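def upload(pending_certificate_id, **kwargs):
    """
    Uploads a (signed) pending certificate.

    The allowed fields are validated by PendingCertificateUploadInputSchema.
    The certificate is also validated to be signed by the correct authority
    before anything is persisted: the uploaded chain (if any) is extended with
    the authority's own certificate and the whole path is verified.

    :param pending_certificate_id: id of the pending certificate being resolved
    :param kwargs: the validated upload fields; ``body`` is the PEM certificate,
        ``chain`` (optional) the PEM intermediates supplied by the uploader
    :return: the pending certificate as returned by ``update`` once the
        resolved certificate has been linked to it
    """
    pending_cert = get(pending_certificate_id)
    partial_cert = kwargs
    # ``chain`` is optional on upload: a missing key is treated like an empty
    # chain instead of failing with KeyError before any validation has run.
    uploaded_chain = partial_cert.get("chain")
    authority = authorities_service.get(pending_cert.authority.id)

    # Construct the chain for cert validation. The authority's own certificate
    # is always the anchor, so whatever was uploaded must lead up to it.
    if uploaded_chain:
        chain = uploaded_chain + "\n" + authority.authority_certificate.body
    else:
        chain = authority.authority_certificate.body

    parsed_chain = parse_cert_chain(chain)

    # Check that the certificate is actually signed by the CA to avoid incorrect
    # cert pasting: a certificate issued by an unrelated CA must not resolve
    # this pending entry.
    validators.verify_cert_chain([parse_certificate(partial_cert["body"])] + parsed_chain)

    final_cert = create_certificate(pending_cert, partial_cert, pending_cert.user)

    # Link the resolved certificate first, then mark the pending entry resolved;
    # the linked record is what the caller receives.
    pending_cert_final_result = update(pending_cert.id, resolved_cert_id=final_cert.id)
    update(pending_cert.id, resolved=True)

    log_service.audit_log("resolve_pending_certificate", pending_cert.name, "Resolved the pending certificate")
    return pending_cert_final_result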
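def validate_cert_private_key_chain(self, data):
    """
    Schema-level check that body, private key and chain agree with each other.

    Each PEM field is parsed on its own and a parse failure is reported as a
    ValidationError on that field. The key is then checked against the
    certificate and the certificate against its chain.

    :param data: the deserialized input; may contain ``body``, ``private_key``
        and ``chain`` as PEM strings
    :raises ValidationError: if a field does not parse, the key does not match
        the certificate, or the chain does not verify
    """
    cert = None
    key = None

    if data.get("body"):
        try:
            cert = utils.parse_certificate(data["body"])
        except ValueError as err:
            raise ValidationError(
                "Public certificate presented is not valid.", field_names=["body"]
            ) from err

    if data.get("private_key"):
        try:
            key = utils.parse_private_key(data["private_key"])
        except ValueError as err:
            raise ValidationError(
                "Private key presented is not valid.", field_names=["private_key"]
            ) from err

    if cert and key:
        # Throws ValidationError
        validators.verify_private_key_match(key, cert)

    if data.get("chain"):
        try:
            chain = utils.parse_cert_chain(data["chain"])
        except ValueError as err:
            raise ValidationError(
                "Invalid certificate in certificate chain.", field_names=["chain"]
            ) from err

        # A chain cannot be verified without a parsed leaf certificate; report
        # that on ``body`` instead of handing None to the chain verifier.
        if cert is None:
            raise ValidationError(
                "Public certificate presented is not valid.", field_names=["body"]
            )

        # Throws ValidationError
        validators.verify_cert_chain([cert] + chain)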
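def validate_cert_private_key_chain(self, data):
    """
    Schema-level check that body, private key and chain agree with each other.

    Each PEM field is parsed on its own and a parse failure is reported as a
    ValidationError on that field. The key is then checked against the
    certificate and the certificate against its chain.

    :param data: the deserialized input; may contain ``body``, ``private_key``
        and ``chain`` as PEM strings
    :raises ValidationError: if a field does not parse, the key does not match
        the certificate, or the chain does not verify
    """
    cert = None
    key = None

    if data.get('body'):
        try:
            cert = utils.parse_certificate(data['body'])
        except ValueError as err:
            raise ValidationError(
                "Public certificate presented is not valid.", field_names=['body']
            ) from err

    if data.get('private_key'):
        try:
            key = utils.parse_private_key(data['private_key'])
        except ValueError as err:
            raise ValidationError(
                "Private key presented is not valid.", field_names=['private_key']
            ) from err

    if cert and key:
        # Throws ValidationError
        validators.verify_private_key_match(key, cert)

    if data.get('chain'):
        try:
            chain = utils.parse_cert_chain(data['chain'])
        except ValueError as err:
            raise ValidationError(
                "Invalid certificate in certificate chain.", field_names=['chain']
            ) from err

        # A chain cannot be verified without a parsed leaf certificate; report
        # that on ``body`` instead of handing None to the chain verifier.
        if cert is None:
            raise ValidationError(
                "Public certificate presented is not valid.", field_names=['body']
            )

        # Throws ValidationError
        validators.verify_cert_chain([cert] + chain)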
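def upload(pending_certificate_id, **kwargs):
    """
    Uploads a (signed) pending certificate.

    The allowed fields are validated by PendingCertificateUploadInputSchema.
    The certificate is also validated to be signed by the correct authority
    before anything is persisted: the uploaded chain (if any) is extended with
    the authority's own certificate and the whole path is verified.

    :param pending_certificate_id: id of the pending certificate being resolved
    :param kwargs: the validated upload fields; ``body`` is the PEM certificate,
        ``chain`` (optional) the PEM intermediates supplied by the uploader
    :return: the pending certificate as returned by ``update`` once the
        resolved certificate has been linked to it
    """
    pending_cert = get(pending_certificate_id)
    partial_cert = kwargs
    # ``chain`` is optional on upload: a missing key is treated like an empty
    # chain instead of failing with KeyError before any validation has run.
    uploaded_chain = partial_cert.get('chain')
    authority = authorities_service.get(pending_cert.authority.id)

    # Construct the chain for cert validation. The authority's own certificate
    # is always the anchor, so whatever was uploaded must lead up to it.
    if uploaded_chain:
        chain = uploaded_chain + '\n' + authority.authority_certificate.body
    else:
        chain = authority.authority_certificate.body

    parsed_chain = parse_cert_chain(chain)

    # Check that the certificate is actually signed by the CA to avoid incorrect
    # cert pasting: a certificate issued by an unrelated CA must not resolve
    # this pending entry.
    validators.verify_cert_chain([parse_certificate(partial_cert['body'])] + parsed_chain)

    final_cert = create_certificate(pending_cert, partial_cert, pending_cert.user)

    # Mark the pending entry resolved, then link the final certificate; the
    # linked record is what the caller receives.
    update(
        pending_cert.id,
        resolved=True
    )
    pending_cert_final_result = update(
        pending_cert.id,
        resolved_cert_id=final_cert.id
    )
    return pending_cert_final_result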
def cert_chain_as_der(cert, chain):
    """Return a certificate and its chain in a list format, as expected by pyjks.

    The leaf certificate is first, followed by the chain certificates in the
    order ``parse_cert_chain`` yields them; every entry is DER-encoded bytes.
    """
    # certs (list) – A list of certificates, as byte strings. The first one should be the one belonging to the private
    # key, the others the chain (in correct order).
    parsed = [parse_certificate(cert), *parse_cert_chain(chain)]
    der = serialization.Encoding.DER
    return [x509_cert.public_bytes(encoding=der) for x509_cert in parsed]
def cert_chain_as_der(cert, chain):
    """Return a certificate and its chain in a list format, as expected by pyjks.

    The leaf certificate is first, followed by the chain certificates in the
    order ``parse_cert_chain`` yields them; every entry is DER-encoded bytes.
    """
    leaf = parse_certificate(cert)
    intermediates = parse_cert_chain(chain)

    def to_der(x509_cert):
        return x509_cert.public_bytes(encoding=serialization.Encoding.DER)

    # certs (list) – A list of certificates, as byte strings. The first one should be the one belonging to the private
    # key, the others the chain (in correct order).
    return [to_der(leaf)] + [to_der(c) for c in intermediates]
def check_integrity(self):
    """
    Integrity checks: Does the cert have a valid chain and matching private key?

    Each check runs only when the corresponding PEM (``private_key``, ``chain``)
    is present. Failures surface as AssertionError, the ``error_class`` handed
    to the validators.
    """
    private_key_pem = self.private_key
    if private_key_pem:
        parsed_key = utils.parse_private_key(private_key_pem)
        validators.verify_private_key_match(
            parsed_key, self.parsed_cert, error_class=AssertionError
        )

    chain_pem = self.chain
    if chain_pem:
        # Leaf first, then the intermediates as parsed from the stored chain.
        full_chain = [self.parsed_cert, *utils.parse_cert_chain(chain_pem)]
        validators.verify_cert_chain(full_chain, error_class=AssertionError)
def check_integrity(self):
    """
    Integrity checks: Does the cert have a valid chain and matching private key?

    Each check runs only when the corresponding PEM (``private_key``, ``chain``)
    is present. Failures surface as AssertionError, the ``error_class`` handed
    to the validators.
    """
    leaf = self.parsed_cert
    verify_key = validators.verify_private_key_match
    verify_chain = validators.verify_cert_chain

    if self.private_key:
        key = utils.parse_private_key(self.private_key)
        verify_key(key, leaf, error_class=AssertionError)

    if self.chain:
        # Leaf first, then the intermediates as parsed from the stored chain.
        intermediates = utils.parse_cert_chain(self.chain)
        verify_chain([leaf] + intermediates, error_class=AssertionError)
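def validate_cert_chain(self, data):
    """
    Schema-level check that the certificate body verifies against its chain.

    The body and chain are parsed separately and a parse failure is reported
    as a ValidationError on that field; the chain is then verified against
    the parsed certificate.

    :param data: the deserialized input; may contain ``body`` and ``chain``
        as PEM strings
    :raises ValidationError: if a field does not parse or the chain does not
        verify
    """
    cert = None

    if data.get('body'):
        try:
            cert = utils.parse_certificate(data['body'])
        except ValueError as err:
            raise ValidationError(
                "Public certificate presented is not valid.", field_names=['body']
            ) from err

    if data.get('chain'):
        try:
            chain = utils.parse_cert_chain(data['chain'])
        except ValueError as err:
            raise ValidationError(
                "Invalid certificate in certificate chain.", field_names=['chain']
            ) from err

        # A chain cannot be verified without a parsed leaf certificate; report
        # that on ``body`` instead of handing None to the chain verifier.
        if cert is None:
            raise ValidationError(
                "Public certificate presented is not valid.", field_names=['body']
            )

        # Throws ValidationError
        validators.verify_cert_chain([cert] + chain)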