def load_csr(data):
"""
Loads a PEM X.509 CSR.
"""
return x509.load_pem_x509_csr(data, default_backend())
python类load_pem_x509_csr()的实例源码
def test_convert_from_cryptography(self):
crypto_req = x509.load_pem_x509_csr(
cleartextCertificateRequestPEM, backend
)
req = X509Req.from_cryptography(crypto_req)
assert isinstance(req, X509Req)
def list_hosts(self):
hosts = {}
for csr_file in os.listdir(self.csr_path):
with open(os.path.join(self.csr_path, csr_file), 'rb') as f:
csr = x509.load_pem_x509_csr(f.read(), default_backend())
hosts[csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value] = {
'key_fingerprint': rsa_key_fingerprint(csr.public_key()),
'cert_fingerprint': None,
'status': 'pending',
}
for crt_file in os.listdir(self.crt_path):
with open(os.path.join(self.crt_path, crt_file), 'rb') as f:
crt = x509.load_pem_x509_certificate(f.read(), default_backend())
revoked = revoked_cert(crt, self.crl)
if revoked:
status = 'revoked'
else:
status = 'authorized'
hosts[crt.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value] = {
'key_fingerprint': rsa_key_fingerprint(crt.public_key()),
'cert_fingerprint': x509_cert_fingerprint(crt),
'status': status,
}
return hosts
def sign_certificate_request(csr_file, crt_file, ca_crt, ca_pkey):
with open(csr_file, 'rb') as f:
csr = x509.load_pem_x509_csr(data=f.read(), backend=default_backend())
crt = x509.CertificateBuilder().subject_name(
csr.subject
).issuer_name(
ca_crt.subject
).public_key(
csr.public_key()
).serial_number(
uuid.uuid4().int # pylint: disable=no-member
).not_valid_before(
datetime.datetime.utcnow()
).not_valid_after(
datetime.datetime.utcnow() + datetime.timedelta(days=365 * 10)
).add_extension(
extension=x509.KeyUsage(
digital_signature=True, key_encipherment=True, content_commitment=True,
data_encipherment=False, key_agreement=False, encipher_only=False, decipher_only=False, key_cert_sign=False, crl_sign=False
),
critical=True
).add_extension(
extension=x509.BasicConstraints(ca=False, path_length=None),
critical=True
).add_extension(
extension=x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_pkey.public_key()),
critical=False
).sign(
private_key=ca_pkey,
algorithm=hashes.SHA256(),
backend=default_backend()
)
with open(crt_file, 'wb') as f:
f.write(crt.public_bytes(encoding=serialization.Encoding.PEM))
def _handle_auth(self):
request_data = request.json
csr = x509.load_pem_x509_csr(data=request_data['csr'].encode(), backend=default_backend()) # pylint: disable=unsubscriptable-object
if not csr.is_signature_valid:
raise HTTPResponse(
status=400,
body={'message': 'The certificate signing request signature is invalid.'}
)
host = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
csr_file = os.path.join(self.csr_path, "%s.csr" % (host))
crt_file = os.path.join(self.crt_path, "%s.crt" % (host))
if os.path.isfile(crt_file):
crt = load_certificate(crt_file)
if crt.public_key().public_numbers() == csr.public_key().public_numbers():
return {
'status': 'authorized',
'crt': dump_pem(crt).decode()
}
else:
raise HTTPResponse(
status=409,
body={'message': 'Mismatch between the certificate signing request and the certificate.'}
)
else:
# Save CSR
with open(csr_file, 'w') as f:
f.write(csr.public_bytes(serialization.Encoding.PEM).decode())
response.status = 202
return {
'status': 'pending'
}
def load(cls, data=None, filename=None):
if filename is not None:
with open(filename, 'rb') as fh:
data = fh.read()
csr = x509.load_pem_x509_csr(
data, default_backend())
return CSR(csr)
def load_csr(data):
"""
Loads a PEM X.509 CSR.
"""
return x509.load_pem_x509_csr(data, default_backend())
def __call__(self, parser, namespace, values, option_string):
setattr(namespace,
self.dest,
x509.load_pem_x509_csr(raw_loader(values), backend))
