def test_revocation_list_builder_serialization(self):
crl = revocation_list_builder([], self.root_certificate)
pem = serialize(crl)
self.assertIn("-----BEGIN X509 CRL-----", pem)
crl_deserialized = x509.load_pem_x509_crl(pem.encode("utf8"),
backend=default_backend())
self.assert_subject(crl_deserialized.issuer, self.root_certificate)
def test_revocation_list_builder_one_cert_passphrase(self):
subject = DistinguishedNameFactory(
countryName=self.root_certificate.dn.countryName,
stateOrProvinceName=self.root_certificate.dn.stateOrProvinceName,
organizationName=self.root_certificate.dn.organizationName,
commonName="BounCA test Int passphrase CA",
)
int_certificate = CertificateFactory(
expires_at=arrow.get(timezone.now()).shift(days=+5).date(),
name="test_server_intermediate_certificate_pass",
type=CertificateTypes.INTERMEDIATE,
parent=self.root_certificate,
dn=subject,
)
with mute_signals(signals.post_save):
int_certificate.save()
int_key = Key().create_key("rsa", 4096)
int_certhandler = Certificate()
int_certhandler.create_certificate(int_certificate,
int_key.serialize())
keystore = KeyStore(certificate=int_certificate)
keystore.crt = int_certhandler.serialize()
keystore.key = int_key.serialize(passphrase="testphrase")
keystore.save()
crl = revocation_list_builder([], int_certificate, "testphrase")
self.assert_subject(crl.issuer, int_certificate)
def generate_certificate_revocation_list(sender, instance, created, **kwargs):
update_fields = kwargs["update_fields"]
if not created and "revoked_uuid" in update_fields:
if instance.type == CertificateTypes.ROOT:
return
if not instance.parent:
RuntimeError(
f"Cannot build revoke list of certificate {instance} without parent"
)
revoked_certs = Certificate.objects.filter(parent=instance.parent,
revoked_at__isnull=False)
crl_list = [(rc.keystore.crt, rc.revoked_at) for rc in revoked_certs
if hasattr(rc, "keystore")]
last_update = instance.parent.crlstore.last_update if hasattr(
instance.parent, "crlstore") else timezone.now()
crl = revocation_list_builder(
crl_list,
instance.parent,
instance.passphrase_issuer,
last_update,
)
if not hasattr(instance.parent, "crlstore"):
crlstore = CrlStore(certificate=instance.parent)
crlstore.crl = serialize(crl)
crlstore.save()
else:
instance.parent.crlstore.crl = serialize(crl)
instance.parent.crlstore.save()
def test_revocation_list_builder_one_cert(self):
cert, pem = self.make_intermediate_certificate()
revoke_date = datetime.today().replace(microsecond=0) - timedelta(
3, 0, 0)
crl = revocation_list_builder([(pem, revoke_date)],
self.root_certificate)
self.assert_subject(crl.issuer, self.root_certificate)
self.assertEqual(
crl.get_revoked_certificate_by_serial_number(
cert.serial_number).revocation_date, revoke_date)
def test_revocation_list_builder_empty(self):
last_update = datetime.today().replace(microsecond=0) - timedelta(
3, 0, 0)
next_update = datetime.today().replace(microsecond=0) + timedelta(
2, 0, 0)
crl = revocation_list_builder(
[],
self.root_certificate,
last_update=last_update,
next_update=next_update,
)
cert, pem = self.make_intermediate_certificate()
self.assert_subject(crl.issuer, self.root_certificate)
self.assertEqual(crl.last_update, last_update)
self.assertEqual(crl.next_update, next_update)
self.assertIsNone(
crl.get_revoked_certificate_by_serial_number(cert.serial_number))
def generate_certificate(sender, instance, created, **kwargs):
if created:
keystore = KeyStore(certificate=instance)
key_size = None
if settings.KEY_ALGORITHM == "rsa":
key_size = 4096 if instance.type in [
CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
] else 2048
key = KeyGenerator().create_key(settings.KEY_ALGORITHM, key_size)
keystore.key = key.serialize(instance.passphrase_out)
certhandler = CertificateGenerator()
certhandler.create_certificate(instance, keystore.key,
instance.passphrase_out,
instance.passphrase_issuer)
keystore.crt = certhandler.serialize()
if instance.type not in [
CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
]:
root_certificate = CertificateGenerator().load(
instance.parent.keystore.crt).certificate
int_certificate = CertificateGenerator().load(
instance.parent.keystore.crt).certificate
keystore.p12 = key.serialize_pkcs12(
instance.name,
certhandler.certificate,
instance.passphrase_out,
cas=[int_certificate, root_certificate])
keystore.save()
if instance.type in [
CertificateTypes.ROOT, CertificateTypes.INTERMEDIATE
]:
crl = revocation_list_builder([], instance,
instance.passphrase_out)
crlstore = CrlStore(certificate=instance)
crlstore.crl = serialize(crl)
crlstore.save()