def testCertificateVerification(self):
private_key = rdf_crypto.RSAPrivateKey.GenerateKey()
csr = rdf_crypto.CertificateSigningRequest(
common_name="C.0000000000000001", private_key=private_key)
client_cert = rdf_crypto.RDFX509Cert.ClientCertFromCSR(csr)
ca_signing_key = config.CONFIG["PrivateKeys.ca_key"]
csr.Verify(private_key.GetPublicKey())
client_cert.Verify(ca_signing_key.GetPublicKey())
wrong_key = rdf_crypto.RSAPrivateKey.GenerateKey()
with self.assertRaises(rdf_crypto.VerificationError):
csr.Verify(wrong_key.GetPublicKey())
with self.assertRaises(rdf_crypto.VerificationError):
client_cert.Verify(wrong_key.GetPublicKey())
def Start(self):
"""Sign the CSR from the client."""
if self.args.csr.type != rdf_crypto.Certificate.Type.CSR:
raise ValueError("Must be called with CSR")
csr = rdf_crypto.CertificateSigningRequest(self.args.csr.pem)
# Verify the CSR. This is not strictly necessary but doesn't harm either.
try:
csr.Verify(csr.GetPublicKey())
except rdf_crypto.VerificationError:
raise flow_base.FlowError("CSR for client %s did not verify: %s" %
(self.client_id, csr.AsPEM()))
# Verify that the CN is of the correct form. The common name should refer
# to a client URN.
self.cn = rdf_client.ClientURN.FromPublicKey(csr.GetPublicKey())
if self.cn != csr.GetCN():
raise ValueError("CSR CN %s does not match public key %s." %
(csr.GetCN(), self.cn))
logging.info("Will sign CSR for: %s", self.cn)
cert = rdf_crypto.RDFX509Cert.ClientCertFromCSR(csr)
# This check is important to ensure that the client id reported in the
# source of the enrollment request is the same as the one in the
# certificate. We use the ClientURN to ensure this is also of the correct
# form for a client name.
if self.cn != self.client_id:
raise flow_base.FlowError(
"Certificate name %s mismatch for client %s" %
(self.cn, self.client_id))
data_store.REL_DB.WriteClientMetadata(self.client_id,
certificate=cert,
fleetspeak_enabled=False)
index = client_index.ClientIndex()
index.AddClient(rdf_objects.ClientSnapshot(client_id=self.client_id))
# Publish the client enrollment message.
events.Events.PublishEvent("ClientEnrollment",
self.client_urn,
username=self.creator)
self.Log("Enrolled %s successfully", self.client_id)
def ClientCertFromPrivateKey(self, private_key):
common_name = rdf_client.ClientURN.FromPrivateKey(private_key)
csr = rdf_crypto.CertificateSigningRequest(
common_name=common_name, private_key=private_key)
return rdf_crypto.RDFX509Cert.ClientCertFromCSR(csr)
def GetCSR(self):
"""Return our CSR."""
return rdf_crypto.CertificateSigningRequest(
common_name=self.common_name, private_key=self.private_key)
