def clean(self):
"""Let's veridfy the given passphrase"""
cleaned_data = self.cleaned_data
model = cleaned_data.get('_model')
obj_id = cleaned_data.get('_id')
pf_raw = cleaned_data.get('passphrase')
if not pf_raw or pf_raw == '':
pf_in = ''
else:
pf_in = md5_constructor(pf_raw).hexdigest()
if model == "certificateauthority":
obj = get_object_or_404(CertificateAuthority, pk=obj_id)
if not pf_in or pf_in == "":
self._errors["passphrase"] = ErrorList(
['Passphrase is missing!'])
return cleaned_data
elif model == "certificate":
obj = get_object_or_404(Certificate, pk=obj_id)
if not obj.parent and not obj.passphrase:
return cleaned_data
else:
raise Http404
if obj.parent:
pf_obj = obj.parent.passphrase
else:
pf_obj = obj.passphrase
if pf_in != pf_obj:
self._errors["passphrase"] = ErrorList(['Passphrase is wrong!'])
return cleaned_data
def clean(self):
"""Let's veridfy the given passphrase"""
cleaned_data = self.cleaned_data
model = cleaned_data.get('_model')
obj_id = cleaned_data.get('_id')
pf_raw = cleaned_data.get('passphrase')
if not pf_raw or pf_raw == '':
pf_in = ''
else:
pf_in = md5_constructor(pf_raw).hexdigest()
if model == "certificateauthority":
obj = get_object_or_404(CertificateAuthority, pk=obj_id)
if not pf_in or pf_in == "":
self._errors["passphrase"] = ErrorList(
['Passphrase is missing!'])
return cleaned_data
elif model == "certificate":
obj = get_object_or_404(Certificate, pk=obj_id)
if not obj.parent and not obj.passphrase:
return cleaned_data
else:
raise Http404
if obj.parent:
pf_obj = obj.parent.passphrase
else:
pf_obj = obj.passphrase
if pf_in != pf_obj:
self._errors["passphrase"] = ErrorList(['Passphrase is wrong!'])
return cleaned_data
def save(self):
"""Save the Certificate object"""
if self.pk:
if self.action in ('update', 'revoke', 'renew'):
action = OpensslActions(self)
prev = Certificate.objects.get(pk=self.pk)
if self.action == 'update':
## Create or remove DER certificate
if self.der_encoded:
action.generate_der_encoded()
else:
action.remove_der_encoded()
## Create or remove PKCS12 certificate
if self.pkcs12_encoded:
if prev.pkcs12_encoded and prev.pkcs12_passphrase == self.pkcs12_passphrase:
logger.debug( 'PKCS12 passphrase is unchanged. Nothing to do' )
else:
action.generate_pkcs12_encoded()
else:
action.remove_pkcs12_encoded()
self.pkcs12_passphrase = None
prev.pkcs12_passphrase = None
if self.pkcs12_passphrase:
prev.pkcs12_passphrase = md5_constructor(self.pkcs12_passphrase).hexdigest()
else:
prev.pkcs12_passphrase = None
prev.description = self.description
prev.der_encoded = self.der_encoded
prev.pkcs12_encoded = self.pkcs12_encoded
prev.pem_encoded = True
elif self.action == 'revoke':
## Revoke and generate CRL
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.parent_passphrase = None
prev.active = False
prev.der_encoded = False
prev.pem_encoded = False
prev.pkcs12_encoded = False
prev.revoked = datetime.datetime.now()
elif self.action == 'renew':
## Revoke if certificate is active
if not action.get_revoke_status_from_cert():
action.revoke_certificate(self.parent_passphrase)
## Renew and update CRL
action.renew_certificate()
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
prev.expiry_date = datetime.datetime.now() + delta
prev.parent_passphrase = None
prev.active = True
prev.pem_encoded = True
prev.der_encoded = self.der_encoded
prev.pkcs12_encoded = self.pkcs12_encoded
prev.revoked = None
prev.valid_days = self.valid_days
## Get the new serial
prev.serial = action.get_serial_from_cert()
#prev.passphrase = md5_constructor(self.passphrase).hexdigest()
## Save the data
self = prev
self.action = 'update'
super(Certificate, self).save()
else:
## Set creation data
self.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
self.expiry_date = datetime.datetime.now() + delta
## Force instance to be active
self.active = True
logger.info( "***** { New certificate generation: %s } *****" % self.name )
## Generate key and certificate
action = OpensslActions(self)
action.generate_key()
action.generate_csr()
action.sign_csr()
## Get the serial from certificate
self.serial = action.get_serial_from_cert()
self.ca_chain = self.parent.ca_chain
if self.ca_chain == 'self-signed':
self.ca_chain = self.parent.name
self.pem_encoded = True
## Create or remove DER certificate
if self.der_encoded:
action.generate_der_encoded()
else:
action.remove_der_encoded()
## Create or remove PKCS12 certificate
if self.pkcs12_encoded:
action.generate_pkcs12_encoded()
else:
action.remove_pkcs12_encoded()
if self.pkcs12_passphrase:
self.pkcs12_passphrase = md5_constructor(self.pkcs12_passphrase).hexdigest()
## Encrypt passphrase and blank parent's passphrase
if self.passphrase:
self.passphrase = md5_constructor(self.passphrase).hexdigest()
self.parent_passphrase = None
## Save the data
super(Certificate, self).save()
def save(self, force_insert=False, force_update=False):
"""Save the CertificateAuthority object"""
if self.pk:
### existing CA
if self.action in ('update', 'revoke', 'renew'):
action = OpensslActions(self)
prev = CertificateAuthority.objects.get(pk=self.pk)
if self.action == 'update':
## Create or remove DER certificate
if self.der_encoded:
action.generate_der_encoded()
else:
action.remove_der_encoded()
prev.description = self.description
prev.der_encoded = self.der_encoded
elif self.action == 'revoke':
## DB-revoke all related certs
garbage = []
id_dict = { 'cert': [], 'ca': [], }
from pki.views import chain_recursion as r_chain_recursion
r_chain_recursion(self.id, garbage, id_dict)
for i in id_dict['cert']:
x = Certificate.objects.get(pk=i)
x.active = False
x.der_encoded = False
x.pem_encoded = False
x.pkcs12_encoded = False
x.revoked = datetime.datetime.now()
super(Certificate, x).save()
for i in id_dict['ca']:
x = CertificateAuthority.objects.get(pk=i)
x.active = False
x.der_encoded = False
x.pem_encoded = False
x.revoked = datetime.datetime.now()
super(CertificateAuthority, x).save()
## Revoke and generate CRL
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.parent_passphrase = None
prev.active = False
prev.der_encoded = False
prev.pem_encoded = False
prev.revoked = datetime.datetime.now()
elif self.action == 'renew':
## Revoke if certificate is active
if self.parent and not action.get_revoke_status_from_cert():
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='replace')
## Renew certificate and update CRL
if self.parent == None:
action.generate_self_signed_cert()
action.generate_crl(self.name, self.passphrase)
else:
action.renew_certificate()
action.generate_crl(self.parent.name, self.parent_passphrase)
action.update_ca_chain_file()
## Modify fields
prev.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
prev.expiry_date = datetime.datetime.now() + delta
prev.valid_days = self.valid_days
prev.parent_passphrase = None
prev.active = True
prev.pem_encoded = True
prev.der_encoded = self.der_encoded
prev.revoked = None
## Get the new serial
prev.serial = action.get_serial_from_cert()
#prev.passphrase = md5_constructor(self.passphrase).hexdigest()
## Save the data
self = prev
self.action = 'update'
super(CertificateAuthority, self).save()
else:
raise Exception( 'Invalid action %s supplied' % self.action )
else:
## Set creation data
self.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
self.expiry_date = datetime.datetime.now() + delta
## Force instance to be active
self.active = True
## Reset the action
self.action = 'update'
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='append')
## Generate keys and certificates
action = OpensslActions(self)
action.generate_key()
if not self.parent:
action.generate_self_signed_cert()
else:
action.generate_csr()
action.sign_csr()
if self.der_encoded:
action.generate_der_encoded()
## Generate CRL
action.generate_crl(self.name, self.passphrase)
## Always enable pem encoded flag
self.pem_encoded = True
## Get the serial from certificate
self.serial = action.get_serial_from_cert()
## Generate ca chain (db field and chain file)
chain = []
chain_str = ''
p = self.parent
if self.parent == None:
chain.append('self-signed')
else:
chain.append( self.common_name )
while p != None:
chain.append(p.common_name)
p = p.parent
chain.reverse()
## Build chain string and file
for i in chain:
if chain_str == '':
chain_str += '%s' % i
else:
chain_str += ' → %s' % i
self.ca_chain = chain_str
action.update_ca_chain_file()
## Encrypt passphrase and blank parent's passphrase
self.passphrase = md5_constructor(self.passphrase).hexdigest()
self.parent_passphrase = None
## Save the data
super(CertificateAuthority, self).save()
def clean(self):
"""Verify fields"""
cleaned_data = self.cleaned_data
name = cleaned_data.get('name')
action = cleaned_data.get('action')
parent = cleaned_data.get('parent')
pf = cleaned_data.get('passphrase')
pf_v = cleaned_data.get('passphrase_verify')
p_pf = cleaned_data.get('parent_passphrase')
extension = cleaned_data.get('extension')
crl_dpoints = cleaned_data.get('crl_dpoints')
enc_p_pf = None
if name in PKI_CA_NAME_BLACKLIST:
self._errors['name'] = ErrorList(['Name "%s" is blacklisted!' %
name])
return cleaned_data
if action in ('create', 'renew'):
if action == 'create':
if not pf_v or pf != pf_v:
self.errors['passphrase_verify'] = ErrorList(
['Passphrase mismtach!'])
## Verify that we're not creating a certificate
# that already exists
if name and os.path.isdir(os.path.join(PKI_DIR, name)):
self._errors['name'] = ErrorList(
['Name "%s" is already in use!' % name])
## Take care that parent is active when action is revoke
if action == 'renew':
ca = CertificateAuthority.objects.get(name='%s' % name)
## Prevent renewal when parent is disabled
if ca.parent is not None and ca.parent.active is not True:
self._errors['action'] = ErrorList(
['Cannot renew CA certificate when parent "%s" isn\'t \
active!' % ca.parent.name])
return cleaned_data
## Compare passphrase
if not pf or (ca.passphrase !=
md5_constructor(pf).hexdigest()):
self._errors['passphrase'] = ErrorList(
['Passphrase is wrong. Enter correct passphrase for \
CA "%s"' % cleaned_data.get('common_name')])
if parent:
ca = CertificateAuthority.objects.get(name='%s' % parent.name)
if p_pf:
enc_p_pf = md5_constructor(p_pf).hexdigest()
## Check if parent allows sub CA
if ca.is_edge_ca():
self._errors['parent'] = ErrorList(
['Parent\'s x509 extension doesn\'t allow a sub CA. \
Only non CA certificates can be created'])
## Check parent passphrase if not RootCA
if ca.passphrase != enc_p_pf:
self._errors['parent_passphrase'] = ErrorList(
['Passphrase is wrong. Enter correct passphrase for \
CA "%s"' % parent])
## Verify CRL distribution settings
x509 = get_object_or_404(x509Extension, name=extension)
if x509.crl_distribution_point and not crl_dpoints:
self._errors['crl_dpoints'] = ErrorList(
['CRL Distribution Points are required by x509 extension \
"%s"' % extension])
elif action == 'revoke':
if parent:
ca = CertificateAuthority.objects.get(name='%s' % parent.name)
enc_p_pf = md5_constructor(cleaned_data.get(
'parent_passphrase')).hexdigest()
## Check parent passphrase
if ca.passphrase != enc_p_pf:
self._errors['parent_passphrase'] = ErrorList(
['Passphrase is wrong. Enter correct passphrase for \
CA "%s"' % parent])
else:
self._errors['action'] = ErrorList(
['You cannot revoke a self-signed root certificate as \
there\'s no CA to revoke against. Delete it instead!'])
return cleaned_data
def clean(self):
"""Verify crucial fields"""
cleaned_data = self.cleaned_data
name = cleaned_data.get('name')
action = cleaned_data.get('action')
parent = cleaned_data.get('parent')
pf = cleaned_data.get('passphrase')
pf_v = cleaned_data.get('passphrase_verify')
p_pf = cleaned_data.get('parent_passphrase')
extension = cleaned_data.get('extension')
crl_dpoints = cleaned_data.get('crl_dpoints')
enc_p_pf = None
if action in ('create', 'renew'):
if action == 'create':
if (pf and not pf_v) or pf != pf_v:
self.errors['passphrase_verify'] = ErrorList(
['Passphrase mismtach detected'])
## Verify that we're not creating a certificate
## that already exists
if parent:
if os.path.exists(os.path.join(PKI_DIR,
parent.name, 'certs',
'%s.key.pem' % name)):
self._errors['name'] = ErrorList(
['Name "%s" is already in use!' % name])
else:
if os.path.exists(os.path.join(PKI_DIR,
'_SELF_SIGNED_CERTIFICATES',
'certs', '%s.key.pem' %
name)):
self._errors['name'] = ErrorList(
['Name "%s" is already in use!' % name])
## Take care that parent is active when action is revoke
if action == 'renew':
cert = Certificate.objects.get(name='%s' % name)
if cert.parent is not None and cert.parent.active is not True:
self._errors['action'] = ErrorList(
['Cannot renew certificate when parent CA "%s" isn\'t \
active!' % cert.parent])
return cleaned_data
if parent:
ca = CertificateAuthority.objects.get(name='%s' % parent.name)
if p_pf:
enc_p_pf = md5_constructor(p_pf).hexdigest()
## Check parent passphrase
if ca.passphrase != enc_p_pf:
self._errors['parent_passphrase'] = ErrorList(
['Passphrase is wrong. Enter correct passphrase for \
CA "%s"' % parent])
## Verify CRL distribution settings
x509 = get_object_or_404(x509Extension, name=extension)
if x509.crl_distribution_point and not crl_dpoints:
self._errors['crl_dpoints'] = ErrorList(
['CRL Distribution Points are required by x509 extension \
"%s"' % extension])
elif action == 'revoke':
if parent:
ca = CertificateAuthority.objects.get(name='%s' % parent.name)
if p_pf:
enc_p_pf = md5_constructor(p_pf).hexdigest()
## Check parent passphrase
if ca.passphrase != enc_p_pf:
self._errors['parent_passphrase'] = ErrorList(
['Passphrase is wrong. Enter correct passphrase for CA\
"%s"' % parent])
else:
self._errors['action'] = ErrorList(
['You cannot revoke a self-signed certificate as there\'s \
no CA to revoke against. Delete it instead!'])
return cleaned_data
def clean(self):
"""Verify fields"""
cleaned_data = self.cleaned_data
name = cleaned_data.get('name')
action = cleaned_data.get('action')
parent = cleaned_data.get('parent')
pf = cleaned_data.get('passphrase')
pf_v = cleaned_data.get('passphrase_verify')
p_pf = cleaned_data.get('parent_passphrase')
extension = cleaned_data.get('extension')
crl_dpoints = cleaned_data.get('crl_dpoints')
enc_p_pf = None
if name in PKI_CA_NAME_BLACKLIST:
self._errors['name'] = ErrorList(
['Name "%s" is blacklisted!' % name])
return cleaned_data
if action in ('create', 'renew'):
if action == 'create':
if not pf_v or pf != pf_v:
self.errors['passphrase_verify'] = ErrorList(
['Passphrase mismtach!'])
## Verify that we're not creating a certificate that already exists
if name and os.path.isdir(os.path.join(PKI_DIR, name)):
self._errors['name'] = ErrorList(
['Name "%s" is already in use!' % name])
## Take care that parent is active when action is revoke
if action == 'renew':
ca = CertificateAuthority.objects.get(name='%s' % name)
## Prevent renewal when parent is disabled
if ca.parent is not None and ca.parent.active is not True:
self._errors['action'] = ErrorList([
'Cannot renew CA certificate when parent "%s" isn\'t active!'
% ca.parent.name
])
return cleaned_data
## Compare passphrase
if not pf or (ca.passphrase !=
md5_constructor(pf).hexdigest()):
self._errors['passphrase'] = ErrorList([
'Passphrase is wrong. Enter correct passphrase for CA "%s"'
% cleaned_data.get('common_name')
])
if parent:
ca = CertificateAuthority.objects.get(name='%s' % parent.name)
if p_pf:
enc_p_pf = md5_constructor(p_pf).hexdigest()
## Check if parent allows sub CA
if ca.is_edge_ca():
self._errors['parent'] = ErrorList([
'Parent\'s x509 extension doesn\'t allow a sub CA. Only non CA certificates can be created'
])
## Check parent passphrase if not RootCA
if ca.passphrase != enc_p_pf:
self._errors['parent_passphrase'] = ErrorList([
'Passphrase is wrong. Enter correct passphrase for CA "%s"'
% parent
])
## Verify CRL distribution settings
x509 = get_object_or_404(x509Extension, name=extension)
if x509.crl_distribution_point and not crl_dpoints:
self._errors['crl_dpoints'] = ErrorList([
'CRL Distribution Points are required by x509 extension "%s"'
% extension
])
elif action == 'revoke':
if parent:
ca = CertificateAuthority.objects.get(name='%s' % parent.name)
enc_p_pf = md5_constructor(
cleaned_data.get('parent_passphrase')).hexdigest()
## Check parent passphrase
if ca.passphrase != enc_p_pf:
self._errors['parent_passphrase'] = ErrorList([
'Passphrase is wrong. Enter correct passphrase for CA "%s"'
% parent
])
else:
self._errors['action'] = ErrorList([
'You cannot revoke a self-signed root certificate as there\'s no CA to revoke against. Delete it instead!'
])
return cleaned_data
def clean(self):
"""Verify crucial fields"""
cleaned_data = self.cleaned_data
name = cleaned_data.get('name')
action = cleaned_data.get('action')
parent = cleaned_data.get('parent')
pf = cleaned_data.get('passphrase')
pf_v = cleaned_data.get('passphrase_verify')
p_pf = cleaned_data.get('parent_passphrase')
extension = cleaned_data.get('extension')
crl_dpoints = cleaned_data.get('crl_dpoints')
enc_p_pf = None
if action in ('create', 'renew'):
if action == 'create':
if (pf and not pf_v) or pf != pf_v:
self.errors['passphrase_verify'] = ErrorList(
['Passphrase mismtach detected'])
## Verify that we're not creating a certificate that already exists
if parent:
if os.path.exists(
os.path.join(PKI_DIR, parent.name, 'certs',
'%s.key.pem' % name)):
self._errors['name'] = ErrorList(
['Name "%s" is already in use!' % name])
else:
if os.path.exists(
os.path.join(PKI_DIR, '_SELF_SIGNED_CERTIFICATES',
'certs', '%s.key.pem' % name)):
self._errors['name'] = ErrorList(
['Name "%s" is already in use!' % name])
## Take care that parent is active when action is revoke
if action == 'renew':
cert = Certificate.objects.get(name='%s' % name)
if cert.parent is not None and cert.parent.active is not True:
self._errors['action'] = ErrorList([
'Cannot renew certificate when parent CA "%s" isn\'t active!'
% cert.parent
])
return cleaned_data
if parent:
ca = CertificateAuthority.objects.get(name='%s' % parent.name)
if p_pf: enc_p_pf = md5_constructor(p_pf).hexdigest()
## Check parent passphrase
if ca.passphrase != enc_p_pf:
self._errors['parent_passphrase'] = ErrorList([
'Passphrase is wrong. Enter correct passphrase for CA "%s"'
% parent
])
## Verify CRL distribution settings
x509 = get_object_or_404(x509Extension, name=extension)
if x509.crl_distribution_point and not crl_dpoints:
self._errors['crl_dpoints'] = ErrorList([
'CRL Distribution Points are required by x509 extension "%s"'
% extension
])
elif action == 'revoke':
if parent:
ca = CertificateAuthority.objects.get(name='%s' % parent.name)
if p_pf: enc_p_pf = md5_constructor(p_pf).hexdigest()
## Check parent passphrase
if ca.passphrase != enc_p_pf:
self._errors['parent_passphrase'] = ErrorList([
'Passphrase is wrong. Enter correct passphrase for CA "%s"'
% parent
])
else:
self._errors['action'] = ErrorList([
'You cannot revoke a self-signed certificate as there\'s no CA to revoke against. Delete it instead!'
])
return cleaned_data
def save(self, *args, **kwargs):
"""Save the Certificate object"""
## Set user to None if it's missing
c_user = getattr(self, 'user', None)
## Variables to track changes
c_action = self.action
c_list = []
if self.pk:
if self.action in ('update', 'revoke', 'renew'):
action = Openssl(self)
prev = Certificate.objects.get(pk=self.pk)
if self.action == 'revoke':
if not self.parent:
raise Exception( "You cannot revoke a self-signed certificate! No parent => No revoke" )
## Revoke and generate CRL
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.active = False
prev.der_encoded = False
prev.pkcs12_encoded = False
prev.revoked = datetime.datetime.now()
c_list.append('Revoked certificate "%s"' % self.common_name)
elif self.action == 'renew':
c_list.append('Renewed certificate "%s"' % self.common_name)
## Revoke if certificate is active
if self.parent and not action.get_revoke_status_from_cert():
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Renew certificate and update CRL
if self.parent == None:
action.generate_self_signed_cert()
else:
action.generate_csr()
action.sign_csr()
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
prev.expiry_date = datetime.datetime.now() + delta
if prev.valid_days != self.valid_days:
c_list.append("Changed valid days to %d" % (prev.valid_days, self.valid_days))
prev.valid_days = self.valid_days
prev.active = True
prev.revoked = None
## Make sure possibly updated fields are saved to DB
if prev.country != self.country: c_list.append('Updated country to "%s"' % self.country)
if prev.locality != self.locality: c_list.append('Updated locality to "%s"' % self.locality)
if prev.organization != self.organization: c_list.append('Updated organization to "%s"' % self.organization)
if prev.email != self.email: c_list.append('Updated email to "%s"' % self.email)
if prev.OU != self.OU: c_list.append('Updated OU to "%s"' % self.OU)
prev.country = self.country
prev.locality = self.locality
prev.organization = self.organization
prev.email = self.email
prev.OU = self.OU
## Get the new serial
prev.serial = action.get_serial_from_cert()
c_list.append("Serial number changed to %s" % prev.serial)
if self.action != 'revoke':
if prev.pkcs12_encoded != self.pkcs12_encoded:
c_list.append("PKCS12 encoding set to %s" % self.der_encoded)
if self.pkcs12_encoded:
if prev.pkcs12_encoded and prev.pkcs12_passphrase == self.pkcs12_passphrase:
logger.debug( 'PKCS12 passphrase is unchanged. Nothing to do' )
else:
action.generate_pkcs12_encoded()
else:
action.remove_pkcs12_encoded()
self.pkcs12_passphrase = prev.pkcs12_passphrase = None
if self.pkcs12_passphrase:
prev.pkcs12_passphrase = md5_constructor(self.pkcs12_passphrase).hexdigest()
else:
prev.pkcs12_passphrase = None
if prev.der_encoded is not self.der_encoded:
c_list.append("DER encoding set to %s" % self.der_encoded)
if self.der_encoded:
action.generate_der_encoded()
else:
action.remove_der_encoded()
## Update description. This is always allowed
if prev.description != self.description:
c_list.append('Updated description to "%s"' % self.description)
prev.description = self.description
## Save the data
self = prev
self.action = 'update'
else:
raise Exception( 'Invalid action %s supplied' % self.action )
else:
## Set creation data
self.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
self.expiry_date = datetime.datetime.now() + delta
## Force instance to be active
self.active = True
logger.info( "***** { New certificate generation: %s } *****" % self.name )
## Generate key and certificate
action = Openssl(self)
action.generate_key()
if self.parent:
action.generate_csr()
action.sign_csr()
self.ca_chain = self.parent.ca_chain
if self.ca_chain == 'self-signed':
self.ca_chain = self.parent.name
else:
action.generate_self_signed_cert()
self.ca_chain = "self-signed"
## Get the serial from certificate
self.serial = action.get_serial_from_cert()
## Encoding
if self.der_encoded:
action.generate_der_encoded()
if self.pkcs12_encoded:
action.generate_pkcs12_encoded()
## Encrypt passphrase and blank parent's passphrase
if self.passphrase:
self.passphrase = md5_constructor(self.passphrase).hexdigest()
## Set change text to fixed value
c_list.append('Created certificate "%s"' % action.subj)
## Blank parent passphrase
self.parent_passphrase = None
## Save the data
super(Certificate, self).save(*args, **kwargs)
## Update changelog
self.Update_Changelog(obj=self, user=c_user, action=c_action, changes=c_list)
def save(self, *args, **kwargs):
"""Save the CertificateAuthority object"""
## Set user to None if it's missing
c_user = getattr(self, 'user', None)
## Variables to track changes
c_action = self.action
c_list = []
if self.pk:
if self.action in ('update', 'revoke', 'renew'):
action = Openssl(self)
prev = CertificateAuthority.objects.get(pk=self.pk)
if self.action in ('revoke', 'renew'):
if self.action == 'revoke':
if not self.parent:
raise Exception( "You cannot revoke a self-signed certificate! No parent => No revoke" )
## Revoke and generate CRL
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.active = False
prev.der_encoded = False
prev.revoked = datetime.datetime.now()
c_list.append('Revoked certificate "%s"' % self.common_name)
elif self.action == 'renew':
c_list.append('Renewed certificate "%s"' % self.common_name)
## Revoke if certificate is active
if self.parent and not action.get_revoke_status_from_cert():
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='replace')
## Renew certificate and update CRL
if self.parent == None:
action.generate_self_signed_cert()
action.generate_crl(self.name, self.passphrase)
else:
action.generate_csr()
action.sign_csr()
action.generate_crl(self.parent.name, self.parent_passphrase)
action.update_ca_chain_file()
## Modify fields
prev.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
prev.expiry_date = datetime.datetime.now() + delta
if prev.valid_days != self.valid_days:
c_list.append("Changed valid days to %d" % (prev.valid_days, self.valid_days))
prev.valid_days = self.valid_days
prev.active = True
prev.revoked = None
## Make sure possibly updated fields are saved to DB
if prev.country != self.country: c_list.append('Updated country to "%s"' % self.country)
if prev.locality != self.locality: c_list.append('Updated locality to "%s"' % self.locality)
if prev.organization != self.organization: c_list.append('Updated organization to "%s"' % self.organization)
if prev.email != self.email: c_list.append('Updated email to "%s"' % self.email)
if prev.OU != self.OU: c_list.append('Updated OU to "%s"' % self.OU)
prev.country = self.country
prev.locality = self.locality
prev.organization = self.organization
prev.email = self.email
prev.OU = self.OU
## Get the new serial
prev.serial = action.get_serial_from_cert()
c_list.append("Serial number changed to %s" % prev.serial)
## DB-revoke all related certs
garbage = []
id_dict = { 'cert': [], 'ca': [], }
from pki.views import chain_recursion as r_chain_recursion
r_chain_recursion(self.id, garbage, id_dict)
for i in id_dict['cert']:
x = Certificate.objects.get(pk=i)
x.active = False
x.der_encoded = False
x.pkcs12_encoded = False
x.revoked = datetime.datetime.now()
super(Certificate, x).save(*args, **kwargs)
self.Update_Changelog(obj=x, user=c_user, action='broken', changes=(['Broken by %s of CA "%s"' % (c_action, self.common_name),]))
for i in id_dict['ca']:
x = CertificateAuthority.objects.get(pk=i)
x.active = False
x.der_encoded = False
x.revoked = datetime.datetime.now()
super(CertificateAuthority, x).save(*args, **kwargs)
if x.pk != self.pk:
self.Update_Changelog(obj=x, user=c_user, action='broken', changes=(['Broken by %s of CA "%s"' % (c_action, self.common_name),]))
## Update description. This is always allowed
if prev.description != self.description:
c_list.append('Updated description to "%s"' % self.description)
prev.description = self.description
if prev.der_encoded is not self.der_encoded:
c_list.append("DER encoding set to %s" % self.der_encoded)
if self.der_encoded and self.action != "revoke":
action.generate_der_encoded()
else:
action.remove_der_encoded()
self = prev
self.action = 'update'
else:
raise Exception( 'Invalid action %s supplied' % self.action )
else:
## Set creation data
self.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
self.expiry_date = datetime.datetime.now() + delta
## Force instance to be active
self.active = True
## Reset the action
self.action = 'update'
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='append')
## Generate keys and certificates
action = Openssl(self)
action.generate_key()
if not self.parent:
action.generate_self_signed_cert()
else:
action.generate_csr()
action.sign_csr()
if self.der_encoded:
action.generate_der_encoded()
## Generate CRL
action.generate_crl(self.name, self.passphrase)
## Get the serial from certificate
self.serial = action.get_serial_from_cert()
## Generate ca chain (db field and chain file)
chain = []
chain_str = ''
p = self.parent
if self.parent == None:
chain.append('self-signed')
else:
chain.append( self.common_name )
while p != None:
chain.append(p.common_name)
p = p.parent
chain.reverse()
## Build chain string and file
for i in chain:
if chain_str == '':
chain_str += '%s' % i
else:
chain_str += ' → %s' % i
self.ca_chain = chain_str
action.update_ca_chain_file()
## Encrypt passphrase and blank parent's passphrase
self.passphrase = md5_constructor(self.passphrase).hexdigest()
## Set change text to fixed value
c_list.append('Created certificate "%s"' % self.common_name)
## Blank parent passphrase
self.parent_passphrase = None
## Save the data
super(CertificateAuthority, self).save(*args, **kwargs)
## Update changelog
self.Update_Changelog(obj=self, user=c_user, action=c_action, changes=c_list)
def save(self, *args, **kwargs):
"""Save the Certificate object"""
## Set user to None if it's missing
c_user = getattr(self, 'user', None)
## Variables to track changes
c_action = self.action
c_list = []
if self.pk:
if self.action in ('update', 'revoke', 'renew'):
action = Openssl(self)
prev = Certificate.objects.get(pk=self.pk)
if self.action == 'revoke':
if not self.parent:
raise Exception( "You cannot revoke a self-signed certificate! No parent => No revoke" )
## Revoke and generate CRL
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.active = False
prev.der_encoded = False
prev.pkcs12_encoded = False
prev.revoked = datetime.datetime.now()
c_list.append('Revoked certificate "%s"' % self.common_name)
elif self.action == 'renew':
c_list.append('Renewed certificate "%s"' % self.common_name)
## Revoke if certificate is active
if self.parent and not action.get_revoke_status_from_cert():
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Renew certificate and update CRL
if self.parent == None:
action.generate_self_signed_cert()
else:
action.generate_csr()
action.sign_csr()
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
prev.expiry_date = datetime.datetime.now() + delta
if prev.valid_days != self.valid_days:
c_list.append("Changed valid days to %d" % (prev.valid_days, self.valid_days))
prev.valid_days = self.valid_days
prev.active = True
prev.revoked = None
## Make sure possibly updated fields are saved to DB
if prev.country != self.country: c_list.append('Updated country to "%s"' % self.country)
if prev.locality != self.locality: c_list.append('Updated locality to "%s"' % self.locality)
if prev.organization != self.organization: c_list.append('Updated organization to "%s"' % self.organization)
if prev.email != self.email: c_list.append('Updated email to "%s"' % self.email)
if prev.OU != self.OU: c_list.append('Updated OU to "%s"' % self.OU)
prev.country = self.country
prev.locality = self.locality
prev.organization = self.organization
prev.email = self.email
prev.OU = self.OU
## Get the new serial
prev.serial = action.get_serial_from_cert()
c_list.append("Serial number changed to %s" % prev.serial)
if self.action != 'revoke':
if prev.pkcs12_encoded != self.pkcs12_encoded:
c_list.append("PKCS12 encoding set to %s" % self.der_encoded)
if self.pkcs12_encoded:
if prev.pkcs12_encoded and prev.pkcs12_passphrase == self.pkcs12_passphrase:
logger.debug( 'PKCS12 passphrase is unchanged. Nothing to do' )
else:
action.generate_pkcs12_encoded()
else:
action.remove_pkcs12_encoded()
self.pkcs12_passphrase = prev.pkcs12_passphrase = None
if self.pkcs12_passphrase:
prev.pkcs12_passphrase = md5_constructor(self.pkcs12_passphrase).hexdigest()
else:
prev.pkcs12_passphrase = None
if prev.der_encoded is not self.der_encoded:
c_list.append("DER encoding set to %s" % self.der_encoded)
if self.der_encoded:
action.generate_der_encoded()
else:
action.remove_der_encoded()
## Update description. This is always allowed
if prev.description != self.description:
c_list.append('Updated description to "%s"' % self.description)
prev.description = self.description
## Save the data
self = prev
self.action = 'update'
else:
raise Exception( 'Invalid action %s supplied' % self.action )
else:
## Set creation data
self.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
self.expiry_date = datetime.datetime.now() + delta
## Force instance to be active
self.active = True
logger.info( "***** { New certificate generation: %s } *****" % self.name )
## Generate key and certificate
action = Openssl(self)
action.generate_key()
if self.parent:
action.generate_csr()
action.sign_csr()
self.ca_chain = self.parent.ca_chain
if self.ca_chain == 'self-signed':
self.ca_chain = self.parent.name
else:
action.generate_self_signed_cert()
self.ca_chain = "self-signed"
## Get the serial from certificate
self.serial = action.get_serial_from_cert()
## Encoding
if self.der_encoded:
action.generate_der_encoded()
if self.pkcs12_encoded:
action.generate_pkcs12_encoded()
## Encrypt passphrase and blank parent's passphrase
if self.passphrase:
self.passphrase = md5_constructor(self.passphrase).hexdigest()
## Set change text to fixed value
c_list.append('Created certificate "%s"' % action.subj)
## Blank parent passphrase
self.parent_passphrase = None
## Save the data
super(Certificate, self).save(*args, **kwargs)
## Update changelog
self.Update_Changelog(obj=self, user=c_user, action=c_action, changes=c_list)
def save(self, *args, **kwargs):
"""Save the CertificateAuthority object"""
## Set user to None if it's missing
c_user = getattr(self, 'user', None)
## Variables to track changes
c_action = self.action
c_list = []
if self.pk:
if self.action in ('update', 'revoke', 'renew'):
action = Openssl(self)
prev = CertificateAuthority.objects.get(pk=self.pk)
if self.action in ('revoke', 'renew'):
if self.action == 'revoke':
if not self.parent:
raise Exception( "You cannot revoke a self-signed certificate! No parent => No revoke" )
## Revoke and generate CRL
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Modify fields
prev.active = False
prev.der_encoded = False
prev.revoked = datetime.datetime.now()
c_list.append('Revoked certificate "%s"' % self.common_name)
elif self.action == 'renew':
c_list.append('Renewed certificate "%s"' % self.common_name)
## Revoke if certificate is active
if self.parent and not action.get_revoke_status_from_cert():
action.revoke_certificate(self.parent_passphrase)
action.generate_crl(self.parent.name, self.parent_passphrase)
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='replace')
## Renew certificate and update CRL
if self.parent == None:
action.generate_self_signed_cert()
action.generate_crl(self.name, self.passphrase)
else:
action.generate_csr()
action.sign_csr()
action.generate_crl(self.parent.name, self.parent_passphrase)
action.update_ca_chain_file()
## Modify fields
prev.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
prev.expiry_date = datetime.datetime.now() + delta
if prev.valid_days != self.valid_days:
c_list.append("Changed valid days to %d" % (prev.valid_days, self.valid_days))
prev.valid_days = self.valid_days
prev.active = True
prev.revoked = None
## Make sure possibly updated fields are saved to DB
if prev.country != self.country: c_list.append('Updated country to "%s"' % self.country)
if prev.locality != self.locality: c_list.append('Updated locality to "%s"' % self.locality)
if prev.organization != self.organization: c_list.append('Updated organization to "%s"' % self.organization)
if prev.email != self.email: c_list.append('Updated email to "%s"' % self.email)
if prev.OU != self.OU: c_list.append('Updated OU to "%s"' % self.OU)
prev.country = self.country
prev.locality = self.locality
prev.organization = self.organization
prev.email = self.email
prev.OU = self.OU
## Get the new serial
prev.serial = action.get_serial_from_cert()
c_list.append("Serial number changed to %s" % prev.serial)
## DB-revoke all related certs
garbage = []
id_dict = { 'cert': [], 'ca': [], }
from pki.views import chain_recursion as r_chain_recursion
r_chain_recursion(self.id, garbage, id_dict)
for i in id_dict['cert']:
x = Certificate.objects.get(pk=i)
x.active = False
x.der_encoded = False
x.pkcs12_encoded = False
x.revoked = datetime.datetime.now()
super(Certificate, x).save(*args, **kwargs)
self.Update_Changelog(obj=x, user=c_user, action='broken', changes=(['Broken by %s of CA "%s"' % (c_action, self.common_name),]))
for i in id_dict['ca']:
x = CertificateAuthority.objects.get(pk=i)
x.active = False
x.der_encoded = False
x.revoked = datetime.datetime.now()
super(CertificateAuthority, x).save(*args, **kwargs)
if x.pk != self.pk:
self.Update_Changelog(obj=x, user=c_user, action='broken', changes=(['Broken by %s of CA "%s"' % (c_action, self.common_name),]))
## Update description. This is always allowed
if prev.description != self.description:
c_list.append('Updated description to "%s"' % self.description)
prev.description = self.description
if prev.der_encoded is not self.der_encoded:
c_list.append("DER encoding set to %s" % self.der_encoded)
if self.der_encoded and self.action != "revoke":
action.generate_der_encoded()
else:
action.remove_der_encoded()
self = prev
self.action = 'update'
else:
raise Exception( 'Invalid action %s supplied' % self.action )
else:
## Set creation data
self.created = datetime.datetime.now()
delta = datetime.timedelta(self.valid_days)
self.expiry_date = datetime.datetime.now() + delta
## Force instance to be active
self.active = True
## Reset the action
self.action = 'update'
## Rebuild the ca metadata
self.rebuild_ca_metadata(modify=True, task='append')
## Generate keys and certificates
action = Openssl(self)
action.generate_key()
if not self.parent:
action.generate_self_signed_cert()
else:
action.generate_csr()
action.sign_csr()
if self.der_encoded:
action.generate_der_encoded()
## Generate CRL
action.generate_crl(self.name, self.passphrase)
## Get the serial from certificate
self.serial = action.get_serial_from_cert()
## Generate ca chain (db field and chain file)
chain = []
chain_str = ''
p = self.parent
if self.parent == None:
chain.append('self-signed')
else:
chain.append( self.common_name )
while p != None:
chain.append(p.common_name)
p = p.parent
chain.reverse()
## Build chain string and file
for i in chain:
if chain_str == '':
chain_str += '%s' % i
else:
chain_str += ' → %s' % i
self.ca_chain = chain_str
action.update_ca_chain_file()
## Encrypt passphrase and blank parent's passphrase
self.passphrase = md5_constructor(self.passphrase).hexdigest()
## Set change text to fixed value
c_list.append('Created certificate "%s"' % self.common_name)
## Blank parent passphrase
self.parent_passphrase = None
## Save the data
super(CertificateAuthority, self).save(*args, **kwargs)
## Update changelog
self.Update_Changelog(obj=self, user=c_user, action=c_action, changes=c_list)
