ASWI - Pokročilé softwarové inženýrství » ASWI 2021 » Aplikace pro správu X.509 certifikátů (Yoso Czech s.r.o.) - JMSD

from typing import Dict, List

from src.exceptions.database_exception import DatabaseException

from src.model.certificate import Certificate

from src.utils.logger import Logger

class CertificateRepository:

        :return: the result of whether the creation was successful

        """

        try:

            sql = (f"INSERT INTO {TAB_CERTIFICATES} "

                   f"({COL_COMMON_NAME},"

                        values = [last_id, usage_id]

                        self.cursor.execute(sql, values)

                        self.connection.commit()

        return last_id

        :return: instance of the Certificate object

        """

        try:

            sql = (f"SELECT * FROM {TAB_CERTIFICATES} "

                   f"WHERE {COL_ID} = ?")

                                                   usage_dict,

                                                   certificate_row[5],

                                                   certificate_row[6])

        return certificate

        :return: list of certificates

        """

        try:

            sql_extension = ""

            values = []

                                                usage_dict,

                                                certificate_row[5],

                                                certificate_row[6]))

        return certificates

        :return: the result of whether the updation was successful

        """

        try:

            sql = (f"UPDATE {TAB_CERTIFICATES} "

                   f"SET {COL_COMMON_NAME} = ?, "

                    values = [certificate_id, usage_id]

                    self.cursor.execute(sql, values)

                    self.connection.commit()

        return self.cursor.rowcount > 0

        :return: the result of whether the deletion was successful

        """

        try:

            sql = (f"DELETE FROM {TAB_CERTIFICATES} "

                   f"WHERE {COL_ID} = ?")

            values = [certificate_id]

            self.cursor.execute(sql, values)

            self.connection.commit()

        return self.cursor.rowcount > 0

            sqlite3.Error if an exception is thrown

        """

        try:

            if revocation_date != "" and revocation_reason == "":

                revocation_reason = REV_REASON_UNSPECIFIED

                      certificate_id]

            self.cursor.execute(sql, values)

            self.connection.commit()

        return self.cursor.rowcount > 0

            sqlite3.Error if an exception is thrown

        """

        try:

            sql = (f"UPDATE {TAB_CERTIFICATES} "

                   f"SET {COL_REVOCATION_DATE} = '', "

            values = [certificate_id]

            self.cursor.execute(sql, values)

            self.connection.commit()

        return self.cursor.rowcount > 0

            sqlite3.Error if an exception is thrown

        """

        try:

            sql = (f"SELECT * FROM {TAB_CERTIFICATES} "

                   f"WHERE {COL_PARENT_ID} = ? AND {COL_REVOCATION_DATE} IS NOT NULL AND {COL_REVOCATION_DATE} != ''")

                                                usage_dict,

                                                certificate_row[5],

                                                certificate_row[6]))

        return certificates

            sqlite3.Error if an exception is thrown

        """

        try:

            sql = (f"SELECT * FROM {TAB_CERTIFICATES} "

                   f"WHERE {COL_PARENT_ID} = ? AND {COL_ID} != ?")

                                                usage_dict,

                                                certificate_row[5],

                                                certificate_row[6]))

        return certificates

        :param certificate_id: target certificate ID

        :return: list of all descendants

        """

        return all_certs

    def get_next_id(self) -> int:

        Get identifier of the next certificate that will be inserted into the database

        :return: identifier of the next certificate that will be added into the database

        """

        return 1

from typing import List

from injector import inject

from src.exceptions.database_exception import DatabaseException

from src.model.private_key import PrivateKey

from src.constants import *

class PrivateKeyRepository:

            self.cursor.execute(sql, values)

            last_id = self.cursor.lastrowid

            self.connection.commit()

        return last_id

            private_key: PrivateKey = PrivateKey(private_key_row[0],

                                                 private_key_row[1],

                                                 private_key_row[2])

        return private_key

                private_keys.append(PrivateKey(private_key_row[0],

                                               private_key_row[1],

                                               private_key_row[2]))

        return private_keys

                      private_key_id]

            self.cursor.execute(sql, values)

            self.connection.commit()

        return self.cursor.rowcount > 0

            values = [private_key_id]

            self.cursor.execute(sql, values)

            self.connection.commit()

        return self.cursor.rowcount > 0

import time

VALID_FROM_TO_DATE_FORMAT = "%d.%m.%Y %H:%M:%S"

CA_EXTENSIONS = "basicConstraints=critical,CA:TRUE"

CRL_EXTENSION = "crlDistributionPoints=URI:"

        :param days: Number of days for which the generated cert. will be considered valid

        :return: An instance of Certificate class representing the generated root CA cert

        """

        if usages is None:

            usages = {}

        :param cert_type: Type of this certificate (see constants.py)

        :return: An instance of the Certificate class wrapping the values passed  via method parameters

        """

        # parse the generated pem for subject and notBefore/notAfter fields

        # TODO this could be improved in the future in such way that calling openssl is not required to parse the dates

        subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem)

        :param days: Number of days for which the generated cert. will be considered valid

        :return: An instance of Certificate class representing the generated intermediate CA cert

        """

        if usages is None:

            usages = {}

        :param days: Number of days for which the generated cert. will be considered valid

        :return: An instance of Certificate class representing the generated cert

        """

        if usages is None:

            usages = {}

        :return: Instance of the Certificate class containing a certificate with the given id or `None` if such

        certificate is not found

        """

        return self.certificate_repository.read(unique_id)

    def get_certificates(self, cert_type=None) -> List[Certificate]:

        :return: List of instances of the Certificate class representing all certificates present in the certificate

        repository. An empty list is returned when no certificates are found.

        """

        return self.certificate_repository.read_all(cert_type)

    def get_chain_of_trust(self, from_id: int, to_id: int = -1, exclude_root=True) -> List[Certificate]:

        :return: a list of certificates representing the chain of trust starting with the certificate given by `from_id`

        ID

        """

        # read the first certificate of the chain

        start_cert = self.certificate_repository.read(from_id)

        :param unique_id: ID of specific certificate

        """

        to_delete = self.certificate_repository.get_all_descendants_of(unique_id)

        if to_delete is None:

            raise CertificateNotFoundException(unique_id)

        for cert in to_delete:

            try:

                self.set_certificate_revocation_status(cert.certificate_id, STATUS_REVOKED)

            except CertificateAlreadyRevokedException:

                # TODO log as an info/debug, not warning or above <-- perfectly legal

                pass

    def get_certificates_issued_by(self, unique_id):

        """

        :param unique_id: target certificate ID

        :return: children of unique_id

        """

        try:

            if self.certificate_repository.read(unique_id) is None:

                raise CertificateNotFoundException(unique_id)

        except DatabaseException:

            raise CertificateNotFoundException(unique_id)

        return self.certificate_repository.get_all_issued_by(unique_id)

        :param id: identifier of the certificate whose status is to be changed

        :param status: new status of the certificate

        """

        if status not in CERTIFICATE_STATES:

            raise CertificateStatusInvalidException(status)

        if reason not in CERTIFICATE_REVOCATION_REASONS:

            raise RevocationReasonInvalidException(reason)

        # check whether the certificate exists

        certificate = self.certificate_repository.read(id)

        if certificate is None:

            raise CertificateNotFoundException(id)

        updated = False

            # check if the certificate is not revoked already

            revoked = self.certificate_repository.get_all_revoked_by(certificate.parent_id)

            if certificate.certificate_id in [x.certificate_id for x in revoked]:

                raise CertificateAlreadyRevokedException(id)

            revocation_timestamp = int(time.time())

            updated = self.certificate_repository.set_certificate_revoked(id, str(revocation_timestamp), reason)

        if not updated:

            raise UnknownException("Repository returned 'false' from clear_certificate_revocation() "

                                   "or set_certificate_revoked().")

        :param certificate: certificate instance whose Subject shall be parsed

        :return: instance of Subject class containing resulting distinguished name

        """

        (subject, _, _) = self.cryptography_service.parse_cert_pem(certificate.pem_data)

        return subject

        should be extracted.

        :return: a string containing the extracted public key in PEM format

        """

        return self.cryptography_service.extract_public_key_from_certificate(certificate.pem_data)

    def __get_crl_endpoint(self, ca_identifier: int) -> str:

        :param ca_identifier: ID of issuing authority

        :return: CRL endpoint for the given CA

        """

        return self.configuration.base_server_url + "/api/crl/" + str(ca_identifier)

    def __get_ocsp_endpoint(self, ca_identifier: int) -> str:

        :param ca_identifier: ID of issuing authority

        :return: OCSP endpoint for the given CA

        """

        return self.configuration.base_server_url + "/api/ocsp/" + str(ca_identifier)

from src.model.certificate import Certificate

from src.model.private_key import PrivateKey

from src.model.subject import Subject

from src.utils.temporary_file import TemporaryFile

# encryption method to be used when generating private keys

        :param subject: subject to be converted

        :return: a dictionary containing openssl field names mapped to subject's fields

        """

        subj_dict = {}

        if subject.common_name is not None:

            subj_dict["CN"] = subject.common_name

        :param executable: Executable to be run (defaults to openssl)

        :return: If the process ends with a zero return code then the STDOUT of the process is returned as a byte array.

        """

        if args is None:

            args = []

        try:

            if proc.returncode != 0:

                # if the process did not result in zero result code, then raise an exception

                if err is not None and len(err) > 0:

                    raise CryptographyException(executable, args, err.decode())

                else:

                    raise CryptographyException(executable, args,

                                                f""""Execution resulted in non-zero argument""")

            return out

        except FileNotFoundError:

            raise CryptographyException(executable, args, f""""{executable}" not found in the current PATH.""")

    def create_private_key(self, passphrase=None):

        encrypted at all). Empty passphrase ("") also results in a key that is not encrypted.

        :return: string containing the generated private key in PEM format

        """

        if passphrase is None or len(passphrase) == 0:

            return self.__run_for_output(["genrsa", "2048"]).decode()

        else:

        :return: string containing the generated certificate in PEM format

        """

        assert key is not None

        assert subject is not None

        :return: string containing the generated certificate signing request in PEM format

        """

        subj_param = self.__subject_to_param_format(subject)

        args = ["req", "-new", "-subj", subj_param, "-key", "-"]

        :return: string containing the generated and signed certificate in PEM format

        """

        # concatenate CSR, issuer certificate and issuer's key (will be used in the openssl call)

        proc_input = csr + issuer_pem + issuer_key

        :param sn: serial number to be set, when "None" is set a random serial number is generated

        :return: string containing the generated certificate in PEM format

        """

        csr = self.__create_csr(subject, subject_key, key_pass=subject_key_pass)

        return self.__sign_csr(csr, issuer_pem, issuer_key, issuer_key_pass=issuer_key_pass, extensions=extensions,

                               days=days, sn=sn)

        :param certificate: certificate to be verified in PEM format

        :return: Returns `true` if the certificate is not expired, `false` when expired.

        """

        # call openssl to check whether the certificate is valid to this date

        args = [OPENSSL_EXECUTABLE, "x509", "-checkend", "0", "-noout", "-text", "-in", "-"]

            return False

        else:

            # the process failed because of some other reason (incorrect cert format)

            raise CryptographyException(OPENSSL_EXECUTABLE, args, err.decode())

    def extract_public_key_from_private_key(self, private_key_pem: str, passphrase=None) -> str:

        :param passphrase: passphrase to be provided when the supplied private key is encrypted

        :return: a string containing the extracted public key in PEM format

        """

        args = ["rsa", "-in", "-", "-pubout"]

        if passphrase is not None:

            args.extend(["-passin", f"pass:{passphrase}"])

        :param cert_pem: PEM data representing a certificate from which a public key should be extracted

        :return: a string containing the extracted public key in PEM format

        """

        # extracting public key from a certificate does not seem to require a passphrase even when

        # signed using an encrypted PK

        args = ["x509", "-in", "-", "-noout", "-pubkey"]

        :param cert_pem: a certificated in a PEM format to be parsed

        :return: a tuple containing a subject, NOT_BEFORE and NOT_AFTER dates

        """

        # run openssl x509 to view certificate content

        args = ["x509", "-noout", "-subject", "-startdate", "-enddate", "-in", "-"]

        Get version of the OpenSSL installed on the system

        :return: version of the OpenSSL as returned from the process

        """

        return self.__run_for_output(["version"]).decode("utf-8")

    def generate_crl(self, cert: Certificate, key: PrivateKey, index_file_path: str) -> str:

        :param index_file_path: path to a file that contains the openssl index with all revoked certificates

        :return: CRL encoded in PEM format string

        """

        # openssl ca requires the .srl file to exists, therefore a dummy, unused file is created

        with TemporaryFile("serial.srl", "0") as serial_file, \

             TemporaryFile("crl.conf", CRL_CONFIG % (index_file_path, serial_file)) as config_file, \

        :param der_ocsp_request: DER encoded OCSP Request

        :return: DER encoded OCSP Response

        """

        with TemporaryFile("certificate.pem", cert.pem_data) as ca_certificate, \

             TemporaryFile("private_key.pem", key.private_key) as key_file, \

             TemporaryFile("request.der", der_ocsp_request) as request_file:

        self.message = message

    def __str__(self):

        EXECUTABLE: {self.executable}

        ARGS: {self.args}

        MESSAGE: {self.message}

        """

from src.dao.private_key_repository import PrivateKeyRepository

from src.model.private_key import PrivateKey

from src.services.cryptography import CryptographyService

class KeyService:

        :param passphrase: Passphrase to be used when encrypting the PK

        :return: An instance of the <PrivateKey> class representing the generated PK

        """

        # generate a new private key

        private_key_pem = self.cryptography_service.create_private_key(passphrase)

        :param unique_id: ID of the PK to be found

        :return:An instance of the required PK or `None`

        """

        return self.private_key_repository.read(unique_id)

    def get_keys(self, unique_ids=None):

        :param unique_ids: An array containing IDs of PKs to be fetched from the repository.

        :return: A list of instances of the PrivateKey class representing the PKs found

        """

        if unique_ids is None:

            return self.private_key_repository.read_all()

        else:

        :param unique_id: ID of specific certificate to be deleted

        :return: `True` when the deletion was successful. `False` in other case

        """

        return self.private_key_repository.delete(unique_id)

    def get_public_key(self, private_key: PrivateKey):

        :param private_key: private key from which a public key should be extracted

        :return: a string containing the extracted public key in PEM format

        """

        return self.cryptography_service.extract_public_key_from_private_key(private_key.private_key,

                                                                             private_key.password)