def testCertificateVerification(self): private_key = rdf_crypto.RSAPrivateKey.GenerateKey() csr = rdf_crypto.CertificateSigningRequest( common_name="C.0000000000000001", private_key=private_key) client_cert = rdf_crypto.RDFX509Cert.ClientCertFromCSR(csr) ca_signing_key = config.CONFIG["PrivateKeys.ca_key"] csr.Verify(private_key.GetPublicKey()) client_cert.Verify(ca_signing_key.GetPublicKey()) wrong_key = rdf_crypto.RSAPrivateKey.GenerateKey() with self.assertRaises(rdf_crypto.VerificationError): csr.Verify(wrong_key.GetPublicKey()) with self.assertRaises(rdf_crypto.VerificationError): client_cert.Verify(wrong_key.GetPublicKey())
def Start(self): """Sign the CSR from the client.""" if self.args.csr.type != rdf_crypto.Certificate.Type.CSR: raise ValueError("Must be called with CSR") csr = rdf_crypto.CertificateSigningRequest(self.args.csr.pem) # Verify the CSR. This is not strictly necessary but doesn't harm either. try: csr.Verify(csr.GetPublicKey()) except rdf_crypto.VerificationError: raise flow_base.FlowError("CSR for client %s did not verify: %s" % (self.client_id, csr.AsPEM())) # Verify that the CN is of the correct form. The common name should refer # to a client URN. self.cn = rdf_client.ClientURN.FromPublicKey(csr.GetPublicKey()) if self.cn != csr.GetCN(): raise ValueError("CSR CN %s does not match public key %s." % (csr.GetCN(), self.cn)) logging.info("Will sign CSR for: %s", self.cn) cert = rdf_crypto.RDFX509Cert.ClientCertFromCSR(csr) # This check is important to ensure that the client id reported in the # source of the enrollment request is the same as the one in the # certificate. We use the ClientURN to ensure this is also of the correct # form for a client name. if self.cn != self.client_id: raise flow_base.FlowError( "Certificate name %s mismatch for client %s" % (self.cn, self.client_id)) data_store.REL_DB.WriteClientMetadata(self.client_id, certificate=cert, fleetspeak_enabled=False) index = client_index.ClientIndex() index.AddClient(rdf_objects.ClientSnapshot(client_id=self.client_id)) # Publish the client enrollment message. events.Events.PublishEvent("ClientEnrollment", self.client_urn, username=self.creator) self.Log("Enrolled %s successfully", self.client_id)
def ClientCertFromPrivateKey(self, private_key): common_name = rdf_client.ClientURN.FromPrivateKey(private_key) csr = rdf_crypto.CertificateSigningRequest( common_name=common_name, private_key=private_key) return rdf_crypto.RDFX509Cert.ClientCertFromCSR(csr)
def GetCSR(self): """Return our CSR.""" return rdf_crypto.CertificateSigningRequest( common_name=self.common_name, private_key=self.private_key)