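def info(reqid):
    """Return the info string and validation result for one request.

    Args:
        reqid: key of the request in the certificate DB.

    Returns:
        The entry's info string followed by its validation result, each
        newline-terminated, or a "Cannot find" message when there is no
        usable entry for ``reqid``.
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    # Guard only the lookup: a failure while formatting an existing entry
    # is a real fault and must not be masked as "not found".
    try:
        entry = dbdata[reqid]
    except (KeyError, IndexError, TypeError):
        entry = None
    # The DB can hold None placeholders (other callers skip them too).
    if entry is None:
        return "Cannot find reqid %d in cert DB\n" % reqid
    return entry.toInfoString() + "\n" + entry.validationResultToString() + "\n"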
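def deny(reqid):
    """Mark a pending request as Denied and persist the change.

    Args:
        reqid: key of the request in the certificate DB.

    Returns:
        The updated entry's info string on success, or a message saying why
        the request cannot be denied (already Issued/Revoked/Denied, an
        unrecognised state, or no entry for ``reqid``).
    """
    db_file = jsonloader.conf.ra_options["certdb_file"]
    dbdata = util.load_db(db_file)
    # Guard only the lookup so that a failure in write_db or toInfoString
    # propagates instead of being reported as "Cannot find reqid".
    try:
        entry = dbdata[reqid]
    except (KeyError, IndexError, TypeError):
        entry = None
    if entry is None:
        return "Cannot find reqid %d in cert DB" % reqid

    status = entry.getStatus()
    if status != "Pending":
        refusals = {
            "Revoked": "Cannot deny, certificate already Revoked",
            "Issued": "Cannot deny, certificate already Issued",
            "Denied": "Cannot deny, certificate already Denied",
        }
        return refusals.get(status, "Cannot deny, Unkown state error")

    entry.Denied = True
    util.write_db(dbdata, db_file)
    return entry.toInfoString()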
def generate_crl():
    """Build and sign a CRL covering every "Revoked" entry in the cert DB.

    Returns:
        The CRL serialised with the encoding named by
        ``revocation_options["crl_format"]``.

    Raises:
        Whatever loading the signing CA certificate or its private key
        raises; both are logged and re-raised.
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    crl_builder = x509.CertificateRevocationListBuilder()

    # find revoked certs, create revoked cert objects and
    # add to the crl builder
    for req in sorted(dbdata):
        # The DB can hold None placeholders; skip them.
        if dbdata[req] is None:
            continue
        if dbdata[req].getStatus() == "Revoked":
            builder = x509.RevokedCertificateBuilder()
            builder = builder.revocation_date(dbdata[req].revocation_date)
            # todo. dg. check this is getting valid serial numbers
            builder = builder.serial_number(dbdata[req].get_cert_serial())
            revoked_certificate = builder.build(backends.default_backend())
            crl_builder = crl_builder.add_revoked_certificate(revoked_certificate)

    # set crl lifetimes #todo. dg. what about clock skew? validfrom date in
    # past?
    # NOTE(review): last_update is "now" with no backdating, so a relying
    # party whose clock is behind this host may treat the CRL as not yet
    # valid until the skew elapses; utcnow() is also naive (no tzinfo).
    crl_builder = crl_builder.last_update(datetime.datetime.utcnow())
    # Lifetime comes from config as whole days; the CRL expires at
    # last_update + crl_lifetime_days.
    crl_lifetime = datetime.timedelta(int(jsonloader.conf.revocation_options["crl_lifetime_days"]), 0, 0)
    crl_builder = crl_builder.next_update(datetime.datetime.utcnow() + crl_lifetime)

    # get CA cert
    ca_conf = jsonloader.signing_ca_for_registration_authority(jsonloader.conf.ra_options["ra_name"])
    try:
        ca_cert = anchor_certificate.X509Certificate.from_file(ca_conf["cert_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA: %s" % (e,))
        raise

    # set CRL cn (issuer name) to that of the CA certificate
    # NOTE(review): only the first subject component of the CA cert is
    # copied, and it is labelled COMMON_NAME regardless of what it is. If
    # the CA subject has more than one RDN (or its first RDN is not the CN)
    # the CRL issuer name will not equal the CA subject, and relying parties
    # that match CRL issuer against certificate issuer will reject the CRL.
    # Confirm the CA subject shape, or copy the full subject name instead.
    crl_builder = crl_builder.issuer_name(
        x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, ca_cert.get_subject()[0].get_value())])
    )

    # get private key
    try:
        private_key = anchor_utils.get_private_key_from_file(ca_conf["key_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA private key: %s" % (e,))
        raise
    # generate crl #todo get hash alg from config?
    # Signature hash is fixed to SHA-256 here; it is not read from config.
    crl = crl_builder.sign(private_key, hashes.SHA256(), backends.default_backend())

    return crl.public_bytes(serialization.Encoding(jsonloader.conf.revocation_options["crl_format"]))
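def fetch_cert(reqid):
    """Return the issued certificate for a request, if it has one.

    Args:
        reqid: key of the request in the certificate DB.

    Returns:
        ``get_cert()`` of the entry when its status is "Issued"; otherwise a
        message saying why nothing can be fetched (Revoked, Pending, Denied,
        an unrecognised state, or no entry for ``reqid``).
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    # Guard only the lookup so that a failure in get_cett/getStatus is not
    # masked as "Cannot find reqid".
    try:
        entry = dbdata[reqid]
    except (KeyError, IndexError, TypeError):
        entry = None
    if entry is None:
        return "Cannot find reqid %d in cert DB" % reqid

    # Read-only operation: nothing is written back to the DB, so the
    # write_db call that used to follow the branches was unreachable.
    status = entry.getStatus()
    if status == "Issued":
        return entry.get_cert()
    refusals = {
        "Revoked": "Cannot fetch, certificate is revoked",
        "Pending": "Cannot fetch, certificate is not yet Issued",
        "Denied": "Cannot fetch, certificate request is Denied",
    }
    return refusals.get(status, "Cannot fetch, Unkown state error")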
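def revoke(reqid):
    """Mark an issued certificate as Revoked and persist the change.

    The revocation date recorded here is what generate_crl() later puts in
    the CRL entry.

    Args:
        reqid: key of the request in the certificate DB.

    Returns:
        The updated entry's info string on success, or a message saying why
        the certificate cannot be revoked (already Revoked/Denied, not yet
        Issued, an unrecognised state, or no entry for ``reqid``).
    """
    db_file = jsonloader.conf.ra_options["certdb_file"]
    dbdata = util.load_db(db_file)
    # Guard only the lookup so that a failure in write_db or toInfoString
    # propagates instead of being reported as "Cannot find reqid".
    try:
        entry = dbdata[reqid]
    except (KeyError, IndexError, TypeError):
        entry = None
    if entry is None:
        return "Cannot find reqid %d in cert DB" % reqid

    status = entry.getStatus()
    if status != "Issued":
        refusals = {
            "Revoked": "Cannot revoke, certificate already Revoked",
            "Pending": "Cannot revoke, certificate not Issued",
            "Denied": "Cannot revoke, certificate already Denied",
        }
        return refusals.get(status, "Cannot revoke, Unkown state error")

    entry.Revoked = True
    # Naive UTC timestamp, matching what generate_crl() feeds the builder.
    entry.revocation_date = datetime.datetime.utcnow()
    util.write_db(dbdata, db_file)
    return entry.toInfoString()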
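def issue(reqid):
    """Sign a pending request, store the certificate and mark it Issued.

    Args:
        reqid: key of the request in the certificate DB.

    Returns:
        The updated entry's info string on success, or a message saying why
        the request cannot be issued (already Issued/Denied/Revoked, an
        unrecognised state, or no entry for ``reqid``).

    Raises:
        Whatever certificate_ops.dispatch_sign or util.write_db raise; a
        signing failure is not persisted because write_db runs after it.
    """
    db_file = jsonloader.conf.ra_options["certdb_file"]
    dbdata = util.load_db(db_file)
    # Guard only the lookup so that a failure elsewhere is not reported as
    # "Cannot find reqid".
    try:
        entry = dbdata[reqid]
    except (KeyError, IndexError, TypeError):
        entry = None
    if entry is None:
        return "Cannot find reqid %d in cert DB" % reqid

    # Only a request in the Pending state may be signed; every other state,
    # including one this code does not recognise, is refused rather than
    # falling through to the signing step.
    status = entry.getStatus()
    if status != "Pending":
        refusals = {
            "Issued": "Cannot issue, certificate already Issued",
            "Denied": "Cannot issue certificate already Denied",
            "Revoked": "Cannot issue certificate already Revoked",
        }
        return refusals.get(status, "Cannot issue, Unknown state error")

    entry.Issued = True
    ra_name = jsonloader.conf.ra_options["ra_name"]
    signed = certificate_ops.dispatch_sign(ra_name, entry.get_X509csr())
    # Store the first returned item as a single-line string. No trailing
    # comma here: that would turn the stored cert into a one-element tuple.
    entry.cert = signed[0].replace("\n", "")
    util.write_db(dbdata, db_file)
    return entry.toInfoString()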
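def list(*filter):
    """List the requests in the certificate DB, optionally by status.

    The name shadows the ``list`` builtin; it is kept because it is the
    endpoint name callers use.

    Args:
        *filter: optional status name, case-insensitive: "issued",
            "revoked", "denied" or "pending". pecan may hand the arguments
            over as a single nested tuple, which is unpacked first.

    Returns:
        One info line per matching entry (every non-None entry when no
        filter is given), or an error message naming the valid filters when
        the filter is not recognised.
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])

    # hack - deal with optional key from pecan (i.e /list vs /list/pending)
    # by checking for tuple and unpacking. Guarded so that a call with no
    # arguments at all does not raise IndexError.
    if filter and isinstance(filter[0], tuple):
        filter = filter[0]

    wanted = None
    if filter:
        status_by_filter = {
            "issued": "Issued",
            "revoked": "Revoked",
            "denied": "Denied",
            "pending": "Pending",
        }
        wanted = status_by_filter.get(filter[0].lower())
        if wanted is None:
            # Adjacent literals concatenate into one string; a comma between
            # them would return a tuple instead of a message.
            return ("Unkown filter, valid filters are issued, "
                    "pending, denied or revoked\n")

    lines = []
    for req in sorted(dbdata):
        entry = dbdata[req]
        # The DB can hold None placeholders; skip them.
        if entry is None:
            continue
        if wanted is None or entry.getStatus() == wanted:
            lines.append(entry.toInfoString() + "\n")
    return "".join(lines)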