def _get_signing_request(self, der_blob): """ Extracts signing request from MyProxy response. der_blob -- sequence with PKCS10 encoded CSR string raise -- MyProxyError if no CSR could be extracted """ ind = der_blob.find(MyProxy.ASN1_START) if ind < 0: raise MyProxyError("CSR missing", "Could not extract any CSR from ASN1 sequence") _len = 256*ord(der_blob[ind+2]) + ord(der_blob[ind+3]) c = der_blob[ind:ind+_len+4] # get CSR if version.LooseVersion(m2_version) < '0.20': # little hack to overcome missing method in versions < 0.20 import tempfile tmp_fd, tmp_name = tempfile.mkstemp(suffix='.csr') f = os.fdopen(tmp_fd,'wb') f.write(c) f.close() req = X509.load_request(tmp_name, X509.FORMAT_DER) os.remove(tmp_name) else: req = X509.load_request_der_string(c) return req
def test_delegation_get_pubkey_csr(self): empty_db() response = self.app.put(url('delegation', delegation_id='test'), params='{ "renewable": false }') delegation = Session.query(model.Delegation).first() response = self.app.get(url('delegation_pubkey', delegation_id='test')) pubkey1 = response.body response = self.app.get(url('delegation_pubkey', delegation_id='test')) pubkey2 = response.body response = self.app.get(url('delegation_pubkey', delegation_id='test'), headers={'Accept': 'application/x-pkcs1'}) pubkey3 = response.body key1 = RSA.load_pub_key_bio(BIO.MemoryBuffer(pubkey1)) key3 = certlib.rsa_load_pub_key_der(pubkey3) assert key1.pub() == delegation.new_key.pub() assert pubkey1 == pubkey2 assert key1.pub() == key3.pub() response = self.app.get(url('delegation_request', delegation_id='test'), headers={'Accept': 'application/x-pkcs10+der'}) req = X509.load_request_der_string(response.body) assert key1.pub() == req.get_pubkey().get_rsa().pub()
def test_malformed_data(self): with self.assertRaises(X509.X509Error): X509.load_cert_string('Hello') with self.assertRaises(X509.X509Error): X509.load_cert_der_string('Hello') with self.assertRaises(X509.X509Error): X509.new_stack_from_der('Hello') with self.assertRaises(X509.X509Error): X509.load_cert('tests/alltests.py') with self.assertRaises(X509.X509Error): X509.load_request('tests/alltests.py') with self.assertRaises(X509.X509Error): X509.load_request_string('Hello') with self.assertRaises(X509.X509Error): X509.load_request_der_string('Hello') with self.assertRaises(X509.X509Error): X509.load_crl('tests/alltests.py')
def test_load_request_bio(self): (req, _) = self.mkreq(512) r1 = X509.load_request_der_string(req.as_der()) r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER) r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM) r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()), X509.FORMAT_DER) r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), X509.FORMAT_PEM) for r in [r1, r2, r3, r4, r5]: assert req.as_der() == r.as_der() self.assertRaises(ValueError, X509.load_request_bio, BIO.MemoryBuffer(req.as_pem()), 345678)
def test_load_request_bio(self): (req, _) = self.mkreq(1024) r1 = X509.load_request_der_string(req.as_der()) r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER) r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM) r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()), X509.FORMAT_DER) r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), X509.FORMAT_PEM) for r in [r1, r2, r3, r4, r5]: self.assertEqual(req.as_der(), r.as_der()) with self.assertRaises(ValueError): X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), 345678)
def write(self, data): if self.context_established: return self.sock.write(data) if self.key is None: self.context_established = True self.sock.write("0"+data) else: # Now here goes something really weird. If there is NO # delegation after the context establishment phase # (previous if clause), any cipher suite works. If there # is a delegation after context establishment, it fails # with any cipher suite except NULL cipher. # # This is probably a bug in globus GSI implementation. if not str(self.sock.get_cipher()).startswith("NULL"): self.sock.set_cipher_list("NULL-SHA") self.sock.renegotiate() self.sock.write("D") request = "" while True: request += self.sock.read(100*1024) if asn1_sequence_length(request) == len(request): break if len(request) > 100*1024: raise IOError("GSI context error: no cert request in delegation phase") try: request = X509.load_request_der_string(request) except X509.X509Error: return IOError("GSI context error: bad certificate request received from server") proxy = proxylib.generate_proxycert(request.get_pubkey(), self.chain[0], self.key, globus_bug=False) self.sock.write(proxy.as_der()) # Even more strange is the fact that switching back to a # strong cipher after delegation does NOT work also. So # these lines are commented out: # # self.sock.set_cipher_list("ALL:!LOW:!SSLv2") # self.sock.renegotiate() self.context_established = True self.sock.write(data)
def post(self): if not self.app.config['AUTHORITY_CERTIFICATE']: return 'The server lacks an authority certificate. Unable to sign the certificate request.', 403 if not self.app.config['AUTHORITY_PRIVATE_KEY']: return 'The server lacks a private key. Unable to sign the certificate request.', 403 certificate_request_der = base64.b64decode(request.json.get('certificate_request')); certificate_request = X509.load_request_der_string(certificate_request_der); if not (certificate_request.get_subject().CN == current_user.username): return 'I will not a sign certificate request for a different user ! (Got "%s" while "%s" was expected)' % (certificate_request.get_subject().CN, current_user.username), 403 # Create a new certificate certificate = X509.X509() # Set the certificate version certificate.set_version(2) # Copy the certificate public key from the certificate request certificate.set_pubkey(certificate_request.get_pubkey()) # Set the certificate issuer certificate.set_issuer(self.app.config['AUTHORITY_CERTIFICATE'].get_subject()) # Set the certificate subject subject_name = X509.X509_Name() subject_name.CN = certificate_request.get_subject().CN or '' subject_name.OU = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().OU or '' subject_name.O = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().O or '' subject_name.L = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().L or '' subject_name.ST = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().ST or '' subject_name.C = self.app.config['AUTHORITY_CERTIFICATE'].get_subject().C or '' certificate.set_subject(subject_name) # Set the certificate "not before" timestamp not_before = ASN1.ASN1_UTCTIME() not_before.set_datetime(datetime.today() + timedelta(days=-1)) certificate.set_not_before(not_before) # Set the certificate "not after" timestamp not_after = ASN1.ASN1_UTCTIME() not_after.set_datetime(datetime.today() + self.app.config['CERTIFICATE_VALIDITY_DURATION']) certificate.set_not_after(not_after) # The issued certificate shall not be used as a certificate authority certificate.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE')) # Sign the certificate pkey = EVP.PKey() pkey.assign_rsa(self.app.config['AUTHORITY_PRIVATE_KEY'], capture=False) certificate.sign(pkey, 'sha1') current_user.certificate = certificate DATABASE.session.commit() result = { 'certificate': current_user.certificate_string, } return jsonify(result)
def post(self): if not self.app.config['AUTHORITY_CERTIFICATE']: return 'The server lacks an authority certificate. Unable to sign the certificate request.', 403 if not self.app.config['AUTHORITY_PRIVATE_KEY']: return 'The server lacks a private key. Unable to sign the certificate request.', 403 certificate_request_der = base64.b64decode( request.json.get('certificate_request')) certificate_request = X509.load_request_der_string( certificate_request_der) if not (certificate_request.get_subject().CN == current_user.username): return 'I will not a sign certificate request for a different user ! (Got "%s" while "%s" was expected)' % ( certificate_request.get_subject().CN, current_user.username), 403 # Create a new certificate certificate = X509.X509() # Set the certificate version certificate.set_version(2) # Copy the certificate public key from the certificate request certificate.set_pubkey(certificate_request.get_pubkey()) # Set the certificate issuer certificate.set_issuer( self.app.config['AUTHORITY_CERTIFICATE'].get_subject()) # Set the certificate subject subject_name = X509.X509_Name() subject_name.CN = certificate_request.get_subject().CN or '' subject_name.OU = self.app.config['AUTHORITY_CERTIFICATE'].get_subject( ).OU or '' subject_name.O = self.app.config['AUTHORITY_CERTIFICATE'].get_subject( ).O or '' subject_name.L = self.app.config['AUTHORITY_CERTIFICATE'].get_subject( ).L or '' subject_name.ST = self.app.config['AUTHORITY_CERTIFICATE'].get_subject( ).ST or '' subject_name.C = self.app.config['AUTHORITY_CERTIFICATE'].get_subject( ).C or '' certificate.set_subject(subject_name) # Set the certificate "not before" timestamp not_before = ASN1.ASN1_UTCTIME() not_before.set_datetime(datetime.today() + timedelta(days=-1)) certificate.set_not_before(not_before) # Set the certificate "not after" timestamp not_after = ASN1.ASN1_UTCTIME() not_after.set_datetime( datetime.today() + self.app.config['CERTIFICATE_VALIDITY_DURATION']) certificate.set_not_after(not_after) # The issued certificate shall not be used as a certificate authority certificate.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE')) # Sign the certificate pkey = EVP.PKey() pkey.assign_rsa(self.app.config['AUTHORITY_PRIVATE_KEY'], capture=False) certificate.sign(pkey, 'sha1') current_user.certificate = certificate DATABASE.session.commit() result = { 'certificate': current_user.certificate_string, } return jsonify(result)
def pkioperation(data): input_bio = BIO.MemoryBuffer(data) signer = SMIME.SMIME() cert_store = X509.X509_Store() cert_store.load_info(certstore_path) signer.set_x509_store(cert_store) p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_bio._ptr()), 1) signers = p7.get0_signers(X509.X509_Stack()) f = open('p7signers.pem', 'w') f.write(signers.pop().as_pem()) f.close() signer.set_x509_stack(signers) data = signer.verify(p7, flags=SMIME.PKCS7_NOVERIFY) ########################### #Decrypt #### s = SMIME.SMIME() # Load private key and cert. s.load_key(key_path, certstore_path) input_der = BIO.MemoryBuffer(data) p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_der._ptr()), 1) # Decrypt p7. out = s.decrypt(p7) #f = open('csr.der', 'w') #f.write(out) #f.close() #### #Convert the certificate to pem ##### #openssl_convert = 'openssl req -in csr.der -inform der -out csr.pem' #call(cmd(openssl_convert)) x509_request = X509.load_request_der_string(out) x509_request.save_pem('csr.pem') ################################# # After decryption, we will get csr # and generate cert. For now, we will use an existing certificate ################################# openssl_create_cert = 'openssl x509 -req -in csr.pem \ -extensions v3_ios -CA {} -CAkey {} -CAserial {} -out device_cert.pem \ -extfile {}'.format( certstore_path, key_path, serial_path, PKI_DIR + '/openssl.cnf') print openssl_create_cert call(cmd(openssl_create_cert)) ###### #Create degenerate pkcs7 der from the cert file #### openssl_degenerate = 'openssl crl2pkcs7 -nocrl -certfile device_cert.pem \ -out degenerate_cert.p7b -outform der' print openssl_degenerate call(cmd(openssl_degenerate)) degen_der = open('degenerate_cert.p7b').read() ##### # Encrypt openssl_encrypt = 'openssl smime -encrypt -des3 \ -in degenerate_cert.p7b -out enc_cert.der -outform der -binary p7signers.pem' print openssl_encrypt call(cmd(openssl_encrypt)) ###Sign openssl_sign = 'openssl smime -sign -signer ra_cert.pem \ -in enc_cert.der -binary -out final_response_python.der -outform der -inkey ra_private.pem' #call(cmd(openssl_sign)) sign_data = open('enc_cert.der').read() buf = BIO.MemoryBuffer(sign_data) s = SMIME.SMIME() s.load_key(key_path, certstore_path) p7 = s.sign(buf, flags=SMIME.PKCS7_BINARY) f = BIO.File(open('final_response_python.der', 'w')) p7.write_der(f) f.close() f = open('final_response_python.der') data = f.read() print "Goodbye" return data