def test_03_errors(self): # unknown type self.assertRaises(Exception, save_caconnector, {"caconnector": "unknown", "type": "unknown"}) caobj = get_caconnector_object("not-existing") self.assertEqual(caobj, None)
def revoke(self): """ This revokes the token. We need to determine the CA, which issues the certificate, contact the connector and revoke the certificate Some token types may revoke a token without locking it. """ TokenClass.revoke(self) # determine the CA and its connector. ti = self.get_tokeninfo() ca_specifier = ti.get("CA") log.debug("Revoking certificate {0!s} on CA {1!s}.".format( self.token.serial, ca_specifier)) certificate_pem = ti.get("certificate") # call CAConnector.revoke_cert() ca_obj = get_caconnector_object(ca_specifier) revoked = ca_obj.revoke_cert(certificate_pem) log.info("Certificate {0!s} revoked on CA {1!s}.".format(revoked, ca_specifier)) # call CAConnector.create_crl() crl = ca_obj.create_crl() log.info("CRL {0!s} created.".format(crl)) return revoked
def test_03_errors(self): # unknown type self.assertRaises(Exception, save_caconnector, {"caconnector": "unknown", "type": "unknown"}) caobj = get_caconnector_object("not-existing") self.assertEqual(caobj, None)
def update(self, param): """ This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None """ TokenClass.update(self, param) request = getParam(param, "request", optional) spkac = getParam(param, "spkac", optional) certificate = getParam(param, "certificate", optional) generate = getParam(param, "genkey", optional) if request or generate: # If we do not upload a user certificate, then we need a CA do # sign the uploaded request or generated certificate. ca = getParam(param, "ca", required) self.add_tokeninfo("CA", ca) cacon = get_caconnector_object(ca) if request: # During the initialization process, we need to create the # certificate x509object = cacon.sign_request(request, options={"spkac": spkac}) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) elif generate: # Create the certificate on behalf of another user. # Now we need to create the key pair, # the request # and the certificate # We need the user for whom the certificate should be created user = get_user_from_param(param, optionalOrRequired=required) keysize = getParam(param, "keysize", optional, 2048) key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, keysize) req = crypto.X509Req() req.get_subject().CN = user.login # Add email to subject if user.info.get("email"): req.get_subject().emailAddress = user.info.get("email") req.get_subject().organizationalUnitName = user.realm # TODO: Add Country, Organization, Email # req.get_subject().countryName = 'xxx' # req.get_subject().stateOrProvinceName = 'xxx' # req.get_subject().localityName = 'xxx' # req.get_subject().organizationName = 'xxx' req.set_pubkey(key) req.sign(key, "sha256") x509object = cacon.sign_request(crypto.dump_certificate_request( crypto.FILETYPE_PEM, req)) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) # Save the private key to the encrypted key field of the token s = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) self.add_tokeninfo("privatekey", s, value_type="password") if certificate: self.add_tokeninfo("certificate", certificate)
def update(self, param): """ This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None """ TokenClass.update(self, param) request = getParam(param, "request", optional) spkac = getParam(param, "spkac", optional) certificate = None if request: ca = getParam(param, "ca", required) self.add_tokeninfo("CA", ca) # During the initialization process, we need to create the # certificate cacon = get_caconnector_object(ca) x509object = cacon.sign_request(request, options={"spkac": spkac}) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) else: certificate = getParam(param, "certificate", optional) if certificate: self.add_tokeninfo("certificate", certificate)
def update(self, param): """ This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None """ TokenClass.update(self, param) request = getParam(param, "request", optional) spkac = getParam(param, "spkac", optional) certificate = None if request: ca = getParam(param, "ca", required) self.add_tokeninfo("CA", ca) # During the initialization process, we need to create the # certificate cacon = get_caconnector_object(ca) x509object = cacon.sign_request(request, options={"spkac": spkac}) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) else: certificate = getParam(param, "certificate", optional) if certificate: self.add_tokeninfo("certificate", certificate)
def update(self, param): """ This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None """ TokenClass.update(self, param) request = getParam(param, "request", optional) spkac = getParam(param, "spkac", optional) certificate = getParam(param, "certificate", optional) generate = getParam(param, "genkey", optional) if request or generate: # If we do not upload a user certificate, then we need a CA do # sign the uploaded request or generated certificate. ca = getParam(param, "ca", required) self.add_tokeninfo("CA", ca) cacon = get_caconnector_object(ca) if request: # During the initialization process, we need to create the # certificate x509object = cacon.sign_request(request, options={"spkac": spkac}) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) elif generate: # Create the certificate on behalf of another user. # Now we need to create the key pair, # the request # and the certificate # We need the user for whom the certificate should be created user = get_user_from_param(param, optionalOrRequired=required) keysize = getParam(param, "keysize", optional, 2048) key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, keysize) req = crypto.X509Req() req.get_subject().CN = user.login # Add email to subject if user.info.get("email"): req.get_subject().emailAddress = user.info.get("email") req.get_subject().organizationalUnitName = user.realm # TODO: Add Country, Organization, Email # req.get_subject().countryName = 'xxx' # req.get_subject().stateOrProvinceName = 'xxx' # req.get_subject().localityName = 'xxx' # req.get_subject().organizationName = 'xxx' req.set_pubkey(key) req.sign(key, "sha256") x509object = cacon.sign_request( crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) # Save the private key to the encrypted key field of the token s = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) self.add_tokeninfo("privatekey", s, value_type="password") if certificate: self.add_tokeninfo("certificate", certificate)
def test_02_db_caconnector(self): pass # save a CA connector ca_id = save_caconnector({ "caconnector": "myCA", "type": "local", "cakey": "/opt/ca/key.pem", "cacert": "/opt/ca/cert.pem" }) self.assertTrue(ca_id > 0, ca_id) # Update the CA connector save_caconnector({ "caconnector": "myCA", "type": "local", "WorkingDir": "/opt/ca", "Password": "******", "type.Password": "******" }) # check if connector is in DB calist = get_caconnector_list() self.assertEqual(len(calist), 1) calist = get_caconnector_list(filter_caconnector_type="local") self.assertEqual(len(calist), 1) # check the config values of "myCA" self.assertEqual(calist[0].get("data").get("WorkingDir"), "/opt/ca") self.assertEqual(calist[0].get("data").get("cakey"), "/opt/ca/key.pem") # get the CA connector list without a config calist = get_caconnector_list(return_config=False) self.assertEqual(len(calist), 1) # check that there are no values self.assertEqual(calist[0].get("data"), {}) # test the CA connector: config = get_caconnector_config("myCA") self.assertEqual(config.get("WorkingDir"), "/opt/ca") self.assertEqual(config.get("cakey"), "/opt/ca/key.pem") # get_caconnector_object() ca_obj = get_caconnector_object("myCA") self.assertTrue(ca_obj.connector_type, "local") catype = get_caconnector_type("myCA") self.assertTrue(catype, "local") # delete the CA connector delete_caconnector("myCA") # check if connector is deleted from DB self.assertEqual(len(calist), 1)
def test_02_db_caconnector(self): pass # save a CA connector ca_id = save_caconnector({"caconnector": "myCA", "type": "local", "cakey": "/opt/ca/key.pem", "cacert": "/opt/ca/cert.pem"}) self.assertTrue(ca_id > 0, ca_id) # Update the CA connector save_caconnector({"caconnector": "myCA", "type": "local", "WorkingDir": "/opt/ca", "Password": "******", "type.Password": "******"}) # check if connector is in DB calist = get_caconnector_list() self.assertEqual(len(calist), 1) calist = get_caconnector_list(filter_caconnector_type="local") self.assertEqual(len(calist), 1) # check the config values of "myCA" self.assertEqual(calist[0].get("data").get("WorkingDir"), "/opt/ca") self.assertEqual(calist[0].get("data").get("cakey"), "/opt/ca/key.pem") # get the CA connector list without a config calist = get_caconnector_list(return_config=False) self.assertEqual(len(calist), 1) # check that there are no values self.assertEqual(calist[0].get("data"), {}) # test the CA connector: config = get_caconnector_config("myCA") self.assertEqual(config.get("WorkingDir"), "/opt/ca") self.assertEqual(config.get("cakey"), "/opt/ca/key.pem") # get_caconnector_object() ca_obj = get_caconnector_object("myCA") self.assertTrue(ca_obj.connector_type, "local") catype = get_caconnector_type("myCA") self.assertTrue(catype, "local") # delete the CA connector delete_caconnector("myCA") # check if connector is deleted from DB self.assertEqual(len(calist), 1)
def update(self, param): """ This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None """ TokenClass.update(self, param) request = getParam(param, "request", optional) spkac = getParam(param, "spkac", optional) certificate = getParam(param, "certificate", optional) generate = getParam(param, "genkey", optional) template_name = getParam(param, "template", optional) if request or generate: # If we do not upload a user certificate, then we need a CA do # sign the uploaded request or generated certificate. ca = getParam(param, "ca", required) self.add_tokeninfo("CA", ca) cacon = get_caconnector_object(ca) if request: if not spkac: # We only do the whole attestation checking in case we have no SPKAC request_csr = load_pem_x509_csr(to_byte_string(request), default_backend()) if not request_csr.is_signature_valid: raise privacyIDEAError("request has invalid signature.") # If a request is sent, we can have an attestation certificate attestation = getParam(param, "attestation", optional) verify_attestation = getParam(param, "verify_attestation", optional) if attestation: request_numbers = request_csr.public_key().public_numbers() attestation_cert = load_pem_x509_certificate( to_byte_string(attestation), default_backend()) attestation_numbers = attestation_cert.public_key( ).public_numbers() if request_numbers != attestation_numbers: log.warning( "certificate request does not match attestation certificate." ) raise privacyIDEAError( "certificate request does not match attestation certificate." ) try: verified = verify_certificate_path( attestation, param.get(ACTION.TRUSTED_CA_PATH)) except Exception as exx: # We could have file system errors during verification. log.debug("{0!s}".format(traceback.format_exc())) verified = False if not verified: log.warning( "Failed to verify certificate chain of attestation certificate." ) if verify_attestation: raise privacyIDEAError( "Failed to verify certificate chain of attestation certificate." ) # During the initialization process, we need to create the # certificate x509object = cacon.sign_request(request, options={ "spkac": spkac, "template": template_name }) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) elif generate: # Create the certificate on behalf of another user. # Now we need to create the key pair, # the request # and the certificate # We need the user for whom the certificate should be created user = get_user_from_param(param, optionalOrRequired=required) keysize = getParam(param, "keysize", optional, 2048) key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, keysize) req = crypto.X509Req() req.get_subject().CN = user.login # Add email to subject if user.info.get("email"): req.get_subject().emailAddress = user.info.get("email") req.get_subject().organizationalUnitName = user.realm # TODO: Add Country, Organization, Email # req.get_subject().countryName = 'xxx' # req.get_subject().stateOrProvinceName = 'xxx' # req.get_subject().localityName = 'xxx' # req.get_subject().organizationName = 'xxx' req.set_pubkey(key) req.sign(key, "sha256") csr = to_unicode( crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)) x509object = cacon.sign_request( csr, options={"template": template_name}) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) # Save the private key to the encrypted key field of the token s = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) self.add_tokeninfo("privatekey", s, value_type="password") if "pin" in param: self.set_pin(param.get("pin"), encrypt=True) if certificate: self.add_tokeninfo("certificate", certificate)