def _payload_process(self, payload):
""" process payload """
self.logger.debug('Trigger._payload_process()')
with self.cahandler(self.debug, self.logger) as ca_handler:
if payload:
(error, cert_bundle, cert_raw) = ca_handler.trigger(payload)
if cert_bundle and cert_raw:
# returned cert_raw is in dear format, convert to pem to lookup the pubic key
cert_pem = convert_byte_to_string(
cert_der2pem(b64_decode(self.logger, cert_raw)))
# lookup certificate_name by comparing public keys
cert_name_list = self._certname_lookup(cert_pem)
if cert_name_list:
for cert in cert_name_list:
data_dic = {
'cert': cert_bundle,
'name': cert['cert_name'],
'cert_raw': cert_raw
}
try:
self.dbstore.certificate_add(data_dic)
except BaseException as err_:
self.logger.critical(
'acme2certifier database error in trigger._payload_process() add: {0}'
.format(err_))
if 'order_name' in cert and cert['order_name']:
try:
# update order status to 5 (valid)
self.dbstore.order_update({
'name':
cert['order_name'],
'status':
'valid'
})
except BaseException as err_:
self.logger.critical(
'acme2certifier database error in trigger._payload_process() upd: {0}'
.format(err_))
code = 200
message = 'OK'
detail = None
else:
code = 400
message = 'certificate_name lookup failed'
detail = None
else:
code = 400
message = error
detail = None
else:
code = 400
message = 'payload malformed'
detail = None
self.logger.debug(
'Trigger._payload_process() ended with: {0} {1}'.format(
code, message))
return (code, message, detail)
def _ca_cert_load(self):
""" load ca key from database """
self.logger.debug('CAhandler._ca_cert_load({0})'.format(self.issuing_ca_name))
# query database for key
self._db_open()
pre_statement = '''SELECT * from view_certs WHERE name LIKE ?'''
self.cursor.execute(pre_statement, [self.issuing_ca_name])
try:
db_result = dict_from_row(self.cursor.fetchone())
except BaseException:
self.logger.error('cert lookup failed: {0}'.format(self.cursor.fetchone()))
db_result = {}
self._db_close()
ca_cert = None
ca_id = None
if 'cert' in db_result:
try:
ca_cert = crypto.load_certificate(crypto.FILETYPE_ASN1, b64_decode(self.logger, db_result['cert']))
ca_id = db_result['id']
except BaseException as err_:
self.logger.error('CAhandler._ca_cert_load() failed with error: {0}'.format(err_))
return (ca_cert, ca_id)
def simpleenroll(self, csr):
"""EST /simpleenroll request."""
# print(csr)
error = None
try:
headers = {'Content-Type': 'application/pkcs10'}
response = requests.post(self.est_host + '/simpleenroll', data=csr, cert=self.est_client_cert, headers=headers, verify=self.ca_bundle)
response.raise_for_status()
pem = self.pkcs7_to_pem(b64_decode(self.logger, response.text))
except BaseException as error:
pem = None
return(error, pem)
def cacerts_get(self):
""" get ca certs from cerver """
self.logger.debug('CAhandler.cacerts_get()')
error = None
try:
response = requests.get(self.est_host + '/cacerts', cert=self.est_client_cert, verify=self.ca_bundle)
response.raise_for_status()
pem = self.pkcs7_to_pem(b64_decode(self.logger, response.text))
except BaseException as error:
pem = None
self.logger.debug('CAhandler.cacerts_get() ended with err: {0}'.format(error))
return(error, pem)
def _pemcertchain_generate(self, ee_cert, issuer_cert):
""" build pem chain """
self.logger.debug('CAhandler._pemcertchain_generate()')
if issuer_cert:
pem_chain = '{0}{1}'.format(ee_cert, issuer_cert)
else:
pem_chain = ee_cert
for cert in self.ca_cert_chain_list:
cert_dic = self._cert_search('items.name', cert)
if cert_dic and 'cert' in cert_dic:
ca_cert = crypto.load_certificate(crypto.FILETYPE_ASN1, b64_decode(self.logger, cert_dic['cert']))
pem_chain = '{0}{1}'.format(pem_chain, convert_byte_to_string(crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert)))
self.logger.debug('CAhandler._pemcertchain_generate() ended')
return pem_chain
def trigger(self, payload):
""" process trigger message and return certificate """
self.logger.debug('CAhandler.trigger()')
error = None
cert_bundle = None
cert_raw = None
if payload:
# decode payload
cert = b64_decode(self.logger, payload)
try:
# cert is a base64 encoded pem object
cert_raw = b64_encode(self.logger, cert_pem2der(cert))
except BaseException:
# cert is a binary der encoded object
cert_raw = b64_encode(self.logger, cert)
# lookup REST-PATH of issuing CA
ca_dic = self._ca_get_properties('name', self.ca_name)
if 'href' in ca_dic:
# get serial from pem file
serial = cert_serial_get(self.logger, cert_raw)
if serial:
# get certificate information via rest by search for ca+ serial
cert_list = self._cert_get_properties(
serial, ca_dic['href'])
# the first entry is the cert we are looking for
if 'certificates' in cert_list and len(
cert_list['certificates'][0]) > 0:
cert_dic = cert_list['certificates'][0]
cert_bundle = self._pem_cert_chain_generate(cert_dic)
else:
error = 'no certifcates found in rest query'
else:
error = 'serial number lookup via rest failed'
else:
error = 'CA could not be found'
else:
error = 'No payload given'
self.logger.debug(
'CAhandler.trigger() ended with error: {0}'.format(error))
return (error, cert_bundle, cert_raw)
def _simpleenroll(self, csr):
"""EST /simpleenroll request."""
self.logger.debug('CAhandler._simpleenroll()')
error = None
try:
headers = {'Content-Type': 'application/pkcs10'}
if self.est_client_cert:
# client auth
response = requests.post(self.est_host + '/simpleenroll', data=csr, cert=self.est_client_cert, headers=headers, verify=self.ca_bundle)
else:
response = requests.post(self.est_host + '/simpleenroll', data=csr, auth=HTTPBasicAuth(self.est_user, self.est_password), headers=headers, verify=self.ca_bundle)
# response.raise_for_status()
pem = self._pkcs7_to_pem(b64_decode(self.logger, response.text))
except BaseException as err_:
self.logger.error('CAhandler._simpleenroll() returned an error: {0}'.format(err_))
error = str(err_)
pem = None
self.logger.debug('CAhandler._simpleenroll() ended with err: {0}'.format(error))
return(error, pem)
def _template_load(self):
""" load template from database """
self.logger.debug('CAhandler._template_load({0})'.format(self.template_name))
# query database for template
self._db_open()
pre_statement = '''SELECT * from view_templates WHERE name LIKE ?'''
self.cursor.execute(pre_statement, [self.template_name])
try:
db_result = dict_from_row(self.cursor.fetchone())
except BaseException:
self.logger.error('template lookup failed: {0}'.format(self.cursor.fetchone()))
db_result = {}
# parse template
dn_dic = {}
template_dic = {}
if 'template' in db_result:
byte_stream = b64_decode(self.logger, db_result['template'])
(dn_dic, template_dic) = self._template_parse(byte_stream)
self._db_close()
self.logger.debug('CAhandler._template_load() ended')
return(dn_dic, template_dic)
def _cacerts_get(self):
""" get ca certs from cerver """
self.logger.debug('CAhandler._cacerts_get()')
error = None
if self.est_host:
try:
if self.est_client_cert:
# client auth
response = requests.get(self.est_host + '/cacerts', cert=self.est_client_cert, verify=self.ca_bundle)
else:
response = requests.get(self.est_host + '/cacerts', auth=HTTPBasicAuth(self.est_user, self.est_password), verify=self.ca_bundle)
pem = self._pkcs7_to_pem(b64_decode(self.logger, response.text))
except BaseException as err_:
self.logger.error('CAhandler._cacerts_get() returned an error: {0}'.format(err_))
error = err_
pem = None
else:
self.logger.error('CAhandler._cacerts_get() configuration incomplete: "est_host" parameter is missing')
error = None
pem = None
self.logger.debug('CAhandler._cacerts_get() ended with err: {0}'.format(error))
return(error, pem)