Example #1
  def asciiprint(self):
    """Return a multi-line plain-text description of this certificate.

    The text lists the subject and issuer attributes named in
    X509v1_certattrlist (a missing attribute is shown with an empty value),
    the serial number, the validity period and the SHA-1 and MD5
    fingerprints returned by getfingerprint().
    """

    def _dn_lines(dn):
      # Each value goes through charset.asn12iso() (presumably an ASN.1 to
      # ISO character set conversion -- confirm in charset) and is stripped
      # of surrounding whitespace before it is laid out as "<attr>: <value>".
      return '\n'.join([
        '%-5s: %s' % (name, charset.asn12iso(dn.get(name, '')).strip())
        for name in X509v1_certattrlist
      ])

    # NOTE(review): MD5 and SHA-1 are no longer collision resistant, so the
    # fingerprints printed here are display identifiers rather than a sound
    # basis for a trust decision.  Whether getfingerprint() accepts a
    # stronger digest such as SHA-256 is not visible here -- confirm.
    report = """This certificate belongs to:
%s

This certificate was issued by:
%s

Serial Number: %s

This certificate is valid
from %s until %s.

Certificate Fingerprint:
SHA-1: %s
MD5  : %s
"""
    return report % (
      _dn_lines(self.subject),
      _dn_lines(self.issuer),
      self.serial,
      self.notBefore,
      self.notAfter,
      self.getfingerprint('sha1'),
      self.getfingerprint('md5'),
    )
Example #2
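def GetEntriesbyDN(db_filename,
                   DN=empty_DN_dict,
                   casesensitive=0,
                   onlyvalid=0):
    """Return the database entries whose DN matches every given pattern.

    db_filename   -- path of the tab-separated certificate database file
    DN            -- mapping of DN attribute name to a regular expression;
                     attributes with an empty string are ignored.  The
                     values are handed to re.compile(), so they are
                     patterns and not literal strings: pass a value through
                     re.escape() when a literal match is intended.
    casesensitive -- when false, pattern and attribute value are both
                     lower-cased before matching
    onlyvalid     -- when true, keep only entries for which IsValid() is true

    Returns a list of entries, each being the list of tab-separated fields
    of one database line.  The list is empty when DN holds no non-empty
    pattern.  The DN argument itself is left unmodified.
    """

    # Work on local copies of the pattern strings so that neither the
    # caller's dict nor the shared default empty_DN_dict is modified.
    searchregex = {}
    for attr in DN.keys():
        pattern = DN[attr]
        if pattern == '':
            continue
        if not casesensitive:
            # NOTE(review): lower-casing a pattern also lower-cases escapes
            # such as \S, \W or \D and thereby inverts their meaning.
            pattern = pattern.lower()
        searchregex[attr] = re.compile(pattern)

    if not searchregex:
        return []

    wanted = len(searchregex)
    found = []

    db_file = open(db_filename, 'r')
    try:
        db_line = db_file.readline().strip()

        # An empty line (or the end of the file) ends the scan.
        while db_line:

            db_entry = db_line.split('\t')
            dnfield = SplitDN(db_entry[DB_name])

            # An entry is a hit only if every requested attribute is present
            # in its DN and matches the corresponding pattern.
            matchcounter = 0
            for attr in searchregex.keys():
                if dnfield.has_key(attr):
                    value = charset.asn12iso(dnfield[attr])
                    if not casesensitive:
                        value = value.lower()
                    if searchregex[attr].search(value) is not None:
                        matchcounter = matchcounter + 1

            if matchcounter == wanted and (not onlyvalid or IsValid(db_entry)):
                found.append(db_entry)

            # Remove only the line terminator, so that a last line without a
            # trailing newline keeps its final character.
            db_line = db_file.readline().rstrip('\n')
    finally:
        # Close the database file even if parsing or matching raises.
        db_file.close()

    return found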
Example #3
    def asciiprint(self):
        """Return a multi-line plain-text description of this certificate.

        The text lists the subject and issuer attributes named in
        X509v1_certattrlist (a missing attribute is shown with an empty
        value), the serial number, the validity period and the SHA-1 and
        MD5 fingerprints returned by getfingerprint().
        """

        def _dn_lines(dn):
            # Each value goes through charset.asn12iso() (presumably an
            # ASN.1 to ISO character set conversion -- confirm in charset)
            # and is stripped of surrounding whitespace before it is laid
            # out as "<attr>: <value>".
            return '\n'.join([
                '%-5s: %s' % (name,
                              charset.asn12iso(dn.get(name, '')).strip())
                for name in X509v1_certattrlist
            ])

        # NOTE(review): MD5 and SHA-1 are no longer collision resistant, so
        # the fingerprints printed here are display identifiers rather than
        # a sound basis for a trust decision.  Whether getfingerprint()
        # accepts a stronger digest such as SHA-256 is not visible here --
        # confirm.
        report = """This certificate belongs to:
%s

This certificate was issued by:
%s

Serial Number: %s

This certificate is valid
from %s until %s.

Certificate Fingerprint:
SHA-1: %s
MD5  : %s
"""
        return report % (
            _dn_lines(self.subject),
            _dn_lines(self.issuer),
            self.serial,
            self.notBefore,
            self.notAfter,
            self.getfingerprint('sha1'),
            self.getfingerprint('md5'),
        )
Example #4
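def GetEntriesbyDN(db_filename,DN=empty_DN_dict,casesensitive=0,onlyvalid=0):
  """Return the database entries whose DN matches every given pattern.

  db_filename   -- path of the tab-separated certificate database file
  DN            -- mapping of DN attribute name to a regular expression;
                   attributes with an empty string are ignored.  The values
                   are handed to re.compile(), so they are patterns and not
                   literal strings: pass a value through re.escape() when a
                   literal match is intended.
  casesensitive -- when false, pattern and attribute value are both
                   lower-cased before matching
  onlyvalid     -- when true, keep only entries for which IsValid() is true

  Returns a list of entries, each being the list of tab-separated fields of
  one database line.  The list is empty when DN holds no non-empty pattern.
  The DN argument itself is left unmodified.
  """

  # Work on local copies of the pattern strings so that neither the caller's
  # dict nor the shared default empty_DN_dict is modified.
  searchregex = {}
  for attr in DN.keys():
    pattern = DN[attr]
    if pattern == '':
      continue
    if not casesensitive:
      # NOTE(review): lower-casing a pattern also lower-cases escapes such
      # as \S, \W or \D and thereby inverts their meaning.
      pattern = pattern.lower()
    searchregex[attr] = re.compile(pattern)

  if not searchregex:
    return []

  wanted = len(searchregex)
  found = []

  db_file = open(db_filename,'r')
  try:
    db_line = db_file.readline().strip()

    # An empty line (or the end of the file) ends the scan.
    while db_line:

      db_entry = db_line.split('\t')
      dnfield = SplitDN(db_entry[DB_name])

      # An entry is a hit only if every requested attribute is present in
      # its DN and matches the corresponding pattern.
      matchcounter = 0
      for attr in searchregex.keys():
        if dnfield.has_key(attr):
          value = charset.asn12iso(dnfield[attr])
          if not casesensitive:
            value = value.lower()
          if searchregex[attr].search(value) is not None:
            matchcounter = matchcounter + 1

      if matchcounter == wanted and (not onlyvalid or IsValid(db_entry)):
        found.append(db_entry)

      # Remove only the line terminator, so that a last line without a
      # trailing newline keeps its final character.
      db_line = db_file.readline().rstrip('\n')
  finally:
    # Close the database file even if parsing or matching raises.
    db_file.close()

  return found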
Example #5
  ######################################################################

  if not ca.database in processed_ca_databases:

    if os.path.isfile(ca.database):

      processed_ca_databases.append(ca.database)
      # Certificate database not processed up to now
      ca_db = openssl.db.OpenSSLcaDatabaseClass(ca.database)

      # Mark expired certificates in OpenSSL certificate database
      expired_db_entries = ca_db.Expire()
      if expired_db_entries:
        sys.stdout.write('The following entries were marked as expired:\n')
	for db_entry in expired_db_entries:
          sys.stdout.write('%s\n' % (charset.asn12iso(db_entry[DB_name])))

      # Warn about certificates in the OpenSSL certificate database that expire within the threshold
      expire_treshold=7*86400
      expired_db_entries = ca_db.ExpireWarning(expire_treshold)
      if expired_db_entries:
        sys.stdout.write('The following entries will expire soon:\n')
	for db_entry in expired_db_entries:
          sys.stdout.write('%s, %s, %s\n' % (
	      db_entry[DB_serial],
	      strftime('%Y-%m-%d %H:%M',localtime(mktime(dbtime2tuple(db_entry[DB_exp_date])))),
	      charset.asn12iso(db_entry[DB_name])
	    )
	  )

    else:
Example #6
  sys.stdout.write('*** Processing %s ***\n\n' % (ca_name))

  ca = opensslcnf.getcadata(ca_name)

  if ca.isclientcert() and \
     not ca.database in old_db_filenames and \
     os.path.isfile(ca.database):

    old_db_filenames.append(ca.database)

    certs_found = openssl.db.GetEntriesbyDN(ca.database,certdnfilter,casesensitive=1,onlyvalid=0)

    for cert_entry in certs_found:

      # DN of the database entry, converted by charset.asn12iso(), then
      # re-encoded with charset.iso2utf() and split by SplitDN() into the
      # mapping that fills the filter template.
      certdn = charset.asn12iso(cert_entry[openssl.db.DB_name])
      certdndict = openssl.db.SplitDN(charset.iso2utf(certdn))
      # NOTE(review): the DN attribute values are substituted into the LDAP
      # search filter as they are.  Characters that are special in a filter
      # ("*", "(", ")", "\") inside a certificate subject would change which
      # entries the search matches; escape each value first (python-ldap
      # offers ldap.filter.escape_filter_chars) -- confirm whether SplitDN
      # or filtertemplate already take care of this.
      ldap_filter = filtertemplate % certdndict
      try:
        ldap_result = l.search_s(
	  basedn,
	  ldap.SCOPE_SUBTREE,
	  ldap_filter,
	  ['objectclass','userCertificate;binary','userSMIMECertificate;binary'],
	  0
	)
      except ldap.NO_SUCH_OBJECT:
  	sys.stdout.write('Certificate subject "%s" not found with filter "%s".\n' % (certdn,ldap_filter))
	ldap_result=[]
      except:
	exc_obj,exc_value,exc_traceback = sys.exc_info()
Example #7
    ca_name = ca_names[ca_num]

    ca = opensslcnf.getcadata(ca_name)

    if os.path.isfile(ca.certificate):

        cacert = openssl.cert.X509CertificateClass(ca.certificate)

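        # Copy the CA certificate into certdir under a name derived from its
        # subject, and add a "<hash>.0" symlink that points at the copy.
        if certdir:

            # Convert character sets (in place, on the parsed certificate).
            # The loop variable is not called "dict" so that the builtin of
            # that name stays usable.
            for dn in [cacert.issuer, cacert.subject]:
                for attr in dn.keys():
                    dn[attr] = charset.asn12iso(dn[attr])

            # New filename for CA cert.  The parts come from the certificate
            # itself, so a subject attribute that is absent becomes an empty
            # part instead of raising KeyError, and path separators inside a
            # value are replaced so the copy cannot land outside certdir.
            name_parts = []
            for attr in ['CN', 'OU', 'O', 'L', 'ST', 'C']:
                part = cacert.subject.get(attr, '')
                for sep in (os.sep, os.altsep):
                    if sep:
                        part = part.replace(sep, '_')
                name_parts.append(part)
            cacert_filename = '_'.join(name_parts) + os.path.splitext(
                ca.certificate)[1]
            # Copy the file
            shutil.copyfile(ca.certificate,
                            os.path.join(certdir, cacert_filename))
            # Create appropriate symlink (relative: the link target is the
            # bare file name inside certdir)
            symlinkname = os.path.join(certdir, '%s.0' % (cacert.hash))
            try:
                os.symlink(cacert_filename, symlinkname)
            except OSError:
                sys.stderr.write('Warning: Could not create symbolic link.\n')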

        # Append CA certificate file to single certificate file
Example #8
    # Verify the CA certificate against its issuer certificate and warn
    # about subject attributes that are known to confuse other software.
    # Both files must pass filenotvalid() (defined elsewhere) first.
    if filenotvalid(ca.certificate) or filenotvalid(parentca.certificate):
        sys.stderr.write('Certificate file %s or %s not found.\n' %
                         (ca.certificate, parentca.certificate))

    else:
        sys.stdout.write(
            'Verifying sub-CA certificate %s with issuer certificate %s.\n' %
            (ca.certificate, parentca.certificate))

        # NOTE(review): the command line is assembled by string formatting
        # and handed to the shell by os.system(), so a certificate path that
        # contains spaces or shell metacharacters changes the command that
        # runs.  Passing an argument list to subprocess (without a shell)
        # avoids this.  The exit status is also the only check made here:
        # confirm that the deployed openssl returns non-zero when the
        # verification fails.
        verify_cmd = '%s verify -verbose -CAfile %s %s' % (
            OpenSSLExec, parentca.certificate, ca.certificate)
        rc = os.system(verify_cmd)
        if rc:
            sys.stderr.write('Error %d verifying CA cert %s.\n' %
                             (rc, ca.certificate))

        ca_cert = openssl.cert.X509CertificateClass(ca.certificate)

        # A subject without a common name is reported, not rejected.
        if not ca_cert.subject.has_key('CN'):
            sys.stderr.write(
                'CA certificate %s has no CN attribute.\nThis might cause weird problems with some software.\n'
                % (ca.certificate))

        # Likewise report every subject attribute with non-ASCII content.
        for subject_attr in ca_cert.subject.keys():
            attr_value = charset.asn12iso(ca_cert.subject[subject_attr])
            if not charset.is_ascii(attr_value):
                sys.stderr.write(
                    'CA certificate %s has NON-ASCII attribute %s.\nThis might cause weird problems with some software.\n'
                    % (ca.certificate, subject_attr))
Example #9
    # Text mode

    for ca_name in ca_names:

        ca = opensslcnf.getcadata(ca_name)

        if os.path.isfile(ca.certificate):

            # Parse certificate textual output
            cacert = openssl.cert.X509CertificateClass(ca.certificate)

            # Convert character sets
            subject, issuer = {}, {}
            for attr in ['CN', 'Email', 'OU', 'O', 'L', 'ST', 'C']:
                subject[attr] = string.strip(
                    charset.asn12iso(cacert.subject.get(attr, '')))
                issuer[attr] = string.strip(
                    charset.asn12iso(cacert.issuer.get(attr, '')))

            sys.stdout.write(
                'Subject:\nCommon Name: "%(CN)s"\nOrganizational Unit: "%(OU)s"\nOrganization: "%(O)s"\nLocation: "%(L)s"\nState/Province: "%(ST)s"\nCountry: "%(C)s"\n\n'
                % (subject))
            sys.stdout.write(
                'Issuer:\nCommon Name: "%(CN)s"\nOrganizational Unit: "%(OU)s"\nOrganization: "%(O)s"\nLocation: "%(L)s"\nState/Province: "%(ST)s"\nCountry: "%(C)s"\n\n'
                % (issuer))
            sys.stdout.write('Serial: %s\n' % (cacert.serial))
            sys.stdout.write('Validity: from %s until %s\n' %
                             (cacert.notBefore, cacert.notAfter))
            sys.stdout.write('Hash: %s\n' % (cacert.hash))
            sys.stdout.write('SHA-1 Fingerprint: %s\n' %
                             (cacert.getfingerprint('sha1')))
Example #10
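  # Work out which CA certificate should have signed this one: the CA named
  # in the signedby parameter, or the CA itself when signedby is not set.
  if ca.signedby:
    if ca.signedby in ca_names:
      parentca = opensslcnf.getcadata(ca.signedby)
    else:
      parentca = None
      # NOTE(review): this message reads subca while the test above uses ca;
      # subca is not assigned in the visible code -- confirm it is bound
      # here and refers to the same CA.
      sys.stderr.write('CA name "%s" given in signedby parameter of section [%s] not found.\n' % (subca.signedby,subca.sectionname))
  else:
    parentca = ca

  if parentca is None:
    # The issuer could not be resolved (reported above), so there is no
    # certificate to verify against.  Reading parentca.certificate in the
    # branches below would raise AttributeError on None.
    pass

  elif not (filenotvalid(ca.certificate) or filenotvalid(parentca.certificate)):

    sys.stdout.write('Verifying sub-CA certificate %s with issuer certificate %s.\n' % (ca.certificate,parentca.certificate))
    # NOTE(review): the command line is assembled by string formatting and
    # handed to the shell by os.system(), so a certificate path that contains
    # spaces or shell metacharacters changes the command that runs.  Passing
    # an argument list to subprocess (without a shell) avoids this.
    rc = os.system('%s verify -verbose -CAfile %s %s' % \
                   (OpenSSLExec,parentca.certificate,ca.certificate))
    if rc:
      sys.stderr.write('Error %d verifying CA cert %s.\n' % (rc,ca.certificate))

    ca_cert = openssl.cert.X509CertificateClass(ca.certificate)

    # A subject without a common name is reported, not rejected.
    if not ca_cert.subject.has_key('CN'):
      sys.stderr.write('CA certificate %s has no CN attribute.\nThis might cause weird problems with some software.\n' % (ca.certificate))

    # Likewise report every subject attribute with non-ASCII content.
    for subject_attr in ca_cert.subject.keys():
      if not charset.is_ascii(charset.asn12iso(ca_cert.subject[subject_attr])):
        sys.stderr.write('CA certificate %s has NON-ASCII attribute %s.\nThis might cause weird problems with some software.\n' % (ca.certificate,subject_attr))

  else:
    sys.stderr.write('Certificate file %s or %s not found.\n' % (ca.certificate,parentca.certificate))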

Example #11
  ca_name = ca_names[ca_num]

  ca = opensslcnf.getcadata(ca_name)

  if os.path.isfile(ca.certificate):

    cacert = openssl.cert.X509CertificateClass(ca.certificate)

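    # Copy the CA certificate into certdir under a name derived from its
    # subject, and add a "<hash>.0" symlink that points at the copy.
    if certdir:

      # Convert character sets (in place, on the parsed certificate).
      # The loop variable is not called "dict" so that the builtin of that
      # name stays usable.
      for dn in [cacert.issuer,cacert.subject]:
        for attr in dn.keys():
          dn[attr] = charset.asn12iso(dn[attr])

      # New filename for CA cert.  The parts come from the certificate
      # itself, so a subject attribute that is absent becomes an empty part
      # instead of raising KeyError, and path separators inside a value are
      # replaced so the copy cannot land outside certdir.
      name_parts = []
      for attr in ['CN','OU','O','L','ST','C']:
        part = cacert.subject.get(attr,'')
        for sep in (os.sep,os.altsep):
          if sep:
            part = part.replace(sep,'_')
        name_parts.append(part)
      cacert_filename = '_'.join(name_parts) + os.path.splitext(ca.certificate)[1]
      # Copy the file
      shutil.copyfile(ca.certificate,os.path.join(certdir,cacert_filename))
      # Create appropriate symlink (relative: the link target is the bare
      # file name inside certdir)
      symlinkname = os.path.join(certdir,'%s.0' % (cacert.hash))
      try:
        os.symlink(cacert_filename,symlinkname)
      except OSError:
        sys.stderr.write('Warning: Could not create symbolic link.\n')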

    # Append CA certificate file to single certificate file
    if certfilename:
      cacertfile = open(ca.certificate,'r')
Example #12
  sys.stdout.write('</CENTER>\n</BODY>\n</HTML>\n')


else:

  # Text mode

  # Print one plain-text record per CA whose certificate file exists.
  for ca_name in ca_names:

    ca = opensslcnf.getcadata(ca_name)

    if os.path.isfile(ca.certificate):

      # Parse certificate textual output
      cacert = openssl.cert.X509CertificateClass(ca.certificate)

      # Convert character sets: every listed attribute gets an entry, an
      # absent one as an empty string, so the templates below always find
      # their keys.
      subject,issuer = {},{}
      for converted,parsed in [(subject,cacert.subject),(issuer,cacert.issuer)]:
        for attr in ['CN','Email','OU','O','L','ST','C']:
          converted[attr] = charset.asn12iso(parsed.get(attr,'')).strip()

      out = sys.stdout.write
      out('Subject:\nCommon Name: "%(CN)s"\nOrganizational Unit: "%(OU)s"\nOrganization: "%(O)s"\nLocation: "%(L)s"\nState/Province: "%(ST)s"\nCountry: "%(C)s"\n\n' % (subject))
      out('Issuer:\nCommon Name: "%(CN)s"\nOrganizational Unit: "%(OU)s"\nOrganization: "%(O)s"\nLocation: "%(L)s"\nState/Province: "%(ST)s"\nCountry: "%(C)s"\n\n' % (issuer))
      out('Serial: %s\n' % (cacert.serial))
      out('Validity: from %s until %s\n' % (cacert.notBefore,cacert.notAfter))
      out('Hash: %s\n' % (cacert.hash))
      # NOTE(review): MD5 and SHA-1 are no longer collision resistant; these
      # fingerprints identify the certificate for display but are a weak
      # basis for a trust decision.
      out('SHA-1 Fingerprint: %s\n' % (cacert.getfingerprint('sha1')))
      out('MD5   Fingerprint: %s\n' % (cacert.getfingerprint('md5')))
      # Separator line between two CA records
      out('\n%s\n\n' % (72*'-'))
Example #13
    PrintUsage('No valid serial number.')

else:
  PrintUsage('You have to provide the serial number of the certificate you want to revoke.')

ca = opensslcnf.getcadata(ca_name)

sys.stdout.write('Searching database %s for certificate %x...\n' % (ca.database,serial))
ca_db = openssl.db.OpenSSLcaDatabaseClass(ca.database)
result = ca_db.GetEntrybySerial(serial)

if result:
  sys.stdout.write("""Found the following certificate:
Serial number: %s
Distinguished Name: %s
""" % (result[DB_serial],charset.asn12iso(result[DB_name])))

  if result[DB_type]==DB_TYPE_REV:
    sys.stdout.write('Certificate already revoked since %s.\n' % strftime('%d.%m.%Y',localtime(mktime(dbtime2tuple(result[DB_rev_date])))))
    sys.exit(0)
  elif result[DB_type]==DB_TYPE_EXP:
    sys.stdout.write('Certificate already expired since %s.\n' % strftime('%d.%m.%Y',localtime(mktime(dbtime2tuple(result[DB_exp_date])))))
    sys.exit(0)
  elif result[DB_type]==DB_TYPE_VAL:
    sys.stdout.write('Valid until %s.\n\nRevoke the certificate? (y/n) ' % strftime('%d.%m.%Y',localtime(mktime(dbtime2tuple(result[DB_exp_date])))))
    answer = sys.stdin.readline()
    if string.lower(string.strip(answer))=='y':
      ca_db.Revoke(serial)
      sys.stdout.write('Certificate %x in %s marked as revoked.\n' % (serial,ca_name))
      # CA's private key present <=> we are on the private CA system
      if os.path.isfile(ca.certificate) and os.path.isfile(ca.private_key):
Example #14
    ca = opensslcnf.getcadata(ca_name)

    if ca.isclientcert() and \
       not ca.database in old_db_filenames and \
       os.path.isfile(ca.database):

        old_db_filenames.append(ca.database)

        certs_found = openssl.db.GetEntriesbyDN(ca.database,
                                                certdnfilter,
                                                casesensitive=1,
                                                onlyvalid=0)

        for cert_entry in certs_found:

            # DN of the database entry, converted by charset.asn12iso(),
            # then re-encoded with charset.iso2utf() and split by SplitDN()
            # into the mapping that fills the filter template.
            certdn = charset.asn12iso(cert_entry[openssl.db.DB_name])
            certdndict = openssl.db.SplitDN(charset.iso2utf(certdn))
            # NOTE(review): the DN attribute values are substituted into the
            # LDAP search filter as they are.  Characters that are special
            # in a filter ("*", "(", ")", "\") inside a certificate subject
            # would change which entries the search matches; escape each
            # value first (python-ldap offers
            # ldap.filter.escape_filter_chars) -- confirm whether SplitDN or
            # filtertemplate already take care of this.
            ldap_filter = filtertemplate % certdndict
            try:
                ldap_result = l.search_s(
                    basedn, ldap.SCOPE_SUBTREE, ldap_filter, [
                        'objectclass', 'userCertificate;binary',
                        'userSMIMECertificate;binary'
                    ], 0)
            except ldap.NO_SUCH_OBJECT:
                sys.stdout.write(
                    'Certificate subject "%s" not found with filter "%s".\n' %
                    (certdn, ldap_filter))
                ldap_result = []
            except:
                exc_obj, exc_value, exc_traceback = sys.exc_info()