def setUp(self):
    """Build a stored Root -> Intermediate -> Edge CA chain, issue one
    server and one user certificate from the edge CA, and wrap the two
    certificates in openssl.Openssl helpers.

    All key material is fixture data for the unit tests: 1024 bit keys and
    the fixed passphrase "1234567890" that CreateCaChain() assigns.
    """
    CreateCaChain()
    self.rca = CertificateAuthority.objects.get(pk=1)
    self.ica = CertificateAuthority.objects.get(pk=2)
    self.eca = CertificateAuthority.objects.get(pk=3)
    openssl.refresh_pki_metadata([self.rca, self.ica, self.eca])

    ## Attributes both edge certificates have in common
    shared = dict(
        country='DE', state='Bavaria', locality='Munich',
        organization='Bozo Clown Inc.', OU='IT', email='*****@*****.**',
        valid_days=365, key_length=1024, expiry_date='', created='',
        revoked=None, active=None, serial=None, ca_chain=None,
        der_encoded=False, pkcs12_encoded=False, pkcs12_passphrase=None,
        parent=self.eca, parent_passphrase="1234567890", passphrase=None,
    )
    server_cert = Certificate(
        common_name='Server Edge Certificate', name='Server_Edge_Certificate',
        description="unit test server edge certificate",
        extension=x509Extension.objects.get(pk=3),
        subjaltname="IP:1.2.3.4, DNS:www1.company.com",
        **shared
    )
    server_cert.save()
    user_cert = Certificate(
        common_name='User Edge Certificate', name='User_Edge_Certificate',
        description="unit test user edge certificate",
        extension=x509Extension.objects.get(pk=4),
        crl_dpoints="URI:https://ca.company.com/ca.crl",
        **shared
    )
    user_cert.save()

    self.srv = Certificate.objects.get(pk=1)
    self.usr = Certificate.objects.get(pk=2)
    self.srv_openssl = openssl.Openssl(self.srv)
    self.usr_openssl = openssl.Openssl(self.usr)
def CreateCaChain():
    """Create a 3 level CA chain

    Empties PKI_DIR, then stores Root CA -> Intermediate CA -> Edge CA
    (pks 1, 2 and 3).  Keys are 1024 bit and every passphrase is
    '1234567890': fixture values for the unit tests, nothing else.
    """
    ## Reset PKI_DIR
    openssl.refresh_pki_metadata([])

    ## Attributes shared by all three CA objects
    base = dict(
        country='DE', state='Bavaria', organization='Bozo Clown Inc.',
        email='*****@*****.**', key_length=1024, expiry_date='', created='',
        revoked=None, active=None, serial=None, ca_chain=None,
        der_encoded=False, passphrase='1234567890',
    )

    ## Root CA object (self-signed)
    root = CertificateAuthority(
        common_name='Root CA', name='Root_CA', description="unit test",
        locality='Munich', OU='IT', valid_days=1000, parent=None,
        extension=x509Extension.objects.get(pk=1),
        **base
    )
    root.save()
    rca = CertificateAuthority.objects.get(pk=1)

    ## Intermediate CA object, signed by the root
    intermediate = CertificateAuthority(
        common_name='Intermediate CA', name='Intermediate_CA',
        description="unit test IM CA", locality='Berlin', OU=None,
        valid_days=365, parent=rca, parent_passphrase="1234567890",
        extension=x509Extension.objects.get(pk=1),
        **base
    )
    intermediate.save()
    ica = CertificateAuthority.objects.get(pk=2)

    ## Edge CA object (RootCA->IntermediateCA->SubCA), signed by the intermediate
    edge = CertificateAuthority(
        common_name='Edge CA', name='Edge_CA', description="unit test edge CA",
        locality='Munich', OU='IT', valid_days=365, parent=ica,
        parent_passphrase="1234567890",
        extension=x509Extension.objects.get(pk=2),
        **base
    )
    edge.save()
def setUp(self):
    """Prepare an unsaved self-signed Root CA object, its openssl.Openssl
    wrapper, and PKI metadata that knows only this one CA.

    Key size and passphrase are test fixture values.
    """
    self.ca = CertificateAuthority(
        common_name='Root CA',
        name='Root_CA',
        description="unit test",
        country='DE',
        state='Bavaria',
        locality='Munich',
        organization='Bozo Clown Inc.',
        OU='IT',
        email='*****@*****.**',
        valid_days=1000,
        key_length=1024,
        expiry_date='',
        created='',
        revoked=None,
        active=None,
        serial=None,
        ca_chain=None,
        der_encoded=False,
        parent=None,
        passphrase='1234567890',
        extension=x509Extension.objects.get(pk=1),
    )
    self.ca_ssl = openssl.Openssl(self.ca)
    only_this_ca = [self.ca]
    openssl.refresh_pki_metadata(only_this_ca)
def setUp(self):
    '''Create a self-signed RootCA

    Also builds an Intermediate CA under it and a Sub CA under that
    (none of them stored), refreshes the PKI metadata for the three and
    keeps an openssl.OpensslActions helper per CA on self.
    Key sizes and passphrases are fixture values for the tests.
    '''
    ## Attributes all three CA objects share
    base = dict(
        country='DE', state='Bavaria', organization='Bozo Clown Inc.',
        email='*****@*****.**', key_length=1024, expiry_date='', created='',
        revoked=None, active=None, serial=None, ca_chain=None,
        pem_encoded=True, der_encoded=False, passphrase='1234567890',
    )

    ## Root CA object
    self.rca = CertificateAuthority(
        common_name='Root CA', name='Root_CA', description="unit test",
        locality='Munich', OU='IT', valid_days=1000, parent=None,
        subcas_allowed=True,
        **base
    )
    ## Intermediate CA object
    self.ica = CertificateAuthority(
        common_name='Intermediate CA', name='Intermediate_CA',
        description="unit test IM CA", locality='Berlin', OU=None,
        valid_days=365, parent=self.rca, parent_passphrase="1234567890",
        subcas_allowed=True,
        **base
    )
    ## Sub CA object (RootCA->IntermediateCA->SubCA)
    self.sca = CertificateAuthority(
        common_name='Sub CA', name='Sub_CA', description="unit test sub CA",
        locality='Munich', OU='IT', valid_days=365, parent=self.ica,
        parent_passphrase="1234567890", subcas_allowed=False,
        **base
    )

    chain = [self.rca, self.ica, self.sca]
    openssl.refresh_pki_metadata(chain)
    self.rca_action = openssl.OpensslActions(self.rca)
    self.ica_action = openssl.OpensslActions(self.ica)
    self.sca_action = openssl.OpensslActions(self.sca)
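def forwards(self, orm):
    """Populate the ``extension`` foreign key on existing CAs and certificates.

    Mapping (pks are rows of the x509Extension table):
      * CA without a parent, or one with ``subcas_allowed``  -> pk=1
      * any other (edge) CA                                    -> pk=2
      * certificate with a parent, legacy ``cert_extension``
        "v3_server_cert" -> pk=3, "v3_client_cert" -> pk=4
      * self-signed certificate (no parent)                    -> pk=5
    The CA store metadata is rebuilt once every CA has been saved.
    """
    # Only the helper is imported.  Model classes must come from the frozen
    # ``orm`` rather than pki.models, so the migration keeps working after
    # later schema changes.
    from pki.openssl import refresh_pki_metadata

    ## CertificateAuthority migration
    cas = []
    for ca in orm.CertificateAuthority.objects.all():
        # ``ca`` already is the stored row; no second lookup by pk needed.
        if not ca.parent or ca.subcas_allowed:
            ## RootCA or IntermediateCA
            ca.extension = orm.x509Extension.objects.get(pk=1)
        else:
            ## Edge CA
            ca.extension = orm.x509Extension.objects.get(pk=2)
        ca.save()
        cas.append(ca)
    refresh_pki_metadata(cas)

    ## Certificate migration
    for cert in orm.Certificate.objects.all():
        if cert.parent:
            ## Not self-signed: choose by the legacy cert_extension string
            if cert.cert_extension == "v3_server_cert":
                ## Server cert
                cert.extension = orm.x509Extension.objects.get(pk=3)
            elif cert.cert_extension == "v3_client_cert":
                ## Client cert
                cert.extension = orm.x509Extension.objects.get(pk=4)
            # NOTE(review): any other cert_extension value leaves ``extension``
            # as it is and still saves — confirm that is intended.
        else:
            ## Self-signed
            cert.extension = orm.x509Extension.objects.get(pk=5)
        cert.save()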
def pki_refresh_metadata(request): """Rebuild PKI metadate. Renders openssl.conf template and cleans PKI_DIR. """ ca_objects = list(CertificateAuthority.objects.all()) refresh_pki_metadata(ca_objects) messages.info(request, 'Successfully refreshed PKI metadata (%d certificate authorities)' % len(ca_objects)) back = request.META.get('HTTP_REFERER', None) or '/' return HttpResponseRedirect(back)
def setUp(self):
    '''Create a self-signed RootCA

    Runs CreateCaChain(), loads the stored Root, Intermediate and Edge CAs
    (pks 1, 2, 3) onto self together with an openssl.Openssl wrapper for
    each, and refreshes the PKI metadata for the three.
    '''
    CreateCaChain()

    chain = []
    for attr, pk in (('rca', 1), ('ica', 2), ('eca', 3)):
        ca = CertificateAuthority.objects.get(pk=pk)
        setattr(self, attr, ca)
        chain.append(ca)

    for attr in ('rca', 'ica', 'eca'):
        wrapper = openssl.Openssl(getattr(self, attr))
        setattr(self, attr + '_openssl', wrapper)

    openssl.refresh_pki_metadata(chain)
def pki_refresh_metadata(request): """Rebuild PKI metadate. Renders openssl.conf template and cleans PKI_DIR. """ ca_objects = list(CertificateAuthority.objects.all()) refresh_pki_metadata(ca_objects) messages.info( request, 'Successfully refreshed PKI metadata (%d certificate authorities)' % len(ca_objects)) back = request.META.get('HTTP_REFERER', None) or '/' return HttpResponseRedirect(back)
def setUp(self):
    """Log in through the Django test client and create Root, Intermediate
    and Edge CAs plus a server certificate through the admin "add" views.

    The POST dictionaries stay on self so tests can reuse or tweak them.
    Credentials and passphrases are fixture values for the test database.
    """
    openssl.refresh_pki_metadata([])

    ## Form fields every request has in common
    common = {
        'action': 'create', 'description': "unit test", 'country': 'DE',
        'state': 'Bavaria', 'locality': 'Munich',
        'organization': 'Bozo Clown Inc.', 'OU': 'IT',
        'email': '*****@*****.**', 'valid_days': 1000, 'key_length': 1024,
        'der_encoded': False, 'passphrase': '1234567890',
        'passphrase_verify': '1234567890',
    }

    def ext_pk(ext_name):
        return x509Extension.objects.get(name=ext_name).pk

    self.post_data_rca = dict(
        common, common_name='Root CA', name='Root_CA', parent='',
        policy='policy_anything',
        extension=ext_pk("v3_root_or_intermediate_ca"))
    self.post_data_ica = dict(
        common, common_name='Intermediate CA', name='Intermediate_CA',
        parent='1', parent_passphrase='1234567890', policy='policy_anything',
        extension=ext_pk("v3_root_or_intermediate_ca"))
    self.post_data_eca = dict(
        common, common_name='Edge CA', name='Edge', parent='2',
        parent_passphrase='1234567890', policy='policy_anything',
        extension=ext_pk("v3_edge_ca"))
    self.post_data_srv = dict(
        common, common_name='Server cert', name='Server_cert', parent='3',
        parent_passphrase='1234567890',
        extension=ext_pk("v3_edge_cert_server"))
    self.post_data_usr = dict(
        common, common_name='User cert', name='User_cert', parent='3',
        parent_passphrase='1234567890',
        extension=ext_pk("v3_edge_cert_client"))

    self.c = Client()
    self.assertTrue(self.c.login(username="******", password="******"))

    ca_add = '/admin/pki/certificateauthority/add/'
    cert_add = '/admin/pki/certificate/add/'
    # NOTE(review): post_data_usr is built but not posted here — presumably
    # the individual tests do that; confirm against the original fixture.
    for url, payload in ((ca_add, self.post_data_rca),
                         (ca_add, self.post_data_ica),
                         (ca_add, self.post_data_eca),
                         (cert_add, self.post_data_srv)):
        r = self.c.post(url, payload, follow=True)
        self.assertContains(r, 'was added successfully')
        self.assertEqual(r.status_code, 200)
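def rebuild_ca_metadata(self, modify, task):
    """Wrapper around refresh_pki_metadata

    Rebuilds the CA store metadata for the set of CAs that should exist
    after this object's pending change.

    Args:
        modify: when false, every stored CertificateAuthority is used as is
            and ``task`` is ignored.
        task: 'append'  - all stored CAs plus this object (presumably called
                          before it is stored; a stored self would be listed
                          twice);
              'replace' - all stored CAs except this pk, plus this object;
              'exclude' - all stored CAs except this pk.
    Raises:
        ValueError: ``modify`` is set and ``task`` is none of the above
            (previously this ended in an UnboundLocalError).
    """
    if not modify:
        known_cas = list(CertificateAuthority.objects.all())
    elif task == 'append':
        ## Get list of all defined CA's and add this one
        known_cas = list(CertificateAuthority.objects.all())
        known_cas.append(self)
    elif task == 'replace':
        known_cas = list(CertificateAuthority.objects.exclude(pk=self.pk))
        known_cas.append(self)
    elif task == 'exclude':
        known_cas = list(CertificateAuthority.objects.exclude(pk=self.pk))
    else:
        raise ValueError("rebuild_ca_metadata: unknown task %r" % (task,))
    ## Rebuild the CA store metadata
    refresh_pki_metadata(known_cas)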
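def rebuild_ca_metadata(self, modify, task, skip_list=None):
    """Wrapper around refresh_pki_metadata

    Rebuilds the CA store metadata for the set of CAs that should exist
    after this object's pending change.

    Args:
        modify: when false, every stored CertificateAuthority is used as is
            and ``task``/``skip_list`` are ignored.
        task: 'append'  - all stored CAs plus this object (presumably called
                          before it is stored; a stored self would be listed
                          twice);
              'replace' - all stored CAs except this pk, plus this object;
              'exclude' - all stored CAs except those whose pk is in
                          ``skip_list`` (this object's own pk is NOT added
                          automatically).
        skip_list: pks to leave out for 'exclude'; defaults to an empty
            list (a fresh one per call, not a shared mutable default).
    Raises:
        ValueError: ``modify`` is set and ``task`` is none of the above
            (previously this ended in an UnboundLocalError).
    """
    if skip_list is None:
        skip_list = []
    if not modify:
        known_cas = list(CertificateAuthority.objects.all())
    elif task == 'append':
        ## Get list of all defined CA's and add this one
        known_cas = list(CertificateAuthority.objects.all())
        known_cas.append(self)
    elif task == 'replace':
        known_cas = list(CertificateAuthority.objects.exclude(pk=self.pk))
        known_cas.append(self)
    elif task == 'exclude':
        known_cas = list(CertificateAuthority.objects.exclude(pk__in=skip_list))
    else:
        raise ValueError("rebuild_ca_metadata: unknown task %r" % (task,))
    ## Rebuild the CA store metadata
    refresh_pki_metadata(known_cas)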
def tearDown(self):
    """Log the test client out and reset the PKI metadata to no CAs."""
    self.c.logout()
    no_cas = []
    openssl.refresh_pki_metadata(no_cas)
def tearDown(self):
    """Reset the PKI metadata to an empty CA list after each test."""
    no_cas = []
    openssl.refresh_pki_metadata(no_cas)
def save(self, *args, **kwargs):
    """Save the x509 Extension object

    Only an object without a pk (not yet stored) is written; afterwards
    the CA metadata is regenerated for every CertificateAuthority so the
    new extension becomes usable.

    NOTE(review): an already stored extension is never written back, so
    edits to it are dropped without any error.  Presumably extensions are
    meant to be immutable once certificates reference them — confirm that
    callers expect silence rather than an exception.
    """
    if not self.pk:
        super(x509Extension, self).save(*args, **kwargs)
        # Re-render the openssl config so the new extension is available.
        # NOTE(review): shown inside the new-object branch; confirm the
        # refresh is not meant to run on every save() call.
        refresh_pki_metadata(CertificateAuthority.objects.all())