X509Certificate

X509Certificate is a class for managing X509 certificates

Proxy RFC: https://tools.ietf.org/html/rfc3820

X509RFC: https://tools.ietf.org/html/rfc5280

class DIRAC.Core.Security.m2crypto.X509Certificate.X509Certificate(x509Obj=None, certString=None)

Bases: object

The X509Certificate object represents … an X509 certificate.

It is a wrapper around a lower-level implementation (M2Crypto in this case) of a certificate. In theory, it can be a host or user certificate. A proxy certificate is also an X509Certificate, but it is useless without the whole chain of issuers; that is why there is the X509Chain.

In practice, X509Certificate is just used for checking whether the host certificate has expired. This class will most probably disappear once we get rid of pyGSI. After all, an X509Certificate is nothing but an X509Chain of length 1.

Note that the SSL connection itself does not use this class; it hands the certificate directly to the library.
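The expiry check this class exists for, sketched as an added stand-alone Python example (not DIRAC's code, which delegates to M2Crypto): a minimal DER walk to the Validity field of a certificate, applying RFC 5280's UTCTime/GeneralizedTime rule, with the getRemainingSecs()/hasExpired() arithmetic on top. The sample certificate is constructed and unsigned; only the fields on the path to Validity are laid out as in RFC 5280.

```python
from datetime import datetime, timedelta, timezone

def der_tlv(tag, body):                          # short-form length suffices for the small sample
    return bytes([tag, len(body)]) + body

def der_children(buf):
    """Split a constructed DER body into (tag, body) pairs; long-form lengths handled."""
    out, i = [], 0
    while i < len(buf):
        tag, n, hdr = buf[i], buf[i + 1], 2
        if n & 0x80:                             # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, hdr = int.from_bytes(buf[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, buf[i + hdr:i + hdr + n]))
        i += hdr + n
    return out

def parse_time(tag, body):
    """UTCTime (0x17, 'YYMMDDHHMMSSZ', 1950-2049 pivot per RFC 5280) or GeneralizedTime (0x18)."""
    text = body.decode("ascii")
    if tag == 0x17:
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(cert_der):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:                     # EXPLICIT [0] version is optional
        fields = fields[1:]
    not_before, not_after = der_children(fields[3][1])   # serial, sigAlg, issuer, validity
    return parse_time(*not_before), parse_time(*not_after)

def remaining_secs(cert_der, now):               # what getRemainingSecs() reports
    return max(0, int((validity(cert_der)[1] - now).total_seconds()))
def has_expired(cert_der, now):                  # the check hasExpired() performs
    return remaining_secs(cert_der, now) == 0

def build_sample_cert(not_before, lifetime=3600):
    """Constructed, unsigned stand-in for a DER Certificate: empty names/key, dummy signature."""
    def time_field(dt):                          # UTCTime up to 2049, GeneralizedTime from 2050
        return (der_tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode()) if dt.year < 2050
                else der_tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode()))
    version, serial = der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01")
    sig_alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    name, spki = der_tlv(0x30, b""), der_tlv(0x30, b"")
    not_after = not_before + timedelta(seconds=lifetime)
    tbs = der_tlv(0x30, version + serial + sig_alg + name
                  + der_tlv(0x30, time_field(not_before) + time_field(not_after)) + name + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))
# Constructed sample: issued 2024-01-01 00:00 UTC with the default one-hour proxy lifetime.
SAMPLE_CERT = build_sample_cert(datetime(2024, 1, 1, tzinfo=timezone.utc))
```

The same walk applies to a real DER certificate (the PEM body base64-decoded), since der_children handles the long-form lengths real certificates use.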

__init__(x509Obj=None, certString=None)

Constructor. You can give either nothing, the x509Obj, or the certString.

Parameters:
  • x509Obj (M2Crypto.X509.X509) – (optional) certificate instance

  • certString (String) – (optional) text representation of the certificate

asPem()

Return certificate as PEM string

Returns:

pem string

classmethod generateProxyCertFromIssuer(x509Issuer, x509ExtensionStack, proxyKey, lifetime=3600)

This class method is meant to generate a new X509Certificate out of an existing one. Basically, it generates a proxy… However, a proxy certificate cannot work on its own: you need the whole chain of certificates. This method is meant to be called only by the X509Chain class.

Inspired by https://github.com/eventbrite/m2crypto/blob/master/demo/x509/ca.py#L45

Parameters:
  • x509Issuer – X509Certificate instance from which we generate the next one

  • x509ExtensionStack – M2Crypto.X509.X509_Extension_Stack object to add to the new certificate. It contains all the X509 extensions needed for the proxy (e.g. the DIRAC group). See X509Chain.__getProxyExtensionList

  • proxyKey – an M2Crypto.EVP.PKey instance with private and public key

  • lifetime – duration of the proxy in seconds. Default 3600

Returns:

a new X509Certificate

generateProxyRequest(bitStrength=2048, limited=False)

Generate a proxy request. See DIRAC.Core.Security.m2crypto.X509Request.X509Request.

In principle, there is no reason to have this here, since the X509Request is independent of the X509Certificate when generating it. The only reason is to check whether the current certificate is limited or not.

Parameters:
  • bitStrength – strength of the key in bits

  • limited – if True, or if the current certificate is limited (see proxy RFC), create a request for a limited proxy

Returns:

S_OK( DIRAC.Core.Security.m2crypto.X509Request.X509Request ) / S_ERROR

getDIRACGroup(ignoreDefault=False)

Get the DIRAC group if present

If no group is found in the certificate, the CS is queried for the default group of the given user. This can be disabled with the ignoreDefault parameter.

Note that the CS lookup can only work for a first-generation proxy, since the search is based on the issuer DN.

Parameters:

ignoreDefault – if True, do not look up the CS

Returns:

S_OK(group name/bool)

getExtension(name)

Return the X509 extension with the given name

Parameters:

name – name of the extension

Returns:

S_OK with M2Crypto.X509.X509_Extension object, or S_ERROR

getExtensions()

Get a decoded list of extensions

Returns:

S_OK( list of tuple (extensionName, extensionValue))

getIssuerDN()

Get issuer DN

Returns:

S_OK( string )/S_ERROR

getNotAfterDate()

Get the not-after date of the certificate

Returns:

S_OK( datetime )/S_ERROR

getNotBeforeDate()

Get the not-before date of the certificate

Returns:

S_OK( datetime )/S_ERROR

getPublicKey()

Get the public key of the certificate

Returns:

S_OK(M2Crypto.EVP.PKey)

getRemainingSecs()

Get the remaining lifetime in seconds

Returns:

S_OK(remaining seconds)

getSerialNumber()

Get certificate serial number

Returns:

S_OK( serial )/S_ERROR

getStrength()

Get the length of the certificate's key in bits

Returns:

S_OK( size )/S_ERROR

getSubjectDN()

Get subject DN

Returns:

S_OK( string )/S_ERROR

getSubjectNameObject()

Get subject name object

Returns:

S_OK( X509Name )/S_ERROR

getVOMSData()

Get VOMS extension data

Returns:

S_ERROR/S_OK(dict). For the content of the dict, see decodeVOMSExtension()

hasExpired()

Check whether the loaded certificate is still valid

Returns:

S_OK( True/False )/S_ERROR

hasVOMSExtensions()

Check whether the certificate carries VOMS extensions

Returns:

S_OK(bool) telling whether VOMS extensions are found

load(certificate)

Load an X509 certificate either from a file or from a string

Parameters:

certificate – path to the file or PEM encoded string

Returns:

S_OK on success, otherwise S_ERROR

loadFromFile(certLocation)

Load an X509 certificate from a PEM file

Parameters:

certLocation – path to the certificate file

Returns:

S_OK / S_ERROR.

loadFromString(pemData)

Load an X509 certificate from a string containing the PEM data

Parameters:

pemData – PEM encoded string

Returns:

S_OK / S_ERROR

sign(key, algo)

Sign the certificate using the provided key and algorithm.

Parameters:
  • key – M2Crypto.EVP.PKey object with private and public key

  • algo – algorithm used to sign the certificate

Returns:

S_OK/S_ERROR

verify(pkey)

Verify the signature of the certificate using the public key provided

Parameters:

pkey – M2Crypto.EVP.PKey object

Returns:

S_OK(bool) where the boolean shows the success of the verification