Revize 2c8b7911
Přidáno uživatelem Stanislav Král před téměř 4 roky(ů)
src/services/cryptography.py | ||
---|---|---|
2 | 2 |
import subprocess |
3 | 3 |
import time |
4 | 4 |
import random |
5 |
from typing import List |
|
5 | 6 |
|
6 | 7 |
from src.constants import CRL_CONFIG |
7 | 8 |
from src.model.certificate import Certificate |
... | ... | |
411 | 412 |
|
412 | 413 |
# openssl ca requires the .srl file to exists, therefore a dummy, unused file is created |
413 | 414 |
with TemporaryFile("serial.srl", "0") as serial_file, \ |
414 |
TemporaryFile("crl.conf", CRL_CONFIG % (index_file_path, serial_file)) as config_file, \ |
|
415 |
TemporaryFile("certificate.pem", cert.pem_data) as cert_file, \ |
|
416 |
TemporaryFile("private_key.pem", key.private_key) as key_file: |
|
417 |
|
|
415 |
TemporaryFile("crl.conf", CRL_CONFIG % (index_file_path, serial_file)) as config_file, \ |
|
416 |
TemporaryFile("certificate.pem", cert.pem_data) as cert_file, \ |
|
417 |
TemporaryFile("private_key.pem", key.private_key) as key_file: |
|
418 | 418 |
args = ["ca", "-config", config_file, "-gencrl", "-keyfile", key_file, "-cert", cert_file, "-outdir", "."] |
419 | 419 |
|
420 | 420 |
if key.password is not None and key.password != "": |
... | ... | |
437 | 437 |
Logger.debug("Function launched.") |
438 | 438 |
|
439 | 439 |
with TemporaryFile("certificate.pem", cert.pem_data) as ca_certificate, \ |
440 |
TemporaryFile("private_key.pem", key.private_key) as key_file, \ |
|
441 |
TemporaryFile("request.der", der_ocsp_request) as request_file: |
|
442 |
|
|
440 |
TemporaryFile("private_key.pem", key.private_key) as key_file, \ |
|
441 |
TemporaryFile("request.der", der_ocsp_request) as request_file: |
|
443 | 442 |
args = ["ocsp", "-index", index_path, "-CA", ca_certificate, "-rsigner", ca_certificate, "-rkey", key_file, |
444 | 443 |
"-reqin", request_file, "-respout", "-"] |
445 | 444 |
|
... | ... | |
448 | 447 |
|
449 | 448 |
return self.__run_for_output(args) |
450 | 449 |
|
450 |
def generate_pkcs_identity(self, cert_pem: str, cert_key_pem: str, identity_name: str, identity_passphrase: str, |
|
451 |
chain_of_trust_pems: List[str], cert_key_passphrase: str = None): |
|
452 |
""" |
|
453 |
Generates a PKCS12 identity of the given child certificate while including the given chain of trust. |
|
454 |
|
|
455 |
:param cert_pem: PEM of the certificate whose identity should be created |
|
456 |
:param cert_key_pem: PEM of the private key used to sign the certificate whose identity should be created |
|
457 |
:param identity_name: the name to be given to the identity created |
|
458 |
:param chain_of_trust_pems: list of PEMs representing certificates present in the chain of trust of the certificate |
|
459 |
whose identity should be created |
|
460 |
:param identity_passphrase: passphrase to be used when encrypting the identity |
|
461 |
:param cert_key_passphrase: passphrase of the key used to sign the certificate whose identity should be created |
|
462 |
:return: byte array containing the generated identity |
|
463 |
""" |
|
464 |
with TemporaryFile("cert_key.pem", cert_key_pem) as cert_key_pem_file: |
|
465 |
args = ["pkcs12", "-export", "-name", identity_name, "-in", "-", "-inkey", cert_key_pem_file, "-CAfile", |
|
466 |
"-", "-passout", f"pass:{identity_passphrase}", "-passin", f"pass:{cert_key_passphrase}"] |
|
467 |
return self.__run_for_output(args, |
|
468 |
proc_input=bytes(cert_pem + "".join(chain_of_trust_pems), |
|
469 |
encoding="utf-8")) |
|
470 |
|
|
451 | 471 |
|
452 | 472 |
class CryptographyException(Exception): |
453 | 473 |
|
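Review bot: `generate_pkcs_identity` (new lines 450-470) unconditionally appends `-passin f"pass:{cert_key_passphrase}"`, so the default `cert_key_passphrase=None` hands OpenSSL the literal passphrase `None`; the CRL path at line 420 only adds the passphrase argument when `key.password` is non-empty, and this method should do the same: `if cert_key_passphrase: args += ["-passin", f"pass:{cert_key_passphrase}"]`. Both `pass:` arguments also place the identity and key passphrases on the `openssl` command line, where any local process that can list process arguments can read them for as long as the subprocess runs; since the method already writes the key into a `TemporaryFile`, the same helper could supply the passphrases through OpenSSL's `file:` (or `fd:`) passphrase sources instead of `pass:`. It is not clear from the hunk whether `-CAfile -` has any effect without `-chain` (the chain PEMs are already concatenated onto stdin behind `-in -`), so the unit tests mentioned in the description should confirm the chain certificates actually end up in the PKCS12 output. `__run_for_output` and the `TemporaryFile` helper are defined outside the hunk.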
Re #8708 - Implemented a new method in the CryptographyService that allows the caller to create a PKCS12 identity of a certificate and its chain of trust
Covered the new method with unit tests.