def slcs_handler(slcsResp): """ Take a response from a SLCS Login URL and return the cert,keys :rtype: (key, pubkey, certifcate) """ token, dn, reqURL, elements = parse_req_response(slcsResp) certreq, k = generate_certificate(dn=str(dn), extensions=elements) certreq.sign(k, 'sha1') # POST the Token and CertReq back to the slcs server data = urlencode({'AuthorizationToken': token, 'CertificateSigningRequest': certreq.as_pem()}) log.info('Request Signing by SLCS') log.debug('POST: %s' % reqURL) certResp = urllib2.urlopen(reqURL, data) cert = parse_cert_response(certResp) return generate_certificate(str(cert), key=k)
def generate_proxy(certificate, proxykey=None, full=True, lifetime=43200, extensions=[]): """ generate a new proxy certificate :param certificate: the parent certificate :param proxykey: the key used to sign the proxy :param full: whether this is a full proxy or not """ _certificate = certificate _full = full _proxy, _key = generate_certificate(key=proxykey) _proxy.set_version(2) # generate serial message_digest = EVP.MessageDigest('sha1') pubkey = _proxy.get_pubkey() der_encoding = pubkey.as_der() message_digest.update(der_encoding) digest = message_digest.final() digest_tuple = struct.unpack('BBBB', digest[:4]) sub_hash = long(digest_tuple[0] + (digest_tuple[1] + (digest_tuple[2] + (digest_tuple[3] >> 1) * 256) * 256) * 256) _proxy.set_serial_number(sub_hash) # set issuer issuer = _certificate.get_subject() # set subject subject = X509.X509_Name() for n in issuer: m2.x509_name_add_entry(subject.x509_name, n.x509_name_entry, -1, 0) subject.add_entry_by_txt(field='CN', type=MBSTRING_ASC, entry=str(_proxy.get_serial_number()), len=-1, loc=-1, set=0) _proxy.set_subject_name(subject) # set times not_before = ASN1.ASN1_UTCTIME() not_after = ASN1.ASN1_UTCTIME() not_before.set_time(int(time.time()) - 300) not_after.set_time(int(time.time()) + lifetime) _proxy.set_not_before(not_before) _proxy.set_not_after(not_after) _proxy.set_issuer_name(_certificate.get_subject()) # add extensions try: key_usage = _certificate.get_ext('keyUsage') except LookupError: pass else: r = [] for v in key_usage.get_value().split(', '): if v in ['Non Repudiation', 'keyCertSign']: continue r.append(v) if 'Digital Signature' not in r: r.append('Digital Signature') key_usage_value = ', '.join(r) extensions.append({'name': key_usage.get_name(), 'critical': key_usage.get_critical(), 'value': key_usage_value}) if _full: extensions.append({'name': "proxyCertInfo", 'value': PCI_VALUE_FULL, 'critical': 1}) else: extensions.append({'name': "proxyCertInfo", 'value': PCI_VALUE_LIMITED, 'critical': 1}) if extensions: sslower = lambda s: s.lower().replace(' ', '') for e in extensions: name = e['name'] key = sslower(name) critical = e['critical'] if key in multi_attrs: e['value'] = ', '.join([multi_attrs[key][sslower(v)] for v in e['value'].split(',')]) _proxy.add_ext(X509.new_extension(Att_map[key], e['value'], critical=int(critical))) return _proxy, _key