def generate_x509_root(self, passphrase=None):
"""Generate x509 certificate with instance informations
"""
# Generate CA Request
ca_pkey = self.key.private
subject = self.get_subject()
ossl = Openssl()
pem = ossl.generate_self_signed_cert(self.days, subject, ca_pkey, passphrase)
self.pem = pem
self.certhash = ossl.get_hash_from_cert(pem)
x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
self.serial = str(x509.get_serial_number())
self.begin = x509.get_not_before().get_datetime()
self.end = x509.get_not_after().get_datetime()
# v3 extensions
self.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
self.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()
self.ca_serial = 1
self.is_ca = True
self.trust = True
# Add date
self.created = datetime.now()
def sign_request(self, rqst, days, passphrase=None, ca=False):
"""Sign a Request and return a Certificate instance
"""
ossl = Openssl()
pem = ossl.sign_csr(rqst.pem, self.key.private, self.pem, self.ca_serial, days, passphrase, ca)
self.ca_serial += 1
self.save()
c_cert = Certificate()
c_cert.pem = pem
c_cert.certhash = ossl.get_hash_from_cert(pem)
c_cert.user = rqst.user
c_cert.issuer = self
c_cert.key = rqst.key
c_cert.country = rqst.country
c_cert.CN = rqst.CN
c_cert.locality = rqst.locality
c_cert.email = rqst.email
c_cert.organization = rqst.organization
c_cert.OU = rqst.OU
c_cert.state = rqst.state
x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
c_cert.serial = str(x509.get_serial_number())
c_cert.begin = x509.get_not_before().get_datetime()
c_cert.end = x509.get_not_after().get_datetime()
# v3 extensions
c_cert.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
c_cert.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()
if ca:
c_cert.ca_serial = 1
c_cert.is_ca = True
# Add date
c_cert.created = datetime.now()
# And return new instance
return c_cert
def new_from_pem(cls, pem, user=None, key=None):
"""Create a Certificate Instance with an existing PEM
"""
ossl = Openssl()
cert = cls(user=user, key=key)
x509 = X509.load_cert_string(pem, X509.FORMAT_PEM)
cert.pem = x509.as_pem()
cert.certhash = ossl.get_hash_from_cert(pem)
issuer = x509.get_issuer()
if issuer.C:
cert.country = smart_unicode(issuer.C)
cert.CN = smart_unicode(issuer.CN)
if issuer.L:
cert.locality = smart_unicode(issuer.L)
if issuer.Email:
cert.email = smart_unicode(issuer.Email)
if issuer.O:
cert.organization = smart_unicode(issuer.O)
if issuer.OU:
cert.OU = smart_unicode(issuer.OU)
if issuer.SP:
cert.state = smart_unicode(issuer.SP)
cert.serial = str(x509.get_serial_number())
cert.begin = x509.get_not_before().get_datetime()
cert.end = x509.get_not_after().get_datetime()
# v3 extensions
cert.subject_kid = x509.get_ext("subjectKeyIdentifier").get_value().strip()
auth_kid = x509.get_ext("authorityKeyIdentifier").get_value().split("\n")
cert.auth_kid = [keyid.lstrip("keyid:") for keyid in auth_kid if keyid.startswith("keyid:")][0].strip()
# Search issuer
try:
ca_cert = Certificate.objects.get(subject_kid=cert.auth_kid)
except Certificate.DoesNotExist:
pass
else:
cert.issuer = ca_cert
# Find Relations
cert_pubkey = cert.get_pubkey()
if key:
cert.key = key
else:
if user:
try:
key = Key.objects.get(user=user, public=cert_pubkey)
except Key.DoesNotExist:
pass
else:
cert.key = key
else:
try:
key = Key.objects.get(public=cert_pubkey)
except Key.DoesNotExist:
pass
else:
cert.key = key
cert.user = key.user
# Add date
cert.created = datetime.now()
if x509.check_ca():
cert.is_ca = True
cert.save()
# Search issued # XXX
for c_cert in Certificate.objects.filter(auth_kid=cert.subject_kid, issuer__isnull=True):
c_cert.issuer = cert
c_cert.save()
return cert
