def generateFiles(mkFile, request): if '.csr' in mkFile: f = open(mkFile, "w") f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, request)) f.close() print crypto.dump_certificate_request(crypto.FILETYPE_PEM, request) elif '.key' in mkFile: f = open(mkFile, "w") f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request)) f.close() else: print "Failed." exit()
def generateFiles(mkFile, request): '''Generates CSR file and private key file used to generate CSR''' if mkFile == str(args.name) + '.csr': f = open(mkFile, "w") f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, request)) f.close() print ("CSR below, copy and paste into StartSSL's certificates wizard\n") print crypto.dump_certificate_request(crypto.FILETYPE_PEM, request) elif mkFile == str(args.name) + '.key': f = open(mkFile, "w") f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request)) f.close() else: print "Failed." exit()
def create_cert_req(keyType = crypto.TYPE_RSA, bits = 1024, messageDigest = "md5"): """ Create certificate request. Returns: certificate request PEM text, private key PEM text """ # Create certificate request req = crypto.X509Req() # Generate private key pkey = crypto.PKey() pkey.generate_key(keyType, bits) req.set_pubkey(pkey) req.sign(pkey, messageDigest) cert_req_pem = crypto.dump_certificate_request(crypto.FILETYPE_ASN1,req) key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM,pkey) # Nasty OpenSSL 1.0 Hack # OpenSSL 1.0 changes the headers from "RSA PRIVATE KEY" to "PRIVATE KEY" try: ssl_version = SSL.SSLeay_version(SSL.SSLEAY_VERSION) logger.debug('Using SSL: ' + ssl_version) if ssl_version.startswith("OpenSSL 1"): key_pem = re.sub(r'BEGIN PRIVATE KEY', r'BEGIN RSA PRIVATE KEY', key_pem) key_pem = re.sub(r'END PRIVATE KEY', r'END RSA PRIVATE KEY', key_pem) except Exception, e: logger.warn('Using older version of openSSL without SSLeay_version: %s' + e)
def make_csr(pkey, dest=None, cn=None, hostname=None, emailaddr=None): req = crypto.X509Req() req.get_subject() subj = req.get_subject() subj.C = def_country subj.ST = def_state subj.L = def_local subj.O = def_org subj.OU = def_ou if cn: subj.CN = cn elif hostname: subj.CN = hostname else: subj.CN = utils.gethostname() if emailaddr: subj.emailAddress = emailaddr else: subj.emailAddress = 'root@%s' % subj.CN req.set_pubkey(pkey) req.sign(pkey, 'md5') if dest: destfd = os.open(dest, os.O_RDWR|os.O_CREAT, 0644) os.write(destfd, crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)) os.close(destfd) return req
def storePKIUserCertificate(self, user, hostname, certificate, obj, password=None): """Store a given PKI object into a file @param user [User] the user to which the certificate is associated @param hostname [Hostname] the hostname to which the certificate is associated @param certificate [Certificate] the Certificate instance associated with the file @param obj [X509/PKey] The object that will be dump to the file @param password [str] OPTIONNAL : an optionnal passphrase to use for encrypt the output (if available) """ path = (self.__new_cert_directory + str(user.id) + "/" + str(hostname.id) + "/") self.makePath(path) bytes_ = None if isinstance(obj, OpenSSL.crypto.X509): bytes_ = crypto.dump_certificate(crypto.FILETYPE_PEM, obj) path += str(certificate.id) + ".crt" if isinstance(obj, OpenSSL.crypto.X509Req): bytes_ = crypto.dump_certificate_request(crypto.FILETYPE_PEM, obj) path += str(certificate.id) + ".csr" elif isinstance(obj, OpenSSL.crypto.PKey): if isinstance(password, str): bytes_ = crypto.dump_privatekey(crypto.FILETYPE_PEM, obj, self.__cipher, password.encode()) else: bytes_ = crypto.dump_privatekey(crypto.FILETYPE_PEM, obj) path += str(certificate.id) + ".key" assert bytes_ is not None self.storeBytesToFile(bytes_, path)
def run(self, certificate): try: certificate['key_length'] = certificate.get('key_length', 2048) certificate['digest_algorithm'] = certificate.get('digest_algorithm', 'SHA256') certificate['lifetime'] = certificate.get('lifetime', 3650) key = generate_key(certificate['key_length']) req = crypto.X509Req() req.get_subject().C = certificate['country'] req.get_subject().ST = certificate['state'] req.get_subject().L = certificate['city'] req.get_subject().O = certificate['organization'] req.get_subject().CN = certificate['common'] req.get_subject().emailAddress = certificate['email'] req.set_pubkey(key) req.sign(key, str(certificate['digest_algorithm'])) certificate['type'] = 'CERT_CSR' certificate['csr'] = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) certificate['privatekey'] = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) pkey = self.datastore.insert('crypto.certificates', certificate) self.dispatcher.call_sync('etcd.generation.generate_group', 'crypto') except DatastoreException, e: raise TaskException(errno.EBADMSG, 'Cannot create CSR: {0}'.format(str(e)))
def generate_csr(certificate): pkey_type = crypto.TYPE_RSA pkey_bits = 2048 digest_type = 'md5' pkey = crypto.PKey() pkey.generate_key(pkey_type, pkey_bits) #certificate.private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey) #certificate.save() req = crypto.X509Req() subj = req.get_subject() for key in certificate.openssl_arg_map: if not getattr(certificate, key) in [None, '']: setattr(subj, certificate.openssl_arg_map[key], getattr(certificate, key)) # TODO : add sans : http://stackoverflow.com/a/25714864/168874 # We are not adding oids like streetAddress and postalCode to the CSR req.set_pubkey(pkey) req.sign(pkey, digest_type) #certificate.certificate_request = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) #certificate.save() return (dump_rsa_privatekey(pkey), crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
def _gen_csr(self, key, alternate_names, wildcard): csr = crypto.X509Req() subj = csr.get_subject() domain = self.domain if wildcard: domain = '*.{}'.format(self.domain) setattr(subj, 'CN', domain) for k, n in X509Wrapper.subject_assoc: value = self.config.get(self.domain, n, fallback='') if value != '': setattr(subj, k, value) csr.set_pubkey(key) if alternate_names: ca = crypto.X509Extension(b'basicConstraints', False, b'CA:FALSE') key_usage = crypto.X509Extension( b'keyUsage', False, b'digitalSignature, nonRepudiation, keyEncipherment' ) names = ', '.join('DNS:{}'.format(n) for n in alternate_names) subject_alt_name = crypto.X509Extension( b'subjectAltName', False, bytes(names, encoding=encoding) ) csr.add_extensions([ca, key_usage, subject_alt_name]) csr.sign(key, self.config.get(self.domain, 'digest')) pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr) with open(self.csr_path, 'xb') as f: f.write(pem) return (csr, pem)
def create_cert_req(key_pair, cn ,message_digest="md5"): """Create a certificate request. @type CN: basestring @param CN: Common Name for certificate - effectively the same as the username for the MyProxy credential @type keyPair: string/None @param keyPair: public/private key pair @type messageDigest: basestring @param messageDigest: message digest type - default is MD5 @rtype: base string @return certificate request PEM text and private key PEM text """ # Check all required certifcate request DN parameters are set # Create certificate request cert_req = crypto.X509Req() # Create public key object cert_req.set_pubkey(key_pair) cert_req.get_subject().CN=cn # Add the public key to the request cert_req.sign(key_pair, message_digest) cert_req = crypto.dump_certificate_request(crypto.FILETYPE_PEM, cert_req) return cert_req
def createCertRequest(self, **name): """ Create a certificate request. Arguments: pkey - The key to associate with the request digest - Digestion method to use for signing, default is sha256 **name - The name of the subject of the request, possible arguments are: C - Country name ST - State or province name L - Locality name O - Organization name OU - Organizational unit name CN - Common name emailAddress - E-mail address Returns: The certificate request in an X509Req object """ pkey=crypto.load_privatekey(crypto.FILETYPE_PEM, open(self.key.path, 'rt').read()) req = crypto.X509Req() subj = req.get_subject() for key, value in name.items(): setattr(subj, key, value) req.set_pubkey(pkey) req.sign(pkey, "sha256".encode('ascii','ignore')) return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req).decode('utf-8')
def generate(self, module): '''Generate the certificate signing request.''' if not os.path.exists(self.path) or self.force: req = crypto.X509Req() req.set_version(self.version) subject = req.get_subject() for (key, value) in self.subject.items(): if value is not None: setattr(subject, key, value) if self.subjectAltName is not None: req.add_extensions([crypto.X509Extension(b"subjectAltName", False, self.subjectAltName.encode('ascii'))]) privatekey_content = open(self.privatekey_path).read() self.privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, privatekey_content) req.set_pubkey(self.privatekey) req.sign(self.privatekey, self.digest) self.request = req try: csr_file = open(self.path, 'wb') csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request)) csr_file.close() except (IOError, OSError) as exc: raise CertificateSigningRequestError(exc) else: self.changed = False file_args = module.load_file_common_arguments(module.params) if module.set_fs_attributes_if_different(file_args, False): self.changed = True
def test_gen_unicode(self): """ Domains are encoded using IDNA and names using Unicode. """ options = self.parseArguments([ self.command_name, u'--common-name=domain-\u20acuro.com', u'--key-size=512', u'--alternative-name=DNS:www.domain-\u20acuro.com,IP:127.0.0.1', u'--email=name@domain-\u20acuro.com', u'--organization=OU Nam\u20acuro', u'--organization-unit=OU Unit\u20acuro', u'--locality=Som\u20acwhere', u'--state=Stat\u20ac', u'--country=GB', ]) result = generate_csr(options) csr = crypto.dump_certificate_request( crypto.FILETYPE_PEM, result['csr']) self.assertEqual(csr, result['csr_pem']) subject = result['csr'].get_subject() self.assertEqual(u'xn--domain-uro-x77e.com', subject.commonName) self.assertEqual( u'*****@*****.**', subject.emailAddress) self.assertEqual(u'OU Nam\u20acuro', subject.organizationName) self.assertEqual(u'OU Unit\u20acuro', subject.organizationalUnitName) self.assertEqual(u'Som\u20acwhere', subject.localityName) self.assertEqual(u'Stat\u20ac', subject.stateOrProvinceName) self.assertEqual(u'GB', subject.countryName)
def create_certificate_signing_request(subjectKey, subjectInfo, version = 0, hash = 'sha1'): """ Create a certificate signing request (CSR) and return CSR in PEM and text formats. :param subjectKey: Subject private RSA key in PEM format. :type subjectKey: str :param subjectInfo: Subject information. :type subjectInfo: dict :returns tuple -- (CSR in PEM format, CSR as Text). """ skey = crypto.load_privatekey(crypto.FILETYPE_PEM, subjectKey) req = crypto.X509Req() subj = req.get_subject() fill_x509name_from_info(subj, subjectInfo) req.set_pubkey(skey) req.set_version(version) req.sign(skey, hash) csr_pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) # FIXME: needs crypto.FILETYPE_TEXT csr_text = '???' return (csr_pem, csr_text)
def _generate_csr(self, pkey, key_obj, cleaned_data): req = crypto.X509Req() req.set_pubkey(pkey) subject = req.get_subject() for attr, value in cleaned_data.items(): if value: if attr == 'subjectAlternativeNames': req.add_extensions([ crypto.X509Extension('subjectAltName', False, ", ".join( "DNS.{i}:{domain}".format(i=i, domain=domain) for i, domain in enumerate(value) )) ]) else: setattr(subject, attr, value) cn = cleaned_data['commonName'] # Strip www. from the common name if cn.startswith(WWW): cn = cn[len(WWW):] req.sign(pkey, "sha256") csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) csr_obj = CertificateSigningRequest(domain=cn, key=key_obj, content=csr) return csr_obj
def test_issue_certificate_request_set_subject(self): req = certificate_utils.get_valid_csr_object() subj = req.get_subject() subj.countryName = 'US' subj.stateOrProvinceName = 'OR' subj.localityName = 'Testlandia' subj.organizationName = 'Testers Anon' subj.organizationalUnitName = 'Testers OU' subj.commonName = 'Testing' req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) req_enc = base64.b64encode(req_enc) order_meta = {'request_data': req_enc} resp = self.plugin.issue_certificate_request(self.order_id, order_meta, {}, self.barbican_meta_dto) cert = crypto.load_certificate( crypto.FILETYPE_PEM, resp.certificate.decode('base64')) cert_subj = cert.get_subject() self.assertEqual('US', cert_subj.C) self.assertEqual('OR', cert_subj.ST) self.assertEqual('Testlandia', cert_subj.L) self.assertEqual('Testers Anon', cert_subj.O) self.assertEqual('Testers OU', cert_subj.OU) self.assertEqual('Testing', cert_subj.CN)
def generate_csr(file, key, locality, cn, alt=[], log=None): san = [] san.append("DNS: %s" % cn) for i in alt: san.append("DNS: %s" % i) san = ", ".join(san) req = crypto.X509Req() req.get_subject().CN = cn if locality.get("country", None): req.get_subject().countryName = locality["country"] if locality.get("state", None): req.get_subject().stateOrProvinceName = locality["state"] if locality.get("city", None): req.get_subject().localityName = locality["city"] if locality.get("organization", None): req.get_subject().organizationName = locality["organization"] if locality.get("organizationUnit", None): req.get_subject().organizationalUnitName = locality["organizationUnit"] if log: log.debug(req.get_subject()) x509_extensions = [] if san: san_constraint = crypto.X509Extension(b"subjectAltName", False, str.encode(san)) x509_extensions.append(san_constraint) req.add_extensions(x509_extensions) req.set_pubkey(key) req.sign(key, "sha256") with open(file, "wb") as f: f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)) os.chmod(file, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP) return req
def import_csr_file(csrfile, data): """Import a CSR file, which can be either PEM or DER. :param str csrfile: CSR filename :param str data: contents of the CSR file :returns: (`crypto.FILETYPE_PEM`, util.CSR object representing the CSR, list of domains requested in the CSR) :rtype: tuple """ PEM = crypto.FILETYPE_PEM load = crypto.load_certificate_request try: # Try to parse as DER first, then fall back to PEM. csr = load(crypto.FILETYPE_ASN1, data) except crypto.Error: try: csr = load(PEM, data) except crypto.Error: raise errors.Error("Failed to parse CSR file: {0}".format(csrfile)) domains = _get_names_from_loaded_cert_or_req(csr) # Internally we always use PEM, so re-encode as PEM before returning. data_pem = crypto.dump_certificate_request(PEM, csr) return PEM, util.CSR(file=csrfile, data=data_pem, form="pem"), domains
def issue_certificate(self, cert_req): '''Certificate issuing from a callout to an OpenSSL executable @param cert_req: Certificate request to use @return: output certificate ''' try: out_cert_file = tempfile.NamedTemporaryFile(delete=False) in_csr_file = tempfile.NamedTemporaryFile(delete=False) s_cert_req = crypto.dump_certificate_request(crypto.FILETYPE_PEM, cert_req) in_csr_file.seek(0) in_csr_file.write(s_cert_req) in_csr_file.close() cmd_tmpl = string.Template(self.cert_issue_cmd) populated_cmd = cmd_tmpl.substitute(in_csr=in_csr_file.name, out_cert=out_cert_file.name) log.debug('Executing command to issue certificate: %r', populated_cmd) cmd_args = populated_cmd.split() proc = subprocess.Popen(cmd_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdoutdata, stderrdata = proc.communicate() if proc.returncode == 0: if stdoutdata: log.info('stdout message: \'%s\'; for command: %r', stdoutdata, populated_cmd) if stderrdata: log.info('stderr message: \'%s\'; for command: %r', stderrdata, populated_cmd) out_cert = crypto.load_certificate( crypto.FILETYPE_PEM, open(out_cert_file.name).read()) else: error_msg = '' if stdoutdata: error_msg += ('stdout message: \'%s\'; for command: %r' % (stdoutdata, populated_cmd)) if stderrdata: error_msg += ('stderr message: \'%s\'; for command: %r' % (stderrdata, populated_cmd)) raise CertificateIssuingError('Error issuing certificate: %s' % error_msg) finally: os.unlink(in_csr_file.name) os.unlink(out_cert_file.name) return out_cert
def test_dump_certificate_request(self): """ L{dump_certificate_request} writes a PEM, DER, and text. """ req = load_certificate_request(FILETYPE_PEM, cleartextCertificateRequestPEM) dumped_pem = dump_certificate_request(FILETYPE_PEM, req) self.assertEqual(dumped_pem, cleartextCertificateRequestPEM) dumped_der = dump_certificate_request(FILETYPE_ASN1, req) good_der = self._runopenssl(dumped_pem, "req", "-outform", "DER") self.assertEqual(dumped_der, good_der) req2 = load_certificate_request(FILETYPE_ASN1, dumped_der) dumped_pem2 = dump_certificate_request(FILETYPE_PEM, req2) self.assertEqual(dumped_pem2, cleartextCertificateRequestPEM) dumped_text = dump_certificate_request(FILETYPE_TEXT, req) good_text = self._runopenssl(dumped_pem, "req", "-noout", "-text") self.assertEqual(dumped_text, good_text)
def generate_csr(): request_data = json.loads(request.data.decode()) csr_filename = str(request_data['csrFilename']) with open(CERTIFICATE_SIGNING_REQUEST_DIR + csr_filename, "w+") as csr_file: certificate_signing_request = crypto.X509Req() certificate_signing_request.get_subject().CN = str(request_data['commonName']) certificate_signing_request.get_subject().O = str(request_data['organization']) certificate_signing_request.get_subject().OU = str(request_data['organizationalUnit']) certificate_signing_request.get_subject().L = str(request_data['city']) certificate_signing_request.get_subject().ST = str(request_data['state']) certificate_signing_request.get_subject().C = str(request_data['country']) certificate_signing_request.get_subject().emailAddress = str(request_data['email']) selected_pkey_filename = str(request_data['private_key']) try: if 'passphrase' in request_data: selected_pkey_passphrase = str(request_data['passphrase']) selected_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(PRIVATE_KEY_DIR + selected_pkey_filename).read(), selected_pkey_passphrase) else: selected_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(PRIVATE_KEY_DIR + selected_pkey_filename).read()) certificate_signing_request.set_pubkey(selected_key) certificate_signing_request.sign(selected_key, "sha256") print csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, certificate_signing_request)) csr_file.seek(0) csr_data = csr_file.read() responseObject = {} responseObject['csr'] = csr_data, responseObject['message'] = 'CSR successfully created.' return jsonify(responseObject), 201 except Error, error: return jsonify(str(error)), 400
def create_certreq(CN, keyPair, messageDigest=MESSAGE_DIGEST_TYPE): """Create a certificate request. @type CN: basestring @param CN: Common Name for certificate - effectively the same as the username for the MyProxy credential @type keyPair: string/None @param keyPair: public/private key pair @type messageDigest: basestring @param messageDigest: message digest type - default is MD5 @rtype: base string @return certificate request PEM text and private key PEM text """ # Check all required certificate request DN parameters are set # Create certificate request certReq = crypto.X509Req() # Create public key object certReq.set_pubkey(keyPair) # Add the public key to the request certReq.sign(keyPair, messageDigest) derCertReq = crypto.dump_certificate_request(crypto.FILETYPE_ASN1, certReq) return derCertReq
def generate_csr(customer_data, pkey_obj): """ Generate a CSR using the customer data and OpenSSL.crypto.PKEY object. :param customer_data: Dictionary that includes all customer data required for the certificate and the partner name. :param pkey_obj: OpenSSL.crypto.PKEY object used to sign the CSR and to be associated with the certificate. :return CSR PEM string. """ if not isinstance(pkey_obj, crypto.PKey): raise ValueError('OpenSSL crypto.PKey Type Required For Private Key') req = crypto.X509Req() req.get_subject().organizationName = customer_data.get('partner_name') req.get_subject().CN = '%s %s' % (customer_data.get('first_name'), customer_data.get('last_name')) req.get_subject().countryName = customer_data.get('country') req.get_subject().localityName = customer_data.get('city') req.get_subject().stateOrProvinceName = customer_data.get('state') req.get_subject().street = customer_data.get('street_address') req.get_subject().postalCode = customer_data.get('postal_code') base_constraints = ([ crypto.X509Extension("keyUsage", False, "Digital Signature, Non Repudiation, Key Encipherment"), crypto.X509Extension("basicConstraints", False, "CA:FALSE") ]) req.add_extensions(base_constraints) req.set_pubkey(pkey_obj) req.sign(pkey_obj, 'sha256') return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
def update(self, param): """ This method is called during the initialization process. :param param: parameters from the token init :type param: dict :return: None """ TokenClass.update(self, param) request = getParam(param, "request", optional) spkac = getParam(param, "spkac", optional) certificate = getParam(param, "certificate", optional) generate = getParam(param, "genkey", optional) if request or generate: # If we do not upload a user certificate, then we need a CA do # sign the uploaded request or generated certificate. ca = getParam(param, "ca", required) self.add_tokeninfo("CA", ca) cacon = get_caconnector_object(ca) if request: # During the initialization process, we need to create the # certificate x509object = cacon.sign_request(request, options={"spkac": spkac}) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) elif generate: # Create the certificate on behalf of another user. # Now we need to create the key pair, # the request # and the certificate # We need the user for whom the certificate should be created user = get_user_from_param(param, optionalOrRequired=required) keysize = getParam(param, "keysize", optional, 2048) key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, keysize) req = crypto.X509Req() req.get_subject().CN = user.login # Add email to subject if user.info.get("email"): req.get_subject().emailAddress = user.info.get("email") req.get_subject().organizationalUnitName = user.realm # TODO: Add Country, Organization, Email # req.get_subject().countryName = 'xxx' # req.get_subject().stateOrProvinceName = 'xxx' # req.get_subject().localityName = 'xxx' # req.get_subject().organizationName = 'xxx' req.set_pubkey(key) req.sign(key, "sha256") x509object = cacon.sign_request(crypto.dump_certificate_request( crypto.FILETYPE_PEM, req)) certificate = crypto.dump_certificate(crypto.FILETYPE_PEM, x509object) # Save the private key to the encrypted key field of the token s = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) self.add_tokeninfo("privatekey", s, value_type="password") if certificate: self.add_tokeninfo("certificate", certificate)
def make_csr(private_key_pem, domains, must_staple=False): """Generate a CSR containing a list of domains as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :returns: buffer PEM-encoded Certificate Signing Request. """ private_key = crypto.load_privatekey( crypto.FILETYPE_PEM, private_key_pem) csr = crypto.X509Req() extensions = [ crypto.X509Extension( b'subjectAltName', critical=False, value=', '.join('DNS:' + d for d in domains).encode('ascii') ), ] if must_staple: extensions.append(crypto.X509Extension( b"1.3.6.1.5.5.7.1.24", critical=False, value=b"DER:30:03:02:01:05")) csr.add_extensions(extensions) csr.set_pubkey(private_key) csr.set_version(2) csr.sign(private_key, 'sha256') return crypto.dump_certificate_request( crypto.FILETYPE_PEM, csr)
def test_default_gen(self): """ By default it will serialized the key without password and generate the csr without alternative name and just the common name. """ options = self.parseArguments([ self.command_name, '--common-name=domain.com', ]) result = generate_csr(options) # OpenSSL.crypto.PKey has no equality so we need to compare the # serialization. self.assertEqual(2048L, result['key'].bits()) self.assertEqual(crypto.TYPE_RSA, result['key'].type()) key = crypto.dump_privatekey(crypto.FILETYPE_PEM, result['key']) self.assertEqual(key, result['key_pem']) # For CSR we can not get extensions so we only check the subject. csr = crypto.dump_certificate_request( crypto.FILETYPE_PEM, result['csr']) self.assertEqual(csr, result['csr_pem']) subject = result['csr'].get_subject() self.assertEqual(u'domain.com', subject.commonName) self.assertIsNone(subject.emailAddress) self.assertIsNone(subject.organizationName) self.assertIsNone(subject.organizationalUnitName) self.assertIsNone(subject.localityName) self.assertIsNone(subject.stateOrProvinceName) self.assertIsNone(subject.countryName) self.assertEqual(0, result['csr'].get_version())
def create_cert_req(key_pair, message_digest=MESSAGE_DIGEST_TYPE): """Create a certificate request. :type key_pair: string/None :param key_pair: public/private key pair :type message_digest: basestring :param message_digest: message digest type - default is MD5 :rtype: base string :return: certificate request PEM text and private key PEM text """ # Check all required certificate request DN parameters are set # Create certificate request cert_req = crypto.X509Req() # Create public key object cert_req.set_pubkey(key_pair) # Add the public key to the request cert_req.sign(key_pair, message_digest) cert_req_s = crypto.dump_certificate_request(crypto.FILETYPE_PEM, cert_req) return cert_req_s
def _generate_csr_from_private_key(order_model, project_model): """Generate a CSR from the private key. :param: order_model - order for the request :param: project_model - project for this request :return: CSR (certificate signing request) in PEM format :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found :class:`StoredKeyContainerNotFound` if container not found """ container_id, container = _get_container_from_order_meta(order_model, project_model) if not container: raise excep.StoredKeyContainerNotFound(container_id) passphrase = None private_key = None for cs in container.container_secrets: secret_repo = repos.get_secret_repository() if cs.name == "private_key": private_key_model = secret_repo.get(cs.secret_id, project_model.external_id) private_key = plugin.get_secret("application/pkcs8", private_key_model, project_model) elif cs.name == "private_key_passphrase": passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id) passphrase = plugin.get_secret("text/plain;charset=utf-8", passphrase_model, project_model) passphrase = str(passphrase) if not private_key: raise excep.StoredKeyPrivateKeyNotFound(container.id) if passphrase is None: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key) else: pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase) subject_name = order_model.meta.get("subject_dn") subject_name_dns = ldap.dn.str2dn(subject_name) extensions = order_model.meta.get("extensions", None) req = crypto.X509Req() subj = req.get_subject() # Note: must iterate over the DNs in reverse order, or the resulting # subject name will be reversed. for ava in reversed(subject_name_dns): for key, val, extra in ava: setattr(subj, key.upper(), val) req.set_pubkey(pkey) if extensions: # TODO(alee-3) We need code here to parse the encoded extensions and # convert them into X509Extension objects. This code will also be # used in the validation code. Commenting out for now till we figure # out how to do this. # req.add_extensions(extensions) pass req.sign(pkey, "sha256") csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) return csr
def csr(self): key = crypto.load_privatekey(FILETYPE_PEM, self.private_key) csr = crypto.X509Req() csr.get_subject().CN = "AWS IoT Certificate" csr.get_subject().O = "Amazon" csr.set_pubkey(key) csr.sign(key, "sha256") return str(crypto.dump_certificate_request(FILETYPE_PEM, csr), "utf8")
def generate(self, module): '''Generate the certificate signing request.''' if not self.check(module, perms_required=False) or self.force: req = crypto.X509Req() req.set_version(self.version - 1) subject = req.get_subject() for entry in self.subject: if entry[1] is not None: # Workaround for https://github.com/pyca/pyopenssl/issues/165 nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0])) if nid == 0: raise CertificateSigningRequestError('Unknown subject field identifier "{0}"'.format(entry[0])) res = OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0) if res == 0: raise CertificateSigningRequestError('Invalid value for subject field identifier "{0}": {1}'.format(entry[0], entry[1])) extensions = [] if self.subjectAltName: altnames = ', '.join(self.subjectAltName) try: extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii'))) except OpenSSL.crypto.Error as e: raise CertificateSigningRequestError( 'Error while parsing Subject Alternative Names {0} (check for missing type prefix, such as "DNS:"!): {1}'.format( ', '.join(["{0}".format(san) for san in self.subjectAltName]), str(e) ) ) if self.keyUsage: usages = ', '.join(self.keyUsage) extensions.append(crypto.X509Extension(b"keyUsage", self.keyUsage_critical, usages.encode('ascii'))) if self.extendedKeyUsage: usages = ', '.join(self.extendedKeyUsage) extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii'))) if self.basicConstraints: usages = ', '.join(self.basicConstraints) extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii'))) if self.ocspMustStaple: extensions.append(crypto.X509Extension(MUST_STAPLE_NAME, self.ocspMustStaple_critical, MUST_STAPLE_VALUE)) if extensions: req.add_extensions(extensions) req.set_pubkey(self.privatekey) req.sign(self.privatekey, self.digest) self.request = req result = crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request) crypto_utils.write_file(module, result) self.changed = True file_args = module.load_file_common_arguments(module.params) if module.set_fs_attributes_if_different(file_args, False): self.changed = True
def generate(self, module): '''Generate the certificate signing request.''' if not self.check(module, perms_required=False) or self.force: req = crypto.X509Req() req.set_version(self.version - 1) subject = req.get_subject() for (key, value) in self.subject.items(): if value is not None: setattr(subject, key, value) altnames = ', '.join(self.subjectAltName) extensions = [ crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii')) ] if self.keyUsage: usages = ', '.join(self.keyUsage) extensions.append( crypto.X509Extension(b"keyUsage", self.keyUsage_critical, usages.encode('ascii'))) if self.extendedKeyUsage: usages = ', '.join(self.extendedKeyUsage) extensions.append( crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii'))) if self.basicConstraints: usages = ', '.join(self.basicConstraints) extensions.append( crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii'))) req.add_extensions(extensions) req.set_pubkey(self.privatekey) req.sign(self.privatekey, self.digest) self.request = req try: csr_file = open(self.path, 'wb') csr_file.write( crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request)) csr_file.close() except (IOError, OSError) as exc: raise CertificateSigningRequestError(exc) self.changed = True file_args = module.load_file_common_arguments(module.params) if module.set_fs_attributes_if_different(file_args, False): self.changed = True
def issue_certificate(self, cert_req): '''Certificate issuing from a callout to an OpenSSL executable @param cert_req: Certificate request to use @return: output certificate ''' try: out_cert_file = tempfile.NamedTemporaryFile(delete=False) in_csr_file = tempfile.NamedTemporaryFile(delete=False) s_cert_req = crypto.dump_certificate_request( crypto.FILETYPE_PEM, cert_req) in_csr_file.seek(0) in_csr_file.write(s_cert_req) in_csr_file.close() cmd_tmpl = string.Template(self.cert_issue_cmd) populated_cmd = cmd_tmpl.substitute(in_csr=in_csr_file.name, out_cert=out_cert_file.name) log.debug('Executing command to issue certificate: %r', populated_cmd) cmd_args = populated_cmd.split() proc = subprocess.Popen(cmd_args, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdoutdata, stderrdata = proc.communicate() if proc.returncode == 0: if stdoutdata: log.info('stdout message: \'%s\'; for command: %r', stdoutdata, populated_cmd) if stderrdata: log.info('stderr message: \'%s\'; for command: %r', stderrdata, populated_cmd) out_cert = crypto.load_certificate( crypto.FILETYPE_PEM, open(out_cert_file.name).read()) else: error_msg = '' if stdoutdata: error_msg += ('stdout message: \'%s\'; for command: %r' % (stdoutdata, populated_cmd)) if stderrdata: error_msg += ('stderr message: \'%s\'; for command: %r' % (stderrdata, populated_cmd)) raise CertificateIssuingError('Error issuing certificate: %s' % error_msg) finally: os.unlink(in_csr_file.name) os.unlink(out_cert_file.name) return out_cert
def patched_createCertReq(self, CN, keyPair, messageDigest=None): from OpenSSL import crypto messageDigest = 'sha256' certReq = crypto.X509Req() certReq.set_pubkey(keyPair) certReq.sign(keyPair, messageDigest) derCertReq = crypto.dump_certificate_request(crypto.FILETYPE_ASN1, certReq) return derCertReq
def create_csr_that_has_not_been_signed(): """Generate a CSR that has not been signed.""" key_pair = create_key_pair(crypto.TYPE_RSA, 2048) csr = crypto.X509Req() subject = csr.get_subject() setattr(subject, "CN", "host.example.net") csr.set_pubkey(key_pair) pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr) return pem
def make_certreq(self, pkey, attributes, export_file=False, **kwargs): csr = crypto.X509Req() subject = csr.get_subject() for key, value in iteritems(attributes): if value is not None: setattr(subject, key, value) extensions = [] for x in X509_TYPE_NAMES: if x in kwargs: extensions.append( crypto.X509Extension( ensure_binary(x), isinstance(kwargs[x], CriticalExt), ensure_binary(', '.join(kwargs[x]), encoding='ascii'))) if kwargs.get('subject'): if 'subjectKeyIdentifier' in kwargs: extensions.append( crypto.X509Extension(ensure_binary('subjectKeyIdentifier'), isinstance( kwargs['subjectKeyIdentifier'], CriticalExt), ensure_binary(', '.join( kwargs['subjectKeyIdentifier']), encoding='ascii'), subject=kwargs['subject'])) if kwargs.get('issuer'): if 'authorityKeyIdentifier' in kwargs: extensions.append( crypto.X509Extension( ensure_binary('authorityKeyIdentifier'), isinstance(kwargs['authorityKeyIdentifier'], CriticalExt), ensure_binary(', '.join( kwargs['authorityKeyIdentifier']), encoding='ascii'), issuer=kwargs['issuer'])) if extensions: csr.add_extensions(extensions) csr.set_pubkey(pkey) csr.sign(pkey, self.digest_type) if isinstance(export_file, string_types): dcsr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr) if not os.path.exists(export_file): open(export_file, 'wb').close() os.chmod(export_file, 0o600) f = open(export_file, 'wb') f.writelines(dcsr) f.close() return csr
def get_request_signed(self, req): """Call RPyC remote method to get request signed""" req_string = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) try: cert = self.conn.root.sign_request(req_string, self.req_dict['CN']) except RetryMethodError as e: cert = self.conn.root.sign_request(req_string, self.req_dict['CN']) with open('{0}.crt'.format(self.req_dict['CN']), 'w+') as certfile: certfile.write(cert)
def test_issue_certificate_request_stored_key(self): req = certificate_utils.get_valid_csr_object() req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) self.barbican_meta_dto.generated_csr = req_enc resp = self.plugin.issue_certificate_request( self.order_id, {}, {}, self.barbican_meta_dto) crypto.load_certificate( crypto.FILETYPE_PEM, resp.certificate.decode('base64'))
def test_issue_certificate_request_stored_key(self): req = certificate_utils.get_valid_csr_object() req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) self.barbican_meta_dto.generated_csr = req_enc resp = self.plugin.issue_certificate_request(self.order_id, {}, {}, self.barbican_meta_dto) crypto.load_certificate(crypto.FILETYPE_PEM, base64.b64decode(resp.certificate))
def get_crt(self): """ Use automatic signing CA service to sign the CSR """ r = requests.post( f"{self.signing_service}/get_cert", crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.csr), ) self.crt = r.content.decode()
def test_issue_certificate_request(self): req = certificate_utils.get_valid_csr_object() req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) order_meta = {'request_data': req_enc} resp = self.plugin.issue_certificate_request(self.order_id, order_meta, {}, self.barbican_meta_dto) crypto.load_certificate(crypto.FILETYPE_PEM, resp.certificate.decode('base64'))
def gencsrfiles(cn, email, C, ST, L, OU): # Create all needed directory result_dir = ssl_dir + '/' + cn if not os.path.exists(ssl_dir + '/' +cn): os.makedirs(ssl_dir + '/' +cn) csr_file = result_dir + '/' + cn + '.csr' key_file = result_dir + '/' + cn + '.key' # Generate key and csr key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 2048) # print(key()) csr = crypto.X509Req() csr.get_subject().CN = cn csr.get_subject().C = C csr.get_subject().ST = ST csr.get_subject().L = L csr.get_subject().OU = OU csr.get_subject().emailAddress = email csr.set_pubkey(key) csr.sign(key, 'sha1') # Save results to files and print them to stdout with open(csr_file, 'wb') as csr_f: csr_f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)) with open(key_file, 'wb') as key_f: key_f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key)) print(" \n") print(" ██████╗███████╗██████╗ ") print(" ██╔════╝██╔════╝██╔══██╗ ") print(" ██║ ███████╗██████╔╝ ") print(" ██║ ╚════██║██╔══██╗ ") print(" ╚██████╗███████║██║ ██║ ") print(" ╚═════╝╚══════╝╚═╝ ╚═╝ \n") sys.stdout.buffer.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)) print(" \n") print(" ██╗ ██╗███████╗██╗ ██╗") print(" ██║ ██╔╝██╔════╝╚██╗ ██╔╝") print(" █████╔╝ █████╗ ╚████╔╝ ") print(" ██╔═██╗ ██╔══╝ ╚██╔╝ ") print(" ██║ ██╗███████╗ ██║ ") print(" ╚═╝ ╚═╝╚══════╝ ╚═╝ \n") sys.stdout.buffer.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
def csr(self): request = crypt.X509Req() subject = request.get_subject() for (k, v) in self.csr_info.items(): setattr(subject, k, v) request.set_pubkey(self.keypair) request.sign(self.keypair, self.DIGEST) return crypt.dump_certificate_request(crypt.FILETYPE_PEM, request)
def _generate_csr(self): req = crypto.X509Req() req.set_version(self.version - 1) subject = req.get_subject() for entry in self.subject: if entry[1] is not None: # Workaround for https://github.com/pyca/pyopenssl/issues/165 nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0])) OpenSSL._util.lib.X509_NAME_add_entry_by_NID( subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0) extensions = [] if self.subjectAltName: altnames = ', '.join(self.subjectAltName) extensions.append( crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii'))) if self.keyUsage: usages = ', '.join(self.keyUsage) extensions.append( crypto.X509Extension(b"keyUsage", self.keyUsage_critical, usages.encode('ascii'))) if self.extendedKeyUsage: usages = ', '.join(self.extendedKeyUsage) extensions.append( crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii'))) if self.basicConstraints: usages = ', '.join(self.basicConstraints) extensions.append( crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii'))) if self.ocspMustStaple: extensions.append( crypto.X509Extension(OPENSSL_MUST_STAPLE_NAME, self.ocspMustStaple_critical, OPENSSL_MUST_STAPLE_VALUE)) if extensions: req.add_extensions(extensions) req.set_pubkey(self.privatekey) req.sign(self.privatekey, self.digest) self.request = req return crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request)
def _prepare_certificate_signing_request(domain, key_file, output_folder): from OpenSSL import crypto # lazy loading this module for performance reasons # Init a request csr = crypto.X509Req() # Set the domain csr.get_subject().CN = domain from yunohost.domain import domain_list # For "parent" domains, include xmpp-upload subdomain in subject alternate names if domain in domain_list(exclude_subdomains=True)["domains"]: subdomain = "xmpp-upload." + domain xmpp_records = ( Diagnoser.get_cached_report( "dnsrecords", item={"domain": domain, "category": "xmpp"} ).get("data") or {} ) if xmpp_records.get("CNAME:xmpp-upload") == "OK": csr.add_extensions( [ crypto.X509Extension( "subjectAltName".encode("utf8"), False, ("DNS:" + subdomain).encode("utf8"), ) ] ) else: logger.warning( m18n.n( "certmanager_warning_subdomain_dns_record", subdomain=subdomain, domain=domain, ) ) # Set the key with open(key_file, "rt") as f: key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read()) csr.set_pubkey(key) # Sign the request csr.sign(key, "sha256") # Save the request in tmp folder csr_file = output_folder + domain + ".csr" logger.debug("Saving to %s.", csr_file) with open(csr_file, "wb") as f: f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr))
def generate_csr(target_dir, key, ip_address): req = crypto.X509Req() req.set_version(0x2) req.get_subject().CN = "anyServer" # Add the IP SAN req.add_extensions( [crypto.X509Extension("subjectAltName", False, ip_address)]) req.set_pubkey(key) req.sign(key, "sha256") return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
def create_csr_with_bad_subject_dn(): """Generate a CSR that has a bad subject dn.""" key_pair = create_key_pair(crypto.TYPE_RSA, 2048) csr = crypto.X509Req() subject = csr.get_subject() # server certs require attribute 'CN' setattr(subject, "UID", "bar") csr.set_pubkey(key_pair) csr.sign(key_pair, "sha256") pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr) return pem
def handler_getCertificates(): config_data = load_config_files() nodeInfo = config_data[0] networkList = config_data[1] # Privatekey of Node key = create_key(1024) for i in range(1, 4): fp = open("player-" + str(i) + ".key", "w+") fp.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key)) fp.close() # Create 3 requests to CA serial = int(nodeInfo["id"][1::]) print "CERTIFICATE SERIAL: " + str(serial) req = [] for i in range(1, 4): cn = "VIFF Player " + str(i) r = create_request(key, cn) req.append(crypto.dump_certificate_request(crypto.FILETYPE_PEM, r)) # Dinamic build of CA ip for item in networkList: if item["id"] == "ca": ca_ip = item["ip"] target = "http://" + ca_ip + ":5000/createCertificates" payload = {"serial": serial, "req": req} headers = {"content-type": "application/json"} r = requests.post(target, data=json.dumps(payload), headers=headers) # Obtain response response = dict(json.loads(r.text)) #pretty_print('B', response) dump_ca_cert = response['ca_cert'] fp = open("ca.cert", "w+") fp.write(dump_ca_cert) fp.close() dump_certs = response['certs'] #pretty_print('D', dump_certs) for i in range(0, 3): fp = open("player-" + str(i + 1) + ".cert", "w+") fp.write(dump_certs[i].encode('ascii')) fp.close() print dump_certs[i].encode('ascii') print "<< CERTIFICATES GENERATED >>" global certificate_gen certificate_gen = True return json.dumps({"status": "certificatesGenerated"})
def test_issue_raises_with_invalid_ca_id(self): req = certificate_utils.get_valid_csr_object() req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) req_enc = base64.b64encode(req_enc) order_meta = {'request_data': req_enc} plugin_meta = {'plugin_ca_id': "invalid_ca_id"} self.barbican_meta_dto.plugin_ca_id = "invalid_ca_id" self.assertRaises(cm.CertificateGeneralException, self.plugin.issue_certificate_request, self.order_id, order_meta, plugin_meta, self.barbican_meta_dto)
def make_csr( private_key_pem: bytes, domains: Optional[Union[Set[str], List[str]]] = None, must_staple: bool = False, ipaddrs: Optional[List[Union[ipaddress.IPv4Address, ipaddress.IPv6Address]]] = None ) -> bytes: """Generate a CSR containing domains or IPs as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address) names to include in subbjectAltNames of CSR. params ordered this way for backward competablity when called by positional argument. :returns: buffer PEM-encoded Certificate Signing Request. """ private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem) csr = crypto.X509Req() sanlist = [] # if domain or ip list not supplied make it empty list so it's easier to iterate if domains is None: domains = [] if ipaddrs is None: ipaddrs = [] if len(domains) + len(ipaddrs) == 0: raise ValueError( "At least one of domains or ipaddrs parameter need to be not empty" ) for address in domains: sanlist.append('DNS:' + address) for ips in ipaddrs: sanlist.append('IP:' + ips.exploded) # make sure its ascii encoded san_string = ', '.join(sanlist).encode('ascii') # for IP san it's actually need to be octet-string, # but somewhere downsteam thankfully handle it for us extensions = [ crypto.X509Extension(b'subjectAltName', critical=False, value=san_string), ] if must_staple: extensions.append( crypto.X509Extension(b"1.3.6.1.5.5.7.1.24", critical=False, value=b"DER:30:03:02:01:05")) csr.add_extensions(extensions) csr.set_pubkey(private_key) # RFC 2986 Section 4.1 only defines version 0 csr.set_version(0) csr.sign(private_key, 'sha256') return crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
def encode_csr(csr: util.ComparableX509) -> str: """Encode CSR as JOSE Base-64 DER. :type csr: `OpenSSL.crypto.X509Req` wrapped in `.ComparableX509` :rtype: unicode """ if isinstance(csr.wrapped, crypto.X509): raise ValueError("Error input is actually a certificate.") return encode_b64jose( crypto.dump_certificate_request(crypto.FILETYPE_ASN1, csr.wrapped))
def __create_csr(self, data): # no signedby, lifetime attributes required cert_info = get_cert_info_from_data(data) data['type'] = CERT_TYPE_CSR req, key = self.create_certificate_signing_request(cert_info) data['CSR'] = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) data['privatekey'] = crypto.dump_privatekey(crypto.FILETYPE_PEM, key) return data
def generate_files(mkFile, request): if ".csr" in mkFile: f = open(mkFile, "w") f.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, request)) f.close() elif ".key" in mkFile: f = open(mkFile, "w") f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request)) f.close() else: logging.debug("Failed to create CSR/Key files for %s" % (dest)) exit()
def write_files(self, mkFile, request): if mkFile.endswith(".csr"): with open(mkFile, "wb") as f: f.write( crypto.dump_certificate_request(crypto.FILETYPE_PEM, request)) elif mkFile.endswith(".key"): with open(mkFile, "wb") as f: f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request)) else: print("Failed.") exit()
def _get_body(self): # H2N assert isinstance(self.cert_request, (crypto.X509Req, NoneType)), \ repr(self.cert_request) assert isinstance(self.username, str), repr(self.username) result = {'username': self.username} if self.cert_request is not None: result['SSL request'] = \ crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.cert_request) return result
def generate(self, module): '''Generate the certificate signing request.''' if not self.check(module, perms_required=False) or self.force: req = crypto.X509Req() req.set_version(self.version - 1) subject = req.get_subject() for entry in self.subject: if entry[1] is not None: # Workaround for https://github.com/pyca/pyopenssl/issues/165 nid = OpenSSL._util.lib.OBJ_txt2nid(to_bytes(entry[0])) OpenSSL._util.lib.X509_NAME_add_entry_by_NID(subject._name, nid, OpenSSL._util.lib.MBSTRING_UTF8, to_bytes(entry[1]), -1, -1, 0) extensions = [] if self.subjectAltName: altnames = ', '.join(self.subjectAltName) extensions.append(crypto.X509Extension(b"subjectAltName", self.subjectAltName_critical, altnames.encode('ascii'))) if self.keyUsage: usages = ', '.join(self.keyUsage) extensions.append(crypto.X509Extension(b"keyUsage", self.keyUsage_critical, usages.encode('ascii'))) if self.extendedKeyUsage: usages = ', '.join(self.extendedKeyUsage) extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii'))) if self.basicConstraints: usages = ', '.join(self.basicConstraints) extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii'))) if self.ocspMustStaple: extensions.append(crypto.X509Extension(MUST_STAPLE_NAME, self.ocspMustStaple_critical, MUST_STAPLE_VALUE)) if extensions: req.add_extensions(extensions) req.set_pubkey(self.privatekey) req.sign(self.privatekey, self.digest) self.request = req try: csr_file = open(self.path, 'wb') csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request)) csr_file.close() except (IOError, OSError) as exc: raise CertificateSigningRequestError(exc) self.changed = True file_args = module.load_file_common_arguments(module.params) if module.set_fs_attributes_if_different(file_args, False): self.changed = True
def DumpKeyCertCsr(self): Key = self.GetPrivateKey() Csr = self.CreateCsr(Key) Cert = self.CreateCert(Csr, Key) cn = Csr.get_subject().commonName cn = re.sub(' +', '_', cn) #Files in PEM format PemKeyPath = os.path.join(self.CertDir, cn + "_pkey.pem") PemCsrPath = os.path.join(self.CertDir, cn + "_csr.pem") PemCertPath = os.path.join(self.CertDir, cn + "_cert.pem") if not self.OldPrivateKey: with open(PemKeyPath, "w") as fPemPrivKey: fPemPrivKey.write(crypto.dump_privatekey(FILETYPE_PEM, Key)) if not self.CsrFile: with open(PemCsrPath, "w") as fPemcsr: fPemcsr.write( crypto.dump_certificate_request(FILETYPE_PEM, Csr)) with open(PemCertPath, "w") as fPemcert: fPemcert.write(crypto.dump_certificate(FILETYPE_PEM, Cert)) #Files in DER (a.k.a ASN1) format DerKeyPath = os.path.join(self.CertDir, cn + "_pkey.der") DerCsrPath = os.path.join(self.CertDir, cn + "_csr.der") DerCertPath = os.path.join(self.CertDir, cn + "_cert.der") if not self.OldPrivateKey: with open(DerKeyPath, "w") as fDerPrivKey: fDerPrivKey.write(crypto.dump_privatekey(FILETYPE_ASN1, Key)) if not self.CsrFile: with open(DerCsrPath, "w") as fDercsr: fDercsr.write( crypto.dump_certificate_request(FILETYPE_ASN1, Csr)) with open(DerCertPath, "w") as fDercert: fDercert.write(crypto.dump_certificate(FILETYPE_ASN1, Cert)) #Files in p12/PFX format P12CertPath = os.path.join(self.CertDir, cn + "_cert.p12") fP12cert = open(P12CertPath, "w") self.CreateP12(Key, Cert, fP12cert)
def gen_pkey_req(identity): pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) req = crypto.X509Req() req.get_subject().C = ca_infra_cert.get_subject().C req.get_subject().O = ca_infra_cert.get_subject().O req.get_subject().OU = ca_infra_cert.get_subject().OU req.get_subject().CN = identity req.set_pubkey(pkey) req.sign(pkey, "sha256") return crypto.dump_certificate_request(crypto.FILETYPE_PEM, req), crypto.dump_privatekey( crypto.FILETYPE_PEM, pkey)
def test_issue_certificate_request_with_ca_id(self): req = certificate_utils.get_valid_csr_object() req_enc = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req) req_enc = base64.b64encode(req_enc) order_meta = {'request_data': req_enc} plugin_meta = {'plugin_ca_id': self.plugin.get_default_ca_name()} self.barbican_meta_dto.plugin_ca_id = self.plugin.get_default_ca_name() resp = self.plugin.issue_certificate_request(self.order_id, order_meta, plugin_meta, self.barbican_meta_dto) crypto.load_certificate(crypto.FILETYPE_PEM, base64.b64decode(resp.certificate))
def generateFiles(self, mkFile, request): """Generate .csr/key files. """ with open(mkFile, "w") as f: if ".csr" in mkFile: f.write( crypto.dump_certificate_request(crypto.FILETYPE_PEM, request)) elif ".key" in mkFile: f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, request)) else: self.output("[!] Failed to create CSR/Key files", level=logging.ERROR)
def generateRequest(self, keyType=crypto.TYPE_RSA, bits=2048, messageDigest="sha1"): """Generate a request and return the PEM-encoded PKCS10 object.""" logging.info("Generating private keys and certificate request.") self.request = crypto.X509Req() self.privateKey = crypto.PKey() self.privateKey.generate_key(keyType, bits) self.request.set_pubkey(self.privateKey) self.request.sign(self.privateKey, messageDigest) return crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request)