Revize 329216fe
Přidáno uživatelem Stanislav Král před téměř 4 roky(ů)
| src/services/certificate_service.py | ||
|---|---|---|
| 4 | 4 |
|
| 5 | 5 |
from src.config.configuration import Configuration |
| 6 | 6 |
from src.constants import ROOT_CA_ID, INTERMEDIATE_CA_ID, CA_ID, CERTIFICATE_ID, CERTIFICATE_STATES, \ |
| 7 |
CERTIFICATE_REVOCATION_REASONS |
|
| 7 |
CERTIFICATE_REVOCATION_REASONS, SSL_ID, SIGNATURE_ID, AUTHENTICATION_ID
|
|
| 8 | 8 |
from src.dao.certificate_repository import CertificateRepository |
| 9 | 9 |
from src.exceptions.certificate_not_found_exception import CertificateNotFoundException |
| 10 | 10 |
from src.exceptions.database_exception import DatabaseException |
| ... | ... | |
| 16 | 16 |
|
| 17 | 17 |
import time |
| 18 | 18 |
|
| 19 |
from src.utils.usages_to_extensions import usages_to_extension_lines, ExtensionFieldFlags, CRITICAL, KEY_CERT_SIGN, \ |
|
| 20 |
CRL_SIGN, CA, DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT, SERVER_AUTH, NON_REPUDIATION, TIME_STAMPING, \ |
|
| 21 |
CLIENT_AUTH |
|
| 22 |
|
|
| 19 | 23 |
VALID_FROM_TO_DATE_FORMAT = "%d.%m.%Y %H:%M:%S" |
| 20 | 24 |
CA_EXTENSIONS = "basicConstraints=critical,CA:TRUE" |
| 21 | 25 |
CRL_EXTENSION = "crlDistributionPoints=URI:" |
| ... | ... | |
| 23 | 27 |
STATUS_REVOKED = "revoked" |
| 24 | 28 |
STATUS_VALID = "valid" |
| 25 | 29 |
|
| 30 |
# define which flags are required for various usages |
|
| 31 |
REQUIRED_USAGE_EXTENSION_FLAGS = {
|
|
| 32 |
CA_ID: ExtensionFieldFlags({CRITICAL, KEY_CERT_SIGN, CRL_SIGN}, {}, {CRITICAL, CA}),
|
|
| 33 |
SSL_ID: ExtensionFieldFlags({DIGITAL_SIGNATURE, KEY_ENCIPHERMENT, KEY_AGREEMENT}, {SERVER_AUTH}, {}),
|
|
| 34 |
SIGNATURE_ID: ExtensionFieldFlags({DIGITAL_SIGNATURE, NON_REPUDIATION}, {TIME_STAMPING}, {}),
|
|
| 35 |
AUTHENTICATION_ID: ExtensionFieldFlags({DIGITAL_SIGNATURE}, {CLIENT_AUTH}, {})}
|
|
| 36 |
|
|
| 26 | 37 |
|
| 27 | 38 |
class CertificateService: |
| 28 | 39 |
|
| ... | ... | |
| 52 | 63 |
|
| 53 | 64 |
cert_id = self.certificate_repository.get_next_id() |
| 54 | 65 |
|
| 66 |
# specify CA usage |
|
| 67 |
usages[CA_ID] = True |
|
| 68 |
|
|
| 69 |
# generate extension configuration lines based on the specified usages |
|
| 70 |
extensions = extensions + "\n" + "\n".join(usages_to_extension_lines(usages, REQUIRED_USAGE_EXTENSION_FLAGS)) |
|
| 71 |
|
|
| 55 | 72 |
# create a new self signed certificate |
| 56 | 73 |
cert_pem = self.cryptography_service.create_sscrt(subject, key.private_key, key_pass=key.password, |
| 57 | 74 |
extensions=extensions, config=config, days=days, sn=cert_id) |
| 58 |
# specify CA usage |
|
| 59 |
usages[CA_ID] = True |
|
| 60 | 75 |
|
| 61 | 76 |
# wrap into Certificate class |
| 62 | 77 |
certificate = self.__create_wrapper(cert_pem, key.private_key_id, usages, 0, |
| ... | ... | |
| 111 | 126 |
if usages is None: |
| 112 | 127 |
usages = {}
|
| 113 | 128 |
|
| 114 |
extensions = extensions + "\n" + CA_EXTENSIONS |
|
| 129 |
# specify CA usage |
|
| 130 |
usages[CA_ID] = True |
|
| 131 |
|
|
| 132 |
# generate extension configuration lines based on the specified usages |
|
| 133 |
extensions = extensions + "\n" + "\n".join(usages_to_extension_lines(usages, REQUIRED_USAGE_EXTENSION_FLAGS)) |
|
| 134 |
|
|
| 115 | 135 |
# Add CRL and OCSP distribution point to certificate extensions |
| 116 | 136 |
cert_id = self.certificate_repository.get_next_id() |
| 117 | 137 |
extensions = extensions + "\n" + CRL_EXTENSION + " " + self.__get_crl_endpoint(issuer_cert.certificate_id) |
| ... | ... | |
| 125 | 145 |
days=days, |
| 126 | 146 |
sn=cert_id) |
| 127 | 147 |
|
| 128 |
# specify CA usage |
|
| 129 |
usages[CA_ID] = True |
|
| 130 |
|
|
| 131 | 148 |
# wrap into Certificate class |
| 132 | 149 |
self.__create_wrapper(cert_pem, subject_key.private_key_id, usages, |
| 133 | 150 |
issuer_cert.certificate_id, INTERMEDIATE_CA_ID) |
| ... | ... | |
| 139 | 156 |
not_before_formatted = time.strftime(VALID_FROM_TO_DATE_FORMAT, not_before) |
| 140 | 157 |
not_after_formatted = time.strftime(VALID_FROM_TO_DATE_FORMAT, not_after) |
| 141 | 158 |
|
| 142 |
# specify CA usage |
|
| 143 |
usages[CA_ID] = True |
|
| 144 |
|
|
| 145 | 159 |
# create a certificate wrapper |
| 146 | 160 |
certificate = Certificate(-1, subject.common_name, not_before_formatted, not_after_formatted, cert_pem, |
| 147 | 161 |
subject_key.private_key_id, INTERMEDIATE_CA_ID, issuer_cert.certificate_id, usages) |
| ... | ... | |
| 174 | 188 |
# get the next certificate ID in order to be able to specify the serial number |
| 175 | 189 |
cert_id = self.certificate_repository.get_next_id() |
| 176 | 190 |
|
| 191 |
# generate extension configuration lines based on the specified usages |
|
| 192 |
extensions = extensions + "\n" + "\n".join(usages_to_extension_lines(usages, REQUIRED_USAGE_EXTENSION_FLAGS)) |
|
| 193 |
|
|
| 177 | 194 |
# Add CRL and OCSP distribution point to certificate extensions |
| 178 | 195 |
extensions = extensions + "\n" + CRL_EXTENSION + " " + self.__get_crl_endpoint(issuer_cert.certificate_id) |
| 179 | 196 |
extensions = extensions + "\n" + OCSP_EXTENSION + " " + self.__get_ocsp_endpoint(issuer_cert.certificate_id) |
Také k dispozici: Unified diff
Re #8585 - Fixed an issue where required extensions based on cert. usages were not present in the generated certificate
Created an utility that converts usages to extension configuration lines
Defined which extension field flags are required for certain usages