
openwisp / django-x509 Goto Github PK


Reusable django app implementing x509 PKI certificates management

Home Page: http://openwisp.org

License: BSD 3-Clause "New" or "Revised" License

Python 95.20% Shell 0.61% CSS 0.67% HTML 2.05% JavaScript 1.29% Dockerfile 0.18%
x509 pki django certificate-authority certificate-revocation-lists crypto hacktoberfest

django-x509's People

Contributors

1871vinayak, aagmanbhatt, atb00ker, ayzhu, brainbuzzer, cking100, codesankalp, daffytheduck, dependabot[bot], devkapilbansal, dimrozakis, ezaquarii, hggh, isidentical, jchaloupka007, manishshah120, marfgold1, nagesh4193, nemesifier, nikitaermishin, niteshsinha17, noumbissivalere, pandafy, phyxkal, r9295, rtrajano, strang1ato, tb-rules10, wizanyx, yashikajotwani12


django-x509's Issues

Not conforming to RFC5280 - certificate use GENERALIZEDTIME for dates <2050

Generated certificate use GENERALIZEDTIME for dates <2050.

According to this RFC https://tools.ietf.org/html/rfc5280#section-4.1.2.5:

CAs conforming to this profile MUST always encode certificate
validity dates through the year 2049 as UTCTime; certificate validity
dates in 2050 or later MUST be encoded as GeneralizedTime.

Here is a test ca.crt generated with django-x509:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Here is a matching test cert.crt:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Verification using LibreSSL fails:

$ openssl verify -CAfile ca.crt cert.crt
cert.crt: emailAddress = [email protected], CN = server-ca
error 13 at 1 depth lookup:format error in certificate's notBefore field
emailAddress = [email protected], CN = server-ca
error 13 at 1 depth lookup:format error in certificate's notBefore field
emailAddress = [email protected], CN = server-ca
error 13 at 1 depth lookup:format error in certificate's notBefore field

That is because LibreSSL has an intentionally stricter parser and the
CA uses GENERALIZEDTIME:

$ openssl asn1parse -in ca.crt | grep TIME
  106:d=3  hl=2 l=  15 prim: GENERALIZEDTIME   :20181212000000Z
  123:d=3  hl=2 l=  15 prim: GENERALIZEDTIME   :20191213000000Z
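The encoding rule in the issue above can be checked without OpenSSL. The following is an added example, not django-x509 code: a minimal standard-library DER reader walks Certificate -> tbsCertificate -> validity and reports which tag each date uses, and encode_validity_time() produces the encoding RFC 5280 section 4.1.2.5 requires (UTCTime through 2049, GeneralizedTime from 2050 on). The certificate fed to it is a constructed, unsigned skeleton with placeholder issuer and signature fields, built only to carry the same validity dates as the asn1parse output; a real input would be the DER bytes of a .crt with the PEM armour base64-decoded first.

```python
"""RFC 5280 validity-date encoding check and encoder (added example, stdlib only)."""
from datetime import datetime, timezone

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30
TAG_UTCTIME = 0x17
TAG_GENERALIZEDTIME = 0x18
TAG_EXPLICIT_0 = 0xA0  # [0] EXPLICIT version inside tbsCertificate
TAG_NAMES = {TAG_UTCTIME: "UTCTime", TAG_GENERALIZEDTIME: "GeneralizedTime"}

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(sequence_value):
    """Yield (tag, value) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(sequence_value):
        tag, value, pos = read_tlv(sequence_value, pos)
        yield tag, value

def required_tag(year):
    """RFC 5280 4.1.2.5: through 2049 UTCTime, 2050 and later GeneralizedTime."""
    return TAG_UTCTIME if year <= 2049 else TAG_GENERALIZEDTIME

def decode_time(tag, value):
    """Parse a UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) body."""
    text = value.decode("ascii")
    if tag == TAG_UTCTIME:
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]  # RFC 5280 pivot
    elif tag == TAG_GENERALIZEDTIME:
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("not a time tag: 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):  # no fractions, no UTC offsets
        raise ValueError("malformed time: %r" % text)
    fields = [int(rest[i:i + 2]) for i in range(0, 10, 2)]  # month, day, h, m, s
    return datetime(year, *fields, tzinfo=timezone.utc)

def check_validity_encoding(cert_der):
    """Report the tag used for notBefore/notAfter and whether it conforms."""
    _, certificate, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(certificate)
    fields = list(children(tbs))
    if fields[0][0] == TAG_EXPLICIT_0:  # version is optional; skip it when present
        fields = fields[1:]
    validity = fields[3][1]  # serialNumber, signature, issuer, validity
    report = {}
    for name, (tag, value) in zip(("notBefore", "notAfter"), children(validity)):
        when = decode_time(tag, value)
        report[name] = {"encoding": TAG_NAMES[tag], "time": when,
                        "conforms": tag == required_tag(when.year)}
    return report

def encode_validity_time(when):
    """DER-encode an aware datetime the way a conforming CA must."""
    when = when.astimezone(timezone.utc)
    if when.year < 1950:
        raise ValueError("UTCTime cannot represent years before 1950")
    if when.year <= 2049:
        tag, body = TAG_UTCTIME, when.strftime("%y%m%d%H%M%SZ").encode()
    else:
        tag, body = TAG_GENERALIZEDTIME, when.strftime("%Y%m%d%H%M%SZ").encode()
    return bytes([tag, len(body)]) + body

def tlv(tag, payload):
    """DER tag-length-value, short or long form length as needed."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def build_sample_certificate(not_before, not_after):
    """Constructed, unsigned skeleton: only the validity field is meaningful."""
    tbs = (tlv(TAG_EXPLICIT_0, tlv(TAG_INTEGER, b"\x02"))  # version v3
           + tlv(TAG_INTEGER, b"\x01")                      # serialNumber
           + tlv(TAG_SEQUENCE, b"")                         # signature (placeholder)
           + tlv(TAG_SEQUENCE, b"")                         # issuer (placeholder)
           + tlv(TAG_SEQUENCE, not_before + not_after))     # validity
    return tlv(TAG_SEQUENCE, tlv(TAG_SEQUENCE, tbs) + tlv(TAG_SEQUENCE, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    # Same dates as the asn1parse output above, encoded the non-conforming way.
    bad = build_sample_certificate(tlv(TAG_GENERALIZEDTIME, b"20181212000000Z"),
                                   tlv(TAG_GENERALIZEDTIME, b"20191213000000Z"))
    for name, entry in check_validity_encoding(bad).items():
        verdict = "conforms" if entry["conforms"] else "NON-CONFORMING"
        print(name, entry["encoding"], entry["time"].isoformat(), verdict)
```

Running it on the skeleton reports both dates as GeneralizedTime and non-conforming, which is the condition LibreSSL rejects; re-encoding the decoded datetimes with encode_validity_time() yields the UTCTime form a 2018 or 2019 date must use.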

Segmentation fault

The last few days, my CI tests fail with a Segmentation fault (core dumped) error when trying to use django-x509. I noticed that the CI tests of django-x509 fail as well with the same error. I was able to track it down to the latest cryptography release.

Django-x509 requires pyopenssl, which requires cryptography. The latest release of cryptography 2.1.3 was published a few days ago. The changelog contains a single entry:

Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g.

I was able to work around the segmentation fault by pinning cryptography to 2.1.2. Perhaps django-x509 should also be pinning cryptography, until a proper fix is implemented that allows upgrading cryptography without segfaults.

OperationalError: no such column: django_x509_ca.organization

Hi ,

It was working well for a long time. Suddenly the error "OperationalError: no such column: django_x509_ca.organization" came up, and I am not able to use the Ca and Cert tables. Even the django admin page shows the same error. Please help me with this.
Thanks.

Serial number clash causes uncaught exception

Serial number may clash with an imported certificate.

We should add a way to catch this exception and generate a new serial number until an available serial number is found.

It's better to work on this issue after having solved #8.

[pki] Add possibility of renewing certificates

We should add a way to renew expired certificates, a model method and an admin action.

It should also be possible to renew a CA, which in turn should renew all the certificates related to it.

Renewing would mean generating a new x509 certificate and private key which replace the old ones.

[docs] Mention how to upgrade to swappable

When we release the new version with swappable models, dependencies using this library will get an error and will come here to look at what has changed.

We should mention this and how to upgrade in the change log.

Add a Dockerfile to build from source

What to do

  • Create a Dockerfile so that users can create a virtual environment on Mac, Linux or Windows with ease and build it in a repeatable way.

How to do

  • Follow the django-x509 installation instructions from README.rst and compile those instructions into a Dockerfile.

How to verify it

  • Clone the PR and do a docker build -t django_x509 .

[qa] Cleanup isort and flake8 settings

Move the command line options in the runflake8 or runisort script to setup.cfg, which standardizes the qa check of python modules of the OpenWISP Network Management System and makes it cleaner and easier to review.

Static files are not loaded

What can be the reason for the JS not being loaded in the Admin panel? I was following the guide to extend the model.

I got a workaround to solve the problem with staticfiles

import os
import importlib.util


def pkg_static(pkg, static='static'):
    # resolve the on-disk location of the installed package and point at its static/ directory
    return os.path.join(os.path.dirname(importlib.util.find_spec(pkg).origin), static)

...


STATICFILES_DIRS = [pkg_static('django_x509')]

Is there any smarter way to do that?

Importing new CA with passphrase causes server to hang while passphrase is asked in console

I was playing with django-x509 before deciding to build a project on top of it. I tried to import my existing CA in the admin panel (running on the docker image) but got no response. After a closer look I found a PEM passphrase request for the CA. That was really surprising because I had to type it in the CLI (where logs were printed). Afterwards, the problem was solved. It's probably better to have a password field in the form and automatically pass it to verify the CA.

In short, I'm planning to import all my VPN clients into the app

Importing invalid country code fails

Importing a certificate or CA with an invalid country code fails with a validation error.

Have to find a solution in order to keep compatibility with legacy systems.

[bug] Fix JavaScript error on django 2.2

I see a javascript error in the latest release with django 2.2.

Go to the CA or Certs form to see the error.

Note: Ensure django 2.2 is installed in your virtualenv and clear the cache (in google chrome or chromium you can go to the network tab in the developer console and check "disable cache"), then repeat the process.

You should see a JS error.

[refactor] Convert download `crl_view` to mixin

We need to move the download crl_view to a mixin to allow reusability for REST API of PKI app in openwisp-controller module.

def crl_view(self, request, pk):
    authenticated = request.user.is_authenticated
    authenticated = authenticated() if callable(authenticated) else authenticated
    if app_settings.CRL_PROTECTED and not authenticated:
        return HttpResponse(_('Forbidden'), status=403, content_type='text/plain')
    instance = get_object_or_404(self.model, pk=pk)
    return HttpResponse(
        instance.crl, status=200, content_type='application/x-pem-file'
    )

Update cryptography dependency

While installing other openwisp projects I've got

ERROR: django-x509 0.6.2 has requirement cryptography<2.9.0,>=2.4.0, but you'll have cryptography 2.9 which is incompatible.

Serial number mismatch?

Hi,

I'm testing django-x509 for my application. Upon creating client certificate I noticed something strange regarding serial_number.

From database:
Serial number: 169979165402110668045607377783554886462
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
88:77:73:03:c1:e5:4a:5c:81:4f:58:20:6d:cf:bf:01

88:77:73:03:c1:e5:4a:5c:81:4f:58:20:6d:cf:bf:01 = 181395223527710912757353954506106191617 (which is also the result I get from crypto's get_serial_number()).

So why isn't the serial number on the db entry and the certificate itself the same?

/Kristian

[models] common_name max_length should be 64

The common_name field max_length should be 64, not 63. The common_name represents a hostname, and hostnames by various internet standard definitions have a maximum length of 64 characters.

[bug] CA/Cert creation generates 2 SQL write queries instead of 1

This code:

def save(self, *args, **kwargs):
    generate = False
    if not self.pk and not self.certificate and not self.private_key:
        generate = True
    super().save(*args, **kwargs)
    if generate:
        # automatically determine serial number
        if not self.serial_number:
            self.serial_number = self._generate_serial_number()
        self._generate()
        kwargs['force_insert'] = False
        super().save(*args, **kwargs)

Generates two queries for creating a certificate and a CA.

I figured this out while working on openwisp/openwisp-controller#455.

I think this part could be optimized.

default_validity_start and default_ca_validity_end documentation is confusing

Creating a Ca/Cert with timezone support enabled results in a Django warning: "RuntimeWarning: DateTimeField Ca.validity_start received a naive datetime (2018-01-02 00:00:00) while time zone support is active."

This looked like a bug, so I checked the implementation and I found the comment quite unhelpful.
def default_validity_start():
    """
    sets validity_start field to 1 day before the current date
    (avoids "certificate not valid yet" edge case)
    intentionally returns naive datetime (not timezone aware)
    """
   ...

Well, I see that we return naive date, that's what this 2-line function does. Re-using this code I'm wondering WHY we do this. My first reaction was "i'll fix it", but now I'm not sure what can of worms is hiding behind such change.

The hipster punctuation doesn't help in understanding the intent either.

Please, please, please clarify the function documentation providing hints for end-users regarding this behavior.

Serial number should be an alphanumeric code

The serial number implementation would be more robust as an alphanumeric string rather than a number.

A possible solution would be to use a uuid (universal unique identifier).

[admin] Add confirmation step for renew CA action

Once #84 is merged, we should add a confirmation step to the admin action that renews the CA.

The page should say something like the following.

Are you sure you want to renew the CA {name} and {count} certificates related to it?

[UX] New vs import javascript switcher (hide/show different fields)

We need to improve the UX in the Ca and Cert admin, so that the difference between creating and importing CAs and Certs is clear without needing further explanation.

A CharField named operation_type (suggestions for better names are welcome) at the ModelForm level should be added, this field should use a select widget having 2 options:

  1. (empty string, default)
  2. new
  3. import

Case 1: empty

With the default option, all the fields except the name should be hidden.

Case 2: new

When "new" is selected, all the hidden fields except certificate and private_key will be shown.

Case 3: import

When "import" is selected, of all the hidden fields only the fields certificate and private_key will be shown.

[feature] Importing existing CA: KeyError: 'ecdsa-with-SHA384'

I'm trying to import an existing CA certificate, which generates an error:

  File "/home/max/git/django-x509/django_x509/base/models.py", line 362, in _import
    self.digest = SIGNATURE_MAPPING[algorithm]
KeyError: 'ecdsa-with-SHA384'
[13/Jun/2021 00:03:38] "POST /admin/django_x509/ca/add/ HTTP/1.1" 500 142363

Looking into django_x509/base/models.py dict SIGNATURE_MAPPING: are EC signatures and certificates/keys supported?

[qa] Upgrade to Django 2.0

django-x509 should be upgraded to Django 2.0 because when I upgrade django-netjsonconfig to Django 2.0, I need a django-x509 version that supports Django 2.0.

Add optional UUID based base models

All the OpenWISP 2 models have uuid based IDs except django-x509.

We need to have uuid based fields for django-x509 too, but since this app is also used by projects that are not related to openwisp, we could keep this feature optional.

Tasks:

x509 module with Rest Framework: UNIQUE constraint failed

I have discovered a really strange problem with django-x509. I have created a small demo application to trigger that problem:

https://github.com/hggh/certrest

If you want to create a certificate via the REST API, the cert itself is created in the database but the REST Framework throws an IntegrityError.

Steps:

  1. git clone https://github.com/hggh/certrest
  2. pip install -r requirements.txt
  3. ./manage migrate
  4. ./manage createsuperuser
  5. create a new CA inside the admin: http://127.0.0.1:8000/admin/certs/ca/add/
  6. http://127.0.0.1:8000/certs/certs/
  7. create a new certificate with the default CreateView in Django: http://127.0.0.1:8000/certs/certs/create/
    7.1 this works great: the certificate is created and will be shown inside the Listview
  8. Goto the REST Framework: http://127.0.0.1:8000/certs/api/cert/
  9. create a new certificate within the REST Framework View
  10. click on "POST"
  11. Django throws: "UNIQUE constraint failed: certs_cert.id"

[feature] Include in docker registry?

This might be a dumb request, if so, feel free to just say so and close out this ticket.

Would it be possible for you to include pre-built images of django-x509 project within the openwisp hub.docker.com registry along with the other projects?

I ask because I'm using unraid, which doesn't support building within the UI, only pulling down existing images.

Outdated cryptography 2.3.1

Hi,

Cryptography package has been bumped to 2.6.x, but pypi release of x509 still depends on <2.4.0. Is there any intention to update it?

I see that on master it is upgraded to >=2.4, <2.5, but that version is not in pypi.

Maximum length of x509 serial number is incorrect

The current maximum length of the serial number in the x509 model is 39. The maximum value of an x509 serial number is 2^159, which is equal to 730750818665451459101842416358141509827966271488 and has a length of 48.
So while importing an existing CA, I got this validation error: Ensure this value has at most 39 characters (it has 48).
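Three of the issues on this page are about the same field: a serial may clash with an imported certificate ("Serial number clash causes uncaught exception"), the database integer and the colon-separated hex that openssl prints are easy to compare wrongly ("Serial number mismatch?"), and the column must be wide enough for the largest legal value (this issue). The helpers below are an added example, not django-x509 code, and use only the standard library. They rest on RFC 5280 section 4.1.2.2, which requires serialNumber to be a positive integer that DER-encodes in at most 20 octets; because DER INTEGER carries a sign bit, the largest such value is 2**159 - 1, and its decimal form is 48 digits long.

```python
"""Serial-number helpers for an X.509 PKI (added example, stdlib only)."""
import secrets

# Largest positive integer whose DER INTEGER encoding fits in 20 octets (RFC 5280 4.1.2.2).
MAX_SERIAL = 2**159 - 1

def colon_hex_to_int(text):
    """'88:77:73:03' (openssl x509 -text form) -> 0x88777303; whitespace is ignored."""
    return int(text.replace(":", "").replace(" ", ""), 16)

def int_to_colon_hex(value):
    """Inverse of colon_hex_to_int: big-endian bytes, two lowercase hex digits each."""
    if value < 0:
        raise ValueError("serial numbers are positive")
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return ":".join("%02x" % b for b in raw)

def max_serial_decimal_length():
    """Width a decimal text column needs to hold any legal serial number."""
    return len(str(MAX_SERIAL))

def is_valid_serial(value):
    """RFC 5280: positive, and no more than 20 DER octets."""
    return 0 < value <= MAX_SERIAL

def random_serial():
    """Uniform random serial in [1, MAX_SERIAL]; never zero, never over 20 octets."""
    return secrets.randbelow(MAX_SERIAL) + 1

def allocate_unique_serial(taken, max_attempts=16, draw=random_serial):
    """Draw serials until one is not in `taken` (a set of already-used integers,
    e.g. from imported certificates); the chosen value is added to `taken`.
    `draw` is injectable so the retry path can be exercised deterministically."""
    for _ in range(max_attempts):
        candidate = draw()
        if is_valid_serial(candidate) and candidate not in taken:
            taken.add(candidate)
            return candidate
    raise RuntimeError("no free serial number after %d attempts" % max_attempts)

if __name__ == "__main__":
    # Values quoted in the "Serial number mismatch?" issue above, for side-by-side comparison.
    from_cert = colon_hex_to_int("88:77:73:03:c1:e5:4a:5c:81:4f:58:20:6d:cf:bf:01")
    from_db = 169979165402110668045607377783554886462
    print("certificate:", from_cert)
    print("database:   ", from_db)
    print("same value:", from_cert == from_db)
    print("decimal column width needed:", max_serial_decimal_length())
```

Converting the hex before comparing is the point of the middle helper: a colon-hex string and a decimal integer that look unrelated may or may not be the same number, and only the integer comparison settles it. The allocation loop is the fix the clash issue asks for: draw, check against the set of known serials, and retry rather than let the uniqueness violation surface as an uncaught exception.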
