(
x509.load_pem_x509_certificate(pem, default_backend()))
c.save()
if cert_data["type"] == "ca":
password = cert_data.get("password")
if password is not None:
password = password.encode("utf-8")
c.generate_ocsp_key(password=password)
force_text(data[name]["cn"]))
])
builder = x509.CertificateBuilder()
builder = builder.not_valid_before(no_ext_now)
builder = builder.not_valid_after(no_ext_now +
data[name]["expires"])
builder = builder.serial_number(x509.random_serial_number())
builder = builder.subject_name(subject)
builder = builder.issuer_name(ca.pub.loaded.subject)
builder = builder.public_key(parsed_csr.public_key())
x509_cert = builder.sign(private_key=ca.key(pwd),
algorithm=hashes.SHA256(),
backend=default_backend())
cert = Certificate(ca=ca)
cert.update_certificate(x509_cert)
copy_cert(cert, data[name], key_path, csr_path)
# create a cert with all extensions that we know
# NOTE: This certificate is not really a meaningful certificate:
# * NameConstraints is only valid for CAs
# * KeyUsage and ExtendedKeyUsage are not meaningful
# TODO: missing: unsupported extensions
# * Certificate Policies
# * Policy Constraints
# * Inhibit anyPolicy
# * Freshest CRL
# * PrecertificateSignedCertificateTimestamps (cannot be generated by cryptography 2.6:
# https://github.com/pyca/cryptography/issues/4531)
# * Policy Mappings (not supported by cryptography 2.6:
if not cert_data['key_filename']:
continue # CA without private key (e.g. real-world CA)
name = cert_data['name']
path = '%s.key' % name
with open(os.path.join(ca_settings.CA_DIR, cert_data['key_filename']), 'rb') as stream:
pkey = stream.read()
c = CertificateAuthority(name=name, private_key_path=path)
loaded_cas[c.name] = c
else:
if cert_data['cat'] != 'generated':
continue # Imported cert
c = Certificate(ca=loaded_cas[cert_data['ca']])
with open(os.path.join(ca_settings.CA_DIR, cert_data['pub_filename']), 'rb') as stream:
pem = stream.read()
c.x509 = x509.load_pem_x509_certificate(pem, default_backend())
c.save()
if cert_data['type'] == 'ca':
password = cert_data.get('password')
if password is not None:
password = password.encode('utf-8')
c.generate_ocsp_key(password=password)
# create admin user for login
User.objects.create_superuser('user', '*****@*****.**', 'nopass')
def load_cert(cls, ca, x509):
cert = Certificate(ca=ca, csr='none')
cert.x509 = x509
cert.save()
return cert
def load_cert(cls, ca, x509):
cert = Certificate(ca=ca, csr='none')
cert.x509 = x509
cert.save()
return cert
force_text(data[name]['cn']))
])
builder = x509.CertificateBuilder()
builder = builder.not_valid_before(no_ext_now)
builder = builder.not_valid_after(no_ext_now +
data[name]['expires'])
builder = builder.serial_number(x509.random_serial_number())
builder = builder.subject_name(subject)
builder = builder.issuer_name(ca.x509.subject)
builder = builder.public_key(parsed_csr.public_key())
x509_cert = builder.sign(private_key=ca.key(pwd),
algorithm=hashes.SHA256(),
backend=default_backend())
cert = Certificate(ca=ca)
cert.x509 = x509_cert
copy_cert(cert, data[name], key_path, csr_path)
# create a cert with all extensions that we know
# NOTE: This certificate is not really a meaningful certificate:
# * NameConstraints is only valid for CAs
# * KeyUsage and ExtendedKeyUsage are not meaningful
# TODO: missing: unsupported extensions
# * Certificate Policies
# * Policy Constraints
# * Inhibit anyPolicy
# * Freshest CRL
# * PrecertificateSignedCertificateTimestamps (cannot be generated by cryptography 2.6:
# https://github.com/pyca/cryptography/issues/4531)
# * Policy Mappings (not supported by cryptography 2.6: