def generate_x509_root(self, passphrase=None):
"""Generate x509 certificate with instance informations
"""
# Generate CA Request
ca_pkey = self.key.private
subject = self.get_subject()
ossl = Openssl()
pem = ossl.generate_self_signed_cert(self.days, subject, ca_pkey, passphrase)
self.pem = pem
self.certhash = ossl.get_hash_from_cert(pem)
x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
self.serial = str(x509.get_serial_number())
self.begin = x509.get_not_before().get_datetime()
self.end = x509.get_not_after().get_datetime()
# v3 extensions
self.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
self.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()
self.ca_serial = 1
self.is_ca = True
self.trust = True
# Add date
self.created = datetime.now()
def sign_text(self, text, passphrase):
"""Sign a text with cert's key and passphrase
"""
if not self.key:
raise Exception("No key for this certificate")
ossl = Openssl()
data_signed = ossl.sign_pkcs7(self.pem, text, self.key.private, passphrase)
return data_signed
def gen_crl(self, passphrase=""):
"""Generate CRL for this certificate
"""
cakey = self.key.private
issued = self.get_issued()
crlnumber = self.crlnumber or 1
ossl = Openssl()
self.crl = ossl.generate_crl(self, cakey, crlnumber, self.crl, issued, passphrase=passphrase)
self.crlnumber = crlnumber + 1
self.save()
return self.crl
def verify_smime(self, smime, silent=False):
"""Verify an smime signed message
"""
if not self.key:
raise Exception("No key for this certificate")
ossl = Openssl()
if silent:
try:
data_signed = ossl.verify_pkcs7(self.pem, smime)
except ossl.VerifyError:
return False
else:
data_signed = ossl.verify_pkcs7(self.pem, smime)
return data_signed
def check_chain(self, chain=None, silent=False):
"""Check certificate chain
"""
if not chain:
chain = self.get_cert_chain()
ossl = Openssl()
result = False
if silent:
try:
result = ossl.verify_ca_chain(chain)
except ossl.VerifyError:
return False
else:
result = ossl.verify_ca_chain(chain)
return result
def revoke(self, cert, passphrase=""):
"""Generate CRL for this certificate
"""
if cert.issuer != self:
raise Exception("I'm not the issuer.")
cakey = self.key.private
issued = self.get_issued()
crlnumber = self.crlnumber or 1
ossl = Openssl()
self.crl, self.index = ossl.revoke_cert(self, cakey, crlnumber, self.crl, cert, issued, passphrase=passphrase)
self.crlnumber = crlnumber + 1
self.save()
cert.revoked = True
cert.save()
return self.crl
def check_crl(self, silent=False, quick=False):
"""Check CRL for this certificate
Quick only use database cache
"""
if self.revoked:
return False
elif quick:
return True
if self.issuer:
if self.issuer.crl:
ossl = Openssl()
return not ossl.get_revoke_status_from_cert(self, self.issuer.crl)
elif self.subject_kid != self.auth_kid:
return False
return True
def sign_request(self, rqst, days, passphrase=None, ca=False):
"""Sign a Request and return a Certificate instance
"""
ossl = Openssl()
pem = ossl.sign_csr(rqst.pem, self.key.private, self.pem, self.ca_serial, days, passphrase, ca)
self.ca_serial += 1
self.save()
c_cert = Certificate()
c_cert.pem = pem
c_cert.certhash = ossl.get_hash_from_cert(pem)
c_cert.user = rqst.user
c_cert.issuer = self
c_cert.key = rqst.key
c_cert.country = rqst.country
c_cert.CN = rqst.CN
c_cert.locality = rqst.locality
c_cert.email = rqst.email
c_cert.organization = rqst.organization
c_cert.OU = rqst.OU
c_cert.state = rqst.state
x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
c_cert.serial = str(x509.get_serial_number())
c_cert.begin = x509.get_not_before().get_datetime()
c_cert.end = x509.get_not_after().get_datetime()
# v3 extensions
c_cert.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
c_cert.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()
if ca:
c_cert.ca_serial = 1
c_cert.is_ca = True
# Add date
c_cert.created = datetime.now()
# And return new instance
return c_cert
def new_from_pem(cls, pem, user=None, key=None):
"""Create a Certificate Instance with an existing PEM
"""
ossl = Openssl()
cert = cls(user=user, key=key)
x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
cert.pem = x509.as_pem()
cert.certhash = ossl.get_hash_from_cert(pem)
issuer = x509.get_issuer()
if issuer.C:
cert.country = smart_unicode(issuer.C)
cert.CN = smart_unicode(issuer.CN)
if issuer.L:
cert.locality = smart_unicode(issuer.L)
if issuer.Email:
cert.email = smart_unicode(issuer.Email)
if issuer.O:
cert.organization = smart_unicode(issuer.O)
if issuer.OU:
cert.OU = smart_unicode(issuer.OU)
if issuer.SP:
cert.state = smart_unicode(issuer.SP)
cert.serial = str(x509.get_serial_number())
cert.begin = x509.get_not_before().get_datetime()
cert.end = x509.get_not_after().get_datetime()
# v3 extensions
cert.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
cert.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()
# Search issuer
try:
ca_cert = Certificate.objects.get(subject_kid=cert.auth_kid)
except Certificate.DoesNotExist:
pass
else:
cert.issuer = ca_cert
# Find Relations
cert_pubkey = cert.get_pubkey()
if key:
cert.key = key
else:
if user:
try:
key = Key.objects.get(user=user, public=cert_pubkey)
except Key.DoesNotExist:
pass
else:
cert.key = key
else:
try:
key = Key.objects.get(public=cert_pubkey)
except Key.DoesNotExist:
pass
else:
cert.key = key
cert.user = key.user
# Add date
cert.created = datetime.now()
if x509.check_ca():
cert.is_ca = True
cert.save()
# Search issued # XXX
for c_cert in Certificate.objects.filter(auth_kid=cert.subject_kid, issuer__isnull=True):
c_cert.issuer = cert
c_cert.save()
return cert
