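    def _get_csr(self, spkac_str):
        """
        Parse the browser-supplied certificate request into ``self.csr``.

        ``spkac_str`` is either a Netscape SPKAC blob (``<keygen>`` output)
        or a PEM-armoured PKCS#10 request wrapped in
        ``-----BEGIN IE CERTIFICATE REQUEST-----`` markers (apparently the
        Internet Explorer flavour, hence ``csr_type == "msie"``).  All
        whitespace is stripped first, so the markers are matched in their
        collapsed form.

        Sets ``self.csr`` to the loaded pyOpenSSL object and
        ``self.csr_type`` to ``"msie"`` (PKCS#10) or ``"spki"`` (SPKAC).

        This method only parses.  Neither the SPKAC signature nor the
        PKCS#10 self-signature is verified here, and the SPKAC challenge is
        not checked (see TODO below), so proof of possession of the private
        key is not established by this method -- confirm the caller does
        that before a certificate is issued.
        """
        # TODO should figure out how to use this
        # challenge thing (spkac is using md5, so
        # I guess there should be some time bound)
        # maybe linked to session or something???
        # See https://www.w3.org/Bugs/Public/show_bug.cgi?id=13518
        # http://www.w3.org/wiki/Foaf%2Bssl/Clients#Keygen
        # We could der-decode the spkac and get the challenge from there.

        # Raw pattern: '\s' inside a plain string is an invalid escape
        # sequence (DeprecationWarning today, an error in future Pythons).
        spkac_str = re.sub(r'\s', '', spkac_str)
        # Lazy %-args: the message is only formatted when DEBUG is enabled.
        logging.debug('SPKAC PUBKEY=%s', spkac_str)

        if "BEGINIECERTIFICATEREQUEST" in spkac_str:
            # XXX improve csr type detection (get a flag from view)
            pkcs10 = spkac_str.replace('-----BEGINIECERTIFICATEREQUEST-----',
                                       '').replace(
                                           '-----ENDIECERTIFICATEREQUEST-----',
                                           '')

            # base64.b64decode raises binascii.Error on malformed input and
            # load_certificate_request can raise crypto.Error on a bad DER
            # blob; both propagate to the caller unchanged.
            der = base64.b64decode(pkcs10)
            self.csr = crypto.load_certificate_request(crypto.FILETYPE_ASN1,
                                                       der)
            self.csr_type = "msie"

        else:
            # crypto.NetscapeSPKI only decodes the blob; it does not verify
            # the embedded signature.
            self.csr = crypto.NetscapeSPKI(spkac_str)
            self.csr_type = "spki"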
def create_x509_and_update_cert(user, uuid, pub_key):
    """
    Issue the pending certificate identified by (``user``, ``uuid``).

    Looks up the not-yet-installed ``Cert`` row, strips whitespace from the
    browser-supplied SPKAC ``pub_key``, signs a client certificate for the
    public key it carries, stores the PEM on the row and marks it installed.
    Returns the pyOpenSSL X509 object, or ``None`` when no matching
    uninstalled ``Cert`` exists.

    NOTE(review): ``pub_key`` comes from the client and only its public key
    is extracted; the SPKAC signature (``spki.verify``) is not checked in
    this function, so proof of possession of the private key is not
    established here -- confirm the caller does that before issuance.
    ``crypto.NetscapeSPKI`` raises on a malformed blob; that error is not
    caught here.
    """
    try:
        pending = Cert.objects.get(user=user, uuid=uuid, is_installed=False)
    except Cert.DoesNotExist:
        return None

    # Strip space, tab, LF, CR, NUL and VT before handing the blob to OpenSSL.
    cleaned = re.sub(r'[ \t\n\r\0\x0B]', '', pub_key)

    spki = crypto.NetscapeSPKI(cleaned)
    pending.pub_key = cleaned
    issued = create_signed_client_cert(
        client_public_key=spki.get_pubkey(),
        country=pending.country,
        state=pending.state,
        locality=pending.locality,
        organization=pending.organization,
        organizational_unit=pending.organizational_unit,
        common_name=pending.common_name,
        email=pending.user.email,
        valid_until=pending.valid_until)

    pending.x509 = crypto.dump_certificate(crypto.FILETYPE_PEM, issued)
    pending.is_installed = True
    pending.save()

    return issued
def spkac_x509(spki,
               commonName,
               days,
               emailAddress=None,
               altName=None,
               userid=None):
    """
    Sign a certificate for the public key carried in an SPKAC blob.

    ``spki`` is the raw SPKAC string; it is decoded with
    ``crypto.NetscapeSPKI`` and only its public key is forwarded to
    ``sign`` together with ``commonName``, ``days``, ``emailAddress``,
    ``altName`` and ``userid``.  The second and third positional arguments
    of ``sign`` are passed as ``None``.  Returns whatever ``sign`` returns
    (``sign`` is not visible here; presumably an X509 object).

    Note that the SPKAC signature is not verified in this function.
    """
    request = crypto.NetscapeSPKI(spki)
    public_key = request.get_pubkey()
    return sign(public_key, None, None, commonName, days, emailAddress,
                altName, userid)
def sign_spkac(spki,
               commonName,
               days,
               emailAddress=None,
               altName=None,
               userid=None):
    """
    Sign a certificate for an SPKAC blob and return it PEM-encoded.

    ``spki`` is the raw SPKAC string; its public key is extracted with
    ``crypto.NetscapeSPKI`` and handed to ``sign`` along with
    ``commonName``, ``days``, ``emailAddress``, ``altName`` and ``userid``
    (the second and third positional arguments of ``sign`` are ``None``).
    The resulting X509 object is serialised with ``crypto.dump_certificate``
    in PEM form.

    Note that the SPKAC signature is not verified in this function.
    """
    request = crypto.NetscapeSPKI(spki)
    issued = sign(request.get_pubkey(), None, None, commonName, days,
                  emailAddress, altName, userid)
    pem = crypto.dump_certificate(crypto.FILETYPE_PEM, issued)
    return pem
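def gen_cert_spkac(addr, spkac_str, username):
    """Generate a certificate from SPKAC string.

    Args:
        addr: client address; only recorded in the CA log line.
        spkac_str: SPKAC blob posted by the browser (``str``; encoded to
            bytes for pyOpenSSL).
        username: subject identity passed to ``gen_cert`` and logged.

    Returns:
        The PEM-encoded certificate as ``bytes``.

    Raises:
        ValueError: when the SPKAC challenge does not equal ``p.challenge``
            (or is not an integer), or when the SPKAC signature does not
            verify against its own public key.  ``ValueError`` subclasses
            ``Exception``, so callers catching the former generic
            ``Exception`` keep working.
        Errors from ``c.NetscapeSPKI`` / ``get_challenge_nspki`` on a
            malformed blob propagate unchanged.
    """
    raw = spkac_str.encode()
    spki = c.NetscapeSPKI(raw)

    # The challenge ties this SPKAC to ``p.challenge`` (defined outside this
    # function; presumably the value issued to the client earlier).
    # ``int()`` raises ValueError itself on a non-numeric challenge.
    if p.challenge != int(get_challenge_nspki(raw)):
        raise ValueError('Bad challenge')

    # Proof of possession: the SPKAC signature must verify with the public
    # key it carries.  pyOpenSSL may raise c.Error here instead of returning
    # False; either way an unverifiable request is rejected.
    if not spki.verify(spki.get_pubkey()):
        raise ValueError('Bad SPKAC pubkey')

    pkey = spki.get_pubkey().to_cryptography_key()
    cert_pem = gen_cert(pkey, username).public_bytes(sr.Encoding.PEM)

    # Append-only issuance log: timestamp, client address, subject, method,
    # followed by the certificate itself.
    with open(CA_LOGFILE, 'ab') as logf:
        logf.write(('{} {} {} SPKAC\n'.format(tm.time(), addr,
                                              username)).encode())
        logf.write(cert_pem)

    return cert_pem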