def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, ca_file, trust_flags): self.import_pkcs12(pkcs12_fname, pkcs12_passwd) server_certs = self.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname) if ca_file: try: with open(ca_file) as fd: certs = fd.read() except IOError as e: raise RuntimeError( "Failed to open %s: %s" % (ca_file, e.strerror)) st = 0 num = 1 while True: try: cert, st = find_cert_from_txt(certs, st) except RuntimeError: break self.add_cert(cert, 'CA %s' % num, EMPTY_TRUST_FLAGS) num += 1 # We only handle one server cert nickname = server_certs[0][0] ca_names = self.find_root_cert(nickname)[:-1] if len(ca_names) == 0: raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname) self.cacert_name = ca_names[-1] self.trust_root_cert(self.cacert_name, trust_flags) self.export_ca_cert(nickname, False)
def create_from_cacert(self): """ Ensure that a CA chain is in the NSS database. If an NSS database already exists ensure that the CA chain we want to load is in there and if not add it. If there is no database then create an NSS database and load the CA chain. """ cacert_fname = paths.IPA_CA_CRT if self.nssdb.exists(): # We already have a cert db, see if it is for the same CA. # If it is we leave things as they are. with open(cacert_fname, "r") as f: newca = f.read() newca, _st = find_cert_from_txt(newca) cacert = self.get_cert_from_db(self.cacert_name) if newca == cacert: return # The CA certificates are different or something went wrong. Start with # a new certificate database. self.create_passwd_file() self.create_certdbs() self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, ca_file, trust_flags): self.import_pkcs12(pkcs12_fname, pkcs12_passwd) server_certs = self.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname) if ca_file: try: with open(ca_file) as fd: certs = fd.read() except IOError as e: raise RuntimeError( "Failed to open %s: %s" % (ca_file, e.strerror)) st = 0 num = 1 while True: try: cert, st = find_cert_from_txt(certs, st) except RuntimeError: break self.add_cert(cert, 'CA %s' % num, EMPTY_TRUST_FLAGS, pem=True) num += 1 # We only handle one server cert nickname = server_certs[0][0] ca_names = self.find_root_cert(nickname)[:-1] if len(ca_names) == 0: raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname) self.cacert_name = ca_names[-1] self.trust_root_cert(self.cacert_name, trust_flags) self.export_ca_cert(nickname, False)
def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None, ca_file=None, trust_flags=None): """Create a new NSS database using the certificates in a PKCS#12 file. pkcs12_fname: the filename of the PKCS#12 file pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file nickname: the nickname/friendly-name of the cert we are loading passwd: The password to use for the new NSS database we are creating The global CA may be added as well in case it wasn't included in the PKCS#12 file. Extra certs won't hurt in any case. The global CA may be specified in ca_file, as a PEM filename. """ self.create_noise_file() self.create_passwd_file(passwd) self.create_certdbs() self.import_pkcs12(pkcs12_fname, pkcs12_passwd) server_certs = self.find_server_certs() if len(server_certs) == 0: raise RuntimeError( "Could not find a suitable server cert in import in %s" % pkcs12_fname) if ca_file: try: with open(ca_file) as fd: certs = fd.read() except IOError as e: raise RuntimeError("Failed to open %s: %s" % (ca_file, e.strerror)) st = 0 num = 1 while True: try: cert, st = find_cert_from_txt(certs, st) except RuntimeError: break self.add_cert(cert, 'CA %s' % num, ',,', pem=True) num += 1 # We only handle one server cert nickname = server_certs[0][0] ca_names = self.find_root_cert(nickname)[:-1] if len(ca_names) == 0: raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname) self.cacert_name = ca_names[-1] self.trust_root_cert(self.cacert_name, trust_flags) self.create_pin_file() self.export_ca_cert(nickname, False)
def nssdb_cert_to_basecertificate(cert_text): from ipapython import certdb from ipalib import x509 cert, _ = certdb.find_cert_from_txt(cert_text, start=0) cert = x509.strip_header(cert) cert = base64.b64decode(cert) cert = x509.load_certificate(cert, x509.DER) return cert
def create_from_cacert(self, cacert_fname, passwd=None): if ipautil.file_exists(self.certdb_fname): # We already have a cert db, see if it is for the same CA. # If it is we leave things as they are. f = open(cacert_fname, "r") newca = f.readlines() f.close() newca = "".join(newca) newca, _st = find_cert_from_txt(newca) cacert = self.get_cert_from_db(self.cacert_name) if cacert != '': cacert, _st = find_cert_from_txt(cacert) if newca == cacert: return # The CA certificates are different or something went wrong. Start with # a new certificate database. self.create_passwd_file(passwd) self.create_certdbs() self.load_cacert(cacert_fname, 'CT,C,C')
def create_from_cacert(self, cacert_fname, passwd=None): if ipautil.file_exists(self.certdb_fname): # We already have a cert db, see if it is for the same CA. # If it is we leave things as they are. f = open(cacert_fname, "r") newca = f.readlines() f.close() newca = "".join(newca) (newca, st) = find_cert_from_txt(newca) cacert = self.get_cert_from_db(self.cacert_name) if cacert != '': (cacert, st) = find_cert_from_txt(cacert) if newca == cacert: return # The CA certificates are different or something went wrong. Start with # a new certificate database. self.create_passwd_file(passwd) self.create_certdbs() self.load_cacert(cacert_fname, 'CT,C,C')
def create_from_cacert(self): cacert_fname = paths.IPA_CA_CRT if ipautil.file_exists(self.certdb_fname): # We already have a cert db, see if it is for the same CA. # If it is we leave things as they are. with open(cacert_fname, "r") as f: newca = f.read() newca, _st = find_cert_from_txt(newca) cacert = self.get_cert_from_db(self.cacert_name) if cacert != '': cacert, _st = find_cert_from_txt(cacert) if newca == cacert: return # The CA certificates are different or something went wrong. Start with # a new certificate database. self.create_passwd_file() self.create_certdbs() self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None, ca_file=None, trust_flags=None): """Create a new NSS database using the certificates in a PKCS#12 file. pkcs12_fname: the filename of the PKCS#12 file pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file nickname: the nickname/friendly-name of the cert we are loading passwd: The password to use for the new NSS database we are creating The global CA may be added as well in case it wasn't included in the PKCS#12 file. Extra certs won't hurt in any case. The global CA may be specified in ca_file, as a PEM filename. """ self.create_noise_file() self.create_passwd_file(passwd) self.create_certdbs() self.import_pkcs12(pkcs12_fname, pkcs12_passwd) server_certs = self.find_server_certs() if len(server_certs) == 0: raise RuntimeError("Could not find a suitable server cert in import in %s" % pkcs12_fname) if ca_file: try: with open(ca_file) as fd: certs = fd.read() except IOError as e: raise RuntimeError( "Failed to open %s: %s" % (ca_file, e.strerror)) st = 0 num = 1 while True: try: cert, st = find_cert_from_txt(certs, st) except RuntimeError: break self.add_cert(cert, 'CA %s' % num, ',,', pem=True) num += 1 # We only handle one server cert nickname = server_certs[0][0] ca_names = self.find_root_cert(nickname)[:-1] if len(ca_names) == 0: raise RuntimeError("Could not find a CA cert in %s" % pkcs12_fname) self.cacert_name = ca_names[-1] self.trust_root_cert(self.cacert_name, trust_flags) self.create_pin_file() self.export_ca_cert(nickname, False)
def get_cert_from_db(self, nickname, pem=True): """ Retrieve a certificate from the current NSS database for nickname. pem controls whether the value returned PEM or DER-encoded. The default is the data straight from certutil -a. """ try: args = ["-L", "-n", nickname, "-a"] (cert, err, returncode) = self.run_certutil(args) if pem: return cert else: (cert, start) = find_cert_from_txt(cert, start=0) cert = x509.strip_header(cert) dercert = base64.b64decode(cert) return dercert except ipautil.CalledProcessError: return ''
def load_cacert(self, cacert_fname, trust_flags): """ Load all the certificates from a given file. It is assumed that this file creates CA certificates. """ with open(cacert_fname) as f: certs = f.read() st = 0 while True: try: (cert, st) = find_cert_from_txt(certs, st) _rdn, subject_dn = get_cert_nickname(cert) if subject_dn == self.ca_subject: nick = get_ca_nickname(self.realm) else: nick = str(subject_dn) self.nssdb.add_cert(cert, nick, trust_flags) except RuntimeError: break
def load_cacert(self, cacert_fname, trust_flags): """ Load all the certificates from a given file. It is assumed that this file creates CA certificates. """ with open(cacert_fname) as f: certs = f.read() st = 0 while True: try: (cert, st) = find_cert_from_txt(certs, st) _rdn, subject_dn = get_cert_nickname(cert) if subject_dn == self.ca_subject: nick = get_ca_nickname(self.realm) else: nick = str(subject_dn) self.nssdb.add_cert(cert, nick, trust_flags, pem=True) except RuntimeError: break
def load_cacert(self, cacert_fname, trust_flags): """ Load all the certificates from a given file. It is assumed that this file creates CA certificates. """ fd = open(cacert_fname) certs = fd.read() fd.close() ca_dn = DN(('CN', 'Certificate Authority'), self.subject_base) st = 0 while True: try: (cert, st) = find_cert_from_txt(certs, st) _rdn, subject_dn = get_cert_nickname(cert) if subject_dn == ca_dn: nick = get_ca_nickname(self.realm) else: nick = str(subject_dn) self.nssdb.add_cert(cert, nick, trust_flags, pem=True) except RuntimeError: break
def load_cacert(self, cacert_fname, trust_flags): """ Load all the certificates from a given file. It is assumed that this file creates CA certificates. """ fd = open(cacert_fname) certs = fd.read() fd.close() ca_dn = DN(('CN','Certificate Authority'), self.subject_base) st = 0 while True: try: (cert, st) = find_cert_from_txt(certs, st) (rdn, subject_dn) = get_cert_nickname(cert) if subject_dn == ca_dn: nick = get_ca_nickname(self.realm) else: nick = str(subject_dn) self.nssdb.add_cert(cert, nick, trust_flags, pem=True) except RuntimeError: break