Пример #1
0
def sign_csr(csr,ca_cn,attrib,algorithm='sha512',expires=1825):
    ca = CertificateAuthority.objects.get(cn=ca_cn)
    # TODO: Check to see if the certificate already exists, and if so, is it the same user? Revoke the old one?
    cert = Certificate(ca=ca, csr=csr)
    expiry = datetime.datetime.now() + datetime.timedelta(expires)
    cert.x509 = Certificate.objects.init(
            ca=ca, csr=csr, algorithm=algorithm, expires=expiry, subject={'CN': attrib.get('CN'), },
            subjectAltName=attrib['san'])
    cert.save()
    return cert.pub
Пример #2
0
    def create_cert(cls, ca, csr, subject, san=None, **kwargs):
        cert_kwargs = get_cert_profile_kwargs()
        cert_kwargs.update(kwargs)
        cert_kwargs.setdefault('subject', {})
        cert_kwargs['subject'].update(subject)
        x509 = Certificate.objects.init(ca=ca, csr=csr, algorithm='sha256', expires=720,
                                        subjectAltName=san, **cert_kwargs)
        expires = parse_date(x509.get_notAfter().decode('utf-8'))

        cert = Certificate(ca=ca, csr=csr, expires=expires)
        cert.x509 = x509
        cert.save()
        return cert
Пример #3
0
    def create_cert(cls, ca, csr, subject, san=None, **kwargs):
        cert_kwargs = get_cert_profile_kwargs()
        cert_kwargs.update(kwargs)
        cert_kwargs.setdefault('subject', {})
        cert_kwargs['subject'].update(subject)
        x509 = Certificate.objects.init(
            ca=ca, csr=csr, algorithm='sha256', expires=cls.expires(720), subjectAltName=san,
            **cert_kwargs)
        expires = parse_date(x509.get_notAfter().decode('utf-8'))

        cert = Certificate(ca=ca, csr=csr, expires=expires)
        cert.x509 = x509
        cert.save()
        return cert
Пример #4
0
    def handle(self, *args, **options):
        if not options['CN'] and not options['alt']:
            raise CommandError("Must give at least --CN or one or more --alt arguments.")

        # construct subject
        subject = OrderedDict()
        for field in ['C', 'ST', 'L', 'O', 'OU', 'CN', ]:
            if options.get(field):
                subject[field] = options[field]
        if options.get('E'):
            subject['emailAddress'] = options['E']

        if options['csr'] is None:
            print('Please paste the CSR:')
            csr = ''
            while not csr.endswith('-----END CERTIFICATE REQUEST-----\n'):
                csr += '%s\n' % six.moves.input()
            csr = csr.strip()
        else:
            csr = open(options['csr']).read()

        # get list of watchers
        watchers = [Watcher.from_addr(addr) for addr in options['watch']]

        # get keyUsage and extendedKeyUsage flags based on profiles
        kwargs = get_cert_profile_kwargs(options['profile'])
        if options['cn_in_san'] is not None:
            kwargs['cn_in_san'] = options['cn_in_san']
        if options['key_usage']:
            kwargs['keyUsage'] = self.parse_extension(options['key_usage'])
        if options['ext_key_usage']:
            kwargs['extendedKeyUsage'] = self.parse_extension(options['ext_key_usage'])
        if subject:
            kwargs['subject'] = subject

        expires = datetime.today() + timedelta(days=options['days'] + 1)
        expires = expires.replace(hour=0, minute=0, second=0, microsecond=0)

        x509 = get_cert(csr=csr, expires=expires, subjectAltName=options['alt'], **kwargs)
        cert = Certificate(csr=csr, expires=expires)
        cert.x509 = x509
        cert.save()
        cert.watchers.add(*watchers)

        if options['out']:
            with open(options['out'], 'w') as f:
                f.write(cert.pub.decode('utf-8'))
        else:
            self.stdout.write(cert.pub.decode('utf-8'))
Пример #5
0
    def handle(self, pub, **options):
        pub_data = pub.read()

        # load public key
        try:
            pub_loaded = x509.load_pem_x509_certificate(
                pub_data, default_backend())
        except:
            try:
                pub_loaded = x509.load_der_x509_certificate(
                    pub_data, default_backend())
            except:
                raise CommandError('Unable to load public key.')

        cert = Certificate(ca=options['ca'])
        cert.x509 = pub_loaded
        cert.save()
Пример #6
0
                                 cert_data["key_filename"]), "rb") as stream:
                pkey = stream.read()

            c = CertificateAuthority(name=name, private_key_path=path)
            loaded_cas[c.name] = c
        else:
            if cert_data["cat"] != "generated":
                continue  # Imported cert

            with open(
                    os.path.join(ca_settings.CA_DIR,
                                 cert_data["csr_filename"]), "r") as stream:
                csr = stream.read()
            profile = cert_data.get("profile", ca_settings.CA_DEFAULT_PROFILE)
            c = Certificate(ca=loaded_cas[cert_data["ca"]],
                            csr=csr,
                            profile=profile)

        with open(os.path.join(ca_settings.CA_DIR, cert_data["pub_filename"]),
                  "rb") as stream:
            pem = stream.read()
        c.update_certificate(
            x509.load_pem_x509_certificate(pem, default_backend()))

        c.save()

        if cert_data["type"] == "ca":
            password = cert_data.get("password")
            if password is not None:
                password = password.encode("utf-8")
            c.generate_ocsp_key(password=password)
Пример #7
0
                                   force_text(data[name]["cn"]))
            ])

            builder = x509.CertificateBuilder()
            builder = builder.not_valid_before(no_ext_now)
            builder = builder.not_valid_after(no_ext_now +
                                              data[name]["expires"])
            builder = builder.serial_number(x509.random_serial_number())
            builder = builder.subject_name(subject)
            builder = builder.issuer_name(ca.pub.loaded.subject)
            builder = builder.public_key(parsed_csr.public_key())

            x509_cert = builder.sign(private_key=ca.key(pwd),
                                     algorithm=hashes.SHA256(),
                                     backend=default_backend())
            cert = Certificate(ca=ca)
            cert.update_certificate(x509_cert)
            copy_cert(cert, data[name], key_path, csr_path)

        # create a cert with all extensions that we know
        # NOTE: This certificate is not really a meaningful certificate:
        #   * NameConstraints is only valid for CAs
        #   * KeyUsage and ExtendedKeyUsage are not meaningful
        # TODO: missing: unsupported extensions
        #   * Certificate Policies
        #   * Policy Constraints
        #   * Inhibit anyPolicy
        #   * Freshest CRL
        #   * PrecertificateSignedCertificateTimestamps (cannot be generated by cryptography 2.6:
        #       https://github.com/pyca/cryptography/issues/4531)
        #   * Policy Mappings (not supported by cryptography 2.6:
Пример #8
0
            if not cert_data['key_filename']:
                continue  # CA without private key (e.g. real-world CA)

            name = cert_data['name']
            path = '%s.key' % name

            with open(os.path.join(ca_settings.CA_DIR, cert_data['key_filename']), 'rb') as stream:
                pkey = stream.read()

            c = CertificateAuthority(name=name, private_key_path=path)
            loaded_cas[c.name] = c
        else:
            if cert_data['cat'] != 'generated':
                continue  # Imported cert

            c = Certificate(ca=loaded_cas[cert_data['ca']])

        with open(os.path.join(ca_settings.CA_DIR, cert_data['pub_filename']), 'rb') as stream:
            pem = stream.read()
        c.x509 = x509.load_pem_x509_certificate(pem, default_backend())

        c.save()

        if cert_data['type'] == 'ca':
            password = cert_data.get('password')
            if password is not None:
                password = password.encode('utf-8')
            c.generate_ocsp_key(password=password)

    # create admin user for login
    User.objects.create_superuser('user', '*****@*****.**', 'nopass')
Пример #9
0
 def load_cert(cls, ca, x509):
     cert = Certificate(ca=ca, csr='none')
     cert.x509 = x509
     cert.save()
     return cert
Пример #10
0
 def load_cert(cls, ca, x509):
     cert = Certificate(ca=ca, csr='none')
     cert.x509 = x509
     cert.save()
     return cert
Пример #11
0
                                   force_text(data[name]['cn']))
            ])

            builder = x509.CertificateBuilder()
            builder = builder.not_valid_before(no_ext_now)
            builder = builder.not_valid_after(no_ext_now +
                                              data[name]['expires'])
            builder = builder.serial_number(x509.random_serial_number())
            builder = builder.subject_name(subject)
            builder = builder.issuer_name(ca.x509.subject)
            builder = builder.public_key(parsed_csr.public_key())

            x509_cert = builder.sign(private_key=ca.key(pwd),
                                     algorithm=hashes.SHA256(),
                                     backend=default_backend())
            cert = Certificate(ca=ca)
            cert.x509 = x509_cert
            copy_cert(cert, data[name], key_path, csr_path)

        # create a cert with all extensions that we know
        # NOTE: This certificate is not really a meaningful certificate:
        #   * NameConstraints is only valid for CAs
        #   * KeyUsage and ExtendedKeyUsage are not meaningful
        # TODO: missing: unsupported extensions
        #   * Certificate Policies
        #   * Policy Constraints
        #   * Inhibit anyPolicy
        #   * Freshest CRL
        #   * PrecertificateSignedCertificateTimestamps (cannot be generated by cryptography 2.6:
        #       https://github.com/pyca/cryptography/issues/4531)
        #   * Policy Mappings (not supported by cryptography 2.6: