Revize 1fa20e93
Přidáno uživatelem Stanislav Král před téměř 4 roky(ů)
| src/services/certificate_service.py | ||
|---|---|---|
| 434 | 434 |
# Read the selected certificate from the repository |
| 435 | 435 |
certificate = self.certificate_repository.read(id) |
| 436 | 436 |
if certificate is None: |
| 437 |
Logger.error("Certificate whose details were requested does not exists.")
|
|
| 437 |
Logger.error("Certificate whose details were requested does not exist.")
|
|
| 438 | 438 |
raise CertificateNotFoundException(id) |
| 439 | 439 |
|
| 440 | 440 |
# check the expiration date using OpenSSL |
| ... | ... | |
| 477 | 477 |
|
| 478 | 478 |
return self.configuration.base_server_url + "/api/ocsp/" + str(ca_identifier) |
| 479 | 479 |
|
| 480 |
def generate_pkcs_identity(self, cert_id: int, cert_key: PrivateKey, identity_name: str, identity_passphrase: str): |
|
| 481 |
""" |
|
| 482 |
Generates a PKCS identity of the certificate given by the specified ID while using the private key passed. |
|
| 483 |
A name of the identity to be used and certificate's passphrase have to be specified as well as the passphrase |
|
| 484 |
of certificate's private key (if encrypted). |
|
| 485 |
:param cert_id: ID of the certificate to be put into the PKCS identity store |
|
| 486 |
:param cert_key: key used to sign the given certificate |
|
| 487 |
:param identity_name: name to be given to the identity to be created |
|
| 488 |
:param identity_passphrase: passphrase to be used to encrypt the identity |
|
| 489 |
:return: byte array containing the generated identity (PKCS12 store) |
|
| 490 |
""" |
|
| 491 |
Logger.debug("Function launched.")
|
|
| 492 |
|
|
| 493 |
# Read the selected certificate from the repository |
|
| 494 |
certificate = self.certificate_repository.read(cert_id) |
|
| 495 |
if certificate is None: |
|
| 496 |
Logger.error("Certificate whose identity should be generated does not exist.")
|
|
| 497 |
raise CertificateNotFoundException(cert_id) |
|
| 498 |
|
|
| 499 |
# get the chain of trust of the certificate whose identity should be generated and exclude the certificate |
|
| 500 |
# whose chain of trust we are querying |
|
| 501 |
cot_pem_list = [cert.pem_data for cert in self.get_chain_of_trust(cert_id, exclude_root=False)[1:]] |
|
| 502 |
|
|
| 503 |
return self.cryptography_service.generate_pkcs_identity(certificate.pem_data, cert_key.private_key, |
|
| 504 |
identity_name, |
|
| 505 |
identity_passphrase, cot_pem_list, cert_key.password) |
|
| 506 |
|
|
| 480 | 507 |
|
| 481 | 508 |
class RevocationReasonInvalidException(Exception): |
| 482 | 509 |
""" |
| tests/integration_tests/services/certificate_service_test.py | ||
|---|---|---|
| 394 | 394 |
|
| 395 | 395 |
with pytest.raises(CertificateNotFoundException) as e: |
| 396 | 396 |
certificate_service_unique.get_certificate_state(888) |
| 397 |
|
|
| 398 |
|
|
| 399 |
def test_create_pkcs_identity(certificate_service_unique, private_key_service_unique): |
|
| 400 |
# create tests certificates |
|
| 401 |
root_ca_private_key = private_key_service_unique.create_new_key() |
|
| 402 |
intermediate_ca_key = private_key_service_unique.create_new_key() |
|
| 403 |
child_key = private_key_service_unique.create_new_key() |
|
| 404 |
|
|
| 405 |
root_ca_cert = certificate_service_unique.create_root_ca(root_ca_private_key, |
|
| 406 |
Subject(common_name="RootFoo", |
|
| 407 |
organization_unit="Department of Foo")) |
|
| 408 |
|
|
| 409 |
intermediate_ca_cert = certificate_service_unique.create_end_cert(intermediate_ca_key, |
|
| 410 |
Subject(common_name="Intermediate Bar"), |
|
| 411 |
root_ca_cert, |
|
| 412 |
root_ca_private_key, usages={SSL_ID: True})
|
|
| 413 |
|
|
| 414 |
child_cert = certificate_service_unique.create_end_cert(child_key, |
|
| 415 |
Subject(common_name="Foo Child"), |
|
| 416 |
intermediate_ca_cert, |
|
| 417 |
intermediate_ca_key, usages={SSL_ID: True})
|
|
| 418 |
|
|
| 419 |
# generate the identity |
|
| 420 |
pkcs = certificate_service_unique.generate_pkcs_identity(child_cert.certificate_id, child_key, "Foo Child's Identity", "pass") |
|
| 421 |
|
|
| 422 |
# print out the pkcs store in order to be able to check it |
|
| 423 |
pkcs_info = subprocess.check_output( |
|
| 424 |
["openssl", "pkcs12", "-info", "-in", "-", "-nodes", "-passin", "pass:pass"], |
|
| 425 |
input=pkcs, |
|
| 426 |
stderr=subprocess.STDOUT).decode() |
|
| 427 |
|
|
| 428 |
assert child_cert.pem_data in pkcs_info |
|
| 429 |
assert intermediate_ca_cert.pem_data in pkcs_info |
|
| 430 |
assert root_ca_cert.pem_data in pkcs_info |
|
| 431 |
|
|
| 432 |
|
|
| 433 |
def test_create_pkcs_identity_incorrect_id(certificate_service_unique): |
|
| 434 |
with pytest.raises(CertificateNotFoundException): |
|
| 435 |
certificate_service_unique.generate_pkcs_identity(999, None, None, None) |
|
Také k dispozici: Unified diff
Re #8708 - Implemented a new method in the CertificateService that does generate a PKCS12 identity by using the CryptographyService
Covered the new method with few integration tests
Fixed minor typos in the CertificateService