def create_pkcs12(cert, chain, p12_tmp, key, alias, passphrase):
"""
Creates a pkcs12 formated file.
:param cert:
:param chain:
:param p12_tmp:
:param key:
:param alias:
:param passphrase:
"""
if isinstance(cert, bytes):
cert = cert.decode('utf-8')
if isinstance(chain, bytes):
chain = chain.decode('utf-8')
if isinstance(key, bytes):
key = key.decode('utf-8')
with mktempfile() as key_tmp:
with open(key_tmp, 'w') as f:
f.write(key)
# Create PKCS12 keystore from private key and public certificate
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
run_process([
"openssl", "pkcs12", "-export", "-name", alias, "-in",
cert_tmp, "-inkey", key_tmp, "-out", p12_tmp, "-password",
"pass:{}".format(passphrase)
])
def create_csr(cert, chain, csr_tmp, key):
"""
Creates a csr from key and cert file.
:param cert:
:param chain:
:param csr_tmp:
:param key:
"""
assert isinstance(cert, str)
assert isinstance(chain, str)
assert isinstance(key, str)
with mktempfile() as key_tmp:
with open(key_tmp, "w") as f:
f.write(key)
with mktempfile() as cert_tmp:
with open(cert_tmp, "w") as f:
if chain:
f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
else:
f.writelines([cert.strip() + "\n"])
output = subprocess.check_output(
["openssl", "x509", "-x509toreq", "-in", cert_tmp, "-signkey", key_tmp]
)
subprocess.run(["openssl", "req", "-out", csr_tmp], input=output)
def create_truststore(cert, chain, jks_tmp, alias, passphrase):
if isinstance(cert, bytes):
cert = cert.decode('utf-8')
if isinstance(chain, bytes):
chain = chain.decode('utf-8')
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
f.write(cert)
run_process([
"keytool", "-importcert", "-file", cert_tmp, "-keystore", jks_tmp,
"-alias", "{0}_cert".format(alias), "-storepass", passphrase,
"-noprompt"
])
# Import the entire chain
for idx, cert in enumerate(split_chain(chain)):
with mktempfile() as c_tmp:
with open(c_tmp, 'w') as f:
f.write(cert)
# Import signed cert in to JKS keystore
run_process([
"keytool", "-importcert", "-file", c_tmp, "-keystore",
jks_tmp, "-alias", "{0}_cert_{1}".format(alias, idx),
"-storepass", passphrase, "-noprompt"
])
def create_keystore(cert, chain, jks_tmp, key, alias, passphrase):
if isinstance(cert, bytes):
cert = cert.decode('utf-8')
if isinstance(chain, bytes):
chain = chain.decode('utf-8')
if isinstance(key, bytes):
key = key.decode('utf-8')
# Create PKCS12 keystore from private key and public certificate
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
f.writelines([
key.strip() + "\n",
cert.strip() + "\n",
chain.strip() + "\n"
])
with mktempfile() as p12_tmp:
run_process([
"openssl", "pkcs12", "-export", "-nodes", "-name", alias,
"-in", cert_tmp, "-out", p12_tmp, "-password",
"pass:{}".format(passphrase)
])
# Convert PKCS12 keystore into a JKS keystore
run_process([
"keytool", "-importkeystore", "-destkeystore", jks_tmp,
"-srckeystore", p12_tmp, "-srcstoretype", "pkcs12",
"-deststoretype", "JKS", "-alias", alias, "-srcstorepass",
passphrase, "-deststorepass", passphrase
])
def create_pkcs12(cert, chain, p12_tmp, key, alias, passphrase):
"""
Creates a pkcs12 formated file.
:param cert:
:param chain:
:param p12_tmp:
:param key:
:param alias:
:param passphrase:
"""
with mktempfile() as key_tmp:
with open(key_tmp, 'w') as f:
f.write(key)
# Create PKCS12 keystore from private key and public certificate
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
f.writelines([cert + "\n", chain + "\n"])
run_process([
"openssl",
"pkcs12",
"-export",
"-name", alias,
"-in", cert_tmp,
"-inkey", key_tmp,
"-out", p12_tmp,
"-password", "pass:{}".format(passphrase)
])
def create_csr(cert, chain, csr_tmp, key):
"""
Creates a csr from key and cert file.
:param cert:
:param chain:
:param csr_tmp:
:param key:
"""
assert isinstance(cert, str)
assert isinstance(chain, str)
assert isinstance(key, str)
with mktempfile() as key_tmp:
with open(key_tmp, 'w') as f:
f.write(key)
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
if chain:
f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
else:
f.writelines([cert.strip() + "\n"])
output = subprocess.check_output([
"openssl",
"x509",
"-x509toreq",
"-in", cert_tmp,
"-signkey", key_tmp,
])
subprocess.run([
"openssl",
"req",
"-out", csr_tmp
], input=output)
def create_keystore(cert, jks_tmp, key, alias, passphrase):
with mktempfile() as key_tmp:
with open(key_tmp, 'w') as f:
f.write(key)
# Create PKCS12 keystore from private key and public certificate
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
f.write(cert)
with mktempfile() as p12_tmp:
run_process([
"openssl",
"pkcs12",
"-export",
"-name", alias,
"-in", cert_tmp,
"-inkey", key_tmp,
"-out", p12_tmp,
"-password", "pass:{}".format(passphrase)
])
# Convert PKCS12 keystore into a JKS keystore
run_process([
"keytool",
"-importkeystore",
"-destkeystore", jks_tmp,
"-srckeystore", p12_tmp,
"-srcstoretype", "PKCS12",
"-alias", alias,
"-srcstorepass", passphrase,
"-deststorepass", passphrase
])
def create_keystore(cert, chain, jks_tmp, key, alias, passphrase):
if isinstance(cert, bytes):
cert = cert.decode("utf-8")
if isinstance(chain, bytes):
chain = chain.decode("utf-8")
if isinstance(key, bytes):
key = key.decode("utf-8")
# Create PKCS12 keystore from private key and public certificate
with mktempfile() as cert_tmp:
with open(cert_tmp, "w") as f:
f.writelines([key.strip() + "\n", cert.strip() + "\n", chain.strip() + "\n"])
with mktempfile() as p12_tmp:
run_process(
[
"openssl",
"pkcs12",
"-export",
"-nodes",
"-name",
alias,
"-in",
cert_tmp,
"-out",
p12_tmp,
"-password",
"pass:{}".format(passphrase),
]
)
# Convert PKCS12 keystore into a JKS keystore
run_process(
[
"keytool",
"-importkeystore",
"-destkeystore",
jks_tmp,
"-srckeystore",
p12_tmp,
"-srcstoretype",
"pkcs12",
"-deststoretype",
"JKS",
"-alias",
alias,
"-srcstorepass",
passphrase,
"-deststorepass",
passphrase,
]
)
def create_truststore(cert, chain, jks_tmp, alias, passphrase):
if isinstance(cert, bytes):
cert = cert.decode("utf-8")
if isinstance(chain, bytes):
chain = chain.decode("utf-8")
with mktempfile() as cert_tmp:
with open(cert_tmp, "w") as f:
f.write(cert)
run_process(
[
"keytool",
"-importcert",
"-file",
cert_tmp,
"-keystore",
jks_tmp,
"-alias",
"{0}_cert".format(alias),
"-storepass",
passphrase,
"-noprompt",
]
)
# Import the entire chain
for idx, cert in enumerate(split_chain(chain)):
with mktempfile() as c_tmp:
with open(c_tmp, "w") as f:
f.write(cert)
# Import signed cert in to JKS keystore
run_process(
[
"keytool",
"-importcert",
"-file",
c_tmp,
"-keystore",
jks_tmp,
"-alias",
"{0}_cert_{1}".format(alias, idx),
"-storepass",
passphrase,
"-noprompt",
]
)
def verify_string(cert_string, issuer_string):
"""
Verify a certificate given only it's string value
:param cert_string:
:param issuer_string:
:return: True if valid, False otherwise
"""
with mktempfile() as cert_tmp:
with open(cert_tmp, "w") as f:
f.write(cert_string)
with mktempfile() as issuer_tmp:
with open(issuer_tmp, "w") as f:
f.write(issuer_string)
status = verify(cert_tmp, issuer_tmp)
return status
def verify_string(cert_string, issuer_string):
"""
Verify a certificate given only it's string value
:param cert_string:
:param issuer_string:
:return: True if valid, False otherwise
"""
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
f.write(cert_string)
with mktempfile() as issuer_tmp:
with open(issuer_tmp, 'w') as f:
f.write(issuer_string)
status = verify(cert_tmp, issuer_tmp)
return status
def create_pkcs12(cert, chain, p12_tmp, key, alias, passphrase):
"""
Creates a pkcs12 formated file.
:param cert:
:param chain:
:param p12_tmp:
:param key:
:param alias:
:param passphrase:
"""
if isinstance(cert, bytes):
cert = cert.decode('utf-8')
if isinstance(chain, bytes):
chain = chain.decode('utf-8')
if isinstance(key, bytes):
key = key.decode('utf-8')
with mktempfile() as key_tmp:
with open(key_tmp, 'w') as f:
f.write(key)
# Create PKCS12 keystore from private key and public certificate
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
if chain:
f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
else:
f.writelines([cert.strip() + "\n"])
run_process([
"openssl",
"pkcs12",
"-export",
"-name", alias,
"-in", cert_tmp,
"-inkey", key_tmp,
"-out", p12_tmp,
"-password", "pass:{}".format(passphrase)
])
def create_csr(cert, chain, csr_tmp, key):
"""
Creates a csr from key and cert file.
:param cert:
:param chain:
:param csr_tmp:
:param key:
"""
if isinstance(cert, bytes):
cert = cert.decode('utf-8')
if isinstance(chain, bytes):
chain = chain.decode('utf-8')
if isinstance(key, bytes):
key = key.decode('utf-8')
with mktempfile() as key_tmp:
with open(key_tmp, 'w') as f:
f.write(key)
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
if chain:
f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
else:
f.writelines([cert.strip() + "\n"])
output = subprocess.check_output([
"openssl",
"x509",
"-x509toreq",
"-in", cert_tmp,
"-signkey", key_tmp,
])
subprocess.run([
"openssl",
"req",
"-out", csr_tmp
], input=output)
def test_verify_crl_unreachable(cert_builder, private_key):
"""Unreachable CRL distribution point results in error."""
ldap_uri = 'http://invalid.example.org/crl/foobar.crl'
crl_dp = x509.DistributionPoint([UniformResourceIdentifier(ldap_uri)],
relative_name=None, reasons=None, crl_issuer=None)
cert = (cert_builder
.add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
.sign(private_key, hashes.SHA256(), default_backend()))
with mktempfile() as cert_tmp:
with open(cert_tmp, 'wb') as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
with pytest.raises(Exception, match="Unable to retrieve CRL:"):
crl_verify(cert_tmp)
def test_verify_crl_unknown_scheme(cert_builder, private_key):
"""Unknown distribution point URI schemes should be ignored."""
ldap_uri = 'ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary'
crl_dp = x509.DistributionPoint([UniformResourceIdentifier(ldap_uri)],
relative_name=None, reasons=None, crl_issuer=None)
cert = (cert_builder
.add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
.sign(private_key, hashes.SHA256(), default_backend()))
with mktempfile() as cert_tmp:
with open(cert_tmp, 'wb') as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
# Must not raise exception
crl_verify(cert_tmp)
def test_verify_crl_unknown_scheme(cert_builder, private_key):
"""Unknown distribution point URI schemes should be ignored."""
ldap_uri = 'ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary'
crl_dp = x509.DistributionPoint([UniformResourceIdentifier(ldap_uri)],
relative_name=None, reasons=None, crl_issuer=None)
cert = (cert_builder
.add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
.sign(private_key, hashes.SHA256(), default_backend()))
with mktempfile() as cert_tmp:
with open(cert_tmp, 'wb') as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
# Must not raise exception
crl_verify(cert, cert_tmp)
def test_verify_crl_unreachable(cert_builder, private_key):
"""Unreachable CRL distribution point results in error."""
ldap_uri = 'http://invalid.example.org/crl/foobar.crl'
crl_dp = x509.DistributionPoint([UniformResourceIdentifier(ldap_uri)],
relative_name=None, reasons=None, crl_issuer=None)
cert = (cert_builder
.add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
.sign(private_key, hashes.SHA256(), default_backend()))
with mktempfile() as cert_tmp:
with open(cert_tmp, 'wb') as f:
f.write(cert.public_bytes(serialization.Encoding.PEM))
with pytest.raises(Exception, match="Unable to retrieve CRL:"):
crl_verify(cert, cert_tmp)
def export(self, body, chain, key, options, **kwargs):
"""
Generates a Java Keystore or Truststore
:param key:
:param chain:
:param body:
:param options:
:param kwargs:
"""
if self.get_option('passphrase', options):
passphrase = self.get_option('passphrase', options)
else:
passphrase = get_psuedo_random_string()
if self.get_option('alias', options):
alias = self.get_option('alias', options)
else:
alias = "blah"
if not key:
raise Exception("Unable to export, no private key found.")
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
f.write(body)
with mktempfile() as key_tmp:
with open(key_tmp, 'w') as f:
f.write(key)
# Create PKCS12 keystore from private key and public certificate
with mktempfile() as p12_tmp:
run_process([
"openssl",
"pkcs12",
"-export",
"-name", alias,
"-in", cert_tmp,
"-inkey", key_tmp,
"-out", p12_tmp,
"-password", "pass:{}".format(passphrase)
])
# Convert PKCS12 keystore into a JKS keystore
with mktemppath() as jks_tmp:
run_process([
"keytool",
"-importkeystore",
"-destkeystore", jks_tmp,
"-srckeystore", p12_tmp,
"-srcstoretype", "PKCS12",
"-alias", alias,
"-srcstorepass", passphrase,
"-deststorepass", passphrase
])
# Import leaf cert in to JKS keystore
run_process([
"keytool",
"-importcert",
"-file", cert_tmp,
"-keystore", jks_tmp,
"-alias", "{0}_cert".format(alias),
"-storepass", passphrase,
"-noprompt"
])
# Import the entire chain
for idx, cert in enumerate(split_chain(chain)):
with mktempfile() as c_tmp:
with open(c_tmp, 'w') as f:
f.write(cert)
# Import signed cert in to JKS keystore
run_process([
"keytool",
"-importcert",
"-file", c_tmp,
"-keystore", jks_tmp,
"-alias", "{0}_cert_{1}".format(alias, idx),
"-storepass", passphrase,
"-noprompt"
])
with open(jks_tmp, 'rb') as f:
raw = f.read()
return "jks", passphrase, raw