def mk_cert_valid(cert, days=3652):
"""Make a cert valid from now and til 'days' from now.
:param cert: cert to make valid
:param days: number of days cert is valid for from now.
"""
t = int(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
def make_eecert(self, cacert):
eecert = X509.X509()
eecert.set_serial_number(2)
eecert.set_version(2)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_UTCTIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
eecert.set_not_before(now)
eecert.set_not_after(now_plus_year)
eecert.set_issuer(cacert.get_subject())
return eecert
def generate_certificate(self,
cr,
uid,
ids,
issuer,
ext=None,
serial_number=1,
version=2,
date_begin=None,
date_end=None,
expiration=365,
context=None):
"""
Generate certificate
"""
for item in self.browse(cr, uid, ids):
if item.status == 'valid_request':
# Get request data
pk = item.pairkey_id.as_pkey()[item.pairkey_id.id]
req = item.get_request()[item.id]
sub = req.get_subject()
pkey = req.get_pubkey()
# Building certificate
cert = X509.X509()
cert.set_serial_number(serial_number)
cert.set_version(version)
cert.set_subject(sub)
now = ASN1.ASN1_UTCTIME()
if date_begin is None:
t = long(time.time()) + time.timezone
now.set_time(t)
else:
now.set_datetime(date_begin)
nowPlusYear = ASN1.ASN1_UTCTIME()
if date_end is None:
nowPlusYear.set_time(t + 60 * 60 * 24 * expiration)
else:
nowPlusYear.set_datetime(date_end)
cert.set_not_before(now)
cert.set_not_after(nowPlusYear)
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
cert.set_pubkey(cert.get_pubkey())
if ext:
cert.add_ext(ext)
cert.sign(pk, 'sha1')
w = {'crt': cert.as_pem()}
self.write(cr, uid, item.id, w)
def mk_cert_valid(cert, days=365):
"""
Make a cert valid from now and til 'days' from now.
Args:
cert -- cert to make valid
days -- number of days cert is valid for from now.
"""
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
def _set_times(self):
"""
Internal function that sets the time on the proxy
certificate
"""
not_before = ASN1.ASN1_UTCTIME()
not_after = ASN1.ASN1_UTCTIME()
if self._start:
not_before.set_time(self._start)
else:
not_before.set_time(int(time.time()))
offset = (self._valid[0] * 3600) + (self._valid[1] * 60)
not_after.set_time(int(time.time()) + offset)
self._proxycert.set_not_before(not_before)
self._proxycert.set_not_after(not_after)
def test_UTCTIME(self):
asn1 = ASN1.ASN1_UTCTIME()
assert str(asn1) == 'Bad time value'
format = '%b %d %H:%M:%S %Y GMT'
utcformat = '%y%m%d%H%M%SZ'
s = '990807053011Z'
asn1.set_string(s)
#assert str(asn1) == 'Aug 7 05:30:11 1999 GMT'
t1 = time.strptime(str(asn1), format)
t2 = time.strptime(s, utcformat)
self.assertEqual(t1, t2)
asn1.set_time(500)
#assert str(asn1) == 'Jan 1 00:08:20 1970 GMT'
t1 = time.strftime(format, time.strptime(str(asn1), format))
t2 = time.strftime(format, time.gmtime(500))
self.assertEqual(t1, t2)
t = long(time.time()) + time.timezone
asn1.set_time(t)
t1 = time.strftime(format, time.strptime(str(asn1), format))
t2 = time.strftime(format, time.gmtime(t))
self.assertEqual(t1, t2)
def _generate_mock_cert():
rsa_key = RSA.gen_key(512, 65537)
pkey = EVP.PKey()
pkey.assign_rsa(rsa_key)
cert = X509.X509()
cert.set_pubkey(pkey)
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.now(UTC))
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(datetime.now(UTC) + timedelta(hours=24))
cert.set_not_before(not_before)
cert.set_not_after(not_after)
cert.sign(pkey, 'md5')
return pkey, cert
def create_self_signed_RootCA_certificate(root_ca_info,
sign_method="sha256",
days=3650):
# Setp 1: Create RSA-key pair (public/private key)
rsa = generate_rsa_keypair(2048, 65537)
private_key = EVP.PKey()
private_key.assign_rsa(rsa)
# Step 2-1: Prepare X.509 Certificate Signed Request
req = X509.Request()
req.set_pubkey(private_key)
x509_name = req.get_subject()
x509_name.C = root_ca_info["C"]
x509_name.CN = root_ca_info["CN"]
x509_name.ST = root_ca_info["ST"]
x509_name.L = root_ca_info["L"]
x509_name.O = root_ca_info["O"]
x509_name.OU = root_ca_info["OU"]
req.sign(private_key, sign_method)
# Step 2-2: Prepare X.509 certificate
root_ca_cert = X509.X509()
serial = struct.unpack("<Q", os.urandom(8))[0]
root_ca_cert.set_serial_number(serial)
root_ca_cert.set_version(3)
# Setp 2-3: Set required information of RootCA certificate
root_ca_cert.set_issuer(x509_name)
root_ca_cert.set_subject(root_ca_cert.get_issuer())
root_ca_cert.set_pubkey(req.get_pubkey()) # Get the CSR's public key
# Step 2-4: Set Valid Date for RootCA certificate
t = int(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
root_ca_cert.set_not_before(now)
root_ca_cert.set_not_after(expire)
# Step 3: Add Extensions for this Root CA certificate
root_ca_cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE'))
root_ca_cert.add_ext(
X509.new_extension('subjectKeyIdentifier',
root_ca_cert.get_fingerprint()))
# Step 4: Use Root CA's RSA private key to sign this certificate
root_ca_cert.sign(private_key, sign_method)
return root_ca_cert, private_key
def __createCertM2Crypto(self):
"""Create new certificate for user
:return: S_OK(tuple)/S_ERROR() -- tuple contain certificate and pulic key as strings
"""
# Create public key
userPubKey = EVP.PKey()
userPubKey.assign_rsa(
RSA.gen_key(self.bits, 65537, util.quiet_genparam_callback))
# Create certificate
userCert = X509.X509()
userCert.set_pubkey(userPubKey)
userCert.set_version(2)
userCert.set_subject(self.__X509Name)
userCert.set_serial_number(int(random.random() * 10**10))
# Add extentionals
userCert.add_ext(
X509.new_extension("basicConstraints", "CA:" + str(False).upper()))
userCert.add_ext(
X509.new_extension("extendedKeyUsage", "clientAuth", critical=1))
# Set livetime
validityTime = datetime.timedelta(days=400)
notBefore = ASN1.ASN1_UTCTIME()
notBefore.set_time(int(time.time()))
notAfter = ASN1.ASN1_UTCTIME()
notAfter.set_time(int(time.time()) + int(validityTime.total_seconds()))
userCert.set_not_before(notBefore)
userCert.set_not_after(notAfter)
# Add subject from CA
with open(self.parameters["CertFile"]) as cf:
caCertStr = cf.read()
caCert = X509.load_cert_string(caCertStr)
userCert.set_issuer(caCert.get_subject())
# Use CA key
with open(self.parameters["KeyFile"], "rb") as cf:
caKeyStr = cf.read()
pkey = EVP.PKey()
pkey.assign_rsa(
RSA.load_key_string(caKeyStr,
callback=util.no_passphrase_callback))
# Sign
userCert.sign(pkey, self.algoritm)
userCertStr = userCert.as_pem().decode("ascii")
userPubKeyStr = userPubKey.as_pem(
cipher=None, callback=util.no_passphrase_callback).decode("ascii")
return S_OK((userCertStr, userPubKeyStr))
def make_proxycert(self, eecert, utc):
proxycert = X509.X509()
pk2 = EVP.PKey()
proxykey = RSA.gen_key(1024, 65537, self.callback)
pk2.assign_rsa(proxykey)
proxycert.set_pubkey(pk2)
proxycert.set_version(2)
if utc:
not_before = ASN1.ASN1_UTCTIME()
not_after = ASN1.ASN1_UTCTIME()
else:
not_before = ASN1.ASN1_TIME()
not_after = ASN1.ASN1_TIME()
not_before.set_time(int(time.time()))
offset = 12 * 3600
not_after.set_time(int(time.time()) + offset)
proxycert.set_not_before(not_before)
proxycert.set_not_after(not_after)
proxycert.set_issuer_name(eecert.get_subject())
proxycert.set_serial_number(12345678)
issuer_name_string = eecert.get_subject().as_text()
seq = issuer_name_string.split(",")
subject_name = X509.X509_Name()
for entry in seq:
l = entry.split("=")
subject_name.add_entry_by_txt(field=l[0].strip(),
type=ASN1.MBSTRING_ASC,
entry=l[1],
len=-1,
loc=-1,
set=0)
subject_name.add_entry_by_txt(field="CN",
type=ASN1.MBSTRING_ASC,
entry="Proxy",
len=-1,
loc=-1,
set=0)
proxycert.set_subject_name(subject_name)
# XXX leaks 8 bytes
pci_ext = X509.new_extension("proxyCertInfo",
"critical,language:Inherit all", 1)
proxycert.add_ext(pci_ext)
return proxycert
def _create_cert(key, webid_uri, time_len=365):
key_dir = jongau.settings.key_dir
key_path = os.path.join(key_dir, key['filename'])
rsa = RSA.load_key(key_path)
pk = EVP.PKey()
pk.assign_rsa(rsa)
parsed = urlparse.urlparse(webid_uri)
issuer = X509.X509_Name()
issuer.CN = parsed[1]
subject = X509.X509_Name()
subject.CN = parsed[1]
cert = X509.X509()
cert.set_serial_number(long(time.time()))
cert.set_version(2)
cert.set_issuer(issuer)
cert.set_subject(subject)
cert.set_pubkey(pk)
now = long(key['created'])
time_start = ASN1.ASN1_UTCTIME()
time_start.set_time(now)
time_end = ASN1.ASN1_UTCTIME()
time_end.set_time(now + time_len * 24 * 60 * 60)
cert.set_not_before(time_start)
cert.set_not_after(time_end)
cert.add_ext(X509.new_extension('basicContraints', 'CA:FALSE'))
cert.add_ext(X509.new_extension('subjectAltName', "URI:" + webid_uri))
cert.add_ext(
X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint()))
cert.sign(pk, 'sha1')
filename = '%s_%s_%s' % (key['filename'], parsed[1], long(time.time()))
pathname = os.path.join(key_dir, filename)
cert.save_pem(pathname)
certificate = {}
certificate['filename'] = filename
certificate['keyname'] = key['filename']
certificate['created'] = key['created']
certificate['expiration'] = key['created'] + time_len * 24 * 60 * 60
return certificate
def get_not_after(self):
assert m2.x509_type_check(self.x509), "'x509' type error"
out = ASN1.ASN1_UTCTIME(m2.x509_get_not_after(self.x509))
if 'Bad time value' in str(out):
raise X509Error('''M2Crypto cannot handle dates after year 2050.
See RFC 5280 4.1.2.5 for more information.
''')
return out
def mkcacert(self, utc):
req, pk = self.mkreq(1024, ca=1)
pkey = req.get_pubkey()
sub = req.get_subject()
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(sub)
t = int(time.time()) + time.timezone
if utc:
now = ASN1.ASN1_UTCTIME()
else:
now = ASN1.ASN1_TIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_TIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
issuer = X509.X509_Name()
issuer.C = "UK"
issuer.CN = "OpenSSL Group"
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
ext = X509.new_extension('basicConstraints', 'CA:TRUE')
cert.add_ext(ext)
cert.sign(pk, 'sha1')
if m2.OPENSSL_VERSION_NUMBER >= 0x0090800f:
self.assertTrue(cert.check_ca())
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER,
1))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER,
1))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 1))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER,
0))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER,
0))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 0))
else:
with self.assertRaises(AttributeError):
cert.check_ca()
return cert, pk, pkey
def _generate_ssl_keypair(self,
rsa_key,
ca_key,
ca_cert,
role='CONTROL',
client=False,
serial=2):
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + 365 * 24 * 60 * 60)
pk = EVP.PKey()
pk.assign_rsa(rsa_key)
cert = X509.X509()
cert.get_subject().O = self._generate_id(10)
cert.get_subject().OU = role
cert.set_serial_number(serial)
cert.set_version(3)
cert.set_not_before(now)
cert.set_not_after(expire)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(pk)
cert.add_ext(
X509.new_extension('basicConstraints', 'critical,CA:FALSE'))
cert.add_ext(
X509.new_extension('subjectKeyIdentifier',
str(cert.get_fingerprint())))
if client:
cert.add_ext(
X509.new_extension('keyUsage', 'critical,digitalSignature'))
cert.add_ext(X509.new_extension('nsCertType', 'client'))
else:
cert.add_ext(
X509.new_extension('keyUsage', 'critical,keyEncipherment'))
cert.add_ext(X509.new_extension('nsCertType', 'server'))
cert.sign(ca_key, 'sha256')
return pk.as_pem(cipher=None), cert.as_pem()
def make_ss_cert(key_file, domains):
"""
Returns new self-signed cert in PEM form using key_file containing all domains
"""
assert domains, "Must provide one or more hostnames for the CSR."
rsa_key = M2Crypto.RSA.load_key(key_file)
pk = EVP.PKey()
pk.assign_rsa(rsa_key)
x = X509.X509()
x.set_pubkey(pk)
x.set_serial_number(1337)
x.set_version(2)
t = long(time.time())
current = ASN1.ASN1_UTCTIME()
current.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time((7 * 24 * 60 * 60) + t)
x.set_not_before(current)
x.set_not_after(expire)
name = x.get_subject()
name.C = "US"
name.ST = "Michigan"
name.L = "Ann Arbor"
name.O = "University of Michigan and the EFF"
name.CN = domains[0]
x.set_issuer(x.get_subject())
x.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE'))
#x.add_ext(X509.new_extension('extendedKeyUsage', 'TLS Web Server Authentication'))
x.add_ext(X509.new_extension('subjectAltName', ", ".join(["DNS:%s" % d for d in domains])))
x.sign(pk, 'sha256')
assert x.verify(pk)
assert x.verify()
#print check_purpose(,0
return x.as_pem()
def _signRequest(self, x509Request, lifetime):
notBefore = ASN1.ASN1_UTCTIME()
notBefore.set_datetime(datetime.now(pytz.UTC))
notAfter = ASN1.ASN1_UTCTIME()
notAfter.set_datetime(datetime.now(pytz.UTC) + lifetime)
proxySubject = X509.X509_Name()
for c in self.context.x509.get_subject():
m2.x509_name_add_entry(proxySubject._ptr(), c._ptr(), -1, 0)
proxySubject.add_entry_by_txt('commonName', 0x1000, 'proxy', -1, -1, 0)
proxy = X509.X509()
proxy.set_version(2)
proxy.set_subject(proxySubject)
proxy.set_serial_number(long(time.time()))
proxy.set_version(x509Request.get_version())
proxy.set_issuer(self.context.x509.get_subject())
proxy.set_pubkey(x509Request.get_pubkey())
# Make sure the proxy is not longer than any other inside the chain
any_rfc_proxies = False
for cert in self.context.x509List:
if cert.get_not_after() < notAfter:
notAfter = cert.get_not_after()
try:
cert.get_ext('1.3.6.1.5.5.7.1.14')
any_rfc_proxies = True
except:
pass
proxy.set_not_after(notAfter)
proxy.set_not_before(notBefore)
if any_rfc_proxies:
raise NotImplementedError('RFC proxies not supported yet')
proxy.sign(self.context.evpKey, 'sha1')
return proxy
def _gen(self):
def keygen_cb(*args):
pass
def passphrase_cb(*args):
return ''
self.cert = X509.X509()
pubkey = EVP.PKey()
rsa = RSA.gen_key(1024, 65537, keygen_cb)
pubkey.assign_rsa(rsa)
self._key = rsa.as_pem(None, callback=passphrase_cb)
rsa = None
# Set a serial number that is unlikely to repeat
sn = int(time.time()) % (2**32 - 1)
self.cert.set_serial_number(sn)
self.cert.set_version(2)
subject = self.cert.get_subject()
subject.C = 'US'
subject.CN = 'kimchi'
subject.O = 'kimchi-project.org'
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
nowPlusYear = ASN1.ASN1_UTCTIME()
nowPlusYear.set_time(t + 60 * 60 * 24 * 365)
self.cert.set_not_before(now)
self.cert.set_not_after(nowPlusYear)
issuer = X509.X509_Name()
issuer.CN = 'kimchi'
issuer.O = 'kimchi-project.org'
self.cert.set_issuer(issuer)
self.cert.set_pubkey(pubkey)
self.cert.sign(pubkey, 'sha1')
def test_String(self):
asn1ptr = m2.asn1_string_new()
text = 'hello there'
# In RFC2253 format:
# #040B68656C6C6F207468657265
# h e l l o t h e r e
m2.asn1_string_set(asn1ptr, text)
a = ASN1.ASN1_String(asn1ptr, 1)
assert a.as_text() == 'hello there', a.as_text()
assert a.as_text(flags=m2.ASN1_STRFLGS_RFC2253
) == '#040B68656C6C6F207468657265', a.as_text(
flags=m2.ASN1_STRFLGS_RFC2253)
self.assertEqual(a.as_text(), str(a))
def verify(certstring, open_access=False):
crt = X509.load_cert_string(certstring)
# Create datetime objects
now = ASN1.ASN1_UTCTIME()
now.set_datetime(datetime.datetime.now())
now = now.get_datetime()
not_before = crt.get_not_before().get_datetime()
not_after = crt.get_not_after().get_datetime()
# Check time.
if not not_before <= now <= not_after:
return False
issuer = crt.get_issuer().CN.lower().replace(" ","-")
logging.debug("Certificate issuer: %s"%(issuer))
# only suport eID certificates
if issuer not in ("esteid-sk", "esteid-sk-2007", "eid-sk", "eid-sk-2007", "eid-sk-2011", "esteid-sk-2011"):
return False
with tempfile.NamedTemporaryFile(prefix="ocsp") as tmp:
# write the cert to tmp storage
tmp.write(certstring)
tmp.flush()
# construct validation command
cmdstr = ["openssl", "ocsp", "-nonce",
"-url", "http://ocsp.sk.ee:80",
"-issuer", resource_filename(__name__, "certs/%s.pem" %(issuer)),
"-VAfile", resource_filename(__name__, "certs/sk-ocsp-responder-certificates.pem")]
if not open_access:
cmdstr.extend(["-signer", os.path.join(expanduser("~"), '.python-esteid', 'ocsp.pem')])
cmdstr.extend(["-signkey", os.path.join(expanduser("~"), '.python-esteid', 'ocsp.key')])
cmdstr.extend(["-cert", tmp.name])
logging.debug(" ".join(cmdstr))
process = subprocess.Popen(cmdstr, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
process.wait()
(ch_out, ch_err) = (process.stdout.read(), process.stderr.read())
# TODO: M2Crypto OCSP code
if ch_err != "Response verify OK\n":
return False
logging.debug("Command out: %s\nCommand err:%s" %(ch_out, ch_err))
if process.returncode == 0:
if ch_err.startswith("Response verify OK"):
if ch_out.find("revoked") == -1 and ch_out.find("good") != -1:
return True
return False
def create_certificate_from_CSR(rootCA_cert,
rootCA_private_key,
csr,
days=365):
# Step 1: Prepare X.509 Certificate
cert = X509.X509()
serial = struct.unpack("<Q", os.urandom(8))[0]
cert.set_serial_number(serial)
cert.set_version(3)
# Step 2: Set Expired Date
t = int(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
# Step 3: Set X.509 Extensions
cert.add_ext(X509.new_extension('nsComment', 'SSL sever'))
cert.add_ext(X509.new_extension('keyUsage', 'Digital Signature'))
cert.add_ext(X509.new_extension('keyUsage', 'Key Encipherment',
1)) # 1 means critical
cert.add_ext(X509.new_extension('keyUsage', 'Data Encipherment', 1))
cert.add_ext(X509.new_extension('keyUsage', 'Key Agreement', 1))
cert.add_ext(X509.new_extension('extendedKeyUsage', 'clientAuth'))
cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE'))
ext = X509.new_extension('1.2.3.412',
'ASN1:UTF8String:My custom extension\'s value')
# If required: ext.set_critical(1)
cert.add_ext(ext)
# Step 4: Set Subject and Public Key from CSR
cert.set_issuer(rootCA_cert.get_issuer())
cert.set_subject(csr.get_subject())
cert.set_pubkey(csr.get_pubkey())
# Step 5: Use Private Key of Root CA or CA to sign this X.509 certificate
cert.sign(rootCA_private_key, 'sha256')
return cert
def generate_and_sign_cert(req, pk, sign_key, issuer_cn, issuer_c):
pkey = req.get_pubkey()
sub = req.get_subject()
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(sub)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
nowPlusYear = ASN1.ASN1_UTCTIME()
nowPlusYear.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(nowPlusYear)
issuer = X509.X509_Name()
issuer.C = issuer_c
issuer.CN = issuer_cn
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
ext = X509.new_extension('basicConstraints', 'CA:TRUE')
cert.add_ext(ext)
cert.sign(sign_key, 'sha256')
return cert, pk, pkey
def set_valtime(cert, years=1):
"""Set certificate valid time
:param cert: certificate
:type cert: X509.X509
:param years: number of years the certificate is going to be valid
:type years: int
"""
days = years * 365
# t = long(time.time()) + time.timezone
t = int(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
logging.debug(now.get_datetime())
nowPlusYear = ASN1.ASN1_UTCTIME()
nowPlusYear.set_time(t + 60 * 60 * 24 * days)
# later.set_time(int(time.time()+3600*24*7))
# return now, nowPlusYear
cert.set_not_before(now)
logging.debug(cert.get_not_before())
cert.set_not_after(nowPlusYear)
logging.debug(cert.get_not_after())
def helper_sign_certificate(self, cakey, cacert, request):
"""Sign a certificate request by the given ca key and ca certificate."""
cert = X509.X509()
cert.set_version(2)
cert.set_serial_number(1)
cert.set_subject(request.get_subject())
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
end = ASN1.ASN1_UTCTIME()
end.set_time(t + 60 * 60 * 24 * 365 * 10)
cert.set_not_before(now)
cert.set_not_after(end)
cert.set_issuer(cacert.get_subject())
cert.set_pubkey(request.get_pubkey())
#ext = X509.new_extension('subjectAltName', 'DNS:localhost')
#ext.set_critical(0)
#cert.add_ext(ext)
cert.sign(cakey, 'sha1')
return cert
def mk_certreq_n_keys(self, cn, v3_exts=[]):
'''
This function creates a certificate request with following attributes:
* given common name, organization, and country
* maximum validity period
* given extensions
Returns the certificate request and the keys as a tuple (X509, EVP, RSA)
'''
bits = DEFAULT_BITS
# subject
subj = X509.X509_Name()
subj.CN = cn
subj.C = DEFAULT_X509_C
subj.O = DEFAULT_X509_ORG
# maximum possible validity time frame
not_before = ASN1.ASN1_UTCTIME()
not_before.set_time(0)
not_after = ASN1.ASN1_UTCTIME()
not_after.set_time(2**31 - 1)
return self.dododo(bits, subj, not_before, not_after, v3_exts)
def test_UTCTIME_datetime(self):
asn1 = ASN1.ASN1_UTCTIME()
# Test get_datetime and set_datetime
t = time.time()
dt = datetime.datetime.fromtimestamp(int(t))
udt = dt.replace(tzinfo=ASN1.LocalTimezone()).astimezone(ASN1.UTC)
asn1.set_time(int(t))
t1 = str(asn1)
asn1.set_datetime(dt)
t2 = str(asn1)
self.assertEqual(t1, t2)
self.assertEqual(str(udt), str(asn1.get_datetime()))
dt = dt.replace(tzinfo=ASN1.LocalTimezone())
asn1.set_datetime(dt)
t2 = str(asn1)
self.assertEqual(t1, t2)
self.assertEqual(str(udt), str(asn1.get_datetime()))
dt = dt.astimezone(ASN1.UTC)
asn1.set_datetime(dt)
t2 = str(asn1)
self.assertEqual(t1, t2)
self.assertEqual(str(udt), str(asn1.get_datetime()))
def test_String(self):
asn1ptr = m2.asn1_string_new()
# FIXME this is probably wrong ... asn1_string_set should have
# Python string as its parameter.
text = b'hello there'
# In RFC2253 format:
# #040B68656C6C6F207468657265
# h e l l o t h e r e
m2.asn1_string_set(asn1ptr, text)
a = ASN1.ASN1_String(asn1ptr, 1)
self.assertEqual(a.as_text(), 'hello there', a.as_text())
self.assertEqual(a.as_text(flags=m2.ASN1_STRFLGS_RFC2253),
'#040B68656C6C6F207468657265',
a.as_text(flags=m2.ASN1_STRFLGS_RFC2253))
self.assertEqual(a.as_text(), str(a))
def get_not_before(self):
# type: () -> ASN1.ASN1_TIME
assert m2.x509_type_check(self.x509), "'x509' type error"
return ASN1.ASN1_TIME(m2.x509_get_not_before(self.x509))
def get_data(self):
# type: () -> ASN1.ASN1_String
return ASN1.ASN1_String(
m2.x509_name_entry_get_data(self.x509_name_entry))
def get_object(self):
# type: () -> ASN1.ASN1_Object
return ASN1.ASN1_Object(
m2.x509_name_entry_get_object(self.x509_name_entry))
def test_mkcert(self):
req, pk = self.mkreq(1024)
pkey = req.get_pubkey()
self.assertTrue(req.verify(pkey))
sub = req.get_subject()
self.assertEqual(len(sub), 2,
'Subject should be long 2 items not %d' % len(sub))
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(sub)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_UTCTIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
self.assertEqual(str(cert.get_not_before()), str(now))
self.assertEqual(str(cert.get_not_after()), str(now_plus_year))
issuer = X509.X509_Name()
issuer.CN = 'The Issuer Monkey'
issuer.O = 'The Organization Otherwise Known as My CA, Inc.'
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
cert.set_pubkey(cert.get_pubkey()) # Make sure get/set work
ext = X509.new_extension('subjectAltName', 'DNS:foobar.example.com')
ext.set_critical(0)
self.assertEqual(ext.get_critical(), 0)
cert.add_ext(ext)
cert.sign(pk, 'sha1')
with self.assertRaises(ValueError):
cert.sign(pk, 'nosuchalgo')
self.assertTrue(
cert.get_ext('subjectAltName').get_name(), 'subjectAltName')
self.assertTrue(cert.get_ext_at(0).get_name(), 'subjectAltName')
self.assertTrue(
cert.get_ext_at(0).get_value(), 'DNS:foobar.example.com')
self.assertEqual(
cert.get_ext_count(), 1,
'Certificate should have now 1 extension not %d' %
cert.get_ext_count())
with self.assertRaises(IndexError):
cert.get_ext_at(1)
self.assertTrue(cert.verify())
self.assertTrue(cert.verify(pkey))
self.assertTrue(cert.verify(cert.get_pubkey()))
self.assertEqual(cert.get_version(), 2)
self.assertEqual(cert.get_serial_number(), 1)
self.assertEqual(cert.get_issuer().CN, 'The Issuer Monkey')
if m2.OPENSSL_VERSION_NUMBER >= 0x90800f:
self.assertFalse(cert.check_ca())
self.assertFalse(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 1))
self.assertFalse(
cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 1))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 0))
self.assertTrue(
cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 0))
self.assertTrue(cert.check_purpose(m2.X509_PURPOSE_ANY, 0))
else:
with self.assertRaises(AttributeError):
cert.check_ca()
