def test_mkreq(self): (req, _) = self.mkreq(1024) req.save_pem('tests/tmp_request.pem') req2 = X509.load_request('tests/tmp_request.pem') os.remove('tests/tmp_request.pem') req.save('tests/tmp_request.pem') req3 = X509.load_request('tests/tmp_request.pem') os.remove('tests/tmp_request.pem') req.save('tests/tmp_request.der', format=X509.FORMAT_DER) req4 = X509.load_request('tests/tmp_request.der', format=X509.FORMAT_DER) os.remove('tests/tmp_request.der') assert req.as_pem() == req2.as_pem() assert req.as_text() == req2.as_text() assert req.as_der() == req2.as_der() assert req.as_pem() == req3.as_pem() assert req.as_text() == req3.as_text() assert req.as_der() == req3.as_der() assert req.as_pem() == req4.as_pem() assert req.as_text() == req4.as_text() assert req.as_der() == req4.as_der() self.assertEqual(req.get_version(), 0) req.set_version(1) self.assertEqual(req.get_version(), 1) req.set_version(0) self.assertEqual(req.get_version(), 0)
def test_mkreq(self): (req, _) = self.mkreq(1024) req.save_pem('tests/tmp_request.pem') req2 = X509.load_request('tests/tmp_request.pem') os.remove('tests/tmp_request.pem') req.save('tests/tmp_request.pem') req3 = X509.load_request('tests/tmp_request.pem') os.remove('tests/tmp_request.pem') req.save('tests/tmp_request.der', format=X509.FORMAT_DER) req4 = X509.load_request('tests/tmp_request.der', format=X509.FORMAT_DER) os.remove('tests/tmp_request.der') self.assertEqual(req.as_pem(), req2.as_pem()) self.assertEqual(req.as_text(), req2.as_text()) self.assertEqual(req.as_der(), req2.as_der()) self.assertEqual(req.as_pem(), req3.as_pem()) self.assertEqual(req.as_text(), req3.as_text()) self.assertEqual(req.as_der(), req3.as_der()) self.assertEqual(req.as_pem(), req4.as_pem()) self.assertEqual(req.as_text(), req4.as_text()) self.assertEqual(req.as_der(), req4.as_der()) self.assertEqual(req.get_version(), 0) req.set_version(1) self.assertEqual(req.get_version(), 1) req.set_version(0) self.assertEqual(req.get_version(), 0)
def _get_signing_request(self, der_blob): """ Extracts signing request from MyProxy response. der_blob -- sequence with PKCS10 encoded CSR string raise -- MyProxyError if no CSR could be extracted """ ind = der_blob.find(MyProxy.ASN1_START) if ind < 0: raise MyProxyError("CSR missing", "Could not extract any CSR from ASN1 sequence") _len = 256*ord(der_blob[ind+2]) + ord(der_blob[ind+3]) c = der_blob[ind:ind+_len+4] # get CSR if version.LooseVersion(m2_version) < '0.20': # little hack to overcome missing method in versions < 0.20 import tempfile tmp_fd, tmp_name = tempfile.mkstemp(suffix='.csr') f = os.fdopen(tmp_fd,'wb') f.write(c) f.close() req = X509.load_request(tmp_name, X509.FORMAT_DER) os.remove(tmp_name) else: req = X509.load_request_der_string(c) return req
def verify(certificate_path, signature_path, request_path): certificate = None try: certificate = X509.load_cert(certificate_path) except (X509.X509Error, IOError): print('ERROR verify: Could not load certificate for verification') exit(1) signature = None try: signature = open(signature_path, 'r').read() except IOError: print('ERROR verify: Could not load signature for verification') exit(1) request = None try: request = X509.load_request(request_path) except (X509.X509Error, IOError): print('ERROR verify: Could not load request for verification') exit(1) digest = EVP.MessageDigest('sha1') digest.update(request.as_pem()) public_key = certificate.get_pubkey().get_rsa() status = public_key.verify_rsassa_pss(digest.digest(), signature) if status: print('Verification OK') else: print('Verification failed') exit(1)
def print_request(request_file_path): request = None try: request = X509.load_request(request_file_path) except X509.X509Error: print('ERROR print: Could not load request from %s' % request_file_path) exit(1) print(request.as_text())
def test_malformed_data(self): with self.assertRaises(X509.X509Error): X509.load_cert_string('Hello') with self.assertRaises(X509.X509Error): X509.load_cert_der_string('Hello') with self.assertRaises(X509.X509Error): X509.new_stack_from_der('Hello') with self.assertRaises(X509.X509Error): X509.load_cert('tests/alltests.py') with self.assertRaises(X509.X509Error): X509.load_request('tests/alltests.py') with self.assertRaises(X509.X509Error): X509.load_request_string('Hello') with self.assertRaises(X509.X509Error): X509.load_request_der_string('Hello') with self.assertRaises(X509.X509Error): X509.load_crl('tests/alltests.py')
def _verify(self): """Verify a certificate request; return True (0) or False (1)""" try: req = X509.load_request(self.req_file) except: msg = 'Certificate request file %s not found' % self.req_file raise error.NotFound(msg) pkey = req.get_pubkey() return req.verify(pkey)
def make_certificate(request_path, ca_private_key_file, ca_certificate_file, output, is_digital, is_printed): request = None try: request = X509.load_request(request_path) except X509.X509Error: print('ERROR certificate: Could not load request from %s' % request_path) exit(1) public_key = request.get_pubkey() subject = request.get_subject() ca_certificate = None try: ca_certificate = X509.load_cert(ca_certificate_file) except (IOError, BIO.BIOError): print('ERROR certificate: Could not load ca certificate file. Check permissions and try again') exit(1) ca_private_key = None try: ca_private_key = RSA.load_key(ca_private_key_file, callback=password) except (IOError, BIO.BIOError): print('ERROR certificate: Could not load ca private key file. Check permissions and try again') exit(1) certificate = X509.X509() certificate.set_serial_number(time().as_integer_ratio()[0]) certificate.set_version(2) certificate.set_subject(subject) issuer = ca_certificate.get_issuer() not_before = ASN1.ASN1_UTCTIME() now = int(time() - timezone) not_before.set_time(now) not_after = ASN1.ASN1_UTCTIME() not_after.set_time(now + 60 * 60 * 24 * 365) certificate.set_not_before(not_before) certificate.set_not_after(not_after) certificate.set_issuer(issuer) certificate.set_pubkey(public_key) selinux_extension = request.get_extension_by_name('selinuxContext') if not selinux_extension: print('ERROR certificate: No extension selinuxContext in request %s' % request_path) exit(1) if not is_digital: if not verify_user_context(subject.CN, selinux_extension.get_value()): print('ERROR certificate: Invalid SELinux context in request file %s' % request_path) exit(1) certificate.add_ext(selinux_extension) certificate.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', 1)) if is_digital: certificate.add_ext(X509.new_extension('keyUsage', 'Digital Signature', 1)) if not output: output = path.abspath(path.curdir) + '/%s.crt' % DEFAULT_FIELDS['CN'] certificate.sign(ca_private_key, 'sha1') certificate.save(output) if is_printed: print(certificate.as_text()) print('Certificate was saved to %s' % output)
def test_mkreq(self): (req, _) = self.mkreq(512) req.save_pem('tests/tmp_request.pem') req2 = X509.load_request('tests/tmp_request.pem') os.remove('tests/tmp_request.pem') req.save('tests/tmp_request.pem') req3 = X509.load_request('tests/tmp_request.pem') os.remove('tests/tmp_request.pem') req.save('tests/tmp_request.der', format=X509.FORMAT_DER) req4 = X509.load_request('tests/tmp_request.der', format=X509.FORMAT_DER) os.remove('tests/tmp_request.der') assert req.as_pem() == req2.as_pem() assert req.as_text() == req2.as_text() assert req.as_der() == req2.as_der() assert req.as_pem() == req3.as_pem() assert req.as_text() == req3.as_text() assert req.as_der() == req3.as_der() assert req.as_pem() == req4.as_pem() assert req.as_text() == req4.as_text() assert req.as_der() == req4.as_der()
def csr_from_file(csrfilename): """Read a certificate request from file. :type csrfilename: string :param csrfilename: Name of certificate file to read :rtype: M2Crypto.X509.Request :return: Certificate request object """ return X509.load_request(csrfilename)
def __init__(self, req_data = None, req_file = None): self._path = None self._data = None self._req = None self._is_temp = False if req_file and not os.path.exists(req_file): raise ActivationException("Certificate request file %s doesn't exists." % req_file) if req_data and req_file: raise ActivationException("Cannot use file data and file path at the same time.") elif req_file and not req_data: self._path = req_file self._req = X509.load_request(self._path) self._data = self._req.as_pem().strip() elif req_data and not req_file: self._path = tempfile.mktemp() write_file(self._path, req_data) self._req = X509.load_request(self._path) self._data = self._req.as_pem().strip() self._is_temp = True
def get(self): """Retrieve a certificate request; return results object.""" # TODO Put this in a dir walk loop so it supports multiple reqs data = [] item = {} try: req = X509.load_request(self.req_file) except IOError: result = common.process_results(data, 'Request') return result item['req_cn'] = req.get_subject().CN item['req_as_pem'] = req.as_pem() pkey = req.get_pubkey() if req.verify(pkey): item['verify'] = 'success' data.append(item) result = common.process_results(data, 'Request') return result
def pki_ca_issue_certificate(cert_req_loc, ca_pk_loc, serial_number, cert_loc): """ Issue certificate based on the request and save it as a file. Serial number must not repeat in issued certificates. Parameters: cert_req_loc = location of file with certificate request ca_pk_loc = location of file with CA private key serial_number = serial number for the issued certificate cert_loc = location of file to store issued certificate Return: none """ ca_pk = EVP.load_key(ca_pk_loc) # load EVP for signing certificates cert_req = X509.load_request(cert_req_loc) cert = make_certificate(serial_number) cert.set_subject(cert_req.get_subject()) cert.set_pubkey(cert_req.get_pubkey()) cert.sign(ca_pk, 'sha256') cert.save_pem(cert_loc)
def _get_ca_info(self): ca_info = {} try: ca_cert = X509.load_cert(self.ca_cert_file, format=1) ca_info['ca_cn'] = ca_cert.get_subject().CN ca_info['ca_cert_as_pem'] = ca_cert.as_pem() msg = 'Retrieved CN and pem from CA cert file %s' % self.ca_cert_file self.log.debug(msg) except: msg = 'CA cert file %s does not exist' % self.ca_cert_file self.log.debug(msg) try: ca_req = X509.load_request(self.ca_req_file) ca_info['ca_cn'] = ca_req.get_subject().CN msg = 'Retrieved CN from CA req file %s' % self.ca_req_file self.log.debug(msg) except: msg = 'CA req file %s does not exist' % self.ca_req_file self.log.debug(msg) return ca_info
def sign(private_key_path, certificate_path, request_path): if not get_extension(certificate_path, 'keyUsage') == 'Digital Signature': print('ERROR sign: key pair %s and %s could not be used for signing file because policy' % (private_key_path, certificate_path)) exit(1) request = None try: request = X509.load_request(request_path) except (IOError, X509.X509Error): print('ERROR sign: Could not load request from %s' % request_path) exit(1) private_key = None try: private_key = RSA.load_key(private_key_path, password) except (IOError, EVP.EVPError): print('ERROR sign: Could not load private key') exit(1) digest = EVP.MessageDigest('sha1') digest.update(request.as_pem()) signature = private_key.sign_rsassa_pss(digest.digest()) open('%s.signature' % request_path, 'w').write(signature) print('Signature was saved to %s.signature' % request_path)
def sign(private_key_path, certificate_path, request_path): if not get_extension(certificate_path, 'keyUsage') == 'Digital Signature': print('ERROR sign: key pair %s and %s could not be used for signing file because policy' % (private_key_path, certificate_path)) exit(1) request = None try: request = X509.load_request(request_path) except (IOError, X509.X509Error): print('ERROR sign: Could not load request from %s' % request_path) exit(1) text = BIO.MemoryBuffer(request.as_pem()) smime = SMIME.SMIME() try: smime.load_key(private_key_path, certificate_path) except (ValueError, IOError, X509.X509Error): print('ERROR sign: Could not load digital signature') exit(1) sign_request = smime.sign(text) sign_request_file = BIO.openfile(request_path + '.sign', 'w') smime.write(sign_request_file, sign_request) sign_request_file.close() print('Signing request was saved to %s' % request_path + '.sign')
def sign(private_key_path, certificate_path, request_path): if not get_extension(certificate_path, 'keyUsage') == 'Digital Signature': print( 'ERROR sign: key pair %s and %s could not be used for signing file because policy' % (private_key_path, certificate_path)) exit(1) request = None try: request = X509.load_request(request_path) except (IOError, X509.X509Error): print('ERROR sign: Could not load request from %s' % request_path) exit(1) private_key = None try: private_key = RSA.load_key(private_key_path, password) except (IOError, EVP.EVPError): print('ERROR sign: Could not load private key') exit(1) digest = EVP.MessageDigest('sha1') digest.update(request.as_pem()) signature = private_key.sign_rsassa_pss(digest.digest()) open('%s.signature' % request_path, 'w').write(signature) print('Signature was saved to %s.signature' % request_path)
def sign(private_key_path, certificate_path, request_path): if not get_extension(certificate_path, 'keyUsage') == 'Digital Signature': print( 'ERROR sign: key pair %s and %s could not be used for signing file because policy' % (private_key_path, certificate_path)) exit(1) request = None try: request = X509.load_request(request_path) except (IOError, X509.X509Error): print('ERROR sign: Could not load request from %s' % request_path) exit(1) text = BIO.MemoryBuffer(request.as_pem()) smime = SMIME.SMIME() try: smime.load_key(private_key_path, certificate_path) except (ValueError, IOError, X509.X509Error): print('ERROR sign: Could not load digital signature') exit(1) sign_request = smime.sign(text) sign_request_file = BIO.openfile(request_path + '.sign', 'w') smime.write(sign_request_file, sign_request) sign_request_file.close() print('Signing request was saved to %s' % request_path + '.sign')
def make_certificate(request_path, ca_private_key_file, ca_certificate_file, output, is_printed): check_path(request_path) request = X509.load_request(request_path) public_key = request.get_pubkey() if not request.verify(public_key): print('Error verifying request') exit(1) subject = request.get_subject() ca_certificate = X509.load_cert(ca_certificate_file) ca_private_key = EVP.load_key(ca_private_key_file, callback=password) certificate = X509.X509() certificate.set_serial_number(time().as_integer_ratio()[0]) certificate.set_version(2) certificate.set_subject(subject) issuer = ca_certificate.get_issuer() not_before = ASN1.ASN1_UTCTIME() not_before.set_datetime(datetime.today()) not_after = ASN1.ASN1_UTCTIME() not_after.set_datetime(datetime(datetime.today().year + 1, datetime.today().month, datetime.today().day)) certificate.set_not_before(not_before) certificate.set_not_after(not_after) certificate.set_issuer(issuer) certificate.set_pubkey(public_key) selinux_extension = request.get_extension_by_name("selinuxContext") if not selinux_extension: print("No extension selinuxContext in request %s" % request_path) exit(1) certificate.add_ext(selinux_extension) certificate.add_ext(X509.new_extension("basicConstraints", "CA:FALSE", 1)) if not output: output = path.abspath(path.curdir) + '/%s.crt' % DEFAULT_FIELDS['CN'] certificate.sign(ca_private_key, 'sha1') certificate.save(output) if is_printed: print(certificate.as_text()) print('Certificate was saved to %s' % output)
def print_request(request_file_path): check_path(request_file_path) request = X509.load_request(request_file_path) print(request.as_text())
def _do_req(self): """Create a certificate request; return a certificate request object.""" req = X509.load_request(self.req_file, format=1) return req
def _do_req(self): """Create a certificate request; return a certificate request object.""" csr = SpokeCSR(self.cn, self.reqca.ca_name) csr.create() req = X509.load_request(self.req_file, format=1) return req
def sing_req_by_server(id_client_req, cert_path, data_path, auto = False): server_cert = cert_path + '/root.crt' server_key = cert_path + '/root.key' if id_client_req: try: int (id_client_req) except: print _("The certificate number must be int") return 1 cl_req = data_path + '/client_certs/%s.csr' %id_client_req cl_cert = data_path + '/client_certs/%s.crt' %id_client_req if not os.path.exists(cl_req): print _("Signature request %s not found") %cl_req return 1 if os.path.exists(cl_cert): print _("Certificate %s now exists") %cl_cert return 1 if auto: group_name = "all" else: group_name = "%s" %raw_input \ (_("Enter the group of the new certificate "\ "(group name or 'all'): ")) config = data_path + '/client_certs/ssl-client.cfg' if os.path.exists(config): os.unlink(config) from M2Crypto import X509, EVP sr_cert = X509.load_cert(server_cert) sr_key_inst = EVP.load_key(server_key) cl_req_inst = X509.load_request(cl_req) from create_cert import makeCert cl_cert_inst = makeCert(cl_req_inst, sr_key_inst, sr_cert.get_issuer(), client_cert = True, group = group_name) cl_cert_inst.save_pem(cl_cert) #print 'startdate = ', startdate #cfg_text = (#"[ ssl_client ]\n" #"basicConstraints = CA:FALSE\n" #"nsCertType = client\n" #"keyUsage = digitalSignature, keyEncipherment\n" #"extendedKeyUsage = clientAuth\n" #"nsComment = %s\n" %group) #print 'config = ', cfg_text #fc = open(config, 'w') #fc.write(cfg_text) #fc.close() #cmd=("openssl x509 -req -days 11000 -CA %s -CAkey %s -CAcreateserial " #"-extfile %s -extensions ssl_client -in %s -out %s") \ #%(server_cert, server_key, config, cl_req, cl_cert) #print cmd #PIPE = subprocess.PIPE #p = subprocess.Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, #stderr=subprocess.STDOUT, close_fds=True) #p.wait() if os.path.exists(cl_cert): print _("Certificate %s is signed") %cl_cert else: print _("Certificate %s has not been signed") %cl_cert return 0
def make_certificate(request_path, ca_private_key_file, ca_certificate_file, output, is_digital, is_printed): request = None try: request = X509.load_request(request_path) except X509.X509Error: print('ERROR certificate: Could not load request from %s' % request_path) exit(1) public_key = request.get_pubkey() subject = request.get_subject() ca_certificate = None try: ca_certificate = X509.load_cert(ca_certificate_file) except (IOError, BIO.BIOError): print( 'ERROR certificate: Could not load ca certificate file. Check permissions and try again' ) exit(1) ca_private_key = None try: ca_private_key = RSA.load_key(ca_private_key_file, callback=password) except (IOError, BIO.BIOError): print( 'ERROR certificate: Could not load ca private key file. Check permissions and try again' ) exit(1) certificate = X509.X509() certificate.set_serial_number(time().as_integer_ratio()[0]) certificate.set_version(2) certificate.set_subject(subject) issuer = ca_certificate.get_issuer() not_before = ASN1.ASN1_UTCTIME() now = int(time() - timezone) not_before.set_time(now) not_after = ASN1.ASN1_UTCTIME() not_after.set_time(now + 60 * 60 * 24 * 365) certificate.set_not_before(not_before) certificate.set_not_after(not_after) certificate.set_issuer(issuer) certificate.set_pubkey(public_key) selinux_extension = request.get_extension_by_name('selinuxContext') if not selinux_extension: print('ERROR certificate: No extension selinuxContext in request %s' % request_path) exit(1) if not is_digital: if not verify_user_context(subject.CN, selinux_extension.get_value()): print( 'ERROR certificate: Invalid SELinux context in request file %s' % request_path) exit(1) certificate.add_ext(selinux_extension) certificate.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', 1)) if is_digital: certificate.add_ext( X509.new_extension('keyUsage', 'Digital Signature', 1)) if not output: output = path.abspath(path.curdir) + '/%s.crt' % DEFAULT_FIELDS['CN'] certificate.sign(ca_private_key, 'sha1') certificate.save(output) if is_printed: print(certificate.as_text()) print('Certificate was saved to %s' % output)