コード例 #1
ファイル: X509Chain.py プロジェクト: DIRACGrid/DIRAC
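    def generateProxyToString(self,
                              lifetime,
                              diracGroup=False,
                              strength=1024,
                              limited=False,
                              proxyKey=False,
                              rfc=True):
        """
        Generate a proxy certificate and return it, its private key and the chain as one PEM blob.

        Check here: https://github.com/eventbrite/m2crypto/blob/master/demo/x509/ca.py#L45

        Args:
            lifetime (int): expected lifetime in seconds of proxy
            diracGroup (str or False): diracGroup to add to the certificate (default False)
            strength (int): length in bits of the RSA pair generated when proxyKey is not given
                            (default 1024); not used when proxyKey is supplied
            limited (bool): Create a limited proxy (default False)
            proxyKey: M2Crypto.EVP.PKey instance with private and public key. If not given, generate one
            rfc: placeholder for backward compatibility and ignored

        :returns: S_OK(PEM encoded string), S_ERROR. The PEM string contains all the certificates in the chain
                  and the private key associated to the last X509Certificate just generated.
                  Layout: new proxy certificate, its private key, then every certificate of this chain
                  in the order they are stored.

        NOTE(security): the private key is serialised WITHOUT a passphrase (cipher=None), so the
        returned value is a bearer credential; callers should keep it out of logs and store it
        only with owner-only permissions.
        NOTE(security): the default strength of 1024 bits is below the 2048-bit minimum of current
        guidance (e.g. NIST SP 800-131A). The default is left untouched so existing callers are not
        affected; new callers should pass strength=2048 or more.
        NOTE(review): an empty self._certList raises IndexError here; presumably the caller or a
        decorator outside this excerpt guarantees a loaded chain and key -- confirm.
        """

        # The first certificate of the chain acts as the issuer of the new proxy.
        issuerCert = self._certList[0]

        if not proxyKey:
            # Generating key is a two step process: create key object and then assign RSA key.
            # This contains both the private and public key
            proxyKey = M2Crypto.EVP.PKey()
            proxyKey.assign_rsa(
                M2Crypto.RSA.gen_key(
                    strength,
                    65537,  # public exponent
                    callback=M2Crypto.util.quiet_genparam_callback))

        # Generate a new X509Certificate object
        proxyExtensions = self.__getProxyExtensionList(diracGroup, limited)
        res = X509Certificate.generateProxyCertFromIssuer(issuerCert,
                                                          proxyExtensions,
                                                          proxyKey,
                                                          lifetime=lifetime)
        if not res["OK"]:
            # Hand the error structure back to the caller unchanged.
            return res
        proxyCert = res["Value"]

        # Sign the proxy with the key object held by this chain (SHA-256 digest)
        proxyCert.sign(self._keyObj, "sha256")

        # Generate the proxy string: proxy certificate followed by its unencrypted private key
        proxyString = b"%s%s" % (
            proxyCert.asPem(),
            proxyKey.as_pem(cipher=None,
                            callback=M2Crypto.util.no_passphrase_callback),
        )
        # Append the whole issuing chain in one join instead of an index loop with
        # repeated bytes concatenation.
        proxyString += b"".join(crt.asPem() for crt in self._certList)
        return S_OK(proxyString)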
コード例 #2
ファイル: X509Chain.py プロジェクト: TaykYoku/DIRAC
    def generateX509ChainFromSSLConnection(sslConnection):
        """Build an X509Chain out of the certificates presented by the TLS peer.

        The peer's own certificate (``get_peer_cert()``) is placed first, followed by
        every certificate returned by ``get_peer_cert_chain()``.

        :param sslConnection: ~M2Crypto.SSL.Connection instance

        :returns: a X509Chain instance
        """
        # NOTE(review): nothing in this function verifies the certificates; it only wraps
        # what the peer sent. Presumably trust was established by the TLS handshake
        # verification settings -- confirm before using the result for authorization.
        # NOTE(review): get_peer_cert_chain() is iterated without a None check, so a peer
        # that presented no chain would presumably raise TypeError here -- confirm that
        # callers only reach this point with an authenticated peer.
        intermediates = [X509Certificate(x509Obj=peerCert)
                         for peerCert in sslConnection.get_peer_cert_chain()]

        # Servers don't receive the whole chain, the last cert comes alone, so the peer
        # certificate is always put in front. The client-mode condition was disabled in
        # the original code, so this happens unconditionally; if the stack already holds
        # the peer certificate it will appear twice -- TODO confirm this is intended.
        leaf = X509Certificate(x509Obj=sslConnection.get_peer_cert())

        return X509Chain(certList=[leaf] + intermediates)
コード例 #3
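 def __certListFromPemString(certString):
   """
   Create certificates list from string. String should contain certificates, just like plain text proxy file.

   Every ``-----BEGIN CERTIFICATE-----`` ... ``-----END CERTIFICATE-----`` block found in
   certString becomes one X509Certificate, in order of appearance. Anything outside those
   markers (for example a private key block) is ignored, and an empty list is returned when
   no complete block is present.

   NOTE(review): this only splits the text; no signature, validity or chain-order check is
   visible here, so the result must not be treated as a verified chain.
   """
   # To get list of X509 certificates (not X509 Certificate Chain) from string it has to be parsed like that
   # (constructors are not able to deal with big string)
   # DOTALL lets "." span newlines, which removes the capture groups and the per-character
   # "(.|\n)" alternation of the previous pattern while matching exactly the same blocks.
   pemBlock = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
   return [X509Certificate(certString=found.group(0)) for found in pemBlock.finditer(certString)]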
コード例 #4
ファイル: X509Chain.py プロジェクト: DIRACGrid/DIRAC
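 def __certListFromPemString(certString):
     """
     Create certificates list from string. String should contain certificates, just like plain text proxy file.

     Every ``-----BEGIN CERTIFICATE-----`` ... ``-----END CERTIFICATE-----`` block found in
     certString becomes one X509Certificate (built from bytes), in order of appearance.
     Anything outside those markers (for example a private key block) is ignored, and an
     empty list is returned when no complete block is present.

     NOTE(review): the input may come from a remote server (see below) and is only split
     here; no signature, validity or chain-order check is visible in this function, so the
     result must not be treated as a verified chain.
     """
     # To get list of X509 certificates (not X509 Certificate Chain) from string it has to be parsed like that
     # (constructors are not able to deal with big string)
     # If the certificate is downloaded from the server it will be a str in Python 3
     if six.PY3 and isinstance(certString, six.string_types):
         certString = certString.encode()
     # Bytes pattern written as a literal instead of encoding a str on every call; DOTALL
     # lets "." span newlines, replacing the capture groups and the per-character "(.|\n)"
     # alternation while matching exactly the same blocks.
     pemBlock = re.compile(br"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
     return [X509Certificate(certString=found.group(0)) for found in pemBlock.finditer(certString)]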