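def cmd_revoke(workingdir, name=None, serial=None):
    """Revoke one certificate issued by this CA and republish the CRL.

    Exactly one of ``name`` or ``serial`` must be given. ``name`` is the base
    name of an issued cert in ``workingdir`` (``<name>-cert.crt``) whose
    serial number is read from the file; ``serial`` is used as given. The
    serial is recorded (as a string, at most once) in
    ``priv[0]["revoked_keys"]``, the private store is saved, and a fresh CRL
    covering every revoked serial is written to ``cacrl.der`` and
    ``cacrl.pem``. The process cwd is restored on every exit path.

    Args:
        workingdir: directory holding the CA material (``cacert.crt``, the
            private store read by ``read_private``, and the issued certs).
        name: base name of the certificate to revoke, or None.
        serial: serial number of the certificate to revoke, or None.

    Returns:
        The CRL produced by ``ca_impl.gencrl`` (bytes once written).

    Raises:
        ValueError: if both or neither of ``name``/``serial`` are given.
    """
    cwd = os.getcwd()
    try:
        fs_util.ch_dir(workingdir)
        priv = read_private()

        if name is not None and serial is not None:
            raise ValueError("You may not specify a cert and a serial at the same time")
        if name is None and serial is None:
            raise ValueError("You must specify a cert or a serial to revoke")

        if name is not None:
            # Resolve the serial from the issued cert on disk.
            cert = load_cert_by_path(f"{name}-cert.crt")
            serial = cert.serial_number

        # revoked_keys stores serials as strings; normalise before the
        # membership test so an int serial from a caller is not appended twice.
        serial = str(serial)

        with open("cacert.crt", encoding="utf-8") as f:
            cacert = f.read()
        ca_pk = priv[0]["ca"].decode("utf-8")

        if serial not in priv[0]["revoked_keys"]:
            priv[0]["revoked_keys"].append(serial)

        crl = ca_impl.gencrl(priv[0]["revoked_keys"], cacert, ca_pk)

        # Persist the revocation list before publishing the CRL so the two
        # cannot drift apart if the file write below fails.
        write_private(priv)

        # Always publish the new CRL. The previous version only wrote it when
        # an existing cacrl.der was non-empty (and stat()'d it unconditionally),
        # so a revocation made against an empty CRL file was recorded in the
        # private store but never reached relying parties: the cert stayed
        # usable. This now matches cmd_regencrl, which writes unconditionally.
        if isinstance(crl, str):
            crl = crl.encode("utf-8")
        with open("cacrl.der", "wb") as f:
            f.write(crl)
        convert_crl_to_pem("cacrl.der", "cacrl.pem")
    finally:
        os.chdir(cwd)
    return crl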
def cmd_regencrl(workingdir):
    """Rebuild and publish the CRL from the stored revocation list.

    Reads the CA certificate and private key from ``workingdir``, regenerates
    the CRL from ``priv[0]["revoked_keys"]`` without altering that list,
    writes it to ``cacrl.der`` and converts it to ``cacrl.pem``. The private
    store is re-saved unchanged. The process cwd is restored on every exit
    path.

    Args:
        workingdir: directory holding ``cacert.crt`` and the private store.

    Returns:
        The CRL returned by ``ca_impl.gencrl``.
    """
    original_dir = os.getcwd()
    try:
        fs_util.ch_dir(workingdir)
        private_state = read_private()
        ca_state = private_state[0]

        with open("cacert.crt", encoding="utf-8") as cert_file:
            ca_cert_pem = cert_file.read()
        ca_key_pem = ca_state["ca"].decode()

        crl = ca_impl.gencrl(ca_state["revoked_keys"], ca_cert_pem, ca_key_pem)

        # Nothing in the private state was modified, but the original flow
        # re-saves it at this point; kept so the on-disk side effects match.
        write_private(private_state)

        with open("cacrl.der", "wb") as crl_file:
            crl_file.write(crl)
        convert_crl_to_pem("cacrl.der", "cacrl.pem")
    finally:
        os.chdir(original_dir)
    return crl
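def cmd_init(workingdir):
    """Create a fresh CA in ``workingdir``, discarding any existing one.

    Removes every ``*.pem``, ``*.crt``, ``*.zip``, ``*.der`` and
    ``private.yml`` in the directory, generates a new CA cert and key via
    ``ca_impl.mk_cacert`` and writes:

    * ``cacert.crt`` -- the CA certificate, PEM
    * the private store -- ``priv[0]["ca"]`` holds the CA key as unencrypted
      PKCS#8 PEM and ``priv[0]["lastserial"]`` is reset to 1 (the CA itself)
    * ``ca-public.pem`` -- the CA public key (SubjectPublicKeyInfo PEM), mode 0600
    * ``cacrl.der`` / ``cacrl.pem`` -- an empty CRL

    Finally the on-disk cert is re-read and its signature verified against
    the in-memory public key. A failed self-check is logged, not raised. The
    process cwd is restored on every exit path.

    Args:
        workingdir: directory that will hold the CA material.
    """
    cwd = os.getcwd()
    try:
        fs_util.ch_dir(workingdir)

        # Wipe any previous CA; everything below assumes a clean directory.
        for pattern in ("*.pem", "*.crt", "*.zip", "*.der", "private.yml"):
            rmfiles(pattern)

        cacert, ca_pk, _ = ca_impl.mk_cacert()  # pylint: disable=W0632

        priv = read_private()

        with open("cacert.crt", "wb") as f:
            f.write(cacert.public_bytes(serialization.Encoding.PEM))

        # The key is serialised with no passphrase of its own; its
        # confidentiality rests entirely on how write_private protects the
        # store, which is not visible here.
        priv[0]["ca"] = ca_pk.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.NoEncryption(),
        )

        # The CA certificate is always serial number 1; issued certs count
        # up from here.
        priv[0]["lastserial"] = 1

        write_private(priv)

        # Create with a restrictive mode up front rather than chmod'ing after
        # the fact, so the file never exists with a looser mode. O_TRUNC was
        # missing: O_WRONLY|O_CREAT on a pre-existing longer file would leave
        # stale trailing bytes after the new key.
        fd = os.open("ca-public.pem", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(ca_pk.public_key().public_bytes(
                encoding=serialization.Encoding.PEM,
                format=serialization.PublicFormat.SubjectPublicKeyInfo))

        # Publish an empty CRL so relying parties can fetch one immediately.
        cacert_str = cacert.public_bytes(serialization.Encoding.PEM).decode()
        crl = ca_impl.gencrl([], cacert_str, priv[0]["ca"].decode())
        if isinstance(crl, str):
            crl = crl.encode("utf-8")
        with open("cacrl.der", "wb") as f:
            f.write(crl)
        convert_crl_to_pem("cacrl.der", "cacrl.pem")

        # Sanity check: the cert just written must verify under the key just
        # generated. PKCS#1 v1.5 here presumes mk_cacert returns an RSA key;
        # NOTE(review): confirm -- a non-RSA key would not fit this verify()
        # signature and the error would not be InvalidSignature.
        cac = load_cert_by_path("cacert.crt")
        pubkey = cacert.public_key()
        pubkey.verify(
            cac.signature,
            cac.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cac.signature_hash_algorithm,
        )
        logger.info("CA certificate created successfully in %s", workingdir)
    except crypto_exceptions.InvalidSignature:
        # NOTE(review): the CA material stays on disk after a failed
        # self-check and the caller gets no signal (cmd_init returns None
        # either way). Re-raising would be safer once callers are audited.
        logger.error("ERROR: Cert does not self validate")
    finally:
        os.chdir(cwd)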