def get_cert_path(self, cn):
cnp = os.path.sep.join(
[self.cache_dir,
'%s-%s.pem' % (self.CERT_PREFIX, cn)])
if os.path.exists(cnp):
print("Cert already exists common_name=%s" % cn)
else:
print("Creating and signing cert common_name=%s" % cn)
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(123)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
print("Created cert common_name=%s location=%s" % (cn, cnp))
return cnp
class RSA:
def __init__(self):
self.pk = PKey()
self.pk.generate_key(TYPE_RSA, 1024)
self.private_key = self.strip_pri(
dump_privatekey(FILETYPE_PEM, self.pk))
self.public_key = self.strip_pub(dump_publickey(FILETYPE_PEM, self.pk))
def strip_pub(self, content):
content = content.replace(b'-----BEGIN PUBLIC KEY-----\n', b'')
content = content.replace(b'\n-----END PUBLIC KEY-----\n', b'')
content = content.replace(b'\n', b'')
return content
def strip_pri(self, content):
content = content.replace(b'-----BEGIN PRIVATE KEY-----\n', b'')
content = content.replace(b'\n-----END PRIVATE KEY-----\n', b'')
content = content.replace(b'\n', b'')
return content
def get_public_key(self):
return self.public_key.decode('utf8')
def get_private_key(self):
return self.private_key.decode('utf8')
def __getitem__(self, cn):
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# Crea Key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Crea CSR
# revisar : http://stackoverflow.com/questions/24043226/generating-a-csr-with-python-crypto
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Firmar CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
def test_set_passwd_cb(self):
"""
L{Context.set_passwd_cb} accepts a callable which will be invoked when
a private key is loaded from an encrypted PEM.
"""
key = PKey()
key.generate_key(TYPE_RSA, 128)
pemFile = self.mktemp()
fObj = file(pemFile, 'w')
passphrase = "foobar"
fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase))
fObj.close()
calledWith = []
def passphraseCallback(maxlen, verify, extra):
calledWith.append((maxlen, verify, extra))
return passphrase
context = Context(TLSv1_METHOD)
context.set_passwd_cb(passphraseCallback)
context.use_privatekey_file(pemFile)
self.assertTrue(len(calledWith), 1)
self.assertTrue(isinstance(calledWith[0][0], int))
self.assertTrue(isinstance(calledWith[0][1], int))
self.assertEqual(calledWith[0][2], None)
def create_csr(csr_file_path):
private_key_path = re.sub(r".(pem|crt)$",
".key",
cert_file_path,
flags=re.IGNORECASE)
# create public/private key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = 'localhost'
req.get_subject().O = 'XYZ Widgets Inc'
req.get_subject().OU = 'IT Department'
req.get_subject().L = 'Seattle'
req.get_subject().ST = 'Washington'
req.get_subject().C = 'US'
req.get_subject().emailAddress = '*****@*****.**'
req.set_pubkey(key)
req.sign(key, 'sha256')
with open(csr_file_path, 'wb+') as f:
f.write(dump_certificate_request(FILETYPE_PEM, req))
with open(private_key_path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
def __getitem__(self, cn):
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
def create_dummy_certificate(certname,keyname,_dir, force=False) -> bool:
if certname and keyname and _dir:
if path.exists(_dir+keyname) and path.exists(_dir+certname) and not force:
return True
else:
if path.exists(_dir+certname):
remove(_dir+certname)
if path.exists(_dir+keyname):
remove(_dir+keyname)
key = PKey()
key.generate_key(TYPE_RSA, 4096)
cert = X509()
cert.set_serial_number(uuid4().int)
cert.set_version(2)
cert.get_subject().C = "US"
cert.get_subject().ST = "WA"
cert.get_subject().L = "127.0.0.1"
cert.get_subject().O = "github.com/qeeqbox/analyzer"
cert.get_subject().OU = "github.com/qeeqbox/analyzer"
cert.get_subject().CN = "auto generated self signed certificate by qeeqbox/analyzer"
cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.add_extensions([X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),])
cert.sign(key, 'sha256')
with open(_dir+certname, 'wb') as f:
f.write(dump_certificate(FILETYPE_PEM, cert))
with open(_dir+keyname, 'wb') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
return True
return False
def __getitem__(self, cn):
cnp = os.path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not os.path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(self.filetype, key))
f.write(dump_certificate(self.filetype, cert))
return cnp
def make_cert(filename, cacert=None, cakey=None):
key = PKey()
key.generate_key(TYPE_RSA, 2048)
cert = X509()
subject = cert.get_subject()
subject.C = b"TR"
subject.ST = b"Çorum"
subject.L = b"Başmakçı"
subject.CN = b"localhost"
subject.O = b"Mozilla Test"
subject.OU = b"Autopush Test %s" % filename
subject.emailAddress = b"*****@*****.**"
subjectAltName = X509Extension(b'subjectAltName', False, b'DNS:localhost')
cert.add_extensions([subjectAltName])
cert.set_serial_number(uuid.uuid4().int)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 100)
cert.set_pubkey(key)
if not cacert:
# self sign
cacert = cert
cakey = key
cert.set_issuer(cacert.get_subject())
cert.sign(cakey, 'sha1')
with open(filename, 'wb') as fp:
fp.write(dump_privatekey(FILETYPE_PEM, key))
fp.write(dump_certificate(FILETYPE_PEM, cert))
return cert, key
def _sign_ca(self, cn, cnp):
# 使用合法的CA证书为代理程序生成服务器证书
# create certificate
try:
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_version(2)
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
ss = ("DNS:%s" % cn).encode(encoding="utf-8")
cert.add_extensions([X509Extension(b"subjectAltName", False, ss)])
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
except Exception as e:
raise Exception("generate CA fail:{}".format(str(e)))
def _sign_ca(self,cn,cnp):
#使用合法的CA证书为代理程序生成服务器证书
# create certificate
try:
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_version(2)
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
ss = ("DNS:%s" % cn).encode(encoding="utf-8")
cert.add_extensions(
[X509Extension(b"subjectAltName", False, ss)])
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
except Exception as e:
raise Exception("generate CA fail:{}".format(str(e)))
def __getitem__(self, cn):
'''
Gets the specified Certificate authority file if it already exists, else creates one!
'''
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
def make_certificate(
ca_crt_path = 'ca.crt',
ca_key_path = 'ca.key',
server_crt_path = 'server.crt',
server_key_path = 'server.key',
vars=None):
# make the certificat of CA
# need passphrase ?
ca_key = PKey()
ca_key.generate_key(TYPE_RSA, 1024)
dump_write(dump_privatekey(FILETYPE_PEM, ca_key),
ca_key_path)
# MAKE THE CA SELF-SIGNED CERTIFICATE
cert = X509()
sub = cert.get_subject()
set_x509_ca(sub, vars=vars)
#FORMAT : YYYYMMDDhhmmssZ
after = '20200101000000Z'
before = '20090101000000Z'
cert.set_notAfter(after)
cert.set_notBefore(before)
cert.set_serial_number(1)
cert.set_pubkey(ca_key)
cert.set_issuer(cert.get_subject())
cert.sign(ca_key,"MD5")
dump_write(dump_certificate(FILETYPE_PEM, cert),
ca_crt_path)
print "Generated CA certificate in %s" % ca_crt_path
# MAKE THE SERVER CERTIFICATE
s_key = PKey()
s_key.generate_key(TYPE_RSA, 1024)
dump_write(dump_privatekey(FILETYPE_PEM, s_key),
server_key_path)
s_cert = X509()
s_sub = s_cert.get_subject()
set_x509_serv(s_sub, vars=vars)
#FORMAT : YYYYMMDDhhmmssZ
after = '20200101000000Z'
before = '20090101000000Z'
s_cert.set_notAfter(after)
s_cert.set_notBefore(before)
s_cert.set_serial_number(2)
s_cert.set_pubkey(s_key)
s_cert.set_issuer(cert.get_subject())
s_cert.sign(ca_key,"MD5")
dump_write(dump_certificate(FILETYPE_PEM, s_cert),
server_crt_path)
print "Generated Server certificate in %s" % server_crt_path
for p in [ca_key_path, server_key_path]:
os.chmod(p, 0600)
def gen_rsa_key(bits):
"""
Generate an RSA key and returns it in PEM format.
:rtype: An RSA key as an `pyopenssl.OpenSSL.crypto.PKey`
"""
key = PKey()
key.generate_key(TYPE_RSA, bits)
return crypto.dump_privatekey(SSL.FILETYPE_PEM, key)
def test_use_privatekey(self):
"""
L{Context.use_privatekey} takes an L{OpenSSL.crypto.PKey} instance.
"""
key = PKey()
key.generate_key(TYPE_RSA, 128)
ctx = Context(TLSv1_METHOD)
ctx.use_privatekey(key)
self.assertRaises(TypeError, ctx.use_privatekey, "")
def generateKey(self,directory = "D:\\test",bits=1024):
pk = PKey()
pk.generate_key(TYPE_RSA, bits)
with open (directory+'\pubkey.pem', mode='wb') as f:
f.write(dump_publickey(FILETYPE_PEM, pk))
f.close()
with open (directory+'\prikey.pem', mode='wb') as f:
f.write(dump_privatekey(FILETYPE_PEM, pk))
f.close()
def test_use_privatekey(self):
"""
L{Context.use_privatekey} takes an L{OpenSSL.crypto.PKey} instance.
"""
key = PKey()
key.generate_key(TYPE_RSA, 128)
ctx = Context(TLSv1_METHOD)
ctx.use_privatekey(key)
self.assertRaises(TypeError, ctx.use_privatekey, "")
def generatePrivate(cert_name,password, _size = 2048): pk = PKey() pk.generate_key(TYPE_RSA, _size) pk_gen = pk.to_cryptography_key() _PEM = Encoding.PEM _TraditionalOpenSSL = PrivateFormat.TraditionalOpenSSL _encryption = BestAvailableEncryption(password) pvt = pk_gen.private_bytes(_PEM, _TraditionalOpenSSL, _encryption) return pk,pvt
def gen_rsa_key(bits):
"""
Generate an RSA key and returns it in PEM format.
:rtype: An RSA key as an `pyopenssl.OpenSSL.crypto.PKey`
"""
key = PKey()
key.generate_key(TYPE_RSA, bits)
return crypto.dump_privatekey(SSL.FILETYPE_PEM, key)
def test_rsaGeneration(self):
"""
L{PKeyType.generate_key} generates an RSA key when passed
L{TYPE_RSA} as a type and a reasonable number of bits.
"""
bits = 128
key = PKey()
key.generate_key(TYPE_RSA, bits)
self.assertEqual(key.type(), TYPE_RSA)
self.assertEqual(key.bits(), bits)
def test_regeneration(self):
"""
L{PKeyType.generate_key} can be called multiple times on the same
key to generate new keys.
"""
key = PKey()
for type, bits in [(TYPE_RSA, 512), (TYPE_DSA, 576)]:
key.generate_key(type, bits)
self.assertEqual(key.type(), type)
self.assertEqual(key.bits(), bits)
def gen_rsa():
"""
Generate an RSA Key Pair for digital signature
this is designed to be called once per user
TODO maybe this belongs in server-specific code since server will
need to know public and private keys
"""
pkey = PKey()
pkey.generate_key(TYPE_RSA, RSA_BITS)
pkey.check()
return pkey
def test_signWithPublicKey(self):
"""
L{X509Req.sign} raises L{ValueError} when pass a L{PKey} with no
private part as the signing key.
"""
request = self.signable()
key = PKey()
key.generate_key(TYPE_RSA, 512)
request.set_pubkey(key)
pub = request.get_pubkey()
self.assertRaises(ValueError, request.sign, pub, 'MD5')
def createDGPairs(username):
private_path = 'private/'
public_path = 'public/'
private_path += username
public_path += username
P = PKey()
P.generate_key(TYPE_RSA, 1024)
#写入
with open(public_path,'w') as f:
f.write(dump_publickey(FILETYPE_PEM, P).decode('utf-8'))
with open(private_path,'w') as f:
f.write(dump_privatekey(FILETYPE_PEM, P).decode('utf-8'))
def createDGPairs(username):
private_path = 'private/'
public_path = 'public/'
private_path += username
public_path += username
P = PKey()
P.generate_key(TYPE_RSA, 1024)
#写入
with open(public_path, 'w') as f:
f.write(dump_publickey(FILETYPE_PEM, P).decode('utf-8'))
with open(private_path, 'w') as f:
f.write(dump_privatekey(FILETYPE_PEM, P).decode('utf-8'))
def check_success(self):
"""
Call the method repeatedly such that it will return a PKey object.
"""
small = xrange(3)
for i in xrange(self.iterations):
key = PKey()
key.generate_key(TYPE_DSA, 256)
for i in small:
cert = X509()
cert.set_pubkey(key)
for i in small:
cert.get_pubkey()
def test_dsaGeneration(self):
"""
L{PKeyType.generate_key} generates a DSA key when passed
L{TYPE_DSA} as a type and a reasonable number of bits.
"""
# 512 is a magic number. The DSS (Digital Signature Standard)
# allows a minimum of 512 bits for DSA. DSA_generate_parameters
# will silently promote any value below 512 to 512.
bits = 512
key = PKey()
key.generate_key(TYPE_DSA, bits)
self.assertEqual(key.type(), TYPE_DSA)
self.assertEqual(key.bits(), bits)
def check_success(self):
"""
Call the method repeatedly such that it will return a PKey object.
"""
small = xrange(3)
for i in xrange(self.iterations):
key = PKey()
key.generate_key(TYPE_DSA, 256)
for i in small:
cert = X509()
cert.set_pubkey(key)
for i in small:
cert.get_pubkey()
def create_session_cert(cacert, cakey, cn='localhost', serial=1):
LOG.debug('Creating session certificate')
key = PKey()
key.generate_key(TYPE_RSA, 1024)
cert = X509()
cert.get_subject().CN = cn
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365*24*60*60)
cert.set_issuer(cacert.get_subject())
cert.set_pubkey(key)
cert.sign(cakey, 'sha1')
return cert, key
def make_certs_and_key(device_public_key: bytes):
priv_key = PKey()
priv_key.generate_key(TYPE_RSA, 2048)
req = make_req(priv_key)
cert = make_cert(req, priv_key)
dev_key = load_publickey(PEM,
convert_PKCS1_to_PKCS8_pubkey(device_public_key))
dev_key._only_public = False
dev_req = make_req(dev_key, 'Device')
dev_cert = make_cert(dev_req, priv_key)
return dump_certificate(PEM, cert), dump_privatekey(
PEM, priv_key), dump_certificate(PEM, dev_cert)
def test(request):
pk = PKey()
pk.generate_key(TYPE_RSA, 512)
pri_key = dump_privatekey(FILETYPE_PEM, pk) # 生成私钥
pub_key = dump_publickey(FILETYPE_PEM, pk) # 生成公钥
dic = {}
dic["pri_key"] = pri_key.decode()
dic["pub_key"] = pub_key.decode()
print(type(pri_key))
print(dic)
return HttpResponse(json.dumps(dic, ensure_ascii=False), content_type="application/json") # 返回公私钥
def generate_key():
pk = PKey()
pk.generate_key(TYPE_RSA, 2048)
# 生成公钥文件
public_key = dump_publickey(FILETYPE_PEM, pk)
public_key_path = os.path.join(os.path.dirname(__file__), 'public_key.pem')
file_public_key = open(public_key_path, 'wb')
file_public_key.write(public_key)
file_public_key.close()
# 生成私钥文件
private_key = dump_privatekey(FILETYPE_PEM, pk)
private_key_path = os.path.join(os.path.dirname(__file__),
'private_key.pem')
file_private_key = open(private_key_path, 'wb')
file_private_key.write(private_key)
file_private_key.close()
def makeCertificate(**kw):
keypair = PKey()
keypair.generate_key(TYPE_RSA, 1024)
certificate = X509()
certificate.gmtime_adj_notBefore(0)
certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year
for xname in certificate.get_issuer(), certificate.get_subject():
for (k, v) in kw.items():
setattr(xname, k, v)
certificate.set_serial_number(counter())
certificate.set_pubkey(keypair)
certificate.sign(keypair, "md5")
return keypair, certificate
def makeCertificate(**kw):
keypair = PKey()
keypair.generate_key(TYPE_RSA, 512)
certificate = X509()
certificate.gmtime_adj_notBefore(0)
certificate.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year
for xname in certificate.get_issuer(), certificate.get_subject():
for (k, v) in kw.items():
setattr(xname, k, v)
certificate.set_serial_number(counter())
certificate.set_pubkey(keypair)
certificate.sign(keypair, "md5")
return keypair, certificate
def create_self_signed_cacert():
LOG.debug('Creating CA certificate')
cakey = PKey()
cakey.generate_key(TYPE_RSA, 1024)
cacert = X509()
cacert.get_subject().CN = 'n3'
cacert.set_serial_number(1)
cacert.gmtime_adj_notBefore(0)
cacert.gmtime_adj_notAfter(365*24*60*60)
cacert.set_issuer(cacert.get_subject())
cacert.set_pubkey(cakey)
cacert.add_extensions([
X509Extension(b'basicConstraints', True, b'CA:TRUE, pathlen:0'),
X509Extension(b'keyUsage', True, b'keyCertSign, cRLSign'),
X509Extension(b'subjectKeyIdentifier', False, b'hash', subject=cacert)])
cacert.sign(cakey, 'sha1')
return cacert, cakey
def _create_self_signed_cert(self):
key = None
cert = None
if exists(self._key_path):
try:
with open(self._key_path, 'r') as key_file:
key = load_privatekey(FILETYPE_PEM, key_file.read())
except crypto_error:
pass
if exists(self._cert_path):
try:
with open(self._cert_path, 'r') as cert_file:
cert = load_certificate(FILETYPE_PEM, cert_file.read())
except crypto_error:
pass
if key is None:
key = PKey()
key.generate_key(TYPE_RSA, 2048)
if not exists(dirname(self._key_path)):
makedirs(dirname(self._key_path))
with open(self._key_path, "w") as key_file:
key_file.write(
dump_privatekey(FILETYPE_PEM, key))
if cert is None:
cert = X509()
cert.get_subject().C = "US"
cert.get_subject().ST = "California"
cert.get_subject().L = "Palo Alto"
cert.get_subject().O = "Juniper Networks"
cert.get_subject().OU = "Contrail"
cert.get_subject().CN = "Contrail's IF-MAP v2"
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10*365*24*60*60) # Ten years
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, 'sha1')
if not exists(dirname(self._cert_path)):
makedirs(dirname(self._cert_path))
with open(self._cert_path, 'w') as cert_file:
cert_file.write(dump_certificate(FILETYPE_PEM, cert))
def _create_self_signed_cert(self):
key = None
cert = None
if exists(self._key_path):
try:
with open(self._key_path, "r") as key_file:
key = load_privatekey(FILETYPE_PEM, key_file.read())
except crypto_error:
pass
if exists(self._cert_path):
try:
with open(self._cert_path, "r") as cert_file:
cert = load_certificate(FILETYPE_PEM, cert_file.read())
except crypto_error:
pass
if key is None:
key = PKey()
key.generate_key(TYPE_RSA, 2048)
if not exists(dirname(self._key_path)):
makedirs(dirname(self._key_path))
with open(self._key_path, "w") as key_file:
key_file.write(dump_privatekey(FILETYPE_PEM, key))
if cert is None:
cert = X509()
cert.get_subject().C = "US"
cert.get_subject().ST = "California"
cert.get_subject().L = "Palo Alto"
cert.get_subject().O = "Juniper Networks"
cert.get_subject().OU = "Contrail"
cert.get_subject().CN = "Contrail's IF-MAP v2"
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) # Ten years
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, "sha1")
if not exists(dirname(self._cert_path)):
makedirs(dirname(self._cert_path))
with open(self._cert_path, "w") as cert_file:
cert_file.write(dump_certificate(FILETYPE_PEM, cert))
def create_csr(store,
dn_cn,
hostcert,
sans = None,
dn_ou = CS_DEF_RA_OU,
dn_l = CS_DEF_RA_L,
dn_o = CS_DEF_CA_O,
dn_c = CS_DEF_CA_C,
email = CS_DEF_EMAIL,
keybits = CS_DEF_KEYBITS,
):
""" Create a CSR PEM string for the given parameters. """
if not store.get_state() == CS_Const.Nothing:
raise Exception("Certificate in wrong state to create new CSR.")
# Generate a key
key = PKey()
key.generate_key(crypto.TYPE_RSA, keybits)
# Generate a CSR
csr = X509Req()
csr.set_pubkey(key)
dn = csr.get_subject()
dn.CN = dn_cn
dn.OU = dn_ou
dn.L = dn_l
dn.O = dn_o
dn.C = dn_c
# Create the relevant extension
if hostcert:
ext_details = ["DNS:%s" % dn_cn]
else:
ext_details = ["email:%s" % email]
if sans:
ext_details.extend(sans)
ext = X509Extension("subjectAltName", False, ','.join(ext_details))
csr.add_extensions([ext])
csr.sign(key, "md5")
# Convert the CSR & KEY to PEM files
key_pem = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
csr_pem = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
# Write them out to the store
store.write(CS_Const.KEY_FILE, key_pem, CS_DEF_KEYPERMS)
store.write(CS_Const.CSR_FILE, csr_pem, CS_DEF_CSRPERMS)
# Just to be 100% sure everything is compabile...
# ... Ensure the key is in PKCS#1 format
CS_CertTools.pkcs8_to_pkcs1(store.get_path(CS_Const.KEY_FILE))
def get_user_id(private_key, cert_path):
if os.path.exists(private_key):
with open(private_key) as fd:
key = load_privatekey(FILETYPE_PEM, fd.read())
if key.bits() != 1024:
os.unlink(private_key)
else:
user_id = get_service_id(private_key)
if not os.path.exists(private_key):
if os.path.exists(cert_path):
os.unlink(cert_path)
folder = os.path.dirname(private_key)
if not os.path.exists(folder):
os.makedirs(folder)
os.chmod(folder, 0o700)
key = PKey()
key.generate_key(TYPE_RSA, 1024)
with open(private_key, 'wb') as fd:
os.chmod(private_key, 0o600)
fd.write(dump_privatekey(FILETYPE_PEM, key))
os.chmod(private_key, 0o400)
user_id = get_service_id(private_key)
if not os.path.exists(cert_path):
ca = X509()
ca.set_version(2)
ca.set_serial_number(1)
ca.get_subject().CN = user_id
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.add_extensions([
X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"nsCertType", True, b"sslCA"),
X509Extension(
b"extendedKeyUsage", True,
b"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"
),
X509Extension(b"keyUsage", False, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
])
ca.sign(key, "sha256")
with open(cert_path, 'wb') as fd:
fd.write(dump_certificate(FILETYPE_PEM, ca))
return user_id
def create_csr_key(subject):
key = PKey()
key.generate_key(TYPE_RSA, 2048)
req = X509Req()
req.get_subject().CN = subject['CN']
req.get_subject().O = subject['O'] # noqa: E741
req.get_subject().OU = subject['OU']
req.get_subject().L = subject['L']
req.get_subject().ST = subject['ST']
req.get_subject().C = subject['C']
req.set_pubkey(key)
req.sign(key, 'sha256')
csr = dump_certificate_request(FILETYPE_PEM, req)
privatekey = dump_privatekey(FILETYPE_PEM, key).decode('utf-8')
return csr, privatekey
def get_user_id(private_key, cert_path):
if os.path.exists(private_key):
with open(private_key) as fd:
key = load_privatekey(FILETYPE_PEM, fd.read())
if key.bits() != 1024:
os.unlink(private_key)
else:
user_id = get_service_id(private_key)
if not os.path.exists(private_key):
if os.path.exists(cert_path):
os.unlink(cert_path)
folder = os.path.dirname(private_key)
if not os.path.exists(folder):
os.makedirs(folder)
os.chmod(folder, 0o700)
key = PKey()
key.generate_key(TYPE_RSA, 1024)
with open(private_key, 'wb') as fd:
os.chmod(private_key, 0o600)
fd.write(dump_privatekey(FILETYPE_PEM, key))
os.chmod(private_key, 0o400)
user_id = get_service_id(private_key)
if not os.path.exists(cert_path):
ca = X509()
ca.set_version(2)
ca.set_serial_number(1)
ca.get_subject().CN = user_id
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.add_extensions([
X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"nsCertType", True, b"sslCA"),
X509Extension(b"extendedKeyUsage", True,
b"serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC"),
X509Extension(b"keyUsage", False, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=ca),
])
ca.sign(key, "sha256")
with open(cert_path, 'wb') as fd:
fd.write(dump_certificate(FILETYPE_PEM, ca))
return user_id
def create_self_signed_cert(cert_file_path):
private_key_path = re.sub(r".(pem|crt)$",
".key",
cert_file_path,
flags=re.IGNORECASE)
# create public/private key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Self-signed cert
cert = X509()
#subject = X509Name(cert.get_subject())
subject = cert.get_subject()
subject.CN = 'localhost'
subject.O = 'XYZ Widgets Inc'
subject.OU = 'IT Department'
subject.L = 'Seattle'
subject.ST = 'Washington'
subject.C = 'US'
subject.emailAddress = '*****@*****.**'
cert.set_version(2)
cert.set_issuer(subject)
cert.set_subject(subject)
#cert.set_serial_number(int(os.urandom(16).encode('hex'),16))
cert.set_serial_number(int(rand.bytes(16).encode('hex'), 16))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_pubkey(key)
cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier", False, "hash", subject=cert),
])
cert.sign(key, 'sha256')
with open(cert_file_path, 'wb+') as f:
f.write(dump_certificate(FILETYPE_PEM, cert))
with open(private_key_path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
def _create_pkey(self, commonname, serial):
""" Generate a key pair and store it in the private key directory
The key file will be named from the common name
"""
pkey = PKey()
pkey.generate_key(crypto.TYPE_RSA, self.key_bits)
private = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode()
key_path = self._get_key_path(commonname, serial)
if os.path.exists(key_path):
raise FileExistsError(key_path)
with open(key_path, 'w') as private_file:
private_file.writelines(private)
key_link = self._get_key_link(commonname)
if os.path.exists(key_link):
os.unlink(key_link)
os.symlink(os.path.basename(key_path), key_link)
return pkey
def make_certs_and_key(device_public_key: bytes):
"""
1. create private key
2. create certificate
"""
device_key = load_publickey(
PEM, convert_PKCS1_to_PKCS8_pubkey(device_public_key))
device_key._only_public = False
# root key
root_key = PKey()
root_key.generate_key(TYPE_RSA, 2048)
host_req = make_req(root_key)
host_cert = make_cert(host_req, root_key)
device_req = make_req(device_key, 'Device')
device_cert = make_cert(device_req, root_key)
return dump_certificate(PEM, host_cert), dump_privatekey(
PEM, root_key), dump_certificate(PEM, device_cert)
def generate_ca_cert(path, common_name):
if os.path.exists(path):
print("Cert already exists at %s, not regenerating" % path)
return
# Generate key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate certificate
cert = X509()
cert.set_version(3)
cert.set_serial_number(1)
cert.get_subject().CN = common_name
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, "sha256")
with open(path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
def otherMakeCertificate(**kw):
keypair = PKey()
keypair.generate_key(TYPE_RSA, 1024)
req = X509Req()
subj = req.get_subject()
for (k, v) in kw.items():
setattr(subj, k, v)
req.set_pubkey(keypair)
req.sign(keypair, "md5")
cert = X509()
cert.set_serial_number(counter())
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year
cert.set_issuer(req.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(keypair, "md5")
return keypair, cert
def otherMakeCertificate(**kw):
keypair = PKey()
keypair.generate_key(TYPE_RSA, 1024)
req = X509Req()
subj = req.get_subject()
for (k, v) in kw.items():
setattr(subj, k, v)
req.set_pubkey(keypair)
req.sign(keypair, "md5")
cert = X509()
cert.set_serial_number(counter())
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) # One year
cert.set_issuer(req.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(keypair, "md5")
return keypair, cert
def test_set_passwd_cb(self):
"""
L{Context.set_passwd_cb} accepts a callable which will be invoked when
a private key is loaded from an encrypted PEM.
"""
key = PKey()
key.generate_key(TYPE_RSA, 128)
pemFile = self.mktemp()
fObj = file(pemFile, 'w')
passphrase = "foobar"
fObj.write(dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase))
fObj.close()
calledWith = []
def passphraseCallback(maxlen, verify, extra):
calledWith.append((maxlen, verify, extra))
return passphrase
context = Context(TLSv1_METHOD)
context.set_passwd_cb(passphraseCallback)
context.use_privatekey_file(pemFile)
self.assertTrue(len(calledWith), 1)
self.assertTrue(isinstance(calledWith[0][0], int))
self.assertTrue(isinstance(calledWith[0][1], int))
self.assertEqual(calledWith[0][2], None)
class CertificateAuthority(object):
def __init__(self, ca_file='ca.pem', cache_dir=gettempdir()):
'''
The constructor for making a certificate authority file
'''
self.ca_file = ca_file
self.cache_dir = cache_dir
self._serial = self._get_serial()
if not path.exists(ca_file):
self._generate_ca()
else:
self.readCertificateAuthorityFile(ca_file)
def _get_serial(self):
'''
Makes sure that every certificate is associated with an unique serial number
'''
s = 1
for c in filter(lambda x: x.startswith('.pymp_'), listdir(self.cache_dir)):
c = load_certificate(FILETYPE_PEM, open(path.sep.join([self.cache_dir, c])).read())
sc = c.get_serial_number()
if sc > s:
s = sc
del c
return s
def _generate_ca(self):
'''
This function generates the certificate authority file
'''
# Generate key
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(3)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'ca.mitm.com'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert),
])
self.cert.sign(self.key, "sha1")
with open(self.ca_file, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def readCertificateAuthorityFile(self, file):
'''
Reads a CA file assuming it is already present and configured
'''
self.cert = load_certificate(FILETYPE_PEM, open(file).read())
self.key = load_privatekey(FILETYPE_PEM, open(file).read())
def __getitem__(self, cn):
'''
Gets the specified Certificate authority file if it already exists, else creates one!
'''
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
@property
def serial(self):
'''
A static function which generates a unique serial number for every certificate
'''
self._serial += 1
return self._serial
class CAAuth(object):
'''
用于CA证书的生成以及代理证书的自签名
'''
def __init__(self,ca_file = "ca.pem", cert_file = 'ca.crt'):
self.ca_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)),ca_file)
self.cert_file_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), cert_file)
self._gen_ca()#生成CA证书,需要添加到浏览器的合法证书机构中
def _gen_ca(self,again=False):
# Generate key
#如果证书存在而且不是强制生成,直接返回证书信息
if os.path.exists(self.ca_file_path) and os.path.exists(self.cert_file_path) and not again:
self._read_ca(self.ca_file_path) #读取证书信息
return
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(2)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'baseproxy'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=self.cert),
])
self.cert.sign(self.key, "sha256")
with open(self.ca_file_path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
with open(self.cert_file_path, 'wb+') as f:
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def _read_ca(self, file):
self.cert = load_certificate(FILETYPE_PEM, open(file,'rb').read())
self.key = load_privatekey(FILETYPE_PEM, open(file,'rb').read())
def __getitem__(self, cn):
#将为每个域名生成的服务器证书,放到临时目录中
cache_dir =gettempdir()
root_dir = os.path.join(cache_dir,'baseproxy')
if not os.path.exists(root_dir):
os.makedirs(root_dir)
cnp = os.path.join(root_dir,"baseproxy_{}.pem".format(cn))
if not os.path.exists(cnp):
self._sign_ca(cn,cnp)
return cnp
def _sign_ca(self,cn,cnp):
#使用合法的CA证书为代理程序生成服务器证书
# create certificate
try:
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_version(2)
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
ss = ("DNS:%s" % cn).encode(encoding="utf-8")
cert.add_extensions(
[X509Extension(b"subjectAltName", False, ss)])
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
except Exception as e:
raise Exception("generate CA fail:{}".format(str(e)))
@property
def serial(self):
return int("%d" % (time.time() * 1000))
# See LICENSE for details.
#
# Stress tester for thread-related bugs in global_passphrase_callback in
# src/ssl/context.c. In 0.7 and earlier, this will somewhat reliably
# segfault or abort after a few dozen to a few thousand iterations on an SMP
# machine (generally not on a UP machine) due to uses of Python/C API
# without holding the GIL.
from itertools import count
from threading import Thread
from OpenSSL.SSL import Context, TLSv1_METHOD
from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM, PKey, dump_privatekey
k = PKey()
k.generate_key(TYPE_RSA, 128)
file('pkey.pem', 'w').write(dump_privatekey(FILETYPE_PEM, k, "blowfish", "foobar"))
count = count()
def go():
def cb(a, b, c):
print count.next()
return "foobar"
c = Context(TLSv1_METHOD)
c.set_passwd_cb(cb)
while 1:
c.use_privatekey_file('pkey.pem')
threads = [Thread(target=go, args=()) for i in xrange(2)]
for th in threads:
th.start()
def generate_rsa():
keys = []
for i in range(100):
key = PKey()
key.generate_key(TYPE_RSA, 1024)
keys.append(key)
def generate_dsa():
keys = []
for i in range(100):
key = PKey()
key.generate_key(TYPE_DSA, 512)
keys.append(key)
class CertificateAuthority(object):
def __init__(self, ca_file='ca.pem', cache_dir=gettempdir()):
self.ca_file = ca_file
self.cache_dir = cache_dir
self._serial = self._get_serial()
if not path.exists(ca_file):
self._generate_ca()
else:
self._read_ca(ca_file)
def _get_serial(self):
s = 1
for c in filter(lambda x: x.startswith('.pymp_'), listdir(self.cache_dir)):
c = load_certificate(FILETYPE_PEM, open(path.sep.join([self.cache_dir, c])).read())
sc = c.get_serial_number()
if sc > s:
s = sc
del c
return s
def _generate_ca(self):
# Generate key
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(3)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'ca.mitm.com'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier", False, "hash", subject=self.cert),
])
self.cert.sign(self.key, "sha1")
with open(self.ca_file, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def _read_ca(self, file):
self.cert = load_certificate(FILETYPE_PEM, open(file).read())
self.key = load_privatekey(FILETYPE_PEM, open(file).read())
def __getitem__(self, cn):
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
@property
def serial(self):
self._serial += 1
return self._serial