Revize 7313994f
Přidáno uživatelem Stanislav Král před téměř 4 roky(ů)
| src/services/certificate_service.py | ||
|---|---|---|
| 15 | 15 |
|
| 16 | 16 |
import time |
| 17 | 17 |
|
| 18 |
NOT_BEFORE_AFTER_DATE_FORMAT = "%d.%m.%Y %H:%M:%S"
|
|
| 18 |
VALID_FROM_TO_DATE_FORMAT = "%d.%m.%Y %H:%M:%S"
|
|
| 19 | 19 |
CA_EXTENSIONS = "basicConstraints=critical,CA:TRUE" |
| 20 | 20 |
CRL_EXTENSION = "crlDistributionPoints=URI:" |
| 21 | 21 |
OCSP_EXTENSION = "authorityInfoAccess=OCSP;URI:" |
| ... | ... | |
| 86 | 86 |
# TODO this could be improved in the future in such way that calling openssl is not required to parse the dates |
| 87 | 87 |
subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem) |
| 88 | 88 |
# format the parsed date |
| 89 |
not_before_formatted = time.strftime(NOT_BEFORE_AFTER_DATE_FORMAT, not_before)
|
|
| 90 |
not_after_formatted = time.strftime(NOT_BEFORE_AFTER_DATE_FORMAT, not_after)
|
|
| 89 |
not_before_formatted = time.strftime(VALID_FROM_TO_DATE_FORMAT, not_before)
|
|
| 90 |
not_after_formatted = time.strftime(VALID_FROM_TO_DATE_FORMAT, not_after)
|
|
| 91 | 91 |
|
| 92 | 92 |
# create a certificate wrapper |
| 93 | 93 |
certificate = Certificate(-1, subj.common_name, not_before_formatted, not_after_formatted, cert_pem, |
| ... | ... | |
| 136 | 136 |
subj, not_before, not_after = self.cryptography_service.parse_cert_pem(cert_pem) |
| 137 | 137 |
|
| 138 | 138 |
# format the parsed date |
| 139 |
not_before_formatted = time.strftime(NOT_BEFORE_AFTER_DATE_FORMAT, not_before)
|
|
| 140 |
not_after_formatted = time.strftime(NOT_BEFORE_AFTER_DATE_FORMAT, not_after)
|
|
| 139 |
not_before_formatted = time.strftime(VALID_FROM_TO_DATE_FORMAT, not_before)
|
|
| 140 |
not_after_formatted = time.strftime(VALID_FROM_TO_DATE_FORMAT, not_after)
|
|
| 141 | 141 |
|
| 142 | 142 |
# specify CA usage |
| 143 | 143 |
usages[CA_ID] = True |
| src/services/crl/crl_service.py | ||
|---|---|---|
| 1 |
import time |
|
| 2 |
|
|
| 3 |
from injector import inject |
|
| 4 |
|
|
| 5 |
from src.dao.certificate_repository import CertificateRepository |
|
| 6 |
from src.services.certificate_service import VALID_FROM_TO_DATE_FORMAT |
|
| 7 |
from src.services.crl.ca_index_file_line_generator import create_index_file_revoked_line |
|
| 8 |
from src.services.cryptography import CryptographyService |
|
| 9 |
|
|
| 10 |
|
|
| 11 |
class CrlService: |
|
| 12 |
@inject |
|
| 13 |
def __init__(self, |
|
| 14 |
certificate_repository: CertificateRepository, |
|
| 15 |
cryptography_service: CryptographyService |
|
| 16 |
): |
|
| 17 |
self.certificate_repository = certificate_repository |
|
| 18 |
self.cryptography_service = cryptography_service |
|
| 19 |
|
|
| 20 |
def create_revoked_index(self, ca_id) -> str: |
|
| 21 |
""" |
|
| 22 |
Queries the certificate repository and looks for all certificates revoked by the certificate authority given |
|
| 23 |
by the passed ID. Found certificates are then put into a string representing the CA's database index file. |
|
| 24 |
|
|
| 25 |
:param ca_id: ID of the CA whose revoked certificates should be put into the index file |
|
| 26 |
:return: a str representing the content of a CA index file |
|
| 27 |
""" |
|
| 28 |
|
|
| 29 |
index_lines = [] |
|
| 30 |
# iterate over revoked certificates of the CA given by an ID |
|
| 31 |
for certificate in self.certificate_repository.get_all_revoked_by(ca_id): |
|
| 32 |
# extract the complete subject information and not_after date field |
|
| 33 |
subject, _, not_after = self.cryptography_service.parse_cert_pem(certificate.pem_data) |
|
| 34 |
line = create_index_file_revoked_line(certificate, |
|
| 35 |
subject, |
|
| 36 |
# parse valid_to date to a date struct |
|
| 37 |
time.strptime(certificate.valid_to, VALID_FROM_TO_DATE_FORMAT), |
|
| 38 |
not_after) |
|
| 39 |
|
|
| 40 |
# append it to the list of lines |
|
| 41 |
index_lines.append(line) |
|
| 42 |
|
|
| 43 |
# join all lines with a new line |
|
| 44 |
return "\n".join(index_lines) |
|
| src/services/cryptography.py | ||
|---|---|---|
| 155 | 155 |
# waiting for the passphrase to be typed in |
| 156 | 156 |
args.extend(["-passin", f"pass:{key_pass}"])
|
| 157 | 157 |
|
| 158 |
print(args) |
|
| 159 |
|
|
| 160 | 158 |
return self.__run_for_output(args, proc_input=bytes(key, encoding="utf-8")).decode() |
| 161 | 159 |
|
| 162 | 160 |
def __create_csr(self, subject, key, key_pass=""): |
| tests/integration_tests/services/conftest.py | ||
|---|---|---|
| 10 | 10 |
from src.dao.private_key_repository import PrivateKeyRepository |
| 11 | 11 |
from src.db.init_queries import SCHEMA_SQL, DEFAULT_VALUES_SQL |
| 12 | 12 |
from src.services.certificate_service import CertificateService |
| 13 |
from src.services.crl.crl_service import CrlService |
|
| 13 | 14 |
from src.services.cryptography import CryptographyService |
| 14 | 15 |
from src.services.key_service import KeyService |
| 15 | 16 |
|
| ... | ... | |
| 80 | 81 |
@pytest.fixture |
| 81 | 82 |
def certificate_service_unique(certificate_repository_unique, cryptography_service_unique, configuration): |
| 82 | 83 |
return CertificateService(cryptography_service_unique, certificate_repository_unique, configuration) |
| 84 |
|
|
| 85 |
|
|
| 86 |
@pytest.fixture |
|
| 87 |
def crl_service_unique(certificate_repository_unique, cryptography_service): |
|
| 88 |
return CrlService(certificate_repository_unique, cryptography_service) |
|
| tests/integration_tests/services/crl_service_test.py | ||
|---|---|---|
| 1 |
import time |
|
| 2 |
|
|
| 3 |
from src.model.subject import Subject |
|
| 4 |
from src.services.certificate_service import VALID_FROM_TO_DATE_FORMAT |
|
| 5 |
|
|
| 6 |
CA_INDEX_DATE_FORMAT = "%y%m%d%H%M%SZ" |
|
| 7 |
|
|
| 8 |
|
|
| 9 |
def convert_valid_to_date_to_ca_index_format(date): |
|
| 10 |
return convert_date_to_ca_index_format(time.strptime(date, VALID_FROM_TO_DATE_FORMAT)) |
|
| 11 |
|
|
| 12 |
|
|
| 13 |
def convert_date_to_ca_index_format(date): |
|
| 14 |
return time.strftime(CA_INDEX_DATE_FORMAT, date) |
|
| 15 |
|
|
| 16 |
|
|
| 17 |
def test_set_certificate_revoked(certificate_service_unique, private_key_service_unique, crl_service_unique, |
|
| 18 |
cryptography_service): |
|
| 19 |
root_ca_private_key = private_key_service_unique.create_new_key(passphrase="foobar") |
|
| 20 |
inter_ca_private_key = private_key_service_unique.create_new_key(passphrase="barfoo") |
|
| 21 |
|
|
| 22 |
root_ca_cert = certificate_service_unique.create_root_ca(root_ca_private_key, |
|
| 23 |
Subject(common_name="RootFoo", |
|
| 24 |
organization_unit="Department of Foo")) |
|
| 25 |
|
|
| 26 |
# create a CA |
|
| 27 |
foo_ca = certificate_service_unique.create_ca(inter_ca_private_key, Subject(common_name="Foo CA", locality="Brno"), |
|
| 28 |
root_ca_cert, |
|
| 29 |
root_ca_private_key) |
|
| 30 |
|
|
| 31 |
# create another CA |
|
| 32 |
bar_ca = certificate_service_unique.create_ca(inter_ca_private_key, |
|
| 33 |
Subject(common_name="Bar CA", country="CZ", locality="Pilsen"), |
|
| 34 |
root_ca_cert, |
|
| 35 |
root_ca_private_key) |
|
| 36 |
|
|
| 37 |
# create another CA |
|
| 38 |
bar_baz_ca = certificate_service_unique.create_ca(inter_ca_private_key, Subject(common_name="BarBaz CA"), |
|
| 39 |
root_ca_cert, |
|
| 40 |
root_ca_private_key) |
|
| 41 |
|
|
| 42 |
# create a certificate |
|
| 43 |
baz_cert = certificate_service_unique.create_end_cert(inter_ca_private_key, |
|
| 44 |
Subject(common_name="Baz CA", state="ST"), |
|
| 45 |
root_ca_cert, |
|
| 46 |
root_ca_private_key) |
|
| 47 |
|
|
| 48 |
# revoke first created intermediate CA |
|
| 49 |
certificate_service_unique.set_certificate_revocation_status(foo_ca.certificate_id, "revoked", "unspecified") |
|
| 50 |
# revoke second created intermediate CA |
|
| 51 |
certificate_service_unique.set_certificate_revocation_status(bar_ca.certificate_id, "revoked", "keyCompromise") |
|
| 52 |
# revoke the created end certificate (non-CA) |
|
| 53 |
certificate_service_unique.set_certificate_revocation_status(baz_cert.certificate_id, "revoked", |
|
| 54 |
"privilegeWithdrawn") |
|
| 55 |
|
|
| 56 |
# split lines |
|
| 57 |
out = crl_service_unique.create_revoked_index(root_ca_cert.certificate_id) |
|
| 58 |
|
|
| 59 |
# convert revoked date fields |
|
| 60 |
revoked_dates = [ |
|
| 61 |
convert_date_to_ca_index_format(cryptography_service.parse_cert_pem(foo_ca.pem_data)[2]), |
|
| 62 |
convert_date_to_ca_index_format(cryptography_service.parse_cert_pem(bar_ca.pem_data)[2]), |
|
| 63 |
convert_date_to_ca_index_format(cryptography_service.parse_cert_pem(baz_cert.pem_data)[2]), |
|
| 64 |
] |
|
| 65 |
|
|
| 66 |
# convert valid_to date fields |
|
| 67 |
valid_to_dates = [ |
|
| 68 |
convert_valid_to_date_to_ca_index_format(foo_ca.valid_to), |
|
| 69 |
convert_valid_to_date_to_ca_index_format(bar_ca.valid_to), |
|
| 70 |
convert_valid_to_date_to_ca_index_format(baz_cert.valid_to), |
|
| 71 |
] |
|
| 72 |
|
|
| 73 |
expected_lines = [ |
|
| 74 |
f"R {valid_to_dates[0]} {revoked_dates[0]},unspecified 02 unknown /CN=Foo CA/L=Brno",
|
|
| 75 |
f"R {valid_to_dates[1]} {revoked_dates[1]},keyCompromise 03 unknown /CN=Bar CA/C=CZ/L=Pilsen",
|
|
| 76 |
f"R {valid_to_dates[2]} {revoked_dates[2]},privilegeWithdrawn 05 unknown /CN=Baz CA/ST=ST"
|
|
| 77 |
] |
|
| 78 |
|
|
| 79 |
assert out == "\n".join(expected_lines) |
|
Také k dispozici: Unified diff
Re #8575 - Implemented CrlService that allows the caller to generate a CA database index of revoked certificates
Added an integration test verifying its validity.
Renamed NOT_BEFORE_AFTER_DATE_FORMAT constant to VALID_FROM_TO_DATE_FORMAT in certificate_service.py.
Removed debug print in cryptography.py