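def _write_protected(path, data, mode):
    """Write *data* to *path*, creating the file with permission bits *mode*.

    The file is created through ``os.open`` so the requested mode applies
    from the moment it exists, instead of a separate ``chmod`` after the
    write that leaves a window with umask-default permissions. Because
    ``os.open`` still honours the umask, a final ``chmod`` enforces *mode*
    exactly.

    Args:
        path: Destination file path; truncated if it already exists.
        data: Text to write (the PEM dump returned by pyOpenSSL).
        mode: Permission bits, e.g. ``0o640``.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wt") as f:
        f.write(data)
    os.chmod(path, mode)


def generate_authority(domain):
    """Create a self-signed X.509v3 certificate authority for *domain*.

    A 2048-bit RSA key and a CA certificate valid for five years are
    generated, written to the configured ``ca_cert_dir`` / ``ca_key_dir``
    as ``<domain>.pem`` and ``<domain>.key``, and the resulting
    ``CertificateAuthority`` record is added to ``storage.certs``.

    Args:
        domain: Base host name used as the CA's common name and as the
            file stem of the certificate and key files.

    Returns:
        The stored ``CertificateAuthority`` object, with ``expiry`` set to
        the certificate's notAfter value.

    Raises:
        ValueError: If *domain* is empty or would resolve outside the
            configured directories (contains a path separator, or is a
            relative-path component such as ``..``).
    """
    # The domain becomes a file name; refuse anything that could escape the
    # configured directory, since it may originate from user input.
    if not domain or os.path.basename(domain) != domain or domain in (".", ".."):
        raise ValueError("Invalid authority domain: %r" % (domain,))

    ca = CertificateAuthority(
        id=domain,
        cert_path=os.path.join(config.get("certificates", "ca_cert_dir"), domain + ".pem"),
        key_path=os.path.join(config.get("certificates", "ca_key_dir"), domain + ".key"))

    # Generate the CA key pair and a self-signed certificate.
    key = OpenSSL.crypto.PKey()
    key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
    crt = OpenSSL.crypto.X509()
    # pyOpenSSL's version field is zero-based: 2 selects X.509v3, which is
    # the version that permits the extensions added below.
    crt.set_version(2)
    crt.set_serial_number(int(systemtime.get_serial_time()))
    crt.get_subject().O = "arkOS Servers"
    crt.get_subject().CN = domain
    crt.gmtime_adj_notBefore(0)
    crt.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)  # five years, in seconds
    crt.set_issuer(crt.get_subject())  # self-signed: issuer == subject
    crt.set_pubkey(key)
    crt.add_extensions([
        # A CA that may only issue end-entity certificates (no sub-CAs).
        OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
        OpenSSL.crypto.X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
        OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=crt),
    ])
    crt.sign(key, "sha256")

    # Persist both files. The certificate keeps its 0660 mode; the private
    # key keeps group read to mirror the certificate's group access but is
    # never world-readable, and its mode is set at creation time.
    _write_protected(
        ca.cert_path,
        OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, crt),
        0o660)
    _write_protected(
        ca.key_path,
        OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key),
        0o640)
    ca.expiry = crt.get_notAfter()
    storage.certs.add("authorities", ca)
    return ca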
def generate_certificate(
        id, domain, country, state="", locale="", email="", keytype="RSA",
        keylength=2048, message=DefaultMessage()):
    signals.emit("certificates", "pre_add", id)

    # Check to see that we have a CA ready; if not, generate one
    basehost = ".".join(domain.split(".")[-2:])
    ca = get_authorities(id=basehost)
    if not ca:
        message.update("info", "Generating certificate authority...")
        ca = generate_authority(basehost)
    with open(ca.cert_path, "r") as f:
        ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read())
    with open(ca.key_path, "r") as f:
        ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read())

    # Check to see that we have DH params, if not then do that too
    if not os.path.exists("/etc/arkos/ssl/dh_params.pem"):
        message.update("info", "Generating Diffie-Hellman parameters...")
        s = shell("openssl dhparam 2048 -out /etc/arkos/ssl/dh_params.pem")
        if s["code"] != 0:
            raise Exception("Failed to generate Diffie-Hellman parameters")
        os.chown("/etc/arkos/ssl/dh_params.pem", -1, gid)
        os.chmod("/etc/arkos/ssl/dh_params.pem", 0750)

    # Generate private key and create X509 certificate, then set options
    message.update("info", "Generating certificate...")
    kt = OpenSSL.crypto.TYPE_DSA if keytype == "DSA" else OpenSSL.crypto.TYPE_RSA
    try:
        key = OpenSSL.crypto.PKey()
        key.generate_key(kt, keylength)
        crt = OpenSSL.crypto.X509()
        crt.set_version(3)
        crt.get_subject().C = country
        crt.get_subject().CN = domain
        if state:
            crt.get_subject().ST = state
        if locale:
            crt.get_subject().L = locale
        if email:
            crt.get_subject().emailAddress = email
        crt.get_subject().O = "arkOS Servers"
        crt.set_serial_number(int(systemtime.get_serial_time()))
        crt.gmtime_adj_notBefore(0)
        crt.gmtime_adj_notAfter(2*365*24*60*60)
        crt.set_issuer(ca_cert.get_subject())
        crt.set_pubkey(key)
        crt.sign(ca_key, "sha256")
    except Exception, e:
        raise Exception("Error generating self-signed certificate: "+str(e))