 def load(self):
     """Load this certificate and its private key from their PEM files.

     Reads ``self.pem`` and ``self.key`` through the module's ``read``
     helper, decrypts the key with the parent's password, rebuilds
     ``self.dn`` from the certificate subject and finally hands the
     (key, certificate) pair to ``self.init``, whose result is returned.
     """
     certificate = crypto.load_certificate(crypto.FILETYPE_PEM, read(self.pem))
     key_data = read(self.key)
     # The key file is password-protected; the password lives on the parent
     # (presumably the factory that issued this certificate — confirm).
     passphrase = b(self.parent.password)
     private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_data, passphrase)

     subj = certificate.get_subject()
     # Field order is the one the DistinguishedName constructor expects here.
     fields = (
         subj.commonName,
         subj.organizationalUnitName,
         subj.organizationName,
         subj.localityName,
         subj.stateOrProvinceName,
         subj.countryName,
         subj.emailAddress,
     )
     self.dn = DistinguishedName(*fields)
     return self.init(private_key, certificate)
 def load(self):
     """Populate this certificate object from its PEM and key files.

     Parses the certificate from ``self.pem`` and the password-protected
     private key from ``self.key``, derives ``self.dn`` from the subject
     and delegates the remaining setup to ``self.init`` (its return value
     is passed through).
     """
     def subject_dn(subject):
         # Field order matches the DistinguishedName constructor used here.
         return DistinguishedName(subject.commonName,
                                  subject.organizationalUnitName,
                                  subject.organizationName,
                                  subject.localityName,
                                  subject.stateOrProvinceName,
                                  subject.countryName,
                                  subject.emailAddress)

     x509 = crypto.load_certificate(crypto.FILETYPE_PEM, read(self.pem))
     # The key is decrypted with the parent's password; b() converts it to
     # the byte string the crypto module expects.
     pkey = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                   read(self.key),
                                   b(self.parent.password))
     self.dn = subject_dn(x509.get_subject())
     return self.init(pkey, x509)
    def __init__(self, *args, **kargs):
        """Create a keytool-backed certificate factory and its CA certificate.

        After the base-class setup, a root factory (no ``parent``) upper-cases
        ``keyalg``/``sigalg`` into keytool's ``<SIG>with<KEY>`` form (e.g.
        ``SHA256withRSA``).  If the CA certificate does not exist yet it is
        generated: self-signed for a root factory, or signed by the parent CA
        and re-imported together with the whole parent chain for an
        intermediate factory.  Either way ``self.cacert`` ends up pointing at
        this factory's own CA certificate with its PEM written out.
        """
        CertificateFactory.__init__(self, *args, **kargs)

        is_root = not self.parent
        if is_root:
            # keytool wants e.g. "SHA256withRSA" rather than "sha256"/"rsa".
            self.keyalg = self.keyalg.upper()
            self.sigalg = "{0}with{1}".format(self.sigalg.upper(), self.keyalg)

        if self.cacert.exists():
            return

        ca = self.cacert
        san = ca.getAlternativeName()
        ian = None if is_root else self.parent.cacert.getAlternativeName()

        # Critical basic-constraints marks this as a CA; alt names only when
        # configured.  NOTE(review): this string is spliced into a keytool
        # command line by keyTool(); the values come from the factory's own
        # configuration, not from external input — keep it that way.
        ext_parts = ["-ext bc:c"]
        if san:
            ext_parts.append("-ext san=" + san)
        if ian:
            ext_parts.append("-ext ian=" + ian)
        ext = " ".join(ext_parts)

        if is_root:
            ca.keyTool("genkeypair", ext, validity=self.validity, sigalg=self.sigalg)
        else:
            # Temporarily point self.cacert at the parent's CA while the
            # certreq/gencert round trip runs (presumably so keyTool() signs
            # with the parent — confirm against keyTool()).
            self.cacert = self.parent.cacert
            ca.keyTool("genkeypair")
            csr = ca.keyTool("certreq")
            signed = ca.keyTool("gencert", ext, validity=self.validity, stdin=csr)

            # Re-import the new CA cert preceded by every ancestor CA cert so
            # the keystore holds the complete chain.
            chain_parts = []
            ancestor = self.parent
            while ancestor:
                chain_parts.append(d(read(ancestor.cacert.pem)))
                ancestor = ancestor.parent
            ca.keyTool("importcert", stdin="".join(chain_parts) + d(signed))

        self.cacert = ca
        self.cacert.generatePEM()
    def _generateChild(self, cert, serial, validity):
        """Generate a key pair for ``cert`` and have this factory's CA sign it.

        ``serial`` is accepted for interface compatibility but is not used in
        this implementation (keytool picks the serial number).  ``validity``
        is a number of days: ``None`` falls back to ``self.validity``, a
        positive value is used as-is, and zero or a negative value backdates
        the start date by that many days and sets the lifetime to its
        absolute value, i.e. the certificate is already expired when issued
        (presumably for negative tests — confirm with callers).  The signed
        certificate is re-imported into the keystore together with the full
        CA chain.  Returns ``cert``.
        """
        san = cert.getAlternativeName()
        ian = self.cacert.getAlternativeName()

        cert.keyTool("genkeypair")
        csr = cert.keyTool("certreq")

        # End-entity key usage: digital signature + key encipherment (critical),
        # plus alt names when configured.  NOTE(review): ext is spliced into a
        # keytool command line; the alt names come from the certificate's own
        # configuration, not from external input.
        ext_parts = ["-ext ku:c=dig,keyEnc"]
        if san:
            ext_parts.append("-ext san=" + san)
        if ian:
            ext_parts.append("-ext ian=" + ian)
        ext = " ".join(ext_parts)

        if validity is None or validity > 0:
            days = validity or self.validity
            signed = cert.keyTool("gencert", ext, validity=days, stdin=csr)
        else:
            backdate = "{validity}d".format(validity=validity)
            signed = cert.keyTool("gencert", ext, startdate=backdate,
                                  validity=-validity, stdin=csr)

        # CA chain, this factory first, then each ancestor up to the root.
        chain = ""
        factory = self
        while factory:
            chain += d(read(factory.cacert.pem))
            factory = factory.parent
        cert.keyTool("importcert", stdin=chain + d(signed))

        return cert
    def savePKCS12(self, path, password=None, chain=True, root=False, addkey=None):
        """Export this certificate (and, by default, its key) as a PKCS#12 file.

        ``chain`` adds the CA certificates above this one as a temporary PEM
        bundle; ``root`` decides whether the topmost (self-signed) CA is
        included.  ``addkey`` defaults to "yes unless this certificate is the
        parent's own CA certificate".  Returns ``self``.

        NOTE(review): without an explicit ``password`` the file is protected
        with the literal ``"password"`` — acceptable for test fixtures only.
        NOTE(review): ``key`` below is computed but never handed to
        ``openSSL``; ``inkey=self.key`` is passed unconditionally, so
        ``addkey=False`` appears to have no effect (confirm against the
        ``openSSL`` helper, which is not visible here).
        """
        if addkey is None:
            addkey = self != self.parent.cacert

        chainfile = None
        if chain:
            # Walk up the factory chain; with root=False stop before the
            # self-signed root CA.
            bundle = []
            ancestor = self.parent
            while ancestor if root else ancestor.parent:
                bundle.append(d(read(ancestor.cacert.pem)))
                ancestor = ancestor.parent
            bundle_text = "".join(bundle)
            if bundle_text:
                fd, chainfile = tempfile.mkstemp()
                os.write(fd, b(bundle_text))
                os.close(fd)

        key = "-inkey={0}".format(self.key) if addkey else "-nokeys"
        try:
            self.openSSL("pkcs12",
                         out=path,
                         inkey=self.key,
                         certfile=chainfile,
                         password=password or "password")
        finally:
            # Remove the temporary chain bundle even if openssl fails.
            if chainfile:
                os.remove(chainfile)
        return self
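    def __init__(self, *args, **kargs):
        """Create a keytool-backed certificate factory and its CA certificate.

        After the base-class setup, a root factory (no ``parent``) upper-cases
        ``keyalg``/``sigalg`` into keytool's ``<SIG>with<KEY>`` form (e.g.
        ``SHA256withRSA``).  If the CA certificate does not exist yet it is
        generated: self-signed for a root factory, or signed by the parent CA
        and re-imported together with the whole parent chain for an
        intermediate factory.  Either way ``self.cacert`` ends up pointing at
        this factory's own CA certificate with its PEM written out.

        Fix: the extension string was missing a ``+`` before the ``eku`` term,
        so the ``ian`` expression (a ``str``) was *called* with the ``eku``
        expression as its argument and raised ``TypeError`` whenever a CA
        certificate had to be created.  The parts are now joined explicitly.
        """
        CertificateFactory.__init__(self, *args, **kargs)

        # Transform key/signature algorithm to suitable values for keytool
        if not self.parent:
            self.keyalg = self.keyalg.upper()
            self.sigalg = self.sigalg.upper() + "with" + self.keyalg

        # Create the CA self-signed certificate
        if not self.cacert.exists():
            cacert = self.cacert

            subAltName = cacert.getAlternativeName()
            issuerAltName = self.parent.cacert.getAlternativeName() if self.parent else None

            # Critical basic-constraints marks this as a CA; alt names and
            # extended key usage only when configured.  NOTE(review): this
            # string is spliced into a keytool command line by keyTool(); the
            # values come from the factory's own configuration, not from
            # external input — keep it that way.
            extParts = ["-ext bc:c"]
            if subAltName:
                extParts.append("-ext san=" + subAltName)
            if issuerAltName:
                extParts.append("-ext ian=" + issuerAltName)
            if self.extendedKeyUsage:
                extParts.append("-ext eku=" + self.extendedKeyUsage)
            ext = " ".join(extParts)

            if not self.parent:
                cacert.keyTool("genkeypair", ext, validity=self.validity, sigalg=self.sigalg)
            else:
                # Temporarily point self.cacert at the parent's CA while the
                # certreq/gencert round trip runs (presumably so keyTool()
                # signs with the parent — confirm against keyTool()).
                self.cacert = self.parent.cacert
                cacert.keyTool("genkeypair")
                pem = cacert.keyTool("gencert", ext, validity=self.validity, stdin=cacert.keyTool("certreq"))
                # Re-import preceded by every ancestor CA cert so the keystore
                # holds the complete chain.
                chain = []
                parent = self.parent
                while parent:
                    chain.append(d(read(parent.cacert.pem)))
                    parent = parent.parent
                cacert.keyTool("importcert", stdin="".join(chain) + d(pem))

            self.cacert = cacert
            self.cacert.generatePEM()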
    def _generateChild(self, cert, serial, validity):
        """Generate a key pair for ``cert`` and have this factory's CA sign it.

        ``serial`` is accepted for interface compatibility but is not used in
        this implementation (keytool picks the serial number).  ``validity``
        is a number of days: ``None`` falls back to ``self.validity``, a
        positive value is used as-is, and zero or a negative value backdates
        the start date by that many days and sets the lifetime to its
        absolute value, i.e. the certificate is already expired when issued
        (presumably for negative tests — confirm with callers).  Extended key
        usage is taken from ``cert`` when configured.  The signed certificate
        is re-imported into the keystore together with the full CA chain.
        Returns ``cert``.
        """
        san = cert.getAlternativeName()
        ian = self.cacert.getAlternativeName()
        eku = cert.getExtendedKeyUsage()

        cert.keyTool("genkeypair")
        csr = cert.keyTool("certreq")

        # End-entity key usage: digital signature + key encipherment (critical),
        # plus san/ian/eku when configured.  NOTE(review): ext is spliced into
        # a keytool command line; the values come from the certificate's own
        # configuration, not from external input.
        ext_parts = ["-ext ku:c=dig,keyEnc"]
        if san:
            ext_parts.append("-ext san=" + san)
        if ian:
            ext_parts.append("-ext ian=" + ian)
        if eku:
            ext_parts.append("-ext eku=" + eku)
        ext = " ".join(ext_parts)

        if validity is None or validity > 0:
            signed = cert.keyTool("gencert", ext, validity=(validity or self.validity), stdin=csr)
        else:
            backdate = "{validity}d".format(validity=validity)
            signed = cert.keyTool("gencert", ext, startdate=backdate, validity=-validity, stdin=csr)

        # CA chain, this factory first, then each ancestor up to the root.
        chain_parts = []
        factory = self
        while factory:
            chain_parts.append(d(read(factory.cacert.pem)))
            factory = factory.parent
        cert.keyTool("importcert", stdin="".join(chain_parts) + d(signed))

        return cert
    def savePKCS12(self, path, password=None, chain=True, root=False, addkey=None):
        """Export this certificate (and, by default, its key) as a PKCS#12 file.

        ``chain`` adds the CA certificates above this one as a temporary PEM
        bundle; ``root`` decides whether the topmost (self-signed) CA is
        included.  ``addkey`` defaults to "yes unless this certificate is the
        parent's own CA certificate".  Returns ``self``.

        NOTE(review): without an explicit ``password`` the file is protected
        with the literal ``"password"`` — acceptable for test fixtures only.
        NOTE(review): ``keyOpt`` below is computed but never handed to
        ``openSSL``; ``inkey=self.key`` is passed unconditionally, so
        ``addkey=False`` appears to have no effect (confirm against the
        ``openSSL`` helper, which is not visible here).
        """
        def ancestor_pems():
            # Walk up the factory chain; with root=False stop before the
            # self-signed root CA.
            pems = ""
            node = self.parent
            while node if root else node.parent:
                pems += d(read(node.cacert.pem))
                node = node.parent
            return pems

        if addkey is None:
            addkey = self != self.parent.cacert

        chainfile = None
        if chain:
            pems = ancestor_pems()
            if len(pems) > 0:
                fd, chainfile = tempfile.mkstemp()
                os.write(fd, b(pems))
                os.close(fd)

        keyOpt = "-inkey={0}".format(self.key) if addkey else "-nokeys"
        try:
            self.openSSL("pkcs12", out=path, inkey=self.key, certfile=chainfile, password=password or "password")
        finally:
            # Remove the temporary chain bundle even if openssl fails.
            if chainfile:
                os.remove(chainfile)
        return self