openwisp / django-x509
Reusable django app implementing x509 PKI certificates management
Home Page: http://openwisp.org
License: BSD 3-Clause "New" or "Revised" License
Generated certificates use GENERALIZEDTIME for dates <2050.
According to this RFC https://tools.ietf.org/html/rfc5280#section-4.1.2.5:
CAs conforming to this profile MUST always encode certificate
validity dates through the year 2049 as UTCTime; certificate validity
dates in 2050 or later MUST be encoded as GeneralizedTime.
Here is a test ca.crt generated with django-x509:
-----BEGIN CERTIFICATE-----
MIIDtjCCAp6gAwIBAgIQVeW93R49QC+y5UU79QyzizANBgkqhkiG9w0BAQsFADA4
MSIwIAYJKoZIhvcNAQkBFhNoZWxsb0BlemFxdWFyaWkuY29tMRIwEAYDVQQDDAlz
ZXJ2ZXItY2EwIhgPMjAxODEyMTIwMDAwMDBaGA8yMDE5MTIxMzAwMDAwMFowODEi
MCAGCSqGSIb3DQEJARYTaGVsbG9AZXphcXVhcmlpLmNvbTESMBAGA1UEAwwJc2Vy
dmVyLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArZ4waqi5X93l
5qQ6RTC0RrUnn768Sz4svOw8QL6JNNLvntia9bkA9JKofIYDoOxk5h7sY+Oy0HQe
cm4RCQgMwqC87PmVBH/ov1xBxMavqJxDaWfhWMp56lZZBcEHvRAICja6scC1i9ex
APEzwoJ+LUMvRwh629mYUVdOmNMeeZxc3pcYpcDFMDRYpn0gP98Cke+hH8Of7cG1
o9S+l+bQ4/l0zfUJybthY19VfyULLn7KVRm3bi+7w56oLNc14SQQssZoPteuRiHu
M6SiCAM4jzO7RYjwzvB0OZ2eYBQcuG9K9mnf3sxzmlNQpffo8qkmxP1XCrhhkTI0
kIGvGVLRewIDAQABo4G3MIG0MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/
BAQDAgEGMB0GA1UdDgQWBBSOTILApLPKh37AMXE+fRCLQVjUzzBvBgNVHSMEaDBm
gBSOTILApLPKh37AMXE+fRCLQVjUz6E8pDowODEiMCAGCSqGSIb3DQEJARYTaGVs
bG9AZXphcXVhcmlpLmNvbTESMBAGA1UEAwwJc2VydmVyLWNhghBV5b3dHj1AL7Ll
RTv1DLOLMA0GCSqGSIb3DQEBCwUAA4IBAQBhe9m/zQlA2B/mxXOZiiwRWzHNQxPh
TFl2r6sYZA3Vb5VHmp9pYuMKrATNQW1rNVgN8GVA+6qjhM5OqZ45/zh392KTV1DJ
kP12pNbbuqekHn6U8tf+SSPdqXbNy/FFTfq1D7zwmqXsyKzwCXYt+7DxuK+07GGK
Omj/ImiczOtm/DvVEVoFzV/cTEbqNUc0r3ssQN2okiOr+2EbS7Gc8tY+6385/hpK
0t3Kl80P+NERsNrjiyew+NoqGEYqMtWWHePxzB00Q0Zdid9WVY1BBbz/s61LsRb4
3ocaruGTLmiHzKo7XPYm2rriTEiRcL+jeFSReq4RU4qS1Bs9upYCIBim
-----END CERTIFICATE-----
Here is a matching test cert.crt:
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
Verification using LibreSSL fails:
$ openssl verify -CAfile ca.crt cert.crt
cert.crt: emailAddress = [email protected], CN = server-ca
error 13 at 1 depth lookup:format error in certificate's notBefore field
emailAddress = [email protected], CN = server-ca
error 13 at 1 depth lookup:format error in certificate's notBefore field
emailAddress = [email protected], CN = server-ca
error 13 at 1 depth lookup:format error in certificate's notBefore field
That is because LibreSSL intentionally has a stricter parser and the CA uses GENERALIZEDTIME:
$ openssl asn1parse -in ca.crt | grep TIME
106:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :20181212000000Z
123:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :20191213000000Z
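The encoding rule quoted from RFC 5280 can be checked without OpenSSL. The following Python is an added example, not code from the issue or from django-x509: it walks just enough of the certificate's DER to reach tbsCertificate.validity, reports the tag (0x17 UTCTime, 0x18 GeneralizedTime) and offset of notBefore and notAfter, flags dates that use the wrong tag for their year, and shows how a compliant encoder picks the tag. CA_PEM is the test ca.crt pasted above; the offsets it reports (106 and 123) agree with the asn1parse output. The minimal TLV reader assumes single-byte tags and definite lengths, which is all this certificate needs.

```python
import base64
import re
from datetime import datetime, timezone

UTCTIME = 0x17
GENERALIZEDTIME = 0x18
TAG_NAMES = {UTCTIME: "UTCTIME", GENERALIZEDTIME: "GENERALIZEDTIME"}

# Sample input: the test ca.crt from the issue above (generated by django-x509).
CA_PEM = """-----BEGIN CERTIFICATE-----
MIIDtjCCAp6gAwIBAgIQVeW93R49QC+y5UU79QyzizANBgkqhkiG9w0BAQsFADA4
MSIwIAYJKoZIhvcNAQkBFhNoZWxsb0BlemFxdWFyaWkuY29tMRIwEAYDVQQDDAlz
ZXJ2ZXItY2EwIhgPMjAxODEyMTIwMDAwMDBaGA8yMDE5MTIxMzAwMDAwMFowODEi
MCAGCSqGSIb3DQEJARYTaGVsbG9AZXphcXVhcmlpLmNvbTESMBAGA1UEAwwJc2Vy
dmVyLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArZ4waqi5X93l
5qQ6RTC0RrUnn768Sz4svOw8QL6JNNLvntia9bkA9JKofIYDoOxk5h7sY+Oy0HQe
cm4RCQgMwqC87PmVBH/ov1xBxMavqJxDaWfhWMp56lZZBcEHvRAICja6scC1i9ex
APEzwoJ+LUMvRwh629mYUVdOmNMeeZxc3pcYpcDFMDRYpn0gP98Cke+hH8Of7cG1
o9S+l+bQ4/l0zfUJybthY19VfyULLn7KVRm3bi+7w56oLNc14SQQssZoPteuRiHu
M6SiCAM4jzO7RYjwzvB0OZ2eYBQcuG9K9mnf3sxzmlNQpffo8qkmxP1XCrhhkTI0
kIGvGVLRewIDAQABo4G3MIG0MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/
BAQDAgEGMB0GA1UdDgQWBBSOTILApLPKh37AMXE+fRCLQVjUzzBvBgNVHSMEaDBm
gBSOTILApLPKh37AMXE+fRCLQVjUz6E8pDowODEiMCAGCSqGSIb3DQEJARYTaGVs
bG9AZXphcXVhcmlpLmNvbTESMBAGA1UEAwwJc2VydmVyLWNhghBV5b3dHj1AL7Ll
RTv1DLOLMA0GCSqGSIb3DQEBCwUAA4IBAQBhe9m/zQlA2B/mxXOZiiwRWzHNQxPh
TFl2r6sYZA3Vb5VHmp9pYuMKrATNQW1rNVgN8GVA+6qjhM5OqZ45/zh392KTV1DJ
kP12pNbbuqekHn6U8tf+SSPdqXbNy/FFTfq1D7zwmqXsyKzwCXYt+7DxuK+07GGK
Omj/ImiczOtm/DvVEVoFzV/cTEbqNUc0r3ssQN2okiOr+2EbS7Gc8tY+6385/hpK
0t3Kl80P+NERsNrjiyew+NoqGEYqMtWWHePxzB00Q0Zdid9WVY1BBbz/s61LsRb4
3ocaruGTLmiHzKo7XPYm2rriTEiRcL+jeFSReq4RU4qS1Bs9upYCIBim
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(der, pos):
    """Return (tag, header_len, content_len) of the DER element at pos.
    Only single-byte tags and definite lengths are handled (assumption)."""
    tag = der[pos]
    first = der[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")


def validity_encoding(der):
    """Locate tbsCertificate.validity; return [(offset, tag, value)] for notBefore/notAfter."""
    _, hl, _ = read_tlv(der, 0)                 # Certificate SEQUENCE
    pos = hl
    _, hl, _ = read_tlv(der, pos)               # tbsCertificate SEQUENCE
    pos += hl
    tag, hl, ln = read_tlv(der, pos)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        pos += hl + ln
    for _ in range(3):                          # serialNumber, signature, issuer
        _, hl, ln = read_tlv(der, pos)
        pos += hl + ln
    _, hl, _ = read_tlv(der, pos)               # validity SEQUENCE { notBefore, notAfter }
    pos += hl
    out = []
    for _ in range(2):
        tag, hl, ln = read_tlv(der, pos)
        out.append((pos, tag, der[pos + hl:pos + hl + ln].decode("ascii")))
        pos += hl + ln
    return out


def _year(tag, value):
    if tag == GENERALIZEDTIME:
        return int(value[:4])
    yy = int(value[:2])                         # RFC 5280 4.1.2.5.1: YY >= 50 is 19YY, else 20YY
    return 1900 + yy if yy >= 50 else 2000 + yy


def rfc5280_violations(der):
    """RFC 5280 4.1.2.5: dates through 2049 MUST be UTCTime, 2050 or later GeneralizedTime."""
    problems = []
    for field, (off, tag, value) in zip(("notBefore", "notAfter"), validity_encoding(der)):
        year = _year(tag, value)
        expected = UTCTIME if year < 2050 else GENERALIZEDTIME
        if tag != expected:
            problems.append("%s at offset %d: year %d encoded as %s, expected %s"
                            % (field, off, year, TAG_NAMES[tag], TAG_NAMES[expected]))
    return problems


def encode_time(dt):
    """DER-encode an aware datetime with the tag RFC 5280 requires for its year."""
    dt = dt.astimezone(timezone.utc)
    if dt.year < 2050:
        tag, body = UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii")       # 13 chars
    else:
        tag, body = GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")  # 15 chars
    return bytes([tag, len(body)]) + body


if __name__ == "__main__":
    der = pem_to_der(CA_PEM)
    for off, tag, value in validity_encoding(der):
        print("%d: %s :%s" % (off, TAG_NAMES.get(tag, hex(tag)), value))
    for problem in rfc5280_violations(der):
        print("violation:", problem)
    print(encode_time(datetime(2018, 12, 12, tzinfo=timezone.utc)))
```

Run against the pasted ca.crt, validity_encoding reports both dates as GENERALIZEDTIME at offsets 106 and 123 and rfc5280_violations lists both as non-conforming for years 2018 and 2019, which is the condition LibreSSL's stricter parser rejects; encode_time shows the 13-character UTCTime form a conforming issuer would have written for those dates.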
The last few days, my CI tests fail with a Segmentation fault (core dumped) error when trying to use django-x509. I noticed that the CI tests of django-x509 fail as well with the same error. I was able to track it down to the latest cryptography release.
Django-x509 requires pyopenssl, which requires cryptography. The latest release of cryptography 2.1.3 was published a few days ago. The changelog contains a single entry:
Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g.
I was able to work around the segmentation fault by pinning cryptography to 2.1.2. Perhaps django-x509 should also be pinning cryptography, until a proper fix is implemented that allows upgrading cryptography without segfaults.
Move to Github actions.
Hi,
It was working well for a long time. Suddenly the "OperationalError: no such column: django_x509_ca.organization" error came; I am not able to use the Ca and Cert tables. Even in the django admin page it shows the same error. Please help me with this.
Thanks.
Reserved for GCI
When importing a certificate or CA, a mistake in the PEM formatted fields will trigger a validation error, which will report internal pyopenssl messages which are not easy to understand.
Serial number may clash with an imported certificate.
We should add a way to catch this exception and generate a new serial number until an available serial number is found.
It's better to work on this issue after having solved #8.
Github is flagging the current pyopenssl version used as a potential security vulnerability.
As we did in the other repos, to be done after #87 is merged.
How to reproduce:
Expected result:
Actual result:
It's related to the Issue mentioned here openwisp/openwisp-controller#375.
It should be solved from here.
How to reproduce
?_to_field=id&_popup=1
in the url and refresh the page.
We should add a way to renew expired certificates, a model method and an admin action.
It should also be possible to renew a CA, which in turn should renew all the certificates related to it.
Renewing would mean generating a new x509 certificate and private key which replace the old ones.
When we will release the new version with swappable models, dependencies using this library will get an error and will come here to look what has been changed.
We should mention this and how to upgrade in the change log.
Let's release openwisp-utils 0.7.0 first and update the requirement files to support both 0.6 and 0.7 (to avoid conflict with other modules having older versions).
Then we can release django-x509 0.9.1.
What to do
How to do
django-x509 installation instructions from README.rst and compiled those instructions into Dockerfile.
How to verify it
docker build -t django_x509 .
Move the command line options in the runflake8 or runisort script to setup.cfg, which standardizes the qa checks of python modules of the OpenWISP Network Management System and makes them cleaner and easier to review.
What can be the reason of not loaded js in Admin panel? I was following the guide to extend model
I got a workaround to solve the problem with staticfiles
import os
import importlib.util

def pkg_static(pkg, static='static'):
    # resolve the on-disk "static" directory of an installed package
    return os.path.join(os.path.dirname(importlib.util.find_spec(pkg).origin), static)

...

STATICFILES_DIRS = [pkg_static('django_x509')]
Is there any smarter way to do that?
Update the cryptography library to allow the latest version, ensure tests pass and the main features work correctly.
I was playing with django-x509 before deciding to build a project on top of it. I've tried to import my existing CA in the admin panel (running on a docker image) but got no response. After a closer look I've found a PEM passphrase request for the CA. That was really surprising because I had to type it in the CLI (where logs were printed). Afterwards, the problem was solved. It's probably better to have a password field in the form and automatically pass it to verify the CA.
In short, I'm planning to import all my VPN clients into the app
Importing a certificate or ca with an invalid country code fails with a validation error.
Have to find a solution in order to keep compatibility with legacy systems.
I see a javascript error in the latest release with django 2.2.
Go to the CA or Certs form to see the error.
Note: Ensure django 2.2 is installed in your virtualenv, clear the cache (actually in google chrome or chromium you can go to the network tab in the developer console and check "disable cache") and repeat the process.
You should see a JS error.
We need to move the download crl_view to a mixin to allow reusability for the REST API of the PKI app in the openwisp-controller module.
django-x509/django_x509/base/admin.py, lines 135 to 143 in 43d810f
While installing other openwisp projects I've got
ERROR: django-x509 0.6.2 has requirement cryptography<2.9.0,>=2.4.0, but you'll have cryptography 2.9 which is incompatible.
Hi,
I'm testing django-x509 for my application. Upon creating a client certificate I noticed something strange regarding serial_number.
From database:
Serial number: 169979165402110668045607377783554886462
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:77:73:03:c1:e5:4a:5c:81:4f:58:20:6d:cf:bf:01
88:77:73:03:c1:e5:4a:5c:81:4f:58:20:6d:cf:bf:01 = 181395223527710912757353954506106191617 (which is also the result I get from crypto get_serial_number()).
So why isn't the serial number on the db entry and on the certificate itself the same?
/Kristian
The common_name field max_length should be 64, not 63. The common_name represents a hostname, and hostnames by various internet standard definitions have a maximum length of 64 characters.
This code (django-x509/django_x509/base/models.py, lines 206 to 217 in c5a5acd) generates two queries for creating a certificate and a CA.
I figured this out while working on openwisp/openwisp-controller#455.
I think this part could be optimized.
Creating a Ca/Cert with timezone support enabled results in a Django warning: "RuntimeWarning: DateTimeField Ca.validity_start received a naive datetime (2018-01-02 00:00:00) while time zone support is active. RuntimeWarning)"
This looked like a bug, so I checked the implementation and I find the comment quite unhelpful.
def default_validity_start():
    """
    sets validity_start field to 1 day before the current date
    (avoids "certificate not valid yet" edge case)
    intentionally returns naive datetime (not timezone aware)
    """
    ...
Well, I see that we return a naive date; that's what this 2-line function does. Re-using this code I'm wondering WHY we do this. My first reaction was "I'll fix it", but now I'm not sure what can of worms is hiding behind such a change.
The hipster punctuation doesn't help understanding the intent too.
Please, please, please clarify the function documentation providing hints for end-users regarding this behavior.
We need to update all the dependencies including update to django 3.0
The serial number implementation would be more robust as an alphanumeric string rather than a number.
A possible solution would be to use a uuid (universal unique identifier).
In some cases it may happen that by using the app normally the unique_together check will fail.
We should avoid this, will try to collect more information on how to reproduce the issue.
Add swappable models like we did in openwisp/openwisp-firmware-upgrader#9.
testing
We should add a jsonschema widget like the one added to the credentials admin of openwisp-controller to make easier to define the x509 extensions to be used.
Once #84 is merged, we should add a confirmation step to the admin action that renews the CA.
The page should say something like the following.
Are you sure you want to renew the CA {name} and {count} certificates related to it?
We need to improve the UX in the Ca and Cert admin, so that the difference between creating and importing CAs and Certs is clear without needing further explanation.
A CharField named operation_type (suggestions for better names are welcome) at the ModelForm level should be added; this field should use a select widget having 2 options:
With the default option, all the fields except the name should be hidden.
When "new" is selected, all the hidden fields except certificate and private_key will be shown.
When "import" is selected, of all the hidden fields only the fields certificate and private_key will be shown.
I'm trying to import an existing CA certificate, which generates an error:
File "/home/max/git/django-x509/django_x509/base/models.py", line 362, in _import
self.digest = SIGNATURE_MAPPING[algorithm]
KeyError: 'ecdsa-with-SHA384'
[13/Jun/2021 00:03:38] "POST /admin/django_x509/ca/add/ HTTP/1.1" 500 142363
Looking into the dict SIGNATURE_MAPPING in django_x509/base/models.py: are EC signatures and certificates/keys supported?
django-x509 should be upgraded to Django 2.0 because when I upgrade django-netjsonconfig to Django 2.0, I need a Django 2.0 version of django-x509.
All the OpenWISP 2 models have uuid based IDs except django-x509.
We need to have uuid based fields for django-x509 too, but since this app is also used by projects that are not related to openwisp, we could keep this feature optional.
Tasks:
- BaseUUID model which inherits BaseX509 and has a uuid field exactly as https://github.com/openwisp/openwisp-utils/blob/master/openwisp_utils/base.py#L13
- AbstractUUIDCa and AbstractUUIDCert, which inherit BaseUUID
- AbstractUUIDCa and AbstractUUIDCert work as expected (concrete models will have to be added as well)
I have discovered a really strange problem with django-x509. I have created a small demo application to trigger that problem:
https://github.com/hggh/certrest
If you want to create a certificate via the REST API, the cert itself is created in the database but the REST Framework throws an IntegrityError.
Steps:
This might be a dumb request, if so, feel free to just say so and close out this ticket.
Would it be possible for you to include pre-built images of django-x509 project within the openwisp hub.docker.com registry along with the other projects?
I ask because I'm using unraid, which doesn't support building within the UI, only pulling down existing images.
GCI task:
https://codein.withgoogle.com/dashboard/task-instances/6534612266254336/
I'll be doing this.
Google Chrome is apparently enforcing this extension; phasing it by version 65.
According to https://github.com/rpkilby/jsonfield2/ jsonfield2 has been merged back with jsonfield. The merge happened with the 3.0.0 release.
Hi,
Cryptography package has been bumped to 2.6.x, but pypi release of x509 still depends on <2.4.0. Is there any intention to update it?
I see that on master it is upgraded to >=2.4, <2.5, but that version is not in pypi.
The current maximum length of serial number in the x509 model is 39. The maximum value of an x509 serial number is 2^159, which is equal to 730750818665451459101842416358141509827966271488 and has a length of 48.
So while importing an existing ca, I got this validation error: Ensure this value has at most 39 characters (it has 48).
Add support for django 2.1.
Added commit message style check
Add support for django 2.2