Example #1
0
def generate_authority(domain):
    ca = CertificateAuthority(id=domain,
        cert_path=os.path.join(config.get("certificates", "ca_cert_dir"), domain+".pem"),
        key_path=os.path.join(config.get("certificates", "ca_key_dir"), domain+".key"))

    # Generate private key and create X509 certificate, then set options
    key = OpenSSL.crypto.PKey()
    key.generate_key(OpenSSL.crypto.TYPE_RSA, 2048)
    crt = OpenSSL.crypto.X509()
    crt.set_version(3)
    crt.set_serial_number(int(systemtime.get_serial_time()))
    crt.get_subject().O = "arkOS Servers"
    crt.get_subject().CN = domain
    crt.gmtime_adj_notBefore(0)
    crt.gmtime_adj_notAfter(5*365*24*60*60)
    crt.set_issuer(crt.get_subject())
    crt.set_pubkey(key)
    crt.add_extensions([
        OpenSSL.crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
        OpenSSL.crypto.X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
        OpenSSL.crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=crt),
    ])
    crt.sign(key, "sha256")
    # Save to files
    with open(ca.cert_path, "wt") as f:
        f.write(OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_PEM, crt))
    os.chmod(ca.cert_path, 0660)
    with open(ca.key_path, "wt") as f:
        f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
    ca.expiry = crt.get_notAfter()
    storage.certs.add("authorities", ca)
    return ca
Example #2
0
def generate_certificate(
        id, domain, country, state="", locale="", email="", keytype="RSA",
        keylength=2048, message=DefaultMessage()):
    signals.emit("certificates", "pre_add", id)

    # Check to see that we have a CA ready; if not, generate one
    basehost = ".".join(domain.split(".")[-2:])
    ca = get_authorities(id=basehost)
    if not ca:
        message.update("info", "Generating certificate authority...")
        ca = generate_authority(basehost)
    with open(ca.cert_path, "r") as f:
        ca_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, f.read())
    with open(ca.key_path, "r") as f:
        ca_key = OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, f.read())

    # Check to see that we have DH params, if not then do that too
    if not os.path.exists("/etc/arkos/ssl/dh_params.pem"):
        message.update("info", "Generating Diffie-Hellman parameters...")
        s = shell("openssl dhparam 2048 -out /etc/arkos/ssl/dh_params.pem")
        if s["code"] != 0:
            raise Exception("Failed to generate Diffie-Hellman parameters")
        os.chown("/etc/arkos/ssl/dh_params.pem", -1, gid)
        os.chmod("/etc/arkos/ssl/dh_params.pem", 0750)

    # Generate private key and create X509 certificate, then set options
    message.update("info", "Generating certificate...")
    kt = OpenSSL.crypto.TYPE_DSA if keytype == "DSA" else OpenSSL.crypto.TYPE_RSA
    try:
        key = OpenSSL.crypto.PKey()
        key.generate_key(kt, keylength)
        crt = OpenSSL.crypto.X509()
        crt.set_version(3)
        crt.get_subject().C = country
        crt.get_subject().CN = domain
        if state:
            crt.get_subject().ST = state
        if locale:
            crt.get_subject().L = locale
        if email:
            crt.get_subject().emailAddress = email
        crt.get_subject().O = "arkOS Servers"
        crt.set_serial_number(int(systemtime.get_serial_time()))
        crt.gmtime_adj_notBefore(0)
        crt.gmtime_adj_notAfter(2*365*24*60*60)
        crt.set_issuer(ca_cert.get_subject())
        crt.set_pubkey(key)
        crt.sign(ca_key, "sha256")
    except Exception, e:
        raise Exception("Error generating self-signed certificate: "+str(e))