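def _get_csr(self, spkac_str):
    """Parse *spkac_str* into ``self.csr`` and record its kind in ``self.csr_type``.

    Two encodings are accepted:

    * an SPKAC string as produced by ``<keygen>`` -> ``self.csr`` is a
      ``crypto.NetscapeSPKI`` and ``self.csr_type`` is ``"spki"``;
    * a PKCS#10 request wrapped in ``-----BEGINIECERTIFICATEREQUEST-----`` /
      ``-----ENDIECERTIFICATEREQUEST-----`` markers -> ``self.csr`` is the
      object returned by ``crypto.load_certificate_request`` and
      ``self.csr_type`` is ``"msie"``.

    All whitespace is stripped first, so the marker test uses the
    whitespace-free spelling.

    Raises:
        binascii.Error: the PKCS#10 body is not valid base64.
        crypto.Error: the request cannot be parsed, or its self-signature
            does not verify against the embedded public key (proof of
            possession).
    """
    # TODO should figure out how to use this challenge thing (spkac is using
    # md5, so I guess there should be some time bound) maybe linked to
    # session or something???
    # See https://www.w3.org/Bugs/Public/show_bug.cgi?id=13518
    # http://www.w3.org/wiki/Foaf%2Bssl/Clients#Keygen
    # We could der-decode the spkac and get the challenge from there.
    # NOTE(review): until that is done nothing here ties the request to the
    # session that displayed the form; only the key's self-signature is
    # checked below.
    spkac_str = re.sub(r'\s', '', spkac_str)
    # Lazy %-args: the argument is only rendered when DEBUG logging is on.
    logging.debug('SPKAC PUBKEY=%s', spkac_str)
    if 'BEGINIECERTIFICATEREQUEST' in spkac_str:
        # XXX improve csr type detection (get a flag from view)
        pkcs10 = (spkac_str
                  .replace('-----BEGINIECERTIFICATEREQUEST-----', '')
                  .replace('-----ENDIECERTIFICATEREQUEST-----', ''))
        der = base64.b64decode(pkcs10)
        csr = crypto.load_certificate_request(crypto.FILETYPE_ASN1, der)
        csr_type = 'msie'
    else:
        csr = crypto.NetscapeSPKI(spkac_str)
        csr_type = 'spki'
    # Proof of possession: the request must be signed by the key it carries,
    # otherwise a certificate could be issued for a public key the submitter
    # does not control.  pyOpenSSL raises crypto.Error on a bad signature;
    # the explicit test also covers a bindings version that returns False.
    if not csr.verify(csr.get_pubkey()):
        raise crypto.Error('request signature does not verify against its public key')
    self.csr = csr
    self.csr_type = csr_type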
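def create_x509_and_update_cert(user, uuid, pub_key):
    """Sign the pending ``Cert`` row (user, uuid) with the browser-supplied SPKAC key.

    Looks up the not-yet-installed ``Cert`` row for *user*/*uuid*, parses
    *pub_key* (a ``<keygen>`` SPKAC string) and issues a client certificate
    for the key it carries via ``create_signed_client_cert``.  The PEM
    certificate and the cleaned SPKAC are stored on the row, which is then
    marked installed.

    Args:
        user: owner of the pending certificate row.
        uuid: identifier of the pending row.
        pub_key: SPKAC string; space, tab, CR, LF, NUL and VT characters are
            stripped before parsing.

    Returns:
        The signed ``crypto.X509`` object, or ``None`` when no pending row
        matches (already installed, or never requested).

    Raises:
        crypto.Error: *pub_key* is not a parseable SPKAC, or its signature
            does not verify against the embedded public key.
    """
    try:
        cert = Cert.objects.get(user=user, uuid=uuid, is_installed=False)
    except Cert.DoesNotExist:
        return None
    pub_key = re.sub(r'[ \t\n\r\0\x0B]', '', pub_key)
    spki = crypto.NetscapeSPKI(pub_key)
    # Proof of possession: refuse to issue a certificate for a public key
    # whose SPKAC self-signature does not verify.  pyOpenSSL raises
    # crypto.Error on failure; the explicit test also covers a bindings
    # version that returns False.
    if not spki.verify(spki.get_pubkey()):
        raise crypto.Error('SPKAC signature does not verify against its public key')
    cert.pub_key = pub_key
    x509 = create_signed_client_cert(
        client_public_key=spki.get_pubkey(),
        country=cert.country,
        state=cert.state,
        locality=cert.locality,
        organization=cert.organization,
        organizational_unit=cert.organizational_unit,
        common_name=cert.common_name,
        email=cert.user.email,
        valid_until=cert.valid_until,
    )
    cert.x509 = crypto.dump_certificate(crypto.FILETYPE_PEM, x509)
    # NOTE(review): the get()/save() pair is not atomic, so two concurrent
    # submissions for the same uuid could both reach signing -- confirm
    # whether the caller serialises this (transaction or row lock).
    cert.is_installed = True
    cert.save()
    return x509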
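def spkac_x509(spki, commonName, days, emailAddress=None, altName=None, userid=None):
    """Issue a certificate for the public key carried by the SPKAC string *spki*.

    Args:
        spki: SPKAC string (``<keygen>`` output) as accepted by
            ``crypto.NetscapeSPKI``.
        commonName: subject common name handed to ``sign``.
        days: validity period handed to ``sign``.
        emailAddress, altName, userid: optional values passed through to
            ``sign`` unchanged.

    Returns:
        Whatever ``sign`` returns for the SPKAC's public key (not
        PEM-encoded here).

    Raises:
        crypto.Error: *spki* cannot be parsed, or its self-signature does not
            verify against the embedded key (proof of possession).
    """
    spki = crypto.NetscapeSPKI(spki)
    # Proof of possession: only sign a key whose SPKAC signature verifies.
    # pyOpenSSL raises crypto.Error on failure; the explicit test also covers
    # a bindings version that returns False.
    if not spki.verify(spki.get_pubkey()):
        raise crypto.Error('SPKAC signature does not verify against its public key')
    return sign(spki.get_pubkey(), None, None, commonName, days,
                emailAddress, altName, userid)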
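def sign_spkac(spki, commonName, days, emailAddress=None, altName=None, userid=None):
    """Issue a PEM certificate for the public key carried by the SPKAC string *spki*.

    Args:
        spki: SPKAC string (``<keygen>`` output) as accepted by
            ``crypto.NetscapeSPKI``.
        commonName: subject common name handed to ``sign``.
        days: validity period handed to ``sign``.
        emailAddress, altName, userid: optional values passed through to
            ``sign`` unchanged.

    Returns:
        The certificate returned by ``sign``, PEM-encoded with
        ``crypto.dump_certificate``.

    Raises:
        crypto.Error: *spki* cannot be parsed, or its self-signature does not
            verify against the embedded key (proof of possession).
    """
    spki = crypto.NetscapeSPKI(spki)
    # Proof of possession: only sign a key whose SPKAC signature verifies.
    # pyOpenSSL raises crypto.Error on failure; the explicit test also covers
    # a bindings version that returns False.
    if not spki.verify(spki.get_pubkey()):
        raise crypto.Error('SPKAC signature does not verify against its public key')
    x509 = sign(spki.get_pubkey(), None, None, commonName, days,
                emailAddress, altName, userid)
    return crypto.dump_certificate(crypto.FILETYPE_PEM, x509)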
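def gen_cert_spkac(addr, spkac_str, username):
    """Generate a certificate from SPKAC string.

    Checks the SPKAC's challenge against ``p.challenge`` and its
    self-signature against the embedded key, signs a certificate for that
    key via ``gen_cert``, and appends an audit line plus the PEM to
    ``CA_LOGFILE``.

    Args:
        addr: requester address, written verbatim to the CA log.
        spkac_str: SPKAC string (``<keygen>`` output); it is ``encode()``d
            before parsing.
        username: subject handed to ``gen_cert``; written verbatim to the log.

    Returns:
        The PEM-encoded certificate as returned by ``public_bytes``.

    Raises:
        ValueError: the challenge does not match, is not numeric, or the
            SPKAC signature does not verify.  ``ValueError`` is a subclass of
            ``Exception``, so existing ``except Exception`` handlers still
            apply.
        The parse/verify error raised by ``c.NetscapeSPKI`` for a malformed
            or forged SPKAC.
    """
    spkac_bytes = spkac_str.encode()
    spki = c.NetscapeSPKI(spkac_bytes)
    # The challenge ties this SPKAC to the value the form was issued with;
    # p.challenge is presumed to hold that value -- confirm where it is set.
    if p.challenge != int(get_challenge_nspki(spkac_bytes)):
        raise ValueError('Bad challenge')
    # Proof of possession: the SPKAC must be signed by the key it carries.
    if not spki.verify(spki.get_pubkey()):
        raise ValueError('Bad SPKAC pubkey')
    pkey = spki.get_pubkey().to_cryptography_key()
    cert_pem = gen_cert(pkey, username).public_bytes(sr.Encoding.PEM)
    # NOTE(review): addr and username are logged unescaped; a newline in
    # either would split the audit record -- confirm they are validated
    # upstream.
    with open(CA_LOGFILE, 'ab') as logf:
        logf.write(f'{tm.time()} {addr} {username} SPKAC\n'.encode())
        logf.write(cert_pem)
    return cert_pem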