def _issue_certificate(self, request):
'''Issue a new certificate from the Certificate Signing Request passed
in the POST'd request
@param request: HTTP request
@type request: webob.Request
@return: new certificate
@rtype: string
'''
if request.method != 'POST':
response = "HTTP Request method not recognised"
log.error("HTTP Request method %r not recognised", request.method)
raise HTTPMethodNotAllowed(response, headers=[('Allow', 'POST')])
# Extract cert request and convert to standard string - SSL library
# will not accept unicode
cert_req_key = self.__class__.CERT_REQ_POST_PARAM_KEYNAME
str_cert_req = str(request.POST.get(cert_req_key))
if str_cert_req is None:
response = ("No %r form variable set in POST message" %
cert_req_key)
log.error(response)
raise HTTPBadRequest(response)
log.debug("certificate request = %r", str_cert_req)
# TODO: Deprecate PEM cert request support.
# Support decoding based on PEM encoded request or similar, base64
# encoded request. The latter is a better approach, support both forms
# for now until clients can be updated
try:
cert_req = crypto.load_certificate_request(crypto.FILETYPE_PEM,
str_cert_req)
except crypto.Error:
# Re-try, this time interpreting the text as a base64 encoded value
try:
der_cert_req = base64.b64decode(str_cert_req)
cert_req = crypto.load_certificate_request(crypto.FILETYPE_ASN1,
der_cert_req)
except crypto.Error:
log.error("Error loading input certificate request: %r",
str_cert_req)
raise HTTPBadRequest("Error loading input certificate request")
subject_name_tmpl = string.Template(self.cert_subject_name_template)
subject_name_str = subject_name_tmpl.substitute(**request.environ)
subject_name = X509SubjectName.from_string(subject_name_str)
subject_name_ = subject_name.as_openssl_x509_subject_name()
cert = self.__ca.issue_certificate(cert_req, subject_name_,
request.environ)
cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
return cert_pem
def lambda_handler(event, context):
ca_cert_file = open('/Volumes/home/CA/ca/signing-ca.crt', 'r')
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert_file.read())
ca_cert_file.close()
ca_key_file = open('/Volumes/home/CA/ca/root-ca/private/root-ca.key', 'r')
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_file.read(),
b'test')
ca_key_file.close()
crt_req_file = open('asav-3.virl.lan.crt.csr')
crt_req = crypto.load_certificate_request(crypto.FILETYPE_PEM,
crt_req_file.read())
crt_req_file.close()
new_crt_serial = 990099
new_crt = createCertificate(crt_req, ca_cert, ca_key, new_crt_serial, 0,
230400)
msgCertificateParameters = crypto.dump_certificate(crypto.FILETYPE_TEXT,
new_crt)
print(msgCertificateParameters.decode('utf-8'))
msgCertificateParameters = crypto.dump_certificate(crypto.FILETYPE_PEM,
new_crt)
print(msgCertificateParameters.decode('utf-8'))
open('asav-3.virl.lan.crt',
'wb').write(crypto.dump_certificate(crypto.FILETYPE_PEM, new_crt))
return
class Handler(BaseHTTPRequestHandler):
def do_GET(self):
response = ""
try:
csrs = os.listdir(CSR_DIR)
except Exception, e:
print "Could not list CSRs (%s)..." % str(e)
csrs = []
if len(csrs) == 0:
print "No CSRs, waiting..."
response += show_refresh()
self.send_200()
self.wfile.write(show_page(response))
return
try:
name = os.path.join(CSR_DIR, csrs[0])
print "Loading CSR (%s)..." % name
cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, file(name).read())
except Exception, e:
print "Could not load CSR (%s)..." % str(e)
self.send_404()
return
def __init__(self, mixed=None):
self.buf = None
self.path = NotImplemented
self.created = NotImplemented
if isinstance(mixed, io.TextIOWrapper):
self.path = mixed.name
_, _, _, _, _, _, _, _, mtime, _ = os.stat(self.path)
self.created = datetime.fromtimestamp(mtime)
mixed = mixed.read()
if isinstance(mixed, bytes):
mixed = mixed.decode("ascii")
if isinstance(mixed, str):
try:
self.buf = mixed
mixed = crypto.load_certificate_request(crypto.FILETYPE_PEM, mixed)
except crypto.Error:
print("Failed to parse:", mixed)
raise
if isinstance(mixed, crypto.X509Req):
self._obj = mixed
else:
raise ValueError("Can't parse %s as X.509 certificate signing request!" % mixed)
assert not self.buf or self.buf == self.dump(), "%s is not %s" % (self.buf, self.dump())
def lambda_handler(event, context):
# Whoami and Whatami is important for construction region sensitive ARNs
region = context.invoked_function_arn.split(":")[3]
account = context.invoked_function_arn.split(":")[4]
csr = base64.b64decode(event['headers']['device-csr'])
req = load_certificate_request( FILETYPE_PEM, csr )
device_id = req.get_subject().CN
response = provision_certificate( csr )
certificate = response['Certificate']
# Send the certificate to AWS IoT. We assume the issuing CA has already
# been registered.
certificate_arn = deploy_certificate( certificate )
if ( certificate_arn == None ): return None
# Create the Thing object and attach to the deployed certificate
response = deploy_thing( device_id, certificate_arn )
if ( response == False ): return None
# Create the Policy if necessary, and attach the created Policy (or
# existing Policy) to the Thing.
response = deploy_policy( certificate_arn, region, account )
if ( response == False ): return None
# Return the certificate to API Gateway.
iot = boto3.client('iot')
endpoint = iot.describe_endpoint(endpointType = 'iot:Data-ATS')
payload = { 'certificate': certificate,
'endpoint': endpoint['endpointAddress'] }
return json.dumps(payload)
def issue_certificate_request(self, order_id, order_meta, plugin_meta,
barbican_meta_dto):
if barbican_meta_dto.generated_csr is not None:
encoded_csr = barbican_meta_dto.generated_csr
else:
try:
encoded_csr = base64.b64decode(order_meta['request_data'])
except KeyError:
return cert_manager.ResultDTO(
cert_manager.CertificateStatus.CLIENT_DATA_ISSUE_SEEN,
status_message=u._("No request_data specified"))
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, encoded_csr)
ca_id = barbican_meta_dto.plugin_ca_id
if ca_id:
ca = self.cas.get(ca_id)
if ca is None:
raise cert_manager.CertificateGeneralException(
"Invalid ca_id passed into snake oil plugin:" + ca_id)
else:
ca = self.ca
cert_mgr = CertManager(ca)
cert = cert_mgr.make_certificate(csr)
cert_enc = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
return cert_manager.ResultDTO(
cert_manager.CertificateStatus.CERTIFICATE_GENERATED,
certificate=base64.b64encode(cert_enc),
intermediates=base64.b64encode(ca.pkcs7))
def test_dump_certificate_request(self):
"""
L{dump_certificate_request} writes a PEM, DER, and text.
"""
req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
good_der = self._runopenssl(dumped_pem, "req", "-outform", "DER")
self.assertEqual(dumped_der, good_der)
req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
good_text = self._runopenssl(dumped_pem, "req", "-noout", "-text")
self.assertEqual(dumped_text, good_text)
def lambda_handler(event, context):
csr = base64.b64decode(event['headers']['device-csr'])
req = load_certificate_request( FILETYPE_PEM, csr )
device_id = req.get_subject().CN
response = provision_certificate( csr )
region = context.invoked_function_arn.split(":")[3]
account = context.invoked_function_arn.split(":")[4]
# Send the certificate to AWS IoT. We assume the issuing CA has already
# been registered.
if response is None:
return None
certificate_body = response['certificatePem']
certificate_arn = response['certificateArn']
# Create the Thing object and attach to the deployed certificate
response = deploy_thing( device_id, certificate_arn )
# The entire transaction failed, so report failure.
if ( response == False ):
return None
# Create the Policy if necessary, and attach the created Policy (or
# existing Policy) to the Thing.
deploy_policy( certificate_arn, region, account )
if ( response == False ):
return None
# Return the certificate to API Gateway.
return certificate_body
def req(self):
req = _crypto.load_certificate_request(_crypto.FILETYPE_PEM, self.pem)
try:
req.verify(req.get_pubkey())
except _crypto.Error:
raise ValueError("Invalid Request")
return req
def handler_getCert():
# Get cert_request from Node
serial = request.json['serial']
reqs = request.json['req']
if len(reqs) != 3:
print "ERROR - Bad requests array len"
return json.dumps({"status": "certError"})
else:
obj_req = []
for dump_req in reqs:
obj_req.append(
crypto.load_certificate_request(crypto.FILETYPE_PEM, dump_req))
# Load CA key and cert
ca_key = load_key("/ca.key")
ca_cert = load_cert("/ca.cert")
dump_ca_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert)
# Create Node certificates
dump_certs = []
for req in obj_req:
cert = create_cert(req, ca_cert, ca_key, serial)
dump_certs.append(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
return json.dumps({
"status": "certOK",
"ca_cert": dump_ca_cert,
"certs": dump_certs
})
def test_csr_generation(self):
taxpayer = factories.TaxPayerFactory(key=None)
taxpayer.generate_key()
csr_file = taxpayer.generate_csr()
csr = csr_file.read().decode()
self.assertEqual(
csr.splitlines()[0],
'-----BEGIN CERTIFICATE REQUEST-----'
)
self.assertEqual(
csr.splitlines()[-1],
'-----END CERTIFICATE REQUEST-----'
)
loaded_csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
self.assertIsInstance(loaded_csr, crypto.X509Req)
expected_components = [
(b'O', b'John Smith'),
(b'CN', b'djangoafip1489537017'),
(b'serialNumber', b'CUIT 20329642330'),
]
self.assertEqual(
expected_components,
loaded_csr.get_subject().get_components()
)
def load_certificate_request(csr: str) -> dict:
try:
csr_obj = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
except crypto.Error:
return {}
else:
return get_x509_subject(csr_obj)
def register():
#### process node info
content = request.get_json()
control_address = content['control_network_ip']
data_address = content['data_network_ip']
# ssh management for netconf
nfs_ssh_key = ssh_key.replace("CONTROL-IP",
content['control_network_ip'])
ssh_key_file = open("/root/.ssh/known_hosts", "a")
ssh_key_file.write(nfs_ssh_key + "\n")
ssh_key_file.close()
# certificate for node
req = "-----BEGIN CERTIFICATE REQUEST-----\n" + content[
'cert_req'] + "\n-----END CERTIFICATE REQUEST-----"
cert_req = crypto.load_certificate_request(crypto.FILETYPE_PEM, req)
cert = createCertificate(cert_req, (cacert, cakey),
len(registered_nodes),
(0, 60 * 60 * 24 * 365 * 10)) # ten years
node_cert = crypto.dump_certificate(crypto.FILETYPE_PEM,
cert).decode('ascii')
node_cert = node_cert[node_cert.find("-----BEGIN CERTIFICATE-----") +
28:node_cert.find("-----END CERTIFICATE-----") -
1]
node_certs[control_address] = node_cert
registered_nodes.append((control_address, data_address))
app.logger.info(str(control_address) + ":" + str(data_address))
return 'OK'
def _validate_pkcs10_data(self, request_data):
"""Confirm that the request_data is valid base64 encoded PKCS#10.
Base64 decode the request, if it fails raise PayloadDecodingError.
Then parse data into the ASN.1 structure defined by PKCS10 and
verify the signing information.
If parsing of verifying fails, raise InvalidPKCS10Data.
"""
try:
csr_pem = base64.b64decode(request_data)
except Exception:
raise exception.PayloadDecodingError()
try:
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_pem)
except Exception:
reason = u._("Bad format")
raise exception.InvalidPKCS10Data(reason=reason)
try:
pubkey = csr.get_pubkey()
csr.verify(pubkey)
except Exception:
reason = u._("Signing key incorrect")
raise exception.InvalidPKCS10Data(reason=reason)
def finalize(self, CSR_PEM):
'''
Retrieve certificate from CA on successful validation
:param CSR_PEM: CSR containing all validated domains
:param authorization_obj: unnecessary on v1
:return: dictionary containing PEM String of signed certificate and status
'''
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, CSR_PEM)
DER_STRING = crypto.dump_certificate_request(crypto.FILETYPE_ASN1, csr)
payload = {"resource": "new-cert", "csr": _b64e(DER_STRING)}
code, headers, result = self.__sendSignedRequest(
CA + "/acme/new-cert", payload)
# todo: read response headers, follow for links to other required certificates for chain
try:
cert_der = crypto.load_certificate(crypto.FILETYPE_ASN1, result)
cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert_der)
for i in headers['Link'].split(','):
cert_der = crypto.load_certificate(
crypto.FILETYPE_ASN1,
requests.get(_getstringbetweentwostrings(i, '<', '>')[0],
timeout=self.__t).content)
cert_pem += "\n%s" % crypto.dump_certificate(
crypto.FILETYPE_PEM, cert_der)
return (True, cert_pem)
# return cert_pem;
except:
return (False, json.loads(result)["detail"])
def load_certificate_request(self, csr):
try:
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
except crypto.Error:
return {}
else:
return self.get_x509_subject(csr)
def _validate_pkcs10_data(self, request_data):
"""Confirm that the request_data is valid base64 encoded PKCS#10.
Base64 decode the request, if it fails raise PayloadDecodingError.
Then parse data into the ASN.1 structure defined by PKCS10 and
verify the signing information.
If parsing of verifying fails, raise InvalidPKCS10Data.
"""
try:
csr_pem = base64.b64decode(request_data)
except Exception:
raise exception.PayloadDecodingError()
try:
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM,
csr_pem)
except Exception:
reason = u._("Bad format")
raise exception.InvalidPKCS10Data(reason=reason)
try:
pubkey = csr.get_pubkey()
csr.verify(pubkey)
except Exception:
reason = u._("Signing key incorrect")
raise exception.InvalidPKCS10Data(reason=reason)
def req(self):
req = _crypto.load_certificate_request(_crypto.FILETYPE_PEM, self.pem)
try:
req.verify(req.get_pubkey())
except _crypto.Error:
raise ValueError("Invalid Request")
return req
def _get_csr(self, spkac_str):
"""
gets a NetscapeSPKI object from the spkac_str
or loads a PKCS10
"""
# TODO should figure out how to use this
# challenge thing (spkac is using md5, so
# I guess there should be some time bound)
# maybe linked to session or something???
# See https://www.w3.org/Bugs/Public/show_bug.cgi?id=13518
#http://www.w3.org/wiki/Foaf%2Bssl/Clients#Keygen
# We could der-decode the spkac and get the challenge from there.
spkac_str = re.sub('\s', '', spkac_str)
#print('SPKAC PUBKEY=%s' % spkac_str)
logging.debug('SPKAC PUBKEY=%s' % spkac_str)
if "BEGINIECERTIFICATEREQUEST" in spkac_str:
#XXX improve csr type detection (get a flag from view)
pkcs10 = spkac_str.replace('-----BEGINIECERTIFICATEREQUEST-----',
'').replace(
'-----ENDIECERTIFICATEREQUEST-----',
'')
der = base64.b64decode(pkcs10)
self.csr = crypto.load_certificate_request(crypto.FILETYPE_ASN1,
der)
self.csr_type = "msie"
else:
self.csr = crypto.NetscapeSPKI(spkac_str)
self.csr_type = "spki"
def test_csr_generation(self):
taxpayer = fixtures.TaxPayerFactory(key=None)
taxpayer.generate_key()
csr_file = taxpayer.generate_csr()
csr = csr_file.read().decode()
self.assertEqual(
csr.splitlines()[0],
'-----BEGIN CERTIFICATE REQUEST-----'
)
self.assertEqual(
csr.splitlines()[-1],
'-----END CERTIFICATE REQUEST-----'
)
loaded_csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
self.assertIsInstance(loaded_csr, crypto.X509Req)
expected_components = [
(b'O', b'John Smith'),
(b'CN', b'djangoafip1489537017'),
(b'serialNumber', b'CUIT 20329642330'),
]
self.assertEqual(
expected_components,
loaded_csr.get_subject().get_components()
)
def __init__(self, csr, index_db_path):
"""
Create instance of CertificateAuthority and validate CSR
:param csr: certificate request
:raise CAError: raised in CSR invalid
"""
self._csr = None
try:
self.index_db = IndexDB(index_db_path)
except DatabaseError as exc:
raise CAError(exc)
try:
self._csr = crypto.load_certificate_request(
crypto.FILETYPE_PEM, csr)
email = self._csr.get_subject().emailAddress
if not email or not email.endswith(
DOMAIN): # TODO: improve validation
raise CAError(
'Incorrect certificate! Email not found or incorrect!\n'
'Expected [username]{}; Got: {}\n'
'Generate certificate using ca_client.py!'.format(
DOMAIN, email))
except crypto.Error as exc:
raise CAError(exc)
def requestCertificate(self, token, req):
req = crypto.load_certificate_request(crypto.FILETYPE_PEM, req)
with self.lock:
with self.db:
if token:
if not self.config.prefix_length:
raise HTTPError(httplib.FORBIDDEN)
try:
token, email, prefix_len, _ = self.db.execute(
"SELECT * FROM token WHERE token = ?",
(token,)).next()
except StopIteration:
return
self.db.execute("DELETE FROM token WHERE token = ?",
(token,))
else:
prefix_len = self.config.anonymous_prefix_length
if not prefix_len:
raise HTTPError(httplib.FORBIDDEN)
email = None
prefix = self.newPrefix(prefix_len)
self.db.execute("UPDATE cert SET email = ? WHERE prefix = ?",
(email, prefix))
if self.prefix is None:
self.prefix = prefix
self.setConfig('prefix', prefix)
self.updateNetworkConfig()
subject = req.get_subject()
subject.serialNumber = str(self.getSubjectSerial())
return self.createCertificate(prefix, subject, req.get_pubkey())
def test_merge_certificate(self, client, **kwargs):
cert_name = "mergeCertificate"
cert_policy = CertificatePolicy(
issuer_name=WellKnownIssuerNames.unknown, subject="CN=MyCert", certificate_transparency=False
)
dirname = os.path.dirname(os.path.abspath(__file__))
with open(os.path.abspath(os.path.join(dirname, "ca.key")), "rt") as f:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
with open(os.path.abspath(os.path.join(dirname, "ca.crt")), "rt") as f:
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
client.begin_create_certificate(certificate_name=cert_name, policy=cert_policy).wait()
csr = (
"-----BEGIN CERTIFICATE REQUEST-----\n"
+ base64.b64encode(client.get_certificate_operation(certificate_name=cert_name).csr).decode()
+ "\n-----END CERTIFICATE REQUEST-----"
)
req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
cert = crypto.X509()
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60) # Testing certificates need not be long lived
cert.set_issuer(ca_cert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(pkey, "sha256")
signed_certificate_bytes = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode().replace("\n", "")
signed_certificate_bytes = signed_certificate_bytes.lstrip("-----BEGIN CERTIFICATE-----")
signed_certificate_bytes = signed_certificate_bytes.rstrip("-----END CERTIFICATE-----")
client.merge_certificate(certificate_name=cert_name, x509_certificates=[signed_certificate_bytes.encode()])
def get_manager_cert():
log('Certificate request from manager %s (user %s)' % (
g.cert['serviceLocator'], g.cert['UID']))
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM,
request.files['csr'].read())
return x509cert.create_x509_cert(config_parser.get('conpaas', 'CERT_DIR'), csr)
def test_key_and_csr(self):
"""
Will write the key an csr on local filesystem.
"""
key_path, self.test_segments = mk.fs.makePathInTemp()
csr_segments = self.test_segments[:]
csr_segments[-1] = u'%s.csr' % csr_segments[-1]
self.addCleanup(mk.fs.deleteFile, csr_segments)
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
'--key-file', key_path,
'--key-size=512',
])
generate_and_store_csr(options)
key_content = mk.fs.getFileContent(self.test_segments)
key = crypto.load_privatekey(
crypto.FILETYPE_PEM, key_content)
self.assertEqual(512, key.bits())
csr_content = mk.fs.getFileContent(csr_segments)
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content)
self.assertEqual(u'domain.com', csr.get_subject().CN)
def issue_certificate(cafile, cakey, digest, server_ip):
private_key = generate_private_key(crypto.TYPE_RSA, 2048)
csr = generate_request(private_key, digest, CN=server_ip)
private_key_str = crypto.dump_privatekey(crypto.FILETYPE_PEM, private_key)
csr_str = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
with open(cafile) as cafile:
cafile_str = cafile.read()
with open(cakey) as cakey:
cakey_str = cakey.read()
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, cafile_str)
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, cakey_str)
req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_str)
cert = crypto.X509()
cert.set_subject(req_cert.get_subject())
cert.set_serial_number(1)
# before one year ago
cert.gmtime_adj_notBefore(-31536000)
# after 10 years
cert.gmtime_adj_notAfter(315360000)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(req_cert.get_pubkey())
cert.sign(ca_key, digest)
server_cert_str = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
with open(server_crt, "w") as server_crt_fd:
server_crt_fd.write(server_cert_str)
with open(server_key, "w") as server_key_fd:
server_key_fd.write(private_key_str)
os.system("systemctl daemon-reload")
os.system("systemctl restart itpserver")
def _get_csr(self, spkac_str):
"""
gets a NetscapeSPKI object from the spkac_str
or loads a PKCS10
"""
# TODO should figure out how to use this
# challenge thing (spkac is using md5, so
# I guess there should be some time bound)
# maybe linked to session or something???
# See https://www.w3.org/Bugs/Public/show_bug.cgi?id=13518
#http://www.w3.org/wiki/Foaf%2Bssl/Clients#Keygen
# We could der-decode the spkac and get the challenge from there.
spkac_str = re.sub('\s', '', spkac_str)
#print('SPKAC PUBKEY=%s' % spkac_str)
logging.debug('SPKAC PUBKEY=%s' % spkac_str)
if "BEGINIECERTIFICATEREQUEST" in spkac_str:
#XXX improve csr type detection (get a flag from view)
pkcs10 = spkac_str.replace(
'-----BEGINIECERTIFICATEREQUEST-----', '').replace(
'-----ENDIECERTIFICATEREQUEST-----', '')
der = base64.b64decode(pkcs10)
self.csr = crypto.load_certificate_request(
crypto.FILETYPE_ASN1, der)
self.csr_type = "msie"
else:
self.csr = crypto.NetscapeSPKI(spkac_str)
self.csr_type = "spki"
def load(Class, requestData, requestFormat=crypto.FILETYPE_ASN1):
req = crypto.load_certificate_request(requestFormat, requestData)
dn = DistinguishedName()
dn._copyFrom(req.get_subject())
if not req.verify(req.get_pubkey()):
raise VerifyError("Can't verify that request for %r is self-signed." % (dn,))
return Class(req)
def load(Class, requestData, requestFormat=crypto.FILETYPE_ASN1):
req = crypto.load_certificate_request(requestFormat, requestData)
dn = DistinguishedName()
dn._copyFrom(req.get_subject())
if not req.verify(req.get_pubkey()):
raise VerifyError("Can't verify that request for %r is self-signed." % (dn,))
return Class(req)
def post(self):
logRequestInfo(self.request)
action = paramFormat(json.loads(self.request.body))
# check arguments existing
if 'csr_body' not in action.keys():
self.write(jsonMessage(-1, "[Request error]: Missing parameters!"))
return
try:
action['csr_body'] = aesCipher.decrypt(action['csr_body'])
# 将req中的CommonName作为标识该Req的字段
req = load_certificate_request(FILETYPE_PEM,
action['csr_body'])
subject = req.get_subject()
components = dict(subject.get_components())
action['csr_name'] = components[b'CN'].decode('utf8')
except base64.binascii.Error:
self.write(
jsonMessage(
-1,
"[Request error]: 'csr_body' field must be base64 type!"))
self.finish()
return
except OpenSSL.crypto.Error:
self.write(
jsonMessage(
-1,
"[ERROR]: Wrong certificate request (X509Req) format!"))
self.finish()
return
# 调用生成证书函数
ret = gencert(365, action['csr_name'], action['csr_body'])
self.write(ret)
self.finish()
def __init__(self, mixed=None):
self.buf = None
self.path = NotImplemented
self.created = NotImplemented
if isinstance(mixed, io.TextIOWrapper):
self.path = mixed.name
_, _, _, _, _, _, _, _, mtime, _ = os.stat(self.path)
self.created = datetime.fromtimestamp(mtime)
mixed = mixed.read()
if isinstance(mixed, bytes):
mixed = mixed.decode("ascii")
if isinstance(mixed, str):
try:
self.buf = mixed
mixed = crypto.load_certificate_request(crypto.FILETYPE_PEM, mixed)
except crypto.Error:
print("Failed to parse:", mixed)
raise
if isinstance(mixed, crypto.X509Req):
self._obj = mixed
else:
raise ValueError("Can't parse %s as X.509 certificate signing request!" % mixed)
assert not self.buf or self.buf == self.dump(), "%s is not %s" % (self.buf, self.dump())
def issue_certificate_request(self, order_id, order_meta, plugin_meta,
barbican_meta_dto):
if barbican_meta_dto.generated_csr is not None:
encoded_csr = barbican_meta_dto.generated_csr
else:
try:
encoded_csr = base64.b64decode(order_meta['request_data'])
except KeyError:
return cert_manager.ResultDTO(
cert_manager.CertificateStatus.CLIENT_DATA_ISSUE_SEEN,
status_message=u._("No request_data specified"))
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, encoded_csr)
ca_id = barbican_meta_dto.plugin_ca_id
if ca_id:
ca = self.cas.get(ca_id)
if ca is None:
raise cert_manager.CertificateGeneralException(
"Invalid ca_id passed into snake oil plugin:" + ca_id)
else:
ca = self.ca
cert_mgr = CertManager(ca)
cert = cert_mgr.make_certificate(csr)
cert_enc = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
return cert_manager.ResultDTO(
cert_manager.CertificateStatus.CERTIFICATE_GENERATED,
certificate=base64.b64encode(cert_enc),
intermediates=base64.b64encode(ca.pkcs7))
def __init__(self,
country=None,
state=None,
locality=None,
organization=None,
organization_unit=None,
name=None,
email=None,
digest="sha1",
filename=None):
if filename is None:
req = crypto.X509Req()
subject = req.get_subject()
if country:
subject.C = country
if state:
subject.ST = state
if locality:
subject.L = locality
if organization:
subject.O = organization
if organization_unit:
subject.OU = organization_unit
if name:
subject.CN = name
if email:
subject.emailAddress = email
else:
ftype, text = get_type_and_text(filename)
req = crypto.load_certificate_request(ftype, text)
self._req = req
def create_certificate(issuerKeyPem,
issuerCertPem,
csrPem,
validForDays,
serial,
version = 0,
digest = 'sha1'):
"""
Create a certificate and return certificate (PEM, text, fingerprint).
:param subjectPrivKey: Subject private RSA key in PEM format.
:type subjectPrivKey: str
:param subjectInfo: Subject information.
:type subjectInfo: dict
:returns tuple -- (CSR in PEM format, CSR as text).
"""
issuerKey = crypto.load_privatekey(crypto.FILETYPE_PEM, issuerKeyPem)
issuerCert = crypto.load_certificate(crypto.FILETYPE_PEM, issuerCertPem)
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrPem)
cert = crypto.X509()
cert.set_serial_number(serial)
cert.set_version(version)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * validForDays)
cert.set_issuer(issuerCert.get_subject())
cert.set_subject(csr.get_subject())
cert.set_pubkey(csr.get_pubkey())
cert.sign(issuerKey, digest)
certPem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
certText = '???'
certFingerprint = cert.digest(digest)
return (certPem, certText, certFingerprint)
def test_post(self):
n = 'csr'
valid_setup = test_tls.get_valid_setup()
yield set_init_params(valid_setup)
yield https.PrivKeyFileRes.create_file(1, valid_setup['key'])
State.tenant_cache[1].hostname = 'notreal.ns.com'
d = {
'country': 'it',
'province': 'regione',
'city': 'citta',
'company': 'azienda',
'department': 'reparto',
'email': 'indrizzio@email',
}
body = {'name': 'csr', 'content': d}
handler = self.request(body, role='admin')
yield handler.post(n)
response = yield handler.get(n)
pem_csr = crypto.load_certificate_request(SSL.FILETYPE_PEM, response)
comps = pem_csr.get_subject().get_components()
self.assertIn((b'CN', b'notreal.ns.com'), comps)
self.assertIn((b'C', b'IT'), comps)
self.assertIn((b'L', b'citta'), comps)
def test_key_and_csr(self):
"""
Will write the key an csr on local filesystem.
"""
key_path, self.test_segments = mk.fs.makePathInTemp()
csr_segments = self.test_segments[:]
csr_segments[-1] = u'%s.csr' % csr_segments[-1]
self.addCleanup(mk.fs.deleteFile, csr_segments)
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
'--key-file',
key_path,
'--key-size=512',
])
generate_and_store_csr(options)
key_content = mk.fs.getFileContent(self.test_segments)
key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_content)
self.assertEqual(512, key.bits())
csr_content = mk.fs.getFileContent(csr_segments)
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content)
self.assertEqual(u'domain.com', csr.get_subject().CN)
def create_cert_signed_certificate(self, sign_cert_str, sign_key_str,
request_cert_str, hash_alg="sha256",
valid_from=0, valid_to=315360000, sn=1,
passphrase=None):
"""
Will sign a certificate request with a give certificate.
:param sign_cert_str: This certificate will be used to sign with.
Must be a string representation of
the certificate. If you only have a file
use the method read_str_from_file to
get a string representation.
:param sign_key_str: This is the key for the ca_cert_str
represented as a string.
If you only have a file use the method
read_str_from_file to get a string
representation.
:param request_cert_str: This is the prepared certificate to be
signed. Must be a string representation of
the requested certificate. If you only have
a file use the method read_str_from_file
to get a string representation.
:param hash_alg: Hash algorithm to use for the key. Default
is sha256.
:param valid_from: When the certificate starts to be valid.
Amount of seconds from when the
certificate is generated.
:param valid_to: How long the certificate will be valid from
when it is generated.
The value is in seconds. Default is
315360000 seconds, a.k.a 10 years.
:param sn: Serial number for the certificate. Default
is 1.
:param passphrase: Password for the private key in sign_key_str.
:return: String representation of the signed
certificate.
"""
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, sign_cert_str)
ca_key = None
if passphrase is not None:
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str,
passphrase)
else:
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str)
req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM,
request_cert_str)
cert = crypto.X509()
cert.set_subject(req_cert.get_subject())
cert.set_serial_number(sn)
cert.gmtime_adj_notBefore(valid_from)
cert.gmtime_adj_notAfter(valid_to)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(req_cert.get_pubkey())
cert.sign(ca_key, hash_alg)
cert_dump = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
if isinstance(cert_dump, six.string_types):
return cert_dump
return cert_dump.decode('utf-8')
def load_pending_requests(host=None):
result = []
# open each file in the CSR directory - any CSR here has yet to be signed
for item in os.listdir(CSR_DIR):
try:
# make sure it is a CSR
filename = "%s/%s" % (CSR_DIR, item)
csrstr = open(filename).read()
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrstr)
# ignore it if it doesn't match the host we are interested in
if host is not None and host != csr.get_subject().commonName:
continue
result.append({
"host": csr.get_subject().commonName,
"filename": filename,
"subject": csr.get_subject(),
"bits": csr.get_pubkey().bits(),
"md5": MD5.new(csrstr.encode()).hexdigest(),
"sha256": SHA256.new(csrstr.encode()).hexdigest(),
})
except crypto.Error as e:
#print(e)
pass
# sort alphabetically by hostname
result.sort(key=lambda x: x["host"])
return result
async def test_merge_certificate(self, vault_client, **kwargs):
import base64
from OpenSSL import crypto
import os
self.assertIsNotNone(vault_client)
client = vault_client.certificates
cert_name = "mergeCertificate"
issuer_name = "Unknown"
cert_policy = CertificatePolicyGenerated(
issuer_parameters=IssuerParameters(name=issuer_name,
certificate_transparency=False),
x509_certificate_properties=X509CertificateProperties(
subject="CN=MyCert"),
)
dirname = os.path.dirname(os.path.abspath(__file__))
with open(os.path.abspath(os.path.join(dirname, "ca.key")), "rt") as f:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
with open(os.path.abspath(os.path.join(dirname, "ca.crt")), "rt") as f:
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
polling_interval = 0 if self.is_playback() else None
# the poller will stop immediately because the issuer is `Unknown`
await client.create_certificate(
certificate_name=cert_name,
policy=CertificatePolicy._from_certificate_policy_bundle(
cert_policy),
_polling_interval=polling_interval)
certificate_operation = await client.get_certificate_operation(
certificate_name=cert_name)
csr = ("-----BEGIN CERTIFICATE REQUEST-----\n" +
base64.b64encode(certificate_operation.csr).decode() +
"\n-----END CERTIFICATE REQUEST-----")
req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
cert = crypto.X509()
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(
60) # Testing certificates need not be long lived
cert.set_issuer(ca_cert.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(pkey, "sha256")
signed_certificate_bytes = crypto.dump_certificate(
crypto.FILETYPE_PEM, cert).decode().replace("\n", "")
signed_certificate_bytes = signed_certificate_bytes.lstrip(
"-----BEGIN CERTIFICATE-----")
signed_certificate_bytes = signed_certificate_bytes.rstrip(
"-----END CERTIFICATE-----")
await client.merge_certificate(
certificate_name=cert_name,
x509_certificates=[signed_certificate_bytes.encode()])
def main(event, context):
s3 = boto3.resource('s3')
try:
ca_cert_s3obj = s3.Object('certsigninglambdabucket', 'signing-ca.crt')
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
ca_cert_s3obj.get()['Body'].read())
except ClientError as e:
print(e.message)
try:
ca_key_s3obj = s3.Object('certsigninglambdabucket', 'root-ca.key')
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM,
ca_key_s3obj.get()['Body'].read(),
b'test')
except ClientError as e:
print(e.message)
try:
crt_req_s3obj = s3.Object(
'certsigninglambdabucket',
urllib.unquote_plus(event['Records'][0]['s3']['object']['key']))
crt_req = crypto.load_certificate_request(
crypto.FILETYPE_PEM,
crt_req_s3obj.get()['Body'].read())
except ClientError as e:
print(e.message)
new_crt_serial = 990099
new_crt = createCertificate(crt_req, ca_cert, ca_key, new_crt_serial, 0,
230400)
msgCertificateParameters = crypto.dump_certificate(crypto.FILETYPE_TEXT,
new_crt)
print(msgCertificateParameters.decode('utf-8'))
msgCertificateParameters = crypto.dump_certificate(crypto.FILETYPE_PEM,
new_crt)
print(msgCertificateParameters.decode('utf-8'))
try:
s3.Object(
'certsigninglambdabucket',
urllib.unquote_plus(
event['Records'][0]['s3']['object']['key'])[:-4]).put(
Body=crypto.dump_certificate(crypto.FILETYPE_PEM, new_crt))
except ClientError as e:
print(e.message)
else:
try:
crt_req_s3obj = s3.Object(
'certsigninglambdabucket',
urllib.unquote_plus(
event['Records'][0]['s3']['object']['key']))
crt_req_s3obj.delete()
except ClientError as e:
print(e.message)
return
def get_CSR(self):
CSR = None
if self.cert_CSR:
CSR = crypto.load_certificate_request(
crypto.FILETYPE_PEM,
self.cert_CSR
)
return CSR
def get_CSR(self):
CSR = None
if self.cert_CSR:
CSR = crypto.load_certificate_request(
crypto.FILETYPE_PEM,
self.cert_CSR
)
return CSR
def csr_match_crt(csr, crt):
try:
x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, crt)
except crypto.Error:
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, crt)
x509req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
return crypto.dump_privatekey(crypto.FILETYPE_PEM, x509.get_pubkey()) == \
crypto.dump_privatekey(crypto.FILETYPE_PEM, x509req.get_pubkey())
def load_certificate_request(path):
"""Load the specified certificate signing request."""
try:
csr_content = open(path, 'rb').read()
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content)
return csr
except (IOError, OSError) as exc:
raise OpenSSLObjectError(exc)
def createIntermediateCertificate(csr_buffer, CA_CERT_FILE, CA_KEY_FILE):
print 'createIntermediateCertificate()'
# Load the certificate request, which contains public key and CN
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_buffer)
ca_cert = load_cert_from_file(CA_CERT_FILE)
ca_key = load_key_from_file(CA_KEY_FILE)
cert = createCertificate(csr, (ca_cert, ca_key), 1000, (0, 10 * 365 * 24 * 60 * 60), digest='sha1')
return cert
def parseCertReqStr(req):
""" Parse a certificate request which is in string form.
@param cert: Key in string form, i.e. content of certificate in file
form.
@type cert: str
@return: Parsed certificate request.
@rtype: OpenSSL.crypto.X509Req
"""
return crypto.load_certificate_request(crypto.FILETYPE_PEM, req)
def wait_for_cert(self, csrbuf, with_triggers=True):
"""
takes csr as a string
returns True, caller_cert, ca_cert
returns False, '', ''
"""
try:
csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrbuf)
except crypto.Error, e:
#XXX need to raise a fault here and document it - but false is just as good
return False, '', ''
def test_generate_csr(self):
cn = "test_cn"
# Attempt to generate a CSR
csr = local_cert_gen.LocalCertGenerator._generate_csr(
cn=cn, private_key=self.ca_private_key, passphrase=self.ca_private_key_passphrase
)
# Attempt to load the generated CSR
csro = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr)
# Make sure the CN is correct
self.assertEqual(csro.get_subject().CN, cn)
def signCSR(self, csrData):
# Load the CSR from binary input
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, self.data_string)
print 'CSR loaded from subject: ', csr.get_subject()
# Get data from CSR and insert it into new cert
cert = crypto.X509()
cert.set_subject(csr.get_subject())
cert.set_serial_number(index_list.next_serial_number())
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365*24*60*60)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(csr.get_pubkey())
extensions = []
# Set the user certificate to a 'No CA Certificate'
basic_constraints_ext = crypto.X509Extension("basicConstraints", False, "CA:FALSE")
extensions.append(basic_constraints_ext)
cert_type_ext = crypto.X509Extension("nsCertType", False, "server")
extensions.append(cert_type_ext)
ns_comment_ext = crypto.X509Extension("nsComment", False, "OpenSSL Generated Server Certificate")
extensions.append(ns_comment_ext)
subj_key_ident_ext = crypto.X509Extension("subjectKeyIdentifier", False, "hash")
extensions.append(subj_key_ident_ext)
auth_key_ident_ext = crypto.X509Extension("authorityKeyIdentifier", False, "keyid, issuer:always")
extensions.append(auth_key_ident_ext)
# Set the key usage of the user certificate to 'digitalSignature and keyEncipherment'
key_usage_ext = crypto.X509Extension("keyUsage", True, "digitalSignature, keyEncipherment")
extensions.append(key_usage_ext)
# Set the extended key usage of the user certificate to 'clientAuthentication'
extended_key_usage_ext = crypto.X509Extension("extendedKeyUsage", False, "serverAuth")
extensions.append(extended_key_usage_ext)
# Set the info access path to the OCSP URL
authority_info_access_ext = crypto.X509Extension("authorityInfoAccess", False, "OCSP;URI:http://vm02.srvhub.de:3000")
extensions.append(authority_info_access_ext)
# Add all extensions to the new certificate
x509.add_extensions(extensions)
# Sign this new cert with the CA
cert.sign(ca_key, 'sha512')
# Add the new cert to index.txt databse
index_list.add_entry(cert)
def __init__(self):
cert_buf = resource_string(__name__, self.master_cert_file)
cert_req_buf = resource_string(__name__, self.master_cert_req_file)
key_buf = resource_string(__name__, self.master_key_file)
ft = self.default_filetype
key = crypto.load_privatekey(ft, key_buf, self.master_key_password)
self.master_key = key
crt = crypto.load_certificate(ft, cert_buf)
self.master_cert = crt
csr = crypto.load_certificate_request(ft, cert_req_buf)
self.master_cert_req = csr
def parse_command(self, cmd, body=""):
if cmd == "export-crl":
"""
Generate CRL object based on certificate serial number and revocation timestamp
"""
crl = crypto.CRL()
if body:
for line in body.split("\n"):
serial_number, timestamp = line.split(":")
# TODO: Assert serial against regex
revocation = crypto.Revoked()
revocation.set_rev_date(datetime.fromtimestamp(int(timestamp)).strftime("%Y%m%d%H%M%SZ").encode("ascii"))
revocation.set_reason(b"keyCompromise")
revocation.set_serial(serial_number.encode("ascii"))
crl.add_revoked(revocation)
self.send(crl.export(
self.server.certificate,
self.server.private_key,
crypto.FILETYPE_PEM,
self.server.revocation_list_lifetime))
elif cmd == "ocsp-request":
NotImplemented # TODO: Implement OCSP
elif cmd == "sign-request":
request = crypto.load_certificate_request(crypto.FILETYPE_PEM, body)
for e in request.get_extensions():
key = e.get_short_name().decode("ascii")
if key not in EXTENSION_WHITELIST:
raise ValueError("Certificte Signing Request contains extension '%s' which is not whitelisted" % key)
# TODO: Potential exploits during PEM parsing?
cert = raw_sign(
self.server.private_key,
self.server.certificate,
request,
basic_constraints=self.server.basic_constraints,
key_usage=self.server.key_usage,
extended_key_usage=self.server.extended_key_usage,
lifetime=self.server.lifetime)
self.send(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
else:
raise NotImplementedError("Unknown command: %s" % cmd)
self.close_when_done()
def create_certificate(target_dir, ip_address):
"""Generate a cert and key file incl. IP SAN for `ip_address`
Creates a cert.pem and key.pem file signed with a known ca cert.
The generated cert will contain a IP SAN (subject alternative name) that
includes the ip address of the server. This is required for log-forwarding.
:return: tuple containing generated cert, key filepath pair
"""
ip_address = 'IP:{}'.format(ip_address)
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
csr_contents = generate_csr(target_dir, key, ip_address)
req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_contents)
ca_cert = crypto.load_certificate(
crypto.FILETYPE_PEM, ca_pem_contents)
ca_key = crypto.load_privatekey(
crypto.FILETYPE_PEM, ca_key_pem_contents)
cert = crypto.X509()
cert.set_version(0x2)
cert.set_subject(req.get_subject())
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(24 * 60 * 60)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.add_extensions([
crypto.X509Extension('subjectAltName', False, ip_address),
crypto.X509Extension(
'extendedKeyUsage', False, 'clientAuth, serverAuth'),
crypto.X509Extension(
'keyUsage', True, 'keyEncipherment'),
])
cert.sign(ca_key, "sha256")
cert_filepath = os.path.join(target_dir, 'cert.pem')
with open(cert_filepath, 'wt') as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
key_filepath = os.path.join(target_dir, 'key.pem')
with open(key_filepath, 'wt') as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
return (cert_filepath, key_filepath)
def store_request(self, buf, overwrite=False):
request = crypto.load_certificate_request(crypto.FILETYPE_PEM, buf)
common_name = request.get_subject().CN
request_path = os.path.join(self.request_dir, common_name + ".pem")
# If there is cert, check if it's the same
if os.path.exists(request_path):
if open(request_path, "rb").read() != buf:
print("Request already exists, not creating new request")
raise FileExistsError("Request already exists")
else:
with open(request_path + ".part", "wb") as fh:
fh.write(buf)
os.rename(request_path + ".part", request_path)
return Request(open(request_path))
def csr_details_view(self, request):
try:
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, request.POST['csr'])
except Exception as e:
return HttpResponseBadRequest(json.dumps({
'message': str(e),
}), content_type='application/json')
csr_subject = csr.get_subject()
subject = {}
for attr in ['C', 'ST', 'L', 'O', 'OU', 'CN', 'E', ]:
if hasattr(csr_subject, attr):
subject[attr] = getattr(csr_subject, attr)
return HttpResponse(json.dumps({
'subject': subject,
}), content_type='application/json')
def _myProxylogon(environ, start_response, username, password):
"""Wrap MyProxy logon method as a WSGI app
@type environ: dict
@param environ: WSGI environment variables dictionary
@type start_response: function
@param start_response: standard WSGI start response function
@type username: basestring
@param username: username credential to MyProxy logon
@type password: basestring
@param password: pass-phrase for MyProxy logon call
@raise HttpBasicAuthResponseException: invalid client request
@raise MyProxyClientMiddlewareError: socket error for backend
MyProxy server
"""
request = Request(environ)
requestMethod = environ.get('REQUEST_METHOD')
if requestMethod != 'POST':
response = "HTTP Request method not recognised"
log.error("HTTP Request method %r not recognised",
requestMethod)
raise HttpBasicAuthResponseException(response,
httplib.METHOD_NOT_ALLOWED)
# Extract cert request and convert to standard string - SSL library
# will not accept unicode
cert_req_key = self.__class__.CERT_REQ_POST_PARAM_KEYNAME
pem_cert_req = str(request.POST.get(cert_req_key))
if pem_cert_req is None:
response = ("No %r form variable set in POST message" %
cert_req_key)
log.error(response)
raise HttpBasicAuthResponseException(response,
httplib.BAD_REQUEST)
log.debug("cert req = %r", pem_cert_req)
# Expecting PEM encoded request
try:
cert_req = crypto.load_certificate_request(crypto.FILETYPE_PEM,
pem_cert_req)
except crypto.Error, e:
log.error("Error loading input certificate request: %r",
pem_cert_req)
raise HttpBasicAuthResponseException("Error loading input "
"certificate request",
httplib.BAD_REQUEST)
def issue_certificate_request(self, order_id, order_meta, plugin_meta,
barbican_meta_dto):
try:
encoded_csr = order_meta['request_data']
except KeyError:
return cert_manager.ResultDTO(
cert_manager.CertificateStatus.CLIENT_DATA_ISSUE_SEEN,
status_message="No request_data specified")
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, encoded_csr)
cert = self.cert_manager.make_certificate(csr)
cert_enc = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
ca_enc = crypto.dump_certificate(crypto.FILETYPE_PEM, self.ca.cert)
return cert_manager.ResultDTO(
cert_manager.CertificateStatus.CERTIFICATE_GENERATED,
certificate=cert_enc,
intermediates=ca_enc)
def load_certificate_signing_request(buf):
cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, buf)
cert_info = {}
cert_info['country'] = cert.get_subject().C
cert_info['state'] = cert.get_subject().ST
cert_info['city'] = cert.get_subject().L
cert_info['organization'] = cert.get_subject().O
cert_info['common'] = cert.get_subject().CN
cert_info['email'] = cert.get_subject().emailAddress
signature_algorithm = cert.get_signature_algorithm()
m = re.match('^(.+)[Ww]ith', signature_algorithm)
if m:
cert_info['digest_algorithm'] = m.group(1).upper()
return cert_info
def generate_cert(req_csr_txt, ca_key_txt, ca_crt_txt):
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_txt)
ca_crt = crypto.load_certificate(crypto.FILETYPE_PEM, ca_crt_txt)
req_csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, req_csr_txt)
req_crt = crypto.X509()
req_crt.gmtime_adj_notBefore(0)
req_crt.gmtime_adj_notAfter(60*60*24*365)
req_crt.set_serial_number(1)
req_crt.set_issuer(ca_crt.get_subject())
req_crt.set_pubkey(req_csr.get_pubkey())
subj = req_csr.get_subject()
subj.commonName = str(uuid.uuid4())
req_crt.set_subject(subj)
req_crt.sign(ca_key, 'sha256')
return crypto.dump_certificate(crypto.FILETYPE_PEM, req_crt).decode()
