def generate_keys(self):
if os.path.isfile('./private_key.pem') and os.path.isfile('./public_key.pem'):
with open('./public_key.pem', 'rb') as f:
self.public_key = f.read()
with open('./private_key.pem', 'rb') as f:
self.private_key = f.read()
else:
print("KEYS not found, creating new ones")
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
with open('private_key.pem', 'wb') as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey=key))
with open('public_key.pem', 'wb') as f:
f.write(crypto.dump_publickey(crypto.FILETYPE_PEM, pkey=key))
self.public_key = crypto.dump_publickey(
crypto.FILETYPE_PEM, pkey=key)
self.private_key = crypto.dump_privatekey(
crypto.FILETYPE_PEM, pkey=key)
def create_self_signed_cert():
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
cert = crypto.X509()
cert.get_subject().C = "PL"
cert.get_subject().ST = "Lublin"
cert.get_subject().L = "Lublin"
cert.get_subject().O = "ProjektPAS"
cert.get_subject().OU = "PP"
cert.get_subject().CN = "localhost"
print(gethostname())
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
open(CERT_FILE, "wt").write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8")
)
open(KEY_FILE, "wt").write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8")
)
def create_self_signed_cert(certFile, keyFile, hostName):
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "PT"
cert.get_subject().ST = "Portugal"
cert.get_subject().L = "Portugal"
cert.get_subject().O = "S-Razoes Lda"
cert.get_subject().OU = "S-Razoes Lda"
cert.get_subject().CN = hostName
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, b'sha512')
open(certFile, "wt").write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))
open(keyFile, "wt").write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf-8'))
def gen_cert(self):
key_pair = crypto.PKey()
key_pair.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.get_subject().O = 'admin'
cert.get_subject().CN = 'krishpranav'
cert.get_subject().OU = 'krishpranav'
cert.get_subject().C = 'US'
cert.get_subject().L = 'Los Santos'
cert.get_subject().ST = 'California'
cert.set_serial_number(SystemRandom().randint(2048**8, 4096**8))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(256 * 409600)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key_pair)
cert.sign(key_pair, 'sha256')
with open(const.CERT_FILE, 'wb') as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(const.KEY_FILE, 'wb') as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key_pair))
def test_should_return_for_pyopenssl_stored_key_with_passphrase(self):
self.order_meta.update(self.stored_key_meta)
self.order_meta['container_ref'] = (
"https://localhost/containers/" + self.container_with_passphrase.id
)
passphrase = "my secret passphrase"
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
key_pem = crypto.dump_privatekey(
crypto.FILETYPE_PEM,
pkey,
passphrase=passphrase.encode('utf-8')
)
self.private_key_value = base64.b64encode(key_pem)
self.public_key_value = "public_key"
self.passphrase_value = base64.b64encode(passphrase.encode('utf-8'))
self.store_plugin.get_secret.side_effect = self.stored_key_side_effect
self._test_should_return_waiting_for_ca(
cert_res.issue_certificate_request)
self._verify_issue_certificate_plugins_called()
self.assertIsNotNone(
self.order.order_barbican_meta['generated_csr'])
def _genPkeyCsr(self, name, mode, outp=None):
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, self.crypto_numbits)
xcsr = crypto.X509Req()
xcsr.get_subject().CN = name
xcsr.set_pubkey(pkey)
xcsr.sign(pkey, self.signing_digest)
keypath = self._savePkeyTo(pkey, mode, '%s.key' % name)
if outp is not None:
outp.printf('key saved: %s' % (keypath, ))
csrpath = self._getPathJoin(mode, '%s.csr' % name)
self._checkDupFile(csrpath)
with s_common.genfile(csrpath) as fd:
fd.truncate(0)
fd.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM,
xcsr))
if outp is not None:
outp.printf('csr saved: %s' % (csrpath, ))
def create_self_signed_cert(cert_dir: str,
cert_file: str = "myapp.crt",
key_file: str = "myapp.key") -> Tuple[str, str]:
"""
If datacard.crt and datacard.key don't exist in cert_dir, create a new
self-signed cert and keypair and write them into that directory.
"""
if not exists(join(cert_dir, cert_file)) or not exists(
join(cert_dir, key_file)):
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
subject = cert.get_subject()
setattr(subject, "C", "US")
setattr(subject, "ST", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
setattr(subject, "L", "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB")
setattr(subject, "O", "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC")
# XD
setattr(subject, "OU", "bunny corp")
setattr(subject, "CN", "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD")
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, "sha256")
with open(join(cert_dir, cert_file), "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(join(cert_dir, key_file), "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
return cert_file, key_file
def generate_ssl_cert(target_file=None, overwrite=False):
if target_file and not overwrite and os.path.exists(target_file):
return
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "AU"
cert.get_subject().ST = "Some-State"
cert.get_subject().L = "Some-Locality"
cert.get_subject().O = "LocalStack Org"
cert.get_subject().OU = "Testing"
cert.get_subject().CN = "LocalStack"
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
cert_file = StringIO()
key_file = StringIO()
cert_file.write(to_str(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)))
key_file.write(to_str(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)))
cert_file_content = cert_file.getvalue().strip()
key_file_content = key_file.getvalue().strip()
file_content = '%s\n%s' % (key_file_content, cert_file_content)
if target_file:
save_file(target_file, file_content)
save_file('%s.key' % target_file, key_file_content)
save_file('%s.crt' % target_file, cert_file_content)
return file_content
return file_content
def get(self, bits=2048, type=crypto.TYPE_RSA, digest='sha1'):
"""
Get a new self-signed certificate
@type bits: int
@type digest: str
@rtype: Certificate
"""
self.log.debug('Creating a new self-signed SSL certificate')
# Generate the key and ready our cert
key = crypto.PKey()
key.generate_key(type, bits)
cert = crypto.X509()
# Fill in some pseudo certificate information with a wildcard common name
cert.get_subject().C = 'US'
cert.get_subject().ST = 'California'
cert.get_subject().L = 'Los Angeles'
cert.get_subject().O = 'Wright Anything Agency'
cert.get_subject().OU = 'Law firm / talent agency'
cert.get_subject().CN = '*.{dn}'.format(dn=self.site.domain.name)
# Set the serial number, expiration and issued
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000)
cert.set_issuer(cert.get_subject())
# Map the key and sign our certificate
cert.set_pubkey(key)
cert.sign(key, digest)
# Dump the PEM data and return a certificate container
_cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
return Certificate(_cert, _key, type, bits, digest)
def _genPkeyCsr(self, name, mode, outp=None):
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
xcsr = crypto.X509Req()
xcsr.get_subject().CN = name
xcsr.set_pubkey(pkey)
xcsr.sign(pkey, 'sha256')
keypath = self._savePkeyTo(pkey, mode, '%s.key' % name)
if outp is not None:
outp.printf('key saved: %s' % (keypath, ))
csrpath = self.getPathJoin(mode, '%s.csr' % name)
if os.path.isfile(csrpath):
raise s_common.DupFileName(path=csrpath)
with s_common.genfile(csrpath) as fd:
fd.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM,
xcsr))
if outp is not None:
outp.printf('csr saved: %s' % (csrpath, ))
def generate_ca(self) -> None:
"""
Generate a CA certificate
"""
if not os.path.exists(self.cakeypath):
print("Cannot find CA locally so generating one")
if not os.path.exists(os.path.dirname(self.cakeypath)):
print("the directory for storing certificates doesn't exist.")
print("Creating one at " + os.path.dirname(self.cakeypath))
os.makedirs(os.path.dirname(self.cakeypath))
ca_key = crypto.PKey()
ca_key.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.get_subject().CN = "CA"
cert.set_serial_number(0)
cert.set_version(2)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(cert.get_subject())
cert.add_extensions([
crypto.X509Extension(b'basicConstraints', False, b'CA:TRUE'),
crypto.X509Extension(b'keyUsage', False,
b'keyCertSign, cRLSign')
])
cert.set_pubkey(ca_key)
cert.sign(ca_key, "sha256")
f = open(self.cakeypath, "wb")
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_key))
f.close()
f = open(self.capempath, "wb")
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
f.close()
else:
print("CA found locally, not generating a new one")
def create_self_signed_cert(certfile, keyfile, certargs, cert_dir="."):
if not os.path.isdir(cert_dir):
os.mkdir(cert_dir)
c_f = os.path.join(cert_dir, certfile)
k_f = os.path.join(cert_dir, keyfile)
if not os.path.exists(c_f) or not os.path.exists(k_f):
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
cert = crypto.X509()
cert.get_subject().C = certargs["Country"]
cert.get_subject().ST = certargs["State"]
cert.get_subject().L = certargs["City"]
cert.get_subject().O = certargs["Organization"]
cert.get_subject().OU = certargs["Org. Unit"]
cert.get_subject().CN = HOSTNAME
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
open(c_f,
"wb").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(k_f, "wb").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
def init_crypto(csr_file=CSR_FILE, key_file=KEY_FILE):
'''
Generate private key and CSR for secure communication
'''
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
req = crypto.X509Req()
subj = req.get_subject()
subj.C = "PL"
subj.ST = "Dolnyslask"
subj.L = "Wroclaw"
subj.O = "MonitOwl Agents"
subj.OU = "Agents"
subj.CN = gethostname()
req.set_pubkey(key)
req.sign(key, 'sha1')
with open(csr_file, "wt", 0o400) as fileh:
fileh.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
with open(key_file, "wt", 0o400) as fileh:
fileh.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
LOG.info("Crypto files Key and CSR created")
def create_self_signed_cert(cert_dir, cert_file, key_file, hostname):
# from https://gist.github.com/ril3y/1165038
cert_path = realpath(join(cert_dir, cert_file))
key_path = realpath(join(cert_dir, key_file))
if not exists(cert_path) or not exists(key_path):
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().CN = hostname
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
with open(cert_path, "wt") as fp:
fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))
with open(key_path, "wt") as fp:
fp.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf-8'))
def generate_test_cert(hostname="somehostname",
san_list=None,
expires=1000000):
"""
Generates a test SSL certificate and returns the certificate data and private key data.
"""
# Based on: http://blog.richardknop.com/2012/08/create-a-self-signed-x509-certificate-in-python/
# Create a key pair.
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# Create a self-signed cert.
cert = crypto.X509()
cert.get_subject().CN = hostname
# Add the subjectAltNames (if necessary).
if san_list is not None:
cert.add_extensions([
crypto.X509Extension(b"subjectAltName", False,
b", ".join(san_list))
])
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(expires)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, "sha1")
# Dump the certificate and private key in PEM format.
cert_data = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
key_data = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
return (cert_data, key_data)
def create_self_signed_cert():
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "CA"
cert.get_subject().ST = "BC"
cert.get_subject().L = "Vancouver"
cert.get_subject().O = "Self Signed Madness"
cert.get_subject().OU = "Self Signyness"
cert.get_subject().CN = gethostname()
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
open(CERT_FILE,
"wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(KEY_FILE, "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
def create_self_signed_cert(cert_dir, key_dir, domain_name):
SYSTEM_CERT_DIR = '/usr/local/share/ca-certificates'
DOMAIN_SYS_DIR = os.path.join(SYSTEM_CERT_DIR, domain_name)
CERT_FILE = domain_name + '.crt'
KEY_FILE = domain_name + '.key'
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "US"
cert.get_subject().ST = "New York"
cert.get_subject().L = "Stony Brook"
cert.get_subject().O = "Computer Science"
cert.get_subject().OU = "NetSys"
cert.get_subject().CN = domain_name
cert.set_serial_number(int(random.randint(0, 1000000000)))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
#print(cert_dir, CERT_FILE, crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(os.path.join(cert_dir, CERT_FILE),
"wb").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(os.path.join(key_dir, KEY_FILE),
"wb").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
clear_folder(DOMAIN_SYS_DIR)
system_cert_domain = os.path.join(DOMAIN_SYS_DIR, CERT_FILE)
shutil.copy2(os.path.join(cert_dir, CERT_FILE), system_cert_domain)
#print(' '.join(['certutil', '-d', 'sql:/home/jnejati/.pki/nssdb','-A','-t', '"C,,"', '-n', domain_name, '-i', system_cert_domain]))
#subprocess.call(['certutil', '-d', 'sql:/home/jnejati/.pki/nssdb','-D','-t', '"C,,"', '-n', domain_name, '-i', system_cert_domain])
#subprocess.call(['certutil', '-d', 'sql:/home/jnejati/.pki/nssdb','-A','-t', '"C,,"', '-n', domain_name, '-i', system_cert_domain])
os.system('certutil -d sql:/home/jnejati/.pki/nssdb -D -t "C,," -n ' +
domain_name + ' -i ' + system_cert_domain)
os.system('certutil -d sql:/home/jnejati/.pki/nssdb -A -t "C,," -n ' +
domain_name + ' -i ' + system_cert_domain)
def gen_cert(cert_path, key_path):
"""
Generate certificate and key for scratch-link
"""
os.makedirs(localdir, exist_ok=True)
if os.path.isfile(cert_path) and os.path.isfile(key_path):
if is_cert_valid(cert_path):
logger.debug(
f"Alreadfy {cert_path} and {key_path} are genereated.")
return
else:
logger.info(f"Certificate {cert_path} expired. Regenerate it.")
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.get_subject().CN = SCRATCH_CERT_NICKNAME
cert.gmtime_adj_notBefore(9)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) # ten years
cert.set_pubkey(key)
cert.set_issuer(cert.get_subject())
cert.add_extensions([
crypto.X509Extension(b"subjectAltName", False,
b"DNS:device-manager.scratch.mit.edu")
])
cert.sign(key, 'sha256')
with open(cert_path, "wb") as cf:
cf.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(key_path, "wb") as kf:
kf.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
logger.info(f"Generated certificate: {cert_path}")
logger.info(f"Generated key: {key_path}")
def gencert():
# https://www.linux.org/threads/creating-a-self-signed-certificate-with-python.9038/
# https://markusholtermann.eu/2016/09/ssl-all-the-things-in-python/
from OpenSSL import crypto, SSL
from pprint import pprint
from time import gmtime, mktime
from os.path import exists, join
from random import choice, randint
from string import letters
CN = "SSLS"
CERT_FILE = "%s.crt" % CN
PEM_FILE = "%s.pem" % CN
PUBKEY_FILE = "%s.pub" % CN
cert_dir = "."
C_F = join(cert_dir, CERT_FILE)
K_F = join(cert_dir, PEM_FILE)
P_F = join(cert_dir, PUBKEY_FILE)
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 4096)
cert = crypto.X509()
cert.get_subject().C = "".join([choice(letters[:26]) for i in range(2)])
cert.get_subject().ST = "".join([choice(letters[:26]) for i in range(2)])
cert.get_subject().L = "".join([choice(letters[:26]) for i in xrange(0, randint(2,32))])
cert.get_subject().O = "".join([choice(letters[:26]) for i in xrange(0, randint(2,32))])
cert.get_subject().OU = "".join([choice(letters[:26]) for i in xrange(0, randint(2,32))])
cert.get_subject().CN = CN
cert.set_serial_number(randint(1000,9999))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(604800) # 7 days...
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
open(C_F, 'wt').write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(K_F, 'wt').write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey=k))
open(P_F, 'wt').write(crypto.dump_publickey(crypto.FILETYPE_PEM, pkey=k))
return C_F, K_F, P_F
def create_self_signed_certificate():
global SN, certificate, key
# generate key
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
# define certificate attributes
cert = crypto.X509()
cert.get_subject().C = "IT"
cert.get_subject().ST = "Italy"
cert.get_subject().L = "Rome"
cert.get_subject().O = "."
cert.get_subject().OU = "."
cert.get_subject().CN = CN
cert.set_serial_number(0)
SN += 1
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000)
cert.set_issuer(cert.get_subject(
)) #self signing the certificate (the issuer is the same of the subject)
cert.set_pubkey(k)
cert.sign(k, "sha256")
# assign to global variables
certificate = cert
key = k
# write to disk certificate and key
open(CF, "wt").write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8"))
open(KF, "wt").write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8"))
def generateCSR(cn, c, st, l, o, ou, email, sans):
# TODO: support different kind/size keys???
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
csr = crypto.X509Req()
csr.get_subject().CN = cn
csr.get_subject().countryName = c
csr.get_subject().stateOrProvinceName = st
csr.get_subject().localityName = l
csr.get_subject().organizationName = o
csr.get_subject().organizationalUnitName = ou
csr.get_subject().emailAddress = email
# csr.get_subject().subjectAltName = 'test.example.com'
x509_extensions = ([])
# TODO: support "IP:" in addition to "DNS:" below
sans_list = []
for san in sans:
sans_list.append("DNS: {0}".format(san))
sans_list = ", ".join(sans_list)
if sans_list:
x509_extensions.append(crypto.X509Extension("subjectAltName", False, sans_list))
csr.add_extensions(x509_extensions)
csr.set_pubkey(key)
csr.sign(key, "sha256")
csr_out = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
key_out = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
return key_out,csr_out
def create_self_signed_cert():
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "DE"
cert.get_subject().ST = "NRW"
cert.get_subject().L = "Dortmund"
cert.get_subject().O = "Dummy Company Ltd"
cert.get_subject().OU = "Dummy Company Ltd"
cert.get_subject().CN = "PowerDNS-Admin"
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
open(CERT_FILE,
"wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(KEY_FILE, "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
def gen_cert(self, domain, key=None, bits=2048):
"""Generate tls-alpn-01 certificate.
:param unicode domain: Domain verified by the challenge.
:param OpenSSL.crypto.PKey key: Optional private key used in
certificate generation. If not provided (``None``), then
fresh key will be generated.
:param int bits: Number of bits for newly generated key.
:rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey`
"""
if key is None:
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, bits)
der_value = b"DER:" + codecs.encode(self.h, 'hex')
acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1,
critical=True,
value=der_value)
return crypto_util.gen_ss_cert(key, [domain],
force_san=True,
extensions=[acme_extension]), key
def create_server_pair(self, o, cn, san=[]):
"""Issue a X.509 server key/certificate pair"""
# key
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
# cert
cert = crypto.X509()
cert.set_serial_number(self.__next_serial)
cert.set_version(2)
cert.set_pubkey(key)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365*24*60*60)
cert_subject = cert.get_subject()
cert_subject.O = o
cert_subject.OU = 'kOVHernetes'
cert_subject.CN = cn
cert.set_issuer(self.cert.get_issuer())
cert_ext = []
cert_ext.append(crypto.X509Extension(b'subjectKeyIdentifier', False, b'hash', cert))
cert_ext.append(crypto.X509Extension(b'authorityKeyIdentifier', False, b'keyid,issuer:always', issuer=self.cert))
cert_ext.append(crypto.X509Extension(b'basicConstraints', False, b'CA:FALSE'))
cert_ext.append(crypto.X509Extension(b'keyUsage', True, b'digitalSignature, keyEncipherment'))
cert_ext.append(crypto.X509Extension(b'extendedKeyUsage', True, b'serverAuth'))
if san: cert_ext.append(crypto.X509Extension(b'subjectAltName', False, ','.join(san).encode()))
cert.add_extensions(cert_ext)
# sign cert with CA key
cert.sign(self.key, 'sha256')
type(self).__next_serial += 1
return key, cert
def create_self_signed_cert(cert_dir, cert_file_name, key_file_name,
IP_address, tenant_id):
"""
If datacard.crt and datacard.key don't exist in cert_dir, create a new
self-signed cert and keypair and write them into that directory.
"""
CERT_FILE = cert_file_name
KEY_FILE = key_file_name
if not exists(join(cert_dir, CERT_FILE)) \
or not exists(join(cert_dir, KEY_FILE)):
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "US"
cert.get_subject().ST = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
cert.get_subject().L = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
cert.get_subject().O = "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
cert.get_subject().OU = tenant_id
cert.get_subject().CN = IP_address
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
open(join(cert_dir, CERT_FILE),
"wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(join(cert_dir, KEY_FILE),
"wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
def genCertificate(self,
KEY_FILE="certificate/private.pem",
CERT_FILE="certificate/cacert.pem"):
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 4096)
cert = crypto.X509()
cert.get_subject().C = "UK"
cert.get_subject().ST = "London"
cert.get_subject().L = "London"
cert.get_subject().O = "Development"
cert.get_subject().CN = "www.google.com"
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31557600)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha512')
with open(CERT_FILE, "wt") as f:
f.write(
crypto.dump_certificate(crypto.FILETYPE_PEM,
cert).decode("utf-8"))
with open(KEY_FILE, "wt") as f:
f.write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8"))
def __init__(self,
filename=None,
text=None,
passphrase=None,
filetype="pem",
bits=2048,
_key=None):
self.__passphrase = passphrase # can also be a callable
if _key is not None:
key = _key
else:
ftype = _FILETYPES[filetype]
if filename is not None:
ftype, text = get_type_and_text(filename)
if text is not None:
if passphrase is not None:
key = crypto.load_privatekey(ftype, text, passphrase)
else:
key = crypto.load_privatekey(ftype, text)
else:
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, bits)
key.check()
self._key = key
def create_self_signed_cert(cert_dir, keyfile, certfile):
"""
Create a self-signed `keyfile` and `certfile` in `cert_dir`
Abort if one of the keyfile of certfile exist.
"""
if exists(join(cert_dir, certfile)) or exists(join(cert_dir, keyfile)):
raise FileExistsError('{} or {} already exist in {}. Aborting.'.format(keyfile, certfile, cert_dir))
else:
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "US"
cert.get_subject().ST = "Jupyter notebook self-signed certificate"
cert.get_subject().L = "Jupyter notebook self-signed certificate"
cert.get_subject().O = "Jupyter notebook self-signed certificate"
cert.get_subject().OU = "my organization"
cert.get_subject().CN = "Jupyter notebook self-signed certificate"
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365*24*60*60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
with io.open(join(cert_dir, certfile), "wt") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf8'))
os.chmod(join(cert_dir, certfile), 0o600)
with io.open(join(cert_dir, keyfile), "wt") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf8'))
os.chmod(join(cert_dir, keyfile), 0o600)
def make_ssl_cert(name):
'''Create and return an SslCertificate in dictionary format.
'''
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.get_subject().C = "US"
cert.get_subject().ST = "New York"
cert.get_subject().L = "New York City"
cert.get_subject().O = "Google"
cert.get_subject().OU = "Spinnaker"
cert.get_subject().CN = "localhost"
cert.set_serial_number(4096)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, 'sha1')
return {
'name': name,
'privateKey': crypto.dump_privatekey(crypto.FILETYPE_PEM, key),
'certificate': crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
}
def create_cert():
"""Create self signed certificate for HTTP server"""
if not os.path.exists(CERT_FILE) or not os.path.exists(KEY_FILE):
try:
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "IE"
cert.get_subject().ST = "Galway"
cert.get_subject().L = "Galway"
cert.get_subject().O = "NUIG"
cert.get_subject().OU = "Computer Science & IT"
cert.get_subject().CN = socket.gethostname()
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
open(CERT_FILE,
"wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM,
cert))
open(KEY_FILE,
"wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
except crypto.Error as err:
logging.warning("OpenSSL error occurred: %s" % err)
return
except Exception as e:
logging.warning(
"Error occurred when creating self signed cert: %s" % e)
return
else:
logging.info("Signed cert already exists.")
