def _parse_cert(dercert): try: subject = x509.get_subject(dercert, x509.DER) issuer = x509.get_issuer(dercert, x509.DER) serial_number = x509.get_serial_number(dercert, x509.DER) public_key_info = x509.get_der_public_key_info(dercert, x509.DER) except (NSPRError, PyAsn1Error), e: raise ValueError("failed to decode certificate: %s" % e)
def _parse_cert(dercert): try: subject = x509.get_subject(dercert, x509.DER) issuer = x509.get_issuer(dercert, x509.DER) serial_number = x509.get_serial_number(dercert, x509.DER) public_key_info = x509.get_der_public_key_info(dercert, x509.DER) except (NSPRError, PyAsn1Error) as e: raise ValueError("failed to decode certificate: %s" % e) subject = str(subject).replace('\\;', '\\3b') issuer = str(issuer).replace('\\;', '\\3b') issuer_serial = '%s;%s' % (issuer, serial_number) return subject, issuer_serial, public_key_info
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT if os.path.exists(new_cacert_path): try: os.remove(new_cacert_path) except OSError as e: root_logger.error( "Could not remove %s: %s", new_cacert_path, e) return False new_cacert_path = paths.IPA_P11_KIT try: f = open(new_cacert_path, 'w') except IOError as e: root_logger.info("Failed to open %s: %s" % (new_cacert_path, e)) return False f.write("# This file was created by IPA. Do not edit.\n" "\n") has_eku = set() for cert, nickname, trusted, ext_key_usage in ca_certs: try: subject = x509.get_der_subject(cert, x509.DER) issuer = x509.get_der_issuer(cert, x509.DER) serial_number = x509.get_der_serial_number(cert, x509.DER) public_key_info = x509.get_der_public_key_info(cert, x509.DER) except (NSPRError, PyAsn1Error, ValueError) as e: root_logger.warning( "Failed to decode certificate \"%s\": %s", nickname, e) continue label = urllib.parse.quote(nickname) subject = urllib.parse.quote(subject) issuer = urllib.parse.quote(issuer) serial_number = urllib.parse.quote(serial_number) public_key_info = urllib.parse.quote(public_key_info) cert = base64.b64encode(cert) cert = x509.make_pem(cert) obj = ("[p11-kit-object-v1]\n" "class: certificate\n" "certificate-type: x-509\n" "certificate-category: authority\n" "label: \"%(label)s\"\n" "subject: \"%(subject)s\"\n" "issuer: \"%(issuer)s\"\n" "serial-number: \"%(serial_number)s\"\n" "x-public-key-info: \"%(public_key_info)s\"\n" % dict(label=label, subject=subject, issuer=issuer, serial_number=serial_number, public_key_info=public_key_info)) if trusted is True: obj += "trusted: true\n" elif trusted is False: obj += "x-distrusted: true\n" obj += "%s\n\n" % cert f.write(obj) if ext_key_usage is not None and public_key_info not in has_eku: if not ext_key_usage: ext_key_usage = {x509.EKU_PLACEHOLDER} try: ext_key_usage = x509.encode_ext_key_usage(ext_key_usage) except PyAsn1Error as e: root_logger.warning( "Failed to encode extended key usage for \"%s\": %s", nickname, e) continue value = urllib.parse.quote(ext_key_usage) obj = ("[p11-kit-object-v1]\n" "class: x-certificate-extension\n" "label: \"ExtendedKeyUsage for %(label)s\"\n" "x-public-key-info: \"%(public_key_info)s\"\n" "object-id: 2.5.29.37\n" "value: \"%(value)s\"\n\n" % dict(label=label, public_key_info=public_key_info, value=value)) f.write(obj) has_eku.add(public_key_info) f.close() # Add the CA to the systemwide CA trust database if not self.reload_systemwide_ca_store(): return False return True
def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): # pylint: disable=ipa-forbidden-import from ipalib import x509 # FixMe: break import cycle from ipalib.errors import CertificateError # pylint: enable=ipa-forbidden-import new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT if os.path.exists(new_cacert_path): try: os.remove(new_cacert_path) except OSError as e: root_logger.error("Could not remove %s: %s", new_cacert_path, e) return False new_cacert_path = paths.IPA_P11_KIT try: f = open(new_cacert_path, 'w') except IOError as e: root_logger.info("Failed to open %s: %s" % (new_cacert_path, e)) return False f.write("# This file was created by IPA. Do not edit.\n" "\n") has_eku = set() for cert, nickname, trusted, ext_key_usage in ca_certs: try: subject = x509.get_der_subject(cert, x509.DER) issuer = x509.get_der_issuer(cert, x509.DER) serial_number = x509.get_der_serial_number(cert, x509.DER) public_key_info = x509.get_der_public_key_info(cert, x509.DER) except (PyAsn1Error, ValueError, CertificateError) as e: root_logger.warning("Failed to decode certificate \"%s\": %s", nickname, e) continue label = urllib.parse.quote(nickname) subject = urllib.parse.quote(subject) issuer = urllib.parse.quote(issuer) serial_number = urllib.parse.quote(serial_number) public_key_info = urllib.parse.quote(public_key_info) cert = base64.b64encode(cert) cert = x509.make_pem(cert) obj = ("[p11-kit-object-v1]\n" "class: certificate\n" "certificate-type: x-509\n" "certificate-category: authority\n" "label: \"%(label)s\"\n" "subject: \"%(subject)s\"\n" "issuer: \"%(issuer)s\"\n" "serial-number: \"%(serial_number)s\"\n" "x-public-key-info: \"%(public_key_info)s\"\n" % dict(label=label, subject=subject, issuer=issuer, serial_number=serial_number, public_key_info=public_key_info)) if trusted is True: obj += "trusted: true\n" elif trusted is False: obj += "x-distrusted: true\n" obj += "%s\n\n" % cert f.write(obj) if ext_key_usage is not None and public_key_info not in has_eku: if not ext_key_usage: ext_key_usage = {x509.EKU_PLACEHOLDER} try: ext_key_usage = x509.encode_ext_key_usage(ext_key_usage) except PyAsn1Error as e: root_logger.warning( "Failed to encode extended key usage for \"%s\": %s", nickname, e) continue value = urllib.parse.quote(ext_key_usage) obj = ("[p11-kit-object-v1]\n" "class: x-certificate-extension\n" "label: \"ExtendedKeyUsage for %(label)s\"\n" "x-public-key-info: \"%(public_key_info)s\"\n" "object-id: 2.5.29.37\n" "value: \"%(value)s\"\n\n" % dict(label=label, public_key_info=public_key_info, value=value)) f.write(obj) has_eku.add(public_key_info) f.close() # Add the CA to the systemwide CA trust database if not self.reload_systemwide_ca_store(): return False return True
try: f = open(new_cacert_path, 'w') except IOError, e: root_logger.info("Failed to open %s: %s" % (new_cacert_path, e)) return False f.write("# This file was created by IPA. Do not edit.\n" "\n") has_eku = set() for cert, nickname, trusted, ext_key_usage in ca_certs: try: subject = x509.get_der_subject(cert, x509.DER) issuer = x509.get_der_issuer(cert, x509.DER) serial_number = x509.get_der_serial_number(cert, x509.DER) public_key_info = x509.get_der_public_key_info(cert, x509.DER) except (NSPRError, PyAsn1Error), e: root_logger.warning( "Failed to decode certificate \"%s\": %s", nickname, e) continue label = urllib.quote(nickname) subject = urllib.quote(subject) issuer = urllib.quote(issuer) serial_number = urllib.quote(serial_number) public_key_info = urllib.quote(public_key_info) cert = base64.b64encode(cert) cert = x509.make_pem(cert) obj = ("[p11-kit-object-v1]\n"
try: f = open(new_cacert_path, 'w') except IOError, e: root_logger.info("Failed to open %s: %s" % (new_cacert_path, e)) return False f.write("# This file was created by IPA. Do not edit.\n" "\n") has_eku = set() for cert, nickname, trusted, ext_key_usage in ca_certs: try: subject = x509.get_der_subject(cert, x509.DER) issuer = x509.get_der_issuer(cert, x509.DER) serial_number = x509.get_der_serial_number(cert, x509.DER) public_key_info = x509.get_der_public_key_info(cert, x509.DER) except (NSPRError, PyAsn1Error), e: root_logger.warning("Failed to decode certificate \"%s\": %s", nickname, e) continue label = urllib.quote(nickname) subject = urllib.quote(subject) issuer = urllib.quote(issuer) serial_number = urllib.quote(serial_number) public_key_info = urllib.quote(public_key_info) cert = base64.b64encode(cert) cert = x509.make_pem(cert) obj = ("[p11-kit-object-v1]\n"