X509Certificate
X509Certificate is a class for managing X509 certificates
Proxy RFC: https://tools.ietf.org/html/rfc3820
X509 RFC: https://tools.ietf.org/html/rfc5280
- class DIRAC.Core.Security.m2crypto.X509Certificate.X509Certificate(x509Obj=None, certString=None)
Bases: object
The X509Certificate object represents … an X509Certificate.
It is a wrapper around a lower level implementation (M2Crypto in this case) of a certificate. In theory, it can be a host or user certificate. A proxy certificate is also an X509Certificate, but it is useless without the whole chain of issuers; that is why the X509Chain class exists.
In practice, X509Certificate is just used for checking whether the host certificate has expired. This class will most probably disappear once we get rid of pyGSI. After all, an X509Certificate is nothing but an X509Chain of length 1.
Note that the SSL connection itself does not use this class; it hands the certificate directly to the library.
- __init__(x509Obj=None, certString=None)
Constructor. You can give either nothing, the x509Obj or the certString.
- Parameters:
x509Obj (M2Crypto.X509.X509) – (optional) certificate instance
certString (String) – text representation of certificate
- asPem()
Return certificate as PEM string
- Returns:
pem string
- classmethod generateProxyCertFromIssuer(x509Issuer, x509ExtensionStack, proxyKey, lifetime=3600)
This class method is meant to generate a new X509Certificate out of an existing one. Basically, it generates a proxy… However, you can’t have a proxy certificate working on its own, you need all the chain of certificates. This method is meant to be called only by the X509Chain class.
Inspired from https://github.com/eventbrite/m2crypto/blob/master/demo/x509/ca.py#L45
- Parameters:
x509Issuer – X509Certificate instance from which we generate the next one
x509ExtensionStack – M2Crypto.X509.X509_Extension_Stack object to add to the new certificate. It contains all the X509 extensions needed for the proxy (e.g. DIRAC group). See X509Chain.__getProxyExtensionList
proxyKey – a M2Crypto.EVP.PKey instance with private and public key
lifetime – duration of the proxy in seconds. Default 3600
- Returns:
a new X509Certificate
- generateProxyRequest(bitStrength=2048, limited=False)
Generate a proxy request. See DIRAC.Core.Security.m2crypto.X509Request.X509Request
In principle, there is no reason to have this here, since the X509Request is independent of the X509Certificate when generating it. The only reason is to check whether the current certificate is limited or not.
- Parameters:
bitStrength – strength of the key
limited – if True or if the current certificate is limited (see proxy RFC), creates a request for a limited proxy
- Returns:
S_OK( DIRAC.Core.Security.m2crypto.X509Request.X509Request ) / S_ERROR
- getDIRACGroup(ignoreDefault=False)
Get the DIRAC group if present
If no group is found in the certificate, we query the CS to get the default group for the given user. This can be disabled using the ignoreDefault parameter.
Note that the lookup in the CS can only work for a proxy of first generation, since we search based on the issuer DN
- Parameters:
ignoreDefault – if True, do not look up the CS
- Returns:
S_OK(group name/bool)
- getExtension(name)
Return X509 Extension with given name
- Parameters:
name – name of the extension
- Returns:
S_OK with M2Crypto.X509.X509_Extension object, or S_ERROR
- getExtensions()
Get a decoded list of extensions
- Returns:
S_OK( list of tuple (extensionName, extensionValue))
- getIssuerDN()
Get issuer DN
- Returns:
S_OK( string )/S_ERROR
- getNotAfterDate()
Get not after date of a certificate
- Returns:
S_OK( datetime )/S_ERROR
- getNotBeforeDate()
Get not before date of a certificate
- Returns:
S_OK( datetime )/S_ERROR
- getPublicKey()
Get the public key of the certificate
- Returns:
S_OK(M2Crypto.EVP.PKey)
- getRemainingSecs()
Get remaining lifetime in secs
- Returns:
S_OK(remaining seconds)
- getSerialNumber()
Get certificate serial number
- Returns:
S_OK( serial )/S_ERROR
- getStrength()
Get the length of the key of the certificate in bits
- Returns:
S_OK( size )/S_ERROR
- getSubjectDN()
Get subject DN
- Returns:
S_OK( string )/S_ERROR
- getSubjectNameObject()
Get subject name object
- Returns:
S_OK( X509Name )/S_ERROR
- getVOMSData()
Get VOMS extension data
- Returns:
S_ERROR/S_OK(dict). For the content of the dict, see decodeVOMSExtension()
- hasExpired()
Check if the loaded certificate is still valid
- Returns:
S_OK( True/False )/S_ERROR
- hasVOMSExtensions()
Check whether the certificate has VOMS extensions
- Returns:
S_OK(bool), True if VOMS extensions are found
- load(certificate)
Load an x509 certificate either from a file or from a string
- Parameters:
certificate – path to the file or PEM encoded string
- Returns:
S_OK on success, otherwise S_ERROR
- loadFromFile(certLocation)
Load a x509 cert from a pem file
- Parameters:
certLocation – path to the certificate file
- Returns:
S_OK / S_ERROR.
- loadFromString(pemData)
Load a x509 cert from a string containing the pem data
- Parameters:
pemData – pem encoded string
- Returns:
S_OK / S_ERROR
- sign(key, algo)
Sign the certificate using the provided key and algorithm.
- Parameters:
key – M2Crypto.EVP.PKey object with private and public key
algo – algorithm to sign the certificate
- Returns:
S_OK/S_ERROR
- verify(pkey)
Verify the signature of the certificate using the public key provided
- Parameters:
pkey – M2Crypto.EVP.PKey object
- Returns:
S_OK(bool) where the boolean shows the success of the verification
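The class description says this wrapper is mainly used for the expiry check (hasExpired / getRemainingSecs). The following is an added, stand-alone example, not DIRAC or M2Crypto code: it walks the DER structure of a certificate to the RFC 5280 Validity field, decodes both UTCTime (with the 1950/2049 year pivot) and GeneralizedTime, and derives the remaining lifetime. The certificate it parses is a constructed, unsigned skeleton built by make_sample_cert; only its validity field carries real data.

```python
# Added example (not DIRAC or M2Crypto code): minimal DER walker for the RFC 5280 Validity field.
from datetime import datetime, timezone

def tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(seq):  # (tag, value) pairs of the TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = tlv(seq, pos)
        out.append((tag, val))
    return out

def enc(tag, body):
    """Encode a short-form DER TLV (the constructed sample stays under 128 bytes)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def parse_time(tag, val):
    """UTCTime (0x17) YYMMDDHHMMSSZ with the 1950/2049 pivot; GeneralizedTime (0x18) YYYYMMDDHHMMSSZ."""
    s = val.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def get_validity(der):
    """(notBefore, notAfter): Certificate -> tbsCertificate -> [version], serial, sigAlg, issuer, validity."""
    fields = children(tlv(tlv(der)[1])[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] EXPLICIT version
    (t1, v1), (t2, v2) = children(fields[3][1])[:2]
    return parse_time(t1, v1), parse_time(t2, v2)

def remaining_secs(der, now):
    """Seconds until notAfter, floored at 0; hasExpired is simply remaining_secs(...) == 0."""
    return max(0, int((get_validity(der)[1] - now).total_seconds()))

def make_sample_cert(not_before, not_after):
    """Constructed, unsigned skeleton from ISO timestamps; only validity carries real data."""
    def t(iso):
        d = datetime.fromisoformat(iso)
        fmt, tag = ("%y%m%d%H%M%SZ", 0x17) if d.year < 2050 else ("%Y%m%d%H%M%SZ", 0x18)
        return enc(tag, d.strftime(fmt).encode())
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"")
              + enc(0x30, b"") + enc(0x30, t(not_before) + t(not_after)) + enc(0x30, b""))
    return enc(0x30, tbs + enc(0x30, b"") + enc(0x03, b"\x00"))
```

Pass a timezone-aware "now" to remaining_secs; a naive datetime would raise when subtracted from the UTC notAfter.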