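    def clean(self):
        """Verify crucial fields.

        Cross-field validation for the CA form, dispatched on ``action``:

        * ``create``/``renew``: the CA name may only contain ``a-zA-Z0-9_-.``,
          a new passphrase must be at least 8 characters long, a renewed CA
          needs an active parent (or, when self-signed, its own correct
          passphrase), and a selected parent must allow sub-CAs and be
          unlocked with the correct parent passphrase.
        * ``revoke``: a parent and its correct passphrase are required; a
          self-signed root cannot be revoked.

        Every problem is recorded per field in ``self._errors``; the method
        always returns ``cleaned_data`` unchanged.

        NOTE: the stored CA passphrase is compared against an unsalted MD5 hex
        digest (``md5_constructor``). That format is dictated by what the
        model stores, so it is kept here; moving to a salted, slow hash needs
        a model-level change.
        """
        cleaned_data = self.cleaned_data

        action = cleaned_data.get('action')
        parent = cleaned_data.get('parent')
        pf = cleaned_data.get('passphrase')

        def digest(value):
            """Hash *value* the way the model stores it; None for an empty value.

            Mapping a missing passphrase to None (instead of hashing None)
            avoids a TypeError and still fails the comparison below.
            """
            if not value:
                return None
            return md5_constructor(value).hexdigest()

        def lookup_ca(ca_name, field):
            """Fetch the CA called *ca_name*.

            On an unknown name an error is recorded on *field* and None is
            returned, so a bad form value becomes a validation error rather
            than an unhandled DoesNotExist.
            """
            try:
                return CertificateAuthority.objects.get(name='%s' % ca_name)
            except CertificateAuthority.DoesNotExist:
                self._errors[field] = ErrorList(['CA "%s" does not exist' % ca_name])
                return None

        if action in ('create', 'renew'):
            ## Check if name contains invalid chars
            name = cleaned_data.get('name')

            if name is not None and re.search(r'[^a-zA-Z0-9-_\.]', name):
                self._errors['name'] = ErrorList(['Name may only contain characters in range a-Z0-9_-.'])

            ## Verify passphrase length (only a newly chosen one is checked)
            if action == 'create' and pf and len(pf) < 8:
                self._errors['passphrase'] = ErrorList(['Passphrase has to be at least 8 characters long'])

            ## A CA can only be renewed while its parent is active
            if action == 'renew':
                ca = lookup_ca(name, 'name')
                if ca is None:
                    return cleaned_data

                if ca.parent is not None and ca.parent.active is not True:
                    self._errors['action'] = ErrorList(['Cannot renew CA certificate when parent "%s" isn\'t active!' % ca.parent.name])
                    return cleaned_data

                ## Self-signed renew: the CA's own passphrase must match
                if ca.parent is None:
                    if not pf or ca.passphrase != digest(pf):
                        self._errors['passphrase'] = ErrorList(['Passphrase is wrong. Enter correct passphrase for CA "%s"' % name])

            if parent:
                ca = lookup_ca(parent, 'parent')
                if ca is not None:
                    enc_p_pf = digest(cleaned_data.get('parent_passphrase'))

                    ## Check if parent allows sub CA
                    if not ca.subcas_allowed:
                        self._errors['parent'] = ErrorList(['Parent CA %s doesn\'t allow a sub CA. Only non CA certificates can be created' % ca.name])

                    ## Check parent passphrase if not RootCA
                    if ca.passphrase != enc_p_pf:
                        self._errors['parent_passphrase'] = ErrorList(['Passphrase is wrong. Enter correct passphrase for CA "%s"' % parent])

        elif action == 'revoke':
            if parent:
                ca = lookup_ca(parent, 'parent')
                if ca is not None:
                    ## Check parent passphrase; a missing one is simply wrong
                    enc_p_pf = digest(cleaned_data.get('parent_passphrase'))
                    if ca.passphrase != enc_p_pf:
                        self._errors['parent_passphrase'] = ErrorList(['Passphrase is wrong. Enter correct passphrase for CA %s' % parent])
            else:
                self._errors['action'] = ErrorList(['You cannot revoke a self-signed root certificate as this would break the whole chain!'])

        return cleaned_data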
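 def clean(self):
     """Verify crucial fields.

     Requires a non-empty ``passphrase`` and checks that its MD5 hex digest
     equals the stored passphrase of the CA selected by ``ca_id``. Problems
     are recorded in ``self._errors``; ``cleaned_data`` is returned unchanged.

     NOTE: the stored passphrase is an unsalted MD5 hex digest
     (``md5_constructor``); that format is dictated by the model and is kept
     here.
     """
     cleaned_data = self.cleaned_data
     passphrase = cleaned_data.get('passphrase')

     if not passphrase:
         self._errors["passphrase"] = ErrorList(['Passphrase is missing!'])
         return cleaned_data

     ca_id = cleaned_data.get('ca_id')
     try:
         ca = CertificateAuthority.objects.get(pk=ca_id)
     except CertificateAuthority.DoesNotExist:
         # ca_id is request-controlled: an unknown id must become a form
         # error, not an unhandled exception. The key mirrors the
         # cleaned_data key; confirm it matches the form's field name.
         self._errors["ca_id"] = ErrorList(['CA with id "%s" does not exist' % ca_id])
         return cleaned_data

     if ca.passphrase != md5_constructor(passphrase).hexdigest():
         self._errors["passphrase"] = ErrorList(['Passphrase is wrong. Enter correct passphrase for CA %s' % ca.name])

     return cleaned_data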
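 def clean(self):
     """Verify crucial fields.

     Cross-field validation for the certificate form, dispatched on
     ``action``:

     * ``create``/``renew``: the name may only contain ``a-zA-Z0-9_-.``; a
       new passphrase and, when PKCS#12 export is requested, the PKCS#12
       passphrase must be at least 8 characters long; a renewed certificate
       needs an active parent CA; the selected parent CA must be unlocked
       with the correct parent passphrase; ``subjaltname`` must be a
       comma-separated list of ``email:``/``IP:``/``DNS:`` entries whose
       values match the pattern for their key.
     * ``revoke``: the parent CA passphrase must be correct.
     * ``update``: only the PKCS#12 passphrase rule applies.

     Problems are recorded per field in ``self._errors``; ``cleaned_data``
     is always returned unchanged.
     """
     cleaned_data = self.cleaned_data

     action = cleaned_data.get('action')
     parent = cleaned_data.get('parent')
     pf = cleaned_data.get('passphrase')
     p_pf = cleaned_data.get('parent_passphrase')
     subjaltname = cleaned_data.get('subjaltname')
     pkcs12_passphrase = cleaned_data.get('pkcs12_passphrase')
     pkcs12_encoded = cleaned_data.get('pkcs12_encoded')

     def check_pkcs12_passphrase():
         """PKCS#12 export needs a passphrase of at least 8 characters.

         A missing passphrase (None) is treated as too short instead of
         raising TypeError in len().
         """
         if pkcs12_encoded and (not pkcs12_passphrase or len(pkcs12_passphrase) < 8):
             self._errors['pkcs12_passphrase'] = ErrorList(['PKCS12 passphrase has to be at least 8 characters long'])

     def check_parent_passphrase():
         """Unlock the parent CA: its stored digest must match ``p_pf``.

         An unknown parent name becomes an error on ``parent`` instead of an
         unhandled DoesNotExist. A missing passphrase compares as None and
         therefore fails.

         NOTE: the stored passphrase is an unsalted MD5 hex digest
         (``md5_constructor``); that format is dictated by the model and is
         kept here.
         """
         try:
             ca = CertificateAuthority.objects.get(name='%s' % parent)
         except CertificateAuthority.DoesNotExist:
             self._errors['parent'] = ErrorList(['Parent CA "%s" does not exist' % parent])
             return

         enc_p_pf = None
         if p_pf:
             enc_p_pf = md5_constructor(p_pf).hexdigest()

         if ca.passphrase != enc_p_pf:
             self._errors['parent_passphrase'] = ErrorList(['Passphrase is wrong. Enter correct passphrase for CA %s' % parent])

     def check_subjaltname():
         """Validate each ``key:value`` entry of the comma-separated list.

         The key must be email/IP/DNS and the value must match the pattern
         for that key. The IP pattern is IPv4-only and, like the others,
         tolerates a trailing newline because of ``$``.
         """
         allowed = {
             'email': r'^copy|[\w\-\.]+\@[\w\-\.]+\.\w{2,4}$',
             'IP': r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$',
             'DNS': r'^[a-zA-Z0-9\-\.\*]+$',
         }

         for i in subjaltname.split(','):
             if not re.match(r'^\s*(email|IP|DNS)\s*:\s*.+$', i):
                 self._errors['subjaltname'] = ErrorList(['Item "%s" doesn\'t match specification' % i])
                 continue

             # split on the first ':' only, so a value containing ':' is
             # validated as a whole rather than silently truncated
             key, val = i.split(':', 1)
             key = key.strip()
             val = val.strip()

             if key not in allowed:
                 self._errors['subjaltname'] = ErrorList(['Invalid subjAltName key supplied: "%s" (supported are %s)' % (key, ', '.join(allowed.keys()))])
             elif not re.match(allowed[key], val):
                 self._errors['subjaltname'] = ErrorList(['Invalid subjAltName value supplied: \"%s\"' % i])

     if action in ('create', 'renew'):
         ## Check if name contains invalid chars
         name = cleaned_data.get('name')

         if name is not None and re.search(r'[^a-zA-Z0-9-_\.]', name):
             self._errors['name'] = ErrorList(['Name may only contain characters in range a-Z0-9'])

         ## Verify passphrase length (only a newly chosen one is checked)
         if action == 'create' and pf and len(pf) < 8:
             self._errors['passphrase'] = ErrorList(['Passphrase has to be at least 8 characters long'])

         check_pkcs12_passphrase()

         ## A certificate can only be renewed while its parent CA is active
         if action == 'renew':
             try:
                 cert = Certificate.objects.get(name='%s' % name)
             except Certificate.DoesNotExist:
                 self._errors['name'] = ErrorList(['Certificate "%s" does not exist' % name])
                 return cleaned_data

             if cert.parent is not None and cert.parent.active is not True:
                 self._errors['action'] = ErrorList(['Cannot renew certificate when parent CA "%s" isn\'t active!' % cert.parent.name])
                 return cleaned_data

         if parent:
             check_parent_passphrase()
         else:
             # Reached for 'create' as well as 'renew'; the message text is
             # kept as the author wrote it.
             self._errors['parent'] = ErrorList(['You cannot renew a certificate while the parent is not active. Renew requires the intial parent to be active'])

         if subjaltname:
             check_subjaltname()

     elif action == 'revoke':
         if parent:
             check_parent_passphrase()

     elif action == 'update':
         check_pkcs12_passphrase()

     return cleaned_data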