def create_cert(urn, issuer_key=None, issuer_cert=None, intermediate=False): '''Create a new certificate and return it and the associated keys. If issuer cert and key are given, they sign the certificate. Otherwise it is a self-signed certificate. If intermediate then mark this as an intermediate CA certificate (can sign). Certificate URN must be supplied. CN of the cert will be dotted notation authority.type.name from the URN. ''' # Note the below throws a ValueError if it wasnt a valid URN c_urn = URN(urn=urn) dotted = '%s.%s.%s' % (c_urn.getAuthority(), c_urn.getType(), c_urn.getName()) newgid = GID(create=True, subject=dotted[:64], urn=urn) keys = Keypair(create=True) newgid.set_pubkey(keys) if intermediate: # This cert will be able to sign certificates newgid.set_intermediate_ca(intermediate) if issuer_key and issuer_cert: # the given issuer will issue this cert if isinstance(issuer_key,str): issuer_key = Keypair(filename=issuer_key) if isinstance(issuer_cert,str): issuer_cert = GID(filename=issuer_cert) newgid.set_issuer(issuer_key, cert=issuer_cert) newgid.set_parent(issuer_cert) else: # create a self-signed cert newgid.set_issuer(keys, subject=dotted) newgid.encode() newgid.sign() return newgid, keys
def create_cert(urn, issuer_key=None, issuer_cert=None, intermediate=False): '''Create a new certificate and return it and the associated keys. If issuer cert and key are given, they sign the certificate. Otherwise it is a self-signed certificate. If intermediate then mark this as an intermediate CA certificate (can sign). Certificate URN must be supplied. CN of the cert will be dotted notation authority.type.name from the URN. ''' # Note the below throws a ValueError if it wasnt a valid URN c_urn = URN(urn=urn) dotted = '%s.%s.%s' % (c_urn.getAuthority(), c_urn.getType(), c_urn.getName()) newgid = GID(create=True, subject=dotted[:64], urn=urn) keys = Keypair(create=True) newgid.set_pubkey(keys) if intermediate: # This cert will be able to sign certificates newgid.set_intermediate_ca(intermediate) if issuer_key and issuer_cert: # the given issuer will issue this cert if isinstance(issuer_key, str): issuer_key = Keypair(filename=issuer_key) if isinstance(issuer_cert, str): issuer_cert = GID(filename=issuer_cert) newgid.set_issuer(issuer_key, cert=issuer_cert) newgid.set_parent(issuer_cert) else: # create a self-signed cert newgid.set_issuer(keys, subject=dotted) newgid.encode() newgid.sign() return newgid, keys
def create_gid(self, xrn, uuid, pkey, CA=False, email=None): hrn, type = urn_to_hrn(xrn) if not type: type = 'authority' parent_hrn = get_authority(hrn) # Using hrn_to_urn() here to make sure the urn is in the right format # If xrn was a hrn instead of a urn, then the gid's urn will be # of type None urn = hrn_to_urn(hrn, type) gid = GID(subject=hrn, uuid=uuid, hrn=hrn, urn=urn, email=email) # is this a CA cert if hrn == self.config.SFA_INTERFACE_HRN or not parent_hrn: # root or sub authority gid.set_intermediate_ca(True) elif type and 'authority' in type: # authority type gid.set_intermediate_ca(True) elif CA: gid.set_intermediate_ca(True) else: gid.set_intermediate_ca(False) # set issuer if not parent_hrn or hrn == self.config.SFA_INTERFACE_HRN: # if there is no parent hrn, then it must be self-signed. this # is where we terminate the recursion gid.set_issuer(pkey, hrn) else: # we need the parent's private key in order to sign this GID parent_auth_info = self.get_auth_info(parent_hrn) gid.set_issuer(parent_auth_info.get_pkey_object(), parent_auth_info.hrn) gid.set_parent(parent_auth_info.get_gid_object()) gid.set_pubkey(pkey) gid.encode() gid.sign() return gid