def setup(self):
"""
Configure the RA with its own certificates.
:return:
"""
if CertificateManager.cert_file_exists("ra.cert"):
# Certificate exists
self.cert = CertificateManager.load_cert("ra.cert")
else:
# Not found, create new certificate for the RA
if self.verbose:
print("Generating new RA certificate.")
if self.ca is None or not isinstance(self.ca, CA):
raise ValueError("The \"ca\" field must be defined and instance of CA to setup an RA.")
# Create certificate own certificate on behalf of the CA
keys = CertificateManager.create_key_pair(self.default_key_type, self.default_key_size)
csr = CertificateManager.create_csr(keys, C="NO", ST="Oslo", L="Oslo", O=self.organisation, OU="RA",
CN="RA")
issuer = self.ca.get_root_certificate().get_issuer() # Issuer of root certificate (i.e. root CA)
cert = CertificateManager.create_cert(csr, self.get_next_serial(), issuer, self.ca.get_keys(), ca=True)
# Save certificate, keys and files
CertificateManager.save_cert(cert, CONFIG["pki"]["ra-cert-name"])
CertificateManager.save_pkey(keys, CONFIG["pki"]["ra-pkey-name"])
self.cert = cert
def get_context(self):
context = SSL.Context(SSL.TLSv1_2_METHOD)
context.set_options(SSL.OP_NO_TLSv1_2)
context.set_verify(SSL.VERIFY_PEER|SSL.VERIFY_FAIL_IF_NO_PEER_CERT, self.ssl_verify_cb)
context.set_ocsp_server_callback(self.ocsp_server_callback)
try:
context.use_privatekey_file(CertificateManager.get_cert_path(self.private_key))
context.use_certificate_file(CertificateManager.get_cert_path(self.certificate))
context.load_verify_locations(CertificateManager.get_cert_path(self.ca_certificate))
except SSL.Error:
print("Error: Could not load key and certificate files. Please make sure that you have run the setup.py"
"script before starting Server_old.py.")
return context
def __init__(self, ca):
self.ca = ca
self.private_key = CertificateManager.load_pkey(CONFIG["pki"]["server-pkey-name"])
self.certificate = CertificateManager.load_cert(CONFIG["pki"]["server-cert-name"])
self.ca_certificate = ca.get_root_certificate()
self.ra = ca.get_ra()
self.context = self.get_context()
self.connection = None
self.clients = {}
self.writers = {}
atexit.register(self.shutdown)
super(Server, self).__init__()
def request_certificate(self, request):
"""
This method checks if a certificate is allowed by the PSA and issues it if that is the case. The RA currently
issues certificates using the CA key for simplicity. The RA could have its own key with signing permission (i.e.
the ca flag set to true) and use that instead.
:param request: CertificateRequest object (AC-PKI model)
:return: Certificate or None
"""
# Validate request type
if not isinstance(request, CertificateRequest):
raise RequestError("Certificate request invalid. Must be of type CertificateRequest!")
# Check if connection is allowed
if self.psa.connection_allowed(request.origin, request.destination):
# Connection allowed
ou = self.register_ou((request.origin.epg.name, request.destination.epg.name))
subject = request.csr.get_subject()
# Override attributes in the CSR (if they are defined)
setattr(subject, "C", "NO")
setattr(subject, "ST", "Oslo")
setattr(subject, "L", "Oslo")
setattr(subject, "O", "AC-PKI Corp")
setattr(subject, "OU", ou)
setattr(subject, "CN", request.origin.name)
crt = CertificateManager.create_cert(request.csr, self.get_next_serial(), self.ca.get_issuer(),
self.ca.get_keys())
return crt
else:
# Connection not allowed
print("Connection not allowed between {0} and {1}. Certificate refused."
.format(request.origin, request.destination))
return None
def __init__(self):
self.revoked_file_path = os.path.join(CertificateManager.get_cert_path(), "revoked.txt")
# Create the file if it does not exist
try:
if not os.path.exists(self.revoked_file_path):
revoked_file = open(self.revoked_file_path, "w")
revoked_file.close()
except IOError:
self.revoked_file_path = None
print("Error: OCSP responder could not be initiated.")
def get_root_certificate():
"""
Get the certificate for the root CA
:return:
"""
if CertificateManager.cert_file_exists(CONFIG["pki"]["ca-cert-name"]):
# Certificate exists
return CertificateManager.load_cert(CONFIG["pki"]["ca-cert-name"])
else:
# Create CA certificate
pkey = CertificateManager.create_key_pair()
csr = CertificateManager.create_csr(pkey, O="AC-PKI", OU="CA", C="NO", ST="Oslo", L="Oslo",
CN="Root CA")
cert = CertificateManager.create_self_signed_cert(csr, pkey, RA.get_next_serial())
# Save files and return
CertificateManager.save_pkey(pkey, CONFIG["pki"]["ca-pkey-name"])
CertificateManager.save_cert(cert, CONFIG["pki"]["ca-cert-name"])
return cert
def __init__(self, ca, psa):
# Arguments
self.ca = ca
self.ocsp_responder = ca.ocsp_responder
self.psa = psa(self)
self.cert = None
self.verbose = CONFIG["verbose"]
# Config
self.cert_dir = CertificateManager.get_cert_path()
self.default_key_type = crypto.TYPE_RSA
self.default_key_size = 2048
self.organisation = "Corporation Ltd"
self.setup()
def get_keys():
pkey_name = CONFIG["pki"]["ca-pkey-name"]
if CertificateManager.cert_file_exists(pkey_name):
return CertificateManager.load_pkey(pkey_name)
from OpenSSL import crypto
from acpki.pki import CertificateManager
import os
"""
This file creates the basic certificates needed to use the AC-PKI system. The program should be called from the general
config script. If files already exist, this script WILL NOT replace them by default. Note that certificate files ARE NOT
shared via Git and will therefore need to be created on each individual system.
"""
print("Setting up certificates...")
# Create certs directory if it does not already exist
if not os.path.exists(CertificateManager.get_cert_path()):
os.makedirs(CertificateManager.get_cert_path())
print("Created certs directory")
# Create CA certificate
if CertificateManager.cert_file_exists(
"ca.cert") and CertificateManager.cert_file_exists("ca.pkey"):
# Load existing
print("Loading existing CA certificate from file")
ca_cert = CertificateManager.load_cert("ca.cert")
ca_key_pair = CertificateManager.load_pkey("ca.pkey")
else:
# Generate new
print("Generating CA certificate")
ca_key_pair = CertificateManager.create_key_pair(crypto.TYPE_RSA, 2048)
csr = CertificateManager.create_csr(ca_key_pair,
C="NO",
ST="Oslo",
O="Corp",
def setup(self, peer=None, epg=None):
# Load config
self.name = CONFIG["endpoints"]["server-name"]
self.address = CONFIG["endpoints"]["server-addr"]
self.port = CONFIG["endpoints"]["server-port"]
self.verbose = CONFIG["verbose"]
self.epg = epg
self.peer = peer
# Create Client peer
self.peer = EP(name=CONFIG["endpoints"]["client-name"],
address=CONFIG["endpoints"]["client-addr"],
port=CONFIG["endpoints"]["client-port"],
epg=CONFIG["endpoints"]["client-epg"])
# Load key material to create or request connection-specific certificate
server_pkey_name = CONFIG["pki"]["server-pkey-name"]
server_cert_name = CONFIG["pki"]["server-cert-name"]
if not CM.cert_file_exists(
server_pkey_name) or not CM.cert_file_exists(server_cert_name):
# Request certificate from RA
keys = CM.create_key_pair()
csr = CM.create_csr(keys)
request = CertificateRequest(self, self.peer, csr)
cert = self.ra.request_certificate(request)
if cert is None:
raise ConnectionError(
"Could not retrieve certificate needed to establish TLS connection."
)
# Save keys and certificate
CM.save_pkey(keys, server_pkey_name)
CM.save_cert(cert, server_cert_name)
self.cert = cert
self.keys = keys
else:
self.keys = CM.load_pkey(server_pkey_name)
self.cert = CM.load_cert(server_cert_name)
# Create context
self.context = SSL.Context(SSL.TLSv1_2_METHOD)
self.context.set_options(SSL.OP_NO_TLSv1_2)
self.context.set_verify(
SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
self.ssl_verify_cb)
self.context.set_ocsp_server_callback(self.ocsp_server_cb,
data=self.name)
self.context.use_privatekey(self.keys)
self.context.use_certificate(self.cert)
self.context.load_verify_locations(
CM.get_cert_path(CONFIG["pki"]["ca-cert-name"]))
def setup(self, peer, epg=None):
# Load config
self.name = CONFIG["endpoints"]["client-name"]
self.address = CONFIG["endpoints"]["client-addr"]
self.port = CONFIG["endpoints"]["client-port"]
self.verbose = CONFIG["verbose"]
self.epg = epg
self.peer = peer
# Load or request keys and certificate
client_pkey_name = CONFIG["pki"]["client-pkey-name"]
client_cert_name = CONFIG["pki"]["client-cert-name"]
self.ca_cert_name = CONFIG["pki"]["ca-cert-name"]
if not CM.cert_file_exists(
client_pkey_name) or not CM.cert_file_exists(client_cert_name):
# Request certificate from RA
keys = CM.create_key_pair()
csr = CM.create_csr(keys)
request = CertificateRequest(self, self.peer, csr)
cert = self.ra.request_certificate(request)
if cert is None:
raise ConnectionError(
"Could not retrieve certificate needed to establish TLS connection. "
"RA returned None.")
# Save keys and certificate
CM.save_pkey(keys, client_pkey_name)
CM.save_cert(cert, client_cert_name)
self.keys = keys
self.cert = cert
else:
self.keys = CM.load_pkey(client_pkey_name)
self.cert = CM.load_cert(client_cert_name)
# Define context
ctx = SSL.Context(SSL.TLSv1_2_METHOD)
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
self.ssl_verify_cb)
ctx.set_verify_depth(2)
ctx.use_privatekey(self.keys)
ctx.use_certificate(self.cert)
ctx.load_verify_locations(
CM.get_cert_path(CONFIG["pki"]["ca-cert-name"]))
ctx.set_ocsp_client_callback(self.ocsp_client_callback, data=self.name)
self.context = ctx