def generateImpacketCert(certname='/tmp/impacket.crt'): # Create a private key pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) # Create the certificate cert = crypto.X509() cert.gmtime_adj_notBefore(0) # Valid for 5 years cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 5) subj = cert.get_subject() subj.CN = 'impacket' cert.set_pubkey(pkey) cert.sign(pkey, "sha256") # We write both from the same file with open(certname, 'w') as certfile: certfile.write( crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode('utf-8')) certfile.write( crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8')) LOG.debug('Wrote certificate to %s' % certname)
def make_certificate(self, csr, ca, ca_pkey, serial, export_file=False): crt = crypto.X509() crt.set_serial_number(serial) crt.gmtime_adj_notBefore(86400 * self.notbefore_days) crt.gmtime_adj_notAfter(86400 * self.notafter_days) crt.set_issuer(ca.get_subject()) crt.set_subject(csr.get_subject()) crt.set_pubkey(csr.get_pubkey()) crt.sign(ca_pkey, self.digest_type) if isinstance(export_file, string_types): dcrt = crypto.dump_certificate(crypto.FILETYPE_PEM, crt) if not os.path.exists(export_file): open(export_file, 'wb').close() os.chmod(export_file, 0o600) f = open(export_file, 'wb') f.writelines(dcrt) f.close() return crt
def create_self_signed_cert(name): from OpenSSL import crypto # create key pair key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 2048) # create self-signed certificate cert = crypto.X509() cert.get_subject().CN = name cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 86400) cert.set_issuer(cert.get_subject()) cert.set_pubkey(key) cert.sign(key, 'sha1') with open(CERT_FILE, 'wb') as fp: fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) with open(KEY_FILE, 'wb') as fp: fp.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
def generateCertificateObjects(organization, organizationalUnit): pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 512) req = crypto.X509Req() subject = req.get_subject() subject.O = organization subject.OU = organizationalUnit req.set_pubkey(pkey) req.sign(pkey, "md5") # Here comes the actual certificate cert = crypto.X509() cert.set_serial_number(1) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60) # Testing certificates need not be long lived cert.set_issuer(req.get_subject()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(pkey, "md5") return pkey, req, cert
def generate_user_own_cert(cn, path_to_cert=PATH_TO_CERT, path_to_pem=PATH_TO_PEM): logger.debug("Trying to generate user certificate files") k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 2048) cert = crypto.X509() cert.get_subject().OU = 'Mirantis Fuel-QA Team' cert.get_subject().CN = cn cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(315360000) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha1') with open(path_to_pem, 'wt') as f: f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) logger.debug("Generated PEM file {}".format(path_to_pem)) with open(path_to_cert, 'wt') as f: f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) logger.debug("Generated PEM file {}".format(path_to_cert))
def generate_adhoc_ssl_context(): from random import random from OpenSSL import crypto, SSL cert = crypto.X509() cert.set_serial_number(int(random() * sys.maxint)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) subject = cert.get_subject() subject.CN = '*' subject.O = 'Dummy Certificate' issuer = cert.get_issuer() issuer.CN = 'Untrusted Authority' issuer.O = 'Self-Signed' pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 768) cert.set_pubkey(pkey) cert.sign(pkey, 'md5') ctx = SSL.Context(SSL.SSLv23_METHOD) ctx.use_privatekey(pkey) ctx.use_certificate(cert) return ctx
def generate_cert_with_cn_san(self, cn, san): pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) extensions = list() extensions.append( crypto.X509Extension(b'basicConstraints', False, f'CA:FALSE'.encode())) extensions.append(crypto.X509Extension(b'subjectAltName', False, san)) cert = crypto.X509() cert.get_subject().CN = cn cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) cert.set_issuer(self.ca_cert.get_subject()) cert.set_pubkey(pkey) cert.add_extensions(extensions) cert.set_version(2) cert.sign(self.ca_key, 'sha256') return cert, pkey
def create_self_signed_cert(certFile, key): cert = crypto.X509() cert.set_serial_number(1001) cert.set_notBefore(b"20190101000000Z") cert.set_notAfter(b"20290101000000Z") subject = cert.get_subject() subject.C = "NO" subject.ST = "Rogaland" subject.L = "Kolnes" subject.O = "UiA" subject.OU = "ICT" subject.CN = "localhost" cert.set_issuer(subject) cert.set_pubkey(key) cert.sign(key, 'SHA256') certToByte = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) write_to_file(certToByte, certFile) return cert
def signRequestObject( self, issuerDistinguishedName, requestObject, serialNumber, secondsToExpiry=60 * 60 * 24 * 365, # One year digestAlgorithm='md5'): """ Sign a CertificateRequest instance, returning a Certificate instance. """ req = requestObject.original dn = requestObject.getSubject() cert = crypto.X509() issuerDistinguishedName._copyInto(cert.get_issuer()) cert.set_subject(req.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(secondsToExpiry) cert.set_serial_number(serialNumber) cert.sign(self.original, digestAlgorithm) return Certificate(cert)
def create_self_signed_cert(self): # create a key pair pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) # create a self-signed cert cert = crypto.X509() cert.get_subject().O = "IT" cert.get_subject().CN = "ceph-dashboard" cert.set_serial_number(int(uuid4())) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(pkey) cert.sign(pkey, 'sha512') cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) self.set_store('crt', cert.decode('utf-8')) pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey) self.set_store('key', pkey.decode('utf-8'))
def _create_self_signed_cert(self): """ Creates a self signed cert. Shouldn't be called directly except by this library for its own use. """ logger.debug("Creating self signed cert.") req = crypto.X509() gwid = "%s %s" % (self.gateway_id, self.hostname) req.get_subject().CN = 'localhost' req.get_subject().countryName = 'US' req.get_subject().stateOrProvinceName = 'California' req.get_subject().localityName = 'Sacramento' req.get_subject().organizationName = 'Yombo' req.get_subject().organizationalUnitName = gwid[0:63] req.set_serial_number(int(time())) req.gmtime_adj_notBefore(0) req.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) self.self_signed_expires = time() + (10 * 365 * 24 * 60 * 60) self.self_signed_created = time() self._Configs.set("sslcerts", "self_signed_expires", self.self_signed_expires) self._Configs.set("sslcerts", "self_signed_created", self.self_signed_created) req.set_issuer(req.get_subject()) key = yield threads.deferToThread( self._generate_key, **{ 'key_type': crypto.TYPE_RSA, 'key_size': 4096 }) req.set_pubkey(key) req.sign(key, 'sha256') csr_key = crypto.dump_certificate(crypto.FILETYPE_PEM, req) key_file = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) save_file(self.self_signed_cert_file, csr_key) save_file(self.self_signed_key_file, key_file) return {'csr_key': csr_key, 'key': key_file}
def generate_adhoc_ssl_context(): """ Create temporary self-signed certificate for encrypted HTTP transport Exasol does not check validity of certificates """ from OpenSSL import crypto import pathlib import ssl import tempfile k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 2048) cert = crypto.X509() cert.set_serial_number(1) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) cert.set_pubkey(k) cert.sign(k, 'sha256') # TemporaryDirectory is used instead of NamedTemporaryFile for compatibility with Windows with tempfile.TemporaryDirectory(prefix='pyexasol_ssl_') as tempdir: tempdir = pathlib.Path(tempdir) cert_file = open(tempdir / 'cert', 'wb') cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) cert_file.close() key_file = open(tempdir / 'key', 'wb') key_file.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) key_file.close() context = ssl.SSLContext() context.verify_mode = ssl.CERT_NONE context.load_cert_chain(certfile=cert_file.name, keyfile=key_file.name) return context
def _gen_ca(self, ca_name, ca_config): ca = crypto.X509() ca.set_version(3) ca.set_serial_number(1) ca.get_subject().C = ca_config["countryName"] ca.get_subject().ST = ca_config["stateOrProvinceName"] ca.get_subject().L = ca_config["localityName"] ca.get_subject().O = ca_config["organizationName"] ca.get_subject().OU = ca_config["organizationalUnitName"] ca.gmtime_adj_notBefore(0) ca.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60) ca.set_issuer(ca.get_subject()) ca.set_pubkey(self.ca_key_pairs[ca_name]) # From RFC5280: Conforming CAs MUST include keyUsage extension in # certificates that contain public keys that are used to validate # digital signatures on other public key certificates or CRLs. # To facilitate certification path construction, subjectKeyIdentifier # extension MUST appear in all conforming CA certificates, that is, all # certificates including the basic constraints extension where the # value of cA is TRUE. ca.add_extensions([ # basicConstraints identifies whether subject of certificate is a CA # pathLen expresses the number of possible intermediate CA # certificates in a path built from an end-entity certificate up # to the CA certificate. crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:1"), # The keyCertSign bit is asserted when the subject public key is # used for verifying signatures on public key certificates. crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"), # From RFC5280: The keyIdentifier is composed of the 160-bit SHA-1 # hash of the value of the BIT STRING subjectPublicKey crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca), ]) ca.sign(self.ca_key_pairs[ca_name], "sha256") self.ca_certs[ca_config["ISD"]][ca_name] = ca
def generate(self, module): if not os.path.exists(self.privatekey_path): raise CertificateError( 'The private key %s does not exist' % self.privatekey_path ) if not os.path.exists(self.csr_path): raise CertificateError( 'The certificate signing request file %s does not exist' % self.csr_path ) if not self.check(module, perms_required=False) or self.force: cert = crypto.X509() cert.set_serial_number(self.serial_number) if self.notBefore: cert.set_notBefore(to_bytes(self.notBefore)) else: cert.gmtime_adj_notBefore(0) if self.notAfter: cert.set_notAfter(to_bytes(self.notAfter)) else: # If no NotAfter specified, expire in # 10 years. 315360000 is 10 years in seconds. cert.gmtime_adj_notAfter(315360000) cert.set_subject(self.csr.get_subject()) cert.set_issuer(self.csr.get_subject()) cert.set_version(self.version - 1) cert.set_pubkey(self.csr.get_pubkey()) cert.add_extensions(self.csr.get_extensions()) cert.sign(self.privatekey, self.digest) self.cert = cert crypto_utils.write_file(module, crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert)) self.changed = True file_args = module.load_file_common_arguments(module.params) if module.set_fs_attributes_if_different(file_args, False): self.changed = True
def generate_ca(config_ca): ca = crypto.X509() ca.set_version(2) ca.set_serial_number(config_ca['serial']) ca_subj = ca.get_subject() if 'commonName' in config_ca: ca_subj.commonName = config_ca['commonName'] if 'stateOrProvinceName' in config_ca: ca_subj.stateOrProvinceName = config_ca['stateOrProvinceName'] if 'localityName' in config_ca: ca_subj.localityName = config_ca['localityName'] if 'organizationName' in config_ca: ca_subj.organizationName = config_ca['organizationName'] if 'organizationalUnitName' in config_ca: ca_subj.organizationalUnitName = config_ca['organizationalUnitName'] if 'emailAddress' in config_ca: ca_subj.emailAddress = config_ca['emailAddress'] if 'countryName' in config_ca: ca_subj.countryName = config_ca['countryName'] if 'validfrom' in config_ca: ca.set_notBefore(config_ca['validfrom']) if 'validto' in config_ca: ca.set_notAfter(config_ca['validto']) key = openssl_generate_privatekey(config_ca['keyfilesize']) ca.add_extensions([ crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"), crypto.X509Extension("keyUsage", False, "keyCertSign, cRLSign"), crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca), ]) ca.add_extensions([ crypto.X509Extension("authorityKeyIdentifier", False, "keyid:always", issuer=ca) ]) ca.set_issuer(ca.get_subject()) ca.set_pubkey(key) ca.sign(key, config_ca['hashalgorithm']) return ca, key
def create_self_signed_cert(cert_dir, keyfile, certfile): """ Create a self-signed `keyfile` and `certfile` in `cert_dir` Abort if one of the keyfile of certfile exist. """ if exists(join(cert_dir, certfile)) or exists(join(cert_dir, keyfile)): raise FileExistsError('{} or {} already exist in {}. Aborting.'.format( keyfile, certfile, cert_dir)) else: # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 1024) # create a self-signed cert cert = crypto.X509() cert.get_subject().C = "US" cert.get_subject().ST = "Jupyter notebook self-signed certificate" cert.get_subject().L = "Jupyter notebook self-signed certificate" cert.get_subject().O = "Jupyter notebook self-signed certificate" cert.get_subject().OU = "my organization" cert.get_subject().CN = "Jupyter notebook self-signed certificate" cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(365 * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha256') with io.open(join(cert_dir, certfile), "wt") as f: f.write( crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf8')) os.chmod(join(cert_dir, certfile), 0o600) with io.open(join(cert_dir, keyfile), "wt") as f: f.write( crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf8')) os.chmod(join(cert_dir, keyfile), 0o600)
def generate(self, device_id, ecc=False): # Device client certificate if ecc: filename_cert = CONFIG_CERT_DIRECTORY + "ft900device1_cert.pem" filename_pkey = CONFIG_CERT_DIRECTORY + "ft900device1_pkey.pem" return filename_cert, filename_pkey else: client_key = crypto.PKey() client_key.generate_key(crypto.TYPE_RSA, 2048) client_cert = crypto.X509() client_cert.set_version(0) client_cert.set_serial_number(random.getrandbits(8*9)) client_subj = client_cert.get_subject() client_cert.set_issuer(self.ca_subj) client_cert.set_pubkey(client_key) client_cert.gmtime_adj_notBefore(0) client_cert.gmtime_adj_notAfter(CONFIG_CERT_YEARS*365*24*60*60) client_cert.get_subject().C = CONFIG_CERT_COUNTRY client_cert.get_subject().ST = CONFIG_CERT_STATE client_cert.get_subject().L = CONFIG_CERT_CITY client_cert.get_subject().O = CONFIG_CERT_COMPANY client_cert.get_subject().OU = CONFIG_CERT_DEPARTMENT client_cert.get_subject().CN = device_id client_cert.sign(self.ca_key, 'sha256') # Get epoch time as timestamp timestamp = str(int(time.time())) # Save certificate filename_cert = CONFIG_CERT_DIRECTORY + device_id + "_" + timestamp + "_cert.pem" with open(filename_cert, "wt") as f: f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, client_cert).decode("utf-8")) # Save private key filename_pkey = CONFIG_CERT_DIRECTORY + device_id + "_" + timestamp + "_pkey.pem" with open(filename_pkey, "wt") as f: f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, client_key).decode("utf-8")) return filename_cert, filename_pkey
def create_ca(CN, C="", ST="", L="", O="", OU="", emailAddress="", hashalgorithm='sha256WithRSAEncryption'): cakey = make_keypair() careq = make_csr(cakey, cn=CN) cacert = crypto.X509() cacert.set_serial_number(0) cacert.gmtime_adj_notBefore(0) cacert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 10) # 10 yrs - hard to beat this kind of cert! cacert.set_issuer(careq.get_subject()) cacert.set_subject(careq.get_subject()) cacert.set_pubkey(careq.get_pubkey()) cacert.set_version(2) # Set the extensions in two passes cacert.add_extensions([ crypto.X509Extension('basicConstraints', True, 'CA:TRUE'), crypto.X509Extension('subjectKeyIdentifier', True, 'hash', subject=cacert) ]) # ... now we can set the authority key since it depends on the subject key cacert.add_extensions([ crypto.X509Extension('authorityKeyIdentifier', False, 'issuer:always, keyid:always', issuer=cacert, subject=cacert) ]) cacert.sign(cakey, hashalgorithm) return (cacert, cakey)
def generate_device_cert(dev_serial_num, dev_pub_key_path="keys/device_pub_key.pem", ca_priv_key_path="certificates/rootCA.key", ca_cert_path="certificates/rootCA.pem"): if True: # read device public key from previously read from the device dev_pub_key = crypto.load_publickey(crypto.FILETYPE_PEM, open(dev_pub_key_path, 'r').read()) else: # for development only, use public key from self generated private key dev_priv_key = crypto.load_privatekey( crypto.FILETYPE_ASN1, open("keys/device_priv_key.der", 'rb').read()) dev_pub_key = crypto.load_publickey( crypto.FILETYPE_PEM, crypto.dump_publickey(crypto.FILETYPE_PEM, dev_priv_key)) ca_privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, open(ca_priv_key_path, 'r').read()) ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(ca_cert_path, 'r').read()) # create cert signed by ca_cert cert = crypto.X509() cert.set_subject(ca_cert.get_subject()) cert.get_subject( ).CN = cytools.target_name.upper() + '-' + str(dev_serial_num) cert.set_serial_number(int(dev_serial_num)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(dev_pub_key) cert.sign(ca_privatekey, 'sha256') open("certificates/device_cert.pem", "wb")\ .write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) open("certificates/device_cert.der", "wb")\ .write(crypto.dump_certificate(crypto.FILETYPE_ASN1, cert)) print('Device certificate generated successfully.') return 0
def _create_ca_cert(self, pub_key, issuer="Manger", subject=None): """ Create a CA Certificate that will be signed with each agent key Args: pub_key (PKey): Key to be set in certificate issuer (str): Name or hostname for the certificate issuer subject (str): Name or hostname for the ceritifcate subject. If none will be same as issuer Returns: ca_cert : X509 Object. Created ca certificate """ ca_cert = crypto.X509() ca_cert.set_serial_number(random.randint(50000000, 100000000)) xt = crypto.X509Extension(b"basicConstraints", 1, b"CA:TRUE") ca_cert.add_extensions((xt, )) ca_cert.gmtime_adj_notBefore(0) ca_cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) ca_cert.set_version(2) ca_issuer = ca_cert.get_issuer() ca_issuer.commonName = issuer ca_cert.set_issuer(ca_issuer) if subject: ca_subj = ca_cert.get_subject() ca_subj.commonName = subject ca_cert.set_subject(ca_subj) else: ca_subj = ca_cert.get_subject() ca_subj.commonName = issuer ca_cert.set_subject(ca_subj) ca_cert.set_pubkey(pub_key) return ca_cert
def installCertificates(session): if not os_exists(CERT_FILE) \ or not os_exists(KEY_FILE): print "[Webinterface].installCertificates :: Generating SSL key pair and CACert" # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 1024) # create a self-signed cert cert = crypto.X509() cert.get_subject().C = "DE" cert.get_subject().ST = "Home" cert.get_subject().L = "Home" cert.get_subject().O = "Dreambox" cert.get_subject().OU = "STB" cert.get_subject().CN = socket_gethostname() cert.set_serial_number(random.randint(1000000, 1000000000)) cert.set_notBefore("20120101000000Z") cert.set_notAfter("20301231235900Z") cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) print "[Webinterface].installCertificates :: Signing SSL key pair with new CACert" cert.sign(k, 'sha1') try: print "[Webinterface].installCertificates :: Installing newly generated certificate and key pair" open(CERT_FILE, "wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) open(KEY_FILE, "wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) except IOError, e: #Disable https config.plugins.Webinterface.https.enabled.value = False config.plugins.Webinterface.https.enabled.save() #Inform the user session.open( MessageBox, "Couldn't install generated SSL-Certifactes for https access\nHttps access is disabled!", MessageBox.TYPE_ERROR)
def create_self_signed_cert(self, common_name): C_F = self.settings.certificates.certificate K_F = self.settings.certificates.privatekey P_F = joinFilePath( getDirNameByPath(self.settings.certificates.privatekey), 'server.pub.key') if not exists(C_F) or not exists(K_F): k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 2048) cert = crypto.X509() cert.get_subject().C = self.settings.certificates.country cert.get_subject().ST = self.settings.certificates.state cert.get_subject().L = self.settings.certificates.city cert.get_subject().O = self.settings.certificates.organization cert.get_subject().OU = self.settings.certificates.unit cert.get_subject().CN = common_name cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(315360000) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha1') with open(C_F, "wb") as f: f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) with open(K_F, "wb") as f: f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) with open(P_F, "wb") as f: f.write(crypto.dump_publickey(crypto.FILETYPE_PEM, k))
def generate_cert(root_ca_cert_str, server_cert_str, server_host): """Generates a cert_str with the sni field in server_cert_str signed by the root_ca_cert_str. Args: root_ca_cert_str: PEM formatted string representing the root cert server_cert_str: PEM formatted string representing cert server_host: host name to use if there is no server_cert_str Returns: a PEM formatted certificate string """ EXTENSION_WHITELIST = set(['subjectAltName']) if openssl_import_error: raise openssl_import_error # pylint: disable=raising-bad-type common_name = server_host reused_extensions = [] if server_cert_str: original_cert = load_cert(server_cert_str) common_name = original_cert.get_subject().commonName for i in xrange(original_cert.get_extension_count()): original_cert_extension = original_cert.get_extension(i) if original_cert_extension.get_short_name() in EXTENSION_WHITELIST: reused_extensions.append(original_cert_extension) ca_cert = load_cert(root_ca_cert_str) ca_key = load_privatekey(root_ca_cert_str) cert = crypto.X509() cert.get_subject().CN = common_name cert.gmtime_adj_notBefore(-60 * 60) cert.gmtime_adj_notAfter(60 * 60 * 24 * 30) cert.set_issuer(ca_cert.get_subject()) cert.set_serial_number(int(time.time()*10000)) cert.set_pubkey(ca_key) cert.add_extensions(reused_extensions) cert.sign(ca_key, 'sha256') return _dump_cert(cert)
def gen_cert(ca=None, ca_key=None, ca_cert=None, commonName=None): '''Create an CERT signed by an given CA''' # Generate a CSR # http://docs.ganeti.org/ganeti/2.14/html/design-x509-ca.html key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 4096) req = crypto.X509Req() if commonName is None: commonName = input("CommonName: ") req.get_subject().CN = commonName req.set_pubkey(key) req.sign(key, "sha512") key = crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode("utf-8") # Load cert and key if an ca is supplied if ca is not None: ca_cert = ca.get_cert() ca_key = ca.get_key() ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, bytes(ca_cert, 'utf-8')) ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, bytes(ca_key, 'utf-8')) # Generate Cert cert = crypto.X509() cert.set_subject(req.get_subject()) cert.set_serial_number(random.randint(0, sys.maxsize)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(1 * 365 * 24 * 60 * 60) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(ca_key, "sha512") # Sign with CA cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8") return cert, key
def create_signed_client_cert(client_public_key, country, state, locality, organization, organizational_unit, common_name, email, valid_until): """ Function for generating client certificates """ # load files try: with open(settings.CERT_CA_FILE) as ca_file: ca = crypto.load_certificate(crypto.FILETYPE_PEM, ca_file.read()) with open(settings.CERT_CA_KEY_FILE) as ca_key_file: ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_file.read()) except IOError as e: log.error(e) raise # create a self-signed cert cert = crypto.X509() cert.get_subject().C = country cert.get_subject().ST = state cert.get_subject().L = locality cert.get_subject().O = organization cert.get_subject().OU = organizational_unit cert.get_subject().CN = common_name cert.get_subject().emailAddress = email cert.set_serial_number(uuid.uuid4().int) now = datetime.now() cert.set_notBefore(now.strftime("%Y%m%d%H%M%SZ")) cert.set_notAfter(valid_until.strftime("%Y%m%d%H%M%SZ")) cert.set_issuer(ca.get_subject()) cert.set_pubkey(client_public_key) cert.sign(ca_key, 'sha1') return cert
def _create_self_signed_cert(self, directory, email, common_name, cert_ttl, country='RU', state='Moscow', city='Moscow', organization='Nekrasovka', organizational_unit='Nekrasovka'): # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 1024) # create a self-signed cert cert = crypto.X509() cert.get_subject().C = country cert.get_subject().ST = state cert.get_subject().L = city cert.get_subject().O = organization cert.get_subject().OU = organizational_unit cert.get_subject().CN = common_name cert.set_serial_number(int(time.time())) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(int(cert_ttl) * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha1') open(self.cert_path, "wb+").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) open(self.private_key_path, "wb+").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) open(self.public_key_path, "wb+").write(crypto.dump_publickey(crypto.FILETYPE_PEM, k)) p12 = crypto.PKCS12() p12.set_privatekey(k) p12.set_certificate(cert) open(self.pfx_path, 'wb+').write(p12.export())
def __init__(self): self.ca_key = crypto.PKey() self.ca_key.generate_key(crypto.TYPE_RSA, 2048) self.ca_cert = crypto.X509() self.ca_cert.set_version(2) self.ca_cert.set_serial_number(1) self.ca_cert.get_subject().CN = "MyEC" self.ca_cert.get_subject().ST = "Portugal" self.ca_cert.get_subject().L = "GuimarĂ£es" self.ca_cert.get_subject().OU = "UMinho" self.ca_cert.set_issuer(self.ca_cert.get_subject()) self.ca_cert.set_pubkey(self.ca_key) self.ca_cert.add_extensions([ crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=self.ca_cert), ]) self.ca_cert.add_extensions([ crypto.X509Extension(b"authorityKeyIdentifier", False, b"keyid:always,issuer", issuer=self.ca_cert), ]) self.ca_cert.add_extensions([ crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"), crypto.X509Extension(b"keyUsage", True, b"digitalSignature, keyCertSign, cRLSign"), ]) self.ca_cert.gmtime_adj_notBefore(0) self.ca_cert.gmtime_adj_notAfter(24 * 60 * 60) self.ca_cert.sign(self.ca_key, 'sha256')
def generate_dummy_ca_cert(subject='_WebPageReplayCert'): """Generates dummy certificate authority. Args: subject: a string representing the desired root cert issuer Returns: A tuple of the public key and the private key strings for the root certificate """ if openssl_import_error: raise openssl_import_error # pylint: disable=raising-bad-type key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 1024) ca_cert = crypto.X509() ca_cert.set_serial_number(int(time.time() * 10000)) ca_cert.set_version(2) ca_cert.get_subject().CN = subject ca_cert.get_subject().O = subject ca_cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2) ca_cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2) ca_cert.set_issuer(ca_cert.get_subject()) ca_cert.set_pubkey(key) ca_cert.add_extensions([ crypto.X509Extension('basicConstraints', True, 'CA:TRUE'), crypto.X509Extension('extendedKeyUsage', True, ('serverAuth,clientAuth,emailProtection,' 'timeStamping,msCodeInd,msCodeCom,msCTLSign,' 'msSGC,msEFS,nsSGC')), crypto.X509Extension('keyUsage', False, 'keyCertSign, cRLSign'), crypto.X509Extension('subjectKeyIdentifier', False, 'hash', subject=ca_cert), ]) ca_cert.sign(key, 'sha256') key_str = _dump_privatekey(key) ca_cert_str = _dump_cert(ca_cert) return ca_cert_str, key_str
def cert_gen(emailAddress=generate_random(random.randint(5, 20)), commonName=generate_random(random.randint(5, 20)), countryName=generate_random(2), localityName=generate_random(random.randint(5, 20)), stateOrProvinceName=generate_random(random.randint(5, 20)), organizationName=generate_random(random.randint(5, 20)), organizationUnitName=generate_random(random.randint(5, 20)), serialNumber=0, validityStartInSeconds=0, validityEndInSeconds=10 * 365 * 24 * 60 * 60, KEY_FILE="private.key", CERT_FILE="selfsigned.crt"): if (os.path.exists("./private.key") and os.path.exists("./selfsigned.crt")): return # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 4096) # create a self-signed cert cert = crypto.X509() cert.get_subject().C = countryName cert.get_subject().ST = stateOrProvinceName cert.get_subject().L = localityName cert.get_subject().O = organizationName cert.get_subject().OU = organizationUnitName cert.get_subject().CN = commonName cert.get_subject().emailAddress = emailAddress cert.set_serial_number(serialNumber) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(validityEndInSeconds) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha512') with open(CERT_FILE, "wt") as f: f.write( crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8")) with open(KEY_FILE, "wt") as f: f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8"))
def create_certificate(cert_info): cert = crypto.X509() cert.get_subject().C = cert_info['country'] cert.get_subject().ST = cert_info['state'] cert.get_subject().L = cert_info['city'] cert.get_subject().O = cert_info['organization'] cert.get_subject().CN = cert_info['common'] # Add subject alternate name in addition to CN # first lets determine if an ip address was specified or # a dns entry in the common name default_san_type = 'DNS' try: ipaddress.ip_address(cert_info['common']) default_san_type = 'IP' except ValueError: # This is raised if say we specified freenas.org in the Common name pass if cert_info['san']: cert.add_extensions([ crypto.X509Extension( b"subjectAltName", False, f"{default_san_type}:{cert_info['san']}".encode()) ]) cert.get_subject().subjectAltName = cert_info['san'].replace(" ", ", ") cert.get_subject().emailAddress = cert_info['email'] serial = cert_info.get('serial') if serial is not None: cert.set_serial_number(serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(cert_info['lifetime'] * (60 * 60 * 24)) cert.set_issuer(cert.get_subject()) # Setting it to '2' actually results in a v3 cert # openssl's cert x509 versions are zero-indexed! # see: https://www.ietf.org/rfc/rfc3280.txt cert.set_version(2) return cert