def __init__(self, file_bag, options, protocol='sslv23'): BaseProfileFactory.__init__(self, file_bag, options) self.protocol = protocol self.cert_factory = CertFactory(self.file_bag) self.init_options() self.init_cert_requests() self.add_profiles()
class ProfileFactory(BaseProfileFactory): def __init__(self, file_bag, options, protocol='sslv23'): BaseProfileFactory.__init__(self, file_bag, options) self.protocol = protocol self.cert_factory = CertFactory(self.file_bag) self.init_options() self.init_cert_requests() self.add_profiles() def init_options(self): # handle --server= option if self.options.server != None: # fetch X.509 certificate from user-specified server self.server_x509_cert = self.cert_factory.grab_server_x509_cert(self.options.server, protocol=self.protocol) else: self.server_x509_cert = None # handle --user-cert and --user-key options self.user_certnkey = self.load_certnkey( '--user-cert', self.options.user_cert_file, '--user-key', self.options.user_key_file) # handle --user-ca-cert and --user-ca-key options self.user_ca_certnkey = self.load_certnkey( '--user-ca-cert', self.options.user_ca_cert_file, '--user-ca-key', self.options.user_ca_key_file) # ---------------------------------------------------------------------------------------------- def init_cert_requests(self): self.certreq_n_keyss = [] if not self.options.no_default_cn: req1 = self.cert_factory.mk_certreq_n_keys(cn=DEFAULT_CN) self.certreq_n_keyss.append(req1) if self.options.user_cn != None: req2 = self.cert_factory.mk_certreq_n_keys(cn=self.options.user_cn) self.certreq_n_keyss.append(req2) if self.server_x509_cert != None: cert_req3 = self.cert_factory.mk_replica_certreq_n_keys(self.server_x509_cert) self.certreq_n_keyss.append(cert_req3) def add_profiles(self): if self.user_certnkey != None: self.add_raw_user_certnkey_profile() if not self.options.no_self_signed: self.add_signed_profiles(ca_certnkey=None) if self.user_certnkey != None: self.add_signed_profiles(ca_certnkey=self.user_certnkey) if self.user_ca_certnkey != None: self.add_signed_profiles(ca_certnkey=self.user_ca_certnkey) self.add_im_basic_constraints_profiles() def add_raw_user_certnkey_profile(self): spec = SSLProfileSpec_UserSupplied(self.user_certnkey.cert.get_subject().CN) self.add_profile(SSLServerCertProfile(spec, self.user_certnkey)) def add_im_basic_constraints_profiles(self): ''' This method initializes auditors testing for basicConstraints violations ''' for cert_req in self.certreq_n_keyss: self.add_im_basic_constraints_profile(cert_req, basicConstraint_CA=None) self.add_im_basic_constraints_profile(cert_req, basicConstraint_CA=False) self.add_im_basic_constraints_profile(cert_req, basicConstraint_CA=True) # XXX if no user-cn and defalt-cn is disabled the test will be not performed silently # ---------------------------------------------------------------------------------------------- def add_signed_profiles(self, ca_certnkey): for certreq_n_keys in self.certreq_n_keyss: cn = certreq_n_keys[0].get_subject().CN if ca_certnkey == None: cert_spec = SSLProfileSpec_SelfSigned(cn) else: ca_cn = ca_certnkey.cert.get_subject().CN cert_spec = SSLProfileSpec_Signed(cn, ca_cn) self.add_signed_profile(cert_spec, certreq_n_keys, ca_certnkey) def add_signed_profile(self, cert_spec, certreq_n_keys, ca_certnkey): certnkey = self.cert_factory.sign_cert_req(certreq_n_keys=certreq_n_keys, ca_certnkey=ca_certnkey) self.add_profile(SSLServerCertProfile(cert_spec, certnkey)) def add_im_basic_constraints_profile(self, cert_req, basicConstraint_CA): ca_certnkey = self.user_ca_certnkey # create an intermediate authority, signed by user-supplied CA, possibly with proper constraints if basicConstraint_CA != None: if basicConstraint_CA: ext_value="CA:TRUE" im_ca_cn = IM_CA_TRUE_CN else: ext_value = "CA:FALSE" im_ca_cn = IM_CA_FALSE_CN ca_ext = X509.new_extension("basicConstraints", ext_value) ca_ext.set_critical() v3_exts=[ca_ext] else: v3_exts=[] im_ca_cn = IM_CA_NONE_CN # create the intermediate CA im_ca_cert_req = self.cert_factory.mk_certreq_n_keys(cn=im_ca_cn, v3_exts=v3_exts) im_ca_certnkey = self.cert_factory.sign_cert_req(im_ca_cert_req, ca_certnkey=ca_certnkey) # create server certificate, signed by that authority certnkey = self.cert_factory.sign_cert_req(cert_req, ca_certnkey=im_ca_certnkey) # create auditor using that certificate cn = certnkey.cert.get_subject().CN ca_cn = ca_certnkey.cert.get_subject().CN spec = SSLProfileSpec_IMCA_Signed(cn, im_ca_cn, ca_cn) self.add_profile(SSLServerCertProfile(spec, certnkey)) def load_certnkey(self, cert_param, cert_file, key_param, key_file): ''' This function loads X509 certificate from files and returns CertAndKey object. It throws a sensible ConfigErrorException in case of parameter error or problems with the input files. ''' if (cert_file == None) and (key_file == None): return None if key_file == None: raise ConfigErrorException("If %s is set, %s must be set too" % (cert_param, key_param)) if cert_file == None: raise ConfigErrorException("If %s is set, %s must be set too" % (key_param, cert_param)) try: return self.cert_factory.load_certnkey_files(cert_file, key_file) except IOError as ex: raise ConfigErrorException(ex)