def _generate_csr(self): csr = cryptography.x509.CertificateSigningRequestBuilder() try: csr = csr.subject_name(cryptography.x509.Name([ cryptography.x509.NameAttribute(crypto_utils.cryptography_name_to_oid(entry[0]), to_text(entry[1])) for entry in self.subject ])) except ValueError as e: raise CertificateSigningRequestError(e) if self.subjectAltName: csr = csr.add_extension(cryptography.x509.SubjectAlternativeName([ crypto_utils.cryptography_get_name(name) for name in self.subjectAltName ]), critical=self.subjectAltName_critical) if self.keyUsage: params = crypto_utils.cryptography_parse_key_usage_params(self.keyUsage) csr = csr.add_extension(cryptography.x509.KeyUsage(**params), critical=self.keyUsage_critical) if self.extendedKeyUsage: usages = [crypto_utils.cryptography_name_to_oid(usage) for usage in self.extendedKeyUsage] csr = csr.add_extension(cryptography.x509.ExtendedKeyUsage(usages), critical=self.extendedKeyUsage_critical) if self.basicConstraints: params = {} ca, path_length = crypto_utils.cryptography_get_basic_constraints(self.basicConstraints) csr = csr.add_extension(cryptography.x509.BasicConstraints(ca, path_length), critical=self.basicConstraints_critical) if self.ocspMustStaple: try: # This only works with cryptography >= 2.1 csr = csr.add_extension(cryptography.x509.TLSFeature([cryptography.x509.TLSFeatureType.status_request]), critical=self.ocspMustStaple_critical) except AttributeError as dummy: csr = csr.add_extension( cryptography.x509.UnrecognizedExtension(CRYPTOGRAPHY_MUST_STAPLE_NAME, CRYPTOGRAPHY_MUST_STAPLE_VALUE), critical=self.ocspMustStaple_critical ) digest = None if self.digest == 'sha256': digest = cryptography.hazmat.primitives.hashes.SHA256() elif self.digest == 'sha384': digest = cryptography.hazmat.primitives.hashes.SHA384() elif self.digest == 'sha512': digest = cryptography.hazmat.primitives.hashes.SHA512() elif self.digest == 'sha1': digest = cryptography.hazmat.primitives.hashes.SHA1() elif self.digest == 'md5': digest = cryptography.hazmat.primitives.hashes.MD5() # FIXME else: raise CertificateSigningRequestError('Unsupported digest "{0}"'.format(self.digest)) self.request = csr.sign(self.privatekey, digest, self.cryptography_backend) return self.request.public_bytes(cryptography.hazmat.primitives.serialization.Encoding.PEM)
def _check_extenededKeyUsage(extensions): current_usages_ext = _find_extension(extensions, cryptography.x509.ExtendedKeyUsage) current_usages = [str(usage) for usage in current_usages_ext.value] if current_usages_ext else [] usages = [str(crypto_utils.cryptography_name_to_oid(usage)) for usage in self.extendedKeyUsage] if self.extendedKeyUsage else [] if set(current_usages) != set(usages): return False if usages: if current_usages_ext.critical != self.extendedKeyUsage_critical: return False return True
def _generate_crl(self): backend = default_backend() crl = CertificateRevocationListBuilder() try: crl = crl.issuer_name( Name([ NameAttribute( crypto_utils.cryptography_name_to_oid(entry[0]), to_text(entry[1])) for entry in self.issuer ])) except ValueError as e: raise CRLError(e) crl = crl.last_update(self.last_update) crl = crl.next_update(self.next_update) if self.update and self.crl: new_entries = set([ self._compress_entry(entry) for entry in self.revoked_certificates ]) for entry in self.crl: decoded_entry = self._compress_entry( crypto_utils.cryptography_decode_revoked_certificate( entry)) if decoded_entry not in new_entries: crl = crl.add_revoked_certificate(entry) for entry in self.revoked_certificates: revoked_cert = RevokedCertificateBuilder() revoked_cert = revoked_cert.serial_number(entry['serial_number']) revoked_cert = revoked_cert.revocation_date( entry['revocation_date']) if entry['issuer'] is not None: revoked_cert = revoked_cert.add_extension( x509.CertificateIssuer([ crypto_utils.cryptography_get_name(name) for name in self.entry['issuer'] ]), entry['issuer_critical']) if entry['reason'] is not None: revoked_cert = revoked_cert.add_extension( x509.CRLReason(entry['reason']), entry['reason_critical']) if entry['invalidity_date'] is not None: revoked_cert = revoked_cert.add_extension( x509.InvalidityDate(entry['invalidity_date']), entry['invalidity_date_critical']) crl = crl.add_revoked_certificate(revoked_cert.build(backend)) self.crl = crl.sign(self.privatekey, self.digest, backend=backend) return self.crl.public_bytes(Encoding.PEM)
def check(self, perms_required=True): """Ensure the resource is in its desired state.""" state_and_perms = super(CRL, self).check(self.module, perms_required) if not state_and_perms: return False if self.crl is None: return False if self.last_update != self.crl.last_update and not self.ignore_timestamps: return False if self.next_update != self.crl.next_update and not self.ignore_timestamps: return False if self.digest.name != self.crl.signature_hash_algorithm.name: return False want_issuer = [(crypto_utils.cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.issuer] if want_issuer != [(sub.oid, sub.value) for sub in self.crl.issuer]: return False old_entries = [ self._compress_entry( crypto_utils.cryptography_decode_revoked_certificate(cert)) for cert in self.crl ] new_entries = [ self._compress_entry(cert) for cert in self.revoked_certificates ] if self.update: # We don't simply use a set so that duplicate entries are treated correctly for entry in new_entries: try: old_entries.remove(entry) except ValueError: return False else: if old_entries != new_entries: return False return True
def _check_subject(csr): subject = [(crypto_utils.cryptography_name_to_oid(entry[0]), entry[1]) for entry in self.subject] current_subject = [(sub.oid, sub.value) for sub in csr.subject] return set(subject) == set(current_subject)