def cmd_ca_sign(self, data):
cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, base64.b64decode(data['cert']))
cert.add_extensions([
OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=SSL.get_ca())
])
capriv = SSL.get_ca_privatekey()
certsigned = SSL.sign(cert, capriv, str(data['digest']))
return 'OK', OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, certsigned)
def show_ca_detail(self):
self.show_ca()
if SSL.check_ca_exist():
print "##################################################"
print "### Detail"
SSL.display_cert(SSL.get_ca())
else:
print "Cannot get details. CA not created yet"
def do_test(self, line):
print LDAP().get_password()
try:
if LDAP().check_dn_exist(SSL.get_ca()):
print "BaseDN : " + LDAP().get_basedn()
print "Connection and require object successful"
elif LDAP().check_dn_exist(SSL.get_ca(), depth=1):
print "Connection successful. Required object need to be created"
else:
print "Connection OK. Require Base DN not exist"
except ldap.CONNECT_ERROR:
print "Unable to connect"
def display_profile(self, profile):
keys = str(Config().config.get("profile_" + profile, "keyusage")).split("|")
print "\tKey Usage"
for (k, v) in SSL.get_key_usage().iteritems():
if k in keys:
print "\t\t%s" % v
keys = str(Config().config.get("profile_" + profile, "extended")).split("|")
print "\tExtended Key Usage"
for (k, v) in SSL.get_extended_key_usage().iteritems():
if k in keys:
print "\t\t%s" % v
def do_generate(self, line):
if " " in line and len(line.split(" ")) == 4:
(proto, port, fqdn, certid) = line.split(" ")
if proto in ("tcp", "udp"):
if 1 < int(port) < 65535:
if SSL.check_cert_exist(certid):
hash = hashlib.sha256(SSL.get_asn_cert_raw(certid)).hexdigest()
print "_%s._%s.%s.\tIN\tTLSA\t3 0 1 ( %s )" % (port, proto, fqdn, hash)
else:
print "*** Certificate does not exist"
else:
print "*** Invalid port number"
else:
print "*** Invalid protocol"
else:
print "generate <proto> <port> <fqdn> <certid>"
def show_ca(self):
for name in Config().config.options("ca"):
value = Config().config.get("ca", name)
print ' %-12s : %s' % (name.title(), value)
if SSL.check_ca_exist():
print "Status : OK"
else:
print "Status : Not Created"
def do_cert(self, line):
if SSL.check_cert_exist(line):
cert = SSL.get_cert(line)
keyusage = ["digitalSignature", "nonRepudiation", "keyEncipherment"]
extendedkeys = ["1.3.6.1.5.5.7.3.9"]
if SSL.cert_equal_to_key_and_extended_key(cert, keyusage, extendedkeys, strict=False):
Config().config.set("ocsp", "cert", line)
else:
print "Certificate is not valid to use with OCSP Responder"
else:
profile = Render.select_profile()
certid = Render.select_cert(profile=profile)
Config().config.set("ocsp", "cert", certid)
if Config().config.getboolean("ocsp", "enable") and len(Config().config.get("ocsp", "cert")) > 0:
Daemons.start_daemon("ocsp")
else:
print "OCSP must be enable and valid certificate for responder must be present"
def do_create(self, line):
if not SSL.check_ca_exist():
self.create_ca()
else:
if raw_input("Do you want to erase current CA ? (y/n) :").lower() == "y":
print "All sub certificates will be resigned"
self.create_ca(force=True)
else:
print "*** CA already created !"
def do_profile(self, line):
if line:
profile = line.split(' ')[0]
else:
profile = raw_input("Profile name : ")
keys_usage = []
extended_keys = []
if Config().config.has_section("profile_" + profile):
keys_usage = str(Config().config.get("profile_" + profile, "keyusage")).split('|')
extended_keys = str(Config().config.get("profile_" + profile, "extended")).split('|')
else:
Config().config.add_section("profile_"+profile)
keys_usage = Render.print_selector(SSL.get_key_usage(), keys_usage)
extended_keys = Render.print_selector(SSL.get_extended_key_usage(), extended_keys)
Config().config.set("profile_" + profile, "keyusage", '|'.join(keys_usage))
Config().config.set("profile_" + profile, "extended", '|'.join(extended_keys))
rep = raw_input("Use LDAP if enable to search subject (y/n) : ")
if "y" in rep:
filter = raw_input("LDAP Filter : ")
Config().config.set("profile_" + profile, "ldap", filter)
else:
Config().config.set("profile_" + profile, "ldap", "false")
def do_revoke(self, line):
if line:
i=0
for cert in SSL.get_all_certificates():
if line == cert['id']:
i = 1
print "Reason : "
reasons = crypto.Revoked().all_reasons()
for (k, v) in enumerate(reasons):
print " %s: %s" % (k, v)
res = raw_input("Select reason : ")
if res.isdigit() and 0 <= int(res) < len(reasons):
revoked = crypto.Revoked()
revoked.set_reason(reasons[int(res)])
revoked.set_serial(hex(cert['cert'].get_serial_number())[2:-1])
revoked.set_rev_date(datetime.utcnow().strftime("%Y%m%d%H%M%S%Z")+"Z")
SSL.add_revoked(revoked)
else:
print "*** Reason is not valid"
if i == 0:
print "*** Certificate not found"
else:
print "revoke <certid>"
def show_cert(self, certid=None):
list = []
if certid:
rawmode = False
if "_" in certid and certid.split("_")[1] == "raw":
rawmode = True
certid = certid.split("_")[0]
i=0
for cert in SSL.get_all_certificates():
if certid == cert['id']:
i = 1
SSL.display_cert(cert['cert'])
if rawmode:
print crypto.dump_certificate(crypto.FILETYPE_PEM, cert['cert'])
if i == 0:
print "*** Certificate not found"
else:
for cert in SSL.get_all_certificates():
state = SSL.get_state_cert(cert['cert'])
list.append((cert['id'], SSL.get_x509_name(cert['cert'].get_subject()), state))
Render.print_table(('ID', 'Subject', 'State'), list)
def do_POST(self):
parsed_path = urlparse.urlparse(self.path)
if self.headers['content-type'] in "application/ocsp-request":
content = self.rfile.read(int(self.headers['content-length']))
request, rest = decoder.decode(content, asn1Spec=rfc2560.OCSPRequest())
tbsRequest = request.getComponentByName('tbsRequest')
reqExt = tbsRequest.getComponentByName('requestExtensions')
#TODO manage multiple request cert
certRequest = tbsRequest.getComponentByName('requestList').getComponentByPosition(0)
reqCert = certRequest.getComponentByName('reqCert')
ocsp_cert_path = SSL.get_cert_path(Config().config.get("ocsp", "cert"))
ocsp_cert_privatekey_path = SSL.get_cert_privatekey_path(Config().config.get("ocsp", "cert"))
ocsp_cert, rt = decoder.decode(
pem.readPemBlocksFromFile(
open(ocsp_cert_path, 'r'), ('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----')
)[1],
asn1Spec=rfc2459.Certificate()
)
pkey = open(ocsp_cert_privatekey_path, "rt").read()
ocsp_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, pkey)
str_pub_key = pem_publickey(ocsp_key)
rsa_key = RSA.importKey(str_pub_key).exportKey(format='DER')
hexrsa = hashlib.sha1(rsa_key).hexdigest()
basic_ocsp_response = rfc2560.BasicOCSPResponse()
tbs_response_data = basic_ocsp_response.setComponentByName('tbsResponseData').getComponentByName('tbsResponseData')
responderid = tbs_response_data.setComponentByName('responderID').getComponentByName('responderID')
responderid.setComponentByName('byKey', hexrsa.decode('hex'))
tbs_response_data.setComponentByName('producedAt', useful.GeneralizedTime("20150728210000Z"))
response_list = tbs_response_data.setComponentByName('responses').getComponentByName('responses')
response = response_list.setComponentByPosition(0).getComponentByPosition(0)
response.setComponentByName('certID', reqCert)
certStatus = response.setComponentByName('certStatus').getComponentByName('certStatus')
certStatus.setComponentByName('good')
response.setComponentByName('thisUpdate', useful.GeneralizedTime("20150728211000Z"))
signalgorithm = basic_ocsp_response.setComponentByName('signatureAlgorithm').getComponentByName('signatureAlgorithm')
signalgorithm.setComponentByName('algorithm', rfc2459.sha1WithRSAEncryption)
signalgorithm.setComponentByName('parameters', b'\x05\x00')
hashsha1 = hashlib.sha1(encoder.encode(tbs_response_data))
sign = OpenSSL.crypto.sign(ocsp_key, hashsha1.digest(), 'sha1')
basic_ocsp_response.setComponentByName('signature', ("'%s'B" % BytesToBin(sign)))
ocsp_response = rfc2560.OCSPResponse()
ocsp_response.setComponentByName('responseStatus', rfc2560.OCSPResponseStatus('successful'))
response_bytes = ocsp_response.setComponentByName('responseBytes').getComponentByName('responseBytes')
response_bytes.setComponentByName('responseType', rfc2560.id_pkix_ocsp_basic)
response_bytes.setComponentByName('response', encoder.encode(basic_ocsp_response))
status_code = 200
else:
ocsp_response = rfc2560.OCSPResponse()
ocsp_response.setComponentByName('responseStatus', rfc2560.OCSPResponseStatus('malformedRequest'))
status_code = 400
self.send_response(status_code)
self.send_header('Content-type', 'application/ocsp-response')
self.end_headers()
self.wfile.write(encoder.encode(ocsp_response))
def show_ca_raw(self):
if SSL.check_ca_exist():
print crypto.dump_certificate(crypto.FILETYPE_PEM, SSL.get_ca())
else:
print "Cannot get details. CA not created yet"
def resigned_all_cert(self):
for certhash in SSL.get_all_certificates():
cert_signed = SSL.sign(certhash['cert'], SSL.get_ca_privatekey(), Config().config.get("cert", "digest"))
SSL.delete_cert(certhash['id'])
SSL.set_cert(cert_signed)
def create_ca(self, force=False):
if Config().config.get("ca", "type") == "subca":
api = API(Config().config.get("ca", "parentca"))
before = datetime.utcnow()
after = before + timedelta(days=Config().config.getint("ca", "validity"))
pkey = SSL.create_key(Config().config.getint("ca", "key_size"))
ca = SSL.create_cert(pkey)
subject = Config().config.get("ca", "base_cn") + "/CN=" + Config().config.get("ca", "name")
subject_x509 = SSL.parse_str_to_x509Name(subject, ca.get_subject())
if Config().config.get("ca", "type") == "rootca":
issuer_x509 = SSL.parse_str_to_x509Name(subject, ca.get_issuer())
if Config().config.get("ca", "email"):
subject_x509.emailAddress = Config().config.get("ca", "email")
if Config().config.get("ca", "type") == "rootca":
issuer_x509.emailAddress = Config().config.get("ca", "email")
ca.set_subject(subject_x509)
if Config().config.get("ca", "type") == "rootca":
ca.set_issuer(issuer_x509)
ca.set_notBefore(before.strftime("%Y%m%d%H%M%S%Z")+"Z")
ca.set_notAfter(after.strftime("%Y%m%d%H%M%S%Z")+"Z")
ca.set_serial_number(int(time() * 1000000))
ca.set_version(2)
bsConst = "CA:TRUE"
if Config().config.getboolean("ca", "isfinal"):
bsConst += ", pathlen:0"
ca.add_extensions([
crypto.X509Extension("basicConstraints", True, bsConst),
crypto.X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
])
if Config().config.get("ca", "type") == "rootca":
ca.add_extensions([
crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca)
])
# if EventManager.hasEvent("new_cert"):
# ca = EventManager.new_cert(ca)
if Config().config.getboolean("crl", "enable"):
crlUri = "URI:" + Config().config.get("crl", "uri")
ca.add_extensions([
crypto.X509Extension("crlDistributionPoints", False, crlUri)
])
if Config().config.getboolean("ocsp", "enable"):
ocspUri = "OCSP;URI:" + Config().config.get("ocsp", "uri")
ca.add_extensions([
crypto.X509Extension("authorityInfoAccess", False, ocspUri)
])
if Config().config.get("ca", "type") == "subca":
data = api.push("ca_sign", {
"digest": Config().config.get("ca", "digest"),
"cert": api.encode_cert(ca)
})
if data['state'] == 'OK':
ca_signed = api.decode_cert(data['response'])
else:
print "Error during sign from remote API of Parent CA"
return False
else:
ca_signed = SSL.sign(ca, pkey, Config().config.get("ca", "digest"))
SSL.set_ca(ca_signed)
SSL.set_ca_privatekey(pkey)
if Config().config.getboolean("ldap", "enable"):
LDAP.add_queue(ca_signed)
if force:
self.resigned_all_cert()
__author__ = 'ferezgaetan'
from Tools import Mailer, SSL
if SSL.generate_crl():
ca = SSL.get_ca()
if ca.get_subject().emailAddress:
mail = Mailer()
mail.to(ca.get_subject().emailAddress)
mail.subject("CRL Creation")
mail.send("CRL file has been created")
def create_cert(self, profile):
before = datetime.utcnow()
after = before + timedelta(days=Config().config.getint("cert", "validity"))
pkey = SSL.create_key(Config().config.getint("cert", "key_size"))
ca = SSL.get_ca()
cert = SSL.create_cert(pkey)
if Config().config.get("ldap", "enable") and "false" not in Config().config.get("profile_" + profile, "ldap"):
print "Search in LDAP"
l = LDAP()
filter = Config().config.get("profile_" + profile, "ldap")
res = l.get_dn(l.get_basedn(), filter, ['cn', 'mail', 'uid'])
listSearch = {}
users = {}
for elt in res:
key = elt[0]
val = elt[1]['cn'][0]
mail = None
if 'mail' in elt[1].keys():
mail = elt[1]['mail'][0]
val = val + " (mail : " + elt[1]['mail'][0] + ")"
listSearch.update({key: val})
users.update({key: {'mail': mail, 'cn': elt[1]['cn'][0]}})
nbr_select = 0
while nbr_select != 1:
userList = Render.print_selector(listSearch)
nbr_select = len(userList)
email = users[userList[0]]['mail']
cn = users[userList[0]]['cn']
subject_array = userList[0].split(',')
subject_array.reverse()
subject_array.pop()
subject = '/'.join(subject_array) + "/CN=" + cn
else:
cn = raw_input("Common Name : ")
email = raw_input("Mail address : ")
subject = Config().config.get("ca", "base_cn") + "/CN=" + cn
subject_x509 = SSL.parse_str_to_x509Name(subject, cert.get_subject())
issuer_x509 = ca.get_subject()
if email:
subject_x509.emailAddress = email
cert.set_subject(subject_x509)
cert.set_issuer(issuer_x509)
cert.set_notBefore(before.strftime("%Y%m%d%H%M%S%Z")+"Z")
cert.set_notAfter(after.strftime("%Y%m%d%H%M%S%Z")+"Z")
cert.set_serial_number(int(time() * 1000000))
cert.set_version(2)
bsConst = "CA:FALSE"
cert.add_extensions([
crypto.X509Extension("basicConstraints", True, bsConst),
crypto.X509Extension("keyUsage", True, SSL.get_key_usage_from_profile(profile)),
crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=cert),
])
cert.add_extensions([
crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca)
])
cert.add_extensions([
crypto.X509Extension("extendedKeyUsage", False, SSL.get_extended_key_usage_from_profile(profile))
])
if Config().config.getboolean("crl", "enable"):
crlUri = "URI:" + Config().config.get("crl", "uri")
cert.add_extensions([
crypto.X509Extension("crlDistributionPoints", False, crlUri)
])
if Config().config.getboolean("ocsp", "enable"):
ocspUri = "OCSP;URI:" + Config().config.get("ocsp", "uri")
cert.add_extensions([
crypto.X509Extension("authorityInfoAccess", False, ocspUri)
])
cert_signed = SSL.sign(cert, SSL.get_ca_privatekey(), Config().config.get("cert", "digest"))
SSL.set_cert(cert_signed)
SSL.set_cert_privatekey(cert_signed, pkey)
if Config().config.getboolean("ldap", "enable"):
LDAP.add_queue(cert_signed)
