Simple reusable django app implementing x509 PKI certificates management.
Want to help OpenWISP? Find out how to help us grow here.
Table of Contents:
- Current features
- Project goals
- Dependencies
- Install stable version from pypi
- Install development version
- Setup (integrate in an existing django project)
- Installing for development
- Install and run on docker
- Settings
DJANGO_X509_DEFAULT_CERT_VALIDITY
DJANGO_X509_DEFAULT_CA_VALIDITY
DJANGO_X509_DEFAULT_KEY_LENGTH
DJANGO_X509_DEFAULT_DIGEST_ALGORITHM
DJANGO_X509_CA_BASIC_CONSTRAINTS_CRITICAL
DJANGO_X509_CA_BASIC_CONSTRAINTS_PATHLEN
DJANGO_X509_CA_KEYUSAGE_CRITICAL
DJANGO_X509_CA_KEYUSAGE_VALUE
DJANGO_X509_CERT_KEYUSAGE_CRITICAL
DJANGO_X509_CERT_KEYUSAGE_VALUE
DJANGO_X509_CRL_PROTECTED
- Extending django-x509
- 1. Initialize your custom module
- 2. Install
django-x509
&openwisp-utils
- 3. Add
EXTENDED_APPS
- 4. Add
openwisp_utils.staticfiles.DependencyFinder
- 5. Add
openwisp_utils.loaders.DependencyLoader
- 6. Inherit the AppConfig class
- 7. Create your custom models
- 8. Add swapper configurations
- 9. Create database migrations
- 10. Create the admin
- 11. Create root URL configuration
- 12. Import the automated tests
- Contributing
- Support
- Changelog
- License
- CA generation
- Import existing CAs
- End entity certificate generation
- Import existing certificates
- Certificate revocation
- CRL view (public or protected)
- Possibility to specify x509 extensions on each certificate
- Random serial numbers based on uuid4 integers (see why is this a good idea)
- Possibility to generate and import passphrase protected x509 certificates/CAs
- Passphrase protected x509 content will be shown encrypted in the web UI
- provide a simple and reusable x509 PKI management django app
- provide abstract models that can be imported and extended in larger django projects
- Python >= 3.8
- OpenSSL
Install from pypi:
pip install django-x509
Install tarball:
pip install https://github.com/openwisp/django-x509/tarball/master
Alternatively you can install via pip using git:
pip install -e git+git://github.com/openwisp/django-x509#egg=django-x509
If you want to contribute, install your cloned fork:
git clone [email protected]:<your_fork>/django-x509.git
cd django-x509
python setup.py develop
Add django_x509
to INSTALLED_APPS
:
INSTALLED_APPS = [
# other apps
"django_x509",
]
Add the URLs to your main urls.py
:
from django.contrib import admin
urlpatterns = [
# ... other urls in your project ...
url(r"admin/", admin.site.urls),
]
Then run:
./manage.py migrate
Install sqlite:
sudo apt-get install sqlite3 libsqlite3-dev
Install your forked repo:
git clone git://github.com/<your_fork>/django-x509
cd django-x509/
python setup.py develop
Install test requirements:
pip install -r requirements-test.txt
Create database:
cd tests/
./manage.py migrate
./manage.py createsuperuser
Launch development server:
./manage.py runserver
You can access the admin interface at http://127.0.0.1:8000/admin/.
Run tests with:
./runtests.py
Build from docker file:
sudo docker build -t openwisp/djangox509 .
Run the docker container:
sudo docker run -it -p 8000:8000 openwisp/djangox509
type: | int |
default: | 365 |
Default validity period (in days) when creating new x509 certificates.
type: | int |
default: | 3650 |
Default validity period (in days) when creating new Certification Authorities.
type: | int |
default: | 2048 |
Default key length for new CAs and new certificates.
Must be one of the following values:
512
1024
2048
4096
type: | str |
default: | sha256 |
Default digest algorithm for new CAs and new certificates.
Must be one of the following values:
sha1
sha224
sha256
sha384
sha512
type: | bool |
default: | True |
Whether the basicConstraint
x509 extension must be flagged as critical
when creating new CAs.
type: | int or None |
default: | 0 |
Value of the pathLenConstraint
of basicConstraint
x509 extension
used when creating new CAs.
When this value is a positive int
it represents the maximum number of
non-self-issued intermediate certificates that may follow the generated
certificate in a valid certification path.
Set this value to None
to avoid imposing any limit.
type: | bool |
default: | True |
Whether the keyUsage
x509 extension should be flagged as "critical"
for new CAs.
type: | str |
default: | cRLSign, keyCertSign |
Value of the keyUsage
x509 extension for new CAs.
type: | bool |
default: | False |
Whether the keyUsage
x509 extension should be flagged as "critical"
for new end-entity certificates.
type: | str |
default: | digitalSignature, keyEncipherment |
Value of the keyUsage
x509 extension for new end-entity certificates.
type: | bool |
default: | False |
Whether the view for downloading Certificate Revocation Lists should be protected with authentication or not.
One of the core values of the OpenWISP project is Software Reusability, for this reason django-x509 provides a set of base classes which can be imported, extended and reused to create derivative apps.
In order to implement your custom version of django-x509, you need to perform the steps described in this section.
When in doubt, the code in the test project and the sample app will serve you as source of truth: just replicate and adapt that code to get a basic derivative of django-x509 working.
Premise: if you plan on using a customized version of this module, we suggest to start with it since the beginning, because migrating your data from the default module to your extended version may be time consuming.
The first thing you need to do is to create a new django app which will contain your custom version of django-x509.
A django app is nothing more than a python package (a directory
of python scripts), in the following examples we'll call this django app
myx509
, but you can name it how you want:
django-admin startapp myx509
Keep in mind that the command mentioned above must be called from a directory which is available in your PYTHON_PATH so that you can then import the result into your project.
Now you need to add myx509
to INSTALLED_APPS
in your
settings.py
, ensuring also that django_x509
has been removed:
INSTALLED_APPS = [
# ... other apps ...
# 'django_x509' <-- comment out or delete this line
"myx509"
]
For more information about how to work with django projects and django apps, please refer to the django documentation.
Install (and add to the requirement of your project):
pip install django-x509 openwisp-utils
Add the following to your settings.py
:
EXTENDED_APPS = ["django_x509"]
Add openwisp_utils.staticfiles.DependencyFinder
to
STATICFILES_FINDERS
in your settings.py
:
STATICFILES_FINDERS = [
"django.contrib.staticfiles.finders.FileSystemFinder",
"django.contrib.staticfiles.finders.AppDirectoriesFinder",
"openwisp_utils.staticfiles.DependencyFinder",
]
Add openwisp_utils.loaders.DependencyLoader
to TEMPLATES
in your
settings.py
:
TEMPLATES = [
{
"BACKEND": "django.template.backends.django.DjangoTemplates",
"OPTIONS": {
"loaders": [
"django.template.loaders.filesystem.Loader",
"django.template.loaders.app_directories.Loader",
"openwisp_utils.loaders.DependencyLoader",
],
"context_processors": [
"django.template.context_processors.debug",
"django.template.context_processors.request",
"django.contrib.auth.context_processors.auth",
"django.contrib.messages.context_processors.messages",
],
},
}
]
Please refer to the following files in the sample app of the test project:
You have to replicate and adapt that code in your project.
For more information regarding the concept of AppConfig
please refer
to the "Applications" section in the django documentation.
Here we provide an example of how to extend the base models of django-x509. We added a simple "details" field to the models for demostration of modification:
from django.db import models
from django_x509.base.models import AbstractCa, AbstractCert
class DetailsModel(models.Model):
details = models.CharField(max_length=64, blank=True, null=True)
class Meta:
abstract = True
class Ca(DetailsModel, AbstractCa):
"""
Concrete Ca model
"""
class Meta(AbstractCa.Meta):
abstract = False
class Cert(DetailsModel, AbstractCert):
"""
Concrete Cert model
"""
class Meta(AbstractCert.Meta):
abstract = False
You can add fields in a similar way in your models.py
file.
Note: for doubts regarding how to use, extend or develop models please refer to the "Models" section in the django documentation.
Once you have created the models, add the following to your
settings.py
:
# Setting models for swapper module
DJANGO_X509_CA_MODEL = "myx509.Ca"
DJANGO_X509_CERT_MODEL = "myx509.Cert"
Substitute myx509
with the name you chose in step 1.
Create and apply database migrations:
./manage.py makemigrations ./manage.py migrate
For more information, refer to the "Migrations" section in the django documentation.
Refer to the admin.py file of the sample app.
To introduce changes to the admin, you can do it in two main ways which are described below.
Note: for more information regarding how the django admin works, or how it can be customized, please refer to "The django admin site" section in the django documentation.
If the changes you need to add are relatively small, you can resort to monkey patching.
For example:
from django_x509.admin import CaAdmin, CertAdmin
CaAdmin.list_display.insert(
1, "my_custom_field"
) # <-- your custom change example
CertAdmin.list_display.insert(
1, "my_custom_field"
) # <-- your custom change example
If you need to introduce significant changes and/or you don't want to resort to monkey patching, you can proceed as follows:
from django.contrib import admin
from swapper import load_model
from django_x509.base.admin import AbstractCaAdmin, AbstractCertAdmin
Ca = load_model("django_x509", "Ca")
Cert = load_model("django_x509", "Cert")
class CertAdmin(AbstractCertAdmin):
pass
# add your changes here
class CaAdmin(AbstractCaAdmin):
pass
# add your changes here
admin.site.register(Ca, CaAdmin)
admin.site.register(Cert, CertAdmin)
Please refer to the urls.py file in the test project.
For more information about URL configuration in django, please refer to the "URL dispatcher" section in the django documentation.
When developing a custom application based on this module, it's a good idea to import and run the base tests too, so that you can be sure the changes you're introducing are not breaking some of the existing features of django-x509.
In case you need to add breaking changes, you can overwrite the tests defined in the base classes to test your own behavior.
from django.test import TestCase
from django_x509.tests.base import TestX509Mixin
from django_x509.tests.test_admin import (
ModelAdminTests as BaseModelAdminTests,
)
from django_x509.tests.test_ca import TestCa as BaseTestCa
from django_x509.tests.test_cert import TestCert as BaseTestCert
class ModelAdminTests(BaseModelAdminTests):
app_label = "myx509"
class TestCert(BaseTestCert):
pass
class TestCa(BaseTestCa):
pass
del BaseModelAdminTests
del BaseTestCa
del BaseTestCert
Now, you can then run tests with:
# the --parallel flag is optional ./manage.py test --parallel myx509
Substitute myx509
with the name you chose in step 1.
For more information about automated tests in django, please refer to "Testing in Django".
Please refer to the OpenWISP contributing guidelines.
See OpenWISP Support Channels.
See CHANGES.
See LICENSE.