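    def _create(self, certs, purpose, desc, issuer=None, common=None):
        """Create and store one certificate, keyed by purpose.

        Generates a fresh RSA key pair and X.509 certificate, inserts the
        PEM-encoded pair into ``pki_certificates`` and records it in
        ``certs[purpose]``.  A purpose already present in ``certs`` is left
        alone -- note this guard consults the in-memory dict only, not the
        table.

        @param certs: dict mapping purpose -> C{(x509_pem, pkey_pem)};
                updated in place with the new pair.
        @param purpose: Machine-readable string identifying the purpose of this
                certificate.
        @param desc: Human-readable description, stored as the subject O.
        @param issuer: Optional tuple C{(x509_pem, pkey_pem)} of the issuing
                CA.  When omitted the new certificate is a self-signed CA;
                otherwise it is an end-entity certificate signed by the
                issuer (this method never produces intermediate CAs).
        @param common: Optional common name (hostname) for the subject.
        @raise ValueError: if an issuer is given whose fingerprint is not in
                ``pki_certificates``, so no serial number can be allocated.
        """
        if purpose in certs:
            return
        cu = self.db.cursor()

        subject = X509.X509_Name()
        subject.O = desc
        subject.OU = 'Created at ' + time.strftime('%F %T%z')
        if common is not None:
            subject.CN = common

        issuer_pkey = issuer_subject = issuer_fingerprint = serial = None
        if issuer is None:
            # Self-signed root; the serial is left to gencert (None is passed).
            isCA = True
        else:
            isCA = False
            issuer_x509 = X509.load_cert_string(issuer[0])
            issuer_pkey = EVP.load_key_string(issuer[1])
            issuer_subject = issuer_x509.get_subject()
            # SHA-1 over the DER encoding is the row key used throughout
            # this table for identifying certificates.
            issuer_fingerprint = digestlib.sha1(
                    issuer_x509.as_der()).hexdigest()

            # Serials must be unique per issuer (RFC 5280).  The single
            # UPDATE ... RETURNING increments the issuer's counter and reads
            # the new value atomically, so concurrent callers cannot be
            # handed the same serial.
            cu.execute("""UPDATE pki_certificates
                SET ca_serial_index = ca_serial_index + 1
                WHERE fingerprint = %s
                RETURNING ca_serial_index
                """, (issuer_fingerprint,))
            row = cu.fetchone()
            if row is None:
                # The issuer was never stored here, so there is no counter to
                # draw from.  Fail with a clear message instead of the bare
                # TypeError that unpacking None would produce.
                raise ValueError(
                        "issuer certificate %s is not in pki_certificates"
                        % issuer_fingerprint)
            serial, = row

        # Create certificates with a 'not before' date 1 day in the past, just
        # in case initial setup sets the clock backwards.
        rsa, x509 = gencert.new_cert(KEY_LENGTH, subject, EXPIRY,
                issuer=issuer_subject, issuer_evp=issuer_pkey, isCA=isCA,
                serial=serial, timestamp_offset=-86400)

        fingerprint = digestlib.sha1(x509.as_der()).hexdigest()
        # NOTE(review): as_pem(None) passes no cipher, so the private key
        # appears to be stored unencrypted; read access to pki_certificates is
        # then equivalent to holding every key issued here -- confirm the
        # table's access controls.
        pkey_pem = rsa.as_pem(None)
        x509_pem = x509.as_pem()

        cu.execute("""INSERT INTO pki_certificates (
                fingerprint, purpose, is_ca, x509_pem, pkey_pem,
                issuer_fingerprint, ca_serial_index, time_issued, time_expired
                )
            VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s)""",
            (fingerprint, purpose, isCA, x509_pem, pkey_pem,
                issuer_fingerprint, 0,
                str(x509.get_not_before()), str(x509.get_not_after()),
                ))

        # The INSERT above runs regardless of dry_run; only the log line
        # differs here, so any rollback must happen in the caller.
        log.info("Created certificate %s for purpose %r%s%s",
                fingerprint, purpose,
                (issuer_fingerprint and (" (issuer %s)" % issuer_fingerprint)
                    or ""),
                self.dry_run and " (dry run)" or "")

        certs[purpose] = x509_pem, pkey_pem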
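    def new(cls, subject=None, keyLength=None, serial=None, expiry=None,
            timestampOffset=None, issuer_x509=None, issuer_pkey=None,
            isCA=False):
        """Generate a key pair plus certificate and wrap them in C{cls}.

        @param subject: Subject name; defaults to
                C{cls.Subject(CN="Test Certificate")}.
        @param keyLength: RSA key length; defaults to C{cls.KEY_LENGTH}.
        @param serial: Serial number handed to C{gencert.new_cert}.
        @param expiry: Validity period; defaults to C{cls.EXPIRY}.
        @param timestampOffset: Offset applied to the 'not before' time;
                defaults to C{cls.TIMESTAMP_OFFSET}.  An explicit C{0} is
                honoured.
        @param issuer_x509: Optional issuer certificate; its subject becomes
                the new certificate's issuer.
        @param issuer_pkey: Optional issuer key used for signing.
        @param isCA: Whether to mark the new certificate as a CA.
        @return: C{cls(x509, rsa)}.
        """
        # Explicit ``is None`` tests.  The previous ``x and y or default``
        # idiom silently replaced falsy values, so ``timestampOffset=0``
        # (meaning 'not before' == now) was overridden by
        # cls.TIMESTAMP_OFFSET.
        if keyLength is None:
            keyLength = cls.KEY_LENGTH
        if expiry is None:
            expiry = cls.EXPIRY
        if timestampOffset is None:
            timestampOffset = cls.TIMESTAMP_OFFSET

        if subject is None:
            subject = cls.Subject(CN="Test Certificate")

        issuer_subject = None
        if issuer_x509 is not None:
            issuer_subject = issuer_x509.get_subject()

        rsa, x509 = gencert.new_cert(keyLength, subject, expiry,
                issuer=issuer_subject, issuer_evp=issuer_pkey, isCA=isCA,
                serial=serial, timestamp_offset=timestampOffset)

        return cls(x509, rsa)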
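    def createCertificate(self, purpose, desc, issuer=None, common=None):
        """Create and store one certificate.

        Generates a fresh RSA key pair and X.509 certificate and inserts the
        PEM-encoded pair into ``pki_certificates``.  Without an issuer the
        result is a self-signed CA; with one it is an end-entity certificate
        (intermediate CAs are never produced here).

        @param purpose: Machine-readable string identifying the purpose of this
                certificate.
        @param desc: Human-readable description to put into the certificate
                (subject O).
        @param issuer: Optional issuer.  Either a purpose string, resolved via
                C{self.getCertificatePair}, or a tuple C{(x509_pem, pkey_pem)}.
                In both cases the issuer must already be a row in
                ``pki_certificates`` so a serial can be allocated from it.
        @param common: Optional common name (hostname) for subject.
        @return: Tuple C{(x509_pem, pkey_pem)} of the new certificate.
        @raise ValueError: if the issuer's fingerprint is not in
                ``pki_certificates``.
        """
        # Don't let anyone else even read the table while we work. We wouldn't
        # want two processes to read in the same CA serial index, generate
        # different certificates using the same serial, write them out to disk,
        # then blow up when they try to commit.
        cu = self.db.cursor()
        cu.execute("LOCK TABLE pki_certificates")

        subject = X509.X509_Name()
        subject.O = desc
        subject.OU = 'Created at ' + time.strftime('%F %T%z')
        if common is not None:
            subject.CN = common

        issuer_pkey = issuer_subject = issuer_fingerprint = serial = None
        if issuer is None:
            # Self-signed root; the serial is left to gencert (None is passed).
            isCA = True
        else:
            isCA = False
            if isinstance(issuer, basestring):
                # Look up CA by purpose
                issuer_x509, issuer_pkey = self.getCertificatePair(issuer)
            else:
                # Tuple provided
                issuer_x509, issuer_pkey = issuer
            issuer_x509 = X509.load_cert_string(issuer_x509)
            issuer_pkey = EVP.load_key_string(issuer_pkey)
            issuer_subject = issuer_x509.get_subject()
            # SHA-1 over the DER encoding is the row key used throughout
            # this table for identifying certificates.
            issuer_fingerprint = digestlib.sha1(
                    issuer_x509.as_der()).hexdigest()

            # Serials must be unique per issuer (RFC 5280); the counter lives
            # on the issuer's row and is bumped under the table lock above.
            cu.execute("""UPDATE pki_certificates
                SET ca_serial_index = ca_serial_index + 1
                WHERE fingerprint = ?
                RETURNING ca_serial_index
                """, issuer_fingerprint)
            row = cu.fetchone()
            if row is None:
                # Issuer not stored here (e.g. a tuple for a foreign CA), so
                # there is no counter to draw from.  Fail with a clear message
                # rather than the TypeError from unpacking None.
                raise ValueError(
                        "issuer certificate %s is not in pki_certificates"
                        % issuer_fingerprint)
            serial, = row

        # Create certificates with a 'not before' date 1 day in the past, just
        # in case initial setup sets the clock backwards.
        rsa, x509 = gencert.new_cert(KEY_LENGTH, subject, EXPIRY,
                issuer=issuer_subject, issuer_evp=issuer_pkey, isCA=isCA,
                serial=serial, timestamp_offset=-86400)

        fingerprint = digestlib.sha1(x509.as_der()).hexdigest()
        # NOTE(review): as_pem(None) passes no cipher, so the private key
        # appears to be stored unencrypted; read access to pki_certificates is
        # then equivalent to holding every key issued here -- confirm the
        # table's access controls.
        pkey_pem = rsa.as_pem(None)
        x509_pem = x509.as_pem()

        cu.execute("""INSERT INTO pki_certificates (
                fingerprint, purpose, is_ca, x509_pem, pkey_pem,
                issuer_fingerprint, ca_serial_index, time_issued, time_expired
                )
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)""",
            fingerprint, purpose, isCA, x509_pem, pkey_pem,
            issuer_fingerprint, 0,
            str(x509.get_not_before()), str(x509.get_not_after()),
            )

        log.info("Created certificate %s for purpose %r%s",
                fingerprint, purpose,
                (issuer_fingerprint and (" (issuer %s)" % issuer_fingerprint)
                    or ""))

        return x509_pem, pkey_pem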