def testRequestLoading(self):
"""Load Request loading
"""
m2rqst_text = X509.load_request_string(C_REQUEST, X509.FORMAT_PEM).as_text()
rqst = CertificateRequest.new_from_pem(C_REQUEST)
rqst.save()
self.assertTrue(rqst.CN == "World Company")
self.assertTrue(rqst.country == "FR")
rqst_text = X509.load_request_string(rqst.pem, X509.FORMAT_PEM).as_text()
self.assertTrue(rqst_text == m2rqst_text)
def test_load_request_bio(self):
(req, _) = self.mkreq(512)
r1 = X509.load_request_der_string(req.as_der())
r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER)
r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM)
r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()), X509.FORMAT_DER)
r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), X509.FORMAT_PEM)
for r in [r1, r2, r3, r4, r5]:
assert req.as_der() == r.as_der()
self.assertRaises(ValueError, X509.load_request_bio, BIO.MemoryBuffer(req.as_pem()), 345678)
def test_load_request_bio(self):
(req, _) = self.mkreq(512)
r1 = X509.load_request_der_string(req.as_der())
r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER)
r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM)
r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()), X509.FORMAT_DER)
r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), X509.FORMAT_PEM)
for r in [r1, r2, r3, r4, r5]:
assert req.as_der() == r.as_der()
self.assertRaises(ValueError, X509.load_request_bio, BIO.MemoryBuffer(req.as_pem()), 345678)
def _getProxyRequest(self, delegationId):
requestPEM = self.context.get('/delegation/' + delegationId + '/request')
x509Request = X509.load_request_string(requestPEM)
if x509Request.verify(x509Request.get_pubkey()) != 1:
raise ServerError('Error verifying signature on the request')
# Return
return x509Request
def verify(certificate_path, ca_certificate_path, sign_request_path, output):
certificate = None
try:
certificate = X509.load_cert(certificate_path)
except (X509.X509Error, IOError):
print('ERROR verify: Could not load certificate for verifying')
exit(1)
smime = SMIME.SMIME()
stack = X509.X509_Stack()
stack.push(certificate)
smime.set_x509_stack(stack)
store = X509.X509_Store()
store.load_info(ca_certificate_path)
smime.set_x509_store(store)
pks7, data = SMIME.smime_load_pkcs7(sign_request_path)
clear_text = smime.verify(pks7, data)
if not output:
output = path.abspath(path.curdir) + '/%s.csr' % DEFAULT_FIELDS['CN']
if clear_text:
request = X509.load_request_string(clear_text)
request.save(output)
print('Verification OK')
print('Request file was saved to %s' % output)
else:
print('Verification failed')
def sign_request(self, request, ca=False):
if not isinstance(request, X509.Request):
request = X509.load_request_string(str(request))
ca_priv_evp = EVP.PKey()
ca_priv_evp.assign_rsa(self.get_key())
cert = X509.X509()
cert.set_version(3)
# Set Serial number
serial = random.randrange(1, sys.maxint)
cert.set_serial_number(serial)
# Set Cert validity time
cur_time = ASN1.ASN1_UTCTIME()
cur_time.set_time(int(time.time()))
expire_time = ASN1.ASN1_UTCTIME()
expire_time.set_time(int(time.time()) + self.cert_exp_days*24*60*60)
cert.set_not_before(cur_time)
cert.set_not_after(expire_time)
if ca:
cert.set_issuer_name(request.get_subject())
cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE'))
else:
ca_cert = self.get_cert()
cert.set_issuer_name(ca_cert.get_subject())
cert.set_subject(request.get_subject())
cert.set_pubkey(request.get_pubkey())
cert.sign(ca_priv_evp, md="sha256")
return cert
def verify(certificate_path, ca_certificate_path, sign_request_path, output):
certificate = None
try:
certificate = X509.load_cert(certificate_path)
except (X509.X509Error, IOError):
print('ERROR verify: Could not load certificate for verifying')
exit(1)
smime = SMIME.SMIME()
stack = X509.X509_Stack()
stack.push(certificate)
smime.set_x509_stack(stack)
store = X509.X509_Store()
store.load_info(ca_certificate_path)
smime.set_x509_store(store)
pks7, data = SMIME.smime_load_pkcs7(sign_request_path)
clear_text = smime.verify(pks7, data)
if not output:
output = path.abspath(path.curdir) + '/%s.csr' % DEFAULT_FIELDS['CN']
if clear_text:
request = X509.load_request_string(clear_text)
request.save(output)
print('Verification OK')
print('Request file was saved to %s' % output)
else:
print('Verification failed')
def sign_request(self, request, ca=False):
if not isinstance(request, X509.Request):
request = X509.load_request_string(str(request))
ca_priv_evp = EVP.PKey()
ca_priv_evp.assign_rsa(self.get_key())
cert = X509.X509()
# X509 version field is 0-based
cert.set_version(0x2) # set to X509v3
# Set Serial number
serial = random.randrange(1, sys.maxint)
cert.set_serial_number(serial)
# Set Cert validity time
cur_time = ASN1.ASN1_UTCTIME()
cur_time.set_time(int(time.time()))
expire_time = ASN1.ASN1_UTCTIME()
expire_time.set_time(
int(time.time()) + self.cert_exp_days * 24 * 60 * 60)
cert.set_not_before(cur_time)
cert.set_not_after(expire_time)
if ca:
cert.set_issuer_name(request.get_subject())
cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE'))
else:
ca_cert = self.get_cert()
cert.set_issuer_name(ca_cert.get_subject())
cert.set_subject(request.get_subject())
cert.set_pubkey(request.get_pubkey())
cert.sign(ca_priv_evp, md="sha256")
return cert
def test_malformed_data(self):
with self.assertRaises(X509.X509Error):
X509.load_cert_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_cert_der_string('Hello')
with self.assertRaises(X509.X509Error):
X509.new_stack_from_der('Hello')
with self.assertRaises(X509.X509Error):
X509.load_cert('tests/alltests.py')
with self.assertRaises(X509.X509Error):
X509.load_request('tests/alltests.py')
with self.assertRaises(X509.X509Error):
X509.load_request_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_request_der_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_crl('tests/alltests.py')
def clean_csr(self):
data = self.cleaned_data
try:
# X509.load_request_string doesn't like unicode
data['csr'] = X509.load_request_string(data['csr'].encode('utf-8'))
except X509.X509Error:
raise forms.ValidationError(_('Invalid CSR.'))
return data['csr']
def test_load_request_bio(self):
(req, _) = self.mkreq(1024)
r1 = X509.load_request_der_string(req.as_der())
r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER)
r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM)
r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()),
X509.FORMAT_DER)
r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()),
X509.FORMAT_PEM)
for r in [r1, r2, r3, r4, r5]:
self.assertEqual(req.as_der(), r.as_der())
with self.assertRaises(ValueError):
X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), 345678)
def _get_proxy_request(self, delegation_id):
request_url = '/delegation/' + delegation_id + '/request'
request_pem = self.context.get(request_url)
x509_request = X509.load_request_string(request_pem)
if x509_request.verify(x509_request.get_pubkey()) != 1:
raise ServerError('Error verifying signature on the request')
# Return
return x509_request
def test_load_request_bio(self):
(req, _) = self.mkreq(1024)
r1 = X509.load_request_der_string(req.as_der())
r2 = X509.load_request_string(req.as_der(), X509.FORMAT_DER)
r3 = X509.load_request_string(req.as_pem(), X509.FORMAT_PEM)
r4 = X509.load_request_bio(BIO.MemoryBuffer(req.as_der()),
X509.FORMAT_DER)
r5 = X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()),
X509.FORMAT_PEM)
for r in [r1, r2, r3, r4, r5]:
self.assertEqual(req.as_der(), r.as_der())
with self.assertRaises(ValueError):
X509.load_request_bio(BIO.MemoryBuffer(req.as_pem()), 345678)
def _get_proxy_request(self, delegation_id):
request_url = '/delegation/' + delegation_id + '/request'
request_pem = self.context.get(request_url)
x509_request = X509.load_request_string(request_pem)
if x509_request.verify(x509_request.get_pubkey()) != 1:
raise ServerError('Error verifying signature on the request:', Err.get_error())
# Return
return x509_request
def _getProxyRequest(self, delegationId):
requestPEM = self.context.get('/delegation/' + delegationId +
'/request')
x509Request = X509.load_request_string(requestPEM)
if x509Request.verify(x509Request.get_pubkey()) != 1:
raise ServerError('Error verifying signature on the request')
# Return
return x509Request
def test_malformed_data(self):
with self.assertRaises(X509.X509Error):
X509.load_cert_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_cert_der_string('Hello')
with self.assertRaises(X509.X509Error):
X509.new_stack_from_der('Hello')
with self.assertRaises(X509.X509Error):
X509.load_cert('tests/alltests.py')
with self.assertRaises(X509.X509Error):
X509.load_request('tests/alltests.py')
with self.assertRaises(X509.X509Error):
X509.load_request_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_request_der_string('Hello')
with self.assertRaises(X509.X509Error):
X509.load_crl('tests/alltests.py')
def run(self):
"""Receive, verify and sign incoming CSRs."""
sockfile = self.sock.makefile('rw', 0)
msg = sockfile.readlines()
sig = msg[0]
pem = ''.join(msg[1:])
if pem[-1:] == '\n':
pem = pem[:-1]
csr = X509.load_request_string(pem)
CN = csr.get_subject().CN
if CN != self.src:
error_message = "Hostname: %s doesn't match certificate CN: %s" % (
self.src, CN)
if config.getboolean('master', 'HostVerify'):
log.error(error_message)
self.sock.send("FAIL\n" + error_message + "\n")
return
else:
log.warn(error_message)
verified = False
try:
pub = cert_from_file(cert_store_file(CN)).get_pubkey()
except (IOError, X509.X509Error):
pass
else:
if not verify_data(sig, pem, pub):
log.error("Signature verification failed reading CSR from %s.",
self.src)
self.sock.send("FAIL\nSignature verification failed.\n")
return
verified = True
if verified or config.getboolean('master', 'AutoSign'):
log.info("Signing certificate")
try:
certobj = sign_csr(self.cakey, self.cacert, csr,
config.getint('cert', 'CertLifetime'))
except X509.X509Error:
log.exception("Signing failed. Will save for later signing.")
else:
log.info("Storing Signed Cert")
self.store.write(certobj)
self.store.checkpoint()
self.sock.send('OK\n' + certobj.as_pem())
return
#Just save the CSR for later signing
with tempfile.NamedTemporaryFile(
dir=os.path.dirname(csr_cache_file(self.src)),
delete=False) as f_csr:
log.info("Writing CSR to cache: %s", csr_cache_file(self.src))
f_csr.write(pem)
os.rename(f_csr.name, csr_cache_file(self.src))
self.sock.send('OK\n')
def get_request(self, cr, uid, ids, context=None):
"""
Return Request object.
"""
r = {}
for cert in self.browse(cr, uid, ids):
if cert.csr:
r[cert.id] = X509.load_request_string(cert.csr.encode("ascii"))
return r
def get_request(self, cr, uid, ids, context=None):
"""
Return Request object.
"""
r = {}
for cert in self.browse(cr, uid, ids):
if cert.csr:
r[cert.id] = X509.load_request_string(cert.csr.encode('ascii'))
return r
def request(self, dlg_id, start_response):
"""
First step of the delegation process: get a certificate request
The returned certificate request must be signed with the user's original
credentials.
"""
user = request.environ['fts3.User.Credentials']
if dlg_id != user.delegation_id:
raise HTTPForbidden(
'The requested ID and the credentials ID do not match')
credential_cache = Session.query(CredentialCache)\
.get((user.delegation_id, user.user_dn))
user_cert = self.certificate()
request_key_len = 2048
if user_cert:
user_key = X509.load_cert_string(user_cert)
request_key_len = user_key.get_pubkey().size() * 8
cached = credential_cache is not None and credential_cache.cert_request is not None
if cached:
cached_key_len = X509.load_request_string(
credential_cache.cert_request).get_pubkey().size() * 8
if cached_key_len != request_key_len:
cached = False
log.debug(
"Invalidating cache due to key length missmatch between client and cached certificates"
)
if not cached:
(x509_request,
private_key) = _generate_proxy_request(request_key_len)
credential_cache = CredentialCache(
dlg_id=user.delegation_id,
dn=user.user_dn,
cert_request=x509_request.as_pem(),
priv_key=private_key.as_pem(cipher=None),
voms_attrs=' '.join(user.voms_cred))
try:
Session.merge(credential_cache)
Session.commit()
except Exception:
Session.rollback()
raise
log.debug("Generated new credential request for %s" % dlg_id)
else:
log.debug("Using cached request for %s" % dlg_id)
start_response('200 Ok',
[('X-Delegation-ID', str(credential_cache.dlg_id)),
('Content-Type', 'text/plain')])
return [credential_cache.cert_request]
def Start(self):
"""Sign the CSR from the client."""
client = aff4.FACTORY.Create(self.client_id,
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token)
if self.args.csr.type != rdf_crypto.Certificate.Type.CSR:
raise IOError("Must be called with CSR")
req = X509.load_request_string(self.args.csr.pem)
# Verify the CSR. This is not strictly necessary but doesn't harm either.
if req.verify(req.get_pubkey()) != 1:
raise flow.FlowError("CSR for client %s did not verify: %s" %
(self.client_id, req.as_pem()))
# Verify that the CN is of the correct form. The common name should refer
# to a client URN.
public_key = req.get_pubkey().get_rsa().pub()[1]
self.cn = rdf_client.ClientURN.FromPublicKey(public_key)
if self.cn != rdf_client.ClientURN(req.get_subject().CN):
raise IOError(
"CSR CN %s does not match public key %s." %
(rdf_client.ClientURN(req.get_subject().CN), self.cn))
logging.info("Will sign CSR for: %s", self.cn)
cert = self.MakeCert(self.cn, req)
# This check is important to ensure that the client id reported in the
# source of the enrollment request is the same as the one in the
# certificate. We use the ClientURN to ensure this is also of the correct
# form for a client name.
if self.cn != self.client_id:
raise flow.FlowError("Certificate name %s mismatch for client %s",
self.cn, self.client_id)
# Set and write the certificate to the client record.
certificate_attribute = rdf_crypto.RDFX509Cert(cert.as_pem())
client.Set(client.Schema.CERT, certificate_attribute)
client.Set(client.Schema.FIRST_SEEN, rdfvalue.RDFDatetime().Now())
index = aff4.FACTORY.Create(client_index.MAIN_INDEX,
aff4_type=client_index.ClientIndex,
object_exists=True,
mode="rw",
token=self.token)
index.AddClient(client)
client.Close(sync=True)
# Publish the client enrollment message.
self.Publish("ClientEnrollment", certificate_attribute.common_name)
self.Log("Enrolled %s successfully", self.client_id)
def Start(self):
"""Sign the CSR from the client."""
client = aff4.FACTORY.Create(self.client_id,
aff4_grr.VFSGRRClient,
mode="rw",
token=self.token)
if self.args.csr.type != rdf_crypto.Certificate.Type.CSR:
raise IOError("Must be called with CSR")
req = X509.load_request_string(self.args.csr.pem)
# Verify the CSR. This is not strictly necessary but doesn't harm either.
if req.verify(req.get_pubkey()) != 1:
raise flow.FlowError("CSR for client %s did not verify: %s" %
(self.client_id, req.as_pem()))
# Verify that the CN is of the correct form. The common name should refer
# to a client URN.
public_key = req.get_pubkey().get_rsa().pub()[1]
self.cn = rdf_client.ClientURN.FromPublicKey(public_key)
if self.cn != rdf_client.ClientURN(req.get_subject().CN):
raise IOError("CSR CN %s does not match public key %s." %
(rdf_client.ClientURN(req.get_subject().CN), self.cn))
logging.info("Will sign CSR for: %s", self.cn)
cert = self.MakeCert(self.cn, req)
# This check is important to ensure that the client id reported in the
# source of the enrollment request is the same as the one in the
# certificate. We use the ClientURN to ensure this is also of the correct
# form for a client name.
if self.cn != self.client_id:
raise flow.FlowError("Certificate name %s mismatch for client %s",
self.cn, self.client_id)
# Set and write the certificate to the client record.
certificate_attribute = rdf_crypto.RDFX509Cert(cert.as_pem())
client.Set(client.Schema.CERT, certificate_attribute)
client.Set(client.Schema.FIRST_SEEN, rdfvalue.RDFDatetime().Now())
index = aff4.FACTORY.Create(client_index.MAIN_INDEX,
aff4_type=client_index.ClientIndex,
object_exists=True,
mode="rw",
token=self.token)
index.AddClient(client)
client.Close(sync=True)
# Publish the client enrollment message.
self.Publish("ClientEnrollment", certificate_attribute.common_name)
self.Log("Enrolled %s successfully", self.client_id)
def get_x509_proxy(self,
request_pem,
issuer=None,
subject=None,
private_key=None):
"""
Generate a X509 proxy based on the request
Args:
requestPEM: The request PEM encoded
issuer: The issuer user
subject: The subject of the proxy. If None, issuer/CN=proxy will be used
Returns:
A X509 proxy PEM encoded
"""
if issuer is None:
issuer = [('DC', 'ch'), ('DC', 'cern'), ('CN', 'Test User')]
if subject is None:
subject = issuer + [('CN', 'proxy')]
x509_request = X509.load_request_string(str(request_pem))
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.now(UTC))
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(datetime.now(UTC) + timedelta(hours=3))
issuer_subject = X509.X509_Name()
for c in issuer:
issuer_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0)
proxy_subject = X509.X509_Name()
for c in subject:
proxy_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0)
proxy = X509.X509()
proxy.set_version(2)
proxy.set_subject(proxy_subject)
proxy.set_serial_number(int(time.time()))
proxy.set_version(x509_request.get_version())
proxy.set_issuer(issuer_subject)
proxy.set_pubkey(x509_request.get_pubkey())
proxy.set_not_after(not_after)
proxy.set_not_before(not_before)
if not private_key:
proxy.sign(self.pkey, 'sha1')
else:
proxy.sign(private_key, 'sha1')
return proxy.as_pem() + self.cert.as_pem()
def new_from_pem(cls, pem, user=None, key=None):
"""Create a Request Instance with an existing PEM
"""
rqst = cls(user=user, key=key)
m2rqst = X509.load_request_string(pem, X509.FORMAT_PEM)
rqst.pem = m2rqst.as_pem()
subject = m2rqst.get_subject()
rqst.country = subject.C
rqst.CN = subject.CN
# Add date
rqst.created = datetime.now()
return rqst
def get_request(self):
"""
Return Request object.
"""
if self.csr:
try:
request = X509.load_request_string(self.csr.encode('ascii'))
except X509.X509Error as detail:
_logger.warn(detail)
request = None
else:
request = None
return request
def testEnrollingCommunicator(self):
"""Test that the ClientCommunicator generates good keys."""
self.client_communicator = comms.ClientCommunicator(certificate="")
self.client_communicator.LoadServerCertificate(
self.server_certificate, config_lib.CONFIG["CA.certificate"])
req = X509.load_request_string(self.client_communicator.GetCSR())
# Verify that the CN is of the correct form
public_key = req.get_pubkey().get_rsa().pub()[1]
cn = rdfvalue.ClientURN.FromPublicKey(public_key)
self.assertEqual(cn, req.get_subject().CN)
def testEnrollingCommunicator(self):
"""Test that the ClientCommunicator generates good keys."""
self.client_communicator = comms.ClientCommunicator(certificate="")
self.client_communicator.LoadServerCertificate(
self.server_certificate, config_lib.CONFIG["CA.certificate"])
req = X509.load_request_string(self.client_communicator.GetCSR())
# Verify that the CN is of the correct form
public_key = req.get_pubkey().get_rsa().pub()[1]
cn = rdf_client.ClientURN.FromPublicKey(public_key)
self.assertEqual(cn, req.get_subject().CN)
def get_x509_proxy(self, request_pem, issuer=None, subject=None, private_key=None):
"""
Generate a X509 proxy based on the request
Args:
requestPEM: The request PEM encoded
issuer: The issuer user
subject: The subject of the proxy. If None, issuer/CN=proxy will be used
Returns:
A X509 proxy PEM encoded
"""
if issuer is None:
issuer = [('DC', 'ch'), ('DC', 'cern'), ('CN', 'Test User')]
if subject is None:
subject = issuer + [('CN', 'proxy')]
x509_request = X509.load_request_string(str(request_pem))
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.now(UTC))
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(datetime.now(UTC) + timedelta(hours=3))
issuer_subject = X509.X509_Name()
for c in issuer:
issuer_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0)
proxy_subject = X509.X509_Name()
for c in subject:
proxy_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0)
proxy = X509.X509()
proxy.set_version(2)
proxy.set_subject(proxy_subject)
proxy.set_serial_number(int(time.time()))
proxy.set_version(x509_request.get_version())
proxy.set_issuer(issuer_subject)
proxy.set_pubkey(x509_request.get_pubkey())
proxy.set_not_after(not_after)
proxy.set_not_before(not_before)
if not private_key:
proxy.sign(self.pkey, 'sha1')
else:
proxy.sign(private_key, 'sha1')
return proxy.as_pem() + self.cert.as_pem()
def parseSignature(signature):
if not signature:
return "", "", "", "", ""
# 返回一个X509.Request类型代表证书请求文件
req = X509.load_request_string(signature)
#首先验证一下,是不是真的是使用它本身的私钥签名的。
#如果是,返回非0值。如果不是,说明这是一个非法的证书请求文件。
is_verify = req.verify(req.get_pubkey())
is_verify = is_verify and True or False
S = req.get_subject()
return is_verify, dict(
zip(("sig_domain", "sig_depart", "sig_organization", "sig_province",
"sig_locale", "sig_contry"), getCertParm(S)))
def get_request(self, cr, uid, ids, context=None):
"""
Return Request object.
"""
r = {}
for cert in self.browse(cr, uid, ids):
if cert.csr:
try:
r[cert.id] = X509.load_request_string(cert.csr.encode('ascii'))
except X509.X509Error as detail:
_logger.warn(detail)
r[cert.id] = None
else:
r[cert.id] = None
return r
def get_request(self, cr, uid, ids, context=None):
"""
Return Request object.
"""
r = {}
for cert in self.browse(cr, uid, ids):
if cert.csr:
try:
r[cert.id] = X509.load_request_string(cert.csr.encode("ascii"))
except X509.X509Error as detail:
_logger.warn(detail)
r[cert.id] = None
else:
r[cert.id] = None
return r
def Start(self):
"""Sign the CSR from the client."""
client = aff4.FACTORY.Create(self.client_id,
"VFSGRRClient",
token=self.token)
if self.args.csr.type != rdfvalue.Certificate.Type.CSR:
raise IOError("Must be called with CSR")
req = X509.load_request_string(self.args.csr.pem)
# Verify that the CN is of the correct form. The common name should refer to
# a client URN.
public_key = req.get_pubkey().get_rsa().pub()[1]
self.cn = rdfvalue.ClientURN.FromPublicKey(public_key)
if self.cn != rdfvalue.ClientURN(req.get_subject().CN):
raise IOError("CSR CN does not match public key.")
logging.info("Will sign CSR for: %s", self.cn)
cert = self.MakeCert(self.cn, req)
# This check is important to ensure that the client id reported in the
# source of the enrollment request is the same as the one in the
# certificate. We use the ClientURN to ensure this is also of the correct
# form for a client name.
if self.cn != self.client_id:
raise flow.FlowError("Certificate name %s mismatch for client %s",
self.cn, self.client_id)
# Set and write the certificate to the client record.
certificate_attribute = rdfvalue.RDFX509Cert(cert.as_pem())
client.Set(client.Schema.CERT, certificate_attribute)
client.Set(client.Schema.FIRST_SEEN, rdfvalue.RDFDatetime().Now())
client.Close(sync=True)
# Publish the client enrollment message.
self.Publish("ClientEnrollment", certificate_attribute.common_name)
self.Log("Enrolled %s successfully", self.client_id)
# This is needed for backwards compatibility.
# TODO(user): Remove this once all clients are > 2200.
self.CallClient("SaveCert",
pem=cert.as_pem(),
type=rdfvalue.Certificate.Type.CRT,
next_state="End")
def validate_csr(csr, addr):
""" Validate Certificate Signing Request (CSR) """
try:
csr = X509.load_request_string(str(csr))
except:
raise ValidationError('Not a valid CSR')
subject = csr.get_subject()
if not subject.CN:
raise ValidationError("Required subject Common Name (CN) not provided")
try:
cnip = IP(subject.CN)
except ValueError:
msg = "Subject Common Name (CN) '%s' is not a valid IP address"
raise ValidationError(msg % subject.CN)
if addr != cnip:
msg = "Common Name (CN) must be equal to node management address: '%s' != '%s'"
raise ValidationError(msg % (subject.CN, addr))
def Start(self):
"""Sign the CSR from the client."""
client = aff4.FACTORY.Create(self.client_id, "VFSGRRClient",
token=self.token)
if self.args.csr.type != rdfvalue.Certificate.Type.CSR:
raise IOError("Must be called with CSR")
req = X509.load_request_string(self.args.csr.pem)
# Verify that the CN is of the correct form. The common name should refer to
# a client URN.
public_key = req.get_pubkey().get_rsa().pub()[1]
self.cn = rdfvalue.ClientURN.FromPublicKey(public_key)
if self.cn != rdfvalue.ClientURN(req.get_subject().CN):
raise IOError("CSR CN does not match public key.")
logging.info("Will sign CSR for: %s", self.cn)
cert = self.MakeCert(self.cn, req)
# This check is important to ensure that the client id reported in the
# source of the enrollment request is the same as the one in the
# certificate. We use the ClientURN to ensure this is also of the correct
# form for a client name.
if self.cn != self.client_id:
raise flow.FlowError("Certificate name %s mismatch for client %s",
self.cn, self.client_id)
# Set and write the certificate to the client record.
certificate_attribute = rdfvalue.RDFX509Cert(cert.as_pem())
client.Set(client.Schema.CERT, certificate_attribute)
client.Set(client.Schema.FIRST_SEEN, rdfvalue.RDFDatetime().Now())
client.Close(sync=True)
# Publish the client enrollment message.
self.Publish("ClientEnrollment", certificate_attribute.common_name)
self.Log("Enrolled %s successfully", self.client_id)
# This is needed for backwards compatibility.
# TODO(user): Remove this once all clients are > 2200.
self.CallClient("SaveCert", pem=cert.as_pem(),
type=rdfvalue.Certificate.Type.CRT, next_state="End")
def generate_certificate(self, activation_key, cert_req_pem, unique_cn=False):
cert_info = self.certificates_collection.find_one({DBK_CERT_ACTKEY: activation_key})
if not cert_info:
raise NotFound('Certificate with key=%s does not found!'%activation_key)
rqst = X509.load_request_string(cert_req_pem)
issuer = rqst.get_subject()
role = cert_info[DBK_CERT_ROLE]
if issuer.OU != role:
raise InvalidCertRequest('Invalid certificate request OU=%s. "%s" value expected'%(issuer.OU, role))
if not issuer.CN:
raise InvalidCertRequest('Invalid CN! REQ: %s'%rqst.as_text())
issuer_cn = str(issuer.CN)
if len(issuer_cn) == 0 or len(issuer_cn) > 64:
raise InvalidRegistration('Invalid CN size. Maximum is 64 bytes, but %s occured!'%len(issuer_cn))
if cert_info[DBK_CERT_STATUS] == STATUS_ACTIVE:
if issuer_cn == cert_info[DBK_CERT_CN]:
return cert_info[DBK_CERT_PEM]
raise AlreadyGenerated('Certificate with activation key=%s is already processed!'%activation_key)
if unique_cn:
cert_with_cn = self.certificates_collection.find_one({DBK_CERT_CN: issuer_cn})
if cert_with_cn:
raise InvalidRegistration('Certificate with CN=%s is already exists!'%issuer_cn)
#generating certificate
serial_id = cert_info[DBK_CERT_SERIALID]
cert_period = int(cert_info[DBK_CERT_TERM])
revoke_dt = datetime.now() + timedelta(cert_period)
cert_pem = sign_request(cert_req_pem, self.ca_private, self.ca_pem, serial_id, cert_period, 'test')
cert_info[DBK_CERT_PEM] = cert_pem
cert_info[DBK_CERT_MODDATE] = datetime.now()
cert_info[DBK_CERT_REVOKE_DT] = revoke_dt
cert_info[DBK_CERT_STATUS] = STATUS_ACTIVE
cert_info[DBK_CERT_CN] = issuer_cn
self.certificates_collection.update({DBK_CERT_ACTKEY: activation_key}, cert_info)
return cert_pem
def genCertificate(privkey, signature, certificate):
#首先读取证书请求文件。
# signature=file("req.pem", "rb").read()
#返回一个X509.Request类型代表证书请求文件
req=X509.load_request_string(signature)
#首先验证一下,是不是真的是使用它本身的私钥签名的。
#如果是,返回非0值。如果不是,说明这是一个非法的证书请求文件。
is_verify = req.verify(req.get_pubkey())
if not is_verify:
return False, False, None
#接下来载入CA的电子证书。与CA的密钥不一样,CA的电子证书包含了CA的身份信息。
#CA的电子证书会分发给各个通信节点。
# certificate=file("ca.pem", "rb").read()
ca=X509.load_cert_string(certificate)
#可以使用check_ca()方法判断这个证书文件是不是CA。
#本质是判断它是不是自签名。如果是的话,就返回非0值。如果不是的话就返回0。
is_ca = ca.check_ca()
# if not is_ca:
# return True, False, None
#接下来载入CA的密钥
# cakey_str=file("cakey.pem", "rb").read()
#一般CA的密钥要加密保存。回调函数返回密码
# cakey=EVP.load_key_string(privkey, lambda *args: "1234")
cakey=EVP.load_key_string(privkey, util.no_passphrase_callback)
#接下来开始生成电子证书
cert=X509.X509()
#首先,设定开始生效时间与结束生效时间
t = long(time.time()) + time.timezone #当前时间,单位是秒
#开始生效时间。证书的时间类型不是普通的Python datetime类型。
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
nowPlusYear = ASN1.ASN1_UTCTIME() #结束生效时间
nowPlusYear.set_time(t + 60 * 60 * 24 * 365) #一年以后。
cert.set_not_before(now)
cert.set_not_after(nowPlusYear)
# 把证书请求附带的身份信息复制过来
cert.set_subject(req.get_subject())
#设置颁发者的身份信息,把CA电子证书内身份信息复制过来
cert.set_issuer(ca.get_subject())
#序列号是指,CA颁发的第几个电子证书文件
cert.set_serial_number(2)
#把证书请求内的公钥复制过来
cert.set_pubkey(req.get_pubkey())
#使用CA的秘钥进行签名。
cert.sign(cakey, "sha1")
certificateT = cert.as_pem()
return True, True, certificateT
#保存文件。
file("cert.pem", "wb").write(cert.as_pem())
def sign(request):
""" method dedicated to sign an external certificate request
:param request: Django POST request object
:param POST['csr']: The PEM certificate request
"""
cert = SSLCertificate()
cert.cert = ""
cert.key = ""
cert.chain = ""
cert.csr = ""
if request.method == 'POST':
dataPosted = request.POST
error = dict()
err = None
try:
cert.csr = str(dataPosted['csr'])
except:
err = True
error['csr'] = "PEM Certificate request required"
pass
if err:
return render_to_response('cert_sign.html', {
'cert': cert,
'error': error
},
context_instance=RequestContext(request))
# Check the request
try:
x509Request = X509.load_request_string(cert.csr)
except:
error['csr'] = "Invalid PEM Certificate Request"
return render_to_response('cert_sign.html', {
'cert': cert,
'error': error
},
context_instance=RequestContext(request))
# Get cluster
cluster = Cluster.objects.get()
# Find the internal CA's certificate and private key
internal = cluster.ca_certificate
ca_key = RSA.load_key_string(internal.key.encode('utf8'))
ca_cert = X509.load_cert_string(internal.cert.encode('utf8'))
# Get PKI next serial number
serial = cluster.ca_serial
serial += 1
# Create a certificate from the request
crt = mk_cert(serial)
crt.set_pubkey(x509Request.get_pubkey())
pk = EVP.PKey()
pk.assign_rsa(ca_key)
issuer = X509.X509_Name()
subject = X509.X509_Name()
fields = str(x509Request.get_subject()).split('/')
for field in fields:
tmp = field.split('=')
if str(tmp[0]) == "CN":
subject.CN = tmp[1]
cert.cn = tmp[1]
elif str(tmp[0]) == "C":
subject.C = tmp[1]
cert.c = tmp[1]
elif str(tmp[0]) == "ST":
subject.ST = tmp[1]
cert.st = tmp[1]
elif str(tmp[0]) == "L":
subject.L = tmp[1]
cert.l = tmp[1]
elif str(tmp[0]) == "O":
subject.O = tmp[1]
cert.o = tmp[1]
elif str(tmp[0]) == "OU":
subject.OU = tmp[1]
cert.ou = tmp[1]
fields = str(ca_cert.get_subject()).split('/')
for field in fields:
tmp = field.split('=')
if str(tmp[0]) == "CN":
issuer.CN = tmp[1]
elif str(tmp[0]) == "C":
issuer.C = tmp[1]
elif str(tmp[0]) == "ST":
issuer.ST = tmp[1]
elif str(tmp[0]) == "L":
issuer.L = tmp[1]
elif str(tmp[0]) == "O":
issuer.O = tmp[1]
elif str(tmp[0]) == "OU":
issuer.OU = tmp[1]
crt.set_subject(subject)
crt.set_issuer(issuer)
crt.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE'))
crt.add_ext(
X509.new_extension('subjectKeyIdentifier',
str(crt.get_fingerprint())))
try:
crt.sign(pk, 'sha256')
except Exception as e:
print(e)
# Save serial number
cluster.ca_serial = serial
cluster.save()
# Store the certificate
cert.cert = crt.as_pem().decode('utf8')
cert.name = str(crt.get_subject())
cert.status = 'V'
cert.issuer = str(internal.issuer)
cert.validfrom = str(crt.get_not_before().get_datetime())
cert.validtill = str(crt.get_not_after().get_datetime())
cert.is_ca = False
cert.chain = str(internal.cert)
cert.serial = str(serial)
cert.save()
return HttpResponseRedirect('/system/cert/')
return render_to_response('cert_sign.html', {
'cert': cert,
},
context_instance=RequestContext(request))
def m2_request(self):
"""Return M2Crypto's Request instance
"""
rqst = X509.load_request_string(self.pem, X509.FORMAT_PEM)
return rqst
def from_pem(cls, data):
newcls = cls.__new__(cls)
newcls._req = X509.load_request_string(str(data), format=X509.FORMAT_PEM)
assert newcls._req.verify(newcls._req.get_pubkey()) == 1
return newcls
def main():
form = cgi.FieldStorage()
# form hasn't been submitted yet
if not form:
message = """
<form action="/cgi-bin/sendcert/index.cgi"
method="POST" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit">
<input type="reset">
</form>
"""
htmlOutput(message)
# form has ben submitted
elif "file" in form:
joiner = os.environ.get('REMOTE_USER',None)
if not joiner:
htmlOutput("ERROR: You must authenticate to use this script.")
exit(0)
# can be either a 'file submit' from a browser, or a urlencoded string
fileitem = form["file"]
if fileitem.file:
csrdata = fileitem.file.read()
else:
csrdata = fileitem.value
try:
csr = X509.load_request_string(csrdata)
except X509.X509Error:
htmlOutput("ERROR: No valid CSR data received.")
exit(0)
# get object type and name
subject_name = csr.get_subject()
obj_typename, obj_name = subject_name.split(":")
obj_id = int(wc.call('EntityId', obj_typename, obj_name))
if obj_id < 1:
# object does not exist - should have been created by
# client script
htmlOutput("ERROR: object {} does not exist.".
format(subject_name))
exit(0)
# Now we need to start looking up things in the hierarchy -
# make a Webclient.
wcurl = context.desired_status.xpath(wxpath + '/webclient/@url')[0]
# TODO(colin): change over to cert or user+pass
wc = WebClient(wcurl, 'eggy')
# We'll need settext permission on the object's 'reset_trust' field
req = {
'channel_id': wc.call('HierarchyChannel'),
'op': 'settext'
'mpath': '/contents/{}[{}]/field[reset_trust]'.format(obj_typename, obj_id),
'owner': joiner,
'approval': []
}
allowed = wc.call('ActionAllowed', req, '/system/special/authz/objects')
if allowed != 1:
htmlOutput('ERROR: user "{}" is not alowed to reset the trust link for {}:{}'.format(joiner, obj_typename, obj_name))
exit(0)
# check that csr conforms to our certificate policy
check_csr(csr)
# now we've got permission to do something
dbcon = psycopg2.connect(host=dcon_elt['host'],
port=dcon_elt['port'],
database=dcon_elt['database'],
user=cred_elt.xpath('/cred/db/username/text()'),
password=cred_elt.xpath('/cred/db/password/text()'))
# This script should not live long enough to worry about
# more than one cursor - just create a global one.
cur = dbcon.cursor()
cur.execute("select nextval(%s)", ('certs'))
serial = cur.fetchone()[0]
cert = sign_csr(csr, serial)
# revoke old row/cert
cur.execute("update certs set type='R' where name=%s and type='V'",
(subject_name))
# add new row/cert
cur.execute("insert into certs (serial, name, type, expiry_date) " +
"values (%s,%s,'V',%s)",
(serial, subject_name, cert.get_not_before()))
cur.commit()
# hand the signed certificate back
fileOutput(csr.get_subject().CN, cert.as_pem())
def from_pem(cls, data):
newcls = cls.__new__(cls)
newcls._req = X509.load_request_string(str(data),
format=X509.FORMAT_PEM)
assert newcls._req.verify(newcls._req.get_pubkey()) == 1
return newcls
