def __setattr__(self, attr, value):
    """Assign *value* to *attr*, writing distinguished-name fields through to the name object.

    Keys of ``self.nid`` are DN fields: they are stored in ``self.x509_name``
    via ``m2.x509_name_set_by_nid`` and never appear in ``__dict__``.  Any
    other attribute is stored on the instance as usual.

    :param attr: attribute name, possibly a DN field key of ``self.nid``
    :param value: value to store
    :return: for DN fields, the status code of ``m2.x509_name_set_by_nid``
        (failures are reported through it, not raised -- the caller has to
        check it); ``None`` for ordinary attributes
    :raises AssertionError: when ``self.x509_name`` fails ``m2.x509_name_type_check``
    """
    if attr not in self.nid:
        # Plain attribute: write to __dict__ directly so this override does not recurse.
        self.__dict__[attr] = value
        return None

    assert m2.x509_name_type_check(self.x509_name), "'x509_name' type error"
    field_nid = self.nid[attr]
    return m2.x509_name_set_by_nid(self.x509_name, field_nid, value)
def __setattr__(self, attr, value):
    # type: (str, AnyStr) -> int
    """Assign *value* to *attr*, writing distinguished-name fields through to the name object.

    Keys of ``self.nid`` are DN fields: the value is converted with
    ``util.py3bytes`` and stored in ``self.x509_name`` via
    ``m2.x509_name_set_by_nid``; it never appears in ``__dict__``.  Any
    other attribute is stored on the instance as usual.

    :return: for DN fields, 1 for success or 0 if an error occurred (the
        status of ``m2.x509_name_set_by_nid`` is returned, not raised, so
        callers have to check it); ``None`` for ordinary attributes
    :raises AssertionError: when ``self.x509_name`` fails ``m2.x509_name_type_check``
    """
    if attr not in self.nid:
        # Plain attribute: write to __dict__ directly so this override does not recurse.
        self.__dict__[attr] = value
        return None

    assert m2.x509_name_type_check(self.x509_name), "'x509_name' type error"
    field_nid = self.nid[attr]
    raw_value = util.py3bytes(value)
    return m2.x509_name_set_by_nid(self.x509_name, field_nid, raw_value)
def __setattr__(self, attr, value):
    # type: (str, AnyStr) -> int
    """Assign *value* to *attr*, writing distinguished-name fields through to the name object.

    Keys of ``self.nid`` are DN fields: the value is converted with
    ``six.ensure_binary`` and stored in ``self.x509_name`` via
    ``m2.x509_name_set_by_nid``; it never appears in ``__dict__``.  Any
    other attribute is stored on the instance as usual.

    :return: for DN fields, 1 for success or 0 if an error occurred (the
        status of ``m2.x509_name_set_by_nid`` is returned, not raised, so
        callers have to check it); ``None`` for ordinary attributes
    :raises AssertionError: when ``self.x509_name`` fails ``m2.x509_name_type_check``
    """
    if attr not in self.nid:
        # Plain attribute: write to __dict__ directly so this override does not recurse.
        self.__dict__[attr] = value
        return None

    assert m2.x509_name_type_check(self.x509_name), "'x509_name' type error"
    field_nid = self.nid[attr]
    raw_value = six.ensure_binary(value)
    return m2.x509_name_set_by_nid(self.x509_name, field_nid, raw_value)
def __fillX509Name(self, field, value):
    """Fill one DN field of the wrapped X509_Name via M2Crypto.

    The value is first set through ``m2.x509_name_set_by_nid``; when that
    reports failure (returns 0) the text-based ``add_entry_by_txt`` path is
    tried as a fallback.  An empty *value* is skipped and counts as success.

    :param basestring field: DN field name (a key of ``self.fs2nid``)
    :param basestring value: value of the field
    :return: S_OK() on success, S_ERROR() when neither method could set the field
    """
    if not value:
        return S_OK()

    status = m2.x509_name_set_by_nid(self.__X509Name.x509_name,  # pylint: disable=no-member
                                     self.fs2nid[field], value)
    if status != 0:
        return S_OK()

    # Fallback: add the entry from its textual form.
    added = self.__X509Name.add_entry_by_txt(field=field, type=ASN1.MBSTRING_ASC,
                                             entry=value, len=-1, loc=-1, set=0)
    if added != 1:
        return S_ERROR('Cannot set "%s" field.' % field)
    return S_OK()
def __fillX509Name(self, field, values):
    """Fill one DN field of the wrapped X509_Name with several values, in order.

    Each value is set through ``m2.x509_name_set_by_nid`` (as bytes); when
    that reports failure (returns 0) the text-based ``add_entry_by_txt``
    path is tried as a fallback.  Falsy values are skipped.  The first value
    that cannot be set through either path aborts the loop with S_ERROR().

    :param str field: DN field name (a key of ``self.fields2nid``)
    :param list values: values of the field, order important
    :return: S_OK()/S_ERROR()
    """
    for entry in values:
        if not entry:
            continue

        status = m2.x509_name_set_by_nid(  # pylint: disable=no-member
            self.__X509Name.x509_name, self.fields2nid[field], entry.encode())
        if status != 0:
            continue

        # Fallback: add the entry from its textual form.
        added = self.__X509Name.add_entry_by_txt(
            field=field, type=ASN1.MBSTRING_ASC, entry=entry, len=-1, loc=-1, set=0)
        if added != 1:
            return S_ERROR('Cannot set "%s" field.' % field)

    return S_OK()
def _sign_request(self, x509_request, lifetime):
    """Build and sign a proxy certificate answering *x509_request*.

    The proxy's subject is rebuilt from the textual form of the subject of
    ``self.context.x509`` plus a ``commonName`` RDN (a timestamp when the
    chain contains an RFC 3820 proxy, ``'proxy'`` otherwise).  It takes the
    request's public key, is valid from now until the earlier of
    ``now + lifetime`` and the expiry of every certificate in
    ``self.context.x509_list``, and is signed with ``self.context.evp_key``.

    :param x509_request: certificate request providing the public key
    :param lifetime: requested validity period (added to the current time;
        presumably a ``timedelta`` -- confirm against callers)
    :return: the signed ``X509.X509`` proxy
    :raises NotImplementedError: when an RFC 3820 proxy is required but
        X509v3 extensions are unavailable
    """
    not_before = ASN1.ASN1_UTCTIME()
    not_before.set_datetime(datetime.now(UTC))
    not_after = ASN1.ASN1_UTCTIME()
    not_after.set_datetime(datetime.now(UTC) + lifetime)
    proxy_subject = X509.X509_Name()
    # NOTE(review): the subject is copied by splitting its text form on ','
    # and '='.  An RDN value containing either character, or a key missing
    # from Delegator.nid, breaks this loop (ValueError/KeyError), and the
    # status returned by x509_name_set_by_nid is never checked.  Copying the
    # entries of get_subject() directly would avoid the text round-trip.
    for key, value in map(lambda e: e.split('='), self.context.x509.get_subject().as_text().split(',')):
        key = key.strip()
        value = value.strip()
        m2.x509_name_set_by_nid(proxy_subject._ptr(), Delegator.nid[key], value)
    proxy = X509.X509()
    proxy.set_serial_number(self.context.x509.get_serial_number())
    # This version is overridden by set_version(2) just before signing.
    proxy.set_version(x509_request.get_version())
    proxy.set_issuer(self.context.x509.get_subject())
    proxy.set_pubkey(x509_request.get_pubkey())
    # Extensions are broken in SL5!!  Without them the proxy carries no
    # basicConstraints / keyUsage / authorityKeyIdentifier.
    if _m2crypto_extensions_broken():
        log.warning("X509v3 extensions disabled!")
    else:
        # X509v3 Basic Constraints
        proxy.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', critical=True))
        # X509v3 Key Usage
        proxy.add_ext(X509.new_extension('keyUsage', 'Digital Signature, Key Encipherment', critical=True))
        # X509v3 Authority Key Identifier
        identifier_ext = _workaround_new_extension(
            'authorityKeyIdentifier', 'keyid', critical=False, issuer=self.context.x509
        )
        proxy.add_ext(identifier_ext)
    # Make sure the proxy is not longer than any other inside the chain, and look for RFC 3820
    any_rfc_proxies = False
    for cert in self.context.x509_list:
        if cert.get_not_after().get_datetime() < not_after.get_datetime():
            not_after = cert.get_not_after()
        # NOTE(review): the bare except also swallows KeyboardInterrupt and
        # SystemExit; `except Exception:` (or the exception get_ext raises
        # when the extension is absent) would be the narrower form.
        try:
            cert.get_ext('proxyCertInfo')
            any_rfc_proxies = True
        except:
            pass
    proxy.set_not_after(not_after)
    proxy.set_not_before(not_before)
    if any_rfc_proxies:
        if _m2crypto_extensions_broken():
            raise NotImplementedError("X509v3 extensions are disabled, so RFC proxies can not be generated!")
        else:
            _add_rfc3820_extensions(proxy)
    # The commonName return status is not checked either; a failure here
    # leaves the subject without a CN.
    if any_rfc_proxies:
        m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'], str(int(time.time())))
    else:
        m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'], 'proxy')
    proxy.set_subject(proxy_subject)
    proxy.set_version(2)
    # NOTE(review): SHA-1 signatures are rejected at current OpenSSL security
    # levels; 'sha256' should replace it once every verifier of these
    # proxies accepts it.
    proxy.sign(self.context.evp_key, 'sha1')
    return proxy
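def _sign_request(self, x509_request, lifetime):
    """Build and sign a proxy certificate answering *x509_request*.

    The proxy copies the subject of ``self.context.x509`` entry by entry and
    appends a ``commonName`` RDN (a timestamp when the chain contains an
    RFC 3820 proxy, ``'proxy'`` otherwise).  It takes the request's public
    key, is valid from now until the earlier of ``now + lifetime`` and the
    expiry of every certificate in ``self.context.x509_list``, and is signed
    with ``self.context.evp_key``.

    :param x509_request: certificate request providing the public key
    :param lifetime: requested validity period (added to the current time;
        presumably a ``timedelta`` -- confirm against callers)
    :return: the signed ``X509.X509`` proxy
    :raises Exception: when a subject entry cannot be copied or the
        ``commonName`` cannot be set (OpenSSL's error reason is included)
    :raises NotImplementedError: when an RFC 3820 proxy is required but
        X509v3 extensions are unavailable
    """
    now = datetime.now(UTC)
    not_before = ASN1.ASN1_UTCTIME()
    not_before.set_datetime(now)
    not_after = ASN1.ASN1_UTCTIME()
    not_after.set_datetime(now + lifetime)

    # Copy the issuer's subject entry by entry; every status is checked so a
    # partially copied subject can never be signed.
    proxy_subject = X509.X509_Name()
    for entry in self.context.x509.get_subject():
        ret = m2.x509_name_add_entry(proxy_subject._ptr(), entry._ptr(), -1, 0)
        if ret == 0:
            raise Exception(
                "%s: '%s'" % (m2.err_reason_error_string(m2.err_get_error()), entry)
            )

    proxy = X509.X509()
    proxy.set_serial_number(self.context.x509.get_serial_number())
    proxy.set_issuer(self.context.x509.get_subject())
    proxy.set_pubkey(x509_request.get_pubkey())

    # Extensions are broken in SL5!!  Without them the proxy carries no
    # basicConstraints / keyUsage / authorityKeyIdentifier.
    if _m2crypto_extensions_broken():
        log.warning("X509v3 extensions disabled!")
    else:
        # X509v3 Basic Constraints
        proxy.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', critical=True))
        # X509v3 Key Usage
        proxy.add_ext(X509.new_extension('keyUsage', 'Digital Signature, Key Encipherment', critical=True))
        # X509v3 Authority Key Identifier
        identifier_ext = _workaround_new_extension(
            'authorityKeyIdentifier', 'keyid', critical=False, issuer=self.context.x509
        )
        proxy.add_ext(identifier_ext)

    # FTS-1217: the proxy must never outlive any certificate in the chain, so
    # the requested lifetime is only an upper bound.  Every certificate --
    # including the first one, which the previous running-minimum loop never
    # compared -- is checked against the current not_after.  The same pass
    # looks for an RFC 3820 proxyCertInfo extension anywhere in the chain.
    any_rfc_proxies = False
    for cert in self.context.x509_list:
        cert_not_after = cert.get_not_after()
        if cert_not_after.get_datetime() < not_after.get_datetime():
            not_after = cert_not_after
        try:
            cert.get_ext('proxyCertInfo')
            any_rfc_proxies = True
        except Exception:
            # get_ext presumably raises when the extension is absent; that
            # only means this certificate is not an RFC 3820 proxy.
            pass
    proxy.set_not_after(not_after)
    proxy.set_not_before(not_before)

    if any_rfc_proxies:
        if _m2crypto_extensions_broken():
            raise NotImplementedError("X509v3 extensions are disabled, so RFC proxies can not be generated!")
        _add_rfc3820_extensions(proxy)

    # RFC 3820 proxies get a unique numeric CN; legacy proxies use 'proxy'.
    if any_rfc_proxies:
        common_name = str(int(time.time()))
    else:
        common_name = 'proxy'
    ret = m2.x509_name_set_by_nid(proxy_subject._ptr(), X509.X509_Name.nid['commonName'], common_name)
    if ret == 0:
        raise Exception(
            "%s: cannot set commonName '%s'" % (m2.err_reason_error_string(m2.err_get_error()), common_name)
        )
    proxy.set_subject(proxy_subject)
    # Always an X.509 v3 certificate (extensions require it); the request's
    # own version is irrelevant to the proxy.
    proxy.set_version(2)
    # NOTE(review): SHA-1 signatures are rejected at current OpenSSL security
    # levels; 'sha256' should replace it once every verifier of these
    # proxies accepts it.
    proxy.sign(self.context.evp_key, 'sha1')
    return proxy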