Beispiel #1
0
    def generate_x509_root(self, passphrase=None):
        """Generate x509 certificate with instance informations
        """
        # Generate CA Request
        ca_pkey = self.key.private

        subject = self.get_subject()

        ossl = Openssl()
        pem = ossl.generate_self_signed_cert(self.days, subject, ca_pkey, passphrase)
        self.pem = pem
        self.certhash = ossl.get_hash_from_cert(pem)
        x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
        self.serial = str(x509.get_serial_number())
        self.begin = x509.get_not_before().get_datetime()
        self.end = x509.get_not_after().get_datetime()
        # v3 extensions
        self.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
        auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
        self.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()
        self.ca_serial = 1
        self.is_ca = True
        self.trust = True
        # Add date
        self.created = datetime.now()
Beispiel #2
0
    def sign_text(self, text, passphrase):
        """Sign a text with cert's key and passphrase
        """
        if not self.key:
            raise Exception("No key for this certificate")

        ossl = Openssl()
        data_signed = ossl.sign_pkcs7(self.pem, text, self.key.private, passphrase)
        return data_signed
Beispiel #3
0
 def gen_crl(self, passphrase=""):
     """Generate CRL for this certificate
     """
     cakey = self.key.private
     issued = self.get_issued()
     crlnumber = self.crlnumber or 1
     ossl = Openssl()
     self.crl = ossl.generate_crl(self, cakey, crlnumber, self.crl, issued, passphrase=passphrase)
     self.crlnumber = crlnumber + 1
     self.save()
     return self.crl
Beispiel #4
0
    def verify_smime(self, smime, silent=False):
        """Verify an smime signed message
        """
        if not self.key:
            raise Exception("No key for this certificate")

        ossl = Openssl()
        if silent:
            try:
                data_signed = ossl.verify_pkcs7(self.pem, smime)
            except ossl.VerifyError:
                return False
        else:
            data_signed = ossl.verify_pkcs7(self.pem, smime)
        return data_signed
Beispiel #5
0
 def check_chain(self, chain=None, silent=False):
     """Check certificate chain
     """
     if not chain:
         chain = self.get_cert_chain()
     ossl = Openssl()
     result = False
     if silent:
         try:
             result = ossl.verify_ca_chain(chain)
         except ossl.VerifyError:
             return False
     else:
         result = ossl.verify_ca_chain(chain)
     return result
Beispiel #6
0
    def revoke(self, cert, passphrase=""):
        """Generate CRL for this certificate
        """
        if cert.issuer != self:
            raise Exception("I'm not the issuer.")

        cakey = self.key.private
        issued = self.get_issued()
        crlnumber = self.crlnumber or 1
        ossl = Openssl()
        self.crl, self.index = ossl.revoke_cert(self, cakey, crlnumber, self.crl, cert, issued, passphrase=passphrase)
        self.crlnumber = crlnumber + 1
        self.save()
        cert.revoked = True
        cert.save()
        return self.crl
Beispiel #7
0
    def check_crl(self, silent=False, quick=False):
        """Check CRL for this certificate

        Quick only use database cache
        """
        if self.revoked:
            return False
        elif quick:
            return True
        if self.issuer:
            if self.issuer.crl:
                ossl = Openssl()
                return not ossl.get_revoke_status_from_cert(self, self.issuer.crl)
        elif self.subject_kid != self.auth_kid:
            return False
        return True
Beispiel #8
0
    def sign_request(self, rqst, days, passphrase=None, ca=False):
        """Sign a Request and return a Certificate instance
        """
        ossl = Openssl()

        pem = ossl.sign_csr(rqst.pem, self.key.private, self.pem, self.ca_serial, days, passphrase, ca)
        self.ca_serial += 1
        self.save()

        c_cert = Certificate()
        c_cert.pem = pem
        c_cert.certhash = ossl.get_hash_from_cert(pem)
        c_cert.user = rqst.user
        c_cert.issuer = self
        c_cert.key = rqst.key
        c_cert.country = rqst.country
        c_cert.CN = rqst.CN
        c_cert.locality = rqst.locality
        c_cert.email = rqst.email
        c_cert.organization = rqst.organization
        c_cert.OU = rqst.OU
        c_cert.state = rqst.state

        x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
        c_cert.serial = str(x509.get_serial_number())
        c_cert.begin = x509.get_not_before().get_datetime()
        c_cert.end = x509.get_not_after().get_datetime()
        # v3 extensions
        c_cert.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
        auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
        c_cert.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()
        if ca:
            c_cert.ca_serial = 1
            c_cert.is_ca = True
        # Add date
        c_cert.created = datetime.now()

        # And return new instance
        return c_cert
Beispiel #9
0
    def new_from_pem(cls, pem, user=None, key=None):
        """Create a Certificate Instance with an existing PEM
        """
        ossl = Openssl()
        cert = cls(user=user, key=key)
        x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
        cert.pem = x509.as_pem()
        cert.certhash = ossl.get_hash_from_cert(pem)
        issuer = x509.get_issuer()
        if issuer.C:
            cert.country = smart_unicode(issuer.C)
        cert.CN = smart_unicode(issuer.CN)
        if issuer.L:
            cert.locality = smart_unicode(issuer.L)
        if issuer.Email:
            cert.email = smart_unicode(issuer.Email)
        if issuer.O:
            cert.organization = smart_unicode(issuer.O)
        if issuer.OU:
            cert.OU = smart_unicode(issuer.OU)
        if issuer.SP:
            cert.state = smart_unicode(issuer.SP)
        cert.serial = str(x509.get_serial_number())
        cert.begin = x509.get_not_before().get_datetime()
        cert.end = x509.get_not_after().get_datetime()
        # v3 extensions
        cert.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
        auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
        cert.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()

        # Search issuer
        try:
            ca_cert = Certificate.objects.get(subject_kid=cert.auth_kid)
        except Certificate.DoesNotExist:
            pass
        else:
            cert.issuer = ca_cert

        # Find Relations
        cert_pubkey = cert.get_pubkey()
        if key:
            cert.key = key
        else:
            if user:
                try:
                    key = Key.objects.get(user=user, public=cert_pubkey)
                except Key.DoesNotExist:
                    pass
                else:
                    cert.key = key
            else:
                try:
                    key = Key.objects.get(public=cert_pubkey)
                except Key.DoesNotExist:
                    pass
                else:
                    cert.key = key
                    cert.user = key.user
        # Add date
        cert.created = datetime.now()
        if x509.check_ca():
            cert.is_ca = True
        cert.save()

        # Search issued # XXX
        for c_cert in Certificate.objects.filter(auth_kid=cert.subject_kid, issuer__isnull=True):
            c_cert.issuer = cert
            c_cert.save()

        return cert