def generateFiles(mkFile, request):
if '.csr' in mkFile:
f = open(mkFile, "w")
f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, request))
f.close()
print crypto.dump_certificate_request(crypto.FILETYPE_PEM, request)
elif '.key' in mkFile:
f = open(mkFile, "w")
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request))
f.close()
else:
print "Failed."
exit()
def generateFiles(mkFile, request):
'''Generates CSR file and private key file used to generate CSR'''
if mkFile == str(args.name) + '.csr':
f = open(mkFile, "w")
f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, request))
f.close()
print ("CSR below, copy and paste into StartSSL's certificates wizard\n")
print crypto.dump_certificate_request(crypto.FILETYPE_PEM, request)
elif mkFile == str(args.name) + '.key':
f = open(mkFile, "w")
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request))
f.close()
else:
print "Failed."
exit()
def create_cert_req(keyType = crypto.TYPE_RSA,
bits = 1024,
messageDigest = "md5"):
"""
Create certificate request.
Returns: certificate request PEM text, private key PEM text
"""
# Create certificate request
req = crypto.X509Req()
# Generate private key
pkey = crypto.PKey()
pkey.generate_key(keyType, bits)
req.set_pubkey(pkey)
req.sign(pkey, messageDigest)
cert_req_pem = crypto.dump_certificate_request(crypto.FILETYPE_ASN1,req)
key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM,pkey)
# Nasty OpenSSL 1.0 Hack
# OpenSSL 1.0 changes the headers from "RSA PRIVATE KEY" to "PRIVATE KEY"
try:
ssl_version = SSL.SSLeay_version(SSL.SSLEAY_VERSION)
logger.debug('Using SSL: ' + ssl_version)
if ssl_version.startswith("OpenSSL 1"):
key_pem = re.sub(r'BEGIN PRIVATE KEY', r'BEGIN RSA PRIVATE KEY', key_pem)
key_pem = re.sub(r'END PRIVATE KEY', r'END RSA PRIVATE KEY', key_pem)
except Exception, e:
logger.warn('Using older version of openSSL without SSLeay_version: %s' + e)
def make_csr(pkey, dest=None, cn=None, hostname=None, emailaddr=None):
req = crypto.X509Req()
req.get_subject()
subj = req.get_subject()
subj.C = def_country
subj.ST = def_state
subj.L = def_local
subj.O = def_org
subj.OU = def_ou
if cn:
subj.CN = cn
elif hostname:
subj.CN = hostname
else:
subj.CN = utils.gethostname()
if emailaddr:
subj.emailAddress = emailaddr
else:
subj.emailAddress = 'root@%s' % subj.CN
req.set_pubkey(pkey)
req.sign(pkey, 'md5')
if dest:
destfd = os.open(dest, os.O_RDWR|os.O_CREAT, 0644)
os.write(destfd, crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
os.close(destfd)
return req
def storePKIUserCertificate(self, user, hostname, certificate, obj,
password=None):
"""Store a given PKI object into a file
@param user [User] the user to which the certificate is associated
@param hostname [Hostname] the hostname to which the certificate is
associated
@param certificate [Certificate] the Certificate instance associated with
the file
@param obj [X509/PKey] The object that will be dump to the file
@param password [str] OPTIONNAL : an optionnal passphrase to use for encrypt
the output (if available)
"""
path = (self.__new_cert_directory + str(user.id) + "/" + str(hostname.id) +
"/")
self.makePath(path)
bytes_ = None
if isinstance(obj, OpenSSL.crypto.X509):
bytes_ = crypto.dump_certificate(crypto.FILETYPE_PEM, obj)
path += str(certificate.id) + ".crt"
if isinstance(obj, OpenSSL.crypto.X509Req):
bytes_ = crypto.dump_certificate_request(crypto.FILETYPE_PEM, obj)
path += str(certificate.id) + ".csr"
elif isinstance(obj, OpenSSL.crypto.PKey):
if isinstance(password, str):
bytes_ = crypto.dump_privatekey(crypto.FILETYPE_PEM, obj,
self.__cipher, password.encode())
else:
bytes_ = crypto.dump_privatekey(crypto.FILETYPE_PEM, obj)
path += str(certificate.id) + ".key"
assert bytes_ is not None
self.storeBytesToFile(bytes_, path)
def run(self, certificate):
try:
certificate['key_length'] = certificate.get('key_length', 2048)
certificate['digest_algorithm'] = certificate.get('digest_algorithm', 'SHA256')
certificate['lifetime'] = certificate.get('lifetime', 3650)
key = generate_key(certificate['key_length'])
req = crypto.X509Req()
req.get_subject().C = certificate['country']
req.get_subject().ST = certificate['state']
req.get_subject().L = certificate['city']
req.get_subject().O = certificate['organization']
req.get_subject().CN = certificate['common']
req.get_subject().emailAddress = certificate['email']
req.set_pubkey(key)
req.sign(key, str(certificate['digest_algorithm']))
certificate['type'] = 'CERT_CSR'
certificate['csr'] = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
certificate['privatekey'] = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
pkey = self.datastore.insert('crypto.certificates', certificate)
self.dispatcher.call_sync('etcd.generation.generate_group', 'crypto')
except DatastoreException, e:
raise TaskException(errno.EBADMSG, 'Cannot create CSR: {0}'.format(str(e)))
def generate_csr(certificate):
pkey_type = crypto.TYPE_RSA
pkey_bits = 2048
digest_type = 'md5'
pkey = crypto.PKey()
pkey.generate_key(pkey_type, pkey_bits)
#certificate.private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)
#certificate.save()
req = crypto.X509Req()
subj = req.get_subject()
for key in certificate.openssl_arg_map:
if not getattr(certificate, key) in [None, '']:
setattr(subj, certificate.openssl_arg_map[key], getattr(certificate, key))
# TODO : add sans : http://stackoverflow.com/a/25714864/168874
# We are not adding oids like streetAddress and postalCode to the CSR
req.set_pubkey(pkey)
req.sign(pkey, digest_type)
#certificate.certificate_request = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
#certificate.save()
return (dump_rsa_privatekey(pkey),
crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
def _gen_csr(self, key, alternate_names, wildcard):
csr = crypto.X509Req()
subj = csr.get_subject()
domain = self.domain
if wildcard:
domain = '*.{}'.format(self.domain)
setattr(subj, 'CN', domain)
for k, n in X509Wrapper.subject_assoc:
value = self.config.get(self.domain, n, fallback='')
if value != '':
setattr(subj, k, value)
csr.set_pubkey(key)
if alternate_names:
ca = crypto.X509Extension(b'basicConstraints', False, b'CA:FALSE')
key_usage = crypto.X509Extension(
b'keyUsage',
False,
b'digitalSignature, nonRepudiation, keyEncipherment'
)
names = ', '.join('DNS:{}'.format(n) for n in alternate_names)
subject_alt_name = crypto.X509Extension(
b'subjectAltName',
False,
bytes(names, encoding=encoding)
)
csr.add_extensions([ca, key_usage, subject_alt_name])
csr.sign(key, self.config.get(self.domain, 'digest'))
pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
with open(self.csr_path, 'xb') as f:
f.write(pem)
return (csr, pem)
def create_cert_req(key_pair, cn ,message_digest="md5"):
"""Create a certificate request.
@type CN: basestring
@param CN: Common Name for certificate - effectively the same as the
username for the MyProxy credential
@type keyPair: string/None
@param keyPair: public/private key pair
@type messageDigest: basestring
@param messageDigest: message digest type - default is MD5
@rtype: base string
@return certificate request PEM text and private key PEM text
"""
# Check all required certifcate request DN parameters are set
# Create certificate request
cert_req = crypto.X509Req()
# Create public key object
cert_req.set_pubkey(key_pair)
cert_req.get_subject().CN=cn
# Add the public key to the request
cert_req.sign(key_pair, message_digest)
cert_req = crypto.dump_certificate_request(crypto.FILETYPE_PEM,
cert_req)
return cert_req
def createCertRequest(self, **name):
"""
Create a certificate request.
Arguments: pkey - The key to associate with the request
digest - Digestion method to use for signing, default is sha256
**name - The name of the subject of the request, possible
arguments are:
C - Country name
ST - State or province name
L - Locality name
O - Organization name
OU - Organizational unit name
CN - Common name
emailAddress - E-mail address
Returns: The certificate request in an X509Req object
"""
pkey=crypto.load_privatekey(crypto.FILETYPE_PEM, open(self.key.path, 'rt').read())
req = crypto.X509Req()
subj = req.get_subject()
for key, value in name.items():
setattr(subj, key, value)
req.set_pubkey(pkey)
req.sign(pkey, "sha256".encode('ascii','ignore'))
return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req).decode('utf-8')
def generate(self, module):
'''Generate the certificate signing request.'''
if not os.path.exists(self.path) or self.force:
req = crypto.X509Req()
req.set_version(self.version)
subject = req.get_subject()
for (key, value) in self.subject.items():
if value is not None:
setattr(subject, key, value)
if self.subjectAltName is not None:
req.add_extensions([crypto.X509Extension(b"subjectAltName", False, self.subjectAltName.encode('ascii'))])
privatekey_content = open(self.privatekey_path).read()
self.privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, privatekey_content)
req.set_pubkey(self.privatekey)
req.sign(self.privatekey, self.digest)
self.request = req
try:
csr_file = open(self.path, 'wb')
csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request))
csr_file.close()
except (IOError, OSError) as exc:
raise CertificateSigningRequestError(exc)
else:
self.changed = False
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def test_gen_unicode(self):
"""
Domains are encoded using IDNA and names using Unicode.
"""
options = self.parseArguments([
self.command_name,
u'--common-name=domain-\u20acuro.com',
u'--key-size=512',
u'--alternative-name=DNS:www.domain-\u20acuro.com,IP:127.0.0.1',
u'--email=name@domain-\u20acuro.com',
u'--organization=OU Nam\u20acuro',
u'--organization-unit=OU Unit\u20acuro',
u'--locality=Som\u20acwhere',
u'--state=Stat\u20ac',
u'--country=GB',
])
result = generate_csr(options)
csr = crypto.dump_certificate_request(
crypto.FILETYPE_PEM, result['csr'])
self.assertEqual(csr, result['csr_pem'])
subject = result['csr'].get_subject()
self.assertEqual(u'xn--domain-uro-x77e.com', subject.commonName)
self.assertEqual(
u'*****@*****.**', subject.emailAddress)
self.assertEqual(u'OU Nam\u20acuro', subject.organizationName)
self.assertEqual(u'OU Unit\u20acuro', subject.organizationalUnitName)
self.assertEqual(u'Som\u20acwhere', subject.localityName)
self.assertEqual(u'Stat\u20ac', subject.stateOrProvinceName)
self.assertEqual(u'GB', subject.countryName)
def create_certificate_signing_request(subjectKey,
subjectInfo,
version = 0,
hash = 'sha1'):
"""
Create a certificate signing request (CSR) and return CSR
in PEM and text formats.
:param subjectKey: Subject private RSA key in PEM format.
:type subjectKey: str
:param subjectInfo: Subject information.
:type subjectInfo: dict
:returns tuple -- (CSR in PEM format, CSR as Text).
"""
skey = crypto.load_privatekey(crypto.FILETYPE_PEM, subjectKey)
req = crypto.X509Req()
subj = req.get_subject()
fill_x509name_from_info(subj, subjectInfo)
req.set_pubkey(skey)
req.set_version(version)
req.sign(skey, hash)
csr_pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
# FIXME: needs crypto.FILETYPE_TEXT
csr_text = '???'
return (csr_pem, csr_text)
def _generate_csr(self, pkey, key_obj, cleaned_data):
req = crypto.X509Req()
req.set_pubkey(pkey)
subject = req.get_subject()
for attr, value in cleaned_data.items():
if value:
if attr == 'subjectAlternativeNames':
req.add_extensions([
crypto.X509Extension('subjectAltName', False, ", ".join(
"DNS.{i}:{domain}".format(i=i, domain=domain)
for i, domain in enumerate(value)
))
])
else:
setattr(subject, attr, value)
cn = cleaned_data['commonName']
# Strip www. from the common name
if cn.startswith(WWW):
cn = cn[len(WWW):]
req.sign(pkey, "sha256")
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
csr_obj = CertificateSigningRequest(domain=cn, key=key_obj, content=csr)
return csr_obj
def test_issue_certificate_request_set_subject(self):
req = certificate_utils.get_valid_csr_object()
subj = req.get_subject()
subj.countryName = 'US'
subj.stateOrProvinceName = 'OR'
subj.localityName = 'Testlandia'
subj.organizationName = 'Testers Anon'
subj.organizationalUnitName = 'Testers OU'
subj.commonName = 'Testing'
req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
req_enc = base64.b64encode(req_enc)
order_meta = {'request_data': req_enc}
resp = self.plugin.issue_certificate_request(self.order_id,
order_meta, {},
self.barbican_meta_dto)
cert = crypto.load_certificate(
crypto.FILETYPE_PEM, resp.certificate.decode('base64'))
cert_subj = cert.get_subject()
self.assertEqual('US', cert_subj.C)
self.assertEqual('OR', cert_subj.ST)
self.assertEqual('Testlandia', cert_subj.L)
self.assertEqual('Testers Anon', cert_subj.O)
self.assertEqual('Testers OU', cert_subj.OU)
self.assertEqual('Testing', cert_subj.CN)
def generate_csr(file, key, locality, cn, alt=[], log=None):
san = []
san.append("DNS: %s" % cn)
for i in alt:
san.append("DNS: %s" % i)
san = ", ".join(san)
req = crypto.X509Req()
req.get_subject().CN = cn
if locality.get("country", None):
req.get_subject().countryName = locality["country"]
if locality.get("state", None):
req.get_subject().stateOrProvinceName = locality["state"]
if locality.get("city", None):
req.get_subject().localityName = locality["city"]
if locality.get("organization", None):
req.get_subject().organizationName = locality["organization"]
if locality.get("organizationUnit", None):
req.get_subject().organizationalUnitName = locality["organizationUnit"]
if log:
log.debug(req.get_subject())
x509_extensions = []
if san:
san_constraint = crypto.X509Extension(b"subjectAltName", False, str.encode(san))
x509_extensions.append(san_constraint)
req.add_extensions(x509_extensions)
req.set_pubkey(key)
req.sign(key, "sha256")
with open(file, "wb") as f:
f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
os.chmod(file, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)
return req
def import_csr_file(csrfile, data):
"""Import a CSR file, which can be either PEM or DER.
:param str csrfile: CSR filename
:param str data: contents of the CSR file
:returns: (`crypto.FILETYPE_PEM`,
util.CSR object representing the CSR,
list of domains requested in the CSR)
:rtype: tuple
"""
PEM = crypto.FILETYPE_PEM
load = crypto.load_certificate_request
try:
# Try to parse as DER first, then fall back to PEM.
csr = load(crypto.FILETYPE_ASN1, data)
except crypto.Error:
try:
csr = load(PEM, data)
except crypto.Error:
raise errors.Error("Failed to parse CSR file: {0}".format(csrfile))
domains = _get_names_from_loaded_cert_or_req(csr)
# Internally we always use PEM, so re-encode as PEM before returning.
data_pem = crypto.dump_certificate_request(PEM, csr)
return PEM, util.CSR(file=csrfile, data=data_pem, form="pem"), domains
def issue_certificate(self, cert_req):
'''Certificate issuing from a callout to an OpenSSL executable
@param cert_req: Certificate request to use
@return: output certificate
'''
try:
out_cert_file = tempfile.NamedTemporaryFile(delete=False)
in_csr_file = tempfile.NamedTemporaryFile(delete=False)
s_cert_req = crypto.dump_certificate_request(crypto.FILETYPE_PEM,
cert_req)
in_csr_file.seek(0)
in_csr_file.write(s_cert_req)
in_csr_file.close()
cmd_tmpl = string.Template(self.cert_issue_cmd)
populated_cmd = cmd_tmpl.substitute(in_csr=in_csr_file.name,
out_cert=out_cert_file.name)
log.debug('Executing command to issue certificate: %r',
populated_cmd)
cmd_args = populated_cmd.split()
proc = subprocess.Popen(cmd_args,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
stdoutdata, stderrdata = proc.communicate()
if proc.returncode == 0:
if stdoutdata:
log.info('stdout message: \'%s\'; for command: %r',
stdoutdata,
populated_cmd)
if stderrdata:
log.info('stderr message: \'%s\'; for command: %r',
stderrdata,
populated_cmd)
out_cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
open(out_cert_file.name).read())
else:
error_msg = ''
if stdoutdata:
error_msg += ('stdout message: \'%s\'; for command: %r' %
(stdoutdata, populated_cmd))
if stderrdata:
error_msg += ('stderr message: \'%s\'; for command: %r' %
(stderrdata, populated_cmd))
raise CertificateIssuingError('Error issuing certificate: %s' %
error_msg)
finally:
os.unlink(in_csr_file.name)
os.unlink(out_cert_file.name)
return out_cert
def test_dump_certificate_request(self):
"""
L{dump_certificate_request} writes a PEM, DER, and text.
"""
req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM)
dumped_pem = dump_certificate_request(FILETYPE_PEM, req)
self.assertEqual(dumped_pem, cleartextCertificateRequestPEM)
dumped_der = dump_certificate_request(FILETYPE_ASN1, req)
good_der = self._runopenssl(dumped_pem, "req", "-outform", "DER")
self.assertEqual(dumped_der, good_der)
req2 = load_certificate_request(FILETYPE_ASN1, dumped_der)
dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2)
self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM)
dumped_text = dump_certificate_request(FILETYPE_TEXT, req)
good_text = self._runopenssl(dumped_pem, "req", "-noout", "-text")
self.assertEqual(dumped_text, good_text)
def generate_csr():
request_data = json.loads(request.data.decode())
csr_filename = str(request_data['csrFilename'])
with open(CERTIFICATE_SIGNING_REQUEST_DIR + csr_filename, "w+") as csr_file:
certificate_signing_request = crypto.X509Req()
certificate_signing_request.get_subject().CN = str(request_data['commonName'])
certificate_signing_request.get_subject().O = str(request_data['organization'])
certificate_signing_request.get_subject().OU = str(request_data['organizationalUnit'])
certificate_signing_request.get_subject().L = str(request_data['city'])
certificate_signing_request.get_subject().ST = str(request_data['state'])
certificate_signing_request.get_subject().C = str(request_data['country'])
certificate_signing_request.get_subject().emailAddress = str(request_data['email'])
selected_pkey_filename = str(request_data['private_key'])
try:
if 'passphrase' in request_data:
selected_pkey_passphrase = str(request_data['passphrase'])
selected_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(PRIVATE_KEY_DIR + selected_pkey_filename).read(), selected_pkey_passphrase)
else:
selected_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(PRIVATE_KEY_DIR + selected_pkey_filename).read())
certificate_signing_request.set_pubkey(selected_key)
certificate_signing_request.sign(selected_key, "sha256")
print csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, certificate_signing_request))
csr_file.seek(0)
csr_data = csr_file.read()
responseObject = {}
responseObject['csr'] = csr_data,
responseObject['message'] = 'CSR successfully created.'
return jsonify(responseObject), 201
except Error, error:
return jsonify(str(error)), 400
def create_certreq(CN, keyPair, messageDigest=MESSAGE_DIGEST_TYPE):
"""Create a certificate request.
@type CN: basestring
@param CN: Common Name for certificate - effectively the same as the
username for the MyProxy credential
@type keyPair: string/None
@param keyPair: public/private key pair
@type messageDigest: basestring
@param messageDigest: message digest type - default is MD5
@rtype: base string
@return certificate request PEM text and private key PEM text
"""
# Check all required certificate request DN parameters are set
# Create certificate request
certReq = crypto.X509Req()
# Create public key object
certReq.set_pubkey(keyPair)
# Add the public key to the request
certReq.sign(keyPair, messageDigest)
derCertReq = crypto.dump_certificate_request(crypto.FILETYPE_ASN1,
certReq)
return derCertReq
def generate_csr(customer_data, pkey_obj):
"""
Generate a CSR using the customer data and OpenSSL.crypto.PKEY object.
:param customer_data: Dictionary that includes all customer data required for the certificate and the partner name.
:param pkey_obj: OpenSSL.crypto.PKEY object used to sign the CSR and to be associated with the certificate.
:return CSR PEM string.
"""
if not isinstance(pkey_obj, crypto.PKey):
raise ValueError('OpenSSL crypto.PKey Type Required For Private Key')
req = crypto.X509Req()
req.get_subject().organizationName = customer_data.get('partner_name')
req.get_subject().CN = '%s %s' % (customer_data.get('first_name'), customer_data.get('last_name'))
req.get_subject().countryName = customer_data.get('country')
req.get_subject().localityName = customer_data.get('city')
req.get_subject().stateOrProvinceName = customer_data.get('state')
req.get_subject().street = customer_data.get('street_address')
req.get_subject().postalCode = customer_data.get('postal_code')
base_constraints = ([
crypto.X509Extension("keyUsage", False, "Digital Signature, Non Repudiation, Key Encipherment"),
crypto.X509Extension("basicConstraints", False, "CA:FALSE")
])
req.add_extensions(base_constraints)
req.set_pubkey(pkey_obj)
req.sign(pkey_obj, 'sha256')
return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
def update(self, param):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
request = getParam(param, "request", optional)
spkac = getParam(param, "spkac", optional)
certificate = getParam(param, "certificate", optional)
generate = getParam(param, "genkey", optional)
if request or generate:
# If we do not upload a user certificate, then we need a CA do
# sign the uploaded request or generated certificate.
ca = getParam(param, "ca", required)
self.add_tokeninfo("CA", ca)
cacon = get_caconnector_object(ca)
if request:
# During the initialization process, we need to create the
# certificate
x509object = cacon.sign_request(request,
options={"spkac": spkac})
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
elif generate:
# Create the certificate on behalf of another user.
# Now we need to create the key pair,
# the request
# and the certificate
# We need the user for whom the certificate should be created
user = get_user_from_param(param, optionalOrRequired=required)
keysize = getParam(param, "keysize", optional, 2048)
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, keysize)
req = crypto.X509Req()
req.get_subject().CN = user.login
# Add email to subject
if user.info.get("email"):
req.get_subject().emailAddress = user.info.get("email")
req.get_subject().organizationalUnitName = user.realm
# TODO: Add Country, Organization, Email
# req.get_subject().countryName = 'xxx'
# req.get_subject().stateOrProvinceName = 'xxx'
# req.get_subject().localityName = 'xxx'
# req.get_subject().organizationName = 'xxx'
req.set_pubkey(key)
req.sign(key, "sha256")
x509object = cacon.sign_request(crypto.dump_certificate_request(
crypto.FILETYPE_PEM, req))
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
# Save the private key to the encrypted key field of the token
s = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
self.add_tokeninfo("privatekey", s, value_type="password")
if certificate:
self.add_tokeninfo("certificate", certificate)
def make_csr(private_key_pem, domains, must_staple=False):
"""Generate a CSR containing a list of domains as subjectAltNames.
:param buffer private_key_pem: Private key, in PEM PKCS#8 format.
:param list domains: List of DNS names to include in subjectAltNames of CSR.
:param bool must_staple: Whether to include the TLS Feature extension (aka
OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
:returns: buffer PEM-encoded Certificate Signing Request.
"""
private_key = crypto.load_privatekey(
crypto.FILETYPE_PEM, private_key_pem)
csr = crypto.X509Req()
extensions = [
crypto.X509Extension(
b'subjectAltName',
critical=False,
value=', '.join('DNS:' + d for d in domains).encode('ascii')
),
]
if must_staple:
extensions.append(crypto.X509Extension(
b"1.3.6.1.5.5.7.1.24",
critical=False,
value=b"DER:30:03:02:01:05"))
csr.add_extensions(extensions)
csr.set_pubkey(private_key)
csr.set_version(2)
csr.sign(private_key, 'sha256')
return crypto.dump_certificate_request(
crypto.FILETYPE_PEM, csr)
def test_default_gen(self):
"""
By default it will serialized the key without password and generate
the csr without alternative name and just the common name.
"""
options = self.parseArguments([
self.command_name,
'--common-name=domain.com',
])
result = generate_csr(options)
# OpenSSL.crypto.PKey has no equality so we need to compare the
# serialization.
self.assertEqual(2048L, result['key'].bits())
self.assertEqual(crypto.TYPE_RSA, result['key'].type())
key = crypto.dump_privatekey(crypto.FILETYPE_PEM, result['key'])
self.assertEqual(key, result['key_pem'])
# For CSR we can not get extensions so we only check the subject.
csr = crypto.dump_certificate_request(
crypto.FILETYPE_PEM, result['csr'])
self.assertEqual(csr, result['csr_pem'])
subject = result['csr'].get_subject()
self.assertEqual(u'domain.com', subject.commonName)
self.assertIsNone(subject.emailAddress)
self.assertIsNone(subject.organizationName)
self.assertIsNone(subject.organizationalUnitName)
self.assertIsNone(subject.localityName)
self.assertIsNone(subject.stateOrProvinceName)
self.assertIsNone(subject.countryName)
self.assertEqual(0, result['csr'].get_version())
def create_cert_req(key_pair, message_digest=MESSAGE_DIGEST_TYPE):
"""Create a certificate request.
:type key_pair: string/None
:param key_pair: public/private key pair
:type message_digest: basestring
:param message_digest: message digest type - default is MD5
:rtype: base string
:return: certificate request PEM text and private key PEM text
"""
# Check all required certificate request DN parameters are set
# Create certificate request
cert_req = crypto.X509Req()
# Create public key object
cert_req.set_pubkey(key_pair)
# Add the public key to the request
cert_req.sign(key_pair, message_digest)
cert_req_s = crypto.dump_certificate_request(crypto.FILETYPE_PEM,
cert_req)
return cert_req_s
def _generate_csr_from_private_key(order_model, project_model):
"""Generate a CSR from the private key.
:param: order_model - order for the request
:param: project_model - project for this request
:return: CSR (certificate signing request) in PEM format
:raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
:class:`StoredKeyContainerNotFound` if container not found
"""
container_id, container = _get_container_from_order_meta(order_model, project_model)
if not container:
raise excep.StoredKeyContainerNotFound(container_id)
passphrase = None
private_key = None
for cs in container.container_secrets:
secret_repo = repos.get_secret_repository()
if cs.name == "private_key":
private_key_model = secret_repo.get(cs.secret_id, project_model.external_id)
private_key = plugin.get_secret("application/pkcs8", private_key_model, project_model)
elif cs.name == "private_key_passphrase":
passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id)
passphrase = plugin.get_secret("text/plain;charset=utf-8", passphrase_model, project_model)
passphrase = str(passphrase)
if not private_key:
raise excep.StoredKeyPrivateKeyNotFound(container.id)
if passphrase is None:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
else:
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase)
subject_name = order_model.meta.get("subject_dn")
subject_name_dns = ldap.dn.str2dn(subject_name)
extensions = order_model.meta.get("extensions", None)
req = crypto.X509Req()
subj = req.get_subject()
# Note: must iterate over the DNs in reverse order, or the resulting
# subject name will be reversed.
for ava in reversed(subject_name_dns):
for key, val, extra in ava:
setattr(subj, key.upper(), val)
req.set_pubkey(pkey)
if extensions:
# TODO(alee-3) We need code here to parse the encoded extensions and
# convert them into X509Extension objects. This code will also be
# used in the validation code. Commenting out for now till we figure
# out how to do this.
# req.add_extensions(extensions)
pass
req.sign(pkey, "sha256")
csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
return csr
def csr(self):
key = crypto.load_privatekey(FILETYPE_PEM, self.private_key)
csr = crypto.X509Req()
csr.get_subject().CN = "AWS IoT Certificate"
csr.get_subject().O = "Amazon"
csr.set_pubkey(key)
csr.sign(key, "sha256")
return str(crypto.dump_certificate_request(FILETYPE_PEM, csr), "utf8")
def generate(self, module):
'''Generate the certificate signing request.'''
if not self.check(module, perms_required=False) or self.force:
req = crypto.X509Req()
req.set_version(self.version - 1)
subject = req.get_subject()
for entry in self.subject:
if entry[1] is not None:
# Workaround for https://github.com/pyca/pyopenssl/issues/165
nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0]))
if nid == 0:
raise CertificateSigningRequestError('Unknown subject field identifier "{0}"'.format(entry[0]))
res = OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
if res == 0:
raise CertificateSigningRequestError('Invalid value for subject field identifier "{0}": {1}'.format(entry[0], entry[1]))
extensions = []
if self.subjectAltName:
altnames = ', '.join(self.subjectAltName)
try:
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
except OpenSSL.crypto.Error as e:
raise CertificateSigningRequestError(
'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format(
', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e)
)
)
if self.keyUsage:
usages = ', '.join(self.keyUsage)
extensions.append(crypto.X509Extension(b"keyUsage", self.keyUsage_critical, usages.encode('ascii')))
if self.extendedKeyUsage:
usages = ', '.join(self.extendedKeyUsage)
extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii')))
if self.basicConstraints:
usages = ', '.join(self.basicConstraints)
extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii')))
if self.ocspMustStaple:
extensions.append(crypto.X509Extension(MUST_STAPLE_NAME, self.ocspMustStaple_critical, MUST_STAPLE_VALUE))
if extensions:
req.add_extensions(extensions)
req.set_pubkey(self.privatekey)
req.sign(self.privatekey, self.digest)
self.request = req
result = crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request)
crypto_utils.write_file(module, result)
self.changed = True
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def generate(self, module):
'''Generate the certificate signing request.'''
if not self.check(module, perms_required=False) or self.force:
req = crypto.X509Req()
req.set_version(self.version - 1)
subject = req.get_subject()
for (key, value) in self.subject.items():
if value is not None:
setattr(subject, key, value)
altnames = ', '.join(self.subjectAltName)
extensions = [
crypto.X509Extension(b"subjectAltName",
self.subjectAltName_critical,
altnames.encode('ascii'))
]
if self.keyUsage:
usages = ', '.join(self.keyUsage)
extensions.append(
crypto.X509Extension(b"keyUsage", self.keyUsage_critical,
usages.encode('ascii')))
if self.extendedKeyUsage:
usages = ', '.join(self.extendedKeyUsage)
extensions.append(
crypto.X509Extension(b"extendedKeyUsage",
self.extendedKeyUsage_critical,
usages.encode('ascii')))
if self.basicConstraints:
usages = ', '.join(self.basicConstraints)
extensions.append(
crypto.X509Extension(b"basicConstraints",
self.basicConstraints_critical,
usages.encode('ascii')))
req.add_extensions(extensions)
req.set_pubkey(self.privatekey)
req.sign(self.privatekey, self.digest)
self.request = req
try:
csr_file = open(self.path, 'wb')
csr_file.write(
crypto.dump_certificate_request(crypto.FILETYPE_PEM,
self.request))
csr_file.close()
except (IOError, OSError) as exc:
raise CertificateSigningRequestError(exc)
self.changed = True
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def issue_certificate(self, cert_req):
'''Certificate issuing from a callout to an OpenSSL executable
@param cert_req: Certificate request to use
@return: output certificate
'''
try:
out_cert_file = tempfile.NamedTemporaryFile(delete=False)
in_csr_file = tempfile.NamedTemporaryFile(delete=False)
s_cert_req = crypto.dump_certificate_request(
crypto.FILETYPE_PEM, cert_req)
in_csr_file.seek(0)
in_csr_file.write(s_cert_req)
in_csr_file.close()
cmd_tmpl = string.Template(self.cert_issue_cmd)
populated_cmd = cmd_tmpl.substitute(in_csr=in_csr_file.name,
out_cert=out_cert_file.name)
log.debug('Executing command to issue certificate: %r',
populated_cmd)
cmd_args = populated_cmd.split()
proc = subprocess.Popen(cmd_args,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
stdoutdata, stderrdata = proc.communicate()
if proc.returncode == 0:
if stdoutdata:
log.info('stdout message: \'%s\'; for command: %r',
stdoutdata, populated_cmd)
if stderrdata:
log.info('stderr message: \'%s\'; for command: %r',
stderrdata, populated_cmd)
out_cert = crypto.load_certificate(
crypto.FILETYPE_PEM,
open(out_cert_file.name).read())
else:
error_msg = ''
if stdoutdata:
error_msg += ('stdout message: \'%s\'; for command: %r' %
(stdoutdata, populated_cmd))
if stderrdata:
error_msg += ('stderr message: \'%s\'; for command: %r' %
(stderrdata, populated_cmd))
raise CertificateIssuingError('Error issuing certificate: %s' %
error_msg)
finally:
os.unlink(in_csr_file.name)
os.unlink(out_cert_file.name)
return out_cert
def patched_createCertReq(self, CN, keyPair, messageDigest=None):
from OpenSSL import crypto
messageDigest = 'sha256'
certReq = crypto.X509Req()
certReq.set_pubkey(keyPair)
certReq.sign(keyPair, messageDigest)
derCertReq = crypto.dump_certificate_request(crypto.FILETYPE_ASN1,
certReq)
return derCertReq
def create_csr_that_has_not_been_signed():
"""Generate a CSR that has not been signed."""
key_pair = create_key_pair(crypto.TYPE_RSA, 2048)
csr = crypto.X509Req()
subject = csr.get_subject()
setattr(subject, "CN", "host.example.net")
csr.set_pubkey(key_pair)
pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
return pem
def make_certreq(self, pkey, attributes, export_file=False, **kwargs):
csr = crypto.X509Req()
subject = csr.get_subject()
for key, value in iteritems(attributes):
if value is not None:
setattr(subject, key, value)
extensions = []
for x in X509_TYPE_NAMES:
if x in kwargs:
extensions.append(
crypto.X509Extension(
ensure_binary(x), isinstance(kwargs[x], CriticalExt),
ensure_binary(', '.join(kwargs[x]), encoding='ascii')))
if kwargs.get('subject'):
if 'subjectKeyIdentifier' in kwargs:
extensions.append(
crypto.X509Extension(ensure_binary('subjectKeyIdentifier'),
isinstance(
kwargs['subjectKeyIdentifier'],
CriticalExt),
ensure_binary(', '.join(
kwargs['subjectKeyIdentifier']),
encoding='ascii'),
subject=kwargs['subject']))
if kwargs.get('issuer'):
if 'authorityKeyIdentifier' in kwargs:
extensions.append(
crypto.X509Extension(
ensure_binary('authorityKeyIdentifier'),
isinstance(kwargs['authorityKeyIdentifier'],
CriticalExt),
ensure_binary(', '.join(
kwargs['authorityKeyIdentifier']),
encoding='ascii'),
issuer=kwargs['issuer']))
if extensions:
csr.add_extensions(extensions)
csr.set_pubkey(pkey)
csr.sign(pkey, self.digest_type)
if isinstance(export_file, string_types):
dcsr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
if not os.path.exists(export_file):
open(export_file, 'wb').close()
os.chmod(export_file, 0o600)
f = open(export_file, 'wb')
f.writelines(dcsr)
f.close()
return csr
def get_request_signed(self, req):
"""Call RPyC remote method to get request signed"""
req_string = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
try:
cert = self.conn.root.sign_request(req_string, self.req_dict['CN'])
except RetryMethodError as e:
cert = self.conn.root.sign_request(req_string, self.req_dict['CN'])
with open('{0}.crt'.format(self.req_dict['CN']), 'w+') as certfile:
certfile.write(cert)
def create_csr_that_has_not_been_signed():
"""Generate a CSR that has not been signed."""
key_pair = create_key_pair(crypto.TYPE_RSA, 2048)
csr = crypto.X509Req()
subject = csr.get_subject()
setattr(subject, "CN", "host.example.net")
csr.set_pubkey(key_pair)
pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
return pem
def test_issue_certificate_request_stored_key(self):
req = certificate_utils.get_valid_csr_object()
req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
self.barbican_meta_dto.generated_csr = req_enc
resp = self.plugin.issue_certificate_request(
self.order_id, {}, {}, self.barbican_meta_dto)
crypto.load_certificate(
crypto.FILETYPE_PEM, resp.certificate.decode('base64'))
def test_issue_certificate_request_stored_key(self):
req = certificate_utils.get_valid_csr_object()
req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
self.barbican_meta_dto.generated_csr = req_enc
resp = self.plugin.issue_certificate_request(self.order_id, {}, {},
self.barbican_meta_dto)
crypto.load_certificate(crypto.FILETYPE_PEM,
base64.b64decode(resp.certificate))
def get_crt(self):
"""
Use automatic signing CA service to sign the CSR
"""
r = requests.post(
f"{self.signing_service}/get_cert",
crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.csr),
)
self.crt = r.content.decode()
def test_issue_certificate_request(self):
req = certificate_utils.get_valid_csr_object()
req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
order_meta = {'request_data': req_enc}
resp = self.plugin.issue_certificate_request(self.order_id, order_meta,
{},
self.barbican_meta_dto)
crypto.load_certificate(crypto.FILETYPE_PEM,
resp.certificate.decode('base64'))
def gencsrfiles(cn, email, C, ST, L, OU):
# Create all needed directory
result_dir = ssl_dir + '/' + cn
if not os.path.exists(ssl_dir + '/' +cn):
os.makedirs(ssl_dir + '/' +cn)
csr_file = result_dir + '/' + cn + '.csr'
key_file = result_dir + '/' + cn + '.key'
# Generate key and csr
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
# print(key())
csr = crypto.X509Req()
csr.get_subject().CN = cn
csr.get_subject().C = C
csr.get_subject().ST = ST
csr.get_subject().L = L
csr.get_subject().OU = OU
csr.get_subject().emailAddress = email
csr.set_pubkey(key)
csr.sign(key, 'sha1')
# Save results to files and print them to stdout
with open(csr_file, 'wb') as csr_f:
csr_f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr))
with open(key_file, 'wb') as key_f:
key_f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
print(" \n")
print(" ██████╗███████╗██████╗ ")
print(" ██╔════╝██╔════╝██╔══██╗ ")
print(" ██║ ███████╗██████╔╝ ")
print(" ██║ ╚════██║██╔══██╗ ")
print(" ╚██████╗███████║██║ ██║ ")
print(" ╚═════╝╚══════╝╚═╝ ╚═╝ \n")
sys.stdout.buffer.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr))
print(" \n")
print(" ██╗ ██╗███████╗██╗ ██╗")
print(" ██║ ██╔╝██╔════╝╚██╗ ██╔╝")
print(" █████╔╝ █████╗ ╚████╔╝ ")
print(" ██╔═██╗ ██╔══╝ ╚██╔╝ ")
print(" ██║ ██╗███████╗ ██║ ")
print(" ╚═╝ ╚═╝╚══════╝ ╚═╝ \n")
sys.stdout.buffer.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
def csr(self):
request = crypt.X509Req()
subject = request.get_subject()
for (k, v) in self.csr_info.items():
setattr(subject, k, v)
request.set_pubkey(self.keypair)
request.sign(self.keypair, self.DIGEST)
return crypt.dump_certificate_request(crypt.FILETYPE_PEM, request)
def _generate_csr(self):
req = crypto.X509Req()
req.set_version(self.version - 1)
subject = req.get_subject()
for entry in self.subject:
if entry[1] is not None:
# Workaround for https://github.com/pyca/pyopenssl/issues/165
nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0]))
OpenSSL._util.lib.X509_NAME_add_entry_by_NID(
subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8,
to_bytes(entry[1]), -1, -1, 0)
extensions = []
if self.subjectAltName:
altnames = ', '.join(self.subjectAltName)
extensions.append(
crypto.X509Extension(b"subjectAltName",
self.subjectAltName_critical,
altnames.encode('ascii')))
if self.keyUsage:
usages = ', '.join(self.keyUsage)
extensions.append(
crypto.X509Extension(b"keyUsage", self.keyUsage_critical,
usages.encode('ascii')))
if self.extendedKeyUsage:
usages = ', '.join(self.extendedKeyUsage)
extensions.append(
crypto.X509Extension(b"extendedKeyUsage",
self.extendedKeyUsage_critical,
usages.encode('ascii')))
if self.basicConstraints:
usages = ', '.join(self.basicConstraints)
extensions.append(
crypto.X509Extension(b"basicConstraints",
self.basicConstraints_critical,
usages.encode('ascii')))
if self.ocspMustStaple:
extensions.append(
crypto.X509Extension(OPENSSL_MUST_STAPLE_NAME,
self.ocspMustStaple_critical,
OPENSSL_MUST_STAPLE_VALUE))
if extensions:
req.add_extensions(extensions)
req.set_pubkey(self.privatekey)
req.sign(self.privatekey, self.digest)
self.request = req
return crypto.dump_certificate_request(crypto.FILETYPE_PEM,
self.request)
def _prepare_certificate_signing_request(domain, key_file, output_folder):
from OpenSSL import crypto # lazy loading this module for performance reasons
# Init a request
csr = crypto.X509Req()
# Set the domain
csr.get_subject().CN = domain
from yunohost.domain import domain_list
# For "parent" domains, include xmpp-upload subdomain in subject alternate names
if domain in domain_list(exclude_subdomains=True)["domains"]:
subdomain = "xmpp-upload." + domain
xmpp_records = (
Diagnoser.get_cached_report(
"dnsrecords", item={"domain": domain, "category": "xmpp"}
).get("data")
or {}
)
if xmpp_records.get("CNAME:xmpp-upload") == "OK":
csr.add_extensions(
[
crypto.X509Extension(
"subjectAltName".encode("utf8"),
False,
("DNS:" + subdomain).encode("utf8"),
)
]
)
else:
logger.warning(
m18n.n(
"certmanager_warning_subdomain_dns_record",
subdomain=subdomain,
domain=domain,
)
)
# Set the key
with open(key_file, "rt") as f:
key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
csr.set_pubkey(key)
# Sign the request
csr.sign(key, "sha256")
# Save the request in tmp folder
csr_file = output_folder + domain + ".csr"
logger.debug("Saving to %s.", csr_file)
with open(csr_file, "wb") as f:
f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr))
def generate_csr(target_dir, key, ip_address):
req = crypto.X509Req()
req.set_version(0x2)
req.get_subject().CN = "anyServer"
# Add the IP SAN
req.add_extensions(
[crypto.X509Extension("subjectAltName", False, ip_address)])
req.set_pubkey(key)
req.sign(key, "sha256")
return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
def create_csr_with_bad_subject_dn():
"""Generate a CSR that has a bad subject dn."""
key_pair = create_key_pair(crypto.TYPE_RSA, 2048)
csr = crypto.X509Req()
subject = csr.get_subject()
# server certs require attribute 'CN'
setattr(subject, "UID", "bar")
csr.set_pubkey(key_pair)
csr.sign(key_pair, "sha256")
pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
return pem
def handler_getCertificates():
config_data = load_config_files()
nodeInfo = config_data[0]
networkList = config_data[1]
# Privatekey of Node
key = create_key(1024)
for i in range(1, 4):
fp = open("player-" + str(i) + ".key", "w+")
fp.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
fp.close()
# Create 3 requests to CA
serial = int(nodeInfo["id"][1::])
print "CERTIFICATE SERIAL: " + str(serial)
req = []
for i in range(1, 4):
cn = "VIFF Player " + str(i)
r = create_request(key, cn)
req.append(crypto.dump_certificate_request(crypto.FILETYPE_PEM, r))
# Dinamic build of CA ip
for item in networkList:
if item["id"] == "ca":
ca_ip = item["ip"]
target = "http://" + ca_ip + ":5000/createCertificates"
payload = {"serial": serial, "req": req}
headers = {"content-type": "application/json"}
r = requests.post(target, data=json.dumps(payload), headers=headers)
# Obtain response
response = dict(json.loads(r.text))
#pretty_print('B', response)
dump_ca_cert = response['ca_cert']
fp = open("ca.cert", "w+")
fp.write(dump_ca_cert)
fp.close()
dump_certs = response['certs']
#pretty_print('D', dump_certs)
for i in range(0, 3):
fp = open("player-" + str(i + 1) + ".cert", "w+")
fp.write(dump_certs[i].encode('ascii'))
fp.close()
print dump_certs[i].encode('ascii')
print "<< CERTIFICATES GENERATED >>"
global certificate_gen
certificate_gen = True
return json.dumps({"status": "certificatesGenerated"})
def test_issue_raises_with_invalid_ca_id(self):
req = certificate_utils.get_valid_csr_object()
req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
req_enc = base64.b64encode(req_enc)
order_meta = {'request_data': req_enc}
plugin_meta = {'plugin_ca_id': "invalid_ca_id"}
self.barbican_meta_dto.plugin_ca_id = "invalid_ca_id"
self.assertRaises(cm.CertificateGeneralException,
self.plugin.issue_certificate_request, self.order_id,
order_meta, plugin_meta, self.barbican_meta_dto)
def make_csr(
private_key_pem: bytes,
domains: Optional[Union[Set[str], List[str]]] = None,
must_staple: bool = False,
ipaddrs: Optional[List[Union[ipaddress.IPv4Address,
ipaddress.IPv6Address]]] = None
) -> bytes:
"""Generate a CSR containing domains or IPs as subjectAltNames.
:param buffer private_key_pem: Private key, in PEM PKCS#8 format.
:param list domains: List of DNS names to include in subjectAltNames of CSR.
:param bool must_staple: Whether to include the TLS Feature extension (aka
OCSP Must Staple: https://tools.ietf.org/html/rfc7633).
:param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address)
names to include in subbjectAltNames of CSR.
params ordered this way for backward competablity when called by positional argument.
:returns: buffer PEM-encoded Certificate Signing Request.
"""
private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)
csr = crypto.X509Req()
sanlist = []
# if domain or ip list not supplied make it empty list so it's easier to iterate
if domains is None:
domains = []
if ipaddrs is None:
ipaddrs = []
if len(domains) + len(ipaddrs) == 0:
raise ValueError(
"At least one of domains or ipaddrs parameter need to be not empty"
)
for address in domains:
sanlist.append('DNS:' + address)
for ips in ipaddrs:
sanlist.append('IP:' + ips.exploded)
# make sure its ascii encoded
san_string = ', '.join(sanlist).encode('ascii')
# for IP san it's actually need to be octet-string,
# but somewhere downsteam thankfully handle it for us
extensions = [
crypto.X509Extension(b'subjectAltName',
critical=False,
value=san_string),
]
if must_staple:
extensions.append(
crypto.X509Extension(b"1.3.6.1.5.5.7.1.24",
critical=False,
value=b"DER:30:03:02:01:05"))
csr.add_extensions(extensions)
csr.set_pubkey(private_key)
# RFC 2986 Section 4.1 only defines version 0
csr.set_version(0)
csr.sign(private_key, 'sha256')
return crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
def encode_csr(csr: util.ComparableX509) -> str:
"""Encode CSR as JOSE Base-64 DER.
:type csr: `OpenSSL.crypto.X509Req` wrapped in `.ComparableX509`
:rtype: unicode
"""
if isinstance(csr.wrapped, crypto.X509):
raise ValueError("Error input is actually a certificate.")
return encode_b64jose(
crypto.dump_certificate_request(crypto.FILETYPE_ASN1, csr.wrapped))
def __create_csr(self, data):
# no signedby, lifetime attributes required
cert_info = get_cert_info_from_data(data)
data['type'] = CERT_TYPE_CSR
req, key = self.create_certificate_signing_request(cert_info)
data['CSR'] = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
data['privatekey'] = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
return data
def generate_files(mkFile, request):
if ".csr" in mkFile:
f = open(mkFile, "w")
f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, request))
f.close()
elif ".key" in mkFile:
f = open(mkFile, "w")
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request))
f.close()
else:
logging.debug("Failed to create CSR/Key files for %s" % (dest))
exit()
def write_files(self, mkFile, request):
if mkFile.endswith(".csr"):
with open(mkFile, "wb") as f:
f.write(
crypto.dump_certificate_request(crypto.FILETYPE_PEM,
request))
elif mkFile.endswith(".key"):
with open(mkFile, "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request))
else:
print("Failed.")
exit()
def _get_body(self):
# H2N
assert isinstance(self.cert_request, (crypto.X509Req, NoneType)), \
repr(self.cert_request)
assert isinstance(self.username, str), repr(self.username)
result = {'username': self.username}
if self.cert_request is not None:
result['SSL request'] = \
crypto.dump_certificate_request(crypto.FILETYPE_PEM,
self.cert_request)
return result
def generate(self, module):
'''Generate the certificate signing request.'''
if not self.check(module, perms_required=False) or self.force:
req = crypto.X509Req()
req.set_version(self.version - 1)
subject = req.get_subject()
for entry in self.subject:
if entry[1] is not None:
# Workaround for https://github.com/pyca/pyopenssl/issues/165
nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0]))
OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0)
extensions = []
if self.subjectAltName:
altnames = ', '.join(self.subjectAltName)
extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')))
if self.keyUsage:
usages = ', '.join(self.keyUsage)
extensions.append(crypto.X509Extension(b"keyUsage", self.keyUsage_critical, usages.encode('ascii')))
if self.extendedKeyUsage:
usages = ', '.join(self.extendedKeyUsage)
extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii')))
if self.basicConstraints:
usages = ', '.join(self.basicConstraints)
extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii')))
if self.ocspMustStaple:
extensions.append(crypto.X509Extension(MUST_STAPLE_NAME, self.ocspMustStaple_critical, MUST_STAPLE_VALUE))
if extensions:
req.add_extensions(extensions)
req.set_pubkey(self.privatekey)
req.sign(self.privatekey, self.digest)
self.request = req
try:
csr_file = open(self.path, 'wb')
csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request))
csr_file.close()
except (IOError, OSError) as exc:
raise CertificateSigningRequestError(exc)
self.changed = True
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def DumpKeyCertCsr(self):
Key = self.GetPrivateKey()
Csr = self.CreateCsr(Key)
Cert = self.CreateCert(Csr, Key)
cn = Csr.get_subject().commonName
cn = re.sub(' +', '_', cn)
#Files in PEM format
PemKeyPath = os.path.join(self.CertDir, cn + "_pkey.pem")
PemCsrPath = os.path.join(self.CertDir, cn + "_csr.pem")
PemCertPath = os.path.join(self.CertDir, cn + "_cert.pem")
if not self.OldPrivateKey:
with open(PemKeyPath, "w") as fPemPrivKey:
fPemPrivKey.write(crypto.dump_privatekey(FILETYPE_PEM, Key))
if not self.CsrFile:
with open(PemCsrPath, "w") as fPemcsr:
fPemcsr.write(
crypto.dump_certificate_request(FILETYPE_PEM, Csr))
with open(PemCertPath, "w") as fPemcert:
fPemcert.write(crypto.dump_certificate(FILETYPE_PEM, Cert))
#Files in DER (a.k.a ASN1) format
DerKeyPath = os.path.join(self.CertDir, cn + "_pkey.der")
DerCsrPath = os.path.join(self.CertDir, cn + "_csr.der")
DerCertPath = os.path.join(self.CertDir, cn + "_cert.der")
if not self.OldPrivateKey:
with open(DerKeyPath, "w") as fDerPrivKey:
fDerPrivKey.write(crypto.dump_privatekey(FILETYPE_ASN1, Key))
if not self.CsrFile:
with open(DerCsrPath, "w") as fDercsr:
fDercsr.write(
crypto.dump_certificate_request(FILETYPE_ASN1, Csr))
with open(DerCertPath, "w") as fDercert:
fDercert.write(crypto.dump_certificate(FILETYPE_ASN1, Cert))
#Files in p12/PFX format
P12CertPath = os.path.join(self.CertDir, cn + "_cert.p12")
fP12cert = open(P12CertPath, "w")
self.CreateP12(Key, Cert, fP12cert)
def gen_pkey_req(identity):
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
req = crypto.X509Req()
req.get_subject().C = ca_infra_cert.get_subject().C
req.get_subject().O = ca_infra_cert.get_subject().O
req.get_subject().OU = ca_infra_cert.get_subject().OU
req.get_subject().CN = identity
req.set_pubkey(pkey)
req.sign(pkey, "sha256")
return crypto.dump_certificate_request(crypto.FILETYPE_PEM,
req), crypto.dump_privatekey(
crypto.FILETYPE_PEM, pkey)
def test_issue_certificate_request_with_ca_id(self):
req = certificate_utils.get_valid_csr_object()
req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
req_enc = base64.b64encode(req_enc)
order_meta = {'request_data': req_enc}
plugin_meta = {'plugin_ca_id': self.plugin.get_default_ca_name()}
self.barbican_meta_dto.plugin_ca_id = self.plugin.get_default_ca_name()
resp = self.plugin.issue_certificate_request(self.order_id, order_meta,
plugin_meta,
self.barbican_meta_dto)
crypto.load_certificate(crypto.FILETYPE_PEM,
base64.b64decode(resp.certificate))
def generateFiles(self, mkFile, request):
"""Generate .csr/key files.
"""
with open(mkFile, "w") as f:
if ".csr" in mkFile:
f.write(
crypto.dump_certificate_request(crypto.FILETYPE_PEM,
request))
elif ".key" in mkFile:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request))
else:
self.output("[!] Failed to create CSR/Key files",
level=logging.ERROR)
def generateRequest(self,
keyType=crypto.TYPE_RSA,
bits=2048,
messageDigest="sha1"):
"""Generate a request and return the PEM-encoded PKCS10 object."""
logging.info("Generating private keys and certificate request.")
self.request = crypto.X509Req()
self.privateKey = crypto.PKey()
self.privateKey.generate_key(keyType, bits)
self.request.set_pubkey(self.privateKey)
self.request.sign(self.privateKey, messageDigest)
return crypto.dump_certificate_request(crypto.FILETYPE_PEM,
self.request)
