Example #1
0
 def create_certificate(self, csr, issuer_options):
     adcs_server = current_app.config.get('ADCS_SERVER')
     adcs_user = current_app.config.get('ADCS_USER')
     adcs_pwd = current_app.config.get('ADCS_PWD')
     adcs_auth_method = current_app.config.get('ADCS_AUTH_METHOD')
     adcs_template = current_app.config.get('ADCS_TEMPLATE')
     ca_server = Certsrv(adcs_server, adcs_user, adcs_pwd, auth_method=adcs_auth_method)
     current_app.logger.info("Requesting CSR: {0}".format(csr))
     current_app.logger.info("Issuer options: {0}".format(issuer_options))
     cert, req_id = ca_server.get_cert(csr, adcs_template, encoding='b64').decode('utf-8').replace('\r\n', '\n')
     chain = ca_server.get_ca_cert(encoding='b64').decode('utf-8').replace('\r\n', '\n')
     return cert, chain, req_id
    def enroll(self, csr):
        """ enroll certificate from via MS certsrv """
        self.logger.debug('CAhandler.enroll({0})'.format(self.template))
        cert_bundle = None
        error = None
        cert_raw = None

        if self.host and self.user and self.password and self.template:
            # setup certserv
            ca_server = Certsrv(self.host, self.user, self.password, self.auth_method, self.ca_bundle)

            # check connection and credentials
            auth_check = self._check_credentials(ca_server)
            if auth_check:
                # recode csr
                csr = textwrap.fill(b64_url_recode(self.logger, csr), 64) + '\n'

                # get ca_chain
                try:
                    ca_pkcs7 = convert_byte_to_string(ca_server.get_chain(encoding='b64'))
                    ca_pem = self._pkcs7_to_pem(ca_pkcs7)
                    # replace crlf with lf
                    # ca_pem = ca_pem.replace('\r\n', '\n')
                except BaseException as err_:
                    ca_pem = None
                    self.logger.error('ca_server.get_chain() failed with error: {0}'.format(err_))

                try:
                    cert_raw = convert_byte_to_string(ca_server.get_cert(csr, self.template))
                    # replace crlf with lf
                    cert_raw = cert_raw.replace('\r\n', '\n')
                except BaseException as err_:
                    cert_raw = None
                    self.logger.error('ca_server.get_cert() failed with error: {0}'.format(err_))

                if ca_pem and cert_raw:
                    cert_bundle = cert_raw + ca_pem
                    cert_raw = cert_raw.replace('-----BEGIN CERTIFICATE-----\n', '')
                    cert_raw = cert_raw.replace('-----END CERTIFICATE-----\n', '')
                    cert_raw = cert_raw.replace('\n', '')
                else:
                    self.logger.error('cert bundling failed')
                    error = 'cert bundling failed'
            else:
                self.logger.error('Connection or Credentialcheck failed')
                error = 'Connection or Credentialcheck failed.'
        else:
            self.logger.error('Config incomplete')
            error = 'Config incomplete'

        self.logger.debug('Certificate.enroll() ended')
        return(error, cert_bundle, cert_raw, None)
Example #3
0
 def create_certificate(self, csr, issuer_options):
     adcs_server = current_app.config.get("ADCS_SERVER")
     adcs_user = current_app.config.get("ADCS_USER")
     adcs_pwd = current_app.config.get("ADCS_PWD")
     adcs_auth_method = current_app.config.get("ADCS_AUTH_METHOD")
     adcs_template = current_app.config.get("ADCS_TEMPLATE")
     ca_server = Certsrv(adcs_server,
                         adcs_user,
                         adcs_pwd,
                         auth_method=adcs_auth_method)
     current_app.logger.info("Requesting CSR: {0}".format(csr))
     current_app.logger.info("Issuer options: {0}".format(issuer_options))
     cert = (ca_server.get_cert(csr, adcs_template,
                                encoding="b64").decode("utf-8").replace(
                                    "\r\n", "\n"))
     chain = (ca_server.get_ca_cert(encoding="b64").decode("utf-8").replace(
         "\r\n", "\n"))
     return cert, chain, None
Example #4
0
    def enroll(self, csr):
        """ enroll certificate from via MS certsrv """
        self.logger.debug('CAhandler.enroll()')
        cert_bundle = None
        error = None
        cert_raw = None

        if self.host and self.user and self.password and self.template:
            # setup certserv
            ca_server = Certsrv(self.host, self.user, self.password,
                                self.auth_method, self.ca_bundle)

            # check connection and credentials
            auth_check = ca_server.check_credentials()
            if auth_check:
                # recode csr
                csr = textwrap.fill(b64_url_recode(self.logger, csr),
                                    64) + '\n'

                # get ca_chain
                ca_pem = ca_server.get_chain(encoding='b64')
                cert_raw = ca_server.get_cert(csr, self.template)
                if cert_raw:
                    cert_bundle = cert_raw + ca_pem
                    cert_raw = cert_raw.replace(
                        '-----BEGIN CERTIFICATE-----\n', '')
                    cert_raw = cert_raw.replace('-----END CERTIFICATE-----\n',
                                                '')
                    cert_raw = cert_raw.replace('\n', '')
                else:
                    error = 'Enrollment failed'
            else:
                error = 'Connection or Credentialcheck failed.'
        else:
            error = 'Config incomplete'

        self.logger.debug('Certificate.enroll() ended')
        return (error, cert_bundle, cert_raw)
Example #5
0
 def create_certificate(self, csr, issuer_options):
     adcs_server = current_app.config.get("ADCS_SERVER")
     adcs_user = current_app.config.get("ADCS_USER")
     adcs_pwd = current_app.config.get("ADCS_PWD")
     adcs_auth_method = current_app.config.get("ADCS_AUTH_METHOD")
     # if there is a config variable ADCS_TEMPLATE_<upper(authority.name)> take the value as Cert template
     # else default to ADCS_TEMPLATE to be compatible with former versions
     authority = issuer_options.get("authority").name.upper()
     adcs_template = current_app.config.get(
         "ADCS_TEMPLATE_{0}".format(authority),
         current_app.config.get("ADCS_TEMPLATE"))
     ca_server = Certsrv(adcs_server,
                         adcs_user,
                         adcs_pwd,
                         auth_method=adcs_auth_method)
     current_app.logger.info("Requesting CSR: {0}".format(csr))
     current_app.logger.info("Issuer options: {0}".format(issuer_options))
     cert = (ca_server.get_cert(csr, adcs_template,
                                encoding="b64").decode("utf-8").replace(
                                    "\r\n", "\n"))
     chain = (ca_server.get_ca_cert(encoding="b64").decode("utf-8").replace(
         "\r\n", "\n"))
     return cert, chain, None
Example #6
0
    def install_msca_signed(self, ca_server: str, ca_user: str, ca_pass: str):

        # Create folder
        date = datetime.now().strftime('%Y%m%d%H%M%S')
        cert_dir = self.output_folder / date
        if not cert_dir.exists():
            cert_dir.mkdir(parents=True)

        # File names
        cert_cfg_file = 'rui.cfg'
        cert_key_file = 'rui.key'
        cert_csr_file = 'rui.csr'
        cert_crt_file = 'rui.crt'
        cert_chain_file = 'rui-chain.crt'
        cert_crt_bak_file = 'rui.crt.bak'
        cert_key_bak_file = 'rui.key.bak'
        ca_crt_file = '../ca.crt'

        # Create local paths
        local_cfg = cert_dir / cert_cfg_file
        local_csr = cert_dir / cert_csr_file
        local_key = cert_dir / cert_key_file
        local_crt = cert_dir / cert_crt_file
        local_chain = cert_dir / cert_chain_file
        local_crt_bak = cert_dir / cert_crt_bak_file
        local_key_bak = cert_dir / cert_key_bak_file
        local_ca_crt = cert_dir / ca_crt_file

        # Remote temporary files
        remote_cfg = str(self.remote_tmp / cert_cfg_file)
        remote_csr = str(self.remote_tmp / cert_csr_file)
        remote_crt = str(self.remote_tmp / cert_crt_file)
        remote_chain = str(self.remote_tmp / cert_chain_file)
        remote_key = str(self.remote_tmp / cert_key_file)
        remote_ca_crt = str(self.remote_tmp / ca_crt_file)

        # Get the Microsoft Certificate Authority file
        ca_crt = get_msca_root_cert(hostname=ca_server, username=ca_user, password=ca_pass)
        local_ca_crt.write_bytes(ca_crt.public_bytes(encoding=serialization.Encoding.PEM))

        # Connect to Microsoft Certificate Authority
        cert_srv = Certsrv(server=ca_server, username=ca_user, password=ca_pass, cafile=str(local_ca_crt))
        cert_srv.check_credentials()
        self.connection.put(local=local_ca_crt, remote=remote_ca_crt)

        # Create host cfg
        config = create_cert_config(host=self.esx_server)
        local_cfg.write_text(config)
        self.connection.put(local=local_cfg, remote=remote_cfg)

        # Create certificate request
        cmd = f'openssl req -new -nodes -out {remote_csr} -keyout {remote_key} -config {remote_cfg}'
        result = self.connection.run(f"{cmd}", pty=True, hide=True)
        self.connection.get(local=local_csr, remote=remote_csr)
        self.connection.get(local=local_key, remote=remote_key)

        # Get signed certificate
        csr_bytes = local_csr.read_bytes()
        crt_bytes = cert_srv.get_cert(csr_bytes, 'WebServer')
        local_crt.write_bytes(crt_bytes)
        self.connection.put(local=local_crt, remote=remote_crt)

        # Create certificate chain
        cmd = f'cat {remote_crt} {remote_ca_crt} > {remote_chain}'
        result = self.connection.run(f'{cmd}', pty=True, hide=True)
        self.connection.get(local=local_chain, remote=remote_chain)

        # Backup current crt and key
        self.connection.get(local=local_crt_bak, remote=self.esx_crt)
        self.connection.get(local=local_key_bak, remote=self.esx_key)

        # Deploy new crt and key
        self.connection.put(local=local_chain, remote=self.esx_crt)
        self.connection.put(local=local_key, remote=self.esx_key)

        # Reboot host
        self.__reboot()
Example #7
0
def generateCsr(email, dn):
    # get UPN and dn
    t = dn.split('|')
    # Add stop to dn
    dn = t[0] + ',end=end'
    userupn = t[1].encode()

    # browse UPN to generate CSR
    unit = dn.split(',')
    csr_cn_parts = []
    csr_cn_partstmp = []
    last = ''
    for u in unit:
        t = u.split('=')
        (name, value) = (t[0], t[1])
        print((name, value))

        # the x509 lib need to inverse OU orders, don't knwo why
        if name != last and len(csr_cn_partstmp) > 0:
            for element in reversed(csr_cn_partstmp):
                csr_cn_parts.append(element)
            csr_cn_partstmp = []
        last = name
        if name == 'OU':
            csr_cn_partstmp.append(
                x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, value))
        elif name == 'DC':
            csr_cn_partstmp.append(
                x509.NameAttribute(NameOID.DOMAIN_COMPONENT, value))
        elif name == 'CN':
            csr_cn_partstmp.append(
                x509.NameAttribute(NameOID.COMMON_NAME, value))
    csr_cn_parts = [x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)
                    ] + csr_cn_parts

    # Generate a key
    key = rsa.generate_private_key(public_exponent=65537,
                                   key_size=2048,
                                   backend=default_backend())
    bupn = b"\x0C" + bytes([len(userupn)]) + userupn

    # generate csr
    custom_oid_user_principal_name = x509.ObjectIdentifier(
        "1.3.6.1.4.1.311.20.2.3")
    csr = x509.CertificateSigningRequestBuilder(
    ).subject_name(x509.Name(csr_cn_parts)).add_extension(
        x509.SubjectAlternativeName([
            x509.OtherName(
                custom_oid_user_principal_name, bupn
            ),  # ASN.1 encoded string= (bytes) \x0C (UTF 8 String) + len(ASCII) + ASCII en hex
        ]),
        critical=False,
    ).sign(key, hashes.SHA256(), default_backend())
    pem_req = csr.public_bytes(serialization.Encoding.PEM)

    # Get the cert from the ADCS server
    pem_req = csr.public_bytes(serialization.Encoding.PEM)

    ca_server = Certsrv("XXXXX", "XXXXXX", PASSWORD, auth_method="ntlm")
    pem_cert = ca_server.get_cert(pem_req, "User_ADFS_Script")

    # Print the key
    pem_key = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=serialization.NoEncryption(),
    )
    print(pem_key.decode())
    print(pem_cert.decode())