Document (and fix) certificate sign via API
fmonniot committed Dec 13, 2024
1 parent 108be0c commit 1724516
Showing 2 changed files with 14 additions and 3 deletions.
11 changes: 11 additions & 0 deletions src/tools/push_av_server/README.md
@@ -36,4 +36,15 @@ $ curl -XGET --cacert ~/.pavstest/certs/server/root.pem https://localhost:1234/s
# Get detailed information about the uploaded media file.
# This correspond to the ffprobe tool output
$ curl --cacert ~/.pavstest/certs/server/root.pem -XGET 'https://localhost:1234/probe/1/cmaf/example/video-720p.cmfv'

# You can also use the web server to sign certificates if given a CSR.
# First create a key and csr for your device:
$ openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=test"

# When sending the CSR over JSON we need to have the newline characters be the literal \n.
$ sed '$!G' client.csr | paste -sd '\\n' - > client.curl.csr

# Then sign it with the server
$ curl --cacert ~/.pavstest/certs/server/root.pem -XPOST 'https://localhost:1234/certs/my-device/sign' -d "{\"csr\":\"$(cat client.curl.csr)\"}" --header "content-type: application/json"

```
6 changes: 3 additions & 3 deletions src/tools/push_av_server/server.py
@@ -248,7 +248,7 @@ def _save_cert(
turn make it very unsecure.
"""
cert_path = self.directory / f"{name}.pem"
key_path = self.directory / f"{name}.key"
key_path = self.directory / f"{name}.key" if key else None

if key:
with open(key_path, "wb") as f:
@@ -344,7 +344,7 @@ def gen_cert(self, dns: str, csr: str, override=False, duration: datetime.timede
Generate a certificate signed by this CA hierarchy using the provided CSR.
Returns the path to the key, cert, and whether it was reused or not.
"""
signing_request = x509.load_pem_x509_csr(csr)
signing_request = x509.load_pem_x509_csr(csr.encode('utf-8'))
signing_request.public_key()

# If we don't always override, first check if an existing keypair already exists
@@ -356,7 +356,7 @@ def gen_cert(self, dns: str, csr: str, override=False, duration: datetime.timede
return (key_path, cert_path, True)

# Sign certificate
cert = self._sign_cert(dns, csr.public_key(), duration)
cert = self._sign_cert(dns, signing_request.public_key(), duration)

# Save that information to disk
(key_path, cert_bundle_path) = self._save_cert(
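Review bot: In the `gen_cert` hunks the CSR is parsed and its public key is handed to `_sign_cert`, but nothing visible checks the CSR's own signature, so the CA would certify a public key the requester has not shown it holds. The bare `signing_request.public_key()` statement right after the load discards its result and validates nothing. Replace that statement with `if not signing_request.is_signature_valid: raise ValueError("CSR signature is not valid")`. `gen_cert` begins and ends outside the visible hunks, so confirm that no such check already exists in the lines not shown. `load_pem_x509_csr` also raises `ValueError` on malformed PEM, so the sign endpoint's handler presumably should turn both failures into a 4xx response rather than an unhandled error.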
