def sign(csr, ca_conf):
"""Generate an X.509 certificate and sign it.
:param csr: X509 certificate signing request
:param ca_conf: signing CA configuration
:return: signed certificate in PEM format
"""
try:
ca = certificate.X509Certificate.from_file(
ca_conf['cert_path'])
except Exception as e:
raise SigningError("Cannot load the signing CA: %s" % (e,))
try:
key = utils.get_private_key_from_file(ca_conf['key_path'])
except Exception as e:
raise SigningError("Cannot load the signing CA key: %s" % (e,))
new_cert = certificate.X509Certificate()
new_cert.set_version(2)
start_time = int(time.time())
end_time = start_time + (ca_conf['valid_hours'] * 60 * 60)
new_cert.set_not_before(start_time)
new_cert.set_not_after(end_time)
new_cert.set_pubkey(pkey=csr.get_pubkey())
new_cert.set_subject(csr.get_subject())
new_cert.set_issuer(ca.get_subject())
serial = int(uuid.uuid4().hex, 16)
new_cert.set_serial_number(serial)
exts = csr.get_extensions()
for i, ext in enumerate(exts):
# this check is separate from standards validator - the signing backend
# may know about more/fewer extensions than we do
if ext.get_oid() not in extension.EXTENSION_CLASSES.keys():
if ext.get_critical():
logger.warning("CSR submitted with unknown extension oid %s, "
"refusing to sign", ext.get_oid())
raise SigningError("Unknown critical extension %s" % (
ext.get_oid(),))
else:
logger.info("CSR submitted with non-critical unknown oid %s, "
"not including extension", (ext.get_oid(),))
else:
logger.info("Adding certificate extension: %i %s", i, str(ext))
new_cert.add_extension(ext, i)
logger.info("Signing certificate for <%s> with serial <%s>",
csr.get_subject(), serial)
new_cert.sign(key, ca_conf['signing_hash'])
cert_pem = new_cert.as_pem()
return cert_pem
def sign(csr, ca_conf):
try:
key = x509_utils.get_private_key_from_file(ca_conf['key_path'])
except Exception as e:
raise signers.SigningError("Cannot load the signing CA key: %s" % (e,))
if isinstance(key, rsa.RSAPrivateKey):
encryption = 'RSA'
elif isinstance(key, dsa.DSAPrivateKey):
encryption = 'DSA'
else:
raise signers.SigningError("Unknown key type: %s" % (key.__class__,))
signer = make_signer(key, encryption, ca_conf['signing_hash'])
return signers.sign_generic(csr, ca_conf, encryption, signer)
def sign(csr, ca_conf):
"""Generate an X.509 certificate and sign it.
:param csr: X509 certificate signing request
:param ca_conf: signing CA configuration
:return: signed certificate in PEM format
"""
try:
ca = certificate.X509Certificate.from_file(
ca_conf['cert_path'])
except Exception as e:
raise SigningError("Cannot load the signing CA: %s" % (e,))
try:
key = utils.get_private_key_from_file(ca_conf['key_path'])
except Exception as e:
raise SigningError("Cannot load the signing CA key: %s" % (e,))
new_cert = certificate.X509Certificate()
new_cert.set_version(2)
start_time = int(time.time())
end_time = start_time + (ca_conf['valid_hours'] * 60 * 60)
new_cert.set_not_before(start_time)
new_cert.set_not_after(end_time)
new_cert.set_pubkey(pkey=csr.get_pubkey())
new_cert.set_subject(csr.get_subject())
new_cert.set_issuer(ca.get_subject())
# NOTE(tkelsey): this needs to be in the range of an int
serial = int(int(uuid.uuid4().hex, 16) % sys.maxsize)
new_cert.set_serial_number(serial)
exts = csr.get_extensions()
for i, ext in enumerate(exts):
logger.info("Adding certificate extension: %i %s", i, str(ext))
new_cert.add_extension(ext, i)
logger.info("Signing certificate for <%s> with serial <%s>",
csr.get_subject(), serial)
new_cert.sign(key, ca_conf['signing_hash'])
cert_pem = new_cert.as_pem()
return cert_pem
def generate_crl():
dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
crl_builder = x509.CertificateRevocationListBuilder()
# find revoked certs, create revoked cert objects and
# add to the crl builder
for req in sorted(dbdata):
if dbdata[req] is None:
continue
if dbdata[req].getStatus() == "Revoked":
builder = x509.RevokedCertificateBuilder()
builder = builder.revocation_date(dbdata[req].revocation_date)
# todo. dg. check this is getting valid serial numbers
builder = builder.serial_number(dbdata[req].get_cert_serial())
revoked_certificate = builder.build(backends.default_backend())
crl_builder = crl_builder.add_revoked_certificate(revoked_certificate)
# set crl lifetimes #todo. dg. what about clock skew? validfrom date in
# past?
crl_builder = crl_builder.last_update(datetime.datetime.utcnow())
crl_lifetime = datetime.timedelta(int(jsonloader.conf.revocation_options["crl_lifetime_days"]), 0, 0)
crl_builder = crl_builder.next_update(datetime.datetime.utcnow() + crl_lifetime)
# get CA cert
ca_conf = jsonloader.signing_ca_for_registration_authority(jsonloader.conf.ra_options["ra_name"])
try:
ca_cert = anchor_certificate.X509Certificate.from_file(ca_conf["cert_path"])
except Exception as e:
logger.error("Cannot load the signing CA: %s" % (e,))
raise
# set CRL cn (issuer name) to that of the CA certificate
crl_builder = crl_builder.issuer_name(
x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, ca_cert.get_subject()[0].get_value())])
)
# get private key
try:
private_key = anchor_utils.get_private_key_from_file(ca_conf["key_path"])
except Exception as e:
logger.error("Cannot load the signing CA private key: %s" % (e,))
raise
# generate crl #todo get hash alg from config?
crl = crl_builder.sign(private_key, hashes.SHA256(), backends.default_backend())
return crl.public_bytes(serialization.Encoding(jsonloader.conf.revocation_options["crl_format"]))
def sign(csr, ca_conf):
"""Generate an X.509 certificate and sign it.
:param csr: X509 certificate signing request
:param ca_conf: signing CA configuration
:return: signed certificate in PEM format
"""
try:
ca = certificate.X509Certificate.from_file(ca_conf['cert_path'])
except Exception as e:
raise SigningError("Cannot load the signing CA: %s" % (e, ))
try:
key = x509_utils.get_private_key_from_file(ca_conf['key_path'])
except Exception as e:
raise SigningError("Cannot load the signing CA key: %s" % (e, ))
new_cert = certificate.X509Certificate()
new_cert.set_version(2)
start_time = int(time.time())
end_time = start_time + (ca_conf['valid_hours'] * 60 * 60)
new_cert.set_not_before(start_time)
new_cert.set_not_after(end_time)
new_cert.set_pubkey(pkey=csr.get_pubkey())
new_cert.set_subject(csr.get_subject())
new_cert.set_issuer(ca.get_subject())
serial = int(uuid.uuid4().hex, 16)
new_cert.set_serial_number(serial)
exts = csr.get_extensions()
ext_i = 0
for ext in exts:
# this check is separate from standards validator - the signing backend
# may know about more/fewer extensions than we do
if ext.get_oid() not in extension.EXTENSION_CLASSES.keys():
if ext.get_critical():
logger.warning(
"CSR submitted with unknown extension oid %s, "
"refusing to sign", ext.get_oid())
raise SigningError("Unknown critical extension %s" %
(ext.get_oid(), ))
else:
logger.info(
"CSR submitted with non-critical unknown oid %s, "
"not including extension", (ext.get_oid(), ))
else:
logger.info("Adding certificate extension: %i %s", ext_i, str(ext))
new_cert.add_extension(ext, ext_i)
ext_i += 1
logger.info("Signing certificate for <%s> with serial <%s>",
csr.get_subject(), serial)
new_cert.sign(key, ca_conf['signing_hash'])
cert_pem = new_cert.as_pem()
return cert_pem
