def _decode_issuing_dist_point(backend, idp): idp = backend._ffi.cast("ISSUING_DIST_POINT *", idp) idp = backend._ffi.gc(idp, backend._lib.ISSUING_DIST_POINT_free) if idp.distpoint != backend._ffi.NULL: full_name, relative_name = _decode_distpoint(backend, idp.distpoint) else: full_name = None relative_name = None only_user = idp.onlyuser == 255 only_ca = idp.onlyCA == 255 indirect_crl = idp.indirectCRL == 255 only_attr = idp.onlyattr == 255 if idp.onlysomereasons != backend._ffi.NULL: only_some_reasons = _decode_reasons(backend, idp.onlysomereasons) else: only_some_reasons = None return x509.IssuingDistributionPoint( full_name, relative_name, only_user, only_ca, only_some_reasons, indirect_crl, only_attr, )
def get_idp( self, full_name: typing.Optional[typing.Iterable[x509.GeneralName]] = None, indirect_crl: bool = False, only_contains_attribute_certs: bool = False, only_contains_ca_certs: bool = False, only_contains_user_certs: bool = False, only_some_reasons: typing.Optional[typing.FrozenSet[ x509.ReasonFlags]] = None, relative_name: typing.Optional[x509.RelativeDistinguishedName] = None, ) -> "x509.Extension[x509.IssuingDistributionPoint]": """Get an IssuingDistributionPoint extension.""" return x509.Extension( oid=x509.oid.ExtensionOID.ISSUING_DISTRIBUTION_POINT, value=x509.IssuingDistributionPoint( full_name=full_name, indirect_crl=indirect_crl, only_contains_attribute_certs=only_contains_attribute_certs, only_contains_ca_certs=only_contains_ca_certs, only_contains_user_certs=only_contains_user_certs, only_some_reasons=only_some_reasons, relative_name=relative_name, ), critical=True, )
def get_idp(self, full_name=None, indirect_crl=False, only_contains_attribute_certs=False, only_contains_ca_certs=False, only_contains_user_certs=False, only_some_reasons=None, relative_name=None): if not ca_settings.CRYPTOGRAPHY_HAS_IDP: # pragma: only cryptography<2.5 return else: # pragma: only cryptography>=2.5 return x509.Extension( oid=ExtensionOID.ISSUING_DISTRIBUTION_POINT, value=x509.IssuingDistributionPoint( full_name=full_name, indirect_crl=indirect_crl, only_contains_attribute_certs=only_contains_attribute_certs, only_contains_ca_certs=only_contains_ca_certs, only_contains_user_certs=only_contains_user_certs, only_some_reasons=only_some_reasons, relative_name=relative_name ), critical=True)
def get_idp(self, full_name=None, indirect_crl=False, only_contains_attribute_certs=False, only_contains_ca_certs=False, only_contains_user_certs=False, only_some_reasons=None, relative_name=None): return x509.Extension( oid=ExtensionOID.ISSUING_DISTRIBUTION_POINT, value=x509.IssuingDistributionPoint( full_name=full_name, indirect_crl=indirect_crl, only_contains_attribute_certs=only_contains_attribute_certs, only_contains_ca_certs=only_contains_ca_certs, only_contains_user_certs=only_contains_user_certs, only_some_reasons=only_some_reasons, relative_name=relative_name), critical=True)
def get_crl(self, expires=86400, encoding=None, algorithm=None, password=None, scope=None, counter=None, **kwargs): """Generate a Certificate Revocation List (CRL). The ``full_name`` and ``relative_name`` parameters describe how to retrieve the CRL and are used in the `Issuing Distribution Point extension <https://tools.ietf.org/html/rfc5280.html#section-5.2.5>`_. The former defaults to the ``crl_url`` field, pass ``None`` to not include the value. At most one of the two may be set. Parameters ---------- expires : int The time in seconds when this CRL expires. Note that you should generate a new CRL until then. encoding : :py:class:`~cg:cryptography.hazmat.primitives.serialization.Encoding` or str, optional The encoding format for the CRL, passed to :py:func:`~django_ca.utils.parse_encoding`. The default value is ``"PEM"``. algorithm : :py:class:`~cg:cryptography.hazmat.primitives.hashes.Hash` or str, optional The hash algorithm to use, passed to :py:func:`~django_ca.utils.parse_hash_algorithm`. The default is to use :ref:`CA_DIGEST_ALGORITHM <settings-ca-digest-algorithm>`. password : bytes, optional Password used to load the private key of the certificate authority. If not passed, the private key is assumed to be unencrypted. scope : {None, 'ca', 'user', 'attribute'}, optional What to include in the CRL: Use ``"ca"`` to include only revoked certificate authorities and ``"user"`` to include only certificates or ``None`` (the default) to include both. ``"attribute"`` is reserved for future use and always produces an empty CRL. counter : str, optional Override the counter-variable for the CRL Number extension. Passing the same key to multiple invocations will yield a different sequence then what would ordinarily be returned. The default is to use the scope as the key. full_name : list of str or :py:class:`~cg:cryptography.x509.GeneralName`, optional List of general names to use in the Issuing Distribution Point extension. If not passed, use ``crl_url`` if set. relative_name : :py:class:`~cg:cryptography.x509.RelativeDistinguishedName`, optional Used in Issuing Distribution Point extension, retrieve the CRL relative to the issuer. Returns ------- bytes The CRL in the requested format. """ if scope is not None and scope not in ['ca', 'user', 'attribute']: raise ValueError('Scope must be either None, "ca", "user" or "attribute"') encoding = parse_encoding(encoding) now = now_builder = timezone.now() algorithm = parse_hash_algorithm(algorithm) if timezone.is_aware(now_builder): now_builder = timezone.make_naive(now, pytz.utc) else: now_builder = datetime.utcnow() builder = x509.CertificateRevocationListBuilder() builder = builder.issuer_name(self.x509.subject) builder = builder.last_update(now_builder) builder = builder.next_update(now_builder + timedelta(seconds=expires)) if 'full_name' in kwargs: full_name = kwargs['full_name'] full_name = [parse_general_name(n) for n in full_name] elif self.crl_url: crl_url = [url.strip() for url in self.crl_url.split()] full_name = [x509.UniformResourceIdentifier(c) for c in crl_url] else: full_name = None # Keyword arguments for the IssuingDistributionPoint extension idp_kwargs = { 'only_contains_ca_certs': False, 'only_contains_user_certs': False, 'indirect_crl': False, 'only_contains_attribute_certs': False, 'only_some_reasons': None, 'full_name': full_name, 'relative_name': kwargs.get('relative_name'), } ca_qs = self.children.filter(expires__gt=now).revoked() cert_qs = self.certificate_set.filter(expires__gt=now).revoked() if scope == 'ca': certs = ca_qs idp_kwargs['only_contains_ca_certs'] = True elif scope == 'user': certs = cert_qs idp_kwargs['only_contains_user_certs'] = True elif scope == 'attribute': # sorry, nothing we support right now certs = [] idp_kwargs['only_contains_attribute_certs'] = True else: certs = itertools.chain(ca_qs, cert_qs) for cert in certs: builder = builder.add_revoked_certificate(cert.get_revocation()) # We can only add the IDP extension if one of these properties is set, see RFC 5280, 5.2.5. add_idp = idp_kwargs['only_contains_attribute_certs'] or idp_kwargs['only_contains_user_certs'] \ or idp_kwargs['only_contains_ca_certs'] or idp_kwargs['full_name'] or idp_kwargs['relative_name'] if add_idp and ca_settings.CRYPTOGRAPHY_HAS_IDP: # pragma: no branch, pragma: only cryptography>=2.5 builder = builder.add_extension(x509.IssuingDistributionPoint(**idp_kwargs), critical=True) # Add AuthorityKeyIdentifier from CA if present try: aki = self.x509.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_KEY_IDENTIFIER) builder = builder.add_extension(aki.value, critical=aki.critical) except x509.ExtensionNotFound: pass # Add the CRLNumber extension (RFC 5280, 5.2.3) if counter is None: counter = scope or 'all' crl_number_data = json.loads(self.crl_number) crl_number = int(crl_number_data['scope'].get(counter, 0)) builder = builder.add_extension(x509.CRLNumber(crl_number=crl_number), critical=False) # increase crl_number for the given scope and save crl_number_data['scope'][counter] = crl_number + 1 self.crl_number = json.dumps(crl_number_data) self.save() crl = builder.sign(private_key=self.key(password), algorithm=algorithm, backend=default_backend()) return crl.public_bytes(encoding)