def _issue_certificate(self, request): '''Issue a new certificate from the Certificate Signing Request passed in the POST'd request @param request: HTTP request @type request: webob.Request @return: new certificate @rtype: string ''' if request.method != 'POST': response = "HTTP Request method not recognised" log.error("HTTP Request method %r not recognised", request.method) raise HTTPMethodNotAllowed(response, headers=[('Allow', 'POST')]) # Extract cert request and convert to standard string - SSL library # will not accept unicode cert_req_key = self.__class__.CERT_REQ_POST_PARAM_KEYNAME str_cert_req = str(request.POST.get(cert_req_key)) if str_cert_req is None: response = ("No %r form variable set in POST message" % cert_req_key) log.error(response) raise HTTPBadRequest(response) log.debug("certificate request = %r", str_cert_req) # TODO: Deprecate PEM cert request support. # Support decoding based on PEM encoded request or similar, base64 # encoded request. The latter is a better approach, support both forms # for now until clients can be updated try: cert_req = crypto.load_certificate_request(crypto.FILETYPE_PEM, str_cert_req) except crypto.Error: # Re-try, this time interpreting the text as a base64 encoded value try: der_cert_req = base64.b64decode(str_cert_req) cert_req = crypto.load_certificate_request(crypto.FILETYPE_ASN1, der_cert_req) except crypto.Error: log.error("Error loading input certificate request: %r", str_cert_req) raise HTTPBadRequest("Error loading input certificate request") subject_name_tmpl = string.Template(self.cert_subject_name_template) subject_name_str = subject_name_tmpl.substitute(**request.environ) subject_name = X509SubjectName.from_string(subject_name_str) subject_name_ = subject_name.as_openssl_x509_subject_name() cert = self.__ca.issue_certificate(cert_req, subject_name_, request.environ) cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) return cert_pem
def lambda_handler(event, context): ca_cert_file = open('/Volumes/home/CA/ca/signing-ca.crt', 'r') ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert_file.read()) ca_cert_file.close() ca_key_file = open('/Volumes/home/CA/ca/root-ca/private/root-ca.key', 'r') ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_file.read(), b'test') ca_key_file.close() crt_req_file = open('asav-3.virl.lan.crt.csr') crt_req = crypto.load_certificate_request(crypto.FILETYPE_PEM, crt_req_file.read()) crt_req_file.close() new_crt_serial = 990099 new_crt = createCertificate(crt_req, ca_cert, ca_key, new_crt_serial, 0, 230400) msgCertificateParameters = crypto.dump_certificate(crypto.FILETYPE_TEXT, new_crt) print(msgCertificateParameters.decode('utf-8')) msgCertificateParameters = crypto.dump_certificate(crypto.FILETYPE_PEM, new_crt) print(msgCertificateParameters.decode('utf-8')) open('asav-3.virl.lan.crt', 'wb').write(crypto.dump_certificate(crypto.FILETYPE_PEM, new_crt)) return
class Handler(BaseHTTPRequestHandler): def do_GET(self): response = "" try: csrs = os.listdir(CSR_DIR) except Exception, e: print "Could not list CSRs (%s)..." % str(e) csrs = [] if len(csrs) == 0: print "No CSRs, waiting..." response += show_refresh() self.send_200() self.wfile.write(show_page(response)) return try: name = os.path.join(CSR_DIR, csrs[0]) print "Loading CSR (%s)..." % name cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, file(name).read()) except Exception, e: print "Could not load CSR (%s)..." % str(e) self.send_404() return
def __init__(self, mixed=None): self.buf = None self.path = NotImplemented self.created = NotImplemented if isinstance(mixed, io.TextIOWrapper): self.path = mixed.name _, _, _, _, _, _, _, _, mtime, _ = os.stat(self.path) self.created = datetime.fromtimestamp(mtime) mixed = mixed.read() if isinstance(mixed, bytes): mixed = mixed.decode("ascii") if isinstance(mixed, str): try: self.buf = mixed mixed = crypto.load_certificate_request(crypto.FILETYPE_PEM, mixed) except crypto.Error: print("Failed to parse:", mixed) raise if isinstance(mixed, crypto.X509Req): self._obj = mixed else: raise ValueError("Can't parse %s as X.509 certificate signing request!" % mixed) assert not self.buf or self.buf == self.dump(), "%s is not %s" % (self.buf, self.dump())
def lambda_handler(event, context): # Whoami and Whatami is important for construction region sensitive ARNs region = context.invoked_function_arn.split(":")[3] account = context.invoked_function_arn.split(":")[4] csr = base64.b64decode(event['headers']['device-csr']) req = load_certificate_request( FILETYPE_PEM, csr ) device_id = req.get_subject().CN response = provision_certificate( csr ) certificate = response['Certificate'] # Send the certificate to AWS IoT. We assume the issuing CA has already # been registered. certificate_arn = deploy_certificate( certificate ) if ( certificate_arn == None ): return None # Create the Thing object and attach to the deployed certificate response = deploy_thing( device_id, certificate_arn ) if ( response == False ): return None # Create the Policy if necessary, and attach the created Policy (or # existing Policy) to the Thing. response = deploy_policy( certificate_arn, region, account ) if ( response == False ): return None # Return the certificate to API Gateway. iot = boto3.client('iot') endpoint = iot.describe_endpoint(endpointType = 'iot:Data-ATS') payload = { 'certificate': certificate, 'endpoint': endpoint['endpointAddress'] } return json.dumps(payload)
def issue_certificate_request(self, order_id, order_meta, plugin_meta, barbican_meta_dto): if barbican_meta_dto.generated_csr is not None: encoded_csr = barbican_meta_dto.generated_csr else: try: encoded_csr = base64.b64decode(order_meta['request_data']) except KeyError: return cert_manager.ResultDTO( cert_manager.CertificateStatus.CLIENT_DATA_ISSUE_SEEN, status_message=u._("No request_data specified")) csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, encoded_csr) ca_id = barbican_meta_dto.plugin_ca_id if ca_id: ca = self.cas.get(ca_id) if ca is None: raise cert_manager.CertificateGeneralException( "Invalid ca_id passed into snake oil plugin:" + ca_id) else: ca = self.ca cert_mgr = CertManager(ca) cert = cert_mgr.make_certificate(csr) cert_enc = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) return cert_manager.ResultDTO( cert_manager.CertificateStatus.CERTIFICATE_GENERATED, certificate=base64.b64encode(cert_enc), intermediates=base64.b64encode(ca.pkcs7))
def test_dump_certificate_request(self): """ L{dump_certificate_request} writes a PEM, DER, and text. """ req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM) dumped_pem = dump_certificate_request(FILETYPE_PEM, req) self.assertEqual(dumped_pem, cleartextCertificateRequestPEM) dumped_der = dump_certificate_request(FILETYPE_ASN1, req) good_der = self._runopenssl(dumped_pem, "req", "-outform", "DER") self.assertEqual(dumped_der, good_der) req2 = load_certificate_request(FILETYPE_ASN1, dumped_der) dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2) self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM) dumped_text = dump_certificate_request(FILETYPE_TEXT, req) good_text = self._runopenssl(dumped_pem, "req", "-noout", "-text") self.assertEqual(dumped_text, good_text)
def lambda_handler(event, context): csr = base64.b64decode(event['headers']['device-csr']) req = load_certificate_request( FILETYPE_PEM, csr ) device_id = req.get_subject().CN response = provision_certificate( csr ) region = context.invoked_function_arn.split(":")[3] account = context.invoked_function_arn.split(":")[4] # Send the certificate to AWS IoT. We assume the issuing CA has already # been registered. if response is None: return None certificate_body = response['certificatePem'] certificate_arn = response['certificateArn'] # Create the Thing object and attach to the deployed certificate response = deploy_thing( device_id, certificate_arn ) # The entire transaction failed, so report failure. if ( response == False ): return None # Create the Policy if necessary, and attach the created Policy (or # existing Policy) to the Thing. deploy_policy( certificate_arn, region, account ) if ( response == False ): return None # Return the certificate to API Gateway. return certificate_body
def req(self): req = _crypto.load_certificate_request(_crypto.FILETYPE_PEM, self.pem) try: req.verify(req.get_pubkey()) except _crypto.Error: raise ValueError("Invalid Request") return req
def handler_getCert(): # Get cert_request from Node serial = request.json['serial'] reqs = request.json['req'] if len(reqs) != 3: print "ERROR - Bad requests array len" return json.dumps({"status": "certError"}) else: obj_req = [] for dump_req in reqs: obj_req.append( crypto.load_certificate_request(crypto.FILETYPE_PEM, dump_req)) # Load CA key and cert ca_key = load_key("/ca.key") ca_cert = load_cert("/ca.cert") dump_ca_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert) # Create Node certificates dump_certs = [] for req in obj_req: cert = create_cert(req, ca_cert, ca_key, serial) dump_certs.append( crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) return json.dumps({ "status": "certOK", "ca_cert": dump_ca_cert, "certs": dump_certs })
def test_csr_generation(self): taxpayer = factories.TaxPayerFactory(key=None) taxpayer.generate_key() csr_file = taxpayer.generate_csr() csr = csr_file.read().decode() self.assertEqual( csr.splitlines()[0], '-----BEGIN CERTIFICATE REQUEST-----' ) self.assertEqual( csr.splitlines()[-1], '-----END CERTIFICATE REQUEST-----' ) loaded_csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr) self.assertIsInstance(loaded_csr, crypto.X509Req) expected_components = [ (b'O', b'John Smith'), (b'CN', b'djangoafip1489537017'), (b'serialNumber', b'CUIT 20329642330'), ] self.assertEqual( expected_components, loaded_csr.get_subject().get_components() )
def load_certificate_request(csr: str) -> dict: try: csr_obj = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr) except crypto.Error: return {} else: return get_x509_subject(csr_obj)
def register(): #### process node info content = request.get_json() control_address = content['control_network_ip'] data_address = content['data_network_ip'] # ssh management for netconf nfs_ssh_key = ssh_key.replace("CONTROL-IP", content['control_network_ip']) ssh_key_file = open("/root/.ssh/known_hosts", "a") ssh_key_file.write(nfs_ssh_key + "\n") ssh_key_file.close() # certificate for node req = "-----BEGIN CERTIFICATE REQUEST-----\n" + content[ 'cert_req'] + "\n-----END CERTIFICATE REQUEST-----" cert_req = crypto.load_certificate_request(crypto.FILETYPE_PEM, req) cert = createCertificate(cert_req, (cacert, cakey), len(registered_nodes), (0, 60 * 60 * 24 * 365 * 10)) # ten years node_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('ascii') node_cert = node_cert[node_cert.find("-----BEGIN CERTIFICATE-----") + 28:node_cert.find("-----END CERTIFICATE-----") - 1] node_certs[control_address] = node_cert registered_nodes.append((control_address, data_address)) app.logger.info(str(control_address) + ":" + str(data_address)) return 'OK'
def _validate_pkcs10_data(self, request_data): """Confirm that the request_data is valid base64 encoded PKCS#10. Base64 decode the request, if it fails raise PayloadDecodingError. Then parse data into the ASN.1 structure defined by PKCS10 and verify the signing information. If parsing of verifying fails, raise InvalidPKCS10Data. """ try: csr_pem = base64.b64decode(request_data) except Exception: raise exception.PayloadDecodingError() try: csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_pem) except Exception: reason = u._("Bad format") raise exception.InvalidPKCS10Data(reason=reason) try: pubkey = csr.get_pubkey() csr.verify(pubkey) except Exception: reason = u._("Signing key incorrect") raise exception.InvalidPKCS10Data(reason=reason)
def finalize(self, CSR_PEM): ''' Retrieve certificate from CA on successful validation :param CSR_PEM: CSR containing all validated domains :param authorization_obj: unnecessary on v1 :return: dictionary containing PEM String of signed certificate and status ''' csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, CSR_PEM) DER_STRING = crypto.dump_certificate_request(crypto.FILETYPE_ASN1, csr) payload = {"resource": "new-cert", "csr": _b64e(DER_STRING)} code, headers, result = self.__sendSignedRequest( CA + "/acme/new-cert", payload) # todo: read response headers, follow for links to other required certificates for chain try: cert_der = crypto.load_certificate(crypto.FILETYPE_ASN1, result) cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert_der) for i in headers['Link'].split(','): cert_der = crypto.load_certificate( crypto.FILETYPE_ASN1, requests.get(_getstringbetweentwostrings(i, '<', '>')[0], timeout=self.__t).content) cert_pem += "\n%s" % crypto.dump_certificate( crypto.FILETYPE_PEM, cert_der) return (True, cert_pem) # return cert_pem; except: return (False, json.loads(result)["detail"])
def load_certificate_request(self, csr): try: csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr) except crypto.Error: return {} else: return self.get_x509_subject(csr)
def _validate_pkcs10_data(self, request_data): """Confirm that the request_data is valid base64 encoded PKCS#10. Base64 decode the request, if it fails raise PayloadDecodingError. Then parse data into the ASN.1 structure defined by PKCS10 and verify the signing information. If parsing of verifying fails, raise InvalidPKCS10Data. """ try: csr_pem = base64.b64decode(request_data) except Exception: raise exception.PayloadDecodingError() try: csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_pem) except Exception: reason = u._("Bad format") raise exception.InvalidPKCS10Data(reason=reason) try: pubkey = csr.get_pubkey() csr.verify(pubkey) except Exception: reason = u._("Signing key incorrect") raise exception.InvalidPKCS10Data(reason=reason)
def req(self): req = _crypto.load_certificate_request(_crypto.FILETYPE_PEM, self.pem) try: req.verify(req.get_pubkey()) except _crypto.Error: raise ValueError("Invalid Request") return req
def _get_csr(self, spkac_str): """ gets a NetscapeSPKI object from the spkac_str or loads a PKCS10 """ # TODO should figure out how to use this # challenge thing (spkac is using md5, so # I guess there should be some time bound) # maybe linked to session or something??? # See https://www.w3.org/Bugs/Public/show_bug.cgi?id=13518 #http://www.w3.org/wiki/Foaf%2Bssl/Clients#Keygen # We could der-decode the spkac and get the challenge from there. spkac_str = re.sub('\s', '', spkac_str) #print('SPKAC PUBKEY=%s' % spkac_str) logging.debug('SPKAC PUBKEY=%s' % spkac_str) if "BEGINIECERTIFICATEREQUEST" in spkac_str: #XXX improve csr type detection (get a flag from view) pkcs10 = spkac_str.replace('-----BEGINIECERTIFICATEREQUEST-----', '').replace( '-----ENDIECERTIFICATEREQUEST-----', '') der = base64.b64decode(pkcs10) self.csr = crypto.load_certificate_request(crypto.FILETYPE_ASN1, der) self.csr_type = "msie" else: self.csr = crypto.NetscapeSPKI(spkac_str) self.csr_type = "spki"
def test_csr_generation(self): taxpayer = fixtures.TaxPayerFactory(key=None) taxpayer.generate_key() csr_file = taxpayer.generate_csr() csr = csr_file.read().decode() self.assertEqual( csr.splitlines()[0], '-----BEGIN CERTIFICATE REQUEST-----' ) self.assertEqual( csr.splitlines()[-1], '-----END CERTIFICATE REQUEST-----' ) loaded_csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr) self.assertIsInstance(loaded_csr, crypto.X509Req) expected_components = [ (b'O', b'John Smith'), (b'CN', b'djangoafip1489537017'), (b'serialNumber', b'CUIT 20329642330'), ] self.assertEqual( expected_components, loaded_csr.get_subject().get_components() )
def __init__(self, csr, index_db_path): """ Create instance of CertificateAuthority and validate CSR :param csr: certificate request :raise CAError: raised in CSR invalid """ self._csr = None try: self.index_db = IndexDB(index_db_path) except DatabaseError as exc: raise CAError(exc) try: self._csr = crypto.load_certificate_request( crypto.FILETYPE_PEM, csr) email = self._csr.get_subject().emailAddress if not email or not email.endswith( DOMAIN): # TODO: improve validation raise CAError( 'Incorrect certificate! Email not found or incorrect!\n' 'Expected [username]{}; Got: {}\n' 'Generate certificate using ca_client.py!'.format( DOMAIN, email)) except crypto.Error as exc: raise CAError(exc)
def requestCertificate(self, token, req): req = crypto.load_certificate_request(crypto.FILETYPE_PEM, req) with self.lock: with self.db: if token: if not self.config.prefix_length: raise HTTPError(httplib.FORBIDDEN) try: token, email, prefix_len, _ = self.db.execute( "SELECT * FROM token WHERE token = ?", (token,)).next() except StopIteration: return self.db.execute("DELETE FROM token WHERE token = ?", (token,)) else: prefix_len = self.config.anonymous_prefix_length if not prefix_len: raise HTTPError(httplib.FORBIDDEN) email = None prefix = self.newPrefix(prefix_len) self.db.execute("UPDATE cert SET email = ? WHERE prefix = ?", (email, prefix)) if self.prefix is None: self.prefix = prefix self.setConfig('prefix', prefix) self.updateNetworkConfig() subject = req.get_subject() subject.serialNumber = str(self.getSubjectSerial()) return self.createCertificate(prefix, subject, req.get_pubkey())
def test_merge_certificate(self, client, **kwargs): cert_name = "mergeCertificate" cert_policy = CertificatePolicy( issuer_name=WellKnownIssuerNames.unknown, subject="CN=MyCert", certificate_transparency=False ) dirname = os.path.dirname(os.path.abspath(__file__)) with open(os.path.abspath(os.path.join(dirname, "ca.key")), "rt") as f: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read()) with open(os.path.abspath(os.path.join(dirname, "ca.crt")), "rt") as f: ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read()) client.begin_create_certificate(certificate_name=cert_name, policy=cert_policy).wait() csr = ( "-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(client.get_certificate_operation(certificate_name=cert_name).csr).decode() + "\n-----END CERTIFICATE REQUEST-----" ) req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr) cert = crypto.X509() cert.set_serial_number(1) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60) # Testing certificates need not be long lived cert.set_issuer(ca_cert.get_subject()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(pkey, "sha256") signed_certificate_bytes = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode().replace("\n", "") signed_certificate_bytes = signed_certificate_bytes.lstrip("-----BEGIN CERTIFICATE-----") signed_certificate_bytes = signed_certificate_bytes.rstrip("-----END CERTIFICATE-----") client.merge_certificate(certificate_name=cert_name, x509_certificates=[signed_certificate_bytes.encode()])
def get_manager_cert(): log('Certificate request from manager %s (user %s)' % ( g.cert['serviceLocator'], g.cert['UID'])) csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, request.files['csr'].read()) return x509cert.create_x509_cert(config_parser.get('conpaas', 'CERT_DIR'), csr)
def test_key_and_csr(self): """ Will write the key an csr on local filesystem. """ key_path, self.test_segments = mk.fs.makePathInTemp() csr_segments = self.test_segments[:] csr_segments[-1] = u'%s.csr' % csr_segments[-1] self.addCleanup(mk.fs.deleteFile, csr_segments) options = self.parseArguments([ self.command_name, '--common-name=domain.com', '--key-file', key_path, '--key-size=512', ]) generate_and_store_csr(options) key_content = mk.fs.getFileContent(self.test_segments) key = crypto.load_privatekey( crypto.FILETYPE_PEM, key_content) self.assertEqual(512, key.bits()) csr_content = mk.fs.getFileContent(csr_segments) csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content) self.assertEqual(u'domain.com', csr.get_subject().CN)
def issue_certificate(cafile, cakey, digest, server_ip): private_key = generate_private_key(crypto.TYPE_RSA, 2048) csr = generate_request(private_key, digest, CN=server_ip) private_key_str = crypto.dump_privatekey(crypto.FILETYPE_PEM, private_key) csr_str = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr) with open(cafile) as cafile: cafile_str = cafile.read() with open(cakey) as cakey: cakey_str = cakey.read() ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, cafile_str) ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, cakey_str) req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_str) cert = crypto.X509() cert.set_subject(req_cert.get_subject()) cert.set_serial_number(1) # before one year ago cert.gmtime_adj_notBefore(-31536000) # after 10 years cert.gmtime_adj_notAfter(315360000) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(req_cert.get_pubkey()) cert.sign(ca_key, digest) server_cert_str = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) with open(server_crt, "w") as server_crt_fd: server_crt_fd.write(server_cert_str) with open(server_key, "w") as server_key_fd: server_key_fd.write(private_key_str) os.system("systemctl daemon-reload") os.system("systemctl restart itpserver")
def _get_csr(self, spkac_str): """ gets a NetscapeSPKI object from the spkac_str or loads a PKCS10 """ # TODO should figure out how to use this # challenge thing (spkac is using md5, so # I guess there should be some time bound) # maybe linked to session or something??? # See https://www.w3.org/Bugs/Public/show_bug.cgi?id=13518 #http://www.w3.org/wiki/Foaf%2Bssl/Clients#Keygen # We could der-decode the spkac and get the challenge from there. spkac_str = re.sub('\s', '', spkac_str) #print('SPKAC PUBKEY=%s' % spkac_str) logging.debug('SPKAC PUBKEY=%s' % spkac_str) if "BEGINIECERTIFICATEREQUEST" in spkac_str: #XXX improve csr type detection (get a flag from view) pkcs10 = spkac_str.replace( '-----BEGINIECERTIFICATEREQUEST-----', '').replace( '-----ENDIECERTIFICATEREQUEST-----', '') der = base64.b64decode(pkcs10) self.csr = crypto.load_certificate_request( crypto.FILETYPE_ASN1, der) self.csr_type = "msie" else: self.csr = crypto.NetscapeSPKI(spkac_str) self.csr_type = "spki"
def load(Class, requestData, requestFormat=crypto.FILETYPE_ASN1): req = crypto.load_certificate_request(requestFormat, requestData) dn = DistinguishedName() dn._copyFrom(req.get_subject()) if not req.verify(req.get_pubkey()): raise VerifyError("Can't verify that request for %r is self-signed." % (dn,)) return Class(req)
def load(Class, requestData, requestFormat=crypto.FILETYPE_ASN1): req = crypto.load_certificate_request(requestFormat, requestData) dn = DistinguishedName() dn._copyFrom(req.get_subject()) if not req.verify(req.get_pubkey()): raise VerifyError("Can't verify that request for %r is self-signed." % (dn,)) return Class(req)
def post(self): logRequestInfo(self.request) action = paramFormat(json.loads(self.request.body)) # check arguments existing if 'csr_body' not in action.keys(): self.write(jsonMessage(-1, "[Request error]: Missing parameters!")) return try: action['csr_body'] = aesCipher.decrypt(action['csr_body']) # 将req中的CommonName作为标识该Req的字段 req = load_certificate_request(FILETYPE_PEM, action['csr_body']) subject = req.get_subject() components = dict(subject.get_components()) action['csr_name'] = components[b'CN'].decode('utf8') except base64.binascii.Error: self.write( jsonMessage( -1, "[Request error]: 'csr_body' field must be base64 type!")) self.finish() return except OpenSSL.crypto.Error: self.write( jsonMessage( -1, "[ERROR]: Wrong certificate request (X509Req) format!")) self.finish() return # 调用生成证书函数 ret = gencert(365, action['csr_name'], action['csr_body']) self.write(ret) self.finish()
def __init__(self, mixed=None): self.buf = None self.path = NotImplemented self.created = NotImplemented if isinstance(mixed, io.TextIOWrapper): self.path = mixed.name _, _, _, _, _, _, _, _, mtime, _ = os.stat(self.path) self.created = datetime.fromtimestamp(mtime) mixed = mixed.read() if isinstance(mixed, bytes): mixed = mixed.decode("ascii") if isinstance(mixed, str): try: self.buf = mixed mixed = crypto.load_certificate_request(crypto.FILETYPE_PEM, mixed) except crypto.Error: print("Failed to parse:", mixed) raise if isinstance(mixed, crypto.X509Req): self._obj = mixed else: raise ValueError("Can't parse %s as X.509 certificate signing request!" % mixed) assert not self.buf or self.buf == self.dump(), "%s is not %s" % (self.buf, self.dump())
def issue_certificate_request(self, order_id, order_meta, plugin_meta, barbican_meta_dto): if barbican_meta_dto.generated_csr is not None: encoded_csr = barbican_meta_dto.generated_csr else: try: encoded_csr = base64.b64decode(order_meta['request_data']) except KeyError: return cert_manager.ResultDTO( cert_manager.CertificateStatus.CLIENT_DATA_ISSUE_SEEN, status_message=u._("No request_data specified")) csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, encoded_csr) ca_id = barbican_meta_dto.plugin_ca_id if ca_id: ca = self.cas.get(ca_id) if ca is None: raise cert_manager.CertificateGeneralException( "Invalid ca_id passed into snake oil plugin:" + ca_id) else: ca = self.ca cert_mgr = CertManager(ca) cert = cert_mgr.make_certificate(csr) cert_enc = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) return cert_manager.ResultDTO( cert_manager.CertificateStatus.CERTIFICATE_GENERATED, certificate=base64.b64encode(cert_enc), intermediates=base64.b64encode(ca.pkcs7))
def __init__(self, country=None, state=None, locality=None, organization=None, organization_unit=None, name=None, email=None, digest="sha1", filename=None): if filename is None: req = crypto.X509Req() subject = req.get_subject() if country: subject.C = country if state: subject.ST = state if locality: subject.L = locality if organization: subject.O = organization if organization_unit: subject.OU = organization_unit if name: subject.CN = name if email: subject.emailAddress = email else: ftype, text = get_type_and_text(filename) req = crypto.load_certificate_request(ftype, text) self._req = req
def create_certificate(issuerKeyPem, issuerCertPem, csrPem, validForDays, serial, version = 0, digest = 'sha1'): """ Create a certificate and return certificate (PEM, text, fingerprint). :param subjectPrivKey: Subject private RSA key in PEM format. :type subjectPrivKey: str :param subjectInfo: Subject information. :type subjectInfo: dict :returns tuple -- (CSR in PEM format, CSR as text). """ issuerKey = crypto.load_privatekey(crypto.FILETYPE_PEM, issuerKeyPem) issuerCert = crypto.load_certificate(crypto.FILETYPE_PEM, issuerCertPem) csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrPem) cert = crypto.X509() cert.set_serial_number(serial) cert.set_version(version) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * validForDays) cert.set_issuer(issuerCert.get_subject()) cert.set_subject(csr.get_subject()) cert.set_pubkey(csr.get_pubkey()) cert.sign(issuerKey, digest) certPem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) certText = '???' certFingerprint = cert.digest(digest) return (certPem, certText, certFingerprint)
def test_post(self): n = 'csr' valid_setup = test_tls.get_valid_setup() yield set_init_params(valid_setup) yield https.PrivKeyFileRes.create_file(1, valid_setup['key']) State.tenant_cache[1].hostname = 'notreal.ns.com' d = { 'country': 'it', 'province': 'regione', 'city': 'citta', 'company': 'azienda', 'department': 'reparto', 'email': 'indrizzio@email', } body = {'name': 'csr', 'content': d} handler = self.request(body, role='admin') yield handler.post(n) response = yield handler.get(n) pem_csr = crypto.load_certificate_request(SSL.FILETYPE_PEM, response) comps = pem_csr.get_subject().get_components() self.assertIn((b'CN', b'notreal.ns.com'), comps) self.assertIn((b'C', b'IT'), comps) self.assertIn((b'L', b'citta'), comps)
def test_key_and_csr(self): """ Will write the key an csr on local filesystem. """ key_path, self.test_segments = mk.fs.makePathInTemp() csr_segments = self.test_segments[:] csr_segments[-1] = u'%s.csr' % csr_segments[-1] self.addCleanup(mk.fs.deleteFile, csr_segments) options = self.parseArguments([ self.command_name, '--common-name=domain.com', '--key-file', key_path, '--key-size=512', ]) generate_and_store_csr(options) key_content = mk.fs.getFileContent(self.test_segments) key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_content) self.assertEqual(512, key.bits()) csr_content = mk.fs.getFileContent(csr_segments) csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content) self.assertEqual(u'domain.com', csr.get_subject().CN)
def create_cert_signed_certificate(self, sign_cert_str, sign_key_str, request_cert_str, hash_alg="sha256", valid_from=0, valid_to=315360000, sn=1, passphrase=None): """ Will sign a certificate request with a give certificate. :param sign_cert_str: This certificate will be used to sign with. Must be a string representation of the certificate. If you only have a file use the method read_str_from_file to get a string representation. :param sign_key_str: This is the key for the ca_cert_str represented as a string. If you only have a file use the method read_str_from_file to get a string representation. :param request_cert_str: This is the prepared certificate to be signed. Must be a string representation of the requested certificate. If you only have a file use the method read_str_from_file to get a string representation. :param hash_alg: Hash algorithm to use for the key. Default is sha256. :param valid_from: When the certificate starts to be valid. Amount of seconds from when the certificate is generated. :param valid_to: How long the certificate will be valid from when it is generated. The value is in seconds. Default is 315360000 seconds, a.k.a 10 years. :param sn: Serial number for the certificate. Default is 1. :param passphrase: Password for the private key in sign_key_str. :return: String representation of the signed certificate. """ ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, sign_cert_str) ca_key = None if passphrase is not None: ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str, passphrase) else: ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str) req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, request_cert_str) cert = crypto.X509() cert.set_subject(req_cert.get_subject()) cert.set_serial_number(sn) cert.gmtime_adj_notBefore(valid_from) cert.gmtime_adj_notAfter(valid_to) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(req_cert.get_pubkey()) cert.sign(ca_key, hash_alg) cert_dump = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) if isinstance(cert_dump, six.string_types): return cert_dump return cert_dump.decode('utf-8')
def load_pending_requests(host=None): result = [] # open each file in the CSR directory - any CSR here has yet to be signed for item in os.listdir(CSR_DIR): try: # make sure it is a CSR filename = "%s/%s" % (CSR_DIR, item) csrstr = open(filename).read() csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrstr) # ignore it if it doesn't match the host we are interested in if host is not None and host != csr.get_subject().commonName: continue result.append({ "host": csr.get_subject().commonName, "filename": filename, "subject": csr.get_subject(), "bits": csr.get_pubkey().bits(), "md5": MD5.new(csrstr.encode()).hexdigest(), "sha256": SHA256.new(csrstr.encode()).hexdigest(), }) except crypto.Error as e: #print(e) pass # sort alphabetically by hostname result.sort(key=lambda x: x["host"]) return result
async def test_merge_certificate(self, vault_client, **kwargs): import base64 from OpenSSL import crypto import os self.assertIsNotNone(vault_client) client = vault_client.certificates cert_name = "mergeCertificate" issuer_name = "Unknown" cert_policy = CertificatePolicyGenerated( issuer_parameters=IssuerParameters(name=issuer_name, certificate_transparency=False), x509_certificate_properties=X509CertificateProperties( subject="CN=MyCert"), ) dirname = os.path.dirname(os.path.abspath(__file__)) with open(os.path.abspath(os.path.join(dirname, "ca.key")), "rt") as f: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read()) with open(os.path.abspath(os.path.join(dirname, "ca.crt")), "rt") as f: ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, f.read()) polling_interval = 0 if self.is_playback() else None # the poller will stop immediately because the issuer is `Unknown` await client.create_certificate( certificate_name=cert_name, policy=CertificatePolicy._from_certificate_policy_bundle( cert_policy), _polling_interval=polling_interval) certificate_operation = await client.get_certificate_operation( certificate_name=cert_name) csr = ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.b64encode(certificate_operation.csr).decode() + "\n-----END CERTIFICATE REQUEST-----") req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr) cert = crypto.X509() cert.set_serial_number(1) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter( 60) # Testing certificates need not be long lived cert.set_issuer(ca_cert.get_subject()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(pkey, "sha256") signed_certificate_bytes = crypto.dump_certificate( crypto.FILETYPE_PEM, cert).decode().replace("\n", "") signed_certificate_bytes = signed_certificate_bytes.lstrip( "-----BEGIN CERTIFICATE-----") signed_certificate_bytes = signed_certificate_bytes.rstrip( "-----END CERTIFICATE-----") await client.merge_certificate( certificate_name=cert_name, x509_certificates=[signed_certificate_bytes.encode()])
def main(event, context): s3 = boto3.resource('s3') try: ca_cert_s3obj = s3.Object('certsigninglambdabucket', 'signing-ca.crt') ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert_s3obj.get()['Body'].read()) except ClientError as e: print(e.message) try: ca_key_s3obj = s3.Object('certsigninglambdabucket', 'root-ca.key') ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_s3obj.get()['Body'].read(), b'test') except ClientError as e: print(e.message) try: crt_req_s3obj = s3.Object( 'certsigninglambdabucket', urllib.unquote_plus(event['Records'][0]['s3']['object']['key'])) crt_req = crypto.load_certificate_request( crypto.FILETYPE_PEM, crt_req_s3obj.get()['Body'].read()) except ClientError as e: print(e.message) new_crt_serial = 990099 new_crt = createCertificate(crt_req, ca_cert, ca_key, new_crt_serial, 0, 230400) msgCertificateParameters = crypto.dump_certificate(crypto.FILETYPE_TEXT, new_crt) print(msgCertificateParameters.decode('utf-8')) msgCertificateParameters = crypto.dump_certificate(crypto.FILETYPE_PEM, new_crt) print(msgCertificateParameters.decode('utf-8')) try: s3.Object( 'certsigninglambdabucket', urllib.unquote_plus( event['Records'][0]['s3']['object']['key'])[:-4]).put( Body=crypto.dump_certificate(crypto.FILETYPE_PEM, new_crt)) except ClientError as e: print(e.message) else: try: crt_req_s3obj = s3.Object( 'certsigninglambdabucket', urllib.unquote_plus( event['Records'][0]['s3']['object']['key'])) crt_req_s3obj.delete() except ClientError as e: print(e.message) return
def get_CSR(self): CSR = None if self.cert_CSR: CSR = crypto.load_certificate_request( crypto.FILETYPE_PEM, self.cert_CSR ) return CSR
def get_CSR(self): CSR = None if self.cert_CSR: CSR = crypto.load_certificate_request( crypto.FILETYPE_PEM, self.cert_CSR ) return CSR
def csr_match_crt(csr, crt): try: x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, crt) except crypto.Error: x509 = crypto.load_certificate(crypto.FILETYPE_PEM, crt) x509req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr) return crypto.dump_privatekey(crypto.FILETYPE_PEM, x509.get_pubkey()) == \ crypto.dump_privatekey(crypto.FILETYPE_PEM, x509req.get_pubkey())
def load_certificate_request(path): """Load the specified certificate signing request.""" try: csr_content = open(path, 'rb').read() csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content) return csr except (IOError, OSError) as exc: raise OpenSSLObjectError(exc)
def createIntermediateCertificate(csr_buffer, CA_CERT_FILE, CA_KEY_FILE): print 'createIntermediateCertificate()' # Load the certificate request, which contains public key and CN csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_buffer) ca_cert = load_cert_from_file(CA_CERT_FILE) ca_key = load_key_from_file(CA_KEY_FILE) cert = createCertificate(csr, (ca_cert, ca_key), 1000, (0, 10 * 365 * 24 * 60 * 60), digest='sha1') return cert
def parseCertReqStr(req): """ Parse a certificate request which is in string form. @param cert: Key in string form, i.e. content of certificate in file form. @type cert: str @return: Parsed certificate request. @rtype: OpenSSL.crypto.X509Req """ return crypto.load_certificate_request(crypto.FILETYPE_PEM, req)
def wait_for_cert(self, csrbuf, with_triggers=True): """ takes csr as a string returns True, caller_cert, ca_cert returns False, '', '' """ try: csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrbuf) except crypto.Error, e: #XXX need to raise a fault here and document it - but false is just as good return False, '', ''
def test_generate_csr(self): cn = "test_cn" # Attempt to generate a CSR csr = local_cert_gen.LocalCertGenerator._generate_csr( cn=cn, private_key=self.ca_private_key, passphrase=self.ca_private_key_passphrase ) # Attempt to load the generated CSR csro = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr) # Make sure the CN is correct self.assertEqual(csro.get_subject().CN, cn)
def signCSR(self, csrData): # Load the CSR from binary input csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, self.data_string) print 'CSR loaded from subject: ', csr.get_subject() # Get data from CSR and insert it into new cert cert = crypto.X509() cert.set_subject(csr.get_subject()) cert.set_serial_number(index_list.next_serial_number()) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(365*24*60*60) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(csr.get_pubkey()) extensions = [] # Set the user certificate to a 'No CA Certificate' basic_constraints_ext = crypto.X509Extension("basicConstraints", False, "CA:FALSE") extensions.append(basic_constraints_ext) cert_type_ext = crypto.X509Extension("nsCertType", False, "server") extensions.append(cert_type_ext) ns_comment_ext = crypto.X509Extension("nsComment", False, "OpenSSL Generated Server Certificate") extensions.append(ns_comment_ext) subj_key_ident_ext = crypto.X509Extension("subjectKeyIdentifier", False, "hash") extensions.append(subj_key_ident_ext) auth_key_ident_ext = crypto.X509Extension("authorityKeyIdentifier", False, "keyid, issuer:always") extensions.append(auth_key_ident_ext) # Set the key usage of the user certificate to 'digitalSignature and keyEncipherment' key_usage_ext = crypto.X509Extension("keyUsage", True, "digitalSignature, keyEncipherment") extensions.append(key_usage_ext) # Set the extended key usage of the user certificate to 'clientAuthentication' extended_key_usage_ext = crypto.X509Extension("extendedKeyUsage", False, "serverAuth") extensions.append(extended_key_usage_ext) # Set the info access path to the OCSP URL authority_info_access_ext = crypto.X509Extension("authorityInfoAccess", False, "OCSP;URI:http://vm02.srvhub.de:3000") extensions.append(authority_info_access_ext) # Add all extensions to the new certificate x509.add_extensions(extensions) # Sign this new cert with the CA cert.sign(ca_key, 'sha512') # Add the new cert to index.txt databse index_list.add_entry(cert)
def __init__(self): cert_buf = resource_string(__name__, self.master_cert_file) cert_req_buf = resource_string(__name__, self.master_cert_req_file) key_buf = resource_string(__name__, self.master_key_file) ft = self.default_filetype key = crypto.load_privatekey(ft, key_buf, self.master_key_password) self.master_key = key crt = crypto.load_certificate(ft, cert_buf) self.master_cert = crt csr = crypto.load_certificate_request(ft, cert_req_buf) self.master_cert_req = csr
def parse_command(self, cmd, body=""): if cmd == "export-crl": """ Generate CRL object based on certificate serial number and revocation timestamp """ crl = crypto.CRL() if body: for line in body.split("\n"): serial_number, timestamp = line.split(":") # TODO: Assert serial against regex revocation = crypto.Revoked() revocation.set_rev_date(datetime.fromtimestamp(int(timestamp)).strftime("%Y%m%d%H%M%SZ").encode("ascii")) revocation.set_reason(b"keyCompromise") revocation.set_serial(serial_number.encode("ascii")) crl.add_revoked(revocation) self.send(crl.export( self.server.certificate, self.server.private_key, crypto.FILETYPE_PEM, self.server.revocation_list_lifetime)) elif cmd == "ocsp-request": NotImplemented # TODO: Implement OCSP elif cmd == "sign-request": request = crypto.load_certificate_request(crypto.FILETYPE_PEM, body) for e in request.get_extensions(): key = e.get_short_name().decode("ascii") if key not in EXTENSION_WHITELIST: raise ValueError("Certificte Signing Request contains extension '%s' which is not whitelisted" % key) # TODO: Potential exploits during PEM parsing? cert = raw_sign( self.server.private_key, self.server.certificate, request, basic_constraints=self.server.basic_constraints, key_usage=self.server.key_usage, extended_key_usage=self.server.extended_key_usage, lifetime=self.server.lifetime) self.send(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) else: raise NotImplementedError("Unknown command: %s" % cmd) self.close_when_done()
def create_certificate(target_dir, ip_address): """Generate a cert and key file incl. IP SAN for `ip_address` Creates a cert.pem and key.pem file signed with a known ca cert. The generated cert will contain a IP SAN (subject alternative name) that includes the ip address of the server. This is required for log-forwarding. :return: tuple containing generated cert, key filepath pair """ ip_address = 'IP:{}'.format(ip_address) key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 2048) csr_contents = generate_csr(target_dir, key, ip_address) req = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_contents) ca_cert = crypto.load_certificate( crypto.FILETYPE_PEM, ca_pem_contents) ca_key = crypto.load_privatekey( crypto.FILETYPE_PEM, ca_key_pem_contents) cert = crypto.X509() cert.set_version(0x2) cert.set_subject(req.get_subject()) cert.set_serial_number(1) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(24 * 60 * 60) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.add_extensions([ crypto.X509Extension('subjectAltName', False, ip_address), crypto.X509Extension( 'extendedKeyUsage', False, 'clientAuth, serverAuth'), crypto.X509Extension( 'keyUsage', True, 'keyEncipherment'), ]) cert.sign(ca_key, "sha256") cert_filepath = os.path.join(target_dir, 'cert.pem') with open(cert_filepath, 'wt') as f: f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) key_filepath = os.path.join(target_dir, 'key.pem') with open(key_filepath, 'wt') as f: f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key)) return (cert_filepath, key_filepath)
def store_request(self, buf, overwrite=False): request = crypto.load_certificate_request(crypto.FILETYPE_PEM, buf) common_name = request.get_subject().CN request_path = os.path.join(self.request_dir, common_name + ".pem") # If there is cert, check if it's the same if os.path.exists(request_path): if open(request_path, "rb").read() != buf: print("Request already exists, not creating new request") raise FileExistsError("Request already exists") else: with open(request_path + ".part", "wb") as fh: fh.write(buf) os.rename(request_path + ".part", request_path) return Request(open(request_path))
def csr_details_view(self, request): try: csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, request.POST['csr']) except Exception as e: return HttpResponseBadRequest(json.dumps({ 'message': str(e), }), content_type='application/json') csr_subject = csr.get_subject() subject = {} for attr in ['C', 'ST', 'L', 'O', 'OU', 'CN', 'E', ]: if hasattr(csr_subject, attr): subject[attr] = getattr(csr_subject, attr) return HttpResponse(json.dumps({ 'subject': subject, }), content_type='application/json')
def _myProxylogon(environ, start_response, username, password): """Wrap MyProxy logon method as a WSGI app @type environ: dict @param environ: WSGI environment variables dictionary @type start_response: function @param start_response: standard WSGI start response function @type username: basestring @param username: username credential to MyProxy logon @type password: basestring @param password: pass-phrase for MyProxy logon call @raise HttpBasicAuthResponseException: invalid client request @raise MyProxyClientMiddlewareError: socket error for backend MyProxy server """ request = Request(environ) requestMethod = environ.get('REQUEST_METHOD') if requestMethod != 'POST': response = "HTTP Request method not recognised" log.error("HTTP Request method %r not recognised", requestMethod) raise HttpBasicAuthResponseException(response, httplib.METHOD_NOT_ALLOWED) # Extract cert request and convert to standard string - SSL library # will not accept unicode cert_req_key = self.__class__.CERT_REQ_POST_PARAM_KEYNAME pem_cert_req = str(request.POST.get(cert_req_key)) if pem_cert_req is None: response = ("No %r form variable set in POST message" % cert_req_key) log.error(response) raise HttpBasicAuthResponseException(response, httplib.BAD_REQUEST) log.debug("cert req = %r", pem_cert_req) # Expecting PEM encoded request try: cert_req = crypto.load_certificate_request(crypto.FILETYPE_PEM, pem_cert_req) except crypto.Error, e: log.error("Error loading input certificate request: %r", pem_cert_req) raise HttpBasicAuthResponseException("Error loading input " "certificate request", httplib.BAD_REQUEST)
def issue_certificate_request(self, order_id, order_meta, plugin_meta, barbican_meta_dto): try: encoded_csr = order_meta['request_data'] except KeyError: return cert_manager.ResultDTO( cert_manager.CertificateStatus.CLIENT_DATA_ISSUE_SEEN, status_message="No request_data specified") csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, encoded_csr) cert = self.cert_manager.make_certificate(csr) cert_enc = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) ca_enc = crypto.dump_certificate(crypto.FILETYPE_PEM, self.ca.cert) return cert_manager.ResultDTO( cert_manager.CertificateStatus.CERTIFICATE_GENERATED, certificate=cert_enc, intermediates=ca_enc)
def load_certificate_signing_request(buf): cert = crypto.load_certificate_request(crypto.FILETYPE_PEM, buf) cert_info = {} cert_info['country'] = cert.get_subject().C cert_info['state'] = cert.get_subject().ST cert_info['city'] = cert.get_subject().L cert_info['organization'] = cert.get_subject().O cert_info['common'] = cert.get_subject().CN cert_info['email'] = cert.get_subject().emailAddress signature_algorithm = cert.get_signature_algorithm() m = re.match('^(.+)[Ww]ith', signature_algorithm) if m: cert_info['digest_algorithm'] = m.group(1).upper() return cert_info
def generate_cert(req_csr_txt, ca_key_txt, ca_crt_txt): ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_txt) ca_crt = crypto.load_certificate(crypto.FILETYPE_PEM, ca_crt_txt) req_csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, req_csr_txt) req_crt = crypto.X509() req_crt.gmtime_adj_notBefore(0) req_crt.gmtime_adj_notAfter(60*60*24*365) req_crt.set_serial_number(1) req_crt.set_issuer(ca_crt.get_subject()) req_crt.set_pubkey(req_csr.get_pubkey()) subj = req_csr.get_subject() subj.commonName = str(uuid.uuid4()) req_crt.set_subject(subj) req_crt.sign(ca_key, 'sha256') return crypto.dump_certificate(crypto.FILETYPE_PEM, req_crt).decode()