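def save(self):
    """Persist the Certificate, running the OpenSSL side effects first.

    Two paths are taken depending on whether the row already exists:

    * ``self.pk`` set: ``self.action`` selects the work (``'update'``,
      ``'revoke'`` or ``'renew'``).  The changes are applied to a fresh copy
      of the stored row (``prev``) so that only the fields this method
      explicitly assigns are written back, and ``action`` is reset to
      ``'update'`` before the write.  Any other action raises ``Exception``,
      matching ``CertificateAuthority.save``.
    * no ``self.pk``: a new key, CSR and signed certificate are generated
      against ``self.parent`` and the row is created.

    Passphrases arrive in clear text on the instance: ``parent_passphrase``
    is blanked before the row is written, and ``passphrase`` /
    ``pkcs12_passphrase`` are replaced by their hex digest.  ``created`` and
    ``expiry_date`` are derived from a single timestamp so they agree.

    Raises:
        Exception: when ``self.pk`` is set and ``self.action`` is not one of
            ``'update'``, ``'revoke'`` or ``'renew'``.
    """
    if self.pk:
        if self.action not in ('update', 'revoke', 'renew'):
            raise Exception('Invalid action %s supplied' % self.action)
        action = OpensslActions(self)
        # Work on the stored row: only the fields assigned below change.
        prev = Certificate.objects.get(pk=self.pk)
        if self.action == 'update':
            # The DER copy follows the flag.
            if self.der_encoded:
                action.generate_der_encoded()
            else:
                action.remove_der_encoded()
            # The PKCS12 copy is regenerated unless it already exists with
            # the same passphrase.
            if self.pkcs12_encoded:
                if prev.pkcs12_encoded and prev.pkcs12_passphrase == self.pkcs12_passphrase:
                    logger.debug('PKCS12 passphrase is unchanged. Nothing to do')
                else:
                    action.generate_pkcs12_encoded()
            else:
                action.remove_pkcs12_encoded()
                self.pkcs12_passphrase = None
                prev.pkcs12_passphrase = None
            # NOTE(review): the stored value is an MD5 hex digest.  If the form
            # round-trips that digest, the comparison above matches and the
            # digest is hashed a second time here -- confirm against the form.
            # Unsalted MD5 is a weak passphrase store, but the digest format is
            # shared with whatever reads it elsewhere, so it is left unchanged.
            if self.pkcs12_passphrase:
                prev.pkcs12_passphrase = md5_constructor(self.pkcs12_passphrase).hexdigest()
            else:
                prev.pkcs12_passphrase = None
            prev.description = self.description
            prev.der_encoded = self.der_encoded
            prev.pkcs12_encoded = self.pkcs12_encoded
            prev.pem_encoded = True
        elif self.action == 'revoke':
            # Revoke through the issuing CA and republish its CRL.
            action.revoke_certificate(self.parent_passphrase)
            action.generate_crl(self.parent.name, self.parent_passphrase)
            prev.parent_passphrase = None
            prev.active = False
            prev.der_encoded = False
            prev.pem_encoded = False
            prev.pkcs12_encoded = False
            prev.revoked = datetime.datetime.now()
        else:  # 'renew'
            # A certificate that is not yet revoked must be revoked before
            # it can be reissued.
            if not action.get_revoke_status_from_cert():
                action.revoke_certificate(self.parent_passphrase)
            action.renew_certificate()
            action.generate_crl(self.parent.name, self.parent_passphrase)
            now = datetime.datetime.now()
            prev.created = now
            prev.expiry_date = now + datetime.timedelta(self.valid_days)
            prev.parent_passphrase = None
            prev.active = True
            prev.pem_encoded = True
            prev.der_encoded = self.der_encoded
            prev.pkcs12_encoded = self.pkcs12_encoded
            prev.revoked = None
            prev.valid_days = self.valid_days
            # The reissued certificate carries a new serial.
            prev.serial = action.get_serial_from_cert()
            # The stored passphrase digest is not touched on renew.
        # Write back the stored row, not the form-populated instance.
        self = prev
        self.action = 'update'
        super(Certificate, self).save()
    else:
        now = datetime.datetime.now()
        self.created = now
        self.expiry_date = now + datetime.timedelta(self.valid_days)
        # A freshly issued certificate is always active.
        self.active = True
        logger.info("***** { New certificate generation: %s } *****", self.name)
        # Key, CSR and signed certificate.
        action = OpensslActions(self)
        action.generate_key()
        action.generate_csr()
        action.sign_csr()
        self.serial = action.get_serial_from_cert()
        # Inherit the chain label of the issuing CA; a root CA labels its own
        # chain 'self-signed', in which case the CA's name is used instead.
        self.ca_chain = self.parent.ca_chain
        if self.ca_chain == 'self-signed':
            self.ca_chain = self.parent.name
        self.pem_encoded = True
        if self.der_encoded:
            action.generate_der_encoded()
        else:
            action.remove_der_encoded()
        if self.pkcs12_encoded:
            action.generate_pkcs12_encoded()
        else:
            action.remove_pkcs12_encoded()
        # Replace clear-text passphrases by their digest and drop the parent's
        # passphrase entirely before the row is written.  Unsalted MD5 is a
        # weak passphrase store; the format is kept for compatibility.
        if self.pkcs12_passphrase:
            self.pkcs12_passphrase = md5_constructor(self.pkcs12_passphrase).hexdigest()
        if self.passphrase:
            self.passphrase = md5_constructor(self.passphrase).hexdigest()
        self.parent_passphrase = None
        super(Certificate, self).save()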
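def save(self, force_insert=False, force_update=False):
    """Persist the CertificateAuthority, running the OpenSSL side effects first.

    ``force_insert`` and ``force_update`` are accepted for signature
    compatibility only; they are not forwarded to the underlying save.

    Two paths are taken depending on whether the row already exists:

    * ``self.pk`` set: ``self.action`` selects the work (``'update'``,
      ``'revoke'`` or ``'renew'``).  Changes are applied to a fresh copy of
      the stored row (``prev``) so that only the fields assigned here are
      written back, and ``action`` is reset to ``'update'`` before the write.
      Revoking a CA also marks every certificate and CA below it as revoked
      in the database, bypassing their overridden ``save`` so no OpenSSL work
      runs per child.
    * no ``self.pk``: a key and either a self-signed certificate (no parent)
      or a CSR signed by the parent are generated, the CRL is created and the
      ``ca_chain`` label and chain file are built.

    Passphrases arrive in clear text on the instance: ``parent_passphrase``
    is blanked before the row is written and ``passphrase`` is replaced by
    its hex digest on creation.  ``created`` and ``expiry_date`` are derived
    from a single timestamp so they agree.

    Raises:
        Exception: when ``self.pk`` is set and ``self.action`` is not one of
            ``'update'``, ``'revoke'`` or ``'renew'``.
    """
    if self.pk:
        if self.action not in ('update', 'revoke', 'renew'):
            raise Exception('Invalid action %s supplied' % self.action)
        action = OpensslActions(self)
        # Work on the stored row: only the fields assigned below change.
        prev = CertificateAuthority.objects.get(pk=self.pk)
        if self.action == 'update':
            if self.der_encoded:
                action.generate_der_encoded()
            else:
                action.remove_der_encoded()
            prev.description = self.description
            prev.der_encoded = self.der_encoded
        elif self.action == 'revoke':
            # Collect every certificate and CA issued under this one.
            garbage = []
            id_dict = {'cert': [], 'ca': []}
            # Imported here rather than at module level; presumably to avoid an
            # import cycle with pki.views -- confirm before hoisting.
            from pki.views import chain_recursion as r_chain_recursion
            r_chain_recursion(self.id, garbage, id_dict)
            revoked_at = datetime.datetime.now()
            # Flag the subtree as revoked in the database only.  The base
            # save is used on purpose so the children's OpenSSL actions do
            # not run.
            for cert_id in id_dict['cert']:
                child = Certificate.objects.get(pk=cert_id)
                child.active = False
                child.der_encoded = False
                child.pem_encoded = False
                child.pkcs12_encoded = False
                child.revoked = revoked_at
                super(Certificate, child).save()
            for ca_id in id_dict['ca']:
                child = CertificateAuthority.objects.get(pk=ca_id)
                child.active = False
                child.der_encoded = False
                child.pem_encoded = False
                child.revoked = revoked_at
                super(CertificateAuthority, child).save()
            # Revoke this CA through its parent and republish the parent CRL.
            action.revoke_certificate(self.parent_passphrase)
            action.generate_crl(self.parent.name, self.parent_passphrase)
            prev.parent_passphrase = None
            prev.active = False
            prev.der_encoded = False
            prev.pem_encoded = False
            prev.revoked = revoked_at
        else:  # 'renew'
            # An intermediate CA that is not yet revoked must be revoked by
            # its parent before reissue; a root CA has nobody to revoke it.
            if self.parent and not action.get_revoke_status_from_cert():
                action.revoke_certificate(self.parent_passphrase)
                action.generate_crl(self.parent.name, self.parent_passphrase)
            self.rebuild_ca_metadata(modify=True, task='replace')
            if self.parent is None:
                action.generate_self_signed_cert()
                action.generate_crl(self.name, self.passphrase)
            else:
                action.renew_certificate()
                action.generate_crl(self.parent.name, self.parent_passphrase)
            action.update_ca_chain_file()
            now = datetime.datetime.now()
            prev.created = now
            prev.expiry_date = now + datetime.timedelta(self.valid_days)
            prev.valid_days = self.valid_days
            prev.parent_passphrase = None
            prev.active = True
            prev.pem_encoded = True
            prev.der_encoded = self.der_encoded
            prev.revoked = None
            # The reissued certificate carries a new serial.
            prev.serial = action.get_serial_from_cert()
            # The stored passphrase digest is not touched on renew.
        # Write back the stored row, not the form-populated instance.
        self = prev
        self.action = 'update'
        super(CertificateAuthority, self).save()
    else:
        now = datetime.datetime.now()
        self.created = now
        self.expiry_date = now + datetime.timedelta(self.valid_days)
        # A freshly created CA is always active and starts in 'update' mode.
        self.active = True
        self.action = 'update'
        self.rebuild_ca_metadata(modify=True, task='append')
        # Key plus either a self-signed certificate or a parent-signed CSR.
        action = OpensslActions(self)
        action.generate_key()
        if not self.parent:
            action.generate_self_signed_cert()
        else:
            action.generate_csr()
            action.sign_csr()
        if self.der_encoded:
            action.generate_der_encoded()
        # A CA always starts with an (empty) CRL.
        action.generate_crl(self.name, self.passphrase)
        self.pem_encoded = True
        self.serial = action.get_serial_from_cert()
        # Chain label, root first: 'self-signed' for a root CA, otherwise
        # every ancestor's common name down to this CA's own.
        chain = []
        if self.parent is None:
            chain.append('self-signed')
        else:
            chain.append(self.common_name)
            ancestor = self.parent
            while ancestor is not None:
                chain.append(ancestor.common_name)
                ancestor = ancestor.parent
        chain.reverse()
        self.ca_chain = ' → '.join('%s' % name for name in chain)
        action.update_ca_chain_file()
        # Replace the clear-text passphrase by its digest and drop the
        # parent's passphrase entirely before the row is written.  Unsalted
        # MD5 is a weak passphrase store; the format is kept for compatibility.
        self.passphrase = md5_constructor(self.passphrase).hexdigest()
        self.parent_passphrase = None
        super(CertificateAuthority, self).save()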