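def generateProxyToString(self, lifetime, diracGroup=False, strength=1024, limited=False, proxyKey=False, rfc=True):
    """Generate a proxy certificate and return it as one PEM string.

    Reference: https://github.com/eventbrite/m2crypto/blob/master/demo/x509/ca.py#L45

    Args:
        lifetime (int): expected lifetime in seconds of the proxy
        diracGroup (str): diracGroup to add to the certificate
        strength (int): length in bits of the RSA key generated when proxyKey is
            not given (default 1024). NOTE(review): 1024-bit RSA is below current
            recommendations; callers should pass a larger value
        limited (bool): create a limited proxy (default False)
        proxyKey: M2Crypto.EVP.PKey instance with private and public key.
            If not given, a fresh key pair is generated
        rfc: placeholder kept for backward compatibility, ignored

    :returns: S_OK(PEM encoded bytes) or S_ERROR. The PEM string holds the new
        proxy certificate, the *unencrypted* private key of that proxy
        (exported with cipher=None), and then every certificate of this chain;
        the result must be handled as a secret.
    """
    issuerCert = self._certList[0]

    if not proxyKey:
        # Two-step key creation: build an EVP.PKey container, then assign a
        # freshly generated RSA key (public exponent 65537) to it.
        proxyKey = M2Crypto.EVP.PKey()
        proxyKey.assign_rsa(
            M2Crypto.RSA.gen_key(strength, 65537, callback=M2Crypto.util.quiet_genparam_callback)
        )

    # Build the proxy certificate from the issuer (first certificate of the chain)
    proxyExtensions = self.__getProxyExtensionList(diracGroup, limited)
    res = X509Certificate.generateProxyCertFromIssuer(issuerCert, proxyExtensions, proxyKey, lifetime=lifetime)
    if not res["OK"]:
        return res
    proxyCert = res["Value"]

    # Sign the new certificate with this chain's own private key
    proxyCert.sign(self._keyObj, "sha256")

    # Assemble the proxy: new certificate, its private key, then the whole chain.
    # A single join avoids repeated bytes concatenation; assumes asPem()/as_pem()
    # return bytes, as the previous b"%s" formatting already required.
    parts = [
        proxyCert.asPem(),
        proxyKey.as_pem(cipher=None, callback=M2Crypto.util.no_passphrase_callback),
    ]
    parts.extend(crt.asPem() for crt in self._certList)
    return S_OK(b"".join(parts))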
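def generateX509ChainFromSSLConnection(sslConnection):
    """Build an X509Chain from the certificates presented by the peer of an SSL connection.

    :param sslConnection: ~M2Crypto.SSL.Connection instance
    :returns: an X509Chain instance whose first element is the peer certificate
        (``get_peer_cert()``) followed by the peer chain (``get_peer_cert_chain()``)
    """
    # Wrap every certificate of the peer chain exactly as received; no
    # validation happens here, this is only what the remote side presented.
    # NOTE(review): M2Crypto may return None from get_peer_cert_chain() /
    # get_peer_cert() when the peer sent no certificate; that case is not
    # handled here -- confirm the intended behaviour with the callers.
    chainCerts = [X509Certificate(x509Obj=cert) for cert in sslConnection.get_peer_cert_chain()]
    # Servers don't receive the whole chain, the last cert comes alone, so the
    # peer's own certificate is always prepended explicitly.
    chainCerts.insert(0, X509Certificate(x509Obj=sslConnection.get_peer_cert()))
    return X509Chain(certList=chainCerts)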
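def __certListFromPemString(certString):
    """Create a list of X509Certificate objects from a PEM string.

    The string should contain certificates, just like a plain text proxy file.
    Only ``-----BEGIN CERTIFICATE-----`` ... ``-----END CERTIFICATE-----`` blocks
    are extracted; any private key or other material in the string is ignored,
    and no validation of the certificates is performed here.

    :param certString: PEM text, possibly several concatenated certificates
    :returns: list of X509Certificate, in order of appearance
    """
    # The X509Certificate constructor cannot deal with a big multi-certificate
    # string, so each PEM block is cut out with a non-greedy match first.
    # [\s\S]*? spans newlines without the per-character alternation of (.|\n)*?
    pemBlock = r"-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----"
    return [X509Certificate(certString=block) for block in re.findall(pemBlock, certString)]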
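def __certListFromPemString(certString):
    """Create a list of X509Certificate objects from a PEM string.

    The string should contain certificates, just like a plain text proxy file.
    Only ``-----BEGIN CERTIFICATE-----`` ... ``-----END CERTIFICATE-----`` blocks
    are extracted; any private key or other material in the string is ignored,
    and no validation of the certificates is performed here.

    :param certString: PEM text (str or bytes), possibly several concatenated
        certificates; a str is UTF-8 encoded on Python 3 before matching
    :returns: list of X509Certificate, in order of appearance
    """
    # If the certificate is downloaded from the server it will be a str in
    # Python 3; the regex below is applied as bytes, so encode the text first.
    if six.PY3 and isinstance(certString, six.string_types):
        certString = certString.encode()
    # The X509Certificate constructor cannot deal with a big multi-certificate
    # string, so each PEM block is cut out with a non-greedy match first.
    # [\s\S]*? spans newlines without the per-character alternation of (.|\n)*?
    pemBlock = r"-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----".encode("utf-8")
    return [X509Certificate(certString=block) for block in re.findall(pemBlock, certString)]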