Commit abe15200 authored by Alain Takoudjou's avatar Alain Takoudjou

follow naming convention, fix getting new X509Name object for createCertificate

parent 809c04cd
...@@ -42,20 +42,15 @@ MIN_CA_RENEW_PERIOD = 2 ...@@ -42,20 +42,15 @@ MIN_CA_RENEW_PERIOD = 2
DEFAULT_DIGEST_LIST = ['sha256', 'sha384', 'sha512'] DEFAULT_DIGEST_LIST = ['sha256', 'sha384', 'sha512']
SUBJECT_KEY_LIST = ['C', 'ST', 'L', 'OU', 'O', 'CN', 'emailAddress'] SUBJECT_KEY_LIST = ['C', 'ST', 'L', 'OU', 'O', 'CN', 'emailAddress']
def x509_name(**attrs): def getX509NameFromDict(**name_dict):
""" """
Return a new X509Name with the given attributes. Return a new X509Name with the given attributes.
""" """
# XXX There's no other way to get a new X509Name. # XXX There's no other way to get a new X509Name.
name = crypto.X509().get_subject() name = crypto.X509().get_subject()
attrs = list(attrs.items())
for key, value in name_dict.items():
# Make the order stable - order matters! setattr(name, key, value)
def key(attr):
return attr[1]
attrs.sort(key=key)
for k, v in attrs:
setattr(name, k, v)
return name return name
class CertificateAuthority(object): class CertificateAuthority(object):
...@@ -251,14 +246,16 @@ class CertificateAuthority(object): ...@@ -251,14 +246,16 @@ class CertificateAuthority(object):
if ca_key_pair is None: if ca_key_pair is None:
ca_key_pair = self._ca_key_pairs_list[-1] ca_key_pair = self._ca_key_pairs_list[-1]
if subject_dict: if subject_dict:
for attr in subject_dict.keys():
if not attr in SUBJECT_KEY_LIST:
raise ValueError("Subject key %r is not allowed. Certificate subject " \
"key should be one of %r" % (attr, SUBJECT_KEY_LIST))
if subject_dict.has_key('C') and len(subject_dict['C']) != 2: if subject_dict.has_key('C') and len(subject_dict['C']) != 2:
# Country code size is 2 # Country code size is 2
raise ValueError("Country Code size in subject should be equal to 2.") raise ValueError("Country Code size in subject should be equal to 2.")
subject = x509_name(**subject_dict) if not subject_dict.has_key('CN'):
raise AttributeError("Attribute 'CN' is required in subject.")
try:
subject = getX509NameFromDict(**subject_dict)
except AttributeError:
raise AttributeError("X509Name attribute not found. Subject " \
"keys should be in %r" % SUBJECT_KEY_LIST)
cert_pem = self._generateCertificateObjects(ca_key_pair, cert_pem = self._generateCertificateObjects(ca_key_pair,
csr_pem, csr_pem,
serial, serial,
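Review bot: Dropping the explicit SUBJECT_KEY_LIST loop and relying on the AttributeError from getX509NameFromDict widens what a caller can put into the subject: any attribute that pyOpenSSL's X509Name accepts but that is not in SUBJECT_KEY_LIST now passes, while the error message at the end of the hunk still claims that keys must be in SUBJECT_KEY_LIST; since subject_dict comes from json.loads in the sign_cert view, this set is client-controlled. Keeping the check before the try costs two lines: `if not set(subject_dict) <= set(SUBJECT_KEY_LIST):` / `raise ValueError("Subject keys should be in %r" % SUBJECT_KEY_LIST)`. The rewritten getX509NameFromDict in the first hunk also lost the sorted iteration and its "order matters" comment; under the Python 2 this file targets, dict iteration order is not stable, so the same subject_dict can presumably yield differently ordered DNs — `for key in sorted(name_dict):` with `setattr(name, key, name_dict[key])` would restore determinism. createCertificate's signature and the rest of its body are outside the hunk.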
...@@ -268,10 +268,10 @@ m4DpuP4nL0ixQJWZuV+qrx6Tow== ...@@ -268,10 +268,10 @@ m4DpuP4nL0ixQJWZuV+qrx6Tow==
subject_dict = {'CN': 'some.site.com', subject_dict = {'CN': 'some.site.com',
'C': 'FR', 'C': 'FR',
'ST': 'State',
'L': 'Localisation',
'O': 'My Organisation', 'O': 'My Organisation',
'L': 'Localisation',
'OU': 'Organisation U', 'OU': 'Organisation U',
'ST': 'State',
'emailAddress': 'toto@example.com'} 'emailAddress': 'toto@example.com'}
# sign certificate but change subject # sign certificate but change subject
cert_id = ca.createCertificate(csr_id, subject_dict=subject_dict) cert_id = ca.createCertificate(csr_id, subject_dict=subject_dict)
...@@ -287,6 +287,17 @@ m4DpuP4nL0ixQJWZuV+qrx6Tow== ...@@ -287,6 +287,17 @@ m4DpuP4nL0ixQJWZuV+qrx6Tow==
with self.assertRaises(NotFound): with self.assertRaises(NotFound):
ca.getPendingCertificateRequest(csr_id) ca.getPendingCertificateRequest(csr_id)
def test_createCertificate_custom_subject_no_cn(self):
ca = self.make_ca(190)
csr, key = self.generateCSR(cn="test certificate", email="some@test.com")
csr_id = ca.createCertificateSigningRequest(self.csr_tostring(csr))
subject_dict = dict(C="FR", emailAddress="caucase@email.com")
# CN is missing, will raise
with self.assertRaises(AttributeError):
ca.createCertificate(csr_id, subject_dict=subject_dict)
def test_getCAKeypairForCertificate(self): def test_getCAKeypairForCertificate(self):
csr, key = self.generateCSR() csr, key = self.generateCSR()
ca = self.make_ca(3) ca = self.make_ca(3)
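Review bot: test_createCertificate_custom_subject_no_cn asserts only the exception type, and AttributeError is also what createCertificate raises for an unknown subject key, so the test cannot tell the missing-CN path from the unknown-key path. Pinning the message, e.g. `with self.assertRaisesRegexp(AttributeError, "'CN' is required"):`, makes the test specific, and a sibling test passing a key outside SUBJECT_KEY_LIST (for instance `dict(CN="x", foo="bar")`) would cover the other branch, which this commit leaves untested. The enclosing test class starts outside the hunk.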
...@@ -508,6 +508,10 @@ def sign_cert(): ...@@ -508,6 +508,10 @@ def sign_cert():
subject_dict = json.loads(subject) subject_dict = json.loads(subject)
return signcert(key, subject_dict=subject_dict) return signcert(key, subject_dict=subject_dict)
except ValueError, e: except ValueError, e:
traceback.print_exc()
raise FlaskException(str(e),
payload={"name": "FileFormat", "code": 3})
except AttributeError, e:
raise FlaskException(str(e), raise FlaskException(str(e),
payload={"name": "FileFormat", "code": 3}) payload={"name": "FileFormat", "code": 3})
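Review bot: The new `except AttributeError` branch reports every AttributeError raised inside signcert as a client-side "FileFormat" error with the same payload as the ValueError branch, so a genuine attribute bug in the signing code would surface to the client as a malformed request and, unlike the ValueError branch just above it, without the traceback being printed. Folding both into one clause, `except (ValueError, AttributeError), e:`, removes the duplicated payload and keeps the trace for both; if only the two validation messages from createCertificate are meant here, a dedicated exception type would be the cleaner fix. Values produced by json.loads are not guaranteed to be strings, and a non-string subject value presumably raises TypeError from X509Name rather than either of these, which would propagate unhandled — confirm against the pyOpenSSL version in use. sign_cert's signature and the start of its try block are outside the hunk.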