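def __init__(self, *args, **kargs):
    """Initialise a keytool-backed factory and make sure its CA certificate exists.

    All arguments are forwarded unchanged to ``CertificateFactory.__init__``.
    For a root factory (no ``parent``) the key/signature algorithm names are
    rewritten into keytool's spelling. When ``self.cacert`` is not on disk yet,
    the CA certificate is generated: self-signed for a root factory, or signed
    by the parent's CA for an intermediate one. ``generatePEM()`` is always
    called afterwards so the PEM copy of the CA certificate is available.
    """
    CertificateFactory.__init__(self, *args, **kargs)

    # keytool expects e.g. "RSA" and "SHA256withRSA".
    if not self.parent:
        self.keyalg = self.keyalg.upper()
        self.sigalg = self.sigalg.upper() + "with" + self.keyalg

    if not self.cacert.exists():
        cacert = self.cacert
        subAltName = cacert.getAlternativeName()
        issuerAltName = self.parent.cacert.getAlternativeName() if self.parent else None

        # bc:c marks BasicConstraints critical (CA certificate); the SAN/IAN
        # extensions are only requested when a name is configured.
        ext = "-ext bc:c"
        if subAltName:
            ext += " -ext san=" + subAltName
        if issuerAltName:
            ext += " -ext ian=" + issuerAltName

        if not self.parent:
            # Root CA: one self-signed key pair carrying the CA extensions.
            cacert.keyTool("genkeypair", ext, validity=self.validity, sigalg=self.sigalg)
        else:
            # Intermediate CA: create a key pair, have the parent CA sign a
            # request for it, then import the signed certificate together with
            # the whole parent chain so the keystore entry holds the full path.
            # NOTE(review): self.cacert is temporarily pointed at the parent's
            # CA while signing; presumably keyTool() resolves the signer
            # through self.cacert — confirm before restructuring this.
            self.cacert = self.parent.cacert
            cacert.keyTool("genkeypair")
            pem = cacert.keyTool("gencert", ext, validity=self.validity,
                                 stdin=cacert.keyTool("certreq"))
            chain = []
            parent = self.parent
            while parent:
                chain.append(d(read(parent.cacert.pem)))
                parent = parent.parent
            cacert.keyTool("importcert", stdin="".join(chain) + d(pem))
            self.cacert = cacert

    self.cacert.generatePEM()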
def _generateChild(self, cert, serial, validity):
    """Generate ``cert``'s key pair in its keystore and sign it with this factory's CA.

    Args:
        cert: certificate object whose ``keyTool`` wrapper is driven here.
        serial: accepted for interface compatibility; the keytool path does not use it.
        validity: validity in days. ``None`` (or 0) falls back to ``self.validity``;
            a negative value back-dates the start by that many days and uses the
            magnitude as the validity.

    Returns:
        ``cert``, after the signed certificate and the CA chain were imported into it.
    """
    san = cert.getAlternativeName()
    ian = self.cacert.getAlternativeName()

    # Key pair first, then a signing request for it.
    cert.keyTool("genkeypair")
    request = cert.keyTool("certreq")

    # ku:c = critical KeyUsage (digitalSignature, keyEncipherment); the name
    # extensions are only added when a value is available.
    parts = ["-ext ku:c=dig,keyEnc"]
    if san:
        parts.append("-ext san=" + san)
    if ian:
        parts.append("-ext ian=" + ian)
    ext = " ".join(parts)

    if validity is None or validity > 0:
        pem = cert.keyTool("gencert", ext, validity=(validity or self.validity), stdin=request)
    else:
        # Negative validity: shift the start date back and sign for |validity| days.
        start = "{validity}d".format(validity=validity)
        pem = cert.keyTool("gencert", ext, startdate=start, validity=-validity, stdin=request)

    # Import the signed certificate preceded by every CA up to the root so
    # the keystore entry carries the complete chain.
    issuers = []
    factory = self
    while factory:
        issuers.append(d(read(factory.cacert.pem)))
        factory = factory.parent
    cert.keyTool("importcert", stdin="".join(issuers) + d(pem))
    return cert
def toText(self):
    """Render the wrapped pyOpenSSL ``x509`` object as an OpenSSL-style text dump.

    The header lists version, serial, signature algorithm, issuer, validity
    window, subject and public key size; every X509v3 extension follows,
    indented under its short name.
    """
    def plain_name(name):
        # str(X509Name) looks like "<X509Name object '/CN=..'>"; keep only the DN.
        return str(name).replace("<X509Name object '", "").replace("'>", "")

    def parse_time(raw):
        # ASN.1 GeneralizedTime as emitted by pyOpenSSL, e.g. b"20240101000000Z".
        return datetime.datetime.strptime(d(raw), "%Y%m%d%H%M%SZ")

    cert = self.x509
    header = """Version: %s
Serial Number: %s
Signature Algorithm: %s
Issuer: %s
Validity:
    Not before: %s
    Not after: %s
Subject: %s
Subject Public Key Size: %s
X509v3 extensions:""" % (
        cert.get_version() + 1,  # pyOpenSSL reports the zero-based ASN.1 value
        cert.get_serial_number(),
        cert.get_signature_algorithm(),
        plain_name(cert.get_issuer()),
        parse_time(cert.get_notBefore()),
        parse_time(cert.get_notAfter()),
        plain_name(cert.get_subject()),
        str(cert.get_pubkey().bits()),
    )

    lines = [header]
    for index in range(cert.get_extension_count()):
        extension = cert.get_extension(index)
        name = d(extension.get_short_name()).strip()
        body = str(extension).replace("\n", "\n    ")
        lines.append("\n    " + name + ":\n    " + body)
    return "".join(lines)
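def __init__(self, *args, **kargs):
    """Initialise a keytool-backed factory and make sure its CA certificate exists.

    All arguments are forwarded unchanged to ``CertificateFactory.__init__``.
    For a root factory (no ``parent``) the key/signature algorithm names are
    rewritten into keytool's spelling. When ``self.cacert`` is not on disk yet,
    the CA certificate is generated: self-signed for a root factory, or signed
    by the parent's CA for an intermediate one. ``generatePEM()`` is always
    called afterwards so the PEM copy of the CA certificate is available.
    """
    CertificateFactory.__init__(self, *args, **kargs)

    # keytool expects e.g. "RSA" and "SHA256withRSA".
    if not self.parent:
        self.keyalg = self.keyalg.upper()
        self.sigalg = self.sigalg.upper() + "with" + self.keyalg

    if not self.cacert.exists():
        cacert = self.cacert
        subAltName = cacert.getAlternativeName()
        issuerAltName = self.parent.cacert.getAlternativeName() if self.parent else None

        # bc:c marks BasicConstraints critical (CA certificate); SAN, IAN and
        # EKU are only requested when a value is configured. Built with
        # explicit appends: the previous expression lacked a "+" before the
        # EKU part, so the IAN string was *called* with the EKU string and the
        # constructor raised TypeError whenever a CA had to be generated.
        ext = "-ext bc:c"
        if subAltName:
            ext += " -ext san=" + subAltName
        if issuerAltName:
            ext += " -ext ian=" + issuerAltName
        if self.extendedKeyUsage:
            ext += " -ext eku=" + self.extendedKeyUsage

        if not self.parent:
            # Root CA: one self-signed key pair carrying the CA extensions.
            cacert.keyTool("genkeypair", ext, validity=self.validity, sigalg=self.sigalg)
        else:
            # Intermediate CA: create a key pair, have the parent CA sign a
            # request for it, then import the signed certificate together with
            # the whole parent chain so the keystore entry holds the full path.
            # NOTE(review): self.cacert is temporarily pointed at the parent's
            # CA while signing; presumably keyTool() resolves the signer
            # through self.cacert — confirm before restructuring this.
            self.cacert = self.parent.cacert
            cacert.keyTool("genkeypair")
            pem = cacert.keyTool("gencert", ext, validity=self.validity,
                                 stdin=cacert.keyTool("certreq"))
            chain = []
            parent = self.parent
            while parent:
                chain.append(d(read(parent.cacert.pem)))
                parent = parent.parent
            cacert.keyTool("importcert", stdin="".join(chain) + d(pem))
            self.cacert = cacert

    self.cacert.generatePEM()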
def _generateChild(self, cert, serial, validity):
    """Generate ``cert``'s key pair in its keystore and sign it with this factory's CA.

    Args:
        cert: certificate object whose ``keyTool`` wrapper is driven here; its
            alternative name and extended key usage are read from it.
        serial: accepted for interface compatibility; the keytool path does not use it.
        validity: validity in days. ``None`` (or 0) falls back to ``self.validity``;
            a negative value back-dates the start by that many days and uses the
            magnitude as the validity.

    Returns:
        ``cert``, after the signed certificate and the CA chain were imported into it.
    """
    san = cert.getAlternativeName()
    ian = self.cacert.getAlternativeName()
    eku = cert.getExtendedKeyUsage()

    # Key pair first, then a signing request for it.
    cert.keyTool("genkeypair")
    request = cert.keyTool("certreq")

    # ku:c = critical KeyUsage (digitalSignature, keyEncipherment); SAN, IAN
    # and EKU are only added when a value is available.
    parts = ["-ext ku:c=dig,keyEnc"]
    if san:
        parts.append("-ext san=" + san)
    if ian:
        parts.append("-ext ian=" + ian)
    if eku:
        parts.append("-ext eku=" + eku)
    ext = " ".join(parts)

    if validity is None or validity > 0:
        pem = cert.keyTool("gencert", ext, validity=(validity or self.validity), stdin=request)
    else:
        # Negative validity: shift the start date back and sign for |validity| days.
        start = "{validity}d".format(validity=validity)
        pem = cert.keyTool("gencert", ext, startdate=start, validity=-validity, stdin=request)

    # Import the signed certificate preceded by every CA up to the root so
    # the keystore entry carries the complete chain.
    issuers = []
    factory = self
    while factory:
        issuers.append(d(read(factory.cacert.pem)))
        factory = factory.parent
    cert.keyTool("importcert", stdin="".join(issuers) + d(pem))
    return cert
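def savePKCS12(self, path, password=None, chain=True, root=False, addkey=None):
    """Export this certificate, optionally with its chain and private key, as PKCS#12.

    Args:
        path: destination file for the PKCS#12 bundle.
        password: export password. When omitted the literal "password" is used;
            that fallback is a fixed, well-known value, so callers producing
            anything beyond local fixtures should pass one explicitly.
        chain: include the issuing CA certificates in the bundle.
        root: when ``chain`` is set, also include the root CA certificate.
        addkey: include the private key. Defaults to True unless this
            certificate is the factory's own CA certificate.

    Returns:
        ``self``, for call chaining.
    """
    if addkey is None:
        addkey = self != self.parent.cacert

    chainfile = None
    try:
        if chain:
            # Collect the issuer PEMs walking up the factory chain. The
            # condition parses as `while (parent if root else parent.parent)`,
            # i.e. the root CA is only visited when explicitly requested.
            certs = []
            parent = self.parent
            while parent if root else parent.parent:
                certs.append(d(read(parent.cacert.pem)))
                parent = parent.parent
            if certs:
                (f, chainfile) = tempfile.mkstemp()
                try:
                    os.write(f, b("".join(certs)))
                finally:
                    os.close(f)

        if addkey:
            self.openSSL("pkcs12", out=path, inkey=self.key, certfile=chainfile,
                         password=password or "password")
        else:
            # Certificate-only bundle. Previously the "-nokeys" flag was
            # computed but never passed, so the private key was exported even
            # when addkey was False.
            self.openSSL("pkcs12", "-nokeys", out=path, certfile=chainfile,
                         password=password or "password")
    finally:
        # The temporary chain file is removed whether or not the export succeeded.
        if chainfile:
            os.remove(chainfile)
    return self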
def toText(self):
    """Render the wrapped pyOpenSSL ``x509`` object as an OpenSSL-style text dump.

    The header lists version, serial, signature algorithm, issuer, validity
    window and subject; every X509v3 extension follows, indented under its
    short name.
    """
    def plain_name(name):
        # str(X509Name) looks like "<X509Name object '/CN=..'>"; keep only the DN.
        return str(name).replace("<X509Name object '", "").replace("'>", "")

    def parse_time(raw):
        # ASN.1 GeneralizedTime as emitted by pyOpenSSL, e.g. b"20240101000000Z".
        return datetime.datetime.strptime(d(raw), "%Y%m%d%H%M%SZ")

    cert = self.x509
    header = """Version: %s
Serial Number: %s
Signature Algorithm: %s
Issuer: %s
Validity:
    Not before: %s
    Not after: %s
Subject: %s
X509v3 extensions:""" % (
        cert.get_version() + 1,  # pyOpenSSL reports the zero-based ASN.1 value
        cert.get_serial_number(),
        cert.get_signature_algorithm(),
        plain_name(cert.get_issuer()),
        parse_time(cert.get_notBefore()),
        parse_time(cert.get_notAfter()),
        plain_name(cert.get_subject()),
    )

    lines = [header]
    for index in range(cert.get_extension_count()):
        extension = cert.get_extension(index)
        name = d(extension.get_short_name()).strip()
        body = str(extension).replace("\n", "\n    ")
        lines.append("\n    " + name + ":\n    " + body)
    return "".join(lines)
def toText(self):
    """Return keytool's verbose ``printcert`` dump of this certificate.

    The certificate is first exported from its own keystore and the exported
    bytes are fed on stdin to the parent factory's keytool wrapper.
    """
    exported = self.keyTool("exportcert")
    dump = self.parent.keyTool("printcert", "-v", stdin=exported)
    return d(dump)
def getSubjectHash(self):
    """Return the OpenSSL subject hash of this certificate, decoded as text.

    This is the value ``openssl x509 -noout -subject_hash`` prints, as used for
    hashed CA directory file names.
    """
    output = self.openSSL("x509", "-noout", "-subject_hash")
    return d(output)
def toText(self):
    """Return the human-readable ``openssl x509 -noout -text`` dump of this certificate."""
    output = self.openSSL("x509", "-noout", "-text")
    return d(output)
def load(self):
    """Populate ``self.dn`` from the certificate's subject as printed by OpenSSL.

    The ``subject=`` prefix is dropped and OpenSSL's "/"-separated RDN syntax
    is turned into the ","-separated form ``DistinguishedName.parse`` reads.
    ``self.dn`` is left untouched when OpenSSL prints nothing.

    Returns:
        ``self``, for call chaining.
    """
    subject = d(self.openSSL("x509", "-noout", "-subject"))
    if subject:
        # Everything after the first "=" (the whole string if there is none).
        rdns = subject.split("=", 1)[-1]
        self.dn = DistinguishedName.parse(rdns.replace("/", ","))
    return self