def _find_certificate_in_store(self, thumbprint_str, machine_keyset=True,
                               store_name=STORE_NAME_MY):
    """Look up a certificate by its SHA-1 thumbprint in a system store.

    The named system store is opened with ``CERT_STORE_OPEN_EXISTING_FLAG``
    (a missing store is an error, it is never created) in either the
    LOCAL_MACHINE or the CURRENT_USER location, then searched with
    ``CERT_FIND_SHA1_HASH`` for the given thumbprint.

    :param thumbprint_str: thumbprint in the form accepted by
        ``_get_thumbprint_buffer``.
    :param machine_keyset: True selects the LOCAL_MACHINE store, False
        the CURRENT_USER store.
    :param store_name: system store name (defaults to ``STORE_NAME_MY``).
    :returns: the matching certificate context pointer. It is not
        released here; the caller is expected to free it with
        ``CertFreeCertificateContext`` (as ``import_pfx_certificate`` does
        for its own contexts).
    :raises cryptoapi.CryptoAPIException: if the store cannot be opened
        or no certificate with that thumbprint exists.
    """
    thumbprint = self._get_thumbprint_buffer(thumbprint_str)
    hash_blob = cryptoapi.CRYPTOAPI_BLOB()
    hash_blob.cbData = len(thumbprint)
    hash_blob.pbData = thumbprint

    location = (cryptoapi.CERT_SYSTEM_STORE_LOCAL_MACHINE if machine_keyset
                else cryptoapi.CERT_SYSTEM_STORE_CURRENT_USER)
    open_flags = cryptoapi.CERT_STORE_OPEN_EXISTING_FLAG | location

    store_handle = cryptoapi.CertOpenStore(
        cryptoapi.CERT_STORE_PROV_SYSTEM, 0, 0, open_flags,
        six.text_type(store_name))
    if not store_handle:
        raise cryptoapi.CryptoAPIException()

    try:
        encoding = (cryptoapi.X509_ASN_ENCODING |
                    cryptoapi.PKCS_7_ASN_ENCODING)
        found = cryptoapi.CertFindCertificateInStore(
            store_handle, encoding, 0, cryptoapi.CERT_FIND_SHA1_HASH,
            ctypes.pointer(hash_blob), None)
        if not found:
            raise cryptoapi.CryptoAPIException()
        return found
    finally:
        # The store handle is only ever closed once it was opened
        # successfully; the returned context outlives the close.
        cryptoapi.CertCloseStore(store_handle, 0)
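def import_pfx_certificate(self, pfx_data, pfx_password=None,
                           machine_keyset=True, store_name=STORE_NAME_MY):
    """Import a PKCS#12 (PFX) blob and add its certificate to a system store.

    The blob is loaded into a temporary in-memory store with
    ``PFXImportCertStore``; the first certificate found there
    (``CERT_FIND_ANY``) is then added to the named system store with
    ``CERT_STORE_ADD_REPLACE_EXISTING``, so an existing certificate with
    the same identity is overwritten rather than duplicated.

    :param pfx_data: PFX/PKCS#12 contents as a bytes-like object; it is
        handed to CryptoAPI unmodified.
    :param pfx_password: password protecting the PFX, passed straight to
        ``PFXImportCertStore`` (``None`` for an unprotected blob).
    :param machine_keyset: True places both the certificate (LOCAL_MACHINE
        store) and its private key (machine key set) under the local
        machine; False keeps both under the current user.
    :param store_name: system store name (defaults to ``STORE_NAME_MY``).
    :returns: None.
    :raises cryptoapi.CryptoAPIException: if the PFX cannot be imported,
        holds no certificate, or the target store cannot be opened or
        written.
    """
    cert_context_p = None
    import_store_handle = None
    store_handle = None
    try:
        pfx_blob = cryptoapi.CRYPTOAPI_BLOB()
        pfx_blob.cbData = len(pfx_data)
        pfx_blob.pbData = ctypes.cast(pfx_data,
                                      ctypes.POINTER(wintypes.BYTE))

        # PFXImportCertStore decides where the private key is persisted.
        # With dwFlags == 0 the key lands in the calling user's key set even
        # when the certificate is later written to the LOCAL_MACHINE store,
        # which leaves it unusable from other accounts and services; pass
        # CRYPT_MACHINE_KEYSET so the key follows the certificate.
        import_flags = cryptoapi.CRYPT_MACHINE_KEYSET if machine_keyset else 0
        import_store_handle = cryptoapi.PFXImportCertStore(
            ctypes.pointer(pfx_blob), pfx_password, import_flags)
        if not import_store_handle:
            raise cryptoapi.CryptoAPIException()

        cert_context_p = cryptoapi.CertFindCertificateInStore(
            import_store_handle,
            cryptoapi.X509_ASN_ENCODING | cryptoapi.PKCS_7_ASN_ENCODING,
            0, cryptoapi.CERT_FIND_ANY, None, None)
        if not cert_context_p:
            raise cryptoapi.CryptoAPIException()

        if machine_keyset:
            store_location = cryptoapi.CERT_SYSTEM_STORE_LOCAL_MACHINE
        else:
            store_location = cryptoapi.CERT_SYSTEM_STORE_CURRENT_USER
        store_handle = cryptoapi.CertOpenStore(
            cryptoapi.CERT_STORE_PROV_SYSTEM, 0, 0, store_location,
            six.text_type(store_name))
        if not store_handle:
            raise cryptoapi.CryptoAPIException()

        if not cryptoapi.CertAddCertificateContextToStore(
                store_handle, cert_context_p,
                cryptoapi.CERT_STORE_ADD_REPLACE_EXISTING, None):
            raise cryptoapi.CryptoAPIException()
    finally:
        # Release in the order resources were acquired; each guard handles
        # the partial-failure case where a later handle was never obtained.
        if import_store_handle:
            cryptoapi.CertCloseStore(import_store_handle, 0)
        if cert_context_p:
            cryptoapi.CertFreeCertificateContext(cert_context_p)
        if store_handle:
            cryptoapi.CertCloseStore(store_handle, 0)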
def create_self_signed_cert(self, subject, validity_years=10,
                            machine_keyset=True, store_name=STORE_NAME_MY):
    """Create an RSA self-signed certificate and add it to a system store.

    Steps, in order: generate a key in a fresh, GUID-named container via
    ``_generate_key``; encode ``subject`` as an X.500 name; build the
    ``CRYPT_KEY_PROV_INFO`` referencing that container (``PROV_RSA_FULL``,
    ``AT_SIGNATURE``); sign with ``szOID_RSA_SHA1RSA``; tag the certificate
    with the server-authentication EKU; store it with
    ``CERT_STORE_ADD_REPLACE_EXISTING``.

    :param subject: X.500 distinguished-name string accepted by
        ``CertStrToName`` with ``CERT_X500_NAME_STR``.
    :param validity_years: years added to the current system time's year
        to obtain the "not after" date.
    :param machine_keyset: True keeps the key in the machine key set and
        writes the certificate to the LOCAL_MACHINE store; False uses the
        current user's key set and store.
    :param store_name: system store name (defaults to ``STORE_NAME_MY``).
    :returns: whatever ``_get_cert_thumprint`` returns for the new
        certificate context.
    :raises cryptoapi.CryptoAPIException: on any failing CryptoAPI call.
    """
    subject_encoded = None
    cert_context_p = None
    store_handle = None
    container_name = str(uuid.uuid4())
    # NOTE(review): the key container is created before the try block and
    # is never deleted here, so a failure in any later step leaves an
    # orphaned key set behind — confirm whether that is acceptable.
    self._generate_key(container_name, machine_keyset)
    try:
        # First call with a NULL output buffer only reports the encoded
        # length; the second call fills the buffer.
        subject_encoded_len = wintypes.DWORD()
        if not cryptoapi.CertStrToName(cryptoapi.X509_ASN_ENCODING,
                                       subject,
                                       cryptoapi.CERT_X500_NAME_STR,
                                       None, None,
                                       ctypes.byref(subject_encoded_len),
                                       None):
            raise cryptoapi.CryptoAPIException()
        size = ctypes.c_size_t(subject_encoded_len.value)
        # Presumably the C runtime malloc/free bound at module level; the
        # buffer is released in the finally clause.
        subject_encoded = ctypes.cast(malloc(size),
                                      ctypes.POINTER(wintypes.BYTE))
        if not cryptoapi.CertStrToName(cryptoapi.X509_ASN_ENCODING,
                                       subject,
                                       cryptoapi.CERT_X500_NAME_STR,
                                       None, subject_encoded,
                                       ctypes.byref(subject_encoded_len),
                                       None):
            raise cryptoapi.CryptoAPIException()
        subject_blob = cryptoapi.CRYPTOAPI_BLOB()
        # A DWORD instance is assigned here; ctypes copies its value.
        subject_blob.cbData = subject_encoded_len
        subject_blob.pbData = subject_encoded
        key_prov_info = cryptoapi.CRYPT_KEY_PROV_INFO()
        key_prov_info.pwszContainerName = container_name
        key_prov_info.pwszProvName = None
        key_prov_info.dwProvType = cryptoapi.PROV_RSA_FULL
        # NOTE(review): cProvParam is a parameter count in the Win32
        # struct; None is accepted only if the project declares the field
        # as a pointer type — verify against cryptoapi.CRYPT_KEY_PROV_INFO.
        key_prov_info.cProvParam = None
        key_prov_info.rgProvParam = None
        key_prov_info.dwKeySpec = cryptoapi.AT_SIGNATURE
        if machine_keyset:
            key_prov_info.dwFlags = cryptoapi.CRYPT_MACHINE_KEYSET
        else:
            key_prov_info.dwFlags = 0
        sign_alg = cryptoapi.CRYPT_ALGORITHM_IDENTIFIER()
        # NOTE(review): SHA-1 signatures are rejected by modern TLS clients
        # and browsers; prefer a SHA-256 RSA signature OID if the cryptoapi
        # module exposes one.
        sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA1RSA
        start_time = cryptoapi.SYSTEMTIME()
        cryptoapi.GetSystemTime(ctypes.byref(start_time))
        end_time = copy.copy(start_time)
        # Only the year field changes. NOTE(review): a February 29 start
        # yields an invalid SYSTEMTIME when the target year is not a leap
        # year — confirm CertCreateSelfSignCertificate tolerates that.
        end_time.wYear += validity_years
        cert_context_p = cryptoapi.CertCreateSelfSignCertificate(
            None, ctypes.byref(subject_blob), 0,
            ctypes.byref(key_prov_info), ctypes.byref(sign_alg),
            ctypes.byref(start_time), ctypes.byref(end_time), None)
        if not cert_context_p:
            raise cryptoapi.CryptoAPIException()
        # Restrict the certificate's purpose to server authentication.
        if not cryptoapi.CertAddEnhancedKeyUsageIdentifier(
                cert_context_p, cryptoapi.szOID_PKIX_KP_SERVER_AUTH):
            raise cryptoapi.CryptoAPIException()
        if machine_keyset:
            flags = cryptoapi.CERT_SYSTEM_STORE_LOCAL_MACHINE
        else:
            flags = cryptoapi.CERT_SYSTEM_STORE_CURRENT_USER
        store_handle = cryptoapi.CertOpenStore(
            cryptoapi.CERT_STORE_PROV_SYSTEM, 0, 0, flags,
            six.text_type(store_name))
        if not store_handle:
            raise cryptoapi.CryptoAPIException()
        # An existing certificate with the same identity is replaced.
        if not cryptoapi.CertAddCertificateContextToStore(
                store_handle, cert_context_p,
                cryptoapi.CERT_STORE_ADD_REPLACE_EXISTING, None):
            raise cryptoapi.CryptoAPIException()
        return self._get_cert_thumprint(cert_context_p)
    finally:
        # Each resource is released only if it was actually acquired.
        if store_handle:
            cryptoapi.CertCloseStore(store_handle, 0)
        if cert_context_p:
            cryptoapi.CertFreeCertificateContext(cert_context_p)
        if subject_encoded:
            free(subject_encoded)