def mk_cert_valid(cert, days=3652): """Make a cert valid from now and til 'days' from now. :param cert: cert to make valid :param days: number of days cert is valid for from now. """ t = int(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire)
def make_eecert(self, cacert): eecert = X509.X509() eecert.set_serial_number(2) eecert.set_version(2) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) now_plus_year = ASN1.ASN1_UTCTIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) eecert.set_not_before(now) eecert.set_not_after(now_plus_year) eecert.set_issuer(cacert.get_subject()) return eecert
def generate_certificate(self, cr, uid, ids, issuer, ext=None, serial_number=1, version=2, date_begin=None, date_end=None, expiration=365, context=None): """ Generate certificate """ for item in self.browse(cr, uid, ids): if item.status == 'valid_request': # Get request data pk = item.pairkey_id.as_pkey()[item.pairkey_id.id] req = item.get_request()[item.id] sub = req.get_subject() pkey = req.get_pubkey() # Building certificate cert = X509.X509() cert.set_serial_number(serial_number) cert.set_version(version) cert.set_subject(sub) now = ASN1.ASN1_UTCTIME() if date_begin is None: t = long(time.time()) + time.timezone now.set_time(t) else: now.set_datetime(date_begin) nowPlusYear = ASN1.ASN1_UTCTIME() if date_end is None: nowPlusYear.set_time(t + 60 * 60 * 24 * expiration) else: nowPlusYear.set_datetime(date_end) cert.set_not_before(now) cert.set_not_after(nowPlusYear) cert.set_issuer(issuer) cert.set_pubkey(pkey) cert.set_pubkey(cert.get_pubkey()) if ext: cert.add_ext(ext) cert.sign(pk, 'sha1') w = {'crt': cert.as_pem()} self.write(cr, uid, item.id, w)
def mk_cert_valid(cert, days=365): """ Make a cert valid from now and til 'days' from now. Args: cert -- cert to make valid days -- number of days cert is valid for from now. """ t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire)
def _set_times(self): """ Internal function that sets the time on the proxy certificate """ not_before = ASN1.ASN1_UTCTIME() not_after = ASN1.ASN1_UTCTIME() if self._start: not_before.set_time(self._start) else: not_before.set_time(int(time.time())) offset = (self._valid[0] * 3600) + (self._valid[1] * 60) not_after.set_time(int(time.time()) + offset) self._proxycert.set_not_before(not_before) self._proxycert.set_not_after(not_after)
def test_UTCTIME(self): asn1 = ASN1.ASN1_UTCTIME() assert str(asn1) == 'Bad time value' format = '%b %d %H:%M:%S %Y GMT' utcformat = '%y%m%d%H%M%SZ' s = '990807053011Z' asn1.set_string(s) #assert str(asn1) == 'Aug 7 05:30:11 1999 GMT' t1 = time.strptime(str(asn1), format) t2 = time.strptime(s, utcformat) self.assertEqual(t1, t2) asn1.set_time(500) #assert str(asn1) == 'Jan 1 00:08:20 1970 GMT' t1 = time.strftime(format, time.strptime(str(asn1), format)) t2 = time.strftime(format, time.gmtime(500)) self.assertEqual(t1, t2) t = long(time.time()) + time.timezone asn1.set_time(t) t1 = time.strftime(format, time.strptime(str(asn1), format)) t2 = time.strftime(format, time.gmtime(t)) self.assertEqual(t1, t2)
def _generate_mock_cert(): rsa_key = RSA.gen_key(512, 65537) pkey = EVP.PKey() pkey.assign_rsa(rsa_key) cert = X509.X509() cert.set_pubkey(pkey) not_before = ASN1.ASN1_UTCTIME() not_before.set_datetime(datetime.now(UTC)) not_after = ASN1.ASN1_UTCTIME() not_after.set_datetime(datetime.now(UTC) + timedelta(hours=24)) cert.set_not_before(not_before) cert.set_not_after(not_after) cert.sign(pkey, 'md5') return pkey, cert
def create_self_signed_RootCA_certificate(root_ca_info, sign_method="sha256", days=3650): # Setp 1: Create RSA-key pair (public/private key) rsa = generate_rsa_keypair(2048, 65537) private_key = EVP.PKey() private_key.assign_rsa(rsa) # Step 2-1: Prepare X.509 Certificate Signed Request req = X509.Request() req.set_pubkey(private_key) x509_name = req.get_subject() x509_name.C = root_ca_info["C"] x509_name.CN = root_ca_info["CN"] x509_name.ST = root_ca_info["ST"] x509_name.L = root_ca_info["L"] x509_name.O = root_ca_info["O"] x509_name.OU = root_ca_info["OU"] req.sign(private_key, sign_method) # Step 2-2: Prepare X.509 certificate root_ca_cert = X509.X509() serial = struct.unpack("<Q", os.urandom(8))[0] root_ca_cert.set_serial_number(serial) root_ca_cert.set_version(3) # Setp 2-3: Set required information of RootCA certificate root_ca_cert.set_issuer(x509_name) root_ca_cert.set_subject(root_ca_cert.get_issuer()) root_ca_cert.set_pubkey(req.get_pubkey()) # Get the CSR's public key # Step 2-4: Set Valid Date for RootCA certificate t = int(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) root_ca_cert.set_not_before(now) root_ca_cert.set_not_after(expire) # Step 3: Add Extensions for this Root CA certificate root_ca_cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE')) root_ca_cert.add_ext( X509.new_extension('subjectKeyIdentifier', root_ca_cert.get_fingerprint())) # Step 4: Use Root CA's RSA private key to sign this certificate root_ca_cert.sign(private_key, sign_method) return root_ca_cert, private_key
def __createCertM2Crypto(self): """Create new certificate for user :return: S_OK(tuple)/S_ERROR() -- tuple contain certificate and pulic key as strings """ # Create public key userPubKey = EVP.PKey() userPubKey.assign_rsa( RSA.gen_key(self.bits, 65537, util.quiet_genparam_callback)) # Create certificate userCert = X509.X509() userCert.set_pubkey(userPubKey) userCert.set_version(2) userCert.set_subject(self.__X509Name) userCert.set_serial_number(int(random.random() * 10**10)) # Add extentionals userCert.add_ext( X509.new_extension("basicConstraints", "CA:" + str(False).upper())) userCert.add_ext( X509.new_extension("extendedKeyUsage", "clientAuth", critical=1)) # Set livetime validityTime = datetime.timedelta(days=400) notBefore = ASN1.ASN1_UTCTIME() notBefore.set_time(int(time.time())) notAfter = ASN1.ASN1_UTCTIME() notAfter.set_time(int(time.time()) + int(validityTime.total_seconds())) userCert.set_not_before(notBefore) userCert.set_not_after(notAfter) # Add subject from CA with open(self.parameters["CertFile"]) as cf: caCertStr = cf.read() caCert = X509.load_cert_string(caCertStr) userCert.set_issuer(caCert.get_subject()) # Use CA key with open(self.parameters["KeyFile"], "rb") as cf: caKeyStr = cf.read() pkey = EVP.PKey() pkey.assign_rsa( RSA.load_key_string(caKeyStr, callback=util.no_passphrase_callback)) # Sign userCert.sign(pkey, self.algoritm) userCertStr = userCert.as_pem().decode("ascii") userPubKeyStr = userPubKey.as_pem( cipher=None, callback=util.no_passphrase_callback).decode("ascii") return S_OK((userCertStr, userPubKeyStr))
def make_proxycert(self, eecert, utc): proxycert = X509.X509() pk2 = EVP.PKey() proxykey = RSA.gen_key(1024, 65537, self.callback) pk2.assign_rsa(proxykey) proxycert.set_pubkey(pk2) proxycert.set_version(2) if utc: not_before = ASN1.ASN1_UTCTIME() not_after = ASN1.ASN1_UTCTIME() else: not_before = ASN1.ASN1_TIME() not_after = ASN1.ASN1_TIME() not_before.set_time(int(time.time())) offset = 12 * 3600 not_after.set_time(int(time.time()) + offset) proxycert.set_not_before(not_before) proxycert.set_not_after(not_after) proxycert.set_issuer_name(eecert.get_subject()) proxycert.set_serial_number(12345678) issuer_name_string = eecert.get_subject().as_text() seq = issuer_name_string.split(",") subject_name = X509.X509_Name() for entry in seq: l = entry.split("=") subject_name.add_entry_by_txt(field=l[0].strip(), type=ASN1.MBSTRING_ASC, entry=l[1], len=-1, loc=-1, set=0) subject_name.add_entry_by_txt(field="CN", type=ASN1.MBSTRING_ASC, entry="Proxy", len=-1, loc=-1, set=0) proxycert.set_subject_name(subject_name) # XXX leaks 8 bytes pci_ext = X509.new_extension("proxyCertInfo", "critical,language:Inherit all", 1) proxycert.add_ext(pci_ext) return proxycert
def _create_cert(key, webid_uri, time_len=365): key_dir = jongau.settings.key_dir key_path = os.path.join(key_dir, key['filename']) rsa = RSA.load_key(key_path) pk = EVP.PKey() pk.assign_rsa(rsa) parsed = urlparse.urlparse(webid_uri) issuer = X509.X509_Name() issuer.CN = parsed[1] subject = X509.X509_Name() subject.CN = parsed[1] cert = X509.X509() cert.set_serial_number(long(time.time())) cert.set_version(2) cert.set_issuer(issuer) cert.set_subject(subject) cert.set_pubkey(pk) now = long(key['created']) time_start = ASN1.ASN1_UTCTIME() time_start.set_time(now) time_end = ASN1.ASN1_UTCTIME() time_end.set_time(now + time_len * 24 * 60 * 60) cert.set_not_before(time_start) cert.set_not_after(time_end) cert.add_ext(X509.new_extension('basicContraints', 'CA:FALSE')) cert.add_ext(X509.new_extension('subjectAltName', "URI:" + webid_uri)) cert.add_ext( X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint())) cert.sign(pk, 'sha1') filename = '%s_%s_%s' % (key['filename'], parsed[1], long(time.time())) pathname = os.path.join(key_dir, filename) cert.save_pem(pathname) certificate = {} certificate['filename'] = filename certificate['keyname'] = key['filename'] certificate['created'] = key['created'] certificate['expiration'] = key['created'] + time_len * 24 * 60 * 60 return certificate
def get_not_after(self): assert m2.x509_type_check(self.x509), "'x509' type error" out = ASN1.ASN1_UTCTIME(m2.x509_get_not_after(self.x509)) if 'Bad time value' in str(out): raise X509Error('''M2Crypto cannot handle dates after year 2050. See RFC 5280 4.1.2.5 for more information. ''') return out
def mkcacert(self, utc): req, pk = self.mkreq(1024, ca=1) pkey = req.get_pubkey() sub = req.get_subject() cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) cert.set_subject(sub) t = int(time.time()) + time.timezone if utc: now = ASN1.ASN1_UTCTIME() else: now = ASN1.ASN1_TIME() now.set_time(t) now_plus_year = ASN1.ASN1_TIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) cert.set_not_before(now) cert.set_not_after(now_plus_year) issuer = X509.X509_Name() issuer.C = "UK" issuer.CN = "OpenSSL Group" cert.set_issuer(issuer) cert.set_pubkey(pkey) ext = X509.new_extension('basicConstraints', 'CA:TRUE') cert.add_ext(ext) cert.sign(pk, 'sha1') if m2.OPENSSL_VERSION_NUMBER >= 0x0090800f: self.assertTrue(cert.check_ca()) self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 1)) self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 1)) self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 1)) self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 0)) self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 0)) self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 0)) else: with self.assertRaises(AttributeError): cert.check_ca() return cert, pk, pkey
def _generate_ssl_keypair(self, rsa_key, ca_key, ca_cert, role='CONTROL', client=False, serial=2): t = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + 365 * 24 * 60 * 60) pk = EVP.PKey() pk.assign_rsa(rsa_key) cert = X509.X509() cert.get_subject().O = self._generate_id(10) cert.get_subject().OU = role cert.set_serial_number(serial) cert.set_version(3) cert.set_not_before(now) cert.set_not_after(expire) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(pk) cert.add_ext( X509.new_extension('basicConstraints', 'critical,CA:FALSE')) cert.add_ext( X509.new_extension('subjectKeyIdentifier', str(cert.get_fingerprint()))) if client: cert.add_ext( X509.new_extension('keyUsage', 'critical,digitalSignature')) cert.add_ext(X509.new_extension('nsCertType', 'client')) else: cert.add_ext( X509.new_extension('keyUsage', 'critical,keyEncipherment')) cert.add_ext(X509.new_extension('nsCertType', 'server')) cert.sign(ca_key, 'sha256') return pk.as_pem(cipher=None), cert.as_pem()
def make_ss_cert(key_file, domains): """ Returns new self-signed cert in PEM form using key_file containing all domains """ assert domains, "Must provide one or more hostnames for the CSR." rsa_key = M2Crypto.RSA.load_key(key_file) pk = EVP.PKey() pk.assign_rsa(rsa_key) x = X509.X509() x.set_pubkey(pk) x.set_serial_number(1337) x.set_version(2) t = long(time.time()) current = ASN1.ASN1_UTCTIME() current.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time((7 * 24 * 60 * 60) + t) x.set_not_before(current) x.set_not_after(expire) name = x.get_subject() name.C = "US" name.ST = "Michigan" name.L = "Ann Arbor" name.O = "University of Michigan and the EFF" name.CN = domains[0] x.set_issuer(x.get_subject()) x.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE')) #x.add_ext(X509.new_extension('extendedKeyUsage', 'TLS Web Server Authentication')) x.add_ext(X509.new_extension('subjectAltName', ", ".join(["DNS:%s" % d for d in domains]))) x.sign(pk, 'sha256') assert x.verify(pk) assert x.verify() #print check_purpose(,0 return x.as_pem()
def _signRequest(self, x509Request, lifetime): notBefore = ASN1.ASN1_UTCTIME() notBefore.set_datetime(datetime.now(pytz.UTC)) notAfter = ASN1.ASN1_UTCTIME() notAfter.set_datetime(datetime.now(pytz.UTC) + lifetime) proxySubject = X509.X509_Name() for c in self.context.x509.get_subject(): m2.x509_name_add_entry(proxySubject._ptr(), c._ptr(), -1, 0) proxySubject.add_entry_by_txt('commonName', 0x1000, 'proxy', -1, -1, 0) proxy = X509.X509() proxy.set_version(2) proxy.set_subject(proxySubject) proxy.set_serial_number(long(time.time())) proxy.set_version(x509Request.get_version()) proxy.set_issuer(self.context.x509.get_subject()) proxy.set_pubkey(x509Request.get_pubkey()) # Make sure the proxy is not longer than any other inside the chain any_rfc_proxies = False for cert in self.context.x509List: if cert.get_not_after() < notAfter: notAfter = cert.get_not_after() try: cert.get_ext('1.3.6.1.5.5.7.1.14') any_rfc_proxies = True except: pass proxy.set_not_after(notAfter) proxy.set_not_before(notBefore) if any_rfc_proxies: raise NotImplementedError('RFC proxies not supported yet') proxy.sign(self.context.evpKey, 'sha1') return proxy
def _gen(self): def keygen_cb(*args): pass def passphrase_cb(*args): return '' self.cert = X509.X509() pubkey = EVP.PKey() rsa = RSA.gen_key(1024, 65537, keygen_cb) pubkey.assign_rsa(rsa) self._key = rsa.as_pem(None, callback=passphrase_cb) rsa = None # Set a serial number that is unlikely to repeat sn = int(time.time()) % (2**32 - 1) self.cert.set_serial_number(sn) self.cert.set_version(2) subject = self.cert.get_subject() subject.C = 'US' subject.CN = 'kimchi' subject.O = 'kimchi-project.org' t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) nowPlusYear = ASN1.ASN1_UTCTIME() nowPlusYear.set_time(t + 60 * 60 * 24 * 365) self.cert.set_not_before(now) self.cert.set_not_after(nowPlusYear) issuer = X509.X509_Name() issuer.CN = 'kimchi' issuer.O = 'kimchi-project.org' self.cert.set_issuer(issuer) self.cert.set_pubkey(pubkey) self.cert.sign(pubkey, 'sha1')
def test_String(self): asn1ptr = m2.asn1_string_new() text = 'hello there' # In RFC2253 format: # #040B68656C6C6F207468657265 # h e l l o t h e r e m2.asn1_string_set(asn1ptr, text) a = ASN1.ASN1_String(asn1ptr, 1) assert a.as_text() == 'hello there', a.as_text() assert a.as_text(flags=m2.ASN1_STRFLGS_RFC2253 ) == '#040B68656C6C6F207468657265', a.as_text( flags=m2.ASN1_STRFLGS_RFC2253) self.assertEqual(a.as_text(), str(a))
def verify(certstring, open_access=False): crt = X509.load_cert_string(certstring) # Create datetime objects now = ASN1.ASN1_UTCTIME() now.set_datetime(datetime.datetime.now()) now = now.get_datetime() not_before = crt.get_not_before().get_datetime() not_after = crt.get_not_after().get_datetime() # Check time. if not not_before <= now <= not_after: return False issuer = crt.get_issuer().CN.lower().replace(" ","-") logging.debug("Certificate issuer: %s"%(issuer)) # only suport eID certificates if issuer not in ("esteid-sk", "esteid-sk-2007", "eid-sk", "eid-sk-2007", "eid-sk-2011", "esteid-sk-2011"): return False with tempfile.NamedTemporaryFile(prefix="ocsp") as tmp: # write the cert to tmp storage tmp.write(certstring) tmp.flush() # construct validation command cmdstr = ["openssl", "ocsp", "-nonce", "-url", "http://ocsp.sk.ee:80", "-issuer", resource_filename(__name__, "certs/%s.pem" %(issuer)), "-VAfile", resource_filename(__name__, "certs/sk-ocsp-responder-certificates.pem")] if not open_access: cmdstr.extend(["-signer", os.path.join(expanduser("~"), '.python-esteid', 'ocsp.pem')]) cmdstr.extend(["-signkey", os.path.join(expanduser("~"), '.python-esteid', 'ocsp.key')]) cmdstr.extend(["-cert", tmp.name]) logging.debug(" ".join(cmdstr)) process = subprocess.Popen(cmdstr, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE) process.wait() (ch_out, ch_err) = (process.stdout.read(), process.stderr.read()) # TODO: M2Crypto OCSP code if ch_err != "Response verify OK\n": return False logging.debug("Command out: %s\nCommand err:%s" %(ch_out, ch_err)) if process.returncode == 0: if ch_err.startswith("Response verify OK"): if ch_out.find("revoked") == -1 and ch_out.find("good") != -1: return True return False
def create_certificate_from_CSR(rootCA_cert, rootCA_private_key, csr, days=365): # Step 1: Prepare X.509 Certificate cert = X509.X509() serial = struct.unpack("<Q", os.urandom(8))[0] cert.set_serial_number(serial) cert.set_version(3) # Step 2: Set Expired Date t = int(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) expire = ASN1.ASN1_UTCTIME() expire.set_time(t + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire) # Step 3: Set X.509 Extensions cert.add_ext(X509.new_extension('nsComment', 'SSL sever')) cert.add_ext(X509.new_extension('keyUsage', 'Digital Signature')) cert.add_ext(X509.new_extension('keyUsage', 'Key Encipherment', 1)) # 1 means critical cert.add_ext(X509.new_extension('keyUsage', 'Data Encipherment', 1)) cert.add_ext(X509.new_extension('keyUsage', 'Key Agreement', 1)) cert.add_ext(X509.new_extension('extendedKeyUsage', 'clientAuth')) cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE')) ext = X509.new_extension('1.2.3.412', 'ASN1:UTF8String:My custom extension\'s value') # If required: ext.set_critical(1) cert.add_ext(ext) # Step 4: Set Subject and Public Key from CSR cert.set_issuer(rootCA_cert.get_issuer()) cert.set_subject(csr.get_subject()) cert.set_pubkey(csr.get_pubkey()) # Step 5: Use Private Key of Root CA or CA to sign this X.509 certificate cert.sign(rootCA_private_key, 'sha256') return cert
def generate_and_sign_cert(req, pk, sign_key, issuer_cn, issuer_c): pkey = req.get_pubkey() sub = req.get_subject() cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) cert.set_subject(sub) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) nowPlusYear = ASN1.ASN1_UTCTIME() nowPlusYear.set_time(t + 60 * 60 * 24 * 365) cert.set_not_before(now) cert.set_not_after(nowPlusYear) issuer = X509.X509_Name() issuer.C = issuer_c issuer.CN = issuer_cn cert.set_issuer(issuer) cert.set_pubkey(pkey) ext = X509.new_extension('basicConstraints', 'CA:TRUE') cert.add_ext(ext) cert.sign(sign_key, 'sha256') return cert, pk, pkey
def set_valtime(cert, years=1): """Set certificate valid time :param cert: certificate :type cert: X509.X509 :param years: number of years the certificate is going to be valid :type years: int """ days = years * 365 # t = long(time.time()) + time.timezone t = int(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(t) logging.debug(now.get_datetime()) nowPlusYear = ASN1.ASN1_UTCTIME() nowPlusYear.set_time(t + 60 * 60 * 24 * days) # later.set_time(int(time.time()+3600*24*7)) # return now, nowPlusYear cert.set_not_before(now) logging.debug(cert.get_not_before()) cert.set_not_after(nowPlusYear) logging.debug(cert.get_not_after())
def helper_sign_certificate(self, cakey, cacert, request): """Sign a certificate request by the given ca key and ca certificate.""" cert = X509.X509() cert.set_version(2) cert.set_serial_number(1) cert.set_subject(request.get_subject()) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) end = ASN1.ASN1_UTCTIME() end.set_time(t + 60 * 60 * 24 * 365 * 10) cert.set_not_before(now) cert.set_not_after(end) cert.set_issuer(cacert.get_subject()) cert.set_pubkey(request.get_pubkey()) #ext = X509.new_extension('subjectAltName', 'DNS:localhost') #ext.set_critical(0) #cert.add_ext(ext) cert.sign(cakey, 'sha1') return cert
def mk_certreq_n_keys(self, cn, v3_exts=[]): ''' This function creates a certificate request with following attributes: * given common name, organization, and country * maximum validity period * given extensions Returns the certificate request and the keys as a tuple (X509, EVP, RSA) ''' bits = DEFAULT_BITS # subject subj = X509.X509_Name() subj.CN = cn subj.C = DEFAULT_X509_C subj.O = DEFAULT_X509_ORG # maximum possible validity time frame not_before = ASN1.ASN1_UTCTIME() not_before.set_time(0) not_after = ASN1.ASN1_UTCTIME() not_after.set_time(2**31 - 1) return self.dododo(bits, subj, not_before, not_after, v3_exts)
def test_UTCTIME_datetime(self): asn1 = ASN1.ASN1_UTCTIME() # Test get_datetime and set_datetime t = time.time() dt = datetime.datetime.fromtimestamp(int(t)) udt = dt.replace(tzinfo=ASN1.LocalTimezone()).astimezone(ASN1.UTC) asn1.set_time(int(t)) t1 = str(asn1) asn1.set_datetime(dt) t2 = str(asn1) self.assertEqual(t1, t2) self.assertEqual(str(udt), str(asn1.get_datetime())) dt = dt.replace(tzinfo=ASN1.LocalTimezone()) asn1.set_datetime(dt) t2 = str(asn1) self.assertEqual(t1, t2) self.assertEqual(str(udt), str(asn1.get_datetime())) dt = dt.astimezone(ASN1.UTC) asn1.set_datetime(dt) t2 = str(asn1) self.assertEqual(t1, t2) self.assertEqual(str(udt), str(asn1.get_datetime()))
def test_String(self): asn1ptr = m2.asn1_string_new() # FIXME this is probably wrong ... asn1_string_set should have # Python string as its parameter. text = b'hello there' # In RFC2253 format: # #040B68656C6C6F207468657265 # h e l l o t h e r e m2.asn1_string_set(asn1ptr, text) a = ASN1.ASN1_String(asn1ptr, 1) self.assertEqual(a.as_text(), 'hello there', a.as_text()) self.assertEqual(a.as_text(flags=m2.ASN1_STRFLGS_RFC2253), '#040B68656C6C6F207468657265', a.as_text(flags=m2.ASN1_STRFLGS_RFC2253)) self.assertEqual(a.as_text(), str(a))
def get_not_before(self): # type: () -> ASN1.ASN1_TIME assert m2.x509_type_check(self.x509), "'x509' type error" return ASN1.ASN1_TIME(m2.x509_get_not_before(self.x509))
def get_data(self): # type: () -> ASN1.ASN1_String return ASN1.ASN1_String( m2.x509_name_entry_get_data(self.x509_name_entry))
def get_object(self): # type: () -> ASN1.ASN1_Object return ASN1.ASN1_Object( m2.x509_name_entry_get_object(self.x509_name_entry))
def test_mkcert(self): req, pk = self.mkreq(1024) pkey = req.get_pubkey() self.assertTrue(req.verify(pkey)) sub = req.get_subject() self.assertEqual(len(sub), 2, 'Subject should be long 2 items not %d' % len(sub)) cert = X509.X509() cert.set_serial_number(1) cert.set_version(2) cert.set_subject(sub) t = long(time.time()) + time.timezone now = ASN1.ASN1_UTCTIME() now.set_time(t) now_plus_year = ASN1.ASN1_UTCTIME() now_plus_year.set_time(t + 60 * 60 * 24 * 365) cert.set_not_before(now) cert.set_not_after(now_plus_year) self.assertEqual(str(cert.get_not_before()), str(now)) self.assertEqual(str(cert.get_not_after()), str(now_plus_year)) issuer = X509.X509_Name() issuer.CN = 'The Issuer Monkey' issuer.O = 'The Organization Otherwise Known as My CA, Inc.' cert.set_issuer(issuer) cert.set_pubkey(pkey) cert.set_pubkey(cert.get_pubkey()) # Make sure get/set work ext = X509.new_extension('subjectAltName', 'DNS:foobar.example.com') ext.set_critical(0) self.assertEqual(ext.get_critical(), 0) cert.add_ext(ext) cert.sign(pk, 'sha1') with self.assertRaises(ValueError): cert.sign(pk, 'nosuchalgo') self.assertTrue( cert.get_ext('subjectAltName').get_name(), 'subjectAltName') self.assertTrue(cert.get_ext_at(0).get_name(), 'subjectAltName') self.assertTrue( cert.get_ext_at(0).get_value(), 'DNS:foobar.example.com') self.assertEqual( cert.get_ext_count(), 1, 'Certificate should have now 1 extension not %d' % cert.get_ext_count()) with self.assertRaises(IndexError): cert.get_ext_at(1) self.assertTrue(cert.verify()) self.assertTrue(cert.verify(pkey)) self.assertTrue(cert.verify(cert.get_pubkey())) self.assertEqual(cert.get_version(), 2) self.assertEqual(cert.get_serial_number(), 1) self.assertEqual(cert.get_issuer().CN, 'The Issuer Monkey') if m2.OPENSSL_VERSION_NUMBER >= 0x90800f: self.assertFalse(cert.check_ca()) self.assertFalse(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 1)) self.assertFalse( cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 1)) self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 0)) self.assertTrue( cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 0)) self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 0)) else: with self.assertRaises(AttributeError): cert.check_ca()