def setup(self):
"""
Configure the RA with its own certificates.
:return:
"""
if CertificateManager.cert_file_exists("ra.cert"):
# Certificate exists
self.cert = CertificateManager.load_cert("ra.cert")
else:
# Not found, create new certificate for the RA
if self.verbose:
print("Generating new RA certificate.")
if self.ca is None or not isinstance(self.ca, CA):
raise ValueError("The \"ca\" field must be defined and instance of CA to setup an RA.")
# Create certificate own certificate on behalf of the CA
keys = CertificateManager.create_key_pair(self.default_key_type, self.default_key_size)
csr = CertificateManager.create_csr(keys, C="NO", ST="Oslo", L="Oslo", O=self.organisation, OU="RA",
CN="RA")
issuer = self.ca.get_root_certificate().get_issuer() # Issuer of root certificate (i.e. root CA)
cert = CertificateManager.create_cert(csr, self.get_next_serial(), issuer, self.ca.get_keys(), ca=True)
# Save certificate, keys and files
CertificateManager.save_cert(cert, CONFIG["pki"]["ra-cert-name"])
CertificateManager.save_pkey(keys, CONFIG["pki"]["ra-pkey-name"])
self.cert = cert
def request_certificate(self, request):
"""
This method checks if a certificate is allowed by the PSA and issues it if that is the case. The RA currently
issues certificates using the CA key for simplicity. The RA could have its own key with signing permission (i.e.
the ca flag set to true) and use that instead.
:param request: CertificateRequest object (AC-PKI model)
:return: Certificate or None
"""
# Validate request type
if not isinstance(request, CertificateRequest):
raise RequestError("Certificate request invalid. Must be of type CertificateRequest!")
# Check if connection is allowed
if self.psa.connection_allowed(request.origin, request.destination):
# Connection allowed
ou = self.register_ou((request.origin.epg.name, request.destination.epg.name))
subject = request.csr.get_subject()
# Override attributes in the CSR (if they are defined)
setattr(subject, "C", "NO")
setattr(subject, "ST", "Oslo")
setattr(subject, "L", "Oslo")
setattr(subject, "O", "AC-PKI Corp")
setattr(subject, "OU", ou)
setattr(subject, "CN", request.origin.name)
crt = CertificateManager.create_cert(request.csr, self.get_next_serial(), self.ca.get_issuer(),
self.ca.get_keys())
return crt
else:
# Connection not allowed
print("Connection not allowed between {0} and {1}. Certificate refused."
.format(request.origin, request.destination))
return None
# Create client certificate
if CertificateManager.cert_file_exists(
"client.cert") and CertificateManager.cert_file_exists("client.pkey"):
# Load existing
print("Loading existing client certificate from file")
client_cert = CertificateManager.load_cert("client.cert")
else:
# Generate new
print("Generating client certificate")
client_key_pair = CertificateManager.create_key_pair(crypto.TYPE_RSA, 2048)
csr = CertificateManager.create_csr(client_key_pair,
C="NO",
ST="Oslo",
O="Corp",
OU="abc123")
client_cert = CertificateManager.create_cert(csr, 1, ca_cert.get_subject(),
ca_key_pair)
CertificateManager.save_cert(client_cert, "client.cert")
CertificateManager.save_pkey(client_key_pair, "client.pkey")
# Create server certificate
if CertificateManager.cert_file_exists(
"server.cert") and CertificateManager.cert_file_exists("server.pkey"):
# Load existing
print("Loading existing server certificate from file")
server_cert = CertificateManager.load_cert("server.cert")
else:
# Generate new
print("Generating server certificate")
server_key_pair = CertificateManager.create_key_pair(crypto.TYPE_RSA, 2048)
csr = CertificateManager.create_csr(server_key_pair,
C="NO",