def generate_host_cert(host, root_cert, root_key, host_filename, wildcard=False): # Generate key key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, 2048) # Generate CSR req = crypto.X509Req() req.get_subject().CN = host req.set_pubkey(key) req.sign(key, 'sha1') # Generate Cert cert = CertificateAuthority._make_cert(host) cert.set_issuer(root_cert.get_subject()) cert.set_pubkey(req.get_pubkey()) if wildcard: DNS = 'DNS:' alt_hosts = [DNS + host, DNS + '*.' + host] alt_hosts = ', '.join(alt_hosts) cert.add_extensions( [crypto.X509Extension('subjectAltName', False, alt_hosts)]) cert.sign(root_key, 'sha1') # Write cert + key CertificateAuthority.write_pem(host_filename, cert, key) return cert, key
def create_self_signed_cert(hostname, cert_path, pkey_path): """Generate a certificate and private key, and returns the public key as str.""" # create a key pair k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 2048) # create a self-signed cert cert = crypto.X509() cert.get_subject().C = "BR" cert.get_subject().ST = "Sao Paulo" cert.get_subject().L = "Campinas" cert.get_subject().O = hostname cert.get_subject().OU = hostname cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) if re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}").match(hostname): alt_name = "IP:" + hostname else: alt_name = "DNS:" + hostname cert.add_extensions( [crypto.X509Extension(b"subjectAltName", False, alt_name.encode())] ) cert.set_pubkey(k) cert.sign(k, "sha512") with open(cert_path, "wb") as f: f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) with open(pkey_path, "wb") as f: f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k)) return
def create_certificate(certfile, pkeyfile): rootpem = open("CERT/root.crt", "rb").read() rootkey = open("CERT/root.key", "rb").read() ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, rootpem) ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, rootkey) pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) cert = crypto.X509() cert.set_serial_number(int(random.random() * sys.maxsize)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) cert.set_version(2) subject = cert.get_subject() subject.CN = "Accesser_Proxy" subject.O = "Accesser" cert.add_extensions( [crypto.X509Extension(b"subjectAltName", False, parse_domain())]) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(pkey) cert.sign(ca_key, "sha256") with open(certfile, "wb") as certfile: certfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) certfile.close() with open(pkeyfile, "wb") as pkeyfile: pkeyfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)) pkeyfile.close()
def gen_ss_cert(key, domains, ips, extensions): cert = crypto.X509() cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16)) cert.set_version(2) extensions.append(crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0")) cert.set_issuer(cert.get_subject()) sans = [] sans.extend([b"DNS:" + d.encode() for d in domains]) sans.extend([b"IP:" + d.encode() for d in ips]) extensions.append(crypto.X509Extension(b"subjectAltName", critical=False, value=b", ".join(sans))) cert.add_extensions(extensions) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(24 * 60 * 60) cert.set_pubkey(key) cert.sign(key, "sha256") return cert
def _validate_key_usage(self): found = False for extension_idx in range( 0, self.existing_certificate.get_extension_count()): extension = self.existing_certificate.get_extension(extension_idx) if extension.get_short_name() == b'keyUsage': found = True expected_extension = crypto.X509Extension( b"keyUsage", False, b', '.join(self.key_usage)) key_usage = [ usage.strip() for usage in to_text(expected_extension, errors='surrogate_or_strict').split(',') ] current_ku = [ usage.strip() for usage in to_text( extension, errors='surrogate_or_strict').split(',') ] if not compare_sets(key_usage, current_ku, self.key_usage_strict): return self.key_usage, str(extension).split(', ') if not found: # This is only bad if the user specified a non-empty list if self.key_usage: return NO_EXTENSION
def __create_internal(self, data): cert_info = get_cert_info_from_data(data) data['type'] = CERT_TYPE_INTERNAL signing_cert = self.middleware.call_sync( 'certificateauthority.query', [('id', '=', data['signedby'])], {'get': True} ) public_key = generate_key(data['key_length']) signkey = load_private_key(signing_cert['privatekey']) cert = self.middleware.call_sync('certificate.create_certificate', cert_info) cert.set_pubkey(public_key) cacert = crypto.load_certificate(crypto.FILETYPE_PEM, signing_cert['certificate']) cert.set_issuer(cacert.get_subject()) cert.add_extensions([ crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert), ]) cert_serial = self.middleware.call_sync( 'certificateauthority.get_serial_for_certificate', data['signedby'] ) cert.set_serial_number(cert_serial) cert.sign(signkey, data['digest_algorithm']) data['certificate'] = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) data['privatekey'] = crypto.dump_privatekey(crypto.FILETYPE_PEM, public_key) data['serial'] = cert_serial return data
def generate_adhoc_ssl_pair(cn=None, hosts=None): from random import random from OpenSSL import crypto if cn is None: cn = '*' cert = crypto.X509() cert.set_serial_number(int(random() * sys.maxsize)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 10) # 10 years subject = cert.get_subject() subject.CN = cn subject.O = 'Dummy Certificate' # noqa: E741 if hosts is not None: hosts.append('localhost') altNames = ", ".join(["DNS:{0}".format(host) for host in hosts]) cert.add_extensions([crypto.X509Extension(b"subjectAltName", False, altNames.encode())]) issuer = cert.get_issuer() issuer.CN = subject.CN issuer.O = subject.O # noqa: E741 pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 2048) cert.set_pubkey(pkey) cert.sign(pkey, 'sha256') return cert, pkey
def generate(self, module): '''Generate the certificate signing request.''' if not os.path.exists(self.path) or self.force: req = crypto.X509Req() req.set_version(self.version) subject = req.get_subject() for (key,value) in self.subject.items(): if value is not None: setattr(subject, key, value) if self.subjectAltName is not None: req.add_extensions([crypto.X509Extension("subjectAltName", False, self.subjectAltName)]) privatekey_content = open(self.privatekey_path).read() self.privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, privatekey_content) req.set_pubkey(self.privatekey) req.sign(self.privatekey, self.digest) self.request = req csr_file = open(self.path, 'w') csr_file.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, self.request)) csr_file.close() else: self.changed = False file_args = module.load_file_common_arguments(module.params) if module.set_fs_attributes_if_different(file_args, False): self.changed = True
def create_certificate_signing_request(cert_info): key = generate_key(cert_info['key_length']) req = crypto.X509Req() req.get_subject().C = cert_info['country'] req.get_subject().ST = cert_info['state'] req.get_subject().L = cert_info['city'] req.get_subject().O = cert_info['organization'] cn_san_list = cert_info['san'].split() + cert_info['common'].split() cn_san = ', '.join(cn_san_list) req.get_subject().CN = cn_san # first lets determine if an ip address was specified or # a dns entry in the common name default_san_type = 'DNS' try: ipaddress.ip_address(cert_info['common']) default_san_type = 'IP' except ValueError: # This is raised if say we specified freenas.org in the Common name pass req.add_extensions([ crypto.X509Extension( "subjectAltName".encode('utf-8'), False, f"{default_san_type}:{cert_info['san']}".encode('utf-8')) ]) req.get_subject().emailAddress = cert_info['email'] req.set_pubkey(key) sign_certificate(req, key, cert_info['digest_algorithm']) return (req, key)
def createCertRequest(pkey, **name): """ Create a certificate request. @param pkey: The key to associate with the request @type pkey: crypto.PKey @keyword name: The name of the subject of the request, possible arguments are: C - Country name ST - State or province name L - Locality name O - Organization name (always forced to be "Calathi project") OU - Organizational unit name CN - Common name emailAddress - E-mail address @returns: The certificate request in an X509Req object @rtype: crypto.X509Req """ req = crypto.X509Req() subj = req.get_subject() assert 'O' not in name, repr(name) for (key, value) in name.iteritems(): setattr(subj, key, value) setattr(subj, 'O', CERT_O) x = crypto.X509Extension('subjectAltName', True, 'otherName:1.2;UTF8:some other identifier') req.add_extensions([x]) req.set_pubkey(pkey) req.sign(pkey, OPENSSL_DIGEST) return req
def CreateCert(name, signer=None, ocsp=False): global NEXT_SERIAL pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 1024) cert = crypto.X509() cert.set_version(2) cert.get_subject().CN = name cert.set_pubkey(pkey) cert.set_serial_number(NEXT_SERIAL) NEXT_SERIAL += 1 cert.set_notBefore(CERT_DATE.strftime('%Y%m%d%H%M%SZ')) cert.set_notAfter(CERT_EXPIRE.strftime('%Y%m%d%H%M%SZ')) if ocsp: cert.add_extensions( [crypto.X509Extension('extendedKeyUsage', False, 'OCSPSigning')]) if signer: cert.set_issuer(signer[1].get_subject()) cert.sign(signer[2], 'sha1') else: cert.set_issuer(cert.get_subject()) cert.sign(pkey, 'sha1') asn1cert = decoder.decode(crypto.dump_certificate(crypto.FILETYPE_ASN1, cert), asn1Spec=rfc2459.Certificate())[0] if not signer: signer = [asn1cert] return (asn1cert, cert, pkey, signer[0])
def createCertRequest(pkey, digest="sha256", **name): """ Create a certificate request. Arguments: pkey - The key to associate with the request digest - Digestion method to use for signing, default is sha256 **name - The name of the subject of the request, possible arguments are: C - Country name ST - State or province name L - Locality name O - Organization name OU - Organizational unit name CN - Common name emailAddress - E-mail address Returns: The certificate request in an X509Req object """ req = crypto.X509Req() subj = req.get_subject() if 'extensions' in name: extensions = [] for ext in name['extensions']: extensions.append(crypto.X509Extension(ext[0], ext[1], ext[2])) req.add_extensions(extensions) del name['extensions'] for key, value in name.items(): setattr(subj, key, value) req.set_pubkey(pkey) req.sign(pkey, digest) return req
def create_subcert(certfile, commonname, ip=False): cert = crypto.X509() cert.set_version(2) cert.set_serial_number( int((int(time() - sub_serial) + random.random()) * 100)) #setting the only number subject = cert.get_subject() subject.countryName = 'CN' subject.stateOrProvinceName = 'Internet' subject.localityName = 'Cernet' subject.organizationalUnitName = '%s Branch' % ca_vendor subject.commonName = commonname subject.organizationName = commonname #某些认证机制会检查签署时间与当前时间之差 cert.gmtime_adj_notBefore(sub_time_b) cert.gmtime_adj_notAfter(sub_time_a) cert.set_issuer(ca_subject) cert.set_pubkey(sub_publickey) if ip: sans = 'IP: ' + commonname else: sans = 'DNS: %s, DNS: *.%s' % (commonname, commonname) cert.add_extensions( [crypto.X509Extension(b'subjectAltName', True, sans.encode())]) cert.sign(ca_privatekey, ca_digest) with open(certfile, 'wb') as fp: fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
def create_certificate_signing_request(self, cert_info): cert_info['san'] = self.middleware.call_sync( 'certificate.san_to_string', cert_info.pop('san', [])) key = generate_key(cert_info['key_length']) req = crypto.X509Req() req.get_subject().C = cert_info['country'] req.get_subject().ST = cert_info['state'] req.get_subject().L = cert_info['city'] req.get_subject().O = cert_info['organization'] if cert_info.get('organizational_unit'): req.get_subject().OU = cert_info['organizational_unit'] req.get_subject().CN = cert_info['common'] if cert_info['san']: req.add_extensions([ crypto.X509Extension(b"subjectAltName", False, cert_info['san'].encode()) ]) req.get_subject().subjectAltName = cert_info['san'] req.get_subject().emailAddress = cert_info['email'] req.set_pubkey(key) req.sign(key, cert_info['digest_algorithm']) return (req, key)
def gen_cert(self, domain: str, key: Optional[crypto.PKey] = None, bits: int = 2048) -> Tuple[crypto.X509, crypto.PKey]: """Generate tls-alpn-01 certificate. :param str domain: Domain verified by the challenge. :param OpenSSL.crypto.PKey key: Optional private key used in certificate generation. If not provided (``None``), then fresh key will be generated. :param int bits: Number of bits for newly generated key. :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey` """ if key is None: key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, bits) der_value = b"DER:" + codecs.encode(self.h, 'hex') acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1, critical=True, value=der_value) return crypto_util.gen_ss_cert(key, [domain], force_san=True, extensions=[acme_extension]), key
def create_certificate(server_name): rootpem = open(os.path.join(certpath, "root.crt"), "rb").read() rootkey = open(os.path.join(certpath, "root.key"), "rb").read() ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM, rootpem) ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, rootkey) cert = crypto.X509() cert.set_serial_number(int(random.random() * sys.maxsize)) cert.gmtime_adj_notBefore(-600) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365) cert.set_version(2) subject = cert.get_subject() subject.CN = "Accesser_Proxy" subject.O = "Accesser" cert.add_extensions([ crypto.X509Extension(b"subjectAltName", False, ('DNS:' + server_name + ',DNS:*.' + server_name).encode()) ]) cert.set_issuer(ca_cert.get_subject()) cert.set_pubkey(pkey) cert.sign(ca_key, "sha256") with open(os.path.join(certpath, '{}.crt'.format(server_name)), "wb") as certfile: certfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) certfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)) certfile.close()
def create_keypair(self): LOG.debug('Generating Snakeoil CA') key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, self.key_size) cert = crypto.X509() cert.set_version(self.x509_version) cert.set_serial_number(self.serial) subject = cert.get_subject() set_subject_X509Name(subject, self.subject_dn) cert.set_subject(subject) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(self.expiry_days) cert.set_issuer( set_subject_X509Name(cert.get_issuer(), self.signing_dn)) cert.set_pubkey(key) cert.add_extensions([ crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:5"), ]) if not self.signing_key: self.signing_key = key # self-signed cert.sign(self.signing_key, 'sha256') LOG.debug('Snakeoil CA cert/key generated') chain = b'' if self.parent_chain_path: with open(self.parent_chain_path, 'rb') as fh: chain = fh.read() chain += crypto.dump_certificate(crypto.FILETYPE_PEM, cert) pkcs7 = self._generate_pkcs7(chain) return cert, key, chain, pkcs7
def generate_test_cert(hostname='somehostname', san_list=None, expires=1000000): """ Generates a test SSL certificate and returns the certificate data and private key data. """ # Based on: http://blog.richardknop.com/2012/08/create-a-self-signed-x509-certificate-in-python/ # Create a key pair. k = crypto.PKey() k.generate_key(crypto.TYPE_RSA, 1024) # Create a self-signed cert. cert = crypto.X509() cert.get_subject().CN = hostname # Add the subjectAltNames (if necessary). if san_list is not None: cert.add_extensions([ crypto.X509Extension("subjectAltName", False, ", ".join(san_list)) ]) cert.set_serial_number(1000) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(expires) cert.set_issuer(cert.get_subject()) cert.set_pubkey(k) cert.sign(k, 'sha1') # Dump the certificate and private key in PEM format. cert_data = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) key_data = crypto.dump_privatekey(crypto.FILETYPE_PEM, k) return (cert_data, key_data)
def create(cn, issuer=None, key=None, keysize=2048, digest="sha256", notBefore="20150101000000+0000", notAfter="20300101000000+0000", additional_extensions=None): if key is None: key = crypto.PKey() key.generate_key(crypto.TYPE_RSA, keysize) cert = crypto.X509() cert.set_pubkey(key) cert.set_version(2) cert.set_serial_number(random.randint(0, 2**20)) cert.set_notBefore(notBefore) cert.set_notAfter(notAfter) cert.get_subject().CN = cn cert.set_issuer(cert.get_subject() if issuer is None else issuer.cert. get_subject()) # Add the CA=True basic constraint basicContraints = crypto.X509Extension("basicConstraints", True, "CA:TRUE") cert.add_extensions([basicContraints]) if additional_extensions is not None: cert.add_extensions(additional_extensions) signing_key = key if issuer is None else issuer.key cert.sign(signing_key, digest) return Certificate(cert, key)
def create_subcert(certfile, commonname, ip=False, sans=None): sans = sans or [] cert = crypto.X509() cert.set_version(2) cert.set_serial_number( int((int(time() - sub_serial) + random.random()) * 100)) #setting the only number subject = cert.get_subject() subject.countryName = 'CN' subject.stateOrProvinceName = 'Internet' subject.localityName = 'Cernet' subject.organizationalUnitName = '%s Branch' % ca_vendor subject.commonName = commonname subject.organizationName = commonname if ip: sans = set([ commonname, ] + sans) else: sans = set([commonname, '*.' + commonname] + sans) sans = ', '.join('DNS: %s' % x for x in sans) if not isinstance(sans, bytes): sans = sans.encode() #某些认证机制会检查签署时间与当前时间之差 cert.gmtime_adj_notBefore(sub_time_b) cert.gmtime_adj_notAfter(sub_time_a) cert.set_issuer(ca_subject) cert.set_pubkey(sub_key) cert.add_extensions([crypto.X509Extension(b'subjectAltName', True, sans)]) cert.sign(ca_key, ca_digest) with open(certfile, 'wb') as fp: fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
def create_certificate(self, cert_info): cert_info['san'] = self.middleware.call_sync( 'certificate.san_to_string', cert_info.pop('san', []) ) cert = crypto.X509() cert.get_subject().C = cert_info['country'] cert.get_subject().ST = cert_info['state'] cert.get_subject().L = cert_info['city'] cert.get_subject().O = cert_info['organization'] cert.get_subject().CN = cert_info['common'] # Add subject alternate name in addition to CN if cert_info['san']: cert.add_extensions([crypto.X509Extension( b"subjectAltName", False, cert_info['san'].encode() )]) cert.get_subject().subjectAltName = cert_info['san'] cert.get_subject().emailAddress = cert_info['email'] serial = cert_info.get('serial') if serial is not None: cert.set_serial_number(serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(cert_info['lifetime'] * (60 * 60 * 24)) cert.set_issuer(cert.get_subject()) # Setting it to '2' actually results in a v3 cert # openssl's cert x509 versions are zero-indexed! # see: https://www.ietf.org/rfc/rfc3280.txt cert.set_version(2) return cert
def setup_atmcrypto(self): atmkey = crypto.PKey() atmkey.generate_key(crypto.TYPE_RSA, 2048) certreq = crypto.X509Req() certreq.get_subject().CN = "atm-machine.bank.example.com" certreq.set_pubkey(atmkey) certreq.sign(atmkey, "sha256") atmcert = crypto.X509() atmcert.set_subject(certreq.get_subject()) atmcert.set_serial_number(self._certauthoritynextserial) atmcert.set_issuer(self._certauthority.get_subject()) atmcert.gmtime_adj_notBefore(0) atmcert.gmtime_adj_notAfter(86400 * 365 * 3) # under CA's lifetime atmcert.set_pubkey(certreq.get_pubkey()) atmcert.add_extensions([ crypto.X509Extension("basicConstraints", True, "CA:FALSE"), crypto.X509ExtensionType("extendedKeyUsage", True, "clientAuth"), ]) atmcert.sign(self._certauthorityprivatekey, "sha256") self._certauthoritynextserial = self._certauthoritynextserial + 1 if path.exists(self._common_utils.get_authfilename()): self.error_exit('Auth file already exists (race check)') outfile = file(self._common_utils.get_authfilename(), 'w') outfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, atmkey)) outfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, atmcert)) outfile.write( crypto.dump_certificate(crypto.FILETYPE_PEM, self._certauthority)) outfile.close()
def _create_verification_cert(cert_file, key_file, verification_file, nonce, valid_days, serial_number): if exists(cert_file) and exists(key_file): # create a key pair public_key = crypto.PKey() public_key.generate_key(crypto.TYPE_RSA, 2046) # open the root cert and key signing_cert = crypto.load_certificate(crypto.FILETYPE_PEM, open(cert_file).read()) k = crypto.load_privatekey(crypto.FILETYPE_PEM, open(key_file).read()) # create a cert signed by the root verification_cert = crypto.X509() verification_cert.get_subject().CN = nonce verification_cert.gmtime_adj_notBefore(-1 * 24 * 60 * 60) verification_cert.gmtime_adj_notAfter(valid_days * 24 * 60 * 60) verification_cert.set_version(2) verification_cert.set_serial_number(serial_number) verification_cert.set_pubkey(public_key) verification_cert.set_issuer(signing_cert.get_subject()) verification_cert.add_extensions([ crypto.X509Extension(b"authorityKeyIdentifier", False, b"keyid:always", issuer=signing_cert) ]) verification_cert.sign(k, 'sha256') verification_cert_str = crypto.dump_certificate( crypto.FILETYPE_PEM, verification_cert).decode('ascii') open(verification_file, 'w').write(verification_cert_str)
def create_root_ca(): pkey = crypto.PKey() pkey.generate_key(crypto.TYPE_RSA, 4096) cert = crypto.X509() cert.set_version(2) cert.set_serial_number(int(random.random() * sys.maxsize)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 10) subject = cert.get_subject() subject.CN = "Accesser" subject.O = "Accesser" issuer = cert.get_issuer() issuer.CN = "Accesser" issuer.O = "Accesser" cert.set_pubkey(pkey) cert.add_extensions([ crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"), crypto.X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert) ]) cert.add_extensions([ crypto.X509Extension(b"authorityKeyIdentifier", False, b"keyid:always", issuer=cert) ]) cert.sign(pkey, "sha256") with open(os.path.join(certpath, "root.crt"), "wb") as certfile: certfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) certfile.close() with open(os.path.join(certpath, "root.key"), "wb") as pkeyfile: pkeyfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)) pkeyfile.close() pfx = crypto.PKCS12Type() pfx.set_privatekey(pkey) pfx.set_certificate(cert) with open(os.path.join(certpath, "root.pfx"), 'wb') as pfxfile: pfxfile.write(pfx.export())
def create_csr(self): """Generates a cryptographic key-pair and a CSR""" crypto_material_state = self._state_store.get_crypto_material_state() self._LOG.info("Creating Certificate Signing Request") pKey = self._generate_key() self.version = crypto_material_state.get_version() + 1 # Create CSR csr = crypto.X509Req() csr.get_subject().C = "SE" csr.get_subject().ST = "Sweden" csr.get_subject().L = "Stockholm" csr.get_subject().O = "Hopsworks" csr.get_subject().OU = str(self.version) # CN should be the hostname of the server self.cn = self._getHostname() self._LOG.debug("Hostname used in CN is {}".format(self.cn)) csr.get_subject().CN = self.cn csr.set_pubkey(pKey) ### For kafka fix base_constraints = ([ crypto.X509Extension( "keyUsage", False, "Digital Signature, Non Repudiation, Key Encipherment") ]) x509_extensions = base_constraints # If there are SAN entries, append the base_constraints to include them. san_constraint = crypto.X509Extension( "subjectAltName", False, "DNS: %s" % self._config.hostname) x509_extensions.append(san_constraint) csr.add_extensions(x509_extensions) ### End Kafka csr.sign(pKey, 'sha256') self.csr_req = crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr) self._private_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, pKey) cryptography_key = pKey.to_cryptography_key() self._private_key_rsa = cryptography_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption()) self._LOG.debug("Finished CSR")
def _create_csr(self): LOG.info('[%s] Generating CSR' % self.name) req = crypto.X509Req() LOG.debug('[%s] Attaching Certificate Version to CSR: %s' % (self.name, self.version)) req.set_version(self.version) subject = req.get_subject() for (key, value) in self.subject.items(): if value is not None: LOG.debug('[%s] Attaching %s to CSR: %s' % (self.name, key, value)) setattr(subject, key, value) LOG.info('[%s] Attaching SAN extention: %s' % (self.name, self.subjectAltName)) try: req.add_extensions([ crypto.X509Extension(bytes('subjectAltName', 'utf-8'), False, bytes(self.subjectAltName, 'utf-8')) ]) except TypeError: req.add_extensions([ crypto.X509Extension('subjectAltName', False, self.subjectAltName) ]) LOG.debug('[%s] Loading private key: %s/private/%s.key' % (self.name, self.path, self.name)) privatekey_content = open('%s/private/%s.key' % (self.path, self.name)).read() privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM, privatekey_content) LOG.info('[%s] Signing CSR' % self.name) req.set_pubkey(privatekey) req.sign(privatekey, self.digest) LOG.debug('[%s] Writting CSR: %s/csr/%s.csr' % (self.name, self.path, self.name)) csr_file = open('%s/csr/%s.csr' % (self.path, self.name), 'w') csr_file.write( (crypto.dump_certificate_request(crypto.FILETYPE_PEM, req)).decode('utf-8')) csr_file.close()
def make_csr(private_key_pem, domains=None, must_staple=False, ipaddrs=None): """Generate a CSR containing domains or IPs as subjectAltNames. :param buffer private_key_pem: Private key, in PEM PKCS#8 format. :param list domains: List of DNS names to include in subjectAltNames of CSR. :param bool must_staple: Whether to include the TLS Feature extension (aka OCSP Must Staple: https://tools.ietf.org/html/rfc7633). :param list ipaddrs: List of IPaddress(type ipaddress.IPv4Address or ipaddress.IPv6Address) names to include in subbjectAltNames of CSR. params ordered this way for backward competablity when called by positional argument. :returns: buffer PEM-encoded Certificate Signing Request. """ private_key = crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem) csr = crypto.X509Req() sanlist = [] # if domain or ip list not supplied make it empty list so it's easier to iterate if domains is None: domains = [] if ipaddrs is None: ipaddrs = [] if len(domains) + len(ipaddrs) == 0: raise ValueError( "At least one of domains or ipaddrs parameter need to be not empty" ) for address in domains: sanlist.append('DNS:' + address) for ips in ipaddrs: sanlist.append('IP:' + ips.exploded) # make sure its ascii encoded san_string = ', '.join(sanlist).encode('ascii') # for IP san it's actually need to be octet-string, # but somewhere downsteam thankfully handle it for us extensions = [ crypto.X509Extension(b'subjectAltName', critical=False, value=san_string), ] if must_staple: extensions.append( crypto.X509Extension(b"1.3.6.1.5.5.7.1.24", critical=False, value=b"DER:30:03:02:01:05")) csr.add_extensions(extensions) csr.set_pubkey(private_key) csr.set_version(2) csr.sign(private_key, 'sha256') return crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr)
def sign_req(req, cacert, cakey): # Validate Subject contents. Not necessary for CA gen, but kept anyhow matching_template(req, cacert) # Validate signature req.verify(req.get_pubkey()) request_subject = components(req.get_subject()) cert = _crypto.X509() subject = cert.get_subject() cert.set_serial_number(int(uuid.uuid1())) cert.set_version(VERSION) for attrib in ATTRIBS_TO_KEEP: if request_subject.get(attrib): setattr(subject, attrib, request_subject[attrib]) issuer_subject = cert.get_subject() cert.set_issuer(issuer_subject) cert.set_pubkey(req.get_pubkey()) # Validity times cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(CA_LIFE()) cert.add_extensions(CA_EXTENSIONS) cacert = cert extension = _crypto.X509Extension(b"subjectKeyIdentifier", critical=False, value=b"hash", subject=cert) cert.add_extensions([extension]) # We need subjectKeyIdentifier to be added before we can add # authorityKeyIdentifier. extension = _crypto.X509Extension( b"authorityKeyIdentifier", critical=False, value=b"issuer:always,keyid:always", issuer=cacert, ) cert.add_extensions([extension]) cert.sign(cakey, "sha512") return cert
def generate_public_key(self, json, root_key=None, root_ca=None, ca_id=None): # Generating the serial number md5_hash = hashlib.md5() md5_hash.update(str(uuid.uuid4())) serial = int(md5_hash.hexdigest(), 24) # Generating the certificate ca_cert = crypto.X509() if "C" in json['subjectDN']: ca_cert.get_subject().C = json['subjectDN']['C'] if "O" in json['subjectDN']: ca_cert.get_subject().O = json['subjectDN']['O'] if "OU" in json['subjectDN']: ca_cert.get_subject().OU = json['subjectDN']['OU'] if "CN" in json['subjectDN']: ca_cert.get_subject().CN = json['subjectDN']['CN'] ca_cert.set_version(2) ca_cert.set_serial_number(serial) ca_cert.gmtime_adj_notBefore(0) ca_cert.gmtime_adj_notAfter( int((self.expires_in - datetime.datetime.now()).total_seconds())) ca_cert.set_pubkey(self.pKey) ca_cert.set_issuer(ca_cert.get_subject()) ca_cert.add_extensions([ crypto.X509Extension("basicConstraints", True, "CA:TRUE"), crypto.X509Extension("keyUsage", True, "keyCertSign, cRLSign"), crypto.X509Extension("subjectKeyIdentifier", False, "hash", subject=ca_cert), crypto.X509Extension("authorityKeyIdentifier", False, 'keyid,issuer', issuer=ca_cert) ]) # Signing the key ca_cert.sign(self.pKey, str(json['hash'])) # Setting the public key self.public = crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert)
def dummy_cert(commonname, certdir = 'crt', ca = 'APPP.pks', sans = ''): if not os.path.exists(certdir): os.makedirs(certdir) namehash = sha256(commonname.encode()).hexdigest() certpath = os.path.join(certdir, namehash + ".pem") if os.path.exists(certpath) and os.path.getsize(certpath) > 0: logger.debug('Certificate for %s already exists.', commonname) return certpath logger.debug('Creating certificate for %s.', commonname) ss = [] for i in sans: ss.append("DNS: %s"%i) ss = ", ".join(ss).encode() if ca: f = open(ca, "r") raw = f.read() ca = crypto.load_certificate(crypto.FILETYPE_PEM, raw) key = crypto.load_privatekey(crypto.FILETYPE_PEM, raw) f.close() else: return None req = crypto.X509Req() subj = req.get_subject() subj.CN = commonname req.set_pubkey(ca.get_pubkey()) req.sign(key, "sha1") if ss: req.add_extensions([crypto.X509Extension(b"subjectAltName", True, ss)]) cert = crypto.X509() cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(60 * 60 * 24 * 3652) cert.set_issuer(ca.get_subject()) cert.set_subject(req.get_subject()) cert.set_serial_number(int(time()*10000)) if ss: cert.add_extensions([crypto.X509Extension(b"subjectAltName", True, ss)]) cert.set_pubkey(req.get_pubkey()) cert.sign(key, "sha1") f = open(certpath, "w+b") f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) f.close() return certpath