def cmd_ca_sign(self, data): cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, base64.b64decode(data['cert'])) cert.add_extensions([ OpenSSL.crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=SSL.get_ca()) ]) capriv = SSL.get_ca_privatekey() certsigned = SSL.sign(cert, capriv, str(data['digest'])) return 'OK', OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, certsigned)
def create_cert(self, profile): before = datetime.utcnow() after = before + timedelta(days=Config().config.getint("cert", "validity")) pkey = SSL.create_key(Config().config.getint("cert", "key_size")) ca = SSL.get_ca() cert = SSL.create_cert(pkey) if Config().config.get("ldap", "enable") and "false" not in Config().config.get("profile_" + profile, "ldap"): print "Search in LDAP" l = LDAP() filter = Config().config.get("profile_" + profile, "ldap") res = l.get_dn(l.get_basedn(), filter, ['cn', 'mail', 'uid']) listSearch = {} users = {} for elt in res: key = elt[0] val = elt[1]['cn'][0] mail = None if 'mail' in elt[1].keys(): mail = elt[1]['mail'][0] val = val + " (mail : " + elt[1]['mail'][0] + ")" listSearch.update({key: val}) users.update({key: {'mail': mail, 'cn': elt[1]['cn'][0]}}) nbr_select = 0 while nbr_select != 1: userList = Render.print_selector(listSearch) nbr_select = len(userList) email = users[userList[0]]['mail'] cn = users[userList[0]]['cn'] subject_array = userList[0].split(',') subject_array.reverse() subject_array.pop() subject = '/'.join(subject_array) + "/CN=" + cn else: cn = raw_input("Common Name : ") email = raw_input("Mail address : ") subject = Config().config.get("ca", "base_cn") + "/CN=" + cn subject_x509 = SSL.parse_str_to_x509Name(subject, cert.get_subject()) issuer_x509 = ca.get_subject() if email: subject_x509.emailAddress = email cert.set_subject(subject_x509) cert.set_issuer(issuer_x509) cert.set_notBefore(before.strftime("%Y%m%d%H%M%S%Z")+"Z") cert.set_notAfter(after.strftime("%Y%m%d%H%M%S%Z")+"Z") cert.set_serial_number(int(time() * 1000000)) cert.set_version(2) bsConst = "CA:FALSE" cert.add_extensions([ crypto.X509Extension("basicConstraints", True, bsConst), crypto.X509Extension("keyUsage", True, SSL.get_key_usage_from_profile(profile)), crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=cert), ]) cert.add_extensions([ crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca) ]) cert.add_extensions([ crypto.X509Extension("extendedKeyUsage", False, SSL.get_extended_key_usage_from_profile(profile)) ]) if Config().config.getboolean("crl", "enable"): crlUri = "URI:" + Config().config.get("crl", "uri") cert.add_extensions([ crypto.X509Extension("crlDistributionPoints", False, crlUri) ]) if Config().config.getboolean("ocsp", "enable"): ocspUri = "OCSP;URI:" + Config().config.get("ocsp", "uri") cert.add_extensions([ crypto.X509Extension("authorityInfoAccess", False, ocspUri) ]) cert_signed = SSL.sign(cert, SSL.get_ca_privatekey(), Config().config.get("cert", "digest")) SSL.set_cert(cert_signed) SSL.set_cert_privatekey(cert_signed, pkey) if Config().config.getboolean("ldap", "enable"): LDAP.add_queue(cert_signed)
def resigned_all_cert(self): for certhash in SSL.get_all_certificates(): cert_signed = SSL.sign(certhash['cert'], SSL.get_ca_privatekey(), Config().config.get("cert", "digest")) SSL.delete_cert(certhash['id']) SSL.set_cert(cert_signed)