Esempio n. 1
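def sign(csr, ca_conf):
    """Generate an X.509 certificate and sign it.

    The new certificate takes its public key and subject from ``csr``, its
    issuer from the CA certificate at ``ca_conf['cert_path']``, a validity
    window of ``ca_conf['valid_hours']`` starting now and a 128-bit random
    serial number.  Extensions from the CSR are copied only when their OID
    is listed in ``extension.EXTENSION_CLASSES``: an unknown *critical*
    extension aborts signing (dropping it silently would issue a
    certificate the requester did not ask for), an unknown non-critical
    extension is left out and logged.

    :param csr: X509 certificate signing request
    :param ca_conf: signing CA configuration; ``cert_path``, ``key_path``,
        ``valid_hours`` and ``signing_hash`` are read
    :return: signed certificate in PEM format
    :raises SigningError: if the CA certificate or key cannot be loaded, or
        the CSR carries an unknown critical extension
    """
    try:
        ca = certificate.X509Certificate.from_file(
            ca_conf['cert_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA: %s" % (e,))

    try:
        key = utils.get_private_key_from_file(ca_conf['key_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA key: %s" % (e,))

    new_cert = certificate.X509Certificate()
    # The X.509 version field is zero-based: 2 denotes a v3 certificate,
    # the version that can carry extensions.
    new_cert.set_version(2)

    start_time = int(time.time())
    end_time = start_time + (ca_conf['valid_hours'] * 60 * 60)
    new_cert.set_not_before(start_time)
    new_cert.set_not_after(end_time)

    new_cert.set_pubkey(pkey=csr.get_pubkey())
    new_cert.set_subject(csr.get_subject())
    new_cert.set_issuer(ca.get_subject())

    # uuid4 is drawn from os.urandom, so the serial is both unique and
    # unpredictable (CA/Browser Forum Baseline Requirements ask for at
    # least 64 bits of CSPRNG output in serial numbers).
    serial = int(uuid.uuid4().hex, 16)
    new_cert.set_serial_number(serial)

    # Count only the extensions that are actually added, so a skipped
    # unknown extension does not leave a gap in the position handed to
    # add_extension().
    ext_i = 0
    for ext in csr.get_extensions():
        oid = ext.get_oid()
        # this check is separate from standards validator - the signing backend
        # may know about more/fewer extensions than we do
        if oid not in extension.EXTENSION_CLASSES:
            if ext.get_critical():
                logger.warning("CSR submitted with unknown extension oid %s, "
                               "refusing to sign", oid)
                raise SigningError("Unknown critical extension %s" % (oid,))
            # Pass the OID itself, not a 1-tuple, or the log line shows
            # the tuple's repr instead of the OID.
            logger.info("CSR submitted with non-critical unknown oid %s, "
                        "not including extension", oid)
            continue
        logger.info("Adding certificate extension: %i %s", ext_i, str(ext))
        new_cert.add_extension(ext, ext_i)
        ext_i += 1

    logger.info("Signing certificate for <%s> with serial <%s>",
                csr.get_subject(), serial)

    new_cert.sign(key, ca_conf['signing_hash'])

    return new_cert.as_pem()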
Esempio n. 2
def sign(csr, ca_conf):
    """Sign ``csr`` with the CA key named in ``ca_conf``.

    The CA private key is loaded from ``ca_conf['key_path']`` and its type
    decides the ``encryption`` label handed to ``make_signer`` and
    ``signers.sign_generic``; RSA and DSA keys are recognised, anything
    else is refused.

    :param csr: X509 certificate signing request
    :param ca_conf: signing CA configuration; ``key_path`` and
        ``signing_hash`` are read
    :return: whatever ``signers.sign_generic`` returns for this CSR
    :raises signers.SigningError: if the key cannot be loaded or is of an
        unsupported type
    """
    try:
        key = x509_utils.get_private_key_from_file(ca_conf['key_path'])
    except Exception as e:
        raise signers.SigningError("Cannot load the signing CA key: %s" % (e,))

    # Ordered (key class, label) pairs; the first match wins.
    supported_key_types = (
        (rsa.RSAPrivateKey, 'RSA'),
        (dsa.DSAPrivateKey, 'DSA'),
    )
    encryption = None
    for key_cls, label in supported_key_types:
        if isinstance(key, key_cls):
            encryption = label
            break
    if encryption is None:
        raise signers.SigningError("Unknown key type: %s" % (key.__class__,))

    signer = make_signer(key, encryption, ca_conf['signing_hash'])
    return signers.sign_generic(csr, ca_conf, encryption, signer)
Esempio n. 3
def sign(csr, ca_conf):
    """Generate an X.509 certificate and sign it.

    The certificate copies the public key, subject and every extension of
    ``csr`` as submitted (no extension filtering is applied here, so a
    requester-supplied extension lands in the issued certificate
    unchanged), names the CA at ``ca_conf['cert_path']`` as issuer and is
    valid for ``ca_conf['valid_hours']`` from now.

    :param csr: X509 certificate signing request
    :param ca_conf: signing CA configuration; ``cert_path``, ``key_path``,
        ``valid_hours`` and ``signing_hash`` are read
    :return: signed certificate in PEM format
    :raises SigningError: if the CA certificate or key cannot be loaded
    """
    try:
        ca_cert = certificate.X509Certificate.from_file(
            ca_conf['cert_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA: %s" % (e,))

    try:
        ca_key = utils.get_private_key_from_file(ca_conf['key_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA key: %s" % (e,))

    cert = certificate.X509Certificate()
    # X.509 version values are zero-based: 2 means a v3 certificate.
    cert.set_version(2)

    now = int(time.time())
    lifetime_seconds = ca_conf['valid_hours'] * 60 * 60
    cert.set_not_before(now)
    cert.set_not_after(now + lifetime_seconds)

    cert.set_pubkey(pkey=csr.get_pubkey())
    cert.set_subject(csr.get_subject())
    cert.set_issuer(ca_cert.get_subject())

    # NOTE(tkelsey): this needs to be in the range of an int
    # NOTE(review): sys.maxsize depends on the host build (2**31 - 1 on a
    # 32-bit Python), so the serial width varies by platform; confirm the
    # backend's limit is really the platform int rather than a fixed size.
    serial = int(uuid.uuid4().int % sys.maxsize)
    cert.set_serial_number(serial)

    for position, ext in enumerate(csr.get_extensions()):
        logger.info("Adding certificate extension: %i %s", position, str(ext))
        cert.add_extension(ext, position)

    logger.info("Signing certificate for <%s> with serial <%s>",
                csr.get_subject(), serial)

    cert.sign(ca_key, ca_conf['signing_hash'])

    return cert.as_pem()
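def generate_crl():
    """Build and sign a CRL for the registration authority's signing CA.

    Every entry of the certificate DB whose status is ``"Revoked"`` becomes
    a revoked-certificate record (serial number and revocation date).  The
    CRL's thisUpdate is now, nextUpdate is now plus
    ``revocation_options["crl_lifetime_days"]``, and it is signed with
    SHA-256 by the private key of the CA configured for
    ``ra_options["ra_name"]``.

    :return: the CRL encoded as ``revocation_options["crl_format"]``
        (a ``serialization.Encoding`` member name)
    :raises Exception: re-raised, after logging, when the CA certificate or
        its private key cannot be loaded
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    crl_builder = x509.CertificateRevocationListBuilder()

    # find revoked certs, create revoked cert objects and
    # add to the crl builder
    for req in sorted(dbdata):
        entry = dbdata[req]
        if entry is None or entry.getStatus() != "Revoked":
            continue
        # todo. dg. check this is getting valid serial numbers
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .revocation_date(entry.revocation_date)
            .serial_number(entry.get_cert_serial())
            .build(backends.default_backend())
        )
        crl_builder = crl_builder.add_revoked_certificate(revoked_certificate)

    # Read the clock once so thisUpdate and nextUpdate are derived from the
    # same instant instead of two separate calls.
    # todo. dg. what about clock skew? validfrom date in past?
    now = datetime.datetime.utcnow()
    crl_lifetime = datetime.timedelta(
        days=int(jsonloader.conf.revocation_options["crl_lifetime_days"]))
    crl_builder = crl_builder.last_update(now)
    crl_builder = crl_builder.next_update(now + crl_lifetime)

    # get CA cert
    ca_conf = jsonloader.signing_ca_for_registration_authority(jsonloader.conf.ra_options["ra_name"])
    try:
        ca_cert = anchor_certificate.X509Certificate.from_file(ca_conf["cert_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA: %s", e)
        raise

    # set CRL cn (issuer name) to that of the CA certificate
    # NOTE(review): only the first component of the CA subject is copied,
    # and always as a CN. Relying parties match the CRL issuer against the
    # CA certificate's full subject DN, so a CA subject with several
    # components (or one whose first component is not CN) would yield a CRL
    # that does not validate against it -- confirm against the CA
    # certificates actually in use.
    crl_builder = crl_builder.issuer_name(
        x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, ca_cert.get_subject()[0].get_value())])
    )

    # get private key
    try:
        private_key = anchor_utils.get_private_key_from_file(ca_conf["key_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA private key: %s", e)
        raise
    # generate crl #todo get hash alg from config?
    crl = crl_builder.sign(private_key, hashes.SHA256(), backends.default_backend())

    return crl.public_bytes(serialization.Encoding(jsonloader.conf.revocation_options["crl_format"]))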
Esempio n. 5
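def sign(csr, ca_conf):
    """Generate an X.509 certificate and sign it.

    The new certificate takes its public key and subject from ``csr``, its
    issuer from the CA certificate at ``ca_conf['cert_path']``, a validity
    window of ``ca_conf['valid_hours']`` starting now and a 128-bit random
    serial number.  Extensions from the CSR are copied only when their OID
    is listed in ``extension.EXTENSION_CLASSES``: an unknown *critical*
    extension aborts signing (dropping it silently would issue a
    certificate the requester did not ask for), an unknown non-critical
    extension is left out and logged.

    :param csr: X509 certificate signing request
    :param ca_conf: signing CA configuration; ``cert_path``, ``key_path``,
        ``valid_hours`` and ``signing_hash`` are read
    :return: signed certificate in PEM format
    :raises SigningError: if the CA certificate or key cannot be loaded, or
        the CSR carries an unknown critical extension
    """
    try:
        ca = certificate.X509Certificate.from_file(ca_conf['cert_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA: %s" % (e, ))

    try:
        key = x509_utils.get_private_key_from_file(ca_conf['key_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA key: %s" % (e, ))

    new_cert = certificate.X509Certificate()
    # The X.509 version field is zero-based: 2 denotes a v3 certificate,
    # the version that can carry extensions.
    new_cert.set_version(2)

    start_time = int(time.time())
    end_time = start_time + (ca_conf['valid_hours'] * 60 * 60)
    new_cert.set_not_before(start_time)
    new_cert.set_not_after(end_time)

    new_cert.set_pubkey(pkey=csr.get_pubkey())
    new_cert.set_subject(csr.get_subject())
    new_cert.set_issuer(ca.get_subject())

    # uuid4 is drawn from os.urandom, so the serial is both unique and
    # unpredictable (CA/Browser Forum Baseline Requirements ask for at
    # least 64 bits of CSPRNG output in serial numbers).
    serial = int(uuid.uuid4().hex, 16)
    new_cert.set_serial_number(serial)

    # ext_i counts only the extensions actually added, so a skipped
    # unknown extension does not leave a gap in the position handed to
    # add_extension().
    ext_i = 0
    for ext in csr.get_extensions():
        oid = ext.get_oid()
        # this check is separate from standards validator - the signing backend
        # may know about more/fewer extensions than we do
        if oid not in extension.EXTENSION_CLASSES:
            if ext.get_critical():
                logger.warning(
                    "CSR submitted with unknown extension oid %s, "
                    "refusing to sign", oid)
                raise SigningError("Unknown critical extension %s" %
                                   (oid, ))
            # Pass the OID itself, not a 1-tuple, or the log line shows
            # the tuple's repr instead of the OID.
            logger.info(
                "CSR submitted with non-critical unknown oid %s, "
                "not including extension", oid)
            continue
        logger.info("Adding certificate extension: %i %s", ext_i, str(ext))
        new_cert.add_extension(ext, ext_i)
        ext_i += 1

    logger.info("Signing certificate for <%s> with serial <%s>",
                csr.get_subject(), serial)

    new_cert.sign(key, ca_conf['signing_hash'])

    return new_cert.as_pem()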