def revoke_certificate(self, certificate, comments): """Revoke an EJBCA certificate.""" base_url = current_app.config.get("EJBCA_URL") authority = get_authority(certificate.authority_id) authority_const = authority.name.upper().replace('-', '_') cert_body = certificate.body x509 = load_certificate(FILETYPE_PEM, cert_body) issuer = x509.get_issuer() issuer_dn = get_subject_dn_string(issuer.get_components()) # create certificate revocation request hex_serial = hex(int(certificate.serial))[2:] cert_serial_hex = str(hex_serial) create_url = "{0}/ejbca/ejbca-rest-api/v1/certificate/{1}/{2}/revoke".format( base_url, issuer_dn, cert_serial_hex) # print(create_url) session = requests.Session() session.mount('https://', HttpsAdapter()) session.cert = current_app.config.get( f'EJBCA_PEM_PATH_{authority_const}') session.verify = current_app.config.get("EJBCA_TRUSTSTORE") session.hooks = dict(response=log_status_code) metrics.send("ejbca_revoke_certificate", "counter", 1) reason = comments.get('crl_reason') or comments.get( 'crlReason', 'unspecified') reason_dict = { 'unspecified': 'UNSPECIFIED', 'keyCompromise': 'KEY_COMPROMISE', 'cACompromise': 'CA_COMPROMISE', 'affiliationChanged': 'AFFILIATION_CHANGED', 'superseded': 'SUPERSEDED', 'cessationOfOperation': 'CESSATION_OF_OPERATION', 'certificateHold': 'CERTIFICATE_HOLD', 'removeFromCRL': 'REMOVE_FROM_CRL', 'privilegeWithdrawn': 'PRIVILEGES_WITHDRAWN', 'aACompromise': 'AA_COMPROMISE', } reason = reason_dict.get(reason, reason) response = session.put(create_url, params={'reason': reason}) # print(response) extra_logger.info(f'{certificate} was revoked with reason {reason}') return handle_response(response)
def main(): module = AnsibleModule(argument_spec=dict( ca_cert=dict(type='path'), host=dict(type='str', required=True), port=dict(type='int', required=True), proxy_host=dict(type='str'), proxy_port=dict(type='int', default=8080), timeout=dict(type='int', default=10), select_crypto_backend=dict( type='str', choices=['auto', 'pyopenssl', 'cryptography'], default='auto'), ), ) ca_cert = module.params.get('ca_cert') host = module.params.get('host') port = module.params.get('port') proxy_host = module.params.get('proxy_host') proxy_port = module.params.get('proxy_port') timeout = module.params.get('timeout') backend = module.params.get('select_crypto_backend') if backend == 'auto': # Detection what is possible can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion( MINIMAL_CRYPTOGRAPHY_VERSION) can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion( MINIMAL_PYOPENSSL_VERSION) # First try cryptography, then pyOpenSSL if can_use_cryptography: backend = 'cryptography' elif can_use_pyopenssl: backend = 'pyopenssl' # Success? if backend == 'auto': module.fail_json(msg=( "Can't detect any of the required Python libraries " "cryptography (>= {0}) or PyOpenSSL (>= {1})" ).format(MINIMAL_CRYPTOGRAPHY_VERSION, MINIMAL_PYOPENSSL_VERSION)) if backend == 'pyopenssl': if not PYOPENSSL_FOUND: module.fail_json(msg=missing_required_lib( 'pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)), exception=PYOPENSSL_IMP_ERR) module.deprecate( 'The module is using the PyOpenSSL backend. This backend has been deprecated', version='2.13') elif backend == 'cryptography': if not CRYPTOGRAPHY_FOUND: module.fail_json(msg=missing_required_lib( 'cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)), exception=CRYPTOGRAPHY_IMP_ERR) result = dict(changed=False, ) if not PYOPENSSL_FOUND: module.fail_json(msg=missing_required_lib('pyOpenSSL >= 0.15'), exception=PYOPENSSL_IMP_ERR) if timeout: setdefaulttimeout(timeout) if ca_cert: if not isfile(ca_cert): module.fail_json(msg="ca_cert file does not exist") if proxy_host: if not HAS_CREATE_DEFAULT_CONTEXT: module.fail_json( msg= 'To use proxy_host, you must run the get_certificate module with Python 2.7 or newer.', exception=CREATE_DEFAULT_CONTEXT_IMP_ERR) try: connect = "CONNECT %s:%s HTTP/1.0\r\n\r\n" % (host, port) sock = socket() atexit.register(sock.close) sock.connect((proxy_host, proxy_port)) sock.send(connect.encode()) sock.recv(8192) ctx = create_default_context() ctx.check_hostname = False ctx.verify_mode = CERT_NONE if ca_cert: ctx.verify_mode = CERT_OPTIONAL ctx.load_verify_locations(cafile=ca_cert) cert = ctx.wrap_socket(sock, server_hostname=host).getpeercert(True) cert = DER_cert_to_PEM_cert(cert) except Exception as e: module.fail_json( msg="Failed to get cert from port with error: {0}".format(e)) else: try: cert = get_server_certificate((host, port), ca_certs=ca_cert) except Exception as e: module.fail_json( msg="Failed to get cert from port with error: {0}".format(e)) result['cert'] = cert if backend == 'pyopenssl': x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert) result['subject'] = {} for component in x509.get_subject().get_components(): result['subject'][component[0]] = component[1] result['expired'] = x509.has_expired() result['extensions'] = [] extension_count = x509.get_extension_count() for index in range(0, extension_count): extension = x509.get_extension(index) result['extensions'].append({ 'critical': extension.get_critical(), 'asn1_data': extension.get_data(), 'name': extension.get_short_name(), }) result['issuer'] = {} for component in x509.get_issuer().get_components(): result['issuer'][component[0]] = component[1] result['not_after'] = x509.get_notAfter() result['not_before'] = x509.get_notBefore() result['serial_number'] = x509.get_serial_number() result['signature_algorithm'] = x509.get_signature_algorithm() result['version'] = x509.get_version() elif backend == 'cryptography': x509 = cryptography.x509.load_pem_x509_certificate( to_bytes(cert), cryptography_backend()) result['subject'] = {} for attribute in x509.subject: result['subject'][crypto_utils.cryptography_oid_to_name( attribute.oid, short=True)] = attribute.value result['expired'] = x509.not_valid_after < datetime.datetime.utcnow() result['extensions'] = [] for dotted_number, entry in crypto_utils.cryptography_get_extensions_from_cert( x509).items(): oid = cryptography.x509.oid.ObjectIdentifier(dotted_number) result['extensions'].append({ 'critical': entry['critical'], 'asn1_data': base64.b64decode(entry['value']), 'name': crypto_utils.cryptography_oid_to_name(oid, short=True), }) result['issuer'] = {} for attribute in x509.issuer: result['issuer'][crypto_utils.cryptography_oid_to_name( attribute.oid, short=True)] = attribute.value result['not_after'] = x509.not_valid_after.strftime('%Y%m%d%H%M%SZ') result['not_before'] = x509.not_valid_before.strftime('%Y%m%d%H%M%SZ') result['serial_number'] = x509.serial_number result['signature_algorithm'] = crypto_utils.cryptography_oid_to_name( x509.signature_algorithm_oid) # We need the -1 offset to get the same values as pyOpenSSL if x509.version == cryptography.x509.Version.v1: result['version'] = 1 - 1 elif x509.version == cryptography.x509.Version.v3: result['version'] = 3 - 1 else: result['version'] = "unknown" module.exit_json(**result)