[objets, attributs] Vérifications de contraintes liées au certificats d'un machine

2014-02-23 15:29:26 +01:00 · 2014-02-23 15:29:26 +01:00 · 626851baca
commit 626851baca
parent afb436f706
2 changed files with 148 additions and 7 deletions
--- a/attributs.py
+++ b/attributs.py
@ -1444,6 +1444,7 @@ class issuerCN(Attr):
@crans_attribute
 class serialNumber(Attr):
    ldap_name = "serialNumber"
+    python_type = int

@crans_attribute
 class start(intAttr):
@ -1469,8 +1470,78 @@ class certificat(Attr):
    ldap_name = "certificat"
    binary = True
    python_type = str
+
+    def __init__(self, *args, **kwargs):
+        super(certificat, self).__init__(*args, **kwargs)
+        self.data = None
+
+    def _decode_subjectAltName(self, data):
+        from pyasn1.codec.der import decoder
+        from pyasn1_modules.rfc2459 import SubjectAltName
+        altName = []
+        sa_names = decoder.decode(data, asn1Spec=SubjectAltName())[0]
+        for name in sa_names:
+            name_type = name.getName()
+            if name_type == 'dNSName':
+                altName.append(unicode(name.getComponent()))
+            else:
+                raise ValueError("Seulement les dNSName sont supporté pour l'extension de certificat SubjectAltName")
+        return altName
+
+    def _format_cert(self, certificat):
+            import OpenSSL
+            if certificat.startswith('-----BEGIN CERTIFICATE-----'):
+                certificat = ssl.PEM_cert_to_DER_cert(certificat)
+            try:
+                x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, certificat)
+            except:
+                certificat = base64.b64decode(certificat)
+                x509 = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, certificat)
+            data = {}
+            data['subject'] = dict(x509.get_subject().get_components())
+            data['issuer'] = dict(x509.get_issuer().get_components())
+            data['start'] = int(time.mktime(time.strptime(x509.get_notBefore(), '%Y%m%d%H%M%SZ')))
+            data['end'] = int(time.mktime(time.strptime(x509.get_notAfter(), '%Y%m%d%H%M%SZ')))
+            data['serialNumber'] = unicode(int(x509.get_serial_number()))
+            data['extensions'] = {}
+            for i in range(0, x509.get_extension_count()):
+                ext = x509.get_extension(i)
+                ext_name = ext.get_short_name()
+                if ext_name == 'subjectAltName':
+                    data['extensions'][ext_name] = self._decode_subjectAltName(ext.get_data())
+                else:
+                    data['extensions'][ext_name] = str(ext)
+            return (certificat, data)
+
+    def parse_value(self, certificat):
+        if self.parent.mode in ['w', 'rw']:
+            (certificat, data) = self._format_cert(certificat)
+            self.data = data
+
+            if not 'x509Cert' in self.parent['objectClass']:
+                self.parent.x509(unicode(data['issuer']['CN']), data['start'], data['end'], data['serialNumber'])
+            else:
+                self.parent['issuerCN'] = unicode(data['issuer']['CN'])
+                self.parent['start'] = data['start']
+                self.parent['end'] = data['end']
+                self.parent['serialNumber'] = data['serialNumber']
+
+            for hostname in [data['subject']['CN']] + data['extensions'].get('subjectAltName',[]):
+                if hostname not in self.parent['hostCert']:
+                    self.parent['hostCert'].append(hostname)
+
+        self.value = certificat
+
+    def __getitem__(self, key):
+        if not self.data:
+            self.data=self._format_cert(self.value)[1]
+        return self.data[key]
+
+    def pem(self):
+        return ssl.DER_cert_to_PEM_cert(self.value)
+
    def __unicode__(self):
-        return unicode(ssl.DER_cert_to_PEM_cert(self.value))
+        return unicode(base64.b64encode(self.value))
    def __str__(self):
        return self.value