예제 #1
0
  def asciiprint(self):

    # Convert character sets
    subjectdatalist = []
    issuerdatalist = []
    for attr in X509v1_certattrlist:
      subjectdatalist.append('%-5s: %s' % (attr,string.strip(charset.asn12iso(self.subject.get(attr,'')))))
      issuerdatalist.append('%-5s: %s' % (attr,string.strip(charset.asn12iso(self.issuer.get(attr,'')))))

    return """This certificate belongs to:
%s

This certificate was issued by:
%s

Serial Number: %s

This certificate is valid
from %s until %s.

Certificate Fingerprint:
SHA-1: %s
MD5  : %s
""" % ( \
        string.join(subjectdatalist,'\n'),
        string.join(issuerdatalist,'\n'),
        self.serial,
	self.notBefore,
	self.notAfter,
	self.getfingerprint('sha1'),
	self.getfingerprint('md5'),
       )
예제 #2
0
def GetEntriesbyDN(db_filename,
                   DN=empty_DN_dict,
                   casesensitive=0,
                   onlyvalid=0):

    searchcounter = 0
    searchindex = []
    searchregex = {}

    for i in DN.keys():

        if DN[i] != '':
            searchindex.append(i)
            if not casesensitive:
                DN[i] = string.lower(DN[i])
            searchregex[i] = re.compile(DN[i])
            searchcounter = searchcounter + 1

    if searchcounter == 0:
        return []

    db_file = open(db_filename, 'r')

    found = []

    db_line = string.strip(db_file.readline())

    while db_line:

        db_entry = string.split(db_line, '\t')
        dnfield = SplitDN(db_entry[DB_name])

        matchcounter = 0
        for i in searchindex:
            if dnfield.has_key(i):
                dnfield[i] = charset.asn12iso(dnfield[i])
                if not casesensitive:
                    dnfield[i] = string.lower(dnfield[i])
                matchcounter = matchcounter + (searchregex[i].search(
                    dnfield[i]) != None)

        if matchcounter == searchcounter:
            if onlyvalid:
                if IsValid(db_entry):
                    found.append(db_entry)
            else:
                found.append(db_entry)

        db_line = db_file.readline()[:-1]

    return found
예제 #3
0
    def asciiprint(self):

        # Convert character sets
        subjectdatalist = []
        issuerdatalist = []
        for attr in X509v1_certattrlist:
            subjectdatalist.append(
                '%-5s: %s' %
                (attr,
                 string.strip(charset.asn12iso(self.subject.get(attr, '')))))
            issuerdatalist.append(
                '%-5s: %s' %
                (attr, string.strip(charset.asn12iso(self.issuer.get(attr,
                                                                     '')))))

        return """This certificate belongs to:
%s

This certificate was issued by:
%s

Serial Number: %s

This certificate is valid
from %s until %s.

Certificate Fingerprint:
SHA-1: %s
MD5  : %s
""" % ( \
            string.join(subjectdatalist,'\n'),
            string.join(issuerdatalist,'\n'),
            self.serial,
        self.notBefore,
        self.notAfter,
        self.getfingerprint('sha1'),
        self.getfingerprint('md5'),
           )
예제 #4
0
def GetEntriesbyDN(db_filename,DN=empty_DN_dict,casesensitive=0,onlyvalid=0):

  searchcounter = 0
  searchindex    = []
  searchregex    = {}

  for i in DN.keys():

    if DN[i]!='':
      searchindex.append(i)
      if not casesensitive:
        DN[i]=string.lower(DN[i])
      searchregex[i] = re.compile(DN[i])
      searchcounter  = searchcounter + 1

  if searchcounter==0:
    return[]

  db_file=open(db_filename,'r')

  found = []

  db_line=string.strip(db_file.readline())

  while db_line:

    db_entry = string.split(db_line,'\t')
    dnfield  = SplitDN(db_entry[DB_name])

    matchcounter = 0
    for i in searchindex:
      if dnfield.has_key(i):
        dnfield[i] = charset.asn12iso(dnfield[i])
        if not casesensitive:
	  dnfield[i] = string.lower(dnfield[i])
        matchcounter = matchcounter+(searchregex[i].search(dnfield[i])!=None)

    if matchcounter==searchcounter:
      if onlyvalid:
        if IsValid(db_entry):
          found.append(db_entry)
      else:
        found.append(db_entry)

    db_line=db_file.readline()[:-1]

  return found
예제 #5
0
  ######################################################################

  if not ca.database in processed_ca_databases:

    if os.path.isfile(ca.database):

      processed_ca_databases.append(ca.database)
      # Certificate database not processed up to now
      ca_db = openssl.db.OpenSSLcaDatabaseClass(ca.database)

      # Mark expired certificates in OpenSSL certificate database
      expired_db_entries = ca_db.Expire()
      if expired_db_entries:
        sys.stdout.write('The following entries were marked as expired:\n')
	for db_entry in expired_db_entries:
          sys.stdout.write('%s\n' % (charset.asn12iso(db_entry[DB_name])))

      # Mark expired certificates in OpenSSL certificate database
      expire_treshold=7*86400
      expired_db_entries = ca_db.ExpireWarning(expire_treshold)
      if expired_db_entries:
        sys.stdout.write('The following entries will expire soon:\n')
	for db_entry in expired_db_entries:
          sys.stdout.write('%s, %s, %s\n' % (
	      db_entry[DB_serial],
	      strftime('%Y-%m-%d %H:%M',localtime(mktime(dbtime2tuple(db_entry[DB_exp_date])))),
	      charset.asn12iso(db_entry[DB_name])
	    )
	  )

    else:
예제 #6
0
  sys.stdout.write('*** Processing %s ***\n\n' % (ca_name))

  ca = opensslcnf.getcadata(ca_name)

  if ca.isclientcert() and \
     not ca.database in old_db_filenames and \
     os.path.isfile(ca.database):

    old_db_filenames.append(ca.database)

    certs_found = openssl.db.GetEntriesbyDN(ca.database,certdnfilter,casesensitive=1,onlyvalid=0)

    for cert_entry in certs_found:

      certdn = charset.asn12iso(cert_entry[openssl.db.DB_name])
      certdndict = openssl.db.SplitDN(charset.iso2utf(certdn))
      ldap_filter = filtertemplate % certdndict
      try:
        ldap_result = l.search_s(
	  basedn,
	  ldap.SCOPE_SUBTREE,
	  ldap_filter,
	  ['objectclass','userCertificate;binary','userSMIMECertificate;binary'],
	  0
	)
      except ldap.NO_SUCH_OBJECT:
  	sys.stdout.write('Certificate subject "%s" not found with filter "%s".\n' % (certdn,ldap_filter))
	ldap_result=[]
      except:
	exc_obj,exc_value,exc_traceback = sys.exc_info()
예제 #7
0
    ca_name = ca_names[ca_num]

    ca = opensslcnf.getcadata(ca_name)

    if os.path.isfile(ca.certificate):

        cacert = openssl.cert.X509CertificateClass(ca.certificate)

        # Copy the CA certificate file to directory
        if certdir:

            # Convert character sets
            for dict in [cacert.issuer, cacert.subject]:
                for attr in dict.keys():
                    dict[attr] = charset.asn12iso(dict[attr])

            # New filename for CA cert
            cacert_filename = '%(CN)s_%(OU)s_%(O)s_%(L)s_%(ST)s_%(C)s' % (
                cacert.subject) + os.path.splitext(ca.certificate)[1]
            # Copy the file
            shutil.copyfile(ca.certificate,
                            os.path.join(certdir, cacert_filename))
            # Create appropriate symlink
            symlinkname = os.path.join(certdir, '%s.0' % (cacert.hash))
            try:
                os.symlink(cacert_filename, symlinkname)
            except OSError:
                sys.stderr.write('Warning: Could not create symbolic link.\n')

        # Append CA certificate file to single certificate file
예제 #8
0
    if not (filenotvalid(ca.certificate)
            or filenotvalid(parentca.certificate)):

        sys.stdout.write(
            'Verifying sub-CA certificate %s with issuer certificate %s.\n' %
            (ca.certificate, parentca.certificate))
        rc = os.system('%s verify -verbose -CAfile %s %s' % \
                       (OpenSSLExec,parentca.certificate,ca.certificate))
        if rc:
            sys.stderr.write('Error %d verifying CA cert %s.\n' %
                             (rc, ca.certificate))

        ca_cert = openssl.cert.X509CertificateClass(ca.certificate)

        if not ca_cert.subject.has_key('CN'):
            sys.stderr.write(
                'CA certificate %s has no CN attribute.\nThis might cause weird problems with some software.\n'
                % (ca.certificate))

        for subject_attr in ca_cert.subject.keys():
            if not charset.is_ascii(
                    charset.asn12iso(ca_cert.subject[subject_attr])):
                sys.stderr.write(
                    'CA certificate %s has NON-ASCII attribute %s.\nThis might cause weird problems with some software.\n'
                    % (ca.certificate, subject_attr))

    else:
        sys.stderr.write('Certificate file %s or %s not found.\n' %
                         (ca.certificate, parentca.certificate))
예제 #9
0
    # Text mode

    for ca_name in ca_names:

        ca = opensslcnf.getcadata(ca_name)

        if os.path.isfile(ca.certificate):

            # Parse certificate textual output
            cacert = openssl.cert.X509CertificateClass(ca.certificate)

            # Convert character sets
            subject, issuer = {}, {}
            for attr in ['CN', 'Email', 'OU', 'O', 'L', 'ST', 'C']:
                subject[attr] = string.strip(
                    charset.asn12iso(cacert.subject.get(attr, '')))
                issuer[attr] = string.strip(
                    charset.asn12iso(cacert.issuer.get(attr, '')))

            sys.stdout.write(
                'Subject:\nCommon Name: "%(CN)s"\nOrganizational Unit: "%(OU)s"\nOrganization: "%(O)s"\nLocation: "%(L)s"\nState/Province: "%(ST)s"\nCountry: "%(C)s"\n\n'
                % (subject))
            sys.stdout.write(
                'Issuer:\nCommon Name: "%(CN)s"\nOrganizational Unit: "%(OU)s"\nOrganization: "%(O)s"\nLocation: "%(L)s"\nState/Province: "%(ST)s"\nCountry: "%(C)s"\n\n'
                % (issuer))
            sys.stdout.write('Serial: %s\n' % (cacert.serial))
            sys.stdout.write('Validity: from %s until %s\n' %
                             (cacert.notBefore, cacert.notAfter))
            sys.stdout.write('Hash: %s\n' % (cacert.hash))
            sys.stdout.write('SHA-1 Fingerprint: %s\n' %
                             (cacert.getfingerprint('sha1')))
예제 #10
0
  if ca.signedby:
    if ca.signedby in ca_names:
      parentca = opensslcnf.getcadata(ca.signedby)
    else:
      parentca = None
      sys.stderr.write('CA name "%s" given in signedby parameter of section [%s] not found.\n' % (subca.signedby,subca.sectionname))
  else:
    parentca = ca

  if not (filenotvalid(ca.certificate) or filenotvalid(parentca.certificate)):

    sys.stdout.write('Verifying sub-CA certificate %s with issuer certificate %s.\n' % (ca.certificate,parentca.certificate))
    rc = os.system('%s verify -verbose -CAfile %s %s' % \
                   (OpenSSLExec,parentca.certificate,ca.certificate))
    if rc:
      sys.stderr.write('Error %d verifying CA cert %s.\n' % (rc,ca.certificate))

    ca_cert = openssl.cert.X509CertificateClass(ca.certificate)

    if not ca_cert.subject.has_key('CN'):
      sys.stderr.write('CA certificate %s has no CN attribute.\nThis might cause weird problems with some software.\n' % (ca.certificate))

    for subject_attr in ca_cert.subject.keys():
      if not charset.is_ascii(charset.asn12iso(ca_cert.subject[subject_attr])):
        sys.stderr.write('CA certificate %s has NON-ASCII attribute %s.\nThis might cause weird problems with some software.\n' % (ca.certificate,subject_attr))

  else:
    sys.stderr.write('Certificate file %s or %s not found.\n' % (ca.certificate,parentca.certificate))

예제 #11
0
  ca_name = ca_names[ca_num]

  ca = opensslcnf.getcadata(ca_name)

  if os.path.isfile(ca.certificate):

    cacert = openssl.cert.X509CertificateClass(ca.certificate)

    # Copy the CA certificate file to directory
    if certdir:

      # Convert character sets
      for dict in [cacert.issuer,cacert.subject]:
	for attr in dict.keys():
          dict[attr] = charset.asn12iso(dict[attr])

      # New filename for CA cert
      cacert_filename = '%(CN)s_%(OU)s_%(O)s_%(L)s_%(ST)s_%(C)s' % (cacert.subject) + os.path.splitext(ca.certificate)[1]
      # Copy the file
      shutil.copyfile(ca.certificate,os.path.join(certdir,cacert_filename))
      # Create appropriate symlink
      symlinkname = os.path.join(certdir,'%s.0' % (cacert.hash))
      try:      
        os.symlink(cacert_filename,symlinkname)
      except OSError:
        sys.stderr.write('Warning: Could not create symbolic link.\n')

    # Append CA certificate file to single certificate file
    if certfilename:
      cacertfile = open(ca.certificate,'r')
예제 #12
0
  sys.stdout.write('</CENTER>\n</BODY>\n</HTML>\n')


else:

  # Text mode

  for ca_name in ca_names:

    ca = opensslcnf.getcadata(ca_name)

    if os.path.isfile(ca.certificate):

      # Parse certificate textual output
      cacert = openssl.cert.X509CertificateClass(ca.certificate)

      # Convert character sets
      subject,issuer = {},{}
      for attr in ['CN','Email','OU','O','L','ST','C']:
        subject[attr] = string.strip(charset.asn12iso(cacert.subject.get(attr,'')))
        issuer[attr]  = string.strip(charset.asn12iso(cacert.issuer.get(attr,'')))

      sys.stdout.write('Subject:\nCommon Name: "%(CN)s"\nOrganizational Unit: "%(OU)s"\nOrganization: "%(O)s"\nLocation: "%(L)s"\nState/Province: "%(ST)s"\nCountry: "%(C)s"\n\n' % (subject))
      sys.stdout.write('Issuer:\nCommon Name: "%(CN)s"\nOrganizational Unit: "%(OU)s"\nOrganization: "%(O)s"\nLocation: "%(L)s"\nState/Province: "%(ST)s"\nCountry: "%(C)s"\n\n' % (issuer))
      sys.stdout.write('Serial: %s\n' % (cacert.serial))
      sys.stdout.write('Validity: from %s until %s\n' % (cacert.notBefore,cacert.notAfter))
      sys.stdout.write('Hash: %s\n' % (cacert.hash))
      sys.stdout.write('SHA-1 Fingerprint: %s\n' % (cacert.getfingerprint('sha1')))
      sys.stdout.write('MD5   Fingerprint: %s\n' % (cacert.getfingerprint('md5')))
      sys.stdout.write('\n%s\n\n' % (72*'-'))
예제 #13
0
    PrintUsage('No valid serial number.')

else:
  PrintUsage('You have to provide the serial number of the certificate you want to revoke.')

ca = opensslcnf.getcadata(ca_name)

sys.stdout.write('Searching database %s for certificate %x...\n' % (ca.database,serial))
ca_db = openssl.db.OpenSSLcaDatabaseClass(ca.database)
result = ca_db.GetEntrybySerial(serial)

if result:
  sys.stdout.write("""Found the following certificate:
Serial number: %s
Distinguished Name: %s
""" % (result[DB_serial],charset.asn12iso(result[DB_name])))

  if result[DB_type]==DB_TYPE_REV:
    sys.stdout.write('Certificate already revoked since %s.\n' % strftime('%d.%m.%Y',localtime(mktime(dbtime2tuple(result[DB_rev_date])))))
    sys.exit(0)
  elif result[DB_type]==DB_TYPE_EXP:
    sys.stdout.write('Certificate already expired since %s.\n' % strftime('%d.%m.%Y',localtime(mktime(dbtime2tuple(result[DB_exp_date])))))
    sys.exit(0)
  elif result[DB_type]==DB_TYPE_VAL:
    sys.stdout.write('Valid until %s.\n\nRevoke the certificate? (y/n) ' % strftime('%d.%m.%Y',localtime(mktime(dbtime2tuple(result[DB_exp_date])))))
    answer = sys.stdin.readline()
    if string.lower(string.strip(answer))=='y':
      ca_db.Revoke(serial)
      sys.stdout.write('Certificate %x in %s marked as revoked.\n' % (serial,ca_name))
      # CA's private key present <=> we are on the private CA system
      if os.path.isfile(ca.certificate) and os.path.isfile(ca.private_key):
예제 #14
0
    ca = opensslcnf.getcadata(ca_name)

    if ca.isclientcert() and \
       not ca.database in old_db_filenames and \
       os.path.isfile(ca.database):

        old_db_filenames.append(ca.database)

        certs_found = openssl.db.GetEntriesbyDN(ca.database,
                                                certdnfilter,
                                                casesensitive=1,
                                                onlyvalid=0)

        for cert_entry in certs_found:

            certdn = charset.asn12iso(cert_entry[openssl.db.DB_name])
            certdndict = openssl.db.SplitDN(charset.iso2utf(certdn))
            ldap_filter = filtertemplate % certdndict
            try:
                ldap_result = l.search_s(
                    basedn, ldap.SCOPE_SUBTREE, ldap_filter, [
                        'objectclass', 'userCertificate;binary',
                        'userSMIMECertificate;binary'
                    ], 0)
            except ldap.NO_SUCH_OBJECT:
                sys.stdout.write(
                    'Certificate subject "%s" not found with filter "%s".\n' %
                    (certdn, ldap_filter))
                ldap_result = []
            except:
                exc_obj, exc_value, exc_traceback = sys.exc_info()