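	def create_authority(self, hostname):
		"""Create a self-signed root CA for *hostname* and store it on disk.

		Writes the certificate to ``/etc/ssl/certs/genesis/ca/<hostname>.pem``
		(mode 0660) and the unencrypted private key to
		``/etc/ssl/private/genesis/ca/<hostname>.key`` (mode 0600).

		Args:
			hostname: Used as the CA subject CN and as the file basename.
				NOTE(review): it becomes a path component; callers are assumed
				to pass a validated hostname — confirm at the call site.
		"""
		cert_dir = '/etc/ssl/certs/genesis/ca'
		key_dir = '/etc/ssl/private/genesis/ca'
		cert_path = os.path.join(cert_dir, hostname + '.pem')
		key_path = os.path.join(key_dir, hostname + '.key')

		# Callers may only have created the parent 'genesis' directories;
		# make sure the 'ca' subdirectories exist before writing into them.
		for directory in (cert_dir, key_dir):
			if not os.path.isdir(directory):
				os.makedirs(directory)

		key = OpenSSL.crypto.PKey()
		key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)

		ca = OpenSSL.crypto.X509()
		# X.509 versions are zero-based in OpenSSL: v3 is encoded as 2.
		ca.set_version(2)
		ca.set_serial_number(int(SystemTime.get_serial_time()))
		ca.get_subject().O = 'arkOS Servers'
		ca.get_subject().CN = hostname
		ca.gmtime_adj_notBefore(0)
		ca.gmtime_adj_notAfter(5*365*24*60*60)  # valid for five years
		ca.set_issuer(ca.get_subject())  # self-signed: issuer == subject
		ca.set_pubkey(key)
		ca.add_extensions([
			OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
			OpenSSL.crypto.X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
			OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca),
		])
		# SHA-1 signatures are rejected by current clients; sign with SHA-256.
		ca.sign(key, 'sha256')

		with open(cert_path, "wb") as cert_file:
			cert_file.write(
				OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
		os.chmod(cert_path, 0o660)

		# Create the key file owner-only from the start so it is never exposed
		# under the default umask; the chmod also tightens a pre-existing file.
		fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
		with os.fdopen(fd, "wb") as key_file:
			key_file.write(
				OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
		os.chmod(key_path, 0o600)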
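    def create_authority(self, hostname):
        """Create a self-signed root CA for *hostname* and store it on disk.

        Writes the certificate to ``/etc/ssl/certs/genesis/ca/<hostname>.pem``
        (mode 0660) and the unencrypted private key to
        ``/etc/ssl/private/genesis/ca/<hostname>.key`` (mode 0600).

        Args:
            hostname: Used as the CA subject CN and as the file basename.
                NOTE(review): it becomes a path component; callers are
                assumed to pass a validated hostname — confirm at the caller.
        """
        cert_dir = '/etc/ssl/certs/genesis/ca'
        key_dir = '/etc/ssl/private/genesis/ca'
        cert_path = os.path.join(cert_dir, hostname + '.pem')
        key_path = os.path.join(key_dir, hostname + '.key')

        # Callers may only have created the parent 'genesis' directories;
        # make sure the 'ca' subdirectories exist before writing into them.
        for directory in (cert_dir, key_dir):
            if not os.path.isdir(directory):
                os.makedirs(directory)

        key = OpenSSL.crypto.PKey()
        key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)

        ca = OpenSSL.crypto.X509()
        # X.509 versions are zero-based in OpenSSL: v3 is encoded as 2.
        ca.set_version(2)
        ca.set_serial_number(int(SystemTime.get_serial_time()))
        ca.get_subject().O = 'arkOS Servers'
        ca.get_subject().CN = hostname
        ca.gmtime_adj_notBefore(0)
        ca.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)  # valid for five years
        ca.set_issuer(ca.get_subject())  # self-signed: issuer == subject
        ca.set_pubkey(key)
        ca.add_extensions([
            OpenSSL.crypto.X509Extension("basicConstraints", True,
                                         "CA:TRUE, pathlen:0"),
            OpenSSL.crypto.X509Extension("keyUsage", True,
                                         "keyCertSign, cRLSign"),
            OpenSSL.crypto.X509Extension("subjectKeyIdentifier",
                                         False,
                                         "hash",
                                         subject=ca),
        ])
        # SHA-1 signatures are rejected by current clients; sign with SHA-256.
        ca.sign(key, 'sha256')

        with open(cert_path, "wb") as cert_file:
            cert_file.write(
                OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, ca))
        os.chmod(cert_path, 0o660)

        # Create the key file owner-only from the start so it is never exposed
        # under the default umask; the chmod also tightens a pre-existing file.
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as key_file:
            key_file.write(
                OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
        os.chmod(key_path, 0o600)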
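    def gencert(self, name, vars, hostname):
        """Generate a key pair and a certificate signed by the local CA.

        The CA for *hostname* is created on demand via ``create_authority``.
        Key type and length come from ``self.app.get_config(self)``.

        Args:
            name: Not used by the code shown here.
            vars: Form values; subject fields are read with ``vars.getvalue``.
            hostname: Selects the CA certificate and key under
                ``/etc/ssl/{certs,private}/genesis/ca/``.

        Raises:
            SystemTimeError: if the clock offset cannot be read, or is more
                than an hour off (a skewed clock yields a certificate whose
                validity window is wrong).
            Exception: wrapping any error raised while generating or signing.

        NOTE(review): the listing ends right after signing; ``crt`` and
        ``key`` are not persisted in the code shown — confirm the remainder
        of the method.
        """
        # Make sure our folders are in place, including the 'ca' subfolders
        # that create_authority writes into.
        for directory in ('/etc/ssl/certs/genesis/ca',
                          '/etc/ssl/private/genesis/ca'):
            if not os.path.isdir(directory):
                os.makedirs(directory)

        # If system time is way off, raise an error. Only the lookup is
        # guarded, so a real offset reaches the caller instead of 'UNKNOWN'.
        try:
            st = SystemTime.get_offset()
            skewed = abs(st) > 3600
        except Exception:
            raise SystemTimeError('UNKNOWN')
        if skewed:
            raise SystemTimeError(st)

        # Check to see that we have a CA ready; if either half is missing the
        # pair is unusable, so regenerate both.
        ca_cert_path = '/etc/ssl/certs/genesis/ca/' + hostname + '.pem'
        ca_key_path = '/etc/ssl/private/genesis/ca/' + hostname + '.key'
        if not os.path.exists(ca_cert_path) or not os.path.exists(ca_key_path):
            self.create_authority(hostname)
        with open(ca_cert_path, 'rb') as cert_file:
            ca_cert = OpenSSL.crypto.load_certificate(
                OpenSSL.crypto.FILETYPE_PEM, cert_file.read())
        with open(ca_key_path, 'rb') as key_file:
            ca_key = OpenSSL.crypto.load_privatekey(
                OpenSSL.crypto.FILETYPE_PEM, key_file.read())

        # Generate a key, then use it to sign a new cert
        # We'll use 2048-bit RSA until pyOpenSSL supports ECC
        config = self.app.get_config(self)
        keytype = (OpenSSL.crypto.TYPE_DSA if config.keytype == 'DSA'
                   else OpenSSL.crypto.TYPE_RSA)
        keylength = int(config.keylength)

        # Optional subject fields: (form field, X509Name attribute)
        subject_fields = (
            ('certcountry', 'C'),
            ('certsp', 'ST'),
            ('certlocale', 'L'),
            ('certcn', 'CN'),
            ('certemail', 'emailAddress'),
        )
        try:
            key = OpenSSL.crypto.PKey()
            key.generate_key(keytype, keylength)
            crt = OpenSSL.crypto.X509()
            # X.509 versions are zero-based in OpenSSL: v3 is encoded as 2.
            crt.set_version(2)
            subject = crt.get_subject()
            for field, attr in subject_fields:
                value = vars.getvalue(field, '')
                if value:
                    setattr(subject, attr, value)
            subject.O = 'arkOS Servers'
            crt.set_serial_number(int(SystemTime.get_serial_time()))
            crt.gmtime_adj_notBefore(0)
            crt.gmtime_adj_notAfter(2 * 365 * 24 * 60 * 60)  # two years
            crt.set_issuer(ca_cert.get_subject())
            crt.set_pubkey(key)
            # SHA-1 signatures are rejected by current clients; use SHA-256.
            crt.sign(ca_key, 'sha256')
        except Exception as e:
            raise Exception('Error generating self-signed certificate: ' +
                            str(e))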
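	def gencert(self, name, vars, keytype, keylength, hostname):
		"""Generate a key pair and a certificate signed by the local CA.

		The CA for *hostname* is created on demand via ``create_authority``.

		Args:
			name: Not used by the code shown here.
			vars: Form values; subject fields are read with ``vars.getvalue``.
			keytype: ``'DSA'`` selects a DSA key; anything else means RSA.
			keylength: Key size in bits (converted with ``int``).
			hostname: Selects the CA certificate and key under
				``/etc/ssl/{certs,private}/genesis/ca/``.

		Raises:
			SystemTimeError: if the clock offset cannot be read, or is more
				than an hour off (a skewed clock yields a certificate whose
				validity window is wrong).
			Exception: wrapping any error raised while generating or signing.

		NOTE(review): the listing ends right after signing; ``crt`` and
		``key`` are not persisted in the code shown — confirm the remainder
		of the method.
		"""
		# Make sure our folders are in place, including the 'ca' subfolders
		# that create_authority writes into.
		for directory in ('/etc/ssl/certs/genesis/ca', '/etc/ssl/private/genesis/ca'):
			if not os.path.isdir(directory):
				os.makedirs(directory)

		# If system time is way off, raise an error. Only the lookup is
		# guarded, so a real offset reaches the caller instead of 'UNKNOWN'.
		try:
			st = SystemTime.get_offset()
			skewed = abs(st) > 3600
		except Exception:
			raise SystemTimeError('UNKNOWN')
		if skewed:
			raise SystemTimeError(st)

		# Check to see that we have a CA ready; if either half is missing the
		# pair is unusable, so regenerate both.
		ca_cert_path = '/etc/ssl/certs/genesis/ca/'+hostname+'.pem'
		ca_key_path = '/etc/ssl/private/genesis/ca/'+hostname+'.key'
		if not os.path.exists(ca_cert_path) or not os.path.exists(ca_key_path):
			self.create_authority(hostname)
		with open(ca_cert_path, 'rb') as cert_file:
			ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_file.read())
		with open(ca_key_path, 'rb') as key_file:
			ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, key_file.read())

		# Generate a key, then use it to sign a new cert
		# We'll use 2048-bit RSA until pyOpenSSL supports ECC
		keytype = OpenSSL.crypto.TYPE_DSA if keytype == 'DSA' else OpenSSL.crypto.TYPE_RSA
		keylength = int(keylength)

		# Optional subject fields: (form field, X509Name attribute)
		subject_fields = (
			('certcountry', 'C'),
			('certsp', 'ST'),
			('certlocale', 'L'),
			('certcn', 'CN'),
			('certemail', 'emailAddress'),
		)
		try:
			key = OpenSSL.crypto.PKey()
			key.generate_key(keytype, keylength)
			crt = OpenSSL.crypto.X509()
			# X.509 versions are zero-based in OpenSSL: v3 is encoded as 2.
			crt.set_version(2)
			subject = crt.get_subject()
			for field, attr in subject_fields:
				value = vars.getvalue(field, '')
				if value:
					setattr(subject, attr, value)
			subject.O = 'arkOS Servers'
			crt.set_serial_number(int(SystemTime.get_serial_time()))
			crt.gmtime_adj_notBefore(0)
			crt.gmtime_adj_notAfter(2*365*24*60*60)  # two years
			crt.set_issuer(ca_cert.get_subject())
			crt.set_pubkey(key)
			# SHA-1 signatures are rejected by current clients; use SHA-256.
			crt.sign(ca_key, 'sha256')
		except Exception as e:
			raise Exception('Error generating self-signed certificate: '+str(e))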