 def setUp(self):
     """Build the 3-level CA chain plus one server and one user edge certificate.

     Both certificates are signed by the edge CA (pk=3); they differ only in
     name, description, x509 extension and the SAN / CRL distribution point.
     """
     CreateCaChain()

     self.rca, self.ica, self.eca = [
         CertificateAuthority.objects.get(pk=pk) for pk in (1, 2, 3)
     ]
     openssl.refresh_pki_metadata([self.rca, self.ica, self.eca])

     # Fields shared by both edge certificates; the rest is per-certificate.
     shared = dict(
         country='DE', state='Bavaria', locality='Munich',
         organization='Bozo Clown Inc.', OU='IT', email='*****@*****.**',
         valid_days=365, key_length=1024, expiry_date='', created='',
         revoked=None, active=None, serial=None, ca_chain=None,
         der_encoded=False, pkcs12_encoded=False, pkcs12_passphrase=None,
         parent=self.eca, parent_passphrase="1234567890", passphrase=None,
     )

     Certificate(
         common_name='Server Edge Certificate',
         name='Server_Edge_Certificate',
         description="unit test server edge certificate",
         extension=x509Extension.objects.get(pk=3),
         subjaltname="IP:1.2.3.4, DNS:www1.company.com",
         **shared
     ).save()

     Certificate(
         common_name='User Edge Certificate',
         name='User_Edge_Certificate',
         description="unit test user edge certificate",
         extension=x509Extension.objects.get(pk=4),
         crl_dpoints="URI:https://ca.company.com/ca.crl",
         **shared
     ).save()

     self.srv = Certificate.objects.get(pk=1)
     self.usr = Certificate.objects.get(pk=2)

     self.srv_openssl = openssl.Openssl(self.srv)
     self.usr_openssl = openssl.Openssl(self.usr)
def CreateCaChain():
    """Create and persist a 3 level CA chain: Root CA -> Intermediate CA -> Edge CA.

    Root and intermediate use the x509 extension with pk=1, the edge CA the one
    with pk=2.  Every CA uses the same (test-only) passphrase.
    """
    ## Reset PKI_DIR
    openssl.refresh_pki_metadata([])

    # Attributes every CA in the chain has in common.
    base = dict(
        country='DE', organization='Bozo Clown Inc.', email='*****@*****.**',
        key_length=1024, expiry_date='', created='', revoked=None, active=None,
        serial=None, ca_chain=None, der_encoded=False, passphrase='1234567890',
    )

    ## Root CA object (self-signed)
    CertificateAuthority(
        common_name='Root CA', name='Root_CA', description="unit test",
        state='Bavaria', locality='Munich', OU='IT', valid_days=1000,
        parent=None, extension=x509Extension.objects.get(pk=1),
        **base
    ).save()
    rca = CertificateAuthority.objects.get(pk=1)

    ## Intermediate CA object, signed by the root
    CertificateAuthority(
        common_name='Intermediate CA', name='Intermediate_CA', description="unit test IM CA",
        state='Bavaria', locality='Berlin', OU=None, valid_days=365,
        parent=rca, parent_passphrase="1234567890",
        extension=x509Extension.objects.get(pk=1),
        **base
    ).save()
    ica = CertificateAuthority.objects.get(pk=2)

    ## Edge CA object, signed by the intermediate (RootCA->IntermediateCA->SubCA)
    CertificateAuthority(
        common_name='Edge CA', name='Edge_CA', description="unit test edge CA",
        state='Bavaria', locality='Munich', OU='IT', valid_days=365,
        parent=ica, parent_passphrase="1234567890",
        extension=x509Extension.objects.get(pk=2),
        **base
    ).save()
 def setUp(self):
     """Build an unsaved self-signed Root CA object and its openssl wrapper.

     The CA is only instantiated, not saved; the PKI metadata is rebuilt for
     just this one CA.
     """
     root_fields = dict(
         common_name='Root CA', name='Root_CA', description="unit test",
         country='DE', state='Bavaria', locality='Munich',
         organization='Bozo Clown Inc.', OU='IT', email='*****@*****.**',
         valid_days=1000, key_length=1024, expiry_date='', created='',
         revoked=None, active=None, serial=None, ca_chain=None,
         der_encoded=False, parent=None, passphrase='1234567890',
         extension=x509Extension.objects.get(pk=1),
     )
     self.ca = CertificateAuthority(**root_fields)
     self.ca_ssl = openssl.Openssl(self.ca)
     openssl.refresh_pki_metadata([self.ca])
 def setUp(self):
     """Build an unsaved Root CA -> Intermediate CA -> Sub CA chain.

     Only the root and intermediate allow sub-CAs.  None of the objects is
     saved; the PKI metadata is rebuilt for the three of them and each one is
     wrapped in an openssl.OpensslActions helper.
     """
     # Attributes shared by all three CA objects.
     base = dict(
         country='DE', organization='Bozo Clown Inc.', email='*****@*****.**',
         key_length=1024, expiry_date='', created='', revoked=None, active=None,
         serial=None, ca_chain=None, pem_encoded=True, der_encoded=False,
         passphrase='1234567890',
     )

     ## Root CA object
     self.rca = CertificateAuthority(
         common_name='Root CA', name='Root_CA', description="unit test",
         state='Bavaria', locality='Munich', OU='IT', valid_days=1000,
         parent=None, subcas_allowed=True,
         **base
     )

     ## Intermediate CA object
     self.ica = CertificateAuthority(
         common_name='Intermediate CA', name='Intermediate_CA', description="unit test IM CA",
         state='Bavaria', locality='Berlin', OU=None, valid_days=365,
         parent=self.rca, parent_passphrase="1234567890", subcas_allowed=True,
         **base
     )

     ## Sub CA object (RootCA->IntermediateCA->SubCA)
     self.sca = CertificateAuthority(
         common_name='Sub CA', name='Sub_CA', description="unit test sub CA",
         state='Bavaria', locality='Munich', OU='IT', valid_days=365,
         parent=self.ica, parent_passphrase="1234567890", subcas_allowed=False,
         **base
     )

     chain = [self.rca, self.ica, self.sca]
     openssl.refresh_pki_metadata(chain)
     self.rca_action, self.ica_action, self.sca_action = [
         openssl.OpensslActions(ca) for ca in chain
     ]
 def forwards(self, orm):
     """Attach an x509Extension to every stored CA and certificate.

     CAs get extension pk=1 when they have no parent or allow sub-CAs
     (root / intermediate) and pk=2 otherwise (edge CA).  Certificates with a
     parent get pk=3 (``v3_server_cert``) or pk=4 (``v3_client_cert``) and are
     saved untouched for any other ``cert_extension``; self-signed
     certificates get pk=5.
     """
     from pki.models import CertificateAuthority, Certificate, x509Extension
     from pki.openssl import refresh_pki_metadata

     ## CertificateAuthority migration
     migrated_cas = []
     for ca in orm.CertificateAuthority.objects.all():
         stored = orm.CertificateAuthority.objects.get(pk=ca.pk)
         root_or_intermediate = not ca.parent or stored.subcas_allowed
         ext_pk = 1 if root_or_intermediate else 2
         ca.extension = orm.x509Extension.objects.get(pk=ext_pk)
         ca.save()
         migrated_cas.append(ca)
     refresh_pki_metadata(migrated_cas)

     ## Certificate migration
     cert_ext_pks = {"v3_server_cert": 3, "v3_client_cert": 4}
     for cert in orm.Certificate.objects.all():
         if not cert.parent:  ## Self-signed
             cert.extension = orm.x509Extension.objects.get(pk=5)
         else:  ## Not self-signed
             stored = orm.Certificate.objects.get(pk=cert.pk)
             ext_pk = cert_ext_pks.get(stored.cert_extension)
             if ext_pk is not None:
                 cert.extension = orm.x509Extension.objects.get(pk=ext_pk)
         cert.save()
    def forwards(self, orm):
        """Attach an x509Extension to every stored CA and certificate.

        CAs get extension pk=1 when they have no parent or allow sub-CAs
        (root / intermediate) and pk=2 otherwise (edge CA).  Certificates with
        a parent get pk=3 (``v3_server_cert``) or pk=4 (``v3_client_cert``)
        and are saved untouched for any other ``cert_extension``; self-signed
        certificates get pk=5.
        """
        from pki.models import CertificateAuthority, Certificate, x509Extension
        from pki.openssl import refresh_pki_metadata

        ## CertificateAuthority migration
        migrated_cas = []
        for ca in orm.CertificateAuthority.objects.all():
            stored = orm.CertificateAuthority.objects.get(pk=ca.pk)
            root_or_intermediate = not ca.parent or stored.subcas_allowed
            ext_pk = 1 if root_or_intermediate else 2
            ca.extension = orm.x509Extension.objects.get(pk=ext_pk)
            ca.save()
            migrated_cas.append(ca)
        refresh_pki_metadata(migrated_cas)

        ## Certificate migration
        cert_ext_pks = {"v3_server_cert": 3, "v3_client_cert": 4}
        for cert in orm.Certificate.objects.all():
            if not cert.parent:  ## Self-signed
                cert.extension = orm.x509Extension.objects.get(pk=5)
            else:  ## Not self-signed
                stored = orm.Certificate.objects.get(pk=cert.pk)
                ext_pk = cert_ext_pks.get(stored.cert_extension)
                if ext_pk is not None:
                    cert.extension = orm.x509Extension.objects.get(pk=ext_pk)
            cert.save()
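def pki_refresh_metadata(request):
    """Rebuild PKI metadata.

    Renders openssl.conf template and cleans PKI_DIR for every stored
    CertificateAuthority, reports the count via the messages framework and
    redirects the user back to where they came from.

    Args:
        request: the Django HttpRequest.  ``HTTP_REFERER`` is used as the
            redirect target only when it is relative or points at this host.

    Returns:
        HttpResponseRedirect to the referring page, or to ``/`` when there is
        no Referer or it names a foreign host / non-http scheme.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    ca_objects = list(CertificateAuthority.objects.all())
    refresh_pki_metadata(ca_objects)
    messages.info(request, 'Successfully refreshed PKI metadata (%d certificate authorities)' % len(ca_objects))

    # The Referer header is client-supplied.  Redirecting to it unchecked
    # would make this view an open redirect, so only follow it when it is
    # relative or stays on our own host with an http(s) scheme.
    back = request.META.get('HTTP_REFERER', None) or '/'
    parts = urlparse(back)
    foreign_host = parts.netloc and parts.netloc != request.get_host()
    if parts.scheme not in ('', 'http', 'https') or foreign_host:
        back = '/'
    return HttpResponseRedirect(back)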
 def setUp(self):
     """Build the 3-level CA chain and wrap each CA in an openssl.Openssl helper.

     Root, intermediate and edge CA are loaded back from the database after
     CreateCaChain() has saved them; the PKI metadata is rebuilt last.
     """
     CreateCaChain()

     self.rca = CertificateAuthority.objects.get(pk=1)
     self.ica = CertificateAuthority.objects.get(pk=2)
     self.eca = CertificateAuthority.objects.get(pk=3)
     chain = [self.rca, self.ica, self.eca]

     self.rca_openssl, self.ica_openssl, self.eca_openssl = [
         openssl.Openssl(ca) for ca in chain
     ]

     openssl.refresh_pki_metadata(chain)
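def pki_refresh_metadata(request):
    """Rebuild PKI metadata.

    Renders openssl.conf template and cleans PKI_DIR for every stored
    CertificateAuthority, reports the count via the messages framework and
    redirects the user back to where they came from.

    Args:
        request: the Django HttpRequest.  ``HTTP_REFERER`` is used as the
            redirect target only when it is relative or points at this host.

    Returns:
        HttpResponseRedirect to the referring page, or to ``/`` when there is
        no Referer or it names a foreign host / non-http scheme.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    ca_objects = list(CertificateAuthority.objects.all())
    refresh_pki_metadata(ca_objects)
    messages.info(
        request,
        'Successfully refreshed PKI metadata (%d certificate authorities)' %
        len(ca_objects))

    # The Referer header is client-supplied.  Redirecting to it unchecked
    # would make this view an open redirect, so only follow it when it is
    # relative or stays on our own host with an http(s) scheme.
    back = request.META.get('HTTP_REFERER', None) or '/'
    parts = urlparse(back)
    foreign_host = parts.netloc and parts.netloc != request.get_host()
    if parts.scheme not in ('', 'http', 'https') or foreign_host:
        back = '/'
    return HttpResponseRedirect(back)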
 def setUp(self):
     """Create a Root -> Intermediate -> Edge CA chain and a server cert via the admin.

     The POST bodies for all three CAs, the server cert and a user cert are kept
     on the instance; everything except ``post_data_usr`` is submitted here and
     each response must report a successful add.  The user-cert body is left
     for the individual tests.
     """
     openssl.refresh_pki_metadata([])

     # Subject / key / passphrase fields common to every POST body below.
     subject = {'country':'DE', 'state':'Bavaria', 'locality':'Munich', 'organization':'Bozo Clown Inc.',
                'OU':'IT', 'email':'*****@*****.**', 'valid_days':1000, 'key_length':1024, 'der_encoded':False,
                'passphrase':'1234567890', 'passphrase_verify':'1234567890'}

     self.post_data_rca = dict(subject, action='create', common_name='Root CA', name='Root_CA', description="unit test",
                               parent='', policy='policy_anything',
                               extension=x509Extension.objects.get(name="v3_root_or_intermediate_ca").pk)
     self.post_data_ica = dict(subject, action='create', common_name='Intermediate CA', name='Intermediate_CA', description="unit test",
                               parent='1', parent_passphrase='1234567890', policy='policy_anything',
                               extension=x509Extension.objects.get(name="v3_root_or_intermediate_ca").pk)
     self.post_data_eca = dict(subject, action='create', common_name='Edge CA', name='Edge', description="unit test",
                               parent='2', parent_passphrase='1234567890', policy='policy_anything',
                               extension=x509Extension.objects.get(name="v3_edge_ca").pk)

     self.post_data_srv = dict(subject, action='create', common_name='Server cert', name='Server_cert', description="unit test",
                               parent='3', parent_passphrase='1234567890',
                               extension=x509Extension.objects.get(name="v3_edge_cert_server").pk)

     self.post_data_usr = dict(subject, action='create', common_name='User cert', name='User_cert', description="unit test",
                               parent='3', parent_passphrase='1234567890',
                               extension=x509Extension.objects.get(name="v3_edge_cert_client").pk)

     self.c = Client()
     self.assertTrue(self.c.login(username="******", password="******"))

     ca_add = '/admin/pki/certificateauthority/add/'
     submissions = (
         (ca_add, self.post_data_rca),
         (ca_add, self.post_data_ica),
         (ca_add, self.post_data_eca),
         ('/admin/pki/certificate/add/', self.post_data_srv),
     )
     for url, data in submissions:
         r = self.c.post(url, data, follow=True)
         self.assertContains(r, 'was added successfully')
         self.failUnlessEqual(r.status_code, 200)
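 def rebuild_ca_metadata(self, modify, task):
     """Wrapper around refresh_pki_metadata.

     Args:
         modify: when false the metadata is rebuilt for every stored CA and
             ``task`` is ignored.
         task: how this CA is folded into the set of known CAs when ``modify``
             is true -- ``'append'`` adds it to all stored CAs, ``'replace'``
             swaps it in for the stored row with the same pk, ``'exclude'``
             leaves it out.

     Raises:
         ValueError: if ``modify`` is true and ``task`` is none of the three
             supported values (this used to surface as an UnboundLocalError
             on ``known_cas``).
     """
     if modify and task not in ('append', 'replace', 'exclude'):
         raise ValueError("unknown rebuild task: %r" % (task,))

     if not modify:
         known_cas = list(CertificateAuthority.objects.all())
     elif task == 'append':
         ## Get list of all defined CA's
         known_cas = list(CertificateAuthority.objects.all())
         known_cas.append(self)
     elif task == 'replace':
         known_cas = list(CertificateAuthority.objects.exclude(pk=self.pk))
         known_cas.append(self)
     else:  ## 'exclude'
         known_cas = list(CertificateAuthority.objects.exclude(pk=self.pk))

     ## Rebuild the CA store metadata
     refresh_pki_metadata(known_cas)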
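 def rebuild_ca_metadata(self, modify, task, skip_list=None):
     """Wrapper around refresh_pki_metadata.

     Args:
         modify: when false the metadata is rebuilt for every stored CA and
             ``task`` / ``skip_list`` are ignored.
         task: how the set of known CAs is built when ``modify`` is true --
             ``'append'`` adds this CA to all stored CAs, ``'replace'`` swaps
             it in for the stored row with the same pk, ``'exclude'`` drops
             every stored CA whose pk is in ``skip_list``.
         skip_list: pks to leave out for ``'exclude'``; defaults to an empty
             list (nothing is excluded).  Note that this CA itself is only
             excluded if its pk is listed here.

     Raises:
         ValueError: if ``modify`` is true and ``task`` is none of the three
             supported values (this used to surface as an UnboundLocalError
             on ``known_cas``).
     """
     # A fresh list per call; a mutable default would be shared across calls.
     if skip_list is None:
         skip_list = []
     if modify and task not in ('append', 'replace', 'exclude'):
         raise ValueError("unknown rebuild task: %r" % (task,))

     if not modify:
         known_cas = list(CertificateAuthority.objects.all())
     elif task == 'append':
         ## Get list of all defined CA's
         known_cas = list(CertificateAuthority.objects.all())
         known_cas.append(self)
     elif task == 'replace':
         known_cas = list(CertificateAuthority.objects.exclude(pk=self.pk))
         known_cas.append(self)
     else:  ## 'exclude'
         known_cas = list(CertificateAuthority.objects.exclude(pk__in=skip_list))

     ## Rebuild the CA store metadata
     refresh_pki_metadata(known_cas)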
 def tearDown(self):
     """Log the test client out and reset the PKI metadata to an empty CA set."""
     client = self.c
     client.logout()
     no_cas = []
     openssl.refresh_pki_metadata(no_cas)
 def tearDown(self):
     """Reset the PKI metadata to an empty CA set so the next test starts clean."""
     no_cas = []
     openssl.refresh_pki_metadata(no_cas)
 def save(self, *args, **kwargs):
     """Save the x509 Extension object.

     Only a brand-new object (no pk yet) is written; afterwards the PKI
     metadata is rebuilt for every stored CA so the new extension is picked
     up.  Calling save() on an already persisted object is a no-op here --
     NOTE(review): presumably meant to keep extensions immutable; confirm.
     """
     if self.pk:
         return
     super(x509Extension, self).save(*args, **kwargs)
     refresh_pki_metadata(CertificateAuthority.objects.all())
 def save(self, *args, **kwargs):
     """Save the x509 Extension object.

     Only a brand-new object (no pk yet) is written; afterwards the PKI
     metadata is rebuilt for every stored CA so the new extension is picked
     up.  Calling save() on an already persisted object is a no-op here --
     NOTE(review): presumably meant to keep extensions immutable; confirm.
     """
     if self.pk:
         return
     super(x509Extension, self).save(*args, **kwargs)
     refresh_pki_metadata(CertificateAuthority.objects.all())