
Revize 5fdd01a6

Přidáno uživatelem Stanislav Král před asi 4 roky(ů)

Re #8472 - Added verify_ca method that verifies whether a certificate has expired

Added 3 unit tests that verify the added method.
Added "days" parameter to some methods in order to be able to specify the number of days after which the generated certificate will expire.


proj/services/cryptography.py
135 135

  
136 136
        return self._run_for_output(args, proc_input=bytes(subject_key, encoding="utf-8")).decode()
137 137

  
138
    def sign_csr(self, csr, issuer_pem, issuer_key, issuer_key_pass=None, config="", extensions=""):
138
    def sign_csr(self, csr, issuer_pem, issuer_key, issuer_key_pass=None, config="", extensions="", days=30):
139 139
        """
140 140
        Signs the given CSR by the given issuer CA
141 141
        :param csr: a string containing the CSR to be signed
......
145 145
        format
146 146
        :param config: TODO NOT USED
147 147
        :param extensions: extensions to be applied when signing the CSR
148
        :param days: number of days for which the certificate will be valid TODO this parameter is not in the SW arch.
148 149
        :return: string containing the generated and signed certificate in PEM format
149 150
        """
150 151

  
......
153 154

  
154 155
        # prepare openssl parameters...
155 156
        # CSR, CA and CA's private key will be passed via stdin (that's the meaning of the '-' symbol)
156
        params = ["x509", "-req", "-in", "-", "-CA", "-", "-CAkey", "-", "-CAcreateserial"]
157
        params = ["x509", "-req", "-in", "-", "-CA", "-", "-CAkey", "-", "-CAcreateserial", "-days", str(days)]
157 158

  
158 159
        # TODO delete created -.srl file
159 160

  
......
169 170

  
170 171
    def create_crt(self, subject, subject_key, issuer_pem, issuer_key, subject_key_pass=None, issuer_key_pass=None,
171 172
                   config="",
172
                   extensions=""):
173
                   extensions="",
174
                   days=30):
173 175
        """
174 176
        Signs the given CSR by the given issuer CA
175 177
        :param subject: subject to be added to the created certificate
......
183 185
        format
184 186
        :param config: TODO NOT USED
185 187
        :param extensions: extensions to be applied when creating the certificate
188
        :param days: number of days for which the certificate will be valid
186 189
        :return: string containing the generated certificate in PEM format
187 190
        """
188 191
        csr = self.make_csr(subject, subject_key, subject_key_pass=subject_key_pass)
189
        return self.sign_csr(csr, issuer_pem, issuer_key, issuer_key_pass=issuer_key_pass, extensions=extensions)
192
        return self.sign_csr(csr, issuer_pem, issuer_key, issuer_key_pass=issuer_key_pass, extensions=extensions,
193
                             days=days)
194

  
195
    @staticmethod
196
    def verify_ca(certificate, key, key_pass=None):
197
        # TODO could be renamed to "verify_certificate"? This method can verify all certificates, not just CAs.
198
        # call openssl to check whether the certificate is valid to this date
199
        args = [OPENSSL_EXECUTABLE, "x509", "-checkend", "0", "-noout", "-text", "-in", "-"]
200

  
201
        # create a new process
202
        proc = subprocess.Popen(args, stdin=subprocess.PIPE,
203
                                stdout=subprocess.PIPE,
204
                                stderr=subprocess.PIPE)
205

  
206
        out, err = proc.communicate(bytes(certificate, encoding="utf-8"))
207

  
208
        # zero return code means that the certificate is valid
209
        if proc.returncode == 0:
210
            return True
211
        elif proc.returncode == 1 and "Certificate will expire" in out.decode():
212
            # 1 return code means that the certificate is invalid but such message has to be present in the proc output
213
            return False
214
        else:
215
            # the process failed because of some other reason (incorrect cert format)
216
            raise CryptographyException(OPENSSL_EXECUTABLE, args, err.decode())
190 217

  
191 218

  
192 219
class CryptographyException(Exception):
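Review bot: The new `verify_ca` accepts `key` and `key_pass` but never uses them, and the openssl invocation (`x509 -checkend 0`) only evaluates the notAfter date, so the method says nothing about the signature, the issuing chain or notBefore; a caller going by the name could reasonably assume a fuller validation. The method also has no docstring, unlike its siblings, so the limitation is invisible at the call site; I would add one such as `"""Returns True if the certificate's notAfter date has not passed, False if it has expired. Performs no signature or chain validation; key and key_pass are currently unused."""` and either drop or document the two unused parameters. `-text` in `args` dumps the whole certificate into `out` although only the return code and the `Certificate will expire` marker are consumed, so `["x509", "-checkend", "0", "-noout", "-in", "-"]` would suffice. The same hard-coded `days=30` default now appears in both `sign_csr` and `create_crt`; a single module-level constant would keep the two in step.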
