def cmd_revoke(workingdir, name=None, serial=None):
cwd = os.getcwd()
try:
fs_util.ch_dir(workingdir)
priv = read_private()
if name is not None and serial is not None:
raise Exception(
"You may not specify a cert and a serial at the same time")
if name is None and serial is None:
raise Exception("You must specify a cert or a serial to revoke")
if name is not None:
# load up the cert
cert = load_cert_by_path(f"{name}-cert.crt")
serial = cert.serial_number
# convert serial to string
serial = str(serial)
# get the ca key cert and keys as strings
with open("cacert.crt", encoding="utf-8") as f:
cacert = f.read()
ca_pk = priv[0]["ca"].decode("utf-8")
if serial not in priv[0]["revoked_keys"]:
priv[0]["revoked_keys"].append(serial)
crl = ca_impl.gencrl(priv[0]["revoked_keys"], cacert, ca_pk)
write_private(priv)
# write out the CRL to the disk
if os.stat("cacrl.der").st_size:
with open("cacrl.der", "wb") as f:
f.write(crl)
convert_crl_to_pem("cacrl.der", "cacrl.pem")
finally:
os.chdir(cwd)
return crl
def cmd_regencrl(workingdir):
cwd = os.getcwd()
try:
fs_util.ch_dir(workingdir)
priv = read_private()
# get the ca key cert and keys as strings
with open("cacert.crt", encoding="utf-8") as f:
cacert = f.read()
ca_pk = priv[0]["ca"].decode()
crl = ca_impl.gencrl(priv[0]["revoked_keys"], cacert, ca_pk)
write_private(priv)
# write out the CRL to the disk
with open("cacrl.der", "wb") as f:
f.write(crl)
convert_crl_to_pem("cacrl.der", "cacrl.pem")
finally:
os.chdir(cwd)
return crl
def cmd_init(workingdir):
cwd = os.getcwd()
try:
fs_util.ch_dir(workingdir)
rmfiles("*.pem")
rmfiles("*.crt")
rmfiles("*.zip")
rmfiles("*.der")
rmfiles("private.yml")
cacert, ca_pk, _ = ca_impl.mk_cacert() # pylint: disable=W0632
priv = read_private()
# write out keys
with open("cacert.crt", "wb") as f:
f.write(cacert.public_bytes(serialization.Encoding.PEM))
priv[0]["ca"] = ca_pk.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
)
# store the last serial number created.
# the CA is always serial # 1
priv[0]["lastserial"] = 1
write_private(priv)
with os.fdopen(
os.open("ca-public.pem", os.O_WRONLY | os.O_CREAT, 0o600),
"wb") as f:
f.write(ca_pk.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo))
# generate an empty crl
cacert_str = cacert.public_bytes(serialization.Encoding.PEM).decode()
crl = ca_impl.gencrl([], cacert_str, priv[0]["ca"].decode())
if isinstance(crl, str):
crl = crl.encode("utf-8")
with open("cacrl.der", "wb") as f:
f.write(crl)
convert_crl_to_pem("cacrl.der", "cacrl.pem")
# Sanity checks...
cac = load_cert_by_path("cacert.crt")
pubkey = cacert.public_key()
pubkey.verify(
cac.signature,
cac.tbs_certificate_bytes,
padding.PKCS1v15(),
cac.signature_hash_algorithm,
)
logger.info("CA certificate created successfully in %s", workingdir)
except crypto_exceptions.InvalidSignature:
logger.error("ERROR: Cert does not self validate")
finally:
os.chdir(cwd)