def test_x509_name(self):
n = X509.X509_Name()
n.C = 'US' # It seems this actually needs to be a real 2 letter country code
n.SP = 'State or Province'
n.L = 'locality name'
n.O = 'orhanization name'
n.OU = 'org unit'
n.CN = 'common name'
n.Email = '*****@*****.**'
n.serialNumber = '1234'
n.SN = 'surname'
n.GN = 'given name'
n.givenName = 'name given'
assert len(n) == 11, len(n)
tl = map(x509_name_entry2tuple, x509_name2list(n))
assert len(tl) == len(n), len(tl)
x509_n = m2.x509_name_new()
for o in map(tuple2x509_name_entry, tl):
m2.x509_name_add_entry(x509_n, o._ptr(), -1, 0)
o._pyfree = 0 # Take care of underlying object
n1 = X509.X509_Name(x509_n)
assert n.as_text() == n1.as_text(), n1.as_text()
def test_x509_name(self):
n = X509.X509_Name()
# It seems this actually needs to be a real 2 letter country code
n.C = b'US'
n.SP = b'State or Province'
n.L = b'locality name'
n.O = b'orhanization name'
n.OU = b'org unit'
n.CN = b'common name'
n.Email = b'*****@*****.**'
n.serialNumber = b'1234'
n.SN = b'surname'
n.GN = b'given name'
n.givenName = b'name given'
self.assertEqual(len(n), 11, len(n))
# Thierry: this call to list seems extraneous...
tl = [x509_name_entry2tuple(x) for x in x509_name2list(n)]
self.assertEqual(len(tl), len(n), len(tl))
x509_n = m2.x509_name_new()
for o in [tuple2x509_name_entry(x) for x in tl]:
m2.x509_name_add_entry(x509_n, o._ptr(), -1, 0)
o._pyfree = 0 # Take care of underlying object
n1 = X509.X509_Name(x509_n)
self.assertEqual(n.as_text(), n1.as_text(), n1.as_text())
def get_x509_proxy(self,
request_pem,
issuer=None,
subject=None,
private_key=None):
"""
Generate a X509 proxy based on the request
Args:
requestPEM: The request PEM encoded
issuer: The issuer user
subject: The subject of the proxy. If None, issuer/CN=proxy will be used
Returns:
A X509 proxy PEM encoded
"""
if issuer is None:
issuer = [('DC', 'ch'), ('DC', 'cern'), ('CN', 'Test User')]
if subject is None:
subject = issuer + [('CN', 'proxy')]
x509_request = X509.load_request_string(str(request_pem))
not_before = ASN1.ASN1_UTCTIME()
not_before.set_datetime(datetime.now(UTC))
not_after = ASN1.ASN1_UTCTIME()
not_after.set_datetime(datetime.now(UTC) + timedelta(hours=3))
issuer_subject = X509.X509_Name()
for c in issuer:
issuer_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0)
proxy_subject = X509.X509_Name()
for c in subject:
proxy_subject.add_entry_by_txt(c[0], 0x1000, c[1], -1, -1, 0)
proxy = X509.X509()
proxy.set_version(2)
proxy.set_subject(proxy_subject)
proxy.set_serial_number(int(time.time()))
proxy.set_version(x509_request.get_version())
proxy.set_issuer(issuer_subject)
proxy.set_pubkey(x509_request.get_pubkey())
proxy.set_not_after(not_after)
proxy.set_not_before(not_before)
if not private_key:
proxy.sign(self.pkey, 'sha1')
else:
proxy.sign(private_key, 'sha1')
return proxy.as_pem() + self.cert.as_pem()
def genSignature(privkey, sig_domain="WangYang", sig_depart="", sig_organization="IIE", sig_province="Beijing", sig_locale="Beijing"):
#首先载入密钥文件。此文件同时保存了申请者的私钥与公钥。
pkey=EVP.load_key_string(privkey, util.no_passphrase_callback)
req=X509.Request()
req.set_pubkey(pkey) #包含公钥
#req.set_version(1)
#身份信息不是简单的字符串。而是X509_Name对象。
name=X509.X509_Name()
#CN是Common Name的意思。如果是一个网站的电子证书,就要写成网站的域名
name.CN = sig_domain # "WangYang" # 普通名字
#Organization Unit,通常是指部门吧,组织内单元
name.OU = sig_depart # "SKLOIS"
#Organization。通常是指公司
name.O = sig_organization # "IIE"
#State or Province。州或者省
name.ST = sig_province # "Beijing"
#Locale。
name.L = sig_locale # "Beijing"
#国家。不能直接写国家名字,比如China之类的,而应该是国家代码。
#CN代表中国。US代表美国,JP代表日本
name.C="CN" # 国家名称
req.set_subject(name) #包含通信节点的身份信息
req.sign(pkey, "sha256") #使用通信节点的密钥进行签名,sha1已经不安全了,这里使用sha256
signature = req.as_pem()
return signature
def helper_generate_certificate(self, pkey):
"""Create a self-signed x509 certificate."""
name = X509.X509_Name()
name.C = 'NO'
name.ST = 'Oslo'
name.L = 'Oslo'
name.O = 'University of Oslo'
name.OU = 'Cerebrumtesting'
name.CN = '127.0.0.1'
name.emailAddress = '*****@*****.**'
cert = X509.X509()
cert.set_version(2)
cert.set_serial_number(1)
cert.set_subject(name)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
end = ASN1.ASN1_UTCTIME()
end.set_time(t + 60 * 60 * 24 * 365 * 10)
cert.set_not_before(now)
cert.set_not_after(end)
cert.set_issuer(name)
cert.set_pubkey(pkey)
#ext = X509.new_extension('subjectAltName', 'DNS:localhost')
#ext.set_critical(0)
#cert.add_ext(ext)
cert.sign(pkey, 'sha1')
return cert
def _create(self, hostname='localhost'):
# Make the RSA key
self.rsakey = RSA.gen_key(2048, m2.RSA_F4)
if self.secure:
# Save the key, AES256-CBC encrypted
self.rsakey.save_key(self.keyfile, 'aes_256_cbc')
else:
# Save the key unencrypted.
self.rsakey.save_key(self.keyfile,
None,
callback=m2util.no_passphrase_callback)
# Make the public key
pkey = EVP.PKey()
pkey.assign_rsa(self.rsakey, 0)
# Generate the certificate
self.cert = X509.X509()
self.cert.set_serial_number(long(bttime()))
self.cert.set_version(0x2)
self.cert.set_pubkey(pkey)
# Set the name on the certificate
name = X509.X509_Name()
name.CN = hostname
self.cert.set_subject(name)
self.cert.set_issuer(name)
# Set the period of time the cert is valid for (5 years from issue)
notBefore = m2.x509_get_not_before(self.cert.x509)
notAfter = m2.x509_get_not_after(self.cert.x509)
m2.x509_gmtime_adj(notBefore, 0)
m2.x509_gmtime_adj(notAfter, 60 * 60 * 24 * 365 * 5)
# Sign the certificate
self.cert.sign(pkey, 'sha1')
# Save it
self.cert.save_pem(self.certfile)
def name_from_options(options):
name = X509.X509_Name()
for field in ('C', 'ST', 'L', 'O', 'OU', 'CN'):
value = getattr(options, field)
if value:
setattr(name, field, value)
return name, []
def gen_cert():
"""
Generate TLS certificate request for testing
"""
req, key = gen_req()
pub_key = req.get_pubkey()
subject = req.get_subject()
cert = X509.X509()
# noinspection PyTypeChecker
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(subject)
t = int(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_UTCTIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
issuer = X509.X509_Name()
issuer.C = 'US'
issuer.CN = 'minifi-listen'
cert.set_issuer(issuer)
cert.set_pubkey(pub_key)
cert.sign(key, 'sha256')
return cert, key
def on_generate(self, cr, uid, ids, context=None):
if context is None:
context = {}
active_ids = context['active_ids']
pairkey_obj = self.pool.get('crypto.pairkey')
r_ids = []
for wizard in self.browse(cr, uid, ids):
try:
name = X509.X509_Name()
if wizard.name_c: name.C = wizard.name_c
if wizard.name_sp: name.SP = wizard.name_sp
if wizard.name_l: name.L = wizard.name_l
if wizard.name_o: name.O = wizard.name_o
if wizard.name_ou: name.OU = wizard.name_ou
if wizard.name_cn: name.CN = wizard.name_cn
if wizard.name_gn: name.GN = wizard.name_gn
if wizard.name_sn: name.SN = wizard.name_sn
if wizard.name_email: name.EMail = wizard.name_email
if wizard.name_serialnumber:
name.serialNumber = wizard.name_serialnumber
r = pairkey_obj.generate_certificate_request(
cr, uid, active_ids, name)
r_ids.extend([r[_id] for _id in active_ids])
except Exception, m:
raise osv.except_osv(_('Error'), m)
def set_cacert(cert, CN=None, C=None, O=None, OU=None, Email=None):
"""Set the SubjectAltName, Issuer and Subject
:param CN: certificate commonName
:param C: certificate countryName
:param O: certificate organizationName
:param OU: certificate organizationalUnitName
:param Email: certificate emailAddress
:type CN: string
:type C: string
:type O: string
:type OU: string
:type Email: string
:param cert: x509 certificate
:type cert: X509.X509
:return: x509 certificate
:rtype: X509.X509
"""
x509_name = X509.X509_Name()
x509_name.O = O
x509_name.OU = OU
x509_name.CN = CN
x509_name.Email = Email
cert.set_issuer(x509_name)
# ext = X509.new_extension('subjectAltName', 'DNS:foobar.example.com')
# ext.set_critical(0)# Defaults to non-critical, but we can also set it
# cert.add_ext(ext)
return cert
def set_cert_xmppwebid(cert, id_xmpp, webid):
"""Set the SubjectAltName, Issuer and Subject
:param cert: x509 certificate
:type cert: X509.X509
:param id_xmpp: xmpp id
:param webid: FOAF WebId
:type id_xmpp: string
:type webid: string
:return: x509 certificate
:rtype: X509.X509
"""
# optional
# the issuer is going to be the same as subject
x509_name = X509.X509_Name()
x509_name.O = O
x509_name.OU = OU
x509_name.CN = CN
cert.set_issuer(x509_name)
# set subjectAltName extension
ext = X509.new_extension(
'subjectAltName',
'URI:%s, otherName:%s;UTF8:%s' % (webid, ID_ON_XMPPADDR_OID, id_xmpp))
ext.set_critical(1)
cert.add_ext(ext)
return cert
def set_csr_subject(csr, CN=None, C=None, O=None, OU=None, Email=None):
"""Set the CSR Subject data
:param CN: certificate commonName
:param C: certificate countryName
:param O: certificate organizationName
:param OU: certificate organizationalUnitName
:param Email: certificate emailAddress
:type CN: string
:type C: string
:type O: string
:type OU: string
:type Email: string
:return: x509 request
:rtype: X509.Request
"""
x509_name = X509.X509_Name()
x509_name.CN = CN
x509_name.C = C
x509_name.O = O
x509_name.OU = OU
x509_name.Email = Email
csr.set_subject_name(x509_name)
return csr
def mk_ca():
r, pk = req('ca')
pkey = r.get_pubkey()
sub = r.get_subject()
cert = X509.X509()
cert.set_version(2)
cert.set_subject(sub)
cert.set_serial_number(0)
issuer = X509.X509_Name()
issuer.C = sub.C
issuer.O = sub.O
issuer.CN = sub.CN
cert.set_issuer(issuer)
cert.set_pubkey(pkey)
cert.set_not_before(before)
cert.set_not_after(after)
ext = X509.new_extension('basicConstraints', 'CA:TRUE')
cert.add_ext(ext)
cert.sign(pk, 'sha256')
saveTextPemKey(cert, 'ca')
return cert, pk
def generate_certificate(
self,
aca_cert,
btc_address=None,
pkey=None,
):
if pkey is None and btc_address is None:
pkey, btc_address = self.generate_keys()
self.btc_address = btc_address
issuer = aca_cert.get_issuer()
# Creating a certificate
cert = X509.X509()
# Set issuer
cert.set_issuer(issuer)
# Generate CS information
cert_name = X509.X509_Name()
cert_name.C = 'CT'
cert_name.ST = 'Barcelona'
cert_name.L = 'Bellaterra'
cert_name.O = 'UAB'
cert_name.OU = 'DEIC'
cert_name.CN = btc_address
cert.set_subject_name(cert_name)
# Set public_key
cert.set_pubkey(pkey)
# Time for certificate to stay valid
cur_time = ASN1.ASN1_UTCTIME()
cur_time.set_time(int(time()))
# Expire certs in 1 year.
expire_time = ASN1.ASN1_UTCTIME()
expire_time.set_time(int(time()) + 60 * 60 * 24 * 365)
# Set the validity
cert.set_not_before(cur_time)
cert.set_not_after(expire_time)
# Sign the certificate using the same key type the CA is going to use later
# The resulting signature will not be used, it is only for setting the corresponding field into the certificate
rsa_keys = RSA.gen_key(2046, 65537, callback=lambda x, y, z: None)
rsa_pkey = EVP.PKey()
rsa_pkey.assign_rsa(rsa_keys)
cert.sign(rsa_pkey, md='sha256')
# Load the Certificate as a ASN.1 object and extract the TBS Certificate (special thanks to Alex <*****@*****.**>)
asn1_cert = decoder.decode(cert.as_der(), asn1Spec=Certificate())[0]
tbs = asn1_cert.getComponentByName("tbsCertificate")
# Compute the sha256 of the TBS Certificate
tbs_der = encoder.encode(tbs)
digest = sha256()
digest.update(tbs_der)
cert_hash = digest.digest()
return asn1_cert, cert_hash
def CrearPedidoCertificado(self, cuit="", empresa="", nombre="pyafipws",
filename="empresa.csr"):
"Crear un certificate signing request (X509 CSR)"
from M2Crypto import RSA, EVP, X509
# create the certificate signing request (CSR):
self.x509_req = X509.Request ()
# normalizar encoding (reemplazar acentos, eñe, etc.)
if isinstance(empresa, unicode):
empresa = unicodedata.normalize('NFKD', empresa).encode('ASCII', 'ignore')
if isinstance(nombre, unicode):
nombre = unicodedata.normalize('NFKD', nombre).encode('ASCII', 'ignore')
# subjet: C=AR/O=[empresa]/CN=[nombre]/serialNumber=CUIT [nro_cuit]
x509name = X509.X509_Name ()
# default OpenSSL parameters:
kwargs = {"type": 0x1000 | 1, "len": -1, "loc": -1, "set": 0}
x509name.add_entry_by_txt(field='C', entry='AR', **kwargs)
x509name.add_entry_by_txt(field='O', entry=empresa, **kwargs)
x509name.add_entry_by_txt(field='CN', entry=nombre, **kwargs)
x509name.add_entry_by_txt(field='serialNumber', entry="CUIT %s" % cuit, **kwargs)
self.x509_req.set_subject_name(x509name)
# sign the request with the previously created key (CrearClavePrivada)
self.x509_req.set_pubkey (pkey=self.pkey)
self.x509_req.sign(pkey=self.pkey, md='sha256')
# save the CSR result to a file:
f = open(filename, "w")
f.write(self.x509_req.as_pem())
f.close()
def MakeCACert(common_name="grr", issuer_cn="grr_test", issuer_c="US"):
"""Generate a CA certificate.
Args:
common_name: Name for cert.
issuer_cn: Name for issuer.
issuer_c: Country for issuer.
Returns:
(Certificate, priv key, pub key).
"""
req, pk = MakeCSR(2048, common_name=common_name)
pkey = req.get_pubkey()
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
SetCertValidityDate(cert, days=3650)
issuer = X509.X509_Name()
issuer.C = issuer_c
issuer.CN = issuer_cn
cert.set_issuer(issuer)
cert.set_subject(cert.get_issuer())
cert.set_pubkey(pkey)
cert.add_ext(X509.new_extension("basicConstraints", "CA:TRUE"))
cert.add_ext(X509.new_extension("subjectKeyIdentifier",
cert.get_fingerprint()))
cert.sign(pk, "sha256")
return cert, pk, pkey
def __init__(self, parameters=None):
""" Constructor
"""
super(DIRACCAProxyProvider, self).__init__(parameters)
self.__X509Name = X509.X509_Name()
self.log = gLogger.getSubLogger(__name__)
# Initialize
self.maxDict = {}
self.minDict = {}
self.bits = 2048
self.algoritm = 'sha256'
self.match, self.supplied, self.optional = [], [], []
# Add not supported distributes names
self.fs2nid = X509.X509_Name.nid.copy()
self.fs2nid['DC'] = -1
self.fs2nid['domainComponent'] = -1
self.n2field = {} # nid: most short or specidied in CS distributes name
self.n2fields = {} # nid: list of distributes names
# Specify standart fields
for field in self.fs2nid:
if self.fs2nid[field] not in self.n2fields:
self.n2fields[self.fs2nid[field]] = []
self.n2fields[self.fs2nid[field]].append(field)
for nid in self.n2fields:
for field in self.n2fields[nid]:
if nid not in self.n2field:
self.n2field[nid] = field
self.n2field[nid] = len(field) < len(self.n2field[nid]) and field or self.n2field[nid]
def makeRequest(pk):
"""
Creates a new CSR from an RSA key
:param pk: RSA key
:return: CSR
"""
pkey = EVP.PKey()
pkey.assign_rsa(pk)
req = X509.Request()
req.set_version(2)
req.set_pubkey(pkey)
name = X509.X509_Name()
name.CN = 'cirosec gmbh'
req.set_subject_name(name)
ext1 = X509.new_extension('subjectAltName', 'DNS:foobar.example.com')
ext2 = X509.new_extension('nsComment', 'Hello there')
extstack = X509.X509_Extension_Stack()
extstack.push(ext1)
extstack.push(ext2)
assert (extstack[1].get_name() == 'nsComment')
req.add_extensions(extstack)
req.sign(pkey, 'sha1')
return req
def mk_cacert(name=None):
"""
Make a CA certificate.
Returns the certificate, private key and public key.
"""
req, pk = mk_request(config.getint('ca','cert_bits'),config.get('ca','cert_ca_name'))
pkey = req.get_pubkey()
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
mk_cert_valid(cert,config.getint('ca','cert_ca_lifetime'))
if name==None:
name = config.get('ca','cert_ca_name')
issuer = X509.X509_Name()
issuer.C = config.get('ca','cert_country')
issuer.CN = name
issuer.ST = config.get('ca','cert_state')
issuer.L = config.get('ca','cert_locality')
issuer.O = config.get('ca','cert_organization')
issuer.OU = config.get('ca','cert_org_unit')
cert.set_issuer(issuer)
cert.set_subject(cert.get_issuer())
cert.set_pubkey(pkey)
cert.add_ext(X509.new_extension('basicConstraints', 'CA:TRUE'))
cert.add_ext(X509.new_extension('subjectKeyIdentifier', str(cert.get_fingerprint())))
cert.add_ext(X509.new_extension('crlDistributionPoints','URI:http://localhost/crl.pem'))
cert.add_ext(X509.new_extension('keyUsage', 'keyCertSign, cRLSign'))
cert.sign(pk, 'sha256')
return cert, pk, pkey
def _forceGenerateProxyForDN(self, dn, time, group=None):
""" An additional helper method for creating a proxy without any substantial validation,
it can be used for a specific case(such as testing) where just need to generate a proxy
with specific DN on the fly.
:param str dn: requested proxy DN
:param int time: expired time in a seconds
:param str group: if need to add DIRAC group
:return: S_OK(tuple)/S_ERROR() -- contain proxy as chain and as string
"""
self.__X509Name = X509.X509_Name()
result = self.__parseDN(dn)
if not result['OK']:
return result
dnInfoDict = result['Value']
for field, values in dnInfoDict.items():
result = self.__fillX509Name(field, values)
if not result['OK']:
return result
result = self.__createCertM2Crypto()
if result['OK']:
certStr, keyStr = result['Value']
chain = X509Chain()
if chain.loadChainFromString(certStr)['OK'] and chain.loadKeyFromString(keyStr)['OK']:
result = chain.generateProxyToString(time, rfc=True, diracGroup=group)
if not result['OK']:
return result
chain = X509Chain()
chain.loadProxyFromString(result['Value'])
return S_OK((chain, result['Value']))
def create_self_signed_cert(rsa, subject={'CN': 'Testing'}, san=None):
""" Creates a self-signed cert
Pass in an RSA private key object
Pass in a dictionary of subject name data, using C ST L O OU CN keys
Pass in an optional san like 'DNS:example.com'
Returns a X509.X509 object
"""
pk = EVP.PKey()
pk.assign_rsa(rsa)
name = X509.X509_Name()
for key in ['C', 'ST', 'L', 'O', 'OU', 'CN']:
if subject.get(key, None):
setattr(name, key, subject[key])
cert = X509.X509()
cert.set_serial_number(1)
cert.set_version(2)
t = long(time.time())
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
expire = ASN1.ASN1_UTCTIME()
expire.set_time(t + 365 * 24 * 60 * 60)
cert.set_not_before(now)
cert.set_not_after(expire)
cert.set_issuer(name)
cert.set_subject(name)
cert.set_pubkey(pk)
cert.add_ext(X509.new_extension('basicConstraints', 'CA:FALSE'))
if san:
cert.add_ext(X509.new_extension('subjectAltName', san))
cert.add_ext(
X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint()))
cert.sign(pk, 'sha1')
return cert
def make_proxycert(self, eecert):
proxycert = X509.X509()
pk2 = EVP.PKey()
proxykey = RSA.gen_key(1024, 65537, self.callback)
pk2.assign_rsa(proxykey)
proxycert.set_pubkey(pk2)
proxycert.set_version(2)
not_before = ASN1.ASN1_UTCTIME()
not_after = ASN1.ASN1_UTCTIME()
not_before.set_time(int(time.time()))
offset = 12 * 3600
not_after.set_time(int(time.time()) + offset)
proxycert.set_not_before(not_before)
proxycert.set_not_after(not_after)
proxycert.set_issuer_name(eecert.get_subject())
proxycert.set_serial_number(12345678)
issuer_name_string = eecert.get_subject().as_text()
seq = issuer_name_string.split(",")
subject_name = X509.X509_Name()
for entry in seq:
l = entry.split("=")
subject_name.add_entry_by_txt(field=l[0].strip(),
type=ASN1.MBSTRING_ASC,
entry=l[1], len=-1, loc=-1, set=0)
subject_name.add_entry_by_txt(field="CN", type=ASN1.MBSTRING_ASC,
entry="Proxy", len=-1, loc=-1, set=0)
proxycert.set_subject_name(subject_name)
# XXX leaks 8 bytes
pci_ext = X509.new_extension("proxyCertInfo",
"critical,language:Inherit all", 1)
proxycert.add_ext(pci_ext)
return proxycert
def on_generate(self, cr, uid, ids, context):
if context is None:
context = {}
active_ids = context['active_ids']
certificate_obj = self.pool.get('crypto.certificate')
for wizard in self.browse(cr, uid, ids):
name = X509.X509_Name()
if wizard.name_c: name.C = wizard.name_c
if wizard.name_sp: name.SP = wizard.name_sp
if wizard.name_l: name.L = wizard.name_l
if wizard.name_o: name.O = wizard.name_o
if wizard.name_ou: name.OU = wizard.name_ou
if wizard.name_cn: name.CN = wizard.name_cn
if wizard.name_gn: name.GN = wizard.name_gn
if wizard.name_sn: name.SN = wizard.name_sn
if wizard.name_email: name.EMail = wizard.name_email
if wizard.name_serialnumber:
name.serialNumber = wizard.name_serialnumber
certificate_obj.generate_certificate(
cr,
uid,
active_ids,
name,
ext=None,
serial_number=wizard.serial_number,
version=wizard.version,
date_begin=datetime.strptime(wizard.date_begin, '%Y-%m-%d'),
date_end=datetime.strptime(wizard.date_end, '%Y-%m-%d'))
return {'type': 'ir.actions.act_window_close'}
def _set_subject(self):
"""
Internal method that sets the subject name
"""
subject_name = X509.X509_Name()
serial_number = self._make_serial_number(self._proxycert)
issuer_name = self._usercert.get_subject()
issuer_name_txt = issuer_name.as_text()
seq = issuer_name_txt.split(",")
for entry in seq:
name_component = entry.split("=")
subject_name.add_entry_by_txt(field=name_component[0].strip(),
type=MBSTRING_ASC,
entry=name_component[1],
len=-1,
loc=-1,
set=0)
subject_name.add_entry_by_txt(field="CN",
type=MBSTRING_ASC,
entry=str(serial_number),
len=-1,
loc=-1,
set=0)
self._proxycert.set_subject_name(subject_name)
def generate_certificate(csr, serial, cn):
"""Generate a certificate and sign it with CA.
:param csr: Certificate Signing Request. See :class:`M2Crypto.X509.Request`.
:param serial: Serial number of the certificate as long int.
:param cn: Common Name of the certificate.
:return: Generated + signed certificate. See :class:`M2Crypto.X509.X509`.
"""
ca_key = EVP.load_key(settings.PKI_CA_KEYFILE, lambda *args: None)
ca_cert = X509.load_cert(settings.PKI_CA_CERTFILE)
cert = X509.X509()
cert.set_serial_number(serial)
cert.set_version(2)
csr_subject = csr.get_subject()
subject = X509.X509_Name()
for key in ('C', 'ST', 'L', 'O', 'OU'):
original_value = getattr(csr_subject, key)
if original_value:
setattr(subject, key, original_value)
subject.CN = cn
cert.set_subject(subject)
t = long(time.time()) + time.timezone
now = ASN1.ASN1_UTCTIME()
now.set_time(t)
now_plus_year = ASN1.ASN1_UTCTIME()
now_plus_year.set_time(t + 60 * 60 * 24 * 365)
cert.set_not_before(now)
cert.set_not_after(now_plus_year)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(csr.get_pubkey())
cert.sign(ca_key, 'sha1')
return cert
def mk_request(bits, CN, C, ST, L, O, OU):
"""Create a X509 request with the given number of bits in they key.
:param bits: number of RSA key bits
:param CN: Common Name field
:param C: Country Name
:param ST: State or province name
:param L: Locality
:param O: Organization
:param OU: Organization Unit
:returns: a X509 request and the private key (EVP)
"""
pk = EVP.PKey()
x = X509.Request()
rsa = RSA.gen_key(bits, 65537, lambda: None)
pk.assign_rsa(rsa)
x.set_pubkey(pk)
subject_name = X509.X509_Name()
subject_name.add_entry_by_txt(field="CN",
type=ASN1.MBSTRING_ASC,
entry=CN or "",
len=-1,
loc=-1,
set=0)
subject_name.add_entry_by_txt(field="C",
type=ASN1.MBSTRING_ASC,
entry=C or "",
len=-1,
loc=-1,
set=0)
subject_name.add_entry_by_txt(field="ST",
type=ASN1.MBSTRING_ASC,
entry=ST or "",
len=-1,
loc=-1,
set=0)
subject_name.add_entry_by_txt(field="L",
type=ASN1.MBSTRING_ASC,
entry=L or "",
len=-1,
loc=-1,
set=0)
subject_name.add_entry_by_txt(field="O",
type=ASN1.MBSTRING_ASC,
entry=O or "",
len=-1,
loc=-1,
set=0)
subject_name.add_entry_by_txt(field="OU",
type=ASN1.MBSTRING_ASC,
entry=OU or "",
len=-1,
loc=-1,
set=0)
x.set_subject_name(subject_name)
x.sign(pk, 'sha256')
return x, pk
def _populated_x509_name(components):
"""
Generates a populated X509_Name with the entries passed in components
"""
x509_name = X509.X509_Name()
for field, value in components:
x509_name.add_entry_by_txt(field, 0x1000, value, len=-1, loc=-1, set=0)
return x509_name
def _create_cert(key, webid_uri, time_len=365):
key_dir = jongau.settings.key_dir
key_path = os.path.join(key_dir, key['filename'])
rsa = RSA.load_key(key_path)
pk = EVP.PKey()
pk.assign_rsa(rsa)
parsed = urlparse.urlparse(webid_uri)
issuer = X509.X509_Name()
issuer.CN = parsed[1]
subject = X509.X509_Name()
subject.CN = parsed[1]
cert = X509.X509()
cert.set_serial_number(long(time.time()))
cert.set_version(2)
cert.set_issuer(issuer)
cert.set_subject(subject)
cert.set_pubkey(pk)
now = long(key['created'])
time_start = ASN1.ASN1_UTCTIME()
time_start.set_time(now)
time_end = ASN1.ASN1_UTCTIME()
time_end.set_time(now + time_len * 24 * 60 * 60)
cert.set_not_before(time_start)
cert.set_not_after(time_end)
cert.add_ext(X509.new_extension('basicContraints', 'CA:FALSE'))
cert.add_ext(X509.new_extension('subjectAltName', "URI:" + webid_uri))
cert.add_ext(
X509.new_extension('subjectKeyIdentifier', cert.get_fingerprint()))
cert.sign(pk, 'sha1')
filename = '%s_%s_%s' % (key['filename'], parsed[1], long(time.time()))
pathname = os.path.join(key_dir, filename)
cert.save_pem(pathname)
certificate = {}
certificate['filename'] = filename
certificate['keyname'] = key['filename']
certificate['created'] = key['created']
certificate['expiration'] = key['created'] + time_len * 24 * 60 * 60
return certificate
def create_request(self, **subject):
request = X509.Request()
subject_name = X509.X509_Name()
for key, value in subject.iteritems():
setattr(subject_name, key, value)
request.set_subject(subject_name)
request.set_pubkey(pkey=self.pkey)
request.sign(self.pkey, md="sha256")
return request
def dict_to_x509_name(subject):
"""Our default CA issuer name."""
name = X509.X509_Name()
name.C = subject['C']
name.ST = subject['ST']
name.L = subject['L']
name.O = subject['O'] # noqa
name.OU = subject['OU']
name.CN = subject['CN']
return name
