Automatically download CA from AIA-data in certificate (fixes github.com/moepman/acertmgr/issues/12)

2024-12-29 10:31:49 +01:00 · 2019-01-21 15:35:17 +01:00 · 2019-01-21 15:35:17 +01:00 · 1c939363c0
commit 1c939363c0
parent a135bae583
3 changed files with 41 additions and 3 deletions
--- a/acertmgr.py
+++ b/acertmgr.py
@ -101,6 +101,9 @@ def cert_get(settings):
            crt_final = settings['cert_file']
            shutil.copy2(crt_file, crt_final)
            os.chmod(crt_final, stat.S_IREAD)
+            # download current ca file for the new certificate if no static ca is configured
+            if "static_ca" in settings and not config['static_ca']:
+                tools.download_issuer_ca(crt_final, settings['ca_file'])

    finally:
        os.remove(csr_file)
--- a/configuration.py
+++ b/configuration.py
@ -79,10 +79,14 @@ def parse_config_entry(entry, globalconfig):
    # SSL CA location
    ca_files = [x for x in entry if 'ca_file' in x]
    if len(ca_files) > 0:
+        config['static_ca'] = True
        config['ca_file'] = ca_files[0]
+    elif 'server_ca' in globalconfig:
+        config['static_ca'] = True
+        config['ca_file'] = globalconfig['server_ca']
    else:
-        config['ca_file'] = globalconfig.get('server_ca',
-                                             os.path.join(config['cert_dir'], "{}.ca".format(config['id'])))
+        config['static_ca'] = False
+        config['ca_file'] = os.path.join(config['cert_dir'], "{}.ca".format(config['id']))

    # SSL cert location
    cert_files = [x for x in entry if 'cert_file' in x]
--- a/tools.py
+++ b/tools.py
@ -16,7 +16,12 @@ from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.x509.oid import NameOID
+from cryptography.x509.oid import NameOID,ExtensionOID
+
+try:
+    from urllib.request import urlopen  # Python 3
+except ImportError:
+    from urllib2 import urlopen  # Python 2


 class InvalidCertificateError(Exception):
@ -89,6 +94,32 @@ def new_rsa_key(path, key_size=4096):
        print('Warning: Could not set file permissions on {0}!'.format(path))


+# @brief download the issuer ca for a given certificate
+# @param cert_file certificate file
+# @param ca_file destination for the ca file
+def download_issuer_ca(cert_file, ca_file):
+    with open(cert_file, 'r') as f:
+        cert_data = f.read()
+    cert = x509.load_pem_x509_certificate(cert_data, default_backend())
+    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
+
+    ca_issuers = None
+    for data in aia.value:
+        if data.access_method == x509.OID_CA_ISSUERS:
+            ca_issuers = data.access_location.value
+            break
+
+    if not ca_issuers:
+        raise Exception("Could not determine issuer CA for {}".format(cert_file))
+
+    print("Downloading CA certificate from {} to {}".format(ca_issuers, ca_file))
+    cadata = urlopen(ca_issuers).read()
+    cacert = x509.load_der_x509_certificate(cadata, default_backend())
+    pem = cacert.public_bytes(encoding=serialization.Encoding.PEM)
+    with open(ca_file, 'wb') as pem_out:
+        pem_out.write(pem)
+
+
 # @brief convert certificate to PEM format
 # @param cert certificate object in pyopenssl format
 # @return the certificate in PEM format