def test_dump_certificate_request(self):
"""
L{dump_certificate_request} writes a PEM, DER, and text.
"""
req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
good_der = _runopenssl(dumped_pem, "req", "-outform", "DER")
self.assertEqual(dumped_der, good_der)
req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
good_text = _runopenssl(dumped_pem, "req", "-noout", "-text")
self.assertEqual(dumped_text, good_text)
python类load_certificate_request()的实例源码
def test_dump_certificate_request(self):
"""
:py:obj:`dump_certificate_request` writes a PEM, DER, and text.
"""
req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER")
self.assertEqual(dumped_der, good_der)
req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
good_text = _runopenssl(dumped_pem, b"req", b"-noout", b"-text")
self.assertEqual(dumped_text, good_text)
self.assertRaises(ValueError, dump_certificate_request, 100, req)
def test_dump_certificate_request(self):
"""
:py:obj:`dump_certificate_request` writes a PEM, DER, and text.
"""
req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER")
self.assertEqual(dumped_der, good_der)
req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
good_text = _runopenssl(dumped_pem, b"req", b"-noout", b"-text")
self.assertEqual(dumped_text, good_text)
self.assertRaises(ValueError, dump_certificate_request, 100, req)
def test_dump_certificate_request(self):
"""
L{dump_certificate_request} writes a PEM, DER, and text.
"""
req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
good_der = _runopenssl(dumped_pem, "req", "-outform", "DER")
self.assertEqual(dumped_der, good_der)
req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
good_text = _runopenssl(dumped_pem, "req", "-noout", "-text")
self.assertEqual(dumped_text, good_text)
self.assertRaises(ValueError, dump_certificate_request, 100, req)
def test_dump_certificate_request(self):
"""
L{dump_certificate_request} writes a PEM, DER, and text.
"""
req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
good_der = _runopenssl(dumped_pem, "req", "-outform", "DER")
self.assertEqual(dumped_der, good_der)
req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
good_text = _runopenssl(dumped_pem, "req", "-noout", "-text")
self.assertEqual(dumped_text, good_text)
def load(Class, requestData, requestFormat=crypto.FILETYPE_ASN1):
req = crypto.load_certificate_request(requestFormat, requestData)
dn = DistinguishedName()
dn._copyFrom(req.get_subject())
if not req.verify(req.get_pubkey()):
raise VerifyError("Can't verify that request for %r is self-signed." % (dn,))
return Class(req)
def test_convert_to_cryptography_key(self):
req = load_certificate_request(
FILETYPE_PEM, cleartextCertificateRequestPEM
)
crypto_req = req.to_cryptography()
assert isinstance(crypto_req, x509.CertificateSigningRequest)
def test_dump_certificate_request(self):
"""
`dump_certificate_request` writes a PEM, DER, and text.
"""
req = load_certificate_request(
FILETYPE_PEM, cleartextCertificateRequestPEM)
dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
assert dumped_pem == cleartextCertificateRequestPEM
dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
good_der = _runopenssl(dumped_pem, b"req", b"-outform", b"DER")
assert dumped_der == good_der
req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
assert dumped_pem2 == cleartextCertificateRequestPEM
dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
good_text = _runopenssl(
dumped_pem, b"req", b"-noout", b"-text", b"-nameopt", b"")
assert dumped_text == good_text
with pytest.raises(ValueError):
dump_certificate_request(100, req)
def test_bad_file_type(self):
"""
If the file type passed to `load_certificate_request` is neither
`FILETYPE_PEM` nor `FILETYPE_ASN1` then `ValueError` is raised.
"""
with pytest.raises(ValueError):
load_certificate_request(object(), b"")
with pytest.raises(ValueError):
load_certificate(object(), b"")
def load(Class, requestData, requestFormat=crypto.FILETYPE_ASN1):
req = crypto.load_certificate_request(requestFormat, requestData)
dn = DistinguishedName()
dn._copyFrom(req.get_subject())
if not req.verify(req.get_pubkey()):
raise VerifyError("Can't verify that request for %r is self-signed." % (dn,))
return Class(req)
def test_badFileType(self):
"""
If the file type passed to :py:obj:`load_certificate_request` is
neither :py:obj:`FILETYPE_PEM` nor :py:obj:`FILETYPE_ASN1` then
:py:class:`ValueError` is raised.
"""
self.assertRaises(ValueError, load_certificate_request, object(), b"")
def load(Class, requestData, requestFormat=crypto.FILETYPE_ASN1):
req = crypto.load_certificate_request(requestFormat, requestData)
dn = DistinguishedName()
dn._copyFrom(req.get_subject())
if not req.verify(req.get_pubkey()):
raise VerifyError("Can't verify that request for %r is self-signed." % (dn,))
return Class(req)
def load_certificate_request(path):
"""Load the specified certificate signing request."""
try:
csr_content = open(path, 'rb').read()
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_content)
return csr
except (IOError, OSError) as exc:
raise OpenSSLObjectError(exc)
def test_badFileType(self):
"""
If the file type passed to :py:obj:`load_certificate_request` is
neither :py:obj:`FILETYPE_PEM` nor :py:obj:`FILETYPE_ASN1` then
:py:class:`ValueError` is raised.
"""
self.assertRaises(ValueError, load_certificate_request, object(), b"")
def sign_csr(arg_userid, arg_csr_path, arg_crt_path):
# csr = User CSR file in internal crypto format
(result, buffer) = get_file_contents(arg_csr_path)
if not result:
app.logger.error("sign_csr: cannot access CSR {%s} for user {%s}, reason: {%s}", arg_csr_path, arg_userid, buffer)
return False
try:
csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, buffer)
except Exception as e:
app.logger.error("sign_csr: load CSR {%s} for user {%s} failed, reason: {%s}", arg_csr_path, arg_userid, repr(e))
return False
# CAcertificate = CA certificate in internal crypto format
(result, buffer) = get_file_contents(CA_CRT_FILE)
if not result:
app.logger.error("sign_csr: cannot access CA certificate {%s} for user {%s}, reason: {%s}", CA_CRT_FILE, arg_userid, repr(e))
return False
try:
CAcertificate = crypto.load_certificate(crypto.FILETYPE_PEM, buffer)
if app.debug:
app.logger.debug("sign_csr: CA cert subject = {%s}", CAcertificate.get_subject())
except Exception as e:
app.logger.error("sign_csr: load CA certificate {%s} for user {%s} failed, reason: {%s}", CA_CRT_FILE, arg_userid, repr(e))
return False
# CAprivatekey = CA private key in internal crypto format
(result, buffer) = get_file_contents(CA_KEY_FILE)
if not result:
app.logger.error("sign_csr: cannot access CA private key {%s} for user {%s}, reason: {%s}", CA_KEY_FILE, arg_userid, buffer)
return False
try:
CAprivatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, buffer)
except Exception as e:
app.logger.error("sign_csr: load CA private key {%s} for user {%s} failed, reason: {%s}", CA_KEY_FILE, arg_userid, repr(e))
# Sign CSR, giving the CRT
try:
cert = crypto.X509()
cert.set_serial_number(42)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(EXPIRY_PERIOD)
cert.set_issuer(CAcertificate.get_subject())
subject = csr.get_subject() # will log the subject later
cert.set_subject(subject)
cert.set_pubkey(csr.get_pubkey())
cert.sign(CAprivatekey, DIGEST)
except Exception as e:
app.logger.error("sign_csr: Cannot sign CSR {%s} for user {%s}, reason: {%s}", arg_csr_path, arg_userid, repr(e))
return False
# Store signed CRT
try:
file = open(arg_crt_path, "w")
file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))
file.flush()
os.fsync(file)
file.close()
except Exception as e:
app.logger.error("sign_csr: Cannot store CRT {%s} for user {%s}, reason: {%s}", arg_crt_path, arg_userid, repr(e))
return False
# Success
app.logger.info("sign_csr: Success with CRT {%s} for user {%s}, subject={%s}", arg_csr_path, arg_userid, subject)
return True
def create_cert_signed_certificate(self, sign_cert_str, sign_key_str,
request_cert_str, hash_alg="sha256",
valid_from=0, valid_to=315360000, sn=1,
passphrase=None):
"""
Will sign a certificate request with a give certificate.
:param sign_cert_str: This certificate will be used to sign with.
Must be a string representation of
the certificate. If you only have a file
use the method read_str_from_file to
get a string representation.
:param sign_key_str: This is the key for the ca_cert_str
represented as a string.
If you only have a file use the method
read_str_from_file to get a string
representation.
:param request_cert_str: This is the prepared certificate to be
signed. Must be a string representation of
the requested certificate. If you only have
a file use the method read_str_from_file
to get a string representation.
:param hash_alg: Hash algorithm to use for the key. Default
is sha256.
:param valid_from: When the certificate starts to be valid.
Amount of seconds from when the
certificate is generated.
:param valid_to: How long the certificate will be valid from
when it is generated.
The value is in seconds. Default is
315360000 seconds, a.k.a 10 years.
:param sn: Serial number for the certificate. Default
is 1.
:param passphrase: Password for the private key in sign_key_str.
:return: String representation of the signed
certificate.
"""
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, sign_cert_str)
ca_key = None
if passphrase is not None:
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str,
passphrase)
else:
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str)
req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM,
request_cert_str)
cert = crypto.X509()
cert.set_subject(req_cert.get_subject())
cert.set_serial_number(sn)
cert.gmtime_adj_notBefore(valid_from)
cert.gmtime_adj_notAfter(valid_to)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(req_cert.get_pubkey())
cert.sign(ca_key, hash_alg)
cert_dump = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
if isinstance(cert_dump, six.string_types):
return cert_dump
return cert_dump.decode('utf-8')
