/src/services/certificate_service.py - Komentovat - Aplikace pro správu X.509 certifikátů (Yoso Czech s.r.o.) - JMSD - Redmine

| Větev: | Tag: | Revize:

aswi2021jmsd-gitlab4/src/services/certificate_service.py @ 485913d0

1	ef65f488	Stanislav Král	from typing import List
2
3	151e7604	Jan Pašek	from injector import inject
4
5	20b33bd4	Jan Pašek	from src.config.configuration import Configuration
6			from src.constants import ROOT_CA_ID, INTERMEDIATE_CA_ID, CA_ID, CERTIFICATE_ID, CERTIFICATE_STATES, \
7			CERTIFICATE_REVOCATION_REASONS
8	4a40b0d2	Stanislav Král	from src.dao.certificate_repository import CertificateRepository
9	485913d0	Captain_Trojan	from src.exceptions.database_exception import DatabaseException
10	9e6f791a	Jan Pašek	from src.exceptions.unknown_exception import UnknownException
11	4a40b0d2	Stanislav Král	from src.model.certificate import Certificate
12	313b647b	Stanislav Král	from src.model.private_key import PrivateKey
13	4a40b0d2	Stanislav Král	from src.model.subject import Subject
14			from src.services.cryptography import CryptographyService
15
16	313b647b	Stanislav Král	import time
17
18			DATE_FORMAT = "%d.%m.%Y %H:%M:%S"
19	bbcb7c89	Stanislav Král	CA_EXTENSIONS = "basicConstraints=critical,CA:TRUE"
20	20b33bd4	Jan Pašek	CRL_EXTENSION = "crlDistributionPoints=URI:"
21			OCSP_EXTENSION = "authorityInfoAccess=OCSP;URI:"
22			STATUS_REVOKED = "revoked"
23			STATUS_VALID = "valid"
24	313b647b	Stanislav Král
25	4a40b0d2	Stanislav Král
26			class CertificateService:
27
28	151e7604	Jan Pašek	@inject
29	20b33bd4	Jan Pašek	def __init__(self, cryptography_service: CryptographyService,
30			certificate_repository: CertificateRepository,
31			configuration: Configuration):
32	4a40b0d2	Stanislav Král	self.cryptography_service = cryptography_service
33			self.certificate_repository = certificate_repository
34	20b33bd4	Jan Pašek	self.configuration = configuration
35	4a40b0d2	Stanislav Král
36	bbcb7c89	Stanislav Král	# TODO usages present in method parameters but not in class diagram
37	ca3ac7c0	Stanislav Král	def create_root_ca(self, key: PrivateKey, subject: Subject, extensions: str = "", config: str = "",
38	2f5101f1	Stanislav Král	usages=None, days=30):
39	a6727aa9	Stanislav Král	"""
40			Creates a root CA certificate based on the given parameters.
41			:param key: Private key to be used when generating the certificate
42			:param subject: Subject to be used put into the certificate
43			:param config: String containing the configuration to be used
44			:param extensions: Name of the section in the configuration representing extensions
45			:param usages: A dictionary containing usages of the certificate to be generated (see constants.py)
46	2f5101f1	Stanislav Král	:param days: Number of days for which the generated cert. will be considered valid
47	a6727aa9	Stanislav Král	:return: An instance of Certificate class representing the generated root CA cert
48			"""
49	ca3ac7c0	Stanislav Král	if usages is None:
50			usages = {}
51
52	20b33bd4	Jan Pašek	cert_id = self.certificate_repository.get_next_id()
53			extensions = extensions + "\n" + CRL_EXTENSION + " " + self.__get_crl_endpoint(cert_id)
54			extensions = extensions + "\n" + OCSP_EXTENSION + " " + self.__get_ocsp_endpoint(cert_id)
55
56	313b647b	Stanislav Král	# create a new self signed certificate
57			cert_pem = self.cryptography_service.create_sscrt(subject, key.private_key, key_pass=key.password,
58	2f5101f1	Stanislav Král	extensions=extensions, config=config, days=days)
59	ca3ac7c0	Stanislav Král	# specify CA usage
60			usages[CA_ID] = True
61
62	4c19a9b1	Stanislav Král	# wrap into Certificate class
63	a6727aa9	Stanislav Král	certificate = self.__create_wrapper(cert_pem, key.private_key_id, usages, 0,
64	4c19a9b1	Stanislav Král	ROOT_CA_ID)
65	313b647b	Stanislav Král
66			# store the wrapper into the repository
67			created_id = self.certificate_repository.create(certificate)
68
69			# assign the generated ID to the inserted certificate
70			certificate.certificate_id = created_id
71	4a40b0d2	Stanislav Král
72	313b647b	Stanislav Král	return certificate
73	10fab051	Stanislav Král
74	a6727aa9	Stanislav Král	def __create_wrapper(self, cert_pem, private_key_id, usages, parent_id, cert_type):
75			"""
76	a4e818dc	Jan Pašek	Wraps the given parameters using the Certificate class. Uses CryptographyService to find out the notBefore and
77	a6727aa9	Stanislav Král	notAfter fields.
78			:param cert_pem: PEM of the cert. to be wrapped
79			:param private_key_id: ID of the private key used to create the given certificate
80			:param usages: A dictionary containing usages of the generated certificate generated (see constants.py)
81			:param parent_id: ID of the CA that issued this certificate
82			:param cert_type: Type of this certificate (see constants.py)
83			:return: An instance of the Certificate class wrapping the values passed via method parameters
84			"""
85	4c19a9b1	Stanislav Král	# parse the generated pem for subject and notBefore/notAfter fields
86	a6727aa9	Stanislav Král	# TODO this could be improved in the future in such way that calling openssl is not required to parse the dates
87	4c19a9b1	Stanislav Král	subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem)
88			# format the parsed date
89			not_before_formatted = time.strftime(DATE_FORMAT, not_before)
90			not_after_formatted = time.strftime(DATE_FORMAT, not_after)
91
92			# create a certificate wrapper
93	a6727aa9	Stanislav Král	certificate = Certificate(-1, subj.common_name, not_before_formatted, not_after_formatted, cert_pem,
94	4c19a9b1	Stanislav Král	private_key_id, cert_type, parent_id, usages)
95
96			return certificate
97
98	bbcb7c89	Stanislav Král	# TODO config parameter present in class diagram but not here (unused)
99			def create_ca(self, subject_key: PrivateKey, subject: Subject, issuer_cert: Certificate, issuer_key: PrivateKey,
100	ca3ac7c0	Stanislav Král	extensions: str = "", days: int = 30, usages=None):
101	a6727aa9	Stanislav Král	"""
102			Creates an intermediate CA certificate issued by the given parent CA.
103			:param subject_key: Private key to be used when generating the certificate
104			:param subject: Subject to be used put into the certificate
105			:param issuer_cert: Issuer certificate that will sign the CSR required to create an intermediate CA
106			:param issuer_key: PK used to generate the issuer certificate
107			:param extensions: Extensions to be used when generating the certificate
108			:param usages: A dictionary containing usages of the certificate to be generated (see constants.py)
109			:param days: Number of days for which the generated cert. will be considered valid
110			:return: An instance of Certificate class representing the generated intermediate CA cert
111			"""
112	ca3ac7c0	Stanislav Král	if usages is None:
113			usages = {}
114
115	bbcb7c89	Stanislav Král	extensions = extensions + "\n" + CA_EXTENSIONS
116	20b33bd4	Jan Pašek	# Add CRL and OCSP distribution point to certificate extensions
117			cert_id = self.certificate_repository.get_next_id()
118			extensions = extensions + "\n" + CRL_EXTENSION + " " + self.__get_crl_endpoint(cert_id)
119			extensions = extensions + "\n" + OCSP_EXTENSION + " " + self.__get_ocsp_endpoint(cert_id)
120
121	bbcb7c89	Stanislav Král	# TODO implement AIA URI via extensions
122			cert_pem = self.cryptography_service.create_crt(subject, subject_key.private_key, issuer_cert.pem_data,
123			issuer_key.private_key,
124			subject_key_pass=subject_key.password,
125			issuer_key_pass=issuer_key.password, extensions=extensions,
126			days=days)
127
128	4c19a9b1	Stanislav Král	# specify CA usage
129			usages[CA_ID] = True
130
131			# wrap into Certificate class
132	a6727aa9	Stanislav Král	self.__create_wrapper(cert_pem, subject_key.private_key_id, usages,
133	4c19a9b1	Stanislav Král	issuer_cert.certificate_id, INTERMEDIATE_CA_ID)
134
135	bbcb7c89	Stanislav Král	# parse the generated pem for subject and notBefore/notAfter fields
136			subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem)
137
138			# format the parsed date
139			not_before_formatted = time.strftime(DATE_FORMAT, not_before)
140			not_after_formatted = time.strftime(DATE_FORMAT, not_after)
141
142	ca3ac7c0	Stanislav Král	# specify CA usage
143			usages[CA_ID] = True
144
145	bbcb7c89	Stanislav Král	# create a certificate wrapper
146			certificate = Certificate(-1, subject.common_name, not_before_formatted, not_after_formatted, cert_pem,
147	ca3ac7c0	Stanislav Král	subject_key.private_key_id, INTERMEDIATE_CA_ID, issuer_cert.certificate_id, usages)
148	bbcb7c89	Stanislav Král
149			# store the wrapper into the repository
150			created_id = self.certificate_repository.create(certificate)
151
152			# assign the generated ID to the inserted certificate
153			certificate.certificate_id = created_id
154
155			return certificate
156
157	4c19a9b1	Stanislav Král	def create_end_cert(self, subject_key: PrivateKey, subject: Subject, issuer_cert: Certificate,
158			issuer_key: PrivateKey,
159			extensions: str = "", days: int = 30, usages=None):
160	a6727aa9	Stanislav Král	"""
161			Creates an end certificate issued by the given parent CA.
162			:param subject_key: Private key to be used when generating the certificate
163			:param subject: Subject to be used put into the certificate
164			:param issuer_cert: Issuer certificate that will sign the CSR required to create an intermediate CA
165			:param issuer_key: PK used to generate the issuer certificate
166			:param extensions: Extensions to be used when generating the certificate
167			:param usages: A dictionary containing usages of the certificate to be generated (see constants.py)
168			:param days: Number of days for which the generated cert. will be considered valid
169			:return: An instance of Certificate class representing the generated cert
170			"""
171	4c19a9b1	Stanislav Král	if usages is None:
172			usages = {}
173
174			# generate a new certificate
175			cert_pem = self.cryptography_service.create_crt(subject, subject_key.private_key, issuer_cert.pem_data,
176			issuer_key.private_key,
177			subject_key_pass=subject_key.password,
178			issuer_key_pass=issuer_key.password, extensions=extensions,
179			days=days)
180
181			# wrap the generated certificate using Certificate class
182	a6727aa9	Stanislav Král	certificate = self.__create_wrapper(cert_pem, subject_key.private_key_id, usages,
183	4c19a9b1	Stanislav Král	issuer_cert.certificate_id, CERTIFICATE_ID)
184
185			created_id = self.certificate_repository.create(certificate)
186
187			certificate.certificate_id = created_id
188
189			return certificate
190
191	10fab051	Stanislav Král	def get_certificate(self, unique_id: int) -> Certificate:
192	a6727aa9	Stanislav Král	"""
193			Tries to fetch a certificate from the certificate repository using a given id.
194			:param unique_id: ID of the certificate to be fetched
195			:return: Instance of the Certificate class containing a certificate with the given id or `None` if such
196			certificate is not found
197			"""
198	10fab051	Stanislav Král	return self.certificate_repository.read(unique_id)
199	2a90f4fd	Stanislav Král
200	ef65f488	Stanislav Král	def get_certificates(self, cert_type=None) -> List[Certificate]:
201	a6727aa9	Stanislav Král	"""
202			Tries to fetch a list of all certificates from the certificate repository. Using the `cert_type` parameter only
203			certificates of the given type can be returned.
204			:param cert_type: Type of certificates to be returned
205			:return: List of instances of the Certificate class representing all certificates present in the certificate
206			repository. An empty list is returned when no certificates are found.
207			"""
208	2a90f4fd	Stanislav Král	return self.certificate_repository.read_all(cert_type)
209	ef65f488	Stanislav Král
210			def get_chain_of_trust(self, from_id: int, to_id: int = -1, exclude_root=True) -> List[Certificate]:
211	4e70d22a	Stanislav Král	"""
212			Traverses the certificate hierarchy tree upwards till a certificate with the `to_id` ID is found or till a
213			root CA certificate is found. Root certificates are excluded from the chain by default.
214			:param from_id: ID of the first certificate to be included in the chain of trust
215			:param to_id: ID of the last certificate to be included in the chain of trust
216			:param exclude_root: a flag indicating whether root CA certificate should be excluded
217			:return: a list of certificates representing the chain of trust starting with the certificate given by `from_id`
218			ID
219			"""
220			# read the first certificate of the chain
221	ef65f488	Stanislav Král	start_cert = self.certificate_repository.read(from_id)
222
223	4e70d22a	Stanislav Král	# if no cert is found or the current cert is root CA and root CAs should be excluded, then return an empty list
224	ef65f488	Stanislav Král	if start_cert is None or (start_cert.type_id == ROOT_CA_ID and exclude_root):
225			return []
226
227			current_cert = start_cert
228			chain_of_trust = [current_cert]
229
230			# TODO could possibly be simplified
231			if start_cert.type_id == ROOT_CA_ID:
232	4e70d22a	Stanislav Král	# the first cert found is a root ca
233	ef65f488	Stanislav Král	return chain_of_trust
234
235			while True:
236			parent_cert = self.certificate_repository.read(current_cert.parent_id)
237
238	4e70d22a	Stanislav Král	# check whether parent certificate exists
239			if parent_cert is None:
240			break
241
242			# check whether the found certificate is a root certificate
243			if parent_cert.type_id == ROOT_CA_ID:
244	ef65f488	Stanislav Král	if not exclude_root:
245	4e70d22a	Stanislav Král	# append the found root cert only if root certificates should not be excluded from the CoT
246	ef65f488	Stanislav Král	chain_of_trust.append(parent_cert)
247			break
248
249	4e70d22a	Stanislav Král	# append the certificate
250	ef65f488	Stanislav Král	chain_of_trust.append(parent_cert)
251
252	4e70d22a	Stanislav Král	# stop iterating over certificates if the id of the found certificate matches `to_id` method parameter
253	ef65f488	Stanislav Král	if parent_cert.certificate_id == to_id:
254			break
255
256			current_cert = parent_cert
257
258			return chain_of_trust
259	3d639744	Stanislav Král
260	a6727aa9	Stanislav Král	def delete_certificate(self, unique_id) -> bool:
261	3d639744	Stanislav Král	"""
262			Deletes a certificate
263
264			:param unique_id: ID of specific certificate
265
266	a6727aa9	Stanislav Král	:return: `True` when the deletion was successful. `False` in other case
267	3d639744	Stanislav Král	"""
268			# TODO delete children?
269			return self.certificate_repository.delete(unique_id)
270	c4ba6bb7	Jan Pašek
271	485913d0	Captain_Trojan	def get_certificates_issued_by(self, unique_id):
272			"""
273			Returns a list of all children of a certificate identified by an unique_id.
274			Raises a DatabaseException should any unexpected behavior occur.
275			:param unique_id: target certificate ID
276			:return: children of unique_id
277			"""
278			try:
279			if self.certificate_repository.read(unique_id) is None:
280			raise CertificateNotFoundException(unique_id)
281			except DatabaseException:
282			raise CertificateNotFoundException(unique_id)
283
284			return self.certificate_repository.get_all_issued_by(unique_id)
285
286	20b33bd4	Jan Pašek	def set_certificate_revocation_status(self, id, status, reason="unspecified"):
287			"""
288			Set certificate status to 'valid' or 'revoked'.
289			If the new status is revoked a reason can be provided -> default is unspecified
290			:param reason: reason for revocation
291			:param id: identifier of the certificate whose status is to be changed
292			:param status: new status of the certificate
293			"""
294			if status not in CERTIFICATE_STATES:
295			raise CertificateStatusInvalidException(status)
296			if reason not in CERTIFICATE_REVOCATION_REASONS:
297			raise RevocationReasonInvalidException(reason)
298
299	9e6f791a	Jan Pašek	# check whether the certificate exists
300			certificate = self.certificate_repository.read(id)
301			if certificate is None:
302			raise CertificateNotFoundException(id)
303
304	9c704fb1	Jan Pašek	updated = False
305	20b33bd4	Jan Pašek	if status == STATUS_VALID:
306	9c704fb1	Jan Pašek	updated = self.certificate_repository.clear_certificate_revocation(id)
307	20b33bd4	Jan Pašek	elif status == STATUS_REVOKED:
308	9e6f791a	Jan Pašek	# check if the certificate is not revoked already
309			revoked = self.certificate_repository.get_all_revoked_by(certificate.parent_id)
310			if certificate.certificate_id in [x.certificate_id for x in revoked]:
311			raise CertificateAlreadyRevokedException(id)
312
313	20b33bd4	Jan Pašek	revocation_timestamp = int(time.time())
314	9c704fb1	Jan Pašek	updated = self.certificate_repository.set_certificate_revoked(id, str(revocation_timestamp), reason)
315
316			if not updated:
317	9e6f791a	Jan Pašek	# TODO log this
318			raise UnknownException("Repository returned 'false' from clear_certificate_revocation() "
319			"or set_certificate_revoked().")
320	20b33bd4	Jan Pašek
321	c4ba6bb7	Jan Pašek	def get_subject_from_certificate(self, certificate: Certificate) -> Subject:
322			"""
323			Get Subject distinguished name from a Certificate
324			:param certificate: certificate instance whose Subject shall be parsed
325			:return: instance of Subject class containing resulting distinguished name
326			"""
327			(subject, _, _) = self.cryptography_service.parse_cert_pem(certificate.pem_data)
328			return subject
329	d3bfacfc	Stanislav Král
330			def get_public_key_from_certificate(self, certificate: Certificate):
331			"""
332			Extracts a public key from the given certificate
333			:param certificate: an instance of the Certificate class containing the certificate from which a public key
334			should be extracted.
335			:return: a string containing the extracted public key in PEM format
336			"""
337			return self.cryptography_service.extract_public_key_from_certificate(certificate.pem_data)
338	20b33bd4	Jan Pašek
339			def __get_crl_endpoint(self, ca_identifier: int) -> str:
340			"""
341			Get URL address of CRL distribution endpoint based on
342			issuer's ID
343
344			:param ca_identifier: ID of issuing authority
345			:return: CRL endpoint for the given CA
346			"""
347			return self.configuration.base_server_url + "/api/crl/" + str(ca_identifier)
348
349			def __get_ocsp_endpoint(self, ca_identifier: int) -> str:
350			"""
351			Get URL address of OCSP distribution endpoint based on
352			issuer's ID
353
354			:param ca_identifier: ID of issuing authority
355			:return: OCSP endpoint for the given CA
356			"""
357			return self.configuration.base_server_url + "/api/ocsp/" + str(ca_identifier)
358
359
360			class RevocationReasonInvalidException(Exception):
361			"""
362			Exception that denotes that the caller was trying to revoke
363			a certificate using an invalid revocation reason
364			"""
365
366			def __init__(self, reason):
367			self.reason = reason
368
369			def __str__(self):
370			return f"Revocation reason '{self.reason}' is not valid."
371
372
373			class CertificateStatusInvalidException(Exception):
374			"""
375			Exception that denotes that the caller was trying to set
376			a certificate to an invalid state
377			"""
378
379			def __init__(self, status):
380			self.status = status
381
382			def __str__(self):
383			return f"Certificate status '{self.status}' is not valid."
384	9c704fb1	Jan Pašek
385
386			class CertificateNotFoundException(Exception):
387			"""
388			Exception that denotes that the caller was trying to set
389	9e6f791a	Jan Pašek	work with non-existing certificate
390	9c704fb1	Jan Pašek	"""
391
392			def __init__(self, id):
393			self.id = id
394
395			def __str__(self):
396			return f"Certificate id '{self.id}' does not exist."
397	9e6f791a	Jan Pašek
398
399			class CertificateAlreadyRevokedException(Exception):
400			"""
401			Exception that denotes that the caller was trying to revoke
402			a certificate that is already revoked
403			"""
404
405			def __init__(self, id):
406			self.id = id
407
408			def __str__(self):
409			return f"Certificate id '{self.id}' is already revoked."

Projekt

Obecné

Profil

ASWI - Pokročilé softwarové inženýrství » ASWI 2021 » Aplikace pro správu X.509 certifikátů (Yoso Czech s.r.o.) - JMSD