Revize 3e770afd
Přidáno uživatelem Jan Pašek před asi 4 roky(ů)
src/services/cryptography.py | ||
14 | 14 |
# format of NOT_BEFORE NOT_AFTER date fields |
15 | 15 |
NOT_AFTER_BEFORE_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z" |
16 | 16 |
|
17 |
# minimal configuration file to be used for openssl req command |
|
18 |
# specifies distinguished_name that references empty section only |
|
19 |
# openssl requires this option to be present |
|
20 |
MINIMAL_CONFIG_FILE = "[req]\ndistinguished_name = req_distinguished_name\n[req_distinguished_name]\n\n" |
|
21 |
|
|
22 |
# section to be used to specify extensions when creating a SSCRT |
|
23 |
SSCRT_SECTION = "sscrt_ext" |
|
24 |
|
|
25 |
CA_EXTENSIONS = "basicConstraints=critical,CA:TRUE" |
|
26 |
|
|
17 | 27 |
|
18 | 28 |
class CryptographyService: |
19 | 29 |
|
... | ... | |
110 | 120 |
|
111 | 121 |
subj = self.__subject_to_param_format(subject) |
112 | 122 |
|
123 |
# To specify extension for creating a SSCRT, one has to use a configuration |
|
124 |
# file instead of an extension file. Therefore the following code creates |
|
125 |
# the most basic configuration file with sscrt_ext section, that is later |
|
126 |
# reference in openssl req command using -extensions option. |
|
127 |
extensions += "\n"+CA_EXTENSIONS |
|
128 |
if len(config) == 0: |
|
129 |
config += MINIMAL_CONFIG_FILE+"[ " + SSCRT_SECTION + " ]"+"\n"+extensions |
|
130 |
config += "\n[ " + SSCRT_SECTION + " ]" + "\n" + extensions |
|
131 |
|
|
113 | 132 |
with TemporaryFile("openssl.conf", config) as conf_path: |
114 | 133 |
args = ["req", "-x509", "-new", "-subj", subj, "-days", f"{days}", |
115 | 134 |
"-key", "-"] |
135 |
|
|
116 | 136 |
if len(config) > 0: |
117 | 137 |
args.extend(["-config", conf_path]) |
118 |
|
|
119 | 138 |
if len(extensions) > 0: |
120 |
args.extend(["-extensions", extensions])
|
|
139 |
args.extend(["-extensions", SSCRT_SECTION]) # when creating SSCRT, section references section in config
|
|
121 | 140 |
|
122 | 141 |
# it would be best to not send the pass phrase at all, but for some reason pytest then prompts for |
123 | 142 |
# the pass phrase (this does not happen when run from pycharm) |
... | ... | |
268 | 287 |
|
269 | 288 |
# split lines |
270 | 289 |
results = re.split("\n", cert_info_raw) |
271 |
subj_line = results[0] |
|
272 |
not_before_line = results[1] |
|
273 |
not_after_line = results[2] |
|
290 |
subj_line = results[0].strip()
|
|
291 |
not_before_line = results[1].strip()
|
|
292 |
not_after_line = results[2].strip()
|
|
274 | 293 |
|
275 | 294 |
# attempt to extract subject via regex |
276 | 295 |
match = re.search(r"subject=(.*)", subj_line) |
... | ... | |
284 | 303 |
subj = Subject() |
285 | 304 |
for key, value in found: |
286 | 305 |
if key == "C": |
287 |
subj.country = value |
|
306 |
subj.country = value.strip()
|
|
288 | 307 |
elif key == "ST": |
289 |
subj.state = value |
|
308 |
subj.state = value.strip()
|
|
290 | 309 |
elif key == "L": |
291 |
subj.locality = value |
|
310 |
subj.locality = value.strip()
|
|
292 | 311 |
elif key == "O": |
293 |
subj.organization = value |
|
312 |
subj.organization = value.strip()
|
|
294 | 313 |
elif key == "OU": |
295 |
subj.organization_unit = value |
|
314 |
subj.organization_unit = value.strip()
|
|
296 | 315 |
elif key == "CN": |
297 |
subj.common_name = value |
|
316 |
subj.common_name = value.strip()
|
|
298 | 317 |
elif key == "emailAddress": |
299 |
subj.email_address = value |
|
318 |
subj.email_address = value.strip()
|
|
300 | 319 |
|
301 | 320 |
# extract notBefore and notAfter date fields |
302 | 321 |
not_before = re.search(r"notBefore=(.*)", not_before_line) |
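Review bot: In the second hunk (new lines 128–130) the `[ sscrt_ext ]` section is emitted twice when `config` is empty: line 129 already appends the section header and `extensions`, and line 130, which is not under an `else`, appends them again, so the generated openssl.conf ends up with a duplicated section. Changing line 129 to `config = MINIMAL_CONFIG_FILE` and letting line 130 add the section once avoids that. Once the section is always appended, the guards `if len(config) > 0:` and `if len(extensions) > 0:` on new lines 136 and 138 are always true (both strings are non-empty after lines 127 and 130) and can be removed. `CA_EXTENSIONS` also makes every certificate produced by this method a CA certificate (`basicConstraints=critical,CA:TRUE`); if that is intended because the method only issues self-signed CA certificates, the docstring should say so, since callers passing their own `extensions` may not expect it. The enclosing method starts and ends outside the hunk.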
Re #8571 - cryptography.py unified extension specification and support for CR LF