def generateImpacketCert(certname='/tmp/impacket.crt'):
# Create a private key
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
# Create the certificate
cert = crypto.X509()
cert.gmtime_adj_notBefore(0)
# Valid for 5 years
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 5)
subj = cert.get_subject()
subj.CN = 'impacket'
cert.set_pubkey(pkey)
cert.sign(pkey, "sha256")
# We write both from the same file
with open(certname, 'w') as certfile:
certfile.write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode('utf-8'))
certfile.write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))
LOG.debug('Wrote certificate to %s' % certname)
def make_certificate(self, csr, ca, ca_pkey, serial, export_file=False):
crt = crypto.X509()
crt.set_serial_number(serial)
crt.gmtime_adj_notBefore(86400 * self.notbefore_days)
crt.gmtime_adj_notAfter(86400 * self.notafter_days)
crt.set_issuer(ca.get_subject())
crt.set_subject(csr.get_subject())
crt.set_pubkey(csr.get_pubkey())
crt.sign(ca_pkey, self.digest_type)
if isinstance(export_file, string_types):
dcrt = crypto.dump_certificate(crypto.FILETYPE_PEM, crt)
if not os.path.exists(export_file):
open(export_file, 'wb').close()
os.chmod(export_file, 0o600)
f = open(export_file, 'wb')
f.writelines(dcrt)
f.close()
return crt
def create_self_signed_cert(name):
from OpenSSL import crypto
# create key pair
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
# create self-signed certificate
cert = crypto.X509()
cert.get_subject().CN = name
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 86400)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.sign(key, 'sha1')
with open(CERT_FILE, 'wb') as fp:
fp.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(KEY_FILE, 'wb') as fp:
fp.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
def generateCertificateObjects(organization, organizationalUnit):
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 512)
req = crypto.X509Req()
subject = req.get_subject()
subject.O = organization
subject.OU = organizationalUnit
req.set_pubkey(pkey)
req.sign(pkey, "md5")
# Here comes the actual certificate
cert = crypto.X509()
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60) # Testing certificates need not be long lived
cert.set_issuer(req.get_subject())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(pkey, "md5")
return pkey, req, cert
def generate_user_own_cert(cn, path_to_cert=PATH_TO_CERT,
path_to_pem=PATH_TO_PEM):
logger.debug("Trying to generate user certificate files")
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.get_subject().OU = 'Mirantis Fuel-QA Team'
cert.get_subject().CN = cn
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
with open(path_to_pem, 'wt') as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
logger.debug("Generated PEM file {}".format(path_to_pem))
with open(path_to_cert, 'wt') as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
logger.debug("Generated PEM file {}".format(path_to_cert))
def generate_adhoc_ssl_context():
from random import random
from OpenSSL import crypto, SSL
cert = crypto.X509()
cert.set_serial_number(int(random() * sys.maxint))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
subject = cert.get_subject()
subject.CN = '*'
subject.O = 'Dummy Certificate'
issuer = cert.get_issuer()
issuer.CN = 'Untrusted Authority'
issuer.O = 'Self-Signed'
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 768)
cert.set_pubkey(pkey)
cert.sign(pkey, 'md5')
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.use_privatekey(pkey)
ctx.use_certificate(cert)
return ctx
def generate_cert_with_cn_san(self, cn, san):
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
extensions = list()
extensions.append(
crypto.X509Extension(b'basicConstraints', False,
f'CA:FALSE'.encode()))
extensions.append(crypto.X509Extension(b'subjectAltName', False, san))
cert = crypto.X509()
cert.get_subject().CN = cn
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)
cert.set_issuer(self.ca_cert.get_subject())
cert.set_pubkey(pkey)
cert.add_extensions(extensions)
cert.set_version(2)
cert.sign(self.ca_key, 'sha256')
return cert, pkey
def create_self_signed_cert(certFile, key):
cert = crypto.X509()
cert.set_serial_number(1001)
cert.set_notBefore(b"20190101000000Z")
cert.set_notAfter(b"20290101000000Z")
subject = cert.get_subject()
subject.C = "NO"
subject.ST = "Rogaland"
subject.L = "Kolnes"
subject.O = "UiA"
subject.OU = "ICT"
subject.CN = "localhost"
cert.set_issuer(subject)
cert.set_pubkey(key)
cert.sign(key, 'SHA256')
certToByte = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
write_to_file(certToByte, certFile)
return cert
def signRequestObject(
self,
issuerDistinguishedName,
requestObject,
serialNumber,
secondsToExpiry=60 * 60 * 24 * 365, # One year
digestAlgorithm='md5'):
"""
Sign a CertificateRequest instance, returning a Certificate instance.
"""
req = requestObject.original
dn = requestObject.getSubject()
cert = crypto.X509()
issuerDistinguishedName._copyInto(cert.get_issuer())
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(secondsToExpiry)
cert.set_serial_number(serialNumber)
cert.sign(self.original, digestAlgorithm)
return Certificate(cert)
def create_self_signed_cert(self):
# create a key pair
pkey = crypto.PKey()
pkey.generate_key(crypto.TYPE_RSA, 2048)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().O = "IT"
cert.get_subject().CN = "ceph-dashboard"
cert.set_serial_number(int(uuid4()))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(pkey)
cert.sign(pkey, 'sha512')
cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
self.set_store('crt', cert.decode('utf-8'))
pkey = crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)
self.set_store('key', pkey.decode('utf-8'))
def _create_self_signed_cert(self):
"""
Creates a self signed cert. Shouldn't be called directly except by this library for its
own use.
"""
logger.debug("Creating self signed cert.")
req = crypto.X509()
gwid = "%s %s" % (self.gateway_id, self.hostname)
req.get_subject().CN = 'localhost'
req.get_subject().countryName = 'US'
req.get_subject().stateOrProvinceName = 'California'
req.get_subject().localityName = 'Sacramento'
req.get_subject().organizationName = 'Yombo'
req.get_subject().organizationalUnitName = gwid[0:63]
req.set_serial_number(int(time()))
req.gmtime_adj_notBefore(0)
req.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
self.self_signed_expires = time() + (10 * 365 * 24 * 60 * 60)
self.self_signed_created = time()
self._Configs.set("sslcerts", "self_signed_expires",
self.self_signed_expires)
self._Configs.set("sslcerts", "self_signed_created",
self.self_signed_created)
req.set_issuer(req.get_subject())
key = yield threads.deferToThread(
self._generate_key, **{
'key_type': crypto.TYPE_RSA,
'key_size': 4096
})
req.set_pubkey(key)
req.sign(key, 'sha256')
csr_key = crypto.dump_certificate(crypto.FILETYPE_PEM, req)
key_file = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
save_file(self.self_signed_cert_file, csr_key)
save_file(self.self_signed_key_file, key_file)
return {'csr_key': csr_key, 'key': key_file}
def generate_adhoc_ssl_context():
"""
Create temporary self-signed certificate for encrypted HTTP transport
Exasol does not check validity of certificates
"""
from OpenSSL import crypto
import pathlib
import ssl
import tempfile
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.set_serial_number(1)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365)
cert.set_pubkey(k)
cert.sign(k, 'sha256')
# TemporaryDirectory is used instead of NamedTemporaryFile for compatibility with Windows
with tempfile.TemporaryDirectory(prefix='pyexasol_ssl_') as tempdir:
tempdir = pathlib.Path(tempdir)
cert_file = open(tempdir / 'cert', 'wb')
cert_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
cert_file.close()
key_file = open(tempdir / 'key', 'wb')
key_file.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
key_file.close()
context = ssl.SSLContext()
context.verify_mode = ssl.CERT_NONE
context.load_cert_chain(certfile=cert_file.name,
keyfile=key_file.name)
return context
def _gen_ca(self, ca_name, ca_config):
ca = crypto.X509()
ca.set_version(3)
ca.set_serial_number(1)
ca.get_subject().C = ca_config["countryName"]
ca.get_subject().ST = ca_config["stateOrProvinceName"]
ca.get_subject().L = ca_config["localityName"]
ca.get_subject().O = ca_config["organizationName"]
ca.get_subject().OU = ca_config["organizationalUnitName"]
ca.gmtime_adj_notBefore(0)
ca.gmtime_adj_notAfter(5 * 365 * 24 * 60 * 60)
ca.set_issuer(ca.get_subject())
ca.set_pubkey(self.ca_key_pairs[ca_name])
# From RFC5280: Conforming CAs MUST include keyUsage extension in
# certificates that contain public keys that are used to validate
# digital signatures on other public key certificates or CRLs.
# To facilitate certification path construction, subjectKeyIdentifier
# extension MUST appear in all conforming CA certificates, that is, all
# certificates including the basic constraints extension where the
# value of cA is TRUE.
ca.add_extensions([
# basicConstraints identifies whether subject of certificate is a CA
# pathLen expresses the number of possible intermediate CA
# certificates in a path built from an end-entity certificate up
# to the CA certificate.
crypto.X509Extension(b"basicConstraints", True,
b"CA:TRUE, pathlen:1"),
# The keyCertSign bit is asserted when the subject public key is
# used for verifying signatures on public key certificates.
crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
# From RFC5280: The keyIdentifier is composed of the 160-bit SHA-1
# hash of the value of the BIT STRING subjectPublicKey
crypto.X509Extension(b"subjectKeyIdentifier",
False,
b"hash",
subject=ca),
])
ca.sign(self.ca_key_pairs[ca_name], "sha256")
self.ca_certs[ca_config["ISD"]][ca_name] = ca
def generate(self, module):
if not os.path.exists(self.privatekey_path):
raise CertificateError(
'The private key %s does not exist' % self.privatekey_path
)
if not os.path.exists(self.csr_path):
raise CertificateError(
'The certificate signing request file %s does not exist' % self.csr_path
)
if not self.check(module, perms_required=False) or self.force:
cert = crypto.X509()
cert.set_serial_number(self.serial_number)
if self.notBefore:
cert.set_notBefore(to_bytes(self.notBefore))
else:
cert.gmtime_adj_notBefore(0)
if self.notAfter:
cert.set_notAfter(to_bytes(self.notAfter))
else:
# If no NotAfter specified, expire in
# 10 years. 315360000 is 10 years in seconds.
cert.gmtime_adj_notAfter(315360000)
cert.set_subject(self.csr.get_subject())
cert.set_issuer(self.csr.get_subject())
cert.set_version(self.version - 1)
cert.set_pubkey(self.csr.get_pubkey())
cert.add_extensions(self.csr.get_extensions())
cert.sign(self.privatekey, self.digest)
self.cert = cert
crypto_utils.write_file(module, crypto.dump_certificate(crypto.FILETYPE_PEM, self.cert))
self.changed = True
file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def generate_ca(config_ca):
ca = crypto.X509()
ca.set_version(2)
ca.set_serial_number(config_ca['serial'])
ca_subj = ca.get_subject()
if 'commonName' in config_ca:
ca_subj.commonName = config_ca['commonName']
if 'stateOrProvinceName' in config_ca:
ca_subj.stateOrProvinceName = config_ca['stateOrProvinceName']
if 'localityName' in config_ca:
ca_subj.localityName = config_ca['localityName']
if 'organizationName' in config_ca:
ca_subj.organizationName = config_ca['organizationName']
if 'organizationalUnitName' in config_ca:
ca_subj.organizationalUnitName = config_ca['organizationalUnitName']
if 'emailAddress' in config_ca:
ca_subj.emailAddress = config_ca['emailAddress']
if 'countryName' in config_ca:
ca_subj.countryName = config_ca['countryName']
if 'validfrom' in config_ca:
ca.set_notBefore(config_ca['validfrom'])
if 'validto' in config_ca:
ca.set_notAfter(config_ca['validto'])
key = openssl_generate_privatekey(config_ca['keyfilesize'])
ca.add_extensions([
crypto.X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
crypto.X509Extension("keyUsage", False, "keyCertSign, cRLSign"),
crypto.X509Extension("subjectKeyIdentifier", False, "hash",
subject=ca),
])
ca.add_extensions([
crypto.X509Extension("authorityKeyIdentifier",
False,
"keyid:always",
issuer=ca)
])
ca.set_issuer(ca.get_subject())
ca.set_pubkey(key)
ca.sign(key, config_ca['hashalgorithm'])
return ca, key
def create_self_signed_cert(cert_dir, keyfile, certfile):
"""
Create a self-signed `keyfile` and `certfile` in `cert_dir`
Abort if one of the keyfile of certfile exist.
"""
if exists(join(cert_dir, certfile)) or exists(join(cert_dir, keyfile)):
raise FileExistsError('{} or {} already exist in {}. Aborting.'.format(
keyfile, certfile, cert_dir))
else:
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "US"
cert.get_subject().ST = "Jupyter notebook self-signed certificate"
cert.get_subject().L = "Jupyter notebook self-signed certificate"
cert.get_subject().O = "Jupyter notebook self-signed certificate"
cert.get_subject().OU = "my organization"
cert.get_subject().CN = "Jupyter notebook self-signed certificate"
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha256')
with io.open(join(cert_dir, certfile), "wt") as f:
f.write(
crypto.dump_certificate(crypto.FILETYPE_PEM,
cert).decode('utf8'))
os.chmod(join(cert_dir, certfile), 0o600)
with io.open(join(cert_dir, keyfile), "wt") as f:
f.write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf8'))
os.chmod(join(cert_dir, keyfile), 0o600)
def generate(self, device_id, ecc=False):
# Device client certificate
if ecc:
filename_cert = CONFIG_CERT_DIRECTORY + "ft900device1_cert.pem"
filename_pkey = CONFIG_CERT_DIRECTORY + "ft900device1_pkey.pem"
return filename_cert, filename_pkey
else:
client_key = crypto.PKey()
client_key.generate_key(crypto.TYPE_RSA, 2048)
client_cert = crypto.X509()
client_cert.set_version(0)
client_cert.set_serial_number(random.getrandbits(8*9))
client_subj = client_cert.get_subject()
client_cert.set_issuer(self.ca_subj)
client_cert.set_pubkey(client_key)
client_cert.gmtime_adj_notBefore(0)
client_cert.gmtime_adj_notAfter(CONFIG_CERT_YEARS*365*24*60*60)
client_cert.get_subject().C = CONFIG_CERT_COUNTRY
client_cert.get_subject().ST = CONFIG_CERT_STATE
client_cert.get_subject().L = CONFIG_CERT_CITY
client_cert.get_subject().O = CONFIG_CERT_COMPANY
client_cert.get_subject().OU = CONFIG_CERT_DEPARTMENT
client_cert.get_subject().CN = device_id
client_cert.sign(self.ca_key, 'sha256')
# Get epoch time as timestamp
timestamp = str(int(time.time()))
# Save certificate
filename_cert = CONFIG_CERT_DIRECTORY + device_id + "_" + timestamp + "_cert.pem"
with open(filename_cert, "wt") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, client_cert).decode("utf-8"))
# Save private key
filename_pkey = CONFIG_CERT_DIRECTORY + device_id + "_" + timestamp + "_pkey.pem"
with open(filename_pkey, "wt") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, client_key).decode("utf-8"))
return filename_cert, filename_pkey
def create_ca(CN,
C="",
ST="",
L="",
O="",
OU="",
emailAddress="",
hashalgorithm='sha256WithRSAEncryption'):
cakey = make_keypair()
careq = make_csr(cakey, cn=CN)
cacert = crypto.X509()
cacert.set_serial_number(0)
cacert.gmtime_adj_notBefore(0)
cacert.gmtime_adj_notAfter(60 * 60 * 24 * 365 *
10) # 10 yrs - hard to beat this kind of cert!
cacert.set_issuer(careq.get_subject())
cacert.set_subject(careq.get_subject())
cacert.set_pubkey(careq.get_pubkey())
cacert.set_version(2)
# Set the extensions in two passes
cacert.add_extensions([
crypto.X509Extension('basicConstraints', True, 'CA:TRUE'),
crypto.X509Extension('subjectKeyIdentifier',
True,
'hash',
subject=cacert)
])
# ... now we can set the authority key since it depends on the subject key
cacert.add_extensions([
crypto.X509Extension('authorityKeyIdentifier',
False,
'issuer:always, keyid:always',
issuer=cacert,
subject=cacert)
])
cacert.sign(cakey, hashalgorithm)
return (cacert, cakey)
def generate_device_cert(dev_serial_num,
dev_pub_key_path="keys/device_pub_key.pem",
ca_priv_key_path="certificates/rootCA.key",
ca_cert_path="certificates/rootCA.pem"):
if True:
# read device public key from previously read from the device
dev_pub_key = crypto.load_publickey(crypto.FILETYPE_PEM,
open(dev_pub_key_path, 'r').read())
else:
# for development only, use public key from self generated private key
dev_priv_key = crypto.load_privatekey(
crypto.FILETYPE_ASN1,
open("keys/device_priv_key.der", 'rb').read())
dev_pub_key = crypto.load_publickey(
crypto.FILETYPE_PEM,
crypto.dump_publickey(crypto.FILETYPE_PEM, dev_priv_key))
ca_privatekey = crypto.load_privatekey(crypto.FILETYPE_PEM,
open(ca_priv_key_path, 'r').read())
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
open(ca_cert_path, 'r').read())
# create cert signed by ca_cert
cert = crypto.X509()
cert.set_subject(ca_cert.get_subject())
cert.get_subject(
).CN = cytools.target_name.upper() + '-' + str(dev_serial_num)
cert.set_serial_number(int(dev_serial_num))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(dev_pub_key)
cert.sign(ca_privatekey, 'sha256')
open("certificates/device_cert.pem", "wb")\
.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open("certificates/device_cert.der", "wb")\
.write(crypto.dump_certificate(crypto.FILETYPE_ASN1, cert))
print('Device certificate generated successfully.')
return 0
def _create_ca_cert(self, pub_key, issuer="Manger", subject=None):
"""
Create a CA Certificate that will be signed with each agent key
Args:
pub_key (PKey): Key to be set in certificate
issuer (str): Name or hostname for the certificate issuer
subject (str): Name or hostname for the ceritifcate subject. If none will be same as issuer
Returns:
ca_cert : X509 Object. Created ca certificate
"""
ca_cert = crypto.X509()
ca_cert.set_serial_number(random.randint(50000000, 100000000))
xt = crypto.X509Extension(b"basicConstraints", 1, b"CA:TRUE")
ca_cert.add_extensions((xt, ))
ca_cert.gmtime_adj_notBefore(0)
ca_cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
ca_cert.set_version(2)
ca_issuer = ca_cert.get_issuer()
ca_issuer.commonName = issuer
ca_cert.set_issuer(ca_issuer)
if subject:
ca_subj = ca_cert.get_subject()
ca_subj.commonName = subject
ca_cert.set_subject(ca_subj)
else:
ca_subj = ca_cert.get_subject()
ca_subj.commonName = issuer
ca_cert.set_subject(ca_subj)
ca_cert.set_pubkey(pub_key)
return ca_cert
def installCertificates(session):
if not os_exists(CERT_FILE) \
or not os_exists(KEY_FILE):
print "[Webinterface].installCertificates :: Generating SSL key pair and CACert"
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = "DE"
cert.get_subject().ST = "Home"
cert.get_subject().L = "Home"
cert.get_subject().O = "Dreambox"
cert.get_subject().OU = "STB"
cert.get_subject().CN = socket_gethostname()
cert.set_serial_number(random.randint(1000000, 1000000000))
cert.set_notBefore("20120101000000Z")
cert.set_notAfter("20301231235900Z")
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
print "[Webinterface].installCertificates :: Signing SSL key pair with new CACert"
cert.sign(k, 'sha1')
try:
print "[Webinterface].installCertificates :: Installing newly generated certificate and key pair"
open(CERT_FILE,
"wt").write(crypto.dump_certificate(crypto.FILETYPE_PEM,
cert))
open(KEY_FILE,
"wt").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
except IOError, e:
#Disable https
config.plugins.Webinterface.https.enabled.value = False
config.plugins.Webinterface.https.enabled.save()
#Inform the user
session.open(
MessageBox,
"Couldn't install generated SSL-Certifactes for https access\nHttps access is disabled!",
MessageBox.TYPE_ERROR)
def create_self_signed_cert(self, common_name):
C_F = self.settings.certificates.certificate
K_F = self.settings.certificates.privatekey
P_F = joinFilePath(
getDirNameByPath(self.settings.certificates.privatekey),
'server.pub.key')
if not exists(C_F) or not exists(K_F):
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
cert = crypto.X509()
cert.get_subject().C = self.settings.certificates.country
cert.get_subject().ST = self.settings.certificates.state
cert.get_subject().L = self.settings.certificates.city
cert.get_subject().O = self.settings.certificates.organization
cert.get_subject().OU = self.settings.certificates.unit
cert.get_subject().CN = common_name
cert.set_serial_number(1000)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
with open(C_F, "wb") as f:
f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(K_F, "wb") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
with open(P_F, "wb") as f:
f.write(crypto.dump_publickey(crypto.FILETYPE_PEM, k))
def generate_cert(root_ca_cert_str, server_cert_str, server_host):
"""Generates a cert_str with the sni field in server_cert_str signed by the
root_ca_cert_str.
Args:
root_ca_cert_str: PEM formatted string representing the root cert
server_cert_str: PEM formatted string representing cert
server_host: host name to use if there is no server_cert_str
Returns:
a PEM formatted certificate string
"""
EXTENSION_WHITELIST = set(['subjectAltName'])
if openssl_import_error:
raise openssl_import_error # pylint: disable=raising-bad-type
common_name = server_host
reused_extensions = []
if server_cert_str:
original_cert = load_cert(server_cert_str)
common_name = original_cert.get_subject().commonName
for i in xrange(original_cert.get_extension_count()):
original_cert_extension = original_cert.get_extension(i)
if original_cert_extension.get_short_name() in EXTENSION_WHITELIST:
reused_extensions.append(original_cert_extension)
ca_cert = load_cert(root_ca_cert_str)
ca_key = load_privatekey(root_ca_cert_str)
cert = crypto.X509()
cert.get_subject().CN = common_name
cert.gmtime_adj_notBefore(-60 * 60)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 30)
cert.set_issuer(ca_cert.get_subject())
cert.set_serial_number(int(time.time()*10000))
cert.set_pubkey(ca_key)
cert.add_extensions(reused_extensions)
cert.sign(ca_key, 'sha256')
return _dump_cert(cert)
def gen_cert(ca=None, ca_key=None, ca_cert=None, commonName=None):
'''Create an CERT signed by an given CA'''
# Generate a CSR
# http://docs.ganeti.org/ganeti/2.14/html/design-x509-ca.html
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 4096)
req = crypto.X509Req()
if commonName is None:
commonName = input("CommonName: ")
req.get_subject().CN = commonName
req.set_pubkey(key)
req.sign(key, "sha512")
key = crypto.dump_privatekey(crypto.FILETYPE_PEM, key).decode("utf-8")
# Load cert and key if an ca is supplied
if ca is not None:
ca_cert = ca.get_cert()
ca_key = ca.get_key()
ca_cert = crypto.load_certificate(crypto.FILETYPE_PEM,
bytes(ca_cert, 'utf-8'))
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM,
bytes(ca_key, 'utf-8'))
# Generate Cert
cert = crypto.X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(random.randint(0, sys.maxsize))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(1 * 365 * 24 * 60 * 60)
cert.set_issuer(ca_cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(ca_key, "sha512") # Sign with CA
cert = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8")
return cert, key
def create_signed_client_cert(client_public_key, country, state, locality, organization,
organizational_unit, common_name, email, valid_until):
"""
Function for generating client certificates
"""
# load files
try:
with open(settings.CERT_CA_FILE) as ca_file:
ca = crypto.load_certificate(crypto.FILETYPE_PEM, ca_file.read())
with open(settings.CERT_CA_KEY_FILE) as ca_key_file:
ca_key = crypto.load_privatekey(crypto.FILETYPE_PEM, ca_key_file.read())
except IOError as e:
log.error(e)
raise
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = country
cert.get_subject().ST = state
cert.get_subject().L = locality
cert.get_subject().O = organization
cert.get_subject().OU = organizational_unit
cert.get_subject().CN = common_name
cert.get_subject().emailAddress = email
cert.set_serial_number(uuid.uuid4().int)
now = datetime.now()
cert.set_notBefore(now.strftime("%Y%m%d%H%M%SZ"))
cert.set_notAfter(valid_until.strftime("%Y%m%d%H%M%SZ"))
cert.set_issuer(ca.get_subject())
cert.set_pubkey(client_public_key)
cert.sign(ca_key, 'sha1')
return cert
def _create_self_signed_cert(self,
directory,
email,
common_name,
cert_ttl,
country='RU',
state='Moscow',
city='Moscow',
organization='Nekrasovka',
organizational_unit='Nekrasovka'):
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 1024)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = country
cert.get_subject().ST = state
cert.get_subject().L = city
cert.get_subject().O = organization
cert.get_subject().OU = organizational_unit
cert.get_subject().CN = common_name
cert.set_serial_number(int(time.time()))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(int(cert_ttl) * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha1')
open(self.cert_path,
"wb+").write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
open(self.private_key_path,
"wb+").write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
open(self.public_key_path,
"wb+").write(crypto.dump_publickey(crypto.FILETYPE_PEM, k))
p12 = crypto.PKCS12()
p12.set_privatekey(k)
p12.set_certificate(cert)
open(self.pfx_path, 'wb+').write(p12.export())
def __init__(self):
self.ca_key = crypto.PKey()
self.ca_key.generate_key(crypto.TYPE_RSA, 2048)
self.ca_cert = crypto.X509()
self.ca_cert.set_version(2)
self.ca_cert.set_serial_number(1)
self.ca_cert.get_subject().CN = "MyEC"
self.ca_cert.get_subject().ST = "Portugal"
self.ca_cert.get_subject().L = "Guimarães"
self.ca_cert.get_subject().OU = "UMinho"
self.ca_cert.set_issuer(self.ca_cert.get_subject())
self.ca_cert.set_pubkey(self.ca_key)
self.ca_cert.add_extensions([
crypto.X509Extension(b"subjectKeyIdentifier",
False,
b"hash",
subject=self.ca_cert),
])
self.ca_cert.add_extensions([
crypto.X509Extension(b"authorityKeyIdentifier",
False,
b"keyid:always,issuer",
issuer=self.ca_cert),
])
self.ca_cert.add_extensions([
crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
crypto.X509Extension(b"keyUsage", True,
b"digitalSignature, keyCertSign, cRLSign"),
])
self.ca_cert.gmtime_adj_notBefore(0)
self.ca_cert.gmtime_adj_notAfter(24 * 60 * 60)
self.ca_cert.sign(self.ca_key, 'sha256')
def generate_dummy_ca_cert(subject='_WebPageReplayCert'):
"""Generates dummy certificate authority.
Args:
subject: a string representing the desired root cert issuer
Returns:
A tuple of the public key and the private key strings for the root
certificate
"""
if openssl_import_error:
raise openssl_import_error # pylint: disable=raising-bad-type
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 1024)
ca_cert = crypto.X509()
ca_cert.set_serial_number(int(time.time() * 10000))
ca_cert.set_version(2)
ca_cert.get_subject().CN = subject
ca_cert.get_subject().O = subject
ca_cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2)
ca_cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2)
ca_cert.set_issuer(ca_cert.get_subject())
ca_cert.set_pubkey(key)
ca_cert.add_extensions([
crypto.X509Extension('basicConstraints', True, 'CA:TRUE'),
crypto.X509Extension('extendedKeyUsage', True,
('serverAuth,clientAuth,emailProtection,'
'timeStamping,msCodeInd,msCodeCom,msCTLSign,'
'msSGC,msEFS,nsSGC')),
crypto.X509Extension('keyUsage', False, 'keyCertSign, cRLSign'),
crypto.X509Extension('subjectKeyIdentifier',
False,
'hash',
subject=ca_cert),
])
ca_cert.sign(key, 'sha256')
key_str = _dump_privatekey(key)
ca_cert_str = _dump_cert(ca_cert)
return ca_cert_str, key_str
def cert_gen(emailAddress=generate_random(random.randint(5, 20)),
commonName=generate_random(random.randint(5, 20)),
countryName=generate_random(2),
localityName=generate_random(random.randint(5, 20)),
stateOrProvinceName=generate_random(random.randint(5, 20)),
organizationName=generate_random(random.randint(5, 20)),
organizationUnitName=generate_random(random.randint(5, 20)),
serialNumber=0,
validityStartInSeconds=0,
validityEndInSeconds=10 * 365 * 24 * 60 * 60,
KEY_FILE="private.key",
CERT_FILE="selfsigned.crt"):
if (os.path.exists("./private.key")
and os.path.exists("./selfsigned.crt")):
return
# create a key pair
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 4096)
# create a self-signed cert
cert = crypto.X509()
cert.get_subject().C = countryName
cert.get_subject().ST = stateOrProvinceName
cert.get_subject().L = localityName
cert.get_subject().O = organizationName
cert.get_subject().OU = organizationUnitName
cert.get_subject().CN = commonName
cert.get_subject().emailAddress = emailAddress
cert.set_serial_number(serialNumber)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(validityEndInSeconds)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(k)
cert.sign(k, 'sha512')
with open(CERT_FILE, "wt") as f:
f.write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8"))
with open(KEY_FILE, "wt") as f:
f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode("utf-8"))
def create_certificate(cert_info):
cert = crypto.X509()
cert.get_subject().C = cert_info['country']
cert.get_subject().ST = cert_info['state']
cert.get_subject().L = cert_info['city']
cert.get_subject().O = cert_info['organization']
cert.get_subject().CN = cert_info['common']
# Add subject alternate name in addition to CN
# first lets determine if an ip address was specified or
# a dns entry in the common name
default_san_type = 'DNS'
try:
ipaddress.ip_address(cert_info['common'])
default_san_type = 'IP'
except ValueError:
# This is raised if say we specified freenas.org in the Common name
pass
if cert_info['san']:
cert.add_extensions([
crypto.X509Extension(
b"subjectAltName", False,
f"{default_san_type}:{cert_info['san']}".encode())
])
cert.get_subject().subjectAltName = cert_info['san'].replace(" ", ", ")
cert.get_subject().emailAddress = cert_info['email']
serial = cert_info.get('serial')
if serial is not None:
cert.set_serial_number(serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(cert_info['lifetime'] * (60 * 60 * 24))
cert.set_issuer(cert.get_subject())
# Setting it to '2' actually results in a v3 cert
# openssl's cert x509 versions are zero-indexed!
# see: https://www.ietf.org/rfc/rfc3280.txt
cert.set_version(2)
return cert
