def delete(self, passphrase):
"""Delete the CertificateAuthority object"""
logger.info( "Certificate %s is going to be deleted" % self.name )
## Container for CA folders to delete
self.remove_chain = []
## Is a revoke required?
revoke_required = True
## Helper function for recusion
def chain_recursion(r_id):
ca = CertificateAuthority.objects.get(pk=r_id)
self.remove_chain.append(ca.name)
## Search for related CA's
child_cas = CertificateAuthority.objects.filter(parent=r_id)
if child_cas:
for ca in child_cas:
chain_recursion(ca.pk)
if not self.parent:
logger.info( "No revoking of certitifcates. %s is a toplevel CA" % self.name )
revoke_required = False
else:
## Collect child CA's and certificates
chain_recursion(self.pk)
logger.info( "Full chain is %s and pf is %s" % (self.remove_chain, self.passphrase))
## Remoke first ca in the chain
if revoke_required:
c_action = OpensslActions(CertificateAuthority.objects.get(pk=self.pk))
c_action.revoke_certificate(passphrase)
c_action.generate_crl(ca=self.parent.name, pf=passphrase)
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='exclude')
## Call the "real" delete function
super(CertificateAuthority, self).delete()
def delete(self, passphrase):
"""Delete the Certificate object"""
## Remoke first ca in the chain
c_action = OpensslActions(Certificate.objects.get(pk=self.pk))
c_action.revoke_certificate(passphrase)
c_action.generate_crl(ca=self.parent.name, pf=passphrase)
## Time for some rm action
a = OpensslActions(self)
a.remove_complete_certificate()
## Call the "real" delete function
super(Certificate, self).delete()
def save(self):
"""Save the Certificate object"""
if self.pk:
if self.action in ('update', 'revoke', 'renew'):
action = OpensslActions(self)
prev = Certificate.objects.get(pk=self.pk)
if self.action == 'update':
## Create or remove DER certificate
if self.der_encoded:
action.generate_der_encoded()
else:
action.remove_der_encoded()
## Create or remove PKCS12 certificate
if self.pkcs12_encoded:
if prev.pkcs12_encoded and prev.pkcs12_passphrase == self.pkcs12_passphrase:
logger.debug( 'PKCS12 passphrase is unchanged. Nothing to do' )
else:
action.generate_pkcs12_encoded()
else:
action.remove_pkcs12_encoded()
self.pkcs12_passphrase = None
prev.pkcs12_passphrase = None
if self.pkcs12_passphrase:
prev.pkcs12_passphrase = md5_constructor(self.pkcs12_passphrase).hexdigest()
else:
prev.pkcs12_passphrase = None
prev.description = self.description
prev.der_encoded = self.der_encoded
prev.pkcs12_encoded = self.pkcs12_encoded
prev.pem_encoded = True
elif self.action == 'revoke':
## Revoke and generate CRL
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.parent_passphrase = None
prev.active = False
prev.der_encoded = False
prev.pem_encoded = False
prev.pkcs12_encoded = False
prev.revoked = datetime.datetime.now()
elif self.action == 'renew':
## Revoke if certificate is active
if not action.get_revoke_status_from_cert():
action.revoke_certificate(self.parent_passphrase)
## Renew and update CRL
action.renew_certificate()
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
prev.expiry_date = datetime.datetime.now() + delta
prev.parent_passphrase = None
prev.active = True
prev.pem_encoded = True
prev.der_encoded = self.der_encoded
prev.pkcs12_encoded = self.pkcs12_encoded
prev.revoked = None
prev.valid_days = self.valid_days
## Get the new serial
prev.serial = action.get_serial_from_cert()
#prev.passphrase = md5_constructor(self.passphrase).hexdigest()
## Save the data
self = prev
self.action = 'update'
super(Certificate, self).save()
else:
## Set creation data
self.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
self.expiry_date = datetime.datetime.now() + delta
## Force instance to be active
self.active = True
logger.info( "***** { New certificate generation: %s } *****" % self.name )
## Generate key and certificate
action = OpensslActions(self)
action.generate_key()
action.generate_csr()
action.sign_csr()
## Get the serial from certificate
self.serial = action.get_serial_from_cert()
self.ca_chain = self.parent.ca_chain
if self.ca_chain == 'self-signed':
self.ca_chain = self.parent.name
self.pem_encoded = True
## Create or remove DER certificate
if self.der_encoded:
action.generate_der_encoded()
else:
action.remove_der_encoded()
## Create or remove PKCS12 certificate
if self.pkcs12_encoded:
action.generate_pkcs12_encoded()
else:
action.remove_pkcs12_encoded()
if self.pkcs12_passphrase:
self.pkcs12_passphrase = md5_constructor(self.pkcs12_passphrase).hexdigest()
## Encrypt passphrase and blank parent's passphrase
if self.passphrase:
self.passphrase = md5_constructor(self.passphrase).hexdigest()
self.parent_passphrase = None
## Save the data
super(Certificate, self).save()
def save(self, force_insert=False, force_update=False):
"""Save the CertificateAuthority object"""
if self.pk:
### existing CA
if self.action in ('update', 'revoke', 'renew'):
action = OpensslActions(self)
prev = CertificateAuthority.objects.get(pk=self.pk)
if self.action == 'update':
## Create or remove DER certificate
if self.der_encoded:
action.generate_der_encoded()
else:
action.remove_der_encoded()
prev.description = self.description
prev.der_encoded = self.der_encoded
elif self.action == 'revoke':
## DB-revoke all related certs
garbage = []
id_dict = { 'cert': [], 'ca': [], }
from pki.views import chain_recursion as r_chain_recursion
r_chain_recursion(self.id, garbage, id_dict)
for i in id_dict['cert']:
x = Certificate.objects.get(pk=i)
x.active = False
x.der_encoded = False
x.pem_encoded = False
x.pkcs12_encoded = False
x.revoked = datetime.datetime.now()
super(Certificate, x).save()
for i in id_dict['ca']:
x = CertificateAuthority.objects.get(pk=i)
x.active = False
x.der_encoded = False
x.pem_encoded = False
x.revoked = datetime.datetime.now()
super(CertificateAuthority, x).save()
## Revoke and generate CRL
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.parent_passphrase = None
prev.active = False
prev.der_encoded = False
prev.pem_encoded = False
prev.revoked = datetime.datetime.now()
elif self.action == 'renew':
## Revoke if certificate is active
if self.parent and not action.get_revoke_status_from_cert():
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='replace')
## Renew certificate and update CRL
if self.parent == None:
action.generate_self_signed_cert()
action.generate_crl(self.name, self.passphrase)
else:
action.renew_certificate()
action.generate_crl(self.parent.name, self.parent_passphrase)
action.update_ca_chain_file()
## Modify fields
prev.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
prev.expiry_date = datetime.datetime.now() + delta
prev.valid_days = self.valid_days
prev.parent_passphrase = None
prev.active = True
prev.pem_encoded = True
prev.der_encoded = self.der_encoded
prev.revoked = None
## Get the new serial
prev.serial = action.get_serial_from_cert()
#prev.passphrase = md5_constructor(self.passphrase).hexdigest()
## Save the data
self = prev
self.action = 'update'
super(CertificateAuthority, self).save()
else:
raise Exception( 'Invalid action %s supplied' % self.action )
else:
## Set creation data
self.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
self.expiry_date = datetime.datetime.now() + delta
## Force instance to be active
self.active = True
## Reset the action
self.action = 'update'
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='append')
## Generate keys and certificates
action = OpensslActions(self)
action.generate_key()
if not self.parent:
action.generate_self_signed_cert()
else:
action.generate_csr()
action.sign_csr()
if self.der_encoded:
action.generate_der_encoded()
## Generate CRL
action.generate_crl(self.name, self.passphrase)
## Always enable pem encoded flag
self.pem_encoded = True
## Get the serial from certificate
self.serial = action.get_serial_from_cert()
## Generate ca chain (db field and chain file)
chain = []
chain_str = ''
p = self.parent
if self.parent == None:
chain.append('self-signed')
else:
chain.append( self.common_name )
while p != None:
chain.append(p.common_name)
p = p.parent
chain.reverse()
## Build chain string and file
for i in chain:
if chain_str == '':
chain_str += '%s' % i
else:
chain_str += ' → %s' % i
self.ca_chain = chain_str
action.update_ca_chain_file()
## Encrypt passphrase and blank parent's passphrase
self.passphrase = md5_constructor(self.passphrase).hexdigest()
self.parent_passphrase = None
## Save the data
super(CertificateAuthority, self).save()
