powerdns-admin/powerdnsadmin/lib/certutil.py

from OpenSSL import crypto
from datetime import datetime
import pytz
import os
CRYPT_PATH = os.path.abspath(os.path.dirname(os.path.realpath(__file__))  + "/../../")
CERT_FILE = CRYPT_PATH + "/saml_cert.crt"
KEY_FILE = CRYPT_PATH + "/saml_cert.key"


def check_certificate():
    if not os.path.isfile(CERT_FILE):
        return False
    st_cert = open(CERT_FILE, 'rt').read()
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, st_cert)
    now = datetime.now(pytz.utc)
    begin = datetime.strptime(cert.get_notBefore(), "%Y%m%d%H%M%SZ").replace(tzinfo=pytz.UTC)
    begin_ok = begin < now
    end = datetime.strptime(cert.get_notAfter(), "%Y%m%d%H%M%SZ").replace(tzinfo=pytz.UTC)
    end_ok = end > now
    if begin_ok and end_ok:
        return True
    return False

def create_self_signed_cert():

    # create a key pair
    k = crypto.PKey()
    k.generate_key(crypto.TYPE_RSA, 2048)

    # create a self-signed cert
    cert = crypto.X509()
    cert.get_subject().C = "DE"
    cert.get_subject().ST = "NRW"
    cert.get_subject().L = "Dortmund"
    cert.get_subject().O = "Dummy Company Ltd"
    cert.get_subject().OU = "Dummy Company Ltd"
    cert.get_subject().CN = "PowerDNS-Admin"
    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10*365*24*60*60)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(k)
    cert.sign(k, 'sha256')

    open(CERT_FILE, "bw").write(
        crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
    open(KEY_FILE, "bw").write(
        crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00			`from OpenSSL import crypto`
			`from datetime import datetime`
			`import pytz`
			`import os`
			`CRYPT_PATH = os.path.abspath(os.path.dirname(os.path.realpath(__file__)) + "/../../")`
			`CERT_FILE = CRYPT_PATH + "/saml_cert.crt"`
			`KEY_FILE = CRYPT_PATH + "/saml_cert.key"`


			`def check_certificate():`
			`if not os.path.isfile(CERT_FILE):`
			`return False`
			`st_cert = open(CERT_FILE, 'rt').read()`
			`cert = crypto.load_certificate(crypto.FILETYPE_PEM, st_cert)`
			`now = datetime.now(pytz.utc)`
			`begin = datetime.strptime(cert.get_notBefore(), "%Y%m%d%H%M%SZ").replace(tzinfo=pytz.UTC)`
			`begin_ok = begin < now`
			`end = datetime.strptime(cert.get_notAfter(), "%Y%m%d%H%M%SZ").replace(tzinfo=pytz.UTC)`
			`end_ok = end > now`
			`if begin_ok and end_ok:`
			`return True`
			`return False`

			`def create_self_signed_cert():`

			`# create a key pair`
			`k = crypto.PKey()`
			`k.generate_key(crypto.TYPE_RSA, 2048)`

			`# create a self-signed cert`
			`cert = crypto.X509()`
			`cert.get_subject().C = "DE"`
			`cert.get_subject().ST = "NRW"`
			`cert.get_subject().L = "Dortmund"`
			`cert.get_subject().O = "Dummy Company Ltd"`
			`cert.get_subject().OU = "Dummy Company Ltd"`
			`cert.get_subject().CN = "PowerDNS-Admin"`
			`cert.set_serial_number(1000)`
			`cert.gmtime_adj_notBefore(0)`
			`cert.gmtime_adj_notAfter(10365246060)`
			`cert.set_issuer(cert.get_subject())`
			`cert.set_pubkey(k)`
			`cert.sign(k, 'sha256')`

SAML certificate fix and enhancement Problems resolved: - Method create_self_signed_cert() was invoked nowhere. This puts parameter "SAML_SIGN_REQUEST" description in configs/development.py as incorrect - Method create_self_signed_cert() was returning error while trying to write out certificate and private key. File handler was opened for writing out TEXT instead of BINARY data Enhancements: - Two new parameters are introduced SAML_CERT_FILE and SAML_KEY_FILE. User can now explicitly define own certificate and key file anywhere on file-system. - If parameters mentioned in previous bullet aren't explicitly defined, in PowerDNS-Admin root directory self-signed certificate will be created. - Certificates will be used or generated in any case, because in saml.py there are explicit parameters defined which require certificate/key in order to work normally. If they aren't, exception will be thrown. Examples of parameters defined in saml.py requiring certificate: wantAssertionsEncrypted, signMetadata, wantAssertionsSigned. 2019-12-18 23:40:25 +00:00			`open(CERT_FILE, "bw").write(`
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00			`crypto.dump_certificate(crypto.FILETYPE_PEM, cert))`
SAML certificate fix and enhancement Problems resolved: - Method create_self_signed_cert() was invoked nowhere. This puts parameter "SAML_SIGN_REQUEST" description in configs/development.py as incorrect - Method create_self_signed_cert() was returning error while trying to write out certificate and private key. File handler was opened for writing out TEXT instead of BINARY data Enhancements: - Two new parameters are introduced SAML_CERT_FILE and SAML_KEY_FILE. User can now explicitly define own certificate and key file anywhere on file-system. - If parameters mentioned in previous bullet aren't explicitly defined, in PowerDNS-Admin root directory self-signed certificate will be created. - Certificates will be used or generated in any case, because in saml.py there are explicit parameters defined which require certificate/key in order to work normally. If they aren't, exception will be thrown. Examples of parameters defined in saml.py requiring certificate: wantAssertionsEncrypted, signMetadata, wantAssertionsSigned. 2019-12-18 23:40:25 +00:00			`open(KEY_FILE, "bw").write(`
added application certificate handling for signed SAML messages 2018-01-20 16:17:02 +00:00			`crypto.dump_privatekey(crypto.FILETYPE_PEM, k))`