Revize 5f4e6c2f
Přidáno uživatelem Stanislav Král před téměř 4 roky(ů)
| src/services/certificate_service.py | ||
|---|---|---|
| 15 | 15 |
|
| 16 | 16 |
import time |
| 17 | 17 |
|
| 18 |
DATE_FORMAT = "%d.%m.%Y %H:%M:%S" |
|
| 18 |
NOT_BEFORE_AFTER_DATE_FORMAT = "%d.%m.%Y %H:%M:%S"
|
|
| 19 | 19 |
CA_EXTENSIONS = "basicConstraints=critical,CA:TRUE" |
| 20 | 20 |
CRL_EXTENSION = "crlDistributionPoints=URI:" |
| 21 | 21 |
OCSP_EXTENSION = "authorityInfoAccess=OCSP;URI:" |
| ... | ... | |
| 86 | 86 |
# TODO this could be improved in the future in such way that calling openssl is not required to parse the dates |
| 87 | 87 |
subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem) |
| 88 | 88 |
# format the parsed date |
| 89 |
not_before_formatted = time.strftime(DATE_FORMAT, not_before) |
|
| 90 |
not_after_formatted = time.strftime(DATE_FORMAT, not_after) |
|
| 89 |
not_before_formatted = time.strftime(NOT_BEFORE_AFTER_DATE_FORMAT, not_before)
|
|
| 90 |
not_after_formatted = time.strftime(NOT_BEFORE_AFTER_DATE_FORMAT, not_after)
|
|
| 91 | 91 |
|
| 92 | 92 |
# create a certificate wrapper |
| 93 | 93 |
certificate = Certificate(-1, subj.common_name, not_before_formatted, not_after_formatted, cert_pem, |
| ... | ... | |
| 136 | 136 |
subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem) |
| 137 | 137 |
|
| 138 | 138 |
# format the parsed date |
| 139 |
not_before_formatted = time.strftime(DATE_FORMAT, not_before) |
|
| 140 |
not_after_formatted = time.strftime(DATE_FORMAT, not_after) |
|
| 139 |
not_before_formatted = time.strftime(NOT_BEFORE_AFTER_DATE_FORMAT, not_before)
|
|
| 140 |
not_after_formatted = time.strftime(NOT_BEFORE_AFTER_DATE_FORMAT, not_after)
|
|
| 141 | 141 |
|
| 142 | 142 |
# specify CA usage |
| 143 | 143 |
usages[CA_ID] = True |
| src/services/crl/ca_index_file_line_generator.py | ||
|---|---|---|
| 1 |
import time |
|
| 2 |
from time import struct_time |
|
| 3 |
|
|
| 4 |
from src.model.certificate import Certificate |
|
| 5 |
from src.model.subject import Subject |
|
| 6 |
|
|
| 7 |
TAB_CHAR = "\t" |
|
| 8 |
INDEX_FILE_DATE_ENTRY_FORMAT = "%y%m%d%H%M%SZ" |
|
| 9 |
|
|
| 10 |
|
|
| 11 |
def get_index_file_time_entry(date: struct_time): |
|
| 12 |
# convert the time to the format of openssl CA index file |
|
| 13 |
return time.strftime(INDEX_FILE_DATE_ENTRY_FORMAT, date) |
|
| 14 |
|
|
| 15 |
|
|
| 16 |
def get_distinguished_name(subject: Subject): |
|
| 17 |
# convert subject class instance to the distinguished name in the openssl CA index file format |
|
| 18 |
return "".join([f"/{key}={value}" if value is not None else "" for key, value in subject.to_dict().items()])
|
|
| 19 |
|
|
| 20 |
|
|
| 21 |
def create_index_file_revoked_line(revoked_certificate: Certificate, subject: Subject, revocation_date: struct_time, |
|
| 22 |
valid_to: struct_time) -> str: |
|
| 23 |
# converts the given certificate as well as the subject and revocation / valid_to dates to a line of openssl CA |
|
| 24 |
# index file format |
|
| 25 |
items = [ |
|
| 26 |
# certificate status flag (R stands for revoked) |
|
| 27 |
"R", |
|
| 28 |
# followed by the expiration date field |
|
| 29 |
f"{get_index_file_time_entry(valid_to)}",
|
|
| 30 |
# followed by the revocation date field |
|
| 31 |
f"{get_index_file_time_entry(revocation_date)},{revoked_certificate.revocation_reason}",
|
|
| 32 |
# followed by the serial number of the certificate in hex format |
|
| 33 |
hex(revoked_certificate.certificate_id).replace("x", ""),
|
|
| 34 |
# certificate filename ("unknown" literal used for unknown file names)
|
|
| 35 |
"unknown", |
|
| 36 |
# certificate distinguished name |
|
| 37 |
get_distinguished_name(subject) |
|
| 38 |
] |
|
| 39 |
|
|
| 40 |
return TAB_CHAR.join(items) |
|
| tests/unit_tests/services/crl/ca_index_file_line_generator_test.py | ||
|---|---|---|
| 1 |
import time |
|
| 2 |
|
|
| 3 |
from src.model.certificate import Certificate |
|
| 4 |
from src.model.subject import Subject |
|
| 5 |
from src.services.crl.ca_index_file_line_generator import create_index_file_revoked_line |
|
| 6 |
|
|
| 7 |
|
|
| 8 |
def test_get_index_file_time_entry_valid(): |
|
| 9 |
cert = Certificate( |
|
| 10 |
1, "Foo", "21.03.2020", "21.03.2021", "", -1, -1, -1, {}, "02.02.2021", "keyCompromise"
|
|
| 11 |
) |
|
| 12 |
|
|
| 13 |
date_format = "%d.%m.%Y" |
|
| 14 |
|
|
| 15 |
expiration_date = time.strptime(cert.valid_to, date_format) |
|
| 16 |
revocation_date = time.strptime(cert.revocation_date, date_format) |
|
| 17 |
|
|
| 18 |
index_line = create_index_file_revoked_line(cert, Subject( |
|
| 19 |
"Foo", "CZ", "Pilsen", email_address="bar@foo.cz" |
|
| 20 |
), revocation_date, expiration_date) |
|
| 21 |
|
|
| 22 |
assert "R 210321000000Z 210202000000Z,keyCompromise 01 unknown " \ |
|
| 23 |
"/CN=Foo/C=CZ/L=Pilsen/emailAddress=bar@foo.cz" \ |
|
| 24 |
== index_line |
|
| 25 |
|
|
| 26 |
|
|
| 27 |
def test_get_index_file_time_entry_valid_2(): |
|
| 28 |
cert = Certificate( |
|
| 29 |
1024, "Bar", "01.01.2019", "06.10.2021", "", -1, -1, -1, {}, "03.09.2021", "affiliationChanged"
|
|
| 30 |
) |
|
| 31 |
|
|
| 32 |
date_format = "%d.%m.%Y" |
|
| 33 |
|
|
| 34 |
expiration_date = time.strptime(cert.valid_to, date_format) |
|
| 35 |
revocation_date = time.strptime(cert.revocation_date, date_format) |
|
| 36 |
|
|
| 37 |
index_line = create_index_file_revoked_line(cert, Subject( |
|
| 38 |
"Bar", "SK", "Foosen", organization="Bar Org." |
|
| 39 |
), revocation_date, expiration_date) |
|
| 40 |
|
|
| 41 |
assert "R 211006000000Z 210903000000Z,affiliationChanged 0400 unknown " \ |
|
| 42 |
"/CN=Bar/C=SK/L=Foosen/O=Bar Org." \ |
|
| 43 |
== index_line |
|
| 44 |
|
|
| 45 |
|
|
| 46 |
def test_get_index_file_time_entry_valid_3(): |
|
| 47 |
cert = Certificate( |
|
| 48 |
1, "IA CA", "", "01.04.2023 15:01:11", "", -1, -1, -1, {}, "01.04.2021 15:12:00", "keyCompromise"
|
|
| 49 |
) |
|
| 50 |
|
|
| 51 |
date_format = "%d.%m.%Y %H:%M:%S" |
|
| 52 |
|
|
| 53 |
expiration_date = time.strptime(cert.valid_to, date_format) |
|
| 54 |
revocation_date = time.strptime(cert.revocation_date, date_format) |
|
| 55 |
|
|
| 56 |
index_line = create_index_file_revoked_line(cert, Subject( |
|
| 57 |
common_name=cert.common_name, |
|
| 58 |
state="Some-State", |
|
| 59 |
country="AU", |
|
| 60 |
organization="Internet Widgits Pty Ltd " |
|
| 61 |
), revocation_date, expiration_date) |
|
| 62 |
|
|
| 63 |
expected = "R 230401150111Z 210401151200Z,keyCompromise 01 unknown /CN=IA CA/C=AU/ST=Some-State/O=Internet " \ |
|
| 64 |
"Widgits Pty Ltd " |
|
| 65 |
|
|
| 66 |
assert expected == index_line |
|
Také k dispozici: Unified diff
Re #8575 - Added a file that defines methods used for generating CA index file lines
Added unit tests verifying the validity of added methods