Revize cc271e04
Přidáno uživatelem Michal Seják před téměř 4 roky(ů)
| src/services/crl/crl_service.py | ||
|---|---|---|
| 56 | 56 |
# join all lines with a new line |
| 57 | 57 |
return "\n".join(index_lines) |
| 58 | 58 |
|
| 59 |
def create_index(self, ca_id) -> str: |
|
| 60 |
""" |
|
| 61 |
Queries the certificate repository and looks for all certificates issued by the certificate authority given |
|
| 62 |
by the passed ID. Found certificates are then put into a string representing the CA's database index file. |
|
| 63 |
|
|
| 64 |
:param ca_id: ID of the CA whose issued (=child) certificates should be put into the index file |
|
| 65 |
:return: a str representing the content of a CA index file |
|
| 66 |
""" |
|
| 67 |
# get issuing certificate |
|
| 68 |
certificate = self.certificate_repository.read(ca_id) |
|
| 69 |
if certificate is None: |
|
| 70 |
raise CertificateNotFoundException(ca_id) |
|
| 71 |
|
|
| 72 |
# get subject and notAfter of the issuer |
|
| 73 |
subject, _, not_after = self.cryptography_service.parse_cert_pem(certificate.pem_data) |
|
| 74 |
|
|
| 75 |
index_lines = [create_index_file_valid_line(certificate, subject, not_after)] |
|
| 76 |
# iterate over revoked certificates of the CA given by an ID |
|
| 77 |
for certificate in self.certificate_repository.get_all_issued_by(ca_id): |
|
| 78 |
# extract the complete subject information and not_after date field |
|
| 79 |
subject, _, not_after = self.cryptography_service.parse_cert_pem(certificate.pem_data) |
|
| 80 |
if len(certificate.revocation_reason) > 0: |
|
| 81 |
line = create_index_file_revoked_line(certificate, |
|
| 82 |
subject, |
|
| 83 |
# parse revocation date from unix timestamp to struct_time |
|
| 84 |
datetime.utcfromtimestamp( |
|
| 85 |
int(certificate.revocation_date)).timetuple(), |
|
| 86 |
not_after) |
|
| 87 |
else: |
|
| 88 |
line = create_index_file_valid_line(certificate, subject, not_after) |
|
| 89 |
|
|
| 90 |
# append it to the list of lines |
|
| 91 |
index_lines.append(line) |
|
| 92 |
|
|
| 93 |
# join all lines with a new line |
|
| 94 |
return "\n".join(index_lines) |
|
| 95 |
|
|
| 59 | 96 |
def generate_crl_response(self, ca_id: int) -> str: |
| 60 | 97 |
""" |
| 61 | 98 |
Generate a CRL for the given certificate authority |
| ... | ... | |
| 79 | 116 |
crl_content = self.cryptography_service.generate_crl(cert, key, index_path) |
| 80 | 117 |
|
| 81 | 118 |
return crl_content |
| 119 |
|
|
| 120 |
def generate_ocsp_response(self, ca_id: int, der_ocsp_request: bytes): |
|
| 121 |
# get cert and check if the requested CA exists and if not throw an exception |
|
| 122 |
cert = self.certificate_repository.read(ca_id) |
|
| 123 |
if cert is None: |
|
| 124 |
raise CertificateNotFoundException(ca_id) |
|
| 125 |
|
|
| 126 |
# get key and check if it exists |
|
| 127 |
key = self.key_repository.read(cert.private_key_id) |
|
| 128 |
if key is None: |
|
| 129 |
raise PrivateKeyNotFoundException(ca_id) |
|
| 130 |
|
|
| 131 |
# Create an index file and call cryptography service to generate the OCSP response |
|
| 132 |
with TemporaryFile("crl.index", f"{self.create_index(ca_id)}\n") as index_path:
|
|
| 133 |
ocsp_content = self.cryptography_service.generate_ocsp(cert, key, index_path, der_ocsp_request) |
|
| 134 |
|
|
| 135 |
return ocsp_content |
|
Také k dispozici: Unified diff
Re #8577 - Added a `create_index` method (= index including valid certificates) to the CRL Service.