ca.py 4.63 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123
from OpenSSL import crypto
import logging
import os
import subprocess
import time

from autoca import ca_storage
from autoca import certutil

log = logging.getLogger(__name__)


class CA(object):

    def __init__(self, root, subject, bits=1024, digest='sha1'):
        self.ca_subject = subject
        self.bits = bits
        self.digest = digest
        self.storage = ca_storage.FileStorage(root)
        self._init_ca()
        self._update_crl()

    def _init_ca(self):
        key_str, crt_str = self.storage.get_ca()
        if key_str:
            self.ca_key = crypto.load_privatekey(
                crypto.FILETYPE_PEM, key_str)
            self.ca_crt = crypto.load_certificate(
                crypto.FILETYPE_PEM, crt_str)
            self.public_ca_pem = crt_str
        else:
            log.info('initializing CA certificate and private key')
            self.ca_key = certutil.create_rsa_key_pair(self.bits)
            ca_req = certutil.create_cert_request(
                self.ca_key, **(self.ca_subject))
            self.ca_crt = certutil.sign_certificate(
                ca_req, self.ca_key, ca_req, 1, 3650,
                extensions=[
                    crypto.X509Extension('basicConstraints', True,
                                         'CA:TRUE, pathlen:0'),
                    crypto.X509Extension('keyUsage', True,
                                         'keyCertSign, cRLSign'),
                    #crypto.X509Extension('subjectKeyIdentifier', False,
                    #                     'hash', subject=ca_req),
                    ],
                digest=self.digest)

            crt_str = crypto.dump_certificate(
                crypto.FILETYPE_PEM, self.ca_crt)
            self.storage.set_ca(
                crypto.dump_privatekey(crypto.FILETYPE_PEM, self.ca_key),
                crt_str)
            self.public_ca_pem = crt_str

    def sign_certificate(self, req, days=365, server=False):
        cn = req.get_subject().CN
        log.info('sign request for cn=%s', cn)
        cert = self.get_certificate(cn)
        if cert:
            log.info('a valid certificate already exists for cn=%s, '
                     'revoking it', cn)
            self._revoke_certificate(cn, cert.get_serial_number())
        new_serial = self.storage.get_next_serial()
        extensions = [
            crypto.X509Extension('basicConstraints', True, 'CA:FALSE'),
            crypto.X509Extension('keyUsage', True,
                                 '%sdigitalSignature, keyEncipherment' % (
                    server and '' or 'nonRepudiation, ')),
            crypto.X509Extension('extendedKeyUsage', True,
                                 server and 'serverAuth' or 'clientAuth'),
            crypto.X509Extension('nsCertType', True,
                                 server and 'server' or 'client'),
            ]
        cert = certutil.sign_certificate(
            req, self.ca_key, self.ca_crt, new_serial, days,
            extensions=extensions, digest=self.digest)
        self.storage.store_certificate(
            cn, crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
        return cert

    def _update_crl(self):
        self.crl_data_der = ''
        self.crl_data_pem = self.storage.get_crl() or ''
        if self.crl_data_pem:
            # Re-read the CRL data in DER and PEM formats.
            pipe = subprocess.Popen(
                ['openssl', 'crl', '-inform', 'PEM', '-outform', 'DER'],
                stdout=subprocess.PIPE)
            self.crl_data_der = pipe.communicate(self.crl_data_pem)[0]

    def _revoke_certificate(self, cn, serial_num):
        log.debug('revoking certificate: cn=%s, serial=%s', cn, serial_num)
        if self.crl_data_pem:
            crl = crypto.load_crl(crypto.FILETYPE_PEM, self.crl_data_pem)
        else:
            crl = crypto.CRL()
        revoked_set = set(x.get_serial() for x in crl.get_revoked())
        if serial_num in revoked_set:
            return

        r = crypto.Revoked()
        r.set_serial(str(serial_num))
        crl.add_revoked(r)

        self.storage.delete_certificate(cn)
        self.storage.set_crl(crl.export(self.ca_crt, self.ca_key,
                                        crypto.FILETYPE_PEM, 7))
        self._update_crl()

    def revoke_certificate(self, cn):
        serial_num = self.get_serial(cn)
        if serial_num:
           self._revoke_certificate(cn, serial_num) 

    def get_certificate(self, cn):
        data = self.storage.get_certificate(cn)
        if data:
            return crypto.load_certificate(crypto.FILETYPE_PEM, data)

    def get_serial(self, cn):
        crt = self.get_certificate(cn)
        if crt:
            return crt.get_serial_number()