Exemple #1
0
def create_pkcs12(cert, chain, p12_tmp, key, alias, passphrase):
    """
    Creates a pkcs12 formated file.
    :param cert:
    :param chain:
    :param p12_tmp:
    :param key:
    :param alias:
    :param passphrase:
    """
    if isinstance(cert, bytes):
        cert = cert.decode('utf-8')

    if isinstance(chain, bytes):
        chain = chain.decode('utf-8')

    if isinstance(key, bytes):
        key = key.decode('utf-8')

    with mktempfile() as key_tmp:
        with open(key_tmp, 'w') as f:
            f.write(key)

        # Create PKCS12 keystore from private key and public certificate
        with mktempfile() as cert_tmp:
            with open(cert_tmp, 'w') as f:
                f.writelines([cert.strip() + "\n", chain.strip() + "\n"])

            run_process([
                "openssl", "pkcs12", "-export", "-name", alias, "-in",
                cert_tmp, "-inkey", key_tmp, "-out", p12_tmp, "-password",
                "pass:{}".format(passphrase)
            ])
Exemple #2
0
def create_csr(cert, chain, csr_tmp, key):
    """
    Creates a csr from key and cert file.
    :param cert:
    :param chain:
    :param csr_tmp:
    :param key:
    """
    assert isinstance(cert, str)
    assert isinstance(chain, str)
    assert isinstance(key, str)

    with mktempfile() as key_tmp:
        with open(key_tmp, "w") as f:
            f.write(key)

        with mktempfile() as cert_tmp:
            with open(cert_tmp, "w") as f:
                if chain:
                    f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
                else:
                    f.writelines([cert.strip() + "\n"])

            output = subprocess.check_output(
                ["openssl", "x509", "-x509toreq", "-in", cert_tmp, "-signkey", key_tmp]
            )
            subprocess.run(["openssl", "req", "-out", csr_tmp], input=output)
Exemple #3
0
def create_truststore(cert, chain, jks_tmp, alias, passphrase):
    if isinstance(cert, bytes):
        cert = cert.decode('utf-8')

    if isinstance(chain, bytes):
        chain = chain.decode('utf-8')

    with mktempfile() as cert_tmp:
        with open(cert_tmp, 'w') as f:
            f.write(cert)

        run_process([
            "keytool", "-importcert", "-file", cert_tmp, "-keystore", jks_tmp,
            "-alias", "{0}_cert".format(alias), "-storepass", passphrase,
            "-noprompt"
        ])

        # Import the entire chain
        for idx, cert in enumerate(split_chain(chain)):
            with mktempfile() as c_tmp:
                with open(c_tmp, 'w') as f:
                    f.write(cert)

                # Import signed cert in to JKS keystore
                run_process([
                    "keytool", "-importcert", "-file", c_tmp, "-keystore",
                    jks_tmp, "-alias", "{0}_cert_{1}".format(alias, idx),
                    "-storepass", passphrase, "-noprompt"
                ])
Exemple #4
0
def create_keystore(cert, chain, jks_tmp, key, alias, passphrase):
    if isinstance(cert, bytes):
        cert = cert.decode('utf-8')

    if isinstance(chain, bytes):
        chain = chain.decode('utf-8')

    if isinstance(key, bytes):
        key = key.decode('utf-8')
    # Create PKCS12 keystore from private key and public certificate
    with mktempfile() as cert_tmp:
        with open(cert_tmp, 'w') as f:
            f.writelines([
                key.strip() + "\n",
                cert.strip() + "\n",
                chain.strip() + "\n"
            ])

        with mktempfile() as p12_tmp:
            run_process([
                "openssl", "pkcs12", "-export", "-nodes", "-name", alias,
                "-in", cert_tmp, "-out", p12_tmp, "-password",
                "pass:{}".format(passphrase)
            ])

            # Convert PKCS12 keystore into a JKS keystore
            run_process([
                "keytool", "-importkeystore", "-destkeystore", jks_tmp,
                "-srckeystore", p12_tmp, "-srcstoretype", "pkcs12",
                "-deststoretype", "JKS", "-alias", alias, "-srcstorepass",
                passphrase, "-deststorepass", passphrase
            ])
Exemple #5
0
def create_pkcs12(cert, chain, p12_tmp, key, alias, passphrase):
    """
    Creates a pkcs12 formated file.
    :param cert:
    :param chain:
    :param p12_tmp:
    :param key:
    :param alias:
    :param passphrase:
    """
    with mktempfile() as key_tmp:
        with open(key_tmp, 'w') as f:
            f.write(key)

        # Create PKCS12 keystore from private key and public certificate
        with mktempfile() as cert_tmp:
            with open(cert_tmp, 'w') as f:
                f.writelines([cert + "\n", chain + "\n"])

            run_process([
                "openssl",
                "pkcs12",
                "-export",
                "-name", alias,
                "-in", cert_tmp,
                "-inkey", key_tmp,
                "-out", p12_tmp,
                "-password", "pass:{}".format(passphrase)
            ])
Exemple #6
0
def create_csr(cert, chain, csr_tmp, key):
    """
    Creates a csr from key and cert file.
    :param cert:
    :param chain:
    :param csr_tmp:
    :param key:
    """
    assert isinstance(cert, str)
    assert isinstance(chain, str)
    assert isinstance(key, str)

    with mktempfile() as key_tmp:
        with open(key_tmp, 'w') as f:
            f.write(key)

        with mktempfile() as cert_tmp:
            with open(cert_tmp, 'w') as f:
                if chain:
                    f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
                else:
                    f.writelines([cert.strip() + "\n"])

            output = subprocess.check_output([
                "openssl",
                "x509",
                "-x509toreq",
                "-in", cert_tmp,
                "-signkey", key_tmp,
            ])
            subprocess.run([
                "openssl",
                "req",
                "-out", csr_tmp
            ], input=output)
Exemple #7
0
def create_keystore(cert, jks_tmp, key, alias, passphrase):
    with mktempfile() as key_tmp:
        with open(key_tmp, 'w') as f:
            f.write(key)

        # Create PKCS12 keystore from private key and public certificate
        with mktempfile() as cert_tmp:
            with open(cert_tmp, 'w') as f:
                f.write(cert)

            with mktempfile() as p12_tmp:
                run_process([
                    "openssl",
                    "pkcs12",
                    "-export",
                    "-name", alias,
                    "-in", cert_tmp,
                    "-inkey", key_tmp,
                    "-out", p12_tmp,
                    "-password", "pass:{}".format(passphrase)
                ])

                # Convert PKCS12 keystore into a JKS keystore
                run_process([
                    "keytool",
                    "-importkeystore",
                    "-destkeystore", jks_tmp,
                    "-srckeystore", p12_tmp,
                    "-srcstoretype", "PKCS12",
                    "-alias", alias,
                    "-srcstorepass", passphrase,
                    "-deststorepass", passphrase
                ])
Exemple #8
0
def create_keystore(cert, chain, jks_tmp, key, alias, passphrase):
    if isinstance(cert, bytes):
        cert = cert.decode("utf-8")

    if isinstance(chain, bytes):
        chain = chain.decode("utf-8")

    if isinstance(key, bytes):
        key = key.decode("utf-8")
    # Create PKCS12 keystore from private key and public certificate
    with mktempfile() as cert_tmp:
        with open(cert_tmp, "w") as f:
            f.writelines([key.strip() + "\n", cert.strip() + "\n", chain.strip() + "\n"])

        with mktempfile() as p12_tmp:
            run_process(
                [
                    "openssl",
                    "pkcs12",
                    "-export",
                    "-nodes",
                    "-name",
                    alias,
                    "-in",
                    cert_tmp,
                    "-out",
                    p12_tmp,
                    "-password",
                    "pass:{}".format(passphrase),
                ]
            )

            # Convert PKCS12 keystore into a JKS keystore
            run_process(
                [
                    "keytool",
                    "-importkeystore",
                    "-destkeystore",
                    jks_tmp,
                    "-srckeystore",
                    p12_tmp,
                    "-srcstoretype",
                    "pkcs12",
                    "-deststoretype",
                    "JKS",
                    "-alias",
                    alias,
                    "-srcstorepass",
                    passphrase,
                    "-deststorepass",
                    passphrase,
                ]
            )
Exemple #9
0
def create_truststore(cert, chain, jks_tmp, alias, passphrase):
    if isinstance(cert, bytes):
        cert = cert.decode("utf-8")

    if isinstance(chain, bytes):
        chain = chain.decode("utf-8")

    with mktempfile() as cert_tmp:
        with open(cert_tmp, "w") as f:
            f.write(cert)

        run_process(
            [
                "keytool",
                "-importcert",
                "-file",
                cert_tmp,
                "-keystore",
                jks_tmp,
                "-alias",
                "{0}_cert".format(alias),
                "-storepass",
                passphrase,
                "-noprompt",
            ]
        )

        # Import the entire chain
        for idx, cert in enumerate(split_chain(chain)):
            with mktempfile() as c_tmp:
                with open(c_tmp, "w") as f:
                    f.write(cert)

                # Import signed cert in to JKS keystore
                run_process(
                    [
                        "keytool",
                        "-importcert",
                        "-file",
                        c_tmp,
                        "-keystore",
                        jks_tmp,
                        "-alias",
                        "{0}_cert_{1}".format(alias, idx),
                        "-storepass",
                        passphrase,
                        "-noprompt",
                    ]
                )
Exemple #10
0
def verify_string(cert_string, issuer_string):
    """
    Verify a certificate given only it's string value

    :param cert_string:
    :param issuer_string:
    :return: True if valid, False otherwise
    """
    with mktempfile() as cert_tmp:
        with open(cert_tmp, "w") as f:
            f.write(cert_string)
        with mktempfile() as issuer_tmp:
            with open(issuer_tmp, "w") as f:
                f.write(issuer_string)
            status = verify(cert_tmp, issuer_tmp)
    return status
Exemple #11
0
def verify_string(cert_string, issuer_string):
    """
    Verify a certificate given only it's string value

    :param cert_string:
    :param issuer_string:
    :return: True if valid, False otherwise
    """
    with mktempfile() as cert_tmp:
        with open(cert_tmp, 'w') as f:
            f.write(cert_string)
        with mktempfile() as issuer_tmp:
            with open(issuer_tmp, 'w') as f:
                f.write(issuer_string)
            status = verify(cert_tmp, issuer_tmp)
    return status
Exemple #12
0
def create_pkcs12(cert, chain, p12_tmp, key, alias, passphrase):
    """
    Creates a pkcs12 formated file.
    :param cert:
    :param chain:
    :param p12_tmp:
    :param key:
    :param alias:
    :param passphrase:
    """
    if isinstance(cert, bytes):
        cert = cert.decode('utf-8')

    if isinstance(chain, bytes):
        chain = chain.decode('utf-8')

    if isinstance(key, bytes):
        key = key.decode('utf-8')

    with mktempfile() as key_tmp:
        with open(key_tmp, 'w') as f:
            f.write(key)

        # Create PKCS12 keystore from private key and public certificate
        with mktempfile() as cert_tmp:
            with open(cert_tmp, 'w') as f:
                if chain:
                    f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
                else:
                    f.writelines([cert.strip() + "\n"])

            run_process([
                "openssl",
                "pkcs12",
                "-export",
                "-name", alias,
                "-in", cert_tmp,
                "-inkey", key_tmp,
                "-out", p12_tmp,
                "-password", "pass:{}".format(passphrase)
            ])
Exemple #13
0
def create_csr(cert, chain, csr_tmp, key):
    """
    Creates a csr from key and cert file.
    :param cert:
    :param chain:
    :param csr_tmp:
    :param key:
    """
    if isinstance(cert, bytes):
        cert = cert.decode('utf-8')

    if isinstance(chain, bytes):
        chain = chain.decode('utf-8')

    if isinstance(key, bytes):
        key = key.decode('utf-8')

    with mktempfile() as key_tmp:
        with open(key_tmp, 'w') as f:
            f.write(key)

        with mktempfile() as cert_tmp:
            with open(cert_tmp, 'w') as f:
                if chain:
                    f.writelines([cert.strip() + "\n", chain.strip() + "\n"])
                else:
                    f.writelines([cert.strip() + "\n"])

            output = subprocess.check_output([
                "openssl",
                "x509",
                "-x509toreq",
                "-in", cert_tmp,
                "-signkey", key_tmp,
            ])
            subprocess.run([
                "openssl",
                "req",
                "-out", csr_tmp
            ], input=output)
Exemple #14
0
def test_verify_crl_unreachable(cert_builder, private_key):
    """Unreachable CRL distribution point results in error."""
    ldap_uri = 'http://invalid.example.org/crl/foobar.crl'
    crl_dp = x509.DistributionPoint([UniformResourceIdentifier(ldap_uri)],
                                    relative_name=None, reasons=None, crl_issuer=None)
    cert = (cert_builder
            .add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
            .sign(private_key, hashes.SHA256(), default_backend()))

    with mktempfile() as cert_tmp:
        with open(cert_tmp, 'wb') as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))

        with pytest.raises(Exception, match="Unable to retrieve CRL:"):
            crl_verify(cert_tmp)
Exemple #15
0
def test_verify_crl_unknown_scheme(cert_builder, private_key):
    """Unknown distribution point URI schemes should be ignored."""
    ldap_uri = 'ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary'
    crl_dp = x509.DistributionPoint([UniformResourceIdentifier(ldap_uri)],
                                    relative_name=None, reasons=None, crl_issuer=None)
    cert = (cert_builder
            .add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
            .sign(private_key, hashes.SHA256(), default_backend()))

    with mktempfile() as cert_tmp:
        with open(cert_tmp, 'wb') as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))

        # Must not raise exception
        crl_verify(cert_tmp)
Exemple #16
0
def test_verify_crl_unknown_scheme(cert_builder, private_key):
    """Unknown distribution point URI schemes should be ignored."""
    ldap_uri = 'ldap://ldap.example.org/cn=Example%20Certificate%20Authority?certificateRevocationList;binary'
    crl_dp = x509.DistributionPoint([UniformResourceIdentifier(ldap_uri)],
                                    relative_name=None, reasons=None, crl_issuer=None)
    cert = (cert_builder
            .add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
            .sign(private_key, hashes.SHA256(), default_backend()))

    with mktempfile() as cert_tmp:
        with open(cert_tmp, 'wb') as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))

        # Must not raise exception
        crl_verify(cert, cert_tmp)
Exemple #17
0
def test_verify_crl_unreachable(cert_builder, private_key):
    """Unreachable CRL distribution point results in error."""
    ldap_uri = 'http://invalid.example.org/crl/foobar.crl'
    crl_dp = x509.DistributionPoint([UniformResourceIdentifier(ldap_uri)],
                                    relative_name=None, reasons=None, crl_issuer=None)
    cert = (cert_builder
            .add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
            .sign(private_key, hashes.SHA256(), default_backend()))

    with mktempfile() as cert_tmp:
        with open(cert_tmp, 'wb') as f:
            f.write(cert.public_bytes(serialization.Encoding.PEM))

        with pytest.raises(Exception, match="Unable to retrieve CRL:"):
            crl_verify(cert, cert_tmp)
Exemple #18
0
    def export(self, body, chain, key, options, **kwargs):
        """
        Generates a Java Keystore or Truststore

        :param key:
        :param chain:
        :param body:
        :param options:
        :param kwargs:
        """

        if self.get_option('passphrase', options):
            passphrase = self.get_option('passphrase', options)
        else:
            passphrase = get_psuedo_random_string()

        if self.get_option('alias', options):
            alias = self.get_option('alias', options)
        else:
            alias = "blah"

        if not key:
            raise Exception("Unable to export, no private key found.")

        with mktempfile() as cert_tmp:
            with open(cert_tmp, 'w') as f:
                f.write(body)

            with mktempfile() as key_tmp:
                with open(key_tmp, 'w') as f:
                    f.write(key)

                # Create PKCS12 keystore from private key and public certificate
                with mktempfile() as p12_tmp:
                    run_process([
                        "openssl",
                        "pkcs12",
                        "-export",
                        "-name", alias,
                        "-in", cert_tmp,
                        "-inkey", key_tmp,
                        "-out", p12_tmp,
                        "-password", "pass:{}".format(passphrase)
                    ])

                    # Convert PKCS12 keystore into a JKS keystore
                    with mktemppath() as jks_tmp:
                        run_process([
                            "keytool",
                            "-importkeystore",
                            "-destkeystore", jks_tmp,
                            "-srckeystore", p12_tmp,
                            "-srcstoretype", "PKCS12",
                            "-alias", alias,
                            "-srcstorepass", passphrase,
                            "-deststorepass", passphrase
                        ])

                        # Import leaf cert in to JKS keystore
                        run_process([
                            "keytool",
                            "-importcert",
                            "-file", cert_tmp,
                            "-keystore", jks_tmp,
                            "-alias", "{0}_cert".format(alias),
                            "-storepass", passphrase,
                            "-noprompt"
                        ])

                        # Import the entire chain
                        for idx, cert in enumerate(split_chain(chain)):
                            with mktempfile() as c_tmp:
                                with open(c_tmp, 'w') as f:
                                    f.write(cert)
                                # Import signed cert in to JKS keystore
                                run_process([
                                    "keytool",
                                    "-importcert",
                                    "-file", c_tmp,
                                    "-keystore", jks_tmp,
                                    "-alias", "{0}_cert_{1}".format(alias, idx),
                                    "-storepass", passphrase,
                                    "-noprompt"
                                ])

                        with open(jks_tmp, 'rb') as f:
                            raw = f.read()

                        return "jks", passphrase, raw