Exemplo n.º 1
0
Arquivo: slcs.py Projeto: grith/gsindl
    def slcs_handler(slcsResp):
        """
        Take a response from a SLCS Login URL and return the cert,keys

        :rtype: (key, pubkey, certifcate)
        """
        token, dn, reqURL, elements = parse_req_response(slcsResp)

        certreq, k = generate_certificate(dn=str(dn),
                                          extensions=elements)
        certreq.sign(k, 'sha1')
        # POST the Token and CertReq back to the slcs server
        data = urlencode({'AuthorizationToken': token,
                          'CertificateSigningRequest': certreq.as_pem()})
        log.info('Request Signing by SLCS')
        log.debug('POST: %s' % reqURL)
        certResp = urllib2.urlopen(reqURL, data)
        cert = parse_cert_response(certResp)
        return generate_certificate(str(cert), key=k)
Exemplo n.º 2
0
def generate_proxy(certificate, proxykey=None, full=True,
                   lifetime=43200, extensions=[]):
    """
    generate a new proxy certificate

    :param certificate: the parent certificate
    :param proxykey: the key used to sign the proxy
    :param full: whether this is a full proxy or not
    """
    _certificate = certificate
    _full = full

    _proxy, _key = generate_certificate(key=proxykey)

    _proxy.set_version(2)

    # generate serial
    message_digest = EVP.MessageDigest('sha1')
    pubkey = _proxy.get_pubkey()
    der_encoding = pubkey.as_der()
    message_digest.update(der_encoding)
    digest = message_digest.final()
    digest_tuple = struct.unpack('BBBB', digest[:4])
    sub_hash = long(digest_tuple[0] +
                    (digest_tuple[1] +
                     (digest_tuple[2] +
                       (digest_tuple[3] >> 1) * 256) * 256) * 256)
    _proxy.set_serial_number(sub_hash)

    # set issuer
    issuer = _certificate.get_subject()

    # set subject
    subject = X509.X509_Name()
    for n in issuer:
        m2.x509_name_add_entry(subject.x509_name, n.x509_name_entry, -1, 0)
    subject.add_entry_by_txt(field='CN', type=MBSTRING_ASC,
                             entry=str(_proxy.get_serial_number()),
                             len=-1, loc=-1, set=0)
    _proxy.set_subject_name(subject)

    # set times
    not_before = ASN1.ASN1_UTCTIME()
    not_after = ASN1.ASN1_UTCTIME()
    not_before.set_time(int(time.time()) - 300)
    not_after.set_time(int(time.time()) + lifetime)
    _proxy.set_not_before(not_before)
    _proxy.set_not_after(not_after)

    _proxy.set_issuer_name(_certificate.get_subject())

    # add extensions
    try:
        key_usage = _certificate.get_ext('keyUsage')
    except LookupError:
        pass
    else:
        r = []
        for v in key_usage.get_value().split(', '):
            if v in ['Non Repudiation', 'keyCertSign']:
                continue
            r.append(v)
        if 'Digital Signature' not in r:
            r.append('Digital Signature')
        key_usage_value = ', '.join(r)
        extensions.append({'name': key_usage.get_name(),
                           'critical': key_usage.get_critical(),
                           'value': key_usage_value})

    if _full:
        extensions.append({'name': "proxyCertInfo",
                           'value': PCI_VALUE_FULL,
                           'critical': 1})
    else:
        extensions.append({'name': "proxyCertInfo",
                           'value': PCI_VALUE_LIMITED,
                           'critical': 1})
    if extensions:
        sslower = lambda s: s.lower().replace(' ', '')

        for e in extensions:
            name = e['name']
            key = sslower(name)
            critical = e['critical']
            if key in multi_attrs:
                e['value'] = ', '.join([multi_attrs[key][sslower(v)]
                               for v in e['value'].split(',')])
            _proxy.add_ext(X509.new_extension(Att_map[key],
                                              e['value'],
                                              critical=int(critical)))

    return _proxy, _key