def __init__(self, *args, **kargs):
        """Set up a keytool-based certificate factory and generate its CA cert.

        All arguments are forwarded to ``CertificateFactory.__init__``; the
        attributes read below (``parent``, ``keyalg``, ``sigalg``, ``cacert``,
        ``validity``) are whatever that base initialiser leaves on ``self``.
        The CA certificate is only generated when ``self.cacert`` does not
        already exist on disk.
        """
        CertificateFactory.__init__(self, *args, **kargs)

        # keytool spells algorithm names in upper case and takes the signature
        # algorithm as "<digest>with<key>" (e.g. SHA256withRSA). Only a root
        # factory rewrites its values here; a child keeps what it was given.
        if not self.parent:
            self.keyalg = self.keyalg.upper()
            self.sigalg = "%swith%s" % (self.sigalg.upper(), self.keyalg)

        if self.cacert.exists():
            return

        cacert = self.cacert

        # keytool extension flags: CA basic constraints, plus subject / issuer
        # alternative names when the respective factory defines one.
        subject_alt = cacert.getAlternativeName()
        issuer_alt = self.parent.cacert.getAlternativeName() if self.parent else None
        flags = ["-ext bc:c"]
        if subject_alt:
            flags.append(" -ext san=" + subject_alt)
        if issuer_alt:
            flags.append(" -ext ian=" + issuer_alt)
        ext = "".join(flags)

        if not self.parent:
            # Root CA: one self-signed key pair.
            cacert.keyTool("genkeypair", ext, validity=self.validity, sigalg=self.sigalg)
        else:
            # Intermediate CA: the request is certified by the parent CA and the
            # reply is imported together with every ancestor certificate.
            # NOTE(review): self.cacert is pointed at the parent's CA while these
            # keytool calls run and restored below -- presumably keyTool resolves
            # the signing store through self.cacert; confirm against keyTool().
            self.cacert = self.parent.cacert
            cacert.keyTool("genkeypair")
            csr = cacert.keyTool("certreq")
            pem = cacert.keyTool("gencert", ext, validity=self.validity, stdin=csr)

            ancestors = []
            node = self.parent
            while node:
                ancestors.append(d(read(node.cacert.pem)))
                node = node.parent
            cacert.keyTool("importcert", stdin="".join(ancestors) + d(pem))

        self.cacert = cacert
        self.cacert.generatePEM()
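    def __init__(self, *args, **kargs):
        """Set up a keytool-based certificate factory and generate its CA cert.

        All arguments are forwarded to ``CertificateFactory.__init__``; the
        attributes read below (``parent``, ``keyalg``, ``sigalg``, ``cacert``,
        ``validity``, ``extendedKeyUsage``) are whatever that base initialiser
        leaves on ``self``. The CA certificate is only generated when
        ``self.cacert`` does not already exist on disk.
        """
        CertificateFactory.__init__(self, *args, **kargs)

        # keytool spells algorithm names in upper case and takes the signature
        # algorithm as "<digest>with<key>" (e.g. SHA256withRSA). Only a root
        # factory rewrites its values here; a child keeps what it was given.
        if not self.parent:
            self.keyalg = self.keyalg.upper()
            self.sigalg = self.sigalg.upper() + "with" + self.keyalg

        if self.cacert.exists():
            return

        cacert = self.cacert

        # keytool extension flags: CA basic constraints, subject / issuer
        # alternative names and extended key usage, each only when set.
        # Building the flags as a list avoids the fragile "+ \" continuation
        # chain, where a dropped "+" silently turns the next operand into a call.
        subject_alt = cacert.getAlternativeName()
        issuer_alt = self.parent.cacert.getAlternativeName() if self.parent else None
        flags = ["-ext bc:c"]
        if subject_alt:
            flags.append(" -ext san=" + subject_alt)
        if issuer_alt:
            flags.append(" -ext ian=" + issuer_alt)
        if self.extendedKeyUsage:
            flags.append(" -ext eku=" + self.extendedKeyUsage)
        ext = "".join(flags)

        if not self.parent:
            # Root CA: one self-signed key pair.
            cacert.keyTool("genkeypair", ext, validity=self.validity, sigalg=self.sigalg)
        else:
            # Intermediate CA: the request is certified by the parent CA and the
            # reply is imported together with every ancestor certificate.
            # NOTE(review): self.cacert is pointed at the parent's CA while these
            # keytool calls run and restored below -- presumably keyTool resolves
            # the signing store through self.cacert; confirm against keyTool().
            self.cacert = self.parent.cacert
            cacert.keyTool("genkeypair")
            csr = cacert.keyTool("certreq")
            pem = cacert.keyTool("gencert", ext, validity=self.validity, stdin=csr)

            ancestors = []
            node = self.parent
            while node:
                ancestors.append(d(read(node.cacert.pem)))
                node = node.parent
            cacert.keyTool("importcert", stdin="".join(ancestors) + d(pem))

        self.cacert = cacert
        self.cacert.generatePEM()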
    def __init__(self, *args, **kargs):
        """Set up a pyOpenSSL-based factory and build its CA certificate if absent.

        Arguments are forwarded to ``CertificateFactory.__init__``. For a root
        factory the textual ``keyalg`` is mapped onto a pyOpenSSL key type. The
        certificate is built with ``crypto`` objects and handed to
        ``self.cacert.init`` together with its private key.
        """
        CertificateFactory.__init__(self, *args, **kargs)

        # Root factories map the textual key algorithm onto pyOpenSSL
        # constants; anything that is not "rsa" is treated as DSA.
        if not self.parent:
            self.keyalg = crypto.TYPE_RSA if self.keyalg == "rsa" else crypto.TYPE_DSA

        # Cipher used to encode the private key.
        # NOTE(review): DES-EDE3-CBC is a legacy PEM cipher; the value is kept
        # byte-identical because other code may depend on it.
        self.cipher = "DES-EDE3-CBC"

        if self.cacert.exists():
            return

        # Key pair and a self-signed request carrying the CA subject.
        key = crypto.PKey()
        key.generate_key(self.keyalg, self.keysize)

        req = crypto.X509Req()
        setSubject(self.cacert.dn, req.get_subject())
        req.set_pubkey(key)
        req.sign(key, self.sigalg)

        cert = crypto.X509()
        cert.set_version(0x02)  # zero-based: X.509 v3, required for extensions
        # 64 random bits from the non-cryptographic `random` module. That is
        # adequate for a test fixture; a CA whose certificates leave the test
        # environment needs a CSPRNG-derived, non-zero serial (RFC 5280 4.1.2.2).
        cert.set_serial_number(random.getrandbits(64))
        cert.gmtime_adj_notBefore(0)
        cert.gmtime_adj_notAfter(60 * 60 * 24 * self.validity)  # validity is in days
        cert.set_subject(req.get_subject())
        cert.set_pubkey(req.get_pubkey())

        # All extensions are marked non-critical (second positional argument).
        extensions = [
            crypto.X509Extension(b('basicConstraints'), False, b('CA:true')),
            crypto.X509Extension(b('subjectKeyIdentifier'), False, b('hash'), subject=cert),
        ]

        subject_alt = self.cacert.getAlternativeName()
        if subject_alt:
            extensions.append(crypto.X509Extension(b('subjectAltName'), False, b(subject_alt)))

        if self.parent:
            parent_cert = self.parent.cacert.x509
            extensions.append(crypto.X509Extension(b('authorityKeyIdentifier'), False,
                                                   b('keyid:always,issuer:always'),
                                                   issuer=parent_cert))
            if self.parent.cacert.getAlternativeName():
                extensions.append(crypto.X509Extension(b('issuerAltName'), False,
                                                       b("issuer:copy"),
                                                       issuer=parent_cert))

        cert.add_extensions(extensions)

        # Issuer and signing key: the parent CA for an intermediate, the
        # certificate's own key for a self-signed root.
        if self.parent:
            cert.set_issuer(self.parent.cacert.x509.get_subject())
            cert.sign(self.parent.cacert.pkey, self.sigalg)
        else:
            cert.set_issuer(req.get_subject())
            cert.sign(key, self.sigalg)

        self.cacert.init(key, cert)
    def __init__(self, *args, **kargs):
        """Set up an openssl-CLI-based factory and build its CA certificate if absent.

        Arguments are forwarded to ``CertificateFactory.__init__``. For DSA the
        ``keysize`` attribute is repurposed to hold the path of a shared
        parameter file generated on first use. The CA certificate is produced
        with ``cacert.openSSL`` and only when ``self.cacert`` does not exist.
        """
        CertificateFactory.__init__(self, *args, **kargs)

        # DSA needs a parameter file; it is created once under self.home and
        # its path is stored in self.keysize (the downstream openssl calls are
        # expected to read it from there). The parameter size is fixed at 1024
        # here, independently of any configured key size.
        if self.keyalg == "dsa":
            params_path = os.path.join(self.home, "dsaparams.pem")
            self.keysize = params_path
            if not os.path.exists(params_path):
                self.run("openssl", "dsaparam", 1024, outform="PEM", out=params_path)

        if self.cacert.exists():
            return

        cacert = self.cacert

        # Optional subjectAltName / issuerAltName lines appended to the [ ext ]
        # section of the openssl config (each prefixed by a newline).
        subject_alt = cacert.getAlternativeName()
        issuer_alt = self.parent.cacert.getAlternativeName() if self.parent else None
        alt_lines = []
        if subject_alt:
            alt_lines.append("\nsubjectAltName = " + subject_alt)
        if issuer_alt:
            alt_lines.append("\nissuerAltName = " + issuer_alt)
        altName = "".join(alt_lines)

        if not self.parent:
            # Root CA: a single `req -x509` call with the CA extensions inlined
            # into the config; the DN section comes from toDNSection().
            cacert.openSSL("req", "-x509", days=self.validity, config=
                           """
                               [ req ]
                               x509_extensions = ext
                               distinguished_name = dn
                               prompt = no
                               [ ext ]
                               basicConstraints = CA:true
                               subjectKeyIdentifier = hash
                               authorityKeyIdentifier = keyid:always,issuer:always
                               {altName}
                               {dn}
                               """.format(dn=toDNSection(cacert.dn), altName=altName))
        else:
            # Intermediate CA: build a request, then have it signed while
            # self.cacert temporarily refers to the parent's CA.
            # NOTE(review): the swap presumably lets openSSL() pick the parent's
            # key/cert as signer -- confirm against openSSL().
            self.cacert = self.parent.cacert
            csr = cacert.openSSL("req", config=
                                 """
                                     [ req ]
                                     distinguished_name = dn
                                     prompt = no
                                     {dn}
                                     """.format(dn=toDNSection(cacert.dn)))

            # Sign the certificate. The serial comes from the non-cryptographic
            # `random` module, which is acceptable for test fixtures only.
            cacert.openSSL("x509", "-req", set_serial=random.getrandbits(64), stdin=csr,
                           days=self.validity, extfile=
                           """
                               [ ext ]
                               basicConstraints = CA:true
                               subjectKeyIdentifier = hash
                               authorityKeyIdentifier = keyid:always,issuer:always
                               {altName}
                               """.format(altName=altName))

        self.cacert = cacert
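    def __init__(self, *args, **kargs):
        """Set up an openssl-CLI-based factory and build its CA certificate if absent.

        Arguments are forwarded to ``CertificateFactory.__init__``. The key
        parameters used by later openssl calls are stored in ``self.keyparams``:
        the path of a generated DSA parameter file for DSA, otherwise the plain
        key size. The CA certificate is produced with ``cacert.openSSL`` and
        only when ``self.cacert`` does not exist.
        """
        CertificateFactory.__init__(self, *args, **kargs)

        if self.keyalg == "dsa":
            # DSA parameters are generated once per home directory at the
            # configured key size and reused by later key generation.
            # NOTE(review): run() receives one whitespace-separated command
            # string here; if it splits on whitespace or invokes a shell, a
            # self.home containing spaces breaks the command -- confirm run().
            self.keyparams = os.path.join(self.home, "dsaparams.pem")
            if not os.path.exists(self.keyparams):
                self.run("openssl dsaparam  -outform PEM -out {0} {1}".format(
                    self.keyparams, self.keysize))
        else:
            self.keyparams = self.keysize

        if self.cacert.exists():
            return

        # Optional lines for the [ ext ] section of the openssl config.
        subAltName = self.cacert.getAlternativeName()
        issuerAltName = self.parent.cacert.getAlternativeName() if self.parent else None
        altName = (("\nsubjectAltName = " + subAltName) if subAltName else "") + \
                  (("\nissuerAltName = " + issuerAltName) if issuerAltName else "")
        extendedKeyUsage = (
            "extendedKeyUsage = " +
            self.extendedKeyUsage) if self.extendedKeyUsage else ""

        cacert = self.cacert
        if not self.parent:
            # Root CA: a single `req -x509` call with the CA extensions inlined.
            # {extendedKeyUsage} must stay inside [ ext ]: toDNSection() is
            # assumed to open the [ dn ] section, so anything placed after {dn}
            # would be parsed as a DN attribute instead of an extension.
            cacert.openSSL("req",
                           "-x509",
                           days=self.validity,
                           config="""
                               [ req ]
                               x509_extensions = ext
                               distinguished_name = dn
                               prompt = no
                               [ ext ]
                               basicConstraints = CA:true
                               subjectKeyIdentifier = hash
                               authorityKeyIdentifier = keyid:always,issuer:always
                               {altName}
                               {extendedKeyUsage}
                               {dn}
                               """.format(dn=toDNSection(cacert.dn),
                                          altName=altName,
                                          extendedKeyUsage=extendedKeyUsage))
        else:
            # Intermediate CA: build a request, then have it signed while
            # self.cacert temporarily refers to the parent's CA.
            # NOTE(review): the swap presumably lets openSSL() pick the parent's
            # key/cert as signer -- confirm against openSSL().
            self.cacert = self.parent.cacert
            req = cacert.openSSL("req",
                                 config="""
                                     [ req ]
                                     distinguished_name = dn
                                     prompt = no
                                     {dn}
                                     """.format(dn=toDNSection(cacert.dn)))

            # Sign the certificate. The serial comes from the non-cryptographic
            # `random` module, which is acceptable for test fixtures only.
            cacert.openSSL("x509",
                           "-req",
                           set_serial=random.getrandbits(64),
                           stdin=req,
                           days=self.validity,
                           extfile="""
                               [ ext ]
                               basicConstraints = CA:true
                               subjectKeyIdentifier = hash
                               authorityKeyIdentifier = keyid:always,issuer:always
                               {altName}
                               {extendedKeyUsage}
                               """.format(altName=altName,
                                          extendedKeyUsage=extendedKeyUsage))

        self.cacert = cacert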
    def __init__(self, *args, **kargs):
        """Set up a pyOpenSSL-based factory and build its CA certificate if absent.

        Arguments are forwarded to ``CertificateFactory.__init__``. For a root
        factory the textual ``keyalg`` is mapped onto a pyOpenSSL key type. The
        certificate is built with ``crypto`` objects and handed to
        ``self.cacert.init`` together with its private key.
        """
        CertificateFactory.__init__(self, *args, **kargs)

        # Root factories map the textual key algorithm onto pyOpenSSL
        # constants; anything that is not "rsa" is treated as DSA.
        if not self.parent:
            self.keyalg = crypto.TYPE_RSA if self.keyalg == "rsa" else crypto.TYPE_DSA

        # Cipher used to encode the private key.
        # NOTE(review): DES-EDE3-CBC is a legacy PEM cipher; the value is kept
        # byte-identical because other code may depend on it.
        self.cipher = "DES-EDE3-CBC"

        if self.cacert.exists():
            return

        def extension(name, value, **where):
            # Every extension emitted here is non-critical; `where` carries the
            # optional subject=/issuer= certificate pyOpenSSL needs for
            # identifier-style extensions.
            return crypto.X509Extension(b(name), False, b(value), **where)

        # Generate the CA certificate: key pair, request with the CA subject,
        # then the certificate itself.
        key = crypto.PKey()
        key.generate_key(self.keyalg, self.keysize)

        req = crypto.X509Req()
        setSubject(self.cacert.dn, req.get_subject())
        req.set_pubkey(key)
        req.sign(key, self.sigalg)

        x509 = crypto.X509()
        x509.set_version(0x02)  # zero-based: X.509 v3, required for extensions
        # 64 random bits from the non-cryptographic `random` module. That is
        # adequate for a test fixture; a CA whose certificates leave the test
        # environment needs a CSPRNG-derived, non-zero serial (RFC 5280 4.1.2.2).
        x509.set_serial_number(random.getrandbits(64))
        x509.gmtime_adj_notBefore(0)
        x509.gmtime_adj_notAfter(60 * 60 * 24 * self.validity)  # validity is in days
        x509.set_subject(req.get_subject())
        x509.set_pubkey(req.get_pubkey())

        extensions = [
            extension('basicConstraints', 'CA:true'),
            extension('subjectKeyIdentifier', 'hash', subject=x509),
        ]

        san = self.cacert.getAlternativeName()
        if san:
            extensions.append(extension('subjectAltName', san))

        if self.parent:
            issuer_cert = self.parent.cacert.x509
            extensions.append(extension('authorityKeyIdentifier',
                                        'keyid:always,issuer:always',
                                        issuer=issuer_cert))
            if self.parent.cacert.getAlternativeName():
                extensions.append(extension('issuerAltName', "issuer:copy",
                                            issuer=issuer_cert))

        x509.add_extensions(extensions)

        # Issuer and signing key: the parent CA for an intermediate, the
        # certificate's own key for a self-signed root.
        if self.parent:
            x509.set_issuer(self.parent.cacert.x509.get_subject())
            x509.sign(self.parent.cacert.pkey, self.sigalg)
        else:
            x509.set_issuer(req.get_subject())
            x509.sign(key, self.sigalg)

        self.cacert.init(key, x509)