def generate_cert_for_host(self, host): cert = crypto.X509() cert.set_serial_number(self.serial_number) self.serial_number += 1 cert.set_issuer(self.master_cert.get_subject()) subject = crypto.X509Name(self.master_cert_req.get_subject()) subject.commonName = host cert.set_subject(subject) cert.set_pubkey(self.master_cert.get_pubkey()) today = datetime.datetime.today() before = today - datetime.timedelta(days=365) after = today + datetime.timedelta(days=365) if hasattr(cert, 'set_notBefore'): cert.set_notBefore(before.strftime('%Y%m%d%H%M%SZ')) cert.set_notAfter(after.strftime('%Y%m%d%H%M%SZ')) else: cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60*60*24*365*10) cert.sign(self.master_key, self.default_digest) return cert
def verify_cb(conn, cert, errnum, depth, ok): certsubject = crypto.X509Name(cert.get_subject()) commonname = certsubject.commonName if pinnedcertificate is not None: # check pinned certificate if depth == 0: # load certificate cert_hash = cert.digest("sha256") return (pinned_cert_hash == cert_hash) else: return True else: # check crl if crlfile is not None: serial_number_to_hex_str = str( format(cert.get_serial_number(), 'X')) for revoke in crl_list: if revoke.get_serial() == serial_number_to_hex_str: return False # allow expired certificate if allow_stale_certs_num is not None and errnum == 10: expired_time = datetime.datetime.strptime(cert.get_notAfter(), "%Y%m%d%H%M%SZ") new_time = expired_time + datetime.timedelta( days=allow_stale_certs_num) return new_time > datetime.datetime.utcnow() # Nothing is detected if ok and errnum == 0: return True else: return False
def getX509Name(certificate, get_components=False): """Get the DER-encoded form of the Name fields of an X509 certificate. @param certificate: A :class:`OpenSSL.crypto.X509Name` object. @param get_components: A boolean. If True, returns a list of tuples of the (name, value)s of each Name field in the :param:`certificate`. If False, returns the DER encoded form of the Name fields of the :param:`certificate`. """ x509_name = None try: assert isinstance(certificate, crypto.X509Name), \ "getX509Name takes OpenSSL.crypto.X509Name as first argument!" x509_name = crypto.X509Name(certificate) except AssertionError as ae: log.err(ae) except Exception as exc: log.exception(exc) if not x509_name is None: if not get_components: return x509_name.der() else: return x509_name.get_components() else: log.debug("getX509Name: got None for ivar x509_name")
def __verify_mfr_starttime_orgname(self, is_gcp): """Verify the validity start time and organization name in Mfr CVC. :is_gcp: :return: True or False """ if self.mfr_cvc == None: # pragma: no cover self.verify_result = SsdVerifyResult.ERROR_GCP_MISS_MFR_CVC return False notBefore = self.mfr_cvc.get_notBefore() # Check the organization name ou = c.X509Name(self.mfr_cvc.get_subject()) org_name = ou.organizationName if self.mfr_org_name != org_name: self.verify_result = SsdVerifyResult.ERROR_CVC_MFR_NAME_MISMATCH return False # AssumecvcAccessStart as ASN.1 GENERALIZEDTIME, YYYYMMDDHH[MM[SS[.fff]]]Z if self.__parse_datetime(self.mfr_cvcAccessStart) > self.__parse_datetime(notBefore): if is_gcp == True: self.verify_result = SsdVerifyResult.ERROR_CVC_MFR_VALIDITY_TIME_LESS_THAN_RPD else: self.verify_result = SsdVerifyResult.ERROR_PKCS_MFR_VALIDITY_TIME_LESS_THAN_RPD return False return True
def sign(pkey, p_ca_pem, p_ca_key, commonName, days, emailAddress=None, altName=None, userid=None): serial = _next_serial_number() ca_pem = p_ca_pem and file(p_ca_pem).read() or CA_CER ca_x509 = crypto.load_certificate(crypto.FILETYPE_PEM, ca_pem) ca_subj = ca_x509.get_subject() ca_pkey = p_ca_key and file(p_ca_key).read() or CA_KEY ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_pkey) # create client X509 certificate x509 = crypto.X509() # 0x0:v1, 0x1:v2, 0x2:v3 x509.set_version(2) x509.set_serial_number(serial) x509.set_issuer(ca_subj) # overload CAs subject and add extensions subj = crypto.X509Name(ca_subj) subj.CN = commonName x509.set_subject(subj) x509.add_extensions(CLIENT_EXTENSIONS) if altName: x509.add_extensions((crypto.X509Extension('subjectAltName', False, 'URI:' + altName), )) # x509 validity starts at present x509.gmtime_adj_notBefore(0) # and ends before CA expires x509.gmtime_adj_notAfter(days * 24 * 3600) #if asn1time(x509.get_notAfter()) > asn1time(ca_x509.get_notAfter()): # x509.set_notAfter(ca_x509.get_notAfter()) # insert public key x509.set_pubkey(pkey) # add identifiers x509.add_extensions(( crypto.X509Extension('subjectKeyIdentifier', False, 'hash', subject=x509), crypto.X509Extension('authorityKeyIdentifier', False, 'keyid', issuer=ca_x509), )) # sign with CA private key x509.sign(ca_key, 'sha1') return x509
def examine_certificate(arg_conn, arg_cert, arg_errnum, arg_depth, arg_ok): """ Examine the incoming client certificate. """ subject = crypto.X509Name(arg_cert.get_subject()) common_name = subject.commonName util.logger("Received certificate from client CN={%s}, depth={%d}", common_name, arg_depth) return 1
def verify_cb(conn, cert, errnum, depth, ok): certsubject = crypto.X509Name(cert.get_subject()) commonname = certsubject.commonName print '\n---------------------------------Certificate information---------------------------------\n' print 'Common name: ', commonname + '\n' print 'Country name: ', certsubject.countryName + '\n' print 'Locality Name: ', certsubject.localityName + '\n' print 'Email Address: ', certsubject.emailAddress + '\n' print '------------------------------------------------------------------------------------------\n' return ok
def examine_certificate(arg_conn, arg_cert, arg_errnum, arg_depth, arg_okay): """ Examine the incoming server certificate Unused input: arg_conn, arg_errnum, arg_okay """ subject = crypto.X509Name(arg_cert.get_subject()) common_name = subject.commonName util.logger("Received certificate from server CN={%s}, depth={%d}", common_name, arg_depth) return 1
def generateSelfSigned(folderpath=None, certname=None, keysize=4096, cn="*.maas", user=None, group=None, mode=None): key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, keysize) cert = crypto.X509() serNum = 0 valSecs = 10 * 365 * 24 * 60 * 60 x509name = crypto.X509Name(crypto.X509().get_subject()) x509name.countryName = "UK" x509name.stateOrProvinceName = "London" x509name.organizationName = "TestWandUbuntu" x509name.organizationalUnitName = "WandLib" x509name.commonName = cn or "*.example.com" cert.set_subject(x509name) cert.set_serial_number(serNum) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(valSecs) cert.set_pubkey(key) issuerName = crypto.X509Name(x509name) cert.set_issuer(issuerName) cert.sign(key, 'sha512') cname = certname or genRandomPassword(6) folder = folderpath or "/tmp" with open(os.path.join(folder, cname + ".crt"), "w") as f: f.write( crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8")) f.close() with open(os.path.join(folder, cname + ".key"), "w") as f: f.write( crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode("utf-8")) f.close() if user and group: setFilePermissions(os.path.join(folder, cname + ".crt"), user, group, mode) setFilePermissions(os.path.join(folder, cname + ".key"), user, group, mode) return (crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8"), crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode("utf-8"))
def __verify_mso_starttime_orgname(self, is_gcp): """Verify the validity start time and organization name in co-signer CVC. :is_gcp: :return: True or False """ if self.mso_cvc == None: # pragma: no cover self.verify_result = SsdVerifyResult.ERROR_GCP_MISS_CO_CVC return False notBefore = self.mso_cvc.get_notBefore() # Check the organization name ou = c.X509Name(self.mso_cvc.get_subject()) org_name = ou.organizationName # should we return false if the mso_org_name doesn't exist if self.mso_org_name != None and self.mso_org_name != org_name: self.verify_result = SsdVerifyResult.ERROR_CVC_CO_NAME_MISMATCH return False else: # Give an initial value self.mso_org_name = org_name # AssumecvcAccessStart as ASN.1 GENERALIZEDTIME if self.mso_cvcAccessStart != None: if self.__parse_datetime(self.mso_cvcAccessStart) > self.__parse_datetime(notBefore): if is_gcp == True: self.verify_result = SsdVerifyResult.ERROR_CVC_CO_VALIDITY_TIME_LESS_THAN_RPD else: self.verify_result = SsdVerifyResult.ERROR_PKCS_CO_VALIDITY_TIME_LESS_THAN_RPD return False else: # Give an initial vaue self.mso_cvcAccessStart = notBefore self.mso_codeAccessStart = notBefore self.new_mso_codeAccessStart = notBefore self.new_mso_cvcAccessStart = notBefore return True
def createCert(host, digest='sha1'): cert = crypto.X509() # 得到一个X509对象 cert.set_version(0) cert.set_serial_number( int(time.time() * 10000000) ) # 序号,不重复即可。 #证书有效与过期时间 cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(EXPIRE_DELAY ) cert.set_issuer(CA[0].get_subject() ) # 得到CA的信息 subjects = crypto.X509Name(CERT_SUBJECTS) subjects.O = host subjects.CN = host cert.set_subject(subjects) pubkey = createPKey() cert.set_pubkey(pubkey) cert.sign(CA[1], digest) return (dumpPEM(cert, 0), dumpPEM(pubkey, 1))
def get_cert(): from binascii import b2a_base64 as to_base64 from OpenSSL import crypto from fluxmonitor.storage import Storage s = Storage("security", "private") try: key = crypto.load_privatekey(crypto.FILETYPE_PEM, s["sslkey.pem"]) except (crypto.Error, TypeError): pkey = get_private_key() s["sslkey.pem"] = pem = pkey.export_pem() key = crypto.load_privatekey(crypto.FILETYPE_PEM, pem) try: cert = crypto.load_certificate(crypto.FILETYPE_PEM, s["cert2.pem"]) except (crypto.Error, TypeError): issuersubj = crypto.X509Name(crypto.X509().get_subject()) issuersubj.C = "TW" issuersubj.L = "Taipei" issuersubj.O = "FLUX Inc." cert = crypto.X509() subj = cert.get_subject() subj.O = "FLUX 3D Delta Printer" subj.CN = (get_uuid() + ":" + get_serial() + ":") ext = crypto.X509Extension("nsComment", True, to_base64(get_identify())) cert.add_extensions((ext, )) cert.set_serial_number(1001) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 365 * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.sign(key, 'sha512') s["cert2.pem"] = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) return s.get_path("cert2.pem"), s.get_path("sslkey.pem")
import logging import time import os try: from OpenSSL import crypto except ImportError: logging.error('You should install `OpenSSL`, run `sudo pip install pyopenssl` or other command depends on your system.') sys.exit(-1) CA = None CALock = threading.Lock() EXPIRE_DELAY = 60*60*24*365*10 # 10 years CERT_SUBJECTS = crypto.X509Name(crypto.X509().get_subject()) CERT_SUBJECTS.C = 'CN' CERT_SUBJECTS.ST = 'SiChuan' CERT_SUBJECTS.L = 'SiChuan Univ.' CERT_SUBJECTS.OU = 'KeepAgent Branch' CA_SUBJECTS = crypto.X509Name(CERT_SUBJECTS) CA_SUBJECTS.OU = 'KeepAgent Root' CA_SUBJECTS.O = 'KeepAgent' CA_SUBJECTS.CN = 'KeepAgent CA' def readBinFile(filename): with open(filename, 'rb') as f: content = f.read() return content
def _verify_cert(self, conn, cert, errnum, depth, ok): certsubject = crypto.X509Name(cert.get_subject()) commonname = certsubject.commonName return ok
def _VerifyCb(conn, cert, errnum, depth, ok): certsubject = crypto.X509Name(cert.get_subject()) commonname = certsubject.commonName logging.debug('TLS handshake verify: certificate: %s -> %d', commonname, ok) return ok
def verify_cb(conn, cert, errnum, depth, ok): certsubject = crypto.X509Name(cert.get_subject()) CN = cert.get_issuer().commonName if 'CA_COMMON_NAME' in config['CERTIFICATE']: CA_COMMON_NAME = config['CERTIFICATE']['CA_COMMON_NAME'] if not CA_COMMON_NAME: CA_COMMON_NAME = None else: warn = '请在初始化文件config.ini中加入字段CA_COMMON_NAME以验证证书!' box.showwarning(title='初始化错误', message=warn, parent=root) return False if depth == 1: if CN != CA_COMMON_NAME: return False elif depth == 0: if 'CERTIFICATE' not in config: warn = '请在初始化文件config.ini中加入字段[CERTIFICATE]!' box.showwarning(title='初始化错误', message=warn, parent=root) return if 'SERIAL_NUMBER' in config['CERTIFICATE']: SERIAL_NUMBER = config['CERTIFICATE']['SERIAL_NUMBER'] try: SERIAL_NUMBER = int(SERIAL_NUMBER, 16) except: warn = '请以16进制的形式输入SERIAL_NUMBER!' box.showwarning(title='初始化错误', message=warn, parent=root) return False else: warn = '请在初始化文件config.ini中加入字段SERIAL_NUMBER以验证证书序列号!' box.showwarning(title='初始化错误', message=warn, parent=root) return False if 'COMMON_NAME' in config['CERTIFICATE']: COMMON_NAME = config['CERTIFICATE']['COMMON_NAME'] if not COMMON_NAME: COMMON_NAME = None else: warn = '请在初始化文件config.ini中加入字段COMMON_NAME以验证证书!' box.showwarning(title='初始化错误', message=warn, parent=root) return False if 'ORGANIZATIONAL_UNIT_NAME' in config['CERTIFICATE']: ORGANIZATIONAL_UNIT_NAME = config['CERTIFICATE'][ 'ORGANIZATIONAL_UNIT_NAME'] if not ORGANIZATIONAL_UNIT_NAME: ORGANIZATIONAL_UNIT_NAME = None else: warn = '请在初始化文件config.ini中加入字段ORGANIZATIONAL_UNIT_NAME以验证证书!' box.showwarning(title='初始化错误', message=warn, parent=root) return False if 'ORGANIZATION_NAME' in config['CERTIFICATE']: ORGANIZATION_NAME = config['CERTIFICATE']['ORGANIZATION_NAME'] if not ORGANIZATION_NAME: ORGANIZATION_NAME = None else: warn = '请在初始化文件config.ini中加入字段ORGANIZATION_NAME以验证证书!' box.showwarning(title='初始化错误', message=warn, parent=root) return False if 'STATE_OR_PROVINCE_NAME' in config['CERTIFICATE']: STATE_OR_PROVINCE_NAME = config['CERTIFICATE'][ 'STATE_OR_PROVINCE_NAME'] if not STATE_OR_PROVINCE_NAME: STATE_OR_PROVINCE_NAME = None else: warn = '请在初始化文件config.ini中加入字段STATE_OR_PROVINCE_NAME以验证证书!' box.showwarning(title='初始化错误', message=warn, parent=root) return False if 'COUNTRY_NAME' in config['CERTIFICATE']: COUNTRY_NAME = config['CERTIFICATE']['COUNTRY_NAME'] if not COUNTRY_NAME: COUNTRY_NAME = None else: warn = '请在初始化文件config.ini中加入字段COUNTRY_NAME以验证证书!' box.showwarning(title='初始化错误', message=warn, parent=root) return False if 'LOCALITY_NAME' in config['CERTIFICATE']: LOCALITY_NAME = config['CERTIFICATE']['LOCALITY_NAME'] if not LOCALITY_NAME: LOCALITY_NAME = None else: warn = '请在初始化文件config.ini中加入字段LOCALITY_NAME以验证证书!' box.showwarning(title='初始化错误', message=warn, parent=root) return False if 'EMAIL_ADDRESS' in config['CERTIFICATE']: EMAIL_ADDRESS = config['CERTIFICATE']['EMAIL_ADDRESS'] if not EMAIL_ADDRESS: EMAIL_ADDRESS = None else: warn = '请在初始化文件config.ini中加入字段EMAIL_ADDRESS以验证证书!' box.showwarning(title='初始化错误', message=warn, parent=root) return False CN = certsubject.commonName OU = certsubject.organizationalUnitName O = certsubject.organizationName S = certsubject.stateOrProvinceName C = certsubject.countryName L = certsubject.localityName EMail = certsubject.emailAddress if CN != COMMON_NAME or OU != ORGANIZATIONAL_UNIT_NAME or\ O != ORGANIZATION_NAME or S != STATE_OR_PROVINCE_NAME or\ C != COUNTRY_NAME or L != LOCALITY_NAME or EMail != EMAIL_ADDRESS: return False if cert.get_serial_number() != SERIAL_NUMBER: return False if cert.has_expired(): return False return ok
def examine_certificate(conn, cert, errnum, depth, ok): subject = crypto.X509Name(cert.get_subject()) common_name = subject.commonName util.logger("Received certificate from client CN={%s}, depth={%d}", common_name, depth) return ok
def verify_cb(conn, cert, errnum, depth, ok): certsubject = crypto.X509Name(cert.get_subject()) commonname = certsubject.commonName print 'C> GOT CERT: %s' % cert.get_subject() return ok
def verify_cb(conn, cert, errnum, depth, ok): certsubject = crypto.X509Name(cert.get_subject()) commonname = certsubject.commonName print('Got certificate: ' + commonname) return ok
def get_imovies_name(self): name = crypto.X509Name(crypto.X509().get_subject()) name.O = "Imovies" return name