~ubuntu-branches/ubuntu/hardy/pyca/hardy

« back to all changes in this revision

Viewing changes to cgi-bin/ns-revoke.py

Committer: Bazaar Package Importer
Author(s): Lars Bahner
Date: 2003-12-02 19:39:35 UTC
Revision ID: james.westby@ubuntu.com-20031202193935-fzzt289mntvy6a8q

Tags: upstream-20031118

Import upstream version 20031118

files added:

bin/ca2ldif.py

bin/certs2ldap.py

bin/copy-cacerts.py

bin/ldap2certs.py

bin/ns-jsconfig.py

bin/print-cacerts.py

cgi-bin

cgi-bin/browser-check.py

cgi-bin/ca-index.py

cgi-bin/cert-query.py

cgi-bin/client-enroll.py

cgi-bin/get-cert.py

cgi-bin/ns-check-rev.py

cgi-bin/ns-revoke.py

cgi-bin/pycacnf.py

cgi-bin/scep.py

cgi-bin/view-cert.py

conf

conf/cacert_AuthCerts.cnf

conf/cacert_CodeSigning.cnf

conf/cacert_EmailCerts.cnf

conf/cacert_Root.cnf

conf/cacert_ServerCerts.cnf

conf/openssl.cnf

conf/ssl_server_csr.cnf

docs

help

htdocs

htdocs/changes.html

htdocs/config.html

htdocs/demo.html

htdocs/download.html

htdocs/faq.html

htdocs/features.html

htdocs/feedback.html

htdocs/files.html

htdocs/help

htdocs/help/client-enroll.html.de

htdocs/help/client-enroll.html.en

htdocs/install.html

htdocs/news.html

htdocs/overview.html

htdocs/pyca.html

htdocs/related.html

htdocs/roadmap.html

htdocs/security.html

htdocs/ssi

htdocs/ssi/footer.html

htdocs/ssi/head.html

htdocs/ssi/navigation.html

pylib

pylib/certhelper.py

pylib/cgiforms.py

pylib/cgihelper.py

pylib/cgissl.py

pylib/charset.py

pylib/htmlbase.py

pylib/ipadr.py

pylib/ldapbase.py

pylib/ldif.py

pylib/openssl

pylib/openssl/__init__.py

pylib/openssl/cert.py

pylib/openssl/cnf.py

pylib/openssl/db.py

pylib/vbs.py

sbin

sbin/ca-certreq-mail.py

sbin/ca-cycle-priv.py

sbin/ca-cycle-pub.py

sbin/ca-make.py

sbin/ca-revoke.py

sbin/pickle-cnf.py

Show diffs side-by-side

added added

removed removed

cgi-bin/ns-revoke.py

#!/usr/bin/python

"""

ns-revoke.py

CGI-BIN for revoking client certificates

Input:

PATH_INFO

- Name of CA in openssl.cnf (section [ca] of openssl.cnf)

QUERY_STRING

- Serial number of certificate to revoke

max. 8 digits hexadecimal (32 Bit)

Example:

ns-revoke.py/Persona?01

revokes client certificate with serial 0x01 of CA "Persona"

The following checks are made to avoid denial of service attacks:

- The client software must provide the client certificate.

- The issuer of the client and the server certificates must match

"""

Version='0.6.6'

import sys, os, string, re, pycacnf, htmlbase, openssl, cgissl, certhelper

from pycacnf import opensslcnf, pyca_section

# Wir lesen rein gar nix von Standardeingabe => gleich dicht machen

sys.stdin.close()

# Path to openssl executable

openssl.bin_filename = pyca_section.get('OpenSSLExec','/usr/bin/openssl')

# Ein paar Umgebungsvariablen auslesen, welche der Apache liefert

request_method = os.environ.get('REQUEST_METHOD','')

query_string = os.environ.get('QUERY_STRING','')

script_name = os.environ.get('SCRIPT_NAME','')

path_info = os.environ.get('PATH_INFO','')[1:]

rm = (re.compile('[0-9a-fA-F]+(&yes)*')).match(query_string)

# Hier die ueblichen Paranoid-Pruefungen der Parameter

if request_method!='GET':

# Skript nicht mit GET aufgerufen

htmlbase.PrintErrorMsg('Wrong method.')

sys.exit(0)

# Angabe der CA pruefen

ca_name = os.environ.get('PATH_INFO','')[1:]

if not ca_name:

htmlbase.PrintErrorMsg('No certificate authority.')

sys.exit(0)

# Name der CA pruefen

if not opensslcnf.data['ca'].has_key(ca_name):

# CA-Definition nicht in openssl-Konfiguration enthalten

htmlbase.PrintErrorMsg('Unknown certificate authority "%s".' % ca_name)

sys.exit(0)

ca = opensslcnf.getcadata(ca_name)

# Abruf eines Zertifikates mittels Seriennummer

try:

serial,yes = string.split(query_string,'_')

except ValueError:

serial = query_string

serialnumber=string.atoi(serial,16)

ca_db = openssl.db.OpenSSLcaDatabaseClass(ca.database)

entry = ca_db.GetEntrybySerial(serialnumber)

# Kein entsprechender Eintrag gefunden

if not entry:

htmlbase.PrintErrorMsg('Certificate not found.')

sys.exit(0)

# Zertifikat ist ungueltig

if entry[openssl.db.DB_type]!=openssl.db.DB_TYPE_VAL:

htmlbase.PrintErrorMsg('Certificate invalid.')

sys.exit(0)

certfilename = os.path.join(ca.certs,'%s.pem' % (entry[openssl.db.DB_serial]))

# Does the certificate file exist?

if not os.path.isfile(certfilename):

htmlbase.PrintErrorMsg('Certificate file not found.')

sys.exit(0)

# Kein Zertifikat mit angegebener Nummer gefunden

if entry==[]:

htmlbase.PrintErrorMsg('Certificate not found.')

sys.exit(0)

if entry[openssl.db.DB_type]!=openssl.db.DB_TYPE_VAL:

100

htmlbase.PrintErrorMsg('Certificate invalid.')

101

sys.exit(0)

102

103

ssl_env = cgissl.GetAllSSLEnviron()

104

105

if not ssl_env.has_key('SSL_CLIENT_S_DN'):

106

htmlbase.PrintErrorMsg('No client certificate present.')

107

sys.exit(0)

108

109

cacert = openssl.cert.X509CertificateClass(ca.certificate)

110

111

#if ssl_env['SSL_CLIENT_I_DN']!=ssl_env['SSL_SERVER_I_DN']:

112

# htmlbase.PrintErrorMsg('Wrong issuer of client certificate.')

113

# sys.exit(0)

114

115

if ssl_env['SSL_CLIENT_S_DN']!=entry[openssl.db.DB_name]:

116

htmlbase.PrintErrorMsg('Wrong client certificate.')

117

sys.exit(0)

118

119

cert = openssl.cert.X509CertificateClass(certfilename)

120

121

if query_string[-4:]!='_yes':

122

htmlbase.PrintHeader('Confirmation of certificate revocation.')

123

print """The following certificate will be revoked:

124

125

Are you really sure that you want to revoke your certificate?

126

The following reasons can make revoking necessary:

127

<UL>

128

<LI>Your private key was compromised (stolen, the password was sniffed etc.)</LI>

129

<LI>The content of the certificate attributes has become wrong.</LI>

130

</UL>

131

132

""" % (cert.htmlprint(),script_name,ca_name,serialnumber)

133

htmlbase.PrintFooter()

134

sys.exit(0)

135

136

ca_db.Revoke(serialnumber)

137

htmlbase.PrintHeader('Revoked certificate.')

138

print 'The following certificate was revoked by you: %s' % (cert.htmlprint())

139

140

sys.exit(0)

141

Older »