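def _create(self, certs, purpose, desc, issuer=None, common=None):
    """Create and store one certificate.

    Generates a fresh RSA key pair and X.509 certificate, records both in
    the C{pki_certificates} table and caches the PEM pair in C{certs}.
    If C{purpose} is already present in C{certs} nothing is done.

    @param certs: Dict of already-created certificates keyed by purpose;
        updated in place with C{(x509_pem, pkey_pem)} for C{purpose}.
    @param purpose: Machine-readable string identifying the purpose of
        this certificate.
    @param desc: Human-readable description placed in the subject's O.
    @param issuer: Optional tuple C{(x509_pem, pkey_pem)} of the issuing
        CA. When C{None} the new certificate is a self-signed CA.
    @param common: Optional common name (hostname) for the subject.
    @raise ValueError: if the issuer's fingerprint is not present in
        C{pki_certificates}, so no serial number can be allocated.
    """
    if purpose in certs:
        return
    cu = self.db.cursor()
    subject = X509.X509_Name()
    subject.O = desc
    subject.OU = 'Created at ' + time.strftime('%F %T%z')
    if common is not None:
        subject.CN = common
    issuer_pkey = issuer_subject = issuer_fingerprint = serial = None
    if issuer is None:
        # No issuer: the certificate signs itself and acts as a CA.
        isCA = True
    else:
        isCA = False
        issuer_x509 = X509.load_cert_string(issuer[0])
        issuer_pkey = EVP.load_key_string(issuer[1])
        issuer_subject = issuer_x509.get_subject()
        # SHA-1 of the DER encoding is the table's identity for a
        # certificate (a lookup key, not a security boundary); it must be
        # computed exactly as it was when the issuer was stored, or the
        # serial update below will not find the row.
        issuer_fingerprint = digestlib.sha1(
                issuer_x509.as_der()).hexdigest()
        # Increment and read back the issuer's serial counter in one
        # statement so two certificates are never issued with the same
        # serial under this CA.
        cu.execute("""UPDATE pki_certificates SET ca_serial_index = ca_serial_index + 1 WHERE fingerprint = %s RETURNING ca_serial_index """, (issuer_fingerprint,))
        row = cu.fetchone()
        if row is None:
            # Previously this surfaced as an opaque TypeError on unpacking.
            raise ValueError("issuer certificate %s is not in pki_certificates"
                    % issuer_fingerprint)
        serial, = row
    # Create certificates with a 'not before' date 1 day in the past, just
    # in case initial setup sets the clock backwards.
    rsa, x509 = gencert.new_cert(KEY_LENGTH, subject, EXPIRY,
            issuer=issuer_subject, issuer_evp=issuer_pkey, isCA=isCA,
            serial=serial, timestamp_offset=-86400)
    fingerprint = digestlib.sha1(x509.as_der()).hexdigest()
    # NOTE(review): as_pem(None) appears to write the private key without a
    # passphrase cipher, so access control on pki_certificates is the only
    # thing protecting the key material -- confirm against the RSA API.
    pkey_pem = rsa.as_pem(None)
    x509_pem = x509.as_pem()
    # ca_serial_index starts at 0: the new certificate has issued nothing
    # yet. Validity bounds are stored as the library's string rendering.
    cu.execute("""INSERT INTO pki_certificates ( fingerprint, purpose, is_ca, x509_pem, pkey_pem, issuer_fingerprint, ca_serial_index, time_issued, time_expired ) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)""",
            (fingerprint, purpose, isCA, x509_pem, pkey_pem,
                issuer_fingerprint, 0, str(x509.get_not_before()),
                str(x509.get_not_after()), ))
    log.info("Created certificate %s for purpose %r%s%s", fingerprint, purpose,
            (issuer_fingerprint and (" (issuer %s)" % issuer_fingerprint) or ""),
            self.dry_run and " (dry run)" or "")
    certs[purpose] = x509_pem, pkey_pem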
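def new(cls, subject=None, keyLength=None, serial=None, expiry=None,
        timestampOffset=None, issuer_x509=None, issuer_pkey=None,
        isCA=False):
    """Generate a new key pair and certificate and wrap them in C{cls}.

    Any of C{keyLength}, C{expiry} and C{timestampOffset} left as C{None}
    falls back to the class attribute of the same name. Only C{None}
    triggers the fallback: an explicit C{0} (e.g. a zero timestamp offset)
    is honoured rather than silently replaced, which the previous
    C{and}/C{or} idiom did not allow.

    @param subject: Subject name; defaults to C{cls.Subject(CN="Test
        Certificate")}.
    @param keyLength: RSA key length, or C{None} for C{cls.KEY_LENGTH}.
    @param serial: Serial number passed through to C{gencert.new_cert}.
    @param expiry: Validity period, or C{None} for C{cls.EXPIRY}.
    @param timestampOffset: Offset applied to the 'not before' time, or
        C{None} for C{cls.TIMESTAMP_OFFSET}.
    @param issuer_x509: Optional issuer certificate object; its subject
        becomes the new certificate's issuer.
    @param issuer_pkey: Optional issuer private key used for signing.
    @param isCA: Whether the new certificate is marked as a CA.
    @return: C{cls(x509, rsa)} built from the generated pair.
    """
    if keyLength is None:
        keyLength = cls.KEY_LENGTH
    if expiry is None:
        expiry = cls.EXPIRY
    if timestampOffset is None:
        timestampOffset = cls.TIMESTAMP_OFFSET
    if subject is None:
        subject = cls.Subject(CN="Test Certificate")
    issuer_subject = None
    if issuer_x509 is not None:
        issuer_subject = issuer_x509.get_subject()
    rsa, x509 = gencert.new_cert(keyLength, subject, expiry,
            issuer=issuer_subject, issuer_evp=issuer_pkey, isCA=isCA,
            serial=serial, timestamp_offset=timestampOffset)
    return cls(x509, rsa)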
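def createCertificate(self, purpose, desc, issuer=None, common=None):
    """Create and store one certificate.

    @param purpose: Machine-readable string identifying the purpose of
        this certificate.
    @param desc: Human-readable description to put into the certificate.
    @param issuer: Optional issuer: either a tuple C{(x509_pem, pkey_pem)}
        or a purpose string that is resolved through
        C{self.getCertificatePair}. When C{None} the new certificate is a
        self-signed CA.
    @param common: Optional common name (hostname) for subject.
    @return: Tuple C{(x509_pem, pkey_pem)} of the new certificate.
    @raise ValueError: if the issuer's fingerprint is not present in
        C{pki_certificates}, so no serial number can be allocated.
    """
    # Don't let anyone else even read the table while we work. We wouldn't
    # want two processes to read in the same CA serial index, generate
    # different certificates using the same serial, write them out to disk,
    # then blow up when they try to commit.
    cu = self.db.cursor()
    cu.execute("LOCK TABLE pki_certificates")
    subject = X509.X509_Name()
    subject.O = desc
    subject.OU = 'Created at ' + time.strftime('%F %T%z')
    if common is not None:
        subject.CN = common
    issuer_pkey = issuer_subject = issuer_fingerprint = serial = None
    if issuer is None:
        # No issuer: the certificate signs itself and acts as a CA.
        isCA = True
    else:
        isCA = False
        if isinstance(issuer, basestring):
            # Look up CA by purpose
            issuer_x509, issuer_pkey = self.getCertificatePair(issuer)
        else:
            # Tuple provided
            issuer_x509, issuer_pkey = issuer
        issuer_x509 = X509.load_cert_string(issuer_x509)
        issuer_pkey = EVP.load_key_string(issuer_pkey)
        issuer_subject = issuer_x509.get_subject()
        # SHA-1 of the DER encoding is the table's identity for a
        # certificate (a lookup key, not a security boundary); it must be
        # computed exactly as it was when the issuer was stored, or the
        # serial update below will not find the row.
        issuer_fingerprint = digestlib.sha1(
                issuer_x509.as_der()).hexdigest()
        cu.execute("""UPDATE pki_certificates SET ca_serial_index = ca_serial_index + 1 WHERE fingerprint = ? RETURNING ca_serial_index """, issuer_fingerprint)
        row = cu.fetchone()
        if row is None:
            # Previously this surfaced as an opaque TypeError on unpacking.
            raise ValueError("issuer certificate %s is not in pki_certificates"
                    % issuer_fingerprint)
        serial, = row
    # Create certificates with a 'not before' date 1 day in the past, just
    # in case initial setup sets the clock backwards.
    rsa, x509 = gencert.new_cert(KEY_LENGTH, subject, EXPIRY,
            issuer=issuer_subject, issuer_evp=issuer_pkey, isCA=isCA,
            serial=serial, timestamp_offset=-86400)
    fingerprint = digestlib.sha1(x509.as_der()).hexdigest()
    # NOTE(review): as_pem(None) appears to write the private key without a
    # passphrase cipher, so access control on pki_certificates is the only
    # thing protecting the key material -- confirm against the RSA API.
    pkey_pem = rsa.as_pem(None)
    x509_pem = x509.as_pem()
    # ca_serial_index starts at 0: the new certificate has issued nothing
    # yet. Validity bounds are stored as the library's string rendering.
    cu.execute("""INSERT INTO pki_certificates ( fingerprint, purpose, is_ca, x509_pem, pkey_pem, issuer_fingerprint, ca_serial_index, time_issued, time_expired ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)""",
            fingerprint, purpose, isCA, x509_pem, pkey_pem,
            issuer_fingerprint, 0, str(x509.get_not_before()),
            str(x509.get_not_after()), )
    log.info("Created certificate %s for purpose %r%s", fingerprint, purpose,
            (issuer_fingerprint and (" (issuer %s)" % issuer_fingerprint) or ""))
    return x509_pem, pkey_pem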