diff options
author | Niranjan Mallapadi <mrniranjan@redhat.com> | 2014-11-10 16:58:52 +0530 |
---|---|---|
committer | Niranjan Mallapadi <mrniranjan@redhat.com> | 2014-11-10 17:01:13 +0530 |
commit | 6e0d1347d59083e30c3cf059457549d95f757ea3 (patch) | |
tree | caa6b0643fa08645c63fe64d5860ecfc8e20420c /tests | |
parent | c0dc536293c960ad80cea37599364b9d783a17cd (diff) | |
download | pki-6e0d1347d59083e30c3cf059457549d95f757ea3.tar.gz pki-6e0d1347d59083e30c3cf059457549d95f757ea3.tar.xz pki-6e0d1347d59083e30c3cf059457549d95f757ea3.zip |
Add python scripts for profile cli automation
Diffstat (limited to 'tests')
-rw-r--r-- | tests/dogtag/shared/PkiLib/__init__.py | 0 | ||||
-rw-r--r-- | tests/dogtag/shared/PkiLib/pkicommonlib.py | 115 | ||||
-rw-r--r-- | tests/dogtag/shared/PkiLib/pkiconstraintslib.py | 129 | ||||
-rw-r--r-- | tests/dogtag/shared/PkiLib/pkiprofilecli.py | 340 | ||||
-rw-r--r-- | tests/dogtag/shared/PkiLib/pkiprofilelib.py | 914 |
5 files changed, 1498 insertions, 0 deletions
diff --git a/tests/dogtag/shared/PkiLib/__init__.py b/tests/dogtag/shared/PkiLib/__init__.py new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/tests/dogtag/shared/PkiLib/__init__.py diff --git a/tests/dogtag/shared/PkiLib/pkicommonlib.py b/tests/dogtag/shared/PkiLib/pkicommonlib.py new file mode 100644 index 000000000..82075b475 --- /dev/null +++ b/tests/dogtag/shared/PkiLib/pkicommonlib.py @@ -0,0 +1,115 @@ +#!/usr/bin/python +# -*- coding: utf-8 -* +from lxml import etree + +def policy_attributes(Policy_definition, policy_attributes): + + for idx,(name,syntax,constraint,description,defaultvalue) in enumerate(policy_attributes): + policy_attribute_name = etree.SubElement(Policy_definition, 'policyAttribute', name=name) + policy_attribute_descriptor = etree.SubElement(policy_attribute_name,'Descriptor') + policy_attribute_syntax = etree.SubElement(policy_attribute_descriptor, 'Syntax').text = syntax + if constraint != 'NULL': + policy_attribute_constraint = etree.SubElement(policy_attribute_descriptor, 'Constraint').text=constraint + policy_attribute_description = etree.SubElement(policy_attribute_descriptor, 'Description').text = description + if defaultvalue != 'NULL': + policy_attribute_defaultvalue = etree.SubElement(policy_attribute_descriptor, 'DefaultValue').text = defaultvalue + else: + policy_attribute_defaultvalue = etree.SubElement(policy_attribute_descriptor, 'DefaultValue') + + +def constraint_attributes(constraint_definition, constraint_attributes): + + for idx,(constraintid, syntax, constraint, description, defaultvalue, value) in enumerate(constraint_attributes): + + constraint_id = etree.SubElement(constraint_definition, 'constraint', id = constraintid) + constraint_id_descriptor = etree.SubElement(constraint_id, 'descriptor') + constraint_id_descriptor_syntax = etree.SubElement(constraint_id_descriptor, 'Syntax').text = syntax + if constraint != 'NULL': + constraint_id_descriptor_syntax = etree.SubElement(constraint_id_descriptor, 'Constraint').text = constraint + + constraint_id_descriptor_description = etree.SubElement(constraint_id_descriptor, 'Description').text = description + + if defaultvalue != 'NULL': + constraint_id_descriptor_defaultvalue = etree.SubElement(constraint_id_descriptor, 'DefaultValue').text = defaultvalue + + if value != 'NULL': + constraint_value = etree.SubElement(constraint_id, 'value').text = value + else: + constraint_value = etree.SubElement(constraint_id, 'value') + +def policy_parameters(Policy_definition, parameters): + + for idx,(name, value) in enumerate(parameters): + + policy_param_name = etree.SubElement(Policy_definition, 'params', name=name) + if value != 'NULL': + policy_param_value = etree.SubElement(policy_param_name, 'value').text=value + else: + policy_param_value = etree.SubElement(policy_param_name, 'value') + +def policy_definition(Policy_Value,definition): + + Policy_definition = etree.SubElement(Policy_Value, 'def', id=definition['id'], classId=definition['classid']) + Policy_description = etree.SubElement(Policy_definition, 'description').text = definition['description'] + + return Policy_definition + +def constraint_definition(Policy_Value, definition): + + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id=definition['id']) + constraint_description = etree.SubElement(constraint_definition, 'description').text = definition['description'] + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = definition['classId'] + + return constraint_definition + +def check_ext_key_usage(mylist, string): + + s1 = 'true' + s2 = 'false' + if string in mylist: + return s1 + else: + return s2 + +def get_policyId(root): + + Policy_Value = root.findall('./PolicySets/PolicySet/value') + value = 0 + for key in Policy_Value: + attributes = key.attrib + value = attributes["id"] + if value is 0: + pvalue = '1' + else: + pvalue = int(value) + 1 + + return str(pvalue) + +def get_Element_PolicyValue(PolicySet,javaclass): + + mydict = {} + for key in PolicySet.iterchildren(tag='value'): + PolicyValues=key.items()[0][1] + classId=key[0].get('classId') + mydict[classId]=PolicyValues + + if mydict.has_key(javaclass): + value_Id = mydict[javaclass] + Policy_value = PolicySet.find('./value[@id=' + "\"" + str(value_Id) + "\"" + "]") + return Policy_value + else: + return None + +def check_policy(PolicySet, javaclass): + + DefinedPolicies = PolicySet.findall("./value/def") + list_of_policy_classes = [] + for classes in DefinedPolicies: + list_of_policy_classes.append(classes.get('classId')) + + # check if my classId is already there + if javaclass in list_of_policy_classes: + return True + else: + return False + diff --git a/tests/dogtag/shared/PkiLib/pkiconstraintslib.py b/tests/dogtag/shared/PkiLib/pkiconstraintslib.py new file mode 100644 index 000000000..7add7b835 --- /dev/null +++ b/tests/dogtag/shared/PkiLib/pkiconstraintslib.py @@ -0,0 +1,129 @@ +#!/usr/bin/python +# -*- coding: utf-8 -* +from lxml import etree +#import pkicommonlib as common +import PkiLib.pkicommonlib as common + +def validityConstraintImpl(Policy_Value,default_value,range_value): + + + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id='Validity Constraint') + s1 = 'This constraint rejects the validity that is not between %s days.' % (range_value) + constraint_description = etree.SubElement(constraint_definition, 'description').text = s1 + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = 'validityConstraintImpl' + + validityConstraintImpl_attributes = [ + ('range', 'integer', 'NULL', 'Validity Range (in days)', str(default_value), str(range_value)), + ('notBeforeGracePeriod', 'integer', 'NULL','Grace period for Not Before being set in the future (in seconds).', '0', 'NULL'), + ('notBeforeCheck', 'boolean', 'NULL','Check Not Before against current time', 'false', 'false'), + ('notAfterCheck','boolean', 'NULL', 'Check Not After against Not Before', 'false', 'false')] + + common.constraint_attributes(constraint_definition, validityConstraintImpl_attributes) + +def subjectNameConstraintImpl(Policy_Value,subjectPattern): + + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id='Subject Name Constraint') + constraint_description = etree.SubElement(constraint_definition, 'description').text = 'This constraint accepts the subject name that matches ' + subjectPattern + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = 'subjectNameConstraintImpl' + + subjectNameConstraintImpl_attributes = [('pattern','string','NULL','Subject Name Pattern','NULL',subjectPattern)] + + common.constraint_attributes(constraint_definition, subjectNameConstraintImpl_attributes) + + +def noConstraintImpl(Policy_Value): + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id='No Constraint') + constraint_description = etree.SubElement(constraint_definition, 'description').text = 'No Constraint' + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = 'noConstraintImpl' + +def basicConstraintsCritical(Policy_Value,PathLength,isCA): + + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id='Basic Constraint Extension Constraint') + s1 = 'This constraint accepts the Basic Constraint extension, if present, only when Criticality=true,' + s2 = 'Is CA=true, Min Path Length=-1, Max Path Length=-1' + constraint_description = etree.SubElement(constraint_definition, 'description').text = s1 + s2 + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = 'basicConstraintsExtConstraintImpl' + + basicConstraintsCritical_attributes = [ + ('basicConstraintsCritical','choice', 'true,false,-', 'Criticality', '-', 'true'), + ('basicConstraintsIsCA', 'choice', 'true,false,-', 'Is CA', '-', isCA), + ('basicConstraintsMinPathLen', 'integer','NULL', 'Min Path Length','-1', PathLength), + ('basicConstraintsMaxPathLen', 'integer', 'NULL','Max Path Length', '100', '100') + ] + common.constraint_attributes(constraint_definition, basicConstraintsCritical_attributes) + +def signingAlgConstraintImpl(Policy_Value): + + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id='No Constraint') + s1 = 'This constraint accepts only the Signing Algorithms of SHA1withRSA,SHA256withRSA,SHA512withRSA,' + s2 = 'MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC' + constraint_description = etree.SubElement(constraint_definition, 'description').text = s1 + s2 + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = 'signingAlgConstraintImpl' + + signingAlgConstraintImpl_attributes = [ + ('signingAlgsAllowed', 'string','NULL','Allowed Signing Algorithms', + 'SHA1withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC', + 'SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC')] + + common.constraint_attributes(constraint_definition, signingAlgConstraintImpl_attributes) + +def renewGracePeriodConstraintImpl(Policy_Value,notBefore,notAfter): + + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id='Renewal Grace Period Constraint') + s1 = 'This constraint rejects the validity that is not between %s days before' %(notBefore) + s2 = 'and %s days after original cert expiration date days.' %(notAfter) + constraint_description = etree.SubElement(constraint_definition, 'description').text = s1 + s2 + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = 'renewGracePeriodConstraintImpl' + + renewGracePeriodConstraintImpl_attributes = [ + ('renewal.graceBefore', 'integer', 'NULL', 'Renewal Grace Period Before', notBefore, notBefore), + ('renewal.graceAfter', 'integer', 'NULL', 'Renewal Grace Period After', notAfter, notAfter)] + + common.constraint_attributes(constraint_definition, renewGracePeriodConstraintImpl_attributes) + +def keyUsageExtConstraintImpl(Policy_Value,keylist): + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id='Key Usage Extension Constraint') + + def1 = 'This constraint accepts the Key Usage extension, if present, only when Criticality=true, Digital Signature=true,' + def2 = 'Non-Repudiation=true, Key Encipherment=true, Data Encipherment=false,' + def3 = 'Key Agreement=false, Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false' + + constraint_description = etree.SubElement(constraint_definition, 'description').text = def1 + def2 + def3 + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = 'keyUsageExtConstraintImpl' + + key_default_list = ( + 'keyUsageCritical','keyUsageDigitalSignature', 'keyUsageNonRepudiation', + 'keyUsageKeyEncipherment', 'keyUsageDataEncipherment', 'keyUsageKeyAgreement', + 'keyUsageKeyCertSign', 'keyUsageCrlSign','keyUsageEncipherOnly', + 'keyUsageDecipherOnly') + + keyUsageExtConstraintImpl_attributes = [ + (key_default_list[0], 'choice', 'true,false,-', 'Criticality', '-', common.check_ext_key_usage(keylist,key_default_list[0])), + (key_default_list[1], 'choice', 'true,false,-', 'Digital Signature', '-', common.check_ext_key_usage(keylist,key_default_list[1])), + (key_default_list[2], 'choice', 'true,false,-', 'Non-Repudiation', '-', common.check_ext_key_usage(keylist,key_default_list[2])), + (key_default_list[3], 'choice', 'true,false,-', 'Key Encipherment', '-', common.check_ext_key_usage(keylist,key_default_list[3])), + (key_default_list[4], 'choice', 'true,false,-', 'Data Encipherment', '-', common.check_ext_key_usage(keylist,key_default_list[4])), + (key_default_list[5], 'choice', 'true,false,-', 'Key Agreement', '-', common.check_ext_key_usage(keylist,key_default_list[5])), + (key_default_list[6], 'choice', 'true,false,-', 'Key CertSign', '-', common.check_ext_key_usage(keylist,key_default_list[6])), + (key_default_list[7], 'choice', 'true,false,-', 'CRL Sign', '-', common.check_ext_key_usage(keylist,key_default_list[7])), + (key_default_list[8], 'choice', 'true,false,-', 'Encipher Only', '-', common.check_ext_key_usage(keylist,key_default_list[8])), + (key_default_list[9], 'choice', 'true,false,-', 'Decipher Only', '-', common.check_ext_key_usage(keylist,key_default_list[9]))] + + common.constraint_attributes(constraint_definition, keyUsageExtConstraintImpl_attributes) + +def keyConstraintImpl(Policy_Value): + + constraint_definition = etree.SubElement(Policy_Value, 'constraint', id='Key Constraint') + s1 = 'This constraint accepts the key only if Key Type=-, Key Parameters =1024,2048,3072,4096,nistp256,nistp384,nistp521' + constraint_description = etree.SubElement(constraint_definition, 'description').text = s1 + constraint_classid = etree.SubElement(constraint_definition, 'classId').text = 'keyConstraintImpl' + s2 = 'Key Lengths or Curves. For EC use comma separated list of curves, otherise use list of key sizes. Ex: 1024,2048,4096,8192 or:' + s3 = 'nistp256,nistp384,nistp521,sect163k1,nistk163 for EC.' + + keyConstraintImpl_attributes = [ + ('keyType', 'choice','-,RSA,EC', 'Key Type', 'RSA', '-'), + ('keyParameters', 'string', 'NULL', s2 + s3, 'NULL', '1024,2048,3072,4096,nistp256,nistp384,nistp521')] + + common.constraint_attributes(constraint_definition, keyConstraintImpl_attributes) + + diff --git a/tests/dogtag/shared/PkiLib/pkiprofilecli.py b/tests/dogtag/shared/PkiLib/pkiprofilecli.py new file mode 100644 index 000000000..aa7a050db --- /dev/null +++ b/tests/dogtag/shared/PkiLib/pkiprofilecli.py @@ -0,0 +1,340 @@ +import argparse +import PkiLib.pkiprofilelib as pkiprofilelib +from lxml import etree +import sys + +def main(): + + parser = argparse.ArgumentParser(description="Create and Edit Profiles") + required = parser.add_argument_group('Mandatory Arguments') + userChoices = ('user', 'smime', 'dualcert', 'server', 'ca','other') + parser.add_argument('--editprofile', help="Edit existing profile xml") + parser.add_argument('--new', choices = userChoices, help="Create new profile xml") + parser.add_argument('--profileId', help="Id of the Profile to be created") + parser.add_argument('--profilename', help="Name of the profile to be created") + parser.add_argument('--profiledescription', help="Description of the profile to be created") + parser.add_argument('--inputfile', help="Provide xml file to be modified") + parser.add_argument('--outputfile', help="Save the profile in output file",required=True) + parser.add_argument('--subjectNamePattern', help="Subject Name pattern constraint to be passed") + parser.add_argument('--subjectNameDefault', type=str, help="Default Subject Name to be appended") + parser.add_argument('--notBefore', type=str, help="Days not before the expiry date") + parser.add_argument('--notAfter', type=str, help="Days not After the expiry date") + parser.add_argument('--validfor', type=str, help="Total validity period of cert") + parser.add_argument('--maxvalidity', type=str, help="Total Maximum validity should not exceed Total validity") + parser.add_argument('--keyusageextensions', type=str, help="Add Key usage Extensions to be enabled in profile") + parser.add_argument('--netscapeextensions', type=str, help="Specify the Netscape Extensions to be added") + parser.add_argument('--crlextension', type=str, help="Specify CRL url") + parser.add_argument('--isCA', type=str, help="Specify True/False value") + parser.add_argument('--PathLength', type=str, help="Specify Maximum path length") + parser.add_argument('--altType', type=str, help="Provide subject Alt type") + parser.add_argument('--altPattern', type=str, help="Provide Subject Alt Pattern") + parser.add_argument('--ExtOID', type=str, help="Provide ExtOID supplied in csr") + args = parser.parse_args() + if args.new: + new_profile(args) + elif args.editprofile: + New_Edit_Profile(args) + +def new_profile(args): + + if (args.new == 'user') or (args.new == 'smime'): + profile_user_input_parser(args) + elif (args.new == 'server') or (args.new == 'ca') or (args.new == 'other'): + profile_server_input_parser(args) + elif args.new == 'dualcert': + profile_dualcert_input_parser(args) + else: + print "In appropriate option.Exiting" + sys.exit(1) + return 0 + +def Generate_Profile_hash(args): + + Profile_Input_Dict = {} + ProfileId = args.profileId + Profile_Input_Dict['ProfileId'] = ProfileId + if (args.new == 'user') or (args.new == 'smime'): + ProfileName = 'Manual User Dual-Use Certificate Enrollment' + ProfileDescription = 'This certificate profile is for enrolling user certificates' + Profile_Input_Dict['Key_Generation_Class'] = 'keyGenInputImpl' + Profile_Input_Dict['Key_Generate_InputId'] = '1' + Profile_Input_Dict['subject_Name_Input_Id'] = '2' + Profile_Input_Dict['Submitter_Info_InputId'] = '3' + keylist = ('keyUsageCritical','keyUsageDigitalSignature','keyUsageNonRepudiation','keyUsageKeyEncipherment') + subjectPattern = 'UID=.*' + policysetname = 'pkitest1' + elif (args.new == 'server') or (args.new == 'other'): + ProfileName = "Manual Server Certificate Enrollment" + ProfileDescription = "This certificate profile is for enrolling dual user certificates" + Profile_Input_Dict['Key_Generation_Class'] = 'certReqInputImpl' + Profile_Input_Dict['Key_Generate_InputId'] = '1' + Profile_Input_Dict['Submitter_Info_InputId'] = '2' + keylist = ('keyUsageCritical','keyUsageDigitalSignature','keyUsageNonRepudiation','keyUsageKeyEncipherment') + subjectPattern = 'CN=.*' + policysetname = 'pkitest1' + elif args.new == 'dualcert': + ProfileName = "Manual User Signing and Encryption Certificates Enrollment" + ProfileDescription = "This certificate profile is for enrolling dual user certificates" + Profile_Input_Dict['Key_Generation_Class'] = 'dualKeyGenInputImpl' + Profile_Input_Dict['Key_Generate_InputId'] = '1' + Profile_Input_Dict['subject_Name_Input_Id'] = '2' + Profile_Input_Dict['Submitter_Info_InputId'] = '3' + keylist = ('keyUsageCritical','keyUsageKeyEncipherment') + subjectPattern = 'UID=.*' + policysetname = 'encryptionCertSet' + elif args.new == 'ca': + policysetname = 'caCertSet' + ProfileName = "Manual Certificate Manager Signing Certificate Enrollment" + ProfileDescription = "This certificate profile is for enrolling Certificate Authority certificates." + Profile_Input_Dict['Key_Generation_Class'] = 'certReqInputImpl' + Profile_Input_Dict['Key_Generate_InputId'] = '1' + Profile_Input_Dict['Submitter_Info_InputId'] = '2' + keylist = ('keyUsageCritical', 'keyUsageDigitalSignature', 'keyUsageNonRepudiation', 'keyUsageKeyCertSign', 'keyUsageCrlSign') + subjectPattern = 'CN=.*' + if args.PathLength: + PathLength = args.PathLength + else: + PathLength = "-1" + Profile_Input_Dict['PathLength'] = PathLength + if args.isCA: + isCA = args.isCA + else: + isCA = "true" + Profile_Input_Dict['isCA'] = isCA + + Profile_Input_Dict['PolicySet'] = policysetname + + if args.subjectNamePattern: + Profile_Input_Dict['Subject_Pattern'] = args.subjectNamePattern + else: + Profile_Input_Dict['Subject_Pattern'] = subjectPattern + if args.subjectNameDefault: + Profile_Input_Dict['subjectNameDefault'] = args.subjectNameDefault + else: + Profile_Input_Dict['subjectNameDefault'] = None + + if args.profilename: + Profile_Input_Dict['name'] = args.profilename + else: + Profile_Input_Dict['name'] = ProfileName + + if args.profiledescription: + Profile_Input_Dict['Description'] = args.profiledescription + else: + Profile_Input_Dict['Description'] = ProfileDescription + if args.keyusageextensions: + Profile_Input_Dict['Key_List'] = args.keyusageextensions + else: + Profile_Input_Dict['Key_List'] = keylist + + if args.notBefore: + Profile_Input_Dict['NotBefore'] = args.notBefore + else: + Profile_Input_Dict['NotBefore'] = '30' + + if args.notAfter: + Profile_Input_Dict['NotAfter'] = args.notAfter + else: + Profile_Input_Dict['NotAfter'] = '30' + + if args.validfor: + validfor = args.validfor + Profile_Input_Dict['Validity'] = args.validfor + else: + Profile_Input_Dict['Validity'] = '180' + + if args.maxvalidity: + Profile_Input_Dict['MaxValidity'] = args.maxvalidity + else: + Profile_Input_Dict['MaxValidity'] = '365' + + if args.netscapeextensions: + Profile_Input_Dict['NetscapeExtensions'] = args.netscapeextensions + + if args.new == 'smime': + Profile_Input_Dict['Generic_extensions'] = 'true' + + if args.crlextension: + Profile_Input_Dict['crlurl'] = args.crlextension + + if args.altPattern: + altPattern = args.altPattern + else: + altPattern = "$request.requestor_email$" + Profile_Input_Dict['altPattern'] = altPattern + + if args.altType: + altType = args.altType + else: + altType = 'RFC822Name' + Profile_Input_Dict['altType'] = altType + + if args.ExtOID: + Profile_Input_Dict['ExtOID'] = args.ExtOID + + return Profile_Input_Dict + +def profile_user_input_parser(args): + + Profile_Input_Dict = Generate_Profile_hash(args) + root_element, PolicySets = Create_Profile(Profile_Input_Dict) + root_element, PolicySet = pkiprofilelib.Create_Policy(root_element, PolicySets, Profile_Input_Dict['PolicySet']) + et = Add_Policies(root_element,PolicySet,Profile_Input_Dict) + et.write(args.outputfile, pretty_print=True) + +def profile_server_input_parser(args): + + Profile_Input_Dict = Generate_Profile_hash(args) + root_element, PolicySets = Create_Profile(Profile_Input_Dict) + root_element, PolicySet = pkiprofilelib.Create_Policy(root_element, PolicySets, Profile_Input_Dict['PolicySet']) + et = Add_Policies(root_element,PolicySet,Profile_Input_Dict) + et.write(args.outputfile, pretty_print=True) + +def profile_dualcert_input_parser(args): + + Profile_Input_Dict1 = Generate_Profile_hash(args) + root_element, PolicySets = Create_Profile(Profile_Input_Dict1) + root_element, policyset = pkiprofilelib.Create_Policy(root_element, PolicySets, Profile_Input_Dict1['PolicySet']) + et = Add_Policies(root_element,policyset,Profile_Input_Dict1) + et.write(args.outputfile, pretty_print=True) + + keylist2 = ('keyUsageCritical','keyUsageDigitalSignature','keyUsageDigitalSignature', 'keyUsageNonRepudiation') + subjectPattern = Profile_Input_Dict1['Subject_Pattern'] + subjectDefault = Profile_Input_Dict1['subjectNameDefault'] + notBefore = Profile_Input_Dict1['NotBefore'] + notAfter = Profile_Input_Dict1['NotAfter'] + validfor = Profile_Input_Dict1['Validity'] + maxvalidity = Profile_Input_Dict1['MaxValidity'] + altType = Profile_Input_Dict1['altType'] + altPattern = Profile_Input_Dict1['altPattern'] + + Profile_Input_Dict2 = { + 'PolicySet': 'signingCertSet', + 'Subject_Pattern': subjectPattern, + 'subjectNameDefault': subjectDefault, + 'Key_List': keylist2, + 'NotBefore': notBefore, + 'NotAfter': notAfter, + 'Validity': validfor, + 'MaxValidity': maxvalidity, + 'altType': altType, + 'altPattern': altPattern + } + root_element, policyset = pkiprofilelib.Create_Policy(root_element, PolicySets, Profile_Input_Dict2['PolicySet']) + et = Add_Policies(root_element,policyset,Profile_Input_Dict2) + et.write(args.outputfile, pretty_print=True) + +def Create_Profile(Profile_Input_Dict): + + root_element = pkiprofilelib.new_profile(Profile_Input_Dict['ProfileId'], Profile_Input_Dict['name'], + Profile_Input_Dict['Description']) + pkiprofilelib.key_gen(root_element, Profile_Input_Dict['Key_Generation_Class'], + Profile_Input_Dict['Key_Generate_InputId']) + + if Profile_Input_Dict.has_key('subject_Name_Input_Id'): + pkiprofilelib.subject_name_input(root_element, Profile_Input_Dict['subject_Name_Input_Id']) + pkiprofilelib.submitter_info(root_element, Profile_Input_Dict['Submitter_Info_InputId']) + else: + pkiprofilelib.submitter_info(root_element,Profile_Input_Dict['Submitter_Info_InputId']) + + pkiprofilelib.output_info(root_element) + # Create Policy Set + root_element, PolicySets = pkiprofilelib.Create_PolicySets(root_element) + return root_element, PolicySets + +def New_Edit_Profile(args): + + # Get Root Element and PolicySet + parser = etree.XMLParser(remove_blank_text=True) + root_element = etree.parse(args.editprofile,parser) + PolicySet = root_element.find('./PolicySets/PolicySet') + + if args.profilename: + Profilename = root_element.find('name') + Profilename.text = args.profilename + + if args.profiledescription: + ProfileDescription = root_element.find('description') + ProfileDescription.text = args.profiledescription + + if args.subjectNamePattern and args.subjectNameDefault is None: + pkiprofilelib.Subject_Name_Default(root_element, PolicySet,args.subjectNamePattern,None) + + if args.subjectNamePattern is None and args.subjectNameDefault: + pkiprofilelib.Subject_Name_Default(root_element, PolicySet,None,args.subjectNameDefault) + + if args.subjectNamePattern and args.subjectNameDefault: + pkiprofilelib.Subject_Name_Default(root_element, PolicySet,args.subjectNamePattern,args.subjectNameDefault) + + if args.keyusageextensions: + pkiprofilelib.Key_Usage_Default(root_element,PolicySet, args.keyusageextensions) + + if args.maxvalidity and args.validfor: + pkiprofilelib.Validity_Default(root_element,PolicySet, args.validfor, args.maxvalidity) + + if args.notBefore and args.notAfter: + pkiprofilelib.No_Default(root_element, PolicySet, args.notBefore , args.notAfter) + + if args.netscapeextensions: + pkiprofilelib.Netscape_Certificate_Type_Extension_Default(root_element,PolicySet,args.netscapeextensions) + + if args.crlextension: + pkiprofilelib.crl_Distribution_Points_Ext_Default(root_element,PolicySet,args.crlextension) + + if args.PathLength and args.isCA: + pkiprofilelib.Basic_Constraints_Extension_Default(root_element,PolicySet,args.PathLength,args.isCA) + + if args.altType and args.altPattern: + pkiprofilelib.Subject_Alt_Name_Constraint(root_element,PolicySet,args.altType, args.altPattern) + + if args.ExtOID: + pkiprofilelib.User_Supplied_Extension_Default(root_element,PolicySet,args.ExtOID) + + root_element.write(args.outputfile, pretty_print=True) + + +def Add_Policies(root_element, PolicySet, Profile_Input_Dict): + + if Profile_Input_Dict['subjectNameDefault'] is None: + pkiprofilelib.Subject_Name_Default(root_element,PolicySet, Profile_Input_Dict['Subject_Pattern'],None) + else: + pkiprofilelib.Subject_Name_Default(root_element,PolicySet, Profile_Input_Dict['Subject_Pattern'],Profile_Input_Dict['subjectNameDefault']) + + + if not (Profile_Input_Dict.has_key('PathLength') and Profile_Input_Dict.has_key('isCA')): + pkiprofilelib.No_Default(root_element, PolicySet, Profile_Input_Dict['NotBefore'],Profile_Input_Dict['NotAfter']) + pkiprofilelib.Validity_Default(root_element,PolicySet, Profile_Input_Dict['Validity'],Profile_Input_Dict['MaxValidity']) + pkiprofilelib.Extended_Key_Usage_Extension_Default(root_element,PolicySet) + pkiprofilelib.Subject_Alt_Name_Constraint(root_element,PolicySet,Profile_Input_Dict['altType'],Profile_Input_Dict['altPattern']) + + if Profile_Input_Dict.has_key('ExtOID'): + pkiprofilelib.User_Supplied_Extension_Default(root_element,PolicySet,Profile_Input_Dict['ExtOID']) + + pkiprofilelib.Key_Default(root_element, PolicySet) + pkiprofilelib.Authority_Key_Identifier_Default(root_element,PolicySet) + pkiprofilelib.AIA_Extension_Default(root_element,PolicySet) + pkiprofilelib.Key_Usage_Default(root_element, PolicySet,Profile_Input_Dict['Key_List']) + pkiprofilelib.Signing_Alg(root_element,PolicySet) + + + if Profile_Input_Dict.has_key('Generic_extensions'): + pkiprofilelib.Generic_Extension(root_element,PolicySet) + + if Profile_Input_Dict.has_key('NetscapeExtensions'): + pkiprofilelib.Netscape_Certificate_Type_Extension_Default(root_element,PolicySet, Profile_Input_Dict['NetscapeExtensions']) + + if Profile_Input_Dict.has_key('crlurl'): + pkiprofilelib.crl_Distribution_Points_Ext_Default(root_element,PolicySet,Profile_Input_Dict['crlurl']) + + if Profile_Input_Dict.has_key('PathLength') and Profile_Input_Dict.has_key('isCA'): + pkiprofilelib.Basic_Constraints_Extension_Default(root_element,PolicySet,Profile_Input_Dict['PathLength'], Profile_Input_Dict['isCA']) + pkiprofilelib.CA_Certificate_Validity_Default(root_element,PolicySet) + pkiprofilelib.Subject_Key_Identifier_Extension_Default(root_element,PolicySet) + + et = etree.ElementTree(root_element) + + return et + +if __name__=='__main__': + main() + diff --git a/tests/dogtag/shared/PkiLib/pkiprofilelib.py b/tests/dogtag/shared/PkiLib/pkiprofilelib.py new file mode 100644 index 000000000..941478d50 --- /dev/null +++ b/tests/dogtag/shared/PkiLib/pkiprofilelib.py @@ -0,0 +1,914 @@ +#!/usr/bin/python +# -*- coding: utf-8 -* +from lxml import etree +import sys +import re +import PkiLib.pkiconstraintslib as constraints +import PkiLib.pkicommonlib as common + +def new_profile(ProfileId,ProfileName,ProfileDescription): + + #our profile starts with Profile Tag + root = etree.Element("Profile", id=ProfileId) + #print type(root) + + # In future the this could be a arguement to be passed + classId = etree.SubElement(root, "classId").text = 'caEnrollImpl' + + # Profile Name + name = etree.SubElement(root, "name").text = ProfileName + + # Profile Description + description = etree.SubElement(root, "description").text = ProfileDescription + + enabled = etree.SubElement(root, "enabled").text = 'false' + visible = etree.SubElement(root, "visible").text = 'true' + enabledBy = etree.SubElement(root, "enabledBy") + authzAcl = etree.SubElement(root, "authzAcl") + renew = etree.SubElement(root, "renewal").text = 'false' + xmlOutput = etree.SubElement(root, "xmlOutput").text = 'false' + + return root + +def key_gen(root,InputClassID,InputId): + + ''' This function for storing the Key Generation + Possible values of InputClassID: + certReqInputImpl : For Server Cert + keyGenInputImpl : For User Cert/SMIMECert + dualKeyGenInputImpl: For Dual Cert + + @parameters InputClassID + ''' + Input = etree.SubElement(root, "Input", id = 'i'+InputId) + classId = etree.SubElement(Input, 'ClassID').text = InputClassID + name = etree.SubElement(Input, 'Name').text = 'Key Generation' + + if InputClassID == 'dualKeyGenInputImpl': + input_attributes = [ + ('cert_request_type','dual_keygen_request_type','Key Generation Request Typ'), + ('cert_request','dual_keygen_request', 'Key Generation Request')] + + elif InputClassID == 'keyGenInputImpl': + input_attributes = [ + ('cert_request_type','keygen_request_type', 'Key Generation Request Type'), + ('cert_request','keygen_request', 'Key Generation Request')] + + elif InputClassID == 'certReqInputImpl': + input_attributes = [ + ('cert_request_type','cert_request_type', 'Certificate Request Type'), + ('cert_request','cert_request', 'Certificate Request')] + else: + print '%s did not match with valid Input ClassId', InputClassID + sys.exit(1) + + for idx, (name, syntax, description) in enumerate(input_attributes): + + Attribute = etree.SubElement(Input, 'Attribute', name=name) + Descriptor = etree.SubElement(Attribute, 'Descriptor') + syntax = etree.SubElement(Descriptor, 'Syntax').text = syntax + Description = etree.SubElement(Descriptor, 'Description').text = description + +def subject_name_input(root, InputId): + + subject_name_values = [ + ('sn_uid', 'UID'), + ('sn_e','Email'), + ('sn_cn','Common Name'), + ('sn_ou3','Organizational Unit 3'), + ('sn_ou2','Organizational Unit 2'), + ('sn_ou1','Organizational Unit 1'), + ('sn_ou','Organizational Unit'), + ('sn_o','Organization'), + ('sn_c','Country')] + + Input = etree.SubElement(root, "Input", id = 'i'+InputId) + classId = etree.SubElement(Input, 'ClassID').text = 'subjectNameInputImpl' + name = etree.SubElement(Input, 'Name').text = 'Subject Name' + + for idx, (attr_name, desc_value) in enumerate(subject_name_values): + + Attribute = etree.SubElement(Input, 'Attribute', name=attr_name) + Descriptor = etree.SubElement(Attribute, 'Descriptor') + syntax = etree.SubElement(Descriptor, 'Syntax').text = 'string' + description = etree.SubElement(Descriptor, 'Description').text = desc_value + + +def submitter_info(root, InputId): + + Input = etree.SubElement(root, "Input", id='i'+InputId) + classId = etree.SubElement(Input, 'ClassID').text = 'submitterInfoInputImpl' + name = etree.SubElement(Input, 'Name').text = 'Requestor Information' + + requestor_info_values = [ + ('requestor_name', 'Requestor Name'), + ('requestor_email', 'Requestor Email'), + ('requestor_phone', 'Requestor Phone') + ] + for idx, (attr_name, desc_value) in enumerate(requestor_info_values): + + Attribute = etree.SubElement(Input, 'Attribute', name=attr_name) + Descriptor = etree.SubElement(Attribute, 'Descriptor') + syntax = etree.SubElement(Descriptor, 'Syntax').text = 'string' + description = etree.SubElement(Descriptor, 'Description').text = desc_value + +def output_info(root): + + output = etree.SubElement(root, "Output", id="o1") + Name = etree.SubElement(output, 'name').text = 'Certificate Output' + output_classId = etree.SubElement(output, 'classId').text = 'certOutputImpl' + + output_attributes = [ + ('pretty_cert', 'pretty_print', 'Certificate Pretty Print'), + ('b64_cert', 'pretty_print', 'Certificate Base-64 Encoded')] + + for idx, (name, syntax, description) in enumerate(output_attributes): + Attribute = etree.SubElement(output, 'attributes', name=name) + Descriptor = etree.SubElement(Attribute, 'Descriptor') + Syntax = etree.SubElement(Descriptor, 'Syntax').text = syntax + Description = etree.SubElement(Descriptor, 'Description').text = description + +def Create_PolicySets(root): + + PolicySets = etree.SubElement(root, "PolicySets") + return root, PolicySets + + +def Create_Policy(root_element, PolicySets, policysetname): + + #PolicySets = root_element.find('./PolicySets') + policyset = etree.SubElement(PolicySets, 'PolicySet') + policySetId = etree.SubElement(policyset, 'id').text = policysetname + return root_element, policyset + + + +def get_policyId(PolicySet): + + PolicyValue = '1' + if len(PolicySet) > 1: + PolicyValue = '1' + for valuedef in PolicySet.iterchildren(tag='value'): + value = valuedef.get('id') + + PolicyValue = int(value) + 1 + return str(PolicyValue) + else: + return PolicyValue + +def get_current_policyvalue(root): + Policy_Value = root.findall('./PolicySets/PolicySet/value') + mydict = {} + for key in Policy_Value: + PolicyValues=key.items()[0][1] + classId=key[0].get('classId') + mydict[PolicyValues]=classId + return mydict + +def Subject_Name_Default(root_element,PolicySet,subjectPattern,subjectDefault): + + # Check if the policy is already defined + javaclass = 'userSubjectNameDefaultImpl' + + result = common.check_policy(PolicySet, javaclass) + + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + Subject_Name_Default_description = 'This default populates a User-Supplied Certificate Subject Name to the request' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + if subjectDefault: + Policy_definition = etree.SubElement(Policy_Value, 'def', classId='subjectNameDefaultImpl',id='Subject Name Default') + else: + Policy_definition = etree.SubElement(Policy_Value, 'def', classId='userSubjectNameDefaultImpl',id='Subject Name Default') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Subject_Name_Default_description + + # Policy Attributes + Subject_Name_Default_attributes = [('name','string','NULL','Subject Name','NULL')] + common.policy_attributes(Policy_definition, Subject_Name_Default_attributes) + + # Policy Parameters + if subjectDefault: + Subject_Name_Default_params = [('name',subjectDefault)] + common.policy_parameters(Policy_definition,Subject_Name_Default_params) + + # Policy Constraints + constraints.subjectNameConstraintImpl(Policy_Value,subjectPattern) + + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + if subjectDefault: + Policy_Definition = Policy_Value[0] + Policy_Definition.set('classId', 'subjectNameDefaultImpl') + policy_param_name = etree.SubElement(Policy_Definition, 'params', name='name') + policy_param_value = etree.SubElement(policy_param_name, 'value').text=subjectDefault + if subjectPattern: + CurrentValue = Policy_Value.find('./constraint/constraint/value') + CurrentValue.text = subjectPattern + + +def Key_Usage_Default(root, PolicySet, keylist): + ''' This function defines Key Usage Default Policy ''' + + javaclass = 'keyUsageExtDefaultImpl' + + result = common.check_policy(PolicySet, javaclass) + + if result is False: + #Get Policy ID + pvalue = get_policyId(PolicySet) + + s1 = 'This default populates a Key Usage Extension (2.5.29.15) to the request,The default values are Criticality=true' + s2 = 'Digital Signature=true, Non-Repudiation=true,Key Encipherment=true, Data Encipherment=false, Key Agreement=false' + s3 = 'Key Certificate Sign=false, Key CRL Sign=false, Encipher Only=false, Decipher Only=false' + Key_Usage_Default_description = s1 + s2 + s3 + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Key Usage Default',classId='keyUsageExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Key_Usage_Default_description + + # Policy Attributes #name,syntax,constraint,description,defaultvalue + Key_Usage_Default_attributes = [ + ('keyUsageCritical','boolean','NULL','Criticality','false'), + ('keyUsageDigitalSignature','boolean','NULL','Digital Signature','false'), + ('keyUsageNonRepudiation','boolean','NULL','Non-Repudiation','false'), + ('keyUsageKeyEncipherment','boolean','NULL','Key Encipherment','false'), + ('keyUsageDataEncipherment','boolean','NULL','Data Encipherment','false'), + ('keyUsageKeyAgreement','boolean','NULL','Key Agreement','false'), + ('keyUsageKeyCertSign','boolean','NULL','Key CertSign','false'), + ('keyUsageCrlSign','boolean','NULL','CRL Sign','false'), + ('keyUsageEncipherOnly','boolean','NULL','Encipher Only','false'), + ('keyUsageDecipherOnly','boolean','NULL','Decipher Only','false'), + ] + common.policy_attributes(Policy_definition, Key_Usage_Default_attributes) + + # Policy Parameters + Key_Usage_Default_parms = [ + ('keyUsageCritical', common.check_ext_key_usage(keylist,'keyUsageCritical')), + ('keyUsageDigitalSignature', common.check_ext_key_usage(keylist,'keyUsageDigitalSignature')), + ('keyUsageNonRepudiation', common.check_ext_key_usage(keylist,'keyUsageNonRepudiation')), + ('keyUsageKeyEncipherment', common.check_ext_key_usage(keylist,'keyUsageKeyEncipherment')), + ('keyUsageDataEncipherment', common.check_ext_key_usage(keylist,'keyUsageDataEncipherment')), + ('keyUsageKeyAgreement', common.check_ext_key_usage(keylist,'keyUsageKeyAgreement')), + ('keyUsageKeyCertSign', common.check_ext_key_usage(keylist,'keyUsageKeyCertSign')), + ('keyUsageCrlSign', common.check_ext_key_usage(keylist,'keyUsageCrlSign')), + ('keyUsageEncipherOnly', common.check_ext_key_usage(keylist,'keyUsageEncipherOnly')), + ('keyUsageDecipherOnly', common.check_ext_key_usage(keylist,'keyUsageDecipherOnly')) + ] + common.policy_parameters(Policy_definition,Key_Usage_Default_parms) + + # Policy Constraint + constraints.keyUsageExtConstraintImpl(Policy_Value,keylist) + + else: + + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + # Change Policy Parameters + mylist = re.split(',', keylist) + for v in mylist: + result_param = Policy_Value.find("./def/params[@name=\"%s\"]/value" % v) + result_param.text = 'true' + # Change Policy Constraints + for v in mylist: + result_constraint = Policy_Value.find("./constraint/constraint[@id=\"%s\"]/value" % v) + result_constraint.text = 'true' + +def CA_Certificate_Validity_Default(root,PolicySet): + + javaclass = 'caValidityDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + #Get Policy ID + pvalue = get_policyId(PolicySet) + CA_Certificate_Validity_Default_description = 'This default populates a Certificate Validity to the request. The default values are Range=7305 in days' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='CA Certificate Validity Default', classId='caValidityDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = CA_Certificate_Validity_Default_description + + # Policy Attributes + CA_Certificate_Validity_Default_attributes = [ + ('notBefore','string','NULL','Not Before','NULL'), + ('notAfter','string','NULL','notAfter','NULL'), + ('bypassCAnotafter','boolean','NULL','Bypass CA notAfter constraint','false')] + + common.policy_attributes(Policy_definition, CA_Certificate_Validity_Default_attributes) + + # Policy Parameters + CA_Certificate_Validity_Default_params = [ + ('range', '7305'), + ('startTime', '0'), + ('bypassCAnotafter', '') + ] + common.policy_parameters(Policy_definition,CA_Certificate_Validity_Default_params) + + # Policy Constraints + constraints.validityConstraintImpl(Policy_Value, 365, 7305) + + else: + + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + +def Key_Default(root,PolicySet): + + ''' This function Defines key default policy''' + javaclass = 'userKeyDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + + # Description + Key_Default_description = 'This default populates a User-Supplied Certificate Key to the request' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + ### Policy Defintion + Policy_definition = etree.SubElement(Policy_Value, 'def', id='Key Default', classId='userKeyDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Key_Default_description + + ### Policy Attributes + Key_Default_attributes = [ + ('TYPE','string','readonly','Key Type','NULL'), + ('LEN','string','readonly','Key Length','NULL'), + ('KEY','string','readonly','Key','NULL')] + + common.policy_attributes(Policy_definition, Key_Default_attributes) + constraints.keyConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + +def Authority_Key_Identifier_Default(root,PolicySet): + + ''' This function Defines Authority Key Identifier Default Policy''' + javaclass = 'authorityKeyIdentifierExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + + # Description + Authority_Key_Identifier_Default_description = 'This default populates an Authority Key Identifier Extension (2.5.29.35) to the request.' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Authority Key Identifier Default', + classId='authorityKeyIdentifierExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Authority_Key_Identifier_Default_description + + # Policy Attributes + Authority_Key_Identifier_Default_attributes = [ + ('critical', 'string','readonly','Criticality','NULL'), + ('keyid', 'string', 'readonly', 'Key ID', 'NULL') + ] + + common.policy_attributes(Policy_definition, Authority_Key_Identifier_Default_attributes) + + # Constraint Definition + constraints.noConstraintImpl(Policy_Value) + + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + +def Basic_Constraints_Extension_Default(root,PolicySet,PathLength, isCA): + + ''' This function Defines Basic Constraints Extension Default Policy''' + javaclass = 'basicConstraintsExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + #Get Policy ID + pvalue = get_policyId(PolicySet) + + #Description + Basic_Constraints_Extension_Default_description = 'This default populates a Basic Constraints Extension (2.5.29.19) to the request.,The default values are Criticality=true, Is CA=true, Path Length=-1' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Basic Constraints Extension Default',classId='basicConstraintsExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Basic_Constraints_Extension_Default_description + + # Policy Attributes + Basic_Constraints_Extension_Default_attributes = [ + ('basicConstraintsCritical', 'boolean', 'Criticality','false','NULL'), + ('basicConstraintsIsCA', 'boolean', 'Is CA', 'true', 'NULL'), + ('basicConstraintsPathLen', 'integer', 'Path Length', '-1', 'NULL') + ] + + common.policy_attributes(Policy_definition, Basic_Constraints_Extension_Default_attributes) + + # Policy Parameters + Basic_Constraints_Extension_Default_params = [ + ('basicConstraintsCritical', 'true'), + ('basicConstraintsIsCA', isCA), + ('basicConstraintsPathLen', PathLength) + ] + common.policy_parameters(Policy_definition, Basic_Constraints_Extension_Default_params) + + # Constraint Definition + constraints.basicConstraintsCritical(Policy_Value,PathLength, isCA) + + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + basicConstraintsIsCA_params = Policy_Value.find('./def/params[@name="basicConstraintsIsCA"]') + basicConstraintsIsCA_params[0].text = isCA + basicConstraintsPathLen_params = Policy_Value.find('./def/params[@name="basicConstraintsPathLen"]') + basicConstraintsPathLen_params[0].text = PathLength + + basicConstraintsIsCA_constraint = Policy_Value.find('./constraint/constraint[@id=basicConstraintsIsCA]/value') + basicConstraintsIsCA_constraint.text = isCA + basicConstraintsPathLen_constraint = Policy_Value.find('./constraint/constraint[@id="basicConstraintsMaxPathLen"]/value') + basicConstraintsPathLen_constraint.text = PathLength + + +def Subject_Key_Identifier_Extension_Default(root,PolicySet): + ''' This function defines Subject Key Identifier Extension Default Policy ''' + + javaclass = 'subjectKeyIdentifierExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + # Get Policy ID + pvalue = get_policyId(PolicySet) + # Description + Subject_Key_Identifier_Extension_Default_description = 'This default populates a Subject Key Identifier Extension (2.5.29.14) to the request.' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Subject Key Identifier Extension Default', classId='subjectKeyIdentifierExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Subject_Key_Identifier_Extension_Default_description + + # Policy Attributes + Subject_Key_Identifier_Extension_Default_attributes = [ + ('critical', 'string', 'readonly', 'Criticality', 'NULL'), + ('keyid', 'string', 'readonly', 'Key ID', 'NULL')] + + common.policy_attributes(Policy_definition, Subject_Key_Identifier_Extension_Default_attributes) + # Policy Parameters + # None + + # Constraint Definition + constraints.noConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + +def Signing_Alg(root,PolicySet): + + ''' This Function defines Signing Algorithm Policy ''' + javaclass = 'signingAlgDefaultImpl' + + result = common.check_policy(PolicySet, javaclass) + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + + #Description + Signing_Alg_description = 'This default populates the Certificate Signing Algorithm. The default values are Algorithm=SHA512withRSA' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Signing Alg', classId='signingAlgDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Signing_Alg_description + + # Policy Attributes + + Signing_Alg_attributes = [('signingAlg', 'choice','SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA', + 'Signing Algorithm', 'NULL')] + common.policy_attributes(Policy_definition, Signing_Alg_attributes) + + # Policy Parameters + Signing_Alg_params = [('signingAlg', '-')] + common.policy_parameters(Policy_definition, Signing_Alg_params) + + #Constraint + constraints.signingAlgConstraintImpl(Policy_Value) + + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + + + +def AIA_Extension_Default(root,PolicySet): + ''' This Function defines AIA Extension Default Policy ''' + + javaclass = 'authInfoAccessExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + #Get Policy ID + pvalue = get_policyId(PolicySet) + + s1 = 'This default populates a Authority Info Access Extension (1.3.6.1.5.5.7.1.1) to the request. ' + s2 = 'The default values are Criticality=false,Record #0{Method:1.3.6.1.5.5.7.48.1,Location Type:URIName,Location:,Enable:true}' + AIA_Extension_description = s1 + s2 + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='AIA Extension Default', classId='authInfoAccessExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = AIA_Extension_description + + # Policy Attributes + + AIA_Extension_Default_attributes = [ + ('authInfoAccessCritical', 'boolean', 'NULL','Criticality','false'), + ('authInfoAccessGeneralNames', 'string_list', 'NULL', 'General Names', 'NULL')] + + common.policy_attributes(Policy_definition, AIA_Extension_Default_attributes) + + # Policy Parameters + AIA_Extension_Default_params = [ + ('authInfoAccessCritical','false'), + ('authInfoAccessNumADs', '1'), + ('authInfoAccessADMethod_0', '1.3.6.1.5.5.7.48.1'), + ('authInfoAccessADLocationType_0', 'URIName'), + ('authInfoAccessADLocation_0', ''), + ('authInfoAccessADEnable_0', 'true') + ] + common.policy_parameters(Policy_definition, AIA_Extension_Default_params) + + # Constraint + constraints.noConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + +def No_Default(root,PolicySet,notBefore,notAfter): + + javaclass = 'noDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + + # Description + No_Default_description = 'No Default' + + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='No Default', classId='noDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = No_Default_description + + # Policy Attributes None + # Policy Parameters None + + #constraint + constraints.renewGracePeriodConstraintImpl(Policy_Value,notBefore,notAfter) + + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + NotBeforeDefaultValue = Policy_Value.find('./constraint[@id="Renewal Grace Period Constraint"]/constraint[@id="renewal.graceBefore"]/descriptor/DefaultValue') + NotBeforeDefaultValue.text = notBefore + NotBeforeValue = Policy_Value.find('./constraint[@id="Renewal Grace Period Constraint"]/constraint[@id="renewal.graceBefore"]/value') + NotBeforeValue.text = notBefore + + NotAfterDefaultValue = Policy_Value.find('./constraint[@id="Renewal Grace Period Constraint"]/constraint[@id="renewal.graceAfter"]/descriptor/DefaultValue') + NotAfterDefaultValue.text = notAfter + NotAfterValue = Policy_Value.find('./constraint[@id="Renewal Grace Period Constraint"]/constraint[@id="renewal.graceAfter"]/value') + NotAfterValue.text = notAfter + + +def Validity_Default(root, PolicySet, defaultRange, range_value): + + javaclass = 'validityDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + #Get Policy ID + pvalue = get_policyId(PolicySet) + + #Description + Validity_Default_description='This default populates a Certificate Validity to the request. The default values are Range=180 in days' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Validity Default', classId='validityDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Validity_Default_description + + # Policy Attributes + Validity_Default_attributes = [ + ('notBefore', 'string', 'NULL', 'Not Before', 'NULL'), + ('notAfter', 'string', 'NULL', 'Not After', 'NULL')] + + common.policy_attributes(Policy_definition, Validity_Default_attributes) + # Policy Parameters + Validity_Default_params = [ + ('range', defaultRange), + ('startTime', '0')] + + common.policy_parameters(Policy_definition, Validity_Default_params) + + #Constraint + constraints.validityConstraintImpl(Policy_Value, defaultRange, range_value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + defaultRange_value = Policy_Value.find('./def/params[@name="range"]/value') + defaultRange_value.text = defaultRange + + Constraint_DefaultValue = Policy_Value.find('./constraint[@id="Validity Constraint"]/constraint[@id="range"]/descriptor/DefaultValue') + Constraint_DefaultValue.text = range_value + Constraint_Value = Policy_Value.find('./constraint[@id="Validity Constraint"]/constraint[@id="range"]/value') + Constraint_Value.text = range_value + +def Extended_Key_Usage_Extension_Default(root,PolicySet): + + javaclass = 'extendedKeyUsageExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + + #Description + s1 = 'This default populates an Extended Key Usage Extension () to the request.' + s2 = 'The default values are Criticality=false, OIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4' + Extended_Key_Usage_Extension_Default_Description = s1 + s2 + + # policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Extended Key Usage Extension Default', classId='extendedKeyUsageExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Extended_Key_Usage_Extension_Default_Description + + # Policy Attributes + Extended_Key_Usage_Extension_Default_attributes = [ + ('exKeyUsageCritical', 'boolean', 'NULL', 'Criticality', 'false'), + ('exKeyUsageOIDs', 'string_list', 'NULL', 'Comma-Separated list of Object Identifiers', 'false')] + + common.policy_attributes(Policy_definition, Extended_Key_Usage_Extension_Default_attributes) + + # Policy Parameters + Extended_Key_Usage_Extension_Default_params = [ + ('exKeyUsageCritical','false'), + ('exKeyUsageOIDs', '1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4')] + + common.policy_parameters(Policy_definition, Extended_Key_Usage_Extension_Default_params) + + # Constraint + constraints.noConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + +def Subject_Alt_Name_Constraint(root,PolicySet,altType,altPattern): + + javaclass = 'subjectAltNameExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + + #Description + s1 = 'This default populates a Subject Alternative Name Extension (2.5.29.17) to the request.' + s2 = 'The default values are Criticality=false, Record #0{Pattern:$request.requestor_email$,Pattern Type:RFC822Name,Enable:true}' + Subject_Alt_Name_Constraint_description = s1 + s2 + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Subject Alt Name Constraint', classId='subjectAltNameExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Subject_Alt_Name_Constraint_description + + # Policy Attributes + Subject_Alt_Name_Constraint_attributes = [ + ('subjAltNameExtCritical', 'boolean', 'NULL', 'Criticality', 'false'), + ('subjAltNames', 'string_list', 'NULL', 'General Names', 'NULL')] + + common.policy_attributes(Policy_definition, Subject_Alt_Name_Constraint_attributes) + + # Policy Parameters + Subject_Alt_Name_Constraint_params = [ + ('subjAltNameExtCritical', 'false'), + ('subjAltNameNumGNs', '1'), + ('subjAltExtType_0', altType), + ('subjAltExtPattern_0', altPattern), + ('subjAltExtGNEnable_0', 'true')] + + common.policy_parameters(Policy_definition, Subject_Alt_Name_Constraint_params) + + # constraints + constraints.noConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + subjAltExtType_0_param = Policy_Value.find('./def/params[@name="subjAltExtType_0"]/value') + subjAltExtType_0_param.text = altType + subjAltExtPattern_0_param = Policy_Value.find('./def/params[@name="subjAltExtPattern_0"]/value') + subjAltExtPattern_0_param.text = altPattern + + +def Generic_Extension(root,PolicySet): + + javaclass = 'genericExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + #Get Policy ID + pvalue = get_policyId(PolicySet) + + #Description + s1 = 'This default populates a Generic Extension to the request. The default values are Criticality=, OID=1.2.840.113549.1.9.15,' + s2 = ' OID=1.2.840.113549.1.9.15, Value=' + s3 = '3067300B06092A864886F70D010105300B06092A864886F70D01010B300B06092A864886F70D01010C300B06092A864886F70D01010D300A06082A864886F70D0307300B0609608648016503040102300B060960864801650304012A300B06092A864886F70D010101' + Generic_Extension_description = s1 + s2 + s3 + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Generic Extension', classId='genericExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Generic_Extension_description + # Policy Attributes + Generic_Extension_attributes = [ + ('genericExtCritical', 'boolean', 'NULL', 'Criticality', 'false'), + ('genericExtData', 'string_list', 'NULL', 'Extension Value', 'NULL')] + + # Policy Parameters + Generic_Extension_params = [ + ('genericExtCritical', ''), + ('genericExtOID', '1.2.840.113549.1.9.15'), + ('genericExtData', s3)] + common.policy_parameters(Policy_definition, Generic_Extension_params) + + # Constraints + constraints.noConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + +def Netscape_Certificate_Type_Extension_Default(root,PolicySet,extlist): + + javaclass = 'nsCertTypeExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + + # Description + Netscape_Certificate_Type_Extension_Default_description = 'This default populates a Netscape Certificate Type Extension' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='Netscape Certificate Type Extension Default', classId='nsCertTypeExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = Netscape_Certificate_Type_Extension_Default_description + + # Policy Attributes + Netscape_Certificate_Type_Extension_Default_attributes = [ + ('nsCertCritical', 'boolean', 'NULL', 'Criticality','false'), + ('nsCertSSLClient', 'boolean', 'NULL', 'SSL Client', 'false'), + ('nsCertSSLServer', 'boolean', 'NULL', 'SSL Server', 'false'), + ('nsCertEmail', 'boolean', 'NULL', 'Email', 'false'), + ('nsCertObjectSigning', 'boolean', 'NULL', 'Object Signing', 'false'), + ('nsCertSSLCA', 'boolean', 'NULL', 'SSL CA', 'false'), + ('nsCertEmailCA', 'boolean', 'NULL', 'Email CA', 'false'), + ('nsCertObjectSigningCA', 'boolean', 'NULL', 'Object Signing CA', 'false')] + + # Policy Parameters + Netscape_Certificate_Type_Extension_Default_params = [ + ('nsCertCritical', common.check_ext_key_usage(extlist, 'nsCertCritical')), + ('nsCertSSLClient', common.check_ext_key_usage(extlist, 'nsCertSSLClient')), + ('nsCertSSLServer', common.check_ext_key_usage(extlist, 'nsCertSSLServer')), + ('nsCertEmail', common.check_ext_key_usage(extlist, 'nsCertEmail')), + ('nsCertObjectSigning', common.check_ext_key_usage(extlist, 'nsCertObjectSigning')), + ('nsCertSSLCA', common.check_ext_key_usage(extlist, 'nsCertSSLCA')), + ('nsCertEmailCA', common.check_ext_key_usage(extlist, 'nsCertEmailCA')), + ('nsCertObjectSigningCA', common.check_ext_key_usage(extlist, 'nsCertObjectSigningCA'))] + + common.policy_parameters(Policy_definition, Netscape_Certificate_Type_Extension_Default_params) + + # Constraints + constraints.noConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + for v in extlist: + result = Policy_Value.find("./def/params[@name=\"%s\"]" % v) + result[0].text = 'true' + +def crl_Distribution_Points_Ext_Default(root,PolicySet,crlurl): + + javaclass = 'crlDistributionPointsExtDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + + #Get Policy ID + pvalue = get_policyId(PolicySet) + + #Description + s1='This default populates a CRL Distribution Points Extension (2.5.29.31) to the request' + s2='The default values are Criticality=false, Record #0{Point Type:URIName,Point Name:http://localhost.localdomain:9180/ca/ee/ca/getCRL' + s3='?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit,Reasons:,Issuer Type' + s4=':,Issuer Name:,Enable:true}' + clrDistribution_Point_Name = 'http://localhost.localdomain:9180/ca/ee/ca/getCRL?crlIssuingPoint=MasterCRL&op=getCRL&crlDisplayType=cachedCRL&submit=Submit' + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='crlDistributionPointsExtDefaultImpl', classId='crlDistributionPointsExtDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = s1 + s2 + s3 + s4 + + # Policy Attributes + crl_Distribution_Points_Ext_Default_attributes = [ + ('crlDistPointsCritical', 'boolean', 'NULL', 'Criticality', 'false'), + ('crlDistPointsValue', 'string_list', 'NULL', 'CRL Distribution Points', 'NULL')] + # Params + crl_Distribution_Points_Ext_Default_params = [ + ('crlDistPointsNum', '1'), + ('crlDistPointsPointType_0', 'URIName'), + ('crlDistPointsPointName_0', crlurl), + ('crlDistPointsReasons_0', 'NULL'), + ('crlDistPointsIssuerType_0', 'NULL'), + ('crlDistPointsIssuerName_0', 'NULL'), + ('crlDistPointsEnable_0', 'true')] + common.policy_parameters(Policy_definition, crl_Distribution_Points_Ext_Default_params) + + #No Constraint + constraints.noConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + crlDistPointsPointName_value = Policy_Value.find('./def/params[@name="crlDistPointsPointName_0"]/value') + crlDistPointsPointName_value[0].text = crlurl + +def User_Supplied_Extension_Default(root,PolicySet,ExtOID): + + javaclass = 'userExtensionDefaultImpl' + result = common.check_policy(PolicySet, javaclass) + + if result is False: + # Get Policy ID + pvalue = get_policyId(PolicySet) + + # Description + s1 = 'This default populates a User-Supplied Extension (%s) to the request.', ExtOID + + # Policy Value + Policy_Value = etree.SubElement(PolicySet, 'value', id=pvalue) + + # Policy Definition + Policy_definition = etree.SubElement(Policy_Value, 'def', + id='User Supplied Extension Default', classid='userExtensionDefaultImpl') + Policy_description = etree.SubElement(Policy_definition, 'description').text = s1 + + # Policy Attributes + User_Supplied_Extension_Default_attributes = [('userExtOID', 'string', 'readonly', 'Object Identifier', 'NULL')] + + # Policy Params + User_Supplied_Extension_Default_params = [('userExtOID', ExtOID)] + common.policy_parameters(Policy_definition, User_Supplied_Extension_Default_params) + + # No Constraint + constraints.noConstraintImpl(Policy_Value) + else: + Policy_Value = common.get_Element_PolicyValue(PolicySet, javaclass) + userExtOID_param = Policy_Value.find('./def/params[@name="userExtOID"]/value') + userExtOID_param.text = ExtOID |