Revize 4c19a9b1
Přidáno uživatelem Stanislav Král před asi 4 roky(ů)
| src/services/certificate_service.py | ||
|---|---|---|
| 1 |
from src.constants import ROOT_CA_ID, INTERMEDIATE_CA_ID, CA_ID |
|
| 1 |
from src.constants import ROOT_CA_ID, INTERMEDIATE_CA_ID, CA_ID, CERTIFICATE_ID
|
|
| 2 | 2 |
from src.dao.certificate_repository import CertificateRepository |
| 3 | 3 |
from src.model.certificate import Certificate |
| 4 | 4 |
from src.model.private_key import PrivateKey |
| ... | ... | |
| 26 | 26 |
# create a new self signed certificate |
| 27 | 27 |
cert_pem = self.cryptography_service.create_sscrt(subject, key.private_key, key_pass=key.password, |
| 28 | 28 |
extensions=extensions, config=config) |
| 29 |
|
|
| 30 |
# parse the generated pem for subject and notBefore/notAfter fields |
|
| 31 |
subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem) |
|
| 32 |
|
|
| 33 |
# format the parsed date |
|
| 34 |
not_before_formatted = time.strftime(DATE_FORMAT, not_before) |
|
| 35 |
not_after_formatted = time.strftime(DATE_FORMAT, not_after) |
|
| 36 |
|
|
| 37 | 29 |
# specify CA usage |
| 38 | 30 |
usages[CA_ID] = True |
| 39 | 31 |
|
| 40 |
# create a certificate wrapper
|
|
| 41 |
certificate = Certificate(-1, subject.common_name, not_before_formatted, not_after_formatted, cert_pem,
|
|
| 42 |
key.private_key_id, ROOT_CA_ID, 0, usages)
|
|
| 32 |
# wrap into Certificate class
|
|
| 33 |
certificate = self.__create_wrapper(cert_pem, key.private_key_id, subject.common_name, usages, 0,
|
|
| 34 |
ROOT_CA_ID)
|
|
| 43 | 35 |
|
| 44 | 36 |
# store the wrapper into the repository |
| 45 | 37 |
created_id = self.certificate_repository.create(certificate) |
| ... | ... | |
| 49 | 41 |
|
| 50 | 42 |
return certificate |
| 51 | 43 |
|
| 44 |
def __create_wrapper(self, cert_pem, private_key_id, common_name, usages, parent_id, cert_type): |
|
| 45 |
# parse the generated pem for subject and notBefore/notAfter fields |
|
| 46 |
subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem) |
|
| 47 |
# format the parsed date |
|
| 48 |
not_before_formatted = time.strftime(DATE_FORMAT, not_before) |
|
| 49 |
not_after_formatted = time.strftime(DATE_FORMAT, not_after) |
|
| 50 |
|
|
| 51 |
# create a certificate wrapper |
|
| 52 |
certificate = Certificate(-1, common_name, not_before_formatted, not_after_formatted, cert_pem, |
|
| 53 |
private_key_id, cert_type, parent_id, usages) |
|
| 54 |
|
|
| 55 |
print(f"CW: {parent_id} {certificate.parent_id}")
|
|
| 56 |
return certificate |
|
| 57 |
|
|
| 52 | 58 |
# TODO config parameter present in class diagram but not here (unused) |
| 53 | 59 |
def create_ca(self, subject_key: PrivateKey, subject: Subject, issuer_cert: Certificate, issuer_key: PrivateKey, |
| 54 | 60 |
extensions: str = "", days: int = 30, usages=None): |
| ... | ... | |
| 63 | 69 |
issuer_key_pass=issuer_key.password, extensions=extensions, |
| 64 | 70 |
days=days) |
| 65 | 71 |
|
| 72 |
# specify CA usage |
|
| 73 |
usages[CA_ID] = True |
|
| 74 |
|
|
| 75 |
# wrap into Certificate class |
|
| 76 |
self.__create_wrapper(cert_pem, subject_key.private_key_id, subject.common_name, usages, |
|
| 77 |
issuer_cert.certificate_id, INTERMEDIATE_CA_ID) |
|
| 78 |
|
|
| 66 | 79 |
# parse the generated pem for subject and notBefore/notAfter fields |
| 67 | 80 |
subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem) |
| 68 | 81 |
|
| ... | ... | |
| 85 | 98 |
|
| 86 | 99 |
return certificate |
| 87 | 100 |
|
| 101 |
def create_end_cert(self, subject_key: PrivateKey, subject: Subject, issuer_cert: Certificate, |
|
| 102 |
issuer_key: PrivateKey, |
|
| 103 |
extensions: str = "", days: int = 30, usages=None): |
|
| 104 |
if usages is None: |
|
| 105 |
usages = {}
|
|
| 106 |
|
|
| 107 |
# generate a new certificate |
|
| 108 |
cert_pem = self.cryptography_service.create_crt(subject, subject_key.private_key, issuer_cert.pem_data, |
|
| 109 |
issuer_key.private_key, |
|
| 110 |
subject_key_pass=subject_key.password, |
|
| 111 |
issuer_key_pass=issuer_key.password, extensions=extensions, |
|
| 112 |
days=days) |
|
| 113 |
|
|
| 114 |
print(f"test cert {issuer_cert.certificate_id}")
|
|
| 115 |
# wrap the generated certificate using Certificate class |
|
| 116 |
certificate = self.__create_wrapper(cert_pem, subject_key.private_key_id, subject.common_name, usages, |
|
| 117 |
issuer_cert.certificate_id, CERTIFICATE_ID) |
|
| 118 |
|
|
| 119 |
print(f"parent cert {certificate.parent_id}")
|
|
| 120 |
|
|
| 121 |
created_id = self.certificate_repository.create(certificate) |
|
| 122 |
|
|
| 123 |
certificate.certificate_id = created_id |
|
| 124 |
|
|
| 125 |
print(f"parent cert {certificate.parent_id}")
|
|
| 126 |
|
|
| 127 |
return certificate |
|
| 128 |
|
|
| 88 | 129 |
def get_certificate(self, unique_id: int) -> Certificate: |
| 89 | 130 |
return self.certificate_repository.read(unique_id) |
| tests/integration_tests/services/certificate_key_service_test.py | ||
|---|---|---|
| 1 | 1 |
import subprocess |
| 2 | 2 |
|
| 3 |
from src.constants import SSL_ID, CA_ID |
|
| 3 |
from src.constants import SSL_ID, CA_ID, AUTHENTICATION_ID, INTERMEDIATE_CA_ID, ROOT_CA_ID, CERTIFICATE_ID, SIGNATURE_ID
|
|
| 4 | 4 |
from src.model.subject import Subject |
| 5 | 5 |
|
| 6 | 6 |
|
| ... | ... | |
| 25 | 25 |
Subject(common_name="FooName", organization_unit="Department of Foo"), |
| 26 | 26 |
usages={SSL_ID: True})
|
| 27 | 27 |
|
| 28 |
assert CA_ID in cert.usages |
|
| 29 |
assert SSL_ID in cert.usages |
|
| 28 |
assert ROOT_CA_ID == cert.type_id |
|
| 29 |
|
|
| 30 |
assert cert.usages[CA_ID] |
|
| 31 |
assert cert.usages[SSL_ID] |
|
| 32 |
assert cert.usages[AUTHENTICATION_ID] is False |
|
| 33 |
assert cert.usages[SIGNATURE_ID] is False |
|
| 30 | 34 |
|
| 31 | 35 |
cert_loaded = certificate_service.get_certificate(cert.certificate_id) |
| 32 | 36 |
|
| ... | ... | |
| 56 | 60 |
inter_cert = certificate_service.create_ca(inter_ca_private_key, Subject(common_name="Intermediate CA"), root_ca, |
| 57 | 61 |
root_ca_private_key, usages={SSL_ID: True})
|
| 58 | 62 |
|
| 59 |
assert CA_ID in inter_cert.usages |
|
| 60 |
assert SSL_ID in inter_cert.usages |
|
| 63 |
assert INTERMEDIATE_CA_ID == inter_cert.type_id |
|
| 64 |
|
|
| 65 |
assert inter_cert.usages[CA_ID] |
|
| 66 |
assert inter_cert.usages[SSL_ID] |
|
| 67 |
assert inter_cert.usages[AUTHENTICATION_ID] is False |
|
| 68 |
assert inter_cert.usages[SIGNATURE_ID] is False |
|
| 61 | 69 |
|
| 62 | 70 |
inter_cert_loaded = certificate_service.get_certificate(inter_cert.certificate_id) |
| 63 | 71 |
|
| ... | ... | |
| 66 | 74 |
assert """ X509v3 Basic Constraints: critical |
| 67 | 75 |
CA:TRUE""" in cert_loaded_printed |
| 68 | 76 |
|
| 69 |
assert inter_cert_loaded.certificate_id == inter_cert_loaded.certificate_id
|
|
| 77 |
assert inter_cert.certificate_id == inter_cert_loaded.certificate_id |
|
| 70 | 78 |
assert inter_cert.common_name == inter_cert_loaded.common_name |
| 71 | 79 |
assert inter_cert.valid_from == inter_cert_loaded.valid_from |
| 72 | 80 |
assert inter_cert.valid_to == inter_cert_loaded.valid_to |
| ... | ... | |
| 74 | 82 |
assert inter_cert.private_key_id == inter_cert_loaded.private_key_id |
| 75 | 83 |
assert inter_cert.type_id == inter_cert_loaded.type_id |
| 76 | 84 |
assert inter_cert.parent_id == root_ca.certificate_id |
| 85 |
assert inter_cert_loaded.parent_id == root_ca.certificate_id |
|
| 77 | 86 |
assert inter_cert.usages == inter_cert_loaded.usages |
| 87 |
|
|
| 88 |
|
|
| 89 |
def test_create_and_get_cert(private_key_service, certificate_service): |
|
| 90 |
root_ca_private_key = private_key_service.create_new_key(passphrase="foobar") |
|
| 91 |
inter_ca_private_key = private_key_service.create_new_key(passphrase="barfoo") |
|
| 92 |
end_cert_private_key = private_key_service.create_new_key(passphrase="foofoo") |
|
| 93 |
|
|
| 94 |
root_ca_cert = certificate_service.create_root_ca(root_ca_private_key, |
|
| 95 |
Subject(common_name="RootFoo", |
|
| 96 |
organization_unit="Department of Foo")) |
|
| 97 |
|
|
| 98 |
inter_ca_cert = certificate_service.create_ca(inter_ca_private_key, Subject(common_name="Intermediate CA"), |
|
| 99 |
root_ca_cert, |
|
| 100 |
root_ca_private_key, usages={SSL_ID: True})
|
|
| 101 |
|
|
| 102 |
cert = certificate_service.create_end_cert(end_cert_private_key, |
|
| 103 |
Subject("Foo Child", email_address="foo@bar.cz"), inter_ca_cert,
|
|
| 104 |
inter_ca_private_key, usages={AUTHENTICATION_ID: True})
|
|
| 105 |
assert CERTIFICATE_ID == cert.type_id |
|
| 106 |
|
|
| 107 |
assert cert.usages[AUTHENTICATION_ID] |
|
| 108 |
assert cert.usages[SSL_ID] is False |
|
| 109 |
assert cert.usages[SIGNATURE_ID] is False |
|
| 110 |
assert cert.usages[CA_ID] is False |
|
| 111 |
|
|
| 112 |
cert_loaded = certificate_service.get_certificate(cert.certificate_id) |
|
| 113 |
|
|
| 114 |
assert cert.certificate_id == cert_loaded.certificate_id |
|
| 115 |
assert cert.common_name == cert_loaded.common_name |
|
| 116 |
assert cert.valid_from == cert_loaded.valid_from |
|
| 117 |
assert cert.valid_to == cert_loaded.valid_to |
|
| 118 |
assert cert.pem_data == cert_loaded.pem_data |
|
| 119 |
assert cert.private_key_id == cert_loaded.private_key_id |
|
| 120 |
assert cert.type_id == cert_loaded.type_id |
|
| 121 |
assert cert.parent_id == inter_ca_cert.certificate_id |
|
| 122 |
assert cert_loaded.parent_id == inter_ca_cert.certificate_id |
|
| 123 |
assert cert.usages == cert_loaded.usages |
|
Také k dispozici: Unified diff
Re #8472 - Implemented create_end_cert method and added an integration test validating it