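def sign(csr, ca_conf):
    """Generate an X.509 certificate and sign it.

    The CA certificate and private key named in *ca_conf* are loaded, a
    v3 certificate is built from the CSR's subject and public key with the
    CA's subject as issuer, and the CSR's extensions are copied across
    unless their OID is absent from ``extension.EXTENSION_CLASSES``.  An
    unknown extension flagged critical aborts signing (the CA would be
    asserting semantics it cannot vouch for); an unknown non-critical one
    is dropped from the issued certificate.

    :param csr: X509 certificate signing request
    :param ca_conf: signing CA configuration; the keys read here are
        ``cert_path``, ``key_path``, ``valid_hours`` and ``signing_hash``
    :return: signed certificate in PEM format
    :raises SigningError: if the CA certificate or key cannot be loaded,
        or the CSR carries an unknown critical extension
    """
    try:
        ca = certificate.X509Certificate.from_file(ca_conf['cert_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA: %s" % (e,))
    try:
        key = utils.get_private_key_from_file(ca_conf['key_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA key: %s" % (e,))

    new_cert = certificate.X509Certificate()
    # the version field is zero-based, so 2 encodes X.509 v3
    new_cert.set_version(2)

    # notBefore is the current second with no backdating; a relying party
    # whose clock runs behind ours may reject the certificate briefly
    start_time = int(time.time())
    end_time = start_time + (ca_conf['valid_hours'] * 60 * 60)
    new_cert.set_not_before(start_time)
    new_cert.set_not_after(end_time)

    new_cert.set_pubkey(pkey=csr.get_pubkey())
    new_cert.set_subject(csr.get_subject())
    new_cert.set_issuer(ca.get_subject())

    # a uuid4 carries 122 random bits, so the serial is unpredictable,
    # which is what RFC 5280 / CA-B Forum guidance asks of serial numbers
    serial = int(uuid.uuid4().hex, 16)
    new_cert.set_serial_number(serial)

    # this check is separate from standards validator - the signing backend
    # may know about more/fewer extensions than we do
    ext_index = 0
    for ext in csr.get_extensions():
        oid = ext.get_oid()
        if oid not in extension.EXTENSION_CLASSES:
            if ext.get_critical():
                logger.warning("CSR submitted with unknown extension oid %s, "
                               "refusing to sign", oid)
                raise SigningError("Unknown critical extension %s" % (oid,))
            # pass the OID itself, not a 1-tuple, so the log shows the bare OID
            logger.info("CSR submitted with non-critical unknown oid %s, "
                        "not including extension", oid)
            continue
        # ext_index counts only the extensions actually added, so the
        # positions stay contiguous when an unknown one is skipped
        logger.info("Adding certificate extension: %i %s", ext_index, str(ext))
        new_cert.add_extension(ext, ext_index)
        ext_index += 1

    logger.info("Signing certificate for <%s> with serial <%s>",
                csr.get_subject(), serial)
    new_cert.sign(key, ca_conf['signing_hash'])
    return new_cert.as_pem()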
def sign(csr, ca_conf):
    """Sign *csr* with the CA key named in *ca_conf* (cryptography backend).

    The key is loaded from ``ca_conf['key_path']`` and classified as RSA or
    DSA by its type; anything else is rejected.  A signer is then built by
    ``make_signer`` from the key, its kind and ``ca_conf['signing_hash']``,
    and certificate assembly is delegated to ``signers.sign_generic``.

    :param csr: X509 certificate signing request
    :param ca_conf: signing CA configuration
    :return: the result of ``signers.sign_generic``
    :raises signers.SigningError: if the key cannot be loaded or is
        neither an RSA nor a DSA private key
    """
    try:
        ca_key = x509_utils.get_private_key_from_file(ca_conf['key_path'])
    except Exception as e:
        raise signers.SigningError(
            "Cannot load the signing CA key: %s" % (e,))

    # checked in this order; any other key type (EC, for instance) raises.
    # NOTE(review): DSA is still accepted here - presumably for existing CAs
    key_kinds = (
        (rsa.RSAPrivateKey, 'RSA'),
        (dsa.DSAPrivateKey, 'DSA'),
    )
    for key_class, label in key_kinds:
        if isinstance(ca_key, key_class):
            encryption = label
            break
    else:
        raise signers.SigningError(
            "Unknown key type: %s" % (ca_key.__class__,))

    signer = make_signer(ca_key, encryption, ca_conf['signing_hash'])
    return signers.sign_generic(csr, ca_conf, encryption, signer)
def sign(csr, ca_conf):
    """Generate an X.509 certificate and sign it.

    The CA certificate and key are loaded from ``ca_conf['cert_path']`` and
    ``ca_conf['key_path']``; the new v3 certificate takes its subject and
    public key from the CSR, the CA's subject as issuer, and a validity of
    ``ca_conf['valid_hours']`` starting now.  Every extension on the CSR is
    copied across unchanged, in order.

    NOTE(review): nothing here filters unknown or critical CSR extensions
    before they are copied; presumably the standards validators run ahead
    of signing - confirm before relying on this backend alone.

    :param csr: X509 certificate signing request
    :param ca_conf: signing CA configuration
    :return: signed certificate in PEM format
    :raises SigningError: if the CA certificate or key cannot be loaded
    """
    try:
        ca = certificate.X509Certificate.from_file(ca_conf['cert_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA: %s" % (e,))
    try:
        key = utils.get_private_key_from_file(ca_conf['key_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA key: %s" % (e,))

    not_before = int(time.time())
    lifetime_seconds = ca_conf['valid_hours'] * 60 * 60

    new_cert = certificate.X509Certificate()
    new_cert.set_version(2)  # zero-based: 2 means X.509 v3
    new_cert.set_not_before(not_before)
    new_cert.set_not_after(not_before + lifetime_seconds)
    new_cert.set_pubkey(pkey=csr.get_pubkey())
    new_cert.set_subject(csr.get_subject())
    new_cert.set_issuer(ca.get_subject())

    # NOTE(tkelsey): this needs to be in the range of an int
    # Reducing the 122 random bits of a uuid4 modulo sys.maxsize leaves
    # about 63 random bits on 64-bit builds (about 31 on 32-bit) and can,
    # in principle, yield 0, which RFC 5280 does not allow as a serial.
    serial = int(uuid.uuid4().int % sys.maxsize)
    new_cert.set_serial_number(serial)

    for position, ext in enumerate(csr.get_extensions()):
        logger.info("Adding certificate extension: %i %s", position, str(ext))
        new_cert.add_extension(ext, position)

    logger.info("Signing certificate for <%s> with serial <%s>",
                csr.get_subject(), serial)
    new_cert.sign(key, ca_conf['signing_hash'])
    return new_cert.as_pem()
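def generate_crl():
    """Build and sign a CRL for the registration authority's signing CA.

    Every entry of the certificate database whose status is ``"Revoked"``
    is added to the CRL with its stored revocation date and serial number.
    The CRL's window runs from now for
    ``revocation_options["crl_lifetime_days"]`` days; it is signed with the
    CA private key using SHA-256 and returned in the encoding named by
    ``revocation_options["crl_format"]``.

    :return: the encoded CRL bytes
    :raises Exception: whatever loading the CA certificate or key raises;
        the failure is logged before being re-raised
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    crl_builder = x509.CertificateRevocationListBuilder()
    backend = backends.default_backend()

    # find revoked certs, create revoked cert objects and
    # add to the crl builder
    for req in sorted(dbdata):
        entry = dbdata[req]
        if entry is None or entry.getStatus() != "Revoked":
            continue
        # todo. dg. check this is getting valid serial numbers
        revoked_certificate = (
            x509.RevokedCertificateBuilder()
            .revocation_date(entry.revocation_date)
            .serial_number(entry.get_cert_serial())
            .build(backend)
        )
        crl_builder = crl_builder.add_revoked_certificate(revoked_certificate)

    # set crl lifetimes from one timestamp, so nextUpdate is exactly
    # crl_lifetime after lastUpdate rather than two separate clock reads
    # todo. dg. what about clock skew? validfrom date in past?
    now = datetime.datetime.utcnow()
    crl_lifetime = datetime.timedelta(
        days=int(jsonloader.conf.revocation_options["crl_lifetime_days"]))
    crl_builder = crl_builder.last_update(now)
    crl_builder = crl_builder.next_update(now + crl_lifetime)

    # get CA cert
    ca_conf = jsonloader.signing_ca_for_registration_authority(
        jsonloader.conf.ra_options["ra_name"])
    try:
        ca_cert = anchor_certificate.X509Certificate.from_file(
            ca_conf["cert_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA: %s", e)
        raise

    # set CRL cn (issuer name) to that of the CA certificate
    # NOTE(review): only the value of the CA subject's first attribute is
    # copied, as a CN.  RFC 5280 expects the CRL issuer to match the CA
    # certificate's subject exactly, so a CA subject with further RDNs (or
    # whose first attribute is not the CN) produces a CRL that relying
    # parties may not associate with this CA - confirm against the CA
    # certificates actually in use.
    ca_common_name = ca_cert.get_subject()[0].get_value()
    crl_builder = crl_builder.issuer_name(x509.Name([
        x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, ca_common_name),
    ]))

    # get private key
    try:
        private_key = anchor_utils.get_private_key_from_file(
            ca_conf["key_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA private key: %s", e)
        raise

    # generate crl
    # todo get hash alg from config?
    crl = crl_builder.sign(private_key, hashes.SHA256(), backend)
    encoding = serialization.Encoding(
        jsonloader.conf.revocation_options["crl_format"])
    return crl.public_bytes(encoding)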
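def sign(csr, ca_conf):
    """Generate an X.509 certificate and sign it.

    Loads the CA certificate and key named in *ca_conf*, builds a v3
    certificate from the CSR's subject and public key with the CA's
    subject as issuer, and copies over the CSR extensions whose OID is
    listed in ``extension.EXTENSION_CLASSES``.  An unknown extension
    flagged critical aborts signing; an unknown non-critical one is left
    out of the issued certificate.

    :param csr: X509 certificate signing request
    :param ca_conf: signing CA configuration; the keys read here are
        ``cert_path``, ``key_path``, ``valid_hours`` and ``signing_hash``
    :return: signed certificate in PEM format
    :raises SigningError: if the CA certificate or key cannot be loaded,
        or the CSR carries an unknown critical extension
    """
    try:
        ca = certificate.X509Certificate.from_file(ca_conf['cert_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA: %s" % (e, ))
    try:
        key = x509_utils.get_private_key_from_file(ca_conf['key_path'])
    except Exception as e:
        raise SigningError("Cannot load the signing CA key: %s" % (e, ))

    new_cert = certificate.X509Certificate()
    # the version field is zero-based, so 2 encodes X.509 v3
    new_cert.set_version(2)

    # notBefore is the current second with no backdating; a relying party
    # whose clock runs behind ours may reject the certificate briefly
    start_time = int(time.time())
    end_time = start_time + (ca_conf['valid_hours'] * 60 * 60)
    new_cert.set_not_before(start_time)
    new_cert.set_not_after(end_time)

    new_cert.set_pubkey(pkey=csr.get_pubkey())
    new_cert.set_subject(csr.get_subject())
    new_cert.set_issuer(ca.get_subject())

    # a uuid4 carries 122 random bits, which keeps the serial unpredictable
    serial = int(uuid.uuid4().hex, 16)
    new_cert.set_serial_number(serial)

    # this check is separate from standards validator - the signing backend
    # may know about more/fewer extensions than we do
    ext_i = 0  # counts only the extensions actually added, so it stays contiguous
    for ext in csr.get_extensions():
        if ext.get_oid() in extension.EXTENSION_CLASSES:
            logger.info("Adding certificate extension: %i %s", ext_i, str(ext))
            new_cert.add_extension(ext, ext_i)
            ext_i += 1
        elif ext.get_critical():
            logger.warning(
                "CSR submitted with unknown extension oid %s, "
                "refusing to sign", ext.get_oid())
            raise SigningError("Unknown critical extension %s" %
                               (ext.get_oid(), ))
        else:
            # pass the OID itself rather than a 1-tuple, so the log line
            # shows the bare OID instead of the tuple's repr
            logger.info(
                "CSR submitted with non-critical unknown oid %s, "
                "not including extension", ext.get_oid())

    logger.info("Signing certificate for <%s> with serial <%s>",
                csr.get_subject(), serial)
    new_cert.sign(key, ca_conf['signing_hash'])
    return new_cert.as_pem()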