def generate_x509_root(self, passphrase=None): """Generate x509 certificate with instance informations """ # Generate CA Request ca_pkey = self.key.private subject = self.get_subject() ossl = Openssl() pem = ossl.generate_self_signed_cert(self.days, subject, ca_pkey, passphrase) self.pem = pem self.certhash = ossl.get_hash_from_cert(pem) x509 = X509.load_cert_string(pem, X509.FORMAT_PEM) self.serial = str(x509.get_serial_number()) self.begin = x509.get_not_before().get_datetime() self.end = x509.get_not_after().get_datetime() # v3 extensions self.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip() auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n") self.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip() self.ca_serial = 1 self.is_ca = True self.trust = True # Add date self.created = datetime.now()
def sign_text(self, text, passphrase): """Sign a text with cert's key and passphrase """ if not self.key: raise Exception("No key for this certificate") ossl = Openssl() data_signed = ossl.sign_pkcs7(self.pem, text, self.key.private, passphrase) return data_signed
def gen_crl(self, passphrase=""): """Generate CRL for this certificate """ cakey = self.key.private issued = self.get_issued() crlnumber = self.crlnumber or 1 ossl = Openssl() self.crl = ossl.generate_crl(self, cakey, crlnumber, self.crl, issued, passphrase=passphrase) self.crlnumber = crlnumber + 1 self.save() return self.crl
def verify_smime(self, smime, silent=False): """Verify an smime signed message """ if not self.key: raise Exception("No key for this certificate") ossl = Openssl() if silent: try: data_signed = ossl.verify_pkcs7(self.pem, smime) except ossl.VerifyError: return False else: data_signed = ossl.verify_pkcs7(self.pem, smime) return data_signed
def check_chain(self, chain=None, silent=False): """Check certificate chain """ if not chain: chain = self.get_cert_chain() ossl = Openssl() result = False if silent: try: result = ossl.verify_ca_chain(chain) except ossl.VerifyError: return False else: result = ossl.verify_ca_chain(chain) return result
def revoke(self, cert, passphrase=""): """Generate CRL for this certificate """ if cert.issuer != self: raise Exception("I'm not the issuer.") cakey = self.key.private issued = self.get_issued() crlnumber = self.crlnumber or 1 ossl = Openssl() self.crl, self.index = ossl.revoke_cert(self, cakey, crlnumber, self.crl, cert, issued, passphrase=passphrase) self.crlnumber = crlnumber + 1 self.save() cert.revoked = True cert.save() return self.crl
def check_crl(self, silent=False, quick=False): """Check CRL for this certificate Quick only use database cache """ if self.revoked: return False elif quick: return True if self.issuer: if self.issuer.crl: ossl = Openssl() return not ossl.get_revoke_status_from_cert(self, self.issuer.crl) elif self.subject_kid != self.auth_kid: return False return True
def sign_request(self, rqst, days, passphrase=None, ca=False): """Sign a Request and return a Certificate instance """ ossl = Openssl() pem = ossl.sign_csr(rqst.pem, self.key.private, self.pem, self.ca_serial, days, passphrase, ca) self.ca_serial += 1 self.save() c_cert = Certificate() c_cert.pem = pem c_cert.certhash = ossl.get_hash_from_cert(pem) c_cert.user = rqst.user c_cert.issuer = self c_cert.key = rqst.key c_cert.country = rqst.country c_cert.CN = rqst.CN c_cert.locality = rqst.locality c_cert.email = rqst.email c_cert.organization = rqst.organization c_cert.OU = rqst.OU c_cert.state = rqst.state x509 = X509.load_cert_string(pem, X509.FORMAT_PEM) c_cert.serial = str(x509.get_serial_number()) c_cert.begin = x509.get_not_before().get_datetime() c_cert.end = x509.get_not_after().get_datetime() # v3 extensions c_cert.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip() auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n") c_cert.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip() if ca: c_cert.ca_serial = 1 c_cert.is_ca = True # Add date c_cert.created = datetime.now() # And return new instance return c_cert
def new_from_pem(cls, pem, user=None, key=None): """Create a Certificate Instance with an existing PEM """ ossl = Openssl() cert = cls(user=user, key=key) x509 = X509.load_cert_string(pem, X509.FORMAT_PEM) cert.pem = x509.as_pem() cert.certhash = ossl.get_hash_from_cert(pem) issuer = x509.get_issuer() if issuer.C: cert.country = smart_unicode(issuer.C) cert.CN = smart_unicode(issuer.CN) if issuer.L: cert.locality = smart_unicode(issuer.L) if issuer.Email: cert.email = smart_unicode(issuer.Email) if issuer.O: cert.organization = smart_unicode(issuer.O) if issuer.OU: cert.OU = smart_unicode(issuer.OU) if issuer.SP: cert.state = smart_unicode(issuer.SP) cert.serial = str(x509.get_serial_number()) cert.begin = x509.get_not_before().get_datetime() cert.end = x509.get_not_after().get_datetime() # v3 extensions cert.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip() auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n") cert.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip() # Search issuer try: ca_cert = Certificate.objects.get(subject_kid=cert.auth_kid) except Certificate.DoesNotExist: pass else: cert.issuer = ca_cert # Find Relations cert_pubkey = cert.get_pubkey() if key: cert.key = key else: if user: try: key = Key.objects.get(user=user, public=cert_pubkey) except Key.DoesNotExist: pass else: cert.key = key else: try: key = Key.objects.get(public=cert_pubkey) except Key.DoesNotExist: pass else: cert.key = key cert.user = key.user # Add date cert.created = datetime.now() if x509.check_ca(): cert.is_ca = True cert.save() # Search issued # XXX for c_cert in Certificate.objects.filter(auth_kid=cert.subject_kid, issuer__isnull=True): c_cert.issuer = cert c_cert.save() return cert