Python load_privatekey Examples

Example #1

File: certs.py Project: UfSoft/SSHgD

    def _makeContext(self):
        ctx = SSL.Context(self.method)

        if self.certificate is not None and self.privateKey is not None:
            if isinstance(self.certificate, basestring):
                ctx.use_certificate(crypto.load_certificate(
                    crypto.FILETYPE_PEM, self.certificate))
            else:
                ctx.use_certificate(crypto.load_certificate(
                    crypto.FILETYPE_PEM, self.certificate.content))

            if isinstance(self.privateKey, basestring):
                ctx.use_privatekey(crypto.load_privatekey(
                    crypto.FILETYPE_PEM, self.privateKey))
            else:
                ctx.use_privatekey(crypto.load_privatekey(
                    crypto.FILETYPE_PEM, self.privateKey.privateKey))
            # Sanity check
            ctx.check_privatekey()

        verifyFlags = SSL.VERIFY_NONE
        if self.verify:
            verifyFlags = SSL.VERIFY_PEER
            if self.requireCertificate:
                verifyFlags |= SSL.VERIFY_FAIL_IF_NO_PEER_CERT
            if self.verifyOnce:
                verifyFlags |= SSL.VERIFY_CLIENT_ONCE
            if self.caCerts:
                store = ctx.get_cert_store()
                if isinstance(self.caCerts, basestring):
                    store.add_cert(crypto.load_certificate(
                        crypto.FILETYPE_PEM, self.caCerts))
                else:
                    for cert in self.caCerts:
                        content = None
                        if isinstance(cert, basestring):
                            content = cert
                        else:
                            content = cert.content
                        store.add_cert(crypto.load_certificate(
                            crypto.FILETYPE_PEM, content))


        ctx.set_verify(verifyFlags, self._verify)

        if self.verifyDepth is not None:
            ctx.set_verify_depth(self.verifyDepth)

        if self.enableSingleUseKeys:
            ctx.set_options(SSL.OP_SINGLE_DH_USE)

        if self.fixBrokenPeers:
            ctx.set_options(self._OP_ALL)

        if self.enableSessions:
            sessionName = md5.md5("%s-%d" % (reflect.qual(self.__class__),
                                             _sessionCounter())).hexdigest()
            ctx.set_session_id(sessionName)

        return ctx

Example #2

File: test_keystone_pki.py Project: larsks/os-cloud-config

    def test_create_ca_and_signing_pairs(self):
        # use one common test to avoid generating CA pair twice
        # do not mock out pyOpenSSL, test generated keys/certs

        # create CA pair
        ca_key_pem, ca_cert_pem = keystone_pki.create_ca_pair()
        ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_pem)
        ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert_pem)

        # check CA key properties
        self.assertTrue(ca_key.check())
        self.assertEqual(2048, ca_key.bits())

        # check CA cert properties
        self.assertFalse(ca_cert.has_expired())
        self.assertEqual('Keystone CA', ca_cert.get_issuer().CN)
        self.assertEqual('Keystone CA', ca_cert.get_subject().CN)

        # create signing pair
        signing_key_pem, signing_cert_pem = keystone_pki.create_signing_pair(
            ca_key_pem, ca_cert_pem)
        signing_key = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                             signing_key_pem)
        signing_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
                                               signing_cert_pem)

        # check signing key properties
        self.assertTrue(signing_key.check())
        self.assertEqual(2048, signing_key.bits())

        # check signing cert properties
        self.assertFalse(signing_cert.has_expired())
        self.assertEqual('Keystone CA', signing_cert.get_issuer().CN)
        self.assertEqual('Keystone Signing', signing_cert.get_subject().CN)

Example #3

File: signurl.py Project: mengyazhu96/gsutil

def _ReadJSONKeystore(ks_contents, passwd=None):
  """Read the client email and private key from a JSON keystore.

  Assumes this keystore was downloaded from the Cloud Platform Console.
  By default, JSON keystore private keys from the Cloud Platform Console
  aren't encrypted so the passwd is optional as load_privatekey will
  prompt for the PEM passphrase if the key is encrypted.

  Arguments:
    ks_contents: JSON formatted string representing the keystore contents. Must
                 be a valid JSON string and contain the fields 'private_key'
                 and 'client_email'.
    passwd: Passphrase for encrypted private keys.

  Returns:
    key: Parsed private key from the keystore.
    client_email: The email address for the service account.

  Raises:
    ValueError: If unable to parse ks_contents or keystore is missing
                required fields.
  """
  ks = json.loads(ks_contents)

  if 'client_email' not in ks or 'private_key' not in ks:
    raise ValueError('JSON keystore doesn\'t contain required fields')

  client_email = ks['client_email']
  if passwd:
    key = load_privatekey(FILETYPE_PEM, ks['private_key'], passwd)
  else:
    key = load_privatekey(FILETYPE_PEM, ks['private_key'])

  return key, client_email

Example #4

File: crypto.py Project: rackerlabs/pyopenssl

 def check_load_privatekey_callback(self):
     """
     Call the function with an encrypted PEM and a passphrase callback.
     """
     for i in xrange(self.iterations * 10):
         load_privatekey(
             FILETYPE_PEM, self.ENCRYPTED_PEM, lambda *args: "hello, secret")

Example #5

File: certificate.py Project: ArthurGarnier/geni-tools

 def load_from_string(self, string):
     if glo_passphrase_callback:
         self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, string, functools.partial(glo_passphrase_callback, self, string) )
         self.m2key = M2Crypto.EVP.load_key_string(string, functools.partial(glo_passphrase_callback, self, string) )
     else:
         self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, string)
         self.m2key = M2Crypto.EVP.load_key_string(string)

Example #6

File: pki_manager.py Project: 1126729585/OpenVPN_UAM

  def loadPrivateKey(path):
    """Import an private key from file to python object

    @param path [str] : the path to the private key file to import
    @return [OpenSSL.crypto.PKey] the certificate object that correspond to the
                                  certificate file
            [None] if an error occur
    """
    assert path is not None
    try:
      # open file in binary mode
      f_cert = open(path, 'rb').read()
    except IOError as e:
      g_sys_log.error('Unable to open private key file : ' + str(e))
      return None

    try:
      # try to load the key as PEM format
      key = crypto.load_privatekey(crypto.FILETYPE_PEM, f_cert)
    except crypto.Error as e:
      # if error try with another format
      try:
        # try to load the cert as ASN1 format
        key = crypto.load_privatekey(crypto.FILETYPE_ASN1, f_cert)
        g_sys_log.warning('Private Key "%s" is not in PEM recommanded format',
                          path)
      except crypto.Error as e:
        g_sys_log.error('Unable to import private key : ' + str(e))
        return None
    return key

Example #7

File: plugin.py Project: dustinboling/rapache

 def on_button_import_key_clicked(self, widget):
     path = self.filechooserbutton_ssl_key.get_filename()
     
     if path:
         f = open(path, "r")
         text = f.read()
         f.close()
         
         try:
             crypto.load_privatekey(crypto.FILETYPE_PEM, text) 
         except:
             md = gtk.MessageDialog(None, flags=0, type=gtk.MESSAGE_ERROR, buttons=gtk.BUTTONS_OK, message_format="Could not import does not appear to be a valid key!") 
             md.run()
             md.destroy()
             return
                
         key_path = os.path.join("/etc/ssl/private/", os.path.basename(path))
         
         if not Shell.command.sudo_exists(key_path):
             Shell.command.write_file(key_path, text)
             self.entry_ssl_key_location.set_text(key_path)    
         
         else:
             md = gtk.MessageDialog(None, flags=0, type=gtk.MESSAGE_ERROR, buttons=gtk.BUTTONS_CLOSE, message_format="A key with that filename already exists") 
             result = md.run()
             md.destroy()

Example #8

File: rest_api.py Project: fuentesj/easy-key-z

def generate_csr():
	request_data = json.loads(request.data.decode())
	csr_filename = str(request_data['csrFilename'])
	with open(CERTIFICATE_SIGNING_REQUEST_DIR + csr_filename, "w+") as csr_file:
		certificate_signing_request = crypto.X509Req()
		certificate_signing_request.get_subject().CN = str(request_data['commonName'])
		certificate_signing_request.get_subject().O = str(request_data['organization'])
		certificate_signing_request.get_subject().OU = str(request_data['organizationalUnit'])
		certificate_signing_request.get_subject().L = str(request_data['city'])
		certificate_signing_request.get_subject().ST = str(request_data['state'])
		certificate_signing_request.get_subject().C = str(request_data['country'])
		certificate_signing_request.get_subject().emailAddress = str(request_data['email'])
		selected_pkey_filename = str(request_data['private_key'])
		try:
			if 'passphrase' in request_data:
				selected_pkey_passphrase = str(request_data['passphrase'])
				selected_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(PRIVATE_KEY_DIR + selected_pkey_filename).read(), selected_pkey_passphrase)
			else:
				selected_key = crypto.load_privatekey(crypto.FILETYPE_PEM, open(PRIVATE_KEY_DIR + selected_pkey_filename).read())
			certificate_signing_request.set_pubkey(selected_key)
			certificate_signing_request.sign(selected_key, "sha256")
			print csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, certificate_signing_request))
			csr_file.seek(0)
			csr_data = csr_file.read()
			responseObject = {}
			responseObject['csr'] = csr_data,
			responseObject['message'] = 'CSR successfully created.'
			return jsonify(responseObject), 201
		except Error, error:
			return jsonify(str(error)), 400

Example #9

File: test_certificate.py Project: AMITHSHAH/Test

    def test_certfile_contains_key(self):
        path = self.cc['www.example.com'].certfile

        assert os.path.exists(path)
        # Check key path can be successfully loaded as private key and doesn't
        # requires password, lambda is for case where password is required
        load_privatekey(FILETYPE_PEM, open(path).read(), lambda: "")

Example #10

File: cert.py Project: SUNET/pysaml2

    def create_cert_signed_certificate(self, sign_cert_str, sign_key_str,
                                       request_cert_str, hash_alg="sha256",
                                       valid_from=0, valid_to=315360000, sn=1,
                                       passphrase=None):

        """
        Will sign a certificate request with a give certificate.
        :param sign_cert_str:     This certificate will be used to sign with.
                                  Must be a string representation of
                                  the certificate. If you only have a file
                                  use the method read_str_from_file to
                                  get a string representation.
        :param sign_key_str:        This is the key for the ca_cert_str
                                  represented as a string.
                                  If you only have a file use the method
                                  read_str_from_file to get a string
                                  representation.
        :param request_cert_str:  This is the prepared certificate to be
                                  signed. Must be a string representation of
                                  the requested certificate. If you only have
                                  a file use the method read_str_from_file
                                  to get a string representation.
        :param hash_alg:          Hash algorithm to use for the key. Default
                                  is sha256.
        :param valid_from:        When the certificate starts to be valid.
                                  Amount of seconds from when the
                                  certificate is generated.
        :param valid_to:          How long the certificate will be valid from
                                  when it is generated.
                                  The value is in seconds. Default is
                                  315360000 seconds, a.k.a 10 years.
        :param sn:                Serial number for the certificate. Default
                                  is 1.
        :param passphrase:        Password for the private key in sign_key_str.
        :return:                  String representation of the signed
                                  certificate.
        """
        ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, sign_cert_str)
        ca_key = None
        if passphrase is not None:
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str,
                                            passphrase)
        else:
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str)
        req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM,
                                                   request_cert_str)

        cert = crypto.X509()
        cert.set_subject(req_cert.get_subject())
        cert.set_serial_number(sn)
        cert.gmtime_adj_notBefore(valid_from)
        cert.gmtime_adj_notAfter(valid_to)
        cert.set_issuer(ca_cert.get_subject())
        cert.set_pubkey(req_cert.get_pubkey())
        cert.sign(ca_key, hash_alg)

        cert_dump = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
        if isinstance(cert_dump, six.string_types):
            return cert_dump
        return cert_dump.decode('utf-8')

Example #11

File: certificate_resources.py Project: great2soul/barbican

def _generate_csr_from_private_key(order_model, project_model):
    """Generate a CSR from the private key.

    :param: order_model - order for the request
    :param: project_model - project for this request
    :return: CSR (certificate signing request) in PEM format
    :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
            :class:`StoredKeyContainerNotFound` if container not found
    """
    container_id, container = _get_container_from_order_meta(order_model, project_model)

    if not container:
        raise excep.StoredKeyContainerNotFound(container_id)

    passphrase = None
    private_key = None

    for cs in container.container_secrets:
        secret_repo = repos.get_secret_repository()
        if cs.name == "private_key":
            private_key_model = secret_repo.get(cs.secret_id, project_model.external_id)
            private_key = plugin.get_secret("application/pkcs8", private_key_model, project_model)
        elif cs.name == "private_key_passphrase":
            passphrase_model = secret_repo.get(cs.secret_id, project_model.external_id)
            passphrase = plugin.get_secret("text/plain;charset=utf-8", passphrase_model, project_model)
            passphrase = str(passphrase)

    if not private_key:
        raise excep.StoredKeyPrivateKeyNotFound(container.id)

    if passphrase is None:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
    else:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key, passphrase)

    subject_name = order_model.meta.get("subject_dn")
    subject_name_dns = ldap.dn.str2dn(subject_name)
    extensions = order_model.meta.get("extensions", None)

    req = crypto.X509Req()
    subj = req.get_subject()

    # Note: must iterate over the DNs in reverse order, or the resulting
    # subject name will be reversed.
    for ava in reversed(subject_name_dns):
        for key, val, extra in ava:
            setattr(subj, key.upper(), val)
    req.set_pubkey(pkey)
    if extensions:
        # TODO(alee-3) We need code here to parse the encoded extensions and
        # convert them into X509Extension objects.  This code will also be
        # used in the validation code.  Commenting out for now till we figure
        # out how to do this.
        # req.add_extensions(extensions)
        pass
    req.sign(pkey, "sha256")

    csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
    return csr

Example #12

File: snakeoil_ca.py Project: abattye/barbican

 def key(self):
     self.ensure_exists()
     if self.key_path:
         with open(self.key_path) as key_fh:
             return crypto.load_privatekey(crypto.FILETYPE_PEM,
                                           key_fh.read())
     else:
         return crypto.load_privatekey(crypto.FILETYPE_PEM, self._key_val)

Example #13

File: test_ssl_cert.py Project: bamthomas/aioimaplib

    def test_create_temp_self_signed_cert_returns_key_as_second_value(self):
        with open(self.key, 'rb') as f:
            data = f.read()

        try:
            crypto.load_privatekey(crypto.FILETYPE_PEM, data)
        except crypto.Error:
            self.fail('First file is not a key')

Example #14

File: CryptoPlugin.py Project: freenas/middleware

    def run(self, id, updated_fields):
        def update_all_signed_certs_and_get_ids(old_signing_name, new_signing_name):
            certs = self.datastore.query('crypto.certificates', ('signing_ca_name', '=', old_signing_name))
            for c in certs:
                c['signing_ca_name'] = new_signing_name
                self.datastore.update('crypto.certificates', c['id'], c)
            return [c['id'] for c in certs]

        ids = [id]
        if not self.datastore.exists('crypto.certificates', ('id', '=', id)):
            raise TaskException(errno.ENOENT, 'Certificate ID {0} does not exist'.format(id))

        cert = self.datastore.get_by_id('crypto.certificates', id)
        if cert['type'] in ('CA_EXISTING', 'CERT_EXISTING'):
            if 'certificate' in updated_fields:
                try:
                    crypto.load_certificate(crypto.FILETYPE_PEM, updated_fields['certificate'])
                except Exception:
                    raise TaskException(errno.EINVAL, 'Invalid certificate')
            if 'privatekey' in updated_fields:
                try:
                    crypto.load_privatekey(crypto.FILETYPE_PEM, updated_fields['privatekey'])
                except Exception:
                    raise TaskException(errno.EINVAL, 'Invalid privatekey')
            if 'name' in updated_fields:
                if self.datastore.exists('crypto.certificates', ('name', '=', updated_fields['name'])):
                    raise TaskException(errno.EEXIST,
                                        'Certificate name : "{0}" already in use'.format(updated_fields['name']))
        else:
            if len(updated_fields) > 1 or 'name' not in updated_fields:
                raise TaskException(errno.EINVAL, 'Only "name" field can be modified'.format(id))

            if self.datastore.exists('crypto.certificates', ('name', '=', updated_fields['name'])):
                raise TaskException(errno.EEXIST,
                                    'Certificate name : "{0}" already in use'.format(updated_fields['name']))

        try:
            if 'certificate' in updated_fields:
                cert['certificate'] = updated_fields['certificate']
                cert.update(get_cert_info(cert['certificate']))
            if 'privatekey' in updated_fields:
                cert['privatekey'] = updated_fields['privatekey']
            if 'name' in updated_fields:
                old_name = cert['name']
                cert['name'] = updated_fields['name']
                ids.extend(update_all_signed_certs_and_get_ids(old_name, cert['name']))
            pkey = self.datastore.update('crypto.certificates', id, cert)
            self.dispatcher.call_sync('etcd.generation.generate_group', 'crypto')
            self.dispatcher.dispatch_event('crypto.certificate.changed', {
                'operation': 'update',
                'ids': ids
            })
        except DatastoreException as e:
            raise TaskException(errno.EBADMSG, 'Cannot update certificate: {0}'.format(str(e)))
        except RpcException as e:
            raise TaskException(errno.ENXIO, 'Cannot generate certificate: {0}'.format(str(e)))

        return pkey

Example #15

File: CryptoPlugin.py Project: freenas/middleware

    def run(self, certificate):
        if self.datastore.exists('crypto.certificates', ('name', '=', certificate['name'])):
            raise TaskException(errno.EEXIST, 'Certificate named "{0}" already exists'.format(certificate['name']))

        new_cert_db_entry = {}
        new_cert_db_entry['name'] = certificate['name']
        new_cert_db_entry['type'] = certificate['type']

        if certificate.get('certificate_path'):
            imported_cert = crypto.load_certificate(
                crypto.FILETYPE_PEM, get_file_contents(certificate['certificate_path']).encode('utf-8'))
        elif certificate.get('certificate'):
            imported_cert = crypto.load_certificate(crypto.FILETYPE_PEM, certificate['certificate'].encode('utf-8'))
        else:
            imported_cert = False

        if imported_cert:
            new_cert_db_entry['certificate'] = crypto.dump_certificate(
                crypto.FILETYPE_PEM, imported_cert).decode('utf-8')
            new_cert_db_entry.update(get_cert_info(imported_cert))
            new_cert_db_entry['serial'] = str(imported_cert.get_serial_number())
            #certificate['selfsigned'] = False
            new_cert_db_entry['not_before'] = get_utc_string_from_asn1generalizedtime(
                imported_cert.get_notBefore().decode('utf-8'))
            new_cert_db_entry['not_after'] = get_utc_string_from_asn1generalizedtime(
                imported_cert.get_notAfter().decode('utf-8'))
            new_cert_db_entry['lifetime'] = 3650
        else:
            new_cert_db_entry['certificate'] = ""

        if certificate.get('privatekey_path'):
            imported_privkey = crypto.load_privatekey(
                crypto.FILETYPE_PEM, get_file_contents(certificate['privatekey_path']))
        elif certificate.get('privatekey'):
            imported_privkey = crypto.load_privatekey(crypto.FILETYPE_PEM, certificate['privatekey'])
        else:
            imported_privkey = False

        if imported_privkey:
            new_cert_db_entry['privatekey'] = crypto.dump_privatekey(
                crypto.FILETYPE_PEM, imported_privkey).decode('utf-8')
            new_cert_db_entry['key_length'] = imported_privkey.bits()
        else:
            new_cert_db_entry['privatekey'] = ""

        try:
            pkey = self.datastore.insert('crypto.certificates', new_cert_db_entry)
            self.dispatcher.call_sync('etcd.generation.generate_group', 'crypto')
            self.dispatcher.dispatch_event('crypto.certificate.changed', {
                'operation': 'create',
                'ids': [pkey]
            })
        except DatastoreException as e:
            raise TaskException(errno.EBADMSG, 'Cannot import certificate: {0}'.format(str(e)))
        except RpcException as e:
            raise TaskException(errno.ENXIO, 'Cannot generate certificate: {0}'.format(str(e)))

        return pkey

Example #16

File: crypto.py Project: LxiaoH/pyopenssl

 def check_load_privatekey_callback_wrong_type(self):
     """
     Call the function with an encrypted PEM and a passphrase callback which
     returns a non-string.
     """
     for i in xrange(self.iterations * 10):
         try:
             load_privatekey(FILETYPE_PEM, self.ENCRYPTED_PEM, lambda *args: {})
         except ValueError:
             pass

Example #17

File: crypto.py Project: LxiaoH/pyopenssl

 def check_load_privatekey_callback_incorrect(self):
     """
     Call the function with an encrypted PEM and a passphrase callback which
     returns the wrong passphrase.
     """
     for i in xrange(self.iterations * 10):
         try:
             load_privatekey(FILETYPE_PEM, self.ENCRYPTED_PEM, lambda *args: "hello, public")
         except Error:
             pass

Example #18

File: test_crypto.py Project: dreamwave/rad

 def test_dump_privatekey_passphrase(self):
     """
     L{dump_privatekey} writes an encrypted PEM when given a passphrase.
     """
     passphrase = "foo"
     key = load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)
     pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
     self.assertTrue(isinstance(pem, str))
     loadedKey = load_privatekey(FILETYPE_PEM, pem, passphrase)
     self.assertTrue(isinstance(loadedKey, PKeyType))
     self.assertEqual(loadedKey.type(), key.type())
     self.assertEqual(loadedKey.bits(), key.bits())

Example #19

File: util.py Project: bboerner/zato

def get_validate_tls_key_cert(server_tls_dir, fs_name):

    pem, full_path = get_full_tls(server_tls_dir, 'keys-certs', fs_name)

    # Only validate it's there.
    crypto.load_privatekey(crypto.FILETYPE_PEM, pem)

    # Really do something with a certificate though.
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
    subject = sorted(dict(cert.get_subject().get_components()).items())

    return cert.digest(b'sha1'), '; '.join(['{}={}'.format(k, v) for k, v in subject]), full_path

Example #20

File: __init__.py Project: andreybpanfilov/dctmpy

def build_dfc_identity(keystore, key_name, keystore_password, key_password, hostname):
    pk = get_private_key(keystore, key_name, keystore_password, key_password)
    if not pk:
        return None
    cert = pk.cert_chain[0][1]
    cert = crypto.load_certificate(crypto.FILETYPE_ASN1, cert)
    cn = cert.get_subject().commonName
    if pk.algorithm_oid == jks.util.RSA_ENCRYPTION_OID:
        pk = crypto.load_privatekey(crypto.FILETYPE_ASN1, pk.pkey)
    else:
        pk = crypto.load_privatekey(crypto.FILETYPE_ASN1, pk.pkey_pkcs8)
    data = "%s\t%d\t%s\t%s" % (cn, time.time(), hostname, "")
    signature = crypto.sign(pk, data, b"sha1")
    return str("%s\t%s" % (data, jks.base64.b64encode(signature)))

Example #21

File: webcert.py Project: pombredanne/f5test2

    def gen_certificate(self, cn, alt_names=None):
        assert cn
        # Load ROOTCA certificate and private key.
        if self.options.ca_crt and self.options.ca_key:
            crt = open(os.path.join(self.options.ca_crt))
            key = open(os.path.join(self.options.ca_key))
            capair = (
                crypto.load_privatekey(crypto.FILETYPE_PEM, key.read()),
                crypto.load_certificate(crypto.FILETYPE_PEM, crt.read()),
            )
            crt.close()
            key.close()
        else:
            capair = (
                crypto.load_privatekey(crypto.FILETYPE_PEM, ROOTCA_KEY),
                crypto.load_certificate(crypto.FILETYPE_PEM, ROOTCA_CRT),
            )

        pkey = WebCert.create_key_pair(crypto.TYPE_RSA, 1024)
        subject = F5TEST_SUBJECT
        subject.CN = cn
        req = WebCert.create_cert_request(pkey, **subject)

        serial = random.randint(0, MAXINT)

        extensions = []
        if alt_names:
            tmp = ",".join(["DNS:%s" % name for name in alt_names if name and name != cn])
            if tmp:
                extensions.append(crypto.X509Extension(b("subjectAltName"), False, b(tmp)))

        # Stick some nifty extensions- just for fun.
        extensions.append(crypto.X509Extension(b("basicConstraints"), False, b("CA:FALSE")))
        extensions.append(crypto.X509Extension(b("keyUsage"), False, b("digitalSignature,keyEncipherment")))
        extensions.append(crypto.X509Extension(b("extendedKeyUsage"), False, b("serverAuth,clientAuth")))
        extensions.append(crypto.X509Extension(b("authorityInfoAccess"), False, b("caIssuers;email:[email protected]")))
        extensions.append(
            crypto.X509Extension(b("crlDistributionPoints"), False, b("URI:http://172.27.58.1/rootca.crl"))
        )

        return (
            pkey,
            WebCert.create_certificate(
                req,
                capair,
                serial,
                (-60 * 60 * 24 * 1, 60 * 60 * 24 * 365 * 10),  # -1 .. 10 years
                extensions=extensions,
            ),
        )

Example #22

File: crypto.py Project: awiddersheim/ansible

def load_privatekey(path, passphrase=None):
    """Load the specified OpenSSL private key."""

    try:
        if passphrase:
            privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                                open(path, 'rb').read(),
                                                to_bytes(passphrase))
        else:
            privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                                open(path, 'rb').read())

        return privatekey
    except (IOError, OSError) as exc:
        raise OpenSSLObjectError(exc)

Example #23

File: util.py Project: dmalikcs/zato

def get_validate_tls_key_cert(server_tls_dir, fs_name):
    full_path = os.path.join(server_tls_dir, 'keys-certs', fs_name)
    if not os.path.exists(full_path):
        raise Exception('No such path `{}`'.format(full_path))

    pem = open(full_path).read()

    # Only validate it's there.
    crypto.load_privatekey(crypto.FILETYPE_PEM, pem)

    # Really do something with a certificate though.
    cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem)
    subject = sorted(dict(cert.get_subject().get_components()).items())

    return cert.digest(b'sha1'), '; '.join(['{}={}'.format(k, v) for k, v in subject]), full_path

Example #24

File: test_rsa.py Project: abattye/barbican

 def verify_container_keys_valid(self,
                                 secret_dict,
                                 with_passphrase=False):
     # verify generated keys can be parsed
     if with_passphrase:
         crypto.load_privatekey(
             crypto.FILETYPE_PEM,
             secret_dict['private_key'],
             secret_dict['private_key_passphrase'])
     else:
         self.assertFalse('private_key_passphrase' in secret_dict)
         crypto.load_privatekey(
             crypto.FILETYPE_PEM,
             secret_dict['private_key'])
     RSA.importKey(secret_dict['public_key'])

Example #25

File: fiscal.py Project: vvojvoda/fiscal-hr-python

    def generate_sha1_rsa_md5_signature(self, data):
        '''Generates SHA1-RSA-MD5 hash required for receipt signature (ZKI)'''

        key_pem = open(self.key_path).read()

        if self.key_passphrase:
            pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem,
                                          self.key_passphrase)
        else:
            pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)

        signature = crypto.sign(pkey, data, 'sha1')
        signature = md5(signature).hexdigest()

        return signature

Example #26

File: models.py Project: fdurand/pki

 def pemf(self, passphrase):
     pem = crypto.X509()
     blump = self.pkey
     key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.pkey)
     cert = crypto.load_certificate(crypto.FILETYPE_PEM, self.x509 + "\n" + self.profile.ca.ca_cert)
     pem.set_privatekey(key)
     pem.set_certificate(cert)

Example #27

File: models.py Project: fdurand/pki

 def pkcs12(self, passphrase):
     p12 = crypto.PKCS12()
     key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.pkey)
     cert = crypto.load_certificate(crypto.FILETYPE_PEM, self.x509 + "\n" + self.profile.ca.ca_cert)
     p12.set_privatekey(key)
     p12.set_certificate(cert)
     return p12.export(passphrase)

Example #28

File: models.py Project: fdurand/pki

 def pkcs12(self, passphrase):
     p12 = crypto.PKCS12()
     key = crypto.load_privatekey(crypto.FILETYPE_PEM, self.ca_key)
     cert = crypto.load_certificate(crypto.FILETYPE_PEM, self.ca_cert)
     p12.set_privatekey(key)
     p12.set_certificate(cert)
     return crypto.dump_pkcs12(p12,passphrase, "")

Example #29

File: credentials.py Project: ROZ32/gcloud_test

def _get_pem_key(credentials):
    """Gets private key for a PEM payload from a credentials object.

    :type credentials: :class:`service_account.ServiceAccountCredentials`,
    :param credentials: The credentials used to create a private key
                        for signing text.

    :rtype: :class:`OpenSSL.crypto.PKey`
    :returns: A PKey object used to sign text.
    :raises: `TypeError` if `credentials` is the wrong type.
             `EnvironmentError` if `crypto` did not import successfully.
    """
    if isinstance(credentials, ServiceAccountCredentials):
        if credentials._private_key_pkcs12 is not None:
            # Take our PKCS12 (.p12) text and convert to PEM text.
            pem_text = crypt.pkcs12_key_as_pem(
                credentials._private_key_pkcs12,
                credentials._private_key_password)
        else:
            pem_text = credentials._private_key_pkcs8_pem
    else:
        raise TypeError((credentials,
                         'not a valid service account credentials type'))

    if crypto is None:
        raise EnvironmentError(
            'pyOpenSSL must be installed to load a private key')
    return crypto.load_privatekey(crypto.FILETYPE_PEM, pem_text)

Example #30

File: test_2_authenticate.py Project: ncarenton/esgf-test-suite

 def test_get_credentials(self):
     # Test output from get_trustroots
     assert isinstance(_mu.credentials, tuple)
     cert = crypto.load_certificate(crypto.FILETYPE_PEM, _mu.credentials[0])
     key = crypto.load_privatekey(crypto.FILETYPE_PEM, _mu.credentials[1])
     assert isinstance(cert, crypto.X509)
     assert isinstance(key, crypto.PKey)

Example #31

def import_srv_crt_to_keystore():
    config = hookenv.config()
    for cert_type in ('server', 'client'):
        password = keystore_password()
        crt_path = os.path.join(
            KAFKA_REST_DATA,
            "{}.crt".format(cert_type)
        )
        key_path = os.path.join(
            KAFKA_REST_DATA,
            "{}.key".format(cert_type)
        )

        if os.path.isfile(crt_path) and os.path.isfile(key_path):
            with open(crt_path, 'rt') as f:
                cert = f.read()
                loaded_cert = crypto.load_certificate(
                    crypto.FILETYPE_PEM,
                    cert
                )
                if not data_changed(
                    'confluent_kafka_rest{}_certificate'.format(cert_type),
                    cert
                ):
                    if not config['ssl_key_password']:
                        log('server certificate of key file missing')
                        return

            with open(key_path, 'rt') as f:
                loaded_key = crypto.load_privatekey(
                    crypto.FILETYPE_PEM,
                    f.read()
                )

            with tempfile.NamedTemporaryFile() as tmp:
                log('server certificate changed')

                keystore_path = os.path.join(
                    KAFKA_REST_DATA,
                    "confluent_kafka_rest.{}.jks".format(cert_type)
                )
                if os.path.isfile(keystore_path):
                    os.remove(keystore_path)
                pkcs12 = crypto.PKCS12Type()
                pkcs12.set_certificate(loaded_cert)
                pkcs12.set_privatekey(loaded_key)
                pkcs12_data = pkcs12.export(password)
                log('opening tmp file {}'.format(tmp.name))

                # write cert and private key to the pkcs12 file
                tmp.write(pkcs12_data)
                tmp.flush()

                log('importing pkcs12')
                # import the pkcs12 into the keystore
                check_call([
                    'keytool',
                    '-v', '-importkeystore',
                    '-srckeystore', str(tmp.name),
                    '-srcstorepass', password,
                    '-srcstoretype', 'PKCS12',
                    '-destkeystore', keystore_path,
                    '-deststoretype', 'JKS',
                    '-deststorepass', password,
                    '--noprompt'
                ])
                set_state('confluent_kafka_rest.{}.keystore.saved'.format(cert_type))

        remove_state('confluent_kafka_rest.started')
        remove_state('tls_client.certs.changed')

Example #32

def load_privatekey(key, filetype=FILETYPE_PEM):
    """Loads obj private key object from string."""
    return crypto.load_privatekey(filetype, key)

Example #33

File: upload_package_gforge.py Project: massich/mklontravis-appveyor-db

server = os.environ['deploy_host']
username = os.environ['deploy_user']
password = os.environ['deploy_password']
remotepath = os.environ['deploy_folder']
key_filename = os.path.join(os.environ['src_dir'], 'build_tools',
                            'openmeeg_deploy_key.pem')

if __name__ == '__main__':
    if len(sys.argv) == 1:
        print('nothing to upload')
        sys.exit(0)
    # load the encrypted file
    with open(key_filename, 'rb') as f:
        priv = f.read()

    pkey = load_privatekey(FILETYPE_PEM, priv, passphrase=password)
    priv = dump_privatekey(FILETYPE_PEM, pkey)

    # hack on the header
    priv = priv.replace('BEGIN ', 'BEGIN RSA ')

    key_filename += '.dec'

    with open(key_filename, 'w') as f:
        f.write(priv)

    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(server, username=username, key_filename=key_filename)
    sftp = ssh.open_sftp()

Example #34

def load_privatekey(buf, passphrase=None):
    return crypto.load_privatekey(
        crypto.FILETYPE_PEM,
        buf,
        passphrase=lambda x: str(passphrase) if passphrase else ''
    )

Example #35

File: certerator.py Project: liwz11/blogsource

def make_cert_p12(cert,key):
    p12 = crypto.PKCS12()
    p12.set_certificate(cert)
    p12.set_privatekey(key)
    #p12.set_friendlyname(b"test")
    return p12.export('123456') # passwaord is 123456

if __name__ == "__main__":
    try:
        config_ca, config_cert = certerator_config()
    
        # Firstly, sort out the CA file
        if os.path.isfile(config_ca['cert_filename']) and os.path.isfile(config_ca['cert_key']):
            sys.stdout.write("Reusing "+config_ca['cert_filename']+" as the CA\n")
            ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, file(config_ca['cert_filename']).read())
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, file(config_ca['cert_key']).read())
            sys.stdout.write(" SHA1 CA Fingerprint: "+ca_cert.digest('sha1')+"\n")
        else:
            sys.stdout.write("Generating new CA...")
            sys.stdout.flush()
            ca_cert, ca_key = generate_ca(config_ca)
            sys.stdout.write("..done\n")
            open(config_ca['cert_filename'], "w").write(crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
            open(config_ca['cert_der'], "wb").write(crypto.dump_certificate(crypto.FILETYPE_ASN1, ca_cert))
            open(config_ca['cert_key'], "w").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_key))
            open(config_ca['cert_p12'], "wb").write(make_ca_p12(ca_cert,ca_key))
            sys.stdout.write(" Written PEM CA certificate to "+config_ca['cert_filename']+"\n")
            sys.stdout.write(" Written DER CA certificate to "+config_ca['cert_der']+"\n")
            sys.stdout.write(" Written CA private key to "+config_ca['cert_key']+"\n")
            sys.stdout.write(" Written CA PKCS12 (private key and certificate) to "+config_ca['cert_p12']+"\n")
            sys.stdout.write(" SHA1 CA Fingerprint: "+ca_cert.digest('sha1')+"\n")

Example #36

File: butterfly.server.py Project: gitsuke/butterfly

        ca_cert.get_subject().CN = 'Butterfly CA on %s' % socket.gethostname()
        fill_fields(ca_cert.get_subject())
        ca_cert.set_serial_number(uuid.uuid4().int)
        ca_cert.gmtime_adj_notBefore(0)  # From now
        ca_cert.gmtime_adj_notAfter(315360000)  # to 10y
        ca_cert.set_issuer(ca_cert.get_subject())  # Self signed
        ca_cert.set_pubkey(ca_pk)
        ca_cert.sign(ca_pk, 'sha512')

        write(ca, crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
        write(ca_key, crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_pk))
        os.chmod(ca_key, stat.S_IRUSR | stat.S_IWUSR)  # 0o600 perms
    else:
        print('Root certificate found, using it')
        ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, read(ca))
        ca_pk = crypto.load_privatekey(crypto.FILETYPE_PEM, read(ca_key))

    server_pk = crypto.PKey()
    server_pk.generate_key(crypto.TYPE_RSA, 2048)
    server_cert = crypto.X509()
    server_cert.get_subject().CN = host
    alt = 'subjectAltName'
    value = 'DNS:%s' % host
    server_cert.add_extensions([
        crypto.X509Extension(alt.encode('utf-8'), False, value.encode('utf-8'))
    ])

    fill_fields(server_cert.get_subject())
    server_cert.set_serial_number(uuid.uuid4().int)
    server_cert.gmtime_adj_notBefore(0)  # From now
    server_cert.gmtime_adj_notAfter(315360000)  # to 10y

Example #37

File: test_load_private_key.py Project: pykiki/PyKI

    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    Contact: [email protected] / 34 rue appienne 13480 - FRANCE.
'''

filePath = "/Users/albookpro/Downloads/pyTLSpki/building/pki/CERTS/clients/clientKey.pem"

#passphrase = False
passphrase = b'azerty'

if passphrase:
    try:
        sslkeyObject = crypto.load_privatekey(
            crypto.FILETYPE_PEM, open(filePath).read(), passphrase)
    except:
        print("Error reading key\n")
        exit(1)
else:
    # if the key is passphrase protected, you will be interactively prompt for
    # it
    try:
        sslkeyObject = crypto.load_privatekey(
            crypto.FILETYPE_PEM, open(filePath).read())
    except:
        print("Error reading key\n")
        exit(1)

# you have now your OpenSSL.crypto.PKey object
print(sslkeyObject)

Example #38

 def load(Class, data, format=crypto.FILETYPE_ASN1):
     return Class(crypto.load_privatekey(format, data))

Example #39

def run(config=None,
        plugin_providers=None,
        product_name='webui',
        dev_mode=False,
        debug_mode=False,
        autologin=False):
    """
    A global entry point for Webui.

    :param config: config file implementation instance to use
    :type  config: :class:`wu.config.BaseConfig`
    :param plugin_providers: list of plugin providers to load plugins from
    :type  plugin_providers: list(:class:`wu.plugins.PluginProvider`)
    :param str product_name: a product name to use
    :param bool dev_mode: enables dev mode (automatic resource recompilation)
    :param bool debug_mode: enables debug mode (verbose and extra logging)
    :param bool autologin: disables authentication and logs everyone in as the user running the panel. This is EXTREMELY INSECURE.
    """
    if config is None:
        raise TypeError('`config` can\'t be None')

    reload_module(sys)
    if hasattr(sys, 'setdefaultencoding'):
        sys.setdefaultencoding('utf8')

    wu.product = product_name
    wu.debug = debug_mode
    wu.dev = dev_mode
    wu.dev_autologin = autologin

    wu.init()
    wu.log.set_log_params(tag='master', master_pid=os.getpid())
    wu.context = Context()
    wu.config = config
    wu.plugin_providers = plugin_providers or []
    logging.info('Loading config from %s', wu.config)
    wu.config.load()
    wu.config.ensure_structure()

    if wu.debug:
        logging.warn('Debug mode')
    if wu.dev:
        logging.warn('Dev mode')

    try:
        locale.setlocale(locale.LC_ALL, '')
    except locale.Error:
        logging.warning('Couldn\'t set default locale')

    # install a passthrough gettext replacement since all localization is handled in frontend
    # and _() is here only for string extraction
    __builtins__['_'] = lambda x: x

    logging.info('Webui Core %s', wu.version)
    logging.info('Detected platform: %s / %s', wu.platform, wu.platform_string)

    # Load plugins
    PluginManager.get(wu.context).load_all_from(wu.plugin_providers)
    if len(PluginManager.get(wu.context)) == 0:
        logging.warn('No plugins were loaded!')

    if wu.config.data['bind']['mode'] == 'unix':
        path = wu.config.data['bind']['socket']
        if os.path.exists(path):
            os.unlink(path)
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            listener.bind(path)
        except OSError:
            logging.error('Could not bind to %s', path)
            sys.exit(1)

    if wu.config.data['bind']['mode'] == 'tcp':
        host = wu.config.data['bind']['host']
        port = wu.config.data['bind']['port']
        listener = socket.socket(
            socket.AF_INET6 if ':' in host else socket.AF_INET,
            socket.SOCK_STREAM)
        if wu.platform not in ['freebsd', 'osx']:
            try:
                listener.setsockopt(socket.IPPROTO_TCP, socket.TCP_CORK, 1)
            except socket.error:
                logging.warn('Could not set TCP_CORK')
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        logging.info('Binding to [%s]:%s', host, port)
        try:
            listener.bind((host, port))
        except socket.error as e:
            logging.error('Could not bind: %s', str(e))
            sys.exit(1)

    # Fix stupid socketio bug (it tries to do *args[0][0])
    socket.socket.__getitem__ = lambda x, y: None

    listener.listen(10)

    gateway = GateMiddleware.get(wu.context)
    application = HttpRoot(HttpMiddlewareAggregator([gateway])).dispatch

    wu.server = SocketIOServer(
        listener,
        log=open(os.devnull, 'w'),
        application=application,
        handler_class=RequestHandler,
        policy_server=False,
        transports=[
            str('websocket'),
            str('flashsocket'),
            str('xhr-polling'),
            str('jsonp-polling'),
        ],
    )

    if wu.config.data['ssl']['enable'] and wu.config.data['bind'][
            'mode'] == 'tcp':
        try:
            context = SSL.Context(SSL.TLSv1_2_METHOD)
        except:
            context = SSL.Context(SSL.TLSv1_METHOD)
        context.set_session_id(str(id(context)))
        context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
        context.set_cipher_list(
            'ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM')

        certificate = crypto.load_certificate(
            crypto.FILETYPE_PEM,
            open(wu.config.data['ssl']['certificate']).read())
        private_key = crypto.load_privatekey(
            crypto.FILETYPE_PEM,
            open(wu.config.data['ssl']['certificate']).read())

        context.use_certificate(certificate)
        context.use_privatekey(private_key)

        if wu.config.data['ssl']['client_auth']['enable']:
            # todo harden files
            logging.info('Enabling SSL client authentication')
            context.add_client_ca(certificate)
            context.get_cert_store().add_cert(certificate)
            verify_flags = SSL.VERIFY_PEER
            if wu.config.data['ssl']['client_auth']['force']:
                verify_flags |= SSL.VERIFY_FAIL_IF_NO_PEER_CERT
            context.set_verify(
                verify_flags,
                AuthenticationService.get(
                    wu.context).client_certificate_callback)
            context.set_verify_depth(0)

        wu.server.ssl_args = {'server_side': True}
        wu.server.wrap_socket = lambda socket, **ssl: SSLSocket(
            context, socket)
        logging.info('SSL enabled')

    # auth.log
    try:
        syslog.openlog(
            ident=str(wu.product),
            facility=syslog.LOG_AUTH,
        )
    except:
        syslog.openlog(wu.product)

    def cleanup():
        if hasattr(cleanup, 'started'):
            return
        cleanup.started = True
        logging.info('Process %s exiting normally', os.getpid())
        gevent.signal(signal.SIGINT, lambda: None)
        gevent.signal(signal.SIGTERM, lambda: None)
        if wu.master:
            gateway.destroy()

        p = psutil.Process(os.getpid())
        for c in p.children(recursive=True):
            try:
                os.killpg(c.pid, signal.SIGTERM)
                os.killpg(c.pid, signal.SIGKILL)
            except OSError:
                pass

    def signal_handler():
        cleanup()
        sys.exit(0)

    gevent.signal(signal.SIGINT, signal_handler)
    gevent.signal(signal.SIGTERM, signal_handler)

    wu.server.serve_forever()

    if not wu.master:
        # child process, server is stopped, wait until killed
        gevent.wait()

    if hasattr(wu.server, 'restart_marker'):
        logging.warn('Restarting by request')
        cleanup()

        fd = 20  # Close all descriptors. Creepy thing
        while fd > 2:
            try:
                os.close(fd)
                logging.debug('Closed descriptor #%i', fd)
            except OSError:
                pass
            fd -= 1

        logging.warn('Will restart the process now')
        if '-d' in sys.argv:
            sys.argv.remove('-d')
        os.execv(sys.argv[0], sys.argv)
    else:
        if wu.master:
            logging.debug('Server stopped')
            cleanup()

Example #40

 def get_privatekey(self):
     privatekey = None
     if self.cert_privatekey:
         privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                             self.cert_privatekey)
     return privatekey

Example #41

def HttpdStart(session):
    """
	Helper class to start web server
	
	Args:
		session: (?) session object
	"""
    if config.OpenWebif.enabled.value is True:
        global listener, site, sslsite
        port = config.OpenWebif.port.value

        temproot = buildRootTree(session)
        root = AuthResource(session, temproot)
        site = server.Site(root)
        site.displayTracebacks = config.OpenWebif.displayTracebacks.value

        # start http webserver on configured port
        try:
            if has_ipv6 and fileExists(
                    '/proc/net/if_inet6') and version.major >= 12:
                # use ipv6
                listener.append(reactor.listenTCP(port, site, interface='::'))
            else:
                # ipv4 only
                listener.append(reactor.listenTCP(port, site))
            print("[OpenWebif] started on %i" % (port))
            BJregisterService('http', port)
        except CannotListenError:
            print("[OpenWebif] failed to listen on Port %i" % (port))

        if config.OpenWebif.https_clientcert.value is True and not os.path.exists(
                CA_FILE):
            # Disable https
            config.OpenWebif.https_enabled.value = False
            config.OpenWebif.https_enabled.save()
            # Inform the user
            session.open(
                MessageBox,
                "Cannot read CA certs for HTTPS access\nHTTPS access is disabled!",
                MessageBox.TYPE_ERROR)

        if config.OpenWebif.https_enabled.value is True:
            httpsPort = config.OpenWebif.https_port.value
            installCertificates(session)
            # start https webserver on port configured port
            try:
                try:
                    key = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                                 open(KEY_FILE, 'rt').read())
                    cert = crypto.load_certificate(
                        crypto.FILETYPE_PEM,
                        open(CERT_FILE, 'rt').read())
                    print("[OpenWebif] CHAIN_FILE = %s" % CHAIN_FILE)
                    chain = None
                    if os.path.exists(CHAIN_FILE):
                        chain = [
                            crypto.load_certificate(
                                crypto.FILETYPE_PEM,
                                open(CHAIN_FILE, 'rt').read())
                        ]
                        print("[OpenWebif] ssl chain file found - loading")
                    context = ssl.CertificateOptions(privateKey=key,
                                                     certificate=cert,
                                                     extraCertChain=chain)
                except:
                    # THIS EXCEPTION IS ONLY CATCHED WHEN CERT FILES ARE BAD (look below for error)
                    print(
                        "[OpenWebif] failed to get valid cert files. (It could occure bad file save or format, removing...)"
                    )
                    # removing bad files
                    if os.path.exists(KEY_FILE):
                        os.remove(KEY_FILE)
                    if os.path.exists(CERT_FILE):
                        os.remove(CERT_FILE)
                    # regenerate new ones
                    installCertificates(session)
                    context = ssl.DefaultOpenSSLContextFactory(
                        KEY_FILE, CERT_FILE)

                if config.OpenWebif.https_clientcert.value is True:
                    ctx = context.getContext()
                    ctx.set_verify(
                        SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                        verifyCallback)
                    ctx.load_verify_locations(CA_FILE)

                sslroot = AuthResource(session, temproot)
                sslsite = server.Site(sslroot)

                if has_ipv6 and fileExists(
                        '/proc/net/if_inet6') and version.major >= 12:
                    # use ipv6
                    listener.append(
                        reactor.listenSSL(httpsPort,
                                          sslsite,
                                          context,
                                          interface='::'))
                else:
                    # ipv4 only
                    listener.append(
                        reactor.listenSSL(httpsPort, sslsite, context))
                print("[OpenWebif] started on", httpsPort)
                BJregisterService('https', httpsPort)
            except CannotListenError:
                print("[OpenWebif] failed to listen on Port", httpsPort)
            except:
                print("[OpenWebif] failed to start https, disabling...")
                # Disable https
                config.OpenWebif.https_enabled.value = False
                config.OpenWebif.https_enabled.save()

        # Streaming requires listening on 127.0.0.1:80
        if port != 80:
            try:
                if has_ipv6 and fileExists(
                        '/proc/net/if_inet6') and version.major >= 12:
                    # use ipv6
                    # Dear Twisted devs: Learning English, lesson 1 - interface != address
                    listener.append(
                        reactor.listenTCP(80, site, interface='::1'))
                    listener.append(
                        reactor.listenTCP(80,
                                          site,
                                          interface='::ffff:127.0.0.1'))
                else:
                    # ipv4 only
                    listener.append(
                        reactor.listenTCP(80, site, interface='127.0.0.1'))
                print("[OpenWebif] started stream listening on port 80")
            except CannotListenError:
                print("[OpenWebif] port 80 busy")

Example #42

 def _read_ca(self, file):
     self.cert = load_certificate(FILETYPE_PEM, open(file, 'rb').read())
     self.key = load_privatekey(FILETYPE_PEM, open(file, 'rb').read())

Example #43

#
# SPDX-License-Identifier: MIT
#

from OpenSSL import crypto
import os

Import("env")

s = 1
try:
    pkey = os.environ["FIRMWARE_SIGNING_PKEY"]
except:
    s = 0

if s:
    if os.path.exists(pkey):
        try:
            with open(pkey, "r") as f:
                pkey = f.read()
        except:
            s = 0
if s:
    try:
        pk = crypto.load_privatekey(crypto.FILETYPE_PEM, pkey)
    except:
        s = 0

signing = "-DSIGNED_UPDATES=%d" % s
env.Append(CPPDEFINES=[signing])

Example #44

File: rsacrypto.py Project: lordsky/hall0

_ali_pubkey_py = RSA.importKey(ALIPAY_PUB_KEY)
_ali_pubkey_tuyoo_py = RSA.importKey(ALIPAY_PUB_KEY_TUYOO)
_shediao_pubkey_py = RSA.importKey(SHEDIAO_ALIPAY_PUB_KEY)
_oppo_pubkey_py = RSA.importKey(OPPO_PUB_KEY)
_jinli_pubkey_py = RSA.importKey(JINLI_PUB_KEY)
_iTools_pubkey_py = RSA.importKey(iTools_pubkey_str)
_kuaiyongpingguo_pubkey_py = RSA.importKey(KUAIYONGPINGGUO_PUB_KEY)
_unionpay_private_key = RSA.importKey(UNIONPAY_PRIVATE_KEY)
_jolo_pubkey_py = RSA.importKey(JOLO_PUB_KEY)
_changba_pubkey_py = RSA.importKey(CHANGBA_PUB_KEY)
_wandoujia_pubkey_py = RSA.importKey(WANDOUJIA_PUB_KEY)
_jusdk_public_py = RSA.importKey(JUSDK_PUB_KEY)

# for openssl...
try:
    _ali_privkey = load_privatekey(FILETYPE_PEM, ALIPAY_PRIVATE_KEY)
    _shediao_privkey = load_privatekey(FILETYPE_PEM,
                                       SHEDIAO_ALIPAY_PRIVATE_KEY)
    _huafubao_privkey = load_privatekey(FILETYPE_PEM, HUAFUBAO_PRIVATE_KEY)
    _ali_certkey = load_certificate(FILETYPE_PEM, ALIPAY_CERT)
    _shediao_certkey = load_certificate(FILETYPE_PEM, SHEDIAO_ALIPAY_CERT)
    _huafubao_certkey = load_certificate(FILETYPE_PEM, HUAFUBAO_CERT_KEY)
    _unionpay_certkey = load_certificate(FILETYPE_PEM, UNIONPAY_CERT_KEY)
except:
    traceback.print_exc()
    _ali_privkey = None
    _shediao_privkey = None
    _huafubao_privkey = None
    _ali_certkey = None
    _shediao_certkey = None
    _huafubao_certkey = None

Example #45

    def generate_files(self, config):
        tls_certificate_path = config["tls_certificate_path"]
        tls_private_key_path = config["tls_private_key_path"]
        tls_dh_params_path = config["tls_dh_params_path"]

        if not os.path.exists(tls_private_key_path):
            with open(tls_private_key_path, "w") as private_key_file:
                tls_private_key = crypto.PKey()
                tls_private_key.generate_key(crypto.TYPE_RSA, 2048)
                private_key_pem = crypto.dump_privatekey(
                    crypto.FILETYPE_PEM, tls_private_key
                )
                private_key_file.write(private_key_pem)
        else:
            with open(tls_private_key_path) as private_key_file:
                private_key_pem = private_key_file.read()
                tls_private_key = crypto.load_privatekey(
                    crypto.FILETYPE_PEM, private_key_pem
                )

        if not os.path.exists(tls_certificate_path):
            with open(tls_certificate_path, "w") as certificate_file:
                cert = crypto.X509()
                subject = cert.get_subject()
                subject.CN = config["server_name"]

                cert.set_serial_number(1000)
                cert.gmtime_adj_notBefore(0)
                cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
                cert.set_issuer(cert.get_subject())
                cert.set_pubkey(tls_private_key)

                cert.sign(tls_private_key, 'sha256')

                cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)

                certificate_file.write(cert_pem)

        if not os.path.exists(tls_dh_params_path):
            if GENERATE_DH_PARAMS:
                subprocess.check_call([
                    "openssl", "dhparam",
                    "-outform", "PEM",
                    "-out", tls_dh_params_path,
                    "2048"
                ])
            else:
                with open(tls_dh_params_path, "w") as dh_params_file:
                    dh_params_file.write(
                        "2048-bit DH parameters taken from rfc3526\n"
                        "-----BEGIN DH PARAMETERS-----\n"
                        "MIIBCAKCAQEA///////////JD9qiIWjC"
                        "NMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n"
                        "IlFKCHmONATd75UZs806QxswKwpt8l8U"
                        "N0/hNW1tUcJF5IW1dmJefsb0TELppjft\n"
                        "awv/XLb0Brft7jhr+1qJn6WunyQRfEsf"
                        "5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n"
                        "mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVS"
                        "u57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n"
                        "fDKQXkYuNs474553LBgOhgObJ4Oi7Aei"
                        "j7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n"
                        "5RXSJhiY+gUQFXKOWoqsqmj/////////"
                        "/wIBAg==\n"
                        "-----END DH PARAMETERS-----\n"
                    )

Example #46

from OpenSSL import crypto
from socket import gethostname
import os
import subprocess


#Reading the Private key generated using openssl(should be generated using ECDSA P256 curve)
f = open("ecdsa-sha256-signer.key.pem")
pv_buf = f.read()
f.close()
priv_key = crypto.load_privatekey(crypto.FILETYPE_PEM, pv_buf)

#Reading the certificate generated using openssl(should be generated using ECDSA P256 curve)
f = open("ecdsa-sha256-signer.crt.pem")
ss_buf = f.read()
f.close()
ss_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ss_buf)

#opening the firmware_is.bin and getting the number of padding bytes
fw_bin = open('./Debug/Exe/firmware_is.bin', 'br').read()
fw_bin_size = os.path.getsize("./Debug/Exe/firmware_is.bin")
fw_padding = 1024-(fw_bin_size%1024)

#padding 0's to make the last block of OTA equal to an integral multiple of block size
x = bytes([0] * fw_padding)

#append the 0 padding bytes 
f = open("./Debug/Exe/firmware_is_pad.bin", 'wb')
f.write(fw_bin)
f.write(x)
f.close()

Example #47

 def read_tls_private_key(self, private_key_path):
     private_key_pem = self.read_file(private_key_path, "tls_private_key")
     return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)

Example #48

    def do_userCERT(self, params):
        tlscfg = cfg
        user_cfg = cfg.get("tls_user_config")
        if user_cfg:
            tlscfg = OpenSIPSCLIConfig()
            tlscfg.parse(user_cfg)

        cn = tlscfg.read_param(
            "tls_user_common_name",
            "input the hostname of the website the certificate is for",
            "www.open.ro")
        user_dir = tlscfg.read_param("tls_user_dir", "user director",
                                     "/etc/opensips/tls/user/")
        cert_file = tlscfg.read_param("tls_user_cert_file", "cert_file",
                                      "user-cert.pem")
        key_file = tlscfg.read_param("tls_user_key_file", "key_file",
                                     "user-privkey.pem")
        calist_file = tlscfg.read_param("tls_user_calist_file", "cert_file",
                                        "user-calist.pem")
        c_f = join(user_dir, cert_file)
        k_f = join(user_dir, key_file)
        ca_f = join(user_dir, calist_file)

        create_cert = False
        if not exists(c_f) or not exists(k_f):
            create_cert = True
        else:
            if tlscfg.read_param(
                    "tls_user_overwrite",
                    "user certificate already exists, do you want to overwrite it?",
                    "yes", True):
                create_cert = True
        if create_cert:
            cacert = tlscfg.read_param("tls_user_cacert", "cert_file",
                                       "/etc/opensips/tls/rootCA/cacert.pem")
            cakey = tlscfg.read_param(
                "tls_user_cakey", "key_file",
                "/etc/opensips/tls/rootCA/private/cakey.pem")
            ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
                                              open(cacert, 'rt').read())
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                            open(cakey, 'rt').read())

            # create a key pair
            key = crypto.PKey()
            key_size = int(
                tlscfg.read_param("tls_user_key_size", "key_size", 4096))
            key.generate_key(crypto.TYPE_RSA, key_size)

            # create a self-signed cert
            cert = crypto.X509()

            cert.get_subject().C = tlscfg.read_param("tls_user_country",
                                                     "country", "ro")
            cert.get_subject().ST = tlscfg.read_param("tls_user_state",
                                                      "state", "Braila")
            cert.get_subject().L = tlscfg.read_param("tls_user_city", "city",
                                                     "Braila")
            cert.get_subject().O = tlscfg.read_param("tls_user_organisation",
                                                     "organization",
                                                     "opensips")
            cert.get_subject().OU = tlscfg.read_param(
                "tls_user_organisational_unit", "organisational unit",
                "project")
            cert.get_subject().CN = cn
            serial = int(tlscfg.read_param("tls_user_serial", "serial", 2))
            cert.set_serial_number(serial)
            cert.gmtime_adj_notBefore(0)
            notafter = int(
                tlscfg.read_param("tls_user_notafter", "duration", 315360000))
            cert.gmtime_adj_notAfter(notafter)
            cert.set_issuer(ca_cert.get_subject())
            cert.set_pubkey(key)
            md = tlscfg.read_param("tls_user_md", "md", "sha1")
            cert.sign(ca_key, md)

            if not exists(dirname(c_f)):
                makedirs(dirname(c_f))
            try:
                open(c_f, "wt").write(
                    crypto.dump_certificate(crypto.FILETYPE_PEM,
                                            cert).decode('utf-8'))
            except Exception as e:
                logger.error(e)

            if not exists(dirname(k_f)):
                makedirs(dirname(k_f))
            try:
                open(k_f, "wt").write(
                    crypto.dump_privatekey(crypto.FILETYPE_PEM,
                                           key).decode('utf-8'))
            except Exception as e:
                logger.error(e)

            if not exists(dirname(ca_f)):
                makedirs(dirname(ca_f))
            try:
                open(ca_f, "wt").write(
                    crypto.dump_certificate(crypto.FILETYPE_PEM,
                                            ca_cert).decode('utf-8'))
            except Exception as e:
                logger.error(e)
            logger.info("user certificate created in " + c_f)
            logger.info("user private key created in " + k_f)
            logger.info("user calist(ca chain of trust) created in " + ca_f)

Example #49

File: simpleca.py Project: claudex/simpleca

 def _sign_cert(self, cert):
     """ Sign the certificate with the given key """
     with open(self._get_key_link(self.commonname), 'r') as private_file:
         data = private_file.read()
         pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, data)
     cert.sign(pkey, 'sha256')

Example #50

File: acisession.py Project: ryanpjbyrne/acitoolkit

    def __init__(self, url, uid, pwd=None, cert_name=None, key=None, verify_ssl=False,
                 appcenter_user=False, subscription_enabled=True, proxies=None,
                 relogin_forever=False):
        """
        :param url:  String containing the APIC URL such as ``https://1.2.3.4``
        :param uid: String containing the username that will be used as\
        part of the  the APIC login credentials.
        :param pwd: String containing the password that will be used as\
        part of the  the APIC login credentials.
        :param cert_name: String containing the certificate name that will be used\
        as part of the  the APIC certificate authentication credentials.
        :param key: String containing the private key file name that will be used\
        as part of the  the APIC certificate authentication credentials.
        :param verify_ssl:  Used only for SSL connections with the APIC.\
        Indicates whether SSL certificates must be verified.  Possible\
        values are True and False with the default being False.
        :param appcenter_user:  Set True when using certificate authentication from\
        the context of an APIC appcenter app
        :param proxies: Optional dictionary containing the proxies passed\
        directly to the Requests library
        :param relogin_forever: Boolean that when set to True will attempt to re-login
                                forever regardless of the error returned from APIC.
        """
        if not isinstance(url, str):
            url = str(url)
        if not isinstance(uid, str):
            uid = str(uid)
        if not isinstance(pwd, str):
            pwd = str(pwd)
        if not isinstance(url, str):
            raise CredentialsError("The URL or APIC address must be a string")
        if not isinstance(uid, str):
            raise CredentialsError("The user ID must be a string")
        if (pwd is None or pwd == 'None') and not cert_name and not key:
            raise CredentialsError("An authentication method must be provided")
        if pwd:
            if not isinstance(pwd, str):
                raise CredentialsError("The password must be a string")
        if cert_name:
            if not isinstance(cert_name, str):
                raise CredentialsError("The certificate name must be a string")
        if key:
            if not isinstance(key, str):
                raise CredentialsError("The key path must be a string")
        if (cert_name and not key) or (not cert_name and key):
            raise CredentialsError("Both a certificate name and private key must be provided")
        if not isinstance(relogin_forever, bool):
            raise CredentialsError("relogin_forever must be a boolean")

        if 'https://' in url:
            self.ipaddr = url[len('https://'):]
        else:
            self.ipaddr = url[len('http://'):]
        self.uid = uid
        self.pwd = pwd
        self.key = key
        self.cert_name = cert_name
        self.appcenter_user = appcenter_user
        if key and cert_name:
            if NO_OPENSSL:
                raise ImportError('Cannot use certificate authentication because pyopenssl is not available.\n\
                Please install it using "pip install pyopenssl"')

            self.cert_auth = True
            # Cert based auth does not support subscriptions :(
            # there's an exception for appcenter_user relying on the requestAppToken api
            if subscription_enabled and not self.appcenter_user:
                logging.warning('Disabling subscription support as certificate authentication does not support it.')
                logging.warning('Consider passing subscription_enabled=False to hide this warning message.')
                subscription_enabled = False
            # Disable the warnings for SSL
            if not verify_ssl:
                try:
                    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
                except (AttributeError, NameError):
                    pass
            with open(self.key, 'r') as f:
                key_text = f.read()
            try:
                self._x509Key = load_privatekey(FILETYPE_PEM, key_text)
            except Exception:
                raise TypeError('Could not load private key file %s\
                \nAre you sure you provided the private key? (Not the certificate)' % self.key)
        else:
            self.cert_auth = False
        # self.api = 'http://%s:80/api/' % self.ip # 7580
        self.api = url
        self.session = None
        self.verify_ssl = verify_ssl
        self.token = None
        self.login_thread = Login(self)
        self._relogin_callbacks = []
        self.login_error = False
        self._logged_in = False
        self.relogin_forever = relogin_forever
        self._subscription_enabled = subscription_enabled
        self._proxies = proxies
        if subscription_enabled:
            self.subscription_thread = Subscriber(self)
            self.subscription_thread.daemon = True
            self.subscription_thread.start()

Example #51

def import_key(client, vault_base_url, key_name, destination=None, key_ops=None, disabled=False, expires=None,
               not_before=None, tags=None, pem_file=None, pem_password=None, byok_file=None):
    """ Import a private key. Supports importing base64 encoded private keys from PEM files.
        Supports importing BYOK keys into HSM for premium KeyVaults. """
    from azure.keyvault.models import KeyAttributes, JsonWebKey

    def _to_bytes(hex_string):
        # zero pads and decodes a hex string
        if len(hex_string) % 2:
            hex_string = '0{}'.format(hex_string)
        return codecs.decode(hex_string, 'hex_codec')

    def _set_rsa_parameters(dest, src):
        # map OpenSSL parameter names to JsonWebKey property names
        conversion_dict = {
            'modulus': 'n',
            'publicExponent': 'e',
            'privateExponent': 'd',
            'prime1': 'p',
            'prime2': 'q',
            'exponent1': 'dp',
            'exponent2': 'dq',
            'coefficient': 'qi'
        }
        # regex: looks for matches that fit the following patterns:
        #   integerPattern: 65537 (0x10001)
        #   hexPattern:
        #      00:a0:91:4d:00:23:4a:c6:83:b2:1b:4c:15:d5:be:
        #      d8:87:bd:c9:59:c2:e5:7a:f5:4a:e7:34:e8:f0:07:
        # The desired match should always be the first component of the match
        regex = re.compile(r'([^:\s]*(:[^\:)]+\))|([^:\s]*(:\s*[0-9A-Fa-f]{2})+))')
        # regex2: extracts the hex string from a format like: 65537 (0x10001)
        regex2 = re.compile(r'(?<=\(0x{1})([0-9A-Fa-f]*)(?=\))')

        key_params = crypto.dump_privatekey(crypto.FILETYPE_TEXT, src).decode('utf-8')
        for match in regex.findall(key_params):
            comps = match[0].split(':', 1)
            name = conversion_dict.get(comps[0], None)
            if name:
                value = comps[1].replace(' ', '').replace('\n', '').replace(':', '')
                try:
                    value = _to_bytes(value)
                except Exception:  # pylint:disable=broad-except
                    # if decoding fails it is because of an integer pattern. Extract the hex
                    # string and retry
                    value = _to_bytes(regex2.findall(value)[0])
                setattr(dest, name, value)

    key_attrs = KeyAttributes(not disabled, not_before, expires)
    key_obj = JsonWebKey(key_ops=key_ops)
    if pem_file:
        key_obj.kty = 'RSA'
        logger.info('Reading %s', pem_file)
        with open(pem_file, 'r') as f:
            pem_data = f.read()
        # load private key and prompt for password if encrypted
        try:
            pem_password = str(pem_password).encode() if pem_password else None
            # despite documentation saying password should be a string, it needs to actually
            # be UTF-8 encoded bytes
            pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, pem_data, pem_password)
        except crypto.Error:
            raise CLIError(
                'Import failed: Unable to decrypt private key. --pem-password may be incorrect.')
        except TypeError:
            raise CLIError('Invalid --pem-password.')
        logger.info('setting RSA parameters from PEM data')
        _set_rsa_parameters(key_obj, pkey)
    elif byok_file:
        with open(byok_file, 'rb') as f:
            byok_data = f.read()
        key_obj.kty = 'RSA-HSM'
        key_obj.t = byok_data

    return client.import_key(
        vault_base_url, key_name, key_obj, destination == 'hsm', key_attrs, tags)

Example #52

File: depot.py Project: stensonb/pkg5

                # Assume the configuration target was an SMF
                # FMRI and let svcprop fail with an error if
                # it wasn't.
                svc_fmri = dconf.target
            else:
                svc_fmri = ssl_dialog
            cmdline = "/usr/bin/svcprop -p " \
                "pkg_secure/ssl_key_passphrase {0}".format(svc_fmri)

        # The key file requires decryption, but the user has requested
        # exec-based authentication, so it will have to be decoded first
        # to an un-named temporary file.
        try:
            with open(ssl_key_file, "rb") as key_file:
                pkey = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                              key_file.read(),
                                              get_ssl_passphrase)

            key_data = tempfile.NamedTemporaryFile(dir=pkg_root, delete=True)
            key_data.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
            key_data.seek(0)
        except EnvironmentError as _e:
            emsg("pkg.depotd: unable to read the SSL private key "
                 "file: {0}".format(_e))
            sys.exit(1)
        except crypto.Error as _e:
            emsg("pkg.depotd: authentication or cryptography "
                 "failure while attempting to decode\nthe SSL "
                 "private key file: {0}".format(_e))
            sys.exit(1)
        else:

Example #53

File: crypto.py Project: xj361685640/freenas

    async def cert_extend(self, cert):
        """Extend certificate with some useful attributes."""

        if cert.get('signedby'):

            # We query for signedby again to make sure it's keys do not have the "cert_" prefix and it has gone through
            # the cert_extend method

            cert['signedby'] = await self.middleware.call(
                'datastore.query', 'system.certificateauthority',
                [('id', '=', cert['signedby']['id'])], {
                    'prefix': 'cert_',
                    'extend': 'certificate.cert_extend',
                    'get': True
                })

        # convert san to list
        cert['san'] = (cert.pop('san', '') or '').split()
        if cert['serial'] is not None:
            cert['serial'] = int(cert['serial'])

        if cert['type'] in (CA_TYPE_EXISTING, CA_TYPE_INTERNAL,
                            CA_TYPE_INTERMEDIATE):
            root_path = CERT_CA_ROOT_PATH
        else:
            root_path = CERT_ROOT_PATH
        cert['root_path'] = root_path
        cert['certificate_path'] = os.path.join(root_path,
                                                '{0}.crt'.format(cert['name']))
        cert['privatekey_path'] = os.path.join(root_path,
                                               '{0}.key'.format(cert['name']))
        cert['csr_path'] = os.path.join(root_path,
                                        '{0}.csr'.format(cert['name']))

        def cert_issuer(cert):
            issuer = None
            if cert['type'] in (CA_TYPE_EXISTING, CERT_TYPE_EXISTING):
                issuer = "external"
            elif cert['type'] == CA_TYPE_INTERNAL:
                issuer = "self-signed"
            elif cert['type'] in (CERT_TYPE_INTERNAL, CA_TYPE_INTERMEDIATE):
                issuer = cert['signedby']
            elif cert['type'] == CERT_TYPE_CSR:
                issuer = "external - signature pending"
            return issuer

        cert['issuer'] = cert_issuer(cert)

        cert['chain_list'] = []
        if cert['chain']:
            certs = RE_CERTIFICATE.findall(cert['certificate'])
        else:
            certs = [cert['certificate']]
            signing_CA = cert['issuer']
            # Recursively get all internal/intermediate certificates
            # FIXME: NONE HAS BEEN ADDED IN THE FOLLOWING CHECK FOR CSR'S WHICH HAVE BEEN SIGNED BY A CA
            while signing_CA not in [
                    "external", "self-signed", "external - signature pending",
                    None
            ]:
                certs.append(signing_CA['certificate'])
                signing_CA['issuer'] = cert_issuer(signing_CA)
                signing_CA = signing_CA['issuer']

        cert_obj = None
        try:
            for c in certs:
                # XXX Why load certificate if we are going to dump it right after?
                # Maybe just to verify its integrity?
                # Logic copied from freenasUI
                cert_obj = crypto.load_certificate(crypto.FILETYPE_PEM, c)
                cert['chain_list'].append(
                    crypto.dump_certificate(crypto.FILETYPE_PEM,
                                            cert_obj).decode())
        except Exception:
            self.logger.debug('Failed to load certificate {0}'.format(
                cert['name']),
                              exc_info=True)

        try:
            if cert['privatekey']:
                key_obj = crypto.load_privatekey(crypto.FILETYPE_PEM,
                                                 cert['privatekey'])
                cert['privatekey'] = crypto.dump_privatekey(
                    crypto.FILETYPE_PEM, key_obj).decode()
        except Exception:
            self.logger.debug('Failed to load privatekey {0}'.format(
                cert['name']),
                              exc_info=True)

        try:
            if cert['CSR']:
                csr_obj = crypto.load_certificate_request(
                    crypto.FILETYPE_PEM, cert['CSR'])
                cert['CSR'] = crypto.dump_certificate_request(
                    crypto.FILETYPE_PEM, csr_obj).decode()
        except Exception:
            self.logger.debug('Failed to load csr {0}'.format(cert['name']),
                              exc_info=True)

        cert['internal'] = 'NO' if cert['type'] in (
            CA_TYPE_EXISTING, CERT_TYPE_EXISTING) else 'YES'

        obj = None
        # date not applicable for CSR
        cert['from'] = None
        cert['until'] = None
        if cert['type'] == CERT_TYPE_CSR:
            obj = csr_obj
        elif cert_obj:
            obj = crypto.load_certificate(crypto.FILETYPE_PEM,
                                          cert['certificate'])
            notBefore = obj.get_notBefore()
            t1 = dateutil.parser.parse(notBefore)
            t2 = t1.astimezone(dateutil.tz.tzutc())
            cert['from'] = t2.ctime()

            notAfter = obj.get_notAfter()
            t1 = dateutil.parser.parse(notAfter)
            t2 = t1.astimezone(dateutil.tz.tzutc())
            cert['until'] = t2.ctime()

        if obj:
            cert['DN'] = '/' + '/'.join([
                '%s=%s' % (c[0].decode(), c[1].decode())
                for c in obj.get_subject().get_components()
            ])

        return cert

Example #54

File: utils.py Project: BrendonYim/barbican

def is_private_key_valid(expected, observed):
    k1 = crypto.load_privatekey(crypto.FILETYPE_PEM, expected)
    k2 = crypto.load_privatekey(crypto.FILETYPE_PEM, observed)
    return (crypto.dump_privatekey(crypto.FILETYPE_PEM,
                                   k1) == crypto.dump_privatekey(
                                       crypto.FILETYPE_PEM, k2))

Example #55

File: franken_generate.py Project: yuchi1989/frankencert

ca_cert_path = sys.argv[2]
out_cert_path = sys.argv[3]
n_outcert = int(sys.argv[4])

if (len(sys.argv) > 5):
    configfile = sys.argv[5]
else:
    configfile = ""

fconf = franken_conf_parse.parse_config(configfile)
certs = franken_util.load_dir(input_cert_path)
with open(ca_cert_path, 'rt') as ca_cert_file:
    ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, ca_cert_file.read())

with open(ca_cert_path, 'rt') as ca_key_file:
    ca_private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, \
                                                ca_key_file.read())
sys.stdout.write("Generating frankencerts")
max_certs_in_mem = 200
nc = n_outcert / max_certs_in_mem
remaining_cnt = n_outcert
for i in range(nc + 1):
    if (remaining_cnt > max_certs_in_mem):
        franken_certs = franken_core.generate(certs, ca_cert, ca_private_key, \
                                    fconf, count=max_certs_in_mem)
        remaining_cnt = remaining_cnt - max_certs_in_mem
    else:
        franken_certs = franken_core.generate(certs, ca_cert, ca_private_key, \
                                    fconf, count=remaining_cnt)
        remaining_cnt = 0

    franken_util.dump_certs(franken_certs, "frankencert", out_cert_path,

Example #56

def _generate_csr_from_private_key(order_model, project_model):
    """Generate a CSR from the private key.

    :param: order_model - order for the request
    :param: project_model - project for this request
    :return: CSR (certificate signing request) in PEM format
    :raise: :class:`StoredKeyPrivateKeyNotFound` if private key not found
            :class:`StoredKeyContainerNotFound` if container not found
    """
    container_id, container = _get_container_from_order_meta(
        order_model, project_model)

    if not container:
        raise excep.StoredKeyContainerNotFound(container_id)

    passphrase = None
    private_key = None

    for cs in container.container_secrets:
        secret_repo = repos.get_secret_repository()
        if cs.name == 'private_key':
            private_key_model = secret_repo.get(cs.secret_id,
                                                project_model.external_id)
            private_key = plugin.get_secret('application/pkcs8',
                                            private_key_model, project_model)
        elif cs.name == 'private_key_passphrase':
            passphrase_model = secret_repo.get(cs.secret_id,
                                               project_model.external_id)
            passphrase = plugin.get_secret('text/plain;charset=utf-8',
                                           passphrase_model, project_model)
            passphrase = str(passphrase)

    if not private_key:
        raise excep.StoredKeyPrivateKeyNotFound(container.id)

    if passphrase is None:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key)
    else:
        pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key,
                                      passphrase.encode('utf-8'))

    subject_name = order_model.meta.get('subject_dn')
    subject_name_dns = parse_dn(subject_name)
    extensions = order_model.meta.get('extensions', None)

    req = crypto.X509Req()
    subj = req.get_subject()

    # Note: must iterate over the DNs in reverse order, or the resulting
    # subject name will be reversed.
    for ava in reversed(subject_name_dns):
        key, val, extra = ava
        setattr(subj, key.upper(), val)
    req.set_pubkey(pkey)
    if extensions:
        # TODO(alee-3) We need code here to parse the encoded extensions and
        # convert them into X509Extension objects.  This code will also be
        # used in the validation code.  Commenting out for now till we figure
        # out how to do this.
        # req.add_extensions(extensions)
        pass
    req.sign(pkey, 'sha256')

    csr = crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)
    return csr

Example #57

def generate_key():
    key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    key_pem = key.private_bytes(encoding=Encoding.PEM,
                                format=PrivateFormat.TraditionalOpenSSL,
                                encryption_algorithm=NoEncryption())
    return crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)

Example #58

    def _generateSignature(self, uri, data, forceManual=False):
        """Generate a signature over the uri and data.

        This signature is used to authenticate with the APIC and must be
        calculated for each transaction because the signature is calculated
        using the uri and data if any.

        Args:
          uri (str): The string that represents the URI for the transaction.
            The uri is everything from api to the end of the options.
          data (str): The payload for the request that will be sent.
          forceManual (bool): If True, the signature will be calculated using
            subprocess to execute openssl commands, otherwise pyOpenSSL is
            used.

        Returns:
          str: A string containing the cookie that should be used in the
            request.
        """
        # One global that is not changing in the rest of the file is ok
        global INLINE_SIGNATURE  # pylint:disable=global-statement
        # Added for easier testing of each signature generation method
        if forceManual:
            INLINE_SIGNATURE = False

        privateKeyStr = str(self.privateKey)
        certDn = str(self.certificateDn)

        if uri.endswith('?'):
            uri = uri[:-1]
        uri = uri.replace('//', '/')

        if INLINE_SIGNATURE:
            if data is None:
                payLoad = 'GET' + uri
            else:
                payLoad = 'POST' + uri + data

            pkey = load_privatekey(FILETYPE_PEM, privateKeyStr)

            signedDigest = sign(pkey, payLoad.encode(), 'sha256')
            signature = base64.b64encode(signedDigest).decode()
        else:
            tmpFiles = []
            tempDir = tempfile.mkdtemp()
            payloadFile = os.path.join(tempDir, "payload")
            keyFile = os.path.join(tempDir, "pkey")
            sigBinFile = keyFile + "_sig.bin"
            sigBaseFile = keyFile + "_sig.base64"

            if data is None:
                self.writeFile(payloadFile, mode="wt", fileData='GET' + uri)
            else:
                self.writeFile(payloadFile,
                               mode="wt",
                               fileData='POST' + uri + data)
            tmpFiles.append(payloadFile)

            self.writeFile(fileName=keyFile, mode="w", fileData=privateKeyStr)
            tmpFiles.append(keyFile)

            cmd = ["openssl", "dgst", "-sha256", "-sign", keyFile, payloadFile]
            cmd_out = self.runCmd(cmd)
            self.writeFile(fileName=sigBinFile, mode="wb", fileData=cmd_out)
            tmpFiles.append(sigBinFile)

            cmd = [
                "openssl", "base64", "-in", keyFile + "_sig.bin", "-e", "-out",
                sigBaseFile
            ]
            self.runCmd(cmd)
            tmpFiles.append(sigBaseFile)

            sigBase64 = self.readFile(fileName=sigBaseFile)
            signature = "".join(sigBase64.splitlines())

            for fileName in tmpFiles:
                try:
                    os.remove(fileName)
                except:  # pylint:disable=bare-except
                    pass  # pylint:disable=pointless-except
                try:
                    os.rmdir(tempDir)
                except:  # pylint:disable=bare-except
                    pass  # pylint:disable=pointless-except

        cookieFmt = ("APIC-Request-Signature=%s;" +
                     " APIC-Certificate-Algorithm=v1.0;" +
                     " APIC-Certificate-Fingerprint=fingerprint;" +
                     " APIC-Certificate-DN=%s")
        return cookieFmt % (signature, certDn)

Example #59

File: cert.py Project: P79N6A/hue-from-scratch

    def create_cert_signed_certificate(self,
                                       sign_cert_str,
                                       sign_key_str,
                                       request_cert_str,
                                       hash_alg="sha256",
                                       valid_from=0,
                                       valid_to=315360000,
                                       sn=1,
                                       passphrase=None):
        """
        Will sign a certificate request with a give certificate.
        :param sign_cert_str:     This certificate will be used to sign with.
                                  Must be a string representation of
                                  the certificate. If you only have a file
                                  use the method read_str_from_file to
                                  get a string representation.
        :param sign_key_str:        This is the key for the ca_cert_str
                                  represented as a string.
                                  If you only have a file use the method
                                  read_str_from_file to get a string
                                  representation.
        :param request_cert_str:  This is the prepared certificate to be
                                  signed. Must be a string representation of
                                  the requested certificate. If you only have
                                  a file use the method read_str_from_file
                                  to get a string representation.
        :param hash_alg:          Hash algorithm to use for the key. Default
                                  is sha256.
        :param valid_from:        When the certificate starts to be valid.
                                  Amount of seconds from when the
                                  certificate is generated.
        :param valid_to:          How long the certificate will be valid from
                                  when it is generated.
                                  The value is in seconds. Default is
                                  315360000 seconds, a.k.a 10 years.
        :param sn:                Serial number for the certificate. Default
                                  is 1.
        :param passphrase:        Password for the private key in sign_key_str.
        :return:                  String representation of the signed
                                  certificate.
        """
        ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, sign_cert_str)
        ca_key = None
        if passphrase is not None:
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str,
                                            passphrase)
        else:
            ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, sign_key_str)
        req_cert = crypto.load_certificate_request(crypto.FILETYPE_PEM,
                                                   request_cert_str)

        cert = crypto.X509()
        cert.set_subject(req_cert.get_subject())
        cert.set_serial_number(sn)
        cert.gmtime_adj_notBefore(valid_from)
        cert.gmtime_adj_notAfter(valid_to)
        cert.set_issuer(ca_cert.get_subject())
        cert.set_pubkey(req_cert.get_pubkey())
        cert.sign(ca_key, hash_alg)

        cert_dump = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
        if isinstance(cert_dump, six.string_types):
            return cert_dump
        return cert_dump.decode('utf-8')

Example #60

    with open(cert_key, "wb") as cf:
        cf.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, server_pk))
    print('Done')
    sys.exit(0)

if tornado.options.options.generate_user_pkcs:
    from OpenSSL import crypto
    if not all(map(os.path.exists, [cert, cert_key, ca, ca_key])):
        print('Please generate certificates using --generate_certs before')
        sys.exit(1)

    user = tornado.options.options.generate_user_pkcs
    with open(ca, 'rb') as cf:
        ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, cf.read())
    with open(ca_key, 'rb') as cf:
        ca_pk = crypto.load_privatekey(crypto.FILETYPE_PEM, cf.read())

    client_pk = crypto.PKey()
    client_pk.generate_key(crypto.TYPE_RSA, 2048)

    client_cert = crypto.X509()
    client_cert.get_subject().CN = user
    client_cert.set_serial_number(uuid.uuid4().int)
    client_cert.gmtime_adj_notBefore(0)  # From now
    client_cert.gmtime_adj_notAfter(315360000)  # to 10y
    client_cert.set_issuer(ca_cert.get_subject())  # Signed by ca
    client_cert.set_pubkey(client_pk)
    client_cert.sign(client_pk, 'sha1')
    client_cert.sign(ca_pk, 'sha1')

    pfx = crypto.PKCS12()