def generateProxyToString(self, lifeTime, diracGroup=False, strength=1024, limited=False, rfc=False, proxyKey=False):
"""
Generate a proxy and get it as a string
Args:
lifeTime (int): expected lifetime in seconds of proxy
diracGroup (str): diracGroup to add to the certificate
strength (int): length in bits of the pair
limited (bool): Create a limited proxy
"""
if not self.__loadedChain:
return S_ERROR(DErrno.ENOCHAIN)
if not self.__loadedPKey:
return S_ERROR(DErrno.ENOPKEY)
if self.__isProxy:
rfc = self.isRFC().get('Value', False)
issuerCert = self.__certList[0]
if not proxyKey:
proxyKey = crypto.PKey()
proxyKey.generate_key(crypto.TYPE_RSA, strength)
proxyCert = crypto.X509()
if rfc:
proxyCert.set_serial_number(str(int(random.random() * 10 ** 10)))
cloneSubject = issuerCert.get_subject().clone()
cloneSubject.insert_entry("CN", str(int(random.random() * 10 ** 10)))
proxyCert.set_subject(cloneSubject)
proxyCert.add_extensions(self.__getProxyExtensionList(diracGroup, rfc and not limited, rfc and limited))
else:
proxyCert.set_serial_number(issuerCert.get_serial_number())
cloneSubject = issuerCert.get_subject().clone()
if limited:
cloneSubject.insert_entry("CN", "limited proxy")
else:
cloneSubject.insert_entry("CN", "proxy")
proxyCert.set_subject(cloneSubject)
proxyCert.add_extensions(self.__getProxyExtensionList(diracGroup))
proxyCert.set_issuer(issuerCert.get_subject())
proxyCert.set_version(issuerCert.get_version())
proxyCert.set_pubkey(proxyKey)
proxyCert.gmtime_adj_notBefore(-900)
proxyCert.gmtime_adj_notAfter(int(lifeTime))
proxyCert.sign(self.__keyObj, 'sha256')
proxyString = "%s%s" % (crypto.dump_certificate(crypto.FILETYPE_PEM, proxyCert),
crypto.dump_privatekey(crypto.FILETYPE_PEM, proxyKey))
for i in range(len(self.__certList)):
proxyString += crypto.dump_certificate(crypto.FILETYPE_PEM, self.__certList[i])
return S_OK(proxyString)
def generateProxyToString(self,
lifeTime,
diracGroup=False,
strength=1024,
limited=False):
"""
Generate a proxy and get it as a string
Args:
- lifeTime : expected lifetime in seconds of proxy
- diracGroup : diracGroup to add to the certificate
- strength : length in bits of the pair
- limited : Create a limited proxy
"""
if not self.__loadedChain:
return S_ERROR("No chain loaded")
if not self.__loadedPKey:
return S_ERROR("No pkey loaded")
issuerCert = self.__certList[0]
proxyKey = crypto.PKey()
proxyKey.generate_key(crypto.TYPE_RSA, strength)
proxyCert = crypto.X509()
cloneSubject = issuerCert.get_subject().clone()
if limited:
cloneSubject.insert_entry("CN", "limited proxy")
else:
cloneSubject.insert_entry("CN", "proxy")
proxyCert.set_subject(cloneSubject)
proxyCert.set_serial_number(issuerCert.get_serial_number())
proxyCert.set_issuer(issuerCert.get_subject())
proxyCert.set_version(issuerCert.get_version())
proxyCert.set_pubkey(proxyKey)
proxyCert.add_extensions(self.__getProxyExtensionList(diracGroup))
proxyCert.gmtime_adj_notBefore(-900)
proxyCert.gmtime_adj_notAfter(lifeTime)
proxyCert.sign(self.__keyObj, 'sha1')
proxyString = "%s%s" % (crypto.dump_certificate(
crypto.FILETYPE_PEM,
proxyCert), crypto.dump_privatekey(crypto.FILETYPE_PEM, proxyKey))
for i in range(len(self.__certList)):
proxyString += crypto.dump_certificate(crypto.FILETYPE_PEM,
self.__certList[i])
return S_OK(proxyString)
if lastEntry[0] == "CN" and lastEntry[1] == "limited proxy":
isLimited = True
for entryTuple in reqSubj.get_components():
if isLimited and entryTuple[0] == "CN" and entryTuple[1] == "proxy":
return S_ERROR(
"Request is for a full proxy and chain is a limited one")
if entryTuple[0] == "CN" and entryTuple[1] == "limited proxy":
isLimited = True
newSubj.insert_entry(entryTuple[0], entryTuple[1])
if requireLimited and not isLimited:
return S_ERROR(
"Only limited proxies are allowed to be delegated but request was for a full one"
)
childCert = crypto.X509()
childCert.set_subject(newSubj)
childCert.set_issuer(issuerCert.get_subject())
childCert.set_serial_number(issuerCert.get_serial_number())
childCert.set_version(issuerCert.get_version())
childCert.set_pubkey(req.get_pubkey())
childCert.add_extensions(self.__getProxyExtensionList(diracGroup))
childCert.gmtime_adj_notBefore(-900)
childCert.gmtime_adj_notAfter(lifetime)
childCert.sign(self.__keyObj, 'md5')
childString = crypto.dump_certificate(crypto.FILETYPE_PEM, childCert)
for i in range(len(self.__certList)):
childString += crypto.dump_certificate(crypto.FILETYPE_PEM,
self.__certList[i])
