def testRequestLoading(self): """Load Request loading """ m2rqst_text = X509.load_request_string(C_REQUEST, X509.FORMAT_PEM).as_text() rqst = CertificateRequest.new_from_pem(C_REQUEST) rqst.save() self.assertTrue(rqst.CN == "World Company") self.assertTrue(rqst.country == "FR") rqst_text = X509.load_request_string(rqst.pem, X509.FORMAT_PEM).as_text() self.assertTrue(rqst_text == m2rqst_text)
def test_load_request_bio(self): (req, _) = self.mkreq(512) r1 = X509.load_request_der_string(req.as_der()) r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER) r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM) r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()), X509.FORMAT_DER) r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), X509.FORMAT_PEM) for r in [r1, r2, r3, r4, r5]: assert req.as_der() == r.as_der() self.assertRaises(ValueError, X509.load_request_bio, BIO.MemoryBuffer(req.as_pem()), 345678)
def _getProxyRequest(self, delegationId): requestPEM = self.context.get('/delegation/' + delegationId + '/request') x509Request = X509.load_request_string(requestPEM) if x509Request.verify(x509Request.get_pubkey()) != 1: raise ServerError('Error verifying signature on the request') # Return return x509Request
def verify(certificate_path, ca_certificate_path, sign_request_path, output): certificate = None try: certificate = X509.load_cert(certificate_path) except (X509.X509Error, IOError): print('ERROR verify: Could not load certificate for verifying') exit(1) smime = SMIME.SMIME() stack = X509.X509_Stack() stack.push(certificate) smime.set_x509_stack(stack) store = X509.X509_Store() store.load_info(ca_certificate_path) smime.set_x509_store(store) pks7, data = SMIME.smime_load_pkcs7(sign_request_path) clear_text = smime.verify(pks7, data) if not output: output = path.abspath(path.curdir) + '/%s.csr' % DEFAULT_FIELDS['CN'] if clear_text: request = X509.load_request_string(clear_text) request.save(output) print('Verification OK') print('Request file was saved to %s' % output) else: print('Verification failed')
def sign_request(self, request, ca=False): if not isinstance(request, X509.Request): request = X509.load_request_string(str(request)) ca_priv_evp = EVP.PKey() ca_priv_evp.assign_rsa(self.get_key()) cert = X509.X509() cert.set_version(3) # Set Serial number serial = random.randrange(1, sys.maxint) cert.set_serial_number(serial) # Set Cert validity time cur_time = ASN1.ASN1_UTCTIME() cur_time.set_time(int(time.time())) expire_time = ASN1.ASN1_UTCTIME() expire_time.set_time(int(time.time()) + self.cert_exp_days*24*60*60) cert.set_not_before(cur_time) cert.set_not_after(expire_time) if ca: cert.set_issuer_name(request.get_subject()) cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE')) else: ca_cert = self.get_cert() cert.set_issuer_name(ca_cert.get_subject()) cert.set_subject(request.get_subject()) cert.set_pubkey(request.get_pubkey()) cert.sign(ca_priv_evp, md="sha256") return cert
def sign_request(self, request, ca=False): if not isinstance(request, X509.Request): request = X509.load_request_string(str(request)) ca_priv_evp = EVP.PKey() ca_priv_evp.assign_rsa(self.get_key()) cert = X509.X509() # X509 version field is 0-based cert.set_version(0x2) # set to X509v3 # Set Serial number serial = random.randrange(1, sys.maxint) cert.set_serial_number(serial) # Set Cert validity time cur_time = ASN1.ASN1_UTCTIME() cur_time.set_time(int(time.time())) expire_time = ASN1.ASN1_UTCTIME() expire_time.set_time( int(time.time()) + self.cert_exp_days * 24 * 60 * 60) cert.set_not_before(cur_time) cert.set_not_after(expire_time) if ca: cert.set_issuer_name(request.get_subject()) cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE')) else: ca_cert = self.get_cert() cert.set_issuer_name(ca_cert.get_subject()) cert.set_subject(request.get_subject()) cert.set_pubkey(request.get_pubkey()) cert.sign(ca_priv_evp, md="sha256") return cert
def test_malformed_data(self): with self.assertRaises(X509.X509Error): X509.load_cert_string('Hello') with self.assertRaises(X509.X509Error): X509.load_cert_der_string('Hello') with self.assertRaises(X509.X509Error): X509.new_stack_from_der('Hello') with self.assertRaises(X509.X509Error): X509.load_cert('tests/alltests.py') with self.assertRaises(X509.X509Error): X509.load_request('tests/alltests.py') with self.assertRaises(X509.X509Error): X509.load_request_string('Hello') with self.assertRaises(X509.X509Error): X509.load_request_der_string('Hello') with self.assertRaises(X509.X509Error): X509.load_crl('tests/alltests.py')
def clean_csr(self): data = self.cleaned_data try: # X509.load_request_string doesn't like unicode data['csr'] = X509.load_request_string(data['csr'].encode('utf-8')) except X509.X509Error: raise forms.ValidationError(_('Invalid CSR.')) return data['csr']
def test_load_request_bio(self): (req, _) = self.mkreq(1024) r1 = X509.load_request_der_string(req.as_der()) r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER) r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM) r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()), X509.FORMAT_DER) r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), X509.FORMAT_PEM) for r in [r1, r2, r3, r4, r5]: self.assertEqual(req.as_der(), r.as_der()) with self.assertRaises(ValueError): X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), 345678)
def _get_proxy_request(self, delegation_id): request_url = '/delegation/' + delegation_id + '/request' request_pem = self.context.get(request_url) x509_request = X509.load_request_string(request_pem) if x509_request.verify(x509_request.get_pubkey()) != 1: raise ServerError('Error verifying signature on the request') # Return return x509_request
def _get_proxy_request(self, delegation_id): request_url = '/delegation/' + delegation_id + '/request' request_pem = self.context.get(request_url) x509_request = X509.load_request_string(request_pem) if x509_request.verify(x509_request.get_pubkey()) != 1: raise ServerError('Error verifying signature on the request:', Err.get_error()) # Return return x509_request
def run(self): """Receive, verify and sign incoming CSRs.""" sockfile = self.sock.makefile('rw', 0) msg = sockfile.readlines() sig = msg[0] pem = ''.join(msg[1:]) if pem[-1:] == '\n': pem = pem[:-1] csr = X509.load_request_string(pem) CN = csr.get_subject().CN if CN != self.src: error_message = "Hostname: %s doesn't match certificate CN: %s" % ( self.src, CN) if config.getboolean('master', 'HostVerify'): log.error(error_message) self.sock.send("FAIL\n" + error_message + "\n") return else: log.warn(error_message) verified = False try: pub = cert_from_file(cert_store_file(CN)).get_pubkey() except (IOError, X509.X509Error): pass else: if not verify_data(sig, pem, pub): log.error("Signature verification failed reading CSR from %s.", self.src) self.sock.send("FAIL\nSignature verification failed.\n") return verified = True if verified or config.getboolean('master', 'AutoSign'): log.info("Signing certificate") try: certobj = sign_csr(self.cakey, self.cacert, csr, config.getint('cert', 'CertLifetime')) except X509.X509Error: log.exception("Signing failed. Will save for later signing.") else: log.info("Storing Signed Cert") self.store.write(certobj) self.store.checkpoint() self.sock.send('OK\n' + certobj.as_pem()) return #Just save the CSR for later signing with tempfile.NamedTemporaryFile( dir=os.path.dirname(csr_cache_file(self.src)), delete=False) as f_csr: log.info("Writing CSR to cache: %s", csr_cache_file(self.src)) f_csr.write(pem) os.rename(f_csr.name, csr_cache_file(self.src)) self.sock.send('OK\n')
def get_request(self, cr, uid, ids, context=None): """ Return Request object. """ r = {} for cert in self.browse(cr, uid, ids): if cert.csr: r[cert.id] = X509.load_request_string(cert.csr.encode("ascii")) return r
def get_request(self, cr, uid, ids, context=None): """ Return Request object. """ r = {} for cert in self.browse(cr, uid, ids): if cert.csr: r[cert.id] = X509.load_request_string(cert.csr.encode('ascii')) return r
def request(self, dlg_id, start_response): """ First step of the delegation process: get a certificate request The returned certificate request must be signed with the user's original credentials. """ user = request.environ['fts3.User.Credentials'] if dlg_id != user.delegation_id: raise HTTPForbidden( 'The requested ID and the credentials ID do not match') credential_cache = Session.query(CredentialCache)\ .get((user.delegation_id, user.user_dn)) user_cert = self.certificate() request_key_len = 2048 if user_cert: user_key = X509.load_cert_string(user_cert) request_key_len = user_key.get_pubkey().size() * 8 cached = credential_cache is not None and credential_cache.cert_request is not None if cached: cached_key_len = X509.load_request_string( credential_cache.cert_request).get_pubkey().size() * 8 if cached_key_len != request_key_len: cached = False log.debug( "Invalidating cache due to key length missmatch between client and cached certificates" ) if not cached: (x509_request, private_key) = _generate_proxy_request(request_key_len) credential_cache = CredentialCache( dlg_id=user.delegation_id, dn=user.user_dn, cert_request=x509_request.as_pem(), priv_key=private_key.as_pem(cipher=None), voms_attrs=' '.join(user.voms_cred)) try: Session.merge(credential_cache) Session.commit() except Exception: Session.rollback() raise log.debug("Generated new credential request for %s" % dlg_id) else: log.debug("Using cached request for %s" % dlg_id) start_response('200 Ok', [('X-Delegation-ID', str(credential_cache.dlg_id)), ('Content-Type', 'text/plain')]) return [credential_cache.cert_request]
def Start(self): """Sign the CSR from the client.""" client = aff4.FACTORY.Create(self.client_id, aff4_grr.VFSGRRClient, mode="rw", token=self.token) if self.args.csr.type != rdf_crypto.Certificate.Type.CSR: raise IOError("Must be called with CSR") req = X509.load_request_string(self.args.csr.pem) # Verify the CSR. This is not strictly necessary but doesn't harm either. if req.verify(req.get_pubkey()) != 1: raise flow.FlowError("CSR for client %s did not verify: %s" % (self.client_id, req.as_pem())) # Verify that the CN is of the correct form. The common name should refer # to a client URN. public_key = req.get_pubkey().get_rsa().pub()[1] self.cn = rdf_client.ClientURN.FromPublicKey(public_key) if self.cn != rdf_client.ClientURN(req.get_subject().CN): raise IOError( "CSR CN %s does not match public key %s." % (rdf_client.ClientURN(req.get_subject().CN), self.cn)) logging.info("Will sign CSR for: %s", self.cn) cert = self.MakeCert(self.cn, req) # This check is important to ensure that the client id reported in the # source of the enrollment request is the same as the one in the # certificate. We use the ClientURN to ensure this is also of the correct # form for a client name. if self.cn != self.client_id: raise flow.FlowError("Certificate name %s mismatch for client %s", self.cn, self.client_id) # Set and write the certificate to the client record. certificate_attribute = rdf_crypto.RDFX509Cert(cert.as_pem()) client.Set(client.Schema.CERT, certificate_attribute) client.Set(client.Schema.FIRST_SEEN, rdfvalue.RDFDatetime().Now()) index = aff4.FACTORY.Create(client_index.MAIN_INDEX, aff4_type=client_index.ClientIndex, object_exists=True, mode="rw", token=self.token) index.AddClient(client) client.Close(sync=True) # Publish the client enrollment message. self.Publish("ClientEnrollment", certificate_attribute.common_name) self.Log("Enrolled %s successfully", self.client_id)
def Start(self): """Sign the CSR from the client.""" client = aff4.FACTORY.Create(self.client_id, aff4_grr.VFSGRRClient, mode="rw", token=self.token) if self.args.csr.type != rdf_crypto.Certificate.Type.CSR: raise IOError("Must be called with CSR") req = X509.load_request_string(self.args.csr.pem) # Verify the CSR. This is not strictly necessary but doesn't harm either. if req.verify(req.get_pubkey()) != 1: raise flow.FlowError("CSR for client %s did not verify: %s" % (self.client_id, req.as_pem())) # Verify that the CN is of the correct form. The common name should refer # to a client URN. public_key = req.get_pubkey().get_rsa().pub()[1] self.cn = rdf_client.ClientURN.FromPublicKey(public_key) if self.cn != rdf_client.ClientURN(req.get_subject().CN): raise IOError("CSR CN %s does not match public key %s." % (rdf_client.ClientURN(req.get_subject().CN), self.cn)) logging.info("Will sign CSR for: %s", self.cn) cert = self.MakeCert(self.cn, req) # This check is important to ensure that the client id reported in the # source of the enrollment request is the same as the one in the # certificate. We use the ClientURN to ensure this is also of the correct # form for a client name. if self.cn != self.client_id: raise flow.FlowError("Certificate name %s mismatch for client %s", self.cn, self.client_id) # Set and write the certificate to the client record. certificate_attribute = rdf_crypto.RDFX509Cert(cert.as_pem()) client.Set(client.Schema.CERT, certificate_attribute) client.Set(client.Schema.FIRST_SEEN, rdfvalue.RDFDatetime().Now()) index = aff4.FACTORY.Create(client_index.MAIN_INDEX, aff4_type=client_index.ClientIndex, object_exists=True, mode="rw", token=self.token) index.AddClient(client) client.Close(sync=True) # Publish the client enrollment message. self.Publish("ClientEnrollment", certificate_attribute.common_name) self.Log("Enrolled %s successfully", self.client_id)
def get_x509_proxy(self, request_pem, issuer=None, subject=None, private_key=None): """ Generate a X509 proxy based on the request Args: requestPEM: The request PEM encoded issuer: The issuer user subject: The subject of the proxy. If None, issuer/CN=proxy will be used Returns: A X509 proxy PEM encoded """ if issuer is None: issuer = [('DC', 'ch'), ('DC', 'cern'), ('CN', 'Test User')] if subject is None: subject = issuer + [('CN', 'proxy')] x509_request = X509.load_request_string(str(request_pem)) not_before = ASN1.ASN1_UTCTIME() not_before.set_datetime(datetime.now(UTC)) not_after = ASN1.ASN1_UTCTIME() not_after.set_datetime(datetime.now(UTC) + timedelta(hours=3)) issuer_subject = X509.X509_Name() for c in issuer: issuer_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0) proxy_subject = X509.X509_Name() for c in subject: proxy_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0) proxy = X509.X509() proxy.set_version(2) proxy.set_subject(proxy_subject) proxy.set_serial_number(int(time.time())) proxy.set_version(x509_request.get_version()) proxy.set_issuer(issuer_subject) proxy.set_pubkey(x509_request.get_pubkey()) proxy.set_not_after(not_after) proxy.set_not_before(not_before) if not private_key: proxy.sign(self.pkey, 'sha1') else: proxy.sign(private_key, 'sha1') return proxy.as_pem() + self.cert.as_pem()
def new_from_pem(cls, pem, user=None, key=None): """Create a Request Instance with an existing PEM """ rqst = cls(user=user, key=key) m2rqst = X509.load_request_string(pem, X509.FORMAT_PEM) rqst.pem = m2rqst.as_pem() subject = m2rqst.get_subject() rqst.country = subject.C rqst.CN = subject.CN # Add date rqst.created = datetime.now() return rqst
def get_request(self): """ Return Request object. """ if self.csr: try: request = X509.load_request_string(self.csr.encode('ascii')) except X509.X509Error as detail: _logger.warn(detail) request = None else: request = None return request
def testEnrollingCommunicator(self): """Test that the ClientCommunicator generates good keys.""" self.client_communicator = comms.ClientCommunicator(certificate="") self.client_communicator.LoadServerCertificate( self.server_certificate, config_lib.CONFIG["CA.certificate"]) req = X509.load_request_string(self.client_communicator.GetCSR()) # Verify that the CN is of the correct form public_key = req.get_pubkey().get_rsa().pub()[1] cn = rdfvalue.ClientURN.FromPublicKey(public_key) self.assertEqual(cn, req.get_subject().CN)
def testEnrollingCommunicator(self): """Test that the ClientCommunicator generates good keys.""" self.client_communicator = comms.ClientCommunicator(certificate="") self.client_communicator.LoadServerCertificate( self.server_certificate, config_lib.CONFIG["CA.certificate"]) req = X509.load_request_string(self.client_communicator.GetCSR()) # Verify that the CN is of the correct form public_key = req.get_pubkey().get_rsa().pub()[1] cn = rdf_client.ClientURN.FromPublicKey(public_key) self.assertEqual(cn, req.get_subject().CN)
def parseSignature(signature): if not signature: return "", "", "", "", "" # 返回一个X509.Request类型代表证书请求文件 req = X509.load_request_string(signature) #首先验证一下,是不是真的是使用它本身的私钥签名的。 #如果是,返回非0值。如果不是,说明这是一个非法的证书请求文件。 is_verify = req.verify(req.get_pubkey()) is_verify = is_verify and True or False S = req.get_subject() return is_verify, dict( zip(("sig_domain", "sig_depart", "sig_organization", "sig_province", "sig_locale", "sig_contry"), getCertParm(S)))
def get_request(self, cr, uid, ids, context=None): """ Return Request object. """ r = {} for cert in self.browse(cr, uid, ids): if cert.csr: try: r[cert.id] = X509.load_request_string(cert.csr.encode('ascii')) except X509.X509Error as detail: _logger.warn(detail) r[cert.id] = None else: r[cert.id] = None return r
def get_request(self, cr, uid, ids, context=None): """ Return Request object. """ r = {} for cert in self.browse(cr, uid, ids): if cert.csr: try: r[cert.id] = X509.load_request_string(cert.csr.encode("ascii")) except X509.X509Error as detail: _logger.warn(detail) r[cert.id] = None else: r[cert.id] = None return r
def Start(self): """Sign the CSR from the client.""" client = aff4.FACTORY.Create(self.client_id, "VFSGRRClient", token=self.token) if self.args.csr.type != rdfvalue.Certificate.Type.CSR: raise IOError("Must be called with CSR") req = X509.load_request_string(self.args.csr.pem) # Verify that the CN is of the correct form. The common name should refer to # a client URN. public_key = req.get_pubkey().get_rsa().pub()[1] self.cn = rdfvalue.ClientURN.FromPublicKey(public_key) if self.cn != rdfvalue.ClientURN(req.get_subject().CN): raise IOError("CSR CN does not match public key.") logging.info("Will sign CSR for: %s", self.cn) cert = self.MakeCert(self.cn, req) # This check is important to ensure that the client id reported in the # source of the enrollment request is the same as the one in the # certificate. We use the ClientURN to ensure this is also of the correct # form for a client name. if self.cn != self.client_id: raise flow.FlowError("Certificate name %s mismatch for client %s", self.cn, self.client_id) # Set and write the certificate to the client record. certificate_attribute = rdfvalue.RDFX509Cert(cert.as_pem()) client.Set(client.Schema.CERT, certificate_attribute) client.Set(client.Schema.FIRST_SEEN, rdfvalue.RDFDatetime().Now()) client.Close(sync=True) # Publish the client enrollment message. self.Publish("ClientEnrollment", certificate_attribute.common_name) self.Log("Enrolled %s successfully", self.client_id) # This is needed for backwards compatibility. # TODO(user): Remove this once all clients are > 2200. self.CallClient("SaveCert", pem=cert.as_pem(), type=rdfvalue.Certificate.Type.CRT, next_state="End")
def validate_csr(csr, addr): """ Validate Certificate Signing Request (CSR) """ try: csr = X509.load_request_string(str(csr)) except: raise ValidationError('Not a valid CSR') subject = csr.get_subject() if not subject.CN: raise ValidationError("Required subject Common Name (CN) not provided") try: cnip = IP(subject.CN) except ValueError: msg = "Subject Common Name (CN) '%s' is not a valid IP address" raise ValidationError(msg % subject.CN) if addr != cnip: msg = "Common Name (CN) must be equal to node management address: '%s' != '%s'" raise ValidationError(msg % (subject.CN, addr))
def generate_certificate(self, activation_key, cert_req_pem, unique_cn=False): cert_info = self.certificates_collection.find_one({DBK_CERT_ACTKEY: activation_key}) if not cert_info: raise NotFound('Certificate with key=%s does not found!'%activation_key) rqst = X509.load_request_string(cert_req_pem) issuer = rqst.get_subject() role = cert_info[DBK_CERT_ROLE] if issuer.OU != role: raise InvalidCertRequest('Invalid certificate request OU=%s. "%s" value expected'%(issuer.OU, role)) if not issuer.CN: raise InvalidCertRequest('Invalid CN! REQ: %s'%rqst.as_text()) issuer_cn = str(issuer.CN) if len(issuer_cn) == 0 or len(issuer_cn) > 64: raise InvalidRegistration('Invalid CN size. Maximum is 64 bytes, but %s occured!'%len(issuer_cn)) if cert_info[DBK_CERT_STATUS] == STATUS_ACTIVE: if issuer_cn == cert_info[DBK_CERT_CN]: return cert_info[DBK_CERT_PEM] raise AlreadyGenerated('Certificate with activation key=%s is already processed!'%activation_key) if unique_cn: cert_with_cn = self.certificates_collection.find_one({DBK_CERT_CN: issuer_cn}) if cert_with_cn: raise InvalidRegistration('Certificate with CN=%s is already exists!'%issuer_cn) #generating certificate serial_id = cert_info[DBK_CERT_SERIALID] cert_period = int(cert_info[DBK_CERT_TERM]) revoke_dt = datetime.now() + timedelta(cert_period) cert_pem = sign_request(cert_req_pem, self.ca_private, self.ca_pem, serial_id, cert_period, 'test') cert_info[DBK_CERT_PEM] = cert_pem cert_info[DBK_CERT_MODDATE] = datetime.now() cert_info[DBK_CERT_REVOKE_DT] = revoke_dt cert_info[DBK_CERT_STATUS] = STATUS_ACTIVE cert_info[DBK_CERT_CN] = issuer_cn self.certificates_collection.update({DBK_CERT_ACTKEY: activation_key}, cert_info) return cert_pem
def genCertificate(privkey, signature, certificate): #首先读取证书请求文件。 # signature=file("req.pem", "rb").read() #返回一个X509.Request类型代表证书请求文件 req=X509.load_request_string(signature) #首先验证一下,是不是真的是使用它本身的私钥签名的。 #如果是,返回非0值。如果不是,说明这是一个非法的证书请求文件。 is_verify = req.verify(req.get_pubkey()) if not is_verify: return False, False, None #接下来载入CA的电子证书。与CA的密钥不一样,CA的电子证书包含了CA的身份信息。 #CA的电子证书会分发给各个通信节点。 # certificate=file("ca.pem", "rb").read() ca=X509.load_cert_string(certificate) #可以使用check_ca()方法判断这个证书文件是不是CA。 #本质是判断它是不是自签名。如果是的话,就返回非0值。如果不是的话就返回0。 is_ca = ca.check_ca() # if not is_ca: # return True, False, None #接下来载入CA的密钥 # cakey_str=file("cakey.pem", "rb").read() #一般CA的密钥要加密保存。回调函数返回密码 # cakey=EVP.load_key_string(privkey, lambda *args: "1234") cakey=EVP.load_key_string(privkey, util.no_passphrase_callback) #接下来开始生成电子证书 cert=X509.X509() #首先,设定开始生效时间与结束生效时间 t = long(time.time()) + time.timezone #当前时间,单位是秒 #开始生效时间。证书的时间类型不是普通的Python datetime类型。 now = ASN1.ASN1_UTCTIME() now.set_time(t) nowPlusYear = ASN1.ASN1_UTCTIME() #结束生效时间 nowPlusYear.set_time(t + 60 * 60 * 24 * 365) #一年以后。 cert.set_not_before(now) cert.set_not_after(nowPlusYear) # 把证书请求附带的身份信息复制过来 cert.set_subject(req.get_subject()) #设置颁发者的身份信息,把CA电子证书内身份信息复制过来 cert.set_issuer(ca.get_subject()) #序列号是指,CA颁发的第几个电子证书文件 cert.set_serial_number(2) #把证书请求内的公钥复制过来 cert.set_pubkey(req.get_pubkey()) #使用CA的秘钥进行签名。 cert.sign(cakey, "sha1") certificateT = cert.as_pem() return True, True, certificateT #保存文件。 file("cert.pem", "wb").write(cert.as_pem())
def sign(request): """ method dedicated to sign an external certificate request :param request: Django POST request object :param POST['csr']: The PEM certificate request """ cert = SSLCertificate() cert.cert = "" cert.key = "" cert.chain = "" cert.csr = "" if request.method == 'POST': dataPosted = request.POST error = dict() err = None try: cert.csr = str(dataPosted['csr']) except: err = True error['csr'] = "PEM Certificate request required" pass if err: return render_to_response('cert_sign.html', { 'cert': cert, 'error': error }, context_instance=RequestContext(request)) # Check the request try: x509Request = X509.load_request_string(cert.csr) except: error['csr'] = "Invalid PEM Certificate Request" return render_to_response('cert_sign.html', { 'cert': cert, 'error': error }, context_instance=RequestContext(request)) # Get cluster cluster = Cluster.objects.get() # Find the internal CA's certificate and private key internal = cluster.ca_certificate ca_key = RSA.load_key_string(internal.key.encode('utf8')) ca_cert = X509.load_cert_string(internal.cert.encode('utf8')) # Get PKI next serial number serial = cluster.ca_serial serial += 1 # Create a certificate from the request crt = mk_cert(serial) crt.set_pubkey(x509Request.get_pubkey()) pk = EVP.PKey() pk.assign_rsa(ca_key) issuer = X509.X509_Name() subject = X509.X509_Name() fields = str(x509Request.get_subject()).split('/') for field in fields: tmp = field.split('=') if str(tmp[0]) == "CN": subject.CN = tmp[1] cert.cn = tmp[1] elif str(tmp[0]) == "C": subject.C = tmp[1] cert.c = tmp[1] elif str(tmp[0]) == "ST": subject.ST = tmp[1] cert.st = tmp[1] elif str(tmp[0]) == "L": subject.L = tmp[1] cert.l = tmp[1] elif str(tmp[0]) == "O": subject.O = tmp[1] cert.o = tmp[1] elif str(tmp[0]) == "OU": subject.OU = tmp[1] cert.ou = tmp[1] fields = str(ca_cert.get_subject()).split('/') for field in fields: tmp = field.split('=') if str(tmp[0]) == "CN": issuer.CN = tmp[1] elif str(tmp[0]) == "C": issuer.C = tmp[1] elif str(tmp[0]) == "ST": issuer.ST = tmp[1] elif str(tmp[0]) == "L": issuer.L = tmp[1] elif str(tmp[0]) == "O": issuer.O = tmp[1] elif str(tmp[0]) == "OU": issuer.OU = tmp[1] crt.set_subject(subject) crt.set_issuer(issuer) crt.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE')) crt.add_ext( X509.new_extension('subjectKeyIdentifier', str(crt.get_fingerprint()))) try: crt.sign(pk, 'sha256') except Exception as e: print(e) # Save serial number cluster.ca_serial = serial cluster.save() # Store the certificate cert.cert = crt.as_pem().decode('utf8') cert.name = str(crt.get_subject()) cert.status = 'V' cert.issuer = str(internal.issuer) cert.validfrom = str(crt.get_not_before().get_datetime()) cert.validtill = str(crt.get_not_after().get_datetime()) cert.is_ca = False cert.chain = str(internal.cert) cert.serial = str(serial) cert.save() return HttpResponseRedirect('/system/cert/') return render_to_response('cert_sign.html', { 'cert': cert, }, context_instance=RequestContext(request))
def m2_request(self): """Return M2Crypto's Request instance """ rqst = X509.load_request_string(self.pem, X509.FORMAT_PEM) return rqst
def from_pem(cls, data): newcls = cls.__new__(cls) newcls._req = X509.load_request_string(str(data), format=X509.FORMAT_PEM) assert newcls._req.verify(newcls._req.get_pubkey()) == 1 return newcls
def main(): form = cgi.FieldStorage() # form hasn't been submitted yet if not form: message = """ <form action="/cgi-bin/sendcert/index.cgi" method="POST" enctype="multipart/form-data"> <input type="file" name="file"> <input type="submit"> <input type="reset"> </form> """ htmlOutput(message) # form has ben submitted elif "file" in form: joiner = os.environ.get('REMOTE_USER',None) if not joiner: htmlOutput("ERROR: You must authenticate to use this script.") exit(0) # can be either a 'file submit' from a browser, or a urlencoded string fileitem = form["file"] if fileitem.file: csrdata = fileitem.file.read() else: csrdata = fileitem.value try: csr = X509.load_request_string(csrdata) except X509.X509Error: htmlOutput("ERROR: No valid CSR data received.") exit(0) # get object type and name subject_name = csr.get_subject() obj_typename, obj_name = subject_name.split(":") obj_id = int(wc.call('EntityId', obj_typename, obj_name)) if obj_id < 1: # object does not exist - should have been created by # client script htmlOutput("ERROR: object {} does not exist.". format(subject_name)) exit(0) # Now we need to start looking up things in the hierarchy - # make a Webclient. wcurl = context.desired_status.xpath(wxpath + '/webclient/@url')[0] # TODO(colin): change over to cert or user+pass wc = WebClient(wcurl, 'eggy') # We'll need settext permission on the object's 'reset_trust' field req = { 'channel_id': wc.call('HierarchyChannel'), 'op': 'settext' 'mpath': '/contents/{}[{}]/field[reset_trust]'.format(obj_typename, obj_id), 'owner': joiner, 'approval': [] } allowed = wc.call('ActionAllowed', req, '/system/special/authz/objects') if allowed != 1: htmlOutput('ERROR: user "{}" is not alowed to reset the trust link for {}:{}'.format(joiner, obj_typename, obj_name)) exit(0) # check that csr conforms to our certificate policy check_csr(csr) # now we've got permission to do something dbcon = psycopg2.connect(host=dcon_elt['host'], port=dcon_elt['port'], database=dcon_elt['database'], user=cred_elt.xpath('/cred/db/username/text()'), password=cred_elt.xpath('/cred/db/password/text()')) # This script should not live long enough to worry about # more than one cursor - just create a global one. cur = dbcon.cursor() cur.execute("select nextval(%s)", ('certs')) serial = cur.fetchone()[0] cert = sign_csr(csr, serial) # revoke old row/cert cur.execute("update certs set type='R' where name=%s and type='V'", (subject_name)) # add new row/cert cur.execute("insert into certs (serial, name, type, expiry_date) " + "values (%s,%s,'V',%s)", (serial, subject_name, cert.get_not_before())) cur.commit() # hand the signed certificate back fileOutput(csr.get_subject().CN, cert.as_pem())