def __init__(self, *args, **kargs):
CertificateFactory.__init__(self, *args, **kargs)
# Transform key/signature algorithm to suitable values for keytool
if not self.parent:
self.keyalg = self.keyalg.upper()
self.sigalg = self.sigalg.upper() + "with" + self.keyalg;
# Create the CA self-signed certificate
if not self.cacert.exists():
cacert = self.cacert
subAltName = cacert.getAlternativeName()
issuerAltName = self.parent.cacert.getAlternativeName() if self.parent else None
ext = "-ext bc:c" + \
((" -ext san=" + subAltName) if subAltName else "") + \
((" -ext ian=" + issuerAltName) if issuerAltName else "")
if not self.parent:
cacert.keyTool("genkeypair", ext, validity=self.validity, sigalg=self.sigalg)
else:
self.cacert = self.parent.cacert
cacert.keyTool("genkeypair")
pem = cacert.keyTool("gencert", ext, validity = self.validity, stdin=cacert.keyTool("certreq"))
chain = ""
parent = self.parent
while parent:
chain += d(read(parent.cacert.pem))
parent = parent.parent
cacert.keyTool("importcert", stdin=chain + d(pem))
self.cacert = cacert
self.cacert.generatePEM()
def __init__(self, *args, **kargs):
CertificateFactory.__init__(self, *args, **kargs)
# Transform key/signature algorithm to suitable values for keytool
if not self.parent:
self.keyalg = self.keyalg.upper()
self.sigalg = self.sigalg.upper() + "with" + self.keyalg;
# Create the CA self-signed certificate
if not self.cacert.exists():
cacert = self.cacert
subAltName = cacert.getAlternativeName()
issuerAltName = self.parent.cacert.getAlternativeName() if self.parent else None
ext = "-ext bc:c" + \
((" -ext san=" + subAltName) if subAltName else "") + \
((" -ext ian=" + issuerAltName) if issuerAltName else "")\
((" -ext eku=" + self.extendedKeyUsage) if self.extendedKeyUsage else "")
if not self.parent:
cacert.keyTool("genkeypair", ext, validity=self.validity, sigalg=self.sigalg)
else:
self.cacert = self.parent.cacert
cacert.keyTool("genkeypair")
pem = cacert.keyTool("gencert", ext, validity = self.validity, stdin=cacert.keyTool("certreq"))
chain = ""
parent = self.parent
while parent:
chain += d(read(parent.cacert.pem))
parent = parent.parent
cacert.keyTool("importcert", stdin=chain + d(pem))
self.cacert = cacert
self.cacert.generatePEM()
def __init__(self, *args, **kargs):
CertificateFactory.__init__(self, *args, **kargs)
if not self.parent:
self.keyalg = crypto.TYPE_RSA if self.keyalg == "rsa" else crypto.TYPE_DSA
self.cipher = "DES-EDE3-CBC" # Cipher used to encode the private key
if not self.cacert.exists():
# Generate the CA certificate
key = crypto.PKey()
key.generate_key(self.keyalg, self.keysize)
req = crypto.X509Req()
setSubject(self.cacert.dn, req.get_subject())
req.set_pubkey(key)
req.sign(key, self.sigalg)
x509 = crypto.X509()
x509.set_version(0x02)
x509.set_serial_number(random.getrandbits(64))
x509.gmtime_adj_notBefore(0)
x509.gmtime_adj_notAfter(60 * 60 * 24 * self.validity)
x509.set_subject(req.get_subject())
x509.set_pubkey(req.get_pubkey())
extensions = [
crypto.X509Extension(b('basicConstraints'), False, b('CA:true')),
crypto.X509Extension(b('subjectKeyIdentifier'), False, b('hash'), subject=x509),
]
subjectAltName = self.cacert.getAlternativeName()
if subjectAltName:
extensions.append(crypto.X509Extension(b('subjectAltName'), False, b(subjectAltName)))
if self.parent:
extensions.append(crypto.X509Extension(b('authorityKeyIdentifier'), False,
b('keyid:always,issuer:always'), issuer=self.parent.cacert.x509))
if self.parent.cacert.getAlternativeName():
extensions.append(crypto.X509Extension(b('issuerAltName'), False, b("issuer:copy"),
issuer=self.parent.cacert.x509))
x509.add_extensions(extensions)
if self.parent:
x509.set_issuer(self.parent.cacert.x509.get_subject())
x509.sign(self.parent.cacert.pkey, self.sigalg)
else:
x509.set_issuer(req.get_subject())
x509.sign(key, self.sigalg)
self.cacert.init(key, x509)
def __init__(self, *args, **kargs):
CertificateFactory.__init__(self, *args, **kargs)
if self.keyalg == "dsa":
self.keysize = os.path.join(self.home, "dsaparams.pem")
if not os.path.exists(self.keysize):
self.run("openssl", "dsaparam", 1024, outform="PEM", out=self.keysize)
if not self.cacert.exists():
subAltName = self.cacert.getAlternativeName()
issuerAltName = self.parent.cacert.getAlternativeName() if self.parent else None
altName = (("\nsubjectAltName = " + subAltName) if subAltName else "") + \
(("\nissuerAltName = " + issuerAltName) if issuerAltName else "")
cacert = self.cacert
if not self.parent:
cacert.openSSL("req", "-x509", days = self.validity, config =
"""
[ req ]
x509_extensions = ext
distinguished_name = dn
prompt = no
[ ext ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
{altName}
{dn}
""".format(dn=toDNSection(cacert.dn),altName=altName))
else:
self.cacert = self.parent.cacert
req = cacert.openSSL("req", config=
"""
[ req ]
distinguished_name = dn
prompt = no
{dn}
""".format(dn=toDNSection(cacert.dn)))
# Sign the certificate
cacert.openSSL("x509", "-req", set_serial=random.getrandbits(64), stdin=req, days = self.validity,
extfile=
"""
[ ext ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
{altName}
""".format(altName=altName))
self.cacert = cacert
def __init__(self, *args, **kargs):
CertificateFactory.__init__(self, *args, **kargs)
if self.keyalg == "dsa":
self.keyparams = os.path.join(self.home, "dsaparams.pem")
if not os.path.exists(self.keyparams):
self.run("openssl dsaparam -outform PEM -out {0} {1}".format(
self.keyparams, self.keysize))
else:
self.keyparams = self.keysize
if not self.cacert.exists():
subAltName = self.cacert.getAlternativeName()
issuerAltName = self.parent.cacert.getAlternativeName(
) if self.parent else None
altName = (("\nsubjectAltName = " + subAltName) if subAltName else "") + \
(("\nissuerAltName = " + issuerAltName) if issuerAltName else "")
extendedKeyUsage = (
"extendedKeyUsage = " +
self.extendedKeyUsage) if self.extendedKeyUsage else ""
cacert = self.cacert
if not self.parent:
cacert.openSSL("req",
"-x509",
days=self.validity,
config="""
[ req ]
x509_extensions = ext
distinguished_name = dn
prompt = no
[ ext ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
{altName}
{dn}
{extendedKeyUsage}
""".format(dn=toDNSection(cacert.dn),
altName=altName,
extendedKeyUsage=extendedKeyUsage))
else:
self.cacert = self.parent.cacert
req = cacert.openSSL("req",
config="""
[ req ]
distinguished_name = dn
prompt = no
{dn}
""".format(dn=toDNSection(cacert.dn)))
# Sign the certificate
cacert.openSSL("x509",
"-req",
set_serial=random.getrandbits(64),
stdin=req,
days=self.validity,
extfile="""
[ ext ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
{altName}
{extendedKeyUsage}
""".format(altName=altName,
extendedKeyUsage=extendedKeyUsage))
self.cacert = cacert
def __init__(self, *args, **kargs):
CertificateFactory.__init__(self, *args, **kargs)
if not self.parent:
self.keyalg = crypto.TYPE_RSA if self.keyalg == "rsa" else crypto.TYPE_DSA
self.cipher = "DES-EDE3-CBC" # Cipher used to encode the private key
if not self.cacert.exists():
# Generate the CA certificate
key = crypto.PKey()
key.generate_key(self.keyalg, self.keysize)
req = crypto.X509Req()
setSubject(self.cacert.dn, req.get_subject())
req.set_pubkey(key)
req.sign(key, self.sigalg)
x509 = crypto.X509()
x509.set_version(0x02)
x509.set_serial_number(random.getrandbits(64))
x509.gmtime_adj_notBefore(0)
x509.gmtime_adj_notAfter(60 * 60 * 24 * self.validity)
x509.set_subject(req.get_subject())
x509.set_pubkey(req.get_pubkey())
extensions = [
crypto.X509Extension(b('basicConstraints'), False,
b('CA:true')),
crypto.X509Extension(b('subjectKeyIdentifier'),
False,
b('hash'),
subject=x509),
]
subjectAltName = self.cacert.getAlternativeName()
if subjectAltName:
extensions.append(
crypto.X509Extension(b('subjectAltName'), False,
b(subjectAltName)))
if self.parent:
extensions.append(
crypto.X509Extension(b('authorityKeyIdentifier'),
False,
b('keyid:always,issuer:always'),
issuer=self.parent.cacert.x509))
if self.parent.cacert.getAlternativeName():
extensions.append(
crypto.X509Extension(b('issuerAltName'),
False,
b("issuer:copy"),
issuer=self.parent.cacert.x509))
x509.add_extensions(extensions)
if self.parent:
x509.set_issuer(self.parent.cacert.x509.get_subject())
x509.sign(self.parent.cacert.pkey, self.sigalg)
else:
x509.set_issuer(req.get_subject())
x509.sign(key, self.sigalg)
self.cacert.init(key, x509)
