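# Create the CA Key and Certificate for signing Client Certs.
# The CA certificate must be written to ca.crt: every signing step below
# reads "-CA ca.crt". (Writing it to client.crt left ca.crt missing and the
# CA cert was then overwritten by the client cert at the end.)
# No -nodes here, so ca.key is passphrase-protected; keep it off the API host
# and use it only to sign CSRs.
openssl req -new -x509 -days 3650 -newkey rsa:4096 -out ca.crt -keyout ca.key

# Create the Server Key, CSR, and Certificate.
# -nodes leaves server.key unencrypted so the server can start unattended;
# protect it with filesystem permissions instead.
openssl req -new -newkey rsa:4096 -nodes -out server.csr -keyout server.key

# We're self signing our own server cert here. This is a no-no in production.
# -set_serial 01 hard-codes the serial; serials must be unique per issuing CA,
# so do not re-run this with the same CA without changing it.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR (no -nodes: client.key is passphrase-protected).
openssl req -new -newkey rsa:4096 -out client.csr -keyout client.key

# Sign the client certificate with our CA cert. Unlike signing our own server
# cert, this is what we want to do.
# The serial is a random 128-bit value (uuid4 hex). The API stores the same
# value in Certificate.serial and looks the presented certificate up by it,
# so it has to be unique per issued certificate.
serial="0x$(python -c "import uuid; print(uuid.uuid4().hex)")"
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial "${serial}" -out client.crt

# Verify the client certificate (serial, subject and validity window only)
openssl x509 -serial -subject -startdate -enddate -noout -in client.crt
# Or, the full decoded certificate
openssl x509 -text -noout -in client.crt
# Or, check that it actually chains to the CA
openssl verify -CAfile ca.crt client.crt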
# -*- coding: utf-8 -*- | |
from django.db import models | |
from django.contrib.sites.models import Site | |
from django.utils.translation import ugettext_lazy as _ | |
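class Certificate(models.Model):
    """Client x509 certificate that is allowed to contact the API.

    One row per issued client certificate. The request-checking code looks a
    row up by ``serial`` (the serial the TLS-terminating proxy reports for
    the presented certificate); ``dn`` is kept for display and auditing.
    """
    # Subject Distinguished Name of the certificate (display / audit only,
    # not used for matching).
    dn = models.TextField(_('Distinguished Name'))
    # Certificate serial number, unique so that one row maps to exactly one
    # issued certificate. Declared once: the earlier bare ``UUIDField``
    # duplicate was an undefined name (NameError at import time).
    serial = models.UUIDField(unique=True)
    # No auto_now/auto_now_add: both timestamps are set by the caller.
    created_at = models.DateTimeField()
    expire_at = models.DateTimeField()

    def __unicode__(self):
        # Python 2 text representation; shown in the admin and shell.
        return u'%s' % self.dn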
# Module-level switch: when False, raise_for_certificate() returns without
# looking at the client certificate at all. Leave it True in any deployment
# that relies on client certificates for access control.
CERTIFICATE_IS_MANDATORY = True
class CertificateError(Exception):
    """Raised when the request's client certificate cannot be accepted."""
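def raise_for_certificate(self, environ):
    """Raise CertificateError unless the request carries a known client cert.

    Reads the client-certificate verification result and serial that the
    TLS-terminating proxy forwards in the WSGI environ
    (``HTTP_SSL_CLIENT_VERIFY`` / ``HTTP_SSL_CLIENT_SERIAL``) and looks the
    serial up in ``self.certificates``.

    Args:
        environ: WSGI environ of the incoming request.

    Returns:
        None when CERTIFICATE_IS_MANDATORY is False or the serial matches a
        known certificate.

    Raises:
        CertificateError: the proxy did not report a successful verification,
            the serial is missing or not a valid UUID, or no certificate row
            matches it.
    """
    if not CERTIFICATE_IS_MANDATORY:
        return None
    # HTTP_* environ keys are plain request headers. The proxy in front must
    # set (and overwrite) SSL-Client-Verify / SSL-Client-Serial itself,
    # otherwise a caller could supply these values directly.
    # .get() treats a missing header as "not verified" instead of raising a
    # KeyError outside the try below. (The original tested the presence of
    # HTTP_SSL_VERIFY but read HTTP_SSL_CLIENT_VERIFY; only the latter is
    # used here.)
    if environ.get('HTTP_SSL_CLIENT_VERIFY') != 'SUCCESS':
        raise CertificateError('SSL certificate invalid.')
    try:
        # UUID() normalises the proxy's hex serial; the dash-less form is
        # what Certificate.serial is compared against.
        serial = UUID(environ['HTTP_SSL_CLIENT_SERIAL'])
        self.certificates.get(serial=str(serial).replace('-', ''))
    except Certificate.DoesNotExist:
        message = 'Access not allowed for this certificate.'
    except (ValueError, KeyError):
        message = 'Certificat serial is not a valid UUID.'
    else:
        # NOTE(review): the matched row's expire_at is not consulted here;
        # expiry/revocation is left to the proxy's verification -- confirm.
        return None
    raise CertificateError(message)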