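def info(reqid):
    """Return the info and validation-result lines for one request.

    Args:
        reqid: key of the request in the cert DB (formatted with %d in the
            not-found message, so an int is expected -- TODO confirm callers
            pass ints).

    Returns:
        Two newline-terminated lines (toInfoString, then
        validationResultToString), or a single "Cannot find" line when
        *reqid* is not in the DB or its slot holds None.
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    try:
        entry = dbdata[reqid]
        lines = [entry.toInfoString(), entry.validationResultToString()]
    except (KeyError, AttributeError):
        # KeyError: unknown reqid; AttributeError: the slot holds None.
        # Narrowed from `except Exception` so that any other failure is
        # raised instead of being misreported as a missing reqid.
        return "Cannot find reqid %d in cert DB\n" % reqid
    return "".join(line + "\n" for line in lines)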
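def deny(reqid):
    """Mark a "Pending" request as Denied and persist the cert DB.

    Args:
        reqid: key of the request in the cert DB (formatted with %d in the
            not-found message).

    Returns:
        The entry's info string on success, or an explanation string when
        the request cannot be found or is not in the "Pending" state.

    Raises:
        Whatever util.write_db raises: the write is deliberately outside the
        lookup's try block, so an I/O failure is no longer reported as
        "Cannot find reqid".
    """
    certdb_file = jsonloader.conf.ra_options["certdb_file"]
    dbdata = util.load_db(certdb_file)
    try:
        entry = dbdata[reqid]
        status = entry.getStatus()
    except (KeyError, AttributeError):
        # KeyError: unknown reqid; AttributeError: the slot holds None
        return "Cannot find reqid %d in cert DB" % reqid
    if status == "Revoked":
        return "Cannot deny, certificate already Revoked"
    if status == "Issued":
        return "Cannot deny, certificate already Issued"
    if status == "Denied":
        return "Cannot deny, certificate already Denied"
    if status != "Pending":
        return "Cannot deny, Unkown state error"
    entry.Denied = True
    util.write_db(dbdata, certdb_file)
    return entry.toInfoString()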
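def generate_crl():
    """Build and sign a CRL covering every "Revoked" entry in the cert DB.

    Returns:
        The CRL serialized with the encoding named by
        revocation_options["crl_format"] (passed to serialization.Encoding).

    Raises:
        Whatever loading the signing CA certificate or its private key
        raises; both failures are logged before being re-raised.
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    crl_builder = x509.CertificateRevocationListBuilder()

    # find revoked certs, create revoked cert objects and add them to the
    # crl builder; empty slots (None) are skipped as in list()
    for req in sorted(dbdata):
        entry = dbdata[req]
        if entry is None or entry.getStatus() != "Revoked":
            continue
        builder = x509.RevokedCertificateBuilder()
        builder = builder.revocation_date(entry.revocation_date)
        # todo. dg. check this is getting valid serial numbers
        builder = builder.serial_number(entry.get_cert_serial())
        revoked_certificate = builder.build(backends.default_backend())
        crl_builder = crl_builder.add_revoked_certificate(revoked_certificate)

    # set crl lifetimes. One timestamp is taken so that last_update and
    # next_update are exactly crl_lifetime apart (the original called
    # utcnow() twice).
    # todo. dg. what about clock skew? validfrom date in past?
    now = datetime.datetime.utcnow()
    crl_lifetime = datetime.timedelta(
        days=int(jsonloader.conf.revocation_options["crl_lifetime_days"]))
    crl_builder = crl_builder.last_update(now)
    crl_builder = crl_builder.next_update(now + crl_lifetime)

    # get CA cert
    ca_conf = jsonloader.signing_ca_for_registration_authority(
        jsonloader.conf.ra_options["ra_name"])
    try:
        ca_cert = anchor_certificate.X509Certificate.from_file(
            ca_conf["cert_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA: %s" % (e,))
        raise

    # set CRL issuer name to that of the CA certificate.
    # NOTE(review): only the first subject attribute is copied and it is
    # always labelled COMMON_NAME, whatever it really is. Relying parties
    # match a CRL to its issuer by the full issuer DN, so a CA whose subject
    # holds more than a CN (or whose first attribute is not the CN) would
    # get a CRL that does not match it -- confirm against the CA in use.
    crl_builder = crl_builder.issuer_name(
        x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME,
                                      ca_cert.get_subject()[0].get_value())])
    )

    # get private key
    try:
        private_key = anchor_utils.get_private_key_from_file(
            ca_conf["key_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA private key: %s" % (e,))
        raise

    # generate crl
    # todo get hash alg from config?
    crl = crl_builder.sign(private_key, hashes.SHA256(),
                           backends.default_backend())
    return crl.public_bytes(
        serialization.Encoding(jsonloader.conf.revocation_options["crl_format"]))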
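def fetch_cert(reqid):
    """Return the certificate stored for an "Issued" request.

    This is a read-only operation: the original trailed an unreachable
    util.write_db() call after the status branches, which has been removed.

    Args:
        reqid: key of the request in the cert DB (formatted with %d in the
            not-found message).

    Returns:
        entry.get_cert() when the request is Issued, otherwise an
        explanation string (not found, revoked, pending, denied or unknown
        state).
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    try:
        entry = dbdata[reqid]
        status = entry.getStatus()
    except (KeyError, AttributeError):
        # KeyError: unknown reqid; AttributeError: the slot holds None
        return "Cannot find reqid %d in cert DB" % reqid
    if status == "Revoked":
        return "Cannot fetch, certificate is revoked"
    if status == "Issued":
        return entry.get_cert()
    if status == "Pending":
        return "Cannot fetch, certificate is not yet Issued"
    if status == "Denied":
        return "Cannot fetch, certificate request is Denied"
    return "Cannot fetch, Unkown state error"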
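def revoke(reqid):
    """Mark an "Issued" certificate as Revoked and persist the cert DB.

    The revocation time is recorded as a naive UTC datetime, the same clock
    generate_crl() uses for the CRL timestamps.

    Args:
        reqid: key of the request in the cert DB (formatted with %d in the
            not-found message).

    Returns:
        The entry's info string on success, or an explanation string when
        the request cannot be found or is not in the "Issued" state.

    Raises:
        Whatever util.write_db raises: the write is deliberately outside the
        lookup's try block, so an I/O failure is no longer reported as
        "Cannot find reqid".
    """
    certdb_file = jsonloader.conf.ra_options["certdb_file"]
    dbdata = util.load_db(certdb_file)
    try:
        entry = dbdata[reqid]
        status = entry.getStatus()
    except (KeyError, AttributeError):
        # KeyError: unknown reqid; AttributeError: the slot holds None
        return "Cannot find reqid %d in cert DB" % reqid
    if status == "Revoked":
        return "Cannot revoke, certificate already Revoked"
    if status == "Pending":
        return "Cannot revoke, certificate not Issued"
    if status == "Denied":
        return "Cannot revoke, certificate already Denied"
    if status != "Issued":
        return "Cannot revoke, Unkown state error"
    entry.Revoked = True
    entry.revocation_date = datetime.datetime.utcnow()
    util.write_db(dbdata, certdb_file)
    return entry.toInfoString()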
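def issue(reqid):
    """Sign the CSR of a "Pending" request and mark it Issued.

    Args:
        reqid: key of the request in the cert DB (formatted with %d in the
            not-found message).

    Returns:
        The entry's info string on success, or an explanation string when
        the request cannot be found or is not in the "Pending" state.

    Raises:
        Whatever certificate_ops.dispatch_sign or util.write_db raises. The
        DB is written only after signing succeeded, so a failed signing
        leaves the entry Pending on disk.
    """
    certdb_file = jsonloader.conf.ra_options["certdb_file"]
    dbdata = util.load_db(certdb_file)
    try:
        entry = dbdata[reqid]
        status = entry.getStatus()
    except (KeyError, AttributeError):
        # KeyError: unknown reqid; AttributeError: the slot holds None
        return "Cannot find reqid %d in cert DB" % reqid
    if status == "Issued":
        return "Cannot issue, certificate already Issued"
    if status == "Denied":
        return "Cannot issue certificate already Denied"
    if status == "Revoked":
        return "Cannot issue certificate already Revoked"
    if status != "Pending":
        # the original fell through and signed the CSR for any state it did
        # not recognise; refuse instead, like the other state transitions
        return "Cannot issue, Unknown state error"
    ra_name = jsonloader.conf.ra_options["ra_name"]
    # dispatch_sign returns a sequence whose first item is the certificate
    # text (presumably PEM); newlines are stripped so it is stored as one
    # line. The original statement ended in a stray comma, which stored a
    # one-element tuple in entry.cert instead of the string.
    signed = certificate_ops.dispatch_sign(ra_name, entry.get_X509csr())
    entry.cert = signed[0].replace("\n", "")
    entry.Issued = True
    util.write_db(dbdata, certdb_file)
    return entry.toInfoString()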
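def list(*filter):
    """Return the info strings of cert DB entries, one per line.

    Note: this function shadows the builtin ``list``; inside this module use
    ``[]`` literals rather than ``list(...)``.

    Args:
        *filter: optional single status name, one of "issued", "revoked",
            "denied" or "pending" (case-insensitive). Pecan may pass the
            optional path segment (/list vs /list/pending) as a nested
            tuple, which is unpacked here.

    Returns:
        The concatenated, newline-terminated info strings of the matching
        entries in reqid order (every non-empty entry when no filter is
        given), or an error line for an unknown filter name.
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    # hack - deal with optional key from pecan by checking for a tuple and
    # unpacking - there must be a nicer way of doing this. The emptiness
    # guard comes first: the original indexed filter[0] unconditionally and
    # raised IndexError when called with no argument.
    if filter and isinstance(filter[0], tuple):
        filter = filter[0]
    if not filter:
        return _list_entries(dbdata, None)
    wanted = {
        "issued": "Issued",
        "revoked": "Revoked",
        "denied": "Denied",
        "pending": "Pending",
    }.get(filter[0].lower())
    if wanted is None:
        # one string: the original assigned a 2-tuple of fragments here and
        # returned that tuple instead of a message
        return ("Unkown filter, valid filters are issued, "
                "pending, denied or revoked\n")
    return _list_entries(dbdata, wanted)


def _list_entries(dbdata, status):
    """Concatenate toInfoString() + "\\n" for DB entries in reqid order.

    Empty slots (None) are skipped; when *status* is not None only entries
    whose getStatus() equals it are included.
    """
    lines = []
    for req in sorted(dbdata):
        entry = dbdata[req]
        if entry is None:
            continue
        if status is not None and entry.getStatus() != status:
            continue
        lines.append(entry.toInfoString() + "\n")
    return "".join(lines)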