def execute(self, serial_number, **options):
ca_enabled_check()
hostname = None
try:
self.check_access()
except errors.ACIError as acierr:
self.debug(
"Not granted by ACI to retrieve certificate, looking at principal"
)
bind_principal = getattr(context, 'principal')
if not bind_principal.startswith('host/'):
raise acierr
hostname = get_host_from_principal(bind_principal)
result = self.Backend.ra.get_certificate(serial_number)
cert = x509.load_certificate(result['certificate'])
result['subject'] = unicode(cert.subject)
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
if hostname:
# If we have a hostname we want to verify that the subject
# of the certificate matches it, otherwise raise an error
if hostname != cert.subject.common_name: #pylint: disable=E1101
raise acierr
return dict(result=result)
def set_certificate_attrs(entry_attrs):
"""
Set individual attributes from some values from a certificate.
entry_attrs is a dict of an entry
returns nothing
"""
if not 'usercertificate' in entry_attrs:
return
if type(entry_attrs['usercertificate']) in (list, tuple):
cert = entry_attrs['usercertificate'][0]
else:
cert = entry_attrs['usercertificate']
cert = x509.normalize_certificate(cert)
cert = x509.load_certificate(cert, datatype=x509.DER)
entry_attrs['subject'] = unicode(cert.subject)
entry_attrs['serial_number'] = unicode(cert.serial_number)
entry_attrs['serial_number_hex'] = u'0x%X' % cert.serial_number
entry_attrs['issuer'] = unicode(cert.issuer)
entry_attrs['valid_not_before'] = unicode(cert.valid_not_before_str)
entry_attrs['valid_not_after'] = unicode(cert.valid_not_after_str)
entry_attrs['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
entry_attrs['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
def execute(self, serial_number, **options):
ca_enabled_check()
hostname = None
try:
self.check_access()
except errors.ACIError as acierr:
self.debug("Not granted by ACI to retrieve certificate, looking at principal")
bind_principal = getattr(context, 'principal')
if not bind_principal.startswith('host/'):
raise acierr
hostname = get_host_from_principal(bind_principal)
result=self.Backend.ra.get_certificate(serial_number)
cert = x509.load_certificate(result['certificate'])
result['subject'] = unicode(cert.subject)
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
if hostname:
# If we have a hostname we want to verify that the subject
# of the certificate matches it, otherwise raise an error
if hostname != cert.subject.common_name: #pylint: disable=E1101
raise acierr
return dict(result=result)
def test_string(self):
if verbose:
print("Plain Text:\n%s" % (plain_text))
# Encode the plain text by feeding it to cipher_op getting cipher text back.
# Append the final bit of cipher text by calling digest_final
cipher_text = self.encoding_ctx.cipher_op(plain_text)
cipher_text += self.encoding_ctx.digest_final()
if verbose:
print("Cipher Text:\n%s" %
(nss.data_to_hex(cipher_text, separator=":")))
# Decode the cipher text by feeding it to cipher_op getting plain text back.
# Append the final bit of plain text by calling digest_final
decoded_text = self.decoding_ctx.cipher_op(cipher_text)
decoded_text += self.decoding_ctx.digest_final()
if verbose:
print("Decoded Text:\n%s" % (decoded_text))
# Validate the encryption/decryption by comparing the decoded text with
# the original plain text, they should match.
self.assertEqual(decoded_text, plain_text)
self.assertNotEqual(cipher_text, plain_text)
def generate_sym_key():
""" This Function generate Symmetric key and nonce data """
## Initialize NSS Database opens temporary database and the internal PKCS #112 module
nss.nss_init_nodb()
## Mechanism to be used for symmetric key
mechanism = nss.CKM_DES_CBC_PAD
# From the Soft token that we initialized get slot to generate symmetric key
slot = nss.get_best_slot(mechanism)
# Generate a symmetric key on the pk11 slot, The sym_key is of type PK11SymKey
sym_key = slot.key_gen(mechanism, None, slot.get_best_key_length(mechanism))
# Generate Nonce
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
# Generate Nonce
iv_data = nss.generate_random(iv_length)
# Pass this random data to NSS SecItem
iv_si = nss.SecItem(iv_data)
# Use the Data passed to SecItem for initialization Vector
iv_param = nss.param_from_iv(mechanism, iv_si)
# Random data is converted to hex
pki_nonce = nss.data_to_hex(data=iv_data, separator=":")
#print "generated %d bytes initialization vector: %s" % (iv_length, pki_nonce)
# Create a Symmetric key Context using the Symmetric key, nonce The context should be
# used for encrypt as well as decrypt
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT, sym_key, iv_param)
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT, sym_key, iv_param)
#return the symmetric key, nonce data, encoding context and decoding context to encrypt and
# decrypt
return sym_key, pki_nonce, encoding_ctx, decoding_ctx
def getKeyFromPassphrase(self, keylen):
pdialog = self.xml.get_widget("passphraseDialog")
phraseEntry = self.xml.get_widget("passphraseEntry")
phraseEntry.set_text('')
pdialog.show()
button = pdialog.run()
pdialog.hide()
if button != gtk.RESPONSE_OK and button != 0:
return None
phrase = phraseEntry.get_text()
try:
import nss.nss as nss
nss.nss_init_nodb()
shasum = nss.data_to_hex(nss.sha1_digest(phrase))
except:
import hashlib
shasum = hashlib.sha1(phrase).hexdigest()
if len(shasum) > keylen:
shasum = shasum[:keylen]
return shasum
def test_string(self):
if verbose:
print "Plain Text:\n%s" % (plain_text)
# Encode the plain text by feeding it to cipher_op getting cipher text back.
# Append the final bit of cipher text by calling digest_final
cipher_text = self.encoding_ctx.cipher_op(plain_text)
cipher_text += self.encoding_ctx.digest_final()
if verbose:
print "Cipher Text:\n%s" % (nss.data_to_hex(cipher_text, separator=":"))
# Decode the cipher text by feeding it to cipher_op getting plain text back.
# Append the final bit of plain text by calling digest_final
decoded_text = self.decoding_ctx.cipher_op(cipher_text)
decoded_text += self.decoding_ctx.digest_final()
if verbose:
print "Decoded Text:\n%s" % (decoded_text)
# Validate the encryption/decryption by comparing the decoded text with
# the original plain text, they should match.
self.assertEqual(decoded_text, plain_text)
self.assertNotEqual(cipher_text, plain_text)
def _parse(self, obj, full=True):
"""Extract certificate-specific data into a result object.
``obj``
Result object containing certificate, into which extracted
data will be inserted.
``full``
Whether to include all fields, or only the ones we guess
people want to see most of the time. Also add
recognised otherNames to the generic ``san_other``
attribute when ``True`` in addition to the specialised
attribute.
"""
cert = obj.get('certificate')
if cert is not None:
cert = x509.load_certificate(cert)
obj['subject'] = DN(unicode(cert.subject))
obj['issuer'] = DN(unicode(cert.issuer))
obj['serial_number'] = cert.serial_number
if full:
obj['valid_not_before'] = unicode(cert.valid_not_before_str)
obj['valid_not_after'] = unicode(cert.valid_not_after_str)
obj['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
obj['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
try:
ext_san = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
general_names = x509.decode_generalnames(ext_san.value)
except KeyError:
general_names = []
for name_type, _desc, name, der_name in general_names:
try:
self._add_san_attribute(obj, full, name_type, name,
der_name)
except Exception:
# Invalid GeneralName (i.e. not a valid X.509 cert);
# don't fail but log something about it
root_logger.warning(
"Encountered bad GeneralName; skipping", exc_info=True)
serial_number = obj.get('serial_number')
if serial_number is not None:
obj['serial_number_hex'] = u'0x%X' % serial_number
def verify_sym_key(archived_key, archived_iv, algorithm, plain_text):
""" This function verifies whether archived key is usable, Actually
verifying this is senseless, reason any random data can be used for encryption,
but still just for the heck of it.
"""
# Initialize NSS
nss.nss_init_nodb()
# Decode the base64 string to binary
key = base64.decodestring(archived_data)
# Currently we are assuming the mechanism to AES
# Will need to add other mechanisms later, but
# this is just an example.
mechanism = nss.CKM_AES_CBC_PAD
# Get the best pkcs11 slot
slot = nss.get_best_slot(mechanism)
# convert the binary to hex with separtor as :
pki_key = nss.data_to_hex(data=key,separator=":")
# create a nssSecItem object out of it.
key_si = nss.SecItem(nss.read_hex(pki_key))
# Import the key to the slot
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap, nss.CKA_ENCRYPT, key_si)
# Same for the nonce data
iv = base64.decodestring(archived_iv)
iv_data = nss.data_to_hex(data=iv,separator=":")
iv_si = nss.SecItem(nss.read_hex(iv_data))
iv_param = nss.param_from_iv(mechanism, iv_si)
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,sym_key, iv_param)
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,sym_key, iv_param)
cipher_text = encoding_ctx.cipher_op(plain_text)
cipher_text += encoding_ctx.digest_final()
print cipher_text
decoded_text = decoding_ctx.cipher_op(cipher_text)
decoded_text += decoding_ctx.digest_final()
print decoded_text
def _parse(self, obj, full=True):
"""Extract certificate-specific data into a result object.
``obj``
Result object containing certificate, into which extracted
data will be inserted.
``full``
Whether to include all fields, or only the ones we guess
people want to see most of the time. Also add
recognised otherNames to the generic ``san_other``
attribute when ``True`` in addition to the specialised
attribute.
"""
cert = obj.get('certificate')
if cert is not None:
cert = x509.load_certificate(cert)
obj['subject'] = DN(unicode(cert.subject))
obj['issuer'] = DN(unicode(cert.issuer))
obj['serial_number'] = cert.serial_number
if full:
obj['valid_not_before'] = unicode(cert.valid_not_before_str)
obj['valid_not_after'] = unicode(cert.valid_not_after_str)
obj['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
obj['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
try:
ext_san = cert.get_extension(nss.SEC_OID_X509_SUBJECT_ALT_NAME)
general_names = x509.decode_generalnames(ext_san.value)
except KeyError:
general_names = []
for name_type, desc, name, der_name in general_names:
try:
self._add_san_attribute(
obj, full, name_type, name, der_name)
except Exception as e:
# Invalid GeneralName (i.e. not a valid X.509 cert);
# don't fail but log something about it
root_logger.warning(
"Encountered bad GeneralName; skipping", exc_info=True)
serial_number = obj.get('serial_number')
if serial_number is not None:
obj['serial_number_hex'] = u'0x%X' % serial_number
def fmt_info(label, item, level=0, hex_data=False):
fmt_tuples = nss.make_line_fmt_tuples(level, label + ':')
if hex_data:
fmt_tuples.extend(
nss.make_line_fmt_tuples(level + 1, nss.data_to_hex(item, 16)))
elif isinstance(item, six.string_types):
fmt_tuples.extend(nss.make_line_fmt_tuples(level + 1, str(item)))
else:
fmt_tuples.extend(item.format_lines(level=level + 1))
return nss.indented_format(fmt_tuples)
def fmt_info(label, item, level=0, hex_data=False):
fmt_tuples = nss.make_line_fmt_tuples(level, label+':')
if hex_data:
fmt_tuples.extend(nss.make_line_fmt_tuples(level+1,
nss.data_to_hex(item, 16)))
elif isinstance(item, six.string_types):
fmt_tuples.extend(nss.make_line_fmt_tuples(level+1, str(item)))
else:
fmt_tuples.extend(item.format_lines(level=level+1))
return nss.indented_format(fmt_tuples)
def set_certificate_attrs(entry_attrs):
"""
Set individual attributes from some values from a certificate.
entry_attrs is a dict of an entry
returns nothing
"""
if not 'usercertificate' in entry_attrs:
return
if type(entry_attrs['usercertificate']) in (list, tuple):
cert = entry_attrs['usercertificate'][0]
else:
cert = entry_attrs['usercertificate']
cert = x509.normalize_certificate(cert)
cert = x509.load_certificate(cert, datatype=x509.DER)
entry_attrs['subject'] = unicode(cert.subject)
entry_attrs['serial_number'] = unicode(cert.serial_number)
entry_attrs['serial_number_hex'] = u'0x%X' % cert.serial_number
entry_attrs['issuer'] = unicode(cert.issuer)
entry_attrs['valid_not_before'] = unicode(cert.valid_not_before_str)
entry_attrs['valid_not_after'] = unicode(cert.valid_not_after_str)
entry_attrs['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
entry_attrs['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
def setup_contexts(mechanism, key, iv):
# Get a PK11 slot based on the cipher
slot = nss.get_best_slot(mechanism)
# If key was supplied use it, otherwise generate one
if key:
if verbose:
print("using supplied key data")
print("key:\n%s" % (key))
key_si = nss.SecItem(nss.read_hex(key))
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap,
nss.CKA_ENCRYPT, key_si)
else:
if verbose:
print("generating key data")
sym_key = slot.key_gen(mechanism, None,
slot.get_best_key_length(mechanism))
# If initialization vector was supplied use it, otherwise set it to None
if iv:
if verbose:
print("supplied iv:\n%s" % (iv))
iv_data = nss.read_hex(iv)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
iv_data = nss.generate_random(iv_length)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
if verbose:
print("generated %d byte initialization vector: %s" %
(iv_length, nss.data_to_hex(iv_data, separator=":")))
else:
iv_param = None
# Create an encoding context
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, iv_param)
# Create a decoding context
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, iv_param)
return encoding_ctx, decoding_ctx
def setup_contexts(mechanism, key, iv):
# Get a PK11 slot based on the cipher
slot = nss.get_best_slot(mechanism)
# If key was supplied use it, otherwise generate one
if key:
if verbose:
print "using supplied key data"
print "key:\n%s" % (key)
key_si = nss.SecItem(nss.read_hex(key))
sym_key = nss.import_sym_key(slot, mechanism, nss.PK11_OriginUnwrap,
nss.CKA_ENCRYPT, key_si)
else:
if verbose:
print "generating key data"
sym_key = slot.key_gen(mechanism, None, slot.get_best_key_length(mechanism))
# If initialization vector was supplied use it, otherwise set it to None
if iv:
if verbose:
print "supplied iv:\n%s" % (iv)
iv_data = nss.read_hex(iv)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
else:
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
iv_data = nss.generate_random(iv_length)
iv_si = nss.SecItem(iv_data)
iv_param = nss.param_from_iv(mechanism, iv_si)
if verbose:
print "generated %d byte initialization vector: %s" % \
(iv_length, nss.data_to_hex(iv_data, separator=":"))
else:
iv_param = None
# Create an encoding context
encoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_ENCRYPT,
sym_key, iv_param)
# Create a decoding context
decoding_ctx = nss.create_context_by_sym_key(mechanism, nss.CKA_DECRYPT,
sym_key, iv_param)
return encoding_ctx, decoding_ctx
def generate_sym_key():
""" This Function generate Symmetric key and nonce data """
## Initialize NSS Database opens temporary database and the internal PKCS #112 module
nss.nss_init_nodb()
## Mechanism to be used for symmetric key
mechanism = nss.CKM_DES_CBC_PAD
# From the Soft token that we initialized get slot to generate symmetric key
slot = nss.get_best_slot(mechanism)
# Generate a symmetric key on the pk11 slot, The sym_key is of type PK11SymKey
sym_key = slot.key_gen(mechanism, None,
slot.get_best_key_length(mechanism))
# Generate Nonce
iv_length = nss.get_iv_length(mechanism)
if iv_length > 0:
# Generate Nonce
iv_data = nss.generate_random(iv_length)
# Pass this random data to NSS SecItem
iv_si = nss.SecItem(iv_data)
# Use the Data passed to SecItem for initialization Vector
iv_param = nss.param_from_iv(mechanism, iv_si)
# Random data is converted to hex
pki_nonce = nss.data_to_hex(data=iv_data, separator=":")
#print "generated %d bytes initialization vector: %s" % (iv_length, pki_nonce)
# Create a Symmetric key Context using the Symmetric key, nonce The context should be
# used for encrypt as well as decrypt
encoding_ctx = nss.create_context_by_sym_key(mechanism,
nss.CKA_ENCRYPT, sym_key,
iv_param)
decoding_ctx = nss.create_context_by_sym_key(mechanism,
nss.CKA_DECRYPT, sym_key,
iv_param)
#return the symmetric key, nonce data, encoding context and decoding context to encrypt and
# decrypt
return sym_key, pki_nonce, encoding_ctx, decoding_ctx
def retrieve_security_data(self, recovery_request_id, passphrase=None):
"""
:param recovery_request_id: identifier of key recovery request
:param passphrase: passphrase to be used to wrap the data
Recover the passphrase or symmetric key. We require an approved
recovery request.
If a passphrase is provided, the DRM will return a blob that can be decrypted
with the passphrase. If not, then a symmetric key will be created to wrap the
data for transport to this server. Upon receipt, the data will be unwrapped
and returned unencrypted.
The command returns a dict with the values described in parse_key_data_xml(),
as well as the following field
+-----------------+---------------+-------------------------------------- +
|result name |result type |comments |
+=================+===============+=======================================+
|data |String | Key data (either wrapped using |
| | | passphrase or unwrapped) |
+-----------------+---------------+---------------------------------------+
"""
self.debug('%s.retrieve_security_data()', self.fullname)
if recovery_request_id is None:
raise CertificateOperationError(
error=_('Bad arguments to retrieve_security_data'))
# generate symmetric key
slot = nss.get_best_slot(self.mechanism)
session_key = slot.key_gen(
self.mechanism,
None,
slot.get_best_key_length(
self.mechanism))
# wrap this key with the transport cert
public_key = self.transport_cert.subject_public_key_info.public_key
wrapped_session_key = b64encode(
nss.pub_wrap_sym_key(
self.mechanism,
public_key,
session_key))
wrapped_passphrase = None
if passphrase is not None:
# wrap passphrase with session key
wrapped_session_key = b64encode(
self.symmetric_wrap(
passphrase,
session_key))
request = self.create_recovery_request(None, recovery_request_id,
wrapped_session_key,
wrapped_passphrase)
# Call CMS
http_status, http_reason_phrase, _http_headers, http_body = \
self._request('/kra/rest/agent/keys/retrieve',
self.kra_agent_port,
self.POST,
etree.tostring(request.getroot(), encoding='UTF-8'))
# Parse and handle errors
if (http_status != 200):
raise CertificateOperationError(error=_('Error in retrieving security data (%s)') %
http_reason_phrase)
parse_result = self.get_parse_result_xml(http_body, parse_key_data_xml)
if passphrase is None:
iv = nss.data_to_hex(
b64decode(
parse_result['nonce_data']))
parse_result['data'] = self.symmetric_unwrap(
b64decode(parse_result['wrapped_data']),
session_key, iv)
return parse_result
def retrieve_security_data(self, recovery_request_id, passphrase=None):
"""
:param recovery_request_id: identifier of key recovery request
:param passphrase: passphrase to be used to wrap the data
Recover the passphrase or symmetric key. We require an approved
recovery request.
If a passphrase is provided, the DRM will return a blob that can be decrypted
with the passphrase. If not, then a symmetric key will be created to wrap the
data for transport to this server. Upon receipt, the data will be unwrapped
and returned unencrypted.
The command returns a dict with the values described in parse_key_data_xml(),
as well as the following field
+-----------------+---------------+-------------------------------------- +
|result name |result type |comments |
+=================+===============+=======================================+
|data |String | Key data (either wrapped using |
| | | passphrase or unwrapped) |
+-----------------+---------------+---------------------------------------+
"""
self.debug('%s.retrieve_security_data()', self.fullname)
if recovery_request_id is None:
raise CertificateOperationError(
error=_('Bad arguments to retrieve_security_data'))
# generate symmetric key
slot = nss.get_best_slot(self.mechanism)
session_key = slot.key_gen(self.mechanism, None,
slot.get_best_key_length(self.mechanism))
# wrap this key with the transport cert
public_key = self.transport_cert.subject_public_key_info.public_key
wrapped_session_key = b64encode(
nss.pub_wrap_sym_key(self.mechanism, public_key, session_key))
wrapped_passphrase = None
if passphrase is not None:
# wrap passphrase with session key
wrapped_session_key = b64encode(
self.symmetric_wrap(passphrase, session_key))
request = self.create_recovery_request(None, recovery_request_id,
wrapped_session_key,
wrapped_passphrase)
# Call CMS
http_status, http_reason_phrase, _http_headers, http_body = \
self._request('/kra/rest/agent/keys/retrieve',
self.kra_agent_port,
self.POST,
etree.tostring(request.getroot(), encoding='UTF-8'))
# Parse and handle errors
if (http_status != 200):
raise CertificateOperationError(
error=_('Error in retrieving security data (%s)') %
http_reason_phrase)
parse_result = self.get_parse_result_xml(http_body, parse_key_data_xml)
if passphrase is None:
iv = nss.data_to_hex(b64decode(parse_result['nonce_data']))
parse_result['data'] = self.symmetric_unwrap(
b64decode(parse_result['wrapped_data']), session_key, iv)
return parse_result
pass
if not principal.startswith('host/'):
api.Command['service_mod'](principal, usercertificate=None)
else:
hostname = get_host_from_principal(principal)
api.Command['host_mod'](hostname, usercertificate=None)
# Request the certificate
result = self.Backend.ra.request_certificate(csr,
request_type=request_type)
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
# Success? Then add it to the service entry.
if 'certificate' in result:
if not principal.startswith('host/'):
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['service_mod'](principal, **skw)
else:
hostname = get_host_from_principal(principal)
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['host_mod'](hostname, **skw)
return dict(result=result)
def execute(self, csr, **kw):
ca_enabled_check()
ldap = self.api.Backend.ldap2
add = kw.get('add')
request_type = kw.get('request_type')
profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)
ca = '.' # top-level CA hardcoded until subca plugin implemented
"""
Access control is partially handled by the ACI titled
'Hosts can modify service userCertificate'. This is for the case
where a machine binds using a host/ prinicpal. It can only do the
request if the target hostname is in the managedBy attribute which
is managed using the add/del member commands.
Binding with a user principal one needs to be in the request_certs
taskgroup (directly or indirectly via role membership).
"""
principal_string = kw.get('principal')
principal = split_any_principal(principal_string)
servicename, principal_name, realm = principal
if servicename is None:
principal_type = USER
elif servicename == 'host':
principal_type = HOST
else:
principal_type = SERVICE
bind_principal = split_any_principal(getattr(context, 'principal'))
bind_service, bind_name, bind_realm = bind_principal
if bind_service is None:
bind_principal_type = USER
elif bind_service == 'host':
bind_principal_type = HOST
else:
bind_principal_type = SERVICE
if bind_principal != principal and bind_principal_type != HOST:
# Can the bound principal request certs for another principal?
self.check_access()
try:
self.check_access("request certificate ignore caacl")
bypass_caacl = True
except errors.ACIError:
bypass_caacl = False
if not bypass_caacl:
caacl_check(principal_type, principal_string, ca, profile_id)
try:
subject = pkcs10.get_subject(csr)
extensions = pkcs10.get_extensions(csr)
subjectaltname = pkcs10.get_subjectaltname(csr) or ()
except (NSPRError, PyAsn1Error) as e:
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") % e)
# self-service and host principals may bypass SAN permission check
if bind_principal != principal and bind_principal_type != HOST:
if '2.5.29.17' in extensions:
self.check_access('request certificate with subjectaltname')
dn = None
principal_obj = None
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
if principal_type == SERVICE:
principal_obj = api.Command['service_show'](principal_string, all=True)
elif principal_type == HOST:
principal_obj = api.Command['host_show'](principal_name, all=True)
elif principal_type == USER:
principal_obj = api.Command['user_show'](principal_name, all=True)
except errors.NotFound as e:
if principal_type == SERVICE and add:
principal_obj = api.Command['service_add'](principal_string, force=True)
else:
raise errors.NotFound(
reason=_("The principal for this request doesn't exist."))
principal_obj = principal_obj['result']
dn = principal_obj['dn']
# Ensure that the DN in the CSR matches the principal
cn = subject.common_name #pylint: disable=E1101
if not cn:
raise errors.ValidationError(name='csr',
error=_("No Common Name was found in subject of request."))
if principal_type in (SERVICE, HOST):
if cn.lower() != principal_name.lower():
raise errors.ACIError(
info=_("hostname in subject of request '%(cn)s' "
"does not match principal hostname '%(hostname)s'")
% dict(cn=cn, hostname=principal_name))
elif principal_type == USER:
# check user name
if cn != principal_name:
raise errors.ValidationError(
name='csr',
error=_("DN commonName does not match user's login")
)
# check email address
mail = subject.email_address #pylint: disable=E1101
if mail is not None and mail not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_(
"DN emailAddress does not match "
"any of user's email addresses")
)
# We got this far so the principal entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(info=_("Insufficient 'write' privilege "
"to the 'userCertificate' attribute of entry '%s'.") % dn)
# Validate the subject alt name, if any
for name_type, name in subjectaltname:
if name_type == pkcs10.SAN_DNSNAME:
name = unicode(name)
alt_principal_obj = None
alt_principal_string = None
try:
if principal_type == HOST:
alt_principal_string = 'host/%s@%s' % (name, realm)
alt_principal_obj = api.Command['host_show'](name, all=True)
elif principal_type == SERVICE:
alt_principal_string = '%s/%s@%s' % (servicename, name, realm)
alt_principal_obj = api.Command['service_show'](
alt_principal_string, all=True)
elif principal_type == USER:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for user principals") % name_type
)
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
# host record related to this certificate.
raise errors.NotFound(reason=_('The service principal for '
'subject alt name %s in certificate request does not '
'exist') % name)
if alt_principal_obj is not None:
altdn = alt_principal_obj['result']['dn']
if not ldap.can_write(altdn, "usercertificate"):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
if alt_principal_string is not None and not bypass_caacl:
caacl_check(
principal_type, alt_principal_string, ca, profile_id)
elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
pkcs10.SAN_OTHERNAME_UPN):
if split_any_principal(name) != principal:
raise errors.ACIError(
info=_("Principal '%s' in subject alt name does not "
"match requested principal") % name)
elif name_type == pkcs10.SAN_RFC822NAME:
if principal_type == USER:
if name not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_(
"RFC822Name does not match "
"any of user's email addresses")
)
else:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for non-user principals") % name_type
)
else:
raise errors.ACIError(
info=_("Subject alt name type %s is forbidden") %
name_type)
# Request the certificate
result = self.Backend.ra.request_certificate(
csr, profile_id, request_type=request_type)
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
# Success? Then add it to the principal's entry
# (unless the profile tells us not to)
profile = api.Command['certprofile_show'](profile_id)
store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE'
if store and 'certificate' in result:
cert = str(result.get('certificate'))
kwargs = dict(addattr=u'usercertificate={}'.format(cert))
if principal_type == SERVICE:
api.Command['service_mod'](principal_string, **kwargs)
elif principal_type == HOST:
api.Command['host_mod'](principal_name, **kwargs)
elif principal_type == USER:
api.Command['user_mod'](principal_name, **kwargs)
return dict(
result=result
)
if tblast and len(tblast) > 3:
ll = []
ll.extend(tblast[:3])
ll[0] = os.path.basename(tblast[0])
tblast = ll
ntext = ""
try:
import nss.nss as nss
nss.nss_init_nodb()
context = nss.create_digest_context(nss.SEC_OID_MD5)
context.digest_begin()
for t in tblast:
ntext += str(t) + ":"
context.digest_op(str(t))
hexdigest = nss.data_to_hex(context.digest_final())
except:
import hashlib
m = hashlib.md5()
for t in tblast:
ntext += str(t) + ":"
m.update(str(t))
hexdigest = m.hexdigest()
text += str(hexdigest)[:8] + " " + ntext
text += extxt[0]
text += "\n"
text += "".join(elist)
trace = tb
class cert_request(VirtualCommand):
__doc__ = _('Submit a certificate signing request.')
takes_args = (File(
'csr',
validate_csr,
label=_('CSR'),
cli_name='csr_file',
normalizer=normalize_csr,
), )
operation = "request certificate"
takes_options = (
Str(
'principal',
label=_('Principal'),
doc=
_('Service principal for this certificate (e.g. HTTP/test.example.com)'
),
),
Str(
'request_type',
default=u'pkcs10',
autofill=True,
),
Flag('add',
doc=_("automatically add the principal if it doesn't exist"),
default=False,
autofill=True),
)
has_output_params = (
Str(
'certificate',
label=_('Certificate'),
),
Str(
'subject',
label=_('Subject'),
),
Str(
'issuer',
label=_('Issuer'),
),
Str(
'valid_not_before',
label=_('Not Before'),
),
Str(
'valid_not_after',
label=_('Not After'),
),
Str(
'md5_fingerprint',
label=_('Fingerprint (MD5)'),
),
Str(
'sha1_fingerprint',
label=_('Fingerprint (SHA1)'),
),
Str(
'serial_number',
label=_('Serial number'),
),
Str(
'serial_number_hex',
label=_('Serial number (hex)'),
),
)
has_output = (Output(
'result',
type=dict,
doc=_('Dictionary mapping variable name to value'),
), )
def execute(self, csr, **kw):
ldap = self.api.Backend.ldap2
principal = kw.get('principal')
add = kw.get('add')
del kw['principal']
del kw['add']
service = None
"""
Access control is partially handled by the ACI titled
'Hosts can modify service userCertificate'. This is for the case
where a machine binds using a host/ prinicpal. It can only do the
request if the target hostname is in the managedBy attribute which
is managed using the add/del member commands.
Binding with a user principal one needs to be in the request_certs
taskgroup (directly or indirectly via role membership).
"""
bind_principal = getattr(context, 'principal')
# Can this user request certs?
if not bind_principal.startswith('host/'):
self.check_access()
# FIXME: add support for subject alt name
# Ensure that the hostname in the CSR matches the principal
subject_host = get_csr_hostname(csr)
(servicename, hostname, realm) = split_principal(principal)
if subject_host.lower() != hostname.lower():
raise errors.ACIError(
info=_("hostname in subject of request '%(subject_host)s' "
"does not match principal hostname '%(hostname)s'") %
dict(subject_host=subject_host, hostname=hostname))
dn = None
service = None
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
if not principal.startswith('host/'):
service = api.Command['service_show'](principal,
all=True,
raw=True)['result']
dn = service['dn']
else:
hostname = get_host_from_principal(principal)
service = api.Command['host_show'](hostname,
all=True,
raw=True)['result']
dn = service['dn']
except errors.NotFound, e:
if not add:
raise errors.NotFound(reason=_("The service principal for "
"this request doesn't exist."))
try:
service = api.Command['service_add'](principal, **{
'force': True
})['result']
dn = service['dn']
except errors.ACIError:
raise errors.ACIError(
info=_('You need to be a member of '
'the serviceadmin role to add services'))
# We got this far so the service entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(
info=_("Insufficient 'write' privilege "
"to the 'userCertificate' attribute of entry '%s'.") %
dn)
# Validate the subject alt name, if any
request = pkcs10.load_certificate_request(csr)
subjectaltname = pkcs10.get_subjectaltname(request)
if subjectaltname is not None:
for name in subjectaltname:
name = unicode(name)
try:
hostentry = api.Command['host_show'](name,
all=True,
raw=True)['result']
hostdn = hostentry['dn']
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
# host record related to this certificate.
raise errors.NotFound(reason=_(
'no host record for '
'subject alt name %s in certificate request') % name)
authprincipal = getattr(context, 'principal')
if authprincipal.startswith("host/"):
if not hostdn in service.get('managedby', []):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
if 'usercertificate' in service:
serial = x509.get_serial_number(service['usercertificate'][0],
datatype=x509.DER)
# revoke the certificate and remove it from the service
# entry before proceeding. First we retrieve the certificate to
# see if it is already revoked, if not then we revoke it.
try:
result = api.Command['cert_show'](unicode(serial))['result']
if 'revocation_reason' not in result:
try:
api.Command['cert_revoke'](unicode(serial),
revocation_reason=4)
except errors.NotImplementedError:
# some CA's might not implement revoke
pass
except errors.NotImplementedError:
# some CA's might not implement get
pass
if not principal.startswith('host/'):
api.Command['service_mod'](principal, usercertificate=None)
else:
hostname = get_host_from_principal(principal)
api.Command['host_mod'](hostname, usercertificate=None)
# Request the certificate
result = self.Backend.ra.request_certificate(csr, **kw)
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
# Success? Then add it to the service entry.
if 'certificate' in result:
if not principal.startswith('host/'):
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['service_mod'](principal, **skw)
else:
hostname = get_host_from_principal(principal)
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['host_mod'](hostname, **skw)
return dict(result=result)
(1, 'Data:')])
print nss.indented_format([(2, 'Version: %d (%#x)' % (cert.version+1, cert.version))])
print nss.indented_format([(2, 'Serial Number: %d (%#x)' % (cert.serial_number, cert.serial_number))])
print nss.indented_format([(2, 'Signature Algorithm:')])
print nss.indented_format(cert.signature_algorithm.format_lines(3))
print nss.indented_format([(2, 'Issuer: "%s"' % cert.issuer)])
print nss.indented_format([(2, 'Validity:'),
(3, 'Not Before: %s' % cert.valid_not_before_str),
(3, 'Not After: %s' % cert.valid_not_after_str)])
print nss.indented_format([(2, 'Subject: "%s"' % cert.subject)])
print nss.indented_format([(2, 'Subject Public Key Info:')])
print nss.indented_format(cert.subject_public_key_info.format_lines(3))
if len(extensions) > 0:
print nss.indented_format([(1, 'Signed Extensions: (%d)' % len(extensions))])
for extension in extensions:
print_extension(2, extension)
print nss.indented_format(cert.signed_data.format_lines(1))
print nss.indented_format([(1, 'Fingerprint (MD5):')])
print nss.indented_format(nss.make_line_fmt_tuples(2,
nss.data_to_hex(nss.md5_digest(cert.der_data),
nss.OCTETS_PER_LINE_DEFAULT)))
print nss.indented_format([(1, 'Fingerprint (SHA1):')])
print nss.indented_format(nss.make_line_fmt_tuples(2,
nss.data_to_hex(nss.sha1_digest(cert.der_data),
nss.OCTETS_PER_LINE_DEFAULT)))
def do_test(self, name, ref_cmd, nss_digest_func, hash_oid):
hash_oid_name = nss.oid_str(hash_oid)
if verbose:
print(
'running test %s: nss_digest_func=%s hash_oid=%s in_filename=%s'
% (name, nss_digest_func.__name__, hash_oid_name, in_filename))
# read binary data in from the file
with open(in_filename, "rb") as f:
ref_data = f.read()
# Run the system hash function to get a reference result.
# Since we're testing the python-nss binding we assume
# the system command is entirely independent and correct.
#
# Because our digest routines return binary data (e.g. a buffer
# of octets) and the system hash command returns a hex string
# which we need to compare against, and because we sometimes
# want to print the result of our digest functions always
# convert our results to a hex string via nss.data_to_hex()
#
# We want to read the reference result from the subprocess as text
# not binary, thus universal_newlines must be True.
proc = subprocess.Popen([ref_cmd, in_filename],
stdout=subprocess.PIPE,
universal_newlines=True)
stdout, stderr = proc.communicate()
reference_digest = stdout.split()[0]
if verbose:
print('reference_digest\n%s' % (reference_digest))
# Run the test with convenience digest function (e.g. nss.sha256_digest, etc.).
test_digest = nss.data_to_hex(nss_digest_func(ref_data),
separator=None)
if verbose:
print('nss %s\n%s' % (nss_digest_func.__name__, test_digest))
self.assertEqual(
test_digest,
reference_digest,
msg='nss %s test failed reference=%s test=%s' %
(nss_digest_func.__name__, reference_digest, test_digest),
)
# Run the test using the generic hash_buf function specifying the hash algorithm.
test_digest = nss.data_to_hex(nss.hash_buf(hash_oid, ref_data),
separator=None)
if verbose:
print('nss.hash_buf %s\n%s' % (hash_oid_name, test_digest))
self.assertEqual(
test_digest,
reference_digest,
msg='nss.hash_buf %s test failed reference=%s test=%s' %
(hash_oid_name, reference_digest, test_digest),
)
# Run the test using the lowest level hashing functions by specifying the hash algorithm.
# The entire input data is supplied all at once in a single call.
context = nss.create_digest_context(hash_oid)
context.digest_begin()
context.digest_op(ref_data)
test_digest = nss.data_to_hex(context.digest_final(), separator=None)
if verbose:
print('nss.digest_context %s\n%s' % (hash_oid_name, test_digest))
self.assertEqual(
test_digest,
reference_digest,
msg='nss.digest_context %s test failed reference=%s test=%s' %
(hash_oid_name, reference_digest, test_digest),
)
# Run the test using the lowest level hashing functions by specifying the hash algorithm
# and feeding 'chunks' of data one at a time to be consumed.
with open(in_filename, 'rb') as in_file:
context = nss.create_digest_context(hash_oid)
context.digest_begin()
while True:
in_data = in_file.read(chunk_size)
if len(in_data) == 0:
break
context.digest_op(in_data)
test_digest = nss.data_to_hex(context.digest_final(), separator=None)
if verbose:
print('chunked nss.digest_context %s\n%s' %
(hash_oid_name, test_digest))
self.assertEqual(
test_digest,
reference_digest,
msg='chunked nss.digest_context %s test failed reference=%s test=%s'
% (hash_oid_name, reference_digest, test_digest),
)
# some CA's might not implement get
pass
if not principal.startswith('host/'):
api.Command['service_mod'](principal, usercertificate=None)
else:
hostname = get_host_from_principal(principal)
api.Command['host_mod'](hostname, usercertificate=None)
# Request the certificate
result = self.Backend.ra.request_certificate(
csr, request_type=request_type)
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
# Success? Then add it to the service entry.
if 'certificate' in result:
if not principal.startswith('host/'):
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['service_mod'](principal, **skw)
else:
hostname = get_host_from_principal(principal)
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['host_mod'](hostname, **skw)
return dict(
result=result
)
class cert_show(VirtualCommand):
__doc__ = _('Retrieve an existing certificate.')
takes_args = _serial_number
has_output_params = (
Str(
'certificate',
label=_('Certificate'),
),
Str(
'subject',
label=_('Subject'),
),
Str(
'issuer',
label=_('Issuer'),
),
Str(
'valid_not_before',
label=_('Not Before'),
),
Str(
'valid_not_after',
label=_('Not After'),
),
Str(
'md5_fingerprint',
label=_('Fingerprint (MD5)'),
),
Str(
'sha1_fingerprint',
label=_('Fingerprint (SHA1)'),
),
Str(
'revocation_reason',
label=_('Revocation reason'),
),
Str(
'serial_number_hex',
label=_('Serial number (hex)'),
),
)
takes_options = (Str(
'out?',
label=_('Output filename'),
doc=_('File to store the certificate in.'),
exclude='webui',
), )
operation = "retrieve certificate"
def execute(self, serial_number, **options):
hostname = None
try:
self.check_access()
except errors.ACIError, acierr:
self.debug(
"Not granted by ACI to retrieve certificate, looking at principal"
)
bind_principal = getattr(context, 'principal')
if not bind_principal.startswith('host/'):
raise acierr
hostname = get_host_from_principal(bind_principal)
result = self.Backend.ra.get_certificate(serial_number)
cert = x509.load_certificate(result['certificate'])
result['subject'] = unicode(cert.subject)
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
if hostname:
# If we have a hostname we want to verify that the subject
# of the certificate matches it, otherwise raise an error
if hostname != cert.subject.common_name: #pylint: disable=E1101
raise acierr
return dict(result=result)
def do_test(self, name, ref_cmd, nss_digest_func, hash_oid):
hash_oid_name = nss.oid_str(hash_oid)
if verbose:
print 'running test %s: nss_digest_func=%s hash_oid=%s in_filename=%s' % \
(name, nss_digest_func.__name__, hash_oid_name, in_filename)
# read the data in from the file
ref_data = open(in_filename).read()
# Run the system hash function to get a reference result.
# Since we're testing the python-nss binding we assume
# the system command is entirely independent and correct.
#
# Because our digest routines return raw data (e.g. a buffer of octets)
# and the system hash command returns a hex string which we need to compare agains,
# and because we sometimes want to print the result of our digest functions
# always convert our results to a hex string via nss.data_to_hex()
proc = subprocess.Popen([ref_cmd, in_filename], stdout=subprocess.PIPE)
status = proc.wait()
reference_digest = proc.stdout.read().split()[0]
if verbose:
print 'reference_digest\n%s' % (reference_digest)
# Run the test with convenience digest function (e.g. nss.sha256_digest, etc.).
test_digest = nss.data_to_hex(nss_digest_func(ref_data),
separator=None)
if verbose:
print 'nss %s\n%s' % (nss_digest_func.__name__, test_digest)
self.assertEqual(test_digest, reference_digest,
msg='nss %s test failed reference=%s test=%s' % \
(nss_digest_func.__name__, reference_digest, test_digest))
# Run the test using the generic hash_buf function specifying the hash algorithm.
test_digest = nss.data_to_hex(nss.hash_buf(hash_oid, ref_data),
separator=None)
if verbose: print 'nss.hash_buf %s\n%s' % (hash_oid_name, test_digest)
self.assertEqual(test_digest, reference_digest,
msg='nss.hash_buf %s test failed reference=%s test=%s' % \
(hash_oid_name, reference_digest, test_digest))
# Run the test using the lowest level hashing functions by specifying the hash algorithm.
# The entire input data is supplied all at once in a single call.
context = nss.create_digest_context(hash_oid)
context.digest_begin()
context.digest_op(ref_data)
test_digest = nss.data_to_hex(context.digest_final(), separator=None)
if verbose:
print 'nss.digest_context %s\n%s' % (hash_oid_name, test_digest)
self.assertEqual(test_digest, reference_digest,
msg='nss.digest_context %s test failed reference=%s test=%s' % \
(hash_oid_name, reference_digest, test_digest))
# Run the test using the lowest level hashing functions by specifying the hash algorithm
# and feeding 'chunks' of data one at a time to be consumed.
in_file = open(in_filename, 'r')
context = nss.create_digest_context(hash_oid)
context.digest_begin()
while True:
in_data = in_file.read(chunk_size)
if len(in_data) == 0:
break
context.digest_op(in_data)
test_digest = nss.data_to_hex(context.digest_final(), separator=None)
if verbose:
print 'chunked nss.digest_context %s\n%s' % (hash_oid_name,
test_digest)
self.assertEqual(test_digest, reference_digest,
msg='chunked nss.digest_context %s test failed reference=%s test=%s' % \
(hash_oid_name, reference_digest, test_digest))
def execute(self, csr, **kw):
ca_enabled_check()
ldap = self.api.Backend.ldap2
add = kw.get('add')
request_type = kw.get('request_type')
profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)
ca = '.' # top-level CA hardcoded until subca plugin implemented
"""
Access control is partially handled by the ACI titled
'Hosts can modify service userCertificate'. This is for the case
where a machine binds using a host/ prinicpal. It can only do the
request if the target hostname is in the managedBy attribute which
is managed using the add/del member commands.
Binding with a user principal one needs to be in the request_certs
taskgroup (directly or indirectly via role membership).
"""
principal_string = kw.get('principal')
principal = split_any_principal(principal_string)
servicename, principal_name, realm = principal
if servicename is None:
principal_type = USER
elif servicename == 'host':
principal_type = HOST
else:
principal_type = SERVICE
bind_principal = split_any_principal(getattr(context, 'principal'))
bind_service, bind_name, bind_realm = bind_principal
if bind_service is None:
bind_principal_type = USER
elif bind_service == 'host':
bind_principal_type = HOST
else:
bind_principal_type = SERVICE
if bind_principal != principal and bind_principal_type != HOST:
# Can the bound principal request certs for another principal?
self.check_access()
try:
self.check_access("request certificate ignore caacl")
bypass_caacl = True
except errors.ACIError:
bypass_caacl = False
if not bypass_caacl:
caacl_check(principal_type, principal_string, ca, profile_id)
try:
subject = pkcs10.get_subject(csr)
extensions = pkcs10.get_extensions(csr)
subjectaltname = pkcs10.get_subjectaltname(csr) or ()
except (NSPRError, PyAsn1Error, ValueError) as e:
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") %
e)
# self-service and host principals may bypass SAN permission check
if bind_principal != principal and bind_principal_type != HOST:
if '2.5.29.17' in extensions:
self.check_access('request certificate with subjectaltname')
dn = None
principal_obj = None
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
if principal_type == SERVICE:
principal_obj = api.Command['service_show'](principal_string,
all=True)
elif principal_type == HOST:
principal_obj = api.Command['host_show'](principal_name,
all=True)
elif principal_type == USER:
principal_obj = api.Command['user_show'](principal_name,
all=True)
except errors.NotFound as e:
if principal_type == SERVICE and add:
principal_obj = api.Command['service_add'](principal_string,
force=True)
else:
raise errors.NotFound(
reason=_("The principal for this request doesn't exist."))
principal_obj = principal_obj['result']
dn = principal_obj['dn']
# Ensure that the DN in the CSR matches the principal
cn = subject.common_name #pylint: disable=E1101
if not cn:
raise errors.ValidationError(
name='csr',
error=_("No Common Name was found in subject of request."))
if principal_type in (SERVICE, HOST):
if cn.lower() != principal_name.lower():
raise errors.ACIError(info=_(
"hostname in subject of request '%(cn)s' "
"does not match principal hostname '%(hostname)s'") %
dict(cn=cn, hostname=principal_name))
elif principal_type == USER:
# check user name
if cn != principal_name:
raise errors.ValidationError(
name='csr',
error=_("DN commonName does not match user's login"))
# check email address
mail = subject.email_address #pylint: disable=E1101
if mail is not None and mail not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_("DN emailAddress does not match "
"any of user's email addresses"))
# We got this far so the principal entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(
info=_("Insufficient 'write' privilege "
"to the 'userCertificate' attribute of entry '%s'.") %
dn)
# Validate the subject alt name, if any
for name_type, name in subjectaltname:
if name_type == pkcs10.SAN_DNSNAME:
name = unicode(name)
alt_principal_obj = None
alt_principal_string = None
try:
if principal_type == HOST:
alt_principal_string = 'host/%s@%s' % (name, realm)
alt_principal_obj = api.Command['host_show'](name,
all=True)
elif principal_type == SERVICE:
alt_principal_string = '%s/%s@%s' % (servicename, name,
realm)
alt_principal_obj = api.Command['service_show'](
alt_principal_string, all=True)
elif principal_type == USER:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for user principals") % name_type)
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
# host record related to this certificate.
raise errors.NotFound(reason=_(
'The service principal for '
'subject alt name %s in certificate request does not '
'exist') % name)
if alt_principal_obj is not None:
altdn = alt_principal_obj['result']['dn']
if not ldap.can_write(altdn, "usercertificate"):
raise errors.ACIError(info=_(
"Insufficient privilege to create a certificate "
"with subject alt name '%s'.") % name)
if alt_principal_string is not None and not bypass_caacl:
caacl_check(principal_type, alt_principal_string, ca,
profile_id)
elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
pkcs10.SAN_OTHERNAME_UPN):
if split_any_principal(name) != principal:
raise errors.ACIError(
info=_("Principal '%s' in subject alt name does not "
"match requested principal") % name)
elif name_type == pkcs10.SAN_RFC822NAME:
if principal_type == USER:
if name not in principal_obj.get('mail', []):
raise errors.ValidationError(
name='csr',
error=_("RFC822Name does not match "
"any of user's email addresses"))
else:
raise errors.ValidationError(
name='csr',
error=_("subject alt name type %s is forbidden "
"for non-user principals") % name_type)
else:
raise errors.ACIError(
info=_("Subject alt name type %s is forbidden") %
name_type)
# Request the certificate
result = self.Backend.ra.request_certificate(csr,
profile_id,
request_type=request_type)
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(
nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(
nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
# Success? Then add it to the principal's entry
# (unless the profile tells us not to)
profile = api.Command['certprofile_show'](profile_id)
store = profile['result']['ipacertprofilestoreissued'][0] == 'TRUE'
if store and 'certificate' in result:
cert = str(result.get('certificate'))
kwargs = dict(addattr=u'usercertificate={}'.format(cert))
if principal_type == SERVICE:
api.Command['service_mod'](principal_string, **kwargs)
elif principal_type == HOST:
api.Command['host_mod'](principal_name, **kwargs)
elif principal_type == USER:
api.Command['user_mod'](principal_name, **kwargs)
return dict(result=result)
def do_test(self, name, ref_cmd, nss_digest_func, hash_oid):
hash_oid_name = nss.oid_str(hash_oid)
if verbose:
print 'running test %s: nss_digest_func=%s hash_oid=%s in_filename=%s' % \
(name, nss_digest_func.__name__, hash_oid_name, in_filename)
# read the data in from the file
ref_data = open(in_filename).read()
# Run the system hash function to get a reference result.
# Since we're testing the python-nss binding we assume
# the system command is entirely independent and correct.
#
# Because our digest routines return raw data (e.g. a buffer of octets)
# and the system hash command returns a hex string which we need to compare agains,
# and because we sometimes want to print the result of our digest functions
# always convert our results to a hex string via nss.data_to_hex()
proc = subprocess.Popen([ref_cmd, in_filename], stdout=subprocess.PIPE)
status = proc.wait();
reference_digest = proc.stdout.read().split()[0]
if verbose:
print 'reference_digest\n%s' % (reference_digest)
# Run the test with convenience digest function (e.g. nss.sha256_digest, etc.).
test_digest = nss.data_to_hex(nss_digest_func(ref_data), separator=None)
if verbose: print 'nss %s\n%s' % (nss_digest_func.__name__, test_digest)
self.assertEqual(test_digest, reference_digest,
msg='nss %s test failed reference=%s test=%s' % \
(nss_digest_func.__name__, reference_digest, test_digest))
# Run the test using the generic hash_buf function specifying the hash algorithm.
test_digest = nss.data_to_hex(nss.hash_buf(hash_oid, ref_data), separator=None)
if verbose: print 'nss.hash_buf %s\n%s' % (hash_oid_name, test_digest)
self.assertEqual(test_digest, reference_digest,
msg='nss.hash_buf %s test failed reference=%s test=%s' % \
(hash_oid_name, reference_digest, test_digest))
# Run the test using the lowest level hashing functions by specifying the hash algorithm.
# The entire input data is supplied all at once in a single call.
context = nss.create_digest_context(hash_oid)
context.digest_begin()
context.digest_op(ref_data)
test_digest = nss.data_to_hex(context.digest_final(), separator=None)
if verbose: print 'nss.digest_context %s\n%s' % (hash_oid_name, test_digest)
self.assertEqual(test_digest, reference_digest,
msg='nss.digest_context %s test failed reference=%s test=%s' % \
(hash_oid_name, reference_digest, test_digest))
# Run the test using the lowest level hashing functions by specifying the hash algorithm
# and feeding 'chunks' of data one at a time to be consumed.
in_file = open(in_filename, 'r')
context = nss.create_digest_context(hash_oid)
context.digest_begin()
while True:
in_data = in_file.read(chunk_size)
if len(in_data) == 0:
break
context.digest_op(in_data)
test_digest = nss.data_to_hex(context.digest_final(), separator=None)
if verbose: print 'chunked nss.digest_context %s\n%s' % (hash_oid_name, test_digest)
self.assertEqual(test_digest, reference_digest,
msg='chunked nss.digest_context %s test failed reference=%s test=%s' % \
(hash_oid_name, reference_digest, test_digest))
(3, 'Not Before: %s' % cert.valid_not_before_str),
(3, 'Not After: %s' % cert.valid_not_after_str)]))
print(nss.indented_format([(2, 'Subject: "%s"' % cert.subject)]))
print(nss.indented_format([(2, 'Subject Public Key Info:')]))
print(nss.indented_format(cert.subject_public_key_info.format_lines(3)))
if len(extensions) > 0:
print(
nss.indented_format([(1, 'Signed Extensions: (%d)' % len(extensions))
]))
for extension in extensions:
print_extension(2, extension)
print(nss.indented_format(cert.signed_data.format_lines(1)))
print(nss.indented_format([(1, 'Fingerprint (MD5):')]))
print(
nss.indented_format(
nss.make_line_fmt_tuples(
2,
nss.data_to_hex(nss.md5_digest(cert.der_data),
nss.OCTETS_PER_LINE_DEFAULT))))
print(nss.indented_format([(1, 'Fingerprint (SHA1):')]))
print(
nss.indented_format(
nss.make_line_fmt_tuples(
2,
nss.data_to_hex(nss.sha1_digest(cert.der_data),
nss.OCTETS_PER_LINE_DEFAULT))))
