def _extract_cert_from_data(f,
password=None,
key_converter=None,
cert_converter=None):
certs = []
private_key = None
if isinstance(f, unicode):
f = StringIO(str(f))
elif isinstance(f, str):
f = StringIO(f)
if not hasattr(f, 'seek'):
raise TypeError(
"PEM lib (data must be a file like object, string or bytes")
if _is_cert_pem(f):
certs, private_key = _read_pem_cert_from_data(f, password,
key_converter,
cert_converter)
else:
cf = CertificateFactory.getInstance("X.509")
certs = list(cf.generateCertificates(ByteArrayInputStream(f.read())))
return certs, private_key
def _load_certificates(self, f):
cf = CertificateFactory.getInstance("X.509")
try:
for cert in cf.generateCertificates(BufferedInputStream(f)):
self._trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
except CertificateParsingException:
log.debug("Failed to parse certificate", exc_info=True)
raise
def _load_certificates(self, f):
cf = CertificateFactory.getInstance("X.509")
try:
for cert in cf.generateCertificates(BufferedInputStream(f)):
self._trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
except CertificateParsingException:
log.debug("Failed to parse certificate", exc_info=True)
raise
def _get_ca_certs_trust_manager(ca_certs):
trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
trust_store.load(None, None)
with open(ca_certs) as f:
cf = CertificateFactory.getInstance("X.509")
for cert in cf.generateCertificates(BufferedInputStream(f)):
trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(trust_store)
return tmf
def _get_ca_certs_trust_manager(ca_certs):
trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
trust_store.load(None, None)
num_certs_installed = 0
with open(ca_certs) as f:
cf = CertificateFactory.getInstance("X.509")
for cert in cf.generateCertificates(BufferedInputStream(f)):
trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
num_certs_installed += 1
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(trust_store)
log.debug("Installed %s certificates", num_certs_installed, extra={"sock": "*"})
return tmf
def _get_ca_certs_trust_manager(ca_certs=None):
trust_store = KeyStore.getInstance(KeyStore.getDefaultType())
trust_store.load(None, None)
num_certs_installed = 0
if ca_certs is not None:
with open(ca_certs) as f:
cf = CertificateFactory.getInstance("X.509")
for cert in cf.generateCertificates(BufferedInputStream(f)):
trust_store.setCertificateEntry(str(uuid.uuid4()), cert)
num_certs_installed += 1
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(trust_store)
log.debug("Installed %s certificates", num_certs_installed, extra={"sock": "*"})
return tmf
def trustSpecificCertificate(self, pemCertificateFile, pemCertificateAlias):
from java.io import BufferedInputStream, FileInputStream
from java.security import KeyStore
from java.security.cert import CertificateFactory, X509Certificate
from javax.net.ssl import SSLContext, TrustManagerFactory
fis = FileInputStream(pemCertificateFile)
bis = BufferedInputStream(fis)
ca = CertificateFactory.getInstance("X.509").generateCertificate(bis)
ks = KeyStore.getInstance(KeyStore.getDefaultType())
ks.load(None, None)
ks.setCertificateEntry(pemCertificateAlias, ca)
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
tmf.init(ks)
context = SSLContext.getInstance("SSL")
context.init(None, tmf.getTrustManagers(), None)
SSLContext.setDefault(context)
def _extract_cert_from_data(f, password=None, key_converter=None, cert_converter=None):
certs = []
private_key = None
if isinstance(f, unicode):
f = StringIO(str(f))
elif isinstance(f, str):
f = StringIO(f)
if not hasattr(f, 'seek'):
raise TypeError("PEM lib (data must be a file like object, string or bytes")
if _is_cert_pem(f):
certs, private_key = _read_pem_cert_from_data(f, password, key_converter, cert_converter)
else:
cf = CertificateFactory.getInstance("X.509")
certs = list(cf.generateCertificates(ByteArrayInputStream(f.read())))
return certs, private_key
def trustSpecificCertificate(self, pemCertificateFile,
pemCertificateAlias):
from java.io import BufferedInputStream, FileInputStream
from java.security import KeyStore
from java.security.cert import CertificateFactory, X509Certificate
from javax.net.ssl import SSLContext, TrustManagerFactory
fis = FileInputStream(pemCertificateFile)
bis = BufferedInputStream(fis)
ca = CertificateFactory.getInstance("X.509").generateCertificate(bis)
ks = KeyStore.getInstance(KeyStore.getDefaultType())
ks.load(None, None)
ks.setCertificateEntry(pemCertificateAlias, ca)
tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm())
tmf.init(ks)
context = SSLContext.getInstance("SSL")
context.init(None, tmf.getTrustManagers(), None)
SSLContext.setDefault(context)
def __get_certificate_infos(self):
infos = []
es = EntityStoreAPI.wrap(self.__fed_archive.getEntityStore(),
self.__passphrase_in)
cert_entities = es.getAll(
"/[Certificates]name=Certificate Store/[Certificate]**")
cf = CertificateFactory.getInstance("X.509")
for cert_entity in cert_entities:
alias = cert_entity.getStringValue("dname")
subject = None
not_after = None
content = cert_entity.getBinaryValue("content")
if content:
cert = cf.generateCertificate(ByteArrayInputStream(content))
subject = cert.getSubjectDN().getName()
not_after = cert.getNotAfter()
infos.append(CertInfo(alias, subject, not_after))
return infos
print 'Install certificate %s to target %s' % (deployed.name, deployed.container.name)
# Load the keystore
print 'Loading keystore %s' % (deployed.container.keystore)
ks = KeyStore.getInstance(deployed.container.keystoreType)
ksfi = FileInputStream(deployed.container.keystore)
try:
ks.load(ksfi, deployed.container.passphrase)
# Load certificates (base64 encoded DER/PEM-encoded certificates)
# http://docs.oracle.com/javase/7/docs/api/java/security/cert/CertificateFactory.html#generateCertificates(java.io.InputStream)
print 'Loading the certificate(chain)'
inStream = ByteArrayInputStream(DatatypeConverter.parseBase64Binary(String(deployed.certificate)))
cf = CertificateFactory.getInstance("X.509")
chain = cf.generateCertificates(inStream).toArray(jarray.zeros(0, java.security.cert.Certificate))
# Save the private key entry (base64 PKCS8 DER encoded)
print 'Storing key/certificate %s (alias=%s) in keystore %s' % (deployed.name, deployed.alias, deployed.container.keystore)
kf = KeyFactory.getInstance(deployed.keyAlgorithm)
key = kf.generatePrivate(PKCS8EncodedKeySpec(DatatypeConverter.parseBase64Binary(String(deployed.key))))
ks.setEntry(deployed.alias, KeyStore.PrivateKeyEntry(key, chain), KeyStore.PasswordProtection(deployed.keyPassword))
ksfo = FileOutputStream(deployed.container.keystore)
try:
ks.store(ksfo, deployed.container.passphrase)
print 'Stored key/certificate %s (alias=%s) in keystore %s' % (deployed.name, deployed.alias, deployed.container.keystore)
finally:
ksfo.close()
finally:
def __configure_certificates(self):
if self.__cert_config is not None:
# determine existing certificates
logging.info("Determine existing certificates")
cert_infos = self.__get_certificate_infos()
self.__cert_config.set_cert_infos(cert_infos)
self.__cert_config.update_config_file()
# apply configured certificates
logging.info("Configure certificates")
certs = self.__cert_config.get_certificates()
es = EntityStoreAPI.wrap(self.__fed_archive.getEntityStore(),
self.__passphrase_in)
cert_infos = []
cert = None
for cert_ref in certs:
file = self.__resolve_file_path(cert_ref.get_file())
logging.info("Process alias '%s' (%s): %s" %
(cert_ref.get_alias(), cert_ref.get_type(), file))
if cert_ref.get_type() == "crt":
cf = CertificateFactory.getInstance("X.509")
if os.path.isfile(file):
fis = FileInputStream(file)
cert = cf.generateCertificate(fis)
self.__add_or_replace_certificate(
es, cert_ref.get_alias(), cert)
else:
if self.__simulation_mode:
logging.warning(
"[SIMULATION_MODE] Certificate file not found, certificate (CRT) ignored: alias=%s"
% (cert_ref.get_alias()))
continue
else:
raise ValueError(
"Certificate file not found for alias '%s': %s"
% (cert_ref.get_alias(), file))
elif cert_ref.get_type() == "p12":
if os.path.isfile(file):
key = self.__get_key_from_p12(file,
cert_ref.get_password())
cert = self.__get_cert_from_p12(
file, cert_ref.get_password())
self.__add_or_replace_certificate(
es, cert_ref.get_alias(), cert, key)
else:
if self.__simulation_mode:
logging.warning(
"[SIMULATION_MODE] Certificate file not found, certificate (P12) ignored: alias=%s"
% (cert_ref.get_alias()))
continue
else:
raise ValueError(
"Certificate file not found for alias '%s': %s"
% (cert_ref.get_alias(), file))
elif cert_ref.get_type() == "empty":
self.__remove_certificate(es, cert_ref.get_alias())
logging.info("Certificate removed: %s" %
(cert_ref.get_alias()))
continue
else:
raise ValueError("Unsupported certificate type: %s" %
(cert_ref.get_type()))
subject = cert.getSubjectDN().getName()
not_after = cert.getNotAfter()
cert_info = CertInfo(cert_ref.get_alias(), subject, not_after)
logging.info(
"Certificate (%s) added/replaced: %s [%s] - %s" %
(cert_ref.get_type(), cert_info.get_alias(),
cert_info.format_not_after(), cert_info.get_subject()))
cert_infos.append(cert_info)
if self.__update_cert_config:
self.__cert_config.set_update_cert_infos(cert_infos)
self.__cert_config.update_config_file()
if self.__expiration_days >= 0:
logging.info(
"Checking for certificate expiration within %i days." %
(self.__expiration_days))
has_expired = False
for cert_info in cert_infos:
expiration_days = cert_info.expiration_in_days()
if self.__expiration_days > expiration_days:
logging.error("Certificate '%s' expires in %i days!" %
(cert_info.get_alias(), expiration_days))
has_expired = True
if has_expired:
raise ValueError(
"At least one certificate expires in less than %i days; check log file!"
% (self.__expiration_days))
if not self.__simulation_mode:
DeploymentArchive.updateConfiguration(self.__fed_archive,
es.es)
logging.info("Certificates updated.")
else:
logging.info(
"[SIMULATION_MODE] Certificates simulation succeeded.")
return True
from etld import get_eTLD_service
from base64 import b64decode
from java.security.cert import X509Certificate, CertificateFactory
from java.io import StringBufferInputStream
from javax.naming.ldap import LdapName
cert_factory = CertificateFactory.getInstance('X.509')
svc = get_eTLD_service()
class CertChainFilter:
def redact_ee(self, ee):
cert_data = b64decode(ee)
x509_cert = cert_factory.generateCertificate(
StringBufferInputStream(cert_data))
dn = x509_cert.getSubjectDN().getName()
LDAP_dn = LdapName(dn)
redacted_ee = {}
cn = ''
for rdn in LDAP_dn.getRdns():
if rdn.getType() == 'CN':
cn = rdn.getValue()
redacted_ee['redactedCN'] = svc.get_base_domain(cn)
return redacted_ee
def filter_document(self, document):
failedCertChain = document['failedCertChain']
try:
if failedCertChain:
document['failedCertChain'] = None
