Add mdmcert.download code

jessepeterson · jessepeterson · commit 78ca64f65137 · 2016-07-03T15:21:59.000-07:00
diff --git a/commandment/app.py b/commandment/app.py
@@ -6,12 +6,14 @@
 from flask import Flask
 from .mdm import mdm_app
 from .admin import admin_app
+from .mdmcert import admin_mdmcert_app
 
 def create_app():
     app = Flask(__name__)
 
     app.register_blueprint(mdm_app)
     app.register_blueprint(admin_app, url_prefix='/admin')
+    app.register_blueprint(admin_mdmcert_app, url_prefix='/admin/mdmcert')
 
     from .database import db_session
 
diff --git a/commandment/mdmcert.py b/commandment/mdmcert.py
@@ -0,0 +1,138 @@
+'''
+Copyright (c) 2015 Jesse Peterson
+Licensed under the MIT license. See the included LICENSE.txt file for details.
+'''
+
+from flask import Blueprint, Response, render_template, request, make_response
+from flask import redirect
+# Response, request, current_app, abort, make_response
+from .pki.ca import get_ca, PushCertificate
+from .pki.x509 import CertificateRequest
+from .models import (Certificate as DBCertificate,
+                     PrivateKey as DBPrivateKey,
+                     CertificateRequest as DBCertificateRequest)
+from .database import db_session
+import json
+from base64 import b64encode
+import urllib2
+from M2Crypto import BIO, SMIME, X509, m2
+import datetime
+
+MDMCERT_REQ_URL = 'https://mdmcert.download/api/v1/signrequest'
+
+# PLEASE! Do not take this key and use it for another product/project. It's
+# only for Commandment's use. If you'd like to get your own (free!) key
+# contact the mdmcert.download administrators and get your own key for your
+# own project/product.  We're trying to keep statistics on which products are
+# requesting certs (per Apple T&C). Don't force Apple's hand and
+# ruin it for everyone!
+MDMCERT_API_KEY = 'b742461ff981756ca3f924f02db5a12e1f6639a9109db047ead1814aafc058dd'
+
+CERT_REQ_TYPE = 'mdmcert.pushcert'
+
+def submit_mdmcert_request(email, pem_csr, pem_enc):
+    mdmcert_dict = {
+        'csr': b64encode(pem_csr),
+        'email': email,
+        'key': MDMCERT_API_KEY,
+        'encrypt': b64encode(pem_enc),
+    }
+
+    req = urllib2.Request(
+        MDMCERT_REQ_URL,
+        json.dumps(mdmcert_dict),
+        {'Content-Type': 'application/json',
+         'User-Agent': 'coMmanDMent/0.1'})
+
+    f = urllib2.urlopen(req)
+    resp = f.read()
+    f.close()
+
+    return json.loads(resp)
+
+
+class FixedLocationResponse(Response):
+    # override Werkzeug default behaviour of "fixing up" once-non-compliant
+    # relative location headers. now permitted in rfc7231 sect. 7.1.2
+    autocorrect_location_header = False
+
+admin_mdmcert_app = Blueprint('admin_mdmcert_app', __name__)
+
+@admin_mdmcert_app.route('/')
+def index():
+    return render_template('admin/mdmcert/new.html')
+
+@admin_mdmcert_app.route('/submit', methods=['POST'])
+def submit():
+    mdm_ca = get_ca()
+
+    csr, csr_pk = CertificateRequest.with_new_private_key(CN='mdmcert.download')
+
+    db_csr = DBCertificateRequest.from_x509(csr, CERT_REQ_TYPE)
+    db_pk = DBPrivateKey.from_x509(csr_pk)
+
+    db_pk.certificate_requests.append(db_csr)
+
+    db_session.add(db_csr)
+    db_session.add(db_pk)
+
+    db_session.commit()
+
+    email = request.form.get('email')
+
+    res = submit_mdmcert_request(email, csr.to_pem(), mdm_ca.get_cacert().to_pem())
+    print res.get('result')
+    if res.get('result') != 'success':
+        return 'Error! ' + res.get('reason', '')
+
+    return 'Submitted!'
+
+from binascii import unhexlify
+
+@admin_mdmcert_app.route('/upload_encr', methods=['POST'])
+def upload_encr():
+    mdm_ca = get_ca()
+
+    upl_encrypt = unhexlify(request.files['upload_encr_file'].stream.read())
+
+    s = SMIME.SMIME()
+
+    bio = BIO.MemoryBuffer(upl_encrypt)
+
+    s.load_key_bio(
+        BIO.MemoryBuffer(mdm_ca.get_private_key().to_pem()),
+        BIO.MemoryBuffer(mdm_ca.get_cacert().to_pem()))
+
+    p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(bio._ptr()))
+
+    out = s.decrypt(p7)
+
+    response = make_response(out)
+    response.headers['Content-Type'] = 'application/octet-stream'
+    response.headers['Content-Disposition'] = 'attachment; filename=mdm_signed_request.%s.plist.b64' % datetime.datetime.now().strftime('%Y%m%d_%H%M%S')
+    return response
+
+@admin_mdmcert_app.route('/upload_cert', methods=['POST'])
+def upload_cert():
+    pcert = PushCertificate.from_pem(request.files['upload_cert_file'].stream.read())
+
+    cert_modulus = pcert._get_pubkey().get_modulus()
+
+    q = db_session.query(DBCertificateRequest).filter(DBCertificateRequest.req_type == CERT_REQ_TYPE)
+    for cr in q:
+        req = cr.to_x509()
+        if req._get_pubkey().get_modulus() == cert_modulus:
+            db_cert = DBCertificate.from_x509(pcert, 'mdm.pushcert')
+
+            db_pk = cr.privatekeys[0]
+
+            db_pk.certificates.append(db_cert)
+
+            db_session.add(db_cert)
+
+            db_session.commit()
+
+            return redirect('/admin/certificates', Response=FixedLocationResponse)
+
+
+    return 'no matching CSR found'
diff --git a/commandment/models.py b/commandment/models.py
@@ -11,7 +11,9 @@
 from .database import JSONEncodedDict, Base, or_, and_
 from profiles.mdm import MDM_AR__ALL
 
-from .pki.x509 import (Certificate as X509Certificate, PrivateKey as X509PrivateKey)
+from .pki.x509 import (Certificate as X509Certificate,
+                       PrivateKey as X509PrivateKey,
+                       CertificateRequest as X509CertificateRequest)
 
 CERT_TYPES = {
     'mdm.pushcert': {
@@ -45,13 +47,19 @@
     Column('privatekey_id', Integer, ForeignKey('rsa_private_key.id')),
 )
 
+certreq_private_key_assoc = Table('certreq_private_key', Base.metadata,
+    Column('certreq_id', Integer, ForeignKey('certificate_request.id')),
+    Column('privatekey_id', Integer, ForeignKey('rsa_private_key.id')),
+)
+
 class PrivateKey(Base):
     __tablename__ = 'rsa_private_key'
 
     id = Column(Integer, primary_key=True)
     pem_key = Column(Text, nullable=False)
 
     certificates = relationship('Certificate', secondary=certificate_private_key_assoc, backref='privatekeys')
+    certificate_requests = relationship('CertificateRequest', secondary=certreq_private_key_assoc, backref='privatekeys')
 
     def to_x509(self, key_type=X509PrivateKey):
         return key_type.from_pem(self.pem_key)
@@ -70,10 +78,16 @@ class CertificateRequest(Base):
     subject = Column(Text, nullable=True)
     pem_request = Column(Text, nullable=False)
 
-certreq_private_key_assoc = Table('certreq_private_key', Base.metadata,
-    Column('certreq_id', Integer, ForeignKey('certificate_request.id')),
-    Column('privatekey_id', Integer, ForeignKey('rsa_private_key.id')),
-)
+    def to_x509(self, request_type=X509CertificateRequest):
+        return request_type.from_pem(self.pem_request)
+
+    @classmethod
+    def from_x509(cls, req, req_type):
+        newcls = cls()
+        newcls.subject = req.get_subject_text()
+        newcls.req_type = req_type
+        newcls.pem_request = req.to_pem()
+        return newcls
 
 class Certificate(Base):
     __tablename__ = 'certificate'
diff --git a/commandment/pki/x509.py b/commandment/pki/x509.py
@@ -86,6 +86,13 @@ def from_der(cls, data):
         assert newcls._req.verify(newcls._req.get_pubkey()) == 1
         return newcls
 
+    @classmethod
+    def from_pem(cls, data):
+        newcls = cls.__new__(cls)
+        newcls._req = X509.load_request_string(str(data), format=X509.FORMAT_PEM)
+        assert newcls._req.verify(newcls._req.get_pubkey()) == 1
+        return newcls
+
     def to_pem(self):
         return self._req.as_pem()
 
@@ -114,6 +121,9 @@ def get_pubkey_fingerprint(self, digest=None):
     def _m2_req(self):
         return self._req
 
+    def get_subject_text(self):
+        return self._get_subject().as_text()
+
 class CertificatePolicy(object):
     ca = False
 
diff --git a/commandment/templates/admin/certificates/index.html b/commandment/templates/admin/certificates/index.html
@@ -4,9 +4,10 @@
 
 <h1>Admin - Certificates</h1>
 
-<p>
-<a href="/admin/certificates/new">[ Generate New ]</a>
-</p>
+<ul>
+<li><a href="/admin/certificates/new">[ Generate New ]</a></li>
+<li><a href="/admin/mdmcert/">[ Generate New mdmcert.download Request ]</a></li>
+</ul>
 
 <table border="1">
 
diff --git a/commandment/templates/admin/mdmcert/new.html b/commandment/templates/admin/mdmcert/new.html
@@ -0,0 +1,46 @@
+{% set section = 'cert' %}
+{% extends "admin/layout.html" %}
+{% block content %}
+
+<a href="https://mdmcert.download/instructions">See instructions here</a>
+
+<h1>
+	(Step 5) Generate New mdmcert.download Request
+</h1>
+
+<form id="new" action="submit" method="POST">
+
+<p>Make sure you've <em>already</em> registered on the <a href="https://mdmcert.download/">mdmcert.download</a> site!</p>
+<br>
+<label for="email">Email address</label>
+<input type="input" name="email" id="email" form="new">
+<button type="submit" form="new" value="Submit">Submit</button>
+
+</form>
+
+<h1>
+	(Step 7) Upload MDM Push Cert from Identity.Apple.com
+</h1>
+<form id="upload_encr" action="upload_encr" method="POST" enctype="multipart/form-data">
+
+<label for="upload_encr_widget">mdmcert Encrypted Cert Req (from email) - *.plist.b64.p7 file</label>
+<input type="file" id="upload_encr_widget" form="upload_encr" name="upload_encr_file">
+
+<button type="submit" form="upload_encr" value="Submit">Upload Encrypted Request</button>
+
+</form>
+
+
+<h1>
+	(Step 9) Upload MDM Push Cert from Identity.Apple.com
+</h1>
+<form id="upload_cert" action="upload_cert" method="POST" enctype="multipart/form-data">
+
+<label for="upload_cert_widget">mdmcert Push Certificate (from identity.apple.com)</label>
+<input type="file" form="upload_cert" id="upload_cert_widget" name="upload_cert_file">
+
+<button type="submit" form="upload_cert" value="Submit">Upload Push Cert</button>
+
+</form>
+
+{% endblock %}
