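def create_authority(self, hostname):
    """Create a self-signed root CA for *hostname* and persist it to disk.

    The certificate is written to /etc/ssl/certs/genesis/ca/<hostname>.pem
    (mode 0660) and the private key to
    /etc/ssl/private/genesis/ca/<hostname>.key (mode 0600). Returns None.

    Raises ValueError if *hostname* is not a plain file-name component: it is
    spliced verbatim into both paths, so a value containing a path separator
    or '..' would place the CA outside the genesis tree.

    Fixes relative to the original: X.509 version is now v3 (pyOpenSSL's
    set_version is zero-based, so the old set_version(3) emitted an invalid
    "v4" certificate), the signature digest is SHA-256 instead of SHA-1, and
    the private key is created with mode 0600 instead of whatever the umask
    allowed.
    """
    if (not hostname or hostname in ('.', '..') or os.sep in hostname
            or (os.altsep and os.altsep in hostname)):
        raise ValueError('invalid hostname for CA file name: %r' % (hostname,))

    cert_dir = '/etc/ssl/certs/genesis/ca'
    key_dir = '/etc/ssl/private/genesis/ca'
    cert_path = os.path.join(cert_dir, hostname + '.pem')
    key_path = os.path.join(key_dir, hostname + '.key')
    # Both files are written below; make sure their directories exist and
    # keep the key directory private.
    if not os.path.isdir(cert_dir):
        os.makedirs(cert_dir)
    if not os.path.isdir(key_dir):
        os.makedirs(key_dir, 0o700)

    key = OpenSSL.crypto.PKey()
    key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)

    ca = OpenSSL.crypto.X509()
    ca.set_version(2)  # X.509 v3 -- pyOpenSSL/OpenSSL version numbers are zero-based
    # NOTE(review): serials must be unique per issuer; a clock-derived serial
    # collides if two certificates are issued within the same tick -- verify
    # SystemTime.get_serial_time() resolution.
    ca.set_serial_number(int(SystemTime.get_serial_time()))
    ca.get_subject().O = 'arkOS Servers'
    ca.get_subject().CN = hostname
    ca.gmtime_adj_notBefore(0)
    ca.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)  # valid for five years
    ca.set_issuer(ca.get_subject())  # self-signed root
    ca.set_pubkey(key)
    ca.add_extensions([
        # pathlen:0 -- this CA may only issue end-entity certificates.
        OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
        OpenSSL.crypto.X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
        OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
    ])
    # SHA-1 signatures are rejected by current TLS clients.
    ca.sign(key, 'sha256')

    with open(cert_path, "wt") as f:
        f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
    os.chmod(cert_path, 0o660)

    # Create the key file with 0600 from the start so it is never exposed
    # through the process umask; re-assert the mode in case the file existed.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wt") as f:
        f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
    os.chmod(key_path, 0o600)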
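def create_authority(self, hostname):
    """Create a self-signed root CA for *hostname* and persist it to disk.

    The certificate is written to /etc/ssl/certs/genesis/ca/<hostname>.pem
    (mode 0660) and the private key to
    /etc/ssl/private/genesis/ca/<hostname>.key (mode 0600). Returns None.

    Raises ValueError if *hostname* is not a plain file-name component: it is
    spliced verbatim into both paths, so a value containing a path separator
    or '..' would place the CA outside the genesis tree.

    Fixes relative to the original: X.509 version is now v3 (pyOpenSSL's
    set_version is zero-based, so the old set_version(3) emitted an invalid
    "v4" certificate), the signature digest is SHA-256 instead of SHA-1, and
    the private key is created with mode 0600 instead of whatever the umask
    allowed.
    """
    if (not hostname or hostname in ('.', '..') or os.sep in hostname
            or (os.altsep and os.altsep in hostname)):
        raise ValueError('invalid hostname for CA file name: %r' % (hostname,))

    cert_dir = '/etc/ssl/certs/genesis/ca'
    key_dir = '/etc/ssl/private/genesis/ca'
    cert_path = os.path.join(cert_dir, hostname + '.pem')
    key_path = os.path.join(key_dir, hostname + '.key')
    # Both files are written below; make sure their directories exist and
    # keep the key directory private.
    if not os.path.isdir(cert_dir):
        os.makedirs(cert_dir)
    if not os.path.isdir(key_dir):
        os.makedirs(key_dir, 0o700)

    key = OpenSSL.crypto.PKey()
    key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)

    ca = OpenSSL.crypto.X509()
    ca.set_version(2)  # X.509 v3 -- pyOpenSSL/OpenSSL version numbers are zero-based
    # NOTE(review): serials must be unique per issuer; a clock-derived serial
    # collides if two certificates are issued within the same tick -- verify
    # SystemTime.get_serial_time() resolution.
    ca.set_serial_number(int(SystemTime.get_serial_time()))
    ca.get_subject().O = 'arkOS Servers'
    ca.get_subject().CN = hostname
    ca.gmtime_adj_notBefore(0)
    ca.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)  # valid for five years
    ca.set_issuer(ca.get_subject())  # self-signed root
    ca.set_pubkey(key)
    ca.add_extensions([
        # pathlen:0 -- this CA may only issue end-entity certificates.
        OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
        OpenSSL.crypto.X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
        OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
    ])
    # SHA-1 signatures are rejected by current TLS clients.
    ca.sign(key, 'sha256')

    with open(cert_path, "wt") as f:
        f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
    os.chmod(cert_path, 0o660)

    # Create the key file with 0600 from the start so it is never exposed
    # through the process umask; re-assert the mode in case the file existed.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wt") as f:
        f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
    os.chmod(key_path, 0o600)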
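def gencert(self, name, vars, hostname):
    """Generate a key pair and a certificate signed by this host's genesis CA.

    Args:
        name: certificate identifier supplied by the caller; not consumed in
            this block.
        vars: form-style object whose getvalue(field, default) supplies the
            optional subject fields certcountry/certsp/certlocale/certcn/
            certemail. These are caller/user supplied.
        hostname: selects the CA pair under /etc/ssl/{certs,private}/genesis/ca/.
            It is spliced into file paths, so it must be a plain file-name
            component.

    Key type and length come from self.app.get_config(self).keytype /
    .keylength ('DSA' selects DSA, anything else RSA).

    Raises:
        SystemTimeError: if the clock offset cannot be read ('UNKNOWN') or is
            more than an hour off (the offset itself).
        ValueError: if hostname is not a safe file-name component.
        Exception: if the CA pair on disk is incomplete, or if key/certificate
            generation fails (wrapped with a descriptive message).

    Fixes relative to the original: the bad-offset SystemTimeError is no
    longer swallowed by a bare except and replaced with 'UNKNOWN'; a CA with
    only one of its two files present is reported instead of crashing in
    load_*; the certificate is X.509 v3 (set_version is zero-based) with an
    explicit CA:FALSE constraint and a SHA-256 signature; file handles are
    closed; the private directory is created with mode 0700.
    """
    # Make sure our folders are in place
    if not os.path.exists('/etc/ssl/certs/genesis'):
        os.mkdir('/etc/ssl/certs/genesis')
    if not os.path.exists('/etc/ssl/private/genesis'):
        os.mkdir('/etc/ssl/private/genesis', 0o700)

    # If system time is way off, raise an error. Only the lookup is guarded:
    # a bare except around the comparison turned a known offset into 'UNKNOWN'.
    try:
        st = SystemTime.get_offset()
    except Exception:
        raise SystemTimeError('UNKNOWN')
    if st < -3600 or st > 3600:
        raise SystemTimeError(st)

    # hostname is used verbatim as a path component; refuse anything that
    # could escape the CA directory.
    if (not hostname or hostname in ('.', '..') or os.sep in hostname
            or (os.altsep and os.altsep in hostname)):
        raise ValueError('invalid hostname for CA file name: %r' % (hostname,))

    # Check to see that we have a CA ready
    ca_cert_path = os.path.join('/etc/ssl/certs/genesis/ca', hostname + '.pem')
    ca_key_path = os.path.join('/etc/ssl/private/genesis/ca', hostname + '.key')
    have_cert = os.path.exists(ca_cert_path)
    have_key = os.path.exists(ca_key_path)
    if not have_cert and not have_key:
        self.create_authority(hostname)
    elif have_cert != have_key:
        # Regenerating here would silently orphan every certificate already
        # issued under the old CA, so refuse with a clear message instead.
        raise Exception('CA for %s is incomplete: expected both %s and %s'
                        % (hostname, ca_cert_path, ca_key_path))
    with open(ca_cert_path) as f:
        ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read())
    with open(ca_key_path) as f:
        ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read())

    # Generate a key, then use it to sign a new cert
    # We'll use 2048-bit RSA until pyOpenSSL supports ECC
    cfg = self.app.get_config(self)
    key_type = OpenSSL.crypto.TYPE_DSA if cfg.keytype == 'DSA' else OpenSSL.crypto.TYPE_RSA
    key_bits = int(cfg.keylength)
    try:
        key = OpenSSL.crypto.PKey()
        key.generate_key(key_type, key_bits)

        crt = OpenSSL.crypto.X509()
        crt.set_version(2)  # X.509 v3 -- pyOpenSSL/OpenSSL version numbers are zero-based
        subject = crt.get_subject()
        # Subject attribute order is preserved from the original (DN order
        # is part of the certificate).
        for field, attr in (('certcountry', 'C'), ('certsp', 'ST'),
                            ('certlocale', 'L'), ('certcn', 'CN'),
                            ('certemail', 'emailAddress')):
            value = vars.getvalue(field, '')
            if value:
                setattr(subject, attr, value)
        subject.O = 'arkOS Servers'
        # NOTE(review): serials must be unique per issuer; a clock-derived
        # serial collides if two certificates are issued within the same tick.
        crt.set_serial_number(int(SystemTime.get_serial_time()))
        crt.gmtime_adj_notBefore(0)
        # NOTE(review): two years exceeds the ~398-day leaf lifetime current
        # browsers accept; no subjectAltName is set either, and CN alone is
        # not used for host matching any more.
        crt.gmtime_adj_notAfter(2 * 365 * 24 * 60 * 60)
        crt.set_issuer(ca_cert.get_subject())
        crt.set_pubkey(key)
        # End-entity certificate: must not be usable to sign further certs.
        crt.add_extensions([
            OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:FALSE"),
        ])
        # SHA-1 signatures are rejected by current TLS clients.
        crt.sign(ca_key, 'sha256')
    except Exception as e:
        raise Exception('Error generating self-signed certificate: ' + str(e))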
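def gencert(self, name, vars, keytype, keylength, hostname):
    """Generate a key pair and a certificate signed by this host's genesis CA.

    Args:
        name: certificate identifier supplied by the caller; not consumed in
            this block.
        vars: form-style object whose getvalue(field, default) supplies the
            optional subject fields certcountry/certsp/certlocale/certcn/
            certemail. These are caller/user supplied.
        keytype: 'DSA' selects a DSA key; any other value selects RSA.
        keylength: key size in bits (converted with int()).
        hostname: selects the CA pair under /etc/ssl/{certs,private}/genesis/ca/.
            It is spliced into file paths, so it must be a plain file-name
            component.

    Raises:
        SystemTimeError: if the clock offset cannot be read ('UNKNOWN') or is
            more than an hour off (the offset itself).
        ValueError: if hostname is not a safe file-name component.
        Exception: if the CA pair on disk is incomplete, or if key/certificate
            generation fails (wrapped with a descriptive message).

    Fixes relative to the original: the bad-offset SystemTimeError is no
    longer swallowed by a bare except and replaced with 'UNKNOWN'; a CA with
    only one of its two files present is reported instead of crashing in
    load_*; the certificate is X.509 v3 (set_version is zero-based) with an
    explicit CA:FALSE constraint and a SHA-256 signature; file handles are
    closed; the private directory is created with mode 0700.
    """
    # Make sure our folders are in place
    if not os.path.exists('/etc/ssl/certs/genesis'):
        os.mkdir('/etc/ssl/certs/genesis')
    if not os.path.exists('/etc/ssl/private/genesis'):
        os.mkdir('/etc/ssl/private/genesis', 0o700)

    # If system time is way off, raise an error. Only the lookup is guarded:
    # a bare except around the comparison turned a known offset into 'UNKNOWN'.
    try:
        st = SystemTime.get_offset()
    except Exception:
        raise SystemTimeError('UNKNOWN')
    if st < -3600 or st > 3600:
        raise SystemTimeError(st)

    # hostname is used verbatim as a path component; refuse anything that
    # could escape the CA directory.
    if (not hostname or hostname in ('.', '..') or os.sep in hostname
            or (os.altsep and os.altsep in hostname)):
        raise ValueError('invalid hostname for CA file name: %r' % (hostname,))

    # Check to see that we have a CA ready
    ca_cert_path = os.path.join('/etc/ssl/certs/genesis/ca', hostname + '.pem')
    ca_key_path = os.path.join('/etc/ssl/private/genesis/ca', hostname + '.key')
    have_cert = os.path.exists(ca_cert_path)
    have_key = os.path.exists(ca_key_path)
    if not have_cert and not have_key:
        self.create_authority(hostname)
    elif have_cert != have_key:
        # Regenerating here would silently orphan every certificate already
        # issued under the old CA, so refuse with a clear message instead.
        raise Exception('CA for %s is incomplete: expected both %s and %s'
                        % (hostname, ca_cert_path, ca_key_path))
    with open(ca_cert_path) as f:
        ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read())
    with open(ca_key_path) as f:
        ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read())

    # Generate a key, then use it to sign a new cert
    # We'll use 2048-bit RSA until pyOpenSSL supports ECC
    key_type = OpenSSL.crypto.TYPE_DSA if keytype == 'DSA' else OpenSSL.crypto.TYPE_RSA
    key_bits = int(keylength)
    try:
        key = OpenSSL.crypto.PKey()
        key.generate_key(key_type, key_bits)

        crt = OpenSSL.crypto.X509()
        crt.set_version(2)  # X.509 v3 -- pyOpenSSL/OpenSSL version numbers are zero-based
        subject = crt.get_subject()
        # Subject attribute order is preserved from the original (DN order
        # is part of the certificate).
        for field, attr in (('certcountry', 'C'), ('certsp', 'ST'),
                            ('certlocale', 'L'), ('certcn', 'CN'),
                            ('certemail', 'emailAddress')):
            value = vars.getvalue(field, '')
            if value:
                setattr(subject, attr, value)
        subject.O = 'arkOS Servers'
        # NOTE(review): serials must be unique per issuer; a clock-derived
        # serial collides if two certificates are issued within the same tick.
        crt.set_serial_number(int(SystemTime.get_serial_time()))
        crt.gmtime_adj_notBefore(0)
        # NOTE(review): two years exceeds the ~398-day leaf lifetime current
        # browsers accept; no subjectAltName is set either, and CN alone is
        # not used for host matching any more.
        crt.gmtime_adj_notAfter(2 * 365 * 24 * 60 * 60)
        crt.set_issuer(ca_cert.get_subject())
        crt.set_pubkey(key)
        # End-entity certificate: must not be usable to sign further certs.
        crt.add_extensions([
            OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:FALSE"),
        ])
        # SHA-1 signatures are rejected by current TLS clients.
        crt.sign(ca_key, 'sha256')
    except Exception as e:
        raise Exception('Error generating self-signed certificate: ' + str(e))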