def gen_cert():
"""
Generate TLS certificate request for testing
"""
req, key = gen_req()
pub_key = req.get_pubkey()
subject = req.get_subject()
cert = X509.X509()
# noinspection PyTypeChecker
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(subject)
t = int(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_UTCTIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
issuer = X509.X509_Name()
issuer.C = 'US'
issuer.CN = 'minifi-listen'
cert.set_issuer(issuer)
cert.set_pubkey(pub_key)
cert.sign(key, 'sha256')
return cert, key
def sign_request(self, request, ca=False):
if not isinstance(request, X509.Request):
request = X509.load_request_string(str(request))
ca_priv_evp = EVP.PKey()
ca_priv_evp.assign_rsa(self.get_key())
cert = X509.X509()
# X509 version field is 0-based
cert.set_version(0x2) # set to X509v3
# Set Serial number
serial = random.randrange(1, sys.maxint)
cert.set_serial_number(serial)
# Set Cert validity time
cur_time = ASN1.ASN1_UTCTIME()
cur_time.set_time(int(time.time()))
expire_time = ASN1.ASN1_UTCTIME()
expire_time.set_time(
int(time.time()) + self.cert_exp_days * 24 * 60 * 60)
cert.set_not_before(cur_time)
cert.set_not_after(expire_time)
if ca:
cert.set_issuer_name(request.get_subject())
cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE'))
else:
ca_cert = self.get_cert()
cert.set_issuer_name(ca_cert.get_subject())
cert.set_subject(request.get_subject())
cert.set_pubkey(request.get_pubkey())
cert.sign(ca_priv_evp, md="sha256")
return cert
def MakeCert(self, cn, req):
"""Make new cert for the client."""
# code inspired by M2Crypto unit tests
cert = X509.X509()
# Use the client CN for a cert serial_id. This will ensure we do
# not have clashing cert id.
cert.set_serial_number(int(cn.Basename().split(".")[1], 16))
cert.set_version(2)
cert.set_subject(req.get_subject())
t = long(time.time()) - 10
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_UTCTIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
# TODO(user): Enforce certificate expiry time, and when close
# to expiry force client re-enrolment
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
# Get the CA issuer:
ca_cert = config_lib.CONFIG["CA.certificate"].GetX509Cert()
cert.set_issuer(ca_cert.get_issuer())
cert.set_pubkey(req.get_pubkey())
ca_key = config_lib.CONFIG["PrivateKeys.ca_key"].GetPrivateKey()
key_pair = EVP.PKey(md="sha256")
key_pair.assign_rsa(ca_key)
# Sign the certificate
cert.sign(key_pair, "sha256")
return cert
def sign_proxy_request(req, icert, ikey, lifetime):
pkey = req.get_pubkey()
subject = req.get_subject()
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + lifetime * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
cert.set_issuer(subject)
cert.set_subject(subject)
cert.set_pubkey(pkey)
cert.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE', True))
#cert.add_ext(X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint()))
cert.add_ext(X509.new_extension('authorityKeyIdentifier', "keyid"))
cert.add_ext(
X509.new_extension("proxyCertInfo",
"critical,language:id-ppl-anyLanguage,pathlen:00",
True))
cert.sign(issuer_key, 'sha1')
return cert, pkey
def make_proxycert(self, eecert):
proxycert = X509.X509()
pk2 = EVP.PKey()
proxykey = RSA.gen_key(1024, 65537, self.callback)
pk2.assign_rsa(proxykey)
proxycert.set_pubkey(pk2)
proxycert.set_version(2)
not_before = ASN1.ASN1_UTCTIME()
not_after = ASN1.ASN1_UTCTIME()
not_before.set_time(int(time.time()))
offset = 12 * 3600
not_after.set_time(int(time.time()) + offset)
proxycert.set_not_before(not_before)
proxycert.set_not_after(not_after)
proxycert.set_issuer_name(eecert.get_subject())
proxycert.set_serial_number(12345678)
issuer_name_string = eecert.get_subject().as_text()
seq = issuer_name_string.split(",")
subject_name = X509.X509_Name()
for entry in seq:
l = entry.split("=")
subject_name.add_entry_by_txt(field=l[0].strip(),
type=ASN1.MBSTRING_ASC,
entry=l[1], len=-1, loc=-1, set=0)
subject_name.add_entry_by_txt(field="CN", type=ASN1.MBSTRING_ASC,
entry="Proxy", len=-1, loc=-1, set=0)
proxycert.set_subject_name(subject_name)
# XXX leaks 8 bytes
pci_ext = X509.new_extension("proxyCertInfo",
"critical,language:Inherit all", 1)
proxycert.add_ext(pci_ext)
return proxycert
def _gen_certificate(type):
from M2Crypto import EVP, RSA, X509, ASN1
import time
# create a key pair
k = EVP.PKey()
k.assign_rsa(RSA.gen_key(2048, m2.RSA_F4, lambda: None))
# create a self-signed cert
cert = X509.X509()
cert.get_subject().C = "FR"
cert.get_subject().O = "SFR"
cert.get_subject().CN = _get_cn(type)
cert.set_serial_number(1000)
now = ASN1.ASN1_UTCTIME()
now.set_time(long(time.time()))
cert.set_not_before(now)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(long(time.time()) + 10 * 365 * 24 * 60 * 60)
cert.set_not_after(expire)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
return cert, k
def generate_certificate(csr, serial, cn):
"""Generate a certificate and sign it with CA.
:param csr: Certificate Signing Request. See :class:`M2Crypto.X509.Request`.
:param serial: Serial number of the certificate as long int.
:param cn: Common Name of the certificate.
:return: Generated + signed certificate. See :class:`M2Crypto.X509.X509`.
"""
ca_key = EVP.load_key(settings.PKI_CA_KEYFILE, lambda *args: None)
ca_cert = X509.load_cert(settings.PKI_CA_CERTFILE)
cert = X509.X509()
cert.set_serial_number(serial)
cert.set_version(2)
csr_subject = csr.get_subject()
subject = X509.X509_Name()
for key in ('C', 'ST', 'L', 'O', 'OU'):
original_value = getattr(csr_subject, key)
if original_value:
setattr(subject, key, original_value)
subject.CN = cn
cert.set_subject(subject)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_UTCTIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(csr.get_pubkey())
cert.sign(ca_key, 'sha1')
return cert
def generate_certificate(
self,
aca_cert,
btc_address=None,
pkey=None,
):
if pkey is None and btc_address is None:
pkey, btc_address = self.generate_keys()
self.btc_address = btc_address
issuer = aca_cert.get_issuer()
# Creating a certificate
cert = X509.X509()
# Set issuer
cert.set_issuer(issuer)
# Generate CS information
cert_name = X509.X509_Name()
cert_name.C = 'CT'
cert_name.ST = 'Barcelona'
cert_name.L = 'Bellaterra'
cert_name.O = 'UAB'
cert_name.OU = 'DEIC'
cert_name.CN = btc_address
cert.set_subject_name(cert_name)
# Set public_key
cert.set_pubkey(pkey)
# Time for certificate to stay valid
cur_time = ASN1.ASN1_UTCTIME()
cur_time.set_time(int(time()))
# Expire certs in 1 year.
expire_time = ASN1.ASN1_UTCTIME()
expire_time.set_time(int(time()) + 60 * 60 * 24 * 365)
# Set the validity
cert.set_not_before(cur_time)
cert.set_not_after(expire_time)
# Sign the certificate using the same key type the CA is going to use later
# The resulting signature will not be used, it is only for setting the corresponding field into the certificate
rsa_keys = RSA.gen_key(2046, 65537, callback=lambda x, y, z: None)
rsa_pkey = EVP.PKey()
rsa_pkey.assign_rsa(rsa_keys)
cert.sign(rsa_pkey, md='sha256')
# Load the Certificate as a ASN.1 object and extract the TBS Certificate (special thanks to Alex <*****@*****.**>)
asn1_cert = decoder.decode(cert.as_der(), asn1Spec=Certificate())[0]
tbs = asn1_cert.getComponentByName("tbsCertificate")
# Compute the sha256 of the TBS Certificate
tbs_der = encoder.encode(tbs)
digest = sha256()
digest.update(tbs_der)
cert_hash = digest.digest()
return asn1_cert, cert_hash
def helper_generate_certificate(self, pkey):
"""Create a self-signed x509 certificate."""
name = X509.X509_Name()
name.C = 'NO'
name.ST = 'Oslo'
name.L = 'Oslo'
name.O = 'University of Oslo'
name.OU = 'Cerebrumtesting'
name.CN = '127.0.0.1'
name.emailAddress = '*****@*****.**'
cert = X509.X509()
cert.set_version(2)
cert.set_serial_number(1)
cert.set_subject(name)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
end = ASN1.ASN1_UTCTIME()
end.set_time(t + 60 * 60 * 24 * 365 * 10)
cert.set_not_before(now)
cert.set_not_after(end)
cert.set_issuer(name)
cert.set_pubkey(pkey)
#ext = X509.new_extension('subjectAltName', 'DNS:localhost')
#ext.set_critical(0)
#cert.add_ext(ext)
cert.sign(pkey, 'sha1')
return cert
def create_self_signed_cert(rsa, subject={'CN': 'Testing'}, san=None):
""" Creates a self-signed cert
Pass in an RSA private key object
Pass in a dictionary of subject name data, using C ST L O OU CN keys
Pass in an optional san like 'DNS:example.com'
Returns a X509.X509 object
"""
pk = EVP.PKey()
pk.assign_rsa(rsa)
name = X509.X509_Name()
for key in ['C', 'ST', 'L', 'O', 'OU', 'CN']:
if subject.get(key, None):
setattr(name, key, subject[key])
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + 365 * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
cert.set_issuer(name)
cert.set_subject(name)
cert.set_pubkey(pk)
cert.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE'))
if san:
cert.add_ext(X509.new_extension('subjectAltName', san))
cert.add_ext(
X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint()))
cert.sign(pk, 'sha1')
return cert
def _generate_ssl_ca():
ca_key_pem, ca_cert_pem, ca_key = _generate_rsa_keypair()
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + 365 * 24 * 60 * 60)
pk = EVP.PKey()
pk.assign_rsa(ca_key)
cert = X509.X509()
cert.get_subject().O = _generate_id(10)
cert.set_serial_number(1)
cert.set_version(3)
cert.set_not_before(now)
cert.set_not_after(expire)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(pk)
cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE'))
cert.add_ext(
X509.new_extension('subjectKeyIdentifier',
str(cert.get_fingerprint())))
cert.sign(pk, 'sha256')
return pk.as_pem(cipher=None), cert.as_pem(), pk, cert
def _generate_ssl_keypair(self, rsa_key, ca_key, ca_cert, role='CONTROL', client=False, serial=2):
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + 365 * 24 * 60 * 60)
pk = EVP.PKey()
pk.assign_rsa(rsa_key)
cert = X509.X509()
cert.get_subject().O = self._generate_id(10)
cert.get_subject().OU = role
cert.set_serial_number(serial)
cert.set_version(3)
cert.set_not_before(now)
cert.set_not_after(expire)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(pk)
cert.add_ext(X509.new_extension('basicConstraints', 'critical,CA:FALSE'))
cert.add_ext(X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint()))
if client:
cert.add_ext(X509.new_extension('keyUsage', 'critical,digitalSignature'))
cert.add_ext(X509.new_extension('nsCertType', 'client'))
else:
cert.add_ext(X509.new_extension('keyUsage', 'critical,keyEncipherment'))
cert.add_ext(X509.new_extension('nsCertType', 'server'))
cert.sign(ca_key, 'sha256')
return pk.as_pem(cipher=None), cert.as_pem()
def _generate_apk_keypair():
priv, pub, key = _generate_rsa_keypair(2048)
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + 365 * 24 * 60 * 60 * 5)
pk = EVP.PKey()
pk.assign_rsa(key)
cert = X509.X509()
cert.get_subject().O = _generate_id(10)
cert.set_serial_number(1337)
cert.set_version(2)
cert.set_not_before(now)
cert.set_not_after(expire)
cert.set_pubkey(pk)
cert.set_issuer(cert.get_subject())
cert.add_ext(
X509.new_extension('subjectKeyIdentifier',
str(cert.get_fingerprint())))
cert.sign(pk, 'sha256')
return {
'CONTROL_APK_PRIV_KEY': pk.as_pem(cipher=None),
'CONTROL_APK_PUB_KEY': cert.as_pem(),
}
def set_validity_period(self, cert):
now = long(time.time())
asn1 = ASN1.ASN1_UTCTIME()
asn1.set_time(now)
cert.set_not_before(asn1)
asn1 = ASN1.ASN1_UTCTIME()
asn1.set_time(now + self.settings['cert_validity_lifetime'] * 24 * 60 * 60)
cert.set_not_after(asn1)
def mk_cert_valid(cert, days=180):
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t - 24 * 60 * 60)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
def validate_cert(self, cert, days=365):
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
def SetCertValidityDate(cert, days=365): """Set validity on a cert to specific number of days.""" now_epoch = long(time.time()) now = ASN1.ASN1_UTCTIME() now.set_time(now_epoch) expire = ASN1.ASN1_UTCTIME() expire.set_time(now_epoch + days * 24 * 60 * 60) cert.set_not_before(now) cert.set_not_after(expire)
def _set_asn1_time(cert, days):
now = int(time.time())
asn1 = ASN1.ASN1_UTCTIME()
asn1.set_time(now)
cert.set_not_before(asn1)
asn1 = ASN1.ASN1_UTCTIME()
asn1.set_time(now + 86400 * days)
cert.set_not_after(asn1)
def generate_certificate(self,
cr,
uid,
ids,
issuer,
ext=None,
serial_number=1,
version=2,
date_begin=None,
date_end=None,
expiration=365,
context=None):
"""
Generate certificate
"""
r_ids = []
for item in self.browse(cr, uid, ids):
if item.status == 'valid_request':
# Get request data
pk = item.pairkey_id.as_pkey()[item.pairkey_id.id]
req = item.get_request()[item.id]
sub = req.get_subject()
pkey = req.get_pubkey()
# Building certificate
cert = X509.X509()
cert.set_serial_number(serial_number)
cert.set_version(version)
cert.set_subject(sub)
now = ASN1.ASN1_UTCTIME()
if date_begin is None:
t = long(time.time()) + time.timezone
now.set_time(t)
else:
now.set_datetime(date_begin)
nowPlusYear = ASN1.ASN1_UTCTIME()
if date_end is None:
nowPlusYear.set_time(t + 60 * 60 * 24 * expiration)
else:
nowPlusYear.set_datetime(date_end)
cert.set_not_before(now)
cert.set_not_after(nowPlusYear)
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
cert.set_pubkey(cert.get_pubkey())
if ext:
cert.add_ext(ext)
cert.sign(pk, 'sha1')
w = {'crt': cert.as_pem()}
self.write(cr, uid, item.id, w)
r_ids.append(item.id)
return r_ids
def get_x509_proxy(self,
request_pem,
issuer=None,
subject=None,
private_key=None):
"""
Generate a X509 proxy based on the request
Args:
requestPEM: The request PEM encoded
issuer: The issuer user
subject: The subject of the proxy. If None, issuer/CN=proxy will be used
Returns:
A X509 proxy PEM encoded
"""
if issuer is None:
issuer = [('DC', 'ch'), ('DC', 'cern'), ('CN', 'Test User')]
if subject is None:
subject = issuer + [('CN', 'proxy')]
x509_request = X509.load_request_string(str(request_pem))
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.now(UTC))
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(datetime.now(UTC) + timedelta(hours=3))
issuer_subject = X509.X509_Name()
for c in issuer:
issuer_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0)
proxy_subject = X509.X509_Name()
for c in subject:
proxy_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0)
proxy = X509.X509()
proxy.set_version(2)
proxy.set_subject(proxy_subject)
proxy.set_serial_number(int(time.time()))
proxy.set_version(x509_request.get_version())
proxy.set_issuer(issuer_subject)
proxy.set_pubkey(x509_request.get_pubkey())
proxy.set_not_after(not_after)
proxy.set_not_before(not_before)
if not private_key:
proxy.sign(self.pkey, 'sha1')
else:
proxy.sign(private_key, 'sha1')
return proxy.as_pem() + self.cert.as_pem()
def _set_times(self):
"""
Internal function that sets the time on the proxy
certificate
"""
not_before = ASN1.ASN1_UTCTIME()
not_after = ASN1.ASN1_UTCTIME()
not_before.set_time(int(time.time()))
offset = (self._valid[0] * 3600) + (self._valid[1] * 60)
not_after.set_time(int(time.time()) + offset)
self._proxycert.set_not_before(not_before)
self._proxycert.set_not_after(not_after)
def test_mkcert(self):
req, pk = self.mkreq(1024)
pkey = req.get_pubkey()
assert (req.verify(pkey))
sub = req.get_subject()
assert len(sub) == 2, len(sub)
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(sub)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
nowPlusYear = ASN1.ASN1_UTCTIME()
nowPlusYear.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(nowPlusYear)
assert str(cert.get_not_before()) == str(now)
assert str(cert.get_not_after()) == str(nowPlusYear)
issuer = X509.X509_Name()
issuer.CN = 'The Issuer Monkey'
issuer.O = 'The Organization Otherwise Known as My CA, Inc.'
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
cert.set_pubkey(cert.get_pubkey()) # Make sure get/set work
ext = X509.new_extension('subjectAltName', 'DNS:foobar.example.com')
ext.set_critical(0)
assert ext.get_critical() == 0
cert.add_ext(ext)
cert.sign(pk, 'sha1')
self.assertRaises(ValueError, cert.sign, pk, 'nosuchalgo')
assert (cert.get_ext('subjectAltName').get_name() == 'subjectAltName')
assert (cert.get_ext_at(0).get_name() == 'subjectAltName')
assert (cert.get_ext_at(0).get_value() == 'DNS:foobar.example.com')
assert cert.get_ext_count() == 1, cert.get_ext_count()
self.assertRaises(IndexError, cert.get_ext_at, 1)
assert cert.verify()
assert cert.verify(pkey)
assert cert.verify(cert.get_pubkey())
assert cert.get_version() == 2
assert cert.get_serial_number() == 1
assert cert.get_issuer().CN == 'The Issuer Monkey'
if m2.OPENSSL_VERSION_NUMBER >= 0x90800f:
assert not cert.check_ca()
assert not cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 1)
assert not cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 1)
assert cert.check_purpose(m2.X509_PURPOSE_SSL_SERVER, 0)
assert cert.check_purpose(m2.X509_PURPOSE_NS_SSL_SERVER, 0)
assert cert.check_purpose(m2.X509_PURPOSE_ANY, 0)
else:
self.assertRaises(AttributeError, cert.check_ca)
def make_eecert(self, cacert):
eecert = X509.X509()
eecert.set_serial_number(2)
eecert.set_version(2)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_UTCTIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
eecert.set_not_before(now)
eecert.set_not_after(now_plus_year)
eecert.set_issuer(cacert.get_subject())
return eecert
def mk_cert_valid(cert, days=3652):
"""Make a cert valid from now and til 'days' from now.
:param cert: cert to make valid
:param days: number of days cert is valid for from now.
"""
t = int(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
def mk_cert_valid(cert, days=365):
"""
Make a cert valid from now and til 'days' from now.
Args:
cert -- cert to make valid
days -- number of days cert is valid for from now.
"""
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
def test_UTCTIME(self):
asn1 = ASN1.ASN1_UTCTIME()
assert str(asn1) == 'Bad time value'
format = '%b %d %H:%M:%S %Y GMT'
utcformat = '%y%m%d%H%M%SZ'
s = '990807053011Z'
asn1.set_string(s)
#assert str(asn1) == 'Aug 7 05:30:11 1999 GMT'
t1 = time.strptime(str(asn1), format)
t2 = time.strptime(s, utcformat)
self.assertEqual(t1, t2)
asn1.set_time(500)
#assert str(asn1) == 'Jan 1 00:08:20 1970 GMT'
t1 = time.strftime(format, time.strptime(str(asn1), format))
t2 = time.strftime(format, time.gmtime(500))
self.assertEqual(t1, t2)
t = long(time.time()) + time.timezone
asn1.set_time(t)
t1 = time.strftime(format, time.strptime(str(asn1), format))
t2 = time.strftime(format, time.gmtime(t))
self.assertEqual(t1, t2)
def _generate_mock_cert():
rsa_key = RSA.gen_key(512, 65537)
pkey = EVP.PKey()
pkey.assign_rsa(rsa_key)
cert = X509.X509()
cert.set_pubkey(pkey)
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.now(UTC))
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(datetime.now(UTC) + timedelta(hours=24))
cert.set_not_before(not_before)
cert.set_not_after(not_after)
cert.sign(pkey, 'md5')
return pkey, cert
def __createCertM2Crypto(self):
"""Create new certificate for user
:return: S_OK(tuple)/S_ERROR() -- tuple contain certificate and pulic key as strings
"""
# Create public key
userPubKey = EVP.PKey()
userPubKey.assign_rsa(
RSA.gen_key(self.bits, 65537, util.quiet_genparam_callback))
# Create certificate
userCert = X509.X509()
userCert.set_pubkey(userPubKey)
userCert.set_version(2)
userCert.set_subject(self.__X509Name)
userCert.set_serial_number(int(random.random() * 10**10))
# Add extentionals
userCert.add_ext(
X509.new_extension("basicConstraints", "CA:" + str(False).upper()))
userCert.add_ext(
X509.new_extension("extendedKeyUsage", "clientAuth", critical=1))
# Set livetime
validityTime = datetime.timedelta(days=400)
notBefore = ASN1.ASN1_UTCTIME()
notBefore.set_time(int(time.time()))
notAfter = ASN1.ASN1_UTCTIME()
notAfter.set_time(int(time.time()) + int(validityTime.total_seconds()))
userCert.set_not_before(notBefore)
userCert.set_not_after(notAfter)
# Add subject from CA
with open(self.parameters["CertFile"]) as cf:
caCertStr = cf.read()
caCert = X509.load_cert_string(caCertStr)
userCert.set_issuer(caCert.get_subject())
# Use CA key
with open(self.parameters["KeyFile"], "rb") as cf:
caKeyStr = cf.read()
pkey = EVP.PKey()
pkey.assign_rsa(
RSA.load_key_string(caKeyStr,
callback=util.no_passphrase_callback))
# Sign
userCert.sign(pkey, self.algoritm)
userCertStr = userCert.as_pem().decode("ascii")
userPubKeyStr = userPubKey.as_pem(
cipher=None, callback=util.no_passphrase_callback).decode("ascii")
return S_OK((userCertStr, userPubKeyStr))
def create_self_signed_RootCA_certificate(root_ca_info,
sign_method="sha256",
days=3650):
# Setp 1: Create RSA-key pair (public/private key)
rsa = generate_rsa_keypair(2048, 65537)
private_key = EVP.PKey()
private_key.assign_rsa(rsa)
# Step 2-1: Prepare X.509 Certificate Signed Request
req = X509.Request()
req.set_pubkey(private_key)
x509_name = req.get_subject()
x509_name.C = root_ca_info["C"]
x509_name.CN = root_ca_info["CN"]
x509_name.ST = root_ca_info["ST"]
x509_name.L = root_ca_info["L"]
x509_name.O = root_ca_info["O"]
x509_name.OU = root_ca_info["OU"]
req.sign(private_key, sign_method)
# Step 2-2: Prepare X.509 certificate
root_ca_cert = X509.X509()
serial = struct.unpack("<Q", os.urandom(8))[0]
root_ca_cert.set_serial_number(serial)
root_ca_cert.set_version(3)
# Setp 2-3: Set required information of RootCA certificate
root_ca_cert.set_issuer(x509_name)
root_ca_cert.set_subject(root_ca_cert.get_issuer())
root_ca_cert.set_pubkey(req.get_pubkey()) # Get the CSR's public key
# Step 2-4: Set Valid Date for RootCA certificate
t = int(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + days * 24 * 60 * 60)
root_ca_cert.set_not_before(now)
root_ca_cert.set_not_after(expire)
# Step 3: Add Extensions for this Root CA certificate
root_ca_cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE'))
root_ca_cert.add_ext(
X509.new_extension('subjectKeyIdentifier',
root_ca_cert.get_fingerprint()))
# Step 4: Use Root CA's RSA private key to sign this certificate
root_ca_cert.sign(private_key, sign_method)
return root_ca_cert, private_key
def get_not_after(self):
assert m2.x509_type_check(self.x509), "'x509' type error"
out = ASN1.ASN1_UTCTIME(m2.x509_get_not_after(self.x509))
if 'Bad time value' in str(out):
raise X509Error('''M2Crypto cannot handle dates after year 2050.
See RFC 5280 4.1.2.5 for more information.
''')
return out
