def dispatch_sign(ra_name, csr):
    """Sign ``csr`` with the backend configured for registration authority ``ra_name``.

    The CA configuration is looked up via ``jsonloader``; its ``backend`` key
    (default ``'anchor'``) selects the signing function. A backend that raises
    an HTTP exception has that exception re-raised unchanged; any other
    failure is logged and converted into an HTTP 500 whose client-visible
    text does not include the backend's error detail.

    :param ra_name: registration authority whose signing CA is used
    :param csr: X509 certificate signing request handed to the backend
    :return: ``(cert_pem, fingerprint)`` -- the signed certificate in PEM
             format and its SHA-256 fingerprint
    """
    ca_conf = jsonloader.signing_ca_for_registration_authority(ra_name)
    backend = ca_conf.get('backend', 'anchor')
    sign = jsonloader.conf.get_signing_backend(backend)

    try:
        cert_pem = sign(csr, ca_conf)
    except http_status.HTTPException:
        # A deliberate HTTP-level rejection from the backend: propagate as-is.
        logger.exception("Failed to sign certificate")
        raise
    except Exception:
        # Anything else is an internal error; keep the detail in the log only.
        logger.exception("Failed to sign the certificate")
        pecan.abort(500, "certificate signing error")

    fingerprint = certificate_fingerprint(cert_pem, 'sha256')

    output_dir = ca_conf.get('output_path')
    if output_dir is not None:
        # The file name comes from the certificate's fingerprint rather than
        # from any CSR field.
        target = os.path.join(output_dir, '%s.crt' % fingerprint)
        logger.info("Saving certificate to: %s", target)
        with open(target, "w") as out:
            out.write(cert_pem)

    return cert_pem, fingerprint
def dispatch_sign(ra_name, csr):
    """Sign ``csr`` with the backend configured for registration authority ``ra_name``.

    The CA configuration is looked up via ``jsonloader``; its ``backend`` key
    (default ``'anchor'``) selects the signing function. A backend that raises
    an HTTP exception has that exception re-raised unchanged; any other
    failure is logged and converted into an HTTP 500 whose client-visible
    text does not include the backend's error detail.

    :param ra_name: registration authority whose signing CA is used
    :param csr: X509 certificate signing request handed to the backend
    :return: ``(cert_pem, fingerprint)`` -- the signed certificate in PEM
             format and its SHA-256 fingerprint
    """
    ca_conf = jsonloader.signing_ca_for_registration_authority(ra_name)
    backend = ca_conf.get('backend', 'anchor')
    sign = jsonloader.conf.get_signing_backend(backend)

    try:
        cert_pem = sign(csr, ca_conf)
    except http_status.HTTPException:
        # A deliberate HTTP-level rejection from the backend: propagate as-is.
        logger.exception("Failed to sign certificate")
        raise
    except Exception:
        # Anything else is an internal error; keep the detail in the log only.
        logger.exception("Failed to sign the certificate")
        pecan.abort(500, "certificate signing error")

    fingerprint = certificate_fingerprint(cert_pem, 'sha256')

    output_dir = ca_conf.get('output_path')
    if output_dir is not None:
        # The file name comes from the certificate's fingerprint rather than
        # from any CSR field.
        target = os.path.join(output_dir, '%s.crt' % fingerprint)
        logger.info("Saving certificate to: %s", target)
        with open(target, "w") as out:
            out.write(cert_pem)

    return cert_pem, fingerprint
def get_ca(ra_name):
    """Return the signing CA certificate configured for ``ra_name``.

    The certificate is read verbatim from the ``cert_path`` entry of the
    CA configuration. When no path is configured the request is rejected
    with HTTP 404.

    :param ra_name: registration authority whose CA certificate is wanted
    :return: contents of the CA certificate file, as read from disk
    """
    cert_path = jsonloader.signing_ca_for_registration_authority(ra_name).get('cert_path')
    if not cert_path:
        pecan.abort(404, "CA certificate not available")
    with open(cert_path) as cert_file:
        return cert_file.read()
def get_ca(ra_name):
    """Return the signing CA certificate configured for ``ra_name``.

    The certificate is read verbatim from the ``cert_path`` entry of the
    CA configuration. When no path is configured the request is rejected
    with HTTP 404.

    :param ra_name: registration authority whose CA certificate is wanted
    :return: contents of the CA certificate file, as read from disk
    """
    cert_path = jsonloader.signing_ca_for_registration_authority(ra_name).get('cert_path')
    if not cert_path:
        pecan.abort(404, "CA certificate not available")
    with open(cert_path) as cert_file:
        return cert_file.read()
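def _add_revoked_entries(crl_builder, dbdata):
    """Add one revoked-certificate entry to ``crl_builder`` per "Revoked" DB record.

    :param crl_builder: ``x509.CertificateRevocationListBuilder`` to extend
    :param dbdata: mapping of request id -> record (or ``None``) as returned
                   by ``util.load_db``; ``None`` records are skipped
    :return: the extended builder (builders are immutable, so the returned
             value must be used)
    """
    backend = backends.default_backend()
    for req in sorted(dbdata):
        record = dbdata[req]
        if record is None or record.getStatus() != "Revoked":
            continue
        # NOTE(review): the serial must be the one the CA actually issued,
        # otherwise this entry revokes nothing. The original TODO about
        # validating get_cert_serial() still stands.
        revoked = (x509.RevokedCertificateBuilder()
                   .revocation_date(record.revocation_date)
                   .serial_number(record.get_cert_serial())
                   .build(backend))
        crl_builder = crl_builder.add_revoked_certificate(revoked)
    return crl_builder


def generate_crl():
    """Build and sign a CRL listing every certificate marked "Revoked" in the cert DB.

    Reads ``ra_options["certdb_file"]`` and ``ra_options["ra_name"]``, the
    CA ``cert_path``/``key_path`` of that RA's signing CA, and
    ``revocation_options`` (``crl_lifetime_days``, ``crl_format``) from
    ``jsonloader.conf``. The CRL is signed with SHA-256.

    :return: the signed CRL encoded with ``serialization.Encoding(crl_format)``
    :raises Exception: whatever loading the CA certificate or its private
                       key raises; both are logged before being re-raised
    """
    dbdata = util.load_db(jsonloader.conf.ra_options["certdb_file"])
    crl_builder = _add_revoked_entries(
        x509.CertificateRevocationListBuilder(), dbdata)

    # Take one timestamp so thisUpdate and nextUpdate are derived from the
    # same instant (the original called utcnow() twice).
    # NOTE(review): no allowance is made for clock skew between this host and
    # relying parties; a client whose clock is behind sees a CRL dated in the
    # future until it catches up.
    now = datetime.datetime.utcnow()
    lifetime_days = int(jsonloader.conf.revocation_options["crl_lifetime_days"])
    crl_builder = crl_builder.last_update(now)
    crl_builder = crl_builder.next_update(
        now + datetime.timedelta(days=lifetime_days))

    ca_conf = jsonloader.signing_ca_for_registration_authority(
        jsonloader.conf.ra_options["ra_name"])
    try:
        ca_cert = anchor_certificate.X509Certificate.from_file(ca_conf["cert_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA: %s", e)
        raise

    # NOTE(review): the issuer is rebuilt as a CN-only Name from the *first*
    # component of the CA subject. Relying parties match the CRL issuer
    # against the CA certificate's full subject, so this is only correct
    # when that subject consists of exactly a CN; confirm against the
    # deployed CA certificate, or copy the subject in full.
    issuer = x509.Name([
        x509.NameAttribute(x509.oid.NameOID.COMMON_NAME,
                           ca_cert.get_subject()[0].get_value()),
    ])
    crl_builder = crl_builder.issuer_name(issuer)

    try:
        private_key = anchor_utils.get_private_key_from_file(ca_conf["key_path"])
    except Exception as e:
        logger.error("Cannot load the signing CA private key: %s", e)
        raise

    # TODO: the hash algorithm is fixed to SHA-256; consider reading it
    # from configuration.
    crl = crl_builder.sign(private_key, hashes.SHA256(), backends.default_backend())
    return crl.public_bytes(
        serialization.Encoding(jsonloader.conf.revocation_options["crl_format"]))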