def slcs_handler(slcsResp):
"""
Take a response from a SLCS Login URL and return the cert,keys
:rtype: (key, pubkey, certifcate)
"""
token, dn, reqURL, elements = parse_req_response(slcsResp)
certreq, k = generate_certificate(dn=str(dn),
extensions=elements)
certreq.sign(k, 'sha1')
# POST the Token and CertReq back to the slcs server
data = urlencode({'AuthorizationToken': token,
'CertificateSigningRequest': certreq.as_pem()})
log.info('Request Signing by SLCS')
log.debug('POST: %s' % reqURL)
certResp = urllib2.urlopen(reqURL, data)
cert = parse_cert_response(certResp)
return generate_certificate(str(cert), key=k)
def generate_proxy(certificate, proxykey=None, full=True,
lifetime=43200, extensions=[]):
"""
generate a new proxy certificate
:param certificate: the parent certificate
:param proxykey: the key used to sign the proxy
:param full: whether this is a full proxy or not
"""
_certificate = certificate
_full = full
_proxy, _key = generate_certificate(key=proxykey)
_proxy.set_version(2)
# generate serial
message_digest = EVP.MessageDigest('sha1')
pubkey = _proxy.get_pubkey()
der_encoding = pubkey.as_der()
message_digest.update(der_encoding)
digest = message_digest.final()
digest_tuple = struct.unpack('BBBB', digest[:4])
sub_hash = long(digest_tuple[0] +
(digest_tuple[1] +
(digest_tuple[2] +
(digest_tuple[3] >> 1) * 256) * 256) * 256)
_proxy.set_serial_number(sub_hash)
# set issuer
issuer = _certificate.get_subject()
# set subject
subject = X509.X509_Name()
for n in issuer:
m2.x509_name_add_entry(subject.x509_name, n.x509_name_entry, -1, 0)
subject.add_entry_by_txt(field='CN', type=MBSTRING_ASC,
entry=str(_proxy.get_serial_number()),
len=-1, loc=-1, set=0)
_proxy.set_subject_name(subject)
# set times
not_before = ASN1.ASN1_UTCTIME()
not_after = ASN1.ASN1_UTCTIME()
not_before.set_time(int(time.time()) - 300)
not_after.set_time(int(time.time()) + lifetime)
_proxy.set_not_before(not_before)
_proxy.set_not_after(not_after)
_proxy.set_issuer_name(_certificate.get_subject())
# add extensions
try:
key_usage = _certificate.get_ext('keyUsage')
except LookupError:
pass
else:
r = []
for v in key_usage.get_value().split(', '):
if v in ['Non Repudiation', 'keyCertSign']:
continue
r.append(v)
if 'Digital Signature' not in r:
r.append('Digital Signature')
key_usage_value = ', '.join(r)
extensions.append({'name': key_usage.get_name(),
'critical': key_usage.get_critical(),
'value': key_usage_value})
if _full:
extensions.append({'name': "proxyCertInfo",
'value': PCI_VALUE_FULL,
'critical': 1})
else:
extensions.append({'name': "proxyCertInfo",
'value': PCI_VALUE_LIMITED,
'critical': 1})
if extensions:
sslower = lambda s: s.lower().replace(' ', '')
for e in extensions:
name = e['name']
key = sslower(name)
critical = e['critical']
if key in multi_attrs:
e['value'] = ', '.join([multi_attrs[key][sslower(v)]
for v in e['value'].split(',')])
_proxy.add_ext(X509.new_extension(Att_map[key],
e['value'],
critical=int(critical)))
return _proxy, _key