ASWI - Pokročilé softwarové inženýrství » ASWI 2021 » Aplikace pro správu X.509 certifikátů (Yoso Czech s.r.o.) - JMSD

import re

import time

# openssl executable name

OPENSSL_EXECUTABLE = "openssl"

NOT_AFTER_BEFORE_DATE_FORMAT = "%b %d %H:%M:%S %Y %Z"

# specifies distinguished_name that references empty section only

# openssl requires this option to be present

MINIMAL_CONFIG_FILE = "[req]\ndistinguished_name = req_distinguished_name\n[req_distinguished_name]\n\n"

# section to be used to specify extensions when creating a SSCRT

SSCRT_SECTION = "sscrt_ext"

CA_EXTENSIONS = "basicConstraints=critical,CA:TRUE"

MAX_SN = 4294967296

class CryptographyService:

    @staticmethod

        """

        Converts the given subject to a dictionary containing openssl field names mapped to subject's fields

        :param subject: subject to be converted

        :return: a dictionary containing openssl field names mapped to subject's fields

        """

        if subject.common_name is not None:

            subj_dict["CN"] = subject.common_name

        if subject.country is not None:

            subj_dict["C"] = subject.country

        if subject.locality is not None:

            subj_dict["L"] = subject.locality

        if subject.state is not None:

            subj_dict["ST"] = subject.state

        if subject.organization is not None:

            subj_dict["O"] = subject.organization

        if subject.organization_unit is not None:

            subj_dict["OU"] = subject.organization_unit

        if subject.email_address is not None:

            subj_dict["emailAddress"] = subject.email_address

        # merge the subject into a "subj" parameter format

        return "".join([f"/{key}={value}" for key, value in subj_dict.items()])

    @staticmethod

        Launches a new process in which the given executable is run. STDIN and process arguments can be set.

        If the process ends with a non-zero then <CryptographyException> is raised.

        :return: If the process ends with a zero return code then the STDOUT of the process is returned as a byte array.

        """

        if args is None:

            args = []

        try:

            # prepend the name of the executable

            args.insert(0, executable)

            # create a new process

                                    stdout=subprocess.PIPE,

            if proc.returncode != 0:

                # if the process did not result in zero result code, then raise an exception

                else:

                    raise CryptographyException(executable, args,

                                                f""""Execution resulted in non-zero argument""")

            return out

        except FileNotFoundError:

            raise CryptographyException(executable, args, f""""{executable}" not found in the current PATH.""")

    def create_private_key(self, passphrase=None):

        """

        Creates a private key with the option to encrypt it using a passphrase.

        :param passphrase: A passphrase to be used when encrypting the key (if none is passed then the key is not

        encrypted at all). Empty passphrase ("") also results in a key that is not encrypted.

        if passphrase is None or len(passphrase) == 0:

        Creates a root CA

        :param subject: an instance of <Subject> representing the subject to be added to the certificate

        :param extensions: name of the section in the configuration representing extensions

        assert key is not None

        assert subject is not None

        # file instead of an extension file. Therefore the following code creates

        # the most basic configuration file with sscrt_ext section, that is later

        # reference in openssl req command using -extensions option.

        extensions += "\n"+CA_EXTENSIONS

        if len(config) == 0:

            # without passing it openssl generates a random one

            if sn is not None:

                args.extend(["-set_serial", str(sn)])

                args.extend(["-config", conf_path])

            if len(extensions) > 0:

            # it would be best to not send the pass phrase at all, but for some reason pytest then prompts for

            # the pass phrase (this does not happen when run from pycharm)

            # waiting for the passphrase to be typed in

        :param subject: an instance of <Subject> representing the subject to be added to the CSR

        :param key_pass: passphrase of the subject's private key

        args = ["req", "-new", "-subj", subj_param, "-key", "-"]

        # waiting for the passphrase to be typed in

        Signs the given CSR by the given issuer CA

        :param issuer_pem: string containing the certificate of the issuer that will sign this CSR in PEM format

        :param issuer_key: string containing the private key of the issuer's certificate in PEM format

        format

        """

        # concatenate CSR, issuer certificate and issuer's key (will be used in the openssl call)

        proc_input = csr + issuer_pem + issuer_key

        # when serial number is not passed generate a random one

        if sn is None:

            sn = random.randint(0, MAX_SN)

        # CSR, CA and CA's private key will be passed via stdin (that's the meaning of the '-' symbol)

                  "-set_serial", str(sn)]

        with TemporaryFile("extensions.conf", extensions) as ext_path:

            # add the passphrase even when None is passed. Otherwise when running tests with pytest some tests freeze

            # waiting for the passphrase to be typed in

            params.extend(["-passin", f"pass:{issuer_key_pass}"])

            if len(extensions) > 0:

                params.extend(["-extfile", ext_path])

                   sn: int = None):

        :param issuer_pem: string containing the certificate of the issuer that will sign this CSR in PEM format

        in PEM format

        format

        :param extensions: extensions to be applied when creating the certificate

    @staticmethod

        """

        Verifies whether the given certificate is not expired.

        :param certificate: certificate to be verified in PEM format

        :return: Returns `true` if the certificate is not expired, `false` when expired.

        """

        args = [OPENSSL_EXECUTABLE, "x509", "-checkend", "0", "-noout", "-text", "-in", "-"]

        # create a new process

        proc = subprocess.Popen(args, stdin=subprocess.PIPE,

                                stdout=subprocess.PIPE,

                                stderr=subprocess.PIPE)

        out, err = proc.communicate(bytes(certificate, encoding="utf-8"))

        # zero return code means that the certificate is valid

        if proc.returncode == 0:

            return True

        elif proc.returncode == 1 and "Certificate will expire" in out.decode():

            # 1 return code means that the certificate is invalid but such message has to be present in the proc output

            return False

        else:

            # the process failed because of some other reason (incorrect cert format)

            raise CryptographyException(OPENSSL_EXECUTABLE, args, err.decode())

        :param private_key_pem: PEM data representing the private key from which a public key should be extracted

        :param passphrase: passphrase to be provided when the supplied private key is encrypted

        """

        if passphrase is not None:

            args.extend(["-passin", f"pass:{passphrase}"])

        return self.__run_for_output(args, proc_input=bytes(private_key_pem, encoding="utf-8")).decode()

        """

        Extracts a public key from the given certificate passed in PEM format

        :param cert_pem: PEM data representing a certificate from which a public key should be extracted

        :return: a string containing the extracted public key in PEM format

        """

        # extracting public key from a certificate does not seem to require a passphrase even when

        # signed using an encrypted PK

        args = ["x509", "-in", "-", "-noout", "-pubkey"]

        return self.__run_for_output(args, proc_input=bytes(cert_pem, encoding="utf-8")).decode()

        and NOT_AFTER field

        # run openssl x509 to view certificate content

        # split lines

        results = re.split("\n", cert_info_raw)

        not_before_line = results[1].strip()

        not_after_line = results[2].strip()

        # attempt to extract subject via regex

        match = re.search(r"subject=(.*)", subj_line)

            found = re.findall(r"\s?([^c=\s]+)\s?=\s?([^,\n]+)", match.group(1))

            for key, value in found:

                if key == "C":

        # extract notBefore and notAfter date fields

        not_before = re.search(r"notBefore=(.*)", not_before_line)

        not_after = re.search(r"notAfter=(.*)", not_after_line)

        # if date fields are found parse them into date objects

        if not_before is not None:

        # TODO wrapper class?

        # return it as a tuple

        return subj, not_before, not_after

        """

        Get version of the OpenSSL installed on the system

        :return: version of the OpenSSL as returned from the process

        """

        return self.__run_for_output(["version"]).decode("utf-8")

class CryptographyException(Exception):

    def __init__(self, executable, args, message):

        self.executable = executable

        self.args = args

        self.message = message

    def __str__(self):

        return f"""

        EXECUTABLE: {self.executable}

        ARGS: {self.args}

        MESSAGE: {self.message}

        """